+3725. [contrib] Updated zkt and nslint to newest versions,
+ cleaned up and rearranged the contrib
+ directory, and added a README.
+
--- 9.10.0a2 released ---
3724. [bug] win32: Fixed a bug that prevented dig and
# elsewhere if there's a good reason for doing so.
#
-ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dlzredir/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/check-secure-delegation.pl contrib/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/iscpk11/Makefile lib/iscpk11/include/Makefile lib/iscpk11/include/iscpk11/Makefile lib/iscpk11/include/pkcs11/Makefile lib/iscpk11/unix/Makefile lib/iscpk11/unix/include/Makefile lib/iscpk11/unix/include/pkcs11/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
+ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dlzredir/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/iscpk11/Makefile lib/iscpk11/include/Makefile lib/iscpk11/include/iscpk11/Makefile lib/iscpk11/include/pkcs11/Makefile lib/iscpk11/unix/Makefile lib/iscpk11/unix/include/Makefile lib/iscpk11/unix/include/pkcs11/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
#
"bin/tests/virtual-time/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/virtual-time/Makefile" ;;
"bin/tests/virtual-time/conf.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/virtual-time/conf.sh" ;;
"bin/tools/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tools/Makefile" ;;
- "contrib/check-secure-delegation.pl") CONFIG_FILES="$CONFIG_FILES contrib/check-secure-delegation.pl" ;;
- "contrib/zone-edit.sh") CONFIG_FILES="$CONFIG_FILES contrib/zone-edit.sh" ;;
+ "contrib/scripts/check-secure-delegation.pl") CONFIG_FILES="$CONFIG_FILES contrib/scripts/check-secure-delegation.pl" ;;
+ "contrib/scripts/zone-edit.sh") CONFIG_FILES="$CONFIG_FILES contrib/scripts/zone-edit.sh" ;;
"doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
"doc/arm/Makefile") CONFIG_FILES="$CONFIG_FILES doc/arm/Makefile" ;;
"doc/doxygen/Doxyfile") CONFIG_FILES="$CONFIG_FILES doc/doxygen/Doxyfile" ;;
bin/tests/virtual-time/Makefile
bin/tests/virtual-time/conf.sh
bin/tools/Makefile
- contrib/check-secure-delegation.pl
- contrib/zone-edit.sh
+ contrib/scripts/check-secure-delegation.pl
+ contrib/scripts/zone-edit.sh
doc/Makefile
doc/arm/Makefile
doc/doxygen/Doxyfile
--- /dev/null
+This directory contains contributed scripts, tools, libraries,
+and other useful additions to BIND 9. It includes:
+
+ - scripts/
+
+ Assorted useful scripts, including 'nanny' which monitors
+ named and restarts it in the event of a crash, 'zone-edit'
+ which enables editing of a dynamic zone, and others
+
+ - queryperf/
+
+ A DNS query performance testing tool
+
+ - dane/
+
+ mkdane.sh generates TLSA records for use with DNS-based
+ Authentication of Named Entities (DANE)
+
+ - dlz/modules
+
+ Dynamically linkable DLZ modules that can be configured into
+ named at runtime, enabling access to external data sources including
+ LDAP, MySQL, Berkeley DB, perl scripts, etc
+
+ - dlz/drivers
+
+ Old-style DLZ drivers that can be linked into named at compile
+ time. (These are no longer actively maintained and are expected
+ to be deprecated eventually.)
+
+ - sdb/
+
+ SDB drivers: another mechanism for accessing external data
+ sources
+
+ - idn/
+
+ Contains source for 'idnkit', which provides support for
+ Internationalized Domain Name processing.
+
+ - nslint-3.0a2
+
+ A lint-like tool for checking DNS files
+
+ - query-loc-0.4.0
+
+ A tool for retrieving location information stored in the DNS
+
+ - zkt-1.1.2
+
+ DNSSEC Zone Key Tools, an alternate method for managing keys
+ and signatures
+
+++ /dev/null
---- binfmt_elf.c.old Mon Dec 11 10:49:57 2000
-+++ binfmt_elf.c Wed Nov 1 13:05:23 2000
-@@ -1091,7 +1091,8 @@
-
- if (!current->dumpable ||
- limit < ELF_EXEC_PAGESIZE ||
-- atomic_read(¤t->mm->count) != 1)
-+/* atomic_read(¤t->mm->count) != 1) */
-+ test_and_set_bit(31, ¤t->mm->def_flags) != 0)
- return 0;
- current->dumpable = 0;
-
+++ /dev/null
-#! /bin/sh
-# Attempt to guess a canonical system name.
-# Copyright (C) 1992, 93, 94, 95, 1996 Free Software Foundation, Inc.
-#
-# This file is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Written by Per Bothner <bothner@cygnus.com>.
-# The master version of this file is at the FSF in /home/gd/gnu/lib.
-#
-# This script attempts to guess a canonical system name similar to
-# config.sub. If it succeeds, it prints the system name on stdout, and
-# exits with 0. Otherwise, it exits with 1.
-#
-# The plan is that this can be called by configure scripts if you
-# don't specify an explicit system type (host/target name).
-#
-# Only a few systems have been added to this list; please add others
-# (but try to keep the structure clean).
-#
-
-# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
-# (ghazi@noc.rutgers.edu 8/24/94.)
-if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
- PATH=$PATH:/.attbin ; export PATH
-fi
-
-UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
-UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
-UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
-UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
-
-trap 'rm -f dummy.c dummy.o dummy; exit 1' 1 2 15
-
-# Note: order is significant - the case branches are not exclusive.
-
-case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
- alpha:OSF1:*:*)
- # A Vn.n version is a released version.
- # A Tn.n version is a released field test version.
- # A Xn.n version is an unreleased experimental baselevel.
- # 1.2 uses "1.2" for uname -r.
- echo alpha-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//'`
- exit 0 ;;
- 21064:Windows_NT:50:3)
- echo alpha-dec-winnt3.5
- exit 0 ;;
- Amiga*:UNIX_System_V:4.0:*)
- echo m68k-cbm-sysv4
- exit 0;;
- amiga:NetBSD:*:*)
- echo m68k-cbm-netbsd${UNAME_RELEASE}
- exit 0 ;;
- amiga:OpenBSD:*:*)
- echo m68k-cbm-openbsd${UNAME_RELEASE}
- exit 0 ;;
- arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
- echo arm-acorn-riscix${UNAME_RELEASE}
- exit 0;;
- Pyramid*:OSx*:*:*|MIS*:OSx*:*:*)
- # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
- if test "`(/bin/universe) 2>/dev/null`" = att ; then
- echo pyramid-pyramid-sysv3
- else
- echo pyramid-pyramid-bsd
- fi
- exit 0 ;;
- NILE:*:*:dcosx)
- echo pyramid-pyramid-svr4
- exit 0 ;;
- sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
- echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- i86pc:SunOS:5.*:*)
- echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- sun4*:SunOS:6*:*)
- # According to config.sub, this is the proper way to canonicalize
- # SunOS6. Hard to guess exactly what SunOS6 will be like, but
- # it's likely to be more like Solaris than SunOS4.
- echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- sun4*:SunOS:*:*)
- case "`/usr/bin/arch -k`" in
- Series*|S4*)
- UNAME_RELEASE=`uname -v`
- ;;
- esac
- # Japanese Language versions have a version number like `4.1.3-JL'.
- echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
- exit 0 ;;
- sun3*:SunOS:*:*)
- echo m68k-sun-sunos${UNAME_RELEASE}
- exit 0 ;;
- aushp:SunOS:*:*)
- echo sparc-auspex-sunos${UNAME_RELEASE}
- exit 0 ;;
- atari*:NetBSD:*:*)
- echo m68k-atari-netbsd${UNAME_RELEASE}
- exit 0 ;;
- atari*:OpenBSD:*:*)
- echo m68k-atari-openbsd${UNAME_RELEASE}
- exit 0 ;;
- sun3*:NetBSD:*:*)
- echo m68k-sun-netbsd${UNAME_RELEASE}
- exit 0 ;;
- sun3*:OpenBSD:*:*)
- echo m68k-sun-openbsd${UNAME_RELEASE}
- exit 0 ;;
- mac68k:NetBSD:*:*)
- echo m68k-apple-netbsd${UNAME_RELEASE}
- exit 0 ;;
- mac68k:OpenBSD:*:*)
- echo m68k-apple-openbsd${UNAME_RELEASE}
- exit 0 ;;
- powerpc:machten:*:*)
- echo powerpc-apple-machten${UNAME_RELEASE}
- exit 0 ;;
- RISC*:Mach:*:*)
- echo mips-dec-mach_bsd4.3
- exit 0 ;;
- RISC*:ULTRIX:*:*)
- echo mips-dec-ultrix${UNAME_RELEASE}
- exit 0 ;;
- VAX*:ULTRIX*:*:*)
- echo vax-dec-ultrix${UNAME_RELEASE}
- exit 0 ;;
- mips:*:*:UMIPS | mips:*:*:RISCos)
- sed 's/^ //' << EOF >dummy.c
- int main (argc, argv) int argc; char **argv; {
- #if defined (host_mips) && defined (MIPSEB)
- #if defined (SYSTYPE_SYSV)
- printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
- #endif
- #if defined (SYSTYPE_SVR4)
- printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
- #endif
- #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
- printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
- #endif
- #endif
- exit (-1);
- }
-EOF
- ${CC-cc} dummy.c -o dummy \
- && ./dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
- && rm dummy.c dummy && exit 0
- rm -f dummy.c dummy
- echo mips-mips-riscos${UNAME_RELEASE}
- exit 0 ;;
- Night_Hawk:Power_UNIX:*:*)
- echo powerpc-harris-powerunix
- exit 0 ;;
- m88k:CX/UX:7*:*)
- echo m88k-harris-cxux7
- exit 0 ;;
- m88k:*:4*:R4*)
- echo m88k-motorola-sysv4
- exit 0 ;;
- m88k:*:3*:R3*)
- echo m88k-motorola-sysv3
- exit 0 ;;
- AViiON:dgux:*:*)
- # DG/UX returns AViiON for all architectures
- UNAME_PROCESSOR=`/usr/bin/uname -p`
- if [ $UNAME_PROCESSOR = mc88100 -o $UNAME_PROCESSOR = mc88110 ] ; then
- if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx \
- -o ${TARGET_BINARY_INTERFACE}x = x ] ; then
- echo m88k-dg-dgux${UNAME_RELEASE}
- else
- echo m88k-dg-dguxbcs${UNAME_RELEASE}
- fi
- else echo i586-dg-dgux${UNAME_RELEASE}
- fi
- exit 0 ;;
- M88*:DolphinOS:*:*) # DolphinOS (SVR3)
- echo m88k-dolphin-sysv3
- exit 0 ;;
- M88*:*:R3*:*)
- # Delta 88k system running SVR3
- echo m88k-motorola-sysv3
- exit 0 ;;
- XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
- echo m88k-tektronix-sysv3
- exit 0 ;;
- Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
- echo m68k-tektronix-bsd
- exit 0 ;;
- *:IRIX*:*:*)
- echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
- exit 0 ;;
- ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
- echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
- exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX '
- i?86:AIX:*:*)
- echo i386-ibm-aix
- exit 0 ;;
- *:AIX:2:3)
- if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
- sed 's/^ //' << EOF >dummy.c
- #include <sys/systemcfg.h>
-
- main()
- {
- if (!__power_pc())
- exit(1);
- puts("powerpc-ibm-aix3.2.5");
- exit(0);
- }
-EOF
- ${CC-cc} dummy.c -o dummy && ./dummy && rm dummy.c dummy && exit 0
- rm -f dummy.c dummy
- echo rs6000-ibm-aix3.2.5
- elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
- echo rs6000-ibm-aix3.2.4
- else
- echo rs6000-ibm-aix3.2
- fi
- exit 0 ;;
- *:AIX:*:4)
- if /usr/sbin/lsattr -EHl proc0 | grep POWER >/dev/null 2>&1; then
- IBM_ARCH=rs6000
- else
- IBM_ARCH=powerpc
- fi
- if [ -x /usr/bin/oslevel ] ; then
- IBM_REV=`/usr/bin/oslevel`
- else
- IBM_REV=4.${UNAME_RELEASE}
- fi
- echo ${IBM_ARCH}-ibm-aix${IBM_REV}
- exit 0 ;;
- *:AIX:*:*)
- echo rs6000-ibm-aix
- exit 0 ;;
- ibmrt:4.4BSD:*|romp-ibm:BSD:*)
- echo romp-ibm-bsd4.4
- exit 0 ;;
- ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC NetBSD and
- echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
- exit 0 ;; # report: romp-ibm BSD 4.3
- *:BOSX:*:*)
- echo rs6000-bull-bosx
- exit 0 ;;
- DPX/2?00:B.O.S.:*:*)
- echo m68k-bull-sysv3
- exit 0 ;;
- 9000/[34]??:4.3bsd:1.*:*)
- echo m68k-hp-bsd
- exit 0 ;;
- hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
- echo m68k-hp-bsd4.4
- exit 0 ;;
- 9000/[3478]??:HP-UX:*:*)
- case "${UNAME_MACHINE}" in
- 9000/31? ) HP_ARCH=m68000 ;;
- 9000/[34]?? ) HP_ARCH=m68k ;;
- 9000/7?? | 9000/8?[1679] ) HP_ARCH=hppa1.1 ;;
- 9000/8?? ) HP_ARCH=hppa1.0 ;;
- esac
- HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
- echo ${HP_ARCH}-hp-hpux${HPUX_REV}
- exit 0 ;;
- 3050*:HI-UX:*:*)
- sed 's/^ //' << EOF >dummy.c
- #include <unistd.h>
- int
- main ()
- {
- long cpu = sysconf (_SC_CPU_VERSION);
- /* The order matters, because CPU_IS_HP_MC68K erroneously returns
- true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct
- results, however. */
- if (CPU_IS_PA_RISC (cpu))
- {
- switch (cpu)
- {
- case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
- case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
- case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
- default: puts ("hppa-hitachi-hiuxwe2"); break;
- }
- }
- else if (CPU_IS_HP_MC68K (cpu))
- puts ("m68k-hitachi-hiuxwe2");
- else puts ("unknown-hitachi-hiuxwe2");
- exit (0);
- }
-EOF
- ${CC-cc} dummy.c -o dummy && ./dummy && rm dummy.c dummy && exit 0
- rm -f dummy.c dummy
- echo unknown-hitachi-hiuxwe2
- exit 0 ;;
- 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
- echo hppa1.1-hp-bsd
- exit 0 ;;
- 9000/8??:4.3bsd:*:*)
- echo hppa1.0-hp-bsd
- exit 0 ;;
- hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
- echo hppa1.1-hp-osf
- exit 0 ;;
- hp8??:OSF1:*:*)
- echo hppa1.0-hp-osf
- exit 0 ;;
- i?86:OSF1:*:*)
- if [ -x /usr/sbin/sysversion ] ; then
- echo ${UNAME_MACHINE}-unknown-osf1mk
- else
- echo ${UNAME_MACHINE}-unknown-osf1
- fi
- exit 0 ;;
- parisc*:Lites*:*:*)
- echo hppa1.1-hp-lites
- exit 0 ;;
- C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
- echo c1-convex-bsd
- exit 0 ;;
- C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
- if getsysinfo -f scalar_acc
- then echo c32-convex-bsd
- else echo c2-convex-bsd
- fi
- exit 0 ;;
- C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
- echo c34-convex-bsd
- exit 0 ;;
- C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
- echo c38-convex-bsd
- exit 0 ;;
- C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
- echo c4-convex-bsd
- exit 0 ;;
- CRAY*X-MP:*:*:*)
- echo xmp-cray-unicos
- exit 0 ;;
- CRAY*Y-MP:*:*:*)
- echo ymp-cray-unicos${UNAME_RELEASE}
- exit 0 ;;
- CRAY*[A-Z]90:*:*:*)
- echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
- | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
- -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/
- exit 0 ;;
- CRAY*TS:*:*:*)
- echo t90-cray-unicos${UNAME_RELEASE}
- exit 0 ;;
- CRAY-2:*:*:*)
- echo cray2-cray-unicos
- exit 0 ;;
- F300:UNIX_System_V:*:*)
- FUJITSU_SYS=`uname -p | tr [A-Z] [a-z] | sed -e 's/\///'`
- FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
- echo "f300-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
- exit 0 ;;
- F301:UNIX_System_V:*:*)
- echo f301-fujitsu-uxpv`echo $UNAME_RELEASE | sed 's/ .*//'`
- exit 0 ;;
- hp3[0-9][05]:NetBSD:*:*)
- echo m68k-hp-netbsd${UNAME_RELEASE}
- exit 0 ;;
- hp3[0-9][05]:OpenBSD:*:*)
- echo m68k-hp-openbsd${UNAME_RELEASE}
- exit 0 ;;
- i?86:BSD/386:*:* | *:BSD/OS:*:*)
- echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
- exit 0 ;;
- *:FreeBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
- exit 0 ;;
- *:NetBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
- exit 0 ;;
- *:OpenBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
- exit 0 ;;
- i*:CYGWIN*:*)
- echo i386-pc-cygwin32
- exit 0 ;;
- p*:CYGWIN*:*)
- echo powerpcle-unknown-cygwin32
- exit 0 ;;
- prep*:SunOS:5.*:*)
- echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- *:GNU:*:*)
- echo `echo ${UNAME_MACHINE}|sed -e 's,/.*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
- exit 0 ;;
- *:Linux:*:*)
- # The BFD linker knows what the default object file format is, so
- # first see if it will tell us.
- ld_help_string=`ld --help 2>&1`
- if echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations: elf_i.86"; then
- echo "${UNAME_MACHINE}-pc-linux-gnu" ; exit 0
- elif echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations: i.86linux"; then
- echo "${UNAME_MACHINE}-pc-linux-gnuaout" ; exit 0
- elif echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations: i.86coff"; then
- echo "${UNAME_MACHINE}-pc-linux-gnucoff" ; exit 0
- elif echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations: m68kelf"; then
- echo "${UNAME_MACHINE}-unknown-linux-gnu" ; exit 0
- elif echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations: m68klinux"; then
- echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0
- elif echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations: elf32ppc"; then
- echo "powerpc-unknown-linux-gnu" ; exit 0
- elif test "${UNAME_MACHINE}" = "alpha" ; then
- echo alpha-unknown-linux-gnu ; exit 0
- elif test "${UNAME_MACHINE}" = "sparc" ; then
- echo sparc-unknown-linux-gnu ; exit 0
- else
- # Either a pre-BFD a.out linker (linux-gnuoldld) or one that does not give us
- # useful --help. Gcc wants to distinguish between linux-gnuoldld and linux-gnuaout.
- test ! -d /usr/lib/ldscripts/. \
- && echo "${UNAME_MACHINE}-pc-linux-gnuoldld" && exit 0
- # Determine whether the default compiler is a.out or elf
- cat >dummy.c <<EOF
-main(argc, argv)
-int argc;
-char *argv[];
-{
-#ifdef __ELF__
- printf ("%s-pc-linux-gnu\n", argv[1]);
-#else
- printf ("%s-pc-linux-gnuaout\n", argv[1]);
-#endif
- return 0;
-}
-EOF
- ${CC-cc} dummy.c -o dummy 2>/dev/null && ./dummy "${UNAME_MACHINE}" && rm dummy.c dummy && exit 0
- rm -f dummy.c dummy
- fi ;;
-# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. earlier versions
-# are messed up and put the nodename in both sysname and nodename.
- i?86:DYNIX/ptx:4*:*)
- echo i386-sequent-sysv4
- exit 0 ;;
- i?86:*:4.*:* | i?86:SYSTEM_V:4.*:*)
- if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
- echo ${UNAME_MACHINE}-univel-sysv${UNAME_RELEASE}
- else
- echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE}
- fi
- exit 0 ;;
- i?86:*:3.2:*)
- if test -f /usr/options/cb.name; then
- UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
- echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
- elif /bin/uname -X 2>/dev/null >/dev/null ; then
- UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')`
- (/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486
- (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \
- && UNAME_MACHINE=i586
- echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
- else
- echo ${UNAME_MACHINE}-pc-sysv32
- fi
- exit 0 ;;
- Intel:Mach:3*:*)
- echo i386-pc-mach3
- exit 0 ;;
- paragon:*:*:*)
- echo i860-intel-osf1
- exit 0 ;;
- i860:*:4.*:*) # i860-SVR4
- if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
- echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
- else # Add other i860-SVR4 vendors below as they are discovered.
- echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4
- fi
- exit 0 ;;
- mini*:CTIX:SYS*5:*)
- # "miniframe"
- echo m68010-convergent-sysv
- exit 0 ;;
- M68*:*:R3V[567]*:*)
- test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
- 3[34]??:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 4850:*:4.0:3.0)
- OS_REL=''
- test -r /etc/.relid \
- && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
- /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
- && echo i486-ncr-sysv4.3${OS_REL} && exit 0
- /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
- && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
- 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
- /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
- && echo i486-ncr-sysv4 && exit 0 ;;
- m68*:LynxOS:2.*:*)
- echo m68k-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- mc68030:UNIX_System_V:4.*:*)
- echo m68k-atari-sysv4
- exit 0 ;;
- i?86:LynxOS:2.*:*)
- echo i386-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- TSUNAMI:LynxOS:2.*:*)
- echo sparc-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- rs6000:LynxOS:2.*:* | PowerPC:LynxOS:2.*:*)
- echo rs6000-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- SM[BE]S:UNIX_SV:*:*)
- echo mips-dde-sysv${UNAME_RELEASE}
- exit 0 ;;
- RM*:SINIX-*:*:*)
- echo mips-sni-sysv4
- exit 0 ;;
- *:SINIX-*:*:*)
- if uname -p 2>/dev/null >/dev/null ; then
- UNAME_MACHINE=`(uname -p) 2>/dev/null`
- echo ${UNAME_MACHINE}-sni-sysv4
- else
- echo ns32k-sni-sysv
- fi
- exit 0 ;;
- *:UNIX_System_V:4*:FTX*)
- # From Gerald Hewes <hewes@openmarket.com>.
- # How about differentiating between stratus architectures? -djm
- echo hppa1.1-stratus-sysv4
- exit 0 ;;
- *:*:*:FTX*)
- # From seanf@swdc.stratus.com.
- echo i860-stratus-sysv4
- exit 0 ;;
- mc68*:A/UX:*:*)
- echo m68k-apple-aux${UNAME_RELEASE}
- exit 0 ;;
- R3000:*System_V*:*:* | R4000:UNIX_SYSV:*:*)
- if [ -d /usr/nec ]; then
- echo mips-nec-sysv${UNAME_RELEASE}
- else
- echo mips-unknown-sysv${UNAME_RELEASE}
- fi
- exit 0 ;;
- PENTIUM:CPunix:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
- # says <Richard.M.Bartel@ccMail.Census.GOV>
- echo i586-unisys-sysv4
- exit 0 ;;
-esac
-
-#echo '(No uname command or uname output not recognized.)' 1>&2
-#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
-
-cat >dummy.c <<EOF
-#ifdef _SEQUENT_
-# include <sys/types.h>
-# include <sys/utsname.h>
-#endif
-main ()
-{
-#if defined (sony)
-#if defined (MIPSEB)
- /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
- I don't know.... */
- printf ("mips-sony-bsd\n"); exit (0);
-#else
-#include <sys/param.h>
- printf ("m68k-sony-newsos%s\n",
-#ifdef NEWSOS4
- "4"
-#else
- ""
-#endif
- ); exit (0);
-#endif
-#endif
-
-#if defined (__arm) && defined (__acorn) && defined (__unix)
- printf ("arm-acorn-riscix"); exit (0);
-#endif
-
-#if defined (hp300) && !defined (hpux)
- printf ("m68k-hp-bsd\n"); exit (0);
-#endif
-
-#if defined (NeXT)
-#if !defined (__ARCHITECTURE__)
-#define __ARCHITECTURE__ "m68k"
-#endif
- int version;
- version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
- printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
- exit (0);
-#endif
-
-#if defined (MULTIMAX) || defined (n16)
-#if defined (UMAXV)
- printf ("ns32k-encore-sysv\n"); exit (0);
-#else
-#if defined (CMU)
- printf ("ns32k-encore-mach\n"); exit (0);
-#else
- printf ("ns32k-encore-bsd\n"); exit (0);
-#endif
-#endif
-#endif
-
-#if defined (__386BSD__)
- printf ("i386-pc-bsd\n"); exit (0);
-#endif
-
-#if defined (sequent)
-#if defined (i386)
- printf ("i386-sequent-dynix\n"); exit (0);
-#endif
-#if defined (ns32000)
- printf ("ns32k-sequent-dynix\n"); exit (0);
-#endif
-#endif
-
-#if defined (_SEQUENT_)
- struct utsname un;
-
- uname(&un);
-
- if (strncmp(un.version, "V2", 2) == 0) {
- printf ("i386-sequent-ptx2\n"); exit (0);
- }
- if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
- printf ("i386-sequent-ptx1\n"); exit (0);
- }
- printf ("i386-sequent-ptx\n"); exit (0);
-
-#endif
-
-#if defined (vax)
-#if !defined (ultrix)
- printf ("vax-dec-bsd\n"); exit (0);
-#else
- printf ("vax-dec-ultrix\n"); exit (0);
-#endif
-#endif
-
-#if defined (alliant) && defined (i860)
- printf ("i860-alliant-bsd\n"); exit (0);
-#endif
-
- exit (1);
-}
-EOF
-
-${CC-cc} dummy.c -o dummy 2>/dev/null && ./dummy && rm dummy.c dummy && exit 0
-rm -f dummy.c dummy
-
-# Apollos put the system type in the environment.
-
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
-
-# Convex versions that predate uname can use getsysinfo(1)
-
-if [ -x /usr/convex/getsysinfo ]
-then
- case `getsysinfo -f cpu_type` in
- c1*)
- echo c1-convex-bsd
- exit 0 ;;
- c2*)
- if getsysinfo -f scalar_acc
- then echo c32-convex-bsd
- else echo c2-convex-bsd
- fi
- exit 0 ;;
- c34*)
- echo c34-convex-bsd
- exit 0 ;;
- c38*)
- echo c38-convex-bsd
- exit 0 ;;
- c4*)
- echo c4-convex-bsd
- exit 0 ;;
- esac
-fi
-
-#echo '(Unable to guess system type)' 1>&2
-
-exit 1
+++ /dev/null
-#! /bin/sh
-
-# Guess values for system-dependent variables and create Makefiles.
-# Generated automatically using autoconf version 2.13
-# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc.
-#
-# This configure script is free software; the Free Software Foundation
-# gives unlimited permission to copy, distribute and modify it.
-
-# Defaults:
-ac_help=
-ac_default_prefix=/usr/local
-# Any additions from configure.in:
-ac_help="$ac_help
- --without-gcc don't use gcc"
-
-# Initialize some variables set by options.
-# The variables have the same names as the options, with
-# dashes changed to underlines.
-build=NONE
-cache_file=./config.cache
-exec_prefix=NONE
-host=NONE
-no_create=
-nonopt=NONE
-no_recursion=
-prefix=NONE
-program_prefix=NONE
-program_suffix=NONE
-program_transform_name=s,x,x,
-silent=
-site=
-srcdir=
-target=NONE
-verbose=
-x_includes=NONE
-x_libraries=NONE
-bindir='${exec_prefix}/bin'
-sbindir='${exec_prefix}/sbin'
-libexecdir='${exec_prefix}/libexec'
-datadir='${prefix}/share'
-sysconfdir='${prefix}/etc'
-sharedstatedir='${prefix}/com'
-localstatedir='${prefix}/var'
-libdir='${exec_prefix}/lib'
-includedir='${prefix}/include'
-oldincludedir='/usr/include'
-infodir='${prefix}/info'
-mandir='${prefix}/man'
-
-# Initialize some other variables.
-subdirs=
-MFLAGS= MAKEFLAGS=
-SHELL=${CONFIG_SHELL-/bin/sh}
-# Maximum number of lines to put in a shell here document.
-ac_max_here_lines=12
-
-ac_prev=
-for ac_option
-do
-
- # If the previous option needs an argument, assign it.
- if test -n "$ac_prev"; then
- eval "$ac_prev=\$ac_option"
- ac_prev=
- continue
- fi
-
- case "$ac_option" in
- -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
- *) ac_optarg= ;;
- esac
-
- # Accept the important Cygnus configure options, so we can diagnose typos.
-
- case "$ac_option" in
-
- -bindir | --bindir | --bindi | --bind | --bin | --bi)
- ac_prev=bindir ;;
- -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
- bindir="$ac_optarg" ;;
-
- -build | --build | --buil | --bui | --bu)
- ac_prev=build ;;
- -build=* | --build=* | --buil=* | --bui=* | --bu=*)
- build="$ac_optarg" ;;
-
- -cache-file | --cache-file | --cache-fil | --cache-fi \
- | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
- ac_prev=cache_file ;;
- -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
- | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
- cache_file="$ac_optarg" ;;
-
- -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
- ac_prev=datadir ;;
- -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
- | --da=*)
- datadir="$ac_optarg" ;;
-
- -disable-* | --disable-*)
- ac_feature=`echo $ac_option|sed -e 's/-*disable-//'`
- # Reject names that are not valid shell variable names.
- if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then
- { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
- fi
- ac_feature=`echo $ac_feature| sed 's/-/_/g'`
- eval "enable_${ac_feature}=no" ;;
-
- -enable-* | --enable-*)
- ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'`
- # Reject names that are not valid shell variable names.
- if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then
- { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
- fi
- ac_feature=`echo $ac_feature| sed 's/-/_/g'`
- case "$ac_option" in
- *=*) ;;
- *) ac_optarg=yes ;;
- esac
- eval "enable_${ac_feature}='$ac_optarg'" ;;
-
- -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
- | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
- | --exec | --exe | --ex)
- ac_prev=exec_prefix ;;
- -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
- | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
- | --exec=* | --exe=* | --ex=*)
- exec_prefix="$ac_optarg" ;;
-
- -gas | --gas | --ga | --g)
- # Obsolete; use --with-gas.
- with_gas=yes ;;
-
- -help | --help | --hel | --he)
- # Omit some internal or obsolete options to make the list less imposing.
- # This message is too long to be a string in the A/UX 3.1 sh.
- cat << EOF
-Usage: configure [options] [host]
-Options: [defaults in brackets after descriptions]
-Configuration:
- --cache-file=FILE cache test results in FILE
- --help print this message
- --no-create do not create output files
- --quiet, --silent do not print \`checking...' messages
- --version print the version of autoconf that created configure
-Directory and file names:
- --prefix=PREFIX install architecture-independent files in PREFIX
- [$ac_default_prefix]
- --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
- [same as prefix]
- --bindir=DIR user executables in DIR [EPREFIX/bin]
- --sbindir=DIR system admin executables in DIR [EPREFIX/sbin]
- --libexecdir=DIR program executables in DIR [EPREFIX/libexec]
- --datadir=DIR read-only architecture-independent data in DIR
- [PREFIX/share]
- --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc]
- --sharedstatedir=DIR modifiable architecture-independent data in DIR
- [PREFIX/com]
- --localstatedir=DIR modifiable single-machine data in DIR [PREFIX/var]
- --libdir=DIR object code libraries in DIR [EPREFIX/lib]
- --includedir=DIR C header files in DIR [PREFIX/include]
- --oldincludedir=DIR C header files for non-gcc in DIR [/usr/include]
- --infodir=DIR info documentation in DIR [PREFIX/info]
- --mandir=DIR man documentation in DIR [PREFIX/man]
- --srcdir=DIR find the sources in DIR [configure dir or ..]
- --program-prefix=PREFIX prepend PREFIX to installed program names
- --program-suffix=SUFFIX append SUFFIX to installed program names
- --program-transform-name=PROGRAM
- run sed PROGRAM on installed program names
-EOF
- cat << EOF
-Host type:
- --build=BUILD configure for building on BUILD [BUILD=HOST]
- --host=HOST configure for HOST [guessed]
- --target=TARGET configure for TARGET [TARGET=HOST]
-Features and packages:
- --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
- --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
- --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
- --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
- --x-includes=DIR X include files are in DIR
- --x-libraries=DIR X library files are in DIR
-EOF
- if test -n "$ac_help"; then
- echo "--enable and --with options recognized:$ac_help"
- fi
- exit 0 ;;
-
- -host | --host | --hos | --ho)
- ac_prev=host ;;
- -host=* | --host=* | --hos=* | --ho=*)
- host="$ac_optarg" ;;
-
- -includedir | --includedir | --includedi | --included | --include \
- | --includ | --inclu | --incl | --inc)
- ac_prev=includedir ;;
- -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
- | --includ=* | --inclu=* | --incl=* | --inc=*)
- includedir="$ac_optarg" ;;
-
- -infodir | --infodir | --infodi | --infod | --info | --inf)
- ac_prev=infodir ;;
- -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
- infodir="$ac_optarg" ;;
-
- -libdir | --libdir | --libdi | --libd)
- ac_prev=libdir ;;
- -libdir=* | --libdir=* | --libdi=* | --libd=*)
- libdir="$ac_optarg" ;;
-
- -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
- | --libexe | --libex | --libe)
- ac_prev=libexecdir ;;
- -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
- | --libexe=* | --libex=* | --libe=*)
- libexecdir="$ac_optarg" ;;
-
- -localstatedir | --localstatedir | --localstatedi | --localstated \
- | --localstate | --localstat | --localsta | --localst \
- | --locals | --local | --loca | --loc | --lo)
- ac_prev=localstatedir ;;
- -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
- | --localstate=* | --localstat=* | --localsta=* | --localst=* \
- | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
- localstatedir="$ac_optarg" ;;
-
- -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
- ac_prev=mandir ;;
- -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
- mandir="$ac_optarg" ;;
-
- -nfp | --nfp | --nf)
- # Obsolete; use --without-fp.
- with_fp=no ;;
-
- -no-create | --no-create | --no-creat | --no-crea | --no-cre \
- | --no-cr | --no-c)
- no_create=yes ;;
-
- -no-recursion | --no-recursion | --no-recursio | --no-recursi \
- | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
- no_recursion=yes ;;
-
- -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
- | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
- | --oldin | --oldi | --old | --ol | --o)
- ac_prev=oldincludedir ;;
- -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
- | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
- | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
- oldincludedir="$ac_optarg" ;;
-
- -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
- ac_prev=prefix ;;
- -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
- prefix="$ac_optarg" ;;
-
- -program-prefix | --program-prefix | --program-prefi | --program-pref \
- | --program-pre | --program-pr | --program-p)
- ac_prev=program_prefix ;;
- -program-prefix=* | --program-prefix=* | --program-prefi=* \
- | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
- program_prefix="$ac_optarg" ;;
-
- -program-suffix | --program-suffix | --program-suffi | --program-suff \
- | --program-suf | --program-su | --program-s)
- ac_prev=program_suffix ;;
- -program-suffix=* | --program-suffix=* | --program-suffi=* \
- | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
- program_suffix="$ac_optarg" ;;
-
- -program-transform-name | --program-transform-name \
- | --program-transform-nam | --program-transform-na \
- | --program-transform-n | --program-transform- \
- | --program-transform | --program-transfor \
- | --program-transfo | --program-transf \
- | --program-trans | --program-tran \
- | --progr-tra | --program-tr | --program-t)
- ac_prev=program_transform_name ;;
- -program-transform-name=* | --program-transform-name=* \
- | --program-transform-nam=* | --program-transform-na=* \
- | --program-transform-n=* | --program-transform-=* \
- | --program-transform=* | --program-transfor=* \
- | --program-transfo=* | --program-transf=* \
- | --program-trans=* | --program-tran=* \
- | --progr-tra=* | --program-tr=* | --program-t=*)
- program_transform_name="$ac_optarg" ;;
-
- -q | -quiet | --quiet | --quie | --qui | --qu | --q \
- | -silent | --silent | --silen | --sile | --sil)
- silent=yes ;;
-
- -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
- ac_prev=sbindir ;;
- -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
- | --sbi=* | --sb=*)
- sbindir="$ac_optarg" ;;
-
- -sharedstatedir | --sharedstatedir | --sharedstatedi \
- | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
- | --sharedst | --shareds | --shared | --share | --shar \
- | --sha | --sh)
- ac_prev=sharedstatedir ;;
- -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
- | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
- | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
- | --sha=* | --sh=*)
- sharedstatedir="$ac_optarg" ;;
-
- -site | --site | --sit)
- ac_prev=site ;;
- -site=* | --site=* | --sit=*)
- site="$ac_optarg" ;;
-
- -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
- ac_prev=srcdir ;;
- -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
- srcdir="$ac_optarg" ;;
-
- -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
- | --syscon | --sysco | --sysc | --sys | --sy)
- ac_prev=sysconfdir ;;
- -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
- | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
- sysconfdir="$ac_optarg" ;;
-
- -target | --target | --targe | --targ | --tar | --ta | --t)
- ac_prev=target ;;
- -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
- target="$ac_optarg" ;;
-
- -v | -verbose | --verbose | --verbos | --verbo | --verb)
- verbose=yes ;;
-
- -version | --version | --versio | --versi | --vers)
- echo "configure generated by autoconf version 2.13"
- exit 0 ;;
-
- -with-* | --with-*)
- ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'`
- # Reject names that are not valid shell variable names.
- if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then
- { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
- fi
- ac_package=`echo $ac_package| sed 's/-/_/g'`
- case "$ac_option" in
- *=*) ;;
- *) ac_optarg=yes ;;
- esac
- eval "with_${ac_package}='$ac_optarg'" ;;
-
- -without-* | --without-*)
- ac_package=`echo $ac_option|sed -e 's/-*without-//'`
- # Reject names that are not valid shell variable names.
- if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then
- { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
- fi
- ac_package=`echo $ac_package| sed 's/-/_/g'`
- eval "with_${ac_package}=no" ;;
-
- --x)
- # Obsolete; use --with-x.
- with_x=yes ;;
-
- -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
- | --x-incl | --x-inc | --x-in | --x-i)
- ac_prev=x_includes ;;
- -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
- | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
- x_includes="$ac_optarg" ;;
-
- -x-libraries | --x-libraries | --x-librarie | --x-librari \
- | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
- ac_prev=x_libraries ;;
- -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
- | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
- x_libraries="$ac_optarg" ;;
-
- -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; }
- ;;
-
- *)
- if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then
- echo "configure: warning: $ac_option: invalid host type" 1>&2
- fi
- if test "x$nonopt" != xNONE; then
- { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; }
- fi
- nonopt="$ac_option"
- ;;
-
- esac
-done
-
-if test -n "$ac_prev"; then
- { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; }
-fi
-
-trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
-
-# File descriptor usage:
-# 0 standard input
-# 1 file creation
-# 2 errors and warnings
-# 3 some systems may open it to /dev/tty
-# 4 used on the Kubota Titan
-# 6 checking for... messages and results
-# 5 compiler messages saved in config.log
-if test "$silent" = yes; then
- exec 6>/dev/null
-else
- exec 6>&1
-fi
-exec 5>./config.log
-
-echo "\
-This file contains any messages produced by compilers while
-running configure, to aid debugging if configure makes a mistake.
-" 1>&5
-
-# Strip out --no-create and --no-recursion so they do not pile up.
-# Also quote any args containing shell metacharacters.
-ac_configure_args=
-for ac_arg
-do
- case "$ac_arg" in
- -no-create | --no-create | --no-creat | --no-crea | --no-cre \
- | --no-cr | --no-c) ;;
- -no-recursion | --no-recursion | --no-recursio | --no-recursi \
- | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;;
- *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*)
- ac_configure_args="$ac_configure_args '$ac_arg'" ;;
- *) ac_configure_args="$ac_configure_args $ac_arg" ;;
- esac
-done
-
-# NLS nuisances.
-# Only set these to C if already set. These must not be set unconditionally
-# because not all systems understand e.g. LANG=C (notably SCO).
-# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'!
-# Non-C LC_CTYPE values break the ctype check.
-if test "${LANG+set}" = set; then LANG=C; export LANG; fi
-if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi
-if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi
-if test "${LC_CTYPE+set}" = set; then LC_CTYPE=C; export LC_CTYPE; fi
-
-# confdefs.h avoids OS command line length limits that DEFS can exceed.
-rm -rf conftest* confdefs.h
-# AIX cpp loses on an empty file, so make sure it contains at least a newline.
-echo > confdefs.h
-
-# A filename unique to this package, relative to the directory that
-# configure is in, which we can look for to find out if srcdir is correct.
-ac_unique_file=nslint.c
-
-# Find the source files, if location was not specified.
-if test -z "$srcdir"; then
- ac_srcdir_defaulted=yes
- # Try the directory containing this script, then its parent.
- ac_prog=$0
- ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'`
- test "x$ac_confdir" = "x$ac_prog" && ac_confdir=.
- srcdir=$ac_confdir
- if test ! -r $srcdir/$ac_unique_file; then
- srcdir=..
- fi
-else
- ac_srcdir_defaulted=no
-fi
-if test ! -r $srcdir/$ac_unique_file; then
- if test "$ac_srcdir_defaulted" = yes; then
- { echo "configure: error: can not find sources in $ac_confdir or .." 1>&2; exit 1; }
- else
- { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; }
- fi
-fi
-srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'`
-
-# Prefer explicitly selected file to automatically selected ones.
-if test -z "$CONFIG_SITE"; then
- if test "x$prefix" != xNONE; then
- CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
- else
- CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
- fi
-fi
-for ac_site_file in $CONFIG_SITE; do
- if test -r "$ac_site_file"; then
- echo "loading site script $ac_site_file"
- . "$ac_site_file"
- fi
-done
-
-if test -r "$cache_file"; then
- echo "loading cache $cache_file"
- . $cache_file
-else
- echo "creating cache $cache_file"
- > $cache_file
-fi
-
-ac_ext=c
-# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
-ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
-cross_compiling=$ac_cv_prog_cc_cross
-
-ac_exeext=
-ac_objext=o
-if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
- # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu.
- if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
- ac_n= ac_c='
-' ac_t=' '
- else
- ac_n=-n ac_c= ac_t=
- fi
-else
- ac_n= ac_c='\c' ac_t=
-fi
-
-
-
-ac_aux_dir=
-for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
- if test -f $ac_dir/install-sh; then
- ac_aux_dir=$ac_dir
- ac_install_sh="$ac_aux_dir/install-sh -c"
- break
- elif test -f $ac_dir/install.sh; then
- ac_aux_dir=$ac_dir
- ac_install_sh="$ac_aux_dir/install.sh -c"
- break
- fi
-done
-if test -z "$ac_aux_dir"; then
- { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; }
-fi
-ac_config_guess=$ac_aux_dir/config.guess
-ac_config_sub=$ac_aux_dir/config.sub
-ac_configure=$ac_aux_dir/configure # This should be Cygnus configure.
-
-
-# Do some error checking and defaulting for the host and target type.
-# The inputs are:
-# configure --host=HOST --target=TARGET --build=BUILD NONOPT
-#
-# The rules are:
-# 1. You are not allowed to specify --host, --target, and nonopt at the
-# same time.
-# 2. Host defaults to nonopt.
-# 3. If nonopt is not specified, then host defaults to the current host,
-# as determined by config.guess.
-# 4. Target and build default to nonopt.
-# 5. If nonopt is not specified, then target and build default to host.
-
-# The aliases save the names the user supplied, while $host etc.
-# will get canonicalized.
-case $host---$target---$nonopt in
-NONE---*---* | *---NONE---* | *---*---NONE) ;;
-*) { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; } ;;
-esac
-
-
-# Make sure we can run config.sub.
-if ${CONFIG_SHELL-/bin/sh} $ac_config_sub sun4 >/dev/null 2>&1; then :
-else { echo "configure: error: can not run $ac_config_sub" 1>&2; exit 1; }
-fi
-
-echo $ac_n "checking host system type""... $ac_c" 1>&6
-echo "configure:575: checking host system type" >&5
-
-host_alias=$host
-case "$host_alias" in
-NONE)
- case $nonopt in
- NONE)
- if host_alias=`${CONFIG_SHELL-/bin/sh} $ac_config_guess`; then :
- else { echo "configure: error: can not guess host type; you must specify one" 1>&2; exit 1; }
- fi ;;
- *) host_alias=$nonopt ;;
- esac ;;
-esac
-
-host=`${CONFIG_SHELL-/bin/sh} $ac_config_sub $host_alias`
-host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
-host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
-host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
-echo "$ac_t""$host" 1>&6
-
-echo $ac_n "checking target system type""... $ac_c" 1>&6
-echo "configure:596: checking target system type" >&5
-
-target_alias=$target
-case "$target_alias" in
-NONE)
- case $nonopt in
- NONE) target_alias=$host_alias ;;
- *) target_alias=$nonopt ;;
- esac ;;
-esac
-
-target=`${CONFIG_SHELL-/bin/sh} $ac_config_sub $target_alias`
-target_cpu=`echo $target | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
-target_vendor=`echo $target | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
-target_os=`echo $target | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
-echo "$ac_t""$target" 1>&6
-
-echo $ac_n "checking build system type""... $ac_c" 1>&6
-echo "configure:614: checking build system type" >&5
-
-build_alias=$build
-case "$build_alias" in
-NONE)
- case $nonopt in
- NONE) build_alias=$host_alias ;;
- *) build_alias=$nonopt ;;
- esac ;;
-esac
-
-build=`${CONFIG_SHELL-/bin/sh} $ac_config_sub $build_alias`
-build_cpu=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
-build_vendor=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
-build_os=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
-echo "$ac_t""$build" 1>&6
-
-test "$host_alias" != "$target_alias" &&
- test "$program_prefix$program_suffix$program_transform_name" = \
- NONENONEs,x,x, &&
- program_prefix=${target_alias}-
-
-
-umask 002
-
-if test -z "$PWD" ; then
- PWD=`pwd`
-fi
-
-
-
-
-
- # Check whether --with-gcc or --without-gcc was given.
-if test "${with_gcc+set}" = set; then
- withval="$with_gcc"
- :
-fi
-
- V_CCOPT="-O"
- V_INCLS=""
- if test "${srcdir}" != "." ; then
- V_INCLS="-I\$\(srcdir\)"
- fi
- if test "${CFLAGS+set}" = set; then
- LBL_CFLAGS="$CFLAGS"
- fi
- if test -z "$CC" ; then
- case "$target_os" in
-
- bsdi*)
- # Extract the first word of "shlicc2", so it can be a program name with args.
-set dummy shlicc2; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:668: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_SHLICC2'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- if test -n "$SHLICC2"; then
- ac_cv_prog_SHLICC2="$SHLICC2" # Let the user override the test.
-else
- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
- ac_dummy="$PATH"
- for ac_dir in $ac_dummy; do
- test -z "$ac_dir" && ac_dir=.
- if test -f $ac_dir/$ac_word; then
- ac_cv_prog_SHLICC2="yes"
- break
- fi
- done
- IFS="$ac_save_ifs"
- test -z "$ac_cv_prog_SHLICC2" && ac_cv_prog_SHLICC2="no"
-fi
-fi
-SHLICC2="$ac_cv_prog_SHLICC2"
-if test -n "$SHLICC2"; then
- echo "$ac_t""$SHLICC2" 1>&6
-else
- echo "$ac_t""no" 1>&6
-fi
-
- if test $SHLICC2 = yes ; then
- CC=shlicc2
- export CC
- fi
- ;;
- esac
- fi
- if test -z "$CC" -a "$with_gcc" = no ; then
- CC=cc
- export CC
- fi
- # Extract the first word of "gcc", so it can be a program name with args.
-set dummy gcc; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:709: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-else
- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
- ac_dummy="$PATH"
- for ac_dir in $ac_dummy; do
- test -z "$ac_dir" && ac_dir=.
- if test -f $ac_dir/$ac_word; then
- ac_cv_prog_CC="gcc"
- break
- fi
- done
- IFS="$ac_save_ifs"
-fi
-fi
-CC="$ac_cv_prog_CC"
-if test -n "$CC"; then
- echo "$ac_t""$CC" 1>&6
-else
- echo "$ac_t""no" 1>&6
-fi
-
-if test -z "$CC"; then
- # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:739: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-else
- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
- ac_prog_rejected=no
- ac_dummy="$PATH"
- for ac_dir in $ac_dummy; do
- test -z "$ac_dir" && ac_dir=.
- if test -f $ac_dir/$ac_word; then
- if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then
- ac_prog_rejected=yes
- continue
- fi
- ac_cv_prog_CC="cc"
- break
- fi
- done
- IFS="$ac_save_ifs"
-if test $ac_prog_rejected = yes; then
- # We found a bogon in the path, so make sure we never use it.
- set dummy $ac_cv_prog_CC
- shift
- if test $# -gt 0; then
- # We chose a different compiler from the bogus one.
- # However, it has the same basename, so the bogon will be chosen
- # first if we set CC to just the basename; use the full file name.
- shift
- set dummy "$ac_dir/$ac_word" "$@"
- shift
- ac_cv_prog_CC="$@"
- fi
-fi
-fi
-fi
-CC="$ac_cv_prog_CC"
-if test -n "$CC"; then
- echo "$ac_t""$CC" 1>&6
-else
- echo "$ac_t""no" 1>&6
-fi
-
- if test -z "$CC"; then
- case "`uname -s`" in
- *win32* | *WIN32*)
- # Extract the first word of "cl", so it can be a program name with args.
-set dummy cl; ac_word=$2
-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:790: checking for $ac_word" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-else
- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
- ac_dummy="$PATH"
- for ac_dir in $ac_dummy; do
- test -z "$ac_dir" && ac_dir=.
- if test -f $ac_dir/$ac_word; then
- ac_cv_prog_CC="cl"
- break
- fi
- done
- IFS="$ac_save_ifs"
-fi
-fi
-CC="$ac_cv_prog_CC"
-if test -n "$CC"; then
- echo "$ac_t""$CC" 1>&6
-else
- echo "$ac_t""no" 1>&6
-fi
- ;;
- esac
- fi
- test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; }
-fi
-
-echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:822: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
-
-ac_ext=c
-# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
-ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
-cross_compiling=$ac_cv_prog_cc_cross
-
-cat > conftest.$ac_ext << EOF
-
-#line 833 "configure"
-#include "confdefs.h"
-
-main(){return(0);}
-EOF
-if { (eval echo configure:838: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
- ac_cv_prog_cc_works=yes
- # If we can't run a trivial program, we are probably using a cross compiler.
- if (./conftest; exit) 2>/dev/null; then
- ac_cv_prog_cc_cross=no
- else
- ac_cv_prog_cc_cross=yes
- fi
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- ac_cv_prog_cc_works=no
-fi
-rm -fr conftest*
-ac_ext=c
-# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
-ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
-cross_compiling=$ac_cv_prog_cc_cross
-
-echo "$ac_t""$ac_cv_prog_cc_works" 1>&6
-if test $ac_cv_prog_cc_works = no; then
- { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
-fi
-echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:864: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
-echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
-cross_compiling=$ac_cv_prog_cc_cross
-
-echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
-echo "configure:869: checking whether we are using GNU C" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- cat > conftest.c <<EOF
-#ifdef __GNUC__
- yes;
-#endif
-EOF
-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:878: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
- ac_cv_prog_gcc=yes
-else
- ac_cv_prog_gcc=no
-fi
-fi
-
-echo "$ac_t""$ac_cv_prog_gcc" 1>&6
-
-if test $ac_cv_prog_gcc = yes; then
- GCC=yes
-else
- GCC=
-fi
-
-ac_test_CFLAGS="${CFLAGS+set}"
-ac_save_CFLAGS="$CFLAGS"
-CFLAGS=
-echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
-echo "configure:897: checking whether ${CC-cc} accepts -g" >&5
-if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- echo 'void f(){}' > conftest.c
-if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then
- ac_cv_prog_cc_g=yes
-else
- ac_cv_prog_cc_g=no
-fi
-rm -f conftest*
-
-fi
-
-echo "$ac_t""$ac_cv_prog_cc_g" 1>&6
-if test "$ac_test_CFLAGS" = set; then
- CFLAGS="$ac_save_CFLAGS"
-elif test $ac_cv_prog_cc_g = yes; then
- if test "$GCC" = yes; then
- CFLAGS="-g -O2"
- else
- CFLAGS="-g"
- fi
-else
- if test "$GCC" = yes; then
- CFLAGS="-O2"
- else
- CFLAGS=
- fi
-fi
-
- if test "$GCC" != yes ; then
- echo $ac_n "checking that $CC handles ansi prototypes""... $ac_c" 1>&6
-echo "configure:930: checking that $CC handles ansi prototypes" >&5
- if eval "test \"`echo '$''{'ac_cv_lbl_cc_ansi_prototypes'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- cat > conftest.$ac_ext <<EOF
-#line 935 "configure"
-#include "confdefs.h"
-#include <sys/types.h>
-int main() {
-int frob(int, char *)
-; return 0; }
-EOF
-if { (eval echo configure:942: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
- rm -rf conftest*
- ac_cv_lbl_cc_ansi_prototypes=yes
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- ac_cv_lbl_cc_ansi_prototypes=no
-fi
-rm -f conftest*
-fi
-
- echo "$ac_t""$ac_cv_lbl_cc_ansi_prototypes" 1>&6
- if test $ac_cv_lbl_cc_ansi_prototypes = no ; then
- case "$target_os" in
-
- hpux*)
- echo $ac_n "checking for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE)""... $ac_c" 1>&6
-echo "configure:960: checking for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE)" >&5
- savedcflags="$CFLAGS"
- CFLAGS="-Aa -D_HPUX_SOURCE $CFLAGS"
- if eval "test \"`echo '$''{'ac_cv_lbl_cc_hpux_cc_aa'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- cat > conftest.$ac_ext <<EOF
-#line 967 "configure"
-#include "confdefs.h"
-#include <sys/types.h>
-int main() {
-int frob(int, char *)
-; return 0; }
-EOF
-if { (eval echo configure:974: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
- rm -rf conftest*
- ac_cv_lbl_cc_hpux_cc_aa=yes
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- ac_cv_lbl_cc_hpux_cc_aa=no
-fi
-rm -f conftest*
-fi
-
- echo "$ac_t""$ac_cv_lbl_cc_hpux_cc_aa" 1>&6
- if test $ac_cv_lbl_cc_hpux_cc_aa = no ; then
- { echo "configure: error: see the INSTALL doc for more info" 1>&2; exit 1; }
- fi
- CFLAGS="$savedcflags"
- V_CCOPT="-Aa $V_CCOPT"
- cat >> confdefs.h <<\EOF
-#define _HPUX_SOURCE 1
-EOF
-
- ;;
-
- *)
- { echo "configure: error: see the INSTALL doc for more info" 1>&2; exit 1; }
- ;;
- esac
- fi
- V_INCLS="$V_INCLS -I/usr/local/include"
- LDFLAGS="$LDFLAGS -L/usr/local/lib"
-
- case "$target_os" in
-
- irix*)
- V_CCOPT="$V_CCOPT -xansi -signed -g3"
- ;;
-
- osf*)
- V_CCOPT="$V_CCOPT -std1 -g3"
- ;;
-
- ultrix*)
- echo $ac_n "checking that Ultrix $CC hacks const in prototypes""... $ac_c" 1>&6
-echo "configure:1018: checking that Ultrix $CC hacks const in prototypes" >&5
- if eval "test \"`echo '$''{'ac_cv_lbl_cc_const_proto'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- cat > conftest.$ac_ext <<EOF
-#line 1023 "configure"
-#include "confdefs.h"
-#include <sys/types.h>
-int main() {
-struct a { int b; };
- void c(const struct a *)
-; return 0; }
-EOF
-if { (eval echo configure:1031: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
- rm -rf conftest*
- ac_cv_lbl_cc_const_proto=yes
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- ac_cv_lbl_cc_const_proto=no
-fi
-rm -f conftest*
-fi
-
- echo "$ac_t""$ac_cv_lbl_cc_const_proto" 1>&6
- if test $ac_cv_lbl_cc_const_proto = no ; then
- cat >> confdefs.h <<\EOF
-#define const
-EOF
-
- fi
- ;;
- esac
- fi
-
-
-echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
-echo "configure:1056: checking how to run the C preprocessor" >&5
-# On Suns, sometimes $CPP names a directory.
-if test -n "$CPP" && test -d "$CPP"; then
- CPP=
-fi
-if test -z "$CPP"; then
-if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- # This must be in double quotes, not single quotes, because CPP may get
- # substituted into the Makefile and "${CC-cc}" will confuse make.
- CPP="${CC-cc} -E"
- # On the NeXT, cc -E runs the code through the compiler's parser,
- # not just through cpp.
- cat > conftest.$ac_ext <<EOF
-#line 1071 "configure"
-#include "confdefs.h"
-#include <assert.h>
-Syntax Error
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1077: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
- :
-else
- echo "$ac_err" >&5
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- CPP="${CC-cc} -E -traditional-cpp"
- cat > conftest.$ac_ext <<EOF
-#line 1088 "configure"
-#include "confdefs.h"
-#include <assert.h>
-Syntax Error
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1094: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
- :
-else
- echo "$ac_err" >&5
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- CPP="${CC-cc} -nologo -E"
- cat > conftest.$ac_ext <<EOF
-#line 1105 "configure"
-#include "confdefs.h"
-#include <assert.h>
-Syntax Error
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1111: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
- :
-else
- echo "$ac_err" >&5
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- CPP=/lib/cpp
-fi
-rm -f conftest*
-fi
-rm -f conftest*
-fi
-rm -f conftest*
- ac_cv_prog_CPP="$CPP"
-fi
- CPP="$ac_cv_prog_CPP"
-else
- ac_cv_prog_CPP="$CPP"
-fi
-echo "$ac_t""$CPP" 1>&6
-
-for ac_hdr in fcntl.h malloc.h memory.h
-do
-ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
-echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:1139: checking for $ac_hdr" >&5
-if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- cat > conftest.$ac_ext <<EOF
-#line 1144 "configure"
-#include "confdefs.h"
-#include <$ac_hdr>
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1149: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
- rm -rf conftest*
- eval "ac_cv_header_$ac_safe=yes"
-else
- echo "$ac_err" >&5
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- eval "ac_cv_header_$ac_safe=no"
-fi
-rm -f conftest*
-fi
-if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
- echo "$ac_t""yes" 1>&6
- ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
- cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
-EOF
-
-else
- echo "$ac_t""no" 1>&6
-fi
-done
-
-
-for ac_func in strerror
-do
-echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:1179: checking for $ac_func" >&5
-if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- cat > conftest.$ac_ext <<EOF
-#line 1184 "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char $ac_func(); below. */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error. */
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char $ac_func();
-
-int main() {
-
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-$ac_func();
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:1207: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
- rm -rf conftest*
- eval "ac_cv_func_$ac_func=yes"
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- eval "ac_cv_func_$ac_func=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
- echo "$ac_t""yes" 1>&6
- ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
- cat >> confdefs.h <<EOF
-#define $ac_tr_func 1
-EOF
-
-else
- echo "$ac_t""no" 1>&6
-LIBOBJS="$LIBOBJS ${ac_func}.${ac_objext}"
-fi
-done
-
-
-echo $ac_n "checking for main in -lnsl""... $ac_c" 1>&6
-echo "configure:1234: checking for main in -lnsl" >&5
-ac_lib_var=`echo nsl'_'main | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- ac_save_LIBS="$LIBS"
-LIBS="-lnsl $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 1242 "configure"
-#include "confdefs.h"
-
-int main() {
-main()
-; return 0; }
-EOF
-if { (eval echo configure:1249: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
- rm -rf conftest*
- eval "ac_cv_lib_$ac_lib_var=yes"
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- eval "ac_cv_lib_$ac_lib_var=no"
-fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
- echo "$ac_t""yes" 1>&6
- ac_tr_lib=HAVE_LIB`echo nsl | sed -e 's/[^a-zA-Z0-9_]/_/g' \
- -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'`
- cat >> confdefs.h <<EOF
-#define $ac_tr_lib 1
-EOF
-
- LIBS="-lnsl $LIBS"
-
-else
- echo "$ac_t""no" 1>&6
-fi
-
-echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6
-echo "configure:1277: checking for main in -lsocket" >&5
-ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'`
-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- ac_save_LIBS="$LIBS"
-LIBS="-lsocket $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 1285 "configure"
-#include "confdefs.h"
-
-int main() {
-main()
-; return 0; }
-EOF
-if { (eval echo configure:1292: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
- rm -rf conftest*
- eval "ac_cv_lib_$ac_lib_var=yes"
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- eval "ac_cv_lib_$ac_lib_var=no"
-fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
- echo "$ac_t""yes" 1>&6
- ac_tr_lib=HAVE_LIB`echo socket | sed -e 's/[^a-zA-Z0-9_]/_/g' \
- -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'`
- cat >> confdefs.h <<EOF
-#define $ac_tr_lib 1
-EOF
-
- LIBS="-lsocket $LIBS"
-
-else
- echo "$ac_t""no" 1>&6
-fi
-
-
-echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
-echo "configure:1321: checking for ANSI C header files" >&5
-if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- cat > conftest.$ac_ext <<EOF
-#line 1326 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <float.h>
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1334: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
- rm -rf conftest*
- ac_cv_header_stdc=yes
-else
- echo "$ac_err" >&5
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-if test $ac_cv_header_stdc = yes; then
- # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-cat > conftest.$ac_ext <<EOF
-#line 1351 "configure"
-#include "confdefs.h"
-#include <string.h>
-EOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
- egrep "memchr" >/dev/null 2>&1; then
- :
-else
- rm -rf conftest*
- ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
- # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-cat > conftest.$ac_ext <<EOF
-#line 1369 "configure"
-#include "confdefs.h"
-#include <stdlib.h>
-EOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
- egrep "free" >/dev/null 2>&1; then
- :
-else
- rm -rf conftest*
- ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
- # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-if test "$cross_compiling" = yes; then
- :
-else
- cat > conftest.$ac_ext <<EOF
-#line 1390 "configure"
-#include "confdefs.h"
-#include <ctype.h>
-#define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-#define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
-int main () { int i; for (i = 0; i < 256; i++)
-if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2);
-exit (0); }
-
-EOF
-if { (eval echo configure:1401: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
-then
- :
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -fr conftest*
- ac_cv_header_stdc=no
-fi
-rm -fr conftest*
-fi
-
-fi
-fi
-
-echo "$ac_t""$ac_cv_header_stdc" 1>&6
-if test $ac_cv_header_stdc = yes; then
- cat >> confdefs.h <<\EOF
-#define STDC_HEADERS 1
-EOF
-
-fi
-
-echo $ac_n "checking for int32_t""... $ac_c" 1>&6
-echo "configure:1425: checking for int32_t" >&5
-if eval "test \"`echo '$''{'ac_cv_type_int32_t'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- cat > conftest.$ac_ext <<EOF
-#line 1430 "configure"
-#include "confdefs.h"
-#include <sys/types.h>
-#if STDC_HEADERS
-#include <stdlib.h>
-#include <stddef.h>
-#endif
-EOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
- egrep "(^|[^a-zA-Z_0-9])int32_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
- rm -rf conftest*
- ac_cv_type_int32_t=yes
-else
- rm -rf conftest*
- ac_cv_type_int32_t=no
-fi
-rm -f conftest*
-
-fi
-echo "$ac_t""$ac_cv_type_int32_t" 1>&6
-if test $ac_cv_type_int32_t = no; then
- cat >> confdefs.h <<\EOF
-#define int32_t int
-EOF
-
-fi
-
-echo $ac_n "checking for u_int32_t""... $ac_c" 1>&6
-echo "configure:1458: checking for u_int32_t" >&5
-if eval "test \"`echo '$''{'ac_cv_type_u_int32_t'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- cat > conftest.$ac_ext <<EOF
-#line 1463 "configure"
-#include "confdefs.h"
-#include <sys/types.h>
-#if STDC_HEADERS
-#include <stdlib.h>
-#include <stddef.h>
-#endif
-EOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
- egrep "(^|[^a-zA-Z_0-9])u_int32_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
- rm -rf conftest*
- ac_cv_type_u_int32_t=yes
-else
- rm -rf conftest*
- ac_cv_type_u_int32_t=no
-fi
-rm -f conftest*
-
-fi
-echo "$ac_t""$ac_cv_type_u_int32_t" 1>&6
-if test $ac_cv_type_u_int32_t = no; then
- cat >> confdefs.h <<\EOF
-#define u_int32_t u_int
-EOF
-
-fi
-
-
-rm -f os-proto.h
- if test "${LBL_CFLAGS+set}" = set; then
- V_CCOPT="$V_CCOPT ${LBL_CFLAGS}"
- fi
- if test -f .devel ; then
- if test "$GCC" = yes ; then
- if test "$SHLICC2" = yes ; then
- ac_cv_lbl_gcc_vers=2
- V_CCOPT="`echo $V_CCOPT | sed -e 's/-O/-O2/'`"
- else
- echo $ac_n "checking gcc version""... $ac_c" 1>&6
-echo "configure:1502: checking gcc version" >&5
- if eval "test \"`echo '$''{'ac_cv_lbl_gcc_vers'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- ac_cv_lbl_gcc_vers=`$CC --version 2>&1 | \
- sed -e 's/\..*//'`
-fi
-
- echo "$ac_t""$ac_cv_lbl_gcc_vers" 1>&6
- if test $ac_cv_lbl_gcc_vers -gt 1 ; then
- V_CCOPT="`echo $V_CCOPT | sed -e 's/-O/-O2/'`"
- fi
- fi
- if test "${LBL_CFLAGS+set}" != set; then
- if test "$ac_cv_prog_cc_g" = yes ; then
- V_CCOPT="-g $V_CCOPT"
- fi
- V_CCOPT="$V_CCOPT -Wall"
- if test $ac_cv_lbl_gcc_vers -gt 1 ; then
- V_CCOPT="$V_CCOPT -Wmissing-prototypes -Wstrict-prototypes"
- fi
- fi
- else
- case "$target_os" in
-
- irix6*)
- V_CCOPT="$V_CCOPT -fullwarn -n32"
- ;;
-
- *)
- ;;
- esac
- fi
- os=`echo $target_os | sed -e 's/\([0-9][0-9]*\)[^0-9].*$/\1/'`
- name="lbl/os-$os.h"
- if test -f $name ; then
- ln -s $name os-proto.h
- cat >> confdefs.h <<\EOF
-#define HAVE_OS_PROTO_H 1
-EOF
-
- else
- echo "configure: warning: can't find $name" 1>&2
- fi
- fi
-
-if test -r lbl/gnuc.h ; then
- rm -f gnuc.h
- ln -s lbl/gnuc.h gnuc.h
-fi
-
-
-
-
-# Find a good install program. We prefer a C program (faster),
-# so one script is as good as another. But avoid the broken or
-# incompatible versions:
-# SysV /etc/install, /usr/sbin/install
-# SunOS /usr/etc/install
-# IRIX /sbin/install
-# AIX /bin/install
-# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
-# AFS /usr/afsws/bin/install, which mishandles nonexistent args
-# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
-# ./install, which can be erroneously created by make from ./install.sh.
-echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
-echo "configure:1568: checking for a BSD compatible install" >&5
-if test -z "$INSTALL"; then
-if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- IFS="${IFS= }"; ac_save_IFS="$IFS"; IFS=":"
- for ac_dir in $PATH; do
- # Account for people who put trailing slashes in PATH elements.
- case "$ac_dir/" in
- /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;;
- *)
- # OSF1 and SCO ODT 3.0 have their own names for install.
- # Don't use installbsd from OSF since it installs stuff as root
- # by default.
- for ac_prog in ginstall scoinst install; do
- if test -f $ac_dir/$ac_prog; then
- if test $ac_prog = install &&
- grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then
- # AIX install. It has an incompatible calling convention.
- :
- else
- ac_cv_path_install="$ac_dir/$ac_prog -c"
- break 2
- fi
- fi
- done
- ;;
- esac
- done
- IFS="$ac_save_IFS"
-
-fi
- if test "${ac_cv_path_install+set}" = set; then
- INSTALL="$ac_cv_path_install"
- else
- # As a last resort, use the slow shell script. We don't cache a
- # path for INSTALL within a source directory, because that will
- # break other packages using the cache if that directory is
- # removed, or if the path is relative.
- INSTALL="$ac_install_sh"
- fi
-fi
-echo "$ac_t""$INSTALL" 1>&6
-
-# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
-# It thinks the first close brace ends the variable substitution.
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
-
-test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
-
-test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
-
-
-trap '' 1 2 15
-cat > confcache <<\EOF
-# This file is a shell script that caches the results of configure
-# tests run on this system so they can be shared between configure
-# scripts and configure runs. It is not useful on other systems.
-# If it contains results you don't want to keep, you may remove or edit it.
-#
-# By default, configure uses ./config.cache as the cache file,
-# creating it if it does not exist already. You can give configure
-# the --cache-file=FILE option to use a different cache file; that is
-# what configure does when it calls configure scripts in
-# subdirectories, so they share the cache.
-# Giving --cache-file=/dev/null disables caching, for debugging configure.
-# config.status only pays attention to the cache file if you give it the
-# --recheck option to rerun configure.
-#
-EOF
-# The following way of writing the cache mishandles newlines in values,
-# but we know of no workaround that is simple, portable, and efficient.
-# So, don't put newlines in cache variables' values.
-# Ultrix sh set writes to stderr and can't be redirected directly,
-# and sets the high bit in the cache file unless we assign to the vars.
-(set) 2>&1 |
- case `(ac_space=' '; set | grep ac_space) 2>&1` in
- *ac_space=\ *)
- # `set' does not quote correctly, so add quotes (double-quote substitution
- # turns \\\\ into \\, and sed turns \\ into \).
- sed -n \
- -e "s/'/'\\\\''/g" \
- -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p"
- ;;
- *)
- # `set' quotes correctly as required by POSIX, so do not add quotes.
- sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p'
- ;;
- esac >> confcache
-if cmp -s $cache_file confcache; then
- :
-else
- if test -w $cache_file; then
- echo "updating cache $cache_file"
- cat confcache > $cache_file
- else
- echo "not updating unwritable cache $cache_file"
- fi
-fi
-rm -f confcache
-
-trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
-
-test "x$prefix" = xNONE && prefix=$ac_default_prefix
-# Let make expand exec_prefix.
-test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
-
-# Any assignment to VPATH causes Sun make to only execute
-# the first set of double-colon rules, so remove it if not needed.
-# If there is a colon in the path, we need to keep it.
-if test "x$srcdir" = x.; then
- ac_vpsub='/^[ ]*VPATH[ ]*=[^:]*$/d'
-fi
-
-trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15
-
-# Transform confdefs.h into DEFS.
-# Protect against shell expansion while executing Makefile rules.
-# Protect against Makefile macro expansion.
-cat > conftest.defs <<\EOF
-s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%-D\1=\2%g
-s%[ `~#$^&*(){}\\|;'"<>?]%\\&%g
-s%\[%\\&%g
-s%\]%\\&%g
-s%\$%$$%g
-EOF
-DEFS=`sed -f conftest.defs confdefs.h | tr '\012' ' '`
-rm -f conftest.defs
-
-
-# Without the "./", some shells look in PATH for config.status.
-: ${CONFIG_STATUS=./config.status}
-
-echo creating $CONFIG_STATUS
-rm -f $CONFIG_STATUS
-cat > $CONFIG_STATUS <<EOF
-#! /bin/sh
-# Generated automatically by configure.
-# Run this file to recreate the current configuration.
-# This directory was configured as follows,
-# on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-#
-# $0 $ac_configure_args
-#
-# Compiler output produced by configure, useful for debugging
-# configure, is in ./config.log if it exists.
-
-ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]"
-for ac_option
-do
- case "\$ac_option" in
- -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
- echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion"
- exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;;
- -version | --version | --versio | --versi | --vers | --ver | --ve | --v)
- echo "$CONFIG_STATUS generated by autoconf version 2.13"
- exit 0 ;;
- -help | --help | --hel | --he | --h)
- echo "\$ac_cs_usage"; exit 0 ;;
- *) echo "\$ac_cs_usage"; exit 1 ;;
- esac
-done
-
-ac_given_srcdir=$srcdir
-ac_given_INSTALL="$INSTALL"
-
-trap 'rm -fr `echo "Makefile" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15
-EOF
-cat >> $CONFIG_STATUS <<EOF
-
-# Protect against being on the right side of a sed subst in config.status.
-sed 's/%@/@@/; s/@%/@@/; s/%g\$/@g/; /@g\$/s/[\\\\&%]/\\\\&/g;
- s/@@/%@/; s/@@/@%/; s/@g\$/%g/' > conftest.subs <<\\CEOF
-$ac_vpsub
-$extrasub
-s%@SHELL@%$SHELL%g
-s%@CFLAGS@%$CFLAGS%g
-s%@CPPFLAGS@%$CPPFLAGS%g
-s%@CXXFLAGS@%$CXXFLAGS%g
-s%@FFLAGS@%$FFLAGS%g
-s%@DEFS@%$DEFS%g
-s%@LDFLAGS@%$LDFLAGS%g
-s%@LIBS@%$LIBS%g
-s%@exec_prefix@%$exec_prefix%g
-s%@prefix@%$prefix%g
-s%@program_transform_name@%$program_transform_name%g
-s%@bindir@%$bindir%g
-s%@sbindir@%$sbindir%g
-s%@libexecdir@%$libexecdir%g
-s%@datadir@%$datadir%g
-s%@sysconfdir@%$sysconfdir%g
-s%@sharedstatedir@%$sharedstatedir%g
-s%@localstatedir@%$localstatedir%g
-s%@libdir@%$libdir%g
-s%@includedir@%$includedir%g
-s%@oldincludedir@%$oldincludedir%g
-s%@infodir@%$infodir%g
-s%@mandir@%$mandir%g
-s%@host@%$host%g
-s%@host_alias@%$host_alias%g
-s%@host_cpu@%$host_cpu%g
-s%@host_vendor@%$host_vendor%g
-s%@host_os@%$host_os%g
-s%@target@%$target%g
-s%@target_alias@%$target_alias%g
-s%@target_cpu@%$target_cpu%g
-s%@target_vendor@%$target_vendor%g
-s%@target_os@%$target_os%g
-s%@build@%$build%g
-s%@build_alias@%$build_alias%g
-s%@build_cpu@%$build_cpu%g
-s%@build_vendor@%$build_vendor%g
-s%@build_os@%$build_os%g
-s%@SHLICC2@%$SHLICC2%g
-s%@CC@%$CC%g
-s%@CPP@%$CPP%g
-s%@LIBOBJS@%$LIBOBJS%g
-s%@V_CCOPT@%$V_CCOPT%g
-s%@V_INCLS@%$V_INCLS%g
-s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g
-s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g
-s%@INSTALL_DATA@%$INSTALL_DATA%g
-
-CEOF
-EOF
-
-cat >> $CONFIG_STATUS <<\EOF
-
-# Split the substitutions into bite-sized pieces for seds with
-# small command number limits, like on Digital OSF/1 and HP-UX.
-ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script.
-ac_file=1 # Number of current file.
-ac_beg=1 # First line for current file.
-ac_end=$ac_max_sed_cmds # Line after last line for current file.
-ac_more_lines=:
-ac_sed_cmds=""
-while $ac_more_lines; do
- if test $ac_beg -gt 1; then
- sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file
- else
- sed "${ac_end}q" conftest.subs > conftest.s$ac_file
- fi
- if test ! -s conftest.s$ac_file; then
- ac_more_lines=false
- rm -f conftest.s$ac_file
- else
- if test -z "$ac_sed_cmds"; then
- ac_sed_cmds="sed -f conftest.s$ac_file"
- else
- ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file"
- fi
- ac_file=`expr $ac_file + 1`
- ac_beg=$ac_end
- ac_end=`expr $ac_end + $ac_max_sed_cmds`
- fi
-done
-if test -z "$ac_sed_cmds"; then
- ac_sed_cmds=cat
-fi
-EOF
-
-cat >> $CONFIG_STATUS <<EOF
-
-CONFIG_FILES=\${CONFIG_FILES-"Makefile"}
-EOF
-cat >> $CONFIG_STATUS <<\EOF
-for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
- # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
- case "$ac_file" in
- *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
- ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
- *) ac_file_in="${ac_file}.in" ;;
- esac
-
- # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories.
-
- # Remove last slash and all that follows it. Not all systems have dirname.
- ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
- if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
- # The file is in a subdirectory.
- test ! -d "$ac_dir" && mkdir "$ac_dir"
- ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`"
- # A "../" for each directory in $ac_dir_suffix.
- ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'`
- else
- ac_dir_suffix= ac_dots=
- fi
-
- case "$ac_given_srcdir" in
- .) srcdir=.
- if test -z "$ac_dots"; then top_srcdir=.
- else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;;
- /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;;
- *) # Relative path.
- srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix"
- top_srcdir="$ac_dots$ac_given_srcdir" ;;
- esac
-
- case "$ac_given_INSTALL" in
- [/$]*) INSTALL="$ac_given_INSTALL" ;;
- *) INSTALL="$ac_dots$ac_given_INSTALL" ;;
- esac
-
- echo creating "$ac_file"
- rm -f "$ac_file"
- configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure."
- case "$ac_file" in
- *Makefile*) ac_comsub="1i\\
-# $configure_input" ;;
- *) ac_comsub= ;;
- esac
-
- ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
- sed -e "$ac_comsub
-s%@configure_input@%$configure_input%g
-s%@srcdir@%$srcdir%g
-s%@top_srcdir@%$top_srcdir%g
-s%@INSTALL@%$INSTALL%g
-" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file
-fi; done
-rm -f conftest.s*
-
-EOF
-cat >> $CONFIG_STATUS <<EOF
-
-EOF
-cat >> $CONFIG_STATUS <<\EOF
-
-exit 0
-EOF
-chmod +x $CONFIG_STATUS
-rm -fr confdefs* $ac_clean_files
-test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1
-
-
-if test -f .devel ; then
- make depend
-fi
-exit 0
+++ /dev/null
-dnl @(#) $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/nslint-2.1a3/configure.in,v 1.1 2001/12/21 04:12:03 marka Exp $ (LBL)
-dnl
-dnl Copyright (c) 1995, 1996, 1997
-dnl The Regents of the University of California. All rights reserved.
-dnl
-dnl Process this file with autoconf to produce a configure script.
-dnl
-
-AC_INIT(nslint.c)
-
-AC_CANONICAL_SYSTEM
-
-umask 002
-
-if test -z "$PWD" ; then
- PWD=`pwd`
-fi
-
-AC_LBL_C_INIT(V_CCOPT, V_INCLS)
-
-AC_CHECK_HEADERS(fcntl.h malloc.h memory.h)
-
-AC_REPLACE_FUNCS(strerror)
-AC_CHECK_LIB(nsl, main)
-AC_CHECK_LIB(socket, main)
-
-AC_CHECK_TYPE(int32_t, int)
-AC_CHECK_TYPE(u_int32_t, u_int)
-
-AC_LBL_DEVEL(V_CCOPT)
-
-if test -r lbl/gnuc.h ; then
- rm -f gnuc.h
- ln -s lbl/gnuc.h gnuc.h
-fi
-
-AC_SUBST(V_CCOPT)
-AC_SUBST(V_INCLS)
-
-AC_PROG_INSTALL
-
-AC_OUTPUT(Makefile)
-
-if test -f .devel ; then
- make depend
-fi
-exit 0
+++ /dev/null
-#! /bin/sh
-#
-# install - install a program, script, or datafile
-# This comes from X11R5 (mit/util/scripts/install.sh).
-#
-# Copyright 1991 by the Massachusetts Institute of Technology
-#
-# Permission to use, copy, modify, distribute, and sell this software and its
-# documentation for any purpose is hereby granted without fee, provided that
-# the above copyright notice appear in all copies and that both that
-# copyright notice and this permission notice appear in supporting
-# documentation, and that the name of M.I.T. not be used in advertising or
-# publicity pertaining to distribution of the software without specific,
-# written prior permission. M.I.T. makes no representations about the
-# suitability of this software for any purpose. It is provided "as is"
-# without express or implied warranty.
-#
-# Calling this script install-sh is preferred over install.sh, to prevent
-# `make' implicit rules from creating a file called install from it
-# when there is no Makefile.
-#
-# This script is compatible with the BSD install script, but was written
-# from scratch. It can only install one file at a time, a restriction
-# shared with many OS's install programs.
-
-
-# set DOITPROG to echo to test this script
-
-# Don't use :- since 4.3BSD and earlier shells don't like it.
-doit="${DOITPROG-}"
-
-
-# put in absolute paths if you don't have them in your path; or use env. vars.
-
-mvprog="${MVPROG-mv}"
-cpprog="${CPPROG-cp}"
-chmodprog="${CHMODPROG-chmod}"
-chownprog="${CHOWNPROG-chown}"
-chgrpprog="${CHGRPPROG-chgrp}"
-stripprog="${STRIPPROG-strip}"
-rmprog="${RMPROG-rm}"
-mkdirprog="${MKDIRPROG-mkdir}"
-
-transformbasename=""
-transform_arg=""
-instcmd="$mvprog"
-chmodcmd="$chmodprog 0755"
-chowncmd=""
-chgrpcmd=""
-stripcmd=""
-rmcmd="$rmprog -f"
-mvcmd="$mvprog"
-src=""
-dst=""
-dir_arg=""
-
-while [ x"$1" != x ]; do
- case $1 in
- -c) instcmd="$cpprog"
- shift
- continue;;
-
- -d) dir_arg=true
- shift
- continue;;
-
- -m) chmodcmd="$chmodprog $2"
- shift
- shift
- continue;;
-
- -o) chowncmd="$chownprog $2"
- shift
- shift
- continue;;
-
- -g) chgrpcmd="$chgrpprog $2"
- shift
- shift
- continue;;
-
- -s) stripcmd="$stripprog"
- shift
- continue;;
-
- -t=*) transformarg=`echo $1 | sed 's/-t=//'`
- shift
- continue;;
-
- -b=*) transformbasename=`echo $1 | sed 's/-b=//'`
- shift
- continue;;
-
- *) if [ x"$src" = x ]
- then
- src=$1
- else
- # this colon is to work around a 386BSD /bin/sh bug
- :
- dst=$1
- fi
- shift
- continue;;
- esac
-done
-
-if [ x"$src" = x ]
-then
- echo "install: no input file specified"
- exit 1
-else
- true
-fi
-
-if [ x"$dir_arg" != x ]; then
- dst=$src
- src=""
-
- if [ -d $dst ]; then
- instcmd=:
- else
- instcmd=mkdir
- fi
-else
-
-# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
-# might cause directories to be created, which would be especially bad
-# if $src (and thus $dsttmp) contains '*'.
-
- if [ -f $src -o -d $src ]
- then
- true
- else
- echo "install: $src does not exist"
- exit 1
- fi
-
- if [ x"$dst" = x ]
- then
- echo "install: no destination specified"
- exit 1
- else
- true
- fi
-
-# If destination is a directory, append the input filename; if your system
-# does not like double slashes in filenames, you may need to add some logic
-
- if [ -d $dst ]
- then
- dst="$dst"/`basename $src`
- else
- true
- fi
-fi
-
-## this sed command emulates the dirname command
-dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
-
-# Make sure that the destination directory exists.
-# this part is taken from Noah Friedman's mkinstalldirs script
-
-# Skip lots of stat calls in the usual case.
-if [ ! -d "$dstdir" ]; then
-defaultIFS='
-'
-IFS="${IFS-${defaultIFS}}"
-
-oIFS="${IFS}"
-# Some sh's can't handle IFS=/ for some reason.
-IFS='%'
-set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
-IFS="${oIFS}"
-
-pathcomp=''
-
-while [ $# -ne 0 ] ; do
- pathcomp="${pathcomp}${1}"
- shift
-
- if [ ! -d "${pathcomp}" ] ;
- then
- $mkdirprog "${pathcomp}"
- else
- true
- fi
-
- pathcomp="${pathcomp}/"
-done
-fi
-
-if [ x"$dir_arg" != x ]
-then
- $doit $instcmd $dst &&
-
- if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
- if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
- if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
- if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
-else
-
-# If we're going to rename the final executable, determine the name now.
-
- if [ x"$transformarg" = x ]
- then
- dstfile=`basename $dst`
- else
- dstfile=`basename $dst $transformbasename |
- sed $transformarg`$transformbasename
- fi
-
-# don't allow the sed command to completely eliminate the filename
-
- if [ x"$dstfile" = x ]
- then
- dstfile=`basename $dst`
- else
- true
- fi
-
-# Make a temp file name in the proper directory.
-
- dsttmp=$dstdir/#inst.$$#
-
-# Move or copy the file name to the temp name
-
- $doit $instcmd $src $dsttmp &&
-
- trap "rm -f ${dsttmp}" 0 &&
-
-# and set any options; do chmod last to preserve setuid bits
-
-# If any of these fail, we abort the whole thing. If we want to
-# ignore errors from any of these, just make sure not to ignore
-# errors from the above "$doit $instcmd $src $dsttmp" command.
-
- if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
- if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
- if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
- if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
-
-# Now rename the file to the real destination.
-
- $doit $rmcmd -f $dstdir/$dstfile &&
- $doit $mvcmd $dsttmp $dstdir/$dstfile
-
-fi &&
-
-
-exit 0
+++ /dev/null
-/*
- * Copyright (c) 1994, 1995, 1996
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * @(#) $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/nslint-2.1a3/lbl/os-irix5.h,v 1.1 2001/12/21 04:12:05 marka Exp $ (LBL)
- */
-
-/* Prototypes missing in IRIX 5 */
-#ifdef __STDC__
-struct ether_addr;
-#endif
-int ether_hostton(char *, struct ether_addr *);
-char *ether_ntoa(struct ether_addr *);
-#ifdef __STDC__
-struct utmp;
-#endif
-void login(struct utmp *);
-int setenv(const char *, const char *, int);
-int sigblock(int);
-int sigsetmask(int);
-int snprintf(char *, size_t, const char *, ...);
-time_t time(time_t *);
+++ /dev/null
-/*
- * Copyright (c) 1995, 1996
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * @(#) $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/nslint-2.1a3/lbl/os-osf3.h,v 1.1 2001/12/21 04:12:05 marka Exp $ (LBL)
- */
-
-/* Prototypes missing in osf3 */
-int flock(int, int);
-int ioctl(int, int, caddr_t);
-int iruserok(u_int, int, char *, char *);
-int pfopen(char *, int);
-int rcmd(char **, u_short, const char *, const char *, const char *, int *);
-int rresvport(int *);
-int snprintf(char *, size_t, const char *, ...);
-void sync(void);
+++ /dev/null
-/*
- * Copyright (c) 1993, 1994, 1995, 1996, 1997, 2000
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * @(#) $Id: os-solaris2.h,v 1.1 2001/12/21 04:12:05 marka Exp $ (LBL)
- */
-
-/* Prototypes missing in SunOS 5 */
-int daemon(int, int);
-int dn_expand(const u_char *, const u_char *, const u_char *, char *, int);
-int dn_skipname(const u_char *, const u_char *);
-int flock(int, int);
-int getdtablesize(void);
-int gethostname(char *, int);
-int getpagesize(void);
-char *getusershell(void);
-char *getwd(char *);
-int iruserok(u_int, int, char *, char *);
-#ifdef __STDC__
-struct utmp;
-void login(struct utmp *);
-#endif
-int logout(const char *);
-int res_query(const char *, int, int, u_char *, int);
-int setenv(const char *, const char *, int);
-#if defined(_STDIO_H) && defined(HAVE_SETLINEBUF)
-int setlinebuf(FILE *);
-#endif
-int sigblock(int);
-int sigsetmask(int);
-char *strerror(int);
-int snprintf(char *, size_t, const char *, ...);
-int strcasecmp(const char *, const char *);
-void unsetenv(const char *);
+++ /dev/null
-/*
- * Copyright (c) 1989, 1990, 1993, 1994, 1995, 1996
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * @(#) $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/nslint-2.1a3/lbl/os-sunos4.h,v 1.1 2001/12/21 04:12:05 marka Exp $ (LBL)
- */
-
-/* Prototypes missing in SunOS 4 */
-#ifdef FILE
-int _filbuf(FILE *);
-int _flsbuf(u_char, FILE *);
-int fclose(FILE *);
-int fflush(FILE *);
-int fgetc(FILE *);
-int fprintf(FILE *, const char *, ...);
-int fputc(int, FILE *);
-int fputs(const char *, FILE *);
-u_int fread(void *, u_int, u_int, FILE *);
-int fseek(FILE *, long, int);
-u_int fwrite(const void *, u_int, u_int, FILE *);
-int pclose(FILE *);
-void rewind(FILE *);
-void setbuf(FILE *, char *);
-int setlinebuf(FILE *);
-int ungetc(int, FILE *);
-int vfprintf(FILE *, const char *, ...);
-int vprintf(const char *, ...);
-#endif
-
-#if __GNUC__ <= 1
-int read(int, char *, u_int);
-int write(int, char *, u_int);
-#endif
-
-long a64l(const char *);
-#ifdef __STDC__
-struct sockaddr;
-#endif
-int accept(int, struct sockaddr *, int *);
-int bind(int, struct sockaddr *, int);
-int bcmp(const void *, const void *, u_int);
-void bcopy(const void *, void *, u_int);
-void bzero(void *, int);
-int chroot(const char *);
-int close(int);
-void closelog(void);
-int connect(int, struct sockaddr *, int);
-char *crypt(const char *, const char *);
-int daemon(int, int);
-int fchmod(int, int);
-int fchown(int, int, int);
-void endgrent(void);
-void endpwent(void);
-void endservent(void);
-#ifdef __STDC__
-struct ether_addr;
-#endif
-struct ether_addr *ether_aton(const char *);
-int flock(int, int);
-#ifdef __STDC__
-struct stat;
-#endif
-int fstat(int, struct stat *);
-#ifdef __STDC__
-struct statfs;
-#endif
-int fstatfs(int, struct statfs *);
-int fsync(int);
-#ifdef __STDC__
-struct timeb;
-#endif
-int ftime(struct timeb *);
-int ftruncate(int, off_t);
-int getdtablesize(void);
-long gethostid(void);
-int gethostname(char *, int);
-int getopt(int, char * const *, const char *);
-int getpagesize(void);
-char *getpass(char *);
-int getpeername(int, struct sockaddr *, int *);
-int getpriority(int, int);
-#ifdef __STDC__
-struct rlimit;
-#endif
-int getrlimit(int, struct rlimit *);
-int getsockname(int, struct sockaddr *, int *);
-int getsockopt(int, int, int, char *, int *);
-#ifdef __STDC__
-struct timeval;
-struct timezone;
-#endif
-int gettimeofday(struct timeval *, struct timezone *);
-char *getusershell(void);
-char *getwd(char *);
-int initgroups(const char *, int);
-int ioctl(int, int, caddr_t);
-int iruserok(u_long, int, char *, char *);
-int isatty(int);
-int killpg(int, int);
-int listen(int, int);
-#ifdef __STDC__
-struct utmp;
-#endif
-void login(struct utmp *);
-int logout(const char *);
-off_t lseek(int, off_t, int);
-int lstat(const char *, struct stat *);
-int mkstemp(char *);
-char *mktemp(char *);
-int munmap(caddr_t, int);
-void openlog(const char *, int, int);
-void perror(const char *);
-int printf(const char *, ...);
-int puts(const char *);
-long random(void);
-int readlink(const char *, char *, int);
-#ifdef __STDC__
-struct iovec;
-#endif
-int readv(int, struct iovec *, int);
-int recv(int, char *, u_int, int);
-int recvfrom(int, char *, u_int, int, struct sockaddr *, int *);
-int rename(const char *, const char *);
-int rcmd(char **, u_short, char *, char *, char *, int *);
-int rresvport(int *);
-int send(int, char *, u_int, int);
-int sendto(int, char *, u_int, int, struct sockaddr *, int);
-int setenv(const char *, const char *, int);
-int seteuid(int);
-int setpriority(int, int, int);
-int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
-int setpgrp(int, int);
-void setpwent(void);
-int setrlimit(int, struct rlimit *);
-void setservent(int);
-int setsockopt(int, int, int, char *, int);
-int shutdown(int, int);
-int sigblock(int);
-void (*signal (int, void (*) (int))) (int);
-int sigpause(int);
-int sigsetmask(int);
-#ifdef __STDC__
-struct sigvec;
-#endif
-int sigvec(int, struct sigvec *, struct sigvec*);
-int snprintf(char *, size_t, const char *, ...);
-int socket(int, int, int);
-int socketpair(int, int, int, int *);
-int symlink(const char *, const char *);
-void srandom(int);
-int sscanf(char *, const char *, ...);
-int stat(const char *, struct stat *);
-int statfs(char *, struct statfs *);
-char *strerror(int);
-int strcasecmp(const char *, const char *);
-#ifdef __STDC__
-struct tm;
-#endif
-int strftime(char *, int, char *, struct tm *);
-int strncasecmp(const char *, const char *, int);
-long strtol(const char *, char **, int);
-void sync(void);
-void syslog(int, const char *, ...);
-int system(const char *);
-long tell(int);
-time_t time(time_t *);
-char *timezone(int, int);
-int tolower(int);
-int toupper(int);
-int truncate(char *, off_t);
-void unsetenv(const char *);
-int vfork(void);
-int vsprintf(char *, const char *, ...);
-int writev(int, struct iovec *, int);
-#ifdef __STDC__
-struct rusage;
-#endif
-int utimes(const char *, struct timeval *);
-#if __GNUC__ <= 1
-int wait(int *);
-pid_t wait3(int *, int, struct rusage *);
-#endif
-
-/* Ugly signal hacking */
-#ifdef SIG_ERR
-#undef SIG_ERR
-#define SIG_ERR (void (*)(int))-1
-#undef SIG_DFL
-#define SIG_DFL (void (*)(int))0
-#undef SIG_IGN
-#define SIG_IGN (void (*)(int))1
-
-#ifdef KERNEL
-#undef SIG_CATCH
-#define SIG_CATCH (void (*)(int))2
-#endif
-#undef SIG_HOLD
-#define SIG_HOLD (void (*)(int))3
-#endif
+++ /dev/null
-/*
- * Copyright (c) 1990, 1993, 1994, 1995, 1996
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * @(#) $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/nslint-2.1a3/lbl/os-ultrix4.h,v 1.1 2001/12/21 04:12:05 marka Exp $ (LBL)
- */
-
-/* Prototypes missing in Ultrix 4 */
-int bcmp(const char *, const char *, u_int);
-void bcopy(const void *, void *, u_int);
-void bzero(void *, u_int);
-void endservent(void);
-int getopt(int, char * const *, const char *);
-#ifdef __STDC__
-struct timeval;
-struct timezone;
-#endif
-int gettimeofday(struct timeval *, struct timezone *);
-int ioctl(int, int, caddr_t);
-int pfopen(char *, int);
-int setlinebuf(FILE *);
-int socket(int, int, int);
-int strcasecmp(const char *, const char *);
-@(#) $Id: CHANGES,v 1.1 2001/12/21 04:12:02 marka Exp $ (LBL)
+@(#) $Id: CHANGES 250 2009-10-16 23:26:47Z leres $ (LBL)
-v2.1 Wed Aug 22 18:30:35 PDT 2001
+v3.0 Fri Oct 16 16:26:04 PDT 2009
+
+- Add IPv6 support.
+
+v2.2 Fri Mar 13 22:29:52 PDT 2009
+
+- Convert source tree to subversion
+
+v2.1 Fri Feb 15 20:45:01 PST 2008
- Handle "srv" records.
- Add "ignore" option
+- Hack in support for "view"
+
+- Check for duplicate "cname" records.
+
+- Upgrade to autoconf 2.61
+
v2.0.2 Tue Mar 20 17:49:13 PST 2001
- Allow missing trailing dot in certain special cases.
- Document nslint.conf network keyword.
+- Sort the network list so that we always pick the right network/mask
+ when the overlap.
+
v2.0.1 Tue Dec 14 11:24:31 PST 1999
- Handle $ttl.
configure.in
install-sh
lbl/gnuc.h
-lbl/os-irix5.h
-lbl/os-osf3.h
-lbl/os-solaris2.h
-lbl/os-sunos4.h
-lbl/os-ultrix4.h
mkdep
nslint.8
nslint.c
savestr.c
savestr.h
strerror.c
+version.h
-@(#) $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/nslint-2.1a3/INSTALL,v 1.1 2001/12/21 04:12:02 marka Exp $ (LBL)
+@(#) $Id: INSTALL 238 2009-03-14 05:43:37Z leres $ (LBL)
You will need an ANSI C compiler to build nslint. The configure
script will abort if your compiler is not ANSI compliant. If this
configure.in - configure script source
install-sh - BSD style install script
lbl/gnuc.h - gcc macros and defines
-lbl/os-*.h - os dependent defines and prototypes
mkdep - construct Makefile dependency list
nslint.8 - manual entry
nslint.c - main program
savestr.c - strdup() replacement
savestr.h - savestr prototypes
strerror.c - missing routine
+version.h - prototypes, defines and struct definitions
-# Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997, 2000
+# Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997, 2000, 2008, 2009
# The Regents of the University of California. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#
-# @(#) $Id: Makefile.in,v 1.2 2004/07/20 07:13:40 marka Exp $ (LBL)
+# @(#) $Id: Makefile.in 242 2009-10-14 08:30:03Z leres $ (LBL)
#
# Various configurable paths (remember to edit Makefile.in, not Makefile)
# Pathname of directory to install the binary
BINDEST = @bindir@
# Pathname of directory to install the man page
-MANDEST = @mandir@
+MANDEST = @prefix@/man
+# The root of the directory tree for read-only
+datarootdir = @datarootdir@
# VPATH
srcdir = @srcdir@
# Standard CFLAGS
CFLAGS = $(CCOPT) $(DEFS) $(INCLS)
+# Standard LDFLAGS
+LDFLAGS = @LDFLAGS@
+
# Standard LIBS
LIBS = @LIBS@
SRC = $(CSRC) $(GENSRC)
-# We would like to say "OBJ = $(SRC:.c=.o)" but Ultrix's make cannot
+# We would like to say "OBJS = $(SRC:.c=.o)" but Ultrix's make cannot
# hack the extra indirection
-OBJ = $(CSRC:.c=.o) $(GENSRC:.c=.o) @LIBOBJS@
+OBJS = $(CSRC:.c=.o) $(GENSRC:.c=.o) @LIBOBJS@
TAGHDR = \
/usr/include/sys/types.h \
TAGFILES = $(SRC) $(TAGHDR)
-CLEANFILES = $(PROG) $(OBJ) $(GENSRC)
+CLEANFILES = $(PROG) $(OBJS) $(GENSRC) purify $(OBJS:.o=_pure_*.o)
+
+$(PROG): $(OBJS)
+ @rm -f $@
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
-$(PROG): $(OBJ)
+purify: $(OBJS)
@rm -f $@
- $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJ) $(LIBS)
+ purify $(CC) $(CFLAGS) $(LDFLAGS) -static -o purify $(OBJS) $(LIBS)
version.o: version.c
version.c: $(srcdir)/VERSION
install: force
$(INSTALL) -m 555 -o bin -g bin $(PROG) $(DESTDIR)$(BINDEST)/$(PROG)
-
-install-man: force
- $(INSTALL) -m 444 -o bin -g bin $(srcdir)/$(PROG).8 \
- $(DESTDIR)$(MANDEST)/man8/$(PROG).8
+ @diff $(srcdir)/$(PROG).8 $(DESTDIR)$(MANDEST)/man8 >/dev/null 2>&1 || \
+ $(INSTALL) -m 444 -o bin -g bin $(srcdir)/$(PROG).8 $(DESTDIR)$(MANDEST)/man8/
clean: force
rm -f $(CLEANFILES)
distclean: force
- rm -f $(CLEANFILES) Makefile config.cache config.log config.status \
- gnuc.h os-proto.h
+ rm -rf $(CLEANFILES) Makefile config.cache config.log config.status \
+ gnuc.h os-proto.h autom4te.cache
tags: $(TAGFILES)
ctags -wtd $(TAGFILES)
"rm -f $$name" ; \
rm -f $$name
+sign:
+ @name=${PROG}-`cat VERSION`.tar.gz; \
+ set -x; \
+ rm -f $${name}.asc; \
+ gpg --armor --detach-sign $${name}
+
force: /tmp
depend: $(GENSRC) force
./mkdep -c $(CC) $(DEFS) $(INCLS) $(SRC)
-@(#) $Id: README,v 1.1 2001/12/21 04:12:02 marka Exp $ (LBL)
+@(#) $Id: README 237 2009-03-14 05:38:15Z leres $ (LBL)
NSLINT 2.0
Lawrence Berkeley National Laboratory
-dnl @(#) $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/nslint-2.1a3/aclocal.m4,v 1.1 2001/12/21 04:12:03 marka Exp $ (LBL)
+dnl @(#) $Id: aclocal.m4 616 2009-10-10 00:08:08Z leres $ (LBL)
dnl
-dnl Copyright (c) 1995, 1996, 1997, 1998, 1999
+dnl Copyright (c) 2008, 2009
dnl The Regents of the University of California. All rights reserved.
dnl
dnl Redistribution and use in source and binary forms, with or without
dnl Determine which compiler we're using (cc or gcc)
dnl If using gcc, determine the version number
dnl If using cc, require that it support ansi prototypes
-dnl If using gcc, use -O2 (otherwise use -O)
+dnl If using gcc, use -O3 (otherwise use -O)
dnl If using cc, explicitly specify /usr/local/include
dnl
dnl usage:
dnl $1 (copt set)
dnl $2 (incls set)
dnl CC
-dnl LDFLAGS
-dnl LBL_CFLAGS
+dnl LDFLAGS set
dnl
AC_DEFUN(AC_LBL_C_INIT,
[AC_PREREQ(2.12)
+ AC_ARG_ENABLE([optimization],
+ [AS_HELP_STRING([--disable-optimization],
+ [turn off gcc optimization])],
+ ac_cv_without_optimization=${withval})
AC_BEFORE([$0], [AC_PROG_CC])
AC_BEFORE([$0], [AC_LBL_FIXINCLUDES])
AC_BEFORE([$0], [AC_LBL_DEVEL])
AC_ARG_WITH(gcc, [ --without-gcc don't use gcc])
- $1="-O"
+ AC_USE_SYSTEM_EXTENSIONS
+ $1=""
+ if test "${ac_cv_without_optimization+set}" != set; then
+ $1="-O"
+ fi
$2=""
if test "${srcdir}" != "." ; then
$2="-I\$\(srcdir\)"
fi
- if test "${CFLAGS+set}" = set; then
- LBL_CFLAGS="$CFLAGS"
- fi
if test -z "$CC" ; then
case "$target_os" in
export CC
fi
AC_PROG_CC
+ AC_SYS_LARGEFILE
if test "$GCC" != yes ; then
AC_MSG_CHECKING(that $CC handles ansi prototypes)
AC_CACHE_VAL(ac_cv_lbl_cc_ansi_prototypes,
fi
CFLAGS="$savedcflags"
$1="-Aa $$1"
- AC_DEFINE(_HPUX_SOURCE)
+ AC_DEFINE(_HPUX_SOURCE,,[HP-UX ansi compiler])
;;
*)
ac_cv_lbl_cc_const_proto=no))
AC_MSG_RESULT($ac_cv_lbl_cc_const_proto)
if test $ac_cv_lbl_cc_const_proto = no ; then
- AC_DEFINE(const,)
+ AC_DEFINE(const,,[ultrix can't hack const])
fi
;;
esac
fi
])
+AC_LBL_ENABLE_CHECK(brov6 activemapping expire-dfa-states)
+dnl
+dnl This allows us to check for bogus configure enable/disable
+dnl command line options
+dnl
+dnl usage:
+dnl
+dnl AC_LBL_ENABLE_CHECK(opt ...)
+dnl
+AC_DEFUN(AC_LBL_ENABLE_CHECK,
+ [set |
+ sed -n -e 's/^enable_\([[^=]]*\)=[[^=]]*$/\1/p' |
+ while read var; do
+ ok=0
+ for o in $1; do
+ if test "${o}" = "${var}" ; then
+ ok=1
+ break
+ fi
+ done
+ if test ${ok} -eq 0 ; then
+ # It's hard to kill configure script from subshell!
+ AC_MSG_ERROR(unknown enable option: ${var})
+ exit 1
+ fi
+ done
+ if test $? -ne 0 ; then
+ exit 1
+ fi])
+
dnl
dnl Use pfopen.c if available and pfopen() not in standard libraries
dnl Require libpcap
done
if test "x$libpcap" = xFAIL ; then
AC_MSG_RESULT(not found)
- unset ac_cv_lbl_lib_pcap_pcap_open_live_
- AC_LBL_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
+ AC_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
+ unset ac_cv_lib_pcap_pcap_open_live
if test "x$libpcap" = xFAIL ; then
- unset ac_cv_lbl_lib_pcap_pcap_open_live_
CFLAGS="$CFLAGS -I/usr/local/include"
LIBS="$LIBS -L/usr/local/lib"
- AC_LBL_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
+ AC_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
+ unset ac_cv_lib_pcap_pcap_open_live
if test "x$libpcap" = xFAIL ; then
AC_MSG_ERROR(see the INSTALL doc for more info)
fi
[AC_BEFORE([$0], [AC_LBL_LIBPCAP])
AC_TYPE_SIGNAL
if test "$ac_cv_type_signal" = void ; then
- AC_DEFINE(RETSIGVAL,)
+ AC_DEFINE(RETSIGVAL,,[signal function return value])
else
AC_DEFINE(RETSIGVAL,(0))
fi
case "$target_os" in
irix*)
- AC_DEFINE(_BSD_SIGNALS)
+ AC_DEFINE(_BSD_SIGNALS,,[irix's BSD style signals])
;;
*)
dnl prefer sigset() to sigaction()
AC_CHECK_FUNCS(sigset)
if test $ac_cv_func_sigset = yes ; then
- AC_DEFINE(signal,sigset)
+ AC_DEFINE(signal,sigset,[use sigset() instead of signal()])
else
AC_CHECK_FUNCS(sigaction)
fi
dnl HAVE_SOCKADDR_SA_LEN (defined)
dnl
AC_DEFUN(AC_LBL_SOCKADDR_SA_LEN,
- [AC_MSG_CHECKING(if sockaddr struct has sa_len member)
- AC_CACHE_VAL(ac_cv_lbl_sockaddr_has_sa_len,
+ [AC_CHECK_MEMBERS(struct sockaddr.sa_len,,,[
+# include <sys/types.h>
+# include <sys/socket.h>])])
+
+dnl
+dnl Makes sure socklen_t is defined
+dnl
+dnl usage:
+dnl
+dnl AC_LBL_SOCKLEN_T
+dnl
+dnl results:
+dnl
+dnl socklen_t (defined if missing)
+dnl
+AC_DEFUN(AC_LBL_SOCKLEN_T,
+ [AC_MSG_CHECKING(for socklen_t in sys/socket.h using $CC)
+ AC_CACHE_VAL(ac_cv_lbl_socklen_t,
AC_TRY_COMPILE([
+# include "confdefs.h"
# include <sys/types.h>
-# include <sys/socket.h>],
- [u_int i = sizeof(((struct sockaddr *)0)->sa_len)],
- ac_cv_lbl_sockaddr_has_sa_len=yes,
- ac_cv_lbl_sockaddr_has_sa_len=no))
- AC_MSG_RESULT($ac_cv_lbl_sockaddr_has_sa_len)
- if test $ac_cv_lbl_sockaddr_has_sa_len = yes ; then
- AC_DEFINE(HAVE_SOCKADDR_SA_LEN)
+# include <sys/socket.h>
+# if STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+# endif],
+ [socklen_t i],
+ ac_cv_lbl_socklen_t=yes,
+ ac_cv_lbl_socklen_t=no))
+ AC_MSG_RESULT($ac_cv_lbl_socklen_t)
+ if test $ac_cv_lbl_socklen_t = no ; then
+ AC_DEFINE(socklen_t, int, [Define socklen_t if missing])
fi])
dnl
ac_cv_lbl_have_iff_loopback=no))
AC_MSG_RESULT($ac_cv_lbl_have_iff_loopback)
if test $ac_cv_lbl_have_iff_loopback = yes ; then
- AC_DEFINE(HAVE_IFF_LOOPBACK)
+ AC_DEFINE(HAVE_IFF_LOOPBACK,, [Have IFF_LOOPBACK define/enum])
fi])
-dnl
-dnl Checks to see if -R is used
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_HAVE_RUN_PATH
-dnl
-dnl results:
-dnl
-dnl ac_cv_lbl_have_run_path (yes or no)
-dnl
-AC_DEFUN(AC_LBL_HAVE_RUN_PATH,
- [AC_MSG_CHECKING(for ${CC-cc} -R)
- AC_CACHE_VAL(ac_cv_lbl_have_run_path,
- [echo 'main(){}' > conftest.c
- ${CC-cc} -o conftest conftest.c -R/a1/b2/c3 >conftest.out 2>&1
- if test ! -s conftest.out ; then
- ac_cv_lbl_have_run_path=yes
- else
- ac_cv_lbl_have_run_path=no
- fi
- rm -f conftest*])
- AC_MSG_RESULT($ac_cv_lbl_have_run_path)
- ])
-
dnl
dnl Due to the stupid way it's implemented, AC_CHECK_TYPE is nearly useless.
dnl
ac_cv_lbl_have_$1=no))
AC_MSG_RESULT($ac_cv_lbl_have_$1)
if test $ac_cv_lbl_have_$1 = no ; then
- AC_DEFINE($1, $2)
+ AC_DEFINE($1, $2, Define $1)
fi])
dnl
[ if test "$GCC" = yes ; then
if test "$SHLICC2" = yes ; then
ac_cv_lbl_gcc_vers=2
- $1="`echo $$1 | sed -e 's/-O/-O2/'`"
+ $1="`echo $$1 | sed -e 's/-O/-O3/'`"
else
AC_MSG_CHECKING(gcc version)
AC_CACHE_VAL(ac_cv_lbl_gcc_vers,
- ac_cv_lbl_gcc_vers=`$CC --version 2>&1 | \
- sed -e 's/\..*//'`)
+ # Gag, the gcc folks keep changing the output...
+ # try to grab N.N.N
+ ac_cv_lbl_gcc_vers=`$CC --version 2>&1 |
+ sed -e '1!d' -e 's/[[[^0-9]]]*\([[[0-9]]][[[0-9]]]*\)\.[[[0-9\]]][[[0-9]]]*\.[[[0-9]]][[[0-9]]]*.*/\1/'`)
AC_MSG_RESULT($ac_cv_lbl_gcc_vers)
- if test $ac_cv_lbl_gcc_vers -gt 1 ; then
- $1="`echo $$1 | sed -e 's/-O/-O2/'`"
+ if test "$ac_cv_lbl_gcc_vers" -gt 1 ; then
+ $1="`echo $$1 | sed -e 's/-O/-O3/'`"
fi
fi
- if test "${LBL_CFLAGS+set}" != set; then
- if test "$ac_cv_prog_cc_g" = yes ; then
- $1="-g $$1"
- fi
- $1="$$1 -Wall"
- if test $ac_cv_lbl_gcc_vers -gt 1 ; then
- $1="$$1 -Wmissing-prototypes -Wstrict-prototypes"
+ if test "$ac_cv_prog_cc_g" = yes ; then
+ $1="-g $$1"
+ fi
+ $1="$$1 -Wall"
+ if test "$ac_cv_lbl_gcc_vers" -gt 1 ; then
+ $1="$$1 -Wmissing-prototypes -Wstrict-prototypes"
+ if [[ "`uname -s`" = "FreeBSD" ]]; then
+ $1="$$1 -Werror"
fi
fi
else
dnl HAVE_OS_PROTO_H (defined)
dnl os-proto.h (symlinked)
dnl
-AC_DEFUN(AC_LBL_DEVEL,
- [rm -f os-proto.h
- if test "${LBL_CFLAGS+set}" = set; then
- $1="$$1 ${LBL_CFLAGS}"
- fi
+AC_DEFUN(AC_LBL_DEVEL,[
+ AC_BEFORE([$0], [AC_LBL_LD_RUN_PATH])
+ rm -f os-proto.h
if test -f .devel ; then
AC_LBL_CHECK_WALL($1)
os=`echo $target_os | sed -e 's/\([[0-9]][[0-9]]*\)[[^0-9]].*$/\1/'`
name="lbl/os-$os.h"
if test -f $name ; then
ln -s $name os-proto.h
- AC_DEFINE(HAVE_OS_PROTO_H)
+ AC_DEFINE(HAVE_OS_PROTO_H,,[have os-proto.h])
else
AC_MSG_WARN(can't find $name)
fi
# libraries (i.e. libc):
AC_CHECK_FUNC(gethostbyname, ,
# Some OSes (eg. Solaris) place it in libnsl:
- AC_LBL_CHECK_LIB(nsl, gethostbyname, ,
+ AC_CHECK_LIB(nsl, gethostbyname, ,
# Some strange OSes (SINIX) have it in libsocket:
- AC_LBL_CHECK_LIB(socket, gethostbyname, ,
+ AC_CHECK_LIB(socket, gethostbyname, ,
# Unfortunately libsocket sometimes depends on libnsl.
# AC_CHECK_LIB's API is essentially broken so the
# following ugliness is necessary:
- AC_LBL_CHECK_LIB(socket, gethostbyname,
+ AC_CHECK_LIB(socket, gethostbyname,
LIBS="-lsocket -lnsl $LIBS",
AC_CHECK_LIB(resolv, gethostbyname),
-lnsl))))
AC_CHECK_FUNC(socket, , AC_CHECK_LIB(socket, socket, ,
- AC_LBL_CHECK_LIB(socket, socket, LIBS="-lsocket -lnsl $LIBS", ,
+ AC_CHECK_LIB(socket, socket, LIBS="-lsocket -lnsl $LIBS", ,
-lnsl)))
# DLPI needs putmsg under HPUX so test for -lstr while we're at it
AC_CHECK_LIB(str, putmsg)
])
+
+dnl
+dnl AC_LBL_RUN_PATH
+dnl
+dnl Extracts -L directories from LIBS; if any are found they are
+dnl converted to a LD_RUN_PATH and put in V_ENVIRONMENT
+dnl
+dnl usage:
+dnl
+dnl AC_LBL_RUN_PATH
+dnl
+dnl results:
+dnl
+dnl V_ENVIRONMENT
+dnl
+AC_DEFUN(AC_LBL_LD_RUN_PATH, [
+ AC_MSG_CHECKING(LD_RUN_PATH)
+ AC_SUBST(V_ENVIRONMENT)
+ dnl
+ dnl Split out -L directories
+ dnl
+ ldirs=""
+ for x in ${LIBS}; do
+ case x${x} in
+
+ x-L*)
+ ldirs="${ldirs} ${x}"
+ ;;
+
+ *)
+ ;;
+ esac
+ done
+
+ dnl
+ dnl Build LD_RUN_PATH
+ dnl
+ if test -n "${ldirs}"; then
+ V_ENVIRONMENT="LD_RUN_PATH=\"`echo \"${ldirs}\" | sed -e 's,-L,,g' -e 's,^ *,,' -e 's, ,:,g'`\""
+ AC_MSG_RESULT(${V_ENVIRONMENT})
+ else
+ AC_MSG_RESULT(empty)
+ fi])
+
+dnl
+dnl AC_LBL_BROCCOLI
+dnl
+dnl Include Broccoli support
+dnl
+dnl usage:
+dnl
+dnl AC_LBL_BROCCOLI(copt, incls, [min-vers])
+dnl
+dnl results:
+dnl
+dnl $1 (copt variable appended)
+dnl $2 (incls variable appended)
+dnl $3 minimum version (optional)
+dnl
+AC_DEFUN(AC_LBL_BROCCOLI, [
+ AC_BEFORE([$0], [AC_LBL_LD_RUN_PATH])
+ dnl
+ dnl configure flags
+ dnl
+ AC_ARG_WITH([broccoli],
+ [AS_HELP_STRING([--without-broccoli],
+ [disable Broccoli support @<:@default=check@:>@])],
+ ac_cv_with_broccoli=${withval})
+ dnl
+ dnl Network application libraries
+ dnl
+ AC_LBL_LIBRARY_NET
+
+ AC_MSG_CHECKING(for broccoli)
+ if test "${ac_cv_with_broccoli}" = "" -o \
+ "${ac_cv_with_broccoli}" = yes ; then
+ cflags=""
+ libs=""
+ dnl
+ dnl Our entire path
+ dnl
+ dirs="`echo ${PATH} | sed -e 's/:/ /g'`"
+ dnl
+ dnl Add in default Bro install bin directory
+ dnl
+ dirs="${dirs} /usr/local/bro/bin"
+ for d in ${dirs}; do
+ if test -x ${d}/broccoli-config ; then
+ broccoli_config_path="${d}/broccoli-config"
+ cflags="`${broccoli_config_path} --cflags`"
+ libs="`${broccoli_config_path} --libs`"
+ break
+ fi
+ done
+ if test -n "${cflags}" ; then
+ ac_cv_have_broccoli=yes
+ else
+ ac_cv_have_broccoli=no
+ fi
+ AC_MSG_RESULT($ac_cv_have_broccoli)
+ if test "${ac_cv_with_broccoli}" = yes -a \
+ ${ac_cv_have_broccoli} = "no" ; then
+ AC_MSG_ERROR(Broccoli explicitly enabled but not supported)
+ fi
+ else
+ AC_MSG_RESULT([disabled])
+ fi
+
+ dnl
+ dnl Optionally check for minimum Broccoli version
+ dnl
+ if test "$ac_cv_have_broccoli" = yes -a -n "$3"; then
+ AC_MSG_CHECKING(Broccoli >= $3)
+ BROCCOLI_VERSION="`${broccoli_config_path} --version`"
+ AC_MSG_RESULT(${BROCCOLI_VERSION})
+ dnl
+ dnl Sort the two versions; the desired version should
+ dnl appear first (or perhaps 1st and 2nd)
+ dnl
+ tvers="`(echo "$3" ; echo ${BROCCOLI_VERSION}) |
+ sort -t. +0 -1n +1 -2n +2 -3n +3 -4n |
+ head -1`"
+ if test "${tvers}" != "$3"; then
+ if test "${ac_cv_with_broccoli}" = yes; then
+ AC_MSG_ERROR(Broccoli $3 or higher is required)
+ fi
+ AC_MSG_NOTICE(Broccoli support disabled)
+ ac_cv_have_broccoli="no"
+ fi
+ fi
+
+ dnl
+ dnl Broccoli ho!
+ dnl
+ if test "$ac_cv_have_broccoli" = yes ; then
+ AC_DEFINE(HAVE_BROCCOLI)
+ dnl
+ dnl Split out -I directories
+ dnl
+ for x in ${cflags}; do
+ case x${x} in
+
+ x-I*)
+ eval "$2=\"\$$2 ${x}\""
+ ;;
+
+ *)
+ eval "$1=\"\$$1 ${x}\""
+ ;;
+ esac
+ done
+
+ dnl
+ dnl Add in Broccoli libs
+ dnl
+ LIBS="$LIBS ${libs}"
+
+ dnl
+ dnl Look for the libs in DIR or DIR/lib
+ dnl
+ AC_ARG_WITH([openssl],
+ [AS_HELP_STRING([--with-openssl=DIR],
+ [Use OpenSSL installation in DIR])],
+ [eval "$2=\"-I${withval}/include \$$2\""
+ for x in ${withval}/lib ${withval}; do
+ if test -r ${x}/libssl.a; then
+ LIBS="-L${x} ${LIBS}"
+ break
+ fi
+ done])
+
+ dnl
+ dnl -lssl needs to come first on some systems!
+ dnl
+ AC_CHECK_LIB(ssl, OPENSSL_add_all_algorithms_conf,
+ [LIBS="${LIBS} -lssl -lcrypto"],,-lcrypto)
+ dnl
+ dnl Newer versions of 1.4.0 and anything higher needs bro_init()
+ dnl
+ AC_CHECK_LIB(broccoli, bro_init, [AC_DEFINE(HAVE_BRO_INIT)])
+ fi])
--- /dev/null
+#! /bin/sh
+# Attempt to guess a canonical system name.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+
+timestamp='2003-07-02'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Originally written by Per Bothner <per@bothner.com>.
+# Please send patches to <config-patches@gnu.org>. Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub. If it succeeds, it prints the system name on stdout, and
+# exits with 0. Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit build system type.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -t, --time-stamp print date of last modification, then exit
+ -v, --version print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case $1 in
+ --time-stamp | --time* | -t )
+ echo "$timestamp" ; exit 0 ;;
+ --version | -v )
+ echo "$version" ; exit 0 ;;
+ --help | --h* | -h )
+ echo "$usage"; exit 0 ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ echo "$me: invalid option $1$help" >&2
+ exit 1 ;;
+ * )
+ break ;;
+ esac
+done
+
+if test $# != 0; then
+ echo "$me: too many arguments$help" >&2
+ exit 1
+fi
+
+trap 'exit 1' 1 2 15
+
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
+
+# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# use `HOST_CC' if defined, but it is deprecated.
+
+# Portable tmp directory creation inspired by the Autoconf team.
+
+set_cc_for_build='
+trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+: ${TMPDIR=/tmp} ;
+ { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+ { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
+ { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
+dummy=$tmp/dummy ;
+tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,) echo "int x;" > $dummy.c ;
+ for c in cc gcc c89 c99 ; do
+ if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+ CC_FOR_BUILD="$c"; break ;
+ fi ;
+ done ;
+ if test x"$CC_FOR_BUILD" = x ; then
+ CC_FOR_BUILD=no_compiler_found ;
+ fi
+ ;;
+ ,,*) CC_FOR_BUILD=$CC ;;
+ ,*,*) CC_FOR_BUILD=$HOST_CC ;;
+esac ;'
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 1994-08-24)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+ PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+ *:NetBSD:*:*)
+ # NetBSD (nbsd) targets should (where applicable) match one or
+ # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+ # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
+ # switched to ELF, *-*-netbsd* would select the old
+ # object file format. This provides both forward
+ # compatibility and a consistent mechanism for selecting the
+ # object file format.
+ #
+ # Note: NetBSD doesn't particularly care about the vendor
+ # portion of the name. We always set it to "unknown".
+ sysctl="sysctl -n hw.machine_arch"
+ UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+ /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+ case "${UNAME_MACHINE_ARCH}" in
+ armeb) machine=armeb-unknown ;;
+ arm*) machine=arm-unknown ;;
+ sh3el) machine=shl-unknown ;;
+ sh3eb) machine=sh-unknown ;;
+ *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+ esac
+ # The Operating System including object format, if it has switched
+ # to ELF recently, or will in the future.
+ case "${UNAME_MACHINE_ARCH}" in
+ arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+ eval $set_cc_for_build
+ if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+ | grep __ELF__ >/dev/null
+ then
+ # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+ # Return netbsd for either. FIX?
+ os=netbsd
+ else
+ os=netbsdelf
+ fi
+ ;;
+ *)
+ os=netbsd
+ ;;
+ esac
+ # The OS release
+ # Debian GNU/NetBSD machines have a different userland, and
+ # thus, need a distinct triplet. However, they do not need
+ # kernel version information, so it can be replaced with a
+ # suitable tag, in the style of linux-gnu.
+ case "${UNAME_VERSION}" in
+ Debian*)
+ release='-gnu'
+ ;;
+ *)
+ release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+ ;;
+ esac
+ # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+ # contains redundant information, the shorter form:
+ # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+ echo "${machine}-${os}${release}"
+ exit 0 ;;
+ amiga:OpenBSD:*:*)
+ echo m68k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ arc:OpenBSD:*:*)
+ echo mipsel-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ hp300:OpenBSD:*:*)
+ echo m68k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ mac68k:OpenBSD:*:*)
+ echo m68k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ macppc:OpenBSD:*:*)
+ echo powerpc-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ mvme68k:OpenBSD:*:*)
+ echo m68k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ mvme88k:OpenBSD:*:*)
+ echo m88k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ mvmeppc:OpenBSD:*:*)
+ echo powerpc-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ pmax:OpenBSD:*:*)
+ echo mipsel-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ sgi:OpenBSD:*:*)
+ echo mipseb-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ sun3:OpenBSD:*:*)
+ echo m68k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ wgrisc:OpenBSD:*:*)
+ echo mipsel-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ *:OpenBSD:*:*)
+ echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ alpha:OSF1:*:*)
+ if test $UNAME_RELEASE = "V4.0"; then
+ UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+ fi
+ # According to Compaq, /usr/sbin/psrinfo has been available on
+ # OSF/1 and Tru64 systems produced since 1995. I hope that
+ # covers most systems running today. This code pipes the CPU
+ # types through head -n 1, so we only detect the type of CPU 0.
+ ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
+ case "$ALPHA_CPU_TYPE" in
+ "EV4 (21064)")
+ UNAME_MACHINE="alpha" ;;
+ "EV4.5 (21064)")
+ UNAME_MACHINE="alpha" ;;
+ "LCA4 (21066/21068)")
+ UNAME_MACHINE="alpha" ;;
+ "EV5 (21164)")
+ UNAME_MACHINE="alphaev5" ;;
+ "EV5.6 (21164A)")
+ UNAME_MACHINE="alphaev56" ;;
+ "EV5.6 (21164PC)")
+ UNAME_MACHINE="alphapca56" ;;
+ "EV5.7 (21164PC)")
+ UNAME_MACHINE="alphapca57" ;;
+ "EV6 (21264)")
+ UNAME_MACHINE="alphaev6" ;;
+ "EV6.7 (21264A)")
+ UNAME_MACHINE="alphaev67" ;;
+ "EV6.8CB (21264C)")
+ UNAME_MACHINE="alphaev68" ;;
+ "EV6.8AL (21264B)")
+ UNAME_MACHINE="alphaev68" ;;
+ "EV6.8CX (21264D)")
+ UNAME_MACHINE="alphaev68" ;;
+ "EV6.9A (21264/EV69A)")
+ UNAME_MACHINE="alphaev69" ;;
+ "EV7 (21364)")
+ UNAME_MACHINE="alphaev7" ;;
+ "EV7.9 (21364A)")
+ UNAME_MACHINE="alphaev79" ;;
+ esac
+ # A Vn.n version is a released version.
+ # A Tn.n version is a released field test version.
+ # A Xn.n version is an unreleased experimental baselevel.
+ # 1.2 uses "1.2" for uname -r.
+ echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+ exit 0 ;;
+ Alpha*:OpenVMS:*:*)
+ echo alpha-hp-vms
+ exit 0 ;;
+ Alpha\ *:Windows_NT*:*)
+ # How do we know it's Interix rather than the generic POSIX subsystem?
+ # Should we change UNAME_MACHINE based on the output of uname instead
+ # of the specific Alpha model?
+ echo alpha-pc-interix
+ exit 0 ;;
+ 21064:Windows_NT:50:3)
+ echo alpha-dec-winnt3.5
+ exit 0 ;;
+ Amiga*:UNIX_System_V:4.0:*)
+ echo m68k-unknown-sysv4
+ exit 0;;
+ *:[Aa]miga[Oo][Ss]:*:*)
+ echo ${UNAME_MACHINE}-unknown-amigaos
+ exit 0 ;;
+ *:[Mm]orph[Oo][Ss]:*:*)
+ echo ${UNAME_MACHINE}-unknown-morphos
+ exit 0 ;;
+ *:OS/390:*:*)
+ echo i370-ibm-openedition
+ exit 0 ;;
+ arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+ echo arm-acorn-riscix${UNAME_RELEASE}
+ exit 0;;
+ SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
+ echo hppa1.1-hitachi-hiuxmpp
+ exit 0;;
+ Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+ # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+ if test "`(/bin/universe) 2>/dev/null`" = att ; then
+ echo pyramid-pyramid-sysv3
+ else
+ echo pyramid-pyramid-bsd
+ fi
+ exit 0 ;;
+ NILE*:*:*:dcosx)
+ echo pyramid-pyramid-svr4
+ exit 0 ;;
+ DRS?6000:unix:4.0:6*)
+ echo sparc-icl-nx6
+ exit 0 ;;
+ DRS?6000:UNIX_SV:4.2*:7*)
+ case `/usr/bin/uname -p` in
+ sparc) echo sparc-icl-nx7 && exit 0 ;;
+ esac ;;
+ sun4H:SunOS:5.*:*)
+ echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit 0 ;;
+ sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+ echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit 0 ;;
+ i86pc:SunOS:5.*:*)
+ echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit 0 ;;
+ sun4*:SunOS:6*:*)
+ # According to config.sub, this is the proper way to canonicalize
+ # SunOS6. Hard to guess exactly what SunOS6 will be like, but
+ # it's likely to be more like Solaris than SunOS4.
+ echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit 0 ;;
+ sun4*:SunOS:*:*)
+ case "`/usr/bin/arch -k`" in
+ Series*|S4*)
+ UNAME_RELEASE=`uname -v`
+ ;;
+ esac
+ # Japanese Language versions have a version number like `4.1.3-JL'.
+ echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+ exit 0 ;;
+ sun3*:SunOS:*:*)
+ echo m68k-sun-sunos${UNAME_RELEASE}
+ exit 0 ;;
+ sun*:*:4.2BSD:*)
+ UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+ test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+ case "`/bin/arch`" in
+ sun3)
+ echo m68k-sun-sunos${UNAME_RELEASE}
+ ;;
+ sun4)
+ echo sparc-sun-sunos${UNAME_RELEASE}
+ ;;
+ esac
+ exit 0 ;;
+ aushp:SunOS:*:*)
+ echo sparc-auspex-sunos${UNAME_RELEASE}
+ exit 0 ;;
+ # The situation for MiNT is a little confusing. The machine name
+ # can be virtually everything (everything which is not
+ # "atarist" or "atariste" at least should have a processor
+ # > m68000). The system name ranges from "MiNT" over "FreeMiNT"
+ # to the lowercase version "mint" (or "freemint"). Finally
+ # the system name "TOS" denotes a system which is actually not
+ # MiNT. But MiNT is downward compatible to TOS, so this should
+ # be no problem.
+ atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit 0 ;;
+ atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit 0 ;;
+ *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit 0 ;;
+ milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+ echo m68k-milan-mint${UNAME_RELEASE}
+ exit 0 ;;
+ hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+ echo m68k-hades-mint${UNAME_RELEASE}
+ exit 0 ;;
+ *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+ echo m68k-unknown-mint${UNAME_RELEASE}
+ exit 0 ;;
+ powerpc:machten:*:*)
+ echo powerpc-apple-machten${UNAME_RELEASE}
+ exit 0 ;;
+ RISC*:Mach:*:*)
+ echo mips-dec-mach_bsd4.3
+ exit 0 ;;
+ RISC*:ULTRIX:*:*)
+ echo mips-dec-ultrix${UNAME_RELEASE}
+ exit 0 ;;
+ VAX*:ULTRIX*:*:*)
+ echo vax-dec-ultrix${UNAME_RELEASE}
+ exit 0 ;;
+ 2020:CLIX:*:* | 2430:CLIX:*:*)
+ echo clipper-intergraph-clix${UNAME_RELEASE}
+ exit 0 ;;
+ mips:*:*:UMIPS | mips:*:*:RISCos)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h> /* for printf() prototype */
+ int main (int argc, char *argv[]) {
+#else
+ int main (argc, argv) int argc; char *argv[]; {
+#endif
+ #if defined (host_mips) && defined (MIPSEB)
+ #if defined (SYSTYPE_SYSV)
+ printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+ #endif
+ #if defined (SYSTYPE_SVR4)
+ printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+ #endif
+ #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+ printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+ #endif
+ #endif
+ exit (-1);
+ }
+EOF
+ $CC_FOR_BUILD -o $dummy $dummy.c \
+ && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
+ && exit 0
+ echo mips-mips-riscos${UNAME_RELEASE}
+ exit 0 ;;
+ Motorola:PowerMAX_OS:*:*)
+ echo powerpc-motorola-powermax
+ exit 0 ;;
+ Motorola:*:4.3:PL8-*)
+ echo powerpc-harris-powermax
+ exit 0 ;;
+ Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+ echo powerpc-harris-powermax
+ exit 0 ;;
+ Night_Hawk:Power_UNIX:*:*)
+ echo powerpc-harris-powerunix
+ exit 0 ;;
+ m88k:CX/UX:7*:*)
+ echo m88k-harris-cxux7
+ exit 0 ;;
+ m88k:*:4*:R4*)
+ echo m88k-motorola-sysv4
+ exit 0 ;;
+ m88k:*:3*:R3*)
+ echo m88k-motorola-sysv3
+ exit 0 ;;
+ AViiON:dgux:*:*)
+ # DG/UX returns AViiON for all architectures
+ UNAME_PROCESSOR=`/usr/bin/uname -p`
+ if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+ then
+ if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+ [ ${TARGET_BINARY_INTERFACE}x = x ]
+ then
+ echo m88k-dg-dgux${UNAME_RELEASE}
+ else
+ echo m88k-dg-dguxbcs${UNAME_RELEASE}
+ fi
+ else
+ echo i586-dg-dgux${UNAME_RELEASE}
+ fi
+ exit 0 ;;
+ M88*:DolphinOS:*:*) # DolphinOS (SVR3)
+ echo m88k-dolphin-sysv3
+ exit 0 ;;
+ M88*:*:R3*:*)
+ # Delta 88k system running SVR3
+ echo m88k-motorola-sysv3
+ exit 0 ;;
+ XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+ echo m88k-tektronix-sysv3
+ exit 0 ;;
+ Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+ echo m68k-tektronix-bsd
+ exit 0 ;;
+ *:IRIX*:*:*)
+ echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+ exit 0 ;;
+ ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+ echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
+ exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX '
+ i*86:AIX:*:*)
+ echo i386-ibm-aix
+ exit 0 ;;
+ ia64:AIX:*:*)
+ if [ -x /usr/bin/oslevel ] ; then
+ IBM_REV=`/usr/bin/oslevel`
+ else
+ IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+ fi
+ echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+ exit 0 ;;
+ *:AIX:2:3)
+ if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <sys/systemcfg.h>
+
+ main()
+ {
+ if (!__power_pc())
+ exit(1);
+ puts("powerpc-ibm-aix3.2.5");
+ exit(0);
+ }
+EOF
+ $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
+ echo rs6000-ibm-aix3.2.5
+ elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+ echo rs6000-ibm-aix3.2.4
+ else
+ echo rs6000-ibm-aix3.2
+ fi
+ exit 0 ;;
+ *:AIX:*:[45])
+ IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
+ if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+ IBM_ARCH=rs6000
+ else
+ IBM_ARCH=powerpc
+ fi
+ if [ -x /usr/bin/oslevel ] ; then
+ IBM_REV=`/usr/bin/oslevel`
+ else
+ IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+ fi
+ echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+ exit 0 ;;
+ *:AIX:*:*)
+ echo rs6000-ibm-aix
+ exit 0 ;;
+ ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+ echo romp-ibm-bsd4.4
+ exit 0 ;;
+ ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
+ echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
+ exit 0 ;; # report: romp-ibm BSD 4.3
+ *:BOSX:*:*)
+ echo rs6000-bull-bosx
+ exit 0 ;;
+ DPX/2?00:B.O.S.:*:*)
+ echo m68k-bull-sysv3
+ exit 0 ;;
+ 9000/[34]??:4.3bsd:1.*:*)
+ echo m68k-hp-bsd
+ exit 0 ;;
+ hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+ echo m68k-hp-bsd4.4
+ exit 0 ;;
+ 9000/[34678]??:HP-UX:*:*)
+ HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+ case "${UNAME_MACHINE}" in
+ 9000/31? ) HP_ARCH=m68000 ;;
+ 9000/[34]?? ) HP_ARCH=m68k ;;
+ 9000/[678][0-9][0-9])
+ if [ -x /usr/bin/getconf ]; then
+ sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
+ sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+ case "${sc_cpu_version}" in
+ 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+ 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+ 532) # CPU_PA_RISC2_0
+ case "${sc_kernel_bits}" in
+ 32) HP_ARCH="hppa2.0n" ;;
+ 64) HP_ARCH="hppa2.0w" ;;
+ '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
+ esac ;;
+ esac
+ fi
+ if [ "${HP_ARCH}" = "" ]; then
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+
+ #define _HPUX_SOURCE
+ #include <stdlib.h>
+ #include <unistd.h>
+
+ int main ()
+ {
+ #if defined(_SC_KERNEL_BITS)
+ long bits = sysconf(_SC_KERNEL_BITS);
+ #endif
+ long cpu = sysconf (_SC_CPU_VERSION);
+
+ switch (cpu)
+ {
+ case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+ case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+ case CPU_PA_RISC2_0:
+ #if defined(_SC_KERNEL_BITS)
+ switch (bits)
+ {
+ case 64: puts ("hppa2.0w"); break;
+ case 32: puts ("hppa2.0n"); break;
+ default: puts ("hppa2.0"); break;
+ } break;
+ #else /* !defined(_SC_KERNEL_BITS) */
+ puts ("hppa2.0"); break;
+ #endif
+ default: puts ("hppa1.0"); break;
+ }
+ exit (0);
+ }
+EOF
+ (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+ test -z "$HP_ARCH" && HP_ARCH=hppa
+ fi ;;
+ esac
+ if [ ${HP_ARCH} = "hppa2.0w" ]
+ then
+ # avoid double evaluation of $set_cc_for_build
+ test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
+ if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null
+ then
+ HP_ARCH="hppa2.0w"
+ else
+ HP_ARCH="hppa64"
+ fi
+ fi
+ echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+ exit 0 ;;
+ ia64:HP-UX:*:*)
+ HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+ echo ia64-hp-hpux${HPUX_REV}
+ exit 0 ;;
+ 3050*:HI-UX:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <unistd.h>
+ int
+ main ()
+ {
+ long cpu = sysconf (_SC_CPU_VERSION);
+ /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+ true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct
+ results, however. */
+ if (CPU_IS_PA_RISC (cpu))
+ {
+ switch (cpu)
+ {
+ case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+ case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+ case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+ default: puts ("hppa-hitachi-hiuxwe2"); break;
+ }
+ }
+ else if (CPU_IS_HP_MC68K (cpu))
+ puts ("m68k-hitachi-hiuxwe2");
+ else puts ("unknown-hitachi-hiuxwe2");
+ exit (0);
+ }
+EOF
+ $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
+ echo unknown-hitachi-hiuxwe2
+ exit 0 ;;
+ 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+ echo hppa1.1-hp-bsd
+ exit 0 ;;
+ 9000/8??:4.3bsd:*:*)
+ echo hppa1.0-hp-bsd
+ exit 0 ;;
+ *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
+ echo hppa1.0-hp-mpeix
+ exit 0 ;;
+ hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+ echo hppa1.1-hp-osf
+ exit 0 ;;
+ hp8??:OSF1:*:*)
+ echo hppa1.0-hp-osf
+ exit 0 ;;
+ i*86:OSF1:*:*)
+ if [ -x /usr/sbin/sysversion ] ; then
+ echo ${UNAME_MACHINE}-unknown-osf1mk
+ else
+ echo ${UNAME_MACHINE}-unknown-osf1
+ fi
+ exit 0 ;;
+ parisc*:Lites*:*:*)
+ echo hppa1.1-hp-lites
+ exit 0 ;;
+ C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+ echo c1-convex-bsd
+ exit 0 ;;
+ C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+ if getsysinfo -f scalar_acc
+ then echo c32-convex-bsd
+ else echo c2-convex-bsd
+ fi
+ exit 0 ;;
+ C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+ echo c34-convex-bsd
+ exit 0 ;;
+ C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+ echo c38-convex-bsd
+ exit 0 ;;
+ C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+ echo c4-convex-bsd
+ exit 0 ;;
+ CRAY*Y-MP:*:*:*)
+ echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ CRAY*[A-Z]90:*:*:*)
+ echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
+ -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ CRAY*TS:*:*:*)
+ echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ CRAY*T3E:*:*:*)
+ echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ CRAY*SV1:*:*:*)
+ echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ *:UNICOS/mp:*:*)
+ echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
+ FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+ FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+ echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+ exit 0 ;;
+ i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+ echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+ exit 0 ;;
+ sparc*:BSD/OS:*:*)
+ echo sparc-unknown-bsdi${UNAME_RELEASE}
+ exit 0 ;;
+ *:BSD/OS:*:*)
+ echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+ exit 0 ;;
+ *:FreeBSD:*:*|*:GNU/FreeBSD:*:*)
+ # Determine whether the default compiler uses glibc.
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <features.h>
+ #if __GLIBC__ >= 2
+ LIBC=gnu
+ #else
+ LIBC=
+ #endif
+EOF
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+ # GNU/FreeBSD systems have a "k" prefix to indicate we are using
+ # FreeBSD's kernel, but not the complete OS.
+ case ${LIBC} in gnu) kernel_only='k' ;; esac
+ echo ${UNAME_MACHINE}-unknown-${kernel_only}freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC}
+ exit 0 ;;
+ i*:CYGWIN*:*)
+ echo ${UNAME_MACHINE}-pc-cygwin
+ exit 0 ;;
+ i*:MINGW*:*)
+ echo ${UNAME_MACHINE}-pc-mingw32
+ exit 0 ;;
+ i*:PW*:*)
+ echo ${UNAME_MACHINE}-pc-pw32
+ exit 0 ;;
+ x86:Interix*:[34]*)
+ echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
+ exit 0 ;;
+ [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
+ echo i${UNAME_MACHINE}-pc-mks
+ exit 0 ;;
+ i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+ # How do we know it's Interix rather than the generic POSIX subsystem?
+ # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+ # UNAME_MACHINE based on the output of uname instead of i386?
+ echo i586-pc-interix
+ exit 0 ;;
+ i*:UWIN*:*)
+ echo ${UNAME_MACHINE}-pc-uwin
+ exit 0 ;;
+ p*:CYGWIN*:*)
+ echo powerpcle-unknown-cygwin
+ exit 0 ;;
+ prep*:SunOS:5.*:*)
+ echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit 0 ;;
+ *:GNU:*:*)
+ echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+ exit 0 ;;
+ i*86:Minix:*:*)
+ echo ${UNAME_MACHINE}-pc-minix
+ exit 0 ;;
+ arm*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ cris:Linux:*:*)
+ echo cris-axis-linux-gnu
+ exit 0 ;;
+ ia64:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ m68*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ mips:Linux:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #undef CPU
+ #undef mips
+ #undef mipsel
+ #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+ CPU=mipsel
+ #else
+ #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+ CPU=mips
+ #else
+ CPU=
+ #endif
+ #endif
+EOF
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+ test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
+ ;;
+ mips64:Linux:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #undef CPU
+ #undef mips64
+ #undef mips64el
+ #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+ CPU=mips64el
+ #else
+ #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+ CPU=mips64
+ #else
+ CPU=
+ #endif
+ #endif
+EOF
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+ test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
+ ;;
+ ppc:Linux:*:*)
+ echo powerpc-unknown-linux-gnu
+ exit 0 ;;
+ ppc64:Linux:*:*)
+ echo powerpc64-unknown-linux-gnu
+ exit 0 ;;
+ alpha:Linux:*:*)
+ case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+ EV5) UNAME_MACHINE=alphaev5 ;;
+ EV56) UNAME_MACHINE=alphaev56 ;;
+ PCA56) UNAME_MACHINE=alphapca56 ;;
+ PCA57) UNAME_MACHINE=alphapca56 ;;
+ EV6) UNAME_MACHINE=alphaev6 ;;
+ EV67) UNAME_MACHINE=alphaev67 ;;
+ EV68*) UNAME_MACHINE=alphaev68 ;;
+ esac
+ objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+ if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+ echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+ exit 0 ;;
+ parisc:Linux:*:* | hppa:Linux:*:*)
+ # Look for CPU level
+ case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+ PA7*) echo hppa1.1-unknown-linux-gnu ;;
+ PA8*) echo hppa2.0-unknown-linux-gnu ;;
+ *) echo hppa-unknown-linux-gnu ;;
+ esac
+ exit 0 ;;
+ parisc64:Linux:*:* | hppa64:Linux:*:*)
+ echo hppa64-unknown-linux-gnu
+ exit 0 ;;
+ s390:Linux:*:* | s390x:Linux:*:*)
+ echo ${UNAME_MACHINE}-ibm-linux
+ exit 0 ;;
+ sh64*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ sh*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ sparc:Linux:*:* | sparc64:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ x86_64:Linux:*:*)
+ echo x86_64-unknown-linux-gnu
+ exit 0 ;;
+ i*86:Linux:*:*)
+ # The BFD linker knows what the default object file format is, so
+ # first see if it will tell us. cd to the root directory to prevent
+ # problems with other programs or directories called `ld' in the path.
+ # Set LC_ALL=C to ensure ld outputs messages in English.
+ ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
+ | sed -ne '/supported targets:/!d
+ s/[ ][ ]*/ /g
+ s/.*supported targets: *//
+ s/ .*//
+ p'`
+ case "$ld_supported_targets" in
+ elf32-i386)
+ TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+ ;;
+ a.out-i386-linux)
+ echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+ exit 0 ;;
+ coff-i386)
+ echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+ exit 0 ;;
+ "")
+ # Either a pre-BFD a.out linker (linux-gnuoldld) or
+ # one that does not give us useful --help.
+ echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
+ exit 0 ;;
+ esac
+ # Determine whether the default compiler is a.out or elf
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <features.h>
+ #ifdef __ELF__
+ # ifdef __GLIBC__
+ # if __GLIBC__ >= 2
+ LIBC=gnu
+ # else
+ LIBC=gnulibc1
+ # endif
+ # else
+ LIBC=gnulibc1
+ # endif
+ #else
+ #ifdef __INTEL_COMPILER
+ LIBC=gnu
+ #else
+ LIBC=gnuaout
+ #endif
+ #endif
+EOF
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+ test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0
+ test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
+ ;;
+ i*86:DYNIX/ptx:4*:*)
+ # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+ # earlier versions are messed up and put the nodename in both
+ # sysname and nodename.
+ echo i386-sequent-sysv4
+ exit 0 ;;
+ i*86:UNIX_SV:4.2MP:2.*)
+ # Unixware is an offshoot of SVR4, but it has its own version
+ # number series starting with 2...
+ # I am not positive that other SVR4 systems won't match this,
+ # I just have to hope. -- rms.
+ # Use sysv4.2uw... so that sysv4* matches it.
+ echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+ exit 0 ;;
+ i*86:OS/2:*:*)
+ # If we were able to find `uname', then EMX Unix compatibility
+ # is probably installed.
+ echo ${UNAME_MACHINE}-pc-os2-emx
+ exit 0 ;;
+ i*86:XTS-300:*:STOP)
+ echo ${UNAME_MACHINE}-unknown-stop
+ exit 0 ;;
+ i*86:atheos:*:*)
+ echo ${UNAME_MACHINE}-unknown-atheos
+ exit 0 ;;
+ i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+ echo i386-unknown-lynxos${UNAME_RELEASE}
+ exit 0 ;;
+ i*86:*DOS:*:*)
+ echo ${UNAME_MACHINE}-pc-msdosdjgpp
+ exit 0 ;;
+ i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+ UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+ if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+ echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+ else
+ echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+ fi
+ exit 0 ;;
+ i*86:*:5:[78]*)
+ case `/bin/uname -X | grep "^Machine"` in
+ *486*) UNAME_MACHINE=i486 ;;
+ *Pentium) UNAME_MACHINE=i586 ;;
+ *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
+ esac
+ echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+ exit 0 ;;
+ i*86:*:3.2:*)
+ if test -f /usr/options/cb.name; then
+ UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+ echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+ elif /bin/uname -X 2>/dev/null >/dev/null ; then
+ UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
+ (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
+ (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
+ && UNAME_MACHINE=i586
+ (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
+ && UNAME_MACHINE=i686
+ (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
+ && UNAME_MACHINE=i686
+ echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+ else
+ echo ${UNAME_MACHINE}-pc-sysv32
+ fi
+ exit 0 ;;
+ pc:*:*:*)
+ # Left here for compatibility:
+ # uname -m prints for DJGPP always 'pc', but it prints nothing about
+ # the processor, so we play safe by assuming i386.
+ echo i386-pc-msdosdjgpp
+ exit 0 ;;
+ Intel:Mach:3*:*)
+ echo i386-pc-mach3
+ exit 0 ;;
+ paragon:*:*:*)
+ echo i860-intel-osf1
+ exit 0 ;;
+ i860:*:4.*:*) # i860-SVR4
+ if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+ echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+ else # Add other i860-SVR4 vendors below as they are discovered.
+ echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4
+ fi
+ exit 0 ;;
+ mini*:CTIX:SYS*5:*)
+ # "miniframe"
+ echo m68010-convergent-sysv
+ exit 0 ;;
+ mc68k:UNIX:SYSTEM5:3.51m)
+ echo m68k-convergent-sysv
+ exit 0 ;;
+ M680?0:D-NIX:5.3:*)
+ echo m68k-diab-dnix
+ exit 0 ;;
+ M68*:*:R3V[567]*:*)
+ test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
+ 3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0)
+ OS_REL=''
+ test -r /etc/.relid \
+ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+ && echo i486-ncr-sysv4.3${OS_REL} && exit 0
+ /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+ && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
+ 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+ && echo i486-ncr-sysv4 && exit 0 ;;
+ m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+ echo m68k-unknown-lynxos${UNAME_RELEASE}
+ exit 0 ;;
+ mc68030:UNIX_System_V:4.*:*)
+ echo m68k-atari-sysv4
+ exit 0 ;;
+ TSUNAMI:LynxOS:2.*:*)
+ echo sparc-unknown-lynxos${UNAME_RELEASE}
+ exit 0 ;;
+ rs6000:LynxOS:2.*:*)
+ echo rs6000-unknown-lynxos${UNAME_RELEASE}
+ exit 0 ;;
+ PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+ echo powerpc-unknown-lynxos${UNAME_RELEASE}
+ exit 0 ;;
+ SM[BE]S:UNIX_SV:*:*)
+ echo mips-dde-sysv${UNAME_RELEASE}
+ exit 0 ;;
+ RM*:ReliantUNIX-*:*:*)
+ echo mips-sni-sysv4
+ exit 0 ;;
+ RM*:SINIX-*:*:*)
+ echo mips-sni-sysv4
+ exit 0 ;;
+ *:SINIX-*:*:*)
+ if uname -p 2>/dev/null >/dev/null ; then
+ UNAME_MACHINE=`(uname -p) 2>/dev/null`
+ echo ${UNAME_MACHINE}-sni-sysv4
+ else
+ echo ns32k-sni-sysv
+ fi
+ exit 0 ;;
+ PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+ # says <Richard.M.Bartel@ccMail.Census.GOV>
+ echo i586-unisys-sysv4
+ exit 0 ;;
+ *:UNIX_System_V:4*:FTX*)
+ # From Gerald Hewes <hewes@openmarket.com>.
+ # How about differentiating between stratus architectures? -djm
+ echo hppa1.1-stratus-sysv4
+ exit 0 ;;
+ *:*:*:FTX*)
+ # From seanf@swdc.stratus.com.
+ echo i860-stratus-sysv4
+ exit 0 ;;
+ *:VOS:*:*)
+ # From Paul.Green@stratus.com.
+ echo hppa1.1-stratus-vos
+ exit 0 ;;
+ mc68*:A/UX:*:*)
+ echo m68k-apple-aux${UNAME_RELEASE}
+ exit 0 ;;
+ news*:NEWS-OS:6*:*)
+ echo mips-sony-newsos6
+ exit 0 ;;
+ R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+ if [ -d /usr/nec ]; then
+ echo mips-nec-sysv${UNAME_RELEASE}
+ else
+ echo mips-unknown-sysv${UNAME_RELEASE}
+ fi
+ exit 0 ;;
+ BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
+ echo powerpc-be-beos
+ exit 0 ;;
+ BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
+ echo powerpc-apple-beos
+ exit 0 ;;
+ BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
+ echo i586-pc-beos
+ exit 0 ;;
+ SX-4:SUPER-UX:*:*)
+ echo sx4-nec-superux${UNAME_RELEASE}
+ exit 0 ;;
+ SX-5:SUPER-UX:*:*)
+ echo sx5-nec-superux${UNAME_RELEASE}
+ exit 0 ;;
+ SX-6:SUPER-UX:*:*)
+ echo sx6-nec-superux${UNAME_RELEASE}
+ exit 0 ;;
+ Power*:Rhapsody:*:*)
+ echo powerpc-apple-rhapsody${UNAME_RELEASE}
+ exit 0 ;;
+ *:Rhapsody:*:*)
+ echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+ exit 0 ;;
+ *:Darwin:*:*)
+ case `uname -p` in
+ *86) UNAME_PROCESSOR=i686 ;;
+ powerpc) UNAME_PROCESSOR=powerpc ;;
+ esac
+ echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+ exit 0 ;;
+ *:procnto*:*:* | *:QNX:[0123456789]*:*)
+ UNAME_PROCESSOR=`uname -p`
+ if test "$UNAME_PROCESSOR" = "x86"; then
+ UNAME_PROCESSOR=i386
+ UNAME_MACHINE=pc
+ fi
+ echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+ exit 0 ;;
+ *:QNX:*:4*)
+ echo i386-pc-qnx
+ exit 0 ;;
+ NSR-[DGKLNPTVW]:NONSTOP_KERNEL:*:*)
+ echo nsr-tandem-nsk${UNAME_RELEASE}
+ exit 0 ;;
+ *:NonStop-UX:*:*)
+ echo mips-compaq-nonstopux
+ exit 0 ;;
+ BS2000:POSIX*:*:*)
+ echo bs2000-siemens-sysv
+ exit 0 ;;
+ DS/*:UNIX_System_V:*:*)
+ echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+ exit 0 ;;
+ *:Plan9:*:*)
+ # "uname -m" is not consistent, so use $cputype instead. 386
+ # is converted to i386 for consistency with other x86
+ # operating systems.
+ if test "$cputype" = "386"; then
+ UNAME_MACHINE=i386
+ else
+ UNAME_MACHINE="$cputype"
+ fi
+ echo ${UNAME_MACHINE}-unknown-plan9
+ exit 0 ;;
+ *:TOPS-10:*:*)
+ echo pdp10-unknown-tops10
+ exit 0 ;;
+ *:TENEX:*:*)
+ echo pdp10-unknown-tenex
+ exit 0 ;;
+ KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
+ echo pdp10-dec-tops20
+ exit 0 ;;
+ XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
+ echo pdp10-xkl-tops20
+ exit 0 ;;
+ *:TOPS-20:*:*)
+ echo pdp10-unknown-tops20
+ exit 0 ;;
+ *:ITS:*:*)
+ echo pdp10-unknown-its
+ exit 0 ;;
+ SEI:*:*:SEIUX)
+ echo mips-sei-seiux${UNAME_RELEASE}
+ exit 0 ;;
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+eval $set_cc_for_build
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+ /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
+ I don't know.... */
+ printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+ printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+ "4"
+#else
+ ""
+#endif
+ ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+ printf ("arm-acorn-riscix"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+ printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+ int version;
+ version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+ if (version < 4)
+ printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+ else
+ printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+ exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+ printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+ printf ("ns32k-encore-mach\n"); exit (0);
+#else
+ printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+ printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+ printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+ printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+ struct utsname un;
+
+ uname(&un);
+
+ if (strncmp(un.version, "V2", 2) == 0) {
+ printf ("i386-sequent-ptx2\n"); exit (0);
+ }
+ if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+ printf ("i386-sequent-ptx1\n"); exit (0);
+ }
+ printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+# if !defined (ultrix)
+# include <sys/param.h>
+# if defined (BSD)
+# if BSD == 43
+ printf ("vax-dec-bsd4.3\n"); exit (0);
+# else
+# if BSD == 199006
+ printf ("vax-dec-bsd4.3reno\n"); exit (0);
+# else
+ printf ("vax-dec-bsd\n"); exit (0);
+# endif
+# endif
+# else
+ printf ("vax-dec-bsd\n"); exit (0);
+# endif
+# else
+ printf ("vax-dec-ultrix\n"); exit (0);
+# endif
+#endif
+
+#if defined (alliant) && defined (i860)
+ printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+ exit (1);
+}
+EOF
+
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+ case `getsysinfo -f cpu_type` in
+ c1*)
+ echo c1-convex-bsd
+ exit 0 ;;
+ c2*)
+ if getsysinfo -f scalar_acc
+ then echo c32-convex-bsd
+ else echo c2-convex-bsd
+ fi
+ exit 0 ;;
+ c34*)
+ echo c34-convex-bsd
+ exit 0 ;;
+ c38*)
+ echo c38-convex-bsd
+ exit 0 ;;
+ c4*)
+ echo c4-convex-bsd
+ exit 0 ;;
+ esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+This script, last modified $timestamp, has failed to recognize
+the operating system you are using. It is advised that you
+download the most up to date version of the config scripts from
+
+ ftp://ftp.gnu.org/pub/gnu/config/
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo = `(hostinfo) 2>/dev/null`
+/bin/universe = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
#! /bin/sh
-# Configuration validation subroutine script, version 1.1.
-# Copyright (C) 1991, 92, 93, 94, 95, 1996 Free Software Foundation, Inc.
+# Configuration validation subroutine script.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+
+timestamp='2003-07-04'
+
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
# can handle that machine. It does not imply ALL GNU software can.
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
+# Please send patches to <config-patches@gnu.org>. Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
# Configuration subroutine to validate and canonicalize a configuration type.
# Supply the specified configuration type as an argument.
# If it is invalid, we print an error message on stderr and exit with code 1.
# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
# It is wrong to echo any other type of specification.
-if [ x$1 = x ]
-then
- echo Configuration name missing. 1>&2
- echo "Usage: $0 CPU-MFR-OPSYS" 1>&2
- echo "or $0 ALIAS" 1>&2
- echo where ALIAS is a recognized configuration type. 1>&2
- exit 1
-fi
+me=`echo "$0" | sed -e 's,.*/,,'`
-# First pass through any local machine types.
-case $1 in
- *local*)
- echo $1
- exit 0
- ;;
- *)
- ;;
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+ $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -t, --time-stamp print date of last modification, then exit
+ -v, --version print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case $1 in
+ --time-stamp | --time* | -t )
+ echo "$timestamp" ; exit 0 ;;
+ --version | -v )
+ echo "$version" ; exit 0 ;;
+ --help | --h* | -h )
+ echo "$usage"; exit 0 ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ echo "$me: invalid option $1$help"
+ exit 1 ;;
+
+ *local*)
+ # First pass through any local machine types.
+ echo $1
+ exit 0;;
+
+ * )
+ break ;;
+ esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+ exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+ exit 1;;
esac
# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
# Here we must recognize all the valid KERNEL-OS combinations.
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
- linux-gnu*)
+ nto-qnx* | linux-gnu* | kfreebsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
;;
-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
- -apple)
+ -apple | -axis)
+ os=
+ basic_machine=$1
+ ;;
+ -sim | -cisco | -oki | -wec | -winbond)
os=
basic_machine=$1
;;
+ -scout)
+ ;;
+ -wrs)
+ os=-vxworks
+ basic_machine=$1
+ ;;
+ -chorusos*)
+ os=-chorusos
+ basic_machine=$1
+ ;;
+ -chorusrdb)
+ os=-chorusrdb
+ basic_machine=$1
+ ;;
-hiux*)
os=-hiuxwe2
;;
-sco5)
- os=sco3.2v5
+ os=-sco3.2v5
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
;;
-sco4)
os=-sco3.2v2
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
;;
+ -udk*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
-isc)
os=-isc2.2
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-psos*)
os=-psos
;;
+ -mint | -mint[0-9]*)
+ basic_machine=m68k-atari
+ os=-mint
+ ;;
esac
# Decode aliases for certain CPU-COMPANY combinations.
case $basic_machine in
# Recognize the basic CPU types without company name.
# Some are omitted here because they have special meanings below.
- tahoe | i860 | m68k | m68000 | m88k | ns32k | arm \
- | arme[lb] | pyramid \
- | tron | a29k | 580 | i960 | h8300 | hppa | hppa1.0 | hppa1.1 \
- | alpha | we32k | ns16k | clipper | i370 | sh \
- | powerpc | powerpcle | 1750a | dsp16xx | mips64 | mipsel \
- | pdp11 | mips64el | mips64orion | mips64orionel \
- | sparc | sparclet | sparclite | sparc64)
+ 1750a | 580 \
+ | a29k \
+ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+ | c4x | clipper \
+ | d10v | d30v | dlx | dsp16xx \
+ | fr30 | frv \
+ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+ | i370 | i860 | i960 | ia64 \
+ | ip2k \
+ | m32r | m68000 | m68k | m88k | mcore \
+ | mips | mipsbe | mipseb | mipsel | mipsle \
+ | mips16 \
+ | mips64 | mips64el \
+ | mips64vr | mips64vrel \
+ | mips64orion | mips64orionel \
+ | mips64vr4100 | mips64vr4100el \
+ | mips64vr4300 | mips64vr4300el \
+ | mips64vr5000 | mips64vr5000el \
+ | mipsisa32 | mipsisa32el \
+ | mipsisa32r2 | mipsisa32r2el \
+ | mipsisa64 | mipsisa64el \
+ | mipsisa64sb1 | mipsisa64sb1el \
+ | mipsisa64sr71k | mipsisa64sr71kel \
+ | mipstx39 | mipstx39el \
+ | mn10200 | mn10300 \
+ | msp430 \
+ | ns16k | ns32k \
+ | openrisc | or32 \
+ | pdp10 | pdp11 | pj | pjl \
+ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+ | pyramid \
+ | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+ | sh64 | sh64le \
+ | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
+ | strongarm \
+ | tahoe | thumb | tic4x | tic80 | tron \
+ | v850 | v850e \
+ | we32k \
+ | x86 | xscale | xstormy16 | xtensa \
+ | z8k)
basic_machine=$basic_machine-unknown
;;
+ m6811 | m68hc11 | m6812 | m68hc12)
+ # Motorola 68HC11/12.
+ basic_machine=$basic_machine-unknown
+ os=-none
+ ;;
+ m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+ ;;
+
# We use `pc' rather than `unknown'
# because (1) that's what they normally are, and
# (2) the word "unknown" tends to confuse beginning users.
- i[3456]86)
+ i*86 | x86_64)
basic_machine=$basic_machine-pc
;;
# Object if more than one company name word.
exit 1
;;
# Recognize the basic CPU types with company name.
- vax-* | tahoe-* | i[3456]86-* | i860-* | m68k-* | m68000-* | m88k-* \
- | sparc-* | ns32k-* | fx80-* | arm-* | c[123]* \
- | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* | power-* \
- | none-* | 580-* | cray2-* | h8300-* | i960-* | xmp-* | ymp-* \
- | hppa-* | hppa1.0-* | hppa1.1-* | alpha-* | we32k-* | cydra-* | ns16k-* \
- | pn-* | np1-* | xps100-* | clipper-* | orion-* | sparclite-* \
- | pdp11-* | sh-* | powerpc-* | powerpcle-* | sparc64-* | mips64-* | mipsel-* \
- | mips64el-* | mips64orion-* | mips64orionel-* | f301-*)
+ 580-* \
+ | a29k-* \
+ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+ | alphapca5[67]-* | alpha64pca5[67]-* | amd64-* | arc-* \
+ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
+ | avr-* \
+ | bs2000-* \
+ | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+ | clipper-* | cydra-* \
+ | d10v-* | d30v-* | dlx-* \
+ | elxsi-* \
+ | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+ | h8300-* | h8500-* \
+ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+ | i*86-* | i860-* | i960-* | ia64-* \
+ | ip2k-* \
+ | m32r-* \
+ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+ | m88110-* | m88k-* | mcore-* \
+ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+ | mips16-* \
+ | mips64-* | mips64el-* \
+ | mips64vr-* | mips64vrel-* \
+ | mips64orion-* | mips64orionel-* \
+ | mips64vr4100-* | mips64vr4100el-* \
+ | mips64vr4300-* | mips64vr4300el-* \
+ | mips64vr5000-* | mips64vr5000el-* \
+ | mipsisa32-* | mipsisa32el-* \
+ | mipsisa32r2-* | mipsisa32r2el-* \
+ | mipsisa64-* | mipsisa64el-* \
+ | mipsisa64sb1-* | mipsisa64sb1el-* \
+ | mipsisa64sr71k-* | mipsisa64sr71kel-* \
+ | mipstx39-* | mipstx39el-* \
+ | msp430-* \
+ | none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
+ | orion-* \
+ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+ | pyramid-* \
+ | romp-* | rs6000-* \
+ | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
+ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+ | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
+ | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+ | tahoe-* | thumb-* \
+ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+ | tron-* \
+ | v850-* | v850e-* | vax-* \
+ | we32k-* \
+ | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
+ | xtensa-* \
+ | ymp-* \
+ | z8k-*)
;;
# Recognize the various machine names and aliases which stand
# for a CPU type and a company and sometimes even an OS.
+ 386bsd)
+ basic_machine=i386-unknown
+ os=-bsd
+ ;;
3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
basic_machine=m68000-att
;;
3b*)
basic_machine=we32k-att
;;
+ a29khif)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ adobe68k)
+ basic_machine=m68010-adobe
+ os=-scout
+ ;;
alliant | fx80)
basic_machine=fx80-alliant
;;
basic_machine=a29k-none
os=-bsd
;;
+ amd64)
+ basic_machine=x86_64-pc
+ ;;
amdahl)
basic_machine=580-amdahl
os=-sysv
;;
amiga | amiga-*)
- basic_machine=m68k-cbm
+ basic_machine=m68k-unknown
;;
- amigados)
- basic_machine=m68k-cbm
- os=-amigados
+ amigaos | amigados)
+ basic_machine=m68k-unknown
+ os=-amigaos
;;
amigaunix | amix)
- basic_machine=m68k-cbm
+ basic_machine=m68k-unknown
os=-sysv4
;;
apollo68)
basic_machine=m68k-apollo
os=-sysv
;;
+ apollo68bsd)
+ basic_machine=m68k-apollo
+ os=-bsd
+ ;;
aux)
basic_machine=m68k-apple
os=-aux
basic_machine=ns32k-sequent
os=-dynix
;;
+ c90)
+ basic_machine=c90-cray
+ os=-unicos
+ ;;
convex-c1)
basic_machine=c1-convex
os=-bsd
basic_machine=c38-convex
os=-bsd
;;
- cray | ymp)
- basic_machine=ymp-cray
- os=-unicos
- ;;
- cray2)
- basic_machine=cray2-cray
- os=-unicos
- ;;
- [ctj]90-cray)
- basic_machine=c90-cray
+ cray | j90)
+ basic_machine=j90-cray
os=-unicos
;;
crds | unos)
basic_machine=m68k-crds
;;
+ cris | cris-* | etrax*)
+ basic_machine=cris-axis
+ ;;
da30 | da30-*)
basic_machine=m68k-da30
;;
decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
basic_machine=mips-dec
;;
+ decsystem10* | dec10*)
+ basic_machine=pdp10-dec
+ os=-tops10
+ ;;
+ decsystem20* | dec20*)
+ basic_machine=pdp10-dec
+ os=-tops20
+ ;;
delta | 3300 | motorola-3300 | motorola-delta \
| 3300-motorola | delta-motorola)
basic_machine=m68k-motorola
encore | umax | mmax)
basic_machine=ns32k-encore
;;
+ es1800 | OSE68k | ose68k | ose | OSE)
+ basic_machine=m68k-ericsson
+ os=-ose
+ ;;
fx2800)
basic_machine=i860-alliant
;;
basic_machine=tron-gmicro
os=-sysv
;;
+ go32)
+ basic_machine=i386-pc
+ os=-go32
+ ;;
h3050r* | hiux*)
basic_machine=hppa1.1-hitachi
os=-hiuxwe2
basic_machine=h8300-hitachi
os=-hms
;;
+ h8300xray)
+ basic_machine=h8300-hitachi
+ os=-xray
+ ;;
+ h8500hms)
+ basic_machine=h8500-hitachi
+ os=-hms
+ ;;
harris)
basic_machine=m88k-harris
os=-sysv3
basic_machine=m68k-hp
os=-hpux
;;
+ hp3k9[0-9][0-9] | hp9[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
hp9k2[0-9][0-9] | hp9k31[0-9])
basic_machine=m68000-hp
;;
hp9k3[2-9][0-9])
basic_machine=m68k-hp
;;
- hp9k7[0-9][0-9] | hp7[0-9][0-9] | hp9k8[0-9]7 | hp8[0-9]7)
+ hp9k6[0-9][0-9] | hp6[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hp9k7[0-79][0-9] | hp7[0-79][0-9])
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k78[0-9] | hp78[0-9])
+ # FIXME: really hppa2.0-hp
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+ # FIXME: really hppa2.0-hp
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[0-9][13679] | hp8[0-9][13679])
basic_machine=hppa1.1-hp
;;
hp9k8[0-9][0-9] | hp8[0-9][0-9])
hppa-next)
os=-nextstep3
;;
+ hppaosf)
+ basic_machine=hppa1.1-hp
+ os=-osf
+ ;;
+ hppro)
+ basic_machine=hppa1.1-hp
+ os=-proelf
+ ;;
i370-ibm* | ibm*)
basic_machine=i370-ibm
- os=-mvs
;;
# I'm not sure what "Sysv32" means. Should this be sysv3.2?
- i[3456]86v32)
+ i*86v32)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv32
;;
- i[3456]86v4*)
+ i*86v4*)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv4
;;
- i[3456]86v)
+ i*86v)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv
;;
- i[3456]86sol2)
+ i*86sol2)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-solaris2
;;
+ i386mach)
+ basic_machine=i386-mach
+ os=-mach
+ ;;
+ i386-vsta | vsta)
+ basic_machine=i386-unknown
+ os=-vsta
+ ;;
iris | iris4d)
basic_machine=mips-sgi
case $os in
basic_machine=ns32k-utek
os=-sysv
;;
+ mingw32)
+ basic_machine=i386-pc
+ os=-mingw32
+ ;;
miniframe)
basic_machine=m68000-convergent
;;
+ *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+ basic_machine=m68k-atari
+ os=-mint
+ ;;
mips3*-*)
basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
;;
mips3*)
basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
;;
+ mmix*)
+ basic_machine=mmix-knuth
+ os=-mmixware
+ ;;
+ monitor)
+ basic_machine=m68k-rom68k
+ os=-coff
+ ;;
+ morphos)
+ basic_machine=powerpc-unknown
+ os=-morphos
+ ;;
+ msdos)
+ basic_machine=i386-pc
+ os=-msdos
+ ;;
+ mvs)
+ basic_machine=i370-ibm
+ os=-mvs
+ ;;
ncr3000)
basic_machine=i486-ncr
os=-sysv4
;;
+ netbsd386)
+ basic_machine=i386-unknown
+ os=-netbsd
+ ;;
+ netwinder)
+ basic_machine=armv4l-rebel
+ os=-linux
+ ;;
news | news700 | news800 | news900)
basic_machine=m68k-sony
os=-newsos
basic_machine=mips-sony
os=-newsos
;;
+ necv70)
+ basic_machine=v70-nec
+ os=-sysv
+ ;;
next | m*-next )
basic_machine=m68k-next
case $os in
basic_machine=i960-intel
os=-nindy
;;
+ mon960)
+ basic_machine=i960-intel
+ os=-mon960
+ ;;
+ nonstopux)
+ basic_machine=mips-compaq
+ os=-nonstopux
+ ;;
np1)
basic_machine=np1-gould
;;
+ nv1)
+ basic_machine=nv1-cray
+ os=-unicosmp
+ ;;
+ nsr-tandem)
+ basic_machine=nsr-tandem
+ ;;
+ op50n-* | op60c-*)
+ basic_machine=hppa1.1-oki
+ os=-proelf
+ ;;
+ or32 | or32-*)
+ basic_machine=or32-unknown
+ os=-coff
+ ;;
+ OSE68000 | ose68000)
+ basic_machine=m68000-ericsson
+ os=-ose
+ ;;
+ os68k)
+ basic_machine=m68k-none
+ os=-os68k
+ ;;
pa-hitachi)
basic_machine=hppa1.1-hitachi
os=-hiuxwe2
pbb)
basic_machine=m68k-tti
;;
- pc532 | pc532-*)
+ pc532 | pc532-*)
basic_machine=ns32k-pc532
;;
- pentium | p5)
- basic_machine=i586-intel
+ pentium | p5 | k5 | k6 | nexgen | viac3)
+ basic_machine=i586-pc
+ ;;
+ pentiumpro | p6 | 6x86 | athlon | athlon_*)
+ basic_machine=i686-pc
;;
- pentiumpro | p6)
- basic_machine=i686-intel
+ pentiumii | pentium2 | pentiumiii | pentium3)
+ basic_machine=i686-pc
;;
- pentium-* | p5-*)
+ pentium4)
+ basic_machine=i786-pc
+ ;;
+ pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
- pentiumpro-* | p6-*)
+ pentiumpro-* | p6-* | 6x86-* | athlon-*)
basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
- k5)
- # We don't have specific support for AMD's K5 yet, so just call it a Pentium
- basic_machine=i586-amd
+ pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
+ basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
- nexen)
- # We don't have specific support for Nexgen yet, so just call it a Pentium
- basic_machine=i586-nexgen
+ pentium4-*)
+ basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
pn)
basic_machine=pn-gould
;;
- power) basic_machine=rs6000-ibm
+ power) basic_machine=power-ibm
;;
ppc) basic_machine=powerpc-unknown
- ;;
+ ;;
ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
ppcle | powerpclittle | ppc-le | powerpc-little)
basic_machine=powerpcle-unknown
- ;;
+ ;;
ppcle-* | powerpclittle-*)
basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
+ ppc64) basic_machine=powerpc64-unknown
+ ;;
+ ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+ basic_machine=powerpc64le-unknown
+ ;;
+ ppc64le-* | powerpc64little-*)
+ basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
ps2)
basic_machine=i386-ibm
;;
+ pw32)
+ basic_machine=i586-unknown
+ os=-pw32
+ ;;
+ rom68k)
+ basic_machine=m68k-rom68k
+ os=-coff
+ ;;
rm[46]00)
basic_machine=mips-siemens
;;
rtpc | rtpc-*)
basic_machine=romp-ibm
;;
+ s390 | s390-*)
+ basic_machine=s390-ibm
+ ;;
+ s390x | s390x-*)
+ basic_machine=s390x-ibm
+ ;;
+ sa29200)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ sb1)
+ basic_machine=mipsisa64sb1-unknown
+ ;;
+ sb1el)
+ basic_machine=mipsisa64sb1el-unknown
+ ;;
+ sei)
+ basic_machine=mips-sei
+ os=-seiux
+ ;;
sequent)
basic_machine=i386-sequent
;;
basic_machine=sh-hitachi
os=-hms
;;
+ sh64)
+ basic_machine=sh64-unknown
+ ;;
+ sparclite-wrs | simso-wrs)
+ basic_machine=sparclite-wrs
+ os=-vxworks
+ ;;
sps7)
basic_machine=m68k-bull
os=-sysv2
spur)
basic_machine=spur-unknown
;;
+ st2000)
+ basic_machine=m68k-tandem
+ ;;
+ stratus)
+ basic_machine=i860-stratus
+ os=-sysv4
+ ;;
sun2)
basic_machine=m68000-sun
;;
sun386 | sun386i | roadrunner)
basic_machine=i386-sun
;;
+ sv1)
+ basic_machine=sv1-cray
+ os=-unicos
+ ;;
symmetry)
basic_machine=i386-sequent
os=-dynix
;;
+ t3e)
+ basic_machine=alphaev5-cray
+ os=-unicos
+ ;;
+ t90)
+ basic_machine=t90-cray
+ os=-unicos
+ ;;
+ tic54x | c54x*)
+ basic_machine=tic54x-unknown
+ os=-coff
+ ;;
+ tic55x | c55x*)
+ basic_machine=tic55x-unknown
+ os=-coff
+ ;;
+ tic6x | c6x*)
+ basic_machine=tic6x-unknown
+ os=-coff
+ ;;
+ tx39)
+ basic_machine=mipstx39-unknown
+ ;;
+ tx39el)
+ basic_machine=mipstx39el-unknown
+ ;;
+ toad1)
+ basic_machine=pdp10-xkl
+ os=-tops20
+ ;;
tower | tower-32)
basic_machine=m68k-ncr
;;
basic_machine=a29k-nyu
os=-sym1
;;
+ v810 | necv810)
+ basic_machine=v810-nec
+ os=-none
+ ;;
vaxv)
basic_machine=vax-dec
os=-sysv
basic_machine=vax-dec
os=-vms
;;
- vpp*|vx|vx-*)
- basic_machine=f301-fujitsu
- ;;
+ vpp*|vx|vx-*)
+ basic_machine=f301-fujitsu
+ ;;
vxworks960)
basic_machine=i960-wrs
os=-vxworks
basic_machine=a29k-wrs
os=-vxworks
;;
- xmp)
- basic_machine=xmp-cray
- os=-unicos
+ w65*)
+ basic_machine=w65-wdc
+ os=-none
;;
- xps | xps100)
+ w89k-*)
+ basic_machine=hppa1.1-winbond
+ os=-proelf
+ ;;
+ xps | xps100)
basic_machine=xps100-honeywell
;;
+ ymp)
+ basic_machine=ymp-cray
+ os=-unicos
+ ;;
+ z8k-*-coff)
+ basic_machine=z8k-unknown
+ os=-sim
+ ;;
none)
basic_machine=none-none
os=-none
# Here we handle the default manufacturer of certain CPU types. It is in
# some cases the only manufacturer, in others, it is the most popular.
- mips)
- basic_machine=mips-mips
+ w89k)
+ basic_machine=hppa1.1-winbond
+ ;;
+ op50n)
+ basic_machine=hppa1.1-oki
+ ;;
+ op60c)
+ basic_machine=hppa1.1-oki
;;
romp)
basic_machine=romp-ibm
vax)
basic_machine=vax-dec
;;
+ pdp10)
+ # there are many clones, so DEC is not a safe bet
+ basic_machine=pdp10-unknown
+ ;;
pdp11)
basic_machine=pdp11-dec
;;
we32k)
basic_machine=we32k-att
;;
- sparc)
+ sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele)
+ basic_machine=sh-unknown
+ ;;
+ sh64)
+ basic_machine=sh64-unknown
+ ;;
+ sparc | sparcv9 | sparcv9b)
basic_machine=sparc-sun
;;
- cydra)
+ cydra)
basic_machine=cydra-cydrome
;;
orion)
orion105)
basic_machine=clipper-highlevel
;;
+ mac | mpw | mac-mpw)
+ basic_machine=m68k-apple
+ ;;
+ pmac | pmac-mpw)
+ basic_machine=powerpc-apple
+ ;;
+ *-unknown)
+ # Make sure to match an already-canonicalized machine name.
+ ;;
*)
echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
exit 1
-solaris)
os=-solaris2
;;
- -unixware* | svr4*)
+ -svr4*)
os=-sysv4
;;
+ -unixware*)
+ os=-sysv4.2uw
+ ;;
-gnu/linux*)
os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
;;
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
| -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
- | -amigados* | -msdos* | -newsos* | -unicos* | -aof* | -aos* \
+ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+ | -aos* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
- | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \
- | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* \
+ | -hiux* | -386bsd* | -netbsd* | -openbsd* | -kfreebsd* | -freebsd* | -riscix* \
+ | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
- | -cygwin32* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
- | -linux-gnu* | -uxpv*)
+ | -chorusos* | -chorusrdb* \
+ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+ | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
+ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+ | -powermax* | -dnix* | -nx6 | -nx7 | -sei*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
+ -qnx*)
+ case $basic_machine in
+ x86-* | i*86-*)
+ ;;
+ *)
+ os=-nto$os
+ ;;
+ esac
+ ;;
+ -nto-qnx*)
+ ;;
+ -nto*)
+ os=`echo $os | sed -e 's|nto|nto-qnx|'`
+ ;;
+ -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+ | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
+ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+ ;;
+ -mac*)
+ os=`echo $os | sed -e 's|mac|macos|'`
+ ;;
-linux*)
os=`echo $os | sed -e 's|linux|linux-gnu|'`
;;
-sunos6*)
os=`echo $os | sed -e 's|sunos6|solaris3|'`
;;
+ -opened*)
+ os=-openedition
+ ;;
+ -wince*)
+ os=-wince
+ ;;
-osfrose*)
os=-osfrose
;;
-acis*)
os=-aos
;;
+ -atheos*)
+ os=-atheos
+ ;;
+ -386bsd)
+ os=-bsd
+ ;;
-ctix* | -uts*)
os=-sysv
;;
+ -nova*)
+ os=-rtmk-nova
+ ;;
-ns2 )
- os=-nextstep2
+ os=-nextstep2
+ ;;
+ -nsk*)
+ os=-nsk
;;
# Preserve the version number of sinix5.
-sinix5.*)
# This must come after -sysvr4.
-sysv*)
;;
+ -ose*)
+ os=-ose
+ ;;
+ -es1800*)
+ os=-ose
+ ;;
-xenix)
os=-xenix
;;
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ os=-mint
+ ;;
+ -aros*)
+ os=-aros
+ ;;
+ -kaos*)
+ os=-kaos
+ ;;
-none)
;;
*)
*-acorn)
os=-riscix1.2
;;
+ arm*-rebel)
+ os=-linux
+ ;;
arm*-semi)
os=-aout
;;
- pdp11-*)
+ c4x-* | tic4x-*)
+ os=-coff
+ ;;
+ # This must come before the *-dec entry.
+ pdp10-*)
+ os=-tops20
+ ;;
+ pdp11-*)
os=-none
;;
*-dec | vax-*)
# default.
# os=-sunos4
;;
+ m68*-cisco)
+ os=-aout
+ ;;
+ mips*-cisco)
+ os=-elf
+ ;;
+ mips*-*)
+ os=-elf
+ ;;
+ or32-*)
+ os=-coff
+ ;;
*-tti) # must be before sparc entry or we get the wrong os.
os=-sysv3
;;
sparc-* | *-sun)
os=-sunos4.1.1
;;
+ *-be)
+ os=-beos
+ ;;
*-ibm)
os=-aix
;;
+ *-wec)
+ os=-proelf
+ ;;
+ *-winbond)
+ os=-proelf
+ ;;
+ *-oki)
+ os=-proelf
+ ;;
*-hp)
os=-hpux
;;
os=-sysv
;;
*-cbm)
- os=-amigados
+ os=-amigaos
;;
*-dg)
os=-dgux
*-next)
os=-nextstep3
;;
- *-gould)
+ *-gould)
os=-sysv
;;
- *-highlevel)
+ *-highlevel)
os=-bsd
;;
*-encore)
os=-bsd
;;
- *-sgi)
+ *-sgi)
os=-irix
;;
- *-siemens)
+ *-siemens)
os=-sysv4
;;
*-masscomp)
os=-rtu
;;
- f301-fujitsu)
+ f30[01]-fujitsu | f700-fujitsu)
os=-uxpv
;;
+ *-rom68k)
+ os=-coff
+ ;;
+ *-*bug)
+ os=-coff
+ ;;
+ *-apple)
+ os=-macos
+ ;;
+ *-atari*)
+ os=-mint
+ ;;
*)
os=-none
;;
-aix*)
vendor=ibm
;;
+ -beos*)
+ vendor=be
+ ;;
-hpux*)
vendor=hp
;;
+ -mpeix*)
+ vendor=hp
+ ;;
-hiux*)
vendor=hitachi
;;
-genix*)
vendor=ns
;;
- -mvs*)
+ -mvs* | -opened*)
vendor=ibm
;;
-ptx*)
vendor=sequent
;;
- -vxsim* | -vxworks*)
+ -vxsim* | -vxworks* | -windiss*)
vendor=wrs
;;
-aux*)
vendor=apple
;;
+ -hms*)
+ vendor=hitachi
+ ;;
+ -mpw* | -macos*)
+ vendor=apple
+ ;;
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ vendor=atari
+ ;;
+ -vos*)
+ vendor=stratus
+ ;;
esac
basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
;;
esac
echo $basic_machine$os
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
--- /dev/null
+#! /bin/sh
+# From configure.in @(#) Id (LBL).
+# Guess values for system-dependent variables and create Makefiles.
+# Generated by GNU Autoconf 2.62.
+#
+# Copyright (c) 1995, 1996, 1997, 2006, 2009
+# The Regents of the University of California. All rights reserved.
+#
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+# 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+## --------------------- ##
+## M4sh Initialization. ##
+## --------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+as_nl='
+'
+export as_nl
+# Printing a long string crashes Solaris 7 /usr/bin/printf.
+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
+if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
+ as_echo='printf %s\n'
+ as_echo_n='printf %s'
+else
+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
+ as_echo_n='/usr/ucb/echo -n'
+ else
+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
+ as_echo_n_body='eval
+ arg=$1;
+ case $arg in
+ *"$as_nl"*)
+ expr "X$arg" : "X\\(.*\\)$as_nl";
+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
+ esac;
+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
+ '
+ export as_echo_n_body
+ as_echo_n='sh -c $as_echo_n_body as_echo'
+ fi
+ export as_echo_body
+ as_echo='sh -c $as_echo_body as_echo'
+fi
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+ PATH_SEPARATOR=:
+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
+ PATH_SEPARATOR=';'
+ }
+fi
+
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+ as_unset=unset
+else
+ as_unset=false
+fi
+
+
+# IFS
+# We need space, tab and new line, in precisely that order. Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+IFS=" "" $as_nl"
+
+# Find who we are. Look in the path if we contain no directory separator.
+case $0 in
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+ ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+ as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+ { (exit 1); exit 1; }
+fi
+
+# Work around bugs in pre-3.0 UWIN ksh.
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+LC_ALL=C
+export LC_ALL
+LANGUAGE=C
+export LANGUAGE
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+ as_basename=basename
+else
+ as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X/"$0" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+
+# CDPATH.
+$as_unset CDPATH
+
+
+if test "x$CONFIG_SHELL" = x; then
+ if (eval ":") 2>/dev/null; then
+ as_have_required=yes
+else
+ as_have_required=no
+fi
+
+ if test $as_have_required = yes && (eval ":
+(as_func_return () {
+ (exit \$1)
+}
+as_func_success () {
+ as_func_return 0
+}
+as_func_failure () {
+ as_func_return 1
+}
+as_func_ret_success () {
+ return 0
+}
+as_func_ret_failure () {
+ return 1
+}
+
+exitcode=0
+if as_func_success; then
+ :
+else
+ exitcode=1
+ echo as_func_success failed.
+fi
+
+if as_func_failure; then
+ exitcode=1
+ echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+ :
+else
+ exitcode=1
+ echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+ exitcode=1
+ echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+ :
+else
+ exitcode=1
+ echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0) || { (exit 1); exit 1; }
+
+(
+ as_lineno_1=\$LINENO
+ as_lineno_2=\$LINENO
+ test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
+ test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
+") 2> /dev/null; then
+ :
+else
+ as_candidate_shells=
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ case $as_dir in
+ /*)
+ for as_base in sh bash ksh sh5; do
+ as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
+ done;;
+ esac
+done
+IFS=$as_save_IFS
+
+
+ for as_shell in $as_candidate_shells $SHELL; do
+ # Try only shells that exist, to save several forks.
+ if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+ { ("$as_shell") 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+_ASEOF
+}; then
+ CONFIG_SHELL=$as_shell
+ as_have_required=yes
+ if { "$as_shell" 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+(as_func_return () {
+ (exit $1)
+}
+as_func_success () {
+ as_func_return 0
+}
+as_func_failure () {
+ as_func_return 1
+}
+as_func_ret_success () {
+ return 0
+}
+as_func_ret_failure () {
+ return 1
+}
+
+exitcode=0
+if as_func_success; then
+ :
+else
+ exitcode=1
+ echo as_func_success failed.
+fi
+
+if as_func_failure; then
+ exitcode=1
+ echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+ :
+else
+ exitcode=1
+ echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+ exitcode=1
+ echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = "$1" ); then
+ :
+else
+ exitcode=1
+ echo positional parameters were not saved.
+fi
+
+test $exitcode = 0) || { (exit 1); exit 1; }
+
+(
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
+
+_ASEOF
+}; then
+ break
+fi
+
+fi
+
+ done
+
+ if test "x$CONFIG_SHELL" != x; then
+ for as_var in BASH_ENV ENV
+ do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+ done
+ export CONFIG_SHELL
+ exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+fi
+
+
+ if test $as_have_required = no; then
+ echo This script requires a shell more modern than all the
+ echo shells that I found on your system. Please install a
+ echo modern shell, or manually run the script under such a
+ echo shell if you do have one.
+ { (exit 1); exit 1; }
+fi
+
+
+fi
+
+fi
+
+
+
+(eval "as_func_return () {
+ (exit \$1)
+}
+as_func_success () {
+ as_func_return 0
+}
+as_func_failure () {
+ as_func_return 1
+}
+as_func_ret_success () {
+ return 0
+}
+as_func_ret_failure () {
+ return 1
+}
+
+exitcode=0
+if as_func_success; then
+ :
+else
+ exitcode=1
+ echo as_func_success failed.
+fi
+
+if as_func_failure; then
+ exitcode=1
+ echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+ :
+else
+ exitcode=1
+ echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+ exitcode=1
+ echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+ :
+else
+ exitcode=1
+ echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0") || {
+ echo No shell found that supports shell functions.
+ echo Please tell bug-autoconf@gnu.org about your system,
+ echo including any error possibly output before this message.
+ echo This can help us improve future autoconf versions.
+ echo Configuration will now proceed without shell functions.
+}
+
+
+
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+
+ # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+ # uniformly replaced by the line number. The first 'sed' inserts a
+ # line-number line after each line using $LINENO; the second 'sed'
+ # does the real work. The second script uses 'N' to pair each
+ # line-number line with the line containing $LINENO, and appends
+ # trailing '-' during substitution so that $LINENO is not a special
+ # case at line end.
+ # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+ # scripts with optimization help from Paolo Bonzini. Blame Lee
+ # E. McMahon (1931-1989) for sed's syntax. :-)
+ sed -n '
+ p
+ /[$]LINENO/=
+ ' <$as_myself |
+ sed '
+ s/[$]LINENO.*/&-/
+ t lineno
+ b
+ :lineno
+ N
+ :loop
+ s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+ t loop
+ s/-\n.*//
+ ' >$as_me.lineno &&
+ chmod +x "$as_me.lineno" ||
+ { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+ { (exit 1); exit 1; }; }
+
+ # Don't try to exec as it changes $[0], causing all sort of problems
+ # (the dirname of $[0] is not the place where we might find the
+ # original and so on. Autoconf is especially sensitive to this).
+ . "./$as_me.lineno"
+ # Exit status is that of the last command.
+ exit
+}
+
+
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+ as_dirname=dirname
+else
+ as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+ case `echo 'x\c'` in
+ *c*) ECHO_T=' ';; # ECHO_T is single tab character.
+ *) ECHO_C='\c';;
+ esac;;
+*)
+ ECHO_N='-n';;
+esac
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+ rm -f conf$$.dir/conf$$.file
+else
+ rm -f conf$$.dir
+ mkdir conf$$.dir 2>/dev/null
+fi
+if (echo >conf$$.file) 2>/dev/null; then
+ if ln -s conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s='ln -s'
+ # ... but there are two gotchas:
+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+ # In both cases, we have to default to `cp -p'.
+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+ as_ln_s='cp -p'
+ elif ln conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s=ln
+ else
+ as_ln_s='cp -p'
+ fi
+else
+ as_ln_s='cp -p'
+fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
+
+if mkdir -p . 2>/dev/null; then
+ as_mkdir_p=:
+else
+ test -d ./-p && rmdir ./-p
+ as_mkdir_p=false
+fi
+
+if test -x / >/dev/null 2>&1; then
+ as_test_x='test -x'
+else
+ if ls -dL / >/dev/null 2>&1; then
+ as_ls_L_option=L
+ else
+ as_ls_L_option=
+ fi
+ as_test_x='
+ eval sh -c '\''
+ if test -d "$1"; then
+ test -d "$1/.";
+ else
+ case $1 in
+ -*)set "./$1";;
+ esac;
+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+ ???[sx]*):;;*)false;;esac;fi
+ '\'' sh
+ '
+fi
+as_executable_p=$as_test_x
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+
+exec 7<&0 </dev/null 6>&1
+
+# Name of the host.
+# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
+# so uname gets run too.
+ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+
+#
+# Initializations.
+#
+ac_default_prefix=/usr/local
+ac_clean_files=
+ac_config_libobj_dir=.
+LIBOBJS=
+cross_compiling=no
+subdirs=
+MFLAGS=
+MAKEFLAGS=
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+# Identity of this package.
+PACKAGE_NAME=
+PACKAGE_TARNAME=
+PACKAGE_VERSION=
+PACKAGE_STRING=
+PACKAGE_BUGREPORT=
+
+ac_unique_file="nslint.c"
+# Factoring default headers for most tests.
+ac_includes_default="\
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+# include <stdlib.h>
+# endif
+#endif
+#ifdef HAVE_STRING_H
+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
+# include <memory.h>
+# endif
+# include <string.h>
+#endif
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif"
+
+ac_subst_vars='SHELL
+PATH_SEPARATOR
+PACKAGE_NAME
+PACKAGE_TARNAME
+PACKAGE_VERSION
+PACKAGE_STRING
+PACKAGE_BUGREPORT
+exec_prefix
+prefix
+program_transform_name
+bindir
+sbindir
+libexecdir
+datarootdir
+datadir
+sysconfdir
+sharedstatedir
+localstatedir
+includedir
+oldincludedir
+docdir
+infodir
+htmldir
+dvidir
+pdfdir
+psdir
+libdir
+localedir
+mandir
+DEFS
+ECHO_C
+ECHO_N
+ECHO_T
+LIBS
+build_alias
+host_alias
+target_alias
+build
+build_cpu
+build_vendor
+build_os
+host
+host_cpu
+host_vendor
+host_os
+target
+target_cpu
+target_vendor
+target_os
+CC
+CFLAGS
+LDFLAGS
+CPPFLAGS
+ac_ct_CC
+EXEEXT
+OBJEXT
+CPP
+GREP
+EGREP
+SHLICC2
+INSTALL_PROGRAM
+INSTALL_SCRIPT
+INSTALL_DATA
+LIBOBJS
+V_CCOPT
+V_INCLS
+LTLIBOBJS'
+ac_subst_files=''
+ac_user_opts='
+enable_option_checking
+enable_optimization
+with_gcc
+enable_largefile
+'
+ ac_precious_vars='build_alias
+host_alias
+target_alias
+CC
+CFLAGS
+LDFLAGS
+LIBS
+CPPFLAGS
+CPP'
+
+
+# Initialize some variables set by options.
+ac_init_help=
+ac_init_version=false
+ac_unrecognized_opts=
+ac_unrecognized_sep=
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+cache_file=/dev/null
+exec_prefix=NONE
+no_create=
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+verbose=
+x_includes=NONE
+x_libraries=NONE
+
+# Installation directory options.
+# These are left unexpanded so users can "make install exec_prefix=/foo"
+# and all the variables that are supposed to be based on exec_prefix
+# by default will actually change.
+# Use braces instead of parens because sh, perl, etc. also accept them.
+# (The list follows the same order as the GNU Coding Standards.)
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datarootdir='${prefix}/share'
+datadir='${datarootdir}'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+docdir='${datarootdir}/doc/${PACKAGE}'
+infodir='${datarootdir}/info'
+htmldir='${docdir}'
+dvidir='${docdir}'
+pdfdir='${docdir}'
+psdir='${docdir}'
+libdir='${exec_prefix}/lib'
+localedir='${datarootdir}/locale'
+mandir='${datarootdir}/man'
+
+ac_prev=
+ac_dashdash=
+for ac_option
+do
+ # If the previous option needs an argument, assign it.
+ if test -n "$ac_prev"; then
+ eval $ac_prev=\$ac_option
+ ac_prev=
+ continue
+ fi
+
+ case $ac_option in
+ *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+ *) ac_optarg=yes ;;
+ esac
+
+ # Accept the important Cygnus configure options, so we can diagnose typos.
+
+ case $ac_dashdash$ac_option in
+ --)
+ ac_dashdash=yes ;;
+
+ -bindir | --bindir | --bindi | --bind | --bin | --bi)
+ ac_prev=bindir ;;
+ -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+ bindir=$ac_optarg ;;
+
+ -build | --build | --buil | --bui | --bu)
+ ac_prev=build_alias ;;
+ -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+ build_alias=$ac_optarg ;;
+
+ -cache-file | --cache-file | --cache-fil | --cache-fi \
+ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+ ac_prev=cache_file ;;
+ -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+ cache_file=$ac_optarg ;;
+
+ --config-cache | -C)
+ cache_file=config.cache ;;
+
+ -datadir | --datadir | --datadi | --datad)
+ ac_prev=datadir ;;
+ -datadir=* | --datadir=* | --datadi=* | --datad=*)
+ datadir=$ac_optarg ;;
+
+ -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
+ | --dataroo | --dataro | --datar)
+ ac_prev=datarootdir ;;
+ -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
+ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
+ datarootdir=$ac_optarg ;;
+
+ -disable-* | --disable-*)
+ ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+ { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2
+ { (exit 1); exit 1; }; }
+ ac_useropt_orig=$ac_useropt
+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+ case $ac_user_opts in
+ *"
+"enable_$ac_useropt"
+"*) ;;
+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
+ ac_unrecognized_sep=', ';;
+ esac
+ eval enable_$ac_useropt=no ;;
+
+ -docdir | --docdir | --docdi | --doc | --do)
+ ac_prev=docdir ;;
+ -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
+ docdir=$ac_optarg ;;
+
+ -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
+ ac_prev=dvidir ;;
+ -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
+ dvidir=$ac_optarg ;;
+
+ -enable-* | --enable-*)
+ ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+ { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2
+ { (exit 1); exit 1; }; }
+ ac_useropt_orig=$ac_useropt
+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+ case $ac_user_opts in
+ *"
+"enable_$ac_useropt"
+"*) ;;
+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
+ ac_unrecognized_sep=', ';;
+ esac
+ eval enable_$ac_useropt=\$ac_optarg ;;
+
+ -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+ | --exec | --exe | --ex)
+ ac_prev=exec_prefix ;;
+ -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+ | --exec=* | --exe=* | --ex=*)
+ exec_prefix=$ac_optarg ;;
+
+ -gas | --gas | --ga | --g)
+ # Obsolete; use --with-gas.
+ with_gas=yes ;;
+
+ -help | --help | --hel | --he | -h)
+ ac_init_help=long ;;
+ -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
+ ac_init_help=recursive ;;
+ -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
+ ac_init_help=short ;;
+
+ -host | --host | --hos | --ho)
+ ac_prev=host_alias ;;
+ -host=* | --host=* | --hos=* | --ho=*)
+ host_alias=$ac_optarg ;;
+
+ -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
+ ac_prev=htmldir ;;
+ -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
+ | --ht=*)
+ htmldir=$ac_optarg ;;
+
+ -includedir | --includedir | --includedi | --included | --include \
+ | --includ | --inclu | --incl | --inc)
+ ac_prev=includedir ;;
+ -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+ | --includ=* | --inclu=* | --incl=* | --inc=*)
+ includedir=$ac_optarg ;;
+
+ -infodir | --infodir | --infodi | --infod | --info | --inf)
+ ac_prev=infodir ;;
+ -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+ infodir=$ac_optarg ;;
+
+ -libdir | --libdir | --libdi | --libd)
+ ac_prev=libdir ;;
+ -libdir=* | --libdir=* | --libdi=* | --libd=*)
+ libdir=$ac_optarg ;;
+
+ -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+ | --libexe | --libex | --libe)
+ ac_prev=libexecdir ;;
+ -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+ | --libexe=* | --libex=* | --libe=*)
+ libexecdir=$ac_optarg ;;
+
+ -localedir | --localedir | --localedi | --localed | --locale)
+ ac_prev=localedir ;;
+ -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
+ localedir=$ac_optarg ;;
+
+ -localstatedir | --localstatedir | --localstatedi | --localstated \
+ | --localstate | --localstat | --localsta | --localst | --locals)
+ ac_prev=localstatedir ;;
+ -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
+ localstatedir=$ac_optarg ;;
+
+ -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+ ac_prev=mandir ;;
+ -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+ mandir=$ac_optarg ;;
+
+ -nfp | --nfp | --nf)
+ # Obsolete; use --without-fp.
+ with_fp=no ;;
+
+ -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+ | --no-cr | --no-c | -n)
+ no_create=yes ;;
+
+ -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+ no_recursion=yes ;;
+
+ -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+ | --oldin | --oldi | --old | --ol | --o)
+ ac_prev=oldincludedir ;;
+ -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+ oldincludedir=$ac_optarg ;;
+
+ -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+ ac_prev=prefix ;;
+ -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+ prefix=$ac_optarg ;;
+
+ -program-prefix | --program-prefix | --program-prefi | --program-pref \
+ | --program-pre | --program-pr | --program-p)
+ ac_prev=program_prefix ;;
+ -program-prefix=* | --program-prefix=* | --program-prefi=* \
+ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+ program_prefix=$ac_optarg ;;
+
+ -program-suffix | --program-suffix | --program-suffi | --program-suff \
+ | --program-suf | --program-su | --program-s)
+ ac_prev=program_suffix ;;
+ -program-suffix=* | --program-suffix=* | --program-suffi=* \
+ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+ program_suffix=$ac_optarg ;;
+
+ -program-transform-name | --program-transform-name \
+ | --program-transform-nam | --program-transform-na \
+ | --program-transform-n | --program-transform- \
+ | --program-transform | --program-transfor \
+ | --program-transfo | --program-transf \
+ | --program-trans | --program-tran \
+ | --progr-tra | --program-tr | --program-t)
+ ac_prev=program_transform_name ;;
+ -program-transform-name=* | --program-transform-name=* \
+ | --program-transform-nam=* | --program-transform-na=* \
+ | --program-transform-n=* | --program-transform-=* \
+ | --program-transform=* | --program-transfor=* \
+ | --program-transfo=* | --program-transf=* \
+ | --program-trans=* | --program-tran=* \
+ | --progr-tra=* | --program-tr=* | --program-t=*)
+ program_transform_name=$ac_optarg ;;
+
+ -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
+ ac_prev=pdfdir ;;
+ -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
+ pdfdir=$ac_optarg ;;
+
+ -psdir | --psdir | --psdi | --psd | --ps)
+ ac_prev=psdir ;;
+ -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
+ psdir=$ac_optarg ;;
+
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil)
+ silent=yes ;;
+
+ -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+ ac_prev=sbindir ;;
+ -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+ | --sbi=* | --sb=*)
+ sbindir=$ac_optarg ;;
+
+ -sharedstatedir | --sharedstatedir | --sharedstatedi \
+ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+ | --sharedst | --shareds | --shared | --share | --shar \
+ | --sha | --sh)
+ ac_prev=sharedstatedir ;;
+ -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+ | --sha=* | --sh=*)
+ sharedstatedir=$ac_optarg ;;
+
+ -site | --site | --sit)
+ ac_prev=site ;;
+ -site=* | --site=* | --sit=*)
+ site=$ac_optarg ;;
+
+ -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+ ac_prev=srcdir ;;
+ -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+ srcdir=$ac_optarg ;;
+
+ -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+ | --syscon | --sysco | --sysc | --sys | --sy)
+ ac_prev=sysconfdir ;;
+ -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+ sysconfdir=$ac_optarg ;;
+
+ -target | --target | --targe | --targ | --tar | --ta | --t)
+ ac_prev=target_alias ;;
+ -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+ target_alias=$ac_optarg ;;
+
+ -v | -verbose | --verbose | --verbos | --verbo | --verb)
+ verbose=yes ;;
+
+ -version | --version | --versio | --versi | --vers | -V)
+ ac_init_version=: ;;
+
+ -with-* | --with-*)
+ ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+ { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2
+ { (exit 1); exit 1; }; }
+ ac_useropt_orig=$ac_useropt
+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+ case $ac_user_opts in
+ *"
+"with_$ac_useropt"
+"*) ;;
+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
+ ac_unrecognized_sep=', ';;
+ esac
+ eval with_$ac_useropt=\$ac_optarg ;;
+
+ -without-* | --without-*)
+ ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+ { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2
+ { (exit 1); exit 1; }; }
+ ac_useropt_orig=$ac_useropt
+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+ case $ac_user_opts in
+ *"
+"with_$ac_useropt"
+"*) ;;
+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
+ ac_unrecognized_sep=', ';;
+ esac
+ eval with_$ac_useropt=no ;;
+
+ --x)
+ # Obsolete; use --with-x.
+ with_x=yes ;;
+
+ -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+ | --x-incl | --x-inc | --x-in | --x-i)
+ ac_prev=x_includes ;;
+ -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+ x_includes=$ac_optarg ;;
+
+ -x-libraries | --x-libraries | --x-librarie | --x-librari \
+ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+ ac_prev=x_libraries ;;
+ -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+ x_libraries=$ac_optarg ;;
+
+ -*) { $as_echo "$as_me: error: unrecognized option: $ac_option
+Try \`$0 --help' for more information." >&2
+ { (exit 1); exit 1; }; }
+ ;;
+
+ *=*)
+ ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
+ { $as_echo "$as_me: error: invalid variable name: $ac_envvar" >&2
+ { (exit 1); exit 1; }; }
+ eval $ac_envvar=\$ac_optarg
+ export $ac_envvar ;;
+
+ *)
+ # FIXME: should be removed in autoconf 3.0.
+ $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+ expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+ : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+ ;;
+
+ esac
+done
+
+if test -n "$ac_prev"; then
+ ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+ { $as_echo "$as_me: error: missing argument to $ac_option" >&2
+ { (exit 1); exit 1; }; }
+fi
+
+if test -n "$ac_unrecognized_opts"; then
+ case $enable_option_checking in
+ no) ;;
+ fatal) { $as_echo "$as_me: error: Unrecognized options: $ac_unrecognized_opts" >&2
+ { (exit 1); exit 1; }; } ;;
+ *) $as_echo "$as_me: WARNING: Unrecognized options: $ac_unrecognized_opts" >&2 ;;
+ esac
+fi
+
+# Check all directory arguments for consistency.
+for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ datadir sysconfdir sharedstatedir localstatedir includedir \
+ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+ libdir localedir mandir
+do
+ eval ac_val=\$$ac_var
+ # Remove trailing slashes.
+ case $ac_val in
+ */ )
+ ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
+ eval $ac_var=\$ac_val;;
+ esac
+ # Be sure to have absolute directory names.
+ case $ac_val in
+ [\\/$]* | ?:[\\/]* ) continue;;
+ NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
+ esac
+ { $as_echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+ { (exit 1); exit 1; }; }
+done
+
+# There might be people who depend on the old broken behavior: `$host'
+# used to hold the argument of --host etc.
+# FIXME: To remove some day.
+build=$build_alias
+host=$host_alias
+target=$target_alias
+
+# FIXME: To remove some day.
+if test "x$host_alias" != x; then
+ if test "x$build_alias" = x; then
+ cross_compiling=maybe
+ $as_echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
+ If a cross compiler is detected then cross compile mode will be used." >&2
+ elif test "x$build_alias" != "x$host_alias"; then
+ cross_compiling=yes
+ fi
+fi
+
+ac_tool_prefix=
+test -n "$host_alias" && ac_tool_prefix=$host_alias-
+
+test "$silent" = yes && exec 6>/dev/null
+
+
+ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ac_ls_di=`ls -di .` &&
+ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+ { $as_echo "$as_me: error: Working directory cannot be determined" >&2
+ { (exit 1); exit 1; }; }
+test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+ { $as_echo "$as_me: error: pwd does not report name of working directory" >&2
+ { (exit 1); exit 1; }; }
+
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+ ac_srcdir_defaulted=yes
+ # Try the directory containing this script, then the parent directory.
+ ac_confdir=`$as_dirname -- "$as_myself" ||
+$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$as_myself" : 'X\(//\)[^/]' \| \
+ X"$as_myself" : 'X\(//\)$' \| \
+ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_myself" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ srcdir=$ac_confdir
+ if test ! -r "$srcdir/$ac_unique_file"; then
+ srcdir=..
+ fi
+else
+ ac_srcdir_defaulted=no
+fi
+if test ! -r "$srcdir/$ac_unique_file"; then
+ test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+ { $as_echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+ { (exit 1); exit 1; }; }
+fi
+ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ac_abs_confdir=`(
+ cd "$srcdir" && test -r "./$ac_unique_file" || { $as_echo "$as_me: error: $ac_msg" >&2
+ { (exit 1); exit 1; }; }
+ pwd)`
+# When building in place, set srcdir=.
+if test "$ac_abs_confdir" = "$ac_pwd"; then
+ srcdir=.
+fi
+# Remove unnecessary trailing slashes from srcdir.
+# Double slashes in file names in object file debugging info
+# mess up M-x gdb in Emacs.
+case $srcdir in
+*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
+esac
+for ac_var in $ac_precious_vars; do
+ eval ac_env_${ac_var}_set=\${${ac_var}+set}
+ eval ac_env_${ac_var}_value=\$${ac_var}
+ eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
+ eval ac_cv_env_${ac_var}_value=\$${ac_var}
+done
+
+#
+# Report the --help message.
+#
+if test "$ac_init_help" = "long"; then
+ # Omit some internal or obsolete options to make the list less imposing.
+ # This message is too long to be a string in the A/UX 3.1 sh.
+ cat <<_ACEOF
+\`configure' configures this package to adapt to many kinds of systems.
+
+Usage: $0 [OPTION]... [VAR=VALUE]...
+
+To assign environment variables (e.g., CC, CFLAGS...), specify them as
+VAR=VALUE. See below for descriptions of some of the useful variables.
+
+Defaults for the options are specified in brackets.
+
+Configuration:
+ -h, --help display this help and exit
+ --help=short display options specific to this package
+ --help=recursive display the short help of all the included packages
+ -V, --version display version information and exit
+ -q, --quiet, --silent do not print \`checking...' messages
+ --cache-file=FILE cache test results in FILE [disabled]
+ -C, --config-cache alias for \`--cache-file=config.cache'
+ -n, --no-create do not create output files
+ --srcdir=DIR find the sources in DIR [configure dir or \`..']
+
+Installation directories:
+ --prefix=PREFIX install architecture-independent files in PREFIX
+ [$ac_default_prefix]
+ --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
+ [PREFIX]
+
+By default, \`make install' will install all the files in
+\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify
+an installation prefix other than \`$ac_default_prefix' using \`--prefix',
+for instance \`--prefix=\$HOME'.
+
+For better control, use the options below.
+
+Fine tuning of the installation directories:
+ --bindir=DIR user executables [EPREFIX/bin]
+ --sbindir=DIR system admin executables [EPREFIX/sbin]
+ --libexecdir=DIR program executables [EPREFIX/libexec]
+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
+ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
+ --libdir=DIR object code libraries [EPREFIX/lib]
+ --includedir=DIR C header files [PREFIX/include]
+ --oldincludedir=DIR C header files for non-gcc [/usr/include]
+ --datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
+ --datadir=DIR read-only architecture-independent data [DATAROOTDIR]
+ --infodir=DIR info documentation [DATAROOTDIR/info]
+ --localedir=DIR locale-dependent data [DATAROOTDIR/locale]
+ --mandir=DIR man documentation [DATAROOTDIR/man]
+ --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE]
+ --htmldir=DIR html documentation [DOCDIR]
+ --dvidir=DIR dvi documentation [DOCDIR]
+ --pdfdir=DIR pdf documentation [DOCDIR]
+ --psdir=DIR ps documentation [DOCDIR]
+_ACEOF
+
+ cat <<\_ACEOF
+
+System types:
+ --build=BUILD configure for building on BUILD [guessed]
+ --host=HOST cross-compile to build programs to run on HOST [BUILD]
+ --target=TARGET configure for building compilers for TARGET [HOST]
+_ACEOF
+fi
+
+if test -n "$ac_init_help"; then
+
+ cat <<\_ACEOF
+
+Optional Features:
+ --disable-option-checking ignore unrecognized --enable/--with options
+ --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
+ --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
+ --disable-optimization turn off gcc optimization
+ --disable-largefile omit support for large files
+
+Optional Packages:
+ --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
+ --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
+ --without-gcc don't use gcc
+
+Some influential environment variables:
+ CC C compiler command
+ CFLAGS C compiler flags
+ LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
+ nonstandard directory <lib dir>
+ LIBS libraries to pass to the linker, e.g. -l<library>
+ CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
+ you have headers in a nonstandard directory <include dir>
+ CPP C preprocessor
+
+Use these variables to override the choices made by `configure' or to help
+it to find libraries and programs with nonstandard names/locations.
+
+_ACEOF
+ac_status=$?
+fi
+
+if test "$ac_init_help" = "recursive"; then
+ # If there are subdirs, report their specific --help.
+ for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
+ test -d "$ac_dir" ||
+ { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
+ continue
+ ac_builddir=.
+
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+ # A ".." for each directory in $ac_dir_suffix.
+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+ case $ac_top_builddir_sub in
+ "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+ esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
+
+case $srcdir in
+ .) # We are building in place.
+ ac_srcdir=.
+ ac_top_srcdir=$ac_top_builddir_sub
+ ac_abs_top_srcdir=$ac_pwd ;;
+ [\\/]* | ?:[\\/]* ) # Absolute name.
+ ac_srcdir=$srcdir$ac_dir_suffix;
+ ac_top_srcdir=$srcdir
+ ac_abs_top_srcdir=$srcdir ;;
+ *) # Relative name.
+ ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+ ac_top_srcdir=$ac_top_build_prefix$srcdir
+ ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+ cd "$ac_dir" || { ac_status=$?; continue; }
+ # Check for guested configure.
+ if test -f "$ac_srcdir/configure.gnu"; then
+ echo &&
+ $SHELL "$ac_srcdir/configure.gnu" --help=recursive
+ elif test -f "$ac_srcdir/configure"; then
+ echo &&
+ $SHELL "$ac_srcdir/configure" --help=recursive
+ else
+ $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+ fi || ac_status=$?
+ cd "$ac_pwd" || { ac_status=$?; break; }
+ done
+fi
+
+test -n "$ac_init_help" && exit $ac_status
+if $ac_init_version; then
+ cat <<\_ACEOF
+configure
+generated by GNU Autoconf 2.62
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+This configure script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it.
+
+Copyright (c) 1995, 1996, 1997, 2006, 2009
+ The Regents of the University of California. All rights reserved.
+_ACEOF
+ exit
+fi
+cat >config.log <<_ACEOF
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+
+It was created by $as_me, which was
+generated by GNU Autoconf 2.62. Invocation command line was
+
+ $ $0 $@
+
+_ACEOF
+exec 5>>config.log
+{
+cat <<_ASUNAME
+## --------- ##
+## Platform. ##
+## --------- ##
+
+hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
+/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown`
+
+/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown`
+/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
+/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown`
+/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown`
+/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown`
+/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown`
+
+_ASUNAME
+
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ $as_echo "PATH: $as_dir"
+done
+IFS=$as_save_IFS
+
+} >&5
+
+cat >&5 <<_ACEOF
+
+
+## ----------- ##
+## Core tests. ##
+## ----------- ##
+
+_ACEOF
+
+
+# Keep a trace of the command line.
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Strip out --silent because we don't want to record it for future runs.
+# Also quote any args containing shell meta-characters.
+# Make two passes to allow for proper duplicate-argument suppression.
+ac_configure_args=
+ac_configure_args0=
+ac_configure_args1=
+ac_must_keep_next=false
+for ac_pass in 1 2
+do
+ for ac_arg
+ do
+ case $ac_arg in
+ -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil)
+ continue ;;
+ *\'*)
+ ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+ esac
+ case $ac_pass in
+ 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
+ 2)
+ ac_configure_args1="$ac_configure_args1 '$ac_arg'"
+ if test $ac_must_keep_next = true; then
+ ac_must_keep_next=false # Got value, back to normal.
+ else
+ case $ac_arg in
+ *=* | --config-cache | -C | -disable-* | --disable-* \
+ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
+ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
+ | -with-* | --with-* | -without-* | --without-* | --x)
+ case "$ac_configure_args0 " in
+ "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
+ esac
+ ;;
+ -* ) ac_must_keep_next=true ;;
+ esac
+ fi
+ ac_configure_args="$ac_configure_args '$ac_arg'"
+ ;;
+ esac
+ done
+done
+$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
+$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
+
+# When interrupted or exit'd, cleanup temporary files, and complete
+# config.log. We remove comments because anyway the quotes in there
+# would cause problems or look ugly.
+# WARNING: Use '\'' to represent an apostrophe within the trap.
+# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
+trap 'exit_status=$?
+ # Save into config.log some information that might help in debugging.
+ {
+ echo
+
+ cat <<\_ASBOX
+## ---------------- ##
+## Cache variables. ##
+## ---------------- ##
+_ASBOX
+ echo
+ # The following way of writing the cache mishandles newlines in values,
+(
+ for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
+ eval ac_val=\$$ac_var
+ case $ac_val in #(
+ *${as_nl}*)
+ case $ac_var in #(
+ *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+$as_echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+ esac
+ case $ac_var in #(
+ _ | IFS | as_nl) ;; #(
+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
+ *) $as_unset $ac_var ;;
+ esac ;;
+ esac
+ done
+ (set) 2>&1 |
+ case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
+ *${as_nl}ac_space=\ *)
+ sed -n \
+ "s/'\''/'\''\\\\'\'''\''/g;
+ s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
+ ;; #(
+ *)
+ sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+ ;;
+ esac |
+ sort
+)
+ echo
+
+ cat <<\_ASBOX
+## ----------------- ##
+## Output variables. ##
+## ----------------- ##
+_ASBOX
+ echo
+ for ac_var in $ac_subst_vars
+ do
+ eval ac_val=\$$ac_var
+ case $ac_val in
+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ esac
+ $as_echo "$ac_var='\''$ac_val'\''"
+ done | sort
+ echo
+
+ if test -n "$ac_subst_files"; then
+ cat <<\_ASBOX
+## ------------------- ##
+## File substitutions. ##
+## ------------------- ##
+_ASBOX
+ echo
+ for ac_var in $ac_subst_files
+ do
+ eval ac_val=\$$ac_var
+ case $ac_val in
+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ esac
+ $as_echo "$ac_var='\''$ac_val'\''"
+ done | sort
+ echo
+ fi
+
+ if test -s confdefs.h; then
+ cat <<\_ASBOX
+## ----------- ##
+## confdefs.h. ##
+## ----------- ##
+_ASBOX
+ echo
+ cat confdefs.h
+ echo
+ fi
+ test "$ac_signal" != 0 &&
+ $as_echo "$as_me: caught signal $ac_signal"
+ $as_echo "$as_me: exit $exit_status"
+ } >&5
+ rm -f core *.core core.conftest.* &&
+ rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
+ exit $exit_status
+' 0
+for ac_signal in 1 2 13 15; do
+ trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
+done
+ac_signal=0
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -f -r conftest* confdefs.h
+
+# Predefined preprocessor variables.
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_NAME "$PACKAGE_NAME"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_VERSION "$PACKAGE_VERSION"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_STRING "$PACKAGE_STRING"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
+_ACEOF
+
+
+# Let the site file select an alternate cache file if it wants to.
+# Prefer an explicitly selected file to automatically selected ones.
+ac_site_file1=NONE
+ac_site_file2=NONE
+if test -n "$CONFIG_SITE"; then
+ ac_site_file1=$CONFIG_SITE
+elif test "x$prefix" != xNONE; then
+ ac_site_file1=$prefix/share/config.site
+ ac_site_file2=$prefix/etc/config.site
+else
+ ac_site_file1=$ac_default_prefix/share/config.site
+ ac_site_file2=$ac_default_prefix/etc/config.site
+fi
+for ac_site_file in "$ac_site_file1" "$ac_site_file2"
+do
+ test "x$ac_site_file" = xNONE && continue
+ if test -r "$ac_site_file"; then
+ { $as_echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+$as_echo "$as_me: loading site script $ac_site_file" >&6;}
+ sed 's/^/| /' "$ac_site_file" >&5
+ . "$ac_site_file"
+ fi
+done
+
+if test -r "$cache_file"; then
+ # Some versions of bash will fail to source /dev/null (special
+ # files actually), so we avoid doing that.
+ if test -f "$cache_file"; then
+ { $as_echo "$as_me:$LINENO: loading cache $cache_file" >&5
+$as_echo "$as_me: loading cache $cache_file" >&6;}
+ case $cache_file in
+ [\\/]* | ?:[\\/]* ) . "$cache_file";;
+ *) . "./$cache_file";;
+ esac
+ fi
+else
+ { $as_echo "$as_me:$LINENO: creating cache $cache_file" >&5
+$as_echo "$as_me: creating cache $cache_file" >&6;}
+ >$cache_file
+fi
+
+# Check that the precious variables saved in the cache have kept the same
+# value.
+ac_cache_corrupted=false
+for ac_var in $ac_precious_vars; do
+ eval ac_old_set=\$ac_cv_env_${ac_var}_set
+ eval ac_new_set=\$ac_env_${ac_var}_set
+ eval ac_old_val=\$ac_cv_env_${ac_var}_value
+ eval ac_new_val=\$ac_env_${ac_var}_value
+ case $ac_old_set,$ac_new_set in
+ set,)
+ { $as_echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+ ac_cache_corrupted=: ;;
+ ,set)
+ { $as_echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+ ac_cache_corrupted=: ;;
+ ,);;
+ *)
+ if test "x$ac_old_val" != "x$ac_new_val"; then
+ # differences in whitespace do not lead to failure.
+ ac_old_val_w=`echo x $ac_old_val`
+ ac_new_val_w=`echo x $ac_new_val`
+ if test "$ac_old_val_w" != "$ac_new_val_w"; then
+ { $as_echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+ ac_cache_corrupted=:
+ else
+ { $as_echo "$as_me:$LINENO: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
+$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
+ eval $ac_var=\$ac_old_val
+ fi
+ { $as_echo "$as_me:$LINENO: former value: \`$ac_old_val'" >&5
+$as_echo "$as_me: former value: \`$ac_old_val'" >&2;}
+ { $as_echo "$as_me:$LINENO: current value: \`$ac_new_val'" >&5
+$as_echo "$as_me: current value: \`$ac_new_val'" >&2;}
+ fi;;
+ esac
+ # Pass precious variables to config.status.
+ if test "$ac_new_set" = set; then
+ case $ac_new_val in
+ *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+ *) ac_arg=$ac_var=$ac_new_val ;;
+ esac
+ case " $ac_configure_args " in
+ *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy.
+ *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
+ esac
+ fi
+done
+if $ac_cache_corrupted; then
+ { $as_echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+ { { $as_echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
+$as_echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+
+ac_aux_dir=
+for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
+ if test -f "$ac_dir/install-sh"; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/install-sh -c"
+ break
+ elif test -f "$ac_dir/install.sh"; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/install.sh -c"
+ break
+ elif test -f "$ac_dir/shtool"; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/shtool install -c"
+ break
+ fi
+done
+if test -z "$ac_aux_dir"; then
+ { { $as_echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5
+$as_echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+# These three variables are undocumented and unsupported,
+# and are intended to be withdrawn in a future Autoconf release.
+# They can cause serious problems if a builder's source tree is in a directory
+# whose full name contains unusual characters.
+ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var.
+ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var.
+ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
+
+
+# Make sure we can run config.sub.
+$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
+ { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
+$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
+ { (exit 1); exit 1; }; }
+
+{ $as_echo "$as_me:$LINENO: checking build system type" >&5
+$as_echo_n "checking build system type... " >&6; }
+if test "${ac_cv_build+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_build_alias=$build_alias
+test "x$ac_build_alias" = x &&
+ ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
+test "x$ac_build_alias" = x &&
+ { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
+$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
+ { (exit 1); exit 1; }; }
+ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
+ { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
+$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
+ { (exit 1); exit 1; }; }
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+$as_echo "$ac_cv_build" >&6; }
+case $ac_cv_build in
+*-*-*) ;;
+*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
+$as_echo "$as_me: error: invalid value of canonical build" >&2;}
+ { (exit 1); exit 1; }; };;
+esac
+build=$ac_cv_build
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_build
+shift
+build_cpu=$1
+build_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+build_os=$*
+IFS=$ac_save_IFS
+case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
+
+
+{ $as_echo "$as_me:$LINENO: checking host system type" >&5
+$as_echo_n "checking host system type... " >&6; }
+if test "${ac_cv_host+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test "x$host_alias" = x; then
+ ac_cv_host=$ac_cv_build
+else
+ ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
+ { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
+$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+$as_echo "$ac_cv_host" >&6; }
+case $ac_cv_host in
+*-*-*) ;;
+*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
+$as_echo "$as_me: error: invalid value of canonical host" >&2;}
+ { (exit 1); exit 1; }; };;
+esac
+host=$ac_cv_host
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_host
+shift
+host_cpu=$1
+host_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+host_os=$*
+IFS=$ac_save_IFS
+case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
+
+
+{ $as_echo "$as_me:$LINENO: checking target system type" >&5
+$as_echo_n "checking target system type... " >&6; }
+if test "${ac_cv_target+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test "x$target_alias" = x; then
+ ac_cv_target=$ac_cv_host
+else
+ ac_cv_target=`$SHELL "$ac_aux_dir/config.sub" $target_alias` ||
+ { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $target_alias failed" >&5
+$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $target_alias failed" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_target" >&5
+$as_echo "$ac_cv_target" >&6; }
+case $ac_cv_target in
+*-*-*) ;;
+*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical target" >&5
+$as_echo "$as_me: error: invalid value of canonical target" >&2;}
+ { (exit 1); exit 1; }; };;
+esac
+target=$ac_cv_target
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_target
+shift
+target_cpu=$1
+target_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+target_os=$*
+IFS=$ac_save_IFS
+case $target_os in *\ *) target_os=`echo "$target_os" | sed 's/ /-/g'`;; esac
+
+
+# The aliases save the names the user supplied, while $host etc.
+# will get canonicalized.
+test -n "$target_alias" &&
+ test "$program_prefix$program_suffix$program_transform_name" = \
+ NONENONEs,x,x, &&
+ program_prefix=${target_alias}-
+
+umask 002
+
+if test -z "$PWD" ; then
+ PWD=`pwd`
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="${ac_tool_prefix}gcc"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+ ac_ct_CC=$CC
+ # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CC="gcc"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
+else
+ CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="${ac_tool_prefix}cc"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ fi
+fi
+if test -z "$CC"; then
+ # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+ ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+ ac_prog_rejected=yes
+ continue
+ fi
+ ac_cv_prog_CC="cc"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+if test $ac_prog_rejected = yes; then
+ # We found a bogon in the path, so make sure we never use it.
+ set dummy $ac_cv_prog_CC
+ shift
+ if test $# != 0; then
+ # We chose a different compiler from the bogus one.
+ # However, it has the same basename, so the bogon will be chosen
+ # first if we set CC to just the basename; use the full file name.
+ shift
+ ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+ fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ for ac_prog in cl.exe
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$CC" && break
+ done
+fi
+if test -z "$CC"; then
+ ac_ct_CC=$CC
+ for ac_prog in cl.exe
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CC="$ac_prog"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$ac_ct_CC" && break
+done
+
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
+fi
+
+fi
+
+
+test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+
+# Provide some information about the compiler.
+$as_echo "$as_me:$LINENO: checking for C compiler version" >&5
+set X $ac_compile
+ac_compiler=$2
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compiler --version >&5") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compiler -v >&5") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compiler -V >&5") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
+# Try to create an executable without -o first, disregard a.out.
+# It will help us diagnose broken compilers, and finding out an intuition
+# of exeext.
+{ $as_echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+$as_echo_n "checking for C compiler default output file name... " >&6; }
+ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+
+# The possible output files:
+ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
+
+ac_rmfiles=
+for ac_file in $ac_files
+do
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+ * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+ esac
+done
+rm -f $ac_rmfiles
+
+if { (ac_try="$ac_link_default"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_link_default") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+# in a Makefile. We should not override ac_cv_exeext if it was cached,
+# so that the user can short-circuit this test for compilers unknown to
+# Autoconf.
+for ac_file in $ac_files ''
+do
+ test -f "$ac_file" || continue
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
+ ;;
+ [ab].out )
+ # We found the default executable, but exeext='' is most
+ # certainly right.
+ break;;
+ *.* )
+ if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+ then :; else
+ ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ fi
+ # We set ac_cv_exeext here because the later test for it is not
+ # safe: cross compilers may not add the suffix if given an `-o'
+ # argument, so we may need to know it at that point already.
+ # Even if this section looks crufty: it has the advantage of
+ # actually working.
+ break;;
+ * )
+ break;;
+ esac
+done
+test "$ac_cv_exeext" = no && ac_cv_exeext=
+
+else
+ ac_file=''
+fi
+
+{ $as_echo "$as_me:$LINENO: result: $ac_file" >&5
+$as_echo "$ac_file" >&6; }
+if test -z "$ac_file"; then
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { $as_echo "$as_me:$LINENO: error: C compiler cannot create executables
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: C compiler cannot create executables
+See \`config.log' for more details." >&2;}
+ { (exit 77); exit 77; }; }
+fi
+
+ac_exeext=$ac_cv_exeext
+
+# Check that the compiler produces executables we can run. If not, either
+# the compiler is broken, or we cross compile.
+{ $as_echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+$as_echo_n "checking whether the C compiler works... " >&6; }
+# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
+# If not cross compiling, check that we can run a simple program.
+if test "$cross_compiling" != yes; then
+ if { ac_try='./$ac_file'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ cross_compiling=no
+ else
+ if test "$cross_compiling" = maybe; then
+ cross_compiling=yes
+ else
+ { { $as_echo "$as_me:$LINENO: error: cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+ fi
+fi
+{ $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
+
+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
+ac_clean_files=$ac_clean_files_save
+# Check that the compiler produces executables we can run. If not, either
+# the compiler is broken, or we cross compile.
+{ $as_echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+$as_echo_n "checking whether we are cross compiling... " >&6; }
+{ $as_echo "$as_me:$LINENO: result: $cross_compiling" >&5
+$as_echo "$cross_compiling" >&6; }
+
+{ $as_echo "$as_me:$LINENO: checking for suffix of executables" >&5
+$as_echo_n "checking for suffix of executables... " >&6; }
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_link") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ # If both `conftest.exe' and `conftest' are `present' (well, observable)
+# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
+# work properly (i.e., refer to `conftest.exe'), while it won't with
+# `rm'.
+for ac_file in conftest.exe conftest conftest.*; do
+ test -f "$ac_file" || continue
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+ *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ break;;
+ * ) break;;
+ esac
+done
+else
+ { { $as_echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+rm -f conftest$ac_cv_exeext
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+$as_echo "$ac_cv_exeext" >&6; }
+
+rm -f conftest.$ac_ext
+EXEEXT=$ac_cv_exeext
+ac_exeext=$EXEEXT
+{ $as_echo "$as_me:$LINENO: checking for suffix of object files" >&5
+$as_echo_n "checking for suffix of object files... " >&6; }
+if test "${ac_cv_objext+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.o conftest.obj
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ for ac_file in conftest.o conftest.obj conftest.*; do
+ test -f "$ac_file" || continue;
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
+ *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+ break;;
+ esac
+done
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+rm -f conftest.$ac_cv_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+$as_echo "$ac_cv_objext" >&6; }
+OBJEXT=$ac_cv_objext
+ac_objext=$OBJEXT
+{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
+if test "${ac_cv_c_compiler_gnu+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+#ifndef __GNUC__
+ choke me
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_compiler_gnu=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_compiler_gnu=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+$as_echo "$ac_cv_c_compiler_gnu" >&6; }
+if test $ac_compiler_gnu = yes; then
+ GCC=yes
+else
+ GCC=
+fi
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+$as_echo_n "checking whether $CC accepts -g... " >&6; }
+if test "${ac_cv_prog_cc_g+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_save_c_werror_flag=$ac_c_werror_flag
+ ac_c_werror_flag=yes
+ ac_cv_prog_cc_g=no
+ CFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_g=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ CFLAGS=""
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ :
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_c_werror_flag=$ac_save_c_werror_flag
+ CFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_g=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_c_werror_flag=$ac_save_c_werror_flag
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+$as_echo "$ac_cv_prog_cc_g" >&6; }
+if test "$ac_test_CFLAGS" = set; then
+ CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+ if test "$GCC" = yes; then
+ CFLAGS="-g -O2"
+ else
+ CFLAGS="-g"
+ fi
+else
+ if test "$GCC" = yes; then
+ CFLAGS="-O2"
+ else
+ CFLAGS=
+ fi
+fi
+{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
+if test "${ac_cv_prog_cc_c89+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_cv_prog_cc_c89=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+ char **p;
+ int i;
+{
+ return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+ char *s;
+ va_list v;
+ va_start (v,p);
+ s = g (p, va_arg (v,int));
+ va_end (v);
+ return s;
+}
+
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has
+ function prototypes and stuff, but not '\xHH' hex character constants.
+ These don't provoke an error unfortunately, instead are silently treated
+ as 'x'. The following induces an error, until -std is added to get
+ proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an
+ array size at least. It's necessary to write '\x00'==0 to get something
+ that's true only with -std. */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+ inside strings and character constants. */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1];
+ ;
+ return 0;
+}
+_ACEOF
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+ CC="$ac_save_CC $ac_arg"
+ rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_c89=$ac_arg
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext
+ test "x$ac_cv_prog_cc_c89" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+ x)
+ { $as_echo "$as_me:$LINENO: result: none needed" >&5
+$as_echo "none needed" >&6; } ;;
+ xno)
+ { $as_echo "$as_me:$LINENO: result: unsupported" >&5
+$as_echo "unsupported" >&6; } ;;
+ *)
+ CC="$CC $ac_cv_prog_cc_c89"
+ { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+esac
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+{ $as_echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+$as_echo_n "checking how to run the C preprocessor... " >&6; }
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+ CPP=
+fi
+if test -z "$CPP"; then
+ if test "${ac_cv_prog_CPP+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ # Double quotes because CPP needs to be expanded
+ for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
+ do
+ ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ :
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Broken: fails on valid input.
+continue
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether nonexistent headers
+ # can be detected and how.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ # Broken: success on invalid input.
+continue
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+ break
+fi
+
+ done
+ ac_cv_prog_CPP=$CPP
+
+fi
+ CPP=$ac_cv_prog_CPP
+else
+ ac_cv_prog_CPP=$CPP
+fi
+{ $as_echo "$as_me:$LINENO: result: $CPP" >&5
+$as_echo "$CPP" >&6; }
+ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ :
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Broken: fails on valid input.
+continue
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether nonexistent headers
+ # can be detected and how.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ # Broken: success on invalid input.
+continue
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+ :
+else
+ { { $as_echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+{ $as_echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
+$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
+if test "${ac_cv_path_GREP+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -z "$GREP"; then
+ ac_path_GREP_found=false
+ # Loop through the user's path and test for each of PROGNAME-LIST
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_prog in grep ggrep; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
+ { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+# Check for GNU ac_path_GREP and select it if it is found.
+ # Check for GNU $ac_path_GREP
+case `"$ac_path_GREP" --version 2>&1` in
+*GNU*)
+ ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
+*)
+ ac_count=0
+ $as_echo_n 0123456789 >"conftest.in"
+ while :
+ do
+ cat "conftest.in" "conftest.in" >"conftest.tmp"
+ mv "conftest.tmp" "conftest.in"
+ cp "conftest.in" "conftest.nl"
+ $as_echo 'GREP' >> "conftest.nl"
+ "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+ ac_count=`expr $ac_count + 1`
+ if test $ac_count -gt ${ac_path_GREP_max-0}; then
+ # Best one so far, save it but keep looking for a better one
+ ac_cv_path_GREP="$ac_path_GREP"
+ ac_path_GREP_max=$ac_count
+ fi
+ # 10*(2^10) chars as input seems more than enough
+ test $ac_count -gt 10 && break
+ done
+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+ $ac_path_GREP_found && break 3
+ done
+ done
+done
+IFS=$as_save_IFS
+ if test -z "$ac_cv_path_GREP"; then
+ { { $as_echo "$as_me:$LINENO: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+$as_echo "$as_me: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+else
+ ac_cv_path_GREP=$GREP
+fi
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
+$as_echo "$ac_cv_path_GREP" >&6; }
+ GREP="$ac_cv_path_GREP"
+
+
+{ $as_echo "$as_me:$LINENO: checking for egrep" >&5
+$as_echo_n "checking for egrep... " >&6; }
+if test "${ac_cv_path_EGREP+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
+ then ac_cv_path_EGREP="$GREP -E"
+ else
+ if test -z "$EGREP"; then
+ ac_path_EGREP_found=false
+ # Loop through the user's path and test for each of PROGNAME-LIST
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_prog in egrep; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+ { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+# Check for GNU ac_path_EGREP and select it if it is found.
+ # Check for GNU $ac_path_EGREP
+case `"$ac_path_EGREP" --version 2>&1` in
+*GNU*)
+ ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
+*)
+ ac_count=0
+ $as_echo_n 0123456789 >"conftest.in"
+ while :
+ do
+ cat "conftest.in" "conftest.in" >"conftest.tmp"
+ mv "conftest.tmp" "conftest.in"
+ cp "conftest.in" "conftest.nl"
+ $as_echo 'EGREP' >> "conftest.nl"
+ "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+ ac_count=`expr $ac_count + 1`
+ if test $ac_count -gt ${ac_path_EGREP_max-0}; then
+ # Best one so far, save it but keep looking for a better one
+ ac_cv_path_EGREP="$ac_path_EGREP"
+ ac_path_EGREP_max=$ac_count
+ fi
+ # 10*(2^10) chars as input seems more than enough
+ test $ac_count -gt 10 && break
+ done
+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+ $ac_path_EGREP_found && break 3
+ done
+ done
+done
+IFS=$as_save_IFS
+ if test -z "$ac_cv_path_EGREP"; then
+ { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+else
+ ac_cv_path_EGREP=$EGREP
+fi
+
+ fi
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+$as_echo "$ac_cv_path_EGREP" >&6; }
+ EGREP="$ac_cv_path_EGREP"
+
+
+{ $as_echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+$as_echo_n "checking for ANSI C header files... " >&6; }
+if test "${ac_cv_header_stdc+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_header_stdc=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_header_stdc=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+if test $ac_cv_header_stdc = yes; then
+ # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+ $EGREP "memchr" >/dev/null 2>&1; then
+ :
+else
+ ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+ # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+ $EGREP "free" >/dev/null 2>&1; then
+ :
+else
+ ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+ # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+ if test "$cross_compiling" = yes; then
+ :
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ctype.h>
+#include <stdlib.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) \
+ (('a' <= (c) && (c) <= 'i') \
+ || ('j' <= (c) && (c) <= 'r') \
+ || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
+
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+ int i;
+ for (i = 0; i < 256; i++)
+ if (XOR (islower (i), ISLOWER (i))
+ || toupper (i) != TOUPPER (i))
+ return 2;
+ return 0;
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_link") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ :
+else
+ $as_echo "$as_me: program exited with status $ac_status" >&5
+$as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+ac_cv_header_stdc=no
+fi
+rm -rf conftest.dSYM
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+fi
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+$as_echo "$ac_cv_header_stdc" >&6; }
+if test $ac_cv_header_stdc = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define STDC_HEADERS 1
+_ACEOF
+
+fi
+
+# On IRIX 5.3, sys/types and inttypes.h are conflicting.
+
+
+
+
+
+
+
+
+
+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
+ inttypes.h stdint.h unistd.h
+do
+as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ eval "$as_ac_Header=yes"
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+ $as_echo "$as_val"'`
+ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if test `eval 'as_val=${'$as_ac_Header'}
+ $as_echo "$as_val"'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+ # Check whether --enable-optimization was given.
+if test "${enable_optimization+set}" = set; then
+ enableval=$enable_optimization; ac_cv_without_optimization=${withval}
+fi
+
+
+
+
+
+# Check whether --with-gcc was given.
+if test "${with_gcc+set}" = set; then
+ withval=$with_gcc;
+fi
+
+
+ if test "${ac_cv_header_minix_config_h+set}" = set; then
+ { $as_echo "$as_me:$LINENO: checking for minix/config.h" >&5
+$as_echo_n "checking for minix/config.h... " >&6; }
+if test "${ac_cv_header_minix_config_h+set}" = set; then
+ $as_echo_n "(cached) " >&6
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_minix_config_h" >&5
+$as_echo "$ac_cv_header_minix_config_h" >&6; }
+else
+ # Is the header compilable?
+{ $as_echo "$as_me:$LINENO: checking minix/config.h usability" >&5
+$as_echo_n "checking minix/config.h usability... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <minix/config.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_header_compiler=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ $as_echo "$as_me:$LINENO: checking minix/config.h presence" >&5
+$as_echo_n "checking minix/config.h presence... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <minix/config.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ ac_header_preproc=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { $as_echo "$as_me:$LINENO: WARNING: minix/config.h: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: minix/config.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: minix/config.h: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: minix/config.h: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { $as_echo "$as_me:$LINENO: WARNING: minix/config.h: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: minix/config.h: present but cannot be compiled" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: minix/config.h: check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: minix/config.h: check for missing prerequisite headers?" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: minix/config.h: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: minix/config.h: see the Autoconf documentation" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: minix/config.h: section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: minix/config.h: section \"Present But Cannot Be Compiled\"" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: minix/config.h: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: minix/config.h: proceeding with the preprocessor's result" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: minix/config.h: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: minix/config.h: in the future, the compiler will take precedence" >&2;}
+
+ ;;
+esac
+{ $as_echo "$as_me:$LINENO: checking for minix/config.h" >&5
+$as_echo_n "checking for minix/config.h... " >&6; }
+if test "${ac_cv_header_minix_config_h+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_cv_header_minix_config_h=$ac_header_preproc
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_minix_config_h" >&5
+$as_echo "$ac_cv_header_minix_config_h" >&6; }
+
+fi
+if test $ac_cv_header_minix_config_h = yes; then
+ MINIX=yes
+else
+ MINIX=
+fi
+
+
+ if test "$MINIX" = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define _POSIX_SOURCE 1
+_ACEOF
+
+
+cat >>confdefs.h <<\_ACEOF
+#define _POSIX_1_SOURCE 2
+_ACEOF
+
+
+cat >>confdefs.h <<\_ACEOF
+#define _MINIX 1
+_ACEOF
+
+ fi
+
+
+
+ { $as_echo "$as_me:$LINENO: checking whether it is safe to define __EXTENSIONS__" >&5
+$as_echo_n "checking whether it is safe to define __EXTENSIONS__... " >&6; }
+if test "${ac_cv_safe_to_define___extensions__+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+# define __EXTENSIONS__ 1
+ $ac_includes_default
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_safe_to_define___extensions__=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_safe_to_define___extensions__=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_safe_to_define___extensions__" >&5
+$as_echo "$ac_cv_safe_to_define___extensions__" >&6; }
+ test $ac_cv_safe_to_define___extensions__ = yes &&
+ cat >>confdefs.h <<\_ACEOF
+#define __EXTENSIONS__ 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define _ALL_SOURCE 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define _GNU_SOURCE 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define _POSIX_PTHREAD_SEMANTICS 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define _TANDEM_SOURCE 1
+_ACEOF
+
+
+ V_CCOPT=""
+ if test "${ac_cv_without_optimization+set}" != set; then
+ V_CCOPT="-O"
+ fi
+ V_INCLS=""
+ if test "${srcdir}" != "." ; then
+ V_INCLS="-I\$\(srcdir\)"
+ fi
+ if test -z "$CC" ; then
+ case "$target_os" in
+
+ bsdi*)
+ # Extract the first word of "shlicc2", so it can be a program name with args.
+set dummy shlicc2; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_SHLICC2+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$SHLICC2"; then
+ ac_cv_prog_SHLICC2="$SHLICC2" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_SHLICC2="yes"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+ test -z "$ac_cv_prog_SHLICC2" && ac_cv_prog_SHLICC2="no"
+fi
+fi
+SHLICC2=$ac_cv_prog_SHLICC2
+if test -n "$SHLICC2"; then
+ { $as_echo "$as_me:$LINENO: result: $SHLICC2" >&5
+$as_echo "$SHLICC2" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ if test $SHLICC2 = yes ; then
+ CC=shlicc2
+ export CC
+ fi
+ ;;
+ esac
+ fi
+ if test -z "$CC" -a "$with_gcc" = no ; then
+ CC=cc
+ export CC
+ fi
+ ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="${ac_tool_prefix}gcc"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+ ac_ct_CC=$CC
+ # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CC="gcc"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
+else
+ CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="${ac_tool_prefix}cc"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ fi
+fi
+if test -z "$CC"; then
+ # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+ ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+ ac_prog_rejected=yes
+ continue
+ fi
+ ac_cv_prog_CC="cc"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+if test $ac_prog_rejected = yes; then
+ # We found a bogon in the path, so make sure we never use it.
+ set dummy $ac_cv_prog_CC
+ shift
+ if test $# != 0; then
+ # We chose a different compiler from the bogus one.
+ # However, it has the same basename, so the bogon will be chosen
+ # first if we set CC to just the basename; use the full file name.
+ shift
+ ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+ fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ for ac_prog in cl.exe
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$CC" && break
+ done
+fi
+if test -z "$CC"; then
+ ac_ct_CC=$CC
+ for ac_prog in cl.exe
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CC="$ac_prog"
+ $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+ { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$ac_ct_CC" && break
+done
+
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
+fi
+
+fi
+
+
+test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+
+# Provide some information about the compiler.
+$as_echo "$as_me:$LINENO: checking for C compiler version" >&5
+set X $ac_compile
+ac_compiler=$2
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compiler --version >&5") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compiler -v >&5") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compiler -V >&5") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+
+{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
+if test "${ac_cv_c_compiler_gnu+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+#ifndef __GNUC__
+ choke me
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_compiler_gnu=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_compiler_gnu=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+$as_echo "$ac_cv_c_compiler_gnu" >&6; }
+if test $ac_compiler_gnu = yes; then
+ GCC=yes
+else
+ GCC=
+fi
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+$as_echo_n "checking whether $CC accepts -g... " >&6; }
+if test "${ac_cv_prog_cc_g+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_save_c_werror_flag=$ac_c_werror_flag
+ ac_c_werror_flag=yes
+ ac_cv_prog_cc_g=no
+ CFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_g=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ CFLAGS=""
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ :
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_c_werror_flag=$ac_save_c_werror_flag
+ CFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_g=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_c_werror_flag=$ac_save_c_werror_flag
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+$as_echo "$ac_cv_prog_cc_g" >&6; }
+if test "$ac_test_CFLAGS" = set; then
+ CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+ if test "$GCC" = yes; then
+ CFLAGS="-g -O2"
+ else
+ CFLAGS="-g"
+ fi
+else
+ if test "$GCC" = yes; then
+ CFLAGS="-O2"
+ else
+ CFLAGS=
+ fi
+fi
+{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
+if test "${ac_cv_prog_cc_c89+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_cv_prog_cc_c89=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+ char **p;
+ int i;
+{
+ return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+ char *s;
+ va_list v;
+ va_start (v,p);
+ s = g (p, va_arg (v,int));
+ va_end (v);
+ return s;
+}
+
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has
+ function prototypes and stuff, but not '\xHH' hex character constants.
+ These don't provoke an error unfortunately, instead are silently treated
+ as 'x'. The following induces an error, until -std is added to get
+ proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an
+ array size at least. It's necessary to write '\x00'==0 to get something
+ that's true only with -std. */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+ inside strings and character constants. */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1];
+ ;
+ return 0;
+}
+_ACEOF
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+ CC="$ac_save_CC $ac_arg"
+ rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_c89=$ac_arg
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext
+ test "x$ac_cv_prog_cc_c89" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+ x)
+ { $as_echo "$as_me:$LINENO: result: none needed" >&5
+$as_echo "none needed" >&6; } ;;
+ xno)
+ { $as_echo "$as_me:$LINENO: result: unsupported" >&5
+$as_echo "unsupported" >&6; } ;;
+ *)
+ CC="$CC $ac_cv_prog_cc_c89"
+ { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+esac
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+ # Check whether --enable-largefile was given.
+if test "${enable_largefile+set}" = set; then
+ enableval=$enable_largefile;
+fi
+
+if test "$enable_largefile" != no; then
+
+ { $as_echo "$as_me:$LINENO: checking for special C compiler options needed for large files" >&5
+$as_echo_n "checking for special C compiler options needed for large files... " >&6; }
+if test "${ac_cv_sys_largefile_CC+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_cv_sys_largefile_CC=no
+ if test "$GCC" != yes; then
+ ac_save_CC=$CC
+ while :; do
+ # IRIX 6.2 and later do not support large files by default,
+ # so use the C compiler's -n32 option if that helps.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+ rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ break
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext
+ CC="$CC -n32"
+ rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_sys_largefile_CC=' -n32'; break
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext
+ break
+ done
+ CC=$ac_save_CC
+ rm -f conftest.$ac_ext
+ fi
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_sys_largefile_CC" >&5
+$as_echo "$ac_cv_sys_largefile_CC" >&6; }
+ if test "$ac_cv_sys_largefile_CC" != no; then
+ CC=$CC$ac_cv_sys_largefile_CC
+ fi
+
+ { $as_echo "$as_me:$LINENO: checking for _FILE_OFFSET_BITS value needed for large files" >&5
+$as_echo_n "checking for _FILE_OFFSET_BITS value needed for large files... " >&6; }
+if test "${ac_cv_sys_file_offset_bits+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ while :; do
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_sys_file_offset_bits=no; break
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#define _FILE_OFFSET_BITS 64
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_sys_file_offset_bits=64; break
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_cv_sys_file_offset_bits=unknown
+ break
+done
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_sys_file_offset_bits" >&5
+$as_echo "$ac_cv_sys_file_offset_bits" >&6; }
+case $ac_cv_sys_file_offset_bits in #(
+ no | unknown) ;;
+ *)
+cat >>confdefs.h <<_ACEOF
+#define _FILE_OFFSET_BITS $ac_cv_sys_file_offset_bits
+_ACEOF
+;;
+esac
+rm -rf conftest*
+ if test $ac_cv_sys_file_offset_bits = unknown; then
+ { $as_echo "$as_me:$LINENO: checking for _LARGE_FILES value needed for large files" >&5
+$as_echo_n "checking for _LARGE_FILES value needed for large files... " >&6; }
+if test "${ac_cv_sys_large_files+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ while :; do
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_sys_large_files=no; break
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#define _LARGE_FILES 1
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_sys_large_files=1; break
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_cv_sys_large_files=unknown
+ break
+done
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_sys_large_files" >&5
+$as_echo "$ac_cv_sys_large_files" >&6; }
+case $ac_cv_sys_large_files in #(
+ no | unknown) ;;
+ *)
+cat >>confdefs.h <<_ACEOF
+#define _LARGE_FILES $ac_cv_sys_large_files
+_ACEOF
+;;
+esac
+rm -rf conftest*
+ fi
+fi
+
+ if test "$GCC" != yes ; then
+ { $as_echo "$as_me:$LINENO: checking that $CC handles ansi prototypes" >&5
+$as_echo_n "checking that $CC handles ansi prototypes... " >&6; }
+ if test "${ac_cv_lbl_cc_ansi_prototypes+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+int
+main ()
+{
+int frob(int, char *)
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_lbl_cc_ansi_prototypes=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lbl_cc_ansi_prototypes=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+ { $as_echo "$as_me:$LINENO: result: $ac_cv_lbl_cc_ansi_prototypes" >&5
+$as_echo "$ac_cv_lbl_cc_ansi_prototypes" >&6; }
+ if test $ac_cv_lbl_cc_ansi_prototypes = no ; then
+ case "$target_os" in
+
+ hpux*)
+ { $as_echo "$as_me:$LINENO: checking for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE)" >&5
+$as_echo_n "checking for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE)... " >&6; }
+ savedcflags="$CFLAGS"
+ CFLAGS="-Aa -D_HPUX_SOURCE $CFLAGS"
+ if test "${ac_cv_lbl_cc_hpux_cc_aa+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+int
+main ()
+{
+int frob(int, char *)
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_lbl_cc_hpux_cc_aa=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lbl_cc_hpux_cc_aa=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+ { $as_echo "$as_me:$LINENO: result: $ac_cv_lbl_cc_hpux_cc_aa" >&5
+$as_echo "$ac_cv_lbl_cc_hpux_cc_aa" >&6; }
+ if test $ac_cv_lbl_cc_hpux_cc_aa = no ; then
+ { { $as_echo "$as_me:$LINENO: error: see the INSTALL doc for more info" >&5
+$as_echo "$as_me: error: see the INSTALL doc for more info" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+ CFLAGS="$savedcflags"
+ V_CCOPT="-Aa $V_CCOPT"
+
+cat >>confdefs.h <<\_ACEOF
+#define _HPUX_SOURCE /**/
+_ACEOF
+
+ ;;
+
+ *)
+ { { $as_echo "$as_me:$LINENO: error: see the INSTALL doc for more info" >&5
+$as_echo "$as_me: error: see the INSTALL doc for more info" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+ esac
+ fi
+ V_INCLS="$V_INCLS -I/usr/local/include"
+ LDFLAGS="$LDFLAGS -L/usr/local/lib"
+
+ case "$target_os" in
+
+ irix*)
+ V_CCOPT="$V_CCOPT -xansi -signed -g3"
+ ;;
+
+ osf*)
+ V_CCOPT="$V_CCOPT -std1 -g3"
+ ;;
+
+ ultrix*)
+ { $as_echo "$as_me:$LINENO: checking that Ultrix $CC hacks const in prototypes" >&5
+$as_echo_n "checking that Ultrix $CC hacks const in prototypes... " >&6; }
+ if test "${ac_cv_lbl_cc_const_proto+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+int
+main ()
+{
+struct a { int b; };
+ void c(const struct a *)
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_lbl_cc_const_proto=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lbl_cc_const_proto=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+ { $as_echo "$as_me:$LINENO: result: $ac_cv_lbl_cc_const_proto" >&5
+$as_echo "$ac_cv_lbl_cc_const_proto" >&6; }
+ if test $ac_cv_lbl_cc_const_proto = no ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define const /**/
+_ACEOF
+
+ fi
+ ;;
+ esac
+ fi
+
+# Find a good install program. We prefer a C program (faster),
+# so one script is as good as another. But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AmigaOS /C/install, which installs bootblocks on floppy discs
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# OS/2's system install, which has a completely different semantic
+# ./install, which can be erroneously created by make from ./install.sh.
+# Reject install programs that cannot install multiple files.
+{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+$as_echo_n "checking for a BSD-compatible install... " >&6; }
+if test -z "$INSTALL"; then
+if test "${ac_cv_path_install+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ # Account for people who put trailing slashes in PATH elements.
+case $as_dir/ in
+ ./ | .// | /cC/* | \
+ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
+ ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
+ /usr/ucb/* ) ;;
+ *)
+ # OSF1 and SCO ODT 3.0 have their own names for install.
+ # Don't use installbsd from OSF since it installs stuff as root
+ # by default.
+ for ac_prog in ginstall scoinst install; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
+ if test $ac_prog = install &&
+ grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+ # AIX install. It has an incompatible calling convention.
+ :
+ elif test $ac_prog = install &&
+ grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+ # program-specific install script used by HP pwplus--don't use.
+ :
+ else
+ rm -rf conftest.one conftest.two conftest.dir
+ echo one > conftest.one
+ echo two > conftest.two
+ mkdir conftest.dir
+ if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" &&
+ test -s conftest.one && test -s conftest.two &&
+ test -s conftest.dir/conftest.one &&
+ test -s conftest.dir/conftest.two
+ then
+ ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+ break 3
+ fi
+ fi
+ fi
+ done
+ done
+ ;;
+esac
+
+done
+IFS=$as_save_IFS
+
+rm -rf conftest.one conftest.two conftest.dir
+
+fi
+ if test "${ac_cv_path_install+set}" = set; then
+ INSTALL=$ac_cv_path_install
+ else
+ # As a last resort, use the slow shell script. Don't cache a
+ # value for INSTALL within a source directory, because that will
+ # break other packages using the cache if that directory is
+ # removed, or if the value is a relative name.
+ INSTALL=$ac_install_sh
+ fi
+fi
+{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5
+$as_echo "$INSTALL" >&6; }
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+
+
+
+for ac_header in fcntl.h memory.h
+do
+as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ $as_echo_n "(cached) " >&6
+fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+ $as_echo "$as_val"'`
+ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+else
+ # Is the header compilable?
+{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
+$as_echo_n "checking $ac_header usability... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_header_compiler=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
+$as_echo_n "checking $ac_header presence... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ ac_header_preproc=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+
+ ;;
+esac
+{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ $as_echo_n "(cached) " >&6
+else
+ eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+ $as_echo "$as_val"'`
+ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+
+fi
+if test `eval 'as_val=${'$as_ac_Header'}
+ $as_echo "$as_val"'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_func in strerror
+do
+as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+$as_echo_n "checking for $ac_func... " >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char $ac_func (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext && {
+ test "$cross_compiling" = yes ||
+ $as_test_x conftest$ac_exeext
+ }; then
+ eval "$as_ac_var=yes"
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ eval "$as_ac_var=no"
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval 'as_val=${'$as_ac_var'}
+ $as_echo "$as_val"'`
+ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if test `eval 'as_val=${'$as_ac_var'}
+ $as_echo "$as_val"'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+else
+ case " $LIBOBJS " in
+ *" $ac_func.$ac_objext "* ) ;;
+ *) LIBOBJS="$LIBOBJS $ac_func.$ac_objext"
+ ;;
+esac
+
+fi
+done
+
+
+
+{ $as_echo "$as_me:$LINENO: checking for main in -lnsl" >&5
+$as_echo_n "checking for main in -lnsl... " >&6; }
+if test "${ac_cv_lib_nsl_main+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lnsl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+
+int
+main ()
+{
+return main ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext && {
+ test "$cross_compiling" = yes ||
+ $as_test_x conftest$ac_exeext
+ }; then
+ ac_cv_lib_nsl_main=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_nsl_main=no
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_main" >&5
+$as_echo "$ac_cv_lib_nsl_main" >&6; }
+if test $ac_cv_lib_nsl_main = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBNSL 1
+_ACEOF
+
+ LIBS="-lnsl $LIBS"
+
+fi
+
+
+{ $as_echo "$as_me:$LINENO: checking for main in -lsocket" >&5
+$as_echo_n "checking for main in -lsocket... " >&6; }
+if test "${ac_cv_lib_socket_main+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsocket $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+
+int
+main ()
+{
+return main ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext && {
+ test "$cross_compiling" = yes ||
+ $as_test_x conftest$ac_exeext
+ }; then
+ ac_cv_lib_socket_main=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_socket_main=no
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_socket_main" >&5
+$as_echo "$ac_cv_lib_socket_main" >&6; }
+if test $ac_cv_lib_socket_main = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSOCKET 1
+_ACEOF
+
+ LIBS="-lsocket $LIBS"
+
+fi
+
+
+{ $as_echo "$as_me:$LINENO: checking for int32_t using $CC" >&5
+$as_echo_n "checking for int32_t using $CC... " >&6; }
+ if test "${ac_cv_lbl_have_int32_t+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+# include "confdefs.h"
+# include <sys/types.h>
+# if STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+# endif
+int
+main ()
+{
+int32_t i
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_lbl_have_int32_t=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lbl_have_int32_t=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+ { $as_echo "$as_me:$LINENO: result: $ac_cv_lbl_have_int32_t" >&5
+$as_echo "$ac_cv_lbl_have_int32_t" >&6; }
+ if test $ac_cv_lbl_have_int32_t = no ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define int32_t int
+_ACEOF
+
+ fi
+{ $as_echo "$as_me:$LINENO: checking for u_int32_t using $CC" >&5
+$as_echo_n "checking for u_int32_t using $CC... " >&6; }
+ if test "${ac_cv_lbl_have_u_int32_t+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+# include "confdefs.h"
+# include <sys/types.h>
+# if STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+# endif
+int
+main ()
+{
+u_int32_t i
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_lbl_have_u_int32_t=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lbl_have_u_int32_t=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+ { $as_echo "$as_me:$LINENO: result: $ac_cv_lbl_have_u_int32_t" >&5
+$as_echo "$ac_cv_lbl_have_u_int32_t" >&6; }
+ if test $ac_cv_lbl_have_u_int32_t = no ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define u_int32_t u_int
+_ACEOF
+
+ fi
+
+
+
+ rm -f os-proto.h
+ if test -f .devel ; then
+ if test "$GCC" = yes ; then
+ if test "$SHLICC2" = yes ; then
+ ac_cv_lbl_gcc_vers=2
+ V_CCOPT="`echo $V_CCOPT | sed -e 's/-O/-O3/'`"
+ else
+ { $as_echo "$as_me:$LINENO: checking gcc version" >&5
+$as_echo_n "checking gcc version... " >&6; }
+ if test "${ac_cv_lbl_gcc_vers+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ # Gag, the gcc folks keep changing the output...
+ # try to grab N.N.N
+ ac_cv_lbl_gcc_vers=`$CC --version 2>&1 |
+ sed -e '1!d' -e 's/[^0-9]*\([0-9][0-9]*\)\.[0-9\][0-9]*\.[0-9][0-9]*.*/\1/'`
+fi
+
+ { $as_echo "$as_me:$LINENO: result: $ac_cv_lbl_gcc_vers" >&5
+$as_echo "$ac_cv_lbl_gcc_vers" >&6; }
+ if test "$ac_cv_lbl_gcc_vers" -gt 1 ; then
+ V_CCOPT="`echo $V_CCOPT | sed -e 's/-O/-O3/'`"
+ fi
+ fi
+ if test "$ac_cv_prog_cc_g" = yes ; then
+ V_CCOPT="-g $V_CCOPT"
+ fi
+ V_CCOPT="$V_CCOPT -Wall"
+ if test "$ac_cv_lbl_gcc_vers" -gt 1 ; then
+ V_CCOPT="$V_CCOPT -Wmissing-prototypes -Wstrict-prototypes"
+ if [ "`uname -s`" = "FreeBSD" ]; then
+ V_CCOPT="$V_CCOPT -Werror"
+ fi
+ fi
+ else
+ case "$target_os" in
+
+ irix6*)
+ V_CCOPT="$V_CCOPT -fullwarn -n32"
+ ;;
+
+ *)
+ ;;
+ esac
+ fi
+ os=`echo $target_os | sed -e 's/\([0-9][0-9]*\)[^0-9].*$/\1/'`
+ name="lbl/os-$os.h"
+ if test -f $name ; then
+ ln -s $name os-proto.h
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_OS_PROTO_H /**/
+_ACEOF
+
+ else
+ { $as_echo "$as_me:$LINENO: WARNING: can't find $name" >&5
+$as_echo "$as_me: WARNING: can't find $name" >&2;}
+ fi
+ fi
+
+if test -r lbl/gnuc.h ; then
+ rm -f gnuc.h
+ ln -s lbl/gnuc.h gnuc.h
+fi
+
+
+
+
+
+
+
+ac_config_files="$ac_config_files Makefile"
+
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems. If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overridden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, we kill variables containing newlines.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(
+ for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
+ eval ac_val=\$$ac_var
+ case $ac_val in #(
+ *${as_nl}*)
+ case $ac_var in #(
+ *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+$as_echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+ esac
+ case $ac_var in #(
+ _ | IFS | as_nl) ;; #(
+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
+ *) $as_unset $ac_var ;;
+ esac ;;
+ esac
+ done
+
+ (set) 2>&1 |
+ case $as_nl`(ac_space=' '; set) 2>&1` in #(
+ *${as_nl}ac_space=\ *)
+ # `set' does not quote correctly, so add quotes (double-quote
+ # substitution turns \\\\ into \\, and sed turns \\ into \).
+ sed -n \
+ "s/'/'\\\\''/g;
+ s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+ ;; #(
+ *)
+ # `set' quotes correctly as required by POSIX, so do not add quotes.
+ sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+ ;;
+ esac |
+ sort
+) |
+ sed '
+ /^ac_cv_env_/b end
+ t clear
+ :clear
+ s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+ t end
+ s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+ :end' >>confcache
+if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+ if test -w "$cache_file"; then
+ test "x$cache_file" != "x/dev/null" &&
+ { $as_echo "$as_me:$LINENO: updating cache $cache_file" >&5
+$as_echo "$as_me: updating cache $cache_file" >&6;}
+ cat confcache >$cache_file
+ else
+ { $as_echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
+ fi
+fi
+rm -f confcache
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+# Transform confdefs.h into DEFS.
+# Protect against shell expansion while executing Makefile rules.
+# Protect against Makefile macro expansion.
+#
+# If the first sed substitution is executed (which looks for macros that
+# take arguments), then branch to the quote section. Otherwise,
+# look for a macro that doesn't take arguments.
+ac_script='
+:mline
+/\\$/{
+ N
+ s,\\\n,,
+ b mline
+}
+t clear
+:clear
+s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g
+t quote
+s/^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)/-D\1=\2/g
+t quote
+b any
+:quote
+s/[ `~#$^&*(){}\\|;'\''"<>?]/\\&/g
+s/\[/\\&/g
+s/\]/\\&/g
+s/\$/$$/g
+H
+:any
+${
+ g
+ s/^\n//
+ s/\n/ /g
+ p
+}
+'
+DEFS=`sed -n "$ac_script" confdefs.h`
+
+
+ac_libobjs=
+ac_ltlibobjs=
+for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+ # 1. Remove the extension, and $U if already installed.
+ ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+ ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
+ # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR
+ # will be set to the directory where LIBOBJS objects are built.
+ ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+ ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
+done
+LIBOBJS=$ac_libobjs
+
+LTLIBOBJS=$ac_ltlibobjs
+
+
+
+: ${CONFIG_STATUS=./config.status}
+ac_write_fail=0
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+{ $as_echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
+cat >$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+#! $SHELL
+# Generated by $as_me.
+# Run this file to recreate the current configuration.
+# Compiler output produced by configure, useful for debugging
+# configure, is in config.log if it exists.
+
+debug=false
+ac_cs_recheck=false
+ac_cs_silent=false
+SHELL=\${CONFIG_SHELL-$SHELL}
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+## --------------------- ##
+## M4sh Initialization. ##
+## --------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+as_nl='
+'
+export as_nl
+# Printing a long string crashes Solaris 7 /usr/bin/printf.
+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
+if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
+ as_echo='printf %s\n'
+ as_echo_n='printf %s'
+else
+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
+ as_echo_n='/usr/ucb/echo -n'
+ else
+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
+ as_echo_n_body='eval
+ arg=$1;
+ case $arg in
+ *"$as_nl"*)
+ expr "X$arg" : "X\\(.*\\)$as_nl";
+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
+ esac;
+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
+ '
+ export as_echo_n_body
+ as_echo_n='sh -c $as_echo_n_body as_echo'
+ fi
+ export as_echo_body
+ as_echo='sh -c $as_echo_body as_echo'
+fi
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+ PATH_SEPARATOR=:
+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
+ PATH_SEPARATOR=';'
+ }
+fi
+
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+ as_unset=unset
+else
+ as_unset=false
+fi
+
+
+# IFS
+# We need space, tab and new line, in precisely that order. Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+IFS=" "" $as_nl"
+
+# Find who we are. Look in the path if we contain no directory separator.
+case $0 in
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+ ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+ as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+ { (exit 1); exit 1; }
+fi
+
+# Work around bugs in pre-3.0 UWIN ksh.
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+LC_ALL=C
+export LC_ALL
+LANGUAGE=C
+export LANGUAGE
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+ as_basename=basename
+else
+ as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X/"$0" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+
+# CDPATH.
+$as_unset CDPATH
+
+
+
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+
+ # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+ # uniformly replaced by the line number. The first 'sed' inserts a
+ # line-number line after each line using $LINENO; the second 'sed'
+ # does the real work. The second script uses 'N' to pair each
+ # line-number line with the line containing $LINENO, and appends
+ # trailing '-' during substitution so that $LINENO is not a special
+ # case at line end.
+ # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+ # scripts with optimization help from Paolo Bonzini. Blame Lee
+ # E. McMahon (1931-1989) for sed's syntax. :-)
+ sed -n '
+ p
+ /[$]LINENO/=
+ ' <$as_myself |
+ sed '
+ s/[$]LINENO.*/&-/
+ t lineno
+ b
+ :lineno
+ N
+ :loop
+ s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+ t loop
+ s/-\n.*//
+ ' >$as_me.lineno &&
+ chmod +x "$as_me.lineno" ||
+ { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+ { (exit 1); exit 1; }; }
+
+ # Don't try to exec as it changes $[0], causing all sort of problems
+ # (the dirname of $[0] is not the place where we might find the
+ # original and so on. Autoconf is especially sensitive to this).
+ . "./$as_me.lineno"
+ # Exit status is that of the last command.
+ exit
+}
+
+
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+ as_dirname=dirname
+else
+ as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+ case `echo 'x\c'` in
+ *c*) ECHO_T=' ';; # ECHO_T is single tab character.
+ *) ECHO_C='\c';;
+ esac;;
+*)
+ ECHO_N='-n';;
+esac
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+ rm -f conf$$.dir/conf$$.file
+else
+ rm -f conf$$.dir
+ mkdir conf$$.dir 2>/dev/null
+fi
+if (echo >conf$$.file) 2>/dev/null; then
+ if ln -s conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s='ln -s'
+ # ... but there are two gotchas:
+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+ # In both cases, we have to default to `cp -p'.
+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+ as_ln_s='cp -p'
+ elif ln conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s=ln
+ else
+ as_ln_s='cp -p'
+ fi
+else
+ as_ln_s='cp -p'
+fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
+
+if mkdir -p . 2>/dev/null; then
+ as_mkdir_p=:
+else
+ test -d ./-p && rmdir ./-p
+ as_mkdir_p=false
+fi
+
+if test -x / >/dev/null 2>&1; then
+ as_test_x='test -x'
+else
+ if ls -dL / >/dev/null 2>&1; then
+ as_ls_L_option=L
+ else
+ as_ls_L_option=
+ fi
+ as_test_x='
+ eval sh -c '\''
+ if test -d "$1"; then
+ test -d "$1/.";
+ else
+ case $1 in
+ -*)set "./$1";;
+ esac;
+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+ ???[sx]*):;;*)false;;esac;fi
+ '\'' sh
+ '
+fi
+as_executable_p=$as_test_x
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+exec 6>&1
+
+# Save the log message, to keep $[0] and so on meaningful, and to
+# report actual input values of CONFIG_FILES etc. instead of their
+# values after options handling.
+ac_log="
+This file was extended by $as_me, which was
+generated by GNU Autoconf 2.62. Invocation command line was
+
+ CONFIG_FILES = $CONFIG_FILES
+ CONFIG_HEADERS = $CONFIG_HEADERS
+ CONFIG_LINKS = $CONFIG_LINKS
+ CONFIG_COMMANDS = $CONFIG_COMMANDS
+ $ $0 $@
+
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+"
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+# Files that config.status was made for.
+config_files="$ac_config_files"
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ac_cs_usage="\
+\`$as_me' instantiates files from templates according to the
+current configuration.
+
+Usage: $0 [OPTIONS] [FILE]...
+
+ -h, --help print this help, then exit
+ -V, --version print version number and configuration settings, then exit
+ -q, --quiet do not print progress messages
+ -d, --debug don't remove temporary files
+ --recheck update $as_me by reconfiguring in the same conditions
+ --file=FILE[:TEMPLATE]
+ instantiate the configuration file FILE
+
+Configuration files:
+$config_files
+
+Report bugs to <bug-autoconf@gnu.org>."
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ac_cs_version="\\
+config.status
+configured by $0, generated by GNU Autoconf 2.62,
+ with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
+
+Copyright (C) 2008 Free Software Foundation, Inc.
+This config.status script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it."
+
+ac_pwd='$ac_pwd'
+srcdir='$srcdir'
+INSTALL='$INSTALL'
+test -n "\$AWK" || AWK=awk
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+# The default lists apply if the user does not specify any file.
+ac_need_defaults=:
+while test $# != 0
+do
+ case $1 in
+ --*=*)
+ ac_option=`expr "X$1" : 'X\([^=]*\)='`
+ ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
+ ac_shift=:
+ ;;
+ *)
+ ac_option=$1
+ ac_optarg=$2
+ ac_shift=shift
+ ;;
+ esac
+
+ case $ac_option in
+ # Handling of the options.
+ -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+ ac_cs_recheck=: ;;
+ --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+ $as_echo "$ac_cs_version"; exit ;;
+ --debug | --debu | --deb | --de | --d | -d )
+ debug=: ;;
+ --file | --fil | --fi | --f )
+ $ac_shift
+ case $ac_optarg in
+ *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
+ esac
+ CONFIG_FILES="$CONFIG_FILES '$ac_optarg'"
+ ac_need_defaults=false;;
+ --he | --h | --help | --hel | -h )
+ $as_echo "$ac_cs_usage"; exit ;;
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil | --si | --s)
+ ac_cs_silent=: ;;
+
+ # This is an error.
+ -*) { $as_echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2
+ { (exit 1); exit 1; }; } ;;
+
+ *) ac_config_targets="$ac_config_targets $1"
+ ac_need_defaults=false ;;
+
+ esac
+ shift
+done
+
+ac_configure_extra_args=
+
+if $ac_cs_silent; then
+ exec 6>/dev/null
+ ac_configure_extra_args="$ac_configure_extra_args --silent"
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+if \$ac_cs_recheck; then
+ set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+ shift
+ \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
+ CONFIG_SHELL='$SHELL'
+ export CONFIG_SHELL
+ exec "\$@"
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+exec 5>>config.log
+{
+ echo
+ sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+ $as_echo "$ac_log"
+} >&5
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+
+# Handling of arguments.
+for ac_config_target in $ac_config_targets
+do
+ case $ac_config_target in
+ "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+
+ *) { { $as_echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+$as_echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+ { (exit 1); exit 1; }; };;
+ esac
+done
+
+
+# If the user did not use the arguments to specify the items to instantiate,
+# then the envvar interface is used. Set only those that are not.
+# We use the long form for the default assignment because of an extremely
+# bizarre bug on SunOS 4.1.3.
+if $ac_need_defaults; then
+ test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
+fi
+
+# Have a temporary directory for convenience. Make it in the build tree
+# simply because there is no reason against having it here, and in addition,
+# creating and moving files from /tmp can sometimes cause problems.
+# Hook for its removal unless debugging.
+# Note that there is a small window in which the directory will not be cleaned:
+# after its creation but before its name has been assigned to `$tmp'.
+$debug ||
+{
+ tmp=
+ trap 'exit_status=$?
+ { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+' 0
+ trap '{ (exit 1); exit 1; }' 1 2 13 15
+}
+# Create a (secure) tmp directory for tmp files.
+
+{
+ tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
+ test -n "$tmp" && test -d "$tmp"
+} ||
+{
+ tmp=./conf$$-$RANDOM
+ (umask 077 && mkdir "$tmp")
+} ||
+{
+ $as_echo "$as_me: cannot create a temporary directory in ." >&2
+ { (exit 1); exit 1; }
+}
+
+# Set up the scripts for CONFIG_FILES section.
+# No need to generate them if there are no CONFIG_FILES.
+# This happens for instance with `./config.status config.h'.
+if test -n "$CONFIG_FILES"; then
+
+
+ac_cr='\r'
+ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
+if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
+ ac_cs_awk_cr='\\r'
+else
+ ac_cs_awk_cr=$ac_cr
+fi
+
+echo 'BEGIN {' >"$tmp/subs1.awk" &&
+_ACEOF
+
+
+{
+ echo "cat >conf$$subs.awk <<_ACEOF" &&
+ echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
+ echo "_ACEOF"
+} >conf$$subs.sh ||
+ { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+ { (exit 1); exit 1; }; }
+ac_delim_num=`echo "$ac_subst_vars" | grep -c '$'`
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+ . ./conf$$subs.sh ||
+ { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+ { (exit 1); exit 1; }; }
+
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` = $ac_delim_num; then
+ break
+ elif $ac_last_try; then
+ { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+ { (exit 1); exit 1; }; }
+ else
+ ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+ fi
+done
+rm -f conf$$subs.sh
+
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
+_ACEOF
+sed -n '
+h
+s/^/S["/; s/!.*/"]=/
+p
+g
+s/^[^!]*!//
+:repl
+t repl
+s/'"$ac_delim"'$//
+t delim
+:nl
+h
+s/\(.\{148\}\).*/\1/
+t more1
+s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
+p
+n
+b repl
+:more1
+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
+p
+g
+s/.\{148\}//
+t nl
+:delim
+h
+s/\(.\{148\}\).*/\1/
+t more2
+s/["\\]/\\&/g; s/^/"/; s/$/"/
+p
+b
+:more2
+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
+p
+g
+s/.\{148\}//
+t delim
+' <conf$$subs.awk | sed '
+/^[^""]/{
+ N
+ s/\n//
+}
+' >>$CONFIG_STATUS || ac_write_fail=1
+rm -f conf$$subs.awk
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+_ACAWK
+cat >>"\$tmp/subs1.awk" <<_ACAWK &&
+ for (key in S) S_is_set[key] = 1
+ FS = "\a"
+
+}
+{
+ line = $ 0
+ nfields = split(line, field, "@")
+ substed = 0
+ len = length(field[1])
+ for (i = 2; i < nfields; i++) {
+ key = field[i]
+ keylen = length(key)
+ if (S_is_set[key]) {
+ value = S[key]
+ line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
+ len += length(value) + length(field[++i])
+ substed = 1
+ } else
+ len += 1 + keylen
+ }
+
+ print line
+}
+
+_ACAWK
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
+ sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
+else
+ cat
+fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
+ || { { $as_echo "$as_me:$LINENO: error: could not setup config files machinery" >&5
+$as_echo "$as_me: error: could not setup config files machinery" >&2;}
+ { (exit 1); exit 1; }; }
+_ACEOF
+
+# VPATH may cause trouble with some makes, so we remove $(srcdir),
+# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+ ac_vpsub='/^[ ]*VPATH[ ]*=/{
+s/:*\$(srcdir):*/:/
+s/:*\${srcdir}:*/:/
+s/:*@srcdir@:*/:/
+s/^\([^=]*=[ ]*\):*/\1/
+s/:*$//
+s/^[^=]*=[ ]*$//
+}'
+fi
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+fi # test -n "$CONFIG_FILES"
+
+
+eval set X " :F $CONFIG_FILES "
+shift
+for ac_tag
+do
+ case $ac_tag in
+ :[FHLC]) ac_mode=$ac_tag; continue;;
+ esac
+ case $ac_mode$ac_tag in
+ :[FHL]*:*);;
+ :L* | :C*:*) { { $as_echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+$as_echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+ { (exit 1); exit 1; }; };;
+ :[FH]-) ac_tag=-:-;;
+ :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+ esac
+ ac_save_IFS=$IFS
+ IFS=:
+ set x $ac_tag
+ IFS=$ac_save_IFS
+ shift
+ ac_file=$1
+ shift
+
+ case $ac_mode in
+ :L) ac_source=$1;;
+ :[FH])
+ ac_file_inputs=
+ for ac_f
+ do
+ case $ac_f in
+ -) ac_f="$tmp/stdin";;
+ *) # Look for the file first in the build tree, then in the source tree
+ # (if the path is not absolute). The absolute path cannot be DOS-style,
+ # because $ac_f cannot contain `:'.
+ test -f "$ac_f" ||
+ case $ac_f in
+ [\\/$]*) false;;
+ *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+ esac ||
+ { { $as_echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+$as_echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+ { (exit 1); exit 1; }; };;
+ esac
+ case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
+ ac_file_inputs="$ac_file_inputs '$ac_f'"
+ done
+
+ # Let's still pretend it is `configure' which instantiates (i.e., don't
+ # use $as_me), people would be surprised to read:
+ # /* config.h. Generated by config.status. */
+ configure_input='Generated from '`
+ $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
+ `' by configure.'
+ if test x"$ac_file" != x-; then
+ configure_input="$ac_file. $configure_input"
+ { $as_echo "$as_me:$LINENO: creating $ac_file" >&5
+$as_echo "$as_me: creating $ac_file" >&6;}
+ fi
+ # Neutralize special characters interpreted by sed in replacement strings.
+ case $configure_input in #(
+ *\&* | *\|* | *\\* )
+ ac_sed_conf_input=`$as_echo "$configure_input" |
+ sed 's/[\\\\&|]/\\\\&/g'`;; #(
+ *) ac_sed_conf_input=$configure_input;;
+ esac
+
+ case $ac_tag in
+ *:-:* | *:-) cat >"$tmp/stdin" \
+ || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
+$as_echo "$as_me: error: could not create $ac_file" >&2;}
+ { (exit 1); exit 1; }; } ;;
+ esac
+ ;;
+ esac
+
+ ac_dir=`$as_dirname -- "$ac_file" ||
+$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$ac_file" : 'X\(//\)[^/]' \| \
+ X"$ac_file" : 'X\(//\)$' \| \
+ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$ac_file" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ { as_dir="$ac_dir"
+ case $as_dir in #(
+ -*) as_dir=./$as_dir;;
+ esac
+ test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
+ as_dirs=
+ while :; do
+ case $as_dir in #(
+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
+ *) as_qdir=$as_dir;;
+ esac
+ as_dirs="'$as_qdir' $as_dirs"
+ as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$as_dir" : 'X\(//\)[^/]' \| \
+ X"$as_dir" : 'X\(//\)$' \| \
+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_dir" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ test -d "$as_dir" && break
+ done
+ test -z "$as_dirs" || eval "mkdir $as_dirs"
+ } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+$as_echo "$as_me: error: cannot create directory $as_dir" >&2;}
+ { (exit 1); exit 1; }; }; }
+ ac_builddir=.
+
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+ # A ".." for each directory in $ac_dir_suffix.
+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+ case $ac_top_builddir_sub in
+ "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+ esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
+
+case $srcdir in
+ .) # We are building in place.
+ ac_srcdir=.
+ ac_top_srcdir=$ac_top_builddir_sub
+ ac_abs_top_srcdir=$ac_pwd ;;
+ [\\/]* | ?:[\\/]* ) # Absolute name.
+ ac_srcdir=$srcdir$ac_dir_suffix;
+ ac_top_srcdir=$srcdir
+ ac_abs_top_srcdir=$srcdir ;;
+ *) # Relative name.
+ ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+ ac_top_srcdir=$ac_top_build_prefix$srcdir
+ ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+
+ case $ac_mode in
+ :F)
+ #
+ # CONFIG_FILE
+ #
+
+ case $INSTALL in
+ [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
+ *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
+ esac
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+# If the template does not know about datarootdir, expand it.
+# FIXME: This hack should be removed a few years after 2.60.
+ac_datarootdir_hack=; ac_datarootdir_seen=
+
+ac_sed_dataroot='
+/datarootdir/ {
+ p
+ q
+}
+/@datadir@/p
+/@docdir@/p
+/@infodir@/p
+/@localedir@/p
+/@mandir@/p
+'
+case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
+*datarootdir*) ac_datarootdir_seen=yes;;
+*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ ac_datarootdir_hack='
+ s&@datadir@&$datadir&g
+ s&@docdir@&$docdir&g
+ s&@infodir@&$infodir&g
+ s&@localedir@&$localedir&g
+ s&@mandir@&$mandir&g
+ s&\\\${datarootdir}&$datarootdir&g' ;;
+esac
+_ACEOF
+
+# Neutralize VPATH when `$srcdir' = `.'.
+# Shell code in configure.ac might set extrasub.
+# FIXME: do we really want to maintain this feature?
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ac_sed_extra="$ac_vpsub
+$extrasub
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+:t
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+s|@configure_input@|$ac_sed_conf_input|;t t
+s&@top_builddir@&$ac_top_builddir_sub&;t t
+s&@top_build_prefix@&$ac_top_build_prefix&;t t
+s&@srcdir@&$ac_srcdir&;t t
+s&@abs_srcdir@&$ac_abs_srcdir&;t t
+s&@top_srcdir@&$ac_top_srcdir&;t t
+s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
+s&@builddir@&$ac_builddir&;t t
+s&@abs_builddir@&$ac_abs_builddir&;t t
+s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+s&@INSTALL@&$ac_INSTALL&;t t
+$ac_datarootdir_hack
+"
+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
+ || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
+$as_echo "$as_me: error: could not create $ac_file" >&2;}
+ { (exit 1); exit 1; }; }
+
+test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+ { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
+ { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined. Please make sure it is defined." >&5
+$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined. Please make sure it is defined." >&2;}
+
+ rm -f "$tmp/stdin"
+ case $ac_file in
+ -) cat "$tmp/out" && rm -f "$tmp/out";;
+ *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
+ esac \
+ || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
+$as_echo "$as_me: error: could not create $ac_file" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+
+
+
+ esac
+
+done # for ac_tag
+
+
+{ (exit 0); exit 0; }
+_ACEOF
+chmod +x $CONFIG_STATUS
+ac_clean_files=$ac_clean_files_save
+
+test $ac_write_fail = 0 ||
+ { { $as_echo "$as_me:$LINENO: error: write failure creating $CONFIG_STATUS" >&5
+$as_echo "$as_me: error: write failure creating $CONFIG_STATUS" >&2;}
+ { (exit 1); exit 1; }; }
+
+
+# configure is writing to config.log, and then calls config.status.
+# config.status does its own redirection, appending to config.log.
+# Unfortunately, on DOS this fails, as config.log is still kept open
+# by configure, so config.status won't be able to write to it; its
+# output is simply discarded. So we exec the FD to /dev/null,
+# effectively closing config.log, so it can be properly (re)opened and
+# appended to by config.status. When coming back to configure, we
+# need to make the FD available again.
+if test "$no_create" != yes; then
+ ac_cs_success=:
+ ac_config_status_args=
+ test "$silent" = yes &&
+ ac_config_status_args="$ac_config_status_args --quiet"
+ exec 5>/dev/null
+ $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
+ exec 5>>config.log
+ # Use ||, not &&, to avoid exiting from the if with $? = 1, which
+ # would make configure fail if this is the last instruction.
+ $ac_cs_success || { (exit 1); exit 1; }
+fi
+if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
+ { $as_echo "$as_me:$LINENO: WARNING: Unrecognized options: $ac_unrecognized_opts" >&5
+$as_echo "$as_me: WARNING: Unrecognized options: $ac_unrecognized_opts" >&2;}
+fi
+
+
+if test -f .devel ; then
+ make depend
+fi
+exit 0
--- /dev/null
+AC_REVISION([@(#) $Id: configure.in 241 2009-10-10 23:31:13Z leres $ (LBL)])
+dnl
+AC_COPYRIGHT([Copyright (c) 1995, 1996, 1997, 2006, 2009
+ The Regents of the University of California. All rights reserved.])
+dnl
+dnl Process this file with autoconf to produce a configure script.
+dnl
+
+AC_INIT
+AC_CONFIG_SRCDIR(nslint.c)
+
+AC_CANONICAL_TARGET
+
+umask 002
+
+if test -z "$PWD" ; then
+ PWD=`pwd`
+fi
+
+AC_LBL_C_INIT(V_CCOPT, V_INCLS)
+AC_PROG_INSTALL
+
+AC_CHECK_HEADERS(fcntl.h memory.h)
+
+AC_REPLACE_FUNCS(strerror)
+AC_CHECK_LIB(nsl, main)
+AC_CHECK_LIB(socket, main)
+
+AC_LBL_CHECK_TYPE(int32_t, int)
+AC_LBL_CHECK_TYPE(u_int32_t, u_int)
+
+AC_LBL_DEVEL(V_CCOPT)
+
+if test -r lbl/gnuc.h ; then
+ rm -f gnuc.h
+ ln -s lbl/gnuc.h gnuc.h
+fi
+
+AC_SUBST(CFLAGS)
+AC_SUBST(LDFLAGS)
+AC_SUBST(LIBS)
+AC_SUBST(V_CCOPT)
+AC_SUBST(V_INCLS)
+
+AC_CONFIG_FILES(Makefile)
+AC_OUTPUT
+
+if test -f .devel ; then
+ make depend
+fi
+exit 0
--- /dev/null
+#!/bin/sh
+# install - install a program, script, or datafile
+
+scriptversion=2006-12-25.00
+
+# This originates from X11R5 (mit/util/scripts/install.sh), which was
+# later released in X11R6 (xc/config/util/install.sh) with the
+# following copyright and license.
+#
+# Copyright (C) 1994 X Consortium
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
+# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# Except as contained in this notice, the name of the X Consortium shall not
+# be used in advertising or otherwise to promote the sale, use or other deal-
+# ings in this Software without prior written authorization from the X Consor-
+# tium.
+#
+#
+# FSF changes to this file are in the public domain.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+
+nl='
+'
+IFS=" "" $nl"
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit=${DOITPROG-}
+if test -z "$doit"; then
+ doit_exec=exec
+else
+ doit_exec=$doit
+fi
+
+# Put in absolute file names if you don't have them in your path;
+# or use environment vars.
+
+chgrpprog=${CHGRPPROG-chgrp}
+chmodprog=${CHMODPROG-chmod}
+chownprog=${CHOWNPROG-chown}
+cmpprog=${CMPPROG-cmp}
+cpprog=${CPPROG-cp}
+mkdirprog=${MKDIRPROG-mkdir}
+mvprog=${MVPROG-mv}
+rmprog=${RMPROG-rm}
+stripprog=${STRIPPROG-strip}
+
+posix_glob='?'
+initialize_posix_glob='
+ test "$posix_glob" != "?" || {
+ if (set -f) 2>/dev/null; then
+ posix_glob=
+ else
+ posix_glob=:
+ fi
+ }
+'
+
+posix_mkdir=
+
+# Desired mode of installed file.
+mode=0755
+
+chgrpcmd=
+chmodcmd=$chmodprog
+chowncmd=
+mvcmd=$mvprog
+rmcmd="$rmprog -f"
+stripcmd=
+
+src=
+dst=
+dir_arg=
+dst_arg=
+
+copy_on_change=false
+no_target_directory=
+
+usage="\
+Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
+ or: $0 [OPTION]... SRCFILES... DIRECTORY
+ or: $0 [OPTION]... -t DIRECTORY SRCFILES...
+ or: $0 [OPTION]... -d DIRECTORIES...
+
+In the 1st form, copy SRCFILE to DSTFILE.
+In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
+In the 4th, create DIRECTORIES.
+
+Options:
+ --help display this help and exit.
+ --version display version info and exit.
+
+ -c (ignored)
+ -C install only if different (preserve the last data modification time)
+ -d create directories instead of installing files.
+ -g GROUP $chgrpprog installed files to GROUP.
+ -m MODE $chmodprog installed files to MODE.
+ -o USER $chownprog installed files to USER.
+ -s $stripprog installed files.
+ -t DIRECTORY install into DIRECTORY.
+ -T report an error if DSTFILE is a directory.
+
+Environment variables override the default commands:
+ CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
+ RMPROG STRIPPROG
+"
+
+while test $# -ne 0; do
+ case $1 in
+ -c) ;;
+
+ -C) copy_on_change=true;;
+
+ -d) dir_arg=true;;
+
+ -g) chgrpcmd="$chgrpprog $2"
+ shift;;
+
+ --help) echo "$usage"; exit $?;;
+
+ -m) mode=$2
+ case $mode in
+ *' '* | *' '* | *'
+'* | *'*'* | *'?'* | *'['*)
+ echo "$0: invalid mode: $mode" >&2
+ exit 1;;
+ esac
+ shift;;
+
+ -o) chowncmd="$chownprog $2"
+ shift;;
+
+ -s) stripcmd=$stripprog;;
+
+ -t) dst_arg=$2
+ shift;;
+
+ -T) no_target_directory=true;;
+
+ --version) echo "$0 $scriptversion"; exit $?;;
+
+ --) shift
+ break;;
+
+ -*) echo "$0: invalid option: $1" >&2
+ exit 1;;
+
+ *) break;;
+ esac
+ shift
+done
+
+if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
+ # When -d is used, all remaining arguments are directories to create.
+ # When -t is used, the destination is already specified.
+ # Otherwise, the last argument is the destination. Remove it from $@.
+ for arg
+ do
+ if test -n "$dst_arg"; then
+ # $@ is not empty: it contains at least $arg.
+ set fnord "$@" "$dst_arg"
+ shift # fnord
+ fi
+ shift # arg
+ dst_arg=$arg
+ done
+fi
+
+if test $# -eq 0; then
+ if test -z "$dir_arg"; then
+ echo "$0: no input file specified." >&2
+ exit 1
+ fi
+ # It's OK to call `install-sh -d' without argument.
+ # This can happen when creating conditional directories.
+ exit 0
+fi
+
+if test -z "$dir_arg"; then
+ trap '(exit $?); exit' 1 2 13 15
+
+ # Set umask so as not to create temps with too-generous modes.
+ # However, 'strip' requires both read and write access to temps.
+ case $mode in
+ # Optimize common cases.
+ *644) cp_umask=133;;
+ *755) cp_umask=22;;
+
+ *[0-7])
+ if test -z "$stripcmd"; then
+ u_plus_rw=
+ else
+ u_plus_rw='% 200'
+ fi
+ cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
+ *)
+ if test -z "$stripcmd"; then
+ u_plus_rw=
+ else
+ u_plus_rw=,u+rw
+ fi
+ cp_umask=$mode$u_plus_rw;;
+ esac
+fi
+
+for src
+do
+ # Protect names starting with `-'.
+ case $src in
+ -*) src=./$src;;
+ esac
+
+ if test -n "$dir_arg"; then
+ dst=$src
+ dstdir=$dst
+ test -d "$dstdir"
+ dstdir_status=$?
+ else
+
+ # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
+ # might cause directories to be created, which would be especially bad
+ # if $src (and thus $dsttmp) contains '*'.
+ if test ! -f "$src" && test ! -d "$src"; then
+ echo "$0: $src does not exist." >&2
+ exit 1
+ fi
+
+ if test -z "$dst_arg"; then
+ echo "$0: no destination specified." >&2
+ exit 1
+ fi
+
+ dst=$dst_arg
+ # Protect names starting with `-'.
+ case $dst in
+ -*) dst=./$dst;;
+ esac
+
+ # If destination is a directory, append the input filename; won't work
+ # if double slashes aren't ignored.
+ if test -d "$dst"; then
+ if test -n "$no_target_directory"; then
+ echo "$0: $dst_arg: Is a directory" >&2
+ exit 1
+ fi
+ dstdir=$dst
+ dst=$dstdir/`basename "$src"`
+ dstdir_status=0
+ else
+ # Prefer dirname, but fall back on a substitute if dirname fails.
+ dstdir=`
+ (dirname "$dst") 2>/dev/null ||
+ expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$dst" : 'X\(//\)[^/]' \| \
+ X"$dst" : 'X\(//\)$' \| \
+ X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
+ echo X"$dst" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'
+ `
+
+ test -d "$dstdir"
+ dstdir_status=$?
+ fi
+ fi
+
+ obsolete_mkdir_used=false
+
+ if test $dstdir_status != 0; then
+ case $posix_mkdir in
+ '')
+ # Create intermediate dirs using mode 755 as modified by the umask.
+ # This is like FreeBSD 'install' as of 1997-10-28.
+ umask=`umask`
+ case $stripcmd.$umask in
+ # Optimize common cases.
+ *[2367][2367]) mkdir_umask=$umask;;
+ .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
+
+ *[0-7])
+ mkdir_umask=`expr $umask + 22 \
+ - $umask % 100 % 40 + $umask % 20 \
+ - $umask % 10 % 4 + $umask % 2
+ `;;
+ *) mkdir_umask=$umask,go-w;;
+ esac
+
+ # With -d, create the new directory with the user-specified mode.
+ # Otherwise, rely on $mkdir_umask.
+ if test -n "$dir_arg"; then
+ mkdir_mode=-m$mode
+ else
+ mkdir_mode=
+ fi
+
+ posix_mkdir=false
+ case $umask in
+ *[123567][0-7][0-7])
+ # POSIX mkdir -p sets u+wx bits regardless of umask, which
+ # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
+ ;;
+ *)
+ tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
+ trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
+
+ if (umask $mkdir_umask &&
+ exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+ then
+ if test -z "$dir_arg" || {
+ # Check for POSIX incompatibilities with -m.
+ # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
+ # other-writeable bit of parent directory when it shouldn't.
+ # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
+ ls_ld_tmpdir=`ls -ld "$tmpdir"`
+ case $ls_ld_tmpdir in
+ d????-?r-*) different_mode=700;;
+ d????-?--*) different_mode=755;;
+ *) false;;
+ esac &&
+ $mkdirprog -m$different_mode -p -- "$tmpdir" && {
+ ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+ test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
+ }
+ }
+ then posix_mkdir=:
+ fi
+ rmdir "$tmpdir/d" "$tmpdir"
+ else
+ # Remove any dirs left behind by ancient mkdir implementations.
+ rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+ fi
+ trap '' 0;;
+ esac;;
+ esac
+
+ if
+ $posix_mkdir && (
+ umask $mkdir_umask &&
+ $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
+ )
+ then :
+ else
+
+ # The umask is ridiculous, or mkdir does not conform to POSIX,
+ # or it failed possibly due to a race condition. Create the
+ # directory the slow way, step by step, checking for races as we go.
+
+ case $dstdir in
+ /*) prefix='/';;
+ -*) prefix='./';;
+ *) prefix='';;
+ esac
+
+ eval "$initialize_posix_glob"
+
+ oIFS=$IFS
+ IFS=/
+ $posix_glob set -f
+ set fnord $dstdir
+ shift
+ $posix_glob set +f
+ IFS=$oIFS
+
+ prefixes=
+
+ for d
+ do
+ test -z "$d" && continue
+
+ prefix=$prefix$d
+ if test -d "$prefix"; then
+ prefixes=
+ else
+ if $posix_mkdir; then
+ (umask=$mkdir_umask &&
+ $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
+ # Don't fail if two instances are running concurrently.
+ test -d "$prefix" || exit 1
+ else
+ case $prefix in
+ *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
+ *) qprefix=$prefix;;
+ esac
+ prefixes="$prefixes '$qprefix'"
+ fi
+ fi
+ prefix=$prefix/
+ done
+
+ if test -n "$prefixes"; then
+ # Don't fail if two instances are running concurrently.
+ (umask $mkdir_umask &&
+ eval "\$doit_exec \$mkdirprog $prefixes") ||
+ test -d "$dstdir" || exit 1
+ obsolete_mkdir_used=true
+ fi
+ fi
+ fi
+
+ if test -n "$dir_arg"; then
+ { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
+ { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
+ { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
+ test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
+ else
+
+ # Make a couple of temp file names in the proper directory.
+ dsttmp=$dstdir/_inst.$$_
+ rmtmp=$dstdir/_rm.$$_
+
+ # Trap to clean up those temp files at exit.
+ trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
+
+ # Copy the file name to the temp name.
+ (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
+
+ # and set any options; do chmod last to preserve setuid bits.
+ #
+ # If any of these fail, we abort the whole thing. If we want to
+ # ignore errors from any of these, just make sure not to ignore
+ # errors from the above "$doit $cpprog $src $dsttmp" command.
+ #
+ { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
+ { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
+ { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
+ { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
+
+ # If -C, don't bother to copy if it wouldn't change the file.
+ if $copy_on_change &&
+ old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
+ new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
+
+ eval "$initialize_posix_glob" &&
+ $posix_glob set -f &&
+ set X $old && old=:$2:$4:$5:$6 &&
+ set X $new && new=:$2:$4:$5:$6 &&
+ $posix_glob set +f &&
+
+ test "$old" = "$new" &&
+ $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
+ then
+ rm -f "$dsttmp"
+ else
+ # Rename the file to the real destination.
+ $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
+
+ # The rename failed, perhaps because mv can't rename something else
+ # to itself, or perhaps because mv is so ancient that it does not
+ # support -f.
+ {
+ # Now remove or move aside any old file at destination location.
+ # We try this two ways since rm can't unlink itself on some
+ # systems and the destination file might be busy for other
+ # reasons. In this case, the final cleanup might fail but the new
+ # file should still install successfully.
+ {
+ test ! -f "$dst" ||
+ $doit $rmcmd -f "$dst" 2>/dev/null ||
+ { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
+ { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
+ } ||
+ { echo "$0: cannot unlink or rename $dst" >&2
+ (exit 1); exit 1
+ }
+ } &&
+
+ # Now rename the file to the real destination.
+ $doit $mvcmd "$dsttmp" "$dst"
+ }
+ fi || exit 1
+
+ trap '' 0
+ fi
+done
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
-/* @(#) $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/nslint-2.1a3/lbl/gnuc.h,v 1.1 2001/12/21 04:12:05 marka Exp $ (LBL) */
+/* @(#) $Id: gnuc.h,v 1.4 2006/04/30 03:58:45 leres Exp $ (LBL) */
/* Define __P() macro, if necessary */
#ifndef __P
*
* For example:
*
- * __dead void foo(void) __attribute__((volatile));
+ * __dead void foo(void) __attribute__((noreturn));
*
*/
#ifdef __GNUC__
#ifndef __dead
+#if __GNUC__ >= 4
+#define __dead
+#define noreturn __noreturn__
+#else
#define __dead volatile
+#define noreturn volatile
+#endif
#endif
#if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
#ifndef __attribute__
-.\" @(#) $Id: nslint.8,v 1.1 2001/12/21 04:12:03 marka Exp $ (LBL)
+.\" @(#) $Id: nslint.8 238 2009-03-14 05:43:37Z leres $ (LBL)
.\"
-.\" Copyright (c) 1994, 1996, 1997, 1999, 2001
+.\" Copyright (c) 1994, 1996, 1997, 1999, 2001, 2002, 2009
.\" The Regents of the University of California. All rights reserved.
.\" All rights reserved.
.\"
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH nslint 8 "20 March 2001"
+.TH nslint 8 "2 May 2002"
.UC 4
.SH NAME
nslint - perform consistency checks on dns files
[
.B -d
] [
-.B -b
-.I named.boot
+.B -c
+.I named.conf
] [
-.B -B
-.I nslint.boot
+.B -C
+.I nslint.conf
]
.br
.B nslint
[
.B -d
] [
-.B -c
-.I named.conf
+.B -b
+.I named.boot
] [
-.B -C
-.I nslint.conf
+.B -B
+.I nslint.boot
]
.SH DESCRIPTION
.B Nslint
.B nslint
exits with a non-zero status.
.LP
-Here is a short list of errors
+Here is a partial list of errors
.B nslint
detects:
.IP
.B WKS
records.
.IP
-Missing quotes.
+Missing semicolons and quotes.
.LP
.SH OPTIONS
.TP
.IR stdout .
.LP
.B Nslint
-knows how to read old style
-.I named.boot
-and BIND 8's new
+knows how to read
+BIND 8 and 9's
.I named.conf
-files. If both files exist,
+configuration file and also
+older BIND's
+.I named.boot
+file. If both files exist,
.B nslint
will prefer
.I named.conf
(on the theory that you forgot to delete
.I named.boot
-when you upgraded to BIND 8).
+when you upgraded BIND).
.LP
.SH "ADVANCED CONFIGURATION"
There are some cases where it is necessary to use the
advanced configuration features of
.BR nslint .
Advanced configuration is done with the
+.I nslint.conf
+file. (You can also use
.I nslint.boot
-file.
+which has a syntax similar to
+.I named.boot
+but is not described here.)
.LP
The most common is when a site has a demilitarized zone (DMZ).
The problem here is that the DMZ network will have
record defined for
.IR gateway.es.net .
The solution is to create a
-.I nslint.boot
+.I nslint.conf
file (in the same directory as the other dns files)
with:
.LP
.RS
.nf
.sp .5
-primary es.net nslint.es.net
+zone "es.net" {
+.RS
+type master;
+file "nslint.es.net";
+.RE
+};
.sp .5
.fi
.RE
.RS
.nf
.sp .5
-primary es.net nslint.es.net
+zone "es.net" {
+.RS
+type master;
+file "nslint.es.net";
+.RE
+};
.sp .5
.fi
.RE
.RS
.nf
.sp .5
-primary lbl.gov nslint.lbl.gov
-primary 0.128.in-addr.arpa nslint.128.0.rev
+zone "lbl.gov" {
+.RS
+type master;
+file "nslint.lbl.gov";
+.RE
+};
+.LP
+zone "0.128.in-addr.arpa" {
+.RS
+type master;
+file "nslint.128.0.rev";
+.RE
+};
.sp .5
.fi
.RE
.LP
to
-.I nslint.boot
+.I nslint.conf
and create
.I nslint.lbl.gov
with:
and
.IR jerry.lbl.gov .
.LP
-One last
+Another
.B nslint
feature helps detect hosts that have mistakenly had two ip addresses
assigned on the same subnet. This can happen when two different
nslint {
.RS
network "128.0.6/22";
-network "128.0.6 255.255.252.0";
.RE
};
.sp .5
.fi
.RE
.LP
-The two network lines in this example are equivalent ways of saying the same
-thing; that subnet
-.I 128.0.6
-has a 22 bit wide subnet mask.
-.LP
-If you are using
-.IR nslint.boot ,
-the syntax would be:
+or:
.LP
.RS
.nf
.sp .5
-network 128.0.6/22
-network 128.0.6 255.255.252.0
+nslint {
+.RS
+network "128.0.6 255.255.252.0";
+.RE
+};
.sp .5
.fi
.RE
.LP
-Again this shows two ways of saying the same thing.
+These two examples are are equivalent ways of saying the same thing;
+that subnet
+.I 128.0.6
+has a 22 bit wide subnet mask.
.LP
Using information from the above
.B network
.B network
lines in your
.I nslint.conf
-or
-.I nslint.boot
-files,
+file,
.B nslint
requires you to include lines for all networks;
otherwise you might forget to add
.B network
lines for new networks.
.LP
+Sometimes you have a zone that
+.B nslint
+just can't deal with. A good example is
+a dynamic dns zone. To handle this, you can
+add the following to
+.IB nslint.com :
+.LP
+.RS
+.nf
+.sp .5
+nslint {
+.RS
+ignorezone "dhcp.lbl.gov";
+.RE
+};
+.sp .5
+.fi
+.RE
+.LP
+This will suppress "name referenced without other records" warnings.
+.LP
.SH FILES
.na
.nh
.nf
-/etc/named.boot - default named configuration file
-nslint.boot - default nslint configuration file
+/etc/named.conf - default named configuration file
+/etc/named.boot - old style named configuration file
+nslint.conf - default nslint configuration file
+nslint.boot - old style nslint configuration file
.ad
.hy
.fi
/*
- * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+ * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2005, 2006, 2007, 2008, 2009
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
*/
#ifndef lint
static const char copyright[] =
- "@(#) Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001\n\
+ "@(#) Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2005, 2006, 2007, 2008, 2009\n\
The Regents of the University of California. All rights reserved.\n";
static const char rcsid[] =
- "@(#) $Id: nslint.c,v 1.2 2011/11/30 00:48:51 marka Exp $ (LBL)";
+ "@(#) $Id: nslint.c 247 2009-10-14 17:54:05Z leres $ (LBL)";
#endif
/*
* nslint - perform consistency checks on dns files
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/socket.h>
#include <netinet/in.h>
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
-#ifdef HAVE_MALLOC_H
-#include <malloc.h>
-#endif
#ifdef HAVE_MEMORY_H
#include <memory.h>
#endif
#include <unistd.h>
#include "savestr.h"
+#include "version.h"
#include "gnuc.h"
#ifdef HAVE_OS_PROTO_H
#define NSLINTBOOT "nslint.boot" /* default nslint.boot file */
#define NSLINTCONF "nslint.conf" /* default nslint.conf file */
-/* item struct */
+/* Is the string just a dot by itself? */
+#define CHECKDOT(p) (p[0] == '.' && p[1] == '\0')
+
+/* Address (network order) */
+struct addr {
+ u_int family;
+ union {
+ struct in_addr _a_addr4;
+ struct in6_addr _a_addr6;
+ } addr;
+};
+#define a_addr4 addr._a_addr4.s_addr
+#define a_addr6 addr._a_addr6.s6_addr
+
+/* Network */
+struct network {
+ u_int family;
+ union {
+ struct in_addr _n_addr4;
+ struct in6_addr _n_addr6;
+ } addr;
+ union {
+ struct in_addr _n_mask4;
+ struct in6_addr _n_mask6;
+ } mask;
+};
+#define n_addr4 addr._n_addr4.s_addr
+#define n_mask4 mask._n_mask4.s_addr
+#define n_addr6 addr._n_addr6.s6_addr
+#define n_mask6 mask._n_mask6.s6_addr
+
+/* Item struct */
struct item {
char *host; /* pointer to hostname */
- u_int32_t addr; /* ip address */
+ struct addr addr; /* ip address */
u_int ttl; /* ttl of A records */
int records; /* resource records seen */
int flags; /* flags word */
};
+/* Ignored zone struct */
+struct ignoredzone {
+ char *zone; /* zone name */
+ int len; /* length of zone */
+};
+
/* Resource records seen */
#define REC_A 0x0001
-#define REC_PTR 0x0002
-#define REC_WKS 0x0004
-#define REC_HINFO 0x0008
-#define REC_MX 0x0010
-#define REC_CNAME 0x0020
-#define REC_NS 0x0040
-#define REC_SOA 0x0080
-#define REC_RP 0x0100
-#define REC_TXT 0x0200
-#define REC_SRV 0x0400
+#define REC_AAAA 0x0002
+#define REC_PTR 0x0004
+#define REC_WKS 0x0008
+#define REC_HINFO 0x0010
+#define REC_MX 0x0020
+#define REC_CNAME 0x0040
+#define REC_NS 0x0080
+#define REC_SOA 0x0100
+#define REC_RP 0x0200
+#define REC_TXT 0x0400
+#define REC_SRV 0x0800
/* These aren't real records */
-#define REC_OTHER 0x0800
-#define REC_REF 0x1000
-#define REC_UNKNOWN 0x2000
+#define REC_OTHER 0x1000
+#define REC_REF 0x2000
+#define REC_UNKNOWN 0x4000
+
+/* resource record types for parsing */
+enum rrtype {
+ RR_UNDEF = 0,
+ RR_A,
+ RR_AAAA,
+ RR_ALLOWDUPA,
+ RR_CNAME,
+ RR_DNSKEY,
+ RR_HINFO,
+ RR_MX,
+ RR_NS,
+ RR_PTR,
+ RR_RP,
+ RR_SOA,
+ RR_SRV,
+ RR_TXT,
+ RR_WKS,
+ RR_RRSIG,
+ RR_NSEC,
+};
/* Test for records we want to map to REC_OTHER */
#define MASK_TEST_REC (REC_WKS | REC_HINFO | \
/* Mask away records we don't care about in the final processing to REC_OTHER */
#define MASK_CHECK_REC \
- (REC_A | REC_PTR | REC_CNAME | REC_REF | REC_OTHER)
+ (REC_A | REC_AAAA | REC_PTR | REC_CNAME | REC_REF | REC_OTHER)
/* Test for records we want to check for duplicate name detection */
#define MASK_TEST_DUP \
- (REC_A | REC_HINFO)
+ (REC_A | REC_AAAA | REC_HINFO | REC_CNAME)
/* Flags */
#define FLG_SELFMX 0x001 /* mx record refers to self */
#define FLG_SMTPWKS 0x004 /* saw wks with smtp/tcp */
#define FLG_ALLOWDUPA 0x008 /* allow duplicate a records */
+/* doconf() and doboot() flags */
+#define CONF_MUSTEXIST 0x001 /* fatal for files to not exist */
+#define CONF_NOZONE 0x002 /* do not parse zone files */
+
/* Test for smtp problems */
#define MASK_TEST_SMTP \
(FLG_SELFMX | FLG_SMTPWKS)
-
#define ITEMSIZE (1 << 17) /* power of two */
-#define ITEMHASH(str, h, p) \
- for (p = str, h = 0; *p != '.' && *p != '\0';) h = (h << 5) - h + *p++
struct item items[ITEMSIZE];
int itemcnt; /* count of items */
int debug;
int errors;
+#ifdef __FreeBSD__
+char *bootfile = "/etc/namedb/named.boot";
+char *conffile = "/etc/namedb/named.conf";
+#else
char *bootfile = "/etc/named.boot";
char *conffile = "/etc/named.conf";
+#endif
char *nslintboot;
char *nslintconf;
char *prog;
char *cwd = ".";
+static struct network *netlist;
+static u_int netlistsize; /* size of array */
+static u_int netlistcnt; /* next free element */
+
char **protoserv; /* valid protocol/service names */
int protoserv_init;
int protoserv_last;
int protoserv_len;
static char inaddr[] = ".in-addr.arpa.";
+static char inaddr6[] = ".ip6.arpa.";
+
+/* XXX should be dynamic */
+static struct ignoredzone ignoredzones[10];
+static int numignoredzones = 0;
+#define SIZEIGNOREDZONES (sizeof(ignoredzones) / sizeof(ignoredzones[0]))
/* SOA record */
#define SOA_SERIAL 0
#define NSOAVAL (sizeof(soaval) / sizeof(soaval[0]))
/* Forwards */
-static inline void add_domain(char *, const char *);
-int checkdots(const char *);
-void checkdups(struct item *, int);
-int checkserv(const char *, char **p);
-int checkwks(FILE *, char *, int *, char **);
-int cmpaddr(const void *, const void *);
-int cmphost(const void *, const void *);
-int doboot(const char *, int);
-int doconf(const char *, int);
-void initprotoserv(void);
-char *intoa(u_int32_t);
-int main(int, char **);
-int nslint(void);
-int parseinaddr(const char *, u_int32_t *, u_int32_t *);
-int parsenetwork(const char *, char **);
-u_int32_t parseptr(const char *, u_int32_t, u_int32_t, char **);
-char *parsequoted(char *);
-int parsesoa(const char *, char **);
-void process(const char *, const char *, const char *);
-int rfc1034host(const char *, int);
-int updateitem(const char *, u_int32_t, int, u_int, int);
-__dead void usage(void) __attribute__((volatile));
+void add_domain(char *, const char *);
+const char *addr2str(struct addr *);
+int checkaddr(const char *);
+int checkdots(const char *);
+void checkdups(struct item *, int);
+int checkignoredzone(const char *);
+int checkserv(const char *, char **p);
+int checkwks(FILE *, char *, int *, char **);
+int cmpaddr(const void *, const void *);
+int cmpitemaddr(const void *, const void *);
+int cmpitemhost(const void *, const void *);
+int cmpnetwork(const void *, const void *);
+void doboot(const char *, int);
+void doconf(const char *, int);
+const char *extractaddr(const char *, struct addr *);
+const char *extractnetwork(const char *, struct network *);
+struct network *findnetwork(struct addr *);
+void initprotoserv(void);
+int main(int, char **);
+int maskwidth(struct network *);
+const char *network2str(struct network *);
+void nslint(void);
+const char *parsenetwork(const char *);
+const char *parseptr(const char *, struct addr *);
+char *parsequoted(char *);
+int parserrsig(const char *, char **);
+int parsesoa(const char *, char **);
+void process(const char *, const char *, const char *);
+int rfc1034host(const char *, int);
+enum rrtype txt2rrtype(const char *);
+int samesubnet(struct addr *, struct addr *, struct network *);
+void setmaskwidth(u_int w, struct network *);
+int updateitem(const char *, struct addr *, int, u_int, int);
+void usage(void) __attribute__((noreturn));
extern char *optarg;
extern int optind, opterr;
-/* add domain if necessary */
-static inline void
-add_domain(register char *name, register const char *domain)
-{
- register char *cp;
-
- /* Kill trailing white space and convert to lowercase */
- for (cp = name; *cp != '\0' && !isspace(*cp); ++cp)
- if (isupper(*cp))
- *cp = tolower(*cp);
- *cp-- = '\0';
- /* If necessary, append domain */
- if (cp >= name && *cp++ != '.') {
- if (*domain != '.')
- *cp++ = '.';
- (void)strcpy(cp, domain);
- }
- /* XXX should we insure a trailing dot? */
-}
-
int
main(int argc, char **argv)
{
- register char *cp;
- register int op, status, i, donamedboot, donamedconf;
+ char *cp;
+ int op, donamedboot, donamedconf;
if ((cp = strrchr(argv[0], '/')) != NULL)
prog = cp + 1;
if (optind != argc || (donamedboot && donamedconf))
usage();
- if (donamedboot)
- status = doboot(bootfile, 1);
- else if (donamedconf)
- status = doconf(conffile, 1);
- else {
- status = doconf(conffile, 0);
- if (status < 0) {
- status = doboot(bootfile, 1);
- ++donamedboot;
- } else
+ /* Find config file if not manually specified */
+ if (!donamedboot && !donamedconf) {
+ if (access(conffile, R_OK) >= 0)
++donamedconf;
+ if (access(bootfile, R_OK) >= 0)
+ ++donamedboot;
+
+ if (donamedboot && donamedconf) {
+ fprintf(stderr,
+ "%s: nslint: both %s and %s exist; use -b or -c\n",
+ prog, conffile, bootfile);
+ exit(1);
+ }
}
if (donamedboot) {
+ doboot(bootfile, CONF_MUSTEXIST | CONF_NOZONE);
if (nslintboot != NULL)
- status |= doboot(nslintboot, 1);
- else if ((i = doboot(NSLINTBOOT, 0)) > 0)
- status |= i;
+ doboot(nslintboot, CONF_MUSTEXIST);
+ else
+ doboot(NSLINTBOOT, 0);
+ doboot(bootfile, CONF_MUSTEXIST);
} else {
+ doconf(conffile, CONF_MUSTEXIST | CONF_NOZONE);
if (nslintconf != NULL)
- status |= doconf(nslintconf, 1);
- else if ((i = doconf(NSLINTCONF, 0)) > 0)
- status |= i;
+ doconf(nslintconf, CONF_MUSTEXIST);
+ else
+ doconf(NSLINTCONF, 0);
+ doconf(conffile, CONF_MUSTEXIST);
+ }
+
+ /* Sort network list */
+ if (netlistcnt > 0)
+ qsort(netlist, netlistcnt, sizeof(netlist[0]), cmpnetwork);
+
+ nslint();
+ exit (errors != 0);
+}
+
+/* add domain if necessary */
+void
+add_domain(char *name, const char *domain)
+{
+ char *cp;
+
+ /* Kill trailing white space and convert to lowercase */
+ for (cp = name; *cp != '\0' && !isspace(*cp); ++cp)
+ if (isupper(*cp))
+ *cp = tolower(*cp);
+ *cp-- = '\0';
+ /* If necessary, append domain */
+ if (cp >= name && *cp++ != '.') {
+ if (*domain != '.')
+ *cp++ = '.';
+ (void)strcpy(cp, domain);
+ }
+ /* XXX should we insure a trailing dot? */
+}
+
+const char *
+addr2str(struct addr *ap)
+{
+ struct network net;
+
+ memset(&net, 0, sizeof(net));
+ net.family = ap->family;
+ switch (ap->family) {
+
+ case AF_INET:
+ net.n_addr4 = ap->a_addr4;
+ setmaskwidth(32, &net);
+ break;
+
+ case AF_INET6:
+ memmove(net.n_addr6, &ap->a_addr6, sizeof(ap->a_addr6));
+ setmaskwidth(128, &net);
+ break;
+
+ default:
+ return ("<nil>");
}
- status |= nslint();
- exit (status);
+ return (network2str(&net));
+}
+
+/*
+ * Returns true if name is really an ip address.
+ */
+int
+checkaddr(const char *name)
+{
+ struct in_addr addr;
+
+ return (inet_pton(AF_INET, name, (char *)&addr));
+}
+
+/*
+ * Returns true if name contains a dot but not a trailing dot.
+ * Special case: allow a single dot if the second part is not one
+ * of the 3 or 4 letter top level domains or is any 2 letter TLD
+ */
+int
+checkdots(const char *name)
+{
+ const char *cp, *cp2;
+
+ if ((cp = strchr(name, '.')) == NULL)
+ return (0);
+ cp2 = name + strlen(name) - 1;
+ if (cp2 >= name && *cp2 == '.')
+ return (0);
+
+ /* Return true of more than one dot*/
+ ++cp;
+ if (strchr(cp, '.') != NULL)
+ return (1);
+
+ if (strlen(cp) == 2 ||
+ strcasecmp(cp, "gov") == 0 ||
+ strcasecmp(cp, "edu") == 0 ||
+ strcasecmp(cp, "com") == 0 ||
+ strcasecmp(cp, "net") == 0 ||
+ strcasecmp(cp, "org") == 0 ||
+ strcasecmp(cp, "mil") == 0 ||
+ strcasecmp(cp, "int") == 0 ||
+ strcasecmp(cp, "nato") == 0 ||
+ strcasecmp(cp, "arpa") == 0)
+ return (1);
+ return (0);
}
-struct netlist {
- u_int32_t net;
- u_int32_t mask;
+/* Records we use to detect duplicates */
+static struct duprec {
+ int record;
+ char *name;
+} duprec[] = {
+ { REC_A, "a" },
+ { REC_AAAA, "aaaa" },
+ { REC_HINFO, "hinfo" },
+ { REC_CNAME, "cname" },
+ { 0, NULL },
};
-static struct netlist *netlist;
-static u_int netlistsize; /* size of array */
-static u_int netlistcnt; /* next free element */
+void
+checkdups(struct item *ip, int records)
+{
+ struct duprec *dp;
+
+ records &= (ip->records & MASK_TEST_DUP);
+ if (records == 0)
+ return;
+ for (dp = duprec; dp->name != NULL; ++dp)
+ if ((records & dp->record) != 0) {
+ ++errors;
+ fprintf(stderr, "%s: multiple \"%s\" records for %s\n",
+ prog, dp->name, ip->host);
+ records &= ~dp->record;
+ }
+ if (records != 0)
+ fprintf(stderr, "%s: checkdups: records not zero %s (0x%x)\n",
+ prog, ip->host, records);
+}
-static u_int32_t
-findmask(u_int32_t addr)
+/* Check for an "ignored zone" (usually dynamic dns) */
+int
+checkignoredzone(const char *name)
{
- register int i;
+ int i, len, len2;
+
+ len = strlen(name);
+ if (len > 1 && name[len - 1] == '.')
+ --len;
+ for (i = 0; i < numignoredzones; ++i) {
+ len2 = len - ignoredzones[i].len;
+ if (len2 >= 0 &&
+ strncasecmp(name + len2,
+ ignoredzones[i].zone, len - len2) == 0)
+ return (1);
+ }
+ return (0);
+}
- for (i = 0; i < netlistcnt; ++i)
- if ((addr & netlist[i].mask) == netlist[i].net)
- return (netlist[i].mask);
+int
+checkserv(const char *serv, char **p)
+{
+ for (; *p != NULL; ++p)
+ if (*serv == **p && strcmp(serv, *p) == 0)
+ return (1);
return (0);
}
int
-parsenetwork(register const char *cp, register char **errstrp)
+checkwks(FILE *f, char *proto, int *smtpp, char **errstrp)
{
- register int i, w;
- register u_int32_t net, mask;
- register u_int32_t o;
- register int shift;
+ int n, sawparen;
+ char *cp, *serv, **p;
static char errstr[132];
+ char buf[1024];
+ char psbuf[512];
- while (isspace(*cp))
- ++cp;
- net = 0;
- mask = 0;
- shift = 24;
- while (isdigit(*cp) && shift >= 0) {
- o = 0;
- do {
- o = o * 10 + (*cp++ - '0');
- } while (isdigit(*cp));
- net |= o << shift;
- shift -= 8;
- if (*cp != '.')
- break;
- ++cp;
+ if (!protoserv_init) {
+ initprotoserv();
+ ++protoserv_init;
}
+ /* Line count */
+ n = 0;
+
+ /* Terminate protocol */
+ cp = proto;
+ while (!isspace(*cp) && *cp != '\0')
+ ++cp;
+ if (*cp != '\0')
+ *cp++ = '\0';
- if (isspace(*cp)) {
+ /* Find services */
+ *smtpp = 0;
+ sawparen = 0;
+ if (*cp == '(') {
+ ++sawparen;
++cp;
while (isspace(*cp))
++cp;
- mask = htonl(inet_addr(cp));
- if ((int)mask == -1) {
- *errstrp = errstr;
- (void)sprintf(errstr, "bad mask \"%s\"", cp);
- return (0);
- }
- i = 0;
- while (isdigit(*cp))
- ++cp;
- for (i = 0; i < 3 && *cp == '.'; ++i) {
- ++cp;
- while (isdigit(*cp))
+ }
+ for (;;) {
+ if (*cp == '\0') {
+ if (!sawparen)
+ break;
+ if (fgets(buf, sizeof(buf), f) == NULL) {
+ *errstrp = "mismatched parens";
+ return (n);
+ }
+ ++n;
+ cp = buf;
+ while (isspace(*cp))
++cp;
}
- if (i != 3) {
- *errstrp = "wrong number of dots in mask";
- return (0);
+ /* Find end of service, converting to lowercase */
+ for (serv = cp; !isspace(*cp) && *cp != '\0'; ++cp)
+ if (isupper(*cp))
+ *cp = tolower(*cp);
+ if (*cp != '\0')
+ *cp++ = '\0';
+ if (sawparen && *cp == ')') {
+ /* XXX should check for trailing junk */
+ break;
}
- } else if (*cp == '/') {
- ++cp;
- w = atoi(cp);
- do {
- ++cp;
- } while (isdigit(*cp));
- if (w < 1 || w > 32) {
- *errstrp = "bad mask width";
- return (0);
+
+ (void)sprintf(psbuf, "%s/%s", serv, proto);
+
+ if (*serv == 's' && strcmp(psbuf, "tcp/smtp") == 0)
+ ++*smtpp;
+
+ for (p = protoserv; *p != NULL; ++p)
+ if (*psbuf == **p && strcmp(psbuf, *p) == 0) {
+ break;
+ }
+ if (*p == NULL) {
+ sprintf(errstr, "%s unknown", psbuf);
+ *errstrp = errstr;
+ break;
}
- mask = 0xffffffff << (32 - w);
- } else {
- *errstrp = "garbage after net";
- return (0);
}
- while (isspace(*cp))
- ++cp;
+ return (n);
+}
- if (*cp != '\0') {
- *errstrp = "trailing garbage";
- return (0);
- }
+int
+cmpaddr(const void *arg1, const void *arg2)
+{
+ int i, r1;
+ const struct network *n1, *n2;
+
+ n1 = (const struct network *)arg1;
+ n2 = (const struct network *)arg2;
+
+ /* IPv4 before IPv6 */
+ if (n1->family != n2->family)
+ return ((n1->family == AF_INET) ? -1 : 1);
+
+ switch (n1->family) {
- /* Finaly sanity checks */
- if ((net & ~ mask) != 0) {
- *errstrp = errstr;
- (void)sprintf(errstr, "host bits set in net \"%s\"",
- intoa(net));
+ case AF_INET:
+ /* Address */
+ if (ntohl(n1->n_addr4) < ntohl(n2->n_addr4))
+ return (-1);
+ else if (ntohl(n1->n_addr4) > ntohl(n2->n_addr4))
+ return (1);
return (0);
- }
- /* Make sure there's room */
- if (netlistsize <= netlistcnt) {
- if (netlistsize == 0) {
- netlistsize = 32;
- netlist = (struct netlist *)
- malloc(netlistsize * sizeof(*netlist));
- } else {
- netlistsize <<= 1;
- netlist = (struct netlist *)
- realloc(netlist, netlistsize * sizeof(*netlist));
- }
- if (netlist == NULL) {
- fprintf(stderr, "%s: nslint: malloc/realloc: %s\n",
- prog, strerror(errno));
- exit(1);
+ case AF_INET6:
+ /* Address */
+ r1 = 0;
+ for (i = 0; i < 16; ++i) {
+ if (ntohl(n1->n_addr6[i]) < ntohl(n2->n_addr6[i]))
+ return (-1);
+ if (ntohl(n1->n_addr6[i]) > ntohl(n2->n_addr6[i]))
+ return (1);
}
+ return (0);
+
+ default:
+ abort();
}
+}
- /* Add to list */
- netlist[netlistcnt].net = net;
- netlist[netlistcnt].mask = mask;
- ++netlistcnt;
+int
+cmpitemaddr(const void *arg1, const void *arg2)
+{
+ struct item *i1, *i2;
- return (1);
+ i1 = (struct item *)arg1;
+ i2 = (struct item *)arg2;
+
+ return (cmpaddr(&i1->addr, &i2->addr));
}
int
-doboot(register const char *file, register int mustexist)
+cmpitemhost(const void *arg1, const void *arg2)
{
- register int n;
- register char *cp, *cp2;
- register FILE *f;
- char *errstr;
- char buf[1024], name[128];
+ struct item *i1, *i2;
- errno = 0;
- f = fopen(file, "r");
+ i1 = (struct item *)arg1;
+ i2 = (struct item *)arg2;
+
+ return (strcasecmp(i1->host, i1->host));
+}
+
+/* Sort by network number (use mask when networks are the same) */
+int
+cmpnetwork(const void *arg1, const void *arg2)
+{
+ int i, r1, r2;
+ const struct network *n1, *n2;
+
+ n1 = (const struct network *)arg1;
+ n2 = (const struct network *)arg2;
+
+ /* IPv4 before IPv6 */
+ if (n1->family != n2->family)
+ return ((n1->family == AF_INET) ? -1 : 1);
+
+ switch (n1->family) {
+
+ case AF_INET:
+ /* Address */
+ if (ntohl(n1->n_addr4) < ntohl(n2->n_addr4))
+ return (-1);
+ else if (ntohl(n1->n_addr4) > ntohl(n2->n_addr4))
+ return (1);
+
+ /* Mask */
+ if (ntohl(n1->n_mask4) < ntohl(n2->n_mask4))
+ return (1);
+ else if (ntohl(n1->n_mask4) > ntohl(n2->n_mask4))
+ return (-1);
+ return (0);
+
+ case AF_INET6:
+ /* Address */
+ r1 = 0;
+ for (i = 0; i < 16; ++i) {
+ if (ntohl(n1->n_addr6[i]) < ntohl(n2->n_addr6[i]))
+ return (-1);
+ if (ntohl(n1->n_addr6[i]) > ntohl(n2->n_addr6[i]))
+ return (1);
+ }
+
+ /* Mask */
+ r2 = 0;
+ for (i = 0; i < 16; ++i) {
+ if (n1->n_mask6[i] < n2->n_mask6[i])
+ return (1);
+ if (n1->n_mask6[i] > n2->n_mask6[i])
+ return (-1);
+ }
+ return (0);
+ break;
+
+ default:
+ abort();
+ }
+ abort();
+}
+
+void
+doboot(const char *file, int flags)
+{
+ int n;
+ char *cp, *cp2;
+ FILE *f;
+ const char *errstr;
+ char buf[1024], name[128];
+
+ errno = 0;
+ f = fopen(file, "r");
if (f == NULL) {
/* Not an error if it doesn't exist */
- if (!mustexist && errno == ENOENT) {
+ if ((flags & CONF_MUSTEXIST) == 0 && errno == ENOENT) {
if (debug > 1)
printf(
"%s: doit: %s doesn't exist (ignoring)\n",
prog, file);
- return (-1);
+ return;
}
fprintf(stderr, "%s: %s: %s\n", prog, file, strerror(errno));
exit(1);
/* Process it! (zone is the same as the domain) */
nsoaval = -1;
memset(soaval, 0, sizeof(soaval));
- process(cp2, name, name);
+ if ((flags & CONF_NOZONE) == 0)
+ process(cp2, name, name);
continue;
}
if (strcasecmp(cp2, "network") == 0) {
- if (!parsenetwork(cp, &errstr)) {
+ errstr = parsenetwork(cp);
+ if (errstr != NULL) {
++errors;
fprintf(stderr,
"%s: %s:%d: bad network: %s\n",
while (!isspace(*cp) && *cp != '\0')
++cp;
*cp = '\0';
- errors += doboot(cp2, 1);
+ doboot(cp2, 1);
continue;
}
/* Eat any other options */
}
(void)fclose(f);
-
- return (errors != 0);
}
-int
-doconf(register const char *file, register int mustexist)
+void
+doconf(const char *file, int flags)
{
- register int n, fd, cc, i, depth;
- register char *cp, *cp2, *buf;
- register char *name, *zonename, *filename, *typename;
- register int namelen, zonenamelen, filenamelen, typenamelen;
- char *errstr;
+ int n, fd, cc, i, depth;
+ char *cp, *cp2, *buf;
+ const char *p;
+ char *name, *zonename, *filename, *typename;
+ int namelen, zonenamelen, filenamelen, typenamelen;
struct stat sbuf;
char zone[128], includefile[256];
fd = open(file, O_RDONLY, 0);
if (fd < 0) {
/* Not an error if it doesn't exist */
- if (!mustexist && errno == ENOENT) {
+ if ((flags & CONF_MUSTEXIST) == 0 && errno == ENOENT) {
if (debug > 1)
printf(
"%s: doconf: %s doesn't exist (ignoring)\n",
prog, file);
- return (-1);
+ return;
}
fprintf(stderr, "%s: %s: %s\n", prog, file, strerror(errno));
exit(1);
/* Eat everything to the next semicolon, perhaps eating matching qbraces */
#define EATSEMICOLON \
{ \
- register int depth = 0; \
+ int depth = 0; \
while (*cp != '\0') { \
EATCOMMENTS \
if (*cp == ';') { \
} \
}
+/* Eat everything to the next left qbrace */
+#define EATSLEFTBRACE \
+ while (*cp != '\0') { \
+ EATCOMMENTS \
+ if (*cp == '{') { \
+ ++cp; \
+ break; \
+ } \
+ ++cp; \
+ }
+
n = 1;
zone[0] = '\0';
cp = buf;
filename[filenamelen] = '\0';
nsoaval = -1;
memset(soaval, 0, sizeof(soaval));
- process(filename, zone, zone);
+ if ((flags & CONF_NOZONE) == 0)
+ process(filename, zone, zone);
}
continue;
}
EATCOMMENTS
GETQUOTEDNAME(cp2, i)
-
cp2[i] = '\0';
- if (!parsenetwork(cp2, &errstr)) {
+ p = parsenetwork(cp2);
+ if (p != NULL) {
++errors;
fprintf(stderr,
"%s: %s:%d: bad network: %s\n",
- prog, file, n, errstr);
+ prog, file, n, p);
+ }
+ } else if (strncasecmp(name, "ignorezone",
+ namelen) == 0) {
+ EATCOMMENTS
+ GETQUOTEDNAME(cp2, i)
+ cp2[i] = '\0';
+ if (numignoredzones + 1 <
+ sizeof(ignoredzones) /
+ sizeof(ignoredzones[0])) {
+ ignoredzones[numignoredzones].zone =
+ savestr(cp2);
+ if (ignoredzones[numignoredzones].zone != NULL) {
+ ignoredzones[numignoredzones].len = strlen(cp2);
+ ++numignoredzones;
+ }
}
} else {
++errors;
EATCOMMENTS
if (*cp != ';') {
++errors;
- fprintf(stderr, "missing options semi\n");
+ fprintf(stderr,
+ "%s: %s:%d: missing nslint semi\n",
+ prog, file, n);
} else
++cp;
continue;
GETQUOTEDNAME(filename, filenamelen)
strncpy(includefile, filename, filenamelen);
includefile[filenamelen] = '\0';
- errors += doconf(includefile, 1);
+ doconf(includefile, 1);
EATSEMICOLON
continue;
}
+ if (strncasecmp(name, "view", namelen) == 0) {
+ EATSLEFTBRACE
+ continue;
+ }
/* Skip over statements we don't understand */
EATSEMICOLON
free(buf);
close(fd);
- return (errors != 0);
}
-/* Return true when done */
-int
-parsesoa(register const char *cp, register char **errstrp)
+const char *
+extractaddr(const char *str, struct addr *ap)
{
- register char ch, *garbage;
- static char errstr[132];
- /* Eat leading whitespace */
- while (isspace(*cp))
- ++cp;
+ memset(ap, 0, sizeof(*ap));
- /* Find opening paren */
- if (nsoaval < 0) {
- cp = strchr(cp, '(');
- if (cp == NULL)
- return (0);
- ++cp;
- while (isspace(*cp))
- ++cp;
- nsoaval = 0;
- }
+ /* Let's see what we've got here */
+ if (strchr(str, '.') != NULL) {
+ ap->family = AF_INET;
+ } else if (strchr(str, ':') != NULL) {
+ ap->family = AF_INET6;
+ } else
+ return ("unrecognized address type");
- /* Grab any numbers we find */
- garbage = "leading garbage";
- while (isdigit(*cp) && nsoaval < NSOAVAL) {
- soaval[nsoaval] = atoi(cp);
- do {
- ++cp;
- } while (isdigit(*cp));
- if (nsoaval == SOA_SERIAL && *cp == '.' && isdigit(cp[1])) {
- do {
- ++cp;
- } while (isdigit(*cp));
- } else {
- ch = *cp;
- if (isupper(ch))
- ch = tolower(ch);
- switch (ch) {
+ switch (ap->family) {
- case 'w':
- soaval[nsoaval] *= 7;
- /* fall through */
+ case AF_INET:
+ if (!inet_pton(ap->family, str, &ap->a_addr4))
+ return ("cannot parse IPv4 address");
- case 'd':
- soaval[nsoaval] *= 24;
- /* fall through */
+ break;
- case 'h':
- soaval[nsoaval] *= 60;
- /* fall through */
+ case AF_INET6:
+ if (!inet_pton(ap->family, str, &ap->a_addr6))
+ return ("cannot parse IPv6 address");
+ break;
- case 'm':
- soaval[nsoaval] *= 60;
- /* fall through */
+ default:
+ abort();
+ }
- case 's':
- ++cp;
- break;
+ return (NULL);
+}
- default:
- ; /* none */
- }
- }
- while (isspace(*cp))
- ++cp;
- garbage = "trailing garbage";
- ++nsoaval;
+const char *
+extractnetwork(const char *str, struct network *np)
+{
+ int i;
+ long w;
+ char *cp, *ep;
+ const char *p;
+ char temp[64];
+
+ memset(np, 0, sizeof(*np));
+
+ /* Let's see what we've got here */
+ if (strchr(str, '.') != NULL) {
+ np->family = AF_INET;
+ w = 32;
+ } else if (strchr(str, ':') != NULL) {
+ np->family = AF_INET6;
+ w = 128;
+ } else
+ return ("unrecognized address type");
+
+ p = strchr(str, '/');
+ if (p != NULL) {
+ /* Mask length was specified */
+ strncpy(temp, str, sizeof(temp));
+ temp[sizeof(temp) - 1] = '\0';
+ cp = strchr(temp, '/');
+ if (cp == NULL)
+ abort();
+ *cp++ = '\0';
+ ep = NULL;
+ w = strtol(cp, &ep, 10);
+ if (*ep != '\0')
+ return ("garbage following mask width");
+ str = temp;
}
- /* If we're done, do some sanity checks */
- if (nsoaval >= NSOAVAL && *cp == ')') {
- ++cp;
- if (*cp != '\0')
- *errstrp = garbage;
- else if (soaval[SOA_EXPIRE] <
- soaval[SOA_REFRESH] + 10 * soaval[SOA_RETRY]) {
- (void)sprintf(errstr,
- "expire less than refresh + 10 * retry (%u < %u + 10 * %u)",
- soaval[SOA_EXPIRE],
- soaval[SOA_REFRESH],
- soaval[SOA_RETRY]);
- *errstrp = errstr;
- } else if (soaval[SOA_REFRESH] < 2 * soaval[SOA_RETRY]) {
- (void)sprintf(errstr,
- "refresh less than 2 * retry (%u < 2 * %u)",
- soaval[SOA_REFRESH],
- soaval[SOA_RETRY]);
- *errstrp = errstr;
+ switch (np->family) {
+
+ case AF_INET:
+ if (!inet_pton(np->family, str, &np->n_addr4))
+ return ("cannot parse IPv4 address");
+
+ if (w > 32)
+ return ("mask length must be <= 32");
+ setmaskwidth(w, np);
+
+ if ((np->n_addr4 & ~np->n_mask4) != 0)
+ return ("non-network bits set in addr");
+
+#ifdef notdef
+ if ((ntohl(np->n_addr4) & 0xff000000) == 0)
+ return ("high octet must be non-zero");
+#endif
+ break;
+
+ case AF_INET6:
+ if (!inet_pton(np->family, str, &np->n_addr6))
+ return ("cannot parse IPv6 address");
+ if (w > 128)
+ return ("mask length must be <= 128");
+ setmaskwidth(w, np);
+
+ for (i = 0; i < 16; ++i) {
+ if ((np->n_addr6[i] & ~np->n_mask6[i]) != 0)
+ return ("non-network bits set in addr");
}
- return (1);
- }
+ break;
- if (*cp != '\0') {
- *errstrp = garbage;
- return (1);
+ default:
+ abort();
}
- return (0);
+ return (NULL);
}
-void
-process(register const char *file, register const char *domain,
- register const char *zone)
+struct network *
+findnetwork(struct addr *ap)
{
- register FILE *f;
- register char ch, *cp, *cp2, *cp3, *rtype;
- register const char *ccp;
- register int n, sawsoa, flags, i;
- register u_int ttl;
- register u_int32_t addr;
- u_int32_t net, mask;
- int smtp;
- char buf[1024], name[128], lastname[128], odomain[128];
- char *errstr;
- char *dotfmt = "%s: %s/%s:%d \"%s\" target missing trailing dot: %s\n";
+ int i, j;
+ struct network *np;
+
+ switch (ap->family) {
+
+ case AF_INET:
+ for (i = 0, np = netlist; i < netlistcnt; ++i, ++np)
+ if ((ap->a_addr4 & np->n_mask4) == np->n_addr4)
+ return (np);
+ break;
+
+ case AF_INET6:
+ for (i = 0, np = netlist; i < netlistcnt; ++i, ++np) {
+ for (j = 0; j < sizeof(ap->a_addr6); ++j) {
+ if ((ap->a_addr6[j] & np->n_mask6[j]) !=
+ np->n_addr6[j])
+ break;
+ }
+ if (j >= sizeof(ap->a_addr6))
+ return (np);
+ }
+ break;
- f = fopen(file, "r");
- if (f == NULL) {
- fprintf(stderr, "%s: %s/%s: %s\n",
- prog, cwd, file, strerror(errno));
- ++errors;
- return;
+ default:
+ abort();
}
- if (debug > 1)
- printf("%s: process: opened %s/%s\n", prog, cwd, file);
+ return (NULL);
+}
- /* Are we doing an in-addr.arpa domain? */
- n = 0;
- net = 0;
- mask = 0;
- ccp = domain + strlen(domain) - sizeof(inaddr) + 1;
- if (ccp >= domain && strcasecmp(ccp, inaddr) == 0 &&
- !parseinaddr(domain, &net, &mask)) {
- ++errors;
- fprintf(stderr, "%s: %s/%s:%d bad in-addr.arpa domain\n",
- prog, cwd, file, n);
- fclose(f);
- return;
- }
+void
+initprotoserv(void)
+{
+ char *cp;
+ struct servent *sp;
+ char psbuf[512];
- lastname[0] = '\0';
- sawsoa = 0;
- while (fgets(buf, sizeof(buf), f) != NULL) {
- ++n;
- cp = buf;
- while (*cp != '\0') {
- /* Handle quoted strings (but don't report errors) */
- if (*cp == '"') {
- ++cp;
- while (*cp != '"' && *cp != '\n' && *cp != '\0')
- ++cp;
- continue;
- }
- if (*cp == '\n' || *cp == ';')
- break;
- ++cp;
- }
- *cp-- = '\0';
+ protoserv_len = 256;
+ protoserv = (char **)malloc(protoserv_len * sizeof(*protoserv));
+ if (protoserv == NULL) {
+ fprintf(stderr, "%s: nslint: malloc: %s\n",
+ prog, strerror(errno));
+ exit(1);
+ }
- /* Nuke trailing white space */
- while (cp >= buf && isspace(*cp))
- *cp-- = '\0';
+ while ((sp = getservent()) != NULL) {
+ (void)sprintf(psbuf, "%s/%s", sp->s_name, sp->s_proto);
- cp = buf;
- if (*cp == '\0')
- continue;
+ /* Convert to lowercase */
+ for (cp = psbuf; *cp != '\0'; ++cp)
+ if (isupper(*cp))
+ *cp = tolower(*cp);
- /* Handle multi-line soa records */
- if (sawsoa) {
- errstr = NULL;
- if (parsesoa(cp, &errstr))
- sawsoa = 0;
- if (errstr != NULL) {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d bad \"soa\" record (%s)\n",
- prog, cwd, file, n, errstr);
+ if (protoserv_last + 1 >= protoserv_len) {
+ protoserv_len <<= 1;
+ protoserv = realloc(protoserv,
+ protoserv_len * sizeof(*protoserv));
+ if (protoserv == NULL) {
+ fprintf(stderr, "%s: nslint: realloc: %s\n",
+ prog, strerror(errno));
+ exit(1);
}
- continue;
}
- if (debug > 3)
- printf(">%s<\n", cp);
+ protoserv[protoserv_last] = savestr(psbuf);
+ ++protoserv_last;
+ }
+ protoserv[protoserv_last] = NULL;
+}
- /* Look for name */
- if (isspace(*cp)) {
- /* Same name as last record */
- if (lastname[0] == '\0') {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d no default name\n",
- prog, cwd, file, n);
- continue;
+int
+maskwidth(struct network *np)
+{
+ int w;
+ int i, j;
+ u_int32_t m, tm;
+
+ /* Work backwards until we find a set bit */
+ switch (np->family) {
+
+ case AF_INET:
+ m = ntohl(np->n_mask4);
+ for (w = 32; w > 0; --w) {
+ tm = 0xffffffff << (32 - w);
+ if (tm == m)
+ break;
+ }
+ break;
+
+ case AF_INET6:
+ w = 128;
+ for (j = 15; j >= 0; --j) {
+ m = np->n_mask6[j];
+ for (i = 8; i > 0; --w, --i) {
+ tm = (0xff << (8 - i)) & 0xff;
+ if (tm == m)
+ return (w);
}
- (void)strcpy(name, lastname);
- } else {
- /* Extract name, converting to lowercase */
- for (cp2 = name; !isspace(*cp) && *cp != '\0'; ++cp)
- if (isupper(*cp))
- *cp2++ = tolower(*cp);
- else
- *cp2++ = *cp;
- *cp2 = '\0';
-
- /* Check for domain shorthand */
- if (name[0] == '@' && name[1] == '\0')
- (void)strcpy(name, domain);
}
+ break;
- /* Find next token */
- while (isspace(*cp))
- ++cp;
+ default:
+ abort();
+ }
+ return (w);
+}
- /* Handle includes (gag) */
- if (name[0] == '$' && strcasecmp(name, "$include") == 0) {
- /* Extract filename */
- cp2 = name;
- while (!isspace(*cp) && *cp != '\0')
- *cp2++ = *cp++;
- *cp2 = '\0';
+const char *
+network2str(struct network *np)
+{
+ int w;
+ size_t len, size;
+ char *cp;
+ static char buf[128];
+
+ w = maskwidth(np);
+ switch (np->family) {
+
+ case AF_INET:
+ if (inet_ntop(np->family, &np->n_addr4,
+ buf, sizeof(buf)) == NULL) {
+ fprintf(stderr, "network2str: v4 botch");
+ abort();
+ }
+ if (w == 32)
+ return (buf);
+ break;
+
+ case AF_INET6:
+ if (inet_ntop(np->family, &np->n_addr6,
+ buf, sizeof(buf)) == NULL) {
+ fprintf(stderr, "network2str: v6 botch");
+ abort();
+ }
+ if (w == 128)
+ return (buf);
+ break;
- /* Look for optional domain */
- while (isspace(*cp))
- ++cp;
- if (*cp == '\0')
- process(name, domain, zone);
- else {
- cp2 = cp;
- /* Convert optional domain to lowercase */
- for (; !isspace(*cp) && *cp != '\0'; ++cp)
- if (isupper(*cp))
- *cp = tolower(*cp);
- *cp = '\0';
- process(name, cp2, cp2);
- }
+ default:
+ return ("<nil>");
+ }
+
+ /* Append address mask width */
+ cp = buf;
+ len = strlen(cp);
+ cp += len;
+ size = sizeof(buf) - len;
+ (void)snprintf(cp, size, "/%d", w);
+ return (buf);
+}
+
+void
+nslint(void)
+{
+ int n, records, flags;
+ struct item *ip, *lastaip, **ipp, **itemlist;
+ struct addr addr, lastaddr;
+ struct network *np;
+
+ itemlist = (struct item **)calloc(itemcnt, sizeof(*ipp));
+ if (itemlist == NULL) {
+ fprintf(stderr, "%s: nslint: calloc: %s\n",
+ prog, strerror(errno));
+ exit(1);
+ }
+ ipp = itemlist;
+ for (n = 0, ip = items; n < ITEMSIZE; ++n, ++ip) {
+ if (ip->host == NULL)
continue;
+ /* Save entries with addresses for later check */
+ if (ip->addr.family != 0)
+ *ipp++ = ip;
+
+ if (debug > 1) {
+ if (debug > 2)
+ printf("%d\t", n);
+ printf("%s\t%s\t0x%x\t0x%x\n",
+ ip->host, addr2str(&ip->addr),
+ ip->records, ip->flags);
}
- /* Handle $origin */
- if (name[0] == '$' && strcasecmp(name, "$origin") == 0) {
- /* Extract domain, converting to lowercase */
- for (cp2 = odomain; !isspace(*cp) && *cp != '\0'; ++cp)
- if (isupper(*cp))
- *cp2++ = tolower(*cp);
- else
- *cp2++ = *cp;
- *cp2 = '\0';
- domain = odomain;
- lastname[0] = '\0';
+ /* Check for illegal hostnames (rfc1034) */
+ if (rfc1034host(ip->host, ip->records))
+ ++errors;
+
+ /* Check for missing ptr records (ok if also an ns record) */
+ records = ip->records & MASK_CHECK_REC;
+ if ((ip->records & MASK_TEST_REC) != 0)
+ records |= REC_OTHER;
+ switch (records) {
+
+ case REC_A | REC_OTHER | REC_PTR | REC_REF:
+ case REC_A | REC_OTHER | REC_PTR:
+ case REC_A | REC_PTR | REC_REF:
+ case REC_A | REC_PTR:
+ case REC_AAAA | REC_OTHER | REC_PTR | REC_REF:
+ case REC_AAAA | REC_OTHER | REC_PTR:
+ case REC_AAAA | REC_PTR | REC_REF:
+ case REC_AAAA | REC_PTR:
+ case REC_CNAME:
+ /* These are O.K. */
+ break;
+
+ case REC_CNAME | REC_REF:
+ ++errors;
+ fprintf(stderr, "%s: \"cname\" referenced by other"
+ " \"cname\" or \"mx\": %s\n", prog, ip->host);
+ break;
- /* Are we doing an in-addr.arpa domain? */
- net = 0;
- mask = 0;
- ccp = domain + strlen(domain) - (sizeof(inaddr) - 1);
- if (ccp >= domain && strcasecmp(ccp, inaddr) == 0 &&
- !parseinaddr(domain, &net, &mask)) {
+ case REC_OTHER | REC_REF:
+ case REC_OTHER:
+ /*
+ * This is only an error if there is an address
+ * associated with the hostname; this means
+ * there was a wks entry with bogus address.
+ * Otherwise, we have an mx or hinfo.
+ *
+ * XXX ignore localhost for now
+ * (use flag to indicate loopback?)
+ */
+ if (ip->addr.family == AF_INET &&
+ ip->addr.a_addr4 != htonl(INADDR_LOOPBACK)) {
++errors;
fprintf(stderr,
- "%s: %s/%s:%d bad in-addr.arpa domain\n",
- prog, cwd, file, n);
- return;
+ "%s: \"wks\" without \"a\" and \"ptr\": %s -> %s\n",
+ prog, ip->host, addr2str(&ip->addr));
}
- continue;
- }
+ break;
- /* Handle ttl */
- if (name[0] == '$' && strcasecmp(name, "$ttl") == 0) {
- cp2 = cp;
- while (isdigit(*cp))
- ++cp;
- ch = *cp;
- if (isupper(ch))
- ch = tolower(ch);
- if (strchr("wdhms", ch) != NULL)
- ++cp;
- while (isspace(*cp))
- ++cp;
- if (*cp != '\0') {
+ case REC_REF:
+ if (!checkignoredzone(ip->host)) {
++errors;
- fprintf(stderr,
- "%s: %s/%s:%d bad $ttl \"%s\"\n",
- prog, cwd, file, n, cp2);
+ fprintf(stderr, "%s: Name referenced without"
+ " other records: %s\n", prog, ip->host);
}
- (void)strcpy(name, lastname);
- continue;
- }
+ break;
- /* Parse ttl or use default */
- if (isdigit(*cp)) {
- ttl = atoi(cp);
- do {
- ++cp;
- } while (isdigit(*cp));
+ case REC_A | REC_OTHER | REC_REF:
+ case REC_A | REC_OTHER:
+ case REC_A | REC_REF:
+ case REC_A:
+ case REC_AAAA | REC_OTHER | REC_REF:
+ case REC_AAAA | REC_OTHER:
+ case REC_AAAA | REC_REF:
+ case REC_AAAA:
+ ++errors;
+ fprintf(stderr, "%s: Missing \"ptr\": %s -> %s\n",
+ prog, ip->host, addr2str(&ip->addr));
+ break;
- ch = *cp;
- if (isupper(ch))
- ch = tolower(ch);
- switch (ch) {
+ case REC_OTHER | REC_PTR | REC_REF:
+ case REC_OTHER | REC_PTR:
+ case REC_PTR | REC_REF:
+ case REC_PTR:
+ ++errors;
+ fprintf(stderr, "%s: Missing \"a\": %s -> %s\n",
+ prog, ip->host, addr2str(&ip->addr));
+ break;
- case 'w':
- ttl *= 7;
- /* fall through */
+ case REC_A | REC_CNAME | REC_OTHER | REC_PTR | REC_REF:
+ case REC_A | REC_CNAME | REC_OTHER | REC_PTR:
+ case REC_A | REC_CNAME | REC_OTHER | REC_REF:
+ case REC_A | REC_CNAME | REC_OTHER:
+ case REC_A | REC_CNAME | REC_PTR | REC_REF:
+ case REC_A | REC_CNAME | REC_PTR:
+ case REC_A | REC_CNAME | REC_REF:
+ case REC_A | REC_CNAME:
+ case REC_AAAA | REC_CNAME | REC_OTHER | REC_PTR | REC_REF:
+ case REC_AAAA | REC_CNAME | REC_OTHER | REC_PTR:
+ case REC_AAAA | REC_CNAME | REC_OTHER | REC_REF:
+ case REC_AAAA | REC_CNAME | REC_OTHER:
+ case REC_AAAA | REC_CNAME | REC_PTR | REC_REF:
+ case REC_AAAA | REC_CNAME | REC_PTR:
+ case REC_AAAA | REC_CNAME | REC_REF:
+ case REC_AAAA | REC_CNAME:
+ case REC_CNAME | REC_OTHER | REC_PTR | REC_REF:
+ case REC_CNAME | REC_OTHER | REC_PTR:
+ case REC_CNAME | REC_OTHER | REC_REF:
+ case REC_CNAME | REC_OTHER:
+ case REC_CNAME | REC_PTR | REC_REF:
+ case REC_CNAME | REC_PTR:
+ ++errors;
+ fprintf(stderr, "%s: \"cname\" %s has other records\n",
+ prog, ip->host);
+ break;
- case 'd':
- ttl *= 24;
- /* fall through */
+ case 0:
+ /* Second level test */
+ if ((ip->records & ~(REC_NS | REC_TXT)) == 0)
+ break;
+ /* Fall through... */
- case 'h':
- ttl *= 60;
- /* fall through */
+ default:
+ ++errors;
+ fprintf(stderr,
+ "%s: records == 0x%x: can't happen (%s 0x%x)\n",
+ prog, records, ip->host, ip->records);
+ break;
+ }
- case 'm':
- ttl *= 60;
- /* fall through */
+ /* Check for smtp problems */
+ flags = ip->flags & MASK_TEST_SMTP;
- case 's':
- ++cp;
- break;
+ if ((flags & FLG_SELFMX) != 0 &&
+ (ip->records & (REC_A | REC_AAAA)) == 0) {
+ ++errors;
+ fprintf(stderr,
+ "%s: Self \"mx\" for %s missing"
+ " \"a\" or \"aaaa\" record\n",
+ prog, ip->host);
+ }
- default:
- ; /* none */
- }
+ switch (flags) {
+ case 0:
+ case FLG_SELFMX | FLG_SMTPWKS:
+ /* These are O.K. */
+ break;
- if (!isspace(*cp)) {
+ case FLG_SELFMX:
+ if ((ip->records & REC_WKS) != 0) {
++errors;
- fprintf(stderr, "%s: %s/%s:%d bad ttl\n",
- prog, cwd, file, n);
- continue;
+ fprintf(stderr,
+ "%s: smtp/tcp missing from \"wks\": %s\n",
+ prog, ip->host);
}
+ break;
- /* Find next token */
- ++cp;
- while (isspace(*cp))
- ++cp;
- } else
- ttl = soaval[SOA_MINIMUM];
-
- /* Eat optional "in" */
- if ((cp[0] == 'i' || cp[0] == 'I') &&
- (cp[1] == 'n' || cp[1] == 'N') && isspace(cp[2])) {
- /* Find next token */
- cp += 3;
- while (isspace(*cp))
- ++cp;
- } else if ((cp[0] == 'c' || cp[0] == 'C') &&
- isspace(cp[5]) && strncasecmp(cp, "chaos", 5) == 0) {
- /* Find next token */
- cp += 5;
- while (isspace(*cp))
- ++cp;
- }
-
- /* Find end of record type, converting to lowercase */
- rtype = cp;
- for (rtype = cp; !isspace(*cp) && *cp != '\0'; ++cp)
- if (isupper(*cp))
- *cp = tolower(*cp);
- *cp++ = '\0';
-
- /* Find "the rest" */
- while (isspace(*cp))
- ++cp;
+ case FLG_SMTPWKS:
+ ++errors;
+ fprintf(stderr,
+ "%s: Saw smtp/tcp without self \"mx\": %s\n",
+ prog, ip->host);
+ break;
- /* Check for non-ptr names with dots but no trailing dot */
- if (!isdigit(*name) &&
- checkdots(name) && strcmp(domain, ".") != 0) {
+ default:
++errors;
fprintf(stderr,
- "%s: %s/%s:%d \"%s\" name missing trailing dot: %s\n",
- prog, cwd, file, n, rtype, name);
+ "%s: flags == 0x%x: can't happen (%s)\n",
+ prog, flags, ip->host);
}
- /* Check for FQDNs outside the zone */
- cp2 = name + strlen(name) - 1;
- if (cp2 >= name && *cp2 == '.' && strchr(name, '.') != NULL) {
- cp2 = name + strlen(name) - strlen(zone);
- if (cp2 >= name && strcasecmp(cp2, zone) != 0) {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d \"%s\" outside zone %s\n",
- prog, cwd, file, n, name, zone);
- }
+ /* Check for chained MX records */
+ if ((ip->flags & (FLG_SELFMX | FLG_MXREF)) == FLG_MXREF &&
+ (ip->records & REC_MX) != 0) {
+ ++errors;
+ fprintf(stderr, "%s: \"mx\" referenced by other"
+ " \"mx\" record: %s\n", prog, ip->host);
}
+ }
-#define CHECK4(p, a, b, c, d) \
- (p[0] == (a) && p[1] == (b) && p[2] == (c) && p[3] == (d) && p[4] == '\0')
-#define CHECK3(p, a, b, c) \
- (p[0] == (a) && p[1] == (b) && p[2] == (c) && p[3] == '\0')
-#define CHECK2(p, a, b) \
- (p[0] == (a) && p[1] == (b) && p[2] == '\0')
-#define CHECKDOT(p) \
- (p[0] == '.' && p[1] == '\0')
+ /* Check for doubly booked addresses */
+ n = ipp - itemlist;
+ qsort(itemlist, n, sizeof(itemlist[0]), cmpaddr);
+ memset(&lastaddr, 0, sizeof(lastaddr));
+ ip = NULL;
+ for (ipp = itemlist; n > 0; ++ipp, --n) {
+ addr = (*ipp)->addr;
+ if (cmpaddr(&lastaddr, &addr) == 0 &&
+ ((*ipp)->flags & FLG_ALLOWDUPA) == 0 &&
+ (ip->flags & FLG_ALLOWDUPA) == 0) {
+ ++errors;
+ fprintf(stderr, "%s: %s in use by %s and %s\n",
+ prog, addr2str(&addr), (*ipp)->host, ip->host);
+ }
+ memmove(&lastaddr, &addr, sizeof(addr));
+ ip = *ipp;
+ }
- if (rtype[0] == 'a' && rtype[1] == '\0') {
- /* Handle "a" record */
- add_domain(name, domain);
- addr = htonl(inet_addr(cp));
- if ((int)addr == -1) {
- ++errors;
- cp2 = cp + strlen(cp) - 1;
- if (cp2 >= cp && *cp2 == '\n')
- *cp2 = '\0';
- fprintf(stderr,
- "%s: %s/%s:%d bad \"a\" record ip addr \"%s\"\n",
- prog, cwd, file, n, cp);
- continue;
- }
- errors += updateitem(name, addr, REC_A, ttl, 0);
- } else if (CHECK4(rtype, 'a', 'a', 'a', 'a')) {
- /* Just eat for now */
- continue;
- } else if (CHECK3(rtype, 'p', 't', 'r')) {
- /* Handle "ptr" record */
- add_domain(name, domain);
- if (strcmp(cp, "@") == 0)
- (void)strcpy(cp, zone);
- if (checkdots(cp)) {
- ++errors;
- fprintf(stderr, dotfmt,
- prog, cwd, file, n, rtype, cp);
- }
- add_domain(cp, domain);
- errstr = NULL;
- addr = parseptr(name, net, mask, &errstr);
- if (errstr != NULL) {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d bad \"ptr\" record (%s) ip addr \"%s\"\n",
- prog, cwd, file, n, errstr, name);
- continue;
- }
- errors += updateitem(cp, addr, REC_PTR, 0, 0);
- } else if (CHECK3(rtype, 's', 'o', 'a')) {
- /* Handle "soa" record */
- if (!CHECKDOT(name)) {
- add_domain(name, domain);
- errors += updateitem(name, 0, REC_SOA, 0, 0);
- }
- errstr = NULL;
- if (!parsesoa(cp, &errstr))
- ++sawsoa;
- if (errstr != NULL) {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d bad \"soa\" record (%s)\n",
- prog, cwd, file, n, errstr);
- continue;
- }
- } else if (CHECK3(rtype, 'w', 'k', 's')) {
- /* Handle "wks" record */
- addr = htonl(inet_addr(cp));
- if ((int)addr == -1) {
- ++errors;
- cp2 = cp;
- while (!isspace(*cp2) && *cp2 != '\0')
- ++cp2;
- *cp2 = '\0';
- fprintf(stderr,
- "%s: %s/%s:%d bad \"wks\" record ip addr \"%s\"\n",
- prog, cwd, file, n, cp);
- continue;
- }
- /* Step over ip address */
- while (*cp == '.' || isdigit(*cp))
- ++cp;
- while (isspace(*cp))
- *cp++ = '\0';
- /* Make sure services are legit */
- errstr = NULL;
- n += checkwks(f, cp, &smtp, &errstr);
- if (errstr != NULL) {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d bad \"wks\" record (%s)\n",
- prog, cwd, file, n, errstr);
- continue;
- }
- add_domain(name, domain);
- errors += updateitem(name, addr, REC_WKS,
- 0, smtp ? FLG_SMTPWKS : 0);
- /* XXX check to see if ip address records exists? */
- } else if (rtype[0] == 'h' && strcmp(rtype, "hinfo") == 0) {
- /* Handle "hinfo" record */
- add_domain(name, domain);
- errors += updateitem(name, 0, REC_HINFO, 0, 0);
- cp2 = cp;
- cp = parsequoted(cp);
- if (cp == NULL) {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d \"hinfo\" missing quote: %s\n",
- prog, cwd, file, n, cp2);
- continue;
- }
- if (!isspace(*cp)) {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d \"hinfo\" missing white space: %s\n",
- prog, cwd, file, n, cp2);
+ /* Check for hosts with multiple addresses on the same subnet */
+ n = ipp - itemlist;
+ qsort(itemlist, n, sizeof(itemlist[0]), cmpitemhost);
+ if (netlistcnt > 0) {
+ n = ipp - itemlist;
+ lastaip = NULL;
+ for (ipp = itemlist; n > 0; ++ipp, --n) {
+ ip = *ipp;
+ if ((ip->records & (REC_A | REC_AAAA)) == 0 ||
+ (ip->flags & FLG_ALLOWDUPA) != 0)
continue;
+ if (lastaip != NULL &&
+ strcasecmp(ip->host, lastaip->host) == 0) {
+ np = findnetwork(&ip->addr);
+ if (np == NULL) {
+ ++errors;
+ fprintf(stderr,
+ "%s: Can't find subnet mask"
+ " for %s (%s)\n",
+ prog, ip->host,
+ addr2str(&ip->addr));
+ } else if (samesubnet(&lastaip->addr,
+ &ip->addr, np)) {
+ ++errors;
+ fprintf(stderr,
+ "%s: Multiple \"a\" records for %s on subnet %s",
+ prog, ip->host,
+ network2str(np));
+ fprintf(stderr, "\n\t(%s",
+ addr2str(&lastaip->addr));
+ fprintf(stderr, " and %s)\n",
+ addr2str(&ip->addr));
+ }
}
+ lastaip = ip;
+ }
+ }
+
+ if (debug)
+ printf("%s: %d/%d items used, %d error%s\n", prog, itemcnt,
+ ITEMSIZE, errors, errors == 1 ? "" : "s");
+}
+
+const char *
+parsenetwork(const char *cp)
+{
+ const char *p;
+ struct network net;
+
+ while (isspace(*cp))
+ ++cp;
+
+ p = extractnetwork(cp, &net);
+ if (p != NULL)
+ return (p);
+
+ while (isspace(*cp))
+ ++cp;
+
+ /* Make sure there's room */
+ if (netlistsize <= netlistcnt) {
+ if (netlistsize == 0) {
+ netlistsize = 32;
+ netlist = (struct network *)
+ malloc(netlistsize * sizeof(*netlist));
+ } else {
+ netlistsize <<= 1;
+ netlist = (struct network *)
+ realloc(netlist, netlistsize * sizeof(*netlist));
+ }
+ if (netlist == NULL) {
+ fprintf(stderr,
+ "%s: parsenetwork: malloc/realloc: %s\n",
+ prog, strerror(errno));
+ exit(1);
+ }
+ }
+
+ /* Add to list */
+ memmove(netlist + netlistcnt, &net, sizeof(net));
+ ++netlistcnt;
+
+ return (NULL);
+}
+
+const char *
+parseptr(const char *str, struct addr *ap)
+{
+ int i, n, base;
+ u_long v, v2;
+ char *cp;
+ const char *p;
+ u_char *up;
+
+ memset(ap, 0, sizeof(*ap));
+ base = -1;
+
+ /* IPv4 */
+ p = str + strlen(str) - sizeof(inaddr) + 1;
+ if (p >= str && strcasecmp(p, inaddr) == 0) {
+ ap->family = AF_INET;
+ n = 4;
+ base = 10;
+ } else {
+ /* IPv6 */
+ p = str + strlen(str) - sizeof(inaddr6) + 1;
+ if (p >= str && strcasecmp(p, inaddr6) == 0) {
+ ap->family = AF_INET6;
+ n = 16;
+ base = 16;
+ }
+ }
+
+ if (base < 0)
+ return ("Not a IPv4 or IPv6 \"ptr\" record");
+
+ up = (u_char *)&ap->addr;
+ for (i = 0; i < n; ++i) {
+ /* Back up to previous dot or beginning of string */
+ while (p > str && p[-1] != '.')
+ --p;
+ v = strtoul(p, &cp, base);
+
+ if (base == 10) {
+ if (v > 0xff)
+ return ("Octet larger than 8 bits");
+ } else {
+ if (v > 0xf)
+ return ("Octet larger than 4 bits");
+ if (*cp != '.')
+ return ("Junk in \"ptr\" record");
+
+ /* Back up over dot */
+ if (p > str)
+ --p;
+
+ /* Back up to previous dot or beginning of string */
+ while (p > str && p[-1] != '.')
+ --p;
+ v2 = strtoul(p, &cp, base);
+ if (v2 > 0xf)
+ return ("Octet larger than 4 bits");
+ if (*cp != '.')
+ return ("Junk in \"ptr\" record");
+ v = (v << 4) | v2;
+ }
+ if (*cp != '.')
+ return ("Junk in \"ptr\" record");
+
+ *up++ = v & 0xff;
+
+ /* Back up over dot */
+ if (p > str)
+ --p;
+ else if (p == str)
+ break;
+ }
+ if (i < n - 1)
+ return ("Too many octets in \"ptr\" record");
+ if (p != str)
+ return ("Not enough octets in \"ptr\" record");
+
+ return (NULL);
+}
+
+/* Returns a pointer after the next token or quoted string, else NULL */
+char *
+parsequoted(char *cp)
+{
+
+ if (*cp == '"') {
+ ++cp;
+ while (*cp != '"' && *cp != '\0')
++cp;
- while (isspace(*cp))
- ++cp;
- if (*cp == '\0') {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d \"hinfo\" missing keyword: %s\n",
- prog, cwd, file, n, cp2);
- continue;
- }
- cp = parsequoted(cp);
- if (cp == NULL) {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d \"hinfo\" missing quote: %s\n",
- prog, cwd, file, n, cp2);
- continue;
- }
- if (*cp != '\0') {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d \"hinfo\" garbage after keywords: %s\n",
- prog, cwd, file, n, cp2);
- continue;
- }
- } else if (CHECK2(rtype, 'm', 'x')) {
- /* Handle "mx" record */
- add_domain(name, domain);
- errors += updateitem(name, 0, REC_MX, ttl, 0);
+ if (*cp != '"')
+ return (NULL);
+ ++cp;
+ } else {
+ while (!isspace(*cp) && *cp != '\0')
+ ++cp;
+ }
+ return (cp);
+}
- /* Look for priority */
- if (!isdigit(*cp)) {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d bad \"mx\" priority: %s\n",
- prog, cwd, file, n, cp);
- }
+/* Return true when done */
+int
+parserrsig(const char *str, char **errstrp)
+{
+ const char *cp;
- /* Skip over priority */
+ /* XXX just look for closing paren */
+ cp = str + strlen(str) - 1;
+ while (cp >= str)
+ if (*cp-- == ')')
+ return (1);
+ return (0);
+}
+
+/* Return true when done */
+int
+parsesoa(const char *cp, char **errstrp)
+{
+ char ch, *garbage;
+ static char errstr[132];
+
+ /* Eat leading whitespace */
+ while (isspace(*cp))
+ ++cp;
+
+ /* Find opening paren */
+ if (nsoaval < 0) {
+ cp = strchr(cp, '(');
+ if (cp == NULL)
+ return (0);
+ ++cp;
+ while (isspace(*cp))
++cp;
- while (isdigit(*cp))
- ++cp;
- while (isspace(*cp))
+ nsoaval = 0;
+ }
+
+ /* Grab any numbers we find */
+ garbage = "leading garbage";
+ while (isdigit(*cp) && nsoaval < NSOAVAL) {
+ soaval[nsoaval] = atoi(cp);
+ do {
+ ++cp;
+ } while (isdigit(*cp));
+ if (nsoaval == SOA_SERIAL && *cp == '.' && isdigit(cp[1])) {
+ do {
++cp;
- if (*cp == '\0') {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d missing \"mx\" hostname\n",
- prog, cwd, file, n);
- }
- if (strcmp(cp, "@") == 0)
- (void)strcpy(cp, zone);
- if (checkdots(cp)) {
- ++errors;
- fprintf(stderr, dotfmt,
- prog, cwd, file, n, rtype, cp);
- }
+ } while (isdigit(*cp));
+ } else {
+ ch = *cp;
+ if (isupper(ch))
+ ch = tolower(ch);
+ switch (ch) {
- /* Check to see if mx host exists */
- add_domain(cp, domain);
- flags = FLG_MXREF;
- if (*name == *cp && strcmp(name, cp) == 0)
- flags |= FLG_SELFMX;
- errors += updateitem(cp, 0, REC_REF, 0, flags);
- } else if (rtype[0] == 'c' && strcmp(rtype, "cname") == 0) {
- /* Handle "cname" record */
- add_domain(name, domain);
- errors += updateitem(name, 0, REC_CNAME, 0, 0);
- if (checkdots(cp)) {
- ++errors;
- fprintf(stderr, dotfmt,
- prog, cwd, file, n, rtype, cp);
- }
+ case 'w':
+ soaval[nsoaval] *= 7;
+ /* fall through */
- /* Make sure cname points somewhere */
- if (strcmp(cp, "@") == 0)
- (void)strcpy(cp, zone);
- add_domain(cp, domain);
- errors += updateitem(cp, 0, REC_REF, 0, 0);
- } else if (CHECK3(rtype, 's', 'r', 'v')) {
- /* Handle "srv" record */
- add_domain(name, domain);
- errors += updateitem(name, 0, REC_SRV, 0, 0);
- cp2 = cp;
+ case 'd':
+ soaval[nsoaval] *= 24;
+ /* fall through */
- /* Skip over three values */
- for (i = 0; i < 3; ++i) {
- if (!isdigit(*cp)) {
- ++errors;
- fprintf(stderr, "%s: %s/%s:%d"
- " bad \"srv\" value: %s\n",
- prog, cwd, file, n, cp);
- }
+ case 'h':
+ soaval[nsoaval] *= 60;
+ /* fall through */
- /* Skip over value */
+ case 'm':
+ soaval[nsoaval] *= 60;
+ /* fall through */
+
+ case 's':
++cp;
- while (isdigit(*cp))
- ++cp;
- while (isspace(*cp))
- ++cp;
- }
+ break;
- /* Check to see if mx host exists */
- add_domain(cp, domain);
- errors += updateitem(cp, 0, REC_REF, 0, 0);
- } else if (CHECK3(rtype, 't', 'x', 't')) {
- /* Handle "txt" record */
- add_domain(name, domain);
- errors += updateitem(name, 0, REC_TXT, 0, 0);
- cp2 = cp;
- cp = parsequoted(cp);
- if (cp == NULL) {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d \"txt\" missing quote: %s\n",
- prog, cwd, file, n, cp2);
- continue;
+ default:
+ ; /* none */
}
- while (isspace(*cp))
+ }
+ while (isspace(*cp))
+ ++cp;
+ garbage = "trailing garbage";
+ ++nsoaval;
+ }
+
+ /* If we're done, do some sanity checks */
+ if (nsoaval >= NSOAVAL && *cp == ')') {
+ ++cp;
+ if (*cp != '\0')
+ *errstrp = garbage;
+ else if (soaval[SOA_EXPIRE] <
+ soaval[SOA_REFRESH] + 10 * soaval[SOA_RETRY]) {
+ (void)sprintf(errstr,
+ "expire less than refresh + 10 * retry (%u < %u + 10 * %u)",
+ soaval[SOA_EXPIRE],
+ soaval[SOA_REFRESH],
+ soaval[SOA_RETRY]);
+ *errstrp = errstr;
+ } else if (soaval[SOA_REFRESH] < 2 * soaval[SOA_RETRY]) {
+ (void)sprintf(errstr,
+ "refresh less than 2 * retry (%u < 2 * %u)",
+ soaval[SOA_REFRESH],
+ soaval[SOA_RETRY]);
+ *errstrp = errstr;
+ }
+ return (1);
+ }
+
+ if (*cp != '\0') {
+ *errstrp = garbage;
+ return (1);
+ }
+
+ return (0);
+}
+
+void
+process(const char *file, const char *domain, const char *zone)
+{
+ FILE *f;
+ char ch, *cp, *cp2, *cp3, *rtype;
+ const char *p;
+ int n, sawsoa, sawrrsig, flags, i;
+ u_int ttl;
+ enum rrtype rrtype;
+ struct addr *ap;
+ struct addr addr;
+ // struct network *net;
+ int smtp;
+ char buf[2048], name[256], lastname[256], odomain[256];
+ char *errstr;
+ const char *addrfmt =
+ "%s: %s/%s:%d \"%s\" target is an ip address: %s\n";
+ const char *dotfmt =
+ "%s: %s/%s:%d \"%s\" target missing trailing dot: %s\n";
+
+ /* Check for an "ignored zone" (usually dynamic dns) */
+ if (checkignoredzone(zone))
+ return;
+
+ f = fopen(file, "r");
+ if (f == NULL) {
+ fprintf(stderr, "%s: %s/%s: %s\n",
+ prog, cwd, file, strerror(errno));
+ ++errors;
+ return;
+ }
+ if (debug > 1)
+ printf("%s: process: opened %s/%s\n", prog, cwd, file);
+
+ /* Line number */
+ n = 0;
+
+ ap = &addr;
+
+ lastname[0] = '\0';
+ sawsoa = 0;
+ sawrrsig = 0;
+ while (fgets(buf, sizeof(buf), f) != NULL) {
+ ++n;
+ cp = buf;
+ while (*cp != '\0') {
+ /* Handle quoted strings (but don't report errors) */
+ if (*cp == '"') {
++cp;
- if (*cp != '\0') {
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d \"txt\" garbage after text: %s\n",
- prog, cwd, file, n, cp2);
+ while (*cp != '"' && *cp != '\n' && *cp != '\0')
+ ++cp;
continue;
}
- } else if (CHECK2(rtype, 'n', 's')) {
- /* Handle "ns" record */
- errors += updateitem(zone, 0, REC_NS, 0, 0);
- if (strcmp(cp, "@") == 0)
- (void)strcpy(cp, zone);
- if (checkdots(cp)) {
- ++errors;
- fprintf(stderr, dotfmt,
- prog, cwd, file, n, rtype, cp);
- }
- add_domain(cp, domain);
- errors += updateitem(cp, 0, REC_REF, 0, 0);
- } else if (CHECK2(rtype, 'r', 'p')) {
- /* Handle "rp" record */
- add_domain(name, domain);
- errors += updateitem(name, 0, REC_RP, 0, 0);
- cp2 = cp;
+ if (*cp == '\n' || *cp == ';')
+ break;
+ ++cp;
+ }
+ *cp-- = '\0';
- /* Step over mailbox name */
- /* XXX could add_domain() and check further */
- while (!isspace(*cp) && *cp != '\0')
- ++cp;
- if (*cp == '\0') {
+ /* Nuke trailing white space */
+ while (cp >= buf && isspace(*cp))
+ *cp-- = '\0';
+
+ cp = buf;
+ if (*cp == '\0')
+ continue;
+
+ /* Handle multi-line soa records */
+ if (sawsoa) {
+ errstr = NULL;
+ if (parsesoa(cp, &errstr))
+ sawsoa = 0;
+ if (errstr != NULL) {
++errors;
fprintf(stderr,
- "%s: %s/%s:%d \"rp\" missing text name: %s\n",
- prog, cwd, file, n, cp2);
- continue;
+ "%s: %s/%s:%d Bad \"soa\" record (%s)\n",
+ prog, cwd, file, n, errstr);
}
- ++cp;
- cp3 = cp;
-
- /* Step over text name */
- while (!isspace(*cp) && *cp != '\0')
- ++cp;
+ continue;
+ }
- if (*cp != '\0') {
+ /* Handle multi-line rrsig records */
+ if (sawrrsig) {
+ errstr = NULL;
+ if (parserrsig(cp, &errstr))
+ sawsoa = 0;
+ if (errstr != NULL) {
++errors;
fprintf(stderr,
- "%s: %s/%s:%d \"rp\" garbage after text name: %s\n",
- prog, cwd, file, n, cp2);
- continue;
+ "%s: %s/%s:%d Bad \"rrsig\" record (%s)\n",
+ prog, cwd, file, n, errstr);
}
+ continue;
+ }
- /* Make sure text name points somewhere (if not ".") */
- if (!CHECKDOT(cp3)) {
- add_domain(cp3, domain);
- errors += updateitem(cp3, 0, REC_REF, 0, 0);
- }
- } else if (rtype[0] == 'a' && strcmp(rtype, "allowdupa") == 0) {
- /* Handle "allow duplicate a" record */
- add_domain(name, domain);
- addr = htonl(inet_addr(cp));
- if ((int)addr == -1) {
+ if (debug > 3)
+ printf(">%s<\n", cp);
+
+ /* Look for name */
+ if (isspace(*cp)) {
+ /* Same name as last record */
+ if (lastname[0] == '\0') {
++errors;
- cp2 = cp + strlen(cp) - 1;
- if (cp2 >= cp && *cp2 == '\n')
- *cp2 = '\0';
fprintf(stderr,
- "%s: %s/%s:%d bad \"allowdupa\" record ip addr \"%s\"\n",
- prog, cwd, file, n, cp);
+ "%s: %s/%s:%d No default name\n",
+ prog, cwd, file, n);
continue;
}
- errors += updateitem(name, addr, 0, 0, FLG_ALLOWDUPA);
+ (void)strcpy(name, lastname);
} else {
- /* Unknown record type */
- ++errors;
- fprintf(stderr,
- "%s: %s/%s:%d unknown record type \"%s\"\n",
- prog, cwd, file, n, rtype);
- add_domain(name, domain);
- errors += updateitem(name, 0, REC_UNKNOWN, 0, 0);
+ /* Extract name, converting to lowercase */
+ for (cp2 = name; !isspace(*cp) && *cp != '\0'; ++cp)
+ if (isupper(*cp))
+ *cp2++ = tolower(*cp);
+ else
+ *cp2++ = *cp;
+ *cp2 = '\0';
+
+ /* Check for domain shorthand */
+ if (name[0] == '@' && name[1] == '\0')
+ (void)strcpy(name, domain);
}
- (void)strcpy(lastname, name);
- }
- (void)fclose(f);
- return;
-}
-/* Records we use to detect duplicates */
-static struct duprec {
- int record;
- char *name;
-} duprec[] = {
- { REC_A, "a" },
- { REC_HINFO, "hinfo" },
- { 0, NULL },
-};
+ /* Find next token */
+ while (isspace(*cp))
+ ++cp;
-void
-checkdups(register struct item *ip, register int records)
-{
- register struct duprec *dp;
+ /* Handle includes (gag) */
+ if (name[0] == '$' && strcasecmp(name, "$include") == 0) {
+ /* Extract filename */
+ cp2 = name;
+ while (!isspace(*cp) && *cp != '\0')
+ *cp2++ = *cp++;
+ *cp2 = '\0';
- records &= (ip->records & MASK_TEST_DUP);
- if (records == 0)
- return;
- for (dp = duprec; dp->name != NULL; ++dp)
- if ((records & dp->record) != 0) {
- ++errors;
- fprintf(stderr, "%s: multiple \"%s\" records for %s\n",
- prog, dp->name, ip->host);
- records &= ~dp->record;
+ /* Look for optional domain */
+ while (isspace(*cp))
+ ++cp;
+ if (*cp == '\0')
+ process(name, domain, zone);
+ else {
+ cp2 = cp;
+ /* Convert optional domain to lowercase */
+ for (; !isspace(*cp) && *cp != '\0'; ++cp)
+ if (isupper(*cp))
+ *cp = tolower(*cp);
+ *cp = '\0';
+ process(name, cp2, cp2);
+ }
+ continue;
}
- if (records != 0)
- fprintf(stderr, "%s: checkdups: records not zero (%d)\n",
- prog, records);
-}
-int
-updateitem(register const char *host, register u_int32_t addr,
- register int records, register u_int ttl, register int flags)
-{
- register const char *ccp;
- register int n, errs;
- register u_int i;
- register struct item *ip;
- int foundsome;
+ /* Handle $origin */
+ if (name[0] == '$' && strcasecmp(name, "$origin") == 0) {
+ /* Extract domain, converting to lowercase */
+ for (cp2 = odomain; !isspace(*cp) && *cp != '\0'; ++cp)
+ if (isupper(*cp))
+ *cp2++ = tolower(*cp);
+ else
+ *cp2++ = *cp;
+ *cp2 = '\0';
+ domain = odomain;
+ lastname[0] = '\0';
+ continue;
+ }
- n = 0;
- foundsome = 0;
- errs = 0;
- ITEMHASH(host, i, ccp);
- ip = &items[i & (ITEMSIZE - 1)];
- while (n < ITEMSIZE && ip->host) {
- if ((addr == 0 || addr == ip->addr || ip->addr == 0) &&
- *host == *ip->host && strcmp(host, ip->host) == 0) {
- ++foundsome;
- if (ip->addr == 0)
- ip->addr = addr;
- if ((records & MASK_TEST_DUP) != 0)
- checkdups(ip, records);
- ip->records |= records;
- /* Only check differing ttl's for A and MX records */
- if (ip->ttl == 0)
- ip->ttl = ttl;
- else if (ttl != 0 && ip->ttl != ttl) {
+ /* Handle ttl */
+ if (name[0] == '$' && strcasecmp(name, "$ttl") == 0) {
+ cp2 = cp;
+ while (isdigit(*cp))
+ ++cp;
+ ch = *cp;
+ if (isupper(ch))
+ ch = tolower(ch);
+ if (strchr("wdhms", ch) != NULL)
+ ++cp;
+ while (isspace(*cp))
+ ++cp;
+ if (*cp != '\0') {
+ ++errors;
fprintf(stderr,
- "%s: differing ttls for %s (%u != %u)\n",
- prog, ip->host, ttl, ip->ttl);
- ++errs;
+ "%s: %s/%s:%d Bad $ttl \"%s\"\n",
+ prog, cwd, file, n, cp2);
}
- ip->flags |= flags;
- /* Not done if we wildcard matched the name */
- if (addr)
- return (errs);
+ (void)strcpy(name, lastname);
+ continue;
}
- ++n;
- ++ip;
- if (ip >= &items[ITEMSIZE])
- ip = items;
- }
- if (n >= ITEMSIZE) {
- fprintf(stderr, "%s: out of item slots (max %d)\n",
- prog, ITEMSIZE);
- exit(1);
- }
+ /* Parse ttl or use default */
+ if (isdigit(*cp)) {
+ ttl = atoi(cp);
+ do {
+ ++cp;
+ } while (isdigit(*cp));
- /* Done if we were wildcarding the name (and found entries for it) */
- if (addr == 0 && foundsome)
- return (errs);
+ ch = *cp;
+ if (isupper(ch))
+ ch = tolower(ch);
+ switch (ch) {
- /* Didn't find it, make new entry */
- ++itemcnt;
- if (ip->host) {
- fprintf(stderr, "%s: reusing bucket!\n", prog);
- exit(1);
- }
- ip->addr = addr;
- ip->host = savestr(host);
- if ((records & MASK_TEST_DUP) != 0)
- checkdups(ip, records);
- ip->records |= records;
- if (ttl != 0)
- ip->ttl = ttl;
- ip->flags |= flags;
- return (errs);
-}
+ case 'w':
+ ttl *= 7;
+ /* fall through */
-static const char *microlist[] = {
- "_tcp",
- "_udp",
- "_msdcs",
- "_sites",
- NULL
-};
+ case 'd':
+ ttl *= 24;
+ /* fall through */
-int
-rfc1034host(register const char *host, register int recs)
-{
- register const char *cp, **p;
- register int underok;
+ case 'h':
+ ttl *= 60;
+ /* fall through */
- underok = 0;
- for (p = microlist; *p != NULL ;++p)
- if ((cp = strstr(host, *p)) != NULL &&
- cp > host &&
- cp[-1] == '.' &&
- cp[strlen(*p)] == '.') {
- ++underok;
- break;
- }
+ case 'm':
+ ttl *= 60;
+ /* fall through */
- cp = host;
- if (!(isalpha(*cp) || isdigit(*cp) || (*cp == '_' && underok))) {
- fprintf(stderr,
- "%s: illegal hostname \"%s\" (starts with non-alpha/numeric)\n",
- prog, host);
- return (1);
- }
- for (++cp; *cp != '.' && *cp != '\0'; ++cp)
- if (!(isalpha(*cp) || isdigit(*cp) || *cp == '-' ||
- (*cp == '/' && (recs & REC_SOA) != 0))) {
- fprintf(stderr,
- "%s: illegal hostname \"%s\" ('%c' illegal character)\n",
- prog, host, *cp);
- return (1);
- }
- if (--cp >= host && *cp == '-') {
- fprintf(stderr, "%s: illegal hostname \"%s\" (ends with '-')\n",
- prog, host);
- return (1);
- }
- return (0);
-}
+ case 's':
+ ++cp;
+ break;
-int
-nslint(void)
-{
- register int n, records, flags;
- register struct item *ip, *lastaip, **ipp, **itemlist;
- register u_int32_t addr, lastaddr, mask;
+ default:
+ ; /* none */
+ }
- itemlist = (struct item **)calloc(itemcnt, sizeof(*ipp));
- if (itemlist == NULL) {
- fprintf(stderr, "%s: nslint: calloc: %s\n",
- prog, strerror(errno));
- exit(1);
- }
- ipp = itemlist;
- for (n = 0, ip = items; n < ITEMSIZE; ++n, ++ip) {
- if (ip->host == NULL)
- continue;
+ if (!isspace(*cp)) {
+ ++errors;
+ fprintf(stderr, "%s: %s/%s:%d Bad ttl\n",
+ prog, cwd, file, n);
+ continue;
+ }
- /* Save entries with addresses for later check */
- if (ip->addr != 0)
- *ipp++ = ip;
+ /* Find next token */
+ ++cp;
+ while (isspace(*cp))
+ ++cp;
+ } else
+ ttl = soaval[SOA_MINIMUM];
- if (debug > 1) {
- if (debug > 2)
- printf("%d\t", n);
- printf("%s\t%s\t0x%x\t0x%x\n",
- ip->host, intoa(ip->addr), ip->records, ip->flags);
+ /* Eat optional "in" */
+ if ((cp[0] == 'i' || cp[0] == 'I') &&
+ (cp[1] == 'n' || cp[1] == 'N') && isspace(cp[2])) {
+ /* Find next token */
+ cp += 3;
+ while (isspace(*cp))
+ ++cp;
+ } else if ((cp[0] == 'c' || cp[0] == 'C') &&
+ isspace(cp[5]) && strncasecmp(cp, "chaos", 5) == 0) {
+ /* Find next token */
+ cp += 5;
+ while (isspace(*cp))
+ ++cp;
}
- /* Check for illegal hostnames (rfc1034) */
- if (rfc1034host(ip->host, ip->records))
- ++errors;
-
- /* Check for missing ptr records (ok if also an ns record) */
- records = ip->records & MASK_CHECK_REC;
- if ((ip->records & MASK_TEST_REC) != 0)
- records |= REC_OTHER;
- switch (records) {
+ /* Find end of record type, converting to lowercase */
+ rtype = cp;
+ for (rtype = cp; !isspace(*cp) && *cp != '\0'; ++cp)
+ if (isupper(*cp))
+ *cp = tolower(*cp);
+ *cp++ = '\0';
- case REC_A | REC_OTHER | REC_PTR | REC_REF:
- case REC_A | REC_OTHER | REC_PTR:
- case REC_A | REC_PTR | REC_REF:
- case REC_A | REC_PTR:
- case REC_CNAME:
- /* These are O.K. */
- break;
+ /* Find "the rest" */
+ while (isspace(*cp))
+ ++cp;
- case REC_CNAME | REC_REF:
+ /* Check for non-ptr names with dots but no trailing dot */
+ if (!isdigit(*name) &&
+ checkdots(name) && strcmp(domain, ".") != 0) {
++errors;
- fprintf(stderr, "%s: \"cname\" referenced by other"
- " \"cname\" or \"mx\": %s\n", prog, ip->host);
- break;
+ fprintf(stderr,
+ "%s: %s/%s:%d \"%s\" name missing trailing dot: %s\n",
+ prog, cwd, file, n, rtype, name);
+ }
- case REC_OTHER | REC_REF:
- case REC_OTHER:
- /*
- * This is only an error if there is an address
- * associated with the hostname; this means
- * there was a wks entry with bogus address.
- * Otherwise, we have an mx or hinfo.
- */
- if (ip->addr != 0) {
+ /* Check for FQDNs outside the zone */
+ cp2 = name + strlen(name) - 1;
+ if (cp2 >= name && *cp2 == '.' && strchr(name, '.') != NULL) {
+ cp2 = name + strlen(name) - strlen(zone);
+ if (cp2 >= name && strcasecmp(cp2, zone) != 0) {
++errors;
fprintf(stderr,
- "%s: \"wks\" without \"a\" and \"ptr\": %s -> %s\n",
- prog, ip->host, intoa(ip->addr));
+ "%s: %s/%s:%d \"%s\" outside zone %s\n",
+ prog, cwd, file, n, name, zone);
}
- break;
+ }
- case REC_REF:
- ++errors;
- fprintf(stderr,
- "%s: name referenced without other records: %s\n",
- prog, ip->host);
- break;
+ rrtype = txt2rrtype(rtype);
+ switch (rrtype) {
- case REC_A | REC_OTHER | REC_REF:
- case REC_A | REC_OTHER:
- case REC_A | REC_REF:
- case REC_A:
- ++errors;
- fprintf(stderr, "%s: missing \"ptr\": %s -> %s\n",
- prog, ip->host, intoa(ip->addr));
+ case RR_A:
+ /* Handle "a" record */
+ add_domain(name, domain);
+ p = extractaddr(cp, ap);
+ if (p != NULL) {
+ ++errors;
+ cp2 = cp + strlen(cp) - 1;
+ if (cp2 >= cp && *cp2 == '\n')
+ *cp2 = '\0';
+ fprintf(stderr,
+ "%s: %s/%s:%d Bad \"a\" record ip addr \"%s\"\n",
+ prog, cwd, file, n, cp);
+ continue;
+ }
+ if (ap->family != AF_INET) {
+ ++errors;
+ cp2 = cp + strlen(cp) - 1;
+ if (cp2 >= cp && *cp2 == '\n')
+ *cp2 = '\0';
+ fprintf(stderr,
+ "%s: %s/%s:%d \"a\"record not AF_INET \"%s\"\n",
+ prog, cwd, file, n, cp);
+ continue;
+ }
+ errors += updateitem(name, ap, REC_A, ttl, 0);
break;
- case REC_OTHER | REC_PTR | REC_REF:
- case REC_OTHER | REC_PTR:
- case REC_PTR | REC_REF:
- case REC_PTR:
- ++errors;
- fprintf(stderr, "%s: missing \"a\": %s -> %s\n",
- prog, ip->host, intoa(ip->addr));
+ case RR_AAAA:
+ /* Handle "aaaa" record */
+ add_domain(name, domain);
+ p = extractaddr(cp, ap);
+ if (p != NULL) {
+ ++errors;
+ cp2 = cp + strlen(cp) - 1;
+ if (cp2 >= cp && *cp2 == '\n')
+ *cp2 = '\0';
+ fprintf(stderr,
+ "%s: %s/%s:%d Bad \"aaaa\" record ip addr \"%s\"\n",
+ prog, cwd, file, n, cp);
+ continue;
+ }
+ if (ap->family != AF_INET6) {
+ ++errors;
+ cp2 = cp + strlen(cp) - 1;
+ if (cp2 >= cp && *cp2 == '\n')
+ *cp2 = '\0';
+ fprintf(stderr,
+ "%s: %s/%s:%d \"aaaa\"record not AF_INET6 \"%s\"\n",
+ prog, cwd, file, n, cp);
+ continue;
+ }
+ errors += updateitem(name, ap, REC_AAAA, ttl, 0);
break;
- case REC_A | REC_CNAME | REC_OTHER | REC_PTR | REC_REF:
- case REC_A | REC_CNAME | REC_OTHER | REC_PTR:
- case REC_A | REC_CNAME | REC_OTHER | REC_REF:
- case REC_A | REC_CNAME | REC_OTHER:
- case REC_A | REC_CNAME | REC_PTR | REC_REF:
- case REC_A | REC_CNAME | REC_PTR:
- case REC_A | REC_CNAME | REC_REF:
- case REC_A | REC_CNAME:
- case REC_CNAME | REC_OTHER | REC_PTR | REC_REF:
- case REC_CNAME | REC_OTHER | REC_PTR:
- case REC_CNAME | REC_OTHER | REC_REF:
- case REC_CNAME | REC_OTHER:
- case REC_CNAME | REC_PTR | REC_REF:
- case REC_CNAME | REC_PTR:
- ++errors;
- fprintf(stderr, "%s: \"cname\" %s has other records\n",
- prog, ip->host);
+ case RR_PTR:
+ /* Handle "ptr" record */
+ add_domain(name, domain);
+ if (strcmp(cp, "@") == 0)
+ (void)strcpy(cp, zone);
+ if (checkdots(cp)) {
+ ++errors;
+ fprintf(stderr,
+ checkaddr(cp) ? addrfmt : dotfmt,
+ prog, cwd, file, n, rtype, cp);
+ }
+ add_domain(cp, domain);
+ p = parseptr(name, ap);
+ if (p != NULL) {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d Bad \"ptr\" record (%s) ip addr \"%s\"\n",
+ prog, cwd, file, n, p, name);
+ continue;
+ }
+ errors += updateitem(cp, ap, REC_PTR, 0, 0);
break;
- case 0:
- /* Second level test */
- if ((ip->records & ~(REC_NS | REC_TXT)) == 0)
- break;
- /* Fall through... */
-
- default:
- ++errors;
- fprintf(stderr,
- "%s: records == 0x%x: can't happen (%s 0x%x)\n",
- prog, records, ip->host, ip->records);
+ case RR_SOA:
+ /* Handle "soa" record */
+ if (!CHECKDOT(name)) {
+ add_domain(name, domain);
+ errors += updateitem(name, NULL, REC_SOA, 0, 0);
+ }
+ errstr = NULL;
+ if (!parsesoa(cp, &errstr))
+ ++sawsoa;
+ if (errstr != NULL) {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d Bad \"soa\" record (%s)\n",
+ prog, cwd, file, n, errstr);
+ continue;
+ }
break;
- }
- /* Check for smtp problems */
- flags = ip->flags & MASK_TEST_SMTP;
+ case RR_WKS:
+ /* Handle "wks" record */
+ p = extractaddr(cp, ap);
+ if (p != NULL) {
+ ++errors;
+ cp2 = cp;
+ while (!isspace(*cp2) && *cp2 != '\0')
+ ++cp2;
+ *cp2 = '\0';
+ fprintf(stderr,
+ "%s: %s/%s:%d Bad \"wks\" record ip addr \"%s\"\n",
+ prog, cwd, file, n, cp);
+ continue;
+ }
+ /* Step over ip address */
+ while (*cp == '.' || isdigit(*cp))
+ ++cp;
+ while (isspace(*cp))
+ *cp++ = '\0';
+ /* Make sure services are legit */
+ errstr = NULL;
+ n += checkwks(f, cp, &smtp, &errstr);
+ if (errstr != NULL) {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d Bad \"wks\" record (%s)\n",
+ prog, cwd, file, n, errstr);
+ continue;
+ }
+ add_domain(name, domain);
+ errors += updateitem(name, ap, REC_WKS,
+ 0, smtp ? FLG_SMTPWKS : 0);
+ /* XXX check to see if ip address records exists? */
+ break;
- if ((flags & FLG_SELFMX) != 0 && (ip->records & REC_A) == 0) {
- ++errors;
- fprintf(stderr,
- "%s: self \"mx\" for %s missing \"a\" record\n",
- prog, ip->host);
- }
+ case RR_HINFO:
+ /* Handle "hinfo" record */
+ add_domain(name, domain);
+ errors += updateitem(name, NULL, REC_HINFO, 0, 0);
+ cp2 = cp;
+ cp = parsequoted(cp);
+ if (cp == NULL) {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d \"hinfo\" missing quote: %s\n",
+ prog, cwd, file, n, cp2);
+ continue;
+ }
+ if (!isspace(*cp)) {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d \"hinfo\" missing white space: %s\n",
+ prog, cwd, file, n, cp2);
+ continue;
+ }
+ ++cp;
+ while (isspace(*cp))
+ ++cp;
+ if (*cp == '\0') {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d \"hinfo\" missing keyword: %s\n",
+ prog, cwd, file, n, cp2);
+ continue;
+ }
+ cp = parsequoted(cp);
+ if (cp == NULL) {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d \"hinfo\" missing quote: %s\n",
+ prog, cwd, file, n, cp2);
+ continue;
+ }
+ if (*cp != '\0') {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d \"hinfo\" garbage after keywords: %s\n",
+ prog, cwd, file, n, cp2);
+ continue;
+ }
+ break;
- switch (flags) {
+ case RR_MX:
+ /* Handle "mx" record */
+ add_domain(name, domain);
+ errors += updateitem(name, NULL, REC_MX, ttl, 0);
- case 0:
- case FLG_SELFMX | FLG_SMTPWKS:
- /* These are O.K. */
- break;
+ /* Look for priority */
+ if (!isdigit(*cp)) {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d Bad \"mx\" priority: %s\n",
+ prog, cwd, file, n, cp);
+ }
- case FLG_SELFMX:
- if ((ip->records & REC_WKS) != 0) {
+ /* Skip over priority */
+ ++cp;
+ while (isdigit(*cp))
+ ++cp;
+ while (isspace(*cp))
+ ++cp;
+ if (*cp == '\0') {
++errors;
fprintf(stderr,
- "%s: smtp/tcp missing from \"wks\": %s\n",
- prog, ip->host);
+ "%s: %s/%s:%d Missing \"mx\" hostname\n",
+ prog, cwd, file, n);
+ }
+ if (strcmp(cp, "@") == 0)
+ (void)strcpy(cp, zone);
+ if (checkdots(cp)) {
+ ++errors;
+ fprintf(stderr,
+ checkaddr(cp) ? addrfmt : dotfmt,
+ prog, cwd, file, n, rtype, cp);
}
- break;
- case FLG_SMTPWKS:
- ++errors;
- fprintf(stderr,
- "%s: saw smtp/tcp without self \"mx\": %s\n",
- prog, ip->host);
+ /* Check to see if mx host exists */
+ add_domain(cp, domain);
+ flags = FLG_MXREF;
+ if (*name == *cp && strcmp(name, cp) == 0)
+ flags |= FLG_SELFMX;
+ errors += updateitem(cp, NULL, REC_REF, 0, flags);
break;
- default:
- ++errors;
- fprintf(stderr,
- "%s: flags == 0x%x: can't happen (%s)\n",
- prog, flags, ip->host);
- }
+ case RR_CNAME:
+ /* Handle "cname" record */
+ add_domain(name, domain);
+ errors += updateitem(name, NULL, REC_CNAME, 0, 0);
+ if (checkdots(cp)) {
+ ++errors;
+ fprintf(stderr,
+ checkaddr(cp) ? addrfmt : dotfmt,
+ prog, cwd, file, n, rtype, cp);
+ }
- /* Check for chained MX records */
- if ((ip->flags & (FLG_SELFMX | FLG_MXREF)) == FLG_MXREF &&
- (ip->records & REC_MX) != 0) {
- ++errors;
- fprintf(stderr, "%s: \"mx\" referenced by other"
- " \"mx\" record: %s\n", prog, ip->host);
- }
- }
+ /* Make sure cname points somewhere */
+ if (strcmp(cp, "@") == 0)
+ (void)strcpy(cp, zone);
+ add_domain(cp, domain);
+ errors += updateitem(cp, NULL, REC_REF, 0, 0);
+ break;
- /* Check for doubly booked addresses */
- n = ipp - itemlist;
- qsort(itemlist, n, sizeof(itemlist[0]), cmpaddr);
- lastaddr = 0;
- ip = NULL;
- for (ipp = itemlist; n > 0; ++ipp, --n) {
- addr = (*ipp)->addr;
- if (lastaddr == addr &&
- ((*ipp)->flags & FLG_ALLOWDUPA) == 0 &&
- (ip->flags & FLG_ALLOWDUPA) == 0) {
- ++errors;
- fprintf(stderr, "%s: %s in use by %s and %s\n",
- prog, intoa(addr), (*ipp)->host, ip->host);
- }
- lastaddr = addr;
- ip = *ipp;
- }
+ case RR_SRV:
+ /* Handle "srv" record */
+ add_domain(name, domain);
+ errors += updateitem(name, NULL, REC_SRV, 0, 0);
+ cp2 = cp;
- /* Check for hosts with multiple addresses on the same subnet */
- n = ipp - itemlist;
- qsort(itemlist, n, sizeof(itemlist[0]), cmphost);
- if (netlistcnt > 0) {
- n = ipp - itemlist;
- lastaip = NULL;
- for (ipp = itemlist; n > 0; ++ipp, --n) {
- ip = *ipp;
- if ((ip->records & REC_A) == 0 ||
- (ip->flags & FLG_ALLOWDUPA) != 0)
- continue;
- if (lastaip != NULL &&
- strcasecmp(ip->host, lastaip->host) == 0) {
- mask = findmask(ip->addr);
- if (mask == 0) {
- ++errors;
- fprintf(stderr,
- "%s: can't find mask for %s (%s)\n",
- prog, ip->host, intoa(ip->addr));
- } else if ((lastaip->addr & mask) ==
- (ip->addr & mask) ) {
+ /* Skip over three values */
+ for (i = 0; i < 3; ++i) {
+ if (!isdigit(*cp)) {
++errors;
- fprintf(stderr,
- "%s: multiple \"a\" records for %s on subnet %s",
- prog, ip->host,
- intoa(ip->addr & mask));
- fprintf(stderr, "\n\t(%s",
- intoa(lastaip->addr));
- fprintf(stderr, " and %s)\n",
- intoa(ip->addr));
+ fprintf(stderr, "%s: %s/%s:%d"
+ " Bad \"srv\" value: %s\n",
+ prog, cwd, file, n, cp);
}
- }
- lastaip = ip;
- }
- }
-
- if (debug)
- printf("%s: %d/%d items used, %d error%s\n", prog, itemcnt,
- ITEMSIZE, errors, errors == 1 ? "" : "s");
- return (errors != 0);
-}
-
-/* Similar to inet_ntoa() */
-char *
-intoa(u_int32_t addr)
-{
- register char *cp;
- register u_int byte;
- register int n;
- static char buf[sizeof(".xxx.xxx.xxx.xxx")];
-
- cp = &buf[sizeof buf];
- *--cp = '\0';
-
- n = 4;
- do {
- byte = addr & 0xff;
- *--cp = byte % 10 + '0';
- byte /= 10;
- if (byte > 0) {
- *--cp = byte % 10 + '0';
- byte /= 10;
- if (byte > 0)
- *--cp = byte + '0';
- }
- *--cp = '.';
- addr >>= 8;
- } while (--n > 0);
-
- return cp + 1;
-}
-
-int
-parseinaddr(register const char *cp, register u_int32_t *netp,
- register u_int32_t *maskp)
-{
- register int i, bits;
- register u_int32_t o, net, mask;
- if (!isdigit(*cp))
- return (0);
- net = 0;
- mask = 0xff000000;
- bits = 0;
- o = 0;
- do {
- o = o * 10 + (*cp++ - '0');
- } while (isdigit(*cp));
- net = o << 24;
-
- /* Check for classless delegation mask width */
- if (*cp == '/') {
- ++cp;
- o = 0;
- do {
- o = o * 10 + (*cp++ - '0');
- } while (isdigit(*cp));
- bits = o;
- if (bits <= 0 || bits > 32)
- return (0);
- }
-
- if (*cp == '.' && isdigit(cp[1])) {
- ++cp;
- o = 0;
- do {
- o = o * 10 + (*cp++ - '0');
- } while (isdigit(*cp));
- net = (net >> 8) | (o << 24);
- mask = 0xffff0000;
- if (*cp == '.' && isdigit(cp[1])) {
- ++cp;
- o = 0;
- do {
- o = o * 10 + (*cp++ - '0');
- } while (isdigit(*cp));
- net = (net >> 8) | (o << 24);
- mask = 0xffffff00;
- if (*cp == '.' && isdigit(cp[1])) {
+ /* Skip over value */
++cp;
- o = 0;
- do {
- o = o * 10 + (*cp++ - '0');
- } while (isdigit(*cp));
- net = (net >> 8) | (o << 24);
- mask = 0xffffffff;
+ while (isdigit(*cp))
+ ++cp;
+ while (isspace(*cp))
+ ++cp;
}
- }
- }
- if (strcasecmp(cp, inaddr) != 0)
- return (0);
-
- /* Classless delegation */
- /* XXX check that calculated mask isn't smaller than octet mask? */
- if (bits != 0)
- for (mask = 0, i = 31; bits > 0; --i, --bits)
- mask |= (1 << i);
- *netp = net;
- *maskp = mask;
- return (1);
-}
-
-u_int32_t
-parseptr(register const char *cp, u_int32_t net, u_int32_t mask,
- register char **errstrp)
-{
- register u_int32_t o, addr;
- register int shift;
-
- addr = 0;
- shift = 0;
- while (isdigit(*cp) && shift < 32) {
- o = 0;
- do {
- o = o * 10 + (*cp++ - '0');
- } while (isdigit(*cp));
- addr |= o << shift;
- shift += 8;
- if (*cp != '.') {
- if (*cp == '\0')
- break;
- *errstrp = "missing dot";
- return (0);
- }
- ++cp;
- }
+ /* Check to see if mx host exists */
+ add_domain(cp, domain);
+ errors += updateitem(cp, NULL, REC_REF, 0, 0);
+ break;
- if (shift > 32) {
- *errstrp = "more than 4 octets";
- return (0);
- }
+ case RR_TXT:
+ /* Handle "txt" record */
+ add_domain(name, domain);
+ errors += updateitem(name, NULL, REC_TXT, 0, 0);
+ cp2 = cp;
+ cp = parsequoted(cp);
+ if (cp == NULL) {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d \"txt\" missing quote: %s\n",
+ prog, cwd, file, n, cp2);
+ continue;
+ }
+ while (isspace(*cp))
+ ++cp;
+ if (*cp != '\0') {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d \"txt\" garbage after text: %s\n",
+ prog, cwd, file, n, cp2);
+ continue;
+ }
+ break;
- if (shift == 32 && strcasecmp(cp, inaddr + 1) == 0)
- return (addr);
+ case RR_NS:
+ /* Handle "ns" record */
+ errors += updateitem(zone, NULL, REC_NS, 0, 0);
+ if (strcmp(cp, "@") == 0)
+ (void)strcpy(cp, zone);
+ if (checkdots(cp)) {
+ ++errors;
+ fprintf(stderr,
+ checkaddr(cp) ? addrfmt : dotfmt,
+ prog, cwd, file, n, rtype, cp);
+ }
+ add_domain(cp, domain);
+ errors += updateitem(cp, NULL, REC_REF, 0, 0);
+ break;
-#ifdef notdef
- if (*cp != '\0') {
- *errstrp = "trailing junk";
- return (0);
- }
-#endif
-#ifdef notdef
- if ((~mask & net) != 0) {
- *errstrp = "too many octets for net";
- return (0);
- }
-#endif
- return (net | addr);
-}
+ case RR_RP:
+ /* Handle "rp" record */
+ add_domain(name, domain);
+ errors += updateitem(name, NULL, REC_RP, 0, 0);
+ cp2 = cp;
-int
-checkwks(register FILE *f, register char *proto, register int *smtpp,
- register char **errstrp)
-{
- register int n, sawparen;
- register char *cp, *serv, **p;
- static char errstr[132];
- char buf[1024];
- char psbuf[512];
+ /* Step over mailbox name */
+ /* XXX could add_domain() and check further */
+ while (!isspace(*cp) && *cp != '\0')
+ ++cp;
+ if (*cp == '\0') {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d \"rp\" missing text name: %s\n",
+ prog, cwd, file, n, cp2);
+ continue;
+ }
+ ++cp;
+ cp3 = cp;
- if (!protoserv_init) {
- initprotoserv();
- ++protoserv_init;
- }
+ /* Step over text name */
+ while (!isspace(*cp) && *cp != '\0')
+ ++cp;
- /* Line count */
- n = 0;
+ if (*cp != '\0') {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d \"rp\" garbage after text name: %s\n",
+ prog, cwd, file, n, cp2);
+ continue;
+ }
- /* Terminate protocol */
- cp = proto;
- while (!isspace(*cp) && *cp != '\0')
- ++cp;
- if (*cp != '\0')
- *cp++ = '\0';
+ /* Make sure text name points somewhere (if not ".") */
+ if (!CHECKDOT(cp3)) {
+ add_domain(cp3, domain);
+ errors += updateitem(cp3, NULL, REC_REF, 0, 0);
+ }
+ break;
- /* Find services */
- *smtpp = 0;
- sawparen = 0;
- if (*cp == '(') {
- ++sawparen;
- ++cp;
- while (isspace(*cp))
- ++cp;
- }
- for (;;) {
- if (*cp == '\0') {
- if (!sawparen)
- break;
- if (fgets(buf, sizeof(buf), f) == NULL) {
- *errstrp = "mismatched parens";
- return (n);
+ case RR_ALLOWDUPA:
+ /* Handle "allow duplicate a" record */
+ add_domain(name, domain);
+ p = extractaddr(cp, ap);
+ if (p != NULL) {
+ ++errors;
+ cp2 = cp + strlen(cp) - 1;
+ if (cp2 >= cp && *cp2 == '\n')
+ *cp2 = '\0';
+ fprintf(stderr,
+ "%s: %s/%s:%d Bad \"allowdupa\" record ip addr \"%s\"\n",
+ prog, cwd, file, n, cp);
+ continue;
}
- ++n;
- cp = buf;
- while (isspace(*cp))
- ++cp;
- }
- /* Find end of service, converting to lowercase */
- for (serv = cp; !isspace(*cp) && *cp != '\0'; ++cp)
- if (isupper(*cp))
- *cp = tolower(*cp);
- if (*cp != '\0')
- *cp++ = '\0';
- if (sawparen && *cp == ')') {
- /* XXX should check for trailing junk */
+ errors += updateitem(name, ap, 0, 0, FLG_ALLOWDUPA);
break;
- }
- (void)sprintf(psbuf, "%s/%s", serv, proto);
+ case RR_DNSKEY:
+ /* Handle "dnskey" record */
+ add_domain(name, domain);
+ errors += updateitem(name, NULL, REC_CNAME, 0, 0);
+ if (checkdots(cp)) {
+ ++errors;
+ fprintf(stderr,
+ checkaddr(cp) ? addrfmt : dotfmt,
+ prog, cwd, file, n, rtype, cp);
+ }
- if (*serv == 's' && strcmp(psbuf, "tcp/smtp") == 0)
- ++*smtpp;
+ /* Make sure cname points somewhere */
+ if (strcmp(cp, "@") == 0)
+ (void)strcpy(cp, zone);
+ add_domain(cp, domain);
+ errors += updateitem(cp, NULL, REC_REF, 0, 0);
+ break;
- for (p = protoserv; *p != NULL; ++p)
- if (*psbuf == **p && strcmp(psbuf, *p) == 0) {
- break;
+ case RR_RRSIG:
+ errstr = NULL;
+ if (!parserrsig(cp, &errstr))
+ ++sawrrsig;
+ if (errstr != NULL) {
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d Bad \"rrsig\" record (%s)\n",
+ prog, cwd, file, n, errstr);
+ continue;
}
- if (*p == NULL) {
- sprintf(errstr, "%s unknown", psbuf);
- *errstrp = errstr;
+ break;
+
+ case RR_NSEC:
+ /* XXX */
+ continue;
+
+ default:
+ /* Unknown record type */
+ ++errors;
+ fprintf(stderr,
+ "%s: %s/%s:%d Unknown record type \"%s\"\n",
+ prog, cwd, file, n, rtype);
+ add_domain(name, domain);
+ errors += updateitem(name, NULL, REC_UNKNOWN, 0, 0);
break;
}
+ (void)strcpy(lastname, name);
}
-
- return (n);
+ (void)fclose(f);
+ return;
}
+static const char *microlist[] = {
+ "_tcp",
+ "_udp",
+ "_msdcs",
+ "_sites",
+ NULL
+};
+
int
-checkserv(register const char *serv, register char **p)
+rfc1034host(const char *host, int recs)
{
- for (; *p != NULL; ++p)
- if (*serv == **p && strcmp(serv, *p) == 0)
- return (1);
- return (0);
-}
+ const char *cp, **p;
+ int underok;
-void
-initprotoserv(void)
-{
- register char *cp;
- register struct servent *sp;
- char psbuf[512];
+ underok = 0;
+ for (p = microlist; *p != NULL ;++p)
+ if ((cp = strstr(host, *p)) != NULL &&
+ cp > host &&
+ cp[-1] == '.' &&
+ cp[strlen(*p)] == '.') {
+ ++underok;
+ break;
+ }
- protoserv_len = 256;
- protoserv = (char **)malloc(protoserv_len * sizeof(*protoserv));
- if (protoserv == NULL) {
- fprintf(stderr, "%s: nslint: malloc: %s\n",
- prog, strerror(errno));
- exit(1);
+ cp = host;
+ if (!(isalpha(*cp) || isdigit(*cp) || (*cp == '_' && underok))) {
+ fprintf(stderr,
+ "%s: illegal hostname \"%s\" (starts with non-alpha/numeric)\n",
+ prog, host);
+ return (1);
}
-
- while ((sp = getservent()) != NULL) {
- (void)sprintf(psbuf, "%s/%s", sp->s_name, sp->s_proto);
-
- /* Convert to lowercase */
- for (cp = psbuf; *cp != '\0'; ++cp)
- if (isupper(*cp))
- *cp = tolower(*cp);
-
- if (protoserv_last + 1 >= protoserv_len) {
- protoserv_len <<= 1;
- protoserv = realloc(protoserv,
- protoserv_len * sizeof(*protoserv));
- if (protoserv == NULL) {
- fprintf(stderr, "%s: nslint: realloc: %s\n",
- prog, strerror(errno));
- exit(1);
- }
+ for (++cp; *cp != '.' && *cp != '\0'; ++cp)
+ if (!(isalpha(*cp) || isdigit(*cp) || *cp == '-' ||
+ (*cp == '/' && (recs & REC_SOA) != 0))) {
+ fprintf(stderr,
+ "%s: Illegal hostname \"%s\" ('%c' illegal character)\n",
+ prog, host, *cp);
+ return (1);
}
- protoserv[protoserv_last] = savestr(psbuf);
- ++protoserv_last;
+ if (--cp >= host && *cp == '-') {
+ fprintf(stderr, "%s: Illegal hostname \"%s\" (ends with '-')\n",
+ prog, host);
+ return (1);
}
- protoserv[protoserv_last] = NULL;
+ return (0);
+}
+
+enum rrtype
+txt2rrtype(const char *str)
+{
+ if (strcasecmp(str, "aaaa") == 0)
+ return (RR_AAAA);
+ if (strcasecmp(str, "a") == 0)
+ return (RR_A);
+ if (strcasecmp(str, "allowdupa") == 0)
+ return (RR_ALLOWDUPA);
+ if (strcasecmp(str, "cname") == 0)
+ return (RR_CNAME);
+ if (strcasecmp(str, "dnskey") == 0)
+ return (RR_DNSKEY);
+ if (strcasecmp(str, "hinfo") == 0)
+ return (RR_HINFO);
+ if (strcasecmp(str, "mx") == 0)
+ return (RR_MX);
+ if (strcasecmp(str, "ns") == 0)
+ return (RR_NS);
+ if (strcasecmp(str, "ptr") == 0)
+ return (RR_PTR);
+ if (strcasecmp(str, "rp") == 0)
+ return (RR_RP);
+ if (strcasecmp(str, "soa") == 0)
+ return (RR_SOA);
+ if (strcasecmp(str, "srv") == 0)
+ return (RR_SRV);
+ if (strcasecmp(str, "txt") == 0)
+ return (RR_TXT);
+ if (strcasecmp(str, "wks") == 0)
+ return (RR_WKS);
+ if (strcasecmp(str, "RRSIG") == 0)
+ return (RR_RRSIG);
+ if (strcasecmp(str, "NSEC") == 0)
+ return (RR_NSEC);
+ return (RR_UNDEF);
}
-/*
- * Returns true if name contains a dot but not a trailing dot.
- * Special case: allow a single dot if the second part is not one
- * of the 3 or 4 letter top level domains or is any 2 letter TLD
- */
int
-checkdots(register const char *name)
+samesubnet(struct addr *a1, struct addr *a2, struct network *np)
{
- register const char *cp, *cp2;
+ int i;
+ u_int32_t v1, v2;
- if ((cp = strchr(name, '.')) == NULL)
- return (0);
- cp2 = name + strlen(name) - 1;
- if (cp2 >= name && *cp2 == '.')
+ /* IPv4 before IPv6 */
+ if (a1->family != a2->family)
return (0);
- /* Return true of more than one dot*/
- ++cp;
- if (strchr(cp, '.') != NULL)
- return (1);
+ switch (a1->family) {
+
+ case AF_INET:
+ /* Apply the mask to both values */
+ v1 = a1->a_addr4 & np->n_mask4;
+ v2 = a2->a_addr4 & np->n_mask4;
+ return (v1 == v2);
+
+ case AF_INET6:
+ /* Apply the mask to both values */
+ for (i = 0; i < 16; ++i) {
+ v1 = a1->a_addr6[i] & np->n_mask6[i];
+ v2 = a2->a_addr6[i] & np->n_mask6[i];
+ if (v1 != v2)
+ return (0);
+ }
+ break;
- if (strlen(cp) == 2 ||
- strcasecmp(cp, "gov") == 0 ||
- strcasecmp(cp, "edu") == 0 ||
- strcasecmp(cp, "com") == 0 ||
- strcasecmp(cp, "net") == 0 ||
- strcasecmp(cp, "org") == 0 ||
- strcasecmp(cp, "mil") == 0 ||
- strcasecmp(cp, "int") == 0 ||
- strcasecmp(cp, "nato") == 0 ||
- strcasecmp(cp, "arpa") == 0)
- return (1);
- return (0);
+ default:
+ abort();
+ }
+ return (1);
}
-int
-cmpaddr(register const void *ip1, register const void *ip2)
+/* Set address mask in network order */
+void
+setmaskwidth(u_int w, struct network *np)
{
- register u_int32_t a1, a2;
-
- a1 = (*(struct item **)ip1)->addr;
- a2 = (*(struct item **)ip2)->addr;
-
- if (a1 < a2)
- return (-1);
- else if (a1 > a2)
- return (1);
- else
- return (0);
+ int i, j;
+
+ switch (np->family) {
+
+ case AF_INET:
+ if (w <= 0)
+ np->n_mask4 = 0;
+ else
+ np->n_mask4 = htonl(0xffffffff << (32 - w));
+ break;
+
+ case AF_INET6:
+ /* XXX is this right? */
+ memset(np->n_mask6, 0, sizeof(np->n_mask6));
+ for (i = 0; i < w / 8; ++i)
+ np->n_mask6[i] = 0xff;
+ i = w / 8;
+ j = w % 8;
+ if (j > 0 && i < 16)
+ np->n_mask6[i] = 0xff << (8 - j);
+ break;
+
+ default:
+ abort();
+ }
}
int
-cmphost(register const void *ip1, register const void *ip2)
+updateitem(const char *host, struct addr *ap, int records, u_int ttl, int flags)
{
- register const char *s1, *s2;
+ const char *ccp;
+ int n, errs;
+ u_int i;
+ struct item *ip;
+ int foundsome;
- s1 = (*(struct item **)ip1)->host;
- s2 = (*(struct item **)ip2)->host;
+ n = 0;
+ foundsome = 0;
+ errs = 0;
- return (strcasecmp(s1, s2));
-}
+ /* Hash the host name */
+ i = 0;
+ ccp = host;
+ while (*ccp != '\0')
+ i = i * 37 + *ccp++;
+ ip = &items[i & (ITEMSIZE - 1)];
-/* Returns a pointer after the next token or quoted string, else NULL */
-char *
-parsequoted(register char *cp)
-{
+ /* Look for a match or any empty slot */
+ while (n < ITEMSIZE && ip->host != NULL) {
- if (*cp == '"') {
- ++cp;
- while (*cp != '"' && *cp != '\0')
- ++cp;
- if (*cp != '"')
- return (NULL);
- ++cp;
- } else {
- while (!isspace(*cp) && *cp != '\0')
- ++cp;
+ if ((ap == NULL || ip->addr.family == 0 ||
+ cmpaddr(ap, &ip->addr) == 0) &&
+ *host == *ip->host && strcmp(host, ip->host) == 0) {
+ ++foundsome;
+ if (ip->addr.family == 0 && ap != NULL)
+ memmove(&ip->addr, ap, sizeof(*ap));
+ if ((records & MASK_TEST_DUP) != 0)
+ checkdups(ip, records);
+ ip->records |= records;
+ /* Only check differing ttl's for A and MX records */
+ if (ip->ttl == 0)
+ ip->ttl = ttl;
+ else if (ttl != 0 && ip->ttl != ttl) {
+ fprintf(stderr,
+ "%s: Differing ttls for %s (%u != %u)\n",
+ prog, ip->host, ttl, ip->ttl);
+ ++errs;
+ }
+ ip->flags |= flags;
+ /* Not done if we wildcard matched the name */
+ if (ap != NULL)
+ return (errs);
+ }
+ ++n;
+ ++ip;
+ if (ip >= &items[ITEMSIZE])
+ ip = items;
}
- return (cp);
+
+ if (n >= ITEMSIZE) {
+ fprintf(stderr, "%s: Out of item slots (max %d)\n",
+ prog, ITEMSIZE);
+ exit(1);
+ }
+
+ /* Done if we were wildcarding the name (and found entries for it) */
+ if (ap == NULL && foundsome) {
+ return (errs);
+ }
+
+ /* Didn't find it, make new entry */
+ ++itemcnt;
+ if (ip->host) {
+ fprintf(stderr, "%s: Reusing bucket!\n", prog);
+ exit(1);
+ }
+ if (ap != NULL)
+ memmove(&ip->addr, ap, sizeof(*ap));
+ ip->host = savestr(host);
+ if ((records & MASK_TEST_DUP) != 0)
+ checkdups(ip, records);
+ ip->records |= records;
+ if (ttl != 0)
+ ip->ttl = ttl;
+ ip->flags |= flags;
+ return (errs);
}
-__dead void
+void
usage(void)
{
- extern char version[];
fprintf(stderr, "Version %s\n", version);
fprintf(stderr, "usage: %s [-d] [-b named.boot] [-B nslint.boot]\n",
#ifndef lint
static const char rcsid[] =
- "@(#) $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/nslint-2.1a3/savestr.c,v 1.1 2001/12/21 04:12:04 marka Exp $ (LBL)";
+ "@(#) $Id: savestr.c,v 1.2 2006/03/09 02:27:11 leres Exp $ (LBL)";
#endif
#include <sys/types.h>
-#ifdef HAVE_MALLOC_H
-#include <malloc.h>
-#endif
#include <stdio.h>
#include <stdlib.h>
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * @(#) $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/nslint-2.1a3/savestr.h,v 1.1 2001/12/21 04:12:05 marka Exp $ (LBL)
+ * @(#) $Header: savestr.h,v 1.1 97/04/22 13:30:21 leres Exp $ (LBL)
*/
extern char *savestr(const char *);
--- /dev/null
+/* @(#) $Id: version.h 239 2009-03-14 05:44:54Z leres $ (LBL) */
+
+extern const char version[];
+++ /dev/null
-Moved to ${top}/bin/pkcs11
+zkt 1.1.2 -- 05. Dec 2012
+
+* bug Fixed bug introduced by changes on inc_soa_serial()
+
+zkt 1.1.1 -- 27. Nov 2012
+
+* bug Error fixed in zkt-conf in parsing the version number
+
+* misc inc_soa_serial() now returns 0 on success
+
+* bug Fixed bug in inc_serial()
+ The zone file wasn't closed on succesful change of the soa record.
+ Many thanks to Frederik Soderblom for fixing this.
+
+zkt 1.1 -- 30. Jan 2012
+
+* misc Release numbering changed to three level "major.minor.revison" scheme
+
+* bug REMOVE_HOLD_TIME was set to 10 days only (Thanks to Chris Thompson)
+
+* doc Improved README file (Thanks to Jan-Piet Mens)
+
+* misc Fixed some typos in log messages
+
+* bug Fixed error in rollover.c (return code of genfirstkey() wasn't checked)
+
+* misc Default of KeySetDir changed from NULL to ".." (best for hierarchical mode)
+ Default Sig Lifetime changed from 10 days to 3 weeks (21 days)
+ Default ZSK lifetime changed from 3 months to 4 times the sig lifetime
+ Default KSK lifetime changed from 1 year to 2 years
+ Parameter checks in checkconfig() adapted.
+ KSK random device changed back from /dev/urandom to BIND default
+ (Be aware of some possibly long delay in key generation)
+
+* func New configure option to set the bind utility path manually (--enable-bindutil_path)
+ BIND_UTIL_PATH in config_zkt.h will no longer used
+ (Thanks to Mans Nilsson)
+
+* bug If nsec3 is turned on and KeyAlgo (or AddKeyAlgo) is RSHASHA1
+ or DSA, genkey() uses algorithm type NSECRSASHA1 or NSEC3DSA instead.
+ (Thanks to Holger Wirtz)
+
+* bug Error in printconfigdiff() fixed. (Thanks to Holger Wirtz)
+
+* func Description added to (some of the) dnssec.conf parameters
+
+* func Adding a patch from Hrant Dadivanyan to always pre-publish ZSKs
+
+* misc Config file syntax changed to parameter names without underscores.
+ zkt-conf uses ZKT_VERSION string as config version
+
+* bug "make install-man" now installs all man page
+
+* bug Bug fixed in zfparse.c. zkt-conf was unable to detect an already
+ included dnskey.db file if another file was included.
+
+* misc destination dnssec-zkt removed from Makefile.in
+
+* func dki_prt_managedkeys() added to dki.c
+ zkt_list_managedkeys() added to zkt.c
+ zkt-ls has new option -M to print out a list of managed-keys
+
+* bug Bug fixed in the config parser (zconf.c). Couldn't parse
+ agorithm RSASHA512 correctly (Thanks to Michael Sinatra)
+
zkt 1.0 -- 15. June 2010
-* feat "/dev/urandom" check added to checkconfig()
+* func "/dev/urandom" check added to checkconfig()
-* feat Config compability switch (-C) added to zkt-conf
+* func Config compability switch (-C) added to zkt-conf
-* feat zkt-ls has a new switch -s to change sorting of domains from
+* func zkt-ls has a new switch -s to change sorting of domains from
subdomain before parent to subdomain below the parent
-* feat "zkt-ls -T" prints only parent trust anchor
+* func "zkt-ls -T" prints only parent trust anchor
zkt 1.0rc1 -- 1. Apr 2010 (The 1.0 release was sponsored by DOMINIC(r) )
-* feat Several config parameter are printed now in a more consistent and
+* func Several config parameter are printed now in a more consistent and
user friendly form.
SerialFormat "Incremental" could be abbreviated as "inc" on input.
MAN_LS = zkt-ls.8
PROG_LS= zkt-ls
-SRC_ZKT = dnssec-zkt.c strlist.c zkt.c tcap.c
-OBJ_ZKT = $(SRC_ZKT:.c=.o)
-MAN_ZKT = dnssec-zkt.8
-PROG_ZKT= dnssec-zkt
-
SRC_SER = zkt-soaserial.c
OBJ_SER = $(SRC_SER:.c=.o)
#MAN_SER = zkt-soaserial.8
PROG_SER= zkt-soaserial
-SRC_PRG = $(SRC_SIG) $(SRC_CNF) $(SRC_ZKT) $(SRC_LS) $(SRC_SER) $(SRC_KEY)
+SRC_PRG = $(SRC_SIG) $(SRC_CNF) $(SRC_LS) $(SRC_SER) $(SRC_KEY)
OBJ_PRG = $(SRC_PRG:.c=.o)
-PROG_PRG= $(PROG_SIG) $(PROG_CNF) $(PROG_ZKT) $(PROG_LS) $(PROG_SER) $(PROG_KEY)
+PROG_PRG= $(PROG_SIG) $(PROG_CNF) $(PROG_LS) $(PROG_SER) $(PROG_KEY)
-MAN_ALL = $(MAN_ZKT) $(MAN_SIG) $(MAN_LS) $(MAN_CNF) $(MAN_KEY)
+MAN_ALL = $(MAN_SIG) $(MAN_LS) $(MAN_CNF) $(MAN_KEY)
OTHER = README README.logging TODO LICENSE CHANGELOG tags Makefile.in \
- configure examples
-SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_ZKT) $(SRC_KLS) \
+ configure distribute.sh examples
+SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_KLS) \
$(SRC_LS) $(SRC_KEY) $(SRC_SER) $(OTHER) \
man configure.ac config.h.in doc
#MNTSAVE = $(SAVE) configure.ac config.h.in doc
-all: $(PROG_CNF) $(PROG_ZKT) $(PROG_LS) $(PROG_SIG) $(PROG_SER) $(PROG_KEY)
+all: $(PROG_CNF) $(PROG_LS) $(PROG_SIG) $(PROG_SER) $(PROG_KEY)
macos: ## for MAC OS (depreciated)
macos:
$(PROG_SIG): $(OBJ_SIG) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(OBJ_SIG) $(OBJ_ALL) -o $(PROG_SIG)
- ln -f $(PROG_SIG) dnssec-signer
$(PROG_CNF): $(OBJ_CNF) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(OBJ_CNF) $(OBJ_ALL) -o $(PROG_CNF)
$(PROG_KEY): $(OBJ_KEY) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(LIBS) $(OBJ_KEY) $(OBJ_ALL) -o $(PROG_KEY)
-$(PROG_ZKT): $(OBJ_ZKT) $(OBJ_ALL) Makefile
- $(CC) $(LDFLAGS) $(LIBS) $(OBJ_ZKT) $(OBJ_ALL) -o $(PROG_ZKT)
-
$(PROG_LS): $(OBJ_LS) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(LIBS) $(OBJ_LS) $(OBJ_ALL) -o $(PROG_LS)
install: ## install binaries in prefix/bin
install: $(PROG_PRG)
test -d $(prefix)/bin || mkdir -p $(prefix)/bin
- cp dnssec-signer $(PROG_PRG) $(prefix)/bin/
+ cp $(PROG_PRG) $(prefix)/bin/
install-man: ## install man pages in mandir
install-man:
test -d $(mandir)/man8/ || mkdir -p $(mandir)/man8/
- cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/
+ cp -p man/$(MAN_LS) man/$(MAN_SIG) man/$(MAN_KEY) man/$(MAN_CNF) $(mandir)/man8/
## all dependicies
#:r !make depend
-#gcc -MM -g -DHAVE_CONFIG_H -I. -Wall -Wmissing-prototypes zkt-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c zkt-conf.c zfparse.c dnssec-zkt.c strlist.c zkt.c tcap.c zkt-ls.c strlist.c zkt.c tcap.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
+#gcc -MM -g -DHAVE_CONFIG_H -I. -Wall -Wmissing-prototypes zkt-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c zkt-conf.c zfparse.c zkt-ls.c zkt-soaserial.c zkt-keyman.c dki.c misc.c domaincmp.c zconf.c log.c
zkt-signer.o: zkt-signer.c config.h config_zkt.h zconf.h debug.h misc.h \
ncparse.h nscomm.h zone.h dki.h log.h soaserial.h rollover.h
zone.o: zone.c config.h config_zkt.h debug.h domaincmp.h misc.h zconf.h \
zfparse.h
zfparse.o: zfparse.c config.h config_zkt.h zconf.h log.h debug.h \
zfparse.h
-dnssec-zkt.o: dnssec-zkt.c config.h config_zkt.h debug.h misc.h zconf.h \
- strlist.h dki.h zkt.h
-strlist.o: strlist.c strlist.h
-zkt.o: zkt.c config.h config_zkt.h dki.h misc.h zconf.h strlist.h \
- domaincmp.h tcap.h zkt.h
-tcap.o: tcap.c config.h config_zkt.h tcap.h
zkt-ls.o: zkt-ls.c config.h config_zkt.h debug.h misc.h zconf.h strlist.h \
dki.h tcap.h zkt.h
-strlist.o: strlist.c strlist.h
-zkt.o: zkt.c config.h config_zkt.h dki.h misc.h zconf.h strlist.h \
- domaincmp.h tcap.h zkt.h
-tcap.o: tcap.c config.h config_zkt.h tcap.h
zkt-soaserial.o: zkt-soaserial.c config.h config_zkt.h
+zkt-keyman.o: zkt-keyman.c config.h config_zkt.h debug.h misc.h zconf.h \
+ strlist.h dki.h zkt.h
dki.o: dki.c config.h config_zkt.h debug.h domaincmp.h misc.h zconf.h \
dki.h
misc.o: misc.c config.h config_zkt.h zconf.h log.h debug.h misc.h
#
# README dnssec zone key tool
#
-# (c) March 2005 - Aug 2009 by Holger Zuleger hznet
+# (c) March 2005 - Aug 2010 by Holger Zuleger hznet
# (c) domaincmp() Aug 2005 by Karle Boss & H. Zuleger (kaho)
# (c) zconf.c by Jeroen Masar & Holger Zuleger
#
To build the software:
a) Get the current version of zkt
- $ wget http://www.hznet.de/dns/zkt/zkt-1.0.tar.gz
+ $ wget http://www.hznet.de/dns/zkt/zkt-1.1.tar.gz
b) Unpack
- $ tar xzvf zkt-1.0.tar.gz
+ $ tar xzvf zkt-1.1.tar.gz
c) Change to source directory
- $ cd zkt-1.0
+ $ cd zkt-1.1
d) Run configure script
$ ./configure
$ zkt-conf -s -O "Zonedir: /var/named/zones" -w
or use your prefered editor
$ vi /var/named/dnssec.conf
+ (optional) You'll probably want to have zkt-ls work recursively
+ $ zkt-conf -s -O "Recursive: True" -w
c) Prepare one of your zone for zkt
- $ cd /var/name/zones/net/example.net # change dir to zone directory
+ $ cd /var/named/zones/net/example.net # change dir to zone directory
$ cp <zonefile> zone.db # copy and rename existing zone file to "zone.db"
- $ zkt-conf -w zone.db # create local dnssec.conf file and include dnskey.db into zone file
+ $ zkt-conf -w zone.db # create local dnssec.conf file and include dnskey.db into zone file
+
+d) Prepare for initial signing
+ $ cd /var/named/zones/net/example.net
+ $ touch zone.db.signed
+ $ zkt-signer -v -v -o example.net # -o is ORIGIN (i.e. zone name)
+
+e) Publish your zone
+ @ add `zone.db.signed' as zone file to your name server
+ @ publish DS contained in `dsset-example.net.' at your zone's parent
+
Key rollover events
KSK key generation and revoking
Zone reload resp. freeze/thaw of dynamic zone
- LG_INFO: Currently none
- planned:
- Mesages for key generation and key status change
- (e.g.: pre-publish -> activate; revoked -> removed etc.)
+ LG_INFO:
+ Messages for key generation/removal and ksk rollover
LG_DEBUG: all "verbose" (-v) and "very verbose" (-v -v) messages
Some recomended and useful logging settings
-TODO list as of zkt-0.99
+TODO list as of zkt-1.1
-general:
- Renaming to zkt-? and split of the functions of dnssec-zkt to
- separate commands
- Fixed in zkt-1.0 (zkt-conf command)
-
-dnssec-zkt:
+zkt-ls:
feat option to specify the key age as remaining lifetime
(Option -i inverse age ?).
-dnssec-signer:
+zkt-signer:
bug Distribute_Cmd wouldn't work properly on dynamic zones
(missing freeze, thaw; copy Keyfiles instead of signed zone file)
data in the hosted domain.
In other words: It's highly recommended to use the
option -r when you use zkt-signer on a production zone.
- Then the time of propagation is (more or less) equal to the timestamp
+ Than the time of propagation is (more or less) equal to the timestamp
of the zone.db.signed file.
- bug The max_TTL parameter should be set to the value found
- in the zone. A mechanism for setting up a dnssec.conf file
- for the zone specific TTL values is needed.
- Fixed in zkt-1.0 (zkt-conf command)
-
-zkt-conf:
- port Option -C (compability) to create older config files
- misc Change syntax of config parameters to a more uniq form (e.g. no "_" char)
-
zkt-rollover:
feat New command to roll keys independent of zone signing
(Usefull for dynamic zones managed by BIND9.7)
# define ALWAYS_CHECK_KEYSETFILES 1
#endif
+#ifndef ALLOW_ALWAYS_PREPUBLISH_ZSK
+# define ALLOW_ALWAYS_PREPUBLISH_ZSK 1
+#endif
+
#ifndef CONFIG_PATH
# define CONFIG_PATH "/var/named/"
#endif
# define USE_TREE 1
#endif
-/* BIND version and utility path will be set by ./configure script */
-#ifndef BIND_VERSION
-# define BIND_VERSION 942
-#endif
-
+/* BIND version and utility path *must* be set by ./configure script */
#ifndef BIND_UTIL_PATH
-# define BIND_UTIL_PATH "/usr/local/sbin/"
+# error ("BIND_UTIL_PATH not set. Please run configure with --enable-bind_util_path=");
+#endif
+#ifndef BIND_VERSION
+# define BIND_VERSION 970
#endif
#ifndef ZKT_VERSION
# if defined(USE_TREE) && USE_TREE
-# define ZKT_VERSION "vT0.99c (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
+# define ZKT_VERSION "vT1.1.0 (c) Feb 2005 - Jan 2012 Holger Zuleger hznet.de"
# else
-# define ZKT_VERSION "v0.99c (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
+# define ZKT_VERSION "v1.1.0 (c) Feb 2005 - Jan 2012 Holger Zuleger hznet.de"
# endif
#endif
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for ZKT 1.0.
+# Generated by GNU Autoconf 2.61 for ZKT 1.1.2.
#
# Report bugs to <Holger Zuleger hznet.de>.
#
# Identity of this package.
PACKAGE_NAME='ZKT'
PACKAGE_TARNAME='zkt'
-PACKAGE_VERSION='1.0'
-PACKAGE_STRING='ZKT 1.0'
+PACKAGE_VERSION='1.1.2'
+PACKAGE_STRING='ZKT 1.1.2'
PACKAGE_BUGREPORT='Holger Zuleger hznet.de'
ac_unique_file="zkt-signer.c"
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures ZKT 1.0 to adapt to many kinds of systems.
+\`configure' configures ZKT 1.1.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of ZKT 1.0:";;
+ short | recursive ) echo "Configuration of ZKT 1.1.2:";;
esac
cat <<\_ACEOF
Optional Features:
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
+ --enable-bind_util_path=PATH
+ Define path to BIND utilities, default is path to
+ dnssec-signzone
--disable-color-mode zkt without colors
--enable-print-timezone print out timezone
--enable-print-age print age with year
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-ZKT configure 1.0
+ZKT configure 1.1.2
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by ZKT $as_me 1.0, which was
+It was created by ZKT $as_me 1.1.2, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
### find out the path to BIND utils and version
-# Extract the first word of "dnssec-signzone", so it can be a program name with args.
+# Check whether --enable-bind_util_path was given.
+if test "${enable_bind_util_path+set}" = set; then
+ enableval=$enable_bind_util_path; bind_util_path=$enableval
+fi
+
+if test -n "$bind_util_path"
+then
+ if test -x "$bind_util_path/dnssec-signzone"
+ then
+ { echo "$as_me:$LINENO: BIND utilities path successfully set to $bind_util_path." >&5
+echo "$as_me: BIND utilities path successfully set to $bind_util_path." >&6;}
+ SIGNZONE_PROG=$bind_util_path/dnssec-signzone
+ else
+ { { echo "$as_me:$LINENO: error: *** 'BIND utility not found in $bind_util_path, please use --enable-bind_util_path= to set it manually' ***" >&5
+echo "$as_me: error: *** 'BIND utility not found in $bind_util_path, please use --enable-bind_util_path= to set it manually' ***" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+else
+ # Extract the first word of "dnssec-signzone", so it can be a program name with args.
set dummy dnssec-signzone; ac_word=$2
{ echo "$as_me:$LINENO: checking for $ac_word" >&5
echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
fi
-if test -z "$SIGNZONE_PROG" ; then
- { echo "$as_me:$LINENO: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&5
-echo "$as_me: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&2;}
-else
- bind_util_path=`dirname "$SIGNZONE_PROG"`
- # define BIND_UTIL_PATH in config.h.in
+ if test -n "$SIGNZONE_PROG"
+ then
+ bind_util_path=`dirname "$SIGNZONE_PROG"`
+ { echo "$as_me:$LINENO: BIND utilities path automatically set to $bind_util_path." >&5
+echo "$as_me: BIND utilities path automatically set to $bind_util_path." >&6;}
+ else
+ { { echo "$as_me:$LINENO: error: *** 'could not determine BIND utility path, please use --enable-bind_util_path= ' to set it manually ***" >&5
+echo "$as_me: error: *** 'could not determine BIND utility path, please use --enable-bind_util_path= ' to set it manually ***" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+fi
+### By now, we have a path. We'll use it.
+# define BIND_UTIL_PATH in config.h.in
cat >>confdefs.h <<_ACEOF
#define BIND_UTIL_PATH "$bind_util_path/"
_ACEOF
- # define BIND_VERSION in config.h.in
- bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "[0-9]\012" | sed "s/^\(...\).*/\1/"`
+# define BIND_VERSION in config.h.in
+bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "[0-9]\012" | sed "s/^\(...\).*/\1/"`
cat >>confdefs.h <<_ACEOF
#define BIND_VERSION $bind_version
_ACEOF
-fi
+
ac_ext=c
enableval=$enable_printyear;
fi
-test "$printyear" = yes && printyear=1
printyear=0
if test "$enable_printyear" = "yes"; then
printyear=1
cat >>confdefs.h <<_ACEOF
-#define ZKT_COPYRIGHT "(c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de"
+#define ZKT_COPYRIGHT "(c) Feb 2005 - Nov 2012 Holger Zuleger hznet.de"
_ACEOF
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by ZKT $as_me 1.0, which was
+This file was extended by ZKT $as_me 1.1.2, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-ZKT config.status 1.0
+ZKT config.status 1.1.2
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
# 2008-10-01 if BIND_UTIL_PATH check failed, use config_zkt.h setting as last resort
# 2009-07-30 check for timegm() added
# 2009-12-02 the tr command in bind_version= didn't work well under solaris
+# 2010-10-14 new option to specify BIND_UTIL_PATH on command line (thanks to Mans Nilsson)
+# No build in default BIND_UTIL_PATH used anymore
#
dnl AC_PREREQ(2.59)
### Package name and current version
-AC_INIT(ZKT, 1.0, Holger Zuleger hznet.de)
-dnl AC_REVISION($Revision: 1.2 $)
+AC_INIT(ZKT, 1.1.2, Holger Zuleger hznet.de)
+dnl AC_REVISION($Revision: 1.397 $)
### Files to test to check if src dir contains the package
AC_CONFIG_SRCDIR([zkt-signer.c])
AC_PROG_CC
### find out the path to BIND utils and version
-AC_PATH_PROG([SIGNZONE_PROG], dnssec-signzone)
-if test -z "$SIGNZONE_PROG" ; then
- AC_MSG_WARN([*** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***])
+AC_ARG_ENABLE([bind_util_path], AS_HELP_STRING( [--enable-bind_util_path=PATH], [Define path to BIND utilities, default is path to dnssec-signzone]), [bind_util_path=$enableval])
+if test -n "$bind_util_path"
+then
+ if test -x "$bind_util_path/dnssec-signzone"
+ then
+ AC_MSG_NOTICE([BIND utilities path successfully set to $bind_util_path.])
+ SIGNZONE_PROG=$bind_util_path/dnssec-signzone
+ else
+ AC_MSG_ERROR([*** 'BIND utility not found in $bind_util_path, please use --enable-bind_util_path= to set it manually' ***])
+ fi
else
- bind_util_path=`dirname "$SIGNZONE_PROG"`
- # define BIND_UTIL_PATH in config.h.in
- AC_DEFINE_UNQUOTED(BIND_UTIL_PATH, "$bind_util_path/", Path to BIND utilities)
- # define BIND_VERSION in config.h.in
- bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "[[0-9]]\012" | sed "s/^\(...\).*/\1/"`
- AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, BIND version as integer number without dots)
+ AC_PATH_PROG([SIGNZONE_PROG], dnssec-signzone)
+ if test -n "$SIGNZONE_PROG"
+ then
+ bind_util_path=`dirname "$SIGNZONE_PROG"`
+ AC_MSG_NOTICE([BIND utilities path automatically set to $bind_util_path.])
+ else
+ AC_MSG_ERROR([*** 'could not determine BIND utility path, please use --enable-bind_util_path= ' to set it manually ***])
+ fi
fi
+### By now, we have a path. We'll use it.
+# define BIND_UTIL_PATH in config.h.in
+AC_DEFINE_UNQUOTED(BIND_UTIL_PATH, "$bind_util_path/", Path to BIND utilities)
+# define BIND_VERSION in config.h.in
+bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "[[0-9]]\012" | sed "s/^\(...\).*/\1/"`
+AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, BIND version as integer number without dots)
+
AC_CHECK_TYPE(uint, unsigned int)
AC_CHECK_TYPE(ulong, unsigned long)
AC_DEFINE_UNQUOTED(PRINT_TIMEZONE, $printtimezone, print out timezone)
AC_ARG_ENABLE([printyear], AS_HELP_STRING( [--enable-print-age], [print age with year]))
-test "$printyear" = yes && printyear=1
printyear=0
AS_IF([test "$enable_printyear" = "yes"], [printyear=1])
AC_DEFINE_UNQUOTED(PRINT_AGE_WITH_YEAR, $printyear, print age with year)
AC_DEFINE_UNQUOTED(USE_TREE, $usetree, Use TREE data structure for dnssec-zkt)
AC_DEFINE_UNQUOTED(ZKT_VERSION, "$t$PACKAGE_VERSION", ZKT version string)
-AC_DEFINE_UNQUOTED(ZKT_COPYRIGHT, "(c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de", ZKT copyright string)
+AC_DEFINE_UNQUOTED(ZKT_COPYRIGHT, "(c) Feb 2005 - Nov 2012 Holger Zuleger hznet.de", ZKT copyright string)
### Checks for libraries.
--- /dev/null
+#################################################################
+#
+# @(#) distribute.sh -- distribute and reload command for dnssec-signer
+#
+# (c) Jul 2008 Holger Zuleger hznet.de
+#
+# Feb 2010 action "distkeys" added but currently not used
+#
+# This shell script will be run by zkt-signer as a distribution
+# and reload command if:
+#
+# a) the dnssec.conf file parameter Distribute_Cmd: points
+# to this file
+# and
+# b) the user running the zkt-signer command is not
+# root (uid==0)
+# and
+# c) the owner of this shell script is the same as the
+# running user and the access rights don't allow writing
+# for anyone except the owner
+# or
+# d) the group of this shell script is the same as the
+# running user and the access rights don't allow writing
+# for anyone except the group
+#
+#################################################################
+
+# set path to rndc and scp
+PATH="/bin:/usr/bin:/usr/local/sbin"
+
+# remote server and directory
+server=localhost # fqdn of remote name server
+dir=/var/named # zone directory on remote name server
+
+progname=$0
+usage()
+{
+ echo "usage: $progname distkeys|distribute|reload <zone> <path_to_zonefile> [<viewname>]" 1>&2
+ test $# -gt 0 && echo $* 1>&2
+ exit 1
+}
+
+if test $# -lt 3
+then
+ usage
+fi
+action="$1"
+zone="$2"
+zonefile="$3"
+view=""
+test $# -gt 3 && view="$4"
+
+case $action in
+distkeys)
+ if test -n "$view"
+ then
+ : echo "scp K$zone+* $server:$dir/$view/$zone/"
+ scp K$zone+* $server:$dir/$view/$zone/
+ else
+ : echo "scp K$zone+* $server:$dir/$zone/"
+ scp K$zone+* $server:$dir/$zone/
+ fi
+ ;;
+distribute)
+ if test -n "$view"
+ then
+ : echo "scp $zonefile $server:$dir/$view/$zone/"
+ scp $zonefile $server:$dir/$view/$zone/
+ else
+ : echo "scp $zonefile $server:$dir/$zone/"
+ scp $zonefile $server:$dir/$zone/
+ fi
+ ;;
+reload)
+ : echo "rndc $action $zone $view"
+ rndc $action $zone $view
+ ;;
+*)
+ usage "illegal action $action"
+ ;;
+esac
+
return len;
}
+/*****************************************************************
+** dki_prt_managedkey ()
+*****************************************************************/
+int dki_prt_managedkey (const dki_t *dkp, FILE *fp)
+{
+ char *p;
+ int spaces;
+ int len = 0;
+
+ if ( dkp == NULL )
+ return len;
+ len += fprintf (fp, "\"%s\" ", dkp->name);
+ spaces = 22 - (strlen (dkp->name) + 3);
+ len += fprintf (fp, "initial-key ");
+ spaces -= 13;
+ len += fprintf (fp, "%*s", spaces > 0 ? spaces : 0 , " ");
+ len += fprintf (fp, "%d 3 %d ", dkp->flags, dkp->algo);
+ if ( spaces < 0 )
+ len += fprintf (fp, "\n\t\t\t%7s", " ");
+ len += fprintf (fp, "\"");
+ for ( p = dkp->pubkey; *p ; p++ )
+ if ( *p == ' ' )
+ len += fprintf (fp, "\n\t\t\t\t");
+ else
+ putc (*p, fp), len += 1;
+
+ if ( dki_isrevoked (dkp) )
+ len += fprintf (fp, "\" ; # key id = %u (original key id = %u)\n\n", (dkp->tag + 128) % 65535, dkp->tag);
+ else
+ len += fprintf (fp, "\" ; # key id = %u\n\n", dkp->tag);
+ return len;
+}
+
/*****************************************************************
** dki_cmp () return <0 | 0 | >0
extern dki_t *dki_read (const char *dir, const char *fname);
extern int dki_readdir (const char *dir, dki_t **listp, int recursive);
extern int dki_prt_trustedkey (const dki_t *dkp, FILE *fp);
+extern int dki_prt_managedkey (const dki_t *dkp, FILE *fp);
extern int dki_prt_dnskey (const dki_t *dkp, FILE *fp);
extern int dki_prt_dnskeyttl (const dki_t *dkp, FILE *fp, int ttl);
extern int dki_prt_dnskey_raw (const dki_t *dkp, FILE *fp);
--- /dev/null
+%!PS-Adobe-3.0
+%%Creator: groff version 1.19.2
+%%CreationDate: Mon Jul 14 23:23:30 2008
+%%DocumentNeededResources: font Times-Bold
+%%+ font Times-Roman
+%%+ font Courier
+%%+ font Symbol
+%%DocumentSuppliedResources: procset grops 1.19 2
+%%Pages: 1
+%%PageOrder: Ascend
+%%DocumentMedia: Default 595 842 0 () ()
+%%Orientation: Portrait
+%%EndComments
+%%BeginDefaults
+%%PageMedia: Default
+%%EndDefaults
+%%BeginProlog
+%%BeginResource: procset grops 1.19 2
+%!PS-Adobe-3.0 Resource-ProcSet
+/setpacking where{
+pop
+currentpacking
+true setpacking
+}if
+/grops 120 dict dup begin
+/SC 32 def
+/A/show load def
+/B{0 SC 3 -1 roll widthshow}bind def
+/C{0 exch ashow}bind def
+/D{0 exch 0 SC 5 2 roll awidthshow}bind def
+/E{0 rmoveto show}bind def
+/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def
+/G{0 rmoveto 0 exch ashow}bind def
+/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/I{0 exch rmoveto show}bind def
+/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def
+/K{0 exch rmoveto 0 exch ashow}bind def
+/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/M{rmoveto show}bind def
+/N{rmoveto 0 SC 3 -1 roll widthshow}bind def
+/O{rmoveto 0 exch ashow}bind def
+/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/Q{moveto show}bind def
+/R{moveto 0 SC 3 -1 roll widthshow}bind def
+/S{moveto 0 exch ashow}bind def
+/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/SF{
+findfont exch
+[exch dup 0 exch 0 exch neg 0 0]makefont
+dup setfont
+[exch/setfont cvx]cvx bind def
+}bind def
+/MF{
+findfont
+[5 2 roll
+0 3 1 roll
+neg 0 0]makefont
+dup setfont
+[exch/setfont cvx]cvx bind def
+}bind def
+/level0 0 def
+/RES 0 def
+/PL 0 def
+/LS 0 def
+/MANUAL{
+statusdict begin/manualfeed true store end
+}bind def
+/PLG{
+gsave newpath clippath pathbbox grestore
+exch pop add exch pop
+}bind def
+/BP{
+/level0 save def
+1 setlinecap
+1 setlinejoin
+72 RES div dup scale
+LS{
+90 rotate
+}{
+0 PL translate
+}ifelse
+1 -1 scale
+}bind def
+/EP{
+level0 restore
+showpage
+}def
+/DA{
+newpath arcn stroke
+}bind def
+/SN{
+transform
+.25 sub exch .25 sub exch
+round .25 add exch round .25 add exch
+itransform
+}bind def
+/DL{
+SN
+moveto
+SN
+lineto stroke
+}bind def
+/DC{
+newpath 0 360 arc closepath
+}bind def
+/TM matrix def
+/DE{
+TM currentmatrix pop
+translate scale newpath 0 0 .5 0 360 arc closepath
+TM setmatrix
+}bind def
+/RC/rcurveto load def
+/RL/rlineto load def
+/ST/stroke load def
+/MT/moveto load def
+/CL/closepath load def
+/Fr{
+setrgbcolor fill
+}bind def
+/setcmykcolor where{
+pop
+/Fk{
+setcmykcolor fill
+}bind def
+}if
+/Fg{
+setgray fill
+}bind def
+/FL/fill load def
+/LW/setlinewidth load def
+/Cr/setrgbcolor load def
+/setcmykcolor where{
+pop
+/Ck/setcmykcolor load def
+}if
+/Cg/setgray load def
+/RE{
+findfont
+dup maxlength 1 index/FontName known not{1 add}if dict begin
+{
+1 index/FID ne{def}{pop pop}ifelse
+}forall
+/Encoding exch def
+dup/FontName exch def
+currentdict end definefont pop
+}bind def
+/DEFS 0 def
+/EBEGIN{
+moveto
+DEFS begin
+}bind def
+/EEND/end load def
+/CNT 0 def
+/level1 0 def
+/PBEGIN{
+/level1 save def
+translate
+div 3 1 roll div exch scale
+neg exch neg exch translate
+0 setgray
+0 setlinecap
+1 setlinewidth
+0 setlinejoin
+10 setmiterlimit
+[]0 setdash
+/setstrokeadjust where{
+pop
+false setstrokeadjust
+}if
+/setoverprint where{
+pop
+false setoverprint
+}if
+newpath
+/CNT countdictstack def
+userdict begin
+/showpage{}def
+/setpagedevice{}def
+}bind def
+/PEND{
+countdictstack CNT sub{end}repeat
+level1 restore
+}bind def
+end def
+/setpacking where{
+pop
+setpacking
+}if
+%%EndResource
+%%EndProlog
+%%BeginSetup
+%%BeginFeature: *PageSize Default
+<< /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice
+%%EndFeature
+%%IncludeResource: font Times-Bold
+%%IncludeResource: font Times-Roman
+%%IncludeResource: font Courier
+%%IncludeResource: font Symbol
+grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
+def/PL 841.89 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron
+/Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent
+/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen
+/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon
+/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O
+/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
+/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y
+/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
+/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl
+/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut
+/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash
+/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen
+/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft
+/logicalnot/minus/registered/macron/degree/plusminus/twosuperior
+/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior
+/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
+/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE
+/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
+/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
+/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
+/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
+/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
+/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
+/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
+/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
+/Times-Bold@0 ENC0/Times-Bold RE
+%%EndSetup
+%%Page: 1 1
+%%BeginPageSetup
+BP
+%%EndPageSetup
+/F0 10/Times-Bold@0 SF 2.5(1. DNS)72 84 R -.25(Ke)2.5 G 2.5(yS).25 G
+(tatus T)-2.5 E(ypes and Filenames)-.74 E -.25(Ke)189.22 105.6 S 63.235
+(yF).25 G 40.415(ilename used)-63.235 F -.25(fo)2.5 G 29.33(rd).25 G
+(nssec-zkt)-29.33 E -.74(Ty)168.35 117.6 S 12.5(pe Flags).74 F 23.57
+(public pri)16.95 F -.1(va)-.1 G 21.62(te signing?).1 F(label)40.72 E
+(Status)99.34 111.6 Q .4 LW 473.8 122.1 72 122.1 DL/F1 10/Times-Roman@0
+SF(acti)72 131.6 Q 70.67 -.15(ve Z)-.25 H 18.43(SK 256).15 F(.k)18.89 E
+26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F/F2 10
+/Courier@0 SF(act ive)30.285 E F1 17.32(KSK 257)168.35 143.6 R(.k)18.89
+E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F F2
+(act ive)30.285 E F1 54.96(published ZSK)72 158 R 16.39(256 .k)20.93 F
+26.69 -.15(ey .)-.1 H 34.985(published n).15 F F2(pub lished)30.285 E F1
+17.32(KSK 257)168.35 170 R(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E
+-.25(va)-.25 G 46.605(te n).25 F F2(sta ndby)30.285 E F1
+(depreciated \(retired\))72 184.4 Q 18.43(ZSK 256)15 F(.k)18.89 E 26.69
+-.15(ey .)-.1 H 27.785(depreciated n).15 F F2(dep reciated)30.285 E F1
+(re)72 198.8 Q -.2(vo)-.25 G -.1(ke).2 G 64.69(dK).1 G 17.32(SK 385)
+-64.69 F(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G
+46.605(te y).25 F F2(rev oked)30.285 E F1(remo)72 213.2 Q -.15(ve)-.15 G
+61.66(dK).15 G 17.32(SK 257)-61.66 F(k*.k)18.89 E 16.69 -.15(ey k)-.1 H
+(*.pri).15 E -.25(va)-.25 G 36.605(te n).25 F F2(-)30.285 E F1 80.52
+(sep KSK)72 227.6 R 16.39(257 .k)19.82 F 26.69 -.15(ey -)-.1 H(n)75.695
+E F2(sep)30.285 E 394.3 96.1 394.3 230.1 DL 343.73 96.1 343.73 230.1 DL
+280.14 108.1 280.14 230.1 DL 234.56 96.1 234.56 230.1 DL 196.78 108.1
+196.78 230.1 DL 160.85 96.1 160.85 230.1 DL F0 2.5(2. K)72 257.6 R(ey r)
+-.25 E(ollo)-.18 E -.1(ve)-.1 G(r).1 E 2.5(2.1. Zone)72 285.2 R
+(signing k)2.5 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G(pr)
+-2.5 E(e-publish RFC4641\))-.18 E 57.47(action cr)75.34 306.8 R 27.035
+(eate change)-.18 F -.18(re)23.045 G(mo).18 E -.1(ve)-.1 G -.1(ke)72
+318.8 S 65.025(ys newk).1 F 24.395(ey sig)-.1 F -.1(ke)2.5 G 23.775(yo)
+.1 G(ld k)-23.775 E(ey)-.1 E 301.18 323.3 72 323.3 DL F1 23.62
+(zsk1 acti)72 332.8 R 12.8 -.15(ve a)-.25 H(cti).15 E 28.21 -.15(ve d)
+-.25 H(epreciated).15 E 62.1(zsk2 published)72 344.8 R(acti)15 E 35.41
+-.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G 12.5(RRSIG zsk1)72 360.4 R
+33.06(zsk1 zsk2)20.15 F(zsk2)42.76 E 262.41 297.3 262.41 362.9 DL 201.32
+297.3 201.32 362.9 DL 147.43 297.3 147.43 362.9 DL 108.95 309.3 108.95
+362.9 DL F0 2.5(2.2. K)72 390.4 R(ey signing k)-.25 E(ey r)-.1 E(ollo)
+-.18 E -.1(ve)-.1 G 2.5(r\().1 G(double signatur)-2.5 E 2.5(eR)-.18 G
+(FC4641\))-2.5 E 58.165(action cr)118.39 412 R 26.63(eate change)-.18 F
+-.18(re)21.945 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 424 S 108.77(ys newk).1
+F 16.58(ey delegation)-.1 F(old k)15.265 E(ey)-.1 E 343.42 428.5 72
+428.5 DL F1(ksk)72 438 Q(1)5 I(acti)68.61 -5 M 12.8 -.15(ve a)-.25 H
+(cti).15 E 29.6 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 450 Q
+(2)5 I(acti)107.09 -5 M 29.6 -.15(ve a)-.25 H(cti).15 E 33.21 -.15(ve a)
+-.25 H(cti).15 E -.15(ve)-.25 G(DNSKEY RRSIG)72 465.6 Q 17.09
+(ksk1 ksk1,ksk2)15 F 16.11(ksk1,ksk2 ksk2)15 F(DS at parent)72 481.2 Q
+(DS)37.51 E(1)5 I(DS)20.7 -5 M(1)5 I(DS)37.5 -5 M(2)5 I(DS)41.11 -5 M(2)
+5 I 304.65 402.5 304.65 483.7 DL 245.76 402.5 245.76 483.7 DL 190.48
+402.5 190.48 483.7 DL 152 414.5 152 483.7 DL F0 2.5(2.3. K)72 511.2 R
+(ey signing k)-.25 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G
+(rfc5011\))-2.5 E 63.465(action newk)118.39 532.8 R 19.855(ey change)-.1
+F(delegation)2.5 E -.1(ke)72 544.8 S 112.32(ys &).1 F -.18(ro)2.5 G(llo)
+.18 E -.1(ve)-.1 G 15.525(r&).1 G -.18(re)-13.025 G(mo).18 E .2 -.1
+(ve o)-.1 H(ld k).1 E(ey)-.1 E 341.33 549.3 72 549.3 DL F1(ksk)72 558.8
+Q(1)5 I(acti)68.61 -5 M 20.43 -.15(ve r)-.25 H -2.2 -.25(ev o).15 H -.1
+(ke).25 G<87>.1 -2.4 M(ksk)72 570.8 Q(2)5 I 12.5(standby acti)68.61 -5 N
+33.65 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 582.8 Q(3)5 I
+(standby)114.72 -5 M<88>-2.4 I(standby)23.22 2.4 M(DNSKEY RRSIG)72 598.4
+Q 24.72(ksk1 ksk1,ksk2)15 F(ksk2)19.05 E -.15(Pa)72 614 S(rent DS).15 E
+(DS)46.82 E(1)5 I(DS)28.33 -5 M(1)5 I(DS)41.55 -5 M(2)5 I(DS)159.5 626 Q
+(2)5 I(DS)28.33 -5 M(2)5 I(DS)41.55 -5 M(3)5 I 257.44 523.3 257.44 628.5
+DL 198.11 523.3 198.11 628.5 DL 152 535.3 152 628.5 DL<87>72 645.2 Q(Ha)
+2.5 2.4 M .3 -.15(ve t)-.2 H 2.5(or).15 G(emain until the remo)-2.5 E .3
+-.15(ve h)-.15 H(old-do).15 E(wn time is e)-.25 E
+(xpired, which is 30days at a minimum.)-.15 E<88>72 660.8 Q -.4(Wi)2.5
+2.4 O(ll be the standby k).4 E .3 -.15(ey a)-.1 H(fter the hold-do).15 E
+(wn time is e)-.25 E(xpired)-.15 E(Add holdtime)72 675.2 Q/F3 10/Symbol
+SF(=)2.5 E F1(max\(30days, TTL of DNSKEY\))2.5 E 0 Cg EP
+%%Trailer
+end
+%%EOF
--- /dev/null
+
+
+
+Intended Status: Informational O. Gudmundsson
+Network Working Group OGUD Consulting LLC
+Internet-Draft J. Ihren
+Expires: August 21, 2008 AAB
+ February 18, 2008
+
+
+ Names of States in the life of a DNSKEY
+ draft-gudmundsson-life-of-dnskey-00
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on August 21, 2008.
+
+Copyright Notice
+
+ Copyright (C) The IETF Trust (2008).
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 1]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+Abstract
+
+ This document recommends a specific terminology to use when
+ expressing the state that a DNSKEY is in at particular time. This
+ does not affect how the protocol operates in any way.
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. DNSKEY timeline . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3. Life stages of a DNSKEY . . . . . . . . . . . . . . . . . . . 5
+ 3.1. Generated . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.2. Published . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.2.1. Pre-Publication . . . . . . . . . . . . . . . . . . . 5
+ 3.2.2. Out-Of-Band Publication . . . . . . . . . . . . . . . 5
+ 3.3. Active . . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.4. Retired . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.5. Removed . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.5.1. Lame . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.5.2. Stale . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.6. Revoked . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 4. Security considerations . . . . . . . . . . . . . . . . . . . 7
+ 5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8
+ 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 6.1. Normative References . . . . . . . . . . . . . . . . . . . 9
+ 6.2. Informative References . . . . . . . . . . . . . . . . . . 9
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
+ Intellectual Property and Copyright Statements . . . . . . . . . . 11
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 2]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+1. Introduction
+
+ When the editors of this document where comparing their DNSSEC key
+ management projects they discovered that they where discussing
+ roughly the same thing but using different terminology.
+
+ This document presents a unified terminology to use when describing
+ the current state of a DNSKEY.
+
+ The DNSSEC standards documents ([1], [2] and [3]) do not address the
+ required states for the key management of a DNSSEC key. The DNSSEC
+ Operational Practices [4] document does propose that keys be
+ published before use but uses inconsistent or confusing terms. This
+ document assumes basic understanding of DNSSEC and key management.
+
+ The terms proposed in this document attempt to avoid any confusion
+ and make the states of keys to be as clear as possible. The terms
+ used in this document are intended as a operational supplement to the
+ terms defined in Section 2 of [1].
+
+ To large extent this discussion is motivated by Trust anchor keys but
+ the same terminology can be used for zone signing keys.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 3]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+2. DNSKEY timeline
+
+ The model in this document is that keys progress through a state
+ machine along a one-way path, keys never move to an earlier states.
+
+
+
+ GENERATED----------> PUBLISHED ---> ACTIVE ---> RETIRED --> REMOVED
+ | ^ | | | ^
+ | | | | v |
+ +--> Pre-PUBLISHED--+ +--------+---------> REVOKED ---+
+
+
+ DNSKEY time line.
+
+ There are few more states that are defined below but these apply only
+ to the publisher of TA's and the consumer of TA's. Two of these are
+ sub-sets of the Published state, the other two are error states.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 4]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+3. Life stages of a DNSKEY
+
+3.1. Generated
+
+ Once a key is generated it enters state Generated and stays there
+ until the next state. While in this state only the owner of the key
+ is aware of its existence and can prepare for its future use.
+
+3.2. Published
+
+ Once the key is added to the DNSKEY set of a zone the key is there
+ for the world to see, or published. The key needs to remain in this
+ state for some time to propagate to all validators that have cached
+ the prior version of the DNSKEY set. In the case of KSK the key
+ should remain in this state for a longer time as documented in DNSSEC
+ Timers RFC [5].
+
+3.2.1. Pre-Publication
+
+ In certain circumstances a zone owner may want to give out a new
+ Trust Anchor before exposing the actual public key. In this case the
+ zone can publish a DS record of the key. This allows others to
+ configure the trust anchor but will not be able to use the key until
+ the key is published in the DNSKEY RRset.
+
+3.2.2. Out-Of-Band Publication
+
+ In certain circumstances a domain may want to give out a new Trust
+ Anchor outside DNS to give others a long lead time to configure the
+ new key as trust anchor. The reason people may want to do this is to
+ keep the size of the DNSKEY set smaller and only add new trust anchor
+ just before the key goes into use. One likely use for this is the
+ DNS "." root key as it does not have a parent that can publish a DS
+ record for it. The publication mechanism does not matter it can be
+ any one of web-site, advertisement in Financial Times and other
+ international publication, e-mail to DNS related mailing lists, etc..
+
+3.3. Active
+
+ The key is in ACTIVE state while it is actively signing data in the
+ zone it resides in. It is one of the the keys that are signing the
+ zone or parts of the zone.
+
+3.4. Retired
+
+ When the key is no longer used for signing the zone it enters state
+ Retired. In this state there may still be signatures by the key in
+ cached data from the zone available at recursive servers, but the
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 5]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+ authoritative servers for the zone do no longer carry any signatures
+ generated by the key.
+
+3.5. Removed
+
+ Once the key is removed from the DNSKEY RRset it enters the state
+ Removed. At this point all signatures by the key that may still be
+ temporarily valid will fail to verify once the validator refreshes
+ the DNSKEY RRset in its memory.
+
+ Therefore "removal" of a key is typically not done until all the
+ cached signatures have expired. Entering this state too early may
+ cause number of validators to end up with STALE Trust Anchors.
+
+3.5.1. Lame
+
+ A Trust Anchor is Lame if the parent continues to publish DS pointing
+ to the key after it has been removed from the DNSKEY RRset. A Trust
+ Anchor is arguably Lame if there are no signatures by a Retired KSK
+ in the zone.
+
+3.5.2. Stale
+
+ A Stale Trust Anchor is an old TA that remains in a validators list
+ of active key(s) after the key has been removed from the zone's
+ DNSKEY RRset.
+
+3.6. Revoked
+
+ There are times when a zone wants to signal that a particular key
+ should not be used at all. The mechanism to do this is to set the
+ REVOKE bit [5]. Any key in any of the while the key is the DNSSKEY
+ set can be exited to Revoked state. After some time in the Revoke
+ state the key will be Removed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 6]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+4. Security considerations
+
+ TBD
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 7]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+5. IANA considerations
+
+ This document does not have any IANA actions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 8]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+6. References
+
+6.1. Normative References
+
+6.2. Informative References
+
+ [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+ [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions",
+ RFC 4035, March 2005.
+
+ [4] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
+ RFC 4641, September 2006.
+
+ [5] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
+ Anchors", RFC 5011, September 2007.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 9]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+Authors' Addresses
+
+ Olafur Gudmundsson
+ OGUD Consulting LLC
+ 3821 Village Park Drive
+ Chevy Chase, MD 20815
+ USA
+
+ Email: ogud@ogud.com
+
+
+ Johan Ihren
+ Automatica, AB
+ Bellmansgatan 30
+ Stockholm, SE-118 47
+ Sweden
+
+ Email: johani@automatica.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 10]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2008).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 11]
+\f
--- /dev/null
+
+
+
+DNSOP O. Kolkman
+Internet-Draft NLnet Labs
+Obsoletes: 2541 (if approved) R. Gieben
+Intended status: BCP
+Expires: September 8, 2009 March 7, 2009
+
+
+ DNSSEC Operational Practices, Version 2
+ draft-ietf-dnsop-rfc4641bis-01
+
+Status of This Memo
+
+ This Internet-Draft is submitted to IETF in full conformance with the
+ provisions of BCP 78 and BCP 79. This document may contain material
+ from IETF Documents or IETF Contributions published or made publicly
+ available before November 10, 2008. The person(s) controlling the
+ copyright in some of this material may not have granted the IETF
+ Trust the right to allow modifications of such material outside the
+ IETF Standards Process. Without obtaining an adequate license from
+ the person(s) controlling the copyright in such materials, this
+ document may not be modified outside the IETF Standards Process, and
+ derivative works of it may not be created outside the IETF Standards
+ Process, except to format it for publication as an RFC or to
+ translate it into languages other than English.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on September 8, 2009.
+
+Copyright Notice
+
+ Copyright (c) 2009 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 1]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents in effect on the date of
+ publication of this document (http://trustee.ietf.org/license-info).
+ Please review these documents carefully, as they describe your rights
+ and restrictions with respect to this document.
+
+Abstract
+
+ This document describes a set of practices for operating the DNS with
+ security extensions (DNSSEC). The target audience is zone
+ administrators deploying DNSSEC.
+
+ The document discusses operational aspects of using keys and
+ signatures in the DNS. It discusses issues of key generation, key
+ storage, signature generation, key rollover, and related policies.
+
+ This document obsoletes RFC 2541, as it covers more operational
+ ground and gives more up-to-date requirements with respect to key
+ sizes and the new DNSSEC specification.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1. The Use of the Term 'key' . . . . . . . . . . . . . . . . 5
+ 1.2. Time Definitions . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Keeping the Chain of Trust Intact . . . . . . . . . . . . . . 5
+ 3. Keys Generation and Storage . . . . . . . . . . . . . . . . . 6
+ 3.1. Zone and Key Signing Keys . . . . . . . . . . . . . . . . 6
+ 3.1.1. Motivations for the KSK and ZSK Separation . . . . . . 7
+ 3.1.2. Differentiation for 'High-Level' Zones . . . . . . . . 9
+ 3.2. Key Generation . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.3. Key Effectivity Period . . . . . . . . . . . . . . . . . . 9
+ 3.4. Key Algorithm . . . . . . . . . . . . . . . . . . . . . . 10
+ 3.5. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 3.6. Private Key Storage . . . . . . . . . . . . . . . . . . . 11
+ 4. Signature Generation, Key Rollover, and Related Policies . . . 12
+ 4.1. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
+ 4.1.1. Time Considerations . . . . . . . . . . . . . . . . . 13
+ 4.2. Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 15
+ 4.2.1. Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
+ 4.2.1.1. Pre-Publish Key Rollover . . . . . . . . . . . . . 15
+ 4.2.1.2. Double Signature Zone Signing Key Rollover . . . . 17
+ 4.2.1.3. Pros and Cons of the Schemes . . . . . . . . . . . 19
+ 4.2.2. Key Signing Key Rollovers . . . . . . . . . . . . . . 19
+ 4.2.3. Difference Between ZSK and KSK Rollovers . . . . . . . 21
+ 4.2.4. Key algorithm rollover . . . . . . . . . . . . . . . . 22
+ 4.2.5. Automated Key Rollovers . . . . . . . . . . . . . . . 23
+ 4.3. Planning for Emergency Key Rollover . . . . . . . . . . . 24
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 2]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ 4.3.1. KSK Compromise . . . . . . . . . . . . . . . . . . . . 24
+ 4.3.1.1. Keeping the Chain of Trust Intact . . . . . . . . 25
+ 4.3.1.2. Breaking the Chain of Trust . . . . . . . . . . . 26
+ 4.3.2. ZSK Compromise . . . . . . . . . . . . . . . . . . . . 26
+ 4.3.3. Compromises of Keys Anchored in Resolvers . . . . . . 26
+ 4.4. Parental Policies . . . . . . . . . . . . . . . . . . . . 27
+ 4.4.1. Initial Key Exchanges and Parental Policies
+ Considerations . . . . . . . . . . . . . . . . . . . . 27
+ 4.4.2. Storing Keys or Hashes? . . . . . . . . . . . . . . . 27
+ 4.4.3. Security Lameness . . . . . . . . . . . . . . . . . . 28
+ 4.4.4. DS Signature Validity Period . . . . . . . . . . . . . 28
+ 4.4.5. (Non) Cooperating Registrars . . . . . . . . . . . . . 29
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 30
+ 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 30
+ 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 30
+ 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
+ 8.1. Normative References . . . . . . . . . . . . . . . . . . . 31
+ 8.2. Informative References . . . . . . . . . . . . . . . . . . 31
+ Appendix A. Terminology . . . . . . . . . . . . . . . . . . . . . 32
+ Appendix B. Zone Signing Key Rollover How-To . . . . . . . . . . 34
+ Appendix C. Typographic Conventions . . . . . . . . . . . . . . . 34
+ Appendix D. Document Editing History . . . . . . . . . . . . . . 37
+ D.1. draft-ietf-dnsop-rfc4641-00 . . . . . . . . . . . . . . . 37
+ D.2. version 0->1 . . . . . . . . . . . . . . . . . . . . . . . 37
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 3]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+1. Introduction
+
+ This document describes how to run a DNS Security (DNSSEC)-enabled
+ environment. It is intended for operators who have knowledge of the
+ DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
+ See RFC 4033 [3] for an introduction to DNSSEC, RFC 4034 [4] for the
+ newly introduced Resource Records (RRs), and RFC 4035 [5] for the
+ protocol changes.
+
+ During workshops and early operational deployment tests, operators
+ and system administrators have gained experience about operating the
+ DNS with security extensions (DNSSEC). This document translates
+ these experiences into a set of practices for zone administrators.
+ At the time of writing, there exists very little experience with
+ DNSSEC in production environments; this document should therefore
+ explicitly not be seen as representing 'Best Current Practices'.
+ [OK: Is this document ripe enough to shoot for BCP?]
+
+ The procedures herein are focused on the maintenance of signed zones
+ (i.e., signing and publishing zones on authoritative servers). It is
+ intended that maintenance of zones such as re-signing or key
+ rollovers be transparent to any verifying clients on the Internet.
+
+ The structure of this document is as follows. In Section 2, we
+ discuss the importance of keeping the "chain of trust" intact.
+ Aspects of key generation and storage of private keys are discussed
+ in Section 3; the focus in this section is mainly on the private part
+ of the key(s). Section 4 describes considerations concerning the
+ public part of the keys. Since these public keys appear in the DNS
+ one has to take into account all kinds of timing issues, which are
+ discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
+ rollover, or supercession, of keys. Finally, Section 4.4 discusses
+ considerations on how parents deal with their children's public keys
+ in order to maintain chains of trust.
+
+ The typographic conventions used in this document are explained in
+ Appendix C.
+
+ Since this is a document with operational suggestions and there are
+ no protocol specifications, the RFC 2119 [6] language does not apply.
+
+ This document [OK: when approved] obsoletes RFC 4641 [16].
+
+ [OK: Editorial comments and questions are indicated by square
+ brackets and editor innitials]
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 4]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+1.1. The Use of the Term 'key'
+
+ It is assumed that the reader is familiar with the concept of
+ asymmetric keys on which DNSSEC is based (public key cryptography
+ RFC4949 [17]). Therefore, this document will use the term 'key'
+ rather loosely. Where it is written that 'a key is used to sign
+ data' it is assumed that the reader understands that it is the
+ private part of the key pair that is used for signing. It is also
+ assumed that the reader understands that the public part of the key
+ pair is published in the DNSKEY Resource Record and that it is the
+ public part that is used in key exchanges.
+
+1.2. Time Definitions
+
+ In this document, we will be using a number of time-related terms.
+ The following definitions apply:
+
+ o "Signature validity period" The period that a signature is valid.
+ It starts at the time specified in the signature inception field
+ of the RRSIG RR and ends at the time specified in the expiration
+ field of the RRSIG RR.
+
+ o "Signature publication period" Time after which a signature (made
+ with a specific key) is replaced with a new signature (made with
+ the same key). This replacement takes place by publishing the
+ relevant RRSIG in the master zone file. After one stops
+ publishing an RRSIG in a zone, it may take a while before the
+ RRSIG has expired from caches and has actually been removed from
+ the DNS.
+
+ o "Key effectivity period" The period during which a key pair is
+ expected to be effective. This period is defined as the time
+ between the first inception time stamp and the last expiration
+ date of any signature made with this key, regardless of any
+ discontinuity in the use of the key. The key effectivity period
+ can span multiple signature validity periods.
+
+ o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
+ value of the TTLs from the complete set of RRs in a zone. Note
+ that the minimum TTL is not the same as the MINIMUM field in the
+ SOA RR. See [9] for more information.
+
+2. Keeping the Chain of Trust Intact
+
+ Maintaining a valid chain of trust is important because broken chains
+ of trust will result in data being marked as Bogus (as defined in [3]
+ Section 5), which may cause entire (sub)domains to become invisible
+ to verifying clients. The administrators of secured zones have to
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 5]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ realize that their zone is, to verifying clients, part of a chain of
+ trust.
+
+ As mentioned in the introduction, the procedures herein are intended
+ to ensure that maintenance of zones, such as re-signing or key
+ rollovers, will be transparent to the verifying clients on the
+ Internet.
+
+ Administrators of secured zones will have to keep in mind that data
+ published on an authoritative primary server will not be immediately
+ seen by verifying clients; it may take some time for the data to be
+ transferred to other secondary authoritative nameservers and clients
+ may be fetching data from caching non-authoritative servers. In this
+ light, note that the time for a zone transfer from master to slave is
+ negligible when using NOTIFY [8] and incremental transfer (IXFR) [7].
+ It increases when full zone transfers (AXFR) are used in combination
+ with NOTIFY. It increases even more if you rely on full zone
+ transfers based on only the SOA timing parameters for refresh.
+
+ For the verifying clients, it is important that data from secured
+ zones can be used to build chains of trust regardless of whether the
+ data came directly from an authoritative server, a caching
+ nameserver, or some middle box. Only by carefully using the
+ available timing parameters can a zone administrator ensure that the
+ data necessary for verification can be obtained.
+
+ The responsibility for maintaining the chain of trust is shared by
+ administrators of secured zones in the chain of trust. This is most
+ obvious in the case of a 'key compromise' when a trade-off between
+ maintaining a valid chain of trust and replacing the compromised keys
+ as soon as possible must be made. Then zone administrators will have
+ to make a trade-off, between keeping the chain of trust intact --
+ thereby allowing for attacks with the compromised key -- or
+ deliberately breaking the chain of trust and making secured
+ subdomains invisible to security-aware resolvers. Also see
+ Section 4.3.
+
+3. Keys Generation and Storage
+
+ This section describes a number of considerations with respect to the
+ security of keys. It deals with the generation, effectivity period,
+ size, and storage of private keys.
+
+3.1. Zone and Key Signing Keys
+
+ The DNSSEC validation protocol does not distinguish between different
+ types of DNSKEYs. All DNSKEYs can be used during the validation. In
+ practice, operators use Key Signing and Zone Signing Keys and use the
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 6]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ so-called Secure Entry Point (SEP) [5] flag to distinguish between
+ them during operations. The dynamics and considerations are
+ discussed below.
+
+ To make zone re-signing and key rollover procedures easier to
+ implement, it is possible to use one or more keys as Key Signing Keys
+ (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone.
+ Other keys can be used to sign all the RRSets in a zone and are
+ referred to as Zone Signing Keys (ZSKs). In this document, we assume
+ that KSKs are the subset of keys that are used for key exchanges with
+ the parent and potentially for configuration as trusted anchors --
+ the SEP keys. In this document, we assume a one-to-one mapping
+ between KSK and SEP keys and we assume the SEP flag to be set on all
+ KSKs.
+
+3.1.1. Motivations for the KSK and ZSK Separation
+
+ Differentiating between the KSK and ZSK functions has several
+ advantages:
+
+ o No parent/child interaction is required when ZSKs are updated.
+
+ o [OK: Bullet removed, strawman Paul Hoffman]
+
+ o As the KSK is only used to sign a key set, which is most probably
+ updated less frequently than other data in the zone, it can be
+ stored separately from and in a safer location than the ZSK.
+
+ o A KSK can have a longer key effectivity period.
+
+ For almost any method of key management and zone signing, the KSK is
+ used less frequently than the ZSK. Once a key set is signed with the
+ KSK, all the keys in the key set can be used as ZSKs. If a ZSK is
+ compromised, it can be simply dropped from the key set. The new key
+ set is then re-signed with the KSK.
+
+ Given the assumption that for KSKs the SEP flag is set, the KSK can
+ be distinguished from a ZSK by examining the flag field in the DNSKEY
+ RR. If the flag field is an odd number it is a KSK. If it is an
+ even number it is a ZSK.
+
+ The Zone Signing Key can be used to sign all the data in a zone on a
+ regular basis. When a Zone Signing Key is to be rolled, no
+ interaction with the parent is needed. This allows for signature
+ validity periods on the order of days.
+
+ The Key Signing Key is only to be used to sign the DNSKEY RRs in a
+ zone. If a Key Signing Key is to be rolled over, there will be
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 7]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ interactions with parties other than the zone administrator. If
+ there is a parent zone, these can include the registry of the parent
+ zone or administrators of verifying resolvers that have the
+ particular key configured as secure entry points. If this is a trust
+ anchor, everyone relying on the trust anchor needs to roll over to
+ the new key. The latter may be subject to stability costs if
+ automated trust-anchor rollover mechanisms (such as e.g. RFC5011
+ [18]) are not in place. Hence, the key effectivity period of these
+ keys can and should be made much longer.
+
+ There are two schools of thought on rolling a KSK that is not a trust
+ anchor [OK: One can never be sure a KSK is _not_ a trust anchor]:
+
+ o It should be done regularly (possibly every few months) so that a
+ key rollover remains an operational routine.
+
+ o It should only be done when it is known or strongly suspected that
+ the key has been compromised in order to reduce the stability
+ issues on systems where the rollover does not happen cleanly.
+
+ There is no widespread agreement on which of these two schools of
+ thought is better for different deployments of DNSSEC. There is a
+ stability cost every time a non-anchor KSK is rolled over, but it is
+ possibly low if the communication between the child and the parent is
+ good. On the other hand, the only completely effective way to tell
+ if the communication is good is to test it periodically. Thus,
+ rolling a KSK with a parent is only done for two reasons: to test and
+ verify the rolling system to prepare for an emergency, and in the
+ case of an actual emergency.
+
+ [OK: The paragraph below is a straw-man by Paul Hoffman] Because of
+ the difficulty of getting all users of a trust anchor to replace an
+ old trust anchor with a new one, a KSK that is a trust anchor should
+ never be rolled unless it is known or strongly suspected that the key
+ has been compromised.
+
+ [OK: This is an alternative straw-man by Olaf Kolkman] The same
+ operational concerns apply to the rollover of KSKs that are used as
+ trust-anchors. Since the administrator of a zone can not be certain
+ that the zone's KSK is in use as a trust-anchor she will have to
+ assume that a rollover will cause a stability cost for the users that
+ did configure her key as a trust-anchor. Those costs can be
+ minimized by automating the rollover RFC5011 [18] and by rolling the
+ key regularly, and advertising such, so that the operators of
+ recursive nameservers will put the appropriate mechanism in place to
+ deal with these stability costs, or, in other words, budget for these
+ costs instead of incuring them unexpectedly.
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 8]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+3.1.2. Differentiation for 'High-Level' Zones
+
+ In an earlier version of this document we made a differentiation
+ between KSKs used for zones that are high in the DNS hierarchy versus
+ KSKs used for zones low in that hierarchy. We have come to realize
+ that there are other considerations that argue such differentiation
+ does not need to be made.
+
+ Longer keys are not useful because the crypto guidance is that
+ everyone should use keys that no one can break. Also, it is
+ impossible to judge which zones are more or less valuable to an
+ attacker. An attack can only be used if the compromise is unnoticed
+ and the attacker can act as an man-in-the-middle attack (MITM) in an
+ unnoticed way. If .example is compromised and the attacker forges
+ answers for somebank.example and sends them out as an MITM, when the
+ attack is discovered it will be simple to prove that .example has
+ been compromised and the KSK will be rolled. Defining a long-term
+ successful attack is difficult for keys at any level.
+
+3.2. Key Generation
+
+ Careful generation of all keys is a sometimes overlooked but
+ absolutely essential element in any cryptographically secure system.
+ The strongest algorithms used with the longest keys are still of no
+ use if an adversary can guess enough to lower the size of the likely
+ key space so that it can be exhaustively searched. Technical
+ suggestions for the generation of random keys will be found in RFC
+ 4086 [14] and NIST SP 800-900 [20]. One should carefully assess if
+ the random number generator used during key generation adheres to
+ these suggestions.
+
+ Keys with a long effectivity period are particularly sensitive as
+ they will represent a more valuable target and be subject to attack
+ for a longer time than short-period keys. It is strongly recommended
+ that long-term key generation occur off-line in a manner isolated
+ from the network via an air gap or, at a minimum, high-level secure
+ hardware.
+
+3.3. Key Effectivity Period
+
+ From a purely operational perspective, a reasonable key effectivity
+ period for KSKs that have a parent zone is 13 months, with the intent
+ to replace them after 12 months. An intended key effectivity period
+ of a month is reasonable for Zone Signing Keys. This annual rollover
+ gives operational practice to rollovers.
+
+ Ignoring the operational perspective, a reasonable effectivity period
+ for KSKs that have a parent zone is of the order of 2 decades or
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 9]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ longer. That is, if one does not plan to test the rollover
+ procedure, the key should be effective essentially forever, and then
+ only rolled over in case of emergency.
+
+ The "operational habit" argument also applies to trust anchor
+ reconfiguration. If a short key effectivity period is used and the
+ trust anchor configuration has to be revisited on a regular basis,
+ the odds that the configuration tends to be forgotten is smaller.
+ The trade-off is against a system that is so dynamic that
+ administrators of the validating clients will not be able to follow
+ the modifications.Note that if a trust anchor replacement is done
+ incorrectly, the entire zone that the trust anchor covers will become
+ bogus until the trust anchor is corrected.
+
+ Key effectivity periods can be made very short, as in a few minutes.
+ But when replacing keys one has to take the considerations from
+ Section 4.1 and Section 4.2 into account.
+
+3.4. Key Algorithm
+
+ There are currently two types of signature algorithms that can be
+ used in DNSSEC: RSA and DSA. Both are fully specified in many
+ freely-available documents, and both are widely considered to be
+ patent-free. The creation of signatures wiht RSA and DSA takes
+ roughly the same time, but DSA is about ten times slower for
+ signature verification.
+
+ We suggest the use of either RSA/SHA-1 or RSA/SHA-256 as the
+ preferred signature algorithms. Both have advantages and
+ disadvantages. RSA/SHA-1 has been deployed for many years, while
+ RSA/SHA-256 has only begun to be deployed. On the other hand, it is
+ expected that if effective attacks on either algorithm appeark, they
+ will appear for RSA/SHA-1 first. RSA/MD5 should not be considered
+ for use because RSA/MD5 will very likely be the first common-use
+ signature algorithm to have an effective attack.
+
+ At the time of publication, it is known that the SHA-1 hash has
+ cryptanalysis issues. There is work in progress on addressing these
+ issues. We recommend the use of public key algorithms based on
+ hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
+ algorithms are available in protocol specifications (see [21] and
+ [22]) and implementations.
+
+3.5. Key Sizes
+
+ DNSSEC signing keys should be large enough to avoid all know
+ cryptographic attacks during the lifetime of the key. To date,
+ despite huge efforts, no one has broken a regular 1024-bit key; in
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 10]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ fact, the best completed attack is estimated to be the equivalent of
+ a 700-bit key. An attacker breaking a 1024-bit signing key would
+ need expend phenominal amounts of networked computing power in a way
+ that would not be detected in order to break a single key. Because
+ of this, it is estimated that most zones can safely use 1024-bit keys
+ for at least the next ten years. A 1024-bit asymmetric key has an
+ approximate equivalent strength of a symmetric 80-bit key.
+
+ Keys that are used as extremely high value trust anchors, or non-
+ anchor keys that may be difficult to roll over, may want to use
+ lengths longer than 1024 bits. Typically, the next larger key size
+ used is 2048 bits, which have the approximate equivalent strength of
+ a symmetric 112-bit key. In a standard CPU, it takes about four
+ times as long to sign or verify with a 2048-bit key as it does with a
+ 1024-bit key.
+
+ Another way to decide on the size of key to use is to remember that
+ the phenominal effort it takes for an attacker to break a 1024-bit
+ key is the same regardless of how the key is used. If an attacker
+ has the capability of breaking a 1024-bit DNSSEC key, he also has the
+ capability of breaking one of the many 1024-bit TLS trust anchor keys
+ that are installed with web browsers. If the value of a DNSSEC key
+ is lower to the attacker than the value of a TLS trust anchor, the
+ attacker will use the resources to attack the TLS trust anchor.
+
+ It is possible that there is a unexpected improvement in the ability
+ for attackers to beak keys, and that such an attack would make it
+ feasible to break 1024-bit keys but not 2048-bit keys. If such an
+ improvement happens, it is likely that there will be a huge amount of
+ publicity, particularly because of the large number of 1024-bit TLS
+ trust anchors build into popular web browsers. At that time, all
+ 1024-bit keys (both ones with parent zones and ones that are trust
+ anchors) can be rolled over and replaced with larger keys.
+
+ Earlier documents (including the previous version of this document)
+ urged the use of longer keys in situations where a particular key was
+ "heavily used". That advice may have been true 15 years ago, but it
+ is not true today when using RSA or DSA algorithms and keys of 1024
+ bits or higher.
+
+3.6. Private Key Storage
+
+ It is recommended that, where possible, zone private keys and the
+ zone file master copy that is to be signed be kept and used in off-
+ line, non-network-connected, physically secure machines only.
+ Periodically, an application can be run to add authentication to a
+ zone by adding RRSIG and NSEC RRs. Then the augmented file can be
+ transferred.
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 11]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ When relying on dynamic update to manage a signed zone [11], be aware
+ that at least one private key of the zone will have to reside on the
+ master server. This key is only as secure as the amount of exposure
+ the server receives to unknown clients and the security of the host.
+ Although not mandatory, one could administer the DNS in the following
+ way. The master that processes the dynamic updates is unavailable
+ from generic hosts on the Internet, it is not listed in the NS RRSet,
+ although its name appears in the SOA RRs MNAME field. The
+ nameservers in the NS RRSet are able to receive zone updates through
+ NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This
+ approach is known as the "hidden master" setup.
+
+ The ideal situation is to have a one-way information flow to the
+ network to avoid the possibility of tampering from the network.
+ Keeping the zone master file on-line on the network and simply
+ cycling it through an off-line signer does not do this. The on-line
+ version could still be tampered with if the host it resides on is
+ compromised. For maximum security, the master copy of the zone file
+ should be off-net and should not be updated based on an unsecured
+ network mediated communication.
+
+ In general, keeping a zone file off-line will not be practical and
+ the machines on which zone files are maintained will be connected to
+ a network. Operators are advised to take security measures to shield
+ unauthorized access to the master copy.
+
+ For dynamically updated secured zones [11], both the master copy and
+ the private key that is used to update signatures on updated RRs will
+ need to be on-line.
+
+4. Signature Generation, Key Rollover, and Related Policies
+
+4.1. Time in DNSSEC
+
+ Without DNSSEC, all times in the DNS are relative. The SOA fields
+ REFRESH, RETRY, and EXPIRATION are timers used to determine the time
+ elapsed after a slave server synchronized with a master server. The
+ Time to Live (TTL) value and the SOA RR minimum TTL parameter [9] are
+ used to determine how long a forwarder should cache data after it has
+ been fetched from an authoritative server. By using a signature
+ validity period, DNSSEC introduces the notion of an absolute time in
+ the DNS. Signatures in DNSSEC have an expiration date after which
+ the signature is marked as invalid and the signed data is to be
+ considered Bogus.
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 12]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+4.1.1. Time Considerations
+
+ Because of the expiration of signatures, one should consider the
+ following:
+
+ o We suggest the Maximum Zone TTL of your zone data to be a fraction
+ of your signature validity period.
+
+ If the TTL would be of similar order as the signature validity
+ period, then all RRSets fetched during the validity period
+ would be cached until the signature expiration time. Section
+ 7.1 of [3] suggests that "the resolver may use the time
+ remaining before expiration of the signature validity period of
+ a signed RRSet as an upper bound for the TTL". As a result,
+ query load on authoritative servers would peak at signature
+ expiration time, as this is also the time at which records
+ simultaneously expire from caches.
+
+ To avoid query load peaks, we suggest the TTL on all the RRs in
+ your zone to be at least a few times smaller than your
+ signature validity period.
+
+ o We suggest the signature publication period to end at least one
+ Maximum Zone TTL duration before the end of the signature validity
+ period.
+
+ Re-signing a zone shortly before the end of the signature
+ validity period may cause simultaneous expiration of data from
+ caches. This in turn may lead to peaks in the load on
+ authoritative servers.
+
+ o We suggest the Minimum Zone TTL to be long enough to both fetch
+ and verify all the RRs in the trust chain. In workshop
+ environments, it has been demonstrated [19] that a low TTL (under
+ 5 to 10 minutes) caused disruptions because of the following two
+ problems:
+
+ 1. During validation, some data may expire before the
+ validation is complete. The validator should be able to keep
+ all data until it is completed. This applies to all RRs needed
+ to complete the chain of trust: DSes, DNSKEYs, RRSIGs, and the
+ final answers, i.e., the RRSet that is returned for the initial
+ query.
+
+ 2. Frequent verification causes load on recursive nameservers.
+ Data at delegation points, DSes, DNSKEYs, and RRSIGs benefit
+ from caching. The TTL on those should be relatively long.
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 13]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ o Slave servers will need to be able to fetch newly signed zones
+ well before the RRSIGs in the zone served by the slave server pass
+ their signature expiration time.
+
+ When a slave server is out of sync with its master and data in
+ a zone is signed by expired signatures, it may be better for
+ the slave server not to give out any answer.
+
+ Normally, a slave server that is not able to contact a master
+ server for an extended period will expire a zone. When that
+ happens, the server will respond differently to queries for
+ that zone. Some servers issue SERVFAIL, whereas others turn
+ off the 'AA' bit in the answers. The time of expiration is set
+ in the SOA record and is relative to the last successful
+ refresh between the master and the slave servers. There exists
+ no coupling between the signature expiration of RRSIGs in the
+ zone and the expire parameter in the SOA.
+
+ If the server serves a DNSSEC zone, then it may well happen
+ that the signatures expire well before the SOA expiration timer
+ counts down to zero. It is not possible to completely prevent
+ this from happening by tweaking the SOA parameters.
+
+ However, the effects can be minimized where the SOA expiration
+ time is equal to or shorter than the signature validity period.
+
+ The consequence of an authoritative server not being able to
+ update a zone, whilst that zone includes expired signatures, is
+ that non-secure resolvers will continue to be able to resolve
+ data served by the particular slave servers while security-
+ aware resolvers will experience problems because of answers
+ being marked as Bogus.
+
+ We suggest the SOA expiration timer being approximately one
+ third or one fourth of the signature validity period. It will
+ allow problems with transfers from the master server to be
+ noticed before the actual signature times out.
+
+ We also suggest that operators of nameservers that supply
+ secondary services develop 'watch dogs' to spot upcoming
+ signature expirations in zones they slave, and take appropriate
+ action.
+
+ When determining the value for the expiration parameter one has
+ to take the following into account: What are the chances that
+ all my secondaries expire the zone? How quickly can I reach an
+ administrator of secondary servers to load a valid zone? These
+ questions are not DNSSEC specific but may influence the choice
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 14]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ of your signature validity intervals.
+
+4.2. Key Rollovers
+
+ Regardless of whether a zone uses periodic key rollovers in order to
+ practice for emergencies, or only rolls over keys in an emergency,
+ key rollovers are a fact of life when using DNSSEC. Zone
+ administrators who are in the process of rolling their keys have to
+ take into account that data published in previous versions of their
+ zone still lives in caches. When deploying DNSSEC, this becomes an
+ important consideration; ignoring data that may be in caches may lead
+ to loss of service for clients.
+
+ The most pressing example of this occurs when zone material signed
+ with an old key is being validated by a resolver that does not have
+ the old zone key cached. If the old key is no longer present in the
+ current zone, this validation fails, marking the data "Bogus".
+ Alternatively, an attempt could be made to validate data that is
+ signed with a new key against an old key that lives in a local cache,
+ also resulting in data being marked "Bogus".
+
+4.2.1. Zone Signing Key Rollovers
+
+ For "Zone Signing Key rollovers", there are two ways to make sure
+ that during the rollover data still cached can be verified with the
+ new key sets or newly generated signatures can be verified with the
+ keys still in caches. One schema, described in Section 4.2.1.2, uses
+ double signatures; the other uses key pre-publication
+ (Section 4.2.1.1). The pros, cons, and recommendations are described
+ in Section 4.2.1.3.
+
+4.2.1.1. Pre-Publish Key Rollover
+
+ This section shows how to perform a ZSK rollover without the need to
+ sign all the data in a zone twice -- the "pre-publish key rollover".
+ This method has advantages in the case of a key compromise. If the
+ old key is compromised, the new key has already been distributed in
+ the DNS. The zone administrator is then able to quickly switch to
+ the new key and remove the compromised key from the zone. Another
+ major advantage is that the zone size does not double, as is the case
+ with the double signature ZSK rollover. A small "how-to" for this
+ kind of rollover can be found in Appendix B.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 15]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Pre-publish key rollover involves four stages as follows:
+
+ ----------------------------------------------------------------
+ initial new DNSKEY new RRSIGs DNSKEY removal
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2 SOA3
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
+
+ DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ Pre-Publish Key Rollover
+
+ initial: Initial version of the zone: DNSKEY 1 is the Key Signing
+ Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+ Signing Key.
+
+ new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
+ signatures are generated with this key yet, but this does not
+ secure against brute force attacks on the public key. The minimum
+ duration of this pre-roll phase is the time it takes for the data
+ to propagate to the authoritative servers plus TTL value of the
+ key set.
+
+ new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
+ used to sign the data in the zone exclusively (i.e., all the
+ signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
+ remains published in the key set. This way data that was loaded
+ into caches from version 1 of the zone can still be verified with
+ key sets fetched from version 2 of the zone. The minimum time
+ that the key set including DNSKEY 10 is to be published is the
+ time that it takes for zone data from the previous version of the
+ zone to expire from old caches, i.e., the time it takes for this
+ zone to propagate to all authoritative servers plus the Maximum
+ Zone TTL value of any of the data in the previous version of the
+ zone.
+
+ DNSKEY removal: DNSKEY 10 is removed from the zone. The key set,
+ now only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
+ DNSKEY 1.
+
+ The above scheme can be simplified by always publishing the "future"
+ key immediately after the rollover. The scheme would look as follows
+ (we show two rollovers); the future key is introduced in "new DNSKEY"
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 16]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
+ (II)":
+
+
+ initial new RRSIGs new DNSKEY
+ -----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11 DNSKEY12
+ RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ ----------------------------------------------------------------
+ new RRSIGs (II) new DNSKEY (II)
+ ----------------------------------------------------------------
+ SOA3 SOA4
+ RRSIG12(SOA3) RRSIG12(SOA4)
+
+ DNSKEY1 DNSKEY1
+ DNSKEY11 DNSKEY12
+ DNSKEY12 DNSKEY13
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG12(DNSKEY) RRSIG12(DNSKEY)
+ ----------------------------------------------------------------
+
+ Pre-Publish Key Rollover, Showing Two Rollovers
+
+ Note that the key introduced in the "new DNSKEY" phase is not used
+ for production yet; the private key can thus be stored in a
+ physically secure manner and does not need to be 'fetched' every time
+ a zone needs to be signed.
+
+4.2.1.2. Double Signature Zone Signing Key Rollover
+
+ This section shows how to perform a ZSK key rollover using the double
+ zone data signature scheme, aptly named "double signature rollover".
+
+ During the "new DNSKEY" stage the new version of the zone file will
+ need to propagate to all authoritative servers and the data that
+ exists in (distant) caches will need to expire, requiring at least
+ the Maximum Zone TTL.
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 17]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Double signature ZSK rollover involves three stages as follows:
+
+ ----------------------------------------------------------------
+ initial new DNSKEY DNSKEY removal
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
+ RRSIG11(SOA1)
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
+ RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ Double Signature Zone Signing Key Rollover
+
+ initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
+ Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+ Signing Key.
+
+ new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
+ introduced into the key set and all the data in the zone is signed
+ with DNSKEY 10 and DNSKEY 11. The rollover period will need to
+ continue until all data from version 0 of the zone has expired
+ from remote caches. This will take at least the Maximum Zone TTL
+ of version 0 of the zone.
+
+ DNSKEY removal: DNSKEY 10 is removed from the zone. All the
+ signatures from DNSKEY 10 are removed from the zone. The key set,
+ now only containing DNSKEY 11, is re-signed with DNSKEY 1.
+
+ At every instance, RRSIGs from the previous version of the zone can
+ be verified with the DNSKEY RRSet from the current version and the
+ other way around. The data from the current version can be verified
+ with the data from the previous version of the zone. The duration of
+ the "new DNSKEY" phase and the period between rollovers should be at
+ least the Maximum Zone TTL.
+
+ Making sure that the "new DNSKEY" phase lasts until the signature
+ expiration time of the data in the initial version of the zone is
+ recommended. This way all caches are cleared of the old signatures.
+ However, this duration could be considerably longer than the Maximum
+ Zone TTL, making the rollover a lengthy procedure.
+
+ Note that in this example we assumed that the zone was not modified
+ during the rollover. New data can be introduced in the zone as long
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 18]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ as it is signed with both keys.
+
+4.2.1.3. Pros and Cons of the Schemes
+
+ Pre-publish key rollover: This rollover does not involve signing the
+ zone data twice. Instead, before the actual rollover, the new key
+ is published in the key set and thus is available for
+ cryptanalysis attacks. A small disadvantage is that this process
+ requires four steps. Also the pre-publish scheme involves more
+ parental work when used for KSK rollovers as explained in
+ Section 4.2.3.
+
+ Double signature ZSK rollover: The drawback of this signing scheme
+ is that during the rollover the number of signatures in your zone
+ doubles; this may be prohibitive if you have very big zones. An
+ advantage is that it only requires three steps.
+
+4.2.2. Key Signing Key Rollovers
+
+ For the rollover of a Key Signing Key, the same considerations as for
+ the rollover of a Zone Signing Key apply. However, we can use a
+ double signature scheme to guarantee that old data (only the apex key
+ set) in caches can be verified with a new key set and vice versa.
+ Since only the key set is signed with a KSK, zone size considerations
+ do not apply.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 19]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ --------------------------------------------------------------------
+ initial new DNSKEY DS change DNSKEY removal
+ --------------------------------------------------------------------
+ Parent:
+ SOA0 --------> SOA1 -------->
+ RRSIGpar(SOA0) --------> RRSIGpar(SOA1) -------->
+ DS1 --------> DS2 -------->
+ RRSIGpar(DS) --------> RRSIGpar(DS) -------->
+
+
+ Child:
+ SOA0 SOA1 --------> SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
+ -------->
+ DNSKEY1 DNSKEY1 --------> DNSKEY2
+ DNSKEY2 -------->
+ DNSKEY10 DNSKEY10 --------> DNSKEY10
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY)
+ RRSIG2 (DNSKEY) -------->
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
+ --------------------------------------------------------------------
+
+ Stages of Deployment for a Double Signature Key Signing Key Rollover
+
+ initial: Initial version of the zone. The parental DS points to
+ DNSKEY1. Before the rollover starts, the child will have to
+ verify what the TTL is of the DS RR that points to DNSKEY1 -- it
+ is needed during the rollover and we refer to the value as TTL_DS.
+
+ new DNSKEY: During the "new DNSKEY" phase, the zone administrator
+ generates a second KSK, DNSKEY2. The key is provided to the
+ parent, and the child will have to wait until a new DS RR has been
+ generated that points to DNSKEY2. After that DS RR has been
+ published on all servers authoritative for the parent's zone, the
+ zone administrator has to wait at least TTL_DS to make sure that
+ the old DS RR has expired from caches.
+
+ DS change: The parent replaces DS1 with DS2.
+
+ DNSKEY removal: DNSKEY1 has been removed.
+
+ The scenario above puts the responsibility for maintaining a valid
+ chain of trust with the child. It also is based on the premise that
+ the parent only has one DS RR (per algorithm) per zone. An
+ alternative mechanism has been considered. Using an established
+ trust relation, the interaction can be performed in-band, and the
+ removal of the keys by the child can possibly be signaled by the
+ parent. In this mechanism, there are periods where there are two DS
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 20]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ RRs at the parent. Since at the moment of writing the protocol for
+ this interaction has not been developed, further discussion is out of
+ scope for this document.
+
+4.2.3. Difference Between ZSK and KSK Rollovers
+
+ Note that KSK rollovers and ZSK rollovers are different in the sense
+ that a KSK rollover requires interaction with the parent (and
+ possibly replacing of trust anchors) and the ensuing delay while
+ waiting for it.
+
+ A zone key rollover can be handled in two different ways: pre-publish
+ (Section 4.2.1.1) and double signature (Section 4.2.1.2).
+
+ As the KSK is used to validate the key set and because the KSK is not
+ changed during a ZSK rollover, a cache is able to validate the new
+ key set of the zone. The pre-publish method would also work for a
+ KSK rollover. The records that are to be pre-published are the
+ parental DS RRs. The pre-publish method has some drawbacks for KSKs.
+ We first describe the rollover scheme and then indicate these
+ drawbacks.
+
+
+ --------------------------------------------------------------------
+ initial new DS new DNSKEY DS/DNSKEY removal
+ --------------------------------------------------------------------
+ Parent:
+ SOA0 SOA1 --------> SOA2
+ RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2)
+ DS1 DS1 --------> DS2
+ DS2 -------->
+ RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS)
+
+ Child:
+ SOA0 --------> SOA1 SOA1
+ RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1)
+ -------->
+ DNSKEY1 --------> DNSKEY2 DNSKEY2
+ -------->
+ DNSKEY10 --------> DNSKEY10 DNSKEY10
+ RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
+ RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+ --------------------------------------------------------------------
+
+ Stages of Deployment for a Pre-Publish Key Signing Key Rollover
+
+ When the child zone wants to roll, it notifies the parent during the
+ "new DS" phase and submits the new key (or the corresponding DS) to
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 21]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1
+ and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase),
+ which can take place as soon as the new DS set propagated through the
+ DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that
+ ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
+ record can be deleted.
+
+ The drawbacks of this scheme are that during the "new DS" phase the
+ parent cannot verify the match between the DS2 RR and DNSKEY2 using
+ the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a
+ "security lame" key (see Section 4.4.3). Finally, the child-parent
+ interaction consists of two steps. The "double signature" method
+ only needs one interaction.
+
+4.2.4. Key algorithm rollover
+
+ [OK: The txt of this section is a strawman for the issue in: http://
+ www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
+ ]
+
+ A special class of keyrollover is the rollover of key algorithms
+ (either adding a new algorithm, removing an old algorithm, or both),
+ additional steps are needed to retain integrity during the rollover.
+
+ Because of the algorithm downgrade protection in RFC4035 section 2.2,
+ you may not have a key of an algorithm for which you do not have
+ signatures.
+
+ When adding a new algorithm, the signatures should be added first.
+ After the TTL has expired, and caches have dropped the old data
+ covered by those signatures, the DNSKEY with the new algorithm can be
+ added. When removing an old algorithm, the DNSKEY should be removed
+ first.
+
+ To do both, the following steps can be used. For simplicity, we use
+ a zone that is only signed by one zone signing key.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 22]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ ----------------------------------------------------------------
+ 1 Initial 2 New RRSIGS 3 New DNSKEY
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG1(SOA0) RRSIG1(SOA1) RRSIG1(SOA2)
+ RRSIG2(SOA1) RRSIG2(SOA2)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY) DNSKEY2
+ RRSIG2(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG2(DNSKEY)
+ ----------------------------------------------------------------
+ 4 Remove DNSKEY 5 Remove RRSIGS
+ ----------------------------------------------------------------
+ SOA3 SOA4
+ RRSIG1(SOA3) RRSIG2(SOA4)
+ RRSIG2(SOA3)
+
+ DNSKEY2 DNSKEY2
+ RRSIG1(DNSKEY) RRSIG2(DNSKEY)
+ RRSIG2(DNSKEY)
+ ----------------------------------------------------------------
+
+ Stages of Deployment during an Algorithm Rollover.
+
+ In step 2, the signatures for the new key are added, but the key
+ itself is not. While in theory, the signatures of the keyset should
+ always be synchronized with the keyset itself, it can be possible
+ that RRSIGS are requested separately, so it might be prudent to also
+ sign the DNSKEY set with the new signature.
+
+ After the cache data has expired, the new key can be added to the
+ zone, as done in step 3.
+
+ The next step is to remove the old algorithm. This time the key
+ needs to be removed first, before removing the signatures. The key
+ is removed in step 4, and after the cache data has expired, the
+ signatures can be removed in step 5.
+
+ The above steps ensure that during the rollover to a new algorithm,
+ the integrity of the zone is never broken.
+
+4.2.5. Automated Key Rollovers
+
+ As keys must be renewed periodically, there is some motivation to
+ automate the rollover process. Consider the following:
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 23]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ o ZSK rollovers are easy to automate as only the child zone is
+ involved.
+
+ o A KSK rollover needs interaction between parent and child. Data
+ exchange is needed to provide the new keys to the parent;
+ consequently, this data must be authenticated and integrity must
+ be guaranteed in order to avoid attacks on the rollover.
+
+4.3. Planning for Emergency Key Rollover
+
+ This section deals with preparation for a possible key compromise.
+ Our advice is to have a documented procedure ready for when a key
+ compromise is suspected or confirmed.
+
+ When the private material of one of your keys is compromised it can
+ be used for as long as a valid trust chain exists. A trust chain
+ remains intact for
+
+ o as long as a signature over the compromised key in the trust chain
+ is valid,
+
+ o as long as a parental DS RR (and signature) points to the
+ compromised key,
+
+ o as long as the key is anchored in a resolver and is used as a
+ starting point for validation (this is generally the hardest to
+ update).
+
+ While a trust chain to your compromised key exists, your namespace is
+ vulnerable to abuse by anyone who has obtained illegitimate
+ possession of the key. Zone operators have to make a trade-off if
+ the abuse of the compromised key is worse than having data in caches
+ that cannot be validated. If the zone operator chooses to break the
+ trust chain to the compromised key, data in caches signed with this
+ key cannot be validated. However, if the zone administrator chooses
+ to take the path of a regular rollover, the malicious key holder can
+ spoof data so that it appears to be valid.
+
+4.3.1. KSK Compromise
+
+ A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
+ as long as the compromised KSK is configured as trust anchor or a
+ parental DS points to it.
+
+ A compromised KSK can be used to sign the key set of an attacker's
+ zone. That zone could be used to poison the DNS.
+
+ Therefore, when the KSK has been compromised, the trust anchor or the
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 24]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ parental DS should be replaced as soon as possible. It is local
+ policy whether to break the trust chain during the emergency
+ rollover. The trust chain would be broken when the compromised KSK
+ is removed from the child's zone while the parent still has a DS
+ pointing to the compromised KSK (the assumption is that there is only
+ one DS at the parent. If there are multiple DSes this does not apply
+ -- however the chain of trust of this particular key is broken).
+
+ Note that an attacker's zone still uses the compromised KSK and the
+ presence of a parental DS would cause the data in this zone to appear
+ as valid. Removing the compromised key would cause the attacker's
+ zone to appear as valid and the child's zone as Bogus. Therefore, we
+ advise not to remove the KSK before the parent has a DS to a new KSK
+ in place.
+
+4.3.1.1. Keeping the Chain of Trust Intact
+
+ If we follow this advice, the timing of the replacement of the KSK is
+ somewhat critical. The goal is to remove the compromised KSK as soon
+ as the new DS RR is available at the parent. And also make sure that
+ the signature made with a new KSK over the key set with the
+ compromised KSK in it expires just after the new DS appears at the
+ parent, thus removing the old cruft in one swoop.
+
+ The procedure is as follows:
+
+ 1. Introduce a new KSK into the key set, keep the compromised KSK in
+ the key set.
+
+ 2. Sign the key set, with a short validity period. The validity
+ period should expire shortly after the DS is expected to appear
+ in the parent and the old DSes have expired from caches.
+
+ 3. Upload the DS for this new key to the parent.
+
+ 4. Follow the procedure of the regular KSK rollover: Wait for the DS
+ to appear in the authoritative servers and then wait as long as
+ the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet
+ and modify/extend the expiration time.
+
+ 5. Remove the compromised DNSKEY RR from the zone and re-sign the
+ key set using your "normal" validity interval.
+
+ An additional danger of a key compromise is that the compromised key
+ could be used to facilitate a legitimate DNSKEY/DS rollover and/or
+ nameserver changes at the parent. When that happens, the domain may
+ be in dispute. An authenticated out-of-band and secure notify
+ mechanism to contact a parent is needed in this case.
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 25]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Note that this is only a problem when the DNSKEY and or DS records
+ are used for authentication at the parent.
+
+4.3.1.2. Breaking the Chain of Trust
+
+ There are two methods to break the chain of trust. The first method
+ causes the child zone to appear 'Bogus' to validating resolvers. The
+ other causes the child zone to appear 'insecure'. These are
+ described below.
+
+ In the method that causes the child zone to appear 'Bogus' to
+ validating resolvers, the child zone replaces the current KSK with a
+ new one and re-signs the key set. Next it sends the DS of the new
+ key to the parent. Only after the parent has placed the new DS in
+ the zone is the child's chain of trust repaired.
+
+ An alternative method of breaking the chain of trust is by removing
+ the DS RRs from the parent zone altogether. As a result, the child
+ zone would become insecure.
+
+4.3.2. ZSK Compromise
+
+ Primarily because there is no parental interaction required when a
+ ZSK is compromised, the situation is less severe than with a KSK
+ compromise. The zone must still be re-signed with a new ZSK as soon
+ as possible. As this is a local operation and requires no
+ communication between the parent and child, this can be achieved
+ fairly quickly. However, one has to take into account that just as
+ with a normal rollover the immediate disappearance of the old
+ compromised key may lead to verification problems. Also note that as
+ long as the RRSIG over the compromised ZSK is not expired the zone
+ may be still at risk.
+
+4.3.3. Compromises of Keys Anchored in Resolvers
+
+ A key can also be pre-configured in resolvers. For instance, if
+ DNSSEC is successfully deployed the root key may be pre-configured in
+ most security aware resolvers.
+
+ If trust-anchor keys are compromised, the resolvers using these keys
+ should be notified of this fact. Zone administrators may consider
+ setting up a mailing list to communicate the fact that a SEP key is
+ about to be rolled over. This communication will of course need to
+ be authenticated, e.g., by using digital signatures.
+
+ End-users faced with the task of updating an anchored key should
+ always validate the new key. New keys should be authenticated out-
+ of-band, for example, through the use of an announcement website that
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 26]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ is secured using secure sockets (TLS) [23].
+
+4.4. Parental Policies
+
+4.4.1. Initial Key Exchanges and Parental Policies Considerations
+
+ The initial key exchange is always subject to the policies set by the
+ parent. When designing a key exchange policy one should take into
+ account that the authentication and authorization mechanisms used
+ during a key exchange should be as strong as the authentication and
+ authorization mechanisms used for the exchange of delegation
+ information between parent and child. That is, there is no implicit
+ need in DNSSEC to make the authentication process stronger than it
+ was in DNS.
+
+ Using the DNS itself as the source for the actual DNSKEY material,
+ with an out-of-band check on the validity of the DNSKEY, has the
+ benefit that it reduces the chances of user error. A DNSKEY query
+ tool can make use of the SEP bit [5] to select the proper key from a
+ DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
+ sent. It can validate the self-signature over a key; thereby
+ verifying the ownership of the private key material. Fetching the
+ DNSKEY from the DNS ensures that the chain of trust remains intact
+ once the parent publishes the DS RR indicating the child is secure.
+
+ Note: the out-of-band verification is still needed when the key
+ material is fetched via the DNS. The parent can never be sure
+ whether or not the DNSKEY RRs have been spoofed.
+
+4.4.2. Storing Keys or Hashes?
+
+ When designing a registry system one should consider which of the
+ DNSKEYs and/or the corresponding DSes to store. Since a child zone
+ might wish to have a DS published using a message digest algorithm
+ not yet understood by the registry, the registry can't count on being
+ able to generate the DS record from a raw DNSKEY. Thus, we recommend
+ that registry systems at least support storing DS records.
+
+ It may also be useful to store DNSKEYs, since having them may help
+ during troubleshooting and, as long as the child's chosen message
+ digest is supported, the overhead of generating DS records from them
+ is minimal. Having an out-of-band mechanism, such as a registry
+ directory (e.g., Whois), to find out which keys are used to generate
+ DS Resource Records for specific owners and/or zones may also help
+ with troubleshooting.
+
+ The storage considerations also relate to the design of the customer
+ interface and the method by which data is transferred between
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 27]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ registrant and registry; Will the child zone administrator be able to
+ upload DS RRs with unknown hash algorithms or does the interface only
+ allow DNSKEYs? In the registry-registrar model, one can use the
+ DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
+ which allows transfer of DS RRs and optionally DNSKEY RRs.
+
+4.4.3. Security Lameness
+
+ Security lameness is defined as what happens when a parent has a DS
+ RR pointing to a non-existing DNSKEY RR. When this happens, the
+ child's zone may be marked "Bogus" by verifying DNS clients.
+
+ As part of a comprehensive delegation check, the parent could, at key
+ exchange time, verify that the child's key is actually configured in
+ the DNS. However, if a parent does not understand the hashing
+ algorithm used by child, the parental checks are limited to only
+ comparing the key id.
+
+ Child zones should be very careful in removing DNSKEY material,
+ specifically SEP keys, for which a DS RR exists.
+
+ Once a zone is "security lame", a fix (e.g., removing a DS RR) will
+ take time to propagate through the DNS.
+
+4.4.4. DS Signature Validity Period
+
+ Since the DS can be replayed as long as it has a valid signature, a
+ short signature validity period over the DS minimizes the time a
+ child is vulnerable in the case of a compromise of the child's
+ KSK(s). A signature validity period that is too short introduces the
+ possibility that a zone is marked "Bogus" in case of a configuration
+ error in the signer. There may not be enough time to fix the
+ problems before signatures expire. Something as mundane as operator
+ unavailability during weekends shows the need for DS signature
+ validity periods longer than 2 days. We recommend an absolute
+ minimum for a DS signature validity period of a few days.
+
+ The maximum signature validity period of the DS record depends on how
+ long child zones are willing to be vulnerable after a key compromise.
+ On the other hand, shortening the DS signature validity interval
+ increases the operational risk for the parent. Therefore, the parent
+ may have policy to use a signature validity interval that is
+ considerably longer than the child would hope for.
+
+ A compromise between the operational constraints of the parent and
+ minimizing damage for the child may result in a DS signature validity
+ period somewhere between a week and months.
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 28]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ In addition to the signature validity period, which sets a lower
+ bound on the number of times the zone owner will need to sign the
+ zone data and which sets an upper bound to the time a child is
+ vulnerable after key compromise, there is the TTL value on the DS
+ RRs. Shortening the TTL means that the authoritative servers will
+ see more queries. But on the other hand, a short TTL lowers the
+ persistence of DS RRSets in caches thereby increasing the speed with
+ which updated DS RRSets propagate through the DNS.
+
+4.4.5. (Non) Cooperating Registrars
+
+ [OK: this is a first strawman, and is intended to start the
+ discussion of the issue. By no means this is intended to be a final
+ text.]
+
+ The parent-child relation is often described in terms of a (thin)
+ registry model. Where a registry maintains the parent zone, and the
+ registrant (the user of the child-domain name), deals with the
+ registry through an intermediary called a registrar. (See [12] for a
+ comprehensive definition). Registrants may out-source the
+ maintenance of their DNS system, including the maintenance of DNSSEC
+ key material, to the registrar or to another third party. The entity
+ that has control over the DNS zone and its keys may prevent the
+ registrant to make a timely move to a different registrar. [OK: I
+ use the term registrar below while it is the operator of the DNS zone
+ who is the actual culprit. For instance, the case also applies when
+ a registrant passes a zone to another registrant. Should I just use
+ "DNS Administrator"?]
+
+ Suppose that the registrant wants to move from losing registrar A to
+ gaining registrar B. Let us first look what would happen in a
+ cooperative environment. The assumption is that registrar A will not
+ hand off any private key material to registrar B because that would
+ be a trivial case.
+
+ In a cooperating environment one could proceed with a pre-publish ZSK
+ rollover whereby registrar A pre-publishes the ZSK of registrar B,
+ combined with a double signature KSK rollover where the two
+ registrars exchange public keys and independently generate a
+ signature over the keysets that they combine and both publish in the
+ zone.
+
+ In the non-cooperative case matters are more complicated. The
+ loosing registrar A may not cooperate and leave the data in the DNS
+ as is. In the extreme case registrar A may become obstructive and
+ publish a DNSKEY RR with a high TTL and corresponding signature
+ validity so that registrar A's DNSKEY, would end up in caches for, in
+ theory, tens of years.
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 29]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ The problem arises when a validator tries to validate with A's key
+ and there is no signature material produced with Registrars A
+ available in the delegation path after redelegation from registrar A
+ to registrar B has taken place. One could imagine a rollover
+ scenario where registrar B pulls all RRSIGs created by registar A and
+ publishes those in conjunction with its own signatures, but that
+ would not allow any changes in the zone content. Since a
+ redelegation took place the NS RRset has -- per definition-- changed
+ so such rollover scenario will not work. Besides if zone transfers
+ are not allowed by A and NSEC3 is deployed in the A's zone then
+ registrar B will not have certainty that all of A's RRSIGs are
+ transfered.
+
+ The only viable option for the registrant is to publish its zone
+ unsigned and ask the registry to remove the DS pointing to registrar
+ A for as long as the DNSKEY of registrar A, or any of the signatures
+ produced by registrar A are likely to appear in caches, which as
+ mentioned above could in theory be for tens of years. [OK: Some
+ implementations limit the time data is cached. Although that is not
+ a protocol requirement (and may even be considered a protocol
+ violation) it seems that that practice may limit the impact of this
+ problem, is that worth mentioning?]
+
+ [OK: This is really the point that I'm trying to make, is the above
+ text needed?] There is no operational methodology to work around
+ this business issue and proper contractual relations ships between
+ registrants and their registrars seem to be the only solution to cope
+ with these problems.
+
+5. Security Considerations
+
+ DNSSEC adds data integrity to the DNS. This document tries to assess
+ the operational considerations to maintain a stable and secure DNSSEC
+ service. Not taking into account the 'data propagation' properties
+ in the DNS will cause validation failures and may make secured zones
+ unavailable to security-aware resolvers.
+
+6. IANA considerations
+
+ There are no IANA considerations with respect to this document
+
+7. Acknowledgments
+
+ Most of the text of this document is copied from RFC4641 [16] people
+ involved in that work were in random order: Rip Loomis, Olafur
+ Gudmundsson, Wesley Griffin, Michael Richardson, Scott Rose, Rick van
+ Rein, Tim McGinnis, Gilles Guette Olivier Courtay, Sam Weiler, Jelte
+ Jansen, Niall O'Reilly, Holger Zuleger, Ed Lewis, Hilarie Orman,
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 30]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Marcos Sanz, Peter Koch, Mike StJohns, Emmar Bretherick, Adrian
+ Bedford, and Lindy Foster, G. Guette, and O. Courtay.
+
+ For this version of the document we would like to acknowldge:
+
+ o Paul Hoffman for his contribution on the choice of cryptographic
+ paramenters and addressing some of the trust anchor issues.
+
+ o Jelte Jansen provided the text in Section 4.2.4
+
+8. References
+
+8.1. Normative References
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+ [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions",
+ RFC 4035, March 2005.
+
+8.2. Informative References
+
+ [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [7] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+ August 1996.
+
+ [8] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
+ (DNS NOTIFY)", RFC 1996, August 1996.
+
+ [9] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+ RFC 2308, March 1998.
+
+ [10] Eastlake, D., "DNS Security Operational Considerations",
+ RFC 2541, March 1999.
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 31]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+ [12] Hollenbeck, S., "Generic Registry-Registrar Protocol
+ Requirements", RFC 3375, September 2002.
+
+ [13] Orman, H. and P. Hoffman, "Determining Strengths For Public
+ Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
+ April 2004.
+
+ [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+ Requirements for Security", BCP 106, RFC 4086, June 2005.
+
+ [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+ Mapping for the Extensible Provisioning Protocol (EPP)",
+ RFC 4310, December 2005.
+
+ [16] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
+ RFC 4641, September 2006.
+
+ [17] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949,
+ August 2007.
+
+ [18] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
+ Anchors", RFC 5011, September 2007.
+
+ [19] Rose, S., "NIST DNSSEC workshop notes", , June 2001.
+
+ [20] Barker, E. and J. Kelsey, "Recommendation for Random Number
+ Generation Using Deterministic Random Bit Generators
+ (Revised)", Nist Special Publication 800-90, March 2007.
+
+ [21] Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY and
+ RRSIG Resource Records for DNSSEC",
+ draft-ietf-dnsext-dnssec-rsasha256-05 (work in progress),
+ July 2008.
+
+ [22] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+ Resource Records (RRs)", RFC 4509, May 2006.
+
+ [23] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
+ T. Wright, "Transport Layer Security (TLS) Extensions",
+ RFC 4366, April 2006.
+
+Appendix A. Terminology
+
+ In this document, there is some jargon used that is defined in other
+ documents. In most cases, we have not copied the text from the
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 32]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ documents defining the terms but have given a more elaborate
+ explanation of the meaning. Note that these explanations should not
+ be seen as authoritative.
+
+ Anchored key: A DNSKEY configured in resolvers around the globe.
+ This key is hard to update, hence the term anchored.
+
+ Bogus: Also see Section 5 of [3]. An RRSet in DNSSEC is marked
+ "Bogus" when a signature of an RRSet does not validate against a
+ DNSKEY.
+
+ Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is
+ used exclusively for signing the apex key set. The fact that a
+ key is a KSK is only relevant to the signing tool.
+
+ Key size: The term 'key size' can be substituted by 'modulus size'
+ throughout the document. It is mathematically more correct to use
+ modulus size, but as this is a document directed at operators we
+ feel more at ease with the term key size.
+
+ Private and public keys: DNSSEC secures the DNS through the use of
+ public key cryptography. Public key cryptography is based on the
+ existence of two (mathematically related) keys, a public key and a
+ private key. The public keys are published in the DNS by use of
+ the DNSKEY Resource Record (DNSKEY RR). Private keys should
+ remain private.
+
+ Key rollover: A key rollover (also called key supercession in some
+ environments) is the act of replacing one key pair with another at
+ the end of a key effectivity period.
+
+ Secure Entry Point (SEP) key: A KSK that has a parental DS record
+ pointing to it or is configured as a trust anchor. Although not
+ required by the protocol, we recommend that the SEP flag [5] is
+ set on these keys.
+
+ Self-signature: This only applies to signatures over DNSKEYs; a
+ signature made with DNSKEY x, over DNSKEY x is called a self-
+ signature. Note: without further information, self-signatures
+ convey no trust. They are useful to check the authenticity of the
+ DNSKEY, i.e., they can be used as a hash.
+
+ Singing the zone file: The term used for the event where an
+ administrator joyfully signs its zone file while producing melodic
+ sound patterns.
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 33]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Signer: The system that has access to the private key material and
+ signs the Resource Record sets in a zone. A signer may be
+ configured to sign only parts of the zone, e.g., only those RRSets
+ for which existing signatures are about to expire.
+
+ Zone Signing Key (ZSK): A key that is used for signing all data in a
+ zone (except, perhaps, the DNSKEY RRSet). The fact that a key is
+ a ZSK is only relevant to the signing tool.
+
+ Zone administrator: The 'role' that is responsible for signing a
+ zone and publishing it on the primary authoritative server.
+
+Appendix B. Zone Signing Key Rollover How-To
+
+ Using the pre-published signature scheme and the most conservative
+ method to assure oneself that data does not live in caches, here
+ follows the "how-to".
+
+ Step 0: The preparation: Create two keys and publish both in your
+ key set. Mark one of the keys "active" and the other "published".
+ Use the "active" key for signing your zone data. Store the
+ private part of the "published" key, preferably off-line. The
+ protocol does not provide for attributes to mark a key as active
+ or published. This is something you have to do on your own,
+ through the use of a notebook or key management tool.
+
+ Step 1: Determine expiration: At the beginning of the rollover make
+ a note of the highest expiration time of signatures in your zone
+ file created with the current key marked as active. Wait until
+ the expiration time marked in Step 1 has passed.
+
+ Step 2: Then start using the key that was marked "published" to sign
+ your data (i.e., mark it "active"). Stop using the key that was
+ marked "active"; mark it "rolled".
+
+ Step 3: It is safe to engage in a new rollover (Step 1) after at
+ least one signature validity period.
+
+Appendix C. Typographic Conventions
+
+ The following typographic conventions are used in this document:
+
+ Key notation: A key is denoted by DNSKEYx, where x is a number or an
+ identifier, x could be thought of as the key id.
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 34]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ RRSet notations: RRs are only denoted by the type. All other
+ information -- owner, class, rdata, and TTL -- is left out. Thus:
+ "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a
+ list of RRs. A example of this would be "A1, A2", specifying the
+ RRSet containing two "A" records. This could again be abbreviated
+ to just "A".
+
+ Signature notation: Signatures are denoted as RRSIGx(RRSet), which
+ means that RRSet is signed with DNSKEYx.
+
+ Zone representation: Using the above notation we have simplified the
+ representation of a signed zone by leaving out all unnecessary
+ details such as the names and by representing all data by "SOAx"
+
+ SOA representation: SOAs are represented as SOAx, where x is the
+ serial number.
+
+ Using this notation the following signed zone:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 35]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ example.net. 86400 IN SOA ns.example.net. bert.example.net. (
+ 2006022100 ; serial
+ 86400 ; refresh ( 24 hours)
+ 7200 ; retry ( 2 hours)
+ 3600000 ; expire (1000 hours)
+ 28800 ) ; minimum ( 8 hours)
+ 86400 RRSIG SOA 5 2 86400 20130522213204 (
+ 20130422213204 14 example.net.
+ cmL62SI6iAX46xGNQAdQ... )
+ 86400 NS a.example.net.
+ 86400 NS b.example.net.
+ 86400 RRSIG NS 5 2 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ SO5epiJei19AjXoUpFnQ ... )
+ 86400 DNSKEY 256 3 5 (
+ EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
+ 86400 DNSKEY 257 3 5 (
+ gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
+ 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
+ 20130422213204 14 example.net.
+ J4zCe8QX4tXVGjV4e1r9... )
+ 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
+ 20130422213204 15 example.net.
+ keVDCOpsSeDReyV6O... )
+ 86400 RRSIG NSEC 5 2 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ obj3HEp1GjnmhRjX... )
+ a.example.net. 86400 IN TXT "A label"
+ 86400 RRSIG TXT 5 3 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ IkDMlRdYLmXH7QJnuF3v... )
+ 86400 NSEC b.example.com. TXT RRSIG NSEC
+ 86400 RRSIG NSEC 5 3 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ bZMjoZ3bHjnEz0nIsPMM... )
+ ...
+
+ is reduced to the following representation:
+
+ SOA2006022100
+ RRSIG14(SOA2006022100)
+ DNSKEY14
+ DNSKEY15
+
+ RRSIG14(KEY)
+ RRSIG15(KEY)
+
+ The rest of the zone data has the same signature as the SOA record,
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 36]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ i.e., an RRSIG created with DNSKEY 14.
+
+Appendix D. Document Editing History
+
+ [To be removed prior to publication as an RFC]
+
+D.1. draft-ietf-dnsop-rfc4641-00
+
+ Version 0 was differs from RFC4641 in the following ways.
+
+ o Status of this memo appropriate for I-D
+
+ o TOC formatting differs.
+
+ o Whitespaces, linebreaks, and pagebreaks may be slightly different
+ because of xml2rfc generation.
+
+ o References slightly reordered.
+
+ o Applied the errata from
+ http://www.rfc-editor.org/errata_search.php?rfc=4641
+
+ o Inserted trivial "IANA considertations" section.
+
+ In other words it should not contain substantive changes in content
+ as intended by the workinggroup for the original RFC4641.
+
+D.2. version 0->1
+
+ Cryptography details rewritten. (See http://www.nlnetlabs.nl/svn/
+ rfc4641bis/trunk/open-issues/cryptography_flawed)
+
+ o Reference to NIST 800-90 added
+
+ o RSA/SHA256 is being recommended in addition to RSA/SHA1.
+
+ o Complete rewrite of Section 3.5 removing the table and suggesting
+ a keysize of 1024 for keys in use for less than 8 years, issued up
+ to at least 2015.
+
+ o Replaced the reference to Schneiers' applied cryptograpy with a
+ reference to RFC4949.
+
+ o Removed the KSK for high level zones consideration
+
+ Applied some differentiation with respect of the use of a KSK for
+ parent or trust-anchor relation http://www.nlnetlabs.nl/svn/
+ rfc4641bis/trunk/open-issues/differentiation_trustanchor_parent
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 37]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
+ rollover_assumptions
+
+ Added Section 4.2.4 as suggested by Jelte Jansen in http://
+ www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
+
+ Added Section 4.4.5 Issue identified by Antoin Verschuur http://
+ www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
+ non-cooperative-registrars
+
+ In Appendix A: ZSK does not nescessarily sign the DNSKEY RRset.
+
+ $Id: draft-ietf-dnsop-rfc4641bis-01.txt 28 2009-03-06 14:03:57Z olaf $
+
+Authors' Addresses
+
+ Olaf M. Kolkman
+ NLnet Labs
+ Kruislaan 419
+ Amsterdam 1098 VA
+ The Netherlands
+
+ EMail: olaf@nlnetlabs.nl
+ URI: http://www.nlnetlabs.nl
+
+
+ Miek Gieben
+
+
+ EMail: miek@miek.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 38]
+\f
--- /dev/null
+
+
+
+
+
+
+Network Working Group O. Kolkman
+Request for Comments: 4641 R. Gieben
+Obsoletes: 2541 NLnet Labs
+Category: Informational September 2006
+
+
+ DNSSEC Operational Practices
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This document describes a set of practices for operating the DNS with
+ security extensions (DNSSEC). The target audience is zone
+ administrators deploying DNSSEC.
+
+ The document discusses operational aspects of using keys and
+ signatures in the DNS. It discusses issues of key generation, key
+ storage, signature generation, key rollover, and related policies.
+
+ This document obsoletes RFC 2541, as it covers more operational
+ ground and gives more up-to-date requirements with respect to key
+ sizes and the new DNSSEC specification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 1]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. The Use of the Term 'key' ..................................4
+ 1.2. Time Definitions ...........................................4
+ 2. Keeping the Chain of Trust Intact ...............................5
+ 3. Keys Generation and Storage .....................................6
+ 3.1. Zone and Key Signing Keys ..................................6
+ 3.1.1. Motivations for the KSK and ZSK Separation ..........6
+ 3.1.2. KSKs for High-Level Zones ...........................7
+ 3.2. Key Generation .............................................8
+ 3.3. Key Effectivity Period .....................................8
+ 3.4. Key Algorithm ..............................................9
+ 3.5. Key Sizes ..................................................9
+ 3.6. Private Key Storage .......................................11
+ 4. Signature Generation, Key Rollover, and Related Policies .......12
+ 4.1. Time in DNSSEC ............................................12
+ 4.1.1. Time Considerations ................................12
+ 4.2. Key Rollovers .............................................14
+ 4.2.1. Zone Signing Key Rollovers .........................14
+ 4.2.1.1. Pre-Publish Key Rollover ..................15
+ 4.2.1.2. Double Signature Zone Signing Key
+ Rollover ..................................17
+ 4.2.1.3. Pros and Cons of the Schemes ..............18
+ 4.2.2. Key Signing Key Rollovers ..........................18
+ 4.2.3. Difference Between ZSK and KSK Rollovers ...........20
+ 4.2.4. Automated Key Rollovers ............................21
+ 4.3. Planning for Emergency Key Rollover .......................21
+ 4.3.1. KSK Compromise .....................................22
+ 4.3.1.1. Keeping the Chain of Trust Intact .........22
+ 4.3.1.2. Breaking the Chain of Trust ...............23
+ 4.3.2. ZSK Compromise .....................................23
+ 4.3.3. Compromises of Keys Anchored in Resolvers ..........24
+ 4.4. Parental Policies .........................................24
+ 4.4.1. Initial Key Exchanges and Parental Policies
+ Considerations .....................................24
+ 4.4.2. Storing Keys or Hashes? ............................25
+ 4.4.3. Security Lameness ..................................25
+ 4.4.4. DS Signature Validity Period .......................26
+ 5. Security Considerations ........................................26
+ 6. Acknowledgments ................................................26
+ 7. References .....................................................27
+ 7.1. Normative References ......................................27
+ 7.2. Informative References ....................................28
+ Appendix A. Terminology ...........................................30
+ Appendix B. Zone Signing Key Rollover How-To ......................31
+ Appendix C. Typographic Conventions ...............................32
+
+
+
+
+Kolkman & Gieben Informational [Page 2]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+1. Introduction
+
+ This document describes how to run a DNS Security (DNSSEC)-enabled
+ environment. It is intended for operators who have knowledge of the
+ DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
+ See RFC 4033 [4] for an introduction to DNSSEC, RFC 4034 [5] for the
+ newly introduced Resource Records (RRs), and RFC 4035 [6] for the
+ protocol changes.
+
+ During workshops and early operational deployment tests, operators
+ and system administrators have gained experience about operating the
+ DNS with security extensions (DNSSEC). This document translates
+ these experiences into a set of practices for zone administrators.
+ At the time of writing, there exists very little experience with
+ DNSSEC in production environments; this document should therefore
+ explicitly not be seen as representing 'Best Current Practices'.
+
+ The procedures herein are focused on the maintenance of signed zones
+ (i.e., signing and publishing zones on authoritative servers). It is
+ intended that maintenance of zones such as re-signing or key
+ rollovers be transparent to any verifying clients on the Internet.
+
+ The structure of this document is as follows. In Section 2, we
+ discuss the importance of keeping the "chain of trust" intact.
+ Aspects of key generation and storage of private keys are discussed
+ in Section 3; the focus in this section is mainly on the private part
+ of the key(s). Section 4 describes considerations concerning the
+ public part of the keys. Since these public keys appear in the DNS
+ one has to take into account all kinds of timing issues, which are
+ discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
+ rollover, or supercession, of keys. Finally, Section 4.4 discusses
+ considerations on how parents deal with their children's public keys
+ in order to maintain chains of trust.
+
+ The typographic conventions used in this document are explained in
+ Appendix C.
+
+ Since this is a document with operational suggestions and there are
+ no protocol specifications, the RFC 2119 [7] language does not apply.
+
+ This document obsoletes RFC 2541 [12] to reflect the evolution of the
+ underlying DNSSEC protocol since then. Changes in the choice of
+ cryptographic algorithms, DNS record types and type names, and the
+ parent-child key and signature exchange demanded a major rewrite and
+ additional information and explanation.
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 3]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+1.1. The Use of the Term 'key'
+
+ It is assumed that the reader is familiar with the concept of
+ asymmetric keys on which DNSSEC is based (public key cryptography
+ [17]). Therefore, this document will use the term 'key' rather
+ loosely. Where it is written that 'a key is used to sign data' it is
+ assumed that the reader understands that it is the private part of
+ the key pair that is used for signing. It is also assumed that the
+ reader understands that the public part of the key pair is published
+ in the DNSKEY Resource Record and that it is the public part that is
+ used in key exchanges.
+
+1.2. Time Definitions
+
+ In this document, we will be using a number of time-related terms.
+ The following definitions apply:
+
+ o "Signature validity period" The period that a signature is valid.
+ It starts at the time specified in the signature inception field
+ of the RRSIG RR and ends at the time specified in the expiration
+ field of the RRSIG RR.
+
+ o "Signature publication period" Time after which a signature (made
+ with a specific key) is replaced with a new signature (made with
+ the same key). This replacement takes place by publishing the
+ relevant RRSIG in the master zone file. After one stops
+ publishing an RRSIG in a zone, it may take a while before the
+ RRSIG has expired from caches and has actually been removed from
+ the DNS.
+
+ o "Key effectivity period" The period during which a key pair is
+ expected to be effective. This period is defined as the time
+ between the first inception time stamp and the last expiration
+ date of any signature made with this key, regardless of any
+ discontinuity in the use of the key. The key effectivity period
+ can span multiple signature validity periods.
+
+ o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
+ value of the TTLs from the complete set of RRs in a zone. Note
+ that the minimum TTL is not the same as the MINIMUM field in the
+ SOA RR. See [11] for more information.
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 4]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+2. Keeping the Chain of Trust Intact
+
+ Maintaining a valid chain of trust is important because broken chains
+ of trust will result in data being marked as Bogus (as defined in [4]
+ Section 5), which may cause entire (sub)domains to become invisible
+ to verifying clients. The administrators of secured zones have to
+ realize that their zone is, to verifying clients, part of a chain of
+ trust.
+
+ As mentioned in the introduction, the procedures herein are intended
+ to ensure that maintenance of zones, such as re-signing or key
+ rollovers, will be transparent to the verifying clients on the
+ Internet.
+
+ Administrators of secured zones will have to keep in mind that data
+ published on an authoritative primary server will not be immediately
+ seen by verifying clients; it may take some time for the data to be
+ transferred to other secondary authoritative nameservers and clients
+ may be fetching data from caching non-authoritative servers. In this
+ light, note that the time for a zone transfer from master to slave is
+ negligible when using NOTIFY [9] and incremental transfer (IXFR) [8].
+ It increases when full zone transfers (AXFR) are used in combination
+ with NOTIFY. It increases even more if you rely on full zone
+ transfers based on only the SOA timing parameters for refresh.
+
+ For the verifying clients, it is important that data from secured
+ zones can be used to build chains of trust regardless of whether the
+ data came directly from an authoritative server, a caching
+ nameserver, or some middle box. Only by carefully using the
+ available timing parameters can a zone administrator ensure that the
+ data necessary for verification can be obtained.
+
+ The responsibility for maintaining the chain of trust is shared by
+ administrators of secured zones in the chain of trust. This is most
+ obvious in the case of a 'key compromise' when a trade-off between
+ maintaining a valid chain of trust and replacing the compromised keys
+ as soon as possible must be made. Then zone administrators will have
+ to make a trade-off, between keeping the chain of trust intact --
+ thereby allowing for attacks with the compromised key -- or
+ deliberately breaking the chain of trust and making secured
+ subdomains invisible to security-aware resolvers. Also see Section
+ 4.3.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 5]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+3. Keys Generation and Storage
+
+ This section describes a number of considerations with respect to the
+ security of keys. It deals with the generation, effectivity period,
+ size, and storage of private keys.
+
+3.1. Zone and Key Signing Keys
+
+ The DNSSEC validation protocol does not distinguish between different
+ types of DNSKEYs. All DNSKEYs can be used during the validation. In
+ practice, operators use Key Signing and Zone Signing Keys and use the
+ so-called Secure Entry Point (SEP) [3] flag to distinguish between
+ them during operations. The dynamics and considerations are
+ discussed below.
+
+ To make zone re-signing and key rollover procedures easier to
+ implement, it is possible to use one or more keys as Key Signing Keys
+ (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone.
+ Other keys can be used to sign all the RRSets in a zone and are
+ referred to as Zone Signing Keys (ZSKs). In this document, we assume
+ that KSKs are the subset of keys that are used for key exchanges with
+ the parent and potentially for configuration as trusted anchors --
+ the SEP keys. In this document, we assume a one-to-one mapping
+ between KSK and SEP keys and we assume the SEP flag to be set on all
+ KSKs.
+
+3.1.1. Motivations for the KSK and ZSK Separation
+
+ Differentiating between the KSK and ZSK functions has several
+ advantages:
+
+ o No parent/child interaction is required when ZSKs are updated.
+
+ o The KSK can be made stronger (i.e., using more bits in the key
+ material). This has little operational impact since it is only
+ used to sign a small fraction of the zone data. Also, the KSK is
+ only used to verify the zone's key set, not for other RRSets in
+ the zone.
+
+ o As the KSK is only used to sign a key set, which is most probably
+ updated less frequently than other data in the zone, it can be
+ stored separately from and in a safer location than the ZSK.
+
+ o A KSK can have a longer key effectivity period.
+
+ For almost any method of key management and zone signing, the KSK is
+ used less frequently than the ZSK. Once a key set is signed with the
+ KSK, all the keys in the key set can be used as ZSKs. If a ZSK is
+
+
+
+Kolkman & Gieben Informational [Page 6]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ compromised, it can be simply dropped from the key set. The new key
+ set is then re-signed with the KSK.
+
+ Given the assumption that for KSKs the SEP flag is set, the KSK can
+ be distinguished from a ZSK by examining the flag field in the DNSKEY
+ RR. If the flag field is an odd number it is a KSK. If it is an
+ even number it is a ZSK.
+
+ The Zone Signing Key can be used to sign all the data in a zone on a
+ regular basis. When a Zone Signing Key is to be rolled, no
+ interaction with the parent is needed. This allows for signature
+ validity periods on the order of days.
+
+ The Key Signing Key is only to be used to sign the DNSKEY RRs in a
+ zone. If a Key Signing Key is to be rolled over, there will be
+ interactions with parties other than the zone administrator. These
+ can include the registry of the parent zone or administrators of
+ verifying resolvers that have the particular key configured as secure
+ entry points. Hence, the key effectivity period of these keys can
+ and should be made much longer. Although, given a long enough key,
+ the key effectivity period can be on the order of years, we suggest
+ planning for a key effectivity on the order of a few months so that a
+ key rollover remains an operational routine.
+
+3.1.2. KSKs for High-Level Zones
+
+ Higher-level zones are generally more sensitive than lower-level
+ zones. Anyone controlling or breaking the security of a zone thereby
+ obtains authority over all of its subdomains (except in the case of
+ resolvers that have locally configured the public key of a subdomain,
+ in which case this, and only this, subdomain wouldn't be affected by
+ the compromise of the parent zone). Therefore, extra care should be
+ taken with high-level zones, and strong keys should be used.
+
+ The root zone is the most critical of all zones. Someone controlling
+ or compromising the security of the root zone would control the
+ entire DNS namespace of all resolvers using that root zone (except in
+ the case of resolvers that have locally configured the public key of
+ a subdomain). Therefore, the utmost care must be taken in the
+ securing of the root zone. The strongest and most carefully handled
+ keys should be used. The root zone private key should always be kept
+ off-line.
+
+ Many resolvers will start at a root server for their access to and
+ authentication of DNS data. Securely updating the trust anchors in
+ an enormous population of resolvers around the world will be
+ extremely difficult.
+
+
+
+
+Kolkman & Gieben Informational [Page 7]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+3.2. Key Generation
+
+ Careful generation of all keys is a sometimes overlooked but
+ absolutely essential element in any cryptographically secure system.
+ The strongest algorithms used with the longest keys are still of no
+ use if an adversary can guess enough to lower the size of the likely
+ key space so that it can be exhaustively searched. Technical
+ suggestions for the generation of random keys will be found in RFC
+ 4086 [14]. One should carefully assess if the random number
+ generator used during key generation adheres to these suggestions.
+
+ Keys with a long effectivity period are particularly sensitive as
+ they will represent a more valuable target and be subject to attack
+ for a longer time than short-period keys. It is strongly recommended
+ that long-term key generation occur off-line in a manner isolated
+ from the network via an air gap or, at a minimum, high-level secure
+ hardware.
+
+3.3. Key Effectivity Period
+
+ For various reasons, keys in DNSSEC need to be changed once in a
+ while. The longer a key is in use, the greater the probability that
+ it will have been compromised through carelessness, accident,
+ espionage, or cryptanalysis. Furthermore, when key rollovers are too
+ rare an event, they will not become part of the operational habit and
+ there is risk that nobody on-site will remember the procedure for
+ rollover when the need is there.
+
+ From a purely operational perspective, a reasonable key effectivity
+ period for Key Signing Keys is 13 months, with the intent to replace
+ them after 12 months. An intended key effectivity period of a month
+ is reasonable for Zone Signing Keys.
+
+ For key sizes that match these effectivity periods, see Section 3.5.
+
+ As argued in Section 3.1.2, securely updating trust anchors will be
+ extremely difficult. On the other hand, the "operational habit"
+ argument does also apply to trust anchor reconfiguration. If a short
+ key effectivity period is used and the trust anchor configuration has
+ to be revisited on a regular basis, the odds that the configuration
+ tends to be forgotten is smaller. The trade-off is against a system
+ that is so dynamic that administrators of the validating clients will
+ not be able to follow the modifications.
+
+ Key effectivity periods can be made very short, as in a few minutes.
+ But when replacing keys one has to take the considerations from
+ Section 4.1 and Section 4.2 into account.
+
+
+
+
+Kolkman & Gieben Informational [Page 8]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+3.4. Key Algorithm
+
+ There are currently three different types of algorithms that can be
+ used in DNSSEC: RSA, DSA, and elliptic curve cryptography. The
+ latter is fairly new and has yet to be standardized for usage in
+ DNSSEC.
+
+ RSA has been developed in an open and transparent manner. As the
+ patent on RSA expired in 2000, its use is now also free.
+
+ DSA has been developed by the National Institute of Standards and
+ Technology (NIST). The creation of signatures takes roughly the same
+ time as with RSA, but is 10 to 40 times as slow for verification
+ [17].
+
+ We suggest the use of RSA/SHA-1 as the preferred algorithm for the
+ key. The current known attacks on RSA can be defeated by making your
+ key longer. As the MD5 hashing algorithm is showing cracks, we
+ recommend the usage of SHA-1.
+
+ At the time of publication, it is known that the SHA-1 hash has
+ cryptanalysis issues. There is work in progress on addressing these
+ issues. We recommend the use of public key algorithms based on
+ hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
+ algorithms are available in protocol specifications (see [19] and
+ [20]) and implementations.
+
+3.5. Key Sizes
+
+ When choosing key sizes, zone administrators will need to take into
+ account how long a key will be used, how much data will be signed
+ during the key publication period (see Section 8.10 of [17]), and,
+ optionally, how large the key size of the parent is. As the chain of
+ trust really is "a chain", there is not much sense in making one of
+ the keys in the chain several times larger then the others. As
+ always, it's the weakest link that defines the strength of the entire
+ chain. Also see Section 3.1.1 for a discussion of how keys serving
+ different roles (ZSK vs. KSK) may need different key sizes.
+
+ Generating a key of the correct size is a difficult problem; RFC 3766
+ [13] tries to deal with that problem. The first part of the
+ selection procedure in Section 1 of the RFC states:
+
+ 1. Determine the attack resistance necessary to satisfy the
+ security requirements of the application. Do this by
+ estimating the minimum number of computer operations that the
+ attacker will be forced to do in order to compromise the
+
+
+
+
+Kolkman & Gieben Informational [Page 9]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ security of the system and then take the logarithm base two of
+ that number. Call that logarithm value "n".
+
+ A 1996 report recommended 90 bits as a good all-around choice
+ for system security. The 90 bit number should be increased by
+ about 2/3 bit/year, or about 96 bits in 2005.
+
+ [13] goes on to explain how this number "n" can be used to calculate
+ the key sizes in public key cryptography. This culminated in the
+ table given below (slightly modified for our purpose):
+
+ +-------------+-----------+--------------+
+ | System | | |
+ | requirement | Symmetric | RSA or DSA |
+ | for attack | key size | modulus size |
+ | resistance | (bits) | (bits) |
+ | (bits) | | |
+ +-------------+-----------+--------------+
+ | 70 | 70 | 947 |
+ | 80 | 80 | 1228 |
+ | 90 | 90 | 1553 |
+ | 100 | 100 | 1926 |
+ | 150 | 150 | 4575 |
+ | 200 | 200 | 8719 |
+ | 250 | 250 | 14596 |
+ +-------------+-----------+--------------+
+
+ The key sizes given are rather large. This is because these keys are
+ resilient against a trillionaire attacker. Assuming this rich
+ attacker will not attack your key and that the key is rolled over
+ once a year, we come to the following recommendations about KSK
+ sizes: 1024 bits for low-value domains, 1300 bits for medium-value
+ domains, and 2048 bits for high-value domains.
+
+ Whether a domain is of low, medium, or high value depends solely on
+ the views of the zone owner. One could, for instance, view leaf
+ nodes in the DNS as of low value, and top-level domains (TLDs) or the
+ root zone of high value. The suggested key sizes should be safe for
+ the next 5 years.
+
+ As ZSKs can be rolled over more easily (and thus more often), the key
+ sizes can be made smaller. But as said in the introduction of this
+ paragraph, making the ZSKs' key sizes too small (in relation to the
+ KSKs' sizes) doesn't make much sense. Try to limit the difference in
+ size to about 100 bits.
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 10]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ Note that nobody can see into the future and that these key sizes are
+ only provided here as a guide. Further information can be found in
+ [16] and Section 7.5 of [17]. It should be noted though that [16] is
+ already considered overly optimistic about what key sizes are
+ considered safe.
+
+ One final note concerning key sizes. Larger keys will increase the
+ sizes of the RRSIG and DNSKEY records and will therefore increase the
+ chance of DNS UDP packet overflow. Also, the time it takes to
+ validate and create RRSIGs increases with larger keys, so don't
+ needlessly double your key sizes.
+
+3.6. Private Key Storage
+
+ It is recommended that, where possible, zone private keys and the
+ zone file master copy that is to be signed be kept and used in off-
+ line, non-network-connected, physically secure machines only.
+ Periodically, an application can be run to add authentication to a
+ zone by adding RRSIG and NSEC RRs. Then the augmented file can be
+ transferred.
+
+ When relying on dynamic update to manage a signed zone [10], be aware
+ that at least one private key of the zone will have to reside on the
+ master server. This key is only as secure as the amount of exposure
+ the server receives to unknown clients and the security of the host.
+ Although not mandatory, one could administer the DNS in the following
+ way. The master that processes the dynamic updates is unavailable
+ from generic hosts on the Internet, it is not listed in the NS RR
+ set, although its name appears in the SOA RRs MNAME field. The
+ nameservers in the NS RRSet are able to receive zone updates through
+ NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This
+ approach is known as the "hidden master" setup.
+
+ The ideal situation is to have a one-way information flow to the
+ network to avoid the possibility of tampering from the network.
+ Keeping the zone master file on-line on the network and simply
+ cycling it through an off-line signer does not do this. The on-line
+ version could still be tampered with if the host it resides on is
+ compromised. For maximum security, the master copy of the zone file
+ should be off-net and should not be updated based on an unsecured
+ network mediated communication.
+
+ In general, keeping a zone file off-line will not be practical and
+ the machines on which zone files are maintained will be connected to
+ a network. Operators are advised to take security measures to shield
+ unauthorized access to the master copy.
+
+
+
+
+
+Kolkman & Gieben Informational [Page 11]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ For dynamically updated secured zones [10], both the master copy and
+ the private key that is used to update signatures on updated RRs will
+ need to be on-line.
+
+4. Signature Generation, Key Rollover, and Related Policies
+
+4.1. Time in DNSSEC
+
+ Without DNSSEC, all times in the DNS are relative. The SOA fields
+ REFRESH, RETRY, and EXPIRATION are timers used to determine the time
+ elapsed after a slave server synchronized with a master server. The
+ Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
+ are used to determine how long a forwarder should cache data after it
+ has been fetched from an authoritative server. By using a signature
+ validity period, DNSSEC introduces the notion of an absolute time in
+ the DNS. Signatures in DNSSEC have an expiration date after which
+ the signature is marked as invalid and the signed data is to be
+ considered Bogus.
+
+4.1.1. Time Considerations
+
+ Because of the expiration of signatures, one should consider the
+ following:
+
+ o We suggest the Maximum Zone TTL of your zone data to be a fraction
+ of your signature validity period.
+
+ If the TTL would be of similar order as the signature validity
+ period, then all RRSets fetched during the validity period
+ would be cached until the signature expiration time. Section
+ 7.1 of [4] suggests that "the resolver may use the time
+ remaining before expiration of the signature validity period of
+ a signed RRSet as an upper bound for the TTL". As a result,
+ query load on authoritative servers would peak at signature
+ expiration time, as this is also the time at which records
+ simultaneously expire from caches.
+
+ To avoid query load peaks, we suggest the TTL on all the RRs in
+ your zone to be at least a few times smaller than your
+ signature validity period.
+
+ o We suggest the signature publication period to end at least one
+ Maximum Zone TTL duration before the end of the signature validity
+ period.
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 12]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ Re-signing a zone shortly before the end of the signature
+ validity period may cause simultaneous expiration of data from
+ caches. This in turn may lead to peaks in the load on
+ authoritative servers.
+
+ o We suggest the Minimum Zone TTL to be long enough to both fetch
+ and verify all the RRs in the trust chain. In workshop
+ environments, it has been demonstrated [18] that a low TTL (under
+ 5 to 10 minutes) caused disruptions because of the following two
+ problems:
+
+ 1. During validation, some data may expire before the
+ validation is complete. The validator should be able to
+ keep all data until it is completed. This applies to all
+ RRs needed to complete the chain of trust: DSes, DNSKEYs,
+ RRSIGs, and the final answers, i.e., the RRSet that is
+ returned for the initial query.
+
+ 2. Frequent verification causes load on recursive nameservers.
+ Data at delegation points, DSes, DNSKEYs, and RRSIGs
+ benefit from caching. The TTL on those should be
+ relatively long.
+
+ o Slave servers will need to be able to fetch newly signed zones
+ well before the RRSIGs in the zone served by the slave server pass
+ their signature expiration time.
+
+ When a slave server is out of sync with its master and data in
+ a zone is signed by expired signatures, it may be better for
+ the slave server not to give out any answer.
+
+ Normally, a slave server that is not able to contact a master
+ server for an extended period will expire a zone. When that
+ happens, the server will respond differently to queries for
+ that zone. Some servers issue SERVFAIL, whereas others turn
+ off the 'AA' bit in the answers. The time of expiration is set
+ in the SOA record and is relative to the last successful
+ refresh between the master and the slave servers. There exists
+ no coupling between the signature expiration of RRSIGs in the
+ zone and the expire parameter in the SOA.
+
+ If the server serves a DNSSEC zone, then it may well happen
+ that the signatures expire well before the SOA expiration timer
+ counts down to zero. It is not possible to completely prevent
+ this from happening by tweaking the SOA parameters. However,
+ the effects can be minimized where the SOA expiration time is
+ equal to or shorter than the signature validity period. The
+ consequence of an authoritative server not being able to update
+
+
+
+Kolkman & Gieben Informational [Page 13]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ a zone, whilst that zone includes expired signatures, is that
+ non-secure resolvers will continue to be able to resolve data
+ served by the particular slave servers while security-aware
+ resolvers will experience problems because of answers being
+ marked as Bogus.
+
+ We suggest the SOA expiration timer being approximately one
+ third or one fourth of the signature validity period. It will
+ allow problems with transfers from the master server to be
+ noticed before the actual signature times out. We also suggest
+ that operators of nameservers that supply secondary services
+ develop 'watch dogs' to spot upcoming signature expirations in
+ zones they slave, and take appropriate action.
+
+ When determining the value for the expiration parameter one has
+ to take the following into account: What are the chances that
+ all my secondaries expire the zone? How quickly can I reach an
+ administrator of secondary servers to load a valid zone? These
+ questions are not DNSSEC specific but may influence the choice
+ of your signature validity intervals.
+
+4.2. Key Rollovers
+
+ A DNSSEC key cannot be used forever (see Section 3.3). So key
+ rollovers -- or supercessions, as they are sometimes called -- are a
+ fact of life when using DNSSEC. Zone administrators who are in the
+ process of rolling their keys have to take into account that data
+ published in previous versions of their zone still lives in caches.
+ When deploying DNSSEC, this becomes an important consideration;
+ ignoring data that may be in caches may lead to loss of service for
+ clients.
+
+ The most pressing example of this occurs when zone material signed
+ with an old key is being validated by a resolver that does not have
+ the old zone key cached. If the old key is no longer present in the
+ current zone, this validation fails, marking the data "Bogus".
+ Alternatively, an attempt could be made to validate data that is
+ signed with a new key against an old key that lives in a local cache,
+ also resulting in data being marked "Bogus".
+
+4.2.1. Zone Signing Key Rollovers
+
+ For "Zone Signing Key rollovers", there are two ways to make sure
+ that during the rollover data still cached can be verified with the
+ new key sets or newly generated signatures can be verified with the
+ keys still in caches. One schema, described in Section 4.2.1.2, uses
+
+
+
+
+
+Kolkman & Gieben Informational [Page 14]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ double signatures; the other uses key pre-publication (Section
+ 4.2.1.1). The pros, cons, and recommendations are described in
+ Section 4.2.1.3.
+
+4.2.1.1. Pre-Publish Key Rollover
+
+ This section shows how to perform a ZSK rollover without the need to
+ sign all the data in a zone twice -- the "pre-publish key rollover".
+ This method has advantages in the case of a key compromise. If the
+ old key is compromised, the new key has already been distributed in
+ the DNS. The zone administrator is then able to quickly switch to
+ the new key and remove the compromised key from the zone. Another
+ major advantage is that the zone size does not double, as is the case
+ with the double signature ZSK rollover. A small "how-to" for this
+ kind of rollover can be found in Appendix B.
+
+ Pre-publish key rollover involves four stages as follows:
+
+ ----------------------------------------------------------------
+ initial new DNSKEY new RRSIGs DNSKEY removal
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2 SOA3
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
+
+ DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ Pre-Publish Key Rollover
+
+ initial: Initial version of the zone: DNSKEY 1 is the Key Signing
+ Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+ Signing Key.
+
+ new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
+ signatures are generated with this key yet, but this does not
+ secure against brute force attacks on the public key. The minimum
+ duration of this pre-roll phase is the time it takes for the data
+ to propagate to the authoritative servers plus TTL value of the
+ key set.
+
+ new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
+ used to sign the data in the zone exclusively (i.e., all the
+ signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
+ remains published in the key set. This way data that was loaded
+
+
+
+Kolkman & Gieben Informational [Page 15]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ into caches from version 1 of the zone can still be verified with
+ key sets fetched from version 2 of the zone. The minimum time
+ that the key set including DNSKEY 10 is to be published is the
+ time that it takes for zone data from the previous version of the
+ zone to expire from old caches, i.e., the time it takes for this
+ zone to propagate to all authoritative servers plus the Maximum
+ Zone TTL value of any of the data in the previous version of the
+ zone.
+
+ DNSKEY removal: DNSKEY 10 is removed from the zone. The key set, now
+ only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
+ DNSKEY 1.
+
+ The above scheme can be simplified by always publishing the "future"
+ key immediately after the rollover. The scheme would look as follows
+ (we show two rollovers); the future key is introduced in "new DNSKEY"
+ as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
+ (II)":
+
+ ----------------------------------------------------------------
+ initial new RRSIGs new DNSKEY
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11 DNSKEY12
+ RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ ----------------------------------------------------------------
+ new RRSIGs (II) new DNSKEY (II)
+ ----------------------------------------------------------------
+ SOA3 SOA4
+ RRSIG12(SOA3) RRSIG12(SOA4)
+
+ DNSKEY1 DNSKEY1
+ DNSKEY11 DNSKEY12
+ DNSKEY12 DNSKEY13
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG12(DNSKEY) RRSIG12(DNSKEY)
+ ----------------------------------------------------------------
+
+ Pre-Publish Key Rollover, Showing Two Rollovers
+
+
+
+
+
+Kolkman & Gieben Informational [Page 16]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ Note that the key introduced in the "new DNSKEY" phase is not used
+ for production yet; the private key can thus be stored in a
+ physically secure manner and does not need to be 'fetched' every time
+ a zone needs to be signed.
+
+4.2.1.2. Double Signature Zone Signing Key Rollover
+
+ This section shows how to perform a ZSK key rollover using the double
+ zone data signature scheme, aptly named "double signature rollover".
+
+ During the "new DNSKEY" stage the new version of the zone file will
+ need to propagate to all authoritative servers and the data that
+ exists in (distant) caches will need to expire, requiring at least
+ the Maximum Zone TTL.
+
+ Double signature ZSK rollover involves three stages as follows:
+
+ ----------------------------------------------------------------
+ initial new DNSKEY DNSKEY removal
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
+ RRSIG11(SOA1)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
+ RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ Double Signature Zone Signing Key Rollover
+
+ initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
+ Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+ Signing Key.
+
+ new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
+ introduced into the key set and all the data in the zone is signed
+ with DNSKEY 10 and DNSKEY 11. The rollover period will need to
+ continue until all data from version 0 of the zone has expired
+ from remote caches. This will take at least the Maximum Zone TTL
+ of version 0 of the zone.
+
+ DNSKEY removal: DNSKEY 10 is removed from the zone. All the
+ signatures from DNSKEY 10 are removed from the zone. The key set,
+ now only containing DNSKEY 11, is re-signed with DNSKEY 1.
+
+
+
+Kolkman & Gieben Informational [Page 17]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ At every instance, RRSIGs from the previous version of the zone can
+ be verified with the DNSKEY RRSet from the current version and the
+ other way around. The data from the current version can be verified
+ with the data from the previous version of the zone. The duration of
+ the "new DNSKEY" phase and the period between rollovers should be at
+ least the Maximum Zone TTL.
+
+ Making sure that the "new DNSKEY" phase lasts until the signature
+ expiration time of the data in initial version of the zone is
+ recommended. This way all caches are cleared of the old signatures.
+ However, this duration could be considerably longer than the Maximum
+ Zone TTL, making the rollover a lengthy procedure.
+
+ Note that in this example we assumed that the zone was not modified
+ during the rollover. New data can be introduced in the zone as long
+ as it is signed with both keys.
+
+4.2.1.3. Pros and Cons of the Schemes
+
+ Pre-publish key rollover: This rollover does not involve signing the
+ zone data twice. Instead, before the actual rollover, the new key
+ is published in the key set and thus is available for
+ cryptanalysis attacks. A small disadvantage is that this process
+ requires four steps. Also the pre-publish scheme involves more
+ parental work when used for KSK rollovers as explained in Section
+ 4.2.3.
+
+ Double signature ZSK rollover: The drawback of this signing scheme is
+ that during the rollover the number of signatures in your zone
+ doubles; this may be prohibitive if you have very big zones. An
+ advantage is that it only requires three steps.
+
+4.2.2. Key Signing Key Rollovers
+
+ For the rollover of a Key Signing Key, the same considerations as for
+ the rollover of a Zone Signing Key apply. However, we can use a
+ double signature scheme to guarantee that old data (only the apex key
+ set) in caches can be verified with a new key set and vice versa.
+ Since only the key set is signed with a KSK, zone size considerations
+ do not apply.
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 18]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ --------------------------------------------------------------------
+ initial new DNSKEY DS change DNSKEY removal
+ --------------------------------------------------------------------
+ Parent:
+ SOA0 --------> SOA1 -------->
+ RRSIGpar(SOA0) --------> RRSIGpar(SOA1) -------->
+ DS1 --------> DS2 -------->
+ RRSIGpar(DS) --------> RRSIGpar(DS) -------->
+
+
+ Child:
+ SOA0 SOA1 --------> SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
+ -------->
+ DNSKEY1 DNSKEY1 --------> DNSKEY2
+ DNSKEY2 -------->
+ DNSKEY10 DNSKEY10 --------> DNSKEY10
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY)
+ RRSIG2 (DNSKEY) -------->
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
+ --------------------------------------------------------------------
+
+ Stages of Deployment for a Double Signature Key Signing Key Rollover
+
+ initial: Initial version of the zone. The parental DS points to
+ DNSKEY1. Before the rollover starts, the child will have to
+ verify what the TTL is of the DS RR that points to DNSKEY1 -- it
+ is needed during the rollover and we refer to the value as TTL_DS.
+
+ new DNSKEY: During the "new DNSKEY" phase, the zone administrator
+ generates a second KSK, DNSKEY2. The key is provided to the
+ parent, and the child will have to wait until a new DS RR has been
+ generated that points to DNSKEY2. After that DS RR has been
+ published on all servers authoritative for the parent's zone, the
+ zone administrator has to wait at least TTL_DS to make sure that
+ the old DS RR has expired from caches.
+
+ DS change: The parent replaces DS1 with DS2.
+
+ DNSKEY removal: DNSKEY1 has been removed.
+
+ The scenario above puts the responsibility for maintaining a valid
+ chain of trust with the child. It also is based on the premise that
+ the parent only has one DS RR (per algorithm) per zone. An
+ alternative mechanism has been considered. Using an established
+ trust relation, the interaction can be performed in-band, and the
+ removal of the keys by the child can possibly be signaled by the
+ parent. In this mechanism, there are periods where there are two DS
+
+
+
+Kolkman & Gieben Informational [Page 19]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ RRs at the parent. Since at the moment of writing the protocol for
+ this interaction has not been developed, further discussion is out of
+ scope for this document.
+
+4.2.3. Difference Between ZSK and KSK Rollovers
+
+ Note that KSK rollovers and ZSK rollovers are different in the sense
+ that a KSK rollover requires interaction with the parent (and
+ possibly replacing of trust anchors) and the ensuing delay while
+ waiting for it.
+
+ A zone key rollover can be handled in two different ways: pre-publish
+ (Section 4.2.1.1) and double signature (Section 4.2.1.2).
+
+ As the KSK is used to validate the key set and because the KSK is not
+ changed during a ZSK rollover, a cache is able to validate the new
+ key set of the zone. The pre-publish method would also work for a
+ KSK rollover. The records that are to be pre-published are the
+ parental DS RRs. The pre-publish method has some drawbacks for KSKs.
+ We first describe the rollover scheme and then indicate these
+ drawbacks.
+
+ --------------------------------------------------------------------
+ initial new DS new DNSKEY DS/DNSKEY removal
+ --------------------------------------------------------------------
+ Parent:
+ SOA0 SOA1 --------> SOA2
+ RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2)
+ DS1 DS1 --------> DS2
+ DS2 -------->
+ RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS)
+
+
+ Child:
+ SOA0 --------> SOA1 SOA1
+ RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1)
+ -------->
+ DNSKEY1 --------> DNSKEY2 DNSKEY2
+ -------->
+ DNSKEY10 --------> DNSKEY10 DNSKEY10
+ RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
+ RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+ --------------------------------------------------------------------
+
+ Stages of Deployment for a Pre-Publish Key Signing Key Rollover
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 20]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ When the child zone wants to roll, it notifies the parent during the
+ "new DS" phase and submits the new key (or the corresponding DS) to
+ the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1
+ and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase),
+ which can take place as soon as the new DS set propagated through the
+ DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that
+ ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
+ record can be deleted.
+
+ The drawbacks of this scheme are that during the "new DS" phase the
+ parent cannot verify the match between the DS2 RR and DNSKEY2 using
+ the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a
+ "security lame" key (see Section 4.4.3). Finally, the child-parent
+ interaction consists of two steps. The "double signature" method
+ only needs one interaction.
+
+4.2.4. Automated Key Rollovers
+
+ As keys must be renewed periodically, there is some motivation to
+ automate the rollover process. Consider the following:
+
+ o ZSK rollovers are easy to automate as only the child zone is
+ involved.
+
+ o A KSK rollover needs interaction between parent and child. Data
+ exchange is needed to provide the new keys to the parent;
+ consequently, this data must be authenticated and integrity must
+ be guaranteed in order to avoid attacks on the rollover.
+
+4.3. Planning for Emergency Key Rollover
+
+ This section deals with preparation for a possible key compromise.
+ Our advice is to have a documented procedure ready for when a key
+ compromise is suspected or confirmed.
+
+ When the private material of one of your keys is compromised it can
+ be used for as long as a valid trust chain exists. A trust chain
+ remains intact for
+
+ o as long as a signature over the compromised key in the trust chain
+ is valid,
+
+ o as long as a parental DS RR (and signature) points to the
+ compromised key,
+
+ o as long as the key is anchored in a resolver and is used as a
+ starting point for validation (this is generally the hardest to
+ update).
+
+
+
+Kolkman & Gieben Informational [Page 21]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ While a trust chain to your compromised key exists, your namespace is
+ vulnerable to abuse by anyone who has obtained illegitimate
+ possession of the key. Zone operators have to make a trade-off if
+ the abuse of the compromised key is worse than having data in caches
+ that cannot be validated. If the zone operator chooses to break the
+ trust chain to the compromised key, data in caches signed with this
+ key cannot be validated. However, if the zone administrator chooses
+ to take the path of a regular rollover, the malicious key holder can
+ spoof data so that it appears to be valid.
+
+4.3.1. KSK Compromise
+
+ A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
+ as long as the compromised KSK is configured as trust anchor or a
+ parental DS points to it.
+
+ A compromised KSK can be used to sign the key set of an attacker's
+ zone. That zone could be used to poison the DNS.
+
+ Therefore, when the KSK has been compromised, the trust anchor or the
+ parental DS should be replaced as soon as possible. It is local
+ policy whether to break the trust chain during the emergency
+ rollover. The trust chain would be broken when the compromised KSK
+ is removed from the child's zone while the parent still has a DS
+ pointing to the compromised KSK (the assumption is that there is only
+ one DS at the parent. If there are multiple DSes this does not apply
+ -- however the chain of trust of this particular key is broken).
+
+ Note that an attacker's zone still uses the compromised KSK and the
+ presence of a parental DS would cause the data in this zone to appear
+ as valid. Removing the compromised key would cause the attacker's
+ zone to appear as valid and the child's zone as Bogus. Therefore, we
+ advise not to remove the KSK before the parent has a DS to a new KSK
+ in place.
+
+4.3.1.1. Keeping the Chain of Trust Intact
+
+ If we follow this advice, the timing of the replacement of the KSK is
+ somewhat critical. The goal is to remove the compromised KSK as soon
+ as the new DS RR is available at the parent. And also make sure that
+ the signature made with a new KSK over the key set with the
+ compromised KSK in it expires just after the new DS appears at the
+ parent, thus removing the old cruft in one swoop.
+
+ The procedure is as follows:
+
+ 1. Introduce a new KSK into the key set, keep the compromised KSK in
+ the key set.
+
+
+
+Kolkman & Gieben Informational [Page 22]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ 2. Sign the key set, with a short validity period. The validity
+ period should expire shortly after the DS is expected to appear
+ in the parent and the old DSes have expired from caches.
+
+ 3. Upload the DS for this new key to the parent.
+
+ 4. Follow the procedure of the regular KSK rollover: Wait for the DS
+ to appear in the authoritative servers and then wait as long as
+ the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet
+ and modify/extend the expiration time.
+
+ 5. Remove the compromised DNSKEY RR from the zone and re-sign the
+ key set using your "normal" validity interval.
+
+ An additional danger of a key compromise is that the compromised key
+ could be used to facilitate a legitimate DNSKEY/DS rollover and/or
+ nameserver changes at the parent. When that happens, the domain may
+ be in dispute. An authenticated out-of-band and secure notify
+ mechanism to contact a parent is needed in this case.
+
+ Note that this is only a problem when the DNSKEY and or DS records
+ are used for authentication at the parent.
+
+4.3.1.2. Breaking the Chain of Trust
+
+ There are two methods to break the chain of trust. The first method
+ causes the child zone to appear 'Bogus' to validating resolvers. The
+ other causes the child zone to appear 'insecure'. These are
+ described below.
+
+ In the method that causes the child zone to appear 'Bogus' to
+ validating resolvers, the child zone replaces the current KSK with a
+ new one and re-signs the key set. Next it sends the DS of the new
+ key to the parent. Only after the parent has placed the new DS in
+ the zone is the child's chain of trust repaired.
+
+ An alternative method of breaking the chain of trust is by removing
+ the DS RRs from the parent zone altogether. As a result, the child
+ zone would become insecure.
+
+4.3.2. ZSK Compromise
+
+ Primarily because there is no parental interaction required when a
+ ZSK is compromised, the situation is less severe than with a KSK
+ compromise. The zone must still be re-signed with a new ZSK as soon
+ as possible. As this is a local operation and requires no
+ communication between the parent and child, this can be achieved
+ fairly quickly. However, one has to take into account that just as
+
+
+
+Kolkman & Gieben Informational [Page 23]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ with a normal rollover the immediate disappearance of the old
+ compromised key may lead to verification problems. Also note that as
+ long as the RRSIG over the compromised ZSK is not expired the zone
+ may be still at risk.
+
+4.3.3. Compromises of Keys Anchored in Resolvers
+
+ A key can also be pre-configured in resolvers. For instance, if
+ DNSSEC is successfully deployed the root key may be pre-configured in
+ most security aware resolvers.
+
+ If trust-anchor keys are compromised, the resolvers using these keys
+ should be notified of this fact. Zone administrators may consider
+ setting up a mailing list to communicate the fact that a SEP key is
+ about to be rolled over. This communication will of course need to
+ be authenticated, e.g., by using digital signatures.
+
+ End-users faced with the task of updating an anchored key should
+ always validate the new key. New keys should be authenticated out-
+ of-band, for example, through the use of an announcement website that
+ is secured using secure sockets (TLS) [21].
+
+4.4. Parental Policies
+
+4.4.1. Initial Key Exchanges and Parental Policies Considerations
+
+ The initial key exchange is always subject to the policies set by the
+ parent. When designing a key exchange policy one should take into
+ account that the authentication and authorization mechanisms used
+ during a key exchange should be as strong as the authentication and
+ authorization mechanisms used for the exchange of delegation
+ information between parent and child. That is, there is no implicit
+ need in DNSSEC to make the authentication process stronger than it
+ was in DNS.
+
+ Using the DNS itself as the source for the actual DNSKEY material,
+ with an out-of-band check on the validity of the DNSKEY, has the
+ benefit that it reduces the chances of user error. A DNSKEY query
+ tool can make use of the SEP bit [3] to select the proper key from a
+ DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
+ sent. It can validate the self-signature over a key; thereby
+ verifying the ownership of the private key material. Fetching the
+ DNSKEY from the DNS ensures that the chain of trust remains intact
+ once the parent publishes the DS RR indicating the child is secure.
+
+ Note: the out-of-band verification is still needed when the key
+ material is fetched via the DNS. The parent can never be sure
+ whether or not the DNSKEY RRs have been spoofed.
+
+
+
+Kolkman & Gieben Informational [Page 24]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+4.4.2. Storing Keys or Hashes?
+
+ When designing a registry system one should consider which of the
+ DNSKEYs and/or the corresponding DSes to store. Since a child zone
+ might wish to have a DS published using a message digest algorithm
+ not yet understood by the registry, the registry can't count on being
+ able to generate the DS record from a raw DNSKEY. Thus, we recommend
+ that registry systems at least support storing DS records.
+
+ It may also be useful to store DNSKEYs, since having them may help
+ during troubleshooting and, as long as the child's chosen message
+ digest is supported, the overhead of generating DS records from them
+ is minimal. Having an out-of-band mechanism, such as a registry
+ directory (e.g., Whois), to find out which keys are used to generate
+ DS Resource Records for specific owners and/or zones may also help
+ with troubleshooting.
+
+ The storage considerations also relate to the design of the customer
+ interface and the method by which data is transferred between
+ registrant and registry; Will the child zone administrator be able to
+ upload DS RRs with unknown hash algorithms or does the interface only
+ allow DNSKEYs? In the registry-registrar model, one can use the
+ DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
+ which allows transfer of DS RRs and optionally DNSKEY RRs.
+
+4.4.3. Security Lameness
+
+ Security lameness is defined as what happens when a parent has a DS
+ RR pointing to a non-existing DNSKEY RR. When this happens, the
+ child's zone may be marked "Bogus" by verifying DNS clients.
+
+ As part of a comprehensive delegation check, the parent could, at key
+ exchange time, verify that the child's key is actually configured in
+ the DNS. However, if a parent does not understand the hashing
+ algorithm used by child, the parental checks are limited to only
+ comparing the key id.
+
+ Child zones should be very careful in removing DNSKEY material,
+ specifically SEP keys, for which a DS RR exists.
+
+ Once a zone is "security lame", a fix (e.g., removing a DS RR) will
+ take time to propagate through the DNS.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 25]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+4.4.4. DS Signature Validity Period
+
+ Since the DS can be replayed as long as it has a valid signature, a
+ short signature validity period over the DS minimizes the time a
+ child is vulnerable in the case of a compromise of the child's
+ KSK(s). A signature validity period that is too short introduces the
+ possibility that a zone is marked "Bogus" in case of a configuration
+ error in the signer. There may not be enough time to fix the
+ problems before signatures expire. Something as mundane as operator
+ unavailability during weekends shows the need for DS signature
+ validity periods longer than 2 days. We recommend an absolute
+ minimum for a DS signature validity period of a few days.
+
+ The maximum signature validity period of the DS record depends on how
+ long child zones are willing to be vulnerable after a key compromise.
+ On the other hand, shortening the DS signature validity interval
+ increases the operational risk for the parent. Therefore, the parent
+ may have policy to use a signature validity interval that is
+ considerably longer than the child would hope for.
+
+ A compromise between the operational constraints of the parent and
+ minimizing damage for the child may result in a DS signature validity
+ period somewhere between a week and months.
+
+ In addition to the signature validity period, which sets a lower
+ bound on the number of times the zone owner will need to sign the
+ zone data and which sets an upper bound to the time a child is
+ vulnerable after key compromise, there is the TTL value on the DS
+ RRs. Shortening the TTL means that the authoritative servers will
+ see more queries. But on the other hand, a short TTL lowers the
+ persistence of DS RRSets in caches thereby increasing the speed with
+ which updated DS RRSets propagate through the DNS.
+
+5. Security Considerations
+
+ DNSSEC adds data integrity to the DNS. This document tries to assess
+ the operational considerations to maintain a stable and secure DNSSEC
+ service. Not taking into account the 'data propagation' properties
+ in the DNS will cause validation failures and may make secured zones
+ unavailable to security-aware resolvers.
+
+6. Acknowledgments
+
+ Most of the ideas in this document were the result of collective
+ efforts during workshops, discussions, and tryouts.
+
+ At the risk of forgetting individuals who were the original
+ contributors of the ideas, we would like to acknowledge people who
+
+
+
+Kolkman & Gieben Informational [Page 26]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ were actively involved in the compilation of this document. In
+ random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
+ Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
+ Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
+ Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz, and Peter Koch.
+
+ Some material in this document has been copied from RFC 2541 [12].
+
+ Mike StJohns designed the key exchange between parent and child
+ mentioned in the last paragraph of Section 4.2.2
+
+ Section 4.2.4 was supplied by G. Guette and O. Courtay.
+
+ Emma Bretherick, Adrian Bedford, and Lindy Foster corrected many of
+ the spelling and style issues.
+
+ Kolkman and Gieben take the blame for introducing all miscakes (sic).
+
+ While working on this document, Kolkman was employed by the RIPE NCC
+ and Gieben was employed by NLnet Labs.
+
+7. References
+
+7.1. Normative References
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [3] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System
+ KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP)
+ Flag", RFC 3757, May 2004.
+
+ [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033, March
+ 2005.
+
+ [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions", RFC
+ 4035, March 2005.
+
+
+
+
+
+Kolkman & Gieben Informational [Page 27]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+7.2. Informative References
+
+ [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [8] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August
+ 1996.
+
+ [9] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
+ (DNS NOTIFY)", RFC 1996, August 1996.
+
+ [10] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+ [11] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+ RFC 2308, March 1998.
+
+ [12] Eastlake, D., "DNS Security Operational Considerations", RFC
+ 2541, March 1999.
+
+ [13] Orman, H. and P. Hoffman, "Determining Strengths For Public
+ Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
+ April 2004.
+
+ [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+ Requirements for Security", BCP 106, RFC 4086, June 2005.
+
+ [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+ Mapping for the Extensible Provisioning Protocol (EPP)", RFC
+ 4310, December 2005.
+
+ [16] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
+ Sizes", The Journal of Cryptology 14 (255-293), 2001.
+
+ [17] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
+ Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
+ (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
+ 1996.
+
+ [18] Rose, S., "NIST DNSSEC workshop notes", June 2001.
+
+ [19] Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
+ Records in DNSSEC", Work in Progress, January 2006.
+
+ [20] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+ Resource Records (RRs)", RFC 4509, May 2006.
+
+
+
+
+
+Kolkman & Gieben Informational [Page 28]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ [21] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
+ T. Wright, "Transport Layer Security (TLS) Extensions", RFC
+ 4366, April 2006.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 29]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Appendix A. Terminology
+
+ In this document, there is some jargon used that is defined in other
+ documents. In most cases, we have not copied the text from the
+ documents defining the terms but have given a more elaborate
+ explanation of the meaning. Note that these explanations should not
+ be seen as authoritative.
+
+ Anchored key: A DNSKEY configured in resolvers around the globe.
+ This key is hard to update, hence the term anchored.
+
+ Bogus: Also see Section 5 of [4]. An RRSet in DNSSEC is marked
+ "Bogus" when a signature of an RRSet does not validate against a
+ DNSKEY.
+
+ Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
+ exclusively for signing the apex key set. The fact that a key is
+ a KSK is only relevant to the signing tool.
+
+ Key size: The term 'key size' can be substituted by 'modulus size'
+ throughout the document. It is mathematically more correct to use
+ modulus size, but as this is a document directed at operators we
+ feel more at ease with the term key size.
+
+ Private and public keys: DNSSEC secures the DNS through the use of
+ public key cryptography. Public key cryptography is based on the
+ existence of two (mathematically related) keys, a public key and a
+ private key. The public keys are published in the DNS by use of
+ the DNSKEY Resource Record (DNSKEY RR). Private keys should
+ remain private.
+
+ Key rollover: A key rollover (also called key supercession in some
+ environments) is the act of replacing one key pair with another at
+ the end of a key effectivity period.
+
+ Secure Entry Point (SEP) key: A KSK that has a parental DS record
+ pointing to it or is configured as a trust anchor. Although not
+ required by the protocol, we recommend that the SEP flag [3] is
+ set on these keys.
+
+ Self-signature: This only applies to signatures over DNSKEYs; a
+ signature made with DNSKEY x, over DNSKEY x is called a self-
+ signature. Note: without further information, self-signatures
+ convey no trust. They are useful to check the authenticity of the
+ DNSKEY, i.e., they can be used as a hash.
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 30]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ Singing the zone file: The term used for the event where an
+ administrator joyfully signs its zone file while producing melodic
+ sound patterns.
+
+ Signer: The system that has access to the private key material and
+ signs the Resource Record sets in a zone. A signer may be
+ configured to sign only parts of the zone, e.g., only those RRSets
+ for which existing signatures are about to expire.
+
+ Zone Signing Key (ZSK): A key that is used for signing all data in a
+ zone. The fact that a key is a ZSK is only relevant to the
+ signing tool.
+
+ Zone administrator: The 'role' that is responsible for signing a zone
+ and publishing it on the primary authoritative server.
+
+Appendix B. Zone Signing Key Rollover How-To
+
+ Using the pre-published signature scheme and the most conservative
+ method to assure oneself that data does not live in caches, here
+ follows the "how-to".
+
+ Step 0: The preparation: Create two keys and publish both in your key
+ set. Mark one of the keys "active" and the other "published".
+ Use the "active" key for signing your zone data. Store the
+ private part of the "published" key, preferably off-line. The
+ protocol does not provide for attributes to mark a key as active
+ or published. This is something you have to do on your own,
+ through the use of a notebook or key management tool.
+
+ Step 1: Determine expiration: At the beginning of the rollover make a
+ note of the highest expiration time of signatures in your zone
+ file created with the current key marked as active. Wait until
+ the expiration time marked in Step 1 has passed.
+
+ Step 2: Then start using the key that was marked "published" to sign
+ your data (i.e., mark it "active"). Stop using the key that was
+ marked "active"; mark it "rolled".
+
+ Step 3: It is safe to engage in a new rollover (Step 1) after at
+ least one signature validity period.
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 31]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Appendix C. Typographic Conventions
+
+ The following typographic conventions are used in this document:
+
+ Key notation: A key is denoted by DNSKEYx, where x is a number or an
+ identifier, x could be thought of as the key id.
+
+ RRSet notations: RRs are only denoted by the type. All other
+ information -- owner, class, rdata, and TTL--is left out. Thus:
+ "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a
+ list of RRs. A example of this would be "A1, A2", specifying the
+ RRSet containing two "A" records. This could again be abbreviated to
+ just "A".
+
+ Signature notation: Signatures are denoted as RRSIGx(RRSet), which
+ means that RRSet is signed with DNSKEYx.
+
+ Zone representation: Using the above notation we have simplified the
+ representation of a signed zone by leaving out all unnecessary
+ details such as the names and by representing all data by "SOAx"
+
+ SOA representation: SOAs are represented as SOAx, where x is the
+ serial number.
+
+ Using this notation the following signed zone:
+
+ example.net. 86400 IN SOA ns.example.net. bert.example.net. (
+ 2006022100 ; serial
+ 86400 ; refresh ( 24 hours)
+ 7200 ; retry ( 2 hours)
+ 3600000 ; expire (1000 hours)
+ 28800 ) ; minimum ( 8 hours)
+ 86400 RRSIG SOA 5 2 86400 20130522213204 (
+ 20130422213204 14 example.net.
+ cmL62SI6iAX46xGNQAdQ... )
+ 86400 NS a.iana-servers.net.
+ 86400 NS b.iana-servers.net.
+ 86400 RRSIG NS 5 2 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ SO5epiJei19AjXoUpFnQ ... )
+ 86400 DNSKEY 256 3 5 (
+ EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
+ 86400 DNSKEY 257 3 5 (
+ gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
+ 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
+ 20130422213204 14 example.net.
+ J4zCe8QX4tXVGjV4e1r9... )
+
+
+
+
+Kolkman & Gieben Informational [Page 32]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
+ 20130422213204 15 example.net.
+ keVDCOpsSeDReyV6O... )
+ 86400 RRSIG NSEC 5 2 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ obj3HEp1GjnmhRjX... )
+ a.example.net. 86400 IN TXT "A label"
+ 86400 RRSIG TXT 5 3 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ IkDMlRdYLmXH7QJnuF3v... )
+ 86400 NSEC b.example.com. TXT RRSIG NSEC
+ 86400 RRSIG NSEC 5 3 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ bZMjoZ3bHjnEz0nIsPMM... )
+ ...
+
+ is reduced to the following representation:
+
+ SOA2006022100
+ RRSIG14(SOA2006022100)
+ DNSKEY14
+ DNSKEY15
+
+ RRSIG14(KEY)
+ RRSIG15(KEY)
+
+ The rest of the zone data has the same signature as the SOA record,
+ i.e., an RRSIG created with DNSKEY 14.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 33]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Authors' Addresses
+
+ Olaf M. Kolkman
+ NLnet Labs
+ Kruislaan 419
+ Amsterdam 1098 VA
+ The Netherlands
+
+ EMail: olaf@nlnetlabs.nl
+ URI: http://www.nlnetlabs.nl
+
+
+ R. (Miek) Gieben
+
+ EMail: miek@miek.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 34]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 35]
+\f
--- /dev/null
+#################################################################
+#
+# @(#) dist.sh -- distribute and reload command for dnssec-signer
+#
+# (c) Jul 2008 Holger Zuleger hznet.de
+#
+# Feb 2010 action "distkeys" added
+#
+# This shell script will be run by dnssec-signer as a distribution
+# and reload command if:
+#
+# a) the dnssec.conf file parameter Distribute_Cmd: points
+# to this file
+# and
+# b) the user running the dnssec-signer command is not
+# root (uid==0)
+# and
+# c) the owner of this shell script is the same as the
+# running user and the access rights don't allow writing
+# for anyone except the owner
+# or
+# d) the group of this shell script is the same as the
+# running user and the access rights don't allow writing
+# for anyone except the group
+#
+#################################################################
+
+# set path to rndc and scp
+PATH="/bin:/usr/bin:/usr/local/sbin"
+
+# remote server and directory
+server=localhost # fqdn of remote name server
+dir=/var/named # zone directory on remote name server
+
+progname=$0
+usage()
+{
+ echo "usage: $progname distribute|reload <domain> <path_to_zonefile> [<viewname>]" 1>&2
+ test $# -gt 0 && echo $* 1>&2
+ exit 1
+}
+
+if test $# -lt 3
+then
+ usage
+fi
+action="$1"
+domain="$2"
+zonefile="$3"
+view=""
+test $# -gt 3 && view="$4"
+
+case $action in
+distkeys)
+ if test -n "$view"
+ then
+ echo "scp K$zone+* $server:$dir/$view/$zone/"
+ : scp K$zone+* $server:$dir/$view/$zone/
+ else
+ echo "scp K$zone+* $server:$dir/$zone/"
+ : scp K$zone+* $server:$dir/$zone/
+ fi
+ ;;
+distribute)
+ if test -n "$view"
+ then
+ echo "scp $zonefile $server:$dir/$view/$domain/"
+ : scp $zonefile $server:$dir/$view/$domain/
+ else
+ echo "scp $zonefile $server:$dir/$domain/"
+ : scp $zonefile $server:$dir/$domain/
+ fi
+ ;;
+reload)
+ echo "rndc $action $domain $view"
+ : rndc $action $domain $view
+ ;;
+*)
+ usage "illegal action $action"
+ ;;
+esac
+
--- /dev/null
+#
+# @(#) dnssec.conf T1.0rc1 (c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de
+#
+
+# dnssec-zkt options
+Zonedir: "."
+Recursive: True
+PrintTime: False
+PrintAge: True
+LeftJustify: False
+
+# zone specific values
+ResignInterval: 2d # (172800 seconds)
+Sigvalidity: 6d # (518400 seconds)
+Max_TTL: 8h # (28800 seconds)
+Propagation: 5m # (300 seconds)
+KEY_TTL: 1h # (3600 seconds)
+Serialformat: incremental
+
+# signing key parameters
+Key_Algo: RSASHA512
+KSK_lifetime: 60d # (5184000 seconds)
+KSK_bits: 1300
+KSK_randfile: "/dev/urandom"
+ZSK_lifetime: 2w # (1209600 seconds)
+ZSK_bits: 1024
+ZSK_randfile: "/dev/urandom"
+SaltBits: 24
+
+# dnssec-signer options
+LogFile: "zkt.log"
+LogLevel: DEBUG
+LogDomainDir: "."
+SyslogFacility: USER
+SyslogLevel: NOTICE
+VerboseLog: 2
+Keyfile: "dnskey.db"
+Zonefile: "zone.db"
+KeySetDir: "../keysets"
+DLV_Domain: ""
+Sig_Pseudorand: True
+Sig_GenerateDS: True
+Sig_DnsKeyKSK: False
+Sig_Parameter: "-n 1"
+Distribute_Cmd: "./dist.sh"
--- /dev/null
+;
+; !!! Don't edit this file by hand.
+; !!! It will be generated by zkt-signer.
+;
+; Last generation time Mar 02 2010 10:59:46
+;
+
+; *** List of Key Signing Keys ***
+; dyn.example.net. tag=52935 algo=NSEC3RSASHA1 generated Feb 21 2010 19:43:15
+dyn.example.net. 3600 IN DNSKEY 257 3 7 (
+ AwEAAeqEDYgA5lns1VsMJiZfTWMEguameVmOoBYx8s1uLzmS/3APsh1e
+ WCeoBgAjRry1tpM/bPowyuygE4H0LpzNQLm9RbjDmpDN8Gwi3AjEnG4H
+ CT58TuAVxjiefN+vb1pvyFlAL58YOkuGf9tG/NJMNc+XrULAU1ey2dT9
+ Fh+SCVO3
+ ) ; key id = 52935
+
+; *** List of Zone Signing Keys ***
+; dyn.example.net. tag=30323 algo=NSEC3RSASHA1 generated Feb 21 2010 19:43:15
+dyn.example.net. 3600 IN DNSKEY 256 3 7 (
+ AwEAAfqG0rb9Ear+Pv7xBg9lc9czF+2YUa8Ris63E/oRRGQEH5U/ZS3A
+ xz3aOhPFKzAAhjfaG3vTNW3Wl4bl4ITFZrk=
+ ) ; key id = 30323
+
--- /dev/null
+Key_Algo: NSEC3RSASHA1 # (Algorithm ID 7)
+KSK_lifetime: 60d # (5184000 seconds)
+KSK_bits: 1024
--- /dev/null
+; File written on Thu Feb 25 23:42:29 2010
+; dnssec_signzone version 9.7.0
+dyn.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
+ 18 ; serial
+ 43200 ; refresh (12 hours)
+ 1800 ; retry (30 minutes)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 7200 RRSIG SOA 7 3 7200 20100303214229 (
+ 20100225214229 30323 dyn.example.net.
+ Ih9WgRBKZVDT3zJR9eFcB0VKU0o2G7h13XHZ
+ W6j2Jr1H4Db5IC1xiHXq+hI9UMkVQA3fu1Ub
+ +tjqAJE+y3hUFg== )
+ 7200 NS ns1.example.net.
+ 7200 NS ns2.example.net.
+ 7200 RRSIG NS 7 3 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ uvTn2MCWjTfS/piH3kKEmF1gPoeN8jIdcFFJ
+ 5t3b8RIwjorD81gWIRmzkGDE59hoL4mMvEnO
+ 32sAi8qkYhvBOA== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAfqG0rb9Ear+Pv7xBg9lc9czF+2YUa8R
+ is63E/oRRGQEH5U/ZS3Axz3aOhPFKzAAhjfa
+ G3vTNW3Wl4bl4ITFZrk=
+ ) ; key id = 30323
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeqEDYgA5lns1VsMJiZfTWMEguameVmO
+ oBYx8s1uLzmS/3APsh1eWCeoBgAjRry1tpM/
+ bPowyuygE4H0LpzNQLm9RbjDmpDN8Gwi3AjE
+ nG4HCT58TuAVxjiefN+vb1pvyFlAL58YOkuG
+ f9tG/NJMNc+XrULAU1ey2dT9Fh+SCVO3
+ ) ; key id = 52935
+ 3600 RRSIG DNSKEY 7 3 3600 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ je5kBhDdp9b9fjH/lJ1o9WDBL2YxZ+6UNuF9
+ zNbeeDlfBHe7XlTGw9MHyvZh46wx2OUmLoGM
+ DFhPfIwUwtttUA== )
+ 3600 RRSIG DNSKEY 7 3 3600 20100227180048 (
+ 20100221180048 52935 dyn.example.net.
+ MuyIUCa3XlttWuSnaQegQnRgTrTsx0Mj4EGI
+ fwtZs2H3L079Y/brqMvtlIGxtlr9meLg43oo
+ jX1w48ilerzf1PwYhUVpFefZTgmClK0h2ej4
+ Ho9Qh4/6snesVj06kWsQDkhuVs58zHmhRtEy
+ P4YlqP/R1CAk166RhwSmGuSx1O8= )
+ 0 NSEC3PARAM 1 0 10 76931F
+ 0 RRSIG NSEC3PARAM 7 3 0 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ LGD8bq/sX9yvDUpmyaRczfTshrR6T9HmQ5/a
+ MwMSY+5LDAD/YdwtpVF7uNwdMa6ydJFQW37u
+ Rma0TxEqKPGPyQ== )
+localhost.dyn.example.net. 7200 IN A 127.0.0.1
+ 7200 RRSIG A 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ SHLL1lIJZaEGKphkFm3NShS6H33mBnwwACkH
+ eF3JE5vWwTuT7hffdJlwcahYQfcr3egPv64d
+ iyCNYNjdvlJpsg== )
+ns1.dyn.example.net. 7200 IN A 1.0.0.5
+ 7200 RRSIG A 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ 6PF5dGgOJdolEyxrHqyA66BFLrUORQLZvVBw
+ 9fX9uGWWKiu6yRR3i4LwIkQ+VelTpCbTsLh4
+ gm+rcSMFNeOtxA== )
+ 7200 AAAA 2001:db8::53
+ 7200 RRSIG AAAA 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ dk1DfG0y9qjCi3VD4e9B1NGKWEig7q8hFdaR
+ 3hElCIzGlflvgHRiE7iTJxDMB+kTA0by4BMZ
+ yssUuXP2FMlB2g== )
+ns2.dyn.example.net. 7200 IN A 1.2.0.6
+ 7200 RRSIG A 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ Ei5VGwE7CNBQ7ZOHpyKZXtuC8I7lusZ4d+gx
+ MwpLROH+6OSu26x2ScPdwg1qpZ5Mui01ss6O
+ IcJL36PRqAM26A== )
+x.dyn.example.net. 7200 IN A 1.2.3.4
+ 7200 RRSIG A 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ ieiExNeDjeucDjtMVj0F9kwIsL0ngZfAmEU/
+ /UlYe8/8pg2NzFulOviI09ekgOOnMfcnb4n4
+ /pRIkFddCEOt0g== )
+y.dyn.example.net. 7200 IN A 1.2.3.5
+ 7200 RRSIG A 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ NfDUCrArDXCTPrTpiesQYCoZ039YE/KwlN25
+ EZ9vOVt6dE2R9KkAWezkdY9zDmJMGTN1XYI/
+ vgd56J8B5Y/uQQ== )
+z.dyn.example.net. 7200 IN A 1.2.3.6
+ 7200 RRSIG A 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ VH3BsA8JLlqmL0xkXgXlPXT0xfRcdFy7vPYh
+ 27exw16LDbQF15KjkHvUJ+Bkei/SmRa20Dll
+ Yy536Dj+ar5ABQ== )
+A54T6DKFVU4QCAFFNJ0KEU0FH0I4OJSN.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F AJHVGTICN6K0VDA53GCHFMT219SRRQLM A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ 9BhZcQdLwRPU/Dz38uMis/nCcddyhKEm0Zb+
+ Mhh3V3OsGI202cebTaxbwVEbQQOeowpUmf8l
+ AmK/cNX7+IS2rw== )
+AJHVGTICN6K0VDA53GCHFMT219SRRQLM.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7 A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ lVyEaxejO5qFlyyBp8gYyQnG+DkIm8vofj+B
+ SuTxalc2l+TYen1RnSTeeXfMqc9YpGu4SCaG
+ Fyznu1K88oUhMg== )
+FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F I7A7A184GGMI35K1E3IR650LKO7NOB5R A AAAA RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ 577WZnTQemStx+ciON9rEGXAGnU7C0KLjrFL
+ VyhocnBnNtxJS8eRMSWvb9XuYCMNhYKOurtt
+ Ar4qh4VW1+unmA== )
+I7A7A184GGMI35K1E3IR650LKO7NOB5R.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F IMQ912BREQP1POLAH3RMONG3UED541AS A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ +PKntiPlw2om9e0KJX/L2VxSCbxL95eIV2f+
+ 5YBMq3npDguHaUiBwan8Vsm+aNsdr1NDDLY/
+ HdJzEfVmSNGs7Q== )
+IMQ912BREQP1POLAH3RMONG3UED541AS.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7 A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ smsg35snQ9PpeG2r8ZGxBl44pwSReh/1rIil
+ u/n8aa5nKbBpkqtbcc7q1OpUgb1Q7+Tl/wes
+ kB6bohsRdrwEJA== )
+S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F T320G5LC07QE1BLR074KORIJTG9DPTI9 A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ XalRIESpdeVK1aNbwu9ym2Spk981Y127rKua
+ xsoals0Zn2tTjF9wpOYVGVOto3FcWBbyKD1g
+ 69BTRlv634UIOw== )
+T320G5LC07QE1BLR074KORIJTG9DPTI9.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F A54T6DKFVU4QCAFFNJ0KEU0FH0I4OJSN NS SOA RRSIG DNSKEY NSEC3PARAM
+ 7200 RRSIG NSEC3 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ D3xq+CkK/a8YSbh9o8WwWnenjDQ3weVdtZ0x
+ i6bOv3iRITOfCRjYgbeIYtjMFb1rZwgCPD40
+ JQgGu5mx1TjnGA== )
--- /dev/null
+; File written on Tue Mar 2 10:59:46 2010
+; dnssec_signzone version 9.7.0
+dyn.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
+ 19 ; serial
+ 43200 ; refresh (12 hours)
+ 1800 ; retry (30 minutes)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 7200 RRSIG SOA 7 3 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ eNZruaQkUB/jteZtRkZ957BX65zjXIGaKlkf
+ Bq0XW8OgyHYCvJiB7waJYyiWKeQskp0Z90JF
+ 34WMUztuTvWUTA== )
+ 7200 NS ns1.example.net.
+ 7200 NS ns2.example.net.
+ 7200 RRSIG NS 7 3 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ obQoowLwuBixnopoSvUsXvwveB7Pqmeblt2S
+ 5SXo7ztPNcM1hTdWfIEwRDpQ2DhOfGYi0Ov0
+ xEmMlPheVZkW6g== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAfqG0rb9Ear+Pv7xBg9lc9czF+2YUa8R
+ is63E/oRRGQEH5U/ZS3Axz3aOhPFKzAAhjfa
+ G3vTNW3Wl4bl4ITFZrk=
+ ) ; key id = 30323
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeqEDYgA5lns1VsMJiZfTWMEguameVmO
+ oBYx8s1uLzmS/3APsh1eWCeoBgAjRry1tpM/
+ bPowyuygE4H0LpzNQLm9RbjDmpDN8Gwi3AjE
+ nG4HCT58TuAVxjiefN+vb1pvyFlAL58YOkuG
+ f9tG/NJMNc+XrULAU1ey2dT9Fh+SCVO3
+ ) ; key id = 52935
+ 3600 RRSIG DNSKEY 7 3 3600 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ 4xQy+G1g8IHVp3NTxHtUIaz/G+h6+ce4SRum
+ bftLFS9rXV13wSa761J1YoDYx8lj98IDBuED
+ 94980qJWjgNfdw== )
+ 3600 RRSIG DNSKEY 7 3 3600 20100308085946 (
+ 20100302085946 52935 dyn.example.net.
+ VmL0mzUoBzSX+5gB/9MsHUFWBbHrVoyMUjnw
+ mR7FyrZMfNgz4rf6J2bZ8a8zYGvSXEBrangQ
+ kkPlxuvNxzn2s+Ji+crfUNa2ZFzRKA8BBczU
+ 0WLETC5QKonjiAzofCcP15OPN4H18y9WMfE/
+ wU0oPhcd8d31Ckf2jPaSdTS8NMk= )
+ 0 NSEC3PARAM 1 0 10 76931F
+ 0 RRSIG NSEC3PARAM 7 3 0 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ GSTGjHni3oZ1Nod57kXFkxcOiKXTzjfJ0PDy
+ hjDfzYS1QKtKA6LzkaBzyl5HK+Yy3DOcep7G
+ dj7VJG8bsa9S/A== )
+localhost.dyn.example.net. 7200 IN A 127.0.0.1
+ 7200 RRSIG A 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ N5t+OxMeH2rozoIM1ZtXUpnpSep3Qd1J/KUE
+ LjkisP6KvmwVhkbdcv44KbgS5aR16RJOlFdW
+ +ilc8QpZ4bvqlQ== )
+ns1.dyn.example.net. 7200 IN A 1.0.0.5
+ 7200 RRSIG A 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ 2DoRBkfIQEBmEeo2Z02SA329ebgp2lFQ2Ykl
+ Qe5S+J6ZMjVdZyjW8XqBCiqEg6fNbQyUFn3X
+ pSVvabUPjJpHWA== )
+ 7200 AAAA 2001:db8::53
+ 7200 RRSIG AAAA 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ XD+JHAergnT3NDQqEUGv52GNdcF1U1SitccE
+ y5iL4Dk0qVu+uEA4TVupnMhwOK+wl8759Yw/
+ SF6h6CzzKx0Eiw== )
+ns2.dyn.example.net. 7200 IN A 1.2.0.6
+ 7200 RRSIG A 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ S+CpXVolhedS2bFTNdoNAPd+T2Bi/5iKVcKJ
+ 9S27k/tpifBNVjAQPktM9iya60upXxuOkHqt
+ /uuF4iTlh9Yukw== )
+x.dyn.example.net. 7200 IN A 1.2.3.4
+ 7200 RRSIG A 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ Fb+8g0K+/6ZkXctNOprGKyJC1Y5pFizibI3o
+ k2E6aDN8hUJ5FK/1fkRl5IQ7HDpAUZviWaQp
+ j9tfr9r9xW0bMw== )
+y.dyn.example.net. 7200 IN A 1.2.3.5
+ 7200 RRSIG A 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ S1l/dM/Ez91B4Py7mI/GESjgqccGIwi9clyc
+ Vj3S40uF4dGaAgxoCDS0pMvyS0k7ir0g1qbK
+ /csopbL0wHSaVg== )
+z.dyn.example.net. 7200 IN A 1.2.3.6
+ 7200 RRSIG A 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ SgorWJQS6SiDvv6KRmWQEcUaaCkMCHZDcSMx
+ JiOT84ygkUBCzwTykQskoNtbUSIfAASU3lE7
+ e31RZotcxlkirQ== )
+A54T6DKFVU4QCAFFNJ0KEU0FH0I4OJSN.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F AJHVGTICN6K0VDA53GCHFMT219SRRQLM A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ hp879kZpD/Qe+d4FoanRewI4CXMuTOMcao5G
+ S7quT3mr+Mgi1nrSSz+/IBhlzCipziFjY42a
+ TNt8FoYo9Z8irw== )
+AJHVGTICN6K0VDA53GCHFMT219SRRQLM.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7 A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ 1MC5bqNXkVG4gaFKJQJBG7v4ZKOht6EJEkUZ
+ nAwTF2Nw5mWFFMBbOwVMtbJFA+ewHrebB6cK
+ FitvPi3yLDW8aA== )
+FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F I7A7A184GGMI35K1E3IR650LKO7NOB5R A AAAA RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ 7Y+yhH11EojLDu43C8dCuD6D0F4RZYUt9J0+
+ KUfRVUMhftYsMl6G2qgkfsgJE+FG1Nj/nI+b
+ pO7VSJGfV5Za4A== )
+I7A7A184GGMI35K1E3IR650LKO7NOB5R.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F IMQ912BREQP1POLAH3RMONG3UED541AS A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ K0ggT6yH7z1YshOb08se84cRWvWWeQFdMTDG
+ XhA/2UEamfE1NHetPuYzJZQdrVPeX3tgjCjS
+ Jmb3YuSE1XD3zQ== )
+IMQ912BREQP1POLAH3RMONG3UED541AS.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7 A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ mQoG3VBXfi7u2+zlmJttsGaStP3WvDPDQ99T
+ l2ha4zmpZPd1JUKHMXYTLTlUuWAq7BcS9MUn
+ hfhXcmSEr96K1Q== )
+S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F T320G5LC07QE1BLR074KORIJTG9DPTI9 A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ 0/TWe9HMZiA+yW0oLHkYKeIXrrXU/1ec8XDy
+ cbZM1IGPjHlMEjKKorZgx983FuiyKFLa97+3
+ bB3abnKo7e2yRQ== )
+T320G5LC07QE1BLR074KORIJTG9DPTI9.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F A54T6DKFVU4QCAFFNJ0KEU0FH0I4OJSN NS SOA RRSIG DNSKEY NSEC3PARAM
+ 7200 RRSIG NSEC3 7 4 7200 20100308085946 (
+ 20100302085946 30323 dyn.example.net.
+ BXRjHUGEmoz1cMAXSCmfFVe6+qCYVyivjeAT
+ 7hPcfB8iS2ck8Sq/CjOAKBu0BeSBim+9Oduu
+ kKNL3thgyMPcug== )
--- /dev/null
+;-----------------------------------------------------------------
+;
+; @(#) dyn.example.net/zone.org
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+@ IN SOA ns1.example.net. hostmaster.example.net. (
+ 1 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+ IN NS ns1.example.net.
+ IN NS ns2.example.net.
+
+ns1 IN A 1.0.0.5
+ IN AAAA 2001:db8::53
+ns2 IN A 1.2.0.6
+
+localhost IN A 127.0.0.1
+
+x IN A 1.2.3.4
+y IN A 1.2.3.5
+z IN A 1.2.3.6
+
+$INCLUDE dnskey.db
+
--- /dev/null
+;% generationtime=20110125190230
+;% lifetime=63d
+example.net. IN DNSKEY 256 3 8 BQEAAAAB7desjYpHAzsGmTzPFFuG4KGIG7ne8tII7DIMRIFaxuSYbQz0 kwC61utqnqzcgCXJQiKJxpKBt/Ikaf2K4JW0gQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: 7desjYpHAzsGmTzPFFuG4KGIG7ne8tII7DIMRIFaxuSYbQz0kwC61utqnqzcgCXJQiKJxpKBt/Ikaf2K4JW0gQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: IVO4lg5Ev/f/GpSRfYuXmUMH3qrv5Cr+ZAMqT+xGNJdyvlMAVV0ZDZehj/ar8brkm+sdrJ3LepVTEz0vLXPCgQ==
+Prime1: /Ru1X3jzyO19+aLhf/Hsu0WOdjn0MAWzKx0KwWPkxcs=
+Prime2: 8I9Q89DvF0qZqkF9kVzZ4B1LYdHz3uhKaxD40vu4xWM=
+Exponent1: fSAVRShndbuiQZtsVHyekvPH4Xjl1dJ3hF03O4InOAc=
+Exponent2: JJDvU+0J0KXaBArxDjoblXTKWVC3kGnLR+2AEpxei7k=
+Coefficient: RviZPpnVpS30oBPH1freoUgcXJ4bKnivP41BUxcVh4U=
--- /dev/null
+;% generationtime=20110125091121
+;% lifetime=84d
+example.net. IN DNSKEY 256 3 8 BQEAAAABvX6JNSNXHzrqpKi2REOwcsAuGjWI1VCJlz1NzV/pIt9PqGnJ DqtlV3vxuy7fAu85Z5Syaikiyx/z2uT4VMCvxw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: vX6JNSNXHzrqpKi2REOwcsAuGjWI1VCJlz1NzV/pIt9PqGnJDqtlV3vxuy7fAu85Z5Syaikiyx/z2uT4VMCvxw==
+PublicExponent: AQAAAAE=
+PrivateExponent: a77DD9J85SYlVi2lIKdzfHFkqtTFvQjTiLih+sx3lnhefQ5N20ABJVpTMwMOoA5tiDanSmKkk7O+GJXvI6E+KQ==
+Prime1: 7S87u5BoQFYbGZzGaBPAqznZt7X1g2J/qop4W9rziy0=
+Prime2: zIbOBuf2onI1ThmHXGPQEdQoFoJx3GqTkYjzUQQOL0M=
+Exponent1: YfyQEtL2twRiwb8RIlKR3OE/rhnfqZYr9dwgRa0qjAU=
+Exponent2: x73r1pDdvUShLs8hvmY0soX6a2Dcbokdf1D82/iCDU8=
+Coefficient: 1r/5mih7lqQx4ZIEcr8TmQWMscwDGk3eERsFuSYGt0c=
--- /dev/null
+;% generationtime=20100924112635
+;% lifetime=365d
+example.net. IN DNSKEY 257 3 8 BQEAAAABC6qZRCQRp2qnmxvWal1kergOJ1xQ5wGD+HZFLEvsvD8sU0i1 BGJoeDK5N/07S7s0aYVdIViQ1/CmpqBgahnlOKAoMO3eYnTuFRE7HqJK 1CSN2+nvN1m+miz+vfSPSOLeP2u8GAwIJmq/gb78AWStvW6HAXrDfaiq vqb4MDZCvplachhyHfngVLFYI22tyivUmzN/pRBePYGQ1nVsK1cPYDPp 4Q==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: C6qZRCQRp2qnmxvWal1kergOJ1xQ5wGD+HZFLEvsvD8sU0i1BGJoeDK5N/07S7s0aYVdIViQ1/CmpqBgahnlOKAoMO3eYnTuFRE7HqJK1CSN2+nvN1m+miz+vfSPSOLeP2u8GAwIJmq/gb78AWStvW6HAXrDfaiqvqb4MDZCvplachhyHfngVLFYI22tyivUmzN/pRBePYGQ1nVsK1cPYDPp4Q==
+PublicExponent: AQAAAAE=
+PrivateExponent: A3MjVh+KkQuwpnsGnr/xPRs8PfwUIDu7NYQVKpQAttLnZPOEXsjPniy3QuBpIMnnBCbxYaOV0ctiYQOx6vU8qprrSD8OfXXI8OhBNgExvw/Bsfki3MQINAHX0wY9juuIoMLKdqcMpsUC6ILE4FSkcc+jVFbTrDqjQgDDykkpABrlG1SUz51hLOZMAz2vu8QE8m57LaPUPpRhNPf4J2dDfkX/KQ==
+Prime1: A3lFNBrVdcJBUq0ekPjtEZ0xCOTgSgUHAB+KJkdpiB0tV0jYf1Yaj7Kr98pKIM8jaZOhQnEKhAD947h4XG6IuxgraCNWonOyt5Yo9WjXFHzK0w==
+Prime2: A1vFf9Tp7MxblYWLsFUsMZxXVRxPpeoGtwmNm24k5bUPpH6/B7Yd8DcE6O3cYyHcShq8sZcuOuPhNkGwgg7IMRABXcLyCXqoEKvy0nhnbKCf+w==
+Exponent1: AQKRURkK7K15jiVVpw4nhd7Qtck1GkZon10UCQ5p2iE+weL+qhzi5L9u5mXLVaeGffwGkMkU6wvj5KSAuEiJr08+AxWfLy3Tf1fbiaiimPGDNQ==
+Exponent2: AfnXuwDet4BuUGa8EHswqADRk0XeWtxztKQ48YOh5Q5/3rauIIMm+6ERfu0gWfnkYaRNamKSXMDVC5PUQHT33u0gGnopMipao6xICXGxbrGhCQ==
+Coefficient: AYM1htjFUUAPKrVoajGJF+wLlQHBR3vrylKNpT5IFqr6Qczw54kfhx9n/18vIvtGIpj07xSEIfgBf+itZIRxPOwphkwaJXmHZKpYHpEvdqiyjA==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: 2IOedrEUxH0Mxn3f24ZP9b5r+SHcFyFZ2vXNIqmuILVO40MrW+R4H0UsQURAfKTFZeka2EsC7CEIyuEgkloDBQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: FzC3Jdpl35o/UUyvZ/7sc8BRpfDuIgMnHA1a9WwxZz20Tqki3snE/Nz4ePNNv/5LGrzFlOnPtEd1GT2biUKzVQ==
+Prime1: /4YvvO0nbMJxZ4dHbYKl2pGe0hSgEUYnTNnuVbSEKrM=
+Prime2: 2OrV7XGOYCMXr/WIrD0NCBnqU1tsizPQNMIjwXuuV2c=
+Exponent1: 63ub+oH78z6TercHscYOS7HpYttDzC1YV3oupGyRNDs=
+Exponent2: A4HpxW8K6ivUb2RbKDBaze8ivr5u41hJPsbn4FQzB3E=
+Coefficient: Lz1Gg/PtC9HOrhFORXlzzkzb+5PeFIGq43mtGx7oAUo=
--- /dev/null
+;% generationtime=20100924112635
+;% lifetime=84d
+example.net. IN DNSKEY 256 3 8 BQEAAAAB2IOedrEUxH0Mxn3f24ZP9b5r+SHcFyFZ2vXNIqmuILVO40Mr W+R4H0UsQURAfKTFZeka2EsC7CEIyuEgkloDBQ==
--- /dev/null
+;
+; !!! Don't edit this file by hand.
+; !!! It will be generated by zkt-signer.
+;
+; Last generation time Jan 25 2011 20:02:30
+;
+
+; *** List of Key Signing Keys ***
+; example.net. tag=52101 algo=RSASHA256 generated Sep 24 2010 13:26:35
+example.net. 14400 IN DNSKEY 257 3 8 (
+ BQEAAAABC6qZRCQRp2qnmxvWal1kergOJ1xQ5wGD+HZFLEvsvD8sU0i1
+ BGJoeDK5N/07S7s0aYVdIViQ1/CmpqBgahnlOKAoMO3eYnTuFRE7HqJK
+ 1CSN2+nvN1m+miz+vfSPSOLeP2u8GAwIJmq/gb78AWStvW6HAXrDfaiq
+ vqb4MDZCvplachhyHfngVLFYI22tyivUmzN/pRBePYGQ1nVsK1cPYDPp
+ 4Q==
+ ) ; key id = 52101
+
+; *** List of Zone Signing Keys ***
+; example.net. tag=21605 algo=RSASHA256 generated Jan 25 2011 19:39:25
+example.net. 14400 IN DNSKEY 256 3 8 (
+ BQEAAAABvX6JNSNXHzrqpKi2REOwcsAuGjWI1VCJlz1NzV/pIt9PqGnJ
+ DqtlV3vxuy7fAu85Z5Syaikiyx/z2uT4VMCvxw==
+ ) ; key id = 21605
+
+; example.net. tag=56360 algo=RSASHA256 generated Jan 25 2011 19:39:25
+example.net. 14400 IN DNSKEY 256 3 8 (
+ BQEAAAAB2IOedrEUxH0Mxn3f24ZP9b5r+SHcFyFZ2vXNIqmuILVO40Mr
+ W+R4H0UsQURAfKTFZeka2EsC7CEIyuEgkloDBQ==
+ ) ; key id = 56360
+
+; example.net. tag=2957 algo=RSASHA256 generated Jan 25 2011 20:02:30
+example.net. 14400 IN DNSKEY 256 3 8 (
+ BQEAAAAB7desjYpHAzsGmTzPFFuG4KGIG7ne8tII7DIMRIFaxuSYbQz0
+ kwC61utqnqzcgCXJQiKJxpKBt/Ikaf2K4JW0gQ==
+ ) ; key id = 2957
+
Key_Algo: RSASHA256 # (Algorithm ID 8)
NSEC3: OPTOUT
+ZSKpermanent: true
2010-03-11 23:53:27.856: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 67AA7F -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-03-11 23:53:27.920: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-03-11 23:53:27.920: debug: Signing completed after 0s.
+2010-07-05 08:15:24.179: debug: Check RFC5011 status
+2010-07-05 08:15:24.179: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-07-05 08:15:24.179: debug: Check KSK status
+2010-07-05 08:15:24.179: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h49m44s
+2010-07-05 08:15:24.179: debug: Check ZSK status
+2010-07-05 08:15:24.179: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081384 sec)
+2010-07-05 08:15:24.179: debug: ->waiting for published key
+2010-07-05 08:15:24.179: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h49m44s: ZSK rollover deferred: waiting for published key
+2010-07-05 08:15:24.179: debug: New key for publishing needed
+2010-07-05 08:15:24.278: debug: ->creating new key 48476
+2010-07-05 08:15:24.278: info: "example.net.": new key 48476 generated for publishing
+2010-07-05 08:15:24.278: debug: Re-signing necessary: Modfied zone key set
+2010-07-05 08:15:24.278: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-07-05 08:15:24.278: debug: Writing key file "./example.net/dnskey.db"
+2010-07-05 08:15:24.278: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-07-05 08:15:24.278: debug: Signing zone "example.net."
+2010-07-05 08:15:24.278: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 5816F0 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-07-05 08:15:24.315: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-07-05 08:15:24.315: debug: Signing completed after 0s.
+2010-07-05 08:15:28.174: debug: Check RFC5011 status
+2010-07-05 08:15:28.174: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-07-05 08:15:28.174: debug: Check KSK status
+2010-07-05 08:15:28.174: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h49m48s
+2010-07-05 08:15:28.174: debug: Check ZSK status
+2010-07-05 08:15:28.174: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081388 sec)
+2010-07-05 08:15:28.174: debug: ->waiting for published key
+2010-07-05 08:15:28.174: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h49m48s: ZSK rollover deferred: waiting for published key
+2010-07-05 08:15:28.174: debug: Re-signing not necessary!
+2010-07-05 08:15:28.174: debug: Check if there is a parent file to copy
+2010-07-05 08:15:58.502: debug: Check RFC5011 status
+2010-07-05 08:15:58.502: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-07-05 08:15:58.503: debug: Check KSK status
+2010-07-05 08:15:58.503: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h50m18s
+2010-07-05 08:15:58.503: debug: Check ZSK status
+2010-07-05 08:15:58.503: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081418 sec)
+2010-07-05 08:15:58.503: debug: ->waiting for published key
+2010-07-05 08:15:58.503: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h50m18s: ZSK rollover deferred: waiting for published key
+2010-07-05 08:15:58.503: debug: Re-signing not necessary!
+2010-07-05 08:15:58.503: debug: Check if there is a parent file to copy
+2010-07-05 08:16:04.937: debug: Check RFC5011 status
+2010-07-05 08:16:04.937: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-07-05 08:16:04.937: debug: Check KSK status
+2010-07-05 08:16:04.937: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h50m24s
+2010-07-05 08:16:04.937: debug: Check ZSK status
+2010-07-05 08:16:04.937: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081424 sec)
+2010-07-05 08:16:04.937: debug: ->waiting for published key
+2010-07-05 08:16:04.937: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h50m24s: ZSK rollover deferred: waiting for published key
+2010-07-05 08:16:04.937: debug: Re-signing necessary: Option -f
+2010-07-05 08:16:04.937: notice: "example.net.": re-signing triggered: Option -f
+2010-07-05 08:16:04.937: debug: Writing key file "./example.net/dnskey.db"
+2010-07-05 08:16:04.937: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-07-05 08:16:04.937: debug: Signing zone "example.net."
+2010-07-05 08:16:04.937: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 C58544 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-07-05 08:16:04.993: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-07-05 08:16:04.993: debug: Signing completed after 0s.
+2010-07-05 08:16:33.604: debug: Check RFC5011 status
+2010-07-05 08:16:33.604: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-07-05 08:16:33.604: debug: Check KSK status
+2010-07-05 08:16:33.604: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h50m53s
+2010-07-05 08:16:33.604: debug: Check ZSK status
+2010-07-05 08:16:33.604: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081453 sec)
+2010-07-05 08:16:33.604: debug: ->waiting for published key
+2010-07-05 08:16:33.604: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h50m53s: ZSK rollover deferred: waiting for published key
+2010-07-05 08:16:33.604: debug: Re-signing necessary: Option -f
+2010-07-05 08:16:33.604: notice: "example.net.": re-signing triggered: Option -f
+2010-07-05 08:16:33.604: debug: Writing key file "./example.net/dnskey.db"
+2010-07-05 08:16:33.605: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-07-05 08:16:33.605: debug: Signing zone "example.net."
+2010-07-05 08:16:33.605: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 FCB8E2 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-07-05 08:16:33.648: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-07-05 08:16:33.648: debug: Signing completed after 0s.
+2010-07-30 01:30:55.411: debug: Check RFC5011 status
+2010-07-30 01:30:55.411: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-07-30 01:30:55.411: debug: Check KSK status
+2010-07-30 01:30:55.411: debug: Check ZSK status
+2010-07-30 01:30:55.411: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (2130473 sec)
+2010-07-30 01:30:55.411: debug: ->depreciate it
+2010-07-30 01:30:55.411: debug: ->activate published key 48476
+2010-07-30 01:30:55.411: notice: "example.net.": lifetime of zone signing key 36257 exceeded: ZSK rollover done
+2010-07-30 01:30:55.411: debug: New key for publishing needed
+2010-07-30 01:30:55.493: debug: ->creating new key 1775
+2010-07-30 01:30:55.493: info: "example.net.": new key 1775 generated for publishing
+2010-07-30 01:30:55.493: debug: Re-signing necessary: Modfied zone key set
+2010-07-30 01:30:55.493: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-07-30 01:30:55.493: debug: Writing key file "./example.net/dnskey.db"
+2010-07-30 01:30:55.493: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-07-30 01:30:55.493: debug: Signing zone "example.net."
+2010-07-30 01:30:55.494: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 3723BA -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-07-30 01:30:55.563: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-07-30 01:30:55.563: debug: Signing completed after 0s.
+2010-08-26 22:52:09.539: debug: Check RFC5011 status
+2010-08-26 22:52:09.539: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 22:52:09.539: debug: Check KSK status
+2010-08-26 22:52:09.539: debug: Check ZSK status
+2010-08-26 22:52:09.539: debug: Lifetime(29100 sec) of depreciated key 36257 exceeded (2409674 sec)
+2010-08-26 22:52:09.539: info: "example.net.": old ZSK 36257 removed
+2010-08-26 22:52:09.572: debug: ->remove it
+2010-08-26 22:52:09.572: debug: Lifetime(1209600 +/-150 sec) of active key 48476 exceeded (2409674 sec)
+2010-08-26 22:52:09.572: debug: ->depreciate it
+2010-08-26 22:52:09.572: debug: ->activate published key 1775
+2010-08-26 22:52:09.572: notice: "example.net.": lifetime of zone signing key 48476 exceeded: ZSK rollover done
+2010-08-26 22:52:09.572: debug: New key for publishing needed
+2010-08-26 22:52:09.640: debug: ->creating new key 26477
+2010-08-26 22:52:09.640: info: "example.net.": new key 26477 generated for publishing
+2010-08-26 22:52:09.640: debug: Re-signing necessary: Modfied zone key set
+2010-08-26 22:52:09.640: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-08-26 22:52:09.640: debug: Writing key file "./example.net/dnskey.db"
+2010-08-26 22:52:09.641: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-08-26 22:52:09.641: debug: Signing zone "example.net."
+2010-08-26 22:52:09.641: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 2F41F9 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-08-26 22:52:09.704: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-08-26 22:52:09.704: debug: Signing completed after 0s.
+2010-08-26 22:56:02.938: debug: Check RFC5011 status
+2010-08-26 22:56:02.938: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 22:56:02.938: debug: Check KSK status
+2010-08-26 22:56:02.938: debug: Check ZSK status
+2010-08-26 22:56:02.938: debug: Re-signing not necessary!
+2010-08-26 22:56:02.938: debug: Check if there is a parent file to copy
+2010-08-26 23:06:00.593: debug: Check RFC5011 status
+2010-08-26 23:06:00.593: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:06:00.593: debug: Check KSK status
+2010-08-26 23:06:00.593: debug: Check ZSK status
+2010-08-26 23:06:00.593: debug: New key for publishing needed
+2010-08-26 23:06:00.631: debug: ->creating new key 18026
+2010-08-26 23:06:00.631: info: "example.net.": new key 18026 generated for publishing
+2010-08-26 23:06:00.631: debug: Re-signing necessary: Modfied zone key set
+2010-08-26 23:06:00.631: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-08-26 23:06:00.631: debug: Writing key file "./example.net/dnskey.db"
+2010-08-26 23:06:00.631: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-08-26 23:06:00.631: debug: Signing zone "example.net."
+2010-08-26 23:06:00.631: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 5EA89E -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-08-26 23:06:00.672: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-08-26 23:06:00.672: debug: Signing completed after 0s.
+2010-08-26 23:11:33.808: debug: Check RFC5011 status
+2010-08-26 23:11:33.808: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:11:33.809: debug: Check KSK status
+2010-08-26 23:11:33.809: debug: Check ZSK status
+2010-08-26 23:11:33.809: debug: Re-signing not necessary!
+2010-08-26 23:11:33.809: debug: Check if there is a parent file to copy
+2010-08-26 23:12:51.012: debug: Check RFC5011 status
+2010-08-26 23:12:51.012: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:12:51.012: debug: Check KSK status
+2010-08-26 23:12:51.012: debug: Check ZSK status
+2010-08-26 23:12:51.012: debug: Re-signing not necessary!
+2010-08-26 23:12:51.012: debug: Check if there is a parent file to copy
+2010-08-26 23:23:47.886: debug: Check RFC5011 status
+2010-08-26 23:23:47.886: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:23:47.886: debug: Check KSK status
+2010-08-26 23:23:47.886: debug: Check ZSK status
+2010-08-26 23:23:47.886: debug: Re-signing not necessary!
+2010-08-26 23:23:47.886: debug: Check if there is a parent file to copy
+2010-08-26 23:50:15.724: debug: Check RFC5011 status
+2010-08-26 23:50:15.724: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:50:15.724: debug: Check KSK status
+2010-08-26 23:50:15.724: debug: Check ZSK status
+2010-08-26 23:50:15.725: debug: Re-signing not necessary!
+2010-08-26 23:50:15.725: debug: Check if there is a parent file to copy
+2010-08-26 23:50:55.124: debug: Check RFC5011 status
+2010-08-26 23:50:55.124: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:50:55.124: debug: Check KSK status
+2010-08-26 23:50:55.124: debug: Check ZSK status
+2010-08-26 23:50:55.124: debug: Re-signing not necessary!
+2010-08-26 23:50:55.124: debug: Check if there is a parent file to copy
+2010-08-26 23:51:46.719: debug: Check RFC5011 status
+2010-08-26 23:51:46.719: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:51:46.719: debug: Check KSK status
+2010-08-26 23:51:46.719: debug: Check ZSK status
+2010-08-26 23:51:46.719: debug: Re-signing not necessary!
+2010-08-26 23:51:46.719: debug: Check if there is a parent file to copy
+2010-08-26 23:54:22.824: debug: Check RFC5011 status
+2010-08-26 23:54:22.824: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:54:22.824: debug: Check KSK status
+2010-08-26 23:54:22.824: debug: Check ZSK status
+2010-08-26 23:54:22.824: debug: Re-signing not necessary!
+2010-08-26 23:54:22.825: debug: Check if there is a parent file to copy
+2010-08-26 23:55:00.018: debug: Check RFC5011 status
+2010-08-26 23:55:00.018: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:55:00.018: debug: Check KSK status
+2010-08-26 23:55:00.018: debug: Check ZSK status
+2010-08-26 23:55:00.018: debug: New key for pre-publishing needed
+2010-08-26 23:55:00.110: debug: ->creating new key 18293
+2010-08-26 23:55:00.110: info: "example.net.": new key 18293 generated for pre-publishing
+2010-08-26 23:55:00.110: debug: Re-signing necessary: Modfied zone key set
+2010-08-26 23:55:00.110: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-08-26 23:55:00.110: debug: Writing key file "./example.net/dnskey.db"
+2010-08-26 23:55:00.110: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-08-26 23:55:00.110: debug: Signing zone "example.net."
+2010-08-26 23:55:00.111: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 EBE919 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-08-26 23:55:00.168: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-08-26 23:55:00.169: debug: Signing completed after 0s.
+2010-08-26 23:56:17.466: debug: Check RFC5011 status
+2010-08-26 23:56:17.466: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:56:17.466: debug: Check KSK status
+2010-08-26 23:56:17.466: debug: Check ZSK status
+2010-08-26 23:56:17.466: debug: Re-signing necessary: Modfied zone key set
+2010-08-26 23:56:17.466: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-08-26 23:56:17.466: debug: Writing key file "./example.net/dnskey.db"
+2010-08-26 23:56:17.467: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-08-26 23:56:17.467: debug: Signing zone "example.net."
+2010-08-26 23:56:17.467: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 A876E5 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-08-26 23:56:17.531: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-08-26 23:56:17.531: debug: Signing completed after 0s.
+2010-08-26 23:57:00.178: debug: Check RFC5011 status
+2010-08-26 23:57:00.178: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-08-26 23:57:00.178: debug: Check KSK status
+2010-08-26 23:57:00.178: debug: Check ZSK status
+2010-08-26 23:57:00.178: debug: Re-signing not necessary!
+2010-08-26 23:57:00.178: debug: Check if there is a parent file to copy
+2010-10-21 14:01:35.546: debug: Check RFC5011 status
+2010-10-21 14:01:35.546: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-10-21 14:01:35.546: debug: Check KSK status
+2010-10-21 14:01:35.546: debug: Check ZSK status
+2010-10-21 14:01:35.546: debug: Re-signing necessary: re-signing interval (2d) reached
+2010-10-21 14:01:35.546: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-10-21 14:01:35.546: debug: Writing key file "./example.net/dnskey.db"
+2010-10-21 14:01:35.607: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-10-21 14:01:35.607: debug: Signing zone "example.net."
+2010-10-21 14:01:35.607: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 9FC981 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-10-21 14:01:35.761: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-10-21 14:01:35.761: debug: Signing completed after 0s.
+2010-10-21 14:02:09.209: debug: Check RFC5011 status
+2010-10-21 14:02:09.209: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-10-21 14:02:09.209: debug: Check KSK status
+2010-10-21 14:02:09.209: debug: Check ZSK status
+2010-10-21 14:02:09.209: debug: Re-signing not necessary!
+2010-10-21 14:02:09.209: debug: Check if there is a parent file to copy
+2010-10-21 14:05:36.170: debug: Check RFC5011 status
+2010-10-21 14:05:36.170: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-10-21 14:05:36.170: debug: Check KSK status
+2010-10-21 14:05:36.170: debug: Check ZSK status
+2010-10-21 14:05:36.170: debug: Re-signing not necessary!
+2010-10-21 14:05:36.170: debug: Check if there is a parent file to copy
+2010-10-21 14:30:43.892: debug: Check RFC5011 status
+2010-10-21 14:30:43.892: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-10-21 14:30:43.892: debug: Check KSK status
+2010-10-21 14:30:43.892: debug: Check ZSK status
+2010-10-21 14:30:43.892: debug: Re-signing not necessary!
+2010-10-21 14:30:43.892: debug: Check if there is a parent file to copy
--- /dev/null
+;-----------------------------------------------------------------
+;
+; @(#) example.net/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+; Ensure that the serial number below is left
+; justified in a field of at least 10 chars!!
+; 0123456789;
+; It's also possible to use the date format e.g. 2005040101
+@ IN SOA ns1.example.net. hostmaster.example.net. (
+ 386 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+ IN NS ns1.example.net.
+ IN NS ns2.example.net.
+
+ns1 IN A 1.0.0.5
+ IN AAAA 2001:db8::53
+ns2 IN A 1.2.0.6
+
+localhost IN A 127.0.0.1
+
+a IN A 1.2.3.1
+b IN MX 10 a
+;c IN A 1.2.3.2
+d IN A 1.2.3.3
+ IN AAAA 2001:0db8::3
+
+; Delegation to secure zone; The DS resource record will
+; be added by dnssec-signzone automatically if the
+; keyset-sub.example.net file is present (run dnssec-signzone
+; with option -g or use the dnssec-signer tool) ;-)
+sub IN NS ns1.example.net.
+
+; this file will contain all the zone keys
+$INCLUDE dnskey.db
+
--- /dev/null
+; File written on Thu Oct 21 14:01:35 2010
+; dnssec_signzone version 9.7.2-P2
+example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
+ 384 ; serial
+ 43200 ; refresh (12 hours)
+ 1800 ; retry (30 minutes)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 7200 RRSIG SOA 8 2 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ f+HC41CGvNmlXSvPzzMbtVreNYKWyBhvbeb+
+ NUSvbBfuSlVt6VbyPUBYSe5Vg1QJO3YKu0ZR
+ Pw5Y9TNCaWqZCA== )
+ 7200 NS ns1.example.net.
+ 7200 NS ns2.example.net.
+ 7200 RRSIG NS 8 2 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ aQpW5SQJ8Yx7++QWtRWMDoV+3OPjgTRC0PQC
+ zns3MTbpk2wIlhE7hqty+b+1EktEoMzmx73u
+ 5Fu0OPKO+2PS5w== )
+ 3600 DNSKEY 256 3 8 (
+ BQEAAAAB2IOedrEUxH0Mxn3f24ZP9b5r+SHc
+ FyFZ2vXNIqmuILVO40MrW+R4H0UsQURAfKTF
+ Zeka2EsC7CEIyuEgkloDBQ==
+ ) ; key id = 56360
+ 3600 DNSKEY 257 3 8 (
+ BQEAAAABC6qZRCQRp2qnmxvWal1kergOJ1xQ
+ 5wGD+HZFLEvsvD8sU0i1BGJoeDK5N/07S7s0
+ aYVdIViQ1/CmpqBgahnlOKAoMO3eYnTuFRE7
+ HqJK1CSN2+nvN1m+miz+vfSPSOLeP2u8GAwI
+ Jmq/gb78AWStvW6HAXrDfaiqvqb4MDZCvpla
+ chhyHfngVLFYI22tyivUmzN/pRBePYGQ1nVs
+ K1cPYDPp4Q==
+ ) ; key id = 52101
+ 3600 RRSIG DNSKEY 8 2 3600 20101027110135 (
+ 20101021110135 52101 example.net.
+ BlWP6PoxZFRZoLav7/+yPEgNIss17oxEJZtB
+ rVSiVb0BfwhL96KJ1uIOhK9r1+Tj8w3Ed7Oi
+ pocSTkZueV3OxFkBgSQAgc1JeUQTOVKYe80L
+ UFjl7UzV0eITIV1DE/QqWTBBblxjXF3Egy6O
+ 6/9IrD65LWOGnLFFOSUZQ9IU8jFX/zqq5FWQ
+ Sta2/tQkzhq5F42qw3dRBNsoUC1bQ38UsYSk
+ SQ== )
+ 3600 RRSIG DNSKEY 8 2 3600 20101027110135 (
+ 20101021110135 56360 example.net.
+ VXJh+xZt8/5Eeo8oQyI89nXGJ0bWeBN25kpw
+ asam+qpoKsH6g8qJRyL3mEwIFOaud2mlQx9y
+ cdv42Vf3kfY71w== )
+ 0 NSEC3PARAM 1 0 10 9FC981
+ 0 RRSIG NSEC3PARAM 8 2 0 20101027110135 (
+ 20101021110135 56360 example.net.
+ Fr4DrVORiEYUVCBmlRzjcEaKQ2VymMiMeJfd
+ gSWJzTzXbcuBbXDCfBRdph96Nz1xFvdOWvFn
+ xXxVOXW996AfEw== )
+a.example.net. 7200 IN A 1.2.3.1
+ 7200 RRSIG A 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ ZAuaFsvYdV1i4EqIgQoSzpkhMFJpJOOPIG9h
+ RXTT+LAUSFjOrFx2ovSgnySSiUV/LOsIV7bj
+ 08ZkIzSPYKi4Ow== )
+b.example.net. 7200 IN MX 10 a.example.net.
+ 7200 RRSIG MX 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ SEIMAVtIT/2TGxkS2NFMRQfrUROKO1pbxYcS
+ FHImCGhWILb1E7qQ0saLi9QTMftCwRmYtJ4w
+ aDwAukjuLXOAnA== )
+d.example.net. 7200 IN A 1.2.3.3
+ 7200 RRSIG A 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ 1URwzkjdIhBCBtBWV9aUhJQ3yFwqwgscvcVN
+ 9dvNqH5g7xLz+maqdeva065z0AkO5Et/9809
+ tm/0X2g0wQcoMQ== )
+ 7200 AAAA 2001:db8::3
+ 7200 RRSIG AAAA 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ fIUOcVYR9Ut+iWzE+R3N01bzLJ0gpSI1E0y0
+ cqEGpaU8mbgwnm4tAh57GKs8XZBbLEOH2zO8
+ 5WTEjWHpKjqx3Q== )
+localhost.example.net. 7200 IN A 127.0.0.1
+ 7200 RRSIG A 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ iIfD1pCP+uHs1RarezGlZZhoyQ6R+3K3s6ba
+ xZZ5JCremDhFYPeMinRMjZSPos2QyEM1aHI8
+ 2gXlxcb/y4+XRA== )
+ns1.example.net. 7200 IN A 1.0.0.5
+ 7200 RRSIG A 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ xBwgaFNo7+s4n4KnyZPR+1CESNVvXwUZHroC
+ dkEcLo8EF7+rbzFdDooJvD8wzlpy2nhwjLOL
+ ZxIfgZfNgkVXBw== )
+ 7200 AAAA 2001:db8::53
+ 7200 RRSIG AAAA 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ uSuzZH2J+pwcP1PKKgrdJrwyvh1kpWBsprgd
+ 9h59q9HYKR56LPx/3iuW7oCAO5fBFTp9pvcK
+ BI6f+4cs1Qpp6g== )
+ns2.example.net. 7200 IN A 1.2.0.6
+ 7200 RRSIG A 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ N+U/A0VJU9HWwk1j0CJtUN7Nw9g0A3oNeKP1
+ 7YJ1p0H6QvgRHDe9w8oX3iCg+IEBS9oLdTer
+ DXsbWVlZNXjTSw== )
+sub.example.net. 7200 IN NS ns1.example.net.
+ 7200 DS 855 7 1 (
+ 338E1808511D3E533F1C6B1DF27E0AABA8CC
+ 6FE8 )
+ 7200 DS 855 7 2 (
+ C07C1F2004ED12D40EEC82E4358BD8D2EDC1
+ 99C8E6126DD293A8E402E591C98A )
+ 7200 DS 33176 10 1 (
+ B7D045F9D7176BD0D00AF389856D18C0E361
+ C443 )
+ 7200 DS 33176 10 2 (
+ 627102FACA12A10C88F6C67915B720CC6888
+ 7CF1C10BC3E8EB864160F1965A18 )
+ 7200 RRSIG DS 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ N8A1y3qpsaJ0lP6d2I1y8YEuda7c2GY1kuCt
+ 9Mdao6oh7tL6XP2b/ELIBo6fsghfuW1KZfou
+ WkTbI4/HV5732g== )
+0SFBC13DNQA2CKBS24U09GPJMGD5QCF2.example.net. 7200 IN NSEC3 1 1 10 9FC981 16DIB0QP1341N7TSMI2MGCQ2MDNP6TFO NS SOA RRSIG DNSKEY NSEC3PARAM
+ 7200 RRSIG NSEC3 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ irEoMAQ1uehoU51rEkuM20++pBX8iPrFzQZk
+ 4VAe0AXbeMBphSh3oBB0I3p7w4UGXLuYR7MW
+ bDPNteuoui5QmQ== )
+16DIB0QP1341N7TSMI2MGCQ2MDNP6TFO.example.net. 7200 IN NSEC3 1 1 10 9FC981 222FFA4JCL3KC4NLGH9R685ISJKB205Q MX RRSIG
+ 7200 RRSIG NSEC3 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ 1rCPDG0uz8PbKQ98WLlu1R39HhKOrfjory5r
+ tTi/e3RA2IAksL8ZQaVW+EyRzLGSDM7TtciM
+ UEgK/utbE0WlqQ== )
+222FFA4JCL3KC4NLGH9R685ISJKB205Q.example.net. 7200 IN NSEC3 1 1 10 9FC981 AMEE10EPLHBGI9Q6ICVFSNVP2U0D0TVB A RRSIG
+ 7200 RRSIG NSEC3 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ 1jS0RwIW59DFCr2d+ghFW8yFdcaGJDCQFgVh
+ pNiTIijvvyiObt7EqfJJ5PPV8CqJsZEiIoh+
+ JRDEuSSrKCU6eA== )
+AMEE10EPLHBGI9Q6ICVFSNVP2U0D0TVB.example.net. 7200 IN NSEC3 1 1 10 9FC981 BOS6983BFUCMFRIQF1QMC1U4AU37TR6O A AAAA RRSIG
+ 7200 RRSIG NSEC3 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ OHYj80ju8hKFNSDNj//yDIXgTKM2NUyRO2cs
+ K1knzM/3L/GvmEm5nvHNepxj+surAl6mmaiT
+ k2wl4DOdTml60w== )
+BOS6983BFUCMFRIQF1QMC1U4AU37TR6O.example.net. 7200 IN NSEC3 1 1 10 9FC981 D8S4S8KU5O1TCASTGO9FEHHGUGO696U4 A AAAA RRSIG
+ 7200 RRSIG NSEC3 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ HwT0gQ7fVc5TYTc/SDQw9zMPmlSwlEW3cmVk
+ mjIQANQPFi597frcuVt26xAoUB71TXgGp+62
+ 3y2MyRs66kCrNg== )
+D8S4S8KU5O1TCASTGO9FEHHGUGO696U4.example.net. 7200 IN NSEC3 1 1 10 9FC981 DBLIJ0LAN19DVGU1E46BJ9R9SN5BRETC NS DS RRSIG
+ 7200 RRSIG NSEC3 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ R/YtEmQgd+tHTNQ8itKrFhy880QLYTpAVaER
+ 0dd9vITUKHG7Fhr67ACkWBOEec+d9kiL76cH
+ DHrDGZ+wKksLxg== )
+DBLIJ0LAN19DVGU1E46BJ9R9SN5BRETC.example.net. 7200 IN NSEC3 1 1 10 9FC981 H108GFD5147KMF1CLFQLQQBNSD733MPQ A RRSIG
+ 7200 RRSIG NSEC3 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ KTPX36NTHepXsZoUGwBTq6Qt86mSF4Z0hlaP
+ HbhF9A+BJwLx+Sg0ifX0qobfMwh+BZZQZ8E3
+ nSSyA5sIJWL39Q== )
+H108GFD5147KMF1CLFQLQQBNSD733MPQ.example.net. 7200 IN NSEC3 1 1 10 9FC981 0SFBC13DNQA2CKBS24U09GPJMGD5QCF2 A RRSIG
+ 7200 RRSIG NSEC3 8 3 7200 20101027110135 (
+ 20101021110135 56360 example.net.
+ dmGULq6gwCxRscDm0oCeFD6RnDkXWtaw85DO
+ UGwgczRooNDBkbD608EJgqDT+ds0IGwZazGq
+ ufB2hCiFNnNjyg== )
--- /dev/null
+sub.example.net.dlv.trusted-keys.de. IN DLV 42834 7 1 9660E85E9542C823D4E9860D778350AA5D8904E9
+sub.example.net.dlv.trusted-keys.de. IN DLV 42834 7 2 1337FB51C697B7CD20C8D6BBC498310588C78B3595FB53F35C871DBF EC86DAAE
+sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
+sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
--- /dev/null
+dyn.example.net. IN DS 52935 7 1 C8B16DDC8AFC66AFAB2E9BB5DD6D047A393870A9
+dyn.example.net. IN DS 52935 7 2 56D089B139FEB68FB9D09038920E51DF067C4FCFE62D6C67C61395BC 24E7D425
--- /dev/null
+example.net. IN DS 52101 8 1 F362C7CD57C0D663B783B763564C00C40A85AA69
+example.net. IN DS 52101 8 2 0F94D302E97BBAFD0495E7C13B2428E8597084604053183DE9C8C4C3 EF2FAED1
--- /dev/null
+sub.example.net. IN DS 855 7 1 338E1808511D3E533F1C6B1DF27E0AABA8CC6FE8
+sub.example.net. IN DS 855 7 2 C07C1F2004ED12D40EEC82E4358BD8D2EDC199C8E6126DD293A8E402 E591C98A
+sub.example.net. IN DS 33176 10 1 B7D045F9D7176BD0D00AF389856D18C0E361C443
+sub.example.net. IN DS 33176 10 2 627102FACA12A10C88F6C67915B720CC68887CF1C10BC3E8EB864160 F1965A18
--- /dev/null
+$ORIGIN .
+dyn.example.net 7200 IN DNSKEY 257 3 7 (
+ AwEAAeqEDYgA5lns1VsMJiZfTWMEguameVmO
+ oBYx8s1uLzmS/3APsh1eWCeoBgAjRry1tpM/
+ bPowyuygE4H0LpzNQLm9RbjDmpDN8Gwi3AjE
+ nG4HCT58TuAVxjiefN+vb1pvyFlAL58YOkuG
+ f9tG/NJMNc+XrULAU1ey2dT9Fh+SCVO3
+ ) ; key id = 52935
--- /dev/null
+$ORIGIN .
+example.net 7200 IN DNSKEY 257 3 8 (
+ BQEAAAABC6qZRCQRp2qnmxvWal1kergOJ1xQ
+ 5wGD+HZFLEvsvD8sU0i1BGJoeDK5N/07S7s0
+ aYVdIViQ1/CmpqBgahnlOKAoMO3eYnTuFRE7
+ HqJK1CSN2+nvN1m+miz+vfSPSOLeP2u8GAwI
+ Jmq/gb78AWStvW6HAXrDfaiqvqb4MDZCvpla
+ chhyHfngVLFYI22tyivUmzN/pRBePYGQ1nVs
+ K1cPYDPp4Q==
+ ) ; key id = 52101
--- /dev/null
+$ORIGIN .
+sub.example.net 7200 IN DNSKEY 257 3 7 (
+ AwEAAcN4oi+shB1ZNhIXtSBuhAJKDp95Bc4H
+ 3MyhMxUos7VWVrsAxNK8u900fdubtofcoLR4
+ FAoaPpX7LhQ1OPh+9RR4VIYrwilGkf2ZtZh0
+ URwOruYqvJAIf6ZTxyakaUaY5m0ABl1learg
+ +XhjBHcMz3Lvx4Opnw5qsM+vnqJT15vd
+ ) ; key id = 855
+ 7200 IN DNSKEY 257 3 10 (
+ BQEAAAABug/pvRR/mv4qDN3gWFRiir/6UNpn
+ uBuVC4z7xeaNk/KdvcdDibLrSZaGfcq7no3c
+ PvRsJ/U7S6VvYXFZNaXvqJ66ZGcCtImIoaCZ
+ IQboz3hFelJb/62KqZWcj1anv7+LmfYpuA1U
+ JCWpFriWYhzuT3q98lG/c7XqiX79Ytoy6P0=
+ ) ; key id = 33176
--- /dev/null
+/*****************************************************************
+**
+** #(@) named.conf (c) 6. May 2004 (hoz)
+**
+*****************************************************************/
+
+/*****************************************************************
+** logging options
+*****************************************************************/
+logging {
+ channel "named-log" {
+ file "/var/log/named" versions 3 size 2m;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
+ };
+ channel "resolver-log" {
+ file "/var/log/named";
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity debug 1;
+ };
+ channel "dnssec-log" {
+# file "/var/log/named-dnssec" ;
+ file "/var/log/named" ;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity debug 3;
+ };
+ category "dnssec" { "dnssec-log"; };
+ category "default" { "named-log"; };
+ category "resolver" { "resolver-log"; };
+ category "client" { "resolver-log"; };
+ category "queries" { "resolver-log"; };
+};
+
+/*****************************************************************
+** name server options
+*****************************************************************/
+options {
+ directory ".";
+
+ dump-file "/var/log/named_dump.db";
+ statistics-file "/var/log/named.stats";
+
+ listen-on-v6 { any; };
+
+ query-source address * port 53;
+ transfer-source * port 53;
+ notify-source * port 53;
+
+ recursion yes;
+ dnssec-enable yes;
+ edns-udp-size 4096;
+
+# dnssec-lookaside "." trust-anchor "trusted-keys.de.";
+
+ querylog yes;
+
+};
+
+/*****************************************************************
+** include shared secrets...
+*****************************************************************/
+/** for control sessions ... **/
+controls {
+ inet 127.0.0.1
+ allow { localhost; };
+ inet ::1
+ allow { localhost; };
+};
+
+/*****************************************************************
+** ... and trusted_keys
+*****************************************************************/
+# include "trusted-keys.conf" ;
+
+/*****************************************************************
+** root server hints and required 127 stuff
+*****************************************************************/
+zone "." in {
+ type hint;
+ file "root.hint";
+};
+
+zone "localhost" in {
+ type master;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.ARPA" in {
+ type master;
+ file "127.0.0.zone";
+};
+
+#include "zone.conf";
+
+zone "example.NET." in {
+ type master;
+ file "example.net/zone.db.signed";
+ zone-statistics yes;
+};
+
+zone "sub.example.NET." in {
+ type master;
+ file "sub.example.net/zone.db.signed";
+ zone-statistics no;
+};
--- /dev/null
+;% generationtime=20110125091121
+;% lifetime=365d
+sub.example.net. IN DNSKEY 257 3 5 BQEAAAABCwsLhN2Fe4nAorCoXf8CU2c4QqxPyNDVOoGrOSw/u883bF0w hFeEDwQjnHD5xMwNvMk8gNJnxv2kp6lgUcx7CgC08VQD2ko9e4zLSvoR WqFZ57LXKDpKdNLuVHDA6RObDX1PG0wjeWTa2lXshlhGgnGnrQhnCjYl nnCCxgKdxwvRdLRpnqnpGCHRtj9THHOlkJuAC6bor4qlNlODIcDFBsFf +Q==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: CwsLhN2Fe4nAorCoXf8CU2c4QqxPyNDVOoGrOSw/u883bF0whFeEDwQjnHD5xMwNvMk8gNJnxv2kp6lgUcx7CgC08VQD2ko9e4zLSvoRWqFZ57LXKDpKdNLuVHDA6RObDX1PG0wjeWTa2lXshlhGgnGnrQhnCjYlnnCCxgKdxwvRdLRpnqnpGCHRtj9THHOlkJuAC6bor4qlNlODIcDFBsFf+Q==
+PublicExponent: AQAAAAE=
+PrivateExponent: BEip8I3ZrAekBP8C78C/uCkGVPhLKRUmRzrtHIw+v1winCPwresHjn3RYzkG1ZRe+976t472XQK7hTqUjCRz6sHdboDr9JB3XX3szZc8oIRN+mE4ubolYA6KsKsXNPFZCR/njFe9q6pgW83o9KFls3zmERI2Au4dgahvMBurAQd0ALgnDeWQ9D6sHduUVsE9y8QNj2ePxwMoqaa7z2YLNjNHgQ==
+Prime1: A5oDBCAqjh1f1jvQp1QSlnnwcU8TkS3bZHvWsD2Mb8IDpUvEHgPtLk8B1mxOQ37X9r7Acv8qLaQghBNSKE/eQtI9xboJhzqAEXlGn3FMPHMJSQ==
+Prime2: AxDwhsYfyz+524Ox+PF4S1RvKidLrFg+W+xvSxmX5hoFPtUVM6Rg5o1Gszb41YrRhOUOTu0EUg3s68F/H90Y8Z3upU5joDfDYt5irPEaIOjRMQ==
+Exponent1: Af2chU+hAR/vDAfC+sRSYF/b6A8OgpV66oTymQ3vd9Epy0HtSPo6Pbp7ocI9NC0gXX8RpshsWuGY0Vp9Q1iNg/k0GcxNlmBhVbEICfUovKikQQ==
+Exponent2: AeaYvLF2gEOPhE2A6SVd/wavTtozTK7MHUvGzxhUrzcQpr6Q9J+jt1KuQFy12SXtEx5Ksmb9X8HM8wSYp4LWoWDUT3dr6vm81TXk282DtDMPsQ==
+Coefficient: Af+eH8CX1yPFLO/zkmGfl6O0jbTlaMLyCpVat/gcnuP99Njpir9T66c0AUYplmAU39gRp/Fes5v4Zg0k3oqMKDETqIDUAzLAw/jPtG4lleP93Q==
--- /dev/null
+;% generationtime=20110125091121
+;% lifetime=84d
+sub.example.net. IN DNSKEY 256 3 5 BQEAAAABn6df/D+TwBypmBlabmitCSWnYLJFa/8Kk3W7Zj+ODS/kJA6s QZIQiLUK0sd/dM+A8+qAVlgwgQDxkAiuwrc7Lw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: n6df/D+TwBypmBlabmitCSWnYLJFa/8Kk3W7Zj+ODS/kJA6sQZIQiLUK0sd/dM+A8+qAVlgwgQDxkAiuwrc7Lw==
+PublicExponent: AQAAAAE=
+PrivateExponent: PG5iufxb7TEulI2ByOZ0XgY2PTGWg0S7yN4ac+sXC290afYP5ZHDaq95YVQk99951eB9qshc1kSZ/NBD+fNa+Q==
+Prime1: zDTjPGm+Np3hO4B5bz3KJgFqi1KwsU7ZQ+lj+M91G9s=
+Prime2: yCWuBVdxUKUebhrEcaLc7SRVXXxqtlzBOIF+o/oOSD0=
+Exponent1: yEjJnrWAGD79aaNqjzo2vCM3Cnfl7KxZxIXSdRisHXc=
+Exponent2: gJhrWsLDkyZq42RRAt7Krhvc0CUF0w50uzn6X8yqjLE=
+Coefficient: LgMQFUiUSrbRtwKnzWmOo94ssIVB91TQIVQSVuuqvHQ=
--- /dev/null
+;% generationtime=20100924112625
+;% lifetime=7d
+sub.example.net. IN DNSKEY 257 3 7 AwEAAcN4oi+shB1ZNhIXtSBuhAJKDp95Bc4H3MyhMxUos7VWVrsAxNK8 u900fdubtofcoLR4FAoaPpX7LhQ1OPh+9RR4VIYrwilGkf2ZtZh0URwO ruYqvJAIf6ZTxyakaUaY5m0ABl1learg+XhjBHcMz3Lvx4Opnw5qsM+v nqJT15vd
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: w3iiL6yEHVk2Ehe1IG6EAkoOn3kFzgfczKEzFSiztVZWuwDE0ry73TR925u2h9ygtHgUCho+lfsuFDU4+H71FHhUhivCKUaR/Zm1mHRRHA6u5iq8kAh/plPHJqRpRpjmbQAGXWV5quD5eGMEdwzPcu/Hg6mfDmqwz6+eolPXm90=
+PublicExponent: AQAB
+PrivateExponent: fNWHzqaAYTXeIEPfuuyZhdTB7fqeSGwhCNZSB0tNKZwQG7FsAaHi4GxrjFqvgajXQSoGskT8f1BAp0suLRT3cpKH/FXeYknuwGMETTKk+4zZ7LAcSqU6b/dQptYdBJK1IdwMJjEAf5XT5y3OpPUbcm+o/9KxuepPsxXpQnu8rUk=
+Prime1: 8xZNFTO8y0gbq93Qo9Hg0BVxrR9byVBVg++p/7n5Qvr+bftE7FQ0OGbRCYksSf00jPbVBdzfn1IxlQL7Gipomw==
+Prime2: zdrP9WaH7jYWbBuTEnsPDDcE1wHBNer2bHtGCvD6FFpCahP8zq//p2OvYEvljxXe2gqbzYASaeMd7c8EZeEo5w==
+Exponent1: HjMxFGc/F0o4FdwS5adXdMKVQtrYfmQ6m4+U4S5rp0Sjg2pqH6o+aptrcPHXzMFmW/T2dioApjyB6G9cXt3R7Q==
+Exponent2: ftqygGVYqsEF/ETZ0u+mjD5zaxOXvuQ2Sw+EUEXDtjsQ5lG+3peykbJqZosewZgWpoMXFAIyVrIwxVVnPmkMTQ==
+Coefficient: GZcwPOtNNbsqM2Qw1oS9m4/rPwYp6iwDcSSnypmn1jliaDMZOEiHqEUZ223khlhJxlW21kQAtZGgL2kX1LETaQ==
--- /dev/null
+;% generationtime=20100924112625
+;% lifetime=3d
+sub.example.net. IN DNSKEY 256 3 7 AwEAAa5bMLD0fx/ZGgiuhgslScPhm3c3sbLKn5Kc9w63+VBcq5Bg9td+ pME6uVtNvvAsgjoE2ORcqULqPp6ITd7VpTE=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: rlswsPR/H9kaCK6GCyVJw+Gbdzexssqfkpz3Drf5UFyrkGD2136kwTq5W02+8CyCOgTY5FypQuo+nohN3tWlMQ==
+PublicExponent: AQAB
+PrivateExponent: p+LU2r9CnWcOA2gRWDAafEwDx+LP74nd523PEtQhc7eA9YL1d0w5DsxNUbGp1a2fuYCO/V1jew7E/PQkBOEHQQ==
+Prime1: 1S2btDM6sqSVM66/V5x8T3d6tqLxZz/+0hP2064u68k=
+Prime2: 0WE3l1yD6SzCKYaCHRdmOvMvzwcoooHOFu7nIqIv0ik=
+Exponent1: SoSn4gTqZtoLYcabEkgcWDb+yWsKEbqYG91osbQ4qKk=
+Exponent2: QHZO2DHqhtJ54LEBxBUdK08NzA5nK0kNezAIRzhpwqk=
+Coefficient: c6ICoCH4ZQeCVuEn5HwBof93cBjc0A4s5AIOw3YhmYE=
--- /dev/null
+;% generationtime=20101127101703
+;% lifetime=7d
+sub.example.net. IN DNSKEY 257 3 7 AwEAAbv0XLM9qAEncwc4HjBamccNu/z+gPmnsp4bFEdz6YgPtSSIdUA+ OChIBJg2fADBupHsmibB5E6IVHcuKO0OF4uiSv4FSk9p/2mioI9RxeSR xGQ6gds3DJBN8sw86LH8BjLynqY/Jw/D3BudvcDHJtz7HtCH0mNEL9eG hjzq+GW/
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: u/Rcsz2oASdzBzgeMFqZxw27/P6A+aeynhsUR3PpiA+1JIh1QD44KEgEmDZ8AMG6keyaJsHkTohUdy4o7Q4Xi6JK/gVKT2n/aaKgj1HF5JHEZDqB2zcMkE3yzDzosfwGMvKepj8nD8PcG529wMcm3Pse0IfSY0Qv14aGPOr4Zb8=
+PublicExponent: AQAB
+PrivateExponent: I3QCkGTO7fjM/82cFC7i1uNGVICFP5JcZOpitt+sa1fbKVr8EvQpj5+WDkgot9PTJ3dj1G+6av3YQOraGW0RD5hVfuuJD3B10e7wVuaYRwA1uF/Lj0UTjag5d1KV0L38Zj73jEhA50ZAqDKNykwV3Ir4mVlIH0t4AINYrL84vCE=
+Prime1: +H9jAgtRG+/Co4e+ef8JKkiwFlM3deV1PUa8EjvnLuY5g3de+RARJQ5stDdHPik4xaau3sQB/5atI4zxDTqBNw==
+Prime2: waELRgLV2acQzUQu1zbGWqucgItEmx1bg9SJhKatJpAA0dBGvU42rOMA+eKm47uRY2CZkNaJneiQFFbbIW2juQ==
+Exponent1: j3Sq6aEy39fYG6Pf2HndBqYT0a+U0uD2f7t4E2a1naOXDEg7cblOzH+5TYij/kS525DQXxX0uWJ47Y8OEb72nQ==
+Exponent2: iBfYI6I0iqF5Fr04qv2N1wbNni/Ezb2JqBQHgBvikbsfSFk6jy3dEhEPi5M5t9EK9C1eYkXYPgvK0PDnXgyAyQ==
+Coefficient: oZYj4nmY+QE6/sOjBelpaEm7BgGasIIZqQN2D3DBpiVUmQDtJ6XTcpcdZ14IVsTIijvS7mXM+hzbCH/UG/pL0Q==
--- /dev/null
+;% generationtime=20101127101703
+;% lifetime=3d
+sub.example.net. IN DNSKEY 256 3 7 AwEAAcbKVFdrzJmGoQCMYf9vwxdKrGrLk86OqVHVlXAwoHgdGpAjsga0 FenJ7FwC4eqAxK0dUC86/dUX/YUFz0fBLo0=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: xspUV2vMmYahAIxh/2/DF0qsasuTzo6pUdWVcDCgeB0akCOyBrQV6cnsXALh6oDErR1QLzr91Rf9hQXPR8EujQ==
+PublicExponent: AQAB
+PrivateExponent: nuTaxYXE5HJX/rg3HJWYuuVVK4fNfS1K6b5u1F4J5fbzBR+NZnWpRWMG3qQ9rlMp1jZOKCKfmJPjrYpahjbQAQ==
+Prime1: +Ns6U9aZkGqxp+tfNwwCueu6zyIyQZKgLGVPcEZpbK0=
+Prime2: zH8uZiJTrlY39Az3+eiTMS4SGgBxAWeXlMC4DUrCJWE=
+Exponent1: +CZrwERDNy4dX2ums5aHdWvqCTh5UsfqbrrLfxLHd7U=
+Exponent2: Rz5Hu+1ZmfMPq0aZXcdZAFk8lTJyLDsa5AgAFyFkYgE=
+Coefficient: Rf2NFyo0bBow/KT2fAww0ePV8X24wk2Y/TPKWn8a99Y=
--- /dev/null
+;% generationtime=20101021120536
+;% lifetime=3d
+sub.example.net. IN DNSKEY 256 3 10 BQEAAAABn8UTQYIEkX5bd7hPSpQ1VPJKNxl6iRQVozij1a5r4LcRPK3v mvMhZCOIvD3A1iym6hGnwkUHbmzpQx7W+J9uZbCtMA+NjnEwqR7Ac4WO 4ZJPovWjQhDpHuZzy6++9X5BY6GS2KSB6k5YE7Rtuc5SY+fIZhQnZ7Si fjGNJVWF98k=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 10 (RSASHA512)
+Modulus: n8UTQYIEkX5bd7hPSpQ1VPJKNxl6iRQVozij1a5r4LcRPK3vmvMhZCOIvD3A1iym6hGnwkUHbmzpQx7W+J9uZbCtMA+NjnEwqR7Ac4WO4ZJPovWjQhDpHuZzy6++9X5BY6GS2KSB6k5YE7Rtuc5SY+fIZhQnZ7SifjGNJVWF98k=
+PublicExponent: AQAAAAE=
+PrivateExponent: JGn91bZcjzq8WiGhHg5kIsbDfb5kSpjhqbAypDkYPpby4T2Hd6rDqhRZMEZH5o7mC9tuzwwaY0jp7uZKiy0IZ62IqAUAsj/u1pjWh1TWQ7XrOIxkd2dNgkvvJ1sm7aAoDaSi/MrwinaFaqHoO0zmpMosBNL1parHedn5yWxeZQE=
+Prime1: 0ANDDIRnVYwNkuKYZ+TbawYq7DLdixk3L01nNt8BHts7Q8WXACfj3dfHO3qB/dT/xxbUDYWMOTGQXpXN2p5SoQ==
+Prime2: xKCziYPsyGD2yezOC9Awvy2vfb1Ev5zYAdXLSsbuy3sOGSJp7QiTuE+wazyUbkhhaKu5FpBnMdmFQgY2YK08KQ==
+Exponent1: SxN8PWTIv5haN0Mz4DE+9lN9qCxEqeuu9644AcD4w1GvgQEKN+nR5nYHhrSAgjQchD0G52sTVAAg9RVjSN/RgQ==
+Exponent2: CgqfFKLaSOmao8l4vmFyWjc1VWKSVHaVEOwYCqwFeXceni/OaN4ba5aXxhqxavj+M4/w2kURppUms00lkrv3QQ==
+Coefficient: nnIoXkPAvUfT5ypPCg4sM+OnZ38I4BlIdnjrWcNl340TG83bSH4mdf9mkIfvjpBBue9fHQ7WPRnawIUiU3/iNQ==
--- /dev/null
+;% generationtime=20101021113820
+;% lifetime=7d
+sub.example.net. IN DNSKEY 257 3 10 BQEAAAABug/pvRR/mv4qDN3gWFRiir/6UNpnuBuVC4z7xeaNk/KdvcdD ibLrSZaGfcq7no3cPvRsJ/U7S6VvYXFZNaXvqJ66ZGcCtImIoaCZIQbo z3hFelJb/62KqZWcj1anv7+LmfYpuA1UJCWpFriWYhzuT3q98lG/c7Xq iX79Ytoy6P0=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 10 (RSASHA512)
+Modulus: ug/pvRR/mv4qDN3gWFRiir/6UNpnuBuVC4z7xeaNk/KdvcdDibLrSZaGfcq7no3cPvRsJ/U7S6VvYXFZNaXvqJ66ZGcCtImIoaCZIQboz3hFelJb/62KqZWcj1anv7+LmfYpuA1UJCWpFriWYhzuT3q98lG/c7XqiX79Ytoy6P0=
+PublicExponent: AQAAAAE=
+PrivateExponent: IFVOvH94pIiUBAq8ix/GuYg0kLLpKFM0iBQ+j8OmyiZIKQUDSWSP7IU7UMFgh2DELdzwF6cTqBO5gjbesotzPvPny1/isM7N8Z1FN7j4/zBTDAXVHMYdcIZEC+UZkCEu6g206BnCCsLSQm1gcDFxkaqYtSD+I/dJ82YeWVM66OU=
+Prime1: 5hNJZCTszlcCQvDmXffAjt3oV4qDd1HJDcknvcmtimRqVFIDgK8UcCD2DMI1PBA+SmPSSiSU3mo4y/YKjXBvQw==
+Prime2: zwcHpDKsA5Pr9e+KcjFmZbNTCEqY2GiABxvOcmuqYvLf5pkjTkEiZm3pn23/eypzjpxnyDFzk6NM0HkKQkMivw==
+Exponent1: ZDECG7FYUKBEtvsq1t1lNUkyH9LAYl1eEt1rpnPXXK/JDSy5tMQeq4iCJY8hy+BE/WlxYQQ3OUENqhvhLgtC6Q==
+Exponent2: FifCGPMN4sIq/+rZC/F4AfEe8f0ZmTshsfVilVVkqUnavPahK9kk2jSEInk50CKpMqNCywF+fer/77+mxW7fCQ==
+Coefficient: yvTbE7YdfrvskUqVo+/KjEH3cu0oYl99AshpIOeBaQ5sNJtuZzHA6UEnVY0rc5Apli7sRVSsrJSZSqBeD6hMdQ==
--- /dev/null
+sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
+sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
--- /dev/null
+;
+; !!! Don't edit this file by hand.
+; !!! It will be generated by zkt-signer.
+;
+; Last generation time Jan 25 2011 20:02:30
+;
+
+; *** List of Key Signing Keys ***
+; sub.example.net. tag=855 algo=NSEC3RSASHA1 generated Sep 24 2010 13:26:25
+sub.example.net. 14400 IN DNSKEY 257 3 7 (
+ AwEAAcN4oi+shB1ZNhIXtSBuhAJKDp95Bc4H3MyhMxUos7VWVrsAxNK8
+ u900fdubtofcoLR4FAoaPpX7LhQ1OPh+9RR4VIYrwilGkf2ZtZh0URwO
+ ruYqvJAIf6ZTxyakaUaY5m0ABl1learg+XhjBHcMz3Lvx4Opnw5qsM+v
+ nqJT15vd
+ ) ; key id = 855
+
+; sub.example.net. tag=33176 algo=RSASHA512 generated Oct 21 2010 13:38:20
+sub.example.net. 14400 IN DNSKEY 257 3 10 (
+ BQEAAAABug/pvRR/mv4qDN3gWFRiir/6UNpnuBuVC4z7xeaNk/KdvcdD
+ ibLrSZaGfcq7no3cPvRsJ/U7S6VvYXFZNaXvqJ66ZGcCtImIoaCZIQbo
+ z3hFelJb/62KqZWcj1anv7+LmfYpuA1UJCWpFriWYhzuT3q98lG/c7Xq
+ iX79Ytoy6P0=
+ ) ; key id = 33176
+
+; sub.example.net. tag=55983 algo=NSEC3RSASHA1 generated Nov 27 2010 11:17:03
+sub.example.net. 14400 IN DNSKEY 257 3 7 (
+ AwEAAbv0XLM9qAEncwc4HjBamccNu/z+gPmnsp4bFEdz6YgPtSSIdUA+
+ OChIBJg2fADBupHsmibB5E6IVHcuKO0OF4uiSv4FSk9p/2mioI9RxeSR
+ xGQ6gds3DJBN8sw86LH8BjLynqY/Jw/D3BudvcDHJtz7HtCH0mNEL9eG
+ hjzq+GW/
+ ) ; key id = 55983
+
+; sub.example.net. tag=24183 algo=RSASHA1 generated Jan 25 2011 10:11:21
+sub.example.net. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAABCwsLhN2Fe4nAorCoXf8CU2c4QqxPyNDVOoGrOSw/u883bF0w
+ hFeEDwQjnHD5xMwNvMk8gNJnxv2kp6lgUcx7CgC08VQD2ko9e4zLSvoR
+ WqFZ57LXKDpKdNLuVHDA6RObDX1PG0wjeWTa2lXshlhGgnGnrQhnCjYl
+ nnCCxgKdxwvRdLRpnqnpGCHRtj9THHOlkJuAC6bor4qlNlODIcDFBsFf
+ +Q==
+ ) ; key id = 24183
+
+; *** List of Zone Signing Keys ***
+; sub.example.net. tag=34493 algo=NSEC3RSASHA1 generated Sep 24 2010 13:26:25
+sub.example.net. 14400 IN DNSKEY 256 3 7 (
+ AwEAAa5bMLD0fx/ZGgiuhgslScPhm3c3sbLKn5Kc9w63+VBcq5Bg9td+
+ pME6uVtNvvAsgjoE2ORcqULqPp6ITd7VpTE=
+ ) ; key id = 34493
+
+; sub.example.net. tag=7987 algo=RSASHA512 generated Oct 21 2010 14:05:36
+sub.example.net. 14400 IN DNSKEY 256 3 10 (
+ BQEAAAABn8UTQYIEkX5bd7hPSpQ1VPJKNxl6iRQVozij1a5r4LcRPK3v
+ mvMhZCOIvD3A1iym6hGnwkUHbmzpQx7W+J9uZbCtMA+NjnEwqR7Ac4WO
+ 4ZJPovWjQhDpHuZzy6++9X5BY6GS2KSB6k5YE7Rtuc5SY+fIZhQnZ7Si
+ fjGNJVWF98k=
+ ) ; key id = 7987
+
+; sub.example.net. tag=59870 algo=NSEC3RSASHA1 generated Nov 27 2010 11:17:03
+sub.example.net. 14400 IN DNSKEY 256 3 7 (
+ AwEAAcbKVFdrzJmGoQCMYf9vwxdKrGrLk86OqVHVlXAwoHgdGpAjsga0
+ FenJ7FwC4eqAxK0dUC86/dUX/YUFz0fBLo0=
+ ) ; key id = 59870
+
+; sub.example.net. tag=44660 algo=RSASHA1 generated Jan 25 2011 10:11:21
+sub.example.net. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAABn6df/D+TwBypmBlabmitCSWnYLJFa/8Kk3W7Zj+ODS/kJA6s
+ QZIQiLUK0sd/dM+A8+qAVlgwgQDxkAiuwrc7Lw==
+ ) ; key id = 44660
+
--- /dev/null
+ResignInterval: 1d # (86400 seconds)
+SigValidity: 2d # (172800 seconds)
+MaximumTTL: 90s # (90 seconds)
+KSKlifetime: 1w # (604800 seconds)
+KSKbits: 1024
+ZSKlifetime: 3d # (259200 seconds)
+NSEC3: On # (On|Off|OptOut)
--- /dev/null
+1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDE
\ No newline at end of file
--- /dev/null
+1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDE1
\ No newline at end of file
--- /dev/null
+2010-10-21 14:01:35.486: debug: Check RFC5011 status
+2010-10-21 14:01:35.486: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-10-21 14:01:35.486: debug: Check KSK status
+2010-10-21 14:01:35.486: debug: Check ZSK status
+2010-10-21 14:01:35.486: debug: No active ZSK found: generate new one
+2010-10-21 14:01:35.495: error: sub.example.net.": can't generate new ZSK
+2010-10-21 14:01:35.495: debug: Re-signing necessary: Modfied zone key set
+2010-10-21 14:01:35.496: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-10-21 14:01:35.496: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-10-21 14:01:35.496: debug: Incrementing serial number in file "./sub.example.net/zone.db"
+2010-10-21 14:01:35.496: debug: Signing zone "sub.example.net."
+2010-10-21 14:01:35.496: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9FC981 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
+2010-10-21 14:01:35.546: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: DNSSEC completeness test failed."
+2010-10-21 14:01:35.546: error: "sub.example.net.": signing failed!
+2010-10-21 14:02:09.146: debug: Check RFC5011 status
+2010-10-21 14:02:09.146: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-10-21 14:02:09.146: debug: Check KSK status
+2010-10-21 14:02:09.146: debug: Check ZSK status
+2010-10-21 14:02:09.146: debug: No active ZSK found: generate new one
+2010-10-21 14:02:09.156: error: sub.example.net.": can't generate new ZSK
+2010-10-21 14:02:09.156: debug: Re-signing necessary: Modified keys
+2010-10-21 14:02:09.156: notice: "sub.example.net.": re-signing triggered: Modified keys
+2010-10-21 14:02:09.156: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-10-21 14:02:09.157: debug: Incrementing serial number in file "./sub.example.net/zone.db"
+2010-10-21 14:02:09.157: debug: Signing zone "sub.example.net."
+2010-10-21 14:02:09.157: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 BD326D -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
+2010-10-21 14:02:09.208: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: DNSSEC completeness test failed."
+2010-10-21 14:02:09.208: error: "sub.example.net.": signing failed!
+2010-10-21 14:05:35.988: debug: Check RFC5011 status
+2010-10-21 14:05:35.988: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-10-21 14:05:35.988: debug: Check KSK status
+2010-10-21 14:05:35.988: debug: Check ZSK status
+2010-10-21 14:05:35.988: debug: No active ZSK found: generate new one
+2010-10-21 14:05:36.091: info: "sub.example.net.": generated new ZSK 7987
+2010-10-21 14:05:36.091: debug: Re-signing necessary: Modfied zone key set
+2010-10-21 14:05:36.091: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-10-21 14:05:36.091: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-10-21 14:05:36.091: debug: Incrementing serial number in file "./sub.example.net/zone.db"
+2010-10-21 14:05:36.091: debug: Signing zone "sub.example.net."
+2010-10-21 14:05:36.091: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 75DE06 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
+2010-10-21 14:05:36.170: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-10-21 14:05:36.170: debug: Signing completed after 0s.
+2010-10-21 14:30:43.892: debug: Check RFC5011 status
+2010-10-21 14:30:43.892: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-10-21 14:30:43.892: debug: Check KSK status
+2010-10-21 14:30:43.892: debug: Check ZSK status
+2010-10-21 14:30:43.892: debug: Re-signing not necessary!
+2010-10-21 14:30:43.892: debug: Check if there is a parent file to copy
--- /dev/null
+;-----------------------------------------------------------------
+;
+; @(#) sub.example.net/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+@ IN SOA ns1.example.net. hostmaster.example.net. (
+ 8 ; Serial
+ 86400 ; Refresh (RIPE recommendation if NOTIFY is used)
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+
+ IN NS ns1.example.net.
+
+$INCLUDE dnskey.db
+
+localhost IN A 127.0.0.1
+
+a IN A 1.2.3.4
+b IN A 1.2.3.5
+c IN A 1.2.3.6
--- /dev/null
+; File written on Thu Oct 21 14:05:36 2010
+; dnssec_signzone version 9.7.2-P2
+sub.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
+ 6 ; serial
+ 86400 ; refresh (1 day)
+ 1800 ; retry (30 minutes)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 7200 RRSIG SOA 7 3 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ MgaHCyEt33DXRMiHMpZr4x52phpp8hdqu05a
+ bcQ7E2KGxpvsH8DtBDixo0WV73qDM45XT8mA
+ 9xLn3HBRSXP8Ag== )
+ 7200 RRSIG SOA 10 3 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ H3B12qsYiBhrloBItfIOkakV6kUfFEhdplBv
+ T4n0rVihInOkC6SssFEMbe69rGvMgnzL8aCX
+ rIsYDT7z0fCD5mvdFJ+rsYFCAW35nlZil9Lc
+ xB27U+lMIngODjHiNShtjEXtKaQPKxbvbgSX
+ nkZ0joeWdMIEYhihgCvWc+A1mv4= )
+ 7200 NS ns1.example.net.
+ 7200 RRSIG NS 7 3 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ QAt2BZsV7nxer/TFQLtQ/Xp8TYwiqqkmAcLa
+ pLf8wBWMXFTxz3O29QF+RBSdmLqeoCgW+Q5g
+ ygScSISe5nvKfw== )
+ 7200 RRSIG NS 10 3 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ cZHqQnIA/fTFZx6LroJNWj9jPLxrnZtTHvlp
+ NqkTbLG5uu/+sljkOUOqHVqK9ubUESkRNP3u
+ Nl/oROMcgISsDWRcEOu4Vc48zBn/90vJK5WY
+ ZcXeGcp34pFMK7/03vEH4U1tZKc7Guvm3reh
+ gcfNBotu57wvctbjlqq3DM4axwI= )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAa5bMLD0fx/ZGgiuhgslScPhm3c3sbLK
+ n5Kc9w63+VBcq5Bg9td+pME6uVtNvvAsgjoE
+ 2ORcqULqPp6ITd7VpTE=
+ ) ; key id = 34493
+ 3600 DNSKEY 256 3 10 (
+ BQEAAAABn8UTQYIEkX5bd7hPSpQ1VPJKNxl6
+ iRQVozij1a5r4LcRPK3vmvMhZCOIvD3A1iym
+ 6hGnwkUHbmzpQx7W+J9uZbCtMA+NjnEwqR7A
+ c4WO4ZJPovWjQhDpHuZzy6++9X5BY6GS2KSB
+ 6k5YE7Rtuc5SY+fIZhQnZ7SifjGNJVWF98k=
+ ) ; key id = 7987
+ 3600 DNSKEY 257 3 7 (
+ AwEAAcN4oi+shB1ZNhIXtSBuhAJKDp95Bc4H
+ 3MyhMxUos7VWVrsAxNK8u900fdubtofcoLR4
+ FAoaPpX7LhQ1OPh+9RR4VIYrwilGkf2ZtZh0
+ URwOruYqvJAIf6ZTxyakaUaY5m0ABl1learg
+ +XhjBHcMz3Lvx4Opnw5qsM+vnqJT15vd
+ ) ; key id = 855
+ 3600 DNSKEY 257 3 10 (
+ BQEAAAABug/pvRR/mv4qDN3gWFRiir/6UNpn
+ uBuVC4z7xeaNk/KdvcdDibLrSZaGfcq7no3c
+ PvRsJ/U7S6VvYXFZNaXvqJ66ZGcCtImIoaCZ
+ IQboz3hFelJb/62KqZWcj1anv7+LmfYpuA1U
+ JCWpFriWYhzuT3q98lG/c7XqiX79Ytoy6P0=
+ ) ; key id = 33176
+ 3600 RRSIG DNSKEY 7 3 3600 20101023110536 (
+ 20101021110536 855 sub.example.net.
+ NcmO3PoVofXHe6EbmnSCkr4eTfuTkdtEQQWv
+ 8pbHY0Ze8NR4ISjzJf1zC4U4fJsYeS9AUL5A
+ 2l6qEWoY8cbPRdDnf2iKfHKTllXFubM6EtYF
+ aKmK38BU1Ldh6jdcJ0bFUN4cMPVhX9BA+yTM
+ Hm0EdYZvC6QICrlQBdJuyzS3FSA= )
+ 3600 RRSIG DNSKEY 7 3 3600 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ GLVb5YgQWtP2bHWBihGhCymm9P7pjDdN9s0c
+ 9nK6Pi8OWoa2uK7k/ebVXDNc/yBI/hp5Xsxs
+ x332lhi8AdMW3Q== )
+ 3600 RRSIG DNSKEY 10 3 3600 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ UwnLE8FmOtd0DbTXzv9QJZigJThWAw29ov6N
+ HnSI4cO4pyFRjiGee7+/u4DfKFUkzQp2ySIW
+ +jhGsF/b2TEpLyLSwY/r8iDhO0GkaU5t/tzr
+ wCX7HCmr6VAJaPpZhf/xLEh7pbB60jQmiHXy
+ 4tEfQtpkPx6ncQ95lcoN2ia43Ow= )
+ 3600 RRSIG DNSKEY 10 3 3600 20101023110536 (
+ 20101021110536 33176 sub.example.net.
+ HclPEAN+ii66jqPzYE4hbSnUNg1/xFfM0R/a
+ iVh40da5Wre0GzzfYouOdJegJoyDGsz+xEzN
+ g+RiUYFDg2cK9Y7HqX3T3nEtMMavRbb+4q93
+ PRk0kZ9H/xjSqK+qTipCMz6IubOXZjzvK+sB
+ VOxv3uzhmR8WmKoVraB5uDeK+vA= )
+ 0 NSEC3PARAM 1 0 10 75DE06
+ 0 RRSIG NSEC3PARAM 7 3 0 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ hPzjAlPJldxukEVzgVKHbJdGI/0M5JhvfOu5
+ +s5+5mst1tp6goSpOxdyklpBSC4eJmPFQk2A
+ gWenAJCHr6s5NQ== )
+ 0 RRSIG NSEC3PARAM 10 3 0 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ hEjMFl/Znyvr73gN4fAvWHsy2Sxlga8L6xu+
+ IffQTRiA0itHseM2G4TfAZju7g9HmFxSsCZO
+ EKdn3WwsyxBD0mfaBdHSaNrQu6EttiMyoMVu
+ WhiitsOAXB1iHRzE21jfZJpQSFBHPiNMCz1F
+ cQoRlBqYUWeyRMJN+wEHthuSpl0= )
+a.sub.example.net. 7200 IN A 1.2.3.4
+ 7200 RRSIG A 7 4 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ oGoHPU1IgTXwKhHef6Dsq7X2r1eRbSK+8fsD
+ zPGfmYo4BMKBrTPiKvTapulXIWxNslLbJhoq
+ Mx3prAl4n0JbBw== )
+ 7200 RRSIG A 10 4 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ ePqwuNrBwH2rkAFoHR1nHCIc9Daz/Hsze5R0
+ x9p2GXujziIuvLPz9G7DpytY+pDpJr9m0djG
+ J1jcceazK11q53FN9gby2Tv39hEoyaySEoiy
+ cv1ArJaeppfeUgJmBp6GsHznz6amGXG0vig3
+ 4I6tdWpwfbl+rnOUDAf5AIxUHEE= )
+b.sub.example.net. 7200 IN A 1.2.3.5
+ 7200 RRSIG A 7 4 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ X2X5/rztMhu0Es2A7dsENoAf/sCTahSa6cPL
+ M4j/r9ofiV+tQDn8cnfnrArA5d9/wND+5Iv+
+ /O1GOzwOhzhLHg== )
+ 7200 RRSIG A 10 4 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ TxLKcfmsmHovdKvzgmqTOI5x1ve4VrLNxXnv
+ 0cBflqfHTTVH6glO1nsC9q15wI4xt3INq6fp
+ /+CRhIASy63i1UA5PPQ4UgxcgOTEuSgu51XJ
+ SVvxBatjzTVPWO5K+bNJRz9O7sDbFbKLuSIv
+ 94ZmQIpBERh5pLglmYESwcCwv/U= )
+c.sub.example.net. 7200 IN A 1.2.3.6
+ 7200 RRSIG A 7 4 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ S1BC7yaofioxw9W6lH5EXOjGrj0nSCdbnwcX
+ orVRkaWq4Ic8rDsvmlL70UMLUwwUKv7cmUEH
+ 61KhLHI6L7bk0Q== )
+ 7200 RRSIG A 10 4 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ NRiWhJ8oTAyyJUiJI9bBWDG/OzF0dQ6WqBES
+ pJq5LyN10EeHSX96xcgPHMdGw9VGqep1e9G4
+ B+sYfmcsET7LdUNncyKS8Plvs/9rO7QW2lfE
+ S0gnoCmLe8PK8Z33Bh8k/tXjJjB5GpYCwXnn
+ WnBuKZk6KL6yr/BRz7SpmYYn7zY= )
+localhost.sub.example.net. 7200 IN A 127.0.0.1
+ 7200 RRSIG A 7 4 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ jYhG4Tp8AxSnwl9bFIzNcLHj+MMi2QY8cW+U
+ Mbw2++3fDsDyrzV9qOAkemUTeTw+wX/z7Iu8
+ wtPCTzy6oKPZew== )
+ 7200 RRSIG A 10 4 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ F03HIz1yPabXrvyaByqN6tvGCThqI/FVZXl1
+ l5oSJJ4gGE9wjtbgSbyMnQQ09Vp/FxZD5nk0
+ zWYJXSyJCi1eWD3CV1xp6zbl2Z5jh6X70qpq
+ Z8mAj+tt8gFrlvR49doEnIKtz7Nupmk8VM0Q
+ ir091k0On6d6xkAaG2DdB6Cd8IY= )
+E23J36747M9QAHTBMRSQ0EHB5D8JF31O.sub.example.net. 7200 IN NSEC3 1 0 10 75DE06 GMMG72L8KNTF7A2QLCMLH1I5RG5V8RKK A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ YnvMl6XcqOZq4T/nz688NADoYegQu6Ct1+wU
+ Abx5vuVLb5CkwK6cGTPazni2xZnNTiXiIi87
+ dzLHGQTaup4xxg== )
+ 7200 RRSIG NSEC3 10 4 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ P/8DdSZU4Ag3ibdsalE+FBDa7+a0W4R/jB5a
+ pqvmkox4fZB20k8MrMxn8hbHJOxFD4FAdOrm
+ Bc+ut45HYx4c0wE3WekmuBIkS5gWWGsvCqji
+ hquZMORyZjT9Tk/VezHXuJ9jMA4vCuPbqTsX
+ Y2liJS0Vzrr6rssF5Mz36OQrG/w= )
+GMMG72L8KNTF7A2QLCMLH1I5RG5V8RKK.sub.example.net. 7200 IN NSEC3 1 0 10 75DE06 H856ATS51TP5R6A4PJ4H623HBD22MMP8 A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ IHxHqJw0w0yzAdM9Dc0wdH9t9vdqXO9Xxx7/
+ CSyL+852/nuflS/a/+AwDyZhuMwqKR021/Jm
+ 0E2bTZvH8qNuGA== )
+ 7200 RRSIG NSEC3 10 4 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ VssB9MTMT6Meh7pVOF0aWcpx6PLRR7z97Jf4
+ LeWFPhw3w5BTWff4BL45omopYaMCDamqirYa
+ zmhlKyqE7qEtGop8fUiNmFdK5+cPhhGGVbhV
+ B+k7ZWC5H9fwI61owUG2btP+oLaOgJejXLqr
+ 27EnZ8aE2bmGdYcN1Ji8QtRWaXQ= )
+H856ATS51TP5R6A4PJ4H623HBD22MMP8.sub.example.net. 7200 IN NSEC3 1 0 10 75DE06 T9JU0DUS5QPJR2HUCAOK4CTRF8OFCVCJ A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ LKo4fE/ql/oQCkZeNxNcT6o/201bdnpEvreO
+ EcOTjUGfGiJ5KCUH4dSz8aQFdVwBfJEmA0v1
+ NpjbLSeDJ2ArNg== )
+ 7200 RRSIG NSEC3 10 4 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ ePRVEMqfub0TQ7NciAg+PXzIBa2CJ8226mqn
+ wuSymuImvb5TJ6uwNX1b17WJ3XrXxE/mBbZ6
+ LqpU3KNEsi0hb3mx9atSy9d3/oAi/A1QeC78
+ y/LxyyYoIgoBrnQ6AF7zsqX1SWz+DjFl8E58
+ uaZnYfL0q6RbGZ5cJxu1bhPw1Vo= )
+T9JU0DUS5QPJR2HUCAOK4CTRF8OFCVCJ.sub.example.net. 7200 IN NSEC3 1 0 10 75DE06 V5QI8VK5I93U0UCL19L7B0SU5SVTJQS7 NS SOA RRSIG DNSKEY NSEC3PARAM
+ 7200 RRSIG NSEC3 7 4 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ BZ8wR07wrdenmmNFWKhMGckWQwZlfVuZhULf
+ 4VZfWLo+8NFhDk6MjdVV3QrpEsF5XhR8r+0V
+ ZxU2ZsHWpcYbsw== )
+ 7200 RRSIG NSEC3 10 4 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ TnOhLkcIl30DqXTbGMarRvLPfGbv/HHBG44E
+ 07Gpcq2M/+nbPW8A35sHsaalTi7Jdr870mk8
+ XvvgUzoLlm200ssnGX+PAfzz7MyISqO2XBaa
+ k54+2A3V20Aecgk0sjkG8uS1vIcWmXqXUxcp
+ JpkNIio9S/WjTX85sVo+ug3qDYQ= )
+V5QI8VK5I93U0UCL19L7B0SU5SVTJQS7.sub.example.net. 7200 IN NSEC3 1 0 10 75DE06 E23J36747M9QAHTBMRSQ0EHB5D8JF31O A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20101023110536 (
+ 20101021110536 34493 sub.example.net.
+ VDvPAecgBeCvTDTaE7zA4TQR5jgOBTmygaWd
+ GyxEI9uOCXAocdMjrfNq+c/SIymog6CYXCcT
+ hbdOetaD3duYJw== )
+ 7200 RRSIG NSEC3 10 4 7200 20101023110536 (
+ 20101021110536 7987 sub.example.net.
+ BuJnVwod8SlcTwNnb8RPmhPDsycpRpmD69BZ
+ 778M9p3BvHkYyr8xbWP8+OmhO880V3dRdpqx
+ Hq0tyvarF8SVN8J7jMCZ1W9V2NxiLp50S/rN
+ sDkl9l4LzSClgELSeNTFdyA/22asyYZ5XO6N
+ t/f5BtsYe9W80n87cnAOmbAUIgg= )
--- /dev/null
+../zkt-ls.sh
\ No newline at end of file
--- /dev/null
+../zkt-signer.sh
\ No newline at end of file
--- /dev/null
+2010-02-07 13:53:47.881: notice: ------------------------------------------------------------
+2010-02-07 13:53:47.881: notice: running ../../zkt-signer -v -v
+2010-02-07 13:53:47.883: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-07 13:53:48.304: debug:
+2010-02-07 13:53:48.304: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-07 13:53:48.305: debug:
+2010-02-07 13:53:48.305: notice: end of run: 0 errors occured
+2010-02-07 13:54:03.463: notice: ------------------------------------------------------------
+2010-02-07 13:54:03.464: notice: running ../../zkt-signer -r -v -v
+2010-02-07 13:54:03.465: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-07 13:54:03.466: debug:
+2010-02-07 13:54:03.466: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-07 13:54:03.466: debug:
+2010-02-07 13:54:03.466: notice: end of run: 0 errors occured
+2010-02-07 13:54:07.953: notice: ------------------------------------------------------------
+2010-02-07 13:54:07.953: notice: running ../../zkt-signer -f -r -v -v
+2010-02-07 13:54:07.955: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-07 13:54:08.019: debug:
+2010-02-07 13:54:08.019: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-07 13:54:08.139: debug:
+2010-02-07 13:54:08.139: notice: end of run: 0 errors occured
+2010-02-07 14:06:27.666: notice: ------------------------------------------------------------
+2010-02-07 14:06:27.666: notice: running ../../zkt-signer -r -v -v
+2010-02-07 14:06:27.668: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-07 14:06:27.670: debug:
+2010-02-07 14:06:27.670: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-07 14:06:27.671: debug:
+2010-02-07 14:06:27.671: notice: end of run: 0 errors occured
+2010-02-07 14:06:33.711: notice: ------------------------------------------------------------
+2010-02-07 14:06:33.711: notice: running ../../zkt-signer -f -r -v -v
+2010-02-07 14:06:33.713: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-07 14:06:33.753: debug:
+2010-02-07 14:06:33.753: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-07 14:06:33.797: debug:
+2010-02-07 14:06:33.797: notice: end of run: 0 errors occured
+2010-02-07 14:07:49.243: notice: ------------------------------------------------------------
+2010-02-07 14:07:49.243: notice: running ../../zkt-signer -d -r -v -v
+2010-02-07 14:07:49.245: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-07 14:07:49.832: debug:
+2010-02-07 14:07:49.832: notice: end of run: 1 error occured
+2010-02-07 14:09:41.710: notice: ------------------------------------------------------------
+2010-02-07 14:09:41.710: notice: running ../../zkt-signer -d -r -v -v
+2010-02-07 14:09:41.712: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-07 14:09:41.799: debug:
+2010-02-07 14:09:41.799: notice: end of run: 1 error occured
+2010-02-07 14:10:24.426: notice: ------------------------------------------------------------
+2010-02-07 14:10:24.427: notice: running ../../zkt-signer -d -v -v
+2010-02-07 14:10:24.429: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-07 14:10:24.429: debug:
+2010-02-07 14:10:24.429: notice: end of run: 0 errors occured
+2010-02-07 14:11:00.715: notice: ------------------------------------------------------------
+2010-02-07 14:11:00.715: notice: running ../../zkt-signer -f -d -v -v
+2010-02-07 14:11:00.717: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-07 14:11:00.803: debug:
+2010-02-07 14:11:00.803: notice: end of run: 1 error occured
+2010-02-07 15:11:02.629: notice: ------------------------------------------------------------
+2010-02-07 15:11:02.629: notice: running ../../zkt-signer -f -d -v -v
+2010-02-07 15:11:02.630: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-07 15:11:03.799: debug:
+2010-02-07 15:11:03.799: notice: end of run: 1 error occured
+2010-02-07 15:15:02.094: notice: ------------------------------------------------------------
+2010-02-07 15:15:02.094: notice: running ../../zkt-signer -f -d -v -v
+2010-02-07 15:15:02.095: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-07 15:15:02.270: debug:
+2010-02-07 15:15:02.270: notice: end of run: 0 errors occured
+2010-02-07 15:32:48.955: notice: ------------------------------------------------------------
+2010-02-07 15:32:48.955: notice: running ../../zkt-signer -f -d -v -v
+2010-02-07 15:32:48.957: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-07 15:32:49.007: debug:
+2010-02-07 15:32:49.007: notice: end of run: 0 errors occured
+2010-02-07 15:38:31.400: notice: ------------------------------------------------------------
+2010-02-07 15:38:31.400: notice: running ../../zkt-signer -f -d -v -v
+2010-02-07 15:38:31.402: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-07 15:38:31.456: debug:
+2010-02-07 15:38:31.456: notice: end of run: 0 errors occured
+2010-02-21 12:50:43.100: notice: ------------------------------------------------------------
+2010-02-21 12:50:43.100: notice: running ../../zkt-signer
+2010-02-21 12:50:43.176: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-21 12:50:43.586: debug:
+2010-02-21 12:50:43.586: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-21 12:50:43.733: debug:
+2010-02-21 12:50:43.733: notice: end of run: 0 errors occured
+2010-02-21 12:50:51.156: notice: ------------------------------------------------------------
+2010-02-21 12:50:51.156: notice: running ../../zkt-signer -v -v
+2010-02-21 12:50:51.158: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-21 12:50:51.205: debug:
+2010-02-21 12:50:51.205: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-21 12:50:51.205: debug:
+2010-02-21 12:50:51.205: notice: end of run: 0 errors occured
+2010-02-21 12:51:23.495: notice: ------------------------------------------------------------
+2010-02-21 12:51:23.495: notice: running ../../zkt-signer -v -v
+2010-02-21 12:51:23.497: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-21 12:51:23.497: debug:
+2010-02-21 12:51:23.497: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-21 12:51:23.497: debug:
+2010-02-21 12:51:23.497: notice: end of run: 0 errors occured
+2010-02-21 19:16:18.383: notice: ------------------------------------------------------------
+2010-02-21 19:16:18.383: notice: running ../../zkt-signer -v -v
+2010-02-21 19:16:18.384: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-21 19:16:18.593: debug:
+2010-02-21 19:16:18.594: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-21 19:16:18.594: debug:
+2010-02-21 19:16:18.594: notice: end of run: 0 errors occured
+2010-02-21 19:16:23.964: notice: ------------------------------------------------------------
+2010-02-21 19:16:23.964: notice: running ../../zkt-signer -d -v -v
+2010-02-21 19:16:24.018: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 19:16:24.440: debug:
+2010-02-21 19:16:24.440: notice: end of run: 0 errors occured
+2010-02-21 19:32:05.895: notice: ------------------------------------------------------------
+2010-02-21 19:32:05.895: notice: running ../../zkt-signer -d -v -v
+2010-02-21 19:32:05.896: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 19:32:05.897: debug:
+2010-02-21 19:32:05.897: notice: end of run: 0 errors occured
+2010-02-21 19:32:11.376: notice: ------------------------------------------------------------
+2010-02-21 19:32:11.376: notice: running ../../zkt-signer -v -v
+2010-02-21 19:32:11.378: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-21 19:32:11.378: debug:
+2010-02-21 19:32:11.378: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-21 19:32:11.378: debug:
+2010-02-21 19:32:11.378: notice: end of run: 0 errors occured
+2010-02-21 19:32:15.928: notice: ------------------------------------------------------------
+2010-02-21 19:32:15.928: notice: running ../../zkt-signer -f -v -v
+2010-02-21 19:32:15.930: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-21 19:32:15.982: debug:
+2010-02-21 19:32:15.982: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-21 19:32:16.019: debug:
+2010-02-21 19:32:16.019: notice: end of run: 0 errors occured
+2010-02-21 19:32:32.201: notice: ------------------------------------------------------------
+2010-02-21 19:32:32.201: notice: running ../../zkt-signer -f -v -v
+2010-02-21 19:32:32.202: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-21 19:32:32.232: debug:
+2010-02-21 19:32:32.232: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-21 19:32:32.273: debug:
+2010-02-21 19:32:32.273: notice: end of run: 0 errors occured
+2010-02-21 19:32:37.105: notice: ------------------------------------------------------------
+2010-02-21 19:32:37.105: notice: running ../../zkt-signer -d -f -v -v
+2010-02-21 19:32:37.107: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 19:32:37.156: debug:
+2010-02-21 19:32:37.156: notice: end of run: 0 errors occured
+2010-02-21 19:43:15.017: notice: ------------------------------------------------------------
+2010-02-21 19:43:15.017: notice: running ../../zkt-signer -d -v -v
+2010-02-21 19:43:15.018: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 19:43:15.387: debug:
+2010-02-21 19:43:15.387: notice: end of run: 1 error occured
+2010-02-21 19:45:36.413: notice: ------------------------------------------------------------
+2010-02-21 19:45:36.413: notice: running ../../zkt-signer -d -v -v
+2010-02-21 19:45:36.415: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 19:45:36.416: debug:
+2010-02-21 19:45:36.416: notice: end of run: 0 errors occured
+2010-02-21 19:45:41.446: notice: ------------------------------------------------------------
+2010-02-21 19:45:41.446: notice: running ../../zkt-signer -f -d -v -v
+2010-02-21 19:45:41.448: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 19:45:41.482: debug:
+2010-02-21 19:45:41.482: notice: end of run: 1 error occured
+2010-02-21 19:47:06.897: notice: ------------------------------------------------------------
+2010-02-21 19:47:06.897: notice: running ../../zkt-signer -f -d -v -v
+2010-02-21 19:47:06.899: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 19:47:06.935: debug:
+2010-02-21 19:47:06.935: notice: end of run: 1 error occured
+2010-02-21 19:58:40.971: notice: ------------------------------------------------------------
+2010-02-21 19:58:40.971: notice: running ../../zkt-signer -f -d -v -v
+2010-02-21 19:58:40.972: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 19:58:41.008: debug:
+2010-02-21 19:58:41.008: notice: end of run: 1 error occured
+2010-02-21 20:00:48.831: notice: ------------------------------------------------------------
+2010-02-21 20:00:48.831: notice: running ../../zkt-signer -f -d -v -v
+2010-02-21 20:00:48.832: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 20:00:48.884: debug:
+2010-02-21 20:00:48.884: notice: end of run: 0 errors occured
+2010-02-21 20:01:11.175: notice: ------------------------------------------------------------
+2010-02-21 20:01:11.175: notice: running ../../zkt-signer -f -d -v -v
+2010-02-21 20:01:11.175: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 20:01:11.208: debug:
+2010-02-21 20:01:11.208: notice: end of run: 0 errors occured
+2010-02-21 20:01:17.174: notice: ------------------------------------------------------------
+2010-02-21 20:01:17.174: notice: running ../../zkt-signer -d -v -v
+2010-02-21 20:01:17.175: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-21 20:01:17.176: debug:
+2010-02-21 20:01:17.176: notice: end of run: 0 errors occured
+2010-02-25 00:12:26.362: notice: ------------------------------------------------------------
+2010-02-25 00:12:26.362: notice: running ../../zkt-signer -v -v
+2010-02-25 00:12:26.442: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-25 00:12:27.060: debug:
+2010-02-25 00:12:27.060: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-25 00:12:27.177: debug:
+2010-02-25 00:12:27.177: notice: end of run: 0 errors occured
+2010-02-25 23:42:20.621: notice: ------------------------------------------------------------
+2010-02-25 23:42:20.621: notice: running ../../zkt-signer -v -v
+2010-02-25 23:42:20.653: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-02-25 23:42:21.012: debug:
+2010-02-25 23:42:21.013: debug: parsing zone "example.net." in dir "./example.net"
+2010-02-25 23:42:21.021: debug:
+2010-02-25 23:42:21.021: notice: end of run: 0 errors occured
+2010-02-25 23:42:29.324: notice: ------------------------------------------------------------
+2010-02-25 23:42:29.324: notice: running ../../zkt-signer -d -v -v
+2010-02-25 23:42:29.326: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-02-25 23:42:29.497: debug:
+2010-02-25 23:42:29.497: notice: end of run: 0 errors occured
+2010-03-02 10:59:11.813: notice: ------------------------------------------------------------
+2010-03-02 10:59:11.813: notice: running ../../zkt-signer -v -v
+2010-03-02 10:59:11.845: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-03-02 10:59:12.416: debug:
+2010-03-02 10:59:12.416: debug: parsing zone "example.net." in dir "./example.net"
+2010-03-02 10:59:12.531: debug:
+2010-03-02 10:59:12.531: notice: end of run: 0 errors occured
+2010-03-02 10:59:46.768: notice: ------------------------------------------------------------
+2010-03-02 10:59:46.768: notice: running ../../zkt-signer -d -v -v
+2010-03-02 10:59:46.769: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
+2010-03-02 10:59:46.995: debug:
+2010-03-02 10:59:46.995: notice: end of run: 0 errors occured
+2010-03-03 23:22:00.105: notice: ------------------------------------------------------------
+2010-03-03 23:22:00.105: notice: running ../../zkt-signer -v -v
+2010-03-03 23:22:00.127: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-03-03 23:22:00.415: debug:
+2010-03-03 23:22:00.415: debug: parsing zone "example.net." in dir "./example.net"
+2010-03-03 23:22:00.416: debug:
+2010-03-03 23:22:00.416: notice: end of run: 0 errors occured
+2010-03-08 23:11:49.633: notice: ------------------------------------------------------------
+2010-03-08 23:11:49.633: notice: running ../../zkt-signer -v -v -N named.conf
+2010-03-08 23:11:49.663: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2010-03-08 23:11:50.170: debug:
+2010-03-08 23:11:50.170: debug: parsing zone "example.net." in dir "././example.net"
+2010-03-08 23:11:50.295: debug:
+2010-03-08 23:11:50.295: notice: end of run: 0 errors occured
+2010-03-08 23:12:56.211: notice: ------------------------------------------------------------
+2010-03-08 23:12:56.211: notice: running ../../zkt-signer -v -v -N named.conf
+2010-03-08 23:12:56.212: debug: parsing zone "example.net." in dir "././example.net"
+2010-03-08 23:12:56.279: debug:
+2010-03-08 23:12:56.279: notice: end of run: 0 errors occured
+2010-03-08 23:13:36.982: notice: ------------------------------------------------------------
+2010-03-08 23:13:36.983: notice: running ../../zkt-signer -v -v -N named.conf
+2010-03-08 23:13:36.984: debug: parsing zone "example.net." in dir "././example.net"
+2010-03-08 23:13:36.985: debug:
+2010-03-08 23:13:36.985: notice: end of run: 0 errors occured
+2010-03-08 23:18:52.241: notice: ------------------------------------------------------------
+2010-03-08 23:18:52.241: notice: running ../../zkt-signer -v -v -N named.conf
+2010-03-08 23:18:52.243: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2010-03-08 23:18:52.287: debug:
+2010-03-08 23:18:52.287: debug: parsing zone "example.net." in dir "././example.net"
+2010-03-08 23:18:52.287: debug:
+2010-03-08 23:18:52.287: notice: end of run: 0 errors occured
+2010-03-11 23:46:35.453: notice: ------------------------------------------------------------
+2010-03-11 23:46:35.453: notice: running ../../zkt-signer -v -v
+2010-03-11 23:46:35.497: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-03-11 23:46:35.831: debug:
+2010-03-11 23:46:35.831: debug: parsing zone "example.net." in dir "./example.net"
+2010-03-11 23:46:35.929: debug:
+2010-03-11 23:46:35.930: notice: end of run: 0 errors occured
+2010-03-11 23:52:33.130: notice: ------------------------------------------------------------
+2010-03-11 23:52:33.130: notice: running ../../zkt-signer -v -v
+2010-03-11 23:52:33.132: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-03-11 23:52:33.132: debug:
+2010-03-11 23:52:33.132: debug: parsing zone "example.net." in dir "./example.net"
+2010-03-11 23:52:33.408: debug:
+2010-03-11 23:52:33.408: notice: end of run: 1 error occured
+2010-03-11 23:53:27.802: notice: ------------------------------------------------------------
+2010-03-11 23:53:27.802: notice: running ../../zkt-signer -v -v
+2010-03-11 23:53:27.804: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-03-11 23:53:27.856: debug:
+2010-03-11 23:53:27.856: debug: parsing zone "example.net." in dir "./example.net"
+2010-03-11 23:53:27.920: debug:
+2010-03-11 23:53:27.920: notice: end of run: 0 errors occured
+2010-07-05 08:15:23.500: notice: ------------------------------------------------------------
+2010-07-05 08:15:23.500: notice: running ../../zkt-signer
+2010-07-05 08:15:23.502: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-07-05 08:15:24.179: debug:
+2010-07-05 08:15:24.179: debug: parsing zone "example.net." in dir "./example.net"
+2010-07-05 08:15:24.316: debug:
+2010-07-05 08:15:24.316: notice: end of run: 0 errors occured
+2010-07-05 08:15:28.171: notice: ------------------------------------------------------------
+2010-07-05 08:15:28.171: notice: running ../../zkt-signer -v -v
+2010-07-05 08:15:28.173: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-07-05 08:15:28.173: debug:
+2010-07-05 08:15:28.174: debug: parsing zone "example.net." in dir "./example.net"
+2010-07-05 08:15:28.174: debug:
+2010-07-05 08:15:28.174: notice: end of run: 0 errors occured
+2010-07-05 08:15:58.498: notice: ------------------------------------------------------------
+2010-07-05 08:15:58.498: notice: running ../../zkt-signer -v -v
+2010-07-05 08:15:58.501: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-07-05 08:15:58.502: debug:
+2010-07-05 08:15:58.502: debug: parsing zone "example.net." in dir "./example.net"
+2010-07-05 08:15:58.503: debug:
+2010-07-05 08:15:58.504: notice: end of run: 0 errors occured
+2010-07-05 08:16:04.892: notice: ------------------------------------------------------------
+2010-07-05 08:16:04.892: notice: running ../../zkt-signer -f -v -v
+2010-07-05 08:16:04.894: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-07-05 08:16:04.937: debug:
+2010-07-05 08:16:04.937: debug: parsing zone "example.net." in dir "./example.net"
+2010-07-05 08:16:04.993: debug:
+2010-07-05 08:16:04.993: notice: end of run: 0 errors occured
+2010-07-05 08:16:33.557: notice: ------------------------------------------------------------
+2010-07-05 08:16:33.557: notice: running ../../zkt-signer -f -v -v
+2010-07-05 08:16:33.559: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-07-05 08:16:33.604: debug:
+2010-07-05 08:16:33.604: debug: parsing zone "example.net." in dir "./example.net"
+2010-07-05 08:16:33.648: debug:
+2010-07-05 08:16:33.648: notice: end of run: 0 errors occured
+2010-07-30 01:30:54.873: notice: ------------------------------------------------------------
+2010-07-30 01:30:54.873: notice: running ../../zkt-signer -v -v
+2010-07-30 01:30:54.879: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-07-30 01:30:55.411: debug:
+2010-07-30 01:30:55.411: debug: parsing zone "example.net." in dir "./example.net"
+2010-07-30 01:30:55.563: debug:
+2010-07-30 01:30:55.563: notice: end of run: 0 errors occured
+2010-08-26 22:52:09.066: notice: ------------------------------------------------------------
+2010-08-26 22:52:09.066: notice: running ../../zkt-signer -v -v
+2010-08-26 22:52:09.092: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 22:52:09.538: debug:
+2010-08-26 22:52:09.539: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 22:52:09.704: debug:
+2010-08-26 22:52:09.704: notice: end of run: 0 errors occured
+2010-08-26 22:56:02.935: notice: ------------------------------------------------------------
+2010-08-26 22:56:02.935: notice: running ../../zkt-signer -v -v
+2010-08-26 22:56:02.937: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 22:56:02.938: debug:
+2010-08-26 22:56:02.938: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 22:56:02.938: debug:
+2010-08-26 22:56:02.938: notice: end of run: 0 errors occured
+2010-08-26 23:06:00.453: notice: ------------------------------------------------------------
+2010-08-26 23:06:00.453: notice: running ../../zkt-signer -v -v
+2010-08-26 23:06:00.456: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:06:00.593: debug:
+2010-08-26 23:06:00.593: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:06:00.672: debug:
+2010-08-26 23:06:00.672: notice: end of run: 0 errors occured
+2010-08-26 23:11:33.804: notice: ------------------------------------------------------------
+2010-08-26 23:11:33.805: notice: running ../../zkt-signer -v -v
+2010-08-26 23:11:33.807: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:11:33.808: debug:
+2010-08-26 23:11:33.808: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:11:33.809: debug:
+2010-08-26 23:11:33.809: notice: end of run: 0 errors occured
+2010-08-26 23:12:51.008: notice: ------------------------------------------------------------
+2010-08-26 23:12:51.008: notice: running ../../zkt-signer -v -v
+2010-08-26 23:12:51.010: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:12:51.011: debug:
+2010-08-26 23:12:51.012: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:12:51.012: debug:
+2010-08-26 23:12:51.012: notice: end of run: 0 errors occured
+2010-08-26 23:23:47.879: notice: ------------------------------------------------------------
+2010-08-26 23:23:47.880: notice: running ../../zkt-signer -v -v
+2010-08-26 23:23:47.886: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:23:47.886: debug:
+2010-08-26 23:23:47.886: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:23:47.886: debug:
+2010-08-26 23:23:47.886: notice: end of run: 0 errors occured
+2010-08-26 23:50:15.720: notice: ------------------------------------------------------------
+2010-08-26 23:50:15.720: notice: running ../../zkt-signer -v -v
+2010-08-26 23:50:15.722: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:50:15.724: debug:
+2010-08-26 23:50:15.724: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:50:15.725: debug:
+2010-08-26 23:50:15.725: notice: end of run: 0 errors occured
+2010-08-26 23:50:55.121: notice: ------------------------------------------------------------
+2010-08-26 23:50:55.121: notice: running ../../zkt-signer -v -v
+2010-08-26 23:50:55.123: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:50:55.124: debug:
+2010-08-26 23:50:55.124: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:50:55.124: debug:
+2010-08-26 23:50:55.124: notice: end of run: 0 errors occured
+2010-08-26 23:51:46.603: notice: ------------------------------------------------------------
+2010-08-26 23:51:46.604: notice: running ../../zkt-signer -v -v
+2010-08-26 23:51:46.606: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:51:46.719: debug:
+2010-08-26 23:51:46.719: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:51:46.719: debug:
+2010-08-26 23:51:46.719: notice: end of run: 0 errors occured
+2010-08-26 23:54:22.818: notice: ------------------------------------------------------------
+2010-08-26 23:54:22.819: notice: running ../../zkt-signer -v -v
+2010-08-26 23:54:22.821: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:54:22.823: debug:
+2010-08-26 23:54:22.823: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:54:22.825: debug:
+2010-08-26 23:54:22.825: notice: end of run: 0 errors occured
+2010-08-26 23:55:00.013: notice: ------------------------------------------------------------
+2010-08-26 23:55:00.013: notice: running ../../zkt-signer -v -v
+2010-08-26 23:55:00.017: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:55:00.018: debug:
+2010-08-26 23:55:00.018: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:55:00.169: debug:
+2010-08-26 23:55:00.169: notice: end of run: 0 errors occured
+2010-08-26 23:56:17.462: notice: ------------------------------------------------------------
+2010-08-26 23:56:17.462: notice: running ../../zkt-signer -v -v
+2010-08-26 23:56:17.464: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:56:17.465: debug:
+2010-08-26 23:56:17.465: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:56:17.531: debug:
+2010-08-26 23:56:17.531: notice: end of run: 0 errors occured
+2010-08-26 23:57:00.176: notice: ------------------------------------------------------------
+2010-08-26 23:57:00.176: notice: running ../../zkt-signer -v -v
+2010-08-26 23:57:00.178: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-08-26 23:57:00.178: debug:
+2010-08-26 23:57:00.178: debug: parsing zone "example.net." in dir "./example.net"
+2010-08-26 23:57:00.179: debug:
+2010-08-26 23:57:00.179: notice: end of run: 0 errors occured
+2010-10-21 14:01:35.484: notice: ------------------------------------------------------------
+2010-10-21 14:01:35.484: notice: running zkt-signer -c dnssec.conf -D .
+2010-10-21 14:01:35.486: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-10-21 14:01:35.546: debug:
+2010-10-21 14:01:35.546: debug: parsing zone "example.net." in dir "./example.net"
+2010-10-21 14:01:35.794: debug:
+2010-10-21 14:01:35.794: notice: end of run: 2 errors occured
+2010-10-21 14:02:09.144: notice: ------------------------------------------------------------
+2010-10-21 14:02:09.144: notice: running zkt-signer -v -v -c dnssec.conf -D .
+2010-10-21 14:02:09.146: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-10-21 14:02:09.209: debug:
+2010-10-21 14:02:09.209: debug: parsing zone "example.net." in dir "./example.net"
+2010-10-21 14:02:09.209: debug:
+2010-10-21 14:02:09.209: notice: end of run: 2 errors occured
+2010-10-21 14:05:35.986: notice: ------------------------------------------------------------
+2010-10-21 14:05:35.986: notice: running ../../zkt-signer -v -v
+2010-10-21 14:05:35.988: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-10-21 14:05:36.170: debug:
+2010-10-21 14:05:36.170: debug: parsing zone "example.net." in dir "./example.net"
+2010-10-21 14:05:36.170: debug:
+2010-10-21 14:05:36.170: notice: end of run: 0 errors occured
+2010-10-21 14:30:43.890: notice: ------------------------------------------------------------
+2010-10-21 14:30:43.890: notice: running ../../zkt-signer -v -v
+2010-10-21 14:30:43.892: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2010-10-21 14:30:43.892: debug:
+2010-10-21 14:30:43.892: debug: parsing zone "example.net." in dir "./example.net"
+2010-10-21 14:30:43.893: debug:
+2010-10-21 14:30:43.893: notice: end of run: 0 errors occured
--- /dev/null
+
+zone "example.NET." in {
+ type master;
+ file "example.net/zone.db.signed";
+};
+
+zone "sub.example.NET." in {
+ type master;
+ file "sub.example.net/zone.db.signed";
+};
--- /dev/null
+;% generationtime=20110125091120
+;% lifetime=84d
+example.de. IN DNSKEY 256 3 5 BQEAAAAB13b8+4oBaYaLYdDvH6fwVwDfohlzGdSu5A9nO/wJ1taCB+4T wn3TSAtlttLmzYad5EbBUIn+4CLBKmc4sKn/cw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 13b8+4oBaYaLYdDvH6fwVwDfohlzGdSu5A9nO/wJ1taCB+4Twn3TSAtlttLmzYad5EbBUIn+4CLBKmc4sKn/cw==
+PublicExponent: AQAAAAE=
+PrivateExponent: Hr+/WEVR20WhmLb/zS+1qqrw9YDpgmw2hTb9Qs5wa5el38OEzQV5OvBdfQC/aDj7SW1PPSw0iYvcoVS3ZPZh
+Prime1: 84w3+p6VYYdrwuju6BrMdISLRla1pPo+synV7D7IR4M=
+Prime2: 4nsxmxk0VLrAzzVDfxvEcF3uEOPIKDgayiB1YCvJ9VE=
+Exponent1: XzmWw18psVyeqhhEZygfbffj2N61WpM0OulCViv4upM=
+Exponent2: Qvo4lPrZBicpnQoC+TTYN2MhzXfIm4IPATGftVC6oFE=
+Coefficient: 6J4QOm1lunyBgAiluqGKhs9FJs9y1ZQ62Lzgauf6XVA=
--- /dev/null
+;% generationtime=20081116180040
+;% lifetime=365d
+example.de. IN DNSKEY 257 3 5 BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT m5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnB q1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mU jQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: DOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mUjQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: AcxmOS9ewHH4UTWVHOSEyONodDImWb5DFyMOUzn3FCkdBEnsOAYTO8/noT3PP0uoMK0s7/BlIReEqsyCVcgQVrTbJszoKlwhHT+XO60i3wPJIWF9u8ouFDnGLkbSRpw6L72uRZy9SdSWUWHdlRayK6T3uJGrcsCLIlzaSue1vXjdUobHMVxQ+mPCFNjSgRWOvTxGcsoXPKx5MjrmAUEnLyQuoQ==
+Prime1: A50KZhIYCkyx48okZHgirDXs0cVYf2OOvLcNKF4AvBBTwoV9+oFfTd+wKy9f+G/FqVBV1s4rv/M7UCpAFJPCqaDkt+EEv5DNnX69RgvwBrHyxQ==
+Prime2: A5KoV2IkWEM9Djm8pZay/fQpM8coQxVutNDb9G4ADMwpwK5ddGifS38jPlHenUKDxSFtfOZBQbyf7ra/lSttpOqSnr/e6s6HHRn5TYfdR9IXKQ==
+Exponent1: eWP9FtwMjnnrsAhQlO7Fbko74gKGRVaygSe4Pd+TGM22dHDZCCoc//IBL+s2Dhezy1l8xiOPVbcxzxHMbqrQhPENi7HihDwiR1WfuSaoIfod
+Exponent2: AweXUxlW7qBg+v2qV5cCZl+gvTBW/1vP7llsoOqbHR69xLklXEV96TlEbKU8hoSnq8ts8qqh4/HFj1d+KRTeHWpseUm0GXdK/k7ZvYfr7KVHUQ==
+Coefficient: AwVZtbgFX0bAOj9J2p48qYAn3EaIuCvzDYoIE3E/m3NZS8UXQ5MK12AFhulRYpWOgZCIWK9fH0MTvtDFk3I5vyFTMhovDBrSWNn/+TJ47CwrBQ==
--- /dev/null
+;% generationtime=20080914221502
+;% lifetime=365d
+example.de. IN DNSKEY 257 3 5 BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t CKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r2 60jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8E uw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: DV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8Euw==
+PublicExponent: AQAAAAE=
+PrivateExponent: CxINUgbVqMf0BnMNYq3aL8ucN4fael2ljQYgDCpcTMfqVuRo+Vo6sMEr3C6Bw8MTHWo2jMxdulyS4tsiMQVVjWUArFL/sfFYLwopjOExcneji6noi8n9dzgslNpo3QAdnKwDGUwj+k7CBzCbLSZ5xpt/eaHcN4l1buQ0tcqShthdh7sNHFX1nAqjsLa7xxCiBsliA6LD/QTAAzcbED0Xw7SJWQ==
+Prime1: A+RY6jx9urFg5GeyRqrAiqqClEzyWgEM4HsJn/oQ38PE6NrPzcG9U95um79u1WwWtXe5xTifInhN40CpxQYH45NFjZEuEvROvkXk5JHV9b5UHw==
+Prime2: A2949khdV+cKgI2EHmRIu7PJUFkBgrMXacwVpGdaN41NpJYFRYW8qoPmKRrw/Fji7GZj0rrro51XT7JNDbC44dX/bGdNa/eWvslPJGfCR4Gb5Q==
+Exponent1: rVHNFnlV2HXIOzi9+2Hit8m7bNXrVXA/DJ3lGCzDL2PzpvQcrL6mMXzaYznP9XaSgyR9M8u+Tdwqq11lHsnWhNLyWKTyAlO5WP3syQD3+0Jp
+Exponent2: ArQCCQS8lPgDvu7LI3q5tanr2nmM2uMzPNud9EPSqAql8iEIgOZDLDsMDZd9QHm2Dicjc2UifTcJgQlc3OACSVYkkxjvHKO7t03KNoZkhceTTQ==
+Coefficient: GUOOUFWtz0iCPZx1ljdxpP3T4hW7Jux1zcfV6PwX+Nx+8KcawXFfNxjsC1+Sla9Txv02Kgqg9Mh3mCNGynimcbkmmOcfyozKOttAD1sheFK0
--- /dev/null
+;% generationtime=20101127093934
+;% lifetime=63d
+example.de. IN DNSKEY 256 3 5 BQEAAAABw62oxcUQ8mF4T6zH+tAkM0FU3nXJ4sgnBSUa884gZL2AlG+t 7FpwrRm/Hish/hxVRzmM8q2srgLHBYAk12VkMQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: w62oxcUQ8mF4T6zH+tAkM0FU3nXJ4sgnBSUa884gZL2AlG+t7FpwrRm/Hish/hxVRzmM8q2srgLHBYAk12VkMQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: IwUfBuvY5VY30HNbiboZAUkgEkSiFAj86peg2ue+PhllmtSP+Vxl7bguyEq0JJgk8AcQB0fxD9b8VdkgksSwgQ==
+Prime1: 54rg6aJKRFWczUKRDwD0/aRC+VKc6gJAtw3RrAnW/Nc=
+Prime2: 2Fj7RLozuJFUHRkDTFIQWrPEInCGmrIPU+tLPH6vPjc=
+Exponent1: gwVUTriIA6KGdAqT+sX/5cpwaIC0v5Nnl70WXoOkiOs=
+Exponent2: RI+e2Q3LGyTFTRf64HiGzl67T84jor3EM+1LTugfpSs=
+Coefficient: CNfuRUw+kKfO99T09DeD1y4N7QwyGG03NfazSa4GvPU=
--- /dev/null
+;
+; !!! Don't edit this file by hand.
+; !!! It will be generated by zkt-signer.
+;
+; Last generation time Jan 25 2011 19:39:31
+;
+
+; *** List of Key Signing Keys ***
+; example.de. tag=47280 algo=RSASHA1 generated Jul 05 2010 09:43:02
+example.de. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR
+ mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t
+ CKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r2
+ 60jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8E
+ uw==
+ ) ; key id = 47280
+
+; example.de. tag=37983 algo=RSASHA1 generated Jul 05 2010 09:43:02
+example.de. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU
+ YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT
+ m5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnB
+ q1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mU
+ jQ==
+ ) ; key id = 37983
+
+; *** List of Zone Signing Keys ***
+; example.de. tag=60407 algo=RSASHA1 generated Nov 27 2010 19:46:33
+example.de. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAABw62oxcUQ8mF4T6zH+tAkM0FU3nXJ4sgnBSUa884gZL2AlG+t
+ 7FpwrRm/Hish/hxVRzmM8q2srgLHBYAk12VkMQ==
+ ) ; key id = 60407
+
+; example.de. tag=25598 algo=RSASHA1 generated Jan 25 2011 10:11:20
+example.de. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAAB13b8+4oBaYaLYdDvH6fwVwDfohlzGdSu5A9nO/wJ1taCB+4T
+ wn3TSAtlttLmzYad5EbBUIn+4CLBKmc4sKn/cw==
+ ) ; key id = 25598
+
--- /dev/null
+example.de. IN DS 37983 5 1 635B486D53D19B16BC4A87366BC2D5626978F4B9
+example.de. IN DS 37983 5 2 5B8412FE443D8F4F77AC4C89FF12289DA88998D864EC68E3E5A4EE2C B192F9DC
+example.de. IN DS 47280 5 1 149C886C8175B220A964D4293EB4FCFAC1650974
+example.de. IN DS 47280 5 2 466E738B6913F7081DE5E17FC3567771618AB1D6CB0A333270A4AC24 7DB14DD0
--- /dev/null
+$ORIGIN .
+example.de 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
+ Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
+ z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH
+ z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R
+ 7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/
+ us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4
+ 8Mlp1+mUjQ==
+ ) ; key id = 37983
+ 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4
+ LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx
+ 6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq
+ vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO
+ lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM
+ GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
+ K9bqDM8Euw==
+ ) ; key id = 47280
--- /dev/null
+; KSK rollover phase1 (new key generated but this is alread the old one)
+sub.example.de. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAABzRcWJYuBn9eY8u4x+04jkYmSmfRaGuNc4soput6Fo2/HViu1
+ 1Jo2uMnp4Z4MeGzti4IGsL2Lp5vC66qXeX0Qqk+aIJBQUyHCF1nPmPad
+ 2hDVFpD4Lp/uArmHaaLxQ4px6LEe0PMG1W/a/gJWNxuiTmkSN5c9vXsQ
+ m3SuRnb0ef0=
+ ) ; key id = 38331
--- /dev/null
+;% generationtime=20101127093933
+;% lifetime=3d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAAB5tuyJuCMHTySqvnPpVSbFcnFK6jI/BG3Va5Yu0ou7jPArylc mziNb9AIJ2PBaVcXbeH6h9YWd9MLCLKPZqRLKQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 5tuyJuCMHTySqvnPpVSbFcnFK6jI/BG3Va5Yu0ou7jPArylcmziNb9AIJ2PBaVcXbeH6h9YWd9MLCLKPZqRLKQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: JzR1JHrF/sD4IW5yUk+u1Kk3EuBcKPbD8wqOMseG34SyEm1jPU+o2QlTA2DPw49ApfKrkq+ikDZ7+mRwRGOHAQ==
+Prime1: 9OdVjN/tX8KeuG8oURXKri8YD04kz07isqeYTYyksfE=
+Prime2: 8VFyYFkvnx5UuYdOTuoIIJcQqK0HeC+JwB1wAyRm9Lk=
+Exponent1: ATIpC4/KM7AKHLlt3vvxyyov3pPBnCwF9NC4L4gpNEE=
+Exponent2: 8UV1SqMZEk9tI8NTvRa2Z6xRB0b7D2MNnedSZqOXi/E=
+Coefficient: mUOK9cs0xozwdcUZPkP+FDoxJvfN6eeidsFqya3JLOo=
--- /dev/null
+;% generationtime=20110125183931
+;% lifetime=7d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAABocb52XnOJzaKKv90SFZxTddP7OuzI/qaeOqptm7BH3QKGTBj ZmgfJ6J2uNXamzVEUGiAV5yLvPbxSAUK/R7HWP22ENqRxouZrQVUYfMC pVS69kTGagTnMmywpg5LtCic9+18YRX2NhkxNvUpBjlTn7BbjXW36yy5 sA1Uq+Rg2cU=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: ocb52XnOJzaKKv90SFZxTddP7OuzI/qaeOqptm7BH3QKGTBjZmgfJ6J2uNXamzVEUGiAV5yLvPbxSAUK/R7HWP22ENqRxouZrQVUYfMCpVS69kTGagTnMmywpg5LtCic9+18YRX2NhkxNvUpBjlTn7BbjXW36yy5sA1Uq+Rg2cU=
+PublicExponent: AQAAAAE=
+PrivateExponent: JpNUVc04LC+jHSd/SN4bbbUXotjoQMNxsR0OmiGAQqOdWL6NWZ2XRr1dYS0NWy6lLxPCtA5MhnS5TgY633Vfd2KM8ywkNy3Dwtd/ynHRqv6poAhSoSZtYds/RrPATwMMzKmuwXoH9YAG4IHhG9y4mUA9cVB84xT/5ZVxoaatYgE=
+Prime1: 1hrTq3BjlThxhlNym2qSx5Kop2rtn6J3LSM7wlQ8vd2vR9lNuj8TrM8yig3S1tRh4RSKLWtOgb3eBo26nrp+EQ==
+Prime2: wW7mdWIEe1UkZVFnH2J2If5D5v1mn0o8umik+tE3aQJun9WOVjbZ/PjwlaMM+nFAID08Plj25ec0z8hu8cV8dQ==
+Exponent1: iVUvqW8WSh0JJt2Cs6Eokp6fhJveVPMTmTtWWkKtYFnQx/peBxb55x+ULMQvHG3Iz06Y445k61629mCvyB9qwQ==
+Exponent2: Ewn17+1cExPMS+ZITVszVdouSCvnteVj7V/AL8C0iSK0x7XlBx3F8D9vNfYWL+7WOjF5t+v0dmBM+J0TKLUZzQ==
+Coefficient: AhCRWPVu5lQcfR94r8G5sQik3ZmZf1uJbO2mf+24yHQA0qjzYiEo42jCwXSDA3JtBwAbTwukmmTn4gOWHex7JQ==
--- /dev/null
+;% generationtime=20100826211144
+;% lifetime=7d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAABzRcWJYuBn9eY8u4x+04jkYmSmfRaGuNc4soput6Fo2/HViu1 1Jo2uMnp4Z4MeGzti4IGsL2Lp5vC66qXeX0Qqk+aIJBQUyHCF1nPmPad 2hDVFpD4Lp/uArmHaaLxQ4px6LEe0PMG1W/a/gJWNxuiTmkSN5c9vXsQ m3SuRnb0ef0=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: zRcWJYuBn9eY8u4x+04jkYmSmfRaGuNc4soput6Fo2/HViu11Jo2uMnp4Z4MeGzti4IGsL2Lp5vC66qXeX0Qqk+aIJBQUyHCF1nPmPad2hDVFpD4Lp/uArmHaaLxQ4px6LEe0PMG1W/a/gJWNxuiTmkSN5c9vXsQm3SuRnb0ef0=
+PublicExponent: AQAAAAE=
+PrivateExponent: YcpriBuIcizNJGNwVPxNTYDgzz4nQsZ2z7F5fr5BmfC9Ukx7Mdl8wzS/8dikD3FhTqEbDdANf5L/LuPiE0XvvFzMEweRtoSQnYDlnvpYQPGcFcTXlbY1Jn6h3WvVyfLWMWK0/2lsLtHzRhToyI1WyO6wFqrun9e+HvHb71SwP6k=
+Prime1: 9aHh1J2wdRibYZI01fQqegxMuZn5+NlvxWxO2Bzwbm4e68cMQjVeyn7N0j46hE7kv+z07422AgXq1kLllqIpNw==
+Prime2: 1b8i4culx54km/hid+U9qLFcorXX9e2QF2LFxd5/+YYBBILp7RGk9sD/PWTCPcYZbviPzkRhq+3ignTfwdzAaw==
+Exponent1: 2fQGWETsC1OVxzQamORV4JQzBB8haAYNHaCcvgidlQgQFQA2pR4PNaLj77DUHBOrjb2pKjsCS7xumwVu1F8T2w==
+Exponent2: EX6aW8lr4Fizn0QwEumQAYnRv7Z32Tfmnr/s6gHPVxPK7spfiPhK0Lb3Q04OfFkJdHNaG9YMpqmNI8ZW/PyJsw==
+Coefficient: YvQ1SQqRz/y9ApJSUmswljwbA6NGxS5Mh9ZA8Ui1jNPYClQ6Ncn2A4FatnLBfyLaalCLzR3rf22LoNvwc9g8rg==
--- /dev/null
+;% generationtime=20101127101703
+;% lifetime=7d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAAB2CMCmaITzL7L6UmI0Y+u16LiyINgkYc3dxYunDYWK0FEXGa5 L7ss8jepJnBM6KD/rekwqb5wgso/5VnSprhUUnQqec6ESuJ/9/ThI6i7 zD6AnwdtXagTOaTRqWhUEcjgMIG4oJK/Pb5mZAlXvzPqmRkyeStRw0cU AEWQvdtuDcc=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 2CMCmaITzL7L6UmI0Y+u16LiyINgkYc3dxYunDYWK0FEXGa5L7ss8jepJnBM6KD/rekwqb5wgso/5VnSprhUUnQqec6ESuJ/9/ThI6i7zD6AnwdtXagTOaTRqWhUEcjgMIG4oJK/Pb5mZAlXvzPqmRkyeStRw0cUAEWQvdtuDcc=
+PublicExponent: AQAAAAE=
+PrivateExponent: BTyLOYpzVpf3iu0C8TsgWOjkBxZYFrHY/A1FOznBnvmYoGo/R3VEoeiZ8rNeizi5z123O37vROe8lz78HGacZbAdOJN2641uSsIN291KQk5phA9udaR6LT+mc0pIb9jg++M0F3Hf5i5PYEu/er/JGSHFT6/h9NpnbyqcXYjV6yE=
+Prime1: 8+mFlmHUdJ730AoP0NGVCaQXmU0YRTKsbR/6nQLOerKE9XBfedI9yqBR3c/jxko6dt8f6d/vhizdeTfmQU/xJQ==
+Prime2: 4tka/vWR5lFqC3IGnKH0Dudiwurzz/dDoPwc1WWdpKWdKBss3D+aFFr61NFTgJCT2vw7/5EJY0RGX7JVMKQdew==
+Exponent1: ZKJzEF60uVnkVEg+IyIS7mBmUVL91FmieU1ZOXSeV683uCdVKSTSdPr/+l18R7IgjOnCOs9ityOfGb0eVrqHKQ==
+Exponent2: af/TPglQaRZJKRwT8Jh6PbuBtK1RpMmudpVF/M+t7VSCpkhIEa+MPQP3f/9POSHT/Th8oe7PE/JLhqEllQTgsQ==
+Coefficient: PlboG/Rm7dd/QQirRpQ/fZZdFPjNI0J1VjfRst+Qb/yuB2m81CU6GNwDyJujX7L5JQpfQGlqIRvk9jw2cpRBJQ==
--- /dev/null
+;% generationtime=20110125091120
+;% lifetime=3d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAAB1+QMKtDQA7dd2FA5IMVv5Y/VQa1ueCB4ZgDqvDUkdmQ2STLE DwQuCoL26XId1SjEPQS47v3GBqTkSb0M/mSIsw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 1+QMKtDQA7dd2FA5IMVv5Y/VQa1ueCB4ZgDqvDUkdmQ2STLEDwQuCoL26XId1SjEPQS47v3GBqTkSb0M/mSIsw==
+PublicExponent: AQAAAAE=
+PrivateExponent: Kye03nJBn261AzC2UQAIVVOz0IUDAmIO/LqThB87QJc9xFPk+KQZDvn7+XaLReYSUZrgDadZozVyGCBwmTbKEQ==
+Prime1: 8c3ijRfD1wTzd2CKDyO9Zzsq0r/DvH/30BL7QzB1/7s=
+Prime2: 5JC0mXeSA3vDweMKht4bH44IXBPLuq9EGTVWDLolH2k=
+Exponent1: jCN5Qm3qprCbs+lLPNJ1fIWWD6Zzg6tObVCputLFRqE=
+Exponent2: ooEJXApdOWOj2g9rLuZ0jCEkARFtLd/fnvlEZfWOJFk=
+Coefficient: GZIo2y2pmmjsXCZaHPzd6CGGkXRq1kOw2OCZ1NUcPWY=
--- /dev/null
+sub.example.de.dlv.trusted-keys.net. IN DLV 32679 5 1 B2B115076F5BC2F2864D8ED1D63279193E5E7999
+sub.example.de.dlv.trusted-keys.net. IN DLV 32679 5 2 71B3896274A524028F131983D780C12CB38EA40E435815E9CC301749 26BFD367
+sub.example.de.dlv.trusted-keys.net. IN DLV 38331 5 1 8F7E90EE2686DAE4D31CEE40142AD6A25670B0A0
+sub.example.de.dlv.trusted-keys.net. IN DLV 38331 5 2 7B791220D03926DC6D3531CD155EF1E2AB202CE5955DF61079BEDD48 67400707
+sub.example.de.dlv.trusted-keys.net. IN DLV 51846 5 1 F0B3607F13FFE0C5AEF2ED24978FC8D42B391361
+sub.example.de.dlv.trusted-keys.net. IN DLV 51846 5 2 B067543FEAC9F203E9508672D802DEFD9F8AFF6CDBCC298B25C2CCED EDC813D8
--- /dev/null
+;
+; !!! Don't edit this file by hand.
+; !!! It will be generated by zkt-signer.
+;
+; Last generation time Jan 25 2011 19:39:31
+;
+
+; *** List of Key Signing Keys ***
+; sub.example.de. tag=38331 algo=RSASHA1 generated Aug 26 2010 23:11:44
+sub.example.de. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAABzRcWJYuBn9eY8u4x+04jkYmSmfRaGuNc4soput6Fo2/HViu1
+ 1Jo2uMnp4Z4MeGzti4IGsL2Lp5vC66qXeX0Qqk+aIJBQUyHCF1nPmPad
+ 2hDVFpD4Lp/uArmHaaLxQ4px6LEe0PMG1W/a/gJWNxuiTmkSN5c9vXsQ
+ m3SuRnb0ef0=
+ ) ; key id = 38331
+
+; sub.example.de. tag=51846 algo=RSASHA1 generated Nov 27 2010 11:17:03
+sub.example.de. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAAB2CMCmaITzL7L6UmI0Y+u16LiyINgkYc3dxYunDYWK0FEXGa5
+ L7ss8jepJnBM6KD/rekwqb5wgso/5VnSprhUUnQqec6ESuJ/9/ThI6i7
+ zD6AnwdtXagTOaTRqWhUEcjgMIG4oJK/Pb5mZAlXvzPqmRkyeStRw0cU
+ AEWQvdtuDcc=
+ ) ; key id = 51846
+
+; sub.example.de. tag=32679 algo=RSASHA1 generated Jan 25 2011 19:39:31
+sub.example.de. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAABocb52XnOJzaKKv90SFZxTddP7OuzI/qaeOqptm7BH3QKGTBj
+ ZmgfJ6J2uNXamzVEUGiAV5yLvPbxSAUK/R7HWP22ENqRxouZrQVUYfMC
+ pVS69kTGagTnMmywpg5LtCic9+18YRX2NhkxNvUpBjlTn7BbjXW36yy5
+ sA1Uq+Rg2cU=
+ ) ; key id = 32679
+
+; *** List of Zone Signing Keys ***
+; sub.example.de. tag=27647 algo=RSASHA1 generated Jan 25 2011 10:11:20
+sub.example.de. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAAB5tuyJuCMHTySqvnPpVSbFcnFK6jI/BG3Va5Yu0ou7jPArylc
+ mziNb9AIJ2PBaVcXbeH6h9YWd9MLCLKPZqRLKQ==
+ ) ; key id = 27647
+
+; sub.example.de. tag=55550 algo=RSASHA1 generated Jan 25 2011 10:11:20
+sub.example.de. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAAB1+QMKtDQA7dd2FA5IMVv5Y/VQa1ueCB4ZgDqvDUkdmQ2STLE
+ DwQuCoL26XId1SjEPQS47v3GBqTkSb0M/mSIsw==
+ ) ; key id = 55550
+
--- /dev/null
+##
+## dnssec-zkt v0.4 (c) Jan 2005 hoz <at> hznet <dot> de ##
+##
+
+resigninterval 12h
+sigvalidity 1d
+max_ttl 90s
+
+ksk_lifetime 7d
+key_algo RSASHA1
+ksk_bits 1024
+
+zsk_lifetime 3d
+zsk_bits 512
+
+dlv_domain "dlv.trusted-keys.net"
--- /dev/null
+sub.example.de. IN DS 32679 5 1 B2B115076F5BC2F2864D8ED1D63279193E5E7999
+sub.example.de. IN DS 32679 5 2 71B3896274A524028F131983D780C12CB38EA40E435815E9CC301749 26BFD367
+sub.example.de. IN DS 38331 5 1 8F7E90EE2686DAE4D31CEE40142AD6A25670B0A0
+sub.example.de. IN DS 38331 5 2 7B791220D03926DC6D3531CD155EF1E2AB202CE5955DF61079BEDD48 67400707
+sub.example.de. IN DS 51846 5 1 F0B3607F13FFE0C5AEF2ED24978FC8D42B391361
+sub.example.de. IN DS 51846 5 2 B067543FEAC9F203E9508672D802DEFD9F8AFF6CDBCC298B25C2CCED EDC813D8
--- /dev/null
+$ORIGIN .
+sub.example.de 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABocb52XnOJzaKKv90SFZxTddP7Ouz
+ I/qaeOqptm7BH3QKGTBjZmgfJ6J2uNXamzVE
+ UGiAV5yLvPbxSAUK/R7HWP22ENqRxouZrQVU
+ YfMCpVS69kTGagTnMmywpg5LtCic9+18YRX2
+ NhkxNvUpBjlTn7BbjXW36yy5sA1Uq+Rg2cU=
+ ) ; key id = 32679
+ 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABzRcWJYuBn9eY8u4x+04jkYmSmfRa
+ GuNc4soput6Fo2/HViu11Jo2uMnp4Z4MeGzt
+ i4IGsL2Lp5vC66qXeX0Qqk+aIJBQUyHCF1nP
+ mPad2hDVFpD4Lp/uArmHaaLxQ4px6LEe0PMG
+ 1W/a/gJWNxuiTmkSN5c9vXsQm3SuRnb0ef0=
+ ) ; key id = 38331
+ 7200 IN DNSKEY 257 3 5 (
+ BQEAAAAB2CMCmaITzL7L6UmI0Y+u16LiyINg
+ kYc3dxYunDYWK0FEXGa5L7ss8jepJnBM6KD/
+ rekwqb5wgso/5VnSprhUUnQqec6ESuJ/9/Th
+ I6i7zD6AnwdtXagTOaTRqWhUEcjgMIG4oJK/
+ Pb5mZAlXvzPqmRkyeStRw0cUAEWQvdtuDcc=
+ ) ; key id = 51846
--- /dev/null
+; KSK rollover phase1 (new key generated but this is alread the old one)
+sub.example.de. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAABzRcWJYuBn9eY8u4x+04jkYmSmfRaGuNc4soput6Fo2/HViu1
+ 1Jo2uMnp4Z4MeGzti4IGsL2Lp5vC66qXeX0Qqk+aIJBQUyHCF1nPmPad
+ 2hDVFpD4Lp/uArmHaaLxQ4px6LEe0PMG1W/a/gJWNxuiTmkSN5c9vXsQ
+ m3SuRnb0ef0=
+ ) ; key id = 38331
--- /dev/null
+;-----------------------------------------------------------------
+;
+; @(#) sub.example.de/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+@ IN SOA ns1.example.de. hostmaster.example.de. (
+ 2011012503; Serial (up to 10 digits)
+ 86400 ; Refresh (RIPE recommendation if NOTIFY is used)
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+
+ IN NS ns1.example.de.
+
+$INCLUDE dnskey.db
+
+localhost IN A 127.0.0.1
+
+a IN A 1.2.3.4
+b IN A 1.2.3.5
+c IN A 1.2.3.6
--- /dev/null
+; File written on Tue Jan 25 19:39:31 2011
+; dnssec_signzone version 9.7.2-P2
+sub.example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. (
+ 2011012503 ; serial
+ 86400 ; refresh (1 day)
+ 1800 ; retry (30 minutes)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 7200 RRSIG SOA 5 3 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ wbTvANOCw3T6BjH3ibeVrgAG2WJPmX09LZmX
+ P7xtuj9F1Kaj+EpXvQv37SaA8ldr0Ge25q3+
+ KB0+dtpmxel7NQ== )
+ 7200 NS ns1.example.de.
+ 7200 RRSIG NS 5 3 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ hvliLSJ7kw/6nZfrDHJ3nnvW3RjiYZMbYASL
+ IdKLGsytfU6zaypMXGiwxDo/k+BafY7V4xAM
+ RGxgMNRthCqOaQ== )
+ 7200 NSEC a.sub.example.de. NS SOA RRSIG NSEC DNSKEY
+ 7200 RRSIG NSEC 5 3 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ fCX2CjTIm3XyOXhPZni/e21bTKmdZlW9keBX
+ pb9hEYY5/D3UJWzkVNpVeQ0e1n3QQvwklLda
+ ezrP/SfZDzIwbg== )
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAAB1+QMKtDQA7dd2FA5IMVv5Y/VQa1u
+ eCB4ZgDqvDUkdmQ2STLEDwQuCoL26XId1SjE
+ PQS47v3GBqTkSb0M/mSIsw==
+ ) ; key id = 55550
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAAB5tuyJuCMHTySqvnPpVSbFcnFK6jI
+ /BG3Va5Yu0ou7jPArylcmziNb9AIJ2PBaVcX
+ beH6h9YWd9MLCLKPZqRLKQ==
+ ) ; key id = 27647
+ 14400 DNSKEY 257 3 5 (
+ BQEAAAABocb52XnOJzaKKv90SFZxTddP7Ouz
+ I/qaeOqptm7BH3QKGTBjZmgfJ6J2uNXamzVE
+ UGiAV5yLvPbxSAUK/R7HWP22ENqRxouZrQVU
+ YfMCpVS69kTGagTnMmywpg5LtCic9+18YRX2
+ NhkxNvUpBjlTn7BbjXW36yy5sA1Uq+Rg2cU=
+ ) ; key id = 32679
+ 14400 DNSKEY 257 3 5 (
+ BQEAAAABzRcWJYuBn9eY8u4x+04jkYmSmfRa
+ GuNc4soput6Fo2/HViu11Jo2uMnp4Z4MeGzt
+ i4IGsL2Lp5vC66qXeX0Qqk+aIJBQUyHCF1nP
+ mPad2hDVFpD4Lp/uArmHaaLxQ4px6LEe0PMG
+ 1W/a/gJWNxuiTmkSN5c9vXsQm3SuRnb0ef0=
+ ) ; key id = 38331
+ 14400 DNSKEY 257 3 5 (
+ BQEAAAAB2CMCmaITzL7L6UmI0Y+u16LiyINg
+ kYc3dxYunDYWK0FEXGa5L7ss8jepJnBM6KD/
+ rekwqb5wgso/5VnSprhUUnQqec6ESuJ/9/Th
+ I6i7zD6AnwdtXagTOaTRqWhUEcjgMIG4oJK/
+ Pb5mZAlXvzPqmRkyeStRw0cUAEWQvdtuDcc=
+ ) ; key id = 51846
+ 14400 RRSIG DNSKEY 5 3 14400 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ sg/apLP8ejq7KT+djaUwJqizKG4tq1jTLMLt
+ NHLn/68rX5w4dY8DTeYxexb4r8Z23kVb0bg+
+ lJmmBy5j2r8SMg== )
+ 14400 RRSIG DNSKEY 5 3 14400 20110126173931 (
+ 20110125173931 32679 sub.example.de.
+ bzzolxuy/5cXaTOvYDGz+xiRffMSQUSCRicG
+ jN2InbD0oghm9IlZYaerY3Cx4ta0xitl63Fa
+ 9n8DAb409BU+uR3SKw+EMQwdEhn1ixslf7Er
+ N9nyPz+3hCteJ89htoyGBRehQbw3LkFsHPKS
+ 1q62yU3+dLOLqiJUGgXinFwZ81o= )
+ 14400 RRSIG DNSKEY 5 3 14400 20110126173931 (
+ 20110125173931 38331 sub.example.de.
+ nflCKXmANdTDh1g72GpT5JzeaE9u+kZ6Kkds
+ q4VbnnZjmv8flpsqH9XHV6QU7W7pFhLQ9i9X
+ qYVPL5HzoZn0q4m08h2z9VCrfCVzfOZVr6S2
+ TnL/RTbSRXMHwU63bMM7FNbPz2JlajNAIpfW
+ 7uHjqoQEWRcJ8ee7JkW5tiu5/5A= )
+ 14400 RRSIG DNSKEY 5 3 14400 20110126173931 (
+ 20110125173931 51846 sub.example.de.
+ WaCBxN/IXv3g2NtoBm2epHkZqBTMONadExfN
+ 0rWSV0mazdli950enMmBwwIEZK+0FVwLpv4Z
+ zgL5BHuPim7ObqnR6wM1gOpi65lU8IX5Ilbv
+ OIrUZ5g0O1rYHUjaQKtKBTcgOo7ZtutIj4gc
+ Xn+2dark9is8EoDHripF5TkDJgU= )
+a.sub.example.de. 7200 IN A 1.2.3.4
+ 7200 RRSIG A 5 4 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ zXzioVSpADspftLWazy+jcGRxHytDuZtUBkD
+ dsjcU3fy6a8atHbcwUjd43rwzazxphVcL/sM
+ CeWz5ZcXkYCWeQ== )
+ 7200 NSEC b.sub.example.de. A RRSIG NSEC
+ 7200 RRSIG NSEC 5 4 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ k6LWx56HsWiDm7DLUShd97q7dprzDXaocGVL
+ UPB35LGLUzZIGx/80K+ppeqAD2KoiJ/d+jBi
+ ZwtomkSGusfVIA== )
+b.sub.example.de. 7200 IN A 1.2.3.5
+ 7200 RRSIG A 5 4 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ b90i/duKEbOBKWDJ39xTlMbGJ3DqdTUCdH1y
+ sTs96Ea2PZFNoCenAssREGxLG/SdArErfdOC
+ Q1zCi5z2cYYeyg== )
+ 7200 NSEC c.sub.example.de. A RRSIG NSEC
+ 7200 RRSIG NSEC 5 4 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ EGurYn3qRMV+uwzTGq9asXnpKvLhX3qZhQh/
+ Tb3AiQ+Oyl+PzfDjP1BI8jqejNTwvlRWBL4H
+ RRBZMN/Pnn22bw== )
+c.sub.example.de. 7200 IN A 1.2.3.6
+ 7200 RRSIG A 5 4 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ DCFyTIcXCMd3wIdwLjDNXOINmMcQ1tYBzgry
+ JnZZecok5A6TPXCQ5PrErgwWl6h9URa8M6Kd
+ Yg6jLpDMcmdNug== )
+ 7200 NSEC localhost.sub.example.de. A RRSIG NSEC
+ 7200 RRSIG NSEC 5 4 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ cUvw2e+2VlJVaFGF5zciADg3W/DMz2zeLTlp
+ bEav7jr7xFJdg9twcr+WtKh9xyAraH/0eqT8
+ cs3z8i81I/Dgzg== )
+localhost.sub.example.de. 7200 IN A 127.0.0.1
+ 7200 RRSIG A 5 4 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ eKi4L2xErnSUAPH3jGWtLShBTab/ZMC86wdf
+ F8jRpWkNzMqpxhmEOgeCnCA1cm3Ua/vrSSpA
+ HmPpxba/FXtOkg== )
+ 7200 NSEC sub.example.de. A RRSIG NSEC
+ 7200 RRSIG NSEC 5 4 7200 20110126173931 (
+ 20110125173931 27647 sub.example.de.
+ texCzbZHYWVAyNKaR2otusOB3nzL3NMPYApC
+ Lg7vi4wuk08gC4CvTbEHz+4I7ZeWrMIHwNTp
+ vsE/tnmaVsHM6Q== )
--- /dev/null
+;-----------------------------------------------------------------
+;
+; @(#) example.de/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+; Ensure that the serial number below is left
+; justified in a field of at least 10 chars!!
+; 0123456789;
+; It's also possible to use the date format e.g. 2005040101
+@ IN SOA ns1.example.de. hostmaster.example.de. (
+ 315 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+
+ IN NS ns1.example.de.
+ IN NS ns2.example.de.
+
+ns1 IN A 1.0.0.5
+ IN AAAA 2001:db8::53
+ns2 IN A 1.2.0.6
+
+localhost IN A 127.0.0.1
+
+; Delegation to secure zone; The DS resource record will
+; be added by dnssec-signzone automatically if the
+; keyset-sub.example.de file is present (run dnssec-signzone
+; with option -g or use the dnssec-signer tool) ;-)
+sub IN NS ns1.example.de.
+
+; this file will contain all the zone keys
+$INCLUDE dnskey.db
+
--- /dev/null
+; File written on Tue Jan 25 19:39:31 2011
+; dnssec_signzone version 9.7.2-P2
+example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. (
+ 315 ; serial
+ 43200 ; refresh (12 hours)
+ 1800 ; retry (30 minutes)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 7200 RRSIG SOA 5 2 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ D25r9o5y0UlIClgAHwOq9P1/prHCO3/KI/91
+ ZHUOA1HPvRt/EW4vQdHNsZPzTgbEZlkrzK1B
+ f9Z8FRjiPwwuTg== )
+ 7200 NS ns1.example.de.
+ 7200 NS ns2.example.de.
+ 7200 RRSIG NS 5 2 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ UDFg0Wr335Zhx2JZNw7ctla8EpFv+8eVjh8Y
+ YDv47XmCXuazL4EZV3efeU4wnuxmphL02j8X
+ NLpnUVnRP2QufQ== )
+ 7200 NSEC localhost.example.de. NS SOA RRSIG NSEC DNSKEY
+ 7200 RRSIG NSEC 5 2 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ K2wUxsJtWVpASeYbWyG58uK4DK8w+TRTSRiJ
+ aYtgUDjUGeUeNbHaT1FhfXl4xpNts/irmB6K
+ YDeVNvnB7piRPw== )
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAABw62oxcUQ8mF4T6zH+tAkM0FU3nXJ
+ 4sgnBSUa884gZL2AlG+t7FpwrRm/Hish/hxV
+ RzmM8q2srgLHBYAk12VkMQ==
+ ) ; key id = 60407
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAAB13b8+4oBaYaLYdDvH6fwVwDfohlz
+ GdSu5A9nO/wJ1taCB+4Twn3TSAtlttLmzYad
+ 5EbBUIn+4CLBKmc4sKn/cw==
+ ) ; key id = 25598
+ 14400 DNSKEY 257 3 5 (
+ BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
+ Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
+ z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH
+ z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R
+ 7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/
+ us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4
+ 8Mlp1+mUjQ==
+ ) ; key id = 37983
+ 14400 DNSKEY 257 3 5 (
+ BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4
+ LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx
+ 6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq
+ vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO
+ lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM
+ GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
+ K9bqDM8Euw==
+ ) ; key id = 47280
+ 14400 RRSIG DNSKEY 5 2 14400 20110215173931 (
+ 20110125173931 47280 example.de.
+ AiQOEpltQhIL1w1bnStthur44g28NqsYjUfV
+ BU5yNlEs84I+U3N2qpTC8dske08pwOikBCFG
+ Yao6Dglj4zi5dbFbp+ssErNWTOX1khHe8FvI
+ keq7lkbMDoOeiecJ5paN2/yV5gX3Vn0RZXJb
+ CQFVdrNLQ8gKdMga9YKw70n43MxdgkDJRIVo
+ gUxKkMaMo/g2KORJf4iOZPRvLfkwFb/QgTsx
+ Eg== )
+ 14400 RRSIG DNSKEY 5 2 14400 20110215173931 (
+ 20110125173931 60407 example.de.
+ iomqvy1Na7p8UHNl9U8hgHqg+BBe7lwPNMv7
+ Tur+g2ss3LYZkvkwZgdhP/MNQgF0BTrFIK/n
+ vjk+0gQ9RFqKbA== )
+localhost.example.de. 7200 IN A 127.0.0.1
+ 7200 RRSIG A 5 3 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ EzoKkOXLzlKf9rTaxofUW5uAmsaIZe2Jrf/R
+ FgPsnDvXDkGIeA54f+uw0+alWKb4gMgynJJ+
+ jjuF3d4TsoLC4A== )
+ 7200 NSEC ns1.example.de. A RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ BPjsJrlWAQNSqVOJ5hRb1iL8ABPdGID+qdYF
+ AWHYpZOsMg3TXsmOfsrZ8tzJ44Ag0FmHdWYr
+ cSaie8XqF3dndw== )
+ns1.example.de. 7200 IN A 1.0.0.5
+ 7200 RRSIG A 5 3 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ FZu2Oy/7txl4G47fh2gn/f0k4+9YqbdMaCoj
+ DK/5LCUjQIzK+YHMKnurZVmMSbvFCCCcKgUd
+ rBO1Kbc3ZFRUDg== )
+ 7200 AAAA 2001:db8::53
+ 7200 RRSIG AAAA 5 3 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ ckrkMyljZdlHRMzYceGk/Upzbmijw2bPrhda
+ 6y9l+yS/zOCYQ3qGfzLFDLUPeMDLEL5f7gxa
+ adKw2t8cu/BLnw== )
+ 7200 NSEC ns2.example.de. A AAAA RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ fZadcPS/Zhf+DKNupxsEZOSWm8mC1aimYHSi
+ 00zMJL5oZdUCXgsJYha69s8gtOn12K95doRw
+ 2AP6FArRosKy3Q== )
+ns2.example.de. 7200 IN A 1.2.0.6
+ 7200 RRSIG A 5 3 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ QXIJk7GcV6+LlGEtrClHCS2ddj/9fqtqKD9h
+ BfADqhMYLlVKjQe8grBdgOdbvvmAiSibdbJI
+ 4lFjh6EkXglPIg== )
+ 7200 NSEC sub.example.de. A RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ HbXCvcFWhQZwhPsyHxht7auAMyYrqOhhI3/Q
+ S+1jwao3ejHJRMdTWrTgyBAXMJpS1SeMnD9i
+ Dx7A5OvtVUoj7g== )
+sub.example.de. 7200 IN NS ns1.example.de.
+ 7200 DS 38331 5 1 (
+ 8F7E90EE2686DAE4D31CEE40142AD6A25670
+ B0A0 )
+ 7200 DS 38331 5 2 (
+ 7B791220D03926DC6D3531CD155EF1E2AB20
+ 2CE5955DF61079BEDD4867400707 )
+ 7200 RRSIG DS 5 3 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ GJcNtYbOxbVYA73qgH9bpPvrVIBbUqD0y/dX
+ ZAA1ZpXc3Kz7a4Dzr4fn20KiGF0/huYoo5vt
+ kU+GHU3wuUTtTQ== )
+ 7200 NSEC example.de. NS DS RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215173931 (
+ 20110125173931 60407 example.de.
+ LQT1mxY77PpPtpdrjZ5HAzxsQDar+6bsodd9
+ TWNvagqjzvfLTC5Lc5Jy63YmdVkZNmH0RCBP
+ ciRqPQYlvMx8rg== )
--- /dev/null
+; Be sure that the serial number below is left
+; justified in a field of at least 10 chars!!
+; 0123456789;
+; It's also possible to use the date form e.g. 2005040101
+@ IN SOA ns1.example.de. hostmaster.example.de. (
+ 267 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
--- /dev/null
+$ORIGIN .
+example.de 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
+ Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
+ z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH
+ z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R
+ 7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/
+ us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4
+ 8Mlp1+mUjQ==
+ ) ; key id = 37983
+ 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4
+ LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx
+ 6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq
+ vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO
+ lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM
+ GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
+ K9bqDM8Euw==
+ ) ; key id = 47280
--- /dev/null
+#
+# @(#) dnssec.conf T1.0rc1 (c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de
+#
+
+# dnssec-zkt options
+Zonedir: "."
+Recursive: True
+PrintTime: False
+PrintAge: True
+LeftJustify: False
+
+# zone specific values
+ResignInterval: 1w # (604800 seconds)
+Sigvalidity: 10d # (864000 seconds)
+Max_TTL: 6h # (21600 seconds)
+Propagation: 5m # (300 seconds)
+KEY_TTL: 1h # (3600 seconds)
+Serialformat: incremental
+
+# signing key parameters
+Key_Algo: RSASHA1 # (Algorithm ID 5)
+KSK_lifetime: 30d
+KSK_bits: 1300
+KSK_randfile: "/dev/urandom"
+ZSK_lifetime: 10d
+ZSK_bits: 512
+ZSK_randfile: "/dev/urandom"
+SaltBits: 24
+
+# dnssec-signer options
+LogFile: "log"
+LogLevel: INFO
+LogDomainDir: "log"
+SyslogFacility: USER
+SyslogLevel: NOTICE
+VerboseLog: 0
+Keyfile: "dnskey.db"
+Zonefile: "zone.db"
+KeySetDir: ".."
+DLV_Domain: ""
+Sig_Pseudorand: True
+Sig_GenerateDS: True
+Sig_DnsKeyKSK: True
+Sig_Parameter: ""
2010-04-01 01:05:48.848: notice: "example.de.": lifetime of zone signing key 39599 exceeded since 43m41s: ZSK rollover deferred: waiting for published key
2010-04-01 01:05:48.928: info: "example.de.": new key 9743 generated for publishing
2010-04-01 01:05:48.929: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-08-26 22:54:24.762: notice: "example.de.": lifetime of zone signing key 39599 exceeded: ZSK rollover done
+2010-08-26 22:54:24.837: info: "example.de.": new key 18539 generated for publishing
+2010-08-26 22:54:24.837: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-08-26 23:11:44.548: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-10-21 13:41:23.152: info: "example.de.": old ZSK 39599 removed
+2010-10-21 13:41:23.152: notice: "example.de.": lifetime of zone signing key 9743 exceeded: ZSK rollover done
+2010-10-21 13:41:23.152: notice: "example.de.": re-signing triggered: Modfied zone key set
+2011-01-25 10:13:58.477: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
2010-04-01 01:05:48.169: notice: "sub.example.de.": lifetime of zone signing key 63530 exceeded: ZSK rollover done
2010-04-01 01:05:48.650: info: "sub.example.de.": new key 40559 generated for publishing
2010-04-01 01:05:48.650: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-08-26 22:54:24.495: info: "sub.example.de.": kskrollover phase3: Remove old key 8544
+2010-08-26 22:54:24.495: info: "sub.example.de.": old ZSK 63530 removed
+2010-08-26 22:54:24.513: notice: "sub.example.de.": lifetime of zone signing key 7295 exceeded: ZSK rollover done
+2010-08-26 22:54:24.617: info: "sub.example.de.": new key 25007 generated for publishing
+2010-08-26 22:54:24.617: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-08-26 23:11:44.485: info: "sub.example.de.": kskrollover phase1: New key 38331 generated
+2010-08-26 23:11:44.485: info: "sub.example.de.": old ZSK 7295 removed
+2010-08-26 23:11:44.513: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-10-21 13:41:22.956: info: "sub.example.de.": kskrollover phase2: send new key 27861 to the parent zone
+2010-10-21 13:41:22.956: notice: "sub.example.de.": lifetime of zone signing key 40559 exceeded: ZSK rollover done
+2010-10-21 13:41:22.956: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-10-21 14:30:47.663: info: "sub.example.de.": old ZSK 40559 removed
+2010-10-21 14:30:47.663: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2011-01-25 10:15:57.334: notice: "sub.example.de.": re-signing triggered: Zone file edited
--- /dev/null
+/*****************************************************************
+**
+** #(@) named.conf (c) 6. May 2004 (hoz)
+**
+*****************************************************************/
+
+/*****************************************************************
+** logging options
+*****************************************************************/
+logging {
+ channel "named-log" {
+ file "/var/log/named" versions 3 size 2m;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
+ };
+ channel "resolver-log" {
+ file "/var/log/named";
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity debug 1;
+ };
+ channel "dnssec-log" {
+# file "/var/log/named-dnssec" ;
+ file "/var/log/named" ;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity debug 3;
+ };
+ category "dnssec" { "dnssec-log"; };
+ category "default" { "named-log"; };
+ category "resolver" { "resolver-log"; };
+ category "client" { "resolver-log"; };
+ category "queries" { "resolver-log"; };
+};
+
+/*****************************************************************
+** name server options
+*****************************************************************/
+options {
+ directory ".";
+
+ dump-file "/var/log/named_dump.db";
+ statistics-file "/var/log/named.stats";
+
+ listen-on-v6 { any; };
+
+ query-source address * port 53;
+ transfer-source * port 53;
+ notify-source * port 53;
+
+ recursion yes;
+ dnssec-enable yes;
+ edns-udp-size 4096;
+
+# dnssec-lookaside "." trust-anchor "trusted-keys.de.";
+
+ querylog yes;
+
+};
+
+/*****************************************************************
+** include shared secrets...
+*****************************************************************/
+/** for control sessions ... **/
+# include "rndc.key";
+controls {
+ inet 127.0.0.1
+ allow { localhost; }
+ keys { "rndc-key"; };
+ inet ::1
+ allow { localhost; }
+ keys { "rndc-key"; };
+};
+
+/*****************************************************************
+** ... and trusted_keys
+*****************************************************************/
+# include "trusted-keys.conf" ;
+
+/*****************************************************************
+** root server hints and required 127 stuff
+*****************************************************************/
+zone "." in {
+ type hint;
+ file "root.hint";
+};
+
+zone "localhost" in {
+ type master;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+};
+
+include "zone.conf";
--- /dev/null
+../zkt-ls.sh
\ No newline at end of file
--- /dev/null
+../zkt-signer.sh
\ No newline at end of file
--- /dev/null
+
+zone "example.de." in {
+ type master;
+ file "de/example.de/zone.db.signed";
+};
+
+zone "sub.example.de." in {
+ type master;
+ file "de/example.de/sub.example.de/zone.db.signed";
+};
--- /dev/null
+#
+# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
+#
+
+# dnssec-zkt options
+Zonedir: "extern"
+Recursive: True
+PrintTime: False
+PrintAge: True
+LeftJustify: False
+
+# zone specific values
+ResignInterval: 1w # (604800 seconds)
+Sigvalidity: 10d # (864000 seconds)
+Max_TTL: 8h # (28800 seconds)
+Propagation: 5m # (300 seconds)
+KEY_TTL: 1h # (3600 seconds)
+Serialformat: unixtime
+
+# signing key parameters
+KSK_lifetime: 1y # (31536000 seconds)
+KSK_algo: RSASHA1 # (Algorithm ID 5)
+KSK_bits: 1300
+KSK_randfile: "/dev/urandom"
+ZSK_lifetime: 30d # (2592000 seconds)
+ZSK_algo: RSASHA1 # (Algorithm ID 5)
+ZSK_bits: 512
+ZSK_randfile: "/dev/urandom"
+
+# dnssec-signer options
+LogFile: "zkt-ext.log"
+LogLevel: "debug"
+SyslogFacility: "none"
+SyslogLevel: "notice"
+VerboseLog: 2
+Keyfile: "dnskey.db"
+Zonefile: "zone.db"
+DLV_Domain: ""
+Sig_Pseudorand: True
--- /dev/null
+#
+# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
+#
+
+# dnssec-zkt options
+Zonedir: "intern"
+Recursive: True
+PrintTime: False
+PrintAge: True
+LeftJustify: False
+
+# zone specific values
+ResignInterval: 5h # (18000 seconds)
+Sigvalidity: 1d # (86400 seconds)
+Max_TTL: 30m # (1800 seconds)
+Propagation: 1m # (60 seconds)
+KEY_TTL: 30m # (1800 seconds)
+Serialformat: unixtime
+
+# signing key parameters
+KSK_lifetime: 1y # (31536000 seconds)
+KSK_algo: RSASHA1 # (Algorithm ID 5)
+KSK_bits: 1300
+KSK_randfile: "/dev/urandom"
+ZSK_lifetime: 30d # (2592000 seconds)
+ZSK_algo: RSASHA1 # (Algorithm ID 5)
+ZSK_bits: 512
+ZSK_randfile: "/dev/urandom"
+
+# dnssec-signer options
+LogFile: "zkt-int.log"
+LogLevel: "debug"
+SyslogFacility: "none"
+SyslogLevel: "notice"
+VerboseLog: 2
+Keyfile: "dnskey.db"
+Zonefile: "zone.db"
+DLV_Domain: ""
+Sig_Pseudorand: True
--- /dev/null
+#!/bin/sh
+#
+# Shell script to start the dnssec-signer
+# command out of the view directory
+#
+
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V extern "$@"
--- /dev/null
+#!/bin/sh
+#
+# Shell script to start the dnssec-signer
+# command out of the view directory
+#
+
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V intern "$@"
--- /dev/null
+#!/bin/sh
+#
+# Shell script to start the dnssec-zkt command
+# out of the view directory
+#
+
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view extern "$@"
--- /dev/null
+#!/bin/sh
+#
+# Shell script to start the dnssec-zkt command
+# out of the view directory
+#
+
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view intern "$@"
--- /dev/null
+;% generationtime=20110125091121
+;% lifetime=84d
+example.net. IN DNSKEY 256 3 5 BQEAAAABqSWPYNt6RitV7CJxyFXjIPeP6zSXtBki5cAiVVA3SdX0cBs6 gWttgt+wxEPMApn/ncgjqcUHTJEVHyd/TrL/Aw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: qSWPYNt6RitV7CJxyFXjIPeP6zSXtBki5cAiVVA3SdX0cBs6gWttgt+wxEPMApn/ncgjqcUHTJEVHyd/TrL/Aw==
+PublicExponent: AQAAAAE=
+PrivateExponent: ZcFZXvGGkc0uEOtIHBJaTdBpl/aTKs4xGhG/eOMinMPHbUPlL5R1KL/27O+KQnfs1xjwz48w5Xos8CoTG+1n0Q==
+Prime1: 1ho0OW0hJVUICO4jthhzFp2ETYke7vssfhq2oKrsjgk=
+Prime2: yj87c5Ewsksm+SsHsBQVC6Gd6P19Yu+ZY7dPeBvW56s=
+Exponent1: LwSIjbnndDmgi0pCo0CW95qvG1VEUniUQQmYmda/L7k=
+Exponent2: jsIwd0hy3NXOjUbXkeT25G/3QNQcXcIwHzupbZLpuh0=
+Coefficient: VRdfIjOr87SWcUBSP9wQGjD1GcCsV3OQ0u03QQwofmo=
--- /dev/null
+example.net. IN DNSKEY 257 3 5 BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnI ZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQ uwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2T u5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1 sQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: DEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1sQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: A3ZXTF8afjlxddgO/sDxotc0XLBMa3sNrXhCpdFzeDV1HszZbz1lP8rrZjA1wQgSo56DjiGRKTsHjAAm4xN1lGYKBZuVF4U3uiWie2PhJStt7kckNduKOfV9Nofow5Jh8I2lXKqcOJ8Qd+EJYIsajdBoGQ72PGGfDaHphbN/mW13n59PlilMF4RRRybcMA6jTAOfvIcv5Mes3+ADh0TktHdHQQ==
+Prime1: A+SKyrgtNzGVpAXPQysMQ9O/10B/+nhy6//1F5Epxihyuln+d2euh+TjVneojx4D2JUflDUSD5BQAdflDb+KiBXdQjBEmqfWwY+INwSQzv4M5Q==
+Prime2: AyXovkiIs7ywIRS6FfRolMMUeh3yeYNtCVAvLB6EC2MiNCzfkDOFB7rpmUkZR8HYUWuz1hQfR781RDO81Sp3RIpSyL7SwOqkpMZyaSgK/GKE3Q==
+Exponent1: D1vC405mkcUVfno92EuBXomRiOG7VeSyjwofgCpa0JKR6J2BThdCGrcVbq68ucIddn+cbkD8JsZB3k4aeDYFxm6d1En1Z2C1cVHrzCFi2zFV
+Exponent2: N+iliM1Qp3spcsR06kXImb/N4FosHrZkXtcbRIMWhV8NBcyqLDIfGlNluaiztv4rf6Kn2UyVeiGC822nqZHcW5PiXJnBEWs9AC4Di1QzZh0h
+Coefficient: AtZ4sYqGgyB5kfdcQBBlIkPbsRRNKrUVAsZkjabdZTQa+ox6tYnlVjh7BgPMHJlj/Z4VTRJ5rfAUPnB4ZwO/r1eAJLd+vxjJb9M7DaGMc+RqQA==
--- /dev/null
+;% generationtime=20101127101704
+;% lifetime=63d
+example.net. IN DNSKEY 256 3 5 BQEAAAABw6SqqsNvYqmiYNMlroODy8rMZdbo2Pe8ldEblO9qtxI5oR4i UeUW/q3rZgCTuZI+ymMiLmaFSF1DXsAyG0M03Q==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: w6SqqsNvYqmiYNMlroODy8rMZdbo2Pe8ldEblO9qtxI5oR4iUeUW/q3rZgCTuZI+ymMiLmaFSF1DXsAyG0M03Q==
+PublicExponent: AQAAAAE=
+PrivateExponent: lYq/wM8BLiaU+Ij/0JP6Csv8Pp/2WdNfsuCbLMU3IBJGimSxx7bvCLSZkDL5mV1E0HJqLrhb2l7GRr3PZKuWMQ==
+Prime1: 5KAIpenYhEVE2U3Wzb2Lwp67HgGM/kV46RrvKFOYe08=
+Prime2: 2xGmcIPYhuD7BKThg0/ldRhfapASbOw3RvSxY6GxkhM=
+Exponent1: X9Z0wkwNnnme2hvoyDMigAYoLZvhx0Tz2ivdw41izlc=
+Exponent2: VXrrgqEDOafxQ+jF6vhubWUdAsxz44nyXPHlwduJCtc=
+Coefficient: 0pIJlBNZWGPdhykMXN3rPnbZoXUeSecEkpGPLBdw5oE=
--- /dev/null
+;
+; !!! Don't edit this file by hand.
+; !!! It will be generated by zkt-signer.
+;
+; Last generation time Jan 25 2011 20:02:30
+;
+
+; *** List of Key Signing Keys ***
+; example.net. tag=23553 algo=RSASHA1 generated Jul 05 2010 09:43:02
+example.net. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnI
+ ZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQ
+ uwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2T
+ u5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1
+ sQ==
+ ) ; key id = 23553
+
+; *** List of Zone Signing Keys ***
+; example.net. tag=8885 algo=RSASHA1 generated Jan 25 2011 10:11:21
+example.net. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAABqSWPYNt6RitV7CJxyFXjIPeP6zSXtBki5cAiVVA3SdX0cBs6
+ gWttgt+wxEPMApn/ncgjqcUHTJEVHyd/TrL/Aw==
+ ) ; key id = 8885
+
+; example.net. tag=38930 algo=RSASHA1 generated Jan 25 2011 10:11:21
+example.net. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAABw6SqqsNvYqmiYNMlroODy8rMZdbo2Pe8ldEblO9qtxI5oR4i
+ UeUW/q3rZgCTuZI+ymMiLmaFSF1DXsAyG0M03Q==
+ ) ; key id = 38930
+
--- /dev/null
+example.net. IN DS 23553 5 1 A1A6D06CB84D619730F605AEF2A6DD4148DD9D5B
+example.net. IN DS 23553 5 2 B0DCAB8A32C230495CEC1FD61CEC03849450909CA6636FD9BC53D1B3 3B4F3A2D
--- /dev/null
+$ORIGIN .
+example.net 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOF
+ YGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+
+ pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN
+ 19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY
+ 9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqi
+ XF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM
+ 6DaiC6E1sQ==
+ ) ; key id = 23553
--- /dev/null
+;-----------------------------------------------------------------
+;
+; @(#) extern/example.net/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+@ IN SOA ns1.example.net. hostmaster.example.net. (
+ 0 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+ IN NS ns1.example.net.
+ IN NS ns2.example.net.
+
+ns1 IN A 1.0.0.5
+ IN AAAA 2001:db8::53
+ns2 IN A 1.2.0.6
+
+localhost IN A 127.0.0.1
+
+; Delegation to secure zone; The DS resource record will
+; be added by dnssec-signzone automatically if the
+; keyset-sub.example.net file is present (run dnssec-signzone
+; with option -g or use the dnssec-signer tool) ;-)
+sub IN NS ns1.example.net.
+
+; this file will have all the zone keys
+$INCLUDE dnskey.db
+
--- /dev/null
+; File written on Tue Jan 25 20:02:30 2011
+; dnssec_signzone version 9.7.2-P2
+example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
+ 1295982150 ; serial
+ 43200 ; refresh (12 hours)
+ 1800 ; retry (30 minutes)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 7200 RRSIG SOA 5 2 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ CIEzsLXkJjCehSXcubmncFE46Mdo6duV35FA
+ 83ynRO2fDHNGEMGcgc1JR0uNRPUs1AySfvMe
+ 64sN9M5jw7bs+g== )
+ 7200 NS ns1.example.net.
+ 7200 NS ns2.example.net.
+ 7200 RRSIG NS 5 2 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ WaUhQqPwY1IGpdo3gG5D7hJrnNsk0GnIXPKa
+ zw1WGnFj0vcwDxsiEsk9L1NSb/c1j+uPepon
+ GcCFU8lkAkPJwg== )
+ 7200 NSEC localhost.example.net. NS SOA RRSIG NSEC DNSKEY
+ 7200 RRSIG NSEC 5 2 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ wkdRRnjfyPQSFb5jju3cEPfVM5T6SlMteEe9
+ Vx09wy9b9aZIO6aT2Q83RUr/GIhkC7JeVPWi
+ c3SftwVD4IKF2Q== )
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAABqSWPYNt6RitV7CJxyFXjIPeP6zSX
+ tBki5cAiVVA3SdX0cBs6gWttgt+wxEPMApn/
+ ncgjqcUHTJEVHyd/TrL/Aw==
+ ) ; key id = 8885
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAABw6SqqsNvYqmiYNMlroODy8rMZdbo
+ 2Pe8ldEblO9qtxI5oR4iUeUW/q3rZgCTuZI+
+ ymMiLmaFSF1DXsAyG0M03Q==
+ ) ; key id = 38930
+ 14400 DNSKEY 257 3 5 (
+ BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOF
+ YGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+
+ pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN
+ 19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY
+ 9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqi
+ XF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM
+ 6DaiC6E1sQ==
+ ) ; key id = 23553
+ 14400 RRSIG DNSKEY 5 2 14400 20110215180230 (
+ 20110125180230 23553 example.net.
+ A44WHsFr4O7Rzuflm19mFBAu7e6asUF5hkzB
+ KjVkCkxH2NkIcTnDdzpxM/LzXMXyZGzxYQrI
+ AjStvUqfoDpaay+Jl87/IXd77Owbc762EF6U
+ Ew1NqHGG0UdO+os5STwPNT7UUi5i8HVVPglx
+ gpHti4RS6icrcsYMTeuf4yrffMr9xWlI/S2l
+ vu9b6maVqqAMds1dj9ZEDUWKLrylTngtc33R
+ BQ== )
+ 14400 RRSIG DNSKEY 5 2 14400 20110215180230 (
+ 20110125180230 38930 example.net.
+ P/9UIYie44cvptFvxgny+zKNDilIMUsswBkg
+ aEJVqCzUnbpA7x5xvzGhlilb38MRv9fvYEtr
+ AsBz1D2Uo3ZULQ== )
+localhost.example.net. 7200 IN A 127.0.0.1
+ 7200 RRSIG A 5 3 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ iM76gTURcaiYI2yrAIgVcJS1//ZfhCbcVU6o
+ +aeTvwHCyT4kes8uLluV5sS24MuR1fi+E9I3
+ AIeGM/7HdIIi/g== )
+ 7200 NSEC ns1.example.net. A RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ nEzM1RA6blYjp6PkXp5QPfJd1kWdcVwByMrM
+ LWWoLI70W9ilxuD3xHOFwmjWwjED/r+NH+53
+ DCjTN5DE/RtNkA== )
+ns1.example.net. 7200 IN A 1.0.0.5
+ 7200 RRSIG A 5 3 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ UmtBBwApnfVqXzj76BIVJtuajos1Qr8LfqaT
+ x0FMOrpjhg9p1JN25jUEIkexUmBqkvt9VEam
+ my5k3FrYQZpAcw== )
+ 7200 AAAA 2001:db8::53
+ 7200 RRSIG AAAA 5 3 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ dWIIV6h276aolyfUWyoup6svZygotNuZpUlE
+ LhXOr3MU2QgnEo8a1akuhMYf245B76VXd657
+ TBjQBuexeFt1ww== )
+ 7200 NSEC ns2.example.net. A AAAA RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ AjKEeI3cjcxi7DxYwr4cvAeycPNETAm+R74G
+ /k3Cr8WaPkenxX5n9Meb0rOJRur1RGe0LApr
+ PuFixxEFVo2EUg== )
+ns2.example.net. 7200 IN A 1.2.0.6
+ 7200 RRSIG A 5 3 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ NqBJpDCmIi/XcjCIl8YGbw0mpVnp8+kT81l3
+ wciY/V07AI1ucghehgMJIaG1ZSkPnPlllc5o
+ trsxvawJv/irEw== )
+ 7200 NSEC sub.example.net. A RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ NssXK84EXEa1XUWKD+7aeSJFtg3JNnq3J/Ox
+ ItxpbWdaCgqEqJ87oHNWYGic6POmWPc5P8LI
+ yLgte5CwMN8ufg== )
+sub.example.net. 7200 IN NS ns1.example.net.
+ 7200 NSEC example.net. NS RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215180230 (
+ 20110125180230 38930 example.net.
+ BslSne1rxv0Rkahw4vdoqh3vlVkiVOQsrsa1
+ 1ofMNaBxphwoTj8nkICePawKby4cTFX0kuRL
+ MiloJ6y9vkvC3Q== )
--- /dev/null
+$ORIGIN .
+example.net 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOF
+ YGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+
+ pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN
+ 19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY
+ 9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqi
+ XF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM
+ 6DaiC6E1sQ==
+ ) ; key id = 23553
--- /dev/null
+2008-06-12 17:59:04.194: notice: running as ../../dnssec-signer -V extern -v -v
+2008-06-12 17:59:04.195: debug: parsing zone "example.net." in dir "extern/example.net."
+2008-06-12 17:59:04.196: debug: Check RFC5011 status
+2008-06-12 17:59:04.196: debug: ->ksk5011status returns 0
+2008-06-12 17:59:04.196: debug: Check ksk status
+2008-06-12 17:59:04.196: debug: Re-signing not necessary!
+2008-06-12 17:59:04.196: notice: end of run: 0 errors occured
+2008-06-12 17:59:17.435: notice: running as ../../dnssec-signer -V extern -v -v
+2008-06-12 17:59:17.436: debug: parsing zone "example.net." in dir "extern/example.net."
+2008-06-12 17:59:17.436: debug: Check RFC5011 status
+2008-06-12 17:59:17.436: debug: ->ksk5011status returns 0
+2008-06-12 17:59:17.436: debug: Check ksk status
+2008-06-12 17:59:17.436: debug: Re-signing not necessary!
+2008-06-12 17:59:17.436: notice: end of run: 0 errors occured
+2008-06-12 18:00:07.818: notice: running as ../../dnssec-signer -V extern -v -v
+2008-06-12 18:00:07.819: debug: parsing zone "example.net." in dir "extern/example.net."
+2008-06-12 18:00:07.819: debug: Check RFC5011 status
+2008-06-12 18:00:07.819: debug: ->ksk5011status returns 0
+2008-06-12 18:00:07.819: debug: Check ksk status
+2008-06-12 18:00:07.819: debug: Re-signing not necessary!
+2008-06-12 18:00:07.819: notice: end of run: 0 errors occured
+2008-06-12 18:00:39.019: notice: running as ../../dnssec-signer -V extern -v -v
+2008-06-12 18:00:39.020: debug: parsing zone "example.net." in dir "extern/example.net."
+2008-06-12 18:00:39.020: debug: Check RFC5011 status
+2008-06-12 18:00:39.020: debug: ->ksk5011status returns 0
+2008-06-12 18:00:39.020: debug: Check ksk status
+2008-06-12 18:00:39.020: debug: Re-signing not necessary!
+2008-06-12 18:00:39.020: notice: end of run: 0 errors occured
+2008-10-03 01:00:45.544: notice: ------------------------------------------------------------
+2008-10-03 01:00:45.544: notice: running ../../dnssec-signer -V extern -v -v
+2008-10-03 01:00:45.545: debug: parsing zone "example.net" in dir "extern/example.net"
+2008-10-03 01:00:45.545: debug: Check RFC5011 status
+2008-10-03 01:00:45.545: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2008-10-03 01:00:45.545: debug: Check KSK status
+2008-10-03 01:00:45.545: debug: Check ZSK status
+2008-10-03 01:00:45.545: debug: Lifetime(2592000 +/-150 sec) of active key 35744 exceeded (5018328 sec)
+2008-10-03 01:00:45.546: debug: ->depreciate it
+2008-10-03 01:00:45.546: debug: ->activate published key 10367
+2008-10-03 01:00:45.546: notice: "example.net": lifetime of zone signing key 35744 exceeded: ZSK rollover done
+2008-10-03 01:00:45.546: debug: New key for publishing needed
+2008-10-03 01:00:45.614: debug: ->creating new key 14714
+2008-10-03 01:00:45.614: info: "example.net": new key 14714 generated for publishing
+2008-10-03 01:00:45.614: debug: Re-signing necessary: New zone key
+2008-10-03 01:00:45.614: notice: "example.net": re-signing triggered: New zone key
+2008-10-03 01:00:45.614: debug: Writing key file "extern/example.net/dnskey.db"
+2008-10-03 01:00:45.614: debug: Signing zone "example.net"
+2008-10-03 01:00:45.614: debug: Run cmd "cd extern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +864000 -N unixtime zone.db K*.private"
+2008-10-03 01:00:46.114: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2008-10-03 01:00:46.114: debug: Signing completed after 1s.
+2008-10-03 01:00:46.114: debug:
+2008-10-03 01:00:46.114: notice: end of run: 0 errors occured
--- /dev/null
+example.net. IN DNSKEY 257 3 5 BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3W ey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqI wF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9 +nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYq Lw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: C+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYqLw==
+PublicExponent: AQAAAAE=
+PrivateExponent: CF6/bss8OtQFdcjO6kJh9EamPFXAsaXFCdcYpHF55CU4H3jBuu7teLFEanvgm6M+wROYF0Yohiyb2aeSBdGLRIfTC9l3xfHD+XixuZVoNk6DqR1/8Wlxwu/a/hW9dq7pUXqDfTbzdZKR6SVRPa4MAdQ0p8aSF4S926NRqZC6E/anqhqNPSlBpxTs3TrRk+wY6u8wMXxPGNjJYoID8Y0Qau/H6Q==
+Prime1: A50B7etEtQCDudL8+KBxU1/2sVT3ORMfoZPsOe+ZLFrwcOO9Iyrr6saymuD4QvcIHECdLUM5rsT1JBo87wgvVysibco7oVLxlIfsTcbM70l2Kw==
+Prime2: A0n3+qM3ng3WAFzlpYRNUZpH/CW1pMq3nOHjx2olWwDxDZ4tAsUPKuW9n3kVZAR+4FkeUKn2ePR7xRtO3AzvA6QmZuZN6EHuLPlSKRufzeZ+DQ==
+Exponent1: Hk5KY5PiXs6pf8T8rSvVs6PJqDX491R01ZDdAIDYjmhIUHKWQ2STAlPEpSAGXi+oqOo4dD1eJWgw36hT0JakjXU4aIvPoSdmVPMs8aod0NUh
+Exponent2: AXKBZ5sYApCCj/0fGBTkmU6Zc89/ddQNrFm2lVLrwSTILHQWm/aXDvI+5icpF5kdrukVcNHUeCz1R/RTgeV4N9/qvr5YzbPWieqDNvpG1RcNRQ==
+Coefficient: BZxK+fKwUNWoJ5huBqLsi8UMWgrCMqAfXvge4+Y4n4IL0VCU1UUEXZQEEeiATh0g52CuetOMej6FZ4QKbNryWg036ZKl81ataMGtDX/i/yZG
--- /dev/null
+;% generationtime=20110125091121
+;% lifetime=84d
+example.net. IN DNSKEY 256 3 5 BQEAAAAB0WcmwbQoLbDFommP0H2zyiHXC1ekz3VMR+zl69pZZb5nLL/j 66zL43Op/UVNhNlmwqH10QVie/oJf/ag07n8Jw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 0WcmwbQoLbDFommP0H2zyiHXC1ekz3VMR+zl69pZZb5nLL/j66zL43Op/UVNhNlmwqH10QVie/oJf/ag07n8Jw==
+PublicExponent: AQAAAAE=
+PrivateExponent: jKRY6rToay8xyeGq5FZclg8nBubVeiu90mF5yKtUcCW1AEdiwAzyCkhhC+1I3jOgzuY6h8rKYs09HrGKap3/8Q==
+Prime1: 8mXlFt4dXw7fPEG/XutzjHcy0GZe9XJkTWm39fvVZ6s=
+Prime2: 3SdGMdlT+QzR5kfCkRJ6IT78B4yGeVXrXWgPDlmt0XU=
+Exponent1: oNNInlF/En5spkcgs3jG8Nu8HoNiqLnCc/XtHwKF6xc=
+Exponent2: M4FLC8tRFOF9LuCNcRYHmh6cSnZpWzQjcZ1uLvmsxp0=
+Coefficient: pXldDiEWVr7Z5BTFXunGzpXoX+cs+oW0qit/1uqGv84=
--- /dev/null
+;% generationtime=20101127101704
+;% lifetime=63d
+example.net. IN DNSKEY 256 3 5 BQEAAAABp57sZfLQTLH4pU1vFRNfxU7IKonyz/BcaNqh2jywFbz/EzPP jB0M4UOfR7iwChoqiFgatnKg02Qazs+MbD8uyw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: p57sZfLQTLH4pU1vFRNfxU7IKonyz/BcaNqh2jywFbz/EzPPjB0M4UOfR7iwChoqiFgatnKg02Qazs+MbD8uyw==
+PublicExponent: AQAAAAE=
+PrivateExponent: jGofatbQPs8FyTAJmAWZZF+XzHKd9jhSQaDzrjMBf23DwDuu/GnyF7AcASTdHhzDqPXWkPIulsPDqYsewdLVMQ==
+Prime1: 1VB6Wv92Rl/nEGuc9/P+Own4QLbsebgXceG7Eih0Fhk=
+Prime2: ySmvvq+Qmh1o7os/4x7BB5/qI0vi4yZqp+OycM3S4IM=
+Exponent1: jb0CEguKt/4oCHM5s/aLfSf5KGSNWrKew0CjNFprx8k=
+Exponent2: wcyaaYEfMDYy9Hrzka7/L29W97KH+qVm7wZrUfQWoC0=
+Coefficient: 0B7KgaK213Z/2VYJ/7hnCZGFlmHoJtYcwV790fwNilY=
--- /dev/null
+;
+; !!! Don't edit this file by hand.
+; !!! It will be generated by zkt-signer.
+;
+; Last generation time Jan 25 2011 20:02:30
+;
+
+; *** List of Key Signing Keys ***
+; example.net. tag=126 algo=RSASHA1 generated Jul 05 2010 09:43:02
+example.net. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3W
+ ey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqI
+ wF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9
+ +nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYq
+ Lw==
+ ) ; key id = 126
+
+; *** List of Zone Signing Keys ***
+; example.net. tag=57602 algo=RSASHA1 generated Jan 25 2011 10:11:21
+example.net. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAABp57sZfLQTLH4pU1vFRNfxU7IKonyz/BcaNqh2jywFbz/EzPP
+ jB0M4UOfR7iwChoqiFgatnKg02Qazs+MbD8uyw==
+ ) ; key id = 57602
+
+; example.net. tag=52235 algo=RSASHA1 generated Jan 25 2011 10:11:21
+example.net. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAAB0WcmwbQoLbDFommP0H2zyiHXC1ekz3VMR+zl69pZZb5nLL/j
+ 66zL43Op/UVNhNlmwqH10QVie/oJf/ag07n8Jw==
+ ) ; key id = 52235
+
--- /dev/null
+example.net. IN DS 126 5 1 D32161DCFCA120944CB9C0394CBED1389FDB72CA
+example.net. IN DS 126 5 2 351C6807B25E47223D7A6AA222291E8D7D7DDDA61D64CE839F937F22 47481FC9
--- /dev/null
+$ORIGIN .
+example.net 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7Pkk
+ gRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmI
+ uUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS
+ 5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4s
+ ot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE
+ 6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4Q
+ grOD6IYqLw==
+ ) ; key id = 126
--- /dev/null
+;-----------------------------------------------------------------
+;
+; @(#) intern/example.net/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+@ IN SOA ns1.example.net. hostmaster.example.net. (
+ 0 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+ IN NS ns1.example.net.
+ IN NS ns2.example.net.
+
+ns1 IN A 192.168.1.53
+ IN AAAA fd12:063c:cdbb::53
+ns2 IN A 10.1.2.3
+
+localhost IN A 127.0.0.1
+
+; Delegation to secure zone; The DS resource record will
+; be added by dnssec-signzone automatically if the
+; keyset-sub.example.net file is present (run dnssec-signzone
+; with option -g or use the dnssec-signer tool) ;-)
+sub IN NS ns1.example.net.
+
+; this file will have all the zone keys
+$INCLUDE dnskey.db
+
--- /dev/null
+; File written on Tue Jan 25 20:02:30 2011
+; dnssec_signzone version 9.7.2-P2
+example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
+ 1295982150 ; serial
+ 43200 ; refresh (12 hours)
+ 1800 ; retry (30 minutes)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 7200 RRSIG SOA 5 2 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ G+lTux2CtT0K4DoG9SDhvOHYHecTP+zQAFhx
+ 21fAFnHrV26q5OEL3XG2MqtFIBRzBVyWOQky
+ HjA0OrT2h0QMbQ== )
+ 7200 NS ns1.example.net.
+ 7200 NS ns2.example.net.
+ 7200 RRSIG NS 5 2 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ jWqP9xbY7F8AtNaHjKaLBKURY9MHkMdwlsv/
+ h6Ood+Dktz/Cc2WC6Ce4twTQSPp4fZtIsIfl
+ Y50zl5acgD3fcA== )
+ 7200 NSEC localhost.example.net. NS SOA RRSIG NSEC DNSKEY
+ 7200 RRSIG NSEC 5 2 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ lPfwTBz3QYn6NzJPnYzFuwqAskF9AjE65UFQ
+ aTqwZpQ+puYATzTMbe4Aa7x1fOzMoffZCADV
+ RwJhuqle8AED1w== )
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAABp57sZfLQTLH4pU1vFRNfxU7IKony
+ z/BcaNqh2jywFbz/EzPPjB0M4UOfR7iwChoq
+ iFgatnKg02Qazs+MbD8uyw==
+ ) ; key id = 57602
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAAB0WcmwbQoLbDFommP0H2zyiHXC1ek
+ z3VMR+zl69pZZb5nLL/j66zL43Op/UVNhNlm
+ wqH10QVie/oJf/ag07n8Jw==
+ ) ; key id = 52235
+ 14400 DNSKEY 257 3 5 (
+ BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7Pkk
+ gRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmI
+ uUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS
+ 5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4s
+ ot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE
+ 6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4Q
+ grOD6IYqLw==
+ ) ; key id = 126
+ 14400 RRSIG DNSKEY 5 2 14400 20110215180230 (
+ 20110125180230 126 example.net.
+ BZPPo0GqOxCxCzx78nwK4Qbwj9kAYTyo7mYB
+ 5wx53cGRn7gD26tw/l12w4Vp5Q4/UCvZ1QCf
+ pk0xJM4qkd1wfMXQtxmYL/95aHIbrfW4uyE8
+ UD7wMjD7ufDTGEc40unLunJ7FEXZ3iLTHdwL
+ J/moCVAPKq+jQznC0eIcqAoIrSSbTHK4QRZc
+ s9OLmfm0W3xPAPr14imqExL76r57sILcKFfC
+ jQ== )
+ 14400 RRSIG DNSKEY 5 2 14400 20110215180230 (
+ 20110125180230 57602 example.net.
+ c3xZnvGx3v6Ccjz+o9YbKCFPWDbD+i6Gw/IF
+ RlxpOD41xQxoDWnqZlmqPu/gc0afQ0IbuJen
+ BV6v2Q1tnSWtIQ== )
+localhost.example.net. 7200 IN A 127.0.0.1
+ 7200 RRSIG A 5 3 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ DqPVfZUI44qRqPnoTclRf9EKixcqpPv8/3vc
+ QK2Y6HAj3YBcmVFDD5T6L31mv5ay34psfUu7
+ hDJvYtCJFor/lw== )
+ 7200 NSEC ns1.example.net. A RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ E9k/RxN76Z2eFfHPJTdDcGz/TrthOQDihNoZ
+ k4bh858HkuPgXgfgdHJ2QL6xwS0oncP4JgqY
+ gKcmYxPyCqct5g== )
+ns1.example.net. 7200 IN A 192.168.1.53
+ 7200 RRSIG A 5 3 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ ku/0VTBFiNgLoBG9lWRvoJOzuyFUyOColXz2
+ ZTtmrZWLPpnFapDsEC2ZOkWhlzpysbuCnZeq
+ +Tn35JziKPaCnQ== )
+ 7200 AAAA fd12:63c:cdbb::53
+ 7200 RRSIG AAAA 5 3 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ ZepJB6jcivMqxfdR+B1qO8ZPsQrH6UmoLKN7
+ 3S4X3/UbFEYXbEb/RF6p9Fb7pHPjnSAQyob2
+ 2jBPrkol58C8hA== )
+ 7200 NSEC ns2.example.net. A AAAA RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ Rq2gPDo+xpndSV1TfK7AzWemTd3qtsKDFN+/
+ jjmUzilm/2R1E/X7eNpIaF9oOtzPggTms8MJ
+ dhb5HUcMpe1idQ== )
+ns2.example.net. 7200 IN A 10.1.2.3
+ 7200 RRSIG A 5 3 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ ArSVm6tZqguzW2eVycpq//OvjGjWAy2/nrpv
+ P2uvavxWKJVdqIIUg3Yyvb5W6h4qUa+u0br4
+ Yz213ghrj8exKg== )
+ 7200 NSEC sub.example.net. A RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ TCmdUAxSnk5oliX8/r9Z8odEHCtUOm87EAqK
+ 3JNlzlknuhYYvm7HaoEurXqdU4hMnU8h3LbW
+ W+Lus6YDeEyAtw== )
+sub.example.net. 7200 IN NS ns1.example.net.
+ 7200 NSEC example.net. NS RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20110215180230 (
+ 20110125180230 57602 example.net.
+ mlIuEvQU5KrqBbP/qoM+tAx+MilvdI5g4X/o
+ 2w42OZ563C9ki9Q4lxCMQ67BQRKmVLiPZDX9
+ U40oapBFIpDYTw== )
--- /dev/null
+$ORIGIN .
+example.net 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7Pkk
+ gRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmI
+ uUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS
+ 5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4s
+ ot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE
+ 6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4Q
+ grOD6IYqLw==
+ ) ; key id = 126
--- /dev/null
+2008-06-12 18:02:13.593: notice: running as ../../dnssec-signer -V intern -v -v
+2008-06-12 18:02:13.594: debug: parsing zone "example.net." in dir "intern/example.net."
+2008-06-12 18:02:13.594: debug: Check RFC5011 status
+2008-06-12 18:02:13.595: debug: ->ksk5011status returns 0
+2008-06-12 18:02:13.595: debug: Check ksk status
+2008-06-12 18:02:13.595: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727466 sec)
+2008-06-12 18:02:13.595: debug: ->waiting for pre-publish key
+2008-06-12 18:02:13.595: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h17m46s: ZSK rollover deferred: waiting for pre-publish key
+2008-06-12 18:02:13.595: debug: Re-signing necessary: Modified keys
+2008-06-12 18:02:13.595: notice: "example.net.": re-signing triggered: Modified keys
+2008-06-12 18:02:13.595: debug: Writing key file "intern/example.net./dnskey.db"
+2008-06-12 18:02:13.596: debug: Signing zone "example.net."
+2008-06-12 18:02:13.596: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
+2008-06-12 18:02:13.705: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2008-06-12 18:02:13.705: debug: Signing completed after 0s.
+2008-06-12 18:02:13.705: debug:
+2008-06-12 18:02:13.705: notice: end of run: 0 errors occured
+2008-06-12 18:03:13.208: notice: running as ../../dnssec-signer -V intern -r -v -v
+2008-06-12 18:03:13.209: debug: parsing zone "example.net." in dir "intern/example.net."
+2008-06-12 18:03:13.209: debug: Check RFC5011 status
+2008-06-12 18:03:13.209: debug: ->ksk5011status returns 0
+2008-06-12 18:03:13.209: debug: Check ksk status
+2008-06-12 18:03:13.209: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727526 sec)
+2008-06-12 18:03:13.209: debug: ->waiting for pre-publish key
+2008-06-12 18:03:13.209: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m46s: ZSK rollover deferred: waiting for pre-publish key
+2008-06-12 18:03:13.209: debug: Re-signing not necessary!
+2008-06-12 18:03:13.209: notice: end of run: 0 errors occured
+2008-06-12 18:03:19.287: notice: running as ../../dnssec-signer -V intern -r -v -v
+2008-06-12 18:03:19.288: debug: parsing zone "example.net." in dir "intern/example.net."
+2008-06-12 18:03:19.288: debug: Check RFC5011 status
+2008-06-12 18:03:19.289: debug: ->ksk5011status returns 0
+2008-06-12 18:03:19.289: debug: Check ksk status
+2008-06-12 18:03:19.289: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727532 sec)
+2008-06-12 18:03:19.289: debug: ->waiting for pre-publish key
+2008-06-12 18:03:19.289: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m52s: ZSK rollover deferred: waiting for pre-publish key
+2008-06-12 18:03:19.289: debug: Re-signing not necessary!
+2008-06-12 18:03:19.289: notice: end of run: 0 errors occured
+2008-06-12 18:03:23.617: notice: running as ../../dnssec-signer -V intern -f -r -v -v
+2008-06-12 18:03:23.618: debug: parsing zone "example.net." in dir "intern/example.net."
+2008-06-12 18:03:23.618: debug: Check RFC5011 status
+2008-06-12 18:03:23.618: debug: ->ksk5011status returns 0
+2008-06-12 18:03:23.618: debug: Check ksk status
+2008-06-12 18:03:23.618: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727536 sec)
+2008-06-12 18:03:23.618: debug: ->waiting for pre-publish key
+2008-06-12 18:03:23.618: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m56s: ZSK rollover deferred: waiting for pre-publish key
+2008-06-12 18:03:23.618: debug: Re-signing necessary: Option -f
+2008-06-12 18:03:23.618: notice: "example.net.": re-signing triggered: Option -f
+2008-06-12 18:03:23.618: debug: Writing key file "intern/example.net./dnskey.db"
+2008-06-12 18:03:23.619: debug: Signing zone "example.net."
+2008-06-12 18:03:23.619: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
+2008-06-12 18:03:23.719: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2008-06-12 18:03:23.719: debug: Signing completed after 0s.
+2008-06-12 18:03:23.720: notice: ""example.net." in view "intern"": reload triggered
+2008-06-12 18:03:23.772: debug:
+2008-06-12 18:03:23.772: notice: end of run: 0 errors occured
+2008-06-12 18:05:39.532: notice: running as ../../dnssec-signer -V intern -f -r -v -v
+2008-06-12 18:05:39.533: debug: parsing zone "example.net." in dir "intern/example.net."
+2008-06-12 18:05:39.533: debug: Check RFC5011 status
+2008-06-12 18:05:39.533: debug: ->ksk5011status returns 0
+2008-06-12 18:05:39.533: debug: Check ksk status
+2008-06-12 18:05:39.533: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727672 sec)
+2008-06-12 18:05:39.533: debug: ->waiting for pre-publish key
+2008-06-12 18:05:39.533: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h21m12s: ZSK rollover deferred: waiting for pre-publish key
+2008-06-12 18:05:39.533: debug: Re-signing necessary: Option -f
+2008-06-12 18:05:39.533: notice: "example.net.": re-signing triggered: Option -f
+2008-06-12 18:05:39.533: debug: Writing key file "intern/example.net./dnskey.db"
+2008-06-12 18:05:39.534: debug: Signing zone "example.net."
+2008-06-12 18:05:39.534: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
+2008-06-12 18:05:39.629: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2008-06-12 18:05:39.630: debug: Signing completed after 0s.
+2008-06-12 18:05:39.630: notice: ""example.net."": reload triggered
+2008-06-12 18:05:39.640: debug:
+2008-06-12 18:05:39.640: notice: end of run: 0 errors occured
+2008-06-12 18:07:47.753: notice: running as ../../dnssec-signer -V intern -f -r -v -v
+2008-06-12 18:07:47.754: debug: parsing zone "example.net." in dir "intern/example.net."
+2008-06-12 18:07:47.754: debug: Check RFC5011 status
+2008-06-12 18:07:47.754: debug: ->ksk5011status returns 0
+2008-06-12 18:07:47.754: debug: Check ksk status
+2008-06-12 18:07:47.754: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727800 sec)
+2008-06-12 18:07:47.754: debug: ->waiting for pre-publish key
+2008-06-12 18:07:47.754: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h23m20s: ZSK rollover deferred: waiting for pre-publish key
+2008-06-12 18:07:47.754: debug: Re-signing necessary: Option -f
+2008-06-12 18:07:47.754: notice: "example.net.": re-signing triggered: Option -f
+2008-06-12 18:07:47.754: debug: Writing key file "intern/example.net./dnskey.db"
+2008-06-12 18:07:47.754: debug: Signing zone "example.net."
+2008-06-12 18:07:47.754: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
+2008-06-12 18:07:47.856: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2008-06-12 18:07:47.856: debug: Signing completed after 0s.
+2008-06-12 18:07:47.856: notice: ""example.net."": reload triggered
+2008-06-12 18:07:47.866: debug:
+2008-06-12 18:07:47.867: notice: end of run: 0 errors occured
+2008-06-12 18:10:57.978: notice: running as ../../dnssec-signer -V intern -f -r -v -v
+2008-06-12 18:10:57.978: debug: parsing zone "example.net." in dir "intern/example.net."
+2008-06-12 18:10:57.978: debug: Check RFC5011 status
+2008-06-12 18:10:57.978: debug: ->ksk5011status returns 0
+2008-06-12 18:10:57.978: debug: Check ksk status
+2008-06-12 18:10:57.978: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727990 sec)
+2008-06-12 18:10:57.978: debug: ->waiting for pre-publish key
+2008-06-12 18:10:57.978: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h26m30s: ZSK rollover deferred: waiting for pre-publish key
+2008-06-12 18:10:57.978: debug: Re-signing necessary: Option -f
+2008-06-12 18:10:57.978: notice: "example.net.": re-signing triggered: Option -f
+2008-06-12 18:10:57.978: debug: Writing key file "intern/example.net./dnskey.db"
+2008-06-12 18:10:57.979: debug: Signing zone "example.net."
+2008-06-12 18:10:57.979: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
+2008-06-12 18:10:58.081: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2008-06-12 18:10:58.081: debug: Signing completed after 1s.
+2008-06-12 18:10:58.081: notice: ""example.net." in view "intern"": reload triggered
+2008-06-12 18:10:58.093: debug:
+2008-06-12 18:10:58.093: notice: end of run: 0 errors occured
+2008-06-12 18:13:29.511: notice: running as ../../dnssec-signer -V intern -f -r -v -v
+2008-06-12 18:13:29.512: debug: parsing zone "example.net." in dir "intern/example.net."
+2008-06-12 18:13:29.512: debug: Check RFC5011 status
+2008-06-12 18:13:29.512: debug: ->ksk5011status returns 0
+2008-06-12 18:13:29.512: debug: Check ksk status
+2008-06-12 18:13:29.512: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728142 sec)
+2008-06-12 18:13:29.512: debug: ->waiting for pre-publish key
+2008-06-12 18:13:29.512: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m2s: ZSK rollover deferred: waiting for pre-publish key
+2008-06-12 18:13:29.512: debug: Re-signing necessary: Option -f
+2008-06-12 18:13:29.512: notice: "example.net.": re-signing triggered: Option -f
+2008-06-12 18:13:29.512: debug: Writing key file "intern/example.net./dnskey.db"
+2008-06-12 18:13:29.513: debug: Signing zone "example.net."
+2008-06-12 18:13:29.513: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
+2008-06-12 18:13:29.612: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2008-06-12 18:13:29.612: debug: Signing completed after 0s.
+2008-06-12 18:13:29.612: notice: ""example.net." in view "intern"": reload triggered
+2008-06-12 18:13:29.612: debug: Reload zone "example.net." in view "intern"
+2008-06-12 18:13:29.612: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
+2008-06-12 18:13:29.623: debug:
+2008-06-12 18:13:29.623: notice: end of run: 0 errors occured
+2008-06-12 18:13:38.707: notice: running as ../../dnssec-signer -V intern -f -r -v
+2008-06-12 18:13:38.708: debug: parsing zone "example.net." in dir "intern/example.net."
+2008-06-12 18:13:38.709: debug: Check RFC5011 status
+2008-06-12 18:13:38.709: debug: ->ksk5011status returns 0
+2008-06-12 18:13:38.709: debug: Check ksk status
+2008-06-12 18:13:38.709: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728151 sec)
+2008-06-12 18:13:38.709: debug: ->waiting for pre-publish key
+2008-06-12 18:13:38.709: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m11s: ZSK rollover deferred: waiting for pre-publish key
+2008-06-12 18:13:38.709: debug: Re-signing necessary: Option -f
+2008-06-12 18:13:38.709: notice: "example.net.": re-signing triggered: Option -f
+2008-06-12 18:13:38.709: debug: Writing key file "intern/example.net./dnskey.db"
+2008-06-12 18:13:38.710: debug: Signing zone "example.net."
+2008-06-12 18:13:38.710: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
+2008-06-12 18:13:39.163: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2008-06-12 18:13:39.163: debug: Signing completed after 1s.
+2008-06-12 18:13:39.163: notice: ""example.net." in view "intern"": reload triggered
+2008-06-12 18:13:39.163: debug: Reload zone "example.net." in view "intern"
+2008-06-12 18:13:39.163: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
+2008-06-12 18:13:39.174: debug:
+2008-06-12 18:13:39.174: notice: end of run: 0 errors occured
+2008-06-12 18:13:43.163: notice: running as ../../dnssec-signer -V intern -f -r -v -v
+2008-06-12 18:13:43.164: debug: parsing zone "example.net." in dir "intern/example.net."
+2008-06-12 18:13:43.164: debug: Check RFC5011 status
+2008-06-12 18:13:43.164: debug: ->ksk5011status returns 0
+2008-06-12 18:13:43.164: debug: Check ksk status
+2008-06-12 18:13:43.164: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728156 sec)
+2008-06-12 18:13:43.164: debug: ->waiting for pre-publish key
+2008-06-12 18:13:43.164: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m16s: ZSK rollover deferred: waiting for pre-publish key
+2008-06-12 18:13:43.164: debug: Re-signing necessary: Option -f
+2008-06-12 18:13:43.164: notice: "example.net.": re-signing triggered: Option -f
+2008-06-12 18:13:43.164: debug: Writing key file "intern/example.net./dnskey.db"
+2008-06-12 18:13:43.164: debug: Signing zone "example.net."
+2008-06-12 18:13:43.164: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
+2008-06-12 18:13:43.262: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2008-06-12 18:13:43.262: debug: Signing completed after 0s.
+2008-06-12 18:13:43.262: notice: ""example.net." in view "intern"": reload triggered
+2008-06-12 18:13:43.262: debug: Reload zone "example.net." in view "intern"
+2008-06-12 18:13:43.262: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
+2008-06-12 18:13:43.273: debug:
+2008-06-12 18:13:43.273: notice: end of run: 0 errors occured
+2008-10-03 01:00:38.404: notice: ------------------------------------------------------------
+2008-10-03 01:00:38.404: notice: running ../../dnssec-signer -V intern
+2008-10-03 01:00:38.405: debug: parsing zone "example.net" in dir "intern/example.net"
+2008-10-03 01:00:38.405: debug: Check RFC5011 status
+2008-10-03 01:00:38.405: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2008-10-03 01:00:38.405: debug: Check KSK status
+2008-10-03 01:00:38.405: debug: Check ZSK status
+2008-10-03 01:00:38.405: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (5018321 sec)
+2008-10-03 01:00:38.405: debug: ->depreciate it
+2008-10-03 01:00:38.405: debug: ->activate published key 23375
+2008-10-03 01:00:38.405: notice: "example.net": lifetime of zone signing key 5972 exceeded: ZSK rollover done
+2008-10-03 01:00:38.405: debug: New key for publishing needed
+2008-10-03 01:00:38.491: debug: ->creating new key 55745
+2008-10-03 01:00:38.492: info: "example.net": new key 55745 generated for publishing
+2008-10-03 01:00:38.492: debug: Re-signing necessary: New zone key
+2008-10-03 01:00:38.492: notice: "example.net": re-signing triggered: New zone key
+2008-10-03 01:00:38.492: debug: Writing key file "intern/example.net/dnskey.db"
+2008-10-03 01:00:38.492: debug: Signing zone "example.net"
+2008-10-03 01:00:38.492: debug: Run cmd "cd intern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +86400 -N unixtime zone.db K*.private"
+2008-10-03 01:00:38.796: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2008-10-03 01:00:38.796: debug: Signing completed after 0s.
+2008-10-03 01:00:38.796: debug:
+2008-10-03 01:00:38.796: notice: end of run: 0 errors occured
--- /dev/null
+/*****************************************************************
+**
+** #(@) named.conf (c) 6. May 2004 (hoz)
+*****************************************************************/
+
+/*****************************************************************
+** logging options
+*****************************************************************/
+logging {
+ channel "named-log" {
+ file "named.log";
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
+ };
+ category "dnssec" { "named-log"; };
+ category "edns-disabled" { "named-log"; };
+ category "default" { "named-log"; };
+};
+
+/*****************************************************************
+** name server options
+*****************************************************************/
+options {
+ directory ".";
+
+ pid-file "named.pid";
+ listen-on-v6 port 1053 { any; };
+ listen-on port 1053 { any; };
+
+ empty-zones-enable no;
+
+ port 1053;
+ query-source address * port 1053;
+ query-source-v6 address * port 1053;
+ transfer-source * port 53;
+ transfer-source-v6 * port 53;
+ use-alt-transfer-source no;
+ notify-source * port 53;
+ notify-source-v6 * port 53;
+
+ recursion yes;
+ dnssec-enable yes;
+ dnssec-validation yes; /* required by BIND 9.4.0 */
+ dnssec-accept-expired false; /* added since BIND 9.5.0 */
+ edns-udp-size 1460; /* (M4) */
+ max-udp-size 1460; /* (M5) */
+
+ # allow-query { localhost; }; /* default in 9.4.0 */
+ # allow-query-cache { localhost; }; /* default in 9.4.0 */
+
+ dnssec-must-be-secure "." no;
+
+ querylog yes;
+
+ stats-server 127.0.0.1 port 8881; /* added since BIND 9.5.0 */
+};
+
+/*****************************************************************
+** view intern
+*****************************************************************/
+view "intern" {
+ match-clients { 127.0.0.1; ::1; };
+ recursion yes;
+ zone "." in {
+ type hint;
+ file "root.hint";
+ };
+
+ zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+ };
+
+ zone "example.net" in {
+ type master;
+ file "intern/example.net/zone.db.signed";
+ };
+};
+
+/*****************************************************************
+** view extern
+*****************************************************************/
+view "extern" {
+ match-clients { any; };
+ recursion no;
+ zone "." in {
+ type hint;
+ file "root.hint";
+ };
+
+ zone "example.net" in {
+ type master;
+ file "extern/example.net/zone.db.signed";
+ };
+};
--- /dev/null
+20-Nov-2007 17:12:58.092 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
+20-Nov-2007 17:12:58.092 general: critical: exiting (due to early fatal error)
+20-Nov-2007 17:20:24.941 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
+20-Nov-2007 17:20:24.941 general: critical: exiting (due to early fatal error)
+20-Nov-2007 17:28:22.686 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
+20-Nov-2007 17:28:22.686 general: critical: exiting (due to early fatal error)
+20-Nov-2007 17:40:12.389 general: error: zone 0.0.127.in-addr.arpa/IN/intern: loading from master file 127.0.0.zone failed: file not found
+20-Nov-2007 17:40:12.391 general: info: zone example.net/IN/intern: loaded serial 1195574789 (signed)
+20-Nov-2007 17:40:12.393 general: info: zone example.net/IN/extern: loaded serial 1195561217 (signed)
+20-Nov-2007 17:40:12.393 general: notice: running
+20-Nov-2007 17:40:12.393 notify: info: zone example.net/IN/intern: sending notifies (serial 1195574789)
+20-Nov-2007 17:40:12.394 notify: info: zone example.net/IN/extern: sending notifies (serial 1195561217)
+20-Nov-2007 19:07:04.016 general: info: shutting down
+20-Nov-2007 19:07:04.017 network: info: no longer listening on ::#1053
+20-Nov-2007 19:07:04.017 network: info: no longer listening on 127.0.0.1#1053
+20-Nov-2007 19:07:04.017 network: info: no longer listening on 145.253.100.51#1053
+20-Nov-2007 19:07:04.020 general: notice: exiting
--- /dev/null
+; <<>> DiG 9.5.0a6 <<>> ns . @a.root-servers.net
+;; global options: printcmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33355
+;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
+;; WARNING: recursion requested but not available
+
+;; QUESTION SECTION:
+;. IN NS
+
+;; ANSWER SECTION:
+. 518400 IN NS H.ROOT-SERVERS.NET.
+. 518400 IN NS I.ROOT-SERVERS.NET.
+. 518400 IN NS J.ROOT-SERVERS.NET.
+. 518400 IN NS K.ROOT-SERVERS.NET.
+. 518400 IN NS L.ROOT-SERVERS.NET.
+. 518400 IN NS M.ROOT-SERVERS.NET.
+. 518400 IN NS A.ROOT-SERVERS.NET.
+. 518400 IN NS B.ROOT-SERVERS.NET.
+. 518400 IN NS C.ROOT-SERVERS.NET.
+. 518400 IN NS D.ROOT-SERVERS.NET.
+. 518400 IN NS E.ROOT-SERVERS.NET.
+. 518400 IN NS F.ROOT-SERVERS.NET.
+. 518400 IN NS G.ROOT-SERVERS.NET.
+
+;; ADDITIONAL SECTION:
+A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
+B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
+C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
+D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
+E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
+F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
+G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
+H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
+I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
+J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
+K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
+L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42
+M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
+
+;; Query time: 114 msec
+;; SERVER: 198.41.0.4#53(198.41.0.4)
+;; WHEN: Mon Nov 5 07:28:00 2007
+;; MSG SIZE rcvd: 436
+
--- /dev/null
+
+
+ZKT_CONFFILE=dnssec.conf
+export ZKT_CONFFILE
+
+if true
+then
+ echo "All internal keys:"
+ ./dnssec-zkt-intern
+ echo
+
+ echo "All external keys:"
+ ./dnssec-zkt-extern
+ echo
+fi
+
+echo "Sign both views"
+./dnssec-signer-intern -v -v -f -r
+echo
+./dnssec-signer-extern -v -v
.TP
.BI \-R " keyid" ", \-\-revoke=" keyid
Revoke the key signing key with the given keyid.
-A revoked key has bit 8 in the flags filed set (see RFC5011).
+A revoked key has bit 8 in the flags field set (see RFC5011).
The keyid is the numeric keytag with an optionally added zone name separated by a colon.
.TP
.BI \-\-rename=" keyid
.fam T
Create a new key signing key for the zone "example.net".
Store the key in the same directory below "zonedir" where the other
-"example.net" keys live.
+"example.net" keys life.
.TP
.fam C
.B "zkt-keyman \-D 123245 \-r .
<!-- Creator : groff version 1.20.1 -->
-<!-- CreationDate: Tue Mar 23 23:47:31 2010 -->
+<!-- CreationDate: Sat Aug 28 01:15:12 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<i>keyid</i><b>, −−revoke=</b><i>keyid</i></p>
<p style="margin-left:22%;">Revoke the key signing key with
-the given keyid. A revoked key has bit 8 in the flags filed
+the given keyid. A revoked key has bit 8 in the flags field
set (see RFC5011). The keyid is the numeric keytag with an
optionally added zone name separated by a colon.</p>
<p style="margin-left:22%;">Create a new key signing key
for the zone "example.net". Store the key in the
same directory below "zonedir" where the other
-"example.net" keys live.</p>
+"example.net" keys life.</p>
<p style="margin-left:11%;"><b>zkt-keyman −D 123245
−r .</b></p>
.RI [{ keyfile | dir }
.RI "" ... ]
+.B zkt\-ls
+.B \-M
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-ls
+.B \-\-list-managedkeys
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
.B zkt\-ls
.B \-K
.RB [ \-V|--view
may be helpful to find the location of the keyfile in the directory tree.
.PP
Other forms of the command, print out keys in a format suitable for
-a trusted-key section
-.RB ( \-T )
+a trusted- or managed-key section
+.RB ( \-T or \-M )
or as a DNSKEY
.RB ( \-K )
resource record.
Also settable in the dnssec.conf file (Parameter: PrintTime).
.TP
.B \-h
-No header or trusted-key section header and trailer in -T mode
+No header or trusted-key resp. managed-key section header and trailer in \-T or \-M mode.
.SH COMMAND OPTIONS
.TP
<!-- Creator : groff version 1.20.1 -->
-<!-- CreationDate: Tue Mar 23 23:47:33 2010 -->
+<!-- CreationDate: Tue Aug 3 17:20:51 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<i>...</i>]</p>
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls
+−M</b> [<b>−V|--view</b> <i>view</i>]
+[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−dhrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt−ls −−list-managedkeys</b>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−dhrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+
<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls
−K</b> [<b>−V|--view</b> <i>view</i>]
[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
<p style="margin-left:11%; margin-top: 1em">Other forms of
the command, print out keys in a format suitable for a
-trusted-key section (<b>−T</b>) or as a DNSKEY
+trusted- or managed-key section
+(<b>−T</b>or<b>−M</b>) or as a DNSKEY
(<b>−K</b>) resource record.</p>
<h2>GENERAL OPTIONS
<td width="78%">
-<p>No header or trusted-key section header and trailer in
--T mode</p></td></tr>
+<p>No header or trusted-key resp. managed-key section
+header and trailer in −T or −M mode.</p></td></tr>
</table>
<h2>COMMAND OPTIONS
-.TH zkt-signer 8 "Feb 2, 2010" "ZKT 1.0" ""
+.TH zkt-signer 8 "Nov 27, 2010" "ZKT 1.1" ""
\" turn off hyphenation
.\" if n .nh
.nh
.SH SYNOPSYS
.na
.B zkt-signer
-.RB [ \-L|--logfile
+.RB [ \-L
.IR "file" ]
-.RB [ \-V|--view
+.RB [ \-V
.IR "view" ]
.RB [ \-c
.IR "file" ]
+.RB [ \-O
+.IR "optstr" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.RI "" ... ]
.br
.B zkt-signer
-.RB [ \-L|--logfile
+.RB [ \-L
.IR "file" ]
-.RB [ \-V|--view
+.RB [ \-V
.IR "view" ]
.RB [ \-c
.IR "file" ]
+.RB [ \-O
+.IR "optstr" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.RI "" ... ]
.br
.B zkt-signer
-.RB [ \-L|--logfile
+.RB [ \-L
.IR "file" ]
-.RB [ \-V|--view
+.RB [ \-V
.IR "view" ]
.RB [ \-c
.IR "file" ]
+.RB [ \-O
+.IR "optstr" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
Alternately you could link the executable file to a second name like
.I zkt-signer-viewname
and use that command to specify the name of the view.
+.br
All master zone statements will be scanned for filenames
ending with ".signed".
These zones will be checked if the necessary zone- and key signing keys
will be signed.
However, it is also possible to reduce the signing to those
zones given as arguments.
-.ig
-In directory mode the pre-requisite is, that the directory name is
-exactly (including the trailing dot) the same as the zone name.
-..
-.PP
-In the last form of the command, the functionality is more or less the same
-as the
-.I dnssec-signzone (8)
-command.
-The parameter specifies the zone file name and the option
-.B \-o
-takes the name of the zone.
-.PP
-If neither
-.B \-N
-nor
+.br
+If
.B \-D
+is ommitted (and neither
+.B \-N
nor
-.B \-o
-is given, then the default directory specified in the
+.BI \-o origin
+is specified) the default directory specified in the
.I dnssec.conf
file by the parameter
.I zonedir
will be used as top level directory.
+.ig
+In directory mode the pre-requisite is, that the directory name is
+exactly (including the trailing dot) the same as the zone name.
+..
.SH OPTIONS
.TP
.TP
.fam C
.B "zkt-signer \-\-config-option='ResignInterval 1d; Sigvalidity 28h; \e
-.B ZSK_lifetime 2d;' \-v \-v \-o example.net. zone.db
+.B ZSKlifetime 2d;' \-v \-v \-o example.net. zone.db
.fam T
.br
Sign the example.net zone but override some config file values with parameters
.RI ( zone.db ),
there is a signed zone file
.RI ( zone.db.signed),
-a minimum of four files containing the keying material,
+a minimum of four files containing the key material,
a file called
.I dnskey.db
with the current used keys,
extension
.IR .signed .
Create an empty file with the name
-.IB zonefile .signed
+.IB zone.db .signed
in the zone directory.
.TP
Include the keyfile in the zone.
left justified in a field of at least 10 spaces!
.if t \{\
.fam C
-.fi 0
+.\"fi 0
+.nf
@ IN SOA ns1.example.net. hostmaster.example.net. (
60 ; Serial
43200 ; Refresh
.\}
If you use BIND version 9.4 or later and
use the unixtime format for the serial number (which is the default since ZKT-1.0)
-than this is not necessary.
+this is not necessary.
See also the parameter Serialformat in
.IR dnssec.conf .
.TP
.SH ENVIRONMENT VARIABLES
.TP
ZKT_CONFFILE
-Specifies the name of the default global configuration files.
+Specifies the name of the default global configuration file.
.SH FILES
.TP
<!-- Creator : groff version 1.20.1 -->
-<!-- CreationDate: Tue Mar 23 23:47:33 2010 -->
+<!-- CreationDate: Sat Nov 27 20:13:08 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer</b>
-[<b>−L|--logfile</b> <i>file</i>]
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
+[<b>−L</b> <i>file</i>] [<b>−V</b> <i>view</i>]
+[<b>−c</b> <i>file</i>] [<b>−O</b>
+<i>optstr</i>] [<b>−fhnr</b>] [<b>−v</b>
[<b>−v</b>]] <b>−N</b> <i>named.conf</i>
[<i>zone ...</i>] <b><br>
-zkt-signer</b> [<b>−L|--logfile</b> <i>file</i>]
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
-[<b>−v</b>]] [<b>−D</b> <i>directory</i>]
-[<i>zone ...</i>] <b><br>
-zkt-signer</b> [<b>−L|--logfile</b> <i>file</i>]
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
-[<b>−v</b>]] <b>−o</b> <i>origin</i>
-[<i>zonefile</i>]</p>
+zkt-signer</b> [<b>−L</b> <i>file</i>]
+[<b>−V</b> <i>view</i>] [<b>−c</b> <i>file</i>]
+[<b>−O</b> <i>optstr</i>] [<b>−fhnr</b>]
+[<b>−v</b> [<b>−v</b>]] [<b>−D</b>
+<i>directory</i>] [<i>zone ...</i>] <b><br>
+zkt-signer</b> [<b>−L</b> <i>file</i>]
+[<b>−V</b> <i>view</i>] [<b>−c</b> <i>file</i>]
+[<b>−O</b> <i>optstr</i>] [<b>−fhnr</b>]
+[<b>−v</b> [<b>−v</b>]] <b>−o</b>
+<i>origin</i> [<i>zonefile</i>]</p>
<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
viewname to specify the name of the view. Alternately you
could link the executable file to a second name like
<i>zkt-signer-viewname</i> and use that command to specify
-the name of the view. All master zone statements will be
-scanned for filenames ending with ".signed". These
-zones will be checked if the necessary zone- and key signing
-keys are existent and fresh enough to be used in the signing
-process. If one or more out-dated keys are found, new keying
-material will be generated via the <i>dnssec-keygen(8)</i>
-command and the old keys will be marked as depreciated. So
-the command do anything needed for a zone key rollover as
-defined by [2].</p>
+the name of the view. <br>
+All master zone statements will be scanned for filenames
+ending with ".signed". These zones will be checked
+if the necessary zone- and key signing keys are existent and
+fresh enough to be used in the signing process. If one or
+more out-dated keys are found, new keying material will be
+generated via the <i>dnssec-keygen(8)</i> command and the
+old keys will be marked as depreciated. So the command do
+anything needed for a zone key rollover as defined by
+[2].</p>
<p style="margin-left:11%; margin-top: 1em">If the
resigning interval is reached or any new key must be
tree with the option <b>−D</b> <i>dir</i>. Every
secure zone found in a subdirectory below <i>dir</i> will be
signed. However, it is also possible to reduce the signing
-to those zones given as arguments.</p>
-
-<p style="margin-left:11%; margin-top: 1em">In the last
-form of the command, the functionality is more or less the
-same as the <i>dnssec-signzone (8)</i> command. The
-parameter specifies the zone file name and the option
-<b>−o</b> takes the name of the zone.</p>
-
-<p style="margin-left:11%; margin-top: 1em">If neither
-<b>−N</b> nor <b>−D</b> nor <b>−o</b> is
-given, then the default directory specified in the
-<i>dnssec.conf</i> file by the parameter <i>zonedir</i> will
-be used as top level directory.</p>
+to those zones given as arguments. <br>
+If <b>−D</b> is ommitted (and neither <b>−N</b>
+nor <b>−o</b><i>origin</i> is specified) the default
+directory specified in the <i>dnssec.conf</i> file by the
+parameter <i>zonedir</i> will be used as top level
+directory.</p>
<h2>OPTIONS
<a name="OPTIONS"></a>
−−config-option=’ResignInterval 1d;
Sigvalidity 28h; \</b></p>
-<p style="margin-left:22%;"><b>ZSK_lifetime 2d;’
+<p style="margin-left:22%;"><b>ZSKlifetime 2d;’
−v −v −o example.net. zone.db</b> <br>
Sign the example.net zone but override some config file
values with parameters given on the commandline.</p>
are many additional files needed to secure a zone. Besides
the zone file (<i>zone.db</i>), there is a signed zone file
(<i>zone.db.signed),</i> a minimum of four files containing
-the keying material, a file called <i>dnskey.db</i> with the
+the key material, a file called <i>dnskey.db</i> with the
current used keys, and the <i>dsset-</i> and
<i>keyset-</i>files created by the <i>dnssec-signzone(8)</i>
command. So in summary there is a minimum of nine files used
<p style="margin-left:22%;">The filename is the name of the
zone file with the extension <i>.signed</i>. Create an empty
-file with the name <i>zonefile</i><b>.signed</b> in the zone
+file with the name <i>zone.db</i><b>.signed</b> in the zone
directory.</p>
<p style="margin-left:11%;">Include the keyfile in the
** local function definition
*****************************************************************/
-static dki_t *genkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)
-{
- dki_t *dkp;
+static dki_t *genkey (int addkey, dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status);
- if ( listp == NULL || domain == NULL )
- return NULL;
-
- if ( ksk )
- dkp = dki_new (dir, domain, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
- else
- dkp = dki_new (dir, domain, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
- dki_add (listp, dkp);
- dki_setstatus (dkp, status);
+/* generate the first (or primary) key (algorithm k_algo) */
+static dki_t *genfirstkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)
+{
+ return genkey (0, listp, dir, domain, ksk, conf, status);
+}
- return dkp;
+/* generate the additional (or second) key (algorithm k2_algo) */
+static dki_t *genaddkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)
+{
+ return genkey (1, listp, dir, domain, ksk, conf, status);
}
-static dki_t *genkey2 (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)
+
+/* generate a DNSKEY key */
+static dki_t *genkey (int addkey, dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)
{
dki_t *dkp;
+ int confalgo;
+ int algo;
+#if 0
if ( listp == NULL || domain == NULL )
return NULL;
+#else
+ assert ( listp != NULL );
+ assert ( domain != NULL );
+#endif
+
+ if ( addkey ) /* generating an additional key ? */
+ confalgo = conf->k2_algo;
+ else
+ confalgo = conf->k_algo;
+
+ algo = confalgo;
+#if defined(BIND_VERSION) && BIND_VERSION >= 960
+ if ( conf->nsec3 != NSEC3_OFF ) /* is nsec3 turned on ? */
+ {
+ if ( confalgo == DK_ALGO_RSASHA1 )
+ algo = DK_ALGO_NSEC3RSASHA1;
+ else if ( confalgo == DK_ALGO_DSA )
+ algo = DK_ALGO_NSEC3DSA;
+ }
+#endif
if ( ksk )
- dkp = dki_new (dir, domain, DKI_KSK, conf->k2_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
+ dkp = dki_new (dir, domain, DKI_KSK, algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
else
- dkp = dki_new (dir, domain, DKI_ZSK, conf->k2_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
+ dkp = dki_new (dir, domain, DKI_ZSK, algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
dki_add (listp, dkp);
dki_setstatus (dkp, status);
return dkp;
}
+/* get expiration time */
static time_t get_exptime (dki_t *key, const zconf_t *z)
{
time_t exptime;
{
verbmesg (2, z, "\t\tkskrollover: create new key signing key\n");
/* create a new key: this is phase one of a double signing key rollover */
- ksk = genkey (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
+ ksk = genfirstkey (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
if ( ksk == NULL )
{
lg_mesg (LG_ERROR, "\"%s\": unable to generate new ksk for double signing rollover", zp->zone);
verbmesg (1, z, "\tLifetime of Key Signing Key %d exceeded (%s): Starting rfc5011 rollover!\n",
activekey->tag, str_delspace (age2str (dki_age (activekey, currtime))));
verbmesg (2, z, "\t\t=>Generating new standby key signing key\n");
- dkp = genkey (listp, dir, domain, DKI_KSK, z, DKI_PUBLISHED); /* gentime == now; lifetime = z->k_life; exp = 0 */
+ dkp = genfirstkey (listp, dir, domain, DKI_KSK, z, DKI_PUBLISHED); /* gentime == now; lifetime = z->k_life; exp = 0 */
if ( !dkp )
{
error ("\tcould not generate new standby KSK\n");
if ( akey == NULL )
{
verbmesg (1, z, "\tNo active KSK found: generate new one\n");
- akey = genkey (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
+ akey = genfirstkey (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
if ( !akey )
{
error ("\tcould not generate new KSK\n");
if ( akey == NULL )
{
verbmesg (1, z, "\tNo active KSK for additional algorithm found: generate new one\n");
- akey = genkey2 (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
+ akey = genaddkey (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
if ( !akey )
{
error ("\tcould not generate new KSK for additional algorithm\n");
if ( akey == NULL && lifetime > 0 ) /* no active key found */
{
verbmesg (1, z, "\tNo active ZSK found: generate new one\n");
- akey = genkey (listp, dir, domain, DKI_ZSK, z, DKI_ACTIVE);
- lg_mesg (LG_INFO, "\"%s\": generated new ZSK %d", domain, akey->tag);
+ akey = genfirstkey (listp, dir, domain, DKI_ZSK, z, DKI_ACTIVE);
+ if ( !akey )
+ {
+ error ("\tcould not generate new ZSK\n");
+ lg_mesg (LG_ERROR, "\%s\": can't generate new ZSK", domain);
+ }
+ else
+ lg_mesg (LG_INFO, "\"%s\": generated new ZSK %d", domain, akey->tag);
}
else /* active key exist */
{
}
}
}
- /* Should we add a new publish key? This is necessary if the active
- * key will be expired at the next re-signing interval (The published
- * time will be checked just before the active key will be removed.
- * See above).
- */
- nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'p', 1);
- if ( nextkey == NULL && lifetime > 0 && (akey == NULL ||
- dki_age (akey, currtime + z->resign) > lifetime - (OFFSET)) )
- {
- keychange = 1;
- verbmesg (1, z, "\tNew key for publishing needed\n");
- nextkey = genkey (listp, dir, domain, DKI_ZSK, z, DKI_PUB);
- if ( nextkey )
+ /* Should we add a new publish key? */
+ nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'p', 1); /* is there a published ZSK? */
+#if defined(ALLOW_ALWAYS_PREPUBLISH_ZSK) && ALLOW_ALWAYS_PREPUBLISH_ZSK
+ if ( z->z_always ) /* always add a pre-publish ZSK (patch from Hrant Dadivanyan) */
+ {
+ if ( nextkey == NULL )
{
- verbmesg (1, z, "\t\t->creating new key %d\n", nextkey->tag);
- lg_mesg (LG_INFO, "\"%s\": new key %d generated for publishing", domain, nextkey->tag);
+ verbmesg (1, z, "\tNew key for pre-publishing needed\n");
+ nextkey = genfirstkey (listp, dir, domain, DKI_ZSK, z, DKI_PUB);
+ if ( nextkey )
+ {
+ keychange = 1;
+ verbmesg (1, z, "\t\t->creating new key %d\n", nextkey->tag);
+ lg_mesg (LG_INFO, "\"%s\": new key %d generated for pre-publishing", domain, nextkey->tag);
+ }
+ else
+ {
+ error ("\tcould not generate new ZSK: \"%s\"\n", dki_geterrstr());
+ lg_mesg (LG_ERROR, "\"%s\": can't generate new ZSK: \"%s\"",
+ domain, dki_geterrstr());
+ }
}
- else
+ }
+ else /* do we need a new ZSK ? */
+#endif
+ {
+ /* This is necessary if the active key will be expired at the
+ * next re-signing interval (The published time will be checked
+ * just before the active key will be removed. See above).
+ */
+ if ( nextkey == NULL && lifetime > 0 && (akey == NULL ||
+ dki_age (akey, currtime + z->resign) > lifetime - (OFFSET)) )
{
- error ("\tcould not generate new ZSK: \"%s\"\n", dki_geterrstr());
- lg_mesg (LG_ERROR, "\"%s\": can't generate new ZSK: \"%s\"",
- domain, dki_geterrstr());
+ verbmesg (1, z, "\tNew ZSK for publishing needed\n");
+ nextkey = genfirstkey (listp, dir, domain, DKI_ZSK, z, DKI_PUB);
+ if ( nextkey )
+ {
+ keychange = 1;
+ verbmesg (1, z, "\t\t->creating new key %d\n", nextkey->tag);
+ lg_mesg (LG_INFO, "\"%s\": new zone signing key %d generated for publishing", domain, nextkey->tag);
+ }
+ else
+ {
+ error ("\tcould not generate new ZSK: \"%s\"\n", dki_geterrstr());
+ lg_mesg (LG_ERROR, "\"%s\": can't generate new ZSK: \"%s\"",
+ domain, dki_geterrstr());
+ }
}
}
if ( akey == NULL )
{
verbmesg (1, z, "\tNo active ZSK for second algorithm found: generate new one\n");
- akey = genkey2 (listp, dir, domain, DKI_ZSK, z, DKI_ACTIVE);
+ akey = genaddkey (listp, dir, domain, DKI_ZSK, z, DKI_ACTIVE);
if ( !akey )
{
error ("\tcould not generate new ZSK for 2nd algorithm\n");
# define OFFSET ((int) (2.5 * MINSEC))
# define PARENT_PROPAGATION (5 * MINSEC)
# define ADD_HOLD_DOWN (30 * DAYSEC)
-#if 0
# define REMOVE_HOLD_DOWN (30 * DAYSEC)
-#else
-# define REMOVE_HOLD_DOWN (10 * DAYSEC) /* reduced for testiing purposes */
-#endif
extern int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z);
extern int kskstatus (zone_t *zonelist, zone_t *zp);
# include <utime.h>
# include <assert.h>
#ifdef HAVE_CONFIG_H
-# include <config.h>
+# include "config.h"
#endif
# include "config_zkt.h"
# include "zconf.h"
** of at least 10 characters like this:
** <SPACEes or TABs> 1 ; Serial
**
+** Since ZKT 1.1.0 single line SOA records are also supported
+**
****************************************************************/
int inc_serial (const char *fname, int use_unixtime)
{
FILE *fp;
char buf[4095+1];
int error;
+ int serial_pos;
/**
since BIND 9.4, there is a dnssec-signzone option available for
return -1;
/* read until the line matches the beginning of a soa record ... */
- while ( fgets (buf, sizeof buf, fp) && !is_soa_rr (buf) )
- ;
+ while ( fgets (buf, sizeof buf, fp) )
+ {
+ dbg_val ("inc_serial() checking line for SOA RR \"%s\"\n", buf);
+ serial_pos = is_soa_rr (buf);
+ if ( serial_pos ) /* SOA record found ? */
+ break;
+ }
if ( feof (fp) )
{
fclose (fp);
return -2;
}
+ dbg_val ("serial_pos = %d\n", serial_pos);
+ if (serial_pos > 1 ) /* if we found a single line SOA RR */
+ fseek (fp, -(long)serial_pos, SEEK_CUR); /* go back to the beginning of the line */
error = inc_soa_serial (fp, use_unixtime); /* .. inc soa serial no ... */
+ dbg_val ("inc_soa_serial() returns %d\n", error);
- if ( fclose (fp) != 0 )
+ if ( fclose (fp) != 0 ) /* close the zone file in any case */
return -5;
return error;
}
+#if 0
/*****************************************************************
** check if line is the beginning of a SOA RR record, thus
** containing the string "IN .* SOA" and ends with a '('
assert ( line != NULL );
- if ( (p = strfindstr (line, "IN")) && strfindstr (p+2, "SOA") ) /* line contains "IN" and "SOA" */
+ /* line contains "IN" and "SOA" */
+ if ( (p = strfindstr (line, "IN")) && strfindstr (p+2, "SOA") )
{
p = line + strlen (line) - 1;
while ( p > line && isspace (*p) )
p--;
- if ( *p == '(' ) /* last character have to be a '(' to start a multi line record */
+ if ( *p == '(' ) /* last character must be a '(' to start a multi line record */
+ return 1;
+ }
+
+ return 0;
+}
+#else
+/*****************************************************************
+**
+** check if line is the beginning of a SOA RR record, thus
+** containing the string "IN .* SOA" and ends with a '('
+** (multiline record) or is a single line record.
+**
+** returns 1 if it is a multi line record (for compability to
+** the old function) or the position of the serial number
+** field counted from the end of the line
+**
+*****************************************************************/
+static int is_soa_rr (const char *line)
+{
+ const char *p;
+ const char *soa_p;
+
+ assert ( line != NULL );
+
+ /* line contains "IN" and "SOA" ? */
+ if ( (p = strfindstr (line, "IN")) && (soa_p = strfindstr (p+2, "SOA")) )
+ {
+ int len = strlen (line);
+
+ /* check for multiline record */
+ p = line + len - 1;
+ while ( p > line && isspace (*p) )
+ p--;
+ if ( *p == '(' ) /* last character must be a '(' to start a multi line record */
return 1;
+
+ /* line is single line record */
+ p = soa_p + 3; /* start just behind the SOA string */
+ dbg_val1 ("p = \"%s\"\n", p);
+ p += strspn (p, " \t"); /* skip white space */
+ p += strcspn (p, " \t"); /* skip primary master */
+ p += strspn (p, " \t"); /* skip white space */
+ p += strcspn (p, " \t"); /* skip mail address */
+ dbg_val1 ("p = \"%s\"\n", p);
+
+ dbg_val1 ("is_soa_rr returns = %d\n", (line+len) - p);
+ return (line+len) - p; /* position of serial nr from the end of the line */
}
return 0;
}
+#endif
/*****************************************************************
** Find string 'search' in 'str' and ignore case in comparison.
** inc_soa_serial (fp, use_unixtime)
** increment the soa serial number of the file 'fp'
** 'fp' must be opened "r+"
+** returns 0 on success or a negative value in case of an error
*****************************************************************/
static int inc_soa_serial (FILE *fp, int use_unixtime)
{
int digits;
ulong today;
- /* move forward until any non ws reached */
+ /* move forward until any non ws is reached */
while ( (c = getc (fp)) != EOF && isspace (c) )
;
ungetc (c, fp); /* push back the last char */
fseek (fp, pos, SEEK_SET); /* go back to the beginning */
fprintf (fp, "%-*lu", digits, serial); /* write as many chars as before */
- return 1; /* yep! */
+ return 0; /* yep! */
}
/*****************************************************************
now = serialtime (now);
printf ("now = %lu\n", now);
- if ( (err = inc_serial (argv[1], 0)) <= 0 )
+ if ( (err = inc_serial (argv[1], 0)) < 0 )
{
- error ("can't change serial errno=%d\n", err);
+ fprintf (stderr, "can't change serial no: errno=%d %s\n",
+ err, inc_errstr (err));
exit (1);
}
ISTRUE zconf.c 66;" d file:
KEYGEN_COMPMODE dki.c 231;" d file:
KEYGEN_COMPMODE dki.c 233;" d file:
-KEYSET_FILE_PFX zkt-signer.c 747;" d file:
+KEYSET_FILE_PFX zkt-signer.c 748;" d file:
KeyWords ncparse.c /^static struct KeyWords {$/;" s file:
MAXFNAME log.c 98;" d file:
-STRCONFIG_DELIMITER zconf.c 632;" d file:
+STRCONFIG_DELIMITER zconf.c 677;" d file:
TAINTEDCHARS misc.c 60;" d file:
TOK_DELEGATION ncparse.c 59;" d file:
TOK_DIR ncparse.c 49;" d file:
createkey zkt-keyman.c /^static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf)$/;" f file:
ctype_t zconf.c /^} ctype_t;$/;" t typeref:enum:__anon2 file:
def zconf.c /^static zconf_t def = {$/;" v file:
+desc zconf.c /^ const char *desc;$/;" m struct:__anon3 file:
dirflag zkt-keyman.c /^static int dirflag = 0;$/;" v file:
dirflag zkt-ls.c /^static int dirflag = 0;$/;" v file:
dirname zkt-signer.c /^static const char *dirname = NULL;$/;" v file:
dki_prt_dnskey dki.c /^int dki_prt_dnskey (const dki_t *dkp, FILE *fp)$/;" f
dki_prt_dnskey_raw dki.c /^int dki_prt_dnskey_raw (const dki_t *dkp, FILE *fp)$/;" f
dki_prt_dnskeyttl dki.c /^int dki_prt_dnskeyttl (const dki_t *dkp, FILE *fp, int ttl)$/;" f
+dki_prt_managedkey dki.c /^int dki_prt_managedkey (const dki_t *dkp, FILE *fp)$/;" f
dki_prt_trustedkey dki.c /^int dki_prt_trustedkey (const dki_t *dkp, FILE *fp)$/;" f
dki_read dki.c /^dki_t *dki_read (const char *dirname, const char *filename)$/;" f
dki_readdir dki.c /^int dki_readdir (const char *dir, dki_t **listp, int recursive)$/;" f
extern tcap.c 33;" d file:
extern zconf.c 61;" d file:
extern zconf.c 63;" d file:
-extern zfparse.c 58;" d file:
-extern zfparse.c 60;" d file:
+extern zfparse.c 51;" d file:
+extern zfparse.c 53;" d file:
extern zkt.c 49;" d file:
extern zkt.c 51;" d file:
extern zone.c 53;" d file:
first zconf.c 74;" d file:
force zkt-signer.c /^static int force = 0;$/;" v file:
freeconfig zconf.c /^zconf_t *freeconfig (zconf_t *conf)$/;" f
-genkey rollover.c /^static dki_t *genkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file:
-genkey2 rollover.c /^static dki_t *genkey2 (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file:
+genaddkey rollover.c /^static dki_t *genaddkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file:
+genfirstkey rollover.c /^static dki_t *genfirstkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file:
+genkey rollover.c /^static dki_t *genkey (int addkey, dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file:
gensalt misc.c /^int gensalt (char *salt, size_t saltsize, int saltbits, unsigned int seed)$/;" f
get_exptime rollover.c /^static time_t get_exptime (dki_t *key, const zconf_t *z)$/;" f file:
get_parent_phase rollover.c /^static int get_parent_phase (const char *file)$/;" f file:
kskrollover rollover.c /^static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)$/;" f file:
kskstatus rollover.c /^int kskstatus (zone_t *zonelist, zone_t *zp)$/;" f
kw ncparse.c /^} kw[] = {$/;" v typeref:struct:KeyWords file:
-label zconf.c /^ char *label; \/* the name of the paramter *\/$/;" m struct:__anon3 file:
+label zconf.c /^ char *label; \/* the name of the parameter *\/$/;" m struct:__anon3 file:
labellist zkt-keyman.c /^char *labellist = NULL;$/;" v
labellist zkt-ls.c /^char *labellist = NULL;$/;" v
last zconf.c 75;" d file:
linkfile misc.c /^int linkfile (const char *fromfile, const char *tofile)$/;" f
list_dnskey zkt.c /^static void list_dnskey (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
list_key zkt.c /^static void list_key (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
+list_managedkey zkt.c /^static void list_managedkey (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
list_trustedkey zkt.c /^static void list_trustedkey (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
ljustflag zkt-keyman.c /^int ljustflag = 0;$/;" v
ljustflag zkt-ls.c /^int ljustflag = 0;$/;" v
long_options zkt-keyman.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
long_options zkt-ls.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
long_options zkt-signer.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
-lopt_usage zkt-conf.c 306;" d file:
-lopt_usage zkt-conf.c 309;" d file:
+lopt_usage zkt-conf.c 319;" d file:
+lopt_usage zkt-conf.c 322;" d file:
lopt_usage zkt-keyman.c 334;" d file:
lopt_usage zkt-keyman.c 337;" d file:
-lopt_usage zkt-ls.c 314;" d file:
-lopt_usage zkt-ls.c 317;" d file:
-lopt_usage zkt-signer.c 341;" d file:
-lopt_usage zkt-signer.c 344;" d file:
-loptstr zkt-conf.c 307;" d file:
-loptstr zkt-conf.c 310;" d file:
+lopt_usage zkt-ls.c 325;" d file:
+lopt_usage zkt-ls.c 328;" d file:
+lopt_usage zkt-signer.c 342;" d file:
+lopt_usage zkt-signer.c 345;" d file:
+loptstr zkt-conf.c 320;" d file:
+loptstr zkt-conf.c 323;" d file:
loptstr zkt-keyman.c 335;" d file:
loptstr zkt-keyman.c 338;" d file:
-loptstr zkt-ls.c 315;" d file:
-loptstr zkt-ls.c 318;" d file:
-loptstr zkt-signer.c 342;" d file:
-loptstr zkt-signer.c 345;" d file:
+loptstr zkt-ls.c 326;" d file:
+loptstr zkt-ls.c 329;" d file:
+loptstr zkt-signer.c 343;" d file:
+loptstr zkt-signer.c 346;" d file:
main domaincmp.c /^main (int argc, char *argv[])$/;" f
main log.c /^int main (int argc, char *argv[])$/;" f
main misc.c /^main (int argc, char *argv[])$/;" f
main zkt-ls.c /^int main (int argc, char *argv[])$/;" f
main zkt-signer.c /^int main (int argc, char *const argv[])$/;" f
main zkt-soaserial.c /^int main (int argc, char *argv[])$/;" f
+managedkeyflag zkt-ls.c /^static int managedkeyflag = 0;$/;" v file:
maxcolor tcap.c /^static int maxcolor;$/;" v file:
name ncparse.c /^ char *name;$/;" m struct:KeyWords file:
namedconf zkt-signer.c /^static const char *namedconf = NULL;$/;" v file:
setminmax zfparse.c /^static void setminmax (long *pmin, long val, long *pmax)$/;" f file:
short_options zkt-conf.c 73;" d file:
short_options zkt-keyman.c 88;" d file:
-short_options zkt-ls.c 92;" d file:
-short_options zkt-ls.c 94;" d file:
+short_options zkt-ls.c 93;" d file:
+short_options zkt-ls.c 95;" d file:
short_options zkt-signer.c 68;" d file:
short_options zkt-signer.c 70;" d file:
sign_zone zkt-signer.c /^static int sign_zone (const zone_t *zp)$/;" f file:
skiplabel zfparse.c /^static const char *skiplabel (const char *s)$/;" f file:
skipws zfparse.c /^static const char *skipws (const char *s)$/;" f file:
-sopt_usage zkt-conf.c 304;" d file:
+sopt_usage zkt-conf.c 317;" d file:
sopt_usage zkt-keyman.c 332;" d file:
-sopt_usage zkt-ls.c 312;" d file:
-sopt_usage zkt-signer.c 339;" d file:
+sopt_usage zkt-ls.c 323;" d file:
+sopt_usage zkt-signer.c 340;" d file:
splitpath misc.c /^const char *splitpath (char *path, size_t psize, const char *filename)$/;" f
start_timer misc.c /^time_t start_timer ()$/;" f
stop_timer misc.c /^time_t stop_timer (time_t start)$/;" f
zconf_para_t zconf.c /^} zconf_para_t;$/;" t typeref:struct:__anon3 file:
zkt_list_dnskeys zkt.c /^void zkt_list_dnskeys (const dki_t *data)$/;" f
zkt_list_keys zkt.c /^void zkt_list_keys (const dki_t *data)$/;" f
+zkt_list_managedkeys zkt.c /^void zkt_list_managedkeys (const dki_t *data)$/;" f
zkt_list_trustedkeys zkt.c /^void zkt_list_trustedkeys (const dki_t *data)$/;" f
zkt_search zkt.c /^const dki_t *zkt_search (const dki_t *data, int searchtag, const char *keyname)$/;" f
zkt_setkeylifetime zkt.c /^void zkt_setkeylifetime (dki_t *data)$/;" f
**
** @(#) zconf.c -- configuration file parser for dnssec.conf
**
-** Most of the code is from the SixXS Heartbeat Client
+** The initial code of this module is from the SixXS Heartbeat Client
** written by Jeroen Massar <jeroen@sixxs.net>
**
** New config types and many code changes by Holger Zuleger
**
** Copyright (c) Aug 2005, Jeroen Massar.
-** Copyright (c) Aug 2005 - Apr 2010, Holger Zuleger.
+** Copyright (c) Aug 2005 - Nov 2010, Holger Zuleger.
** All rights reserved.
**
** This software is open source.
RESIGN_INT,
KEY_ALGO, ADDITIONAL_KEY_ALGO,
KSK_LIFETIME, KSK_BITS, KSK_RANDOM,
- ZSK_LIFETIME, ZSK_BITS, ZSK_RANDOM,
+ ZSK_LIFETIME, ZSK_BITS, ZSK_ALWAYS, ZSK_RANDOM,
NSEC3_OFF, SALTLEN,
NULL, /* viewname cmdline parameter */
0, /* noexec cmdline parameter */
};
typedef struct {
- char *label; /* the name of the paramter */
+ char *label; /* the name of the parameter */
short used_since; /* compability (from version; 0 == command line) */
short used_till; /* compability (to version) */
ctype_t type; /* the parameter type */
void *var; /* pointer to the parameter variable */
+ const char *desc;
const void *var2; /* pointer to a second parameter variable */
/* this is a ugly hack needed by cmpconfig () */
} zconf_para_t;
{ "", first, 99, CONF_COMMENT, "dnssec-zkt options" },
{ "", 100, last, CONF_COMMENT, "zkt-ls options" },
- { "ZoneDir", first, last, CONF_STRING, &def.zonedir },
- { "Recursive", first, last, CONF_BOOL, &def.recursive },
- { "PrintTime", first, last, CONF_BOOL, &def.printtime },
- { "PrintAge", first, last, CONF_BOOL, &def.printage },
- { "LeftJustify", first, last, CONF_BOOL, &def.ljust },
- { "lsColor", 100, last, CONF_STRING, &def.colorterm },
+ { "ZoneDir", first, last, CONF_STRING, &def.zonedir, "default zone file directory (also used by zkt-signer)"},
+ { "Recursive", first, last, CONF_BOOL, &def.recursive, "looking for keys down the directory tree?" },
+ { "PrintTime", first, last, CONF_BOOL, &def.printtime, "print absolute key generation time?" },
+ { "PrintAge", first, last, CONF_BOOL, &def.printage, "print relative key age?" },
+ { "LeftJustify", first, last, CONF_BOOL, &def.ljust, "zone name is printed left justified?" },
+ { "lsColor", 100, last, CONF_STRING, &def.colorterm, "terminal name (for coloring)" },
{ "", first, last, CONF_COMMENT, NULL },
{ "", first, last, CONF_COMMENT, "zone specific values" },
{ "", first, last, CONF_COMMENT, NULL },
{ "", first, last, CONF_COMMENT, "signing key parameters"},
- { "Key_Algo", 99, 100, CONF_ALGO, &def.k_algo }, /* now used as general KEY algoritjm (KSK & ZSK) */
- { "KeyAlgo", 101, last, CONF_ALGO, &def.k_algo }, /* now used as general KEY algoritjm (KSK & ZSK) */
+ { "Key_Algo", 99, 100, CONF_ALGO, &def.k_algo }, /* now used as general KEY algorithm (KSK & ZSK) */
+ { "KeyAlgo", 101, last, CONF_ALGO, &def.k_algo }, /* now used as general KEY algorithm (KSK & ZSK) */
{ "AddKey_Algo", 99, 100, CONF_ALGO, &def.k2_algo }, /* second key algorithm added (v0.99) */
{ "AddKeyAlgo", 101, last, CONF_ALGO, &def.k2_algo }, /* second key algorithm added (v0.99) */
{ "KSK_lifetime", first, 100, CONF_TIMEINT, &def.k_life },
{ "ZSK_algo", first, 98, CONF_ALGO, &def.k2_algo }, /* if someone using it already, map the algo to the additional key algorithm */
{ "ZSK_bits", first, 100, CONF_INT, &def.z_bits },
{ "ZSKbits", 101, last, CONF_INT, &def.z_bits },
+#if defined(ALLOW_ALWAYS_PREPUBLISH_ZSK) && ALLOW_ALWAYS_PREPUBLISH_ZSK
+ { "ZSKpermanent", 102, last, CONF_BOOL, &def.z_always, "Always add a pre-publish zone signing key?" },
+#endif
{ "ZSK_randfile", first, 100, CONF_STRING, &def.z_random },
{ "ZSKrandfile", 101, last, CONF_STRING, &def.z_random },
{ "NSEC3", 100, last, CONF_NSEC3, &def.nsec3 },
- { "SaltBits", 98, last, CONF_INT, &def.saltbits },
+ { "SaltBits", 98, last, CONF_INT, &def.saltbits, },
{ "", first, last, CONF_COMMENT, NULL },
{ "", first, 99, CONF_COMMENT, "dnssec-signer options"},
{ "DLV_Domain", first, 100, CONF_STRING, &def.lookaside },
{ "DLVdomain", 101, last, CONF_STRING, &def.lookaside },
{ "Sig_Randfile", first, 100, CONF_STRING, &def.sig_random },
- { "SigRandfile", 101, last, CONF_STRING, &def.sig_random },
+ { "SigRandfile", 101, last, CONF_STRING, &def.sig_random, "a file containing random data" },
{ "Sig_Pseudorand", first, 100, CONF_BOOL, &def.sig_pseudo },
- { "SigPseudorand", 101, last, CONF_BOOL, &def.sig_pseudo },
+ { "SigPseudorand", 101, last, CONF_BOOL, &def.sig_pseudo, "use pseudorandom data (faster but less secure)?" },
{ "Sig_GenerateDS", first, 100, CONF_BOOL, &def.sig_gends },
- { "SigGenerateDS", 101, last, CONF_BOOL, &def.sig_gends },
+ { "SigGenerateDS", 101, last, CONF_BOOL, &def.sig_gends, "update DS records based on child zone\' dsset-* files?" },
{ "Sig_DnsKeyKSK", 99, 100, CONF_BOOL, &def.sig_dnskeyksk },
- { "SigDnsKeyKSK", 101, last, CONF_BOOL, &def.sig_dnskeyksk },
+ { "SigDnsKeyKSK", 101, last, CONF_BOOL, &def.sig_dnskeyksk, "sign dns keyset with ksk only?" },
{ "Sig_Parameter", first, 100, CONF_STRING, &def.sig_param },
- { "SigParameter", 101, last, CONF_STRING, &def.sig_param },
+ { "SigParameter", 101, last, CONF_STRING, &def.sig_param, "additional dnssec-signzone parameter (if any)" },
{ "Distribute_Cmd", 97, 100, CONF_STRING, &def.dist_cmd },
{ "DistributeCmd", 101, last, CONF_STRING, &def.dist_cmd },
{ "NamedChrootDir", 99, last, CONF_STRING, &def.chroot_dir },
set_varptr ("resigninterval", &cp->resign, cp2 ? &cp2->resign: NULL);
set_varptr ("sigvalidity", &cp->sigvalidity, cp2 ? &cp2->sigvalidity: NULL);
set_varptr ("max_ttl", &cp->max_ttl, cp2 ? &cp2->max_ttl: NULL);
+ set_varptr ("maximumttl", &cp->max_ttl, cp2 ? &cp2->max_ttl: NULL);
set_varptr ("key_ttl", &cp->key_ttl, cp2 ? &cp2->key_ttl: NULL);
+ set_varptr ("dnskeyttl", &cp->key_ttl, cp2 ? &cp2->key_ttl: NULL);
set_varptr ("propagation", &cp->proptime, cp2 ? &cp2->proptime: NULL);
#if defined (DEF_TTL)
set_varptr ("def_ttl", &cp->def_ttl, cp2 ? &cp2->def_ttl: NULLl);
set_varptr ("serialformat", &cp->serialform, cp2 ? &cp2->serialform: NULL);
set_varptr ("key_algo", &cp->k_algo, cp2 ? &cp2->k_algo: NULL);
+ set_varptr ("keyalgo", &cp->k_algo, cp2 ? &cp2->k_algo: NULL);
set_varptr ("addkey_algo", &cp->k2_algo, cp2 ? &cp2->k2_algo: NULL);
+ set_varptr ("addkeyalgo", &cp->k2_algo, cp2 ? &cp2->k2_algo: NULL);
set_varptr ("ksk_lifetime", &cp->k_life, cp2 ? &cp2->k_life: NULL);
+ set_varptr ("ksklifetime", &cp->k_life, cp2 ? &cp2->k_life: NULL);
set_varptr ("ksk_algo", &cp->k_algo, cp2 ? &cp2->k_algo: NULL); /* used only in compability mode */
set_varptr ("ksk_bits", &cp->k_bits, cp2 ? &cp2->k_bits: NULL);
+ set_varptr ("kskbits", &cp->k_bits, cp2 ? &cp2->k_bits: NULL);
set_varptr ("ksk_randfile", &cp->k_random, cp2 ? &cp2->k_random: NULL);
+ set_varptr ("kskrandfile", &cp->k_random, cp2 ? &cp2->k_random: NULL);
set_varptr ("zsk_lifetime", &cp->z_life, cp2 ? &cp2->z_life: NULL);
+ set_varptr ("zsklifetime", &cp->z_life, cp2 ? &cp2->z_life: NULL);
// set_varptr ("zsk_algo", &cp->z_algo, cp2 ? &cp2->z_algo: NULL);
set_varptr ("zsk_algo", &cp->k2_algo, cp2 ? &cp2->k2_algo: NULL);
set_varptr ("zsk_bits", &cp->z_bits, cp2 ? &cp2->z_bits: NULL);
+ set_varptr ("zskbits", &cp->z_bits, cp2 ? &cp2->z_bits: NULL);
+#if defined(ALLOW_ALWAYS_PREPUBLISH_ZSK) && ALLOW_ALWAYS_PREPUBLISH_ZSK
+ set_varptr ("zskpermanent", &cp->z_always, cp2 ? &cp2->z_always: NULL);
+#endif
set_varptr ("zsk_randfile", &cp->z_random, cp2 ? &cp2->z_random: NULL);
+ set_varptr ("zskrandfile", &cp->z_random, cp2 ? &cp2->z_random: NULL);
set_varptr ("nsec3", &cp->nsec3, cp2 ? &cp2->nsec3: NULL);
set_varptr ("saltbits", &cp->saltbits, cp2 ? &cp2->saltbits: NULL);
set_varptr ("zonefile", &cp->zonefile, cp2 ? &cp2->zonefile: NULL);
set_varptr ("keysetdir", &cp->keysetdir, cp2 ? &cp2->keysetdir: NULL);
set_varptr ("dlv_domain", &cp->lookaside, cp2 ? &cp2->lookaside: NULL);
+ set_varptr ("dlvdomain", &cp->lookaside, cp2 ? &cp2->lookaside: NULL);
set_varptr ("sig_randfile", &cp->sig_random, cp2 ? &cp2->sig_random: NULL);
+ set_varptr ("sigrandfile", &cp->sig_random, cp2 ? &cp2->sig_random: NULL);
set_varptr ("sig_pseudorand", &cp->sig_pseudo, cp2 ? &cp2->sig_pseudo: NULL);
+ set_varptr ("sigpseudorand", &cp->sig_pseudo, cp2 ? &cp2->sig_pseudo: NULL);
set_varptr ("sig_generateds", &cp->sig_gends, cp2 ? &cp2->sig_gends: NULL);
+ set_varptr ("siggenerateds", &cp->sig_gends, cp2 ? &cp2->sig_gends: NULL);
set_varptr ("sig_dnskeyksk", &cp->sig_dnskeyksk, cp2 ? &cp2->sig_dnskeyksk: NULL);
+ set_varptr ("sigdnskeyksk", &cp->sig_dnskeyksk, cp2 ? &cp2->sig_dnskeyksk: NULL);
set_varptr ("sig_parameter", &cp->sig_param, cp2 ? &cp2->sig_param: NULL);
+ set_varptr ("sigparameter", &cp->sig_param, cp2 ? &cp2->sig_param: NULL);
set_varptr ("distribute_cmd", &cp->dist_cmd, cp2 ? &cp2->dist_cmd: NULL);
+ set_varptr ("distributecmd", &cp->dist_cmd, cp2 ? &cp2->dist_cmd: NULL);
set_varptr ("namedchrootdir", &cp->chroot_dir, cp2 ? &cp2->chroot_dir: NULL);
}
*((int *)c->var) = DK_ALGO_RSASHA256;
else if ( strcmp (val, "10") == 0 ||
strcasecmp (val, "rsasha5") == 0 ||
- strcasecmp (val, "rsasha212") == 0 ||
+ strcasecmp (val, "rsasha512") == 0 ||
strcasecmp (val, "nsec3rsasha5") == 0 ||
strcasecmp (val, "n3rsasha5") == 0 ||
strcasecmp (val, "nsec3rsasha512") == 0 ||
{
int i;
long lval;
+ int printnl;
assert (fp != NULL);
assert (cp != NULL);
+ printnl = 0;
switch ( cp->type )
{
case CONF_VERSION:
- fprintf (fp, "#\tZKT config file for version %d.%02d\n",
- compversion / 100, compversion % 100);
+ fprintf (fp, "#\tZKT config file for version %d.%d.%d\n",
+ compversion / 100,
+ (compversion / 10 ) % 10,
+ compversion % 10);
break;
case CONF_COMMENT:
if ( cp->var )
- fprintf (fp, "# %s\n", (char *)cp->var);
- else
- fprintf (fp, "\n");
+ fprintf (fp, "# %s", (char *)cp->var);
+ printnl = 1;
break;
case CONF_LEVEL:
case CONF_FACILITY:
fprintf (fp, "%s:\t", cp->label);
for ( p = *(char **)cp->var; *p; p++ )
putc (toupper (*p), fp);
- fprintf (fp, "\n");
+ // fprintf (fp, "\n");
}
else
fprintf (fp, "%s:\tNONE", cp->label);
}
+ if ( cp->type == CONF_LEVEL )
+ fprintf (fp, "\t\t# (NONE|DEBUG|INFO|NOTICE|WARNING|ERROR|FATAL)\n");
+ else
+ fprintf (fp, "\t\t# (NONE|USER|DAEMON|LOCAL[0-7])\n");
break;
case CONF_STRING:
if ( *(char **)cp->var )
- fprintf (fp, "%s:\t\"%s\"\n", cp->label, *(char **)cp->var);
+ printnl = fprintf (fp, "%s:\t\"%s\"", cp->label, *(char **)cp->var);
break;
case CONF_BOOL:
- fprintf (fp, "%s:\t%s\n", cp->label, bool2str ( *(int*)cp->var ));
+ fprintf (fp, "%s:\t%s", cp->label, bool2str ( *(int*)cp->var ));
+ printnl = 1;
break;
case CONF_TIMEINT:
lval = *(ulong*)cp->var; /* in that case it should be of type ulong */
fprintf (fp, "%s:\t%s", cp->label, timeint2str (lval));
if ( lval )
fprintf (fp, "\t\t# (%ld seconds)", lval);
- putc ('\n', fp);
+ printnl = 1;
break;
case CONF_ALGO:
i = *(int*)cp->var;
fprintf (fp, "\t\t# (On|Off|OptOut)\n");
break;
case CONF_INT:
- fprintf (fp, "%s:\t%d\n", cp->label, *(int *)cp->var);
+ fprintf (fp, "%s:\t%d", cp->label, *(int *)cp->var);
+ printnl = 1;
break;
case CONF_END:
/* NOTREACHED */
break;
}
+ if ( printnl )
+ {
+ if ( cp->desc )
+ {
+ if ( printnl < 20 )
+ putc ('\t', fp);
+ fprintf (fp, "\t# %s\n", cp->desc);
+ }
+ else
+ putc ('\n', fp);
+
+ }
}
/*****************************************************************
if ( iscmdline (cp) ) /* skip command line parameter */
continue;
+ if ( !iscompatible (cp) ) /* is parameter compatible to current version? */
+ continue;
+
+ if ( cp->type == CONF_VERSION || cp->type == CONF_END || cp->type == CONF_COMMENT )
+ continue;
+
+ dbg_val5 ("printconfigdiff: %d: %s %d %d %d\n", cp->type, cp->label,
+ compversion, cp->used_since, cp->used_till);
+ assert ( cp->var2 != NULL );
+
switch ( cp->type )
{
case CONF_VERSION:
max_ttl = z->sigvalidity;
ret = 0;
- if ( strcmp (z->k_random, "/dev/urandom") == 0 )
+ if ( z->k_random && strcmp (z->k_random, "/dev/urandom") == 0 )
ret = fprintf (stderr, "random device without enough entropie used for KSK generation \n");
- if ( strcmp (z->z_random, "/dev/urandom") == 0 )
+ if ( z->z_random && strcmp (z->z_random, "/dev/urandom") == 0 )
ret = fprintf (stderr, "random device without enough entropie used for ZSK generation\n");
+ if ( z->k_bits < 512 || z->z_bits < 512 )
+ ret = fprintf (stderr, "Algorithm requires a bit size of at least 512 \n");
+
+ if ( z->k_algo == DK_ALGO_RSASHA512 && ( z->k_bits < 1024 || z->z_bits < 1024 ) )
+ ret = fprintf (stderr, "Algorithm RSASHA 512 requires a bit size of at least 1024 \n");
+
if ( z->saltbits < 4 )
ret = fprintf (stderr, "Saltlength must be at least 4 bits\n");
if ( z->saltbits > 128 )
}
else
if ( max_ttl > z->sigvalidity/2 )
- ret = fprintf (stderr, "Max TTL (%ld) should be less or equal signature validity (%ld)\n",
+ ret = fprintf (stderr, "Max TTL (%ld) should be a few times smaller than the signature validity (%ld)\n",
max_ttl, z->sigvalidity);
// if ( z->resign > (z->sigvalidity*5/6) - (max_ttl + z->proptime) )
ret = fprintf (stderr, "signature lifetime (%ld) (%s)\n", z->sigvalidity, timeint2str(z->sigvalidity - max_ttl));
}
- if ( z->z_life > (12 * WEEKSEC) * (z->z_bits / 512.) )
+ if ( z->z_life > (24 * WEEKSEC) * (z->z_bits / 512.) )
{
fprintf (stderr, "Lifetime of zone signing key (%s) ", timeint2str (z->z_life));
fprintf (stderr, "seems a little bit high ");
fprintf (stderr, "Lifetime of key signing key (%s) ", timeint2str (z->k_life));
ret = fprintf (stderr, "should be greater than lifetime of zsk\n");
}
- if ( z->k_life > 0 && z->k_life > (26 * WEEKSEC) * (z->k_bits / 512.) )
+ if ( z->k_life > 0 && z->k_life > (52 * WEEKSEC) * (z->k_bits / 512.) )
{
fprintf (stderr, "Lifetime of key signing key (%s) ", timeint2str (z->k_life));
fprintf (stderr, "seems a little bit high ");
# define MONTH (DAY * 30)
# define YEAR (DAY * 365)
-# define SIG_VALID_DAYS (10) /* or 3 Weeks ? */
+# define SIG_VALID_DAYS (21) /* 3 Weeks */
# define SIG_VALIDITY (SIG_VALID_DAYS * DAYSEC)
# define MAX_TTL ( 8 * HOURSEC) /* default value of maximum ttl time */
# define KEY_TTL ( 4 * HOURSEC) /* default value of KEY TTL */
#endif
# define RESIGN_INT ((SIG_VALID_DAYS - (SIG_VALID_DAYS / 3)) * DAYSEC)
-# define KSK_LIFETIME (1 * YEARSEC)
-#if 0
+# define KSK_LIFETIME (2 * YEARSEC)
+#if 1
# define ZSK_LIFETIME ((SIG_VALID_DAYS * 3) * DAYSEC) /* set to three times the sig validity */
#else
-# if 0
-# define ZSK_LIFETIME ((MONTH * 3) * DAYSEC) /* set fixed to 3 month */
-# else
-# define ZSK_LIFETIME (12 * WEEKSEC) /* set fixed to 3 month */
-# endif
+# define ZSK_LIFETIME (12 * WEEKSEC) /* set fixed to 3 month */
#endif
/* # define KSK_ALGO (DK_ALGO_RSASHA1) KSK_ALGO renamed to KEY_ALGO (v0.99) */
# define KEY_ALGO (DK_ALGO_RSASHA1) /* general KEY_ALGO used for both ksk and zsk */
# define ADDITIONAL_KEY_ALGO 0
# define KSK_BITS (1300)
-# define KSK_RANDOM "/dev/urandom" /* was NULL before v0.94 */
+# define KSK_RANDOM NULL
/* # define ZSK_ALGO (DK_ALGO_RSASHA1) ZSK_ALGO has to be the same as KSK, so this is no longer used (v0.99) */
# define ZSK_BITS (512)
+# define ZSK_ALWAYS 0
# define ZSK_RANDOM "/dev/urandom"
# define NSEC3 0 /* by default nsec3 is off */
# define SALTLEN 24 /* salt length in bits (resolution is 4 bits)*/
+#if 0
# define ZONEDIR "."
+#else
+# define ZONEDIR CONFIG_PATH
+#endif
# define RECURSIVE 0
# define PRINTTIME 1
# define PRINTAGE 0
# define LJUST 0
# define LSCOLORTERM NULL /* or "" */
-# define KEYSETDIR NULL /* keysets */
+# define KEYSETDIR ".." /* keysets */
# define LOGFILE ""
# define LOGLEVEL "error"
# define LOGDOMAINDIR ""
long z_life;
/* int z_algo; no longer used; renamed to k2_algo (v0.99) */
int z_bits;
+ int z_always; /* always pre-publish zsk ? */
char *z_random;
nsec3_t nsec3; /* 0 == off; 1 == on; 2 == on with optout */
int saltbits;
# include <unistd.h> /* for link(), unlink() */
# include <ctype.h>
# include <assert.h>
-#if 0
-# include <sys/types.h>
-# include <sys/stat.h>
-# include <time.h>
-# include <utime.h>
-# include <errno.h>
-# include <fcntl.h>
-#endif
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
# include "config_zkt.h"
# include "zconf.h"
+# include "misc.h"
# include "log.h"
# include "debug.h"
#define extern
dbg_val4 ("parsezonefile (\"%s\", %ld, %ld, \"%s\")\n", file, *pminttl, *pmaxttl, keydbfile);
if ( (infp = fopen (file, "r")) == NULL )
+ {
+ error ("parsezonefile: couldn't open file \"%s\" for input\n", file);
return -1;
+ }
lnr = 0;
keydbfilefound = 0;
if ( keydbfile && strcmp (fname, keydbfile) == 0 )
keydbfilefound = 1;
else
- keydbfilefound = parsezonefile (fname, pminttl, pmaxttl, keydbfile);
+ {
+ int ret = parsezonefile (fname, pminttl, pmaxttl, keydbfile);
+ if ( ret ) /* keydb found or read error ? */
+ keydbfilefound = ret;
+ }
}
}
else if ( !isspace (*p) ) /* label ? */
int c;
int opt_index;
int action;
- int major;
- int minor;
+ int major = 0;
+ int minor = 0;
+ int revision = 0;
const char *file;
const char *defconfname = NULL;
const char *confname = NULL;
view = getnameappendix (progname, "zkt-conf");
defconfname = getdefconfname (view);
- dbg_val0 ("Load built in config \"%s\"\n");
+ dbg_val0 ("Load built in config\n");
config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
if ( fileexist (defconfname) ) /* load default config file */
opterr = 0;
opt_index = 0;
action = 0;
- setconfigversion (100);
+
+ /* set current config version based on ZKT version */
+ switch ( sscanf (ZKT_VERSION, "%d.%d.%d", &major, &minor, &revision) )
+ {
+ case 3: major = (major * 100) + (minor * 10) + revision; break;
+ case 2: major = (major * 100) + (minor * 10); break;
+ case 1: major = major * 100; break;
+ default:
+ usage ("illegal release number");
+ }
+ setconfigversion (major);
+
#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
#else
config = loadconfig_fromstr (optarg, config);
break;
case 'C':
- switch ( sscanf (optarg, "%d.%d", &major, &minor) )
+ switch ( sscanf (optarg, "%d.%d.%d", &major, &minor, &revision) )
{
- case 2: major = major * 100 + minor;
- case 1: break;
+ case 3: major = (major * 100) + (minor * 10) + revision; break;
+ case 2: major = (major * 100) + (minor * 10); break;
+ case 1: major = major * 100; break;
default:
usage ("illegal release number");
}
}
if ( minttl < (10 * MINSEC) )
- fprintf (stderr, "Min_TTL of %s (%ld seconds) is too low to use it in a signed zone (see RFC4641)\n",
+ fprintf (stderr, "MinimumTTL of %s (%ld seconds) is too low to use it in a signed zone (see RFC4641)\n",
timeint2str (minttl), minttl);
else
- fprintf (stderr, "Min_TTL:\t%s\t# (%ld seconds)\n", timeint2str (minttl), minttl);
- fprintf (stdout, "Max_TTL:\t%s\t# (%ld seconds)\n", timeint2str (maxttl), maxttl);
+ fprintf (stderr, "MinimumTTL:\t%s\t# (%ld seconds)\n", timeint2str (minttl), minttl);
+ fprintf (stdout, "MaximumTTL:\t%s\t# (%ld seconds)\n", timeint2str (maxttl), maxttl);
if ( writeflag )
{
dbg_val ("Load local config file \"%s\"\n", LOCALCONF_FILE);
config = loadconfig (LOCALCONF_FILE, config);
}
- setconfigpar (config, "Max_TTL", &maxttl);
+ setconfigpar (config, "MaximumTTL", &maxttl);
printconfigdiff (confname, refconfig, config);
}
}
static int dirflag = 0;
static int recflag = RECURSIVE;
static int trustedkeyflag = 0;
+static int managedkeyflag = 0;
static const char *view = "";
static const char *term = NULL;
#if defined(COLOR_MODE) && COLOR_MODE
-# define short_options ":HKTV:afC::c:O:dhkLl:prstez"
+# define short_options ":HKTMV:afC::c:O:dhkLl:prstez"
#else
-# define short_options ":HKTV:af:c:O:dhkLl:prstez"
+# define short_options ":HKTMV:af:c:O:dhkLl:prstez"
#endif
#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
static struct option long_options[] = {
{"list-dnskeys", no_argument, NULL, 'K'},
{"list-trustedkeys", no_argument, NULL, 'T'},
+ {"list-managedkeys", no_argument, NULL, 'M'},
{"ksk", no_argument, NULL, 'k'},
{"zsk", no_argument, NULL, 'z'},
{"age", no_argument, NULL, 'a'},
term = getenv ("TERM");
break;
#endif
+ case 'M':
+ managedkeyflag = 1;
+ subdomain_before_parent = 0;
+ zskflag = pathflag = 0;
+ action = c;
+ break;
case 'T':
trustedkeyflag = 1;
subdomain_before_parent = 0;
case 'T':
zkt_list_trustedkeys (data);
break;
+ case 'M':
+ zkt_list_managedkeys (data);
+ break;
default:
zkt_list_keys (data);
}
sopt_usage ("\tusage: %s -T [-dhrz] [-c config] [file|dir ...]\n", progname);
lopt_usage ("\tusage: %s --list-trustedkeys [-dhzr] [-c config] [file|dir ...]\n", progname);
fprintf (stderr, "\n");
+ fprintf (stderr, "List managed keys (output is suitable for managed-keys section)\n");
+ sopt_usage ("\tusage: %s -M [-dhrz] [-c config] [file|dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --list-managedkeys [-dhzr] [-c config] [file|dir ...]\n", progname);
+ fprintf (stderr, "\n");
fprintf (stderr, "General options \n");
fprintf (stderr, "\t-c file%s", loptstr (", --config=file\n", ""));
fprintf (stderr, "\t\t read config from <file> instead of %s\n", CONFIG_FILE);
fprintf (stderr, "\t-O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
fprintf (stderr, "\t\t read config options from commandline\n");
- fprintf (stderr, "\t-h%s\t no headline or trusted-key section header/trailer in -T mode\n", loptstr (", --nohead", "\t"));
+ fprintf (stderr, "\t-h%s\t no headline or trusted/managed-key section header/trailer in -T/-M mode\n", loptstr (", --nohead", "\t"));
fprintf (stderr, "\t-d%s\t skip directory arguments\n", loptstr (", --directory", "\t"));
fprintf (stderr, "\t-L%s\t print the domain name left justified (default: %s)\n", loptstr (", --leftjust", "\t"), ljustflag ? "on": "off");
fprintf (stderr, "\t-l list%s", loptstr (", --label=\"list\"\n\t", ""));
if ( lg_open (progname, config->syslogfacility, config->sysloglevel, config->zonedir, logfile, config->loglevel) < -1 )
fatal ("Couldn't open logfile %s in dir %s\n", logfile, config->zonedir);
-#if defined(DBG) && DBG
- for ( zp = zonelist; zp; zp = zp->next )
- zone_print ("in main: ", zp);
-#endif
lg_args (LG_NOTICE, argc, argv);
- /* 1.0rc1: If the ttl for dynamic zones is not known or if it is 0, use sig valid time for this */
+ /* 1.0rc1: If the ttl is 0 or not known because of dynamic zone signing, ... */
+ /* ... use sig valid time for this */
if ( config->max_ttl <= 0 || dynamic_zone )
{
// config = dupconfig (config);
free (dir);
}
- /* none of the above: read current directory tree */
+ /* none of the above: read default directory tree */
if ( zonelist == NULL )
parsedir (config->zonedir, &zonelist, config);
+#if defined(DBG) && DBG
+ for ( zp = zonelist; zp; zp = zp->next )
+ zone_print ("in main: ", zp);
+#endif
for ( zp = zonelist; zp; zp = zp->next )
if ( in_strarr (zp->zone, &argv[optind], argc - optind) )
{
if ( force )
snprintf (mesg, sizeof(mesg), "Option -f");
else if ( newkey )
- snprintf (mesg, sizeof(mesg), "Modfied zone key set");
+ snprintf (mesg, sizeof(mesg), "Modified zone key set");
else if ( newkeysetfile )
snprintf (mesg, sizeof(mesg), "Modified KSK in delegated domain");
else if ( file_mtime (path) > zfilesig_time )
}
/* at last, sign the zone file */
- if ( err > 0 )
+ if ( err >= 0 )
{
time_t timer;
}
}
}
+static void list_managedkey (const dki_t **nodep, const VISIT which, int depth)
+{
+ const dki_t *dkp;
+
+ if ( nodep == NULL )
+ return;
+
+ dkp = *nodep;
+ if ( which == INORDER || which == LEAF )
+ {
+// fprintf (stderr, "list_trustedkey order=%d(pre=0,in=1,post=2,leaf=3) depth=%d %s\n", which, depth, dkp->name);
+ if ( labellist && !isinlist (dkp->name, labellist) )
+ return;
+
+ if ( parent == NULL || !issubdomain (dkp->name, parent->name) )
+ {
+ const dki_t *dkp_head = NULL;
+ const dki_t *standby = NULL;
+
+ parent = dkp;
+
+ dkp_head = dkp;
+ /* look for a standby key */
+ for ( dkp = dkp_head; dkp; dkp = dkp->next )
+ if ( dki_isksk (dkp) && dki_ispublished (dkp) )
+ standby = dkp;
+
+ if ( !standby ) /* no standby key found ? */
+ return;
+
+ /* print all non-standby ksk */
+ for ( dkp = dkp_head; dkp; dkp = dkp->next )
+ if ( dki_isksk (dkp) && dkp != standby )
+ dki_prt_managedkey (dkp, stdout);
+ }
+ }
+}
# endif
#endif
printf ("};\n");
}
+void zkt_list_managedkeys (const dki_t *data)
+{
+
+ /* print headline if list is not empty */
+ if ( data && headerflag )
+ printf ("managed-keys {\n");
+
+#if defined(USE_TREE) && USE_TREE
+ twalk (data, list_managedkey);
+#else
+ for ( dkp = data; dkp; dkp = dkp->next ) /* loop through list */
+ if ( (dki_isksk (dkp) || zskflag) &&
+ (labellist == NULL || isinlist (dkp->name, labellist)) )
+ dki_prt_managedkey (dkp, stdout);
+#endif
+
+ /* print end of trusted-key section */
+ if ( data && headerflag )
+ printf ("};\n");
+}
+
#if defined(USE_TREE) && USE_TREE
static void list_dnskey (const dki_t **nodep, const VISIT which, int depth)
{
extern const dki_t *zkt_search (const dki_t *data, int searchtag, const char *keyname);
extern void zkt_list_keys (const dki_t *data);
extern void zkt_list_trustedkeys (const dki_t *data);
+extern void zkt_list_managedkeys (const dki_t *data);
extern void zkt_list_dnskeys (const dki_t *data);
extern void zkt_setkeylifetime (dki_t *data);
+++ /dev/null
-/*****************************************************************
-**
-** @(#) dnssec-zkt.c (c) Jan 2005 Holger Zuleger hznet.de
-**
-** Secure DNS zone key tool
-** A wrapper command around the BIND dnssec-keygen utility
-**
-** Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
-**
-** This software is open source.
-**
-** Redistribution and use in source and binary forms, with or without
-** modification, are permitted provided that the following conditions
-** are met:
-**
-** Redistributions of source code must retain the above copyright notice,
-** this list of conditions and the following disclaimer.
-**
-** Redistributions in binary form must reproduce the above copyright notice,
-** this list of conditions and the following disclaimer in the documentation
-** and/or other materials provided with the distribution.
-**
-** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
-** be used to endorse or promote products derived from this software without
-** specific prior written permission.
-**
-** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
-** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-** POSSIBILITY OF SUCH DAMAGE.
-**
-*****************************************************************/
-
-# include <stdio.h>
-# include <stdlib.h> /* abort(), exit(), ... */
-# include <string.h>
-# include <dirent.h>
-# include <assert.h>
-# include <unistd.h>
-# include <ctype.h>
-
-#ifdef HAVE_CONFIG_H
-# include <config.h>
-#endif
-# include "config_zkt.h"
-#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
-# include <getopt.h>
-#endif
-
-# include "debug.h"
-# include "misc.h"
-# include "strlist.h"
-# include "zconf.h"
-# include "dki.h"
-# include "zkt.h"
-
-extern int optopt;
-extern int opterr;
-extern int optind;
-extern char *optarg;
-const char *progname;
-
-char *labellist = NULL;
-
-int headerflag = 1;
-int ageflag = 0;
-int lifetime = 0;
-int lifetimeflag = 0;
-int timeflag = 1;
-int exptimeflag = 0;
-int pathflag = 0;
-int kskflag = 1;
-int zskflag = 1;
-int ljustflag = 0;
-
-static int dirflag = 0;
-static int recflag = RECURSIVE;
-static int trustedkeyflag = 0;
-static char *kskdomain = "";
-static const char *view = "";
-
-# define short_options ":0:1:2:3:9A:C:D:P:S:R:HKTs:ZV:afF:c:O:dhkLl:prtez"
-#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
-static struct option long_options[] = {
- {"ksk-rollover", no_argument, NULL, '9'},
- {"ksk-status", required_argument, NULL, '0'},
- {"ksk-roll-status", required_argument, NULL, '0'},
- {"ksk-newkey", required_argument, NULL, '1'},
- {"ksk-publish", required_argument, NULL, '2'},
- {"ksk-delkey", required_argument, NULL, '3'},
- {"ksk-roll-phase1", required_argument, NULL, '1'},
- {"ksk-roll-phase2", required_argument, NULL, '2'},
- {"ksk-roll-phase3", required_argument, NULL, '3'},
- {"list-dnskeys", no_argument, NULL, 'K'},
- {"list-trustedkeys", no_argument, NULL, 'T'},
- {"ksk", no_argument, NULL, 'k'},
- {"zsk", no_argument, NULL, 'z'},
- {"age", no_argument, NULL, 'a'},
- {"lifetime", no_argument, NULL, 'f'},
- {"time", no_argument, NULL, 't'},
- {"expire", no_argument, NULL, 'e'},
- {"recursive", no_argument, NULL, 'r'},
- {"zone-config", no_argument, NULL, 'Z'},
- {"leftjust", no_argument, NULL, 'L'},
- {"path", no_argument, NULL, 'p'},
- {"nohead", no_argument, NULL, 'h'},
- {"directory", no_argument, NULL, 'd'},
- {"config", required_argument, NULL, 'c'},
- {"option", required_argument, NULL, 'O'},
- {"config-option", required_argument, NULL, 'O'},
- {"published", required_argument, NULL, 'P'},
- {"standby", required_argument, NULL, 'S'},
- {"active", required_argument, NULL, 'A'},
- {"depreciated", required_argument, NULL, 'D'},
- {"create", required_argument, NULL, 'C'},
- {"revoke", required_argument, NULL, 'R'},
- {"remove", required_argument, NULL, 19 },
- {"destroy", required_argument, NULL, 20 },
- {"setlifetime", required_argument, NULL, 'F' },
- {"view", required_argument, NULL, 'V' },
- {"help", no_argument, NULL, 'H'},
- {0, 0, 0, 0}
-};
-#endif
-
-static int parsedirectory (const char *dir, dki_t **listp);
-static void parsefile (const char *file, dki_t **listp);
-static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf);
-static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf);
-static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp);
-static void usage (char *mesg, zconf_t *cp);
-static const char *parsetag (const char *str, int *tagp);
-
-static void setglobalflags (zconf_t *config)
-{
- recflag = config->recursive;
- ageflag = config->printage;
- timeflag = config->printtime;
- ljustflag = config->ljust;
-}
-
-int main (int argc, char *argv[])
-{
- dki_t *data = NULL;
- dki_t *dkp;
- int c;
- int opt_index;
- int action;
- const char *file;
- const char *defconfname = NULL;
- char *p;
- char str[254+1];
- const char *keyname = NULL;
- int searchtag;
- zconf_t *config;
-
- progname = *argv;
- if ( (p = strrchr (progname, '/')) )
- progname = ++p;
- view = getnameappendix (progname, "dnssec-zkt");
-
- defconfname = getdefconfname (view);
- config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
- if ( fileexist (defconfname) ) /* load default config file */
- config = loadconfig (defconfname, config);
- if ( config == NULL )
- fatal ("Out of memory\n");
- setglobalflags (config);
-
- opterr = 0;
- opt_index = 0;
- action = 0;
-#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
- while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
-#else
- while ( (c = getopt (argc, argv, short_options)) != -1 )
-#endif
- {
- switch ( c )
- {
- case '9': /* ksk rollover help */
- ksk_roll ("help", c - '0', NULL, NULL);
- exit (1);
- case '1': /* ksk rollover: create new key */
- case '2': /* ksk rollover: publish DS */
- case '3': /* ksk rollover: delete old key */
- case '0': /* ksk rollover: show current status */
- action = c;
- if ( !optarg )
- usage ("ksk rollover requires an domain argument", config);
- kskdomain = domain_canonicdup (optarg);
- break;
- case 'T':
- trustedkeyflag = 1;
- zskflag = pathflag = 0;
- /* fall through */
- case 'H':
- case 'K':
- case 'Z':
- action = c;
- break;
- case 'C':
- pathflag = !pathflag;
- /* fall through */
- case 'P':
- case 'S':
- case 'A':
- case 'D':
- case 'R':
- case 's':
- case 19:
- case 20:
- if ( (keyname = parsetag (optarg, &searchtag)) != NULL )
- keyname = domain_canonicdup (keyname);
- action = c;
- break;
- case 'a': /* age */
- ageflag = !ageflag;
- break;
- case 'f': /* key lifetime */
- lifetimeflag = !lifetimeflag;
- break;
- case 'F': /* set key lifetime */
- lifetime = atoi (optarg);
- lifetimeflag = 1; /* set some flags for more informative output */
- exptimeflag = 1;
- timeflag = 1;
- action = c;
- break;
- case 'V': /* view name */
- view = optarg;
- defconfname = getdefconfname (view);
- if ( fileexist (defconfname) ) /* load default config file */
- config = loadconfig (defconfname, config);
- if ( config == NULL )
- fatal ("Out of memory\n");
- setglobalflags (config);
- break;
- case 'c':
- config = loadconfig (optarg, config);
- setglobalflags (config);
- checkconfig (config);
- break;
- case 'O': /* read option from commandline */
- config = loadconfig_fromstr (optarg, config);
- setglobalflags (config);
- checkconfig (config);
- break;
- case 'd': /* ignore directory arg */
- dirflag = 1;
- break;
- case 'h': /* print no headline */
- headerflag = 0;
- break;
- case 'k': /* ksk only */
- zskflag = 0;
- break;
- case 'L': /* ljust */
- ljustflag = !ljustflag;
- break;
- case 'l': /* label list */
- labellist = prepstrlist (optarg, LISTDELIM);
- if ( labellist == NULL )
- fatal ("Out of memory\n");
- break;
- case 'p': /* print path */
- pathflag = 1;
- break;
- case 'r': /* switch recursive flag */
- recflag = !recflag;
- break;
- case 't': /* time */
- timeflag = !timeflag;
- break;
- case 'e': /* expire time */
- exptimeflag = !exptimeflag;
- break;
- case 'z': /* zsk only */
- kskflag = 0;
- break;
- case ':':
- snprintf (str, sizeof(str), "option \"-%c\" requires an argument.\n",
- optopt);
- usage (str, config);
- break;
- case '?':
- if ( isprint (optopt) )
- snprintf (str, sizeof(str), "Unknown option \"-%c\".\n",
- optopt);
- else
- snprintf (str, sizeof (str), "Unknown option char \\x%x.\n",
- optopt);
- usage (str, config);
- break;
- default:
- abort();
- }
- }
-
- /* it's better to do this before we read the whole directory tree */
- if ( action == 'Z' )
- {
- fprintf (stderr, "The use of -Z is deprecated. Please use zkt-conf instead\n");
- printconfig ("stdout", config);
- return 0;
- }
-
- if ( kskflag == 0 && zskflag == 0 )
- kskflag = zskflag = 1;
-
- c = optind;
- do {
- if ( c >= argc ) /* no args left */
- file = config->zonedir; /* use default directory */
- else
- file = argv[c++];
-
- if ( is_directory (file) )
- parsedirectory (file, &data);
- else
- parsefile (file, &data);
-
- } while ( c < argc ); /* for all arguments */
-
- switch ( action )
- {
- case 'H':
- usage ("", config);
- case 'C':
- createkey (keyname, data, config);
- break;
- case 'P':
- case 'S':
- case 'A':
- case 'D':
- if ( (dkp = (dki_t*)zkt_search (data, searchtag, keyname)) == NULL )
- fatal ("Key with tag %u not found\n", searchtag);
- else if ( dkp == (void *) 01 )
- fatal ("Key with tag %u found multiple times\n", searchtag);
- if ( (c = dki_setstatus_preservetime (dkp, action)) != 0 )
- fatal ("Couldn't change status of key %u: %d\n", searchtag, c);
- break;
- case 19: /* remove (rename) key file */
- if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
- fatal ("Key with tag %u not found\n", searchtag);
- else if ( dkp == (void *) 01 )
- fatal ("Key with tag %u found multiple times\n", searchtag);
- dki_remove (dkp);
- break;
- case 20: /* destroy the key (remove the files!) */
- if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
- fatal ("Key with tag %u not found\n", searchtag);
- else if ( dkp == (void *) 01 )
- fatal ("Key with tag %u found multiple times\n", searchtag);
- dki_destroy (dkp);
- break;
- case 'R':
- if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
- fatal ("Key with tag %u not found\n", searchtag);
- else if ( dkp == (void *) 01 )
- fatal ("Key with tag %u found multiple times\n", searchtag);
- if ( (c = dki_setstatus (dkp, action)) != 0 )
- fatal ("Couldn't change status of key %u: %d\n", searchtag, c);
- break;
- case 's':
- if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
- fatal ("Key with tag %u not found\n", searchtag);
- else if ( dkp == (void *) 01 )
- fatal ("Key with tag %u found multiple times\n", searchtag);
- dki_prt_dnskey (dkp, stdout);
- break;
- case 'K':
- zkt_list_dnskeys (data);
- break;
- case 'T':
- zkt_list_trustedkeys (data);
- break;
- case '1': /* ksk rollover new key */
- case '2': /* ksk rollover publish DS */
- case '3': /* ksk rollover delete old key */
- case '0': /* ksk rollover status */
- ksk_roll (kskdomain, action - '0', data, config);
- break;
- case 'F':
- zkt_setkeylifetime (data);
- /* fall through */
- default:
- zkt_list_keys (data);
- }
-
- return 0;
-}
-
-# define sopt_usage(mesg, value) fprintf (stderr, mesg, value)
-#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
-# define lopt_usage(mesg, value) fprintf (stderr, mesg, value)
-# define loptstr(lstr, sstr) lstr
-#else
-# define lopt_usage(mesg, value)
-# define loptstr(lstr, sstr) sstr
-#endif
-static void usage (char *mesg, zconf_t *cp)
-{
- fprintf (stderr, "Secure DNS Zone Key Tool %s\n", ZKT_VERSION);
- fprintf (stderr, "\n");
- fprintf (stderr, "Show zone config parameter as %s file\n", LOCALCONF_FILE);
- sopt_usage ("\tusage: %s -Z\n", progname);
- lopt_usage ("\tusage: %s --zone-config\n", progname);
- fprintf (stderr, "\n");
- fprintf (stderr, "List keys in current or given directory (-r for recursive mode)\n");
- sopt_usage ("\tusage: %s [-dhatkzpr] [-c config] [file|dir ...]\n", progname);
- fprintf (stderr, "\n");
- fprintf (stderr, "List public part of keys in DNSKEY RR format\n");
- sopt_usage ("\tusage: %s -K [-dhkzr] [-c config] [file|dir ...]\n", progname);
- lopt_usage ("\tusage: %s --list-dnskeys [-dhkzr] [-c config] [file|dir ...]\n", progname);
- fprintf (stderr, "\n");
- fprintf (stderr, "List keys (output is suitable for trusted-keys section)\n");
- sopt_usage ("\tusage: %s -T [-dhzr] [-c config] [file|dir ...]\n", progname);
- lopt_usage ("\tusage: %s --list-trustedkeys [-dhzr] [-c config] [file|dir ...]\n", progname);
- fprintf (stderr, "\n");
- fprintf (stderr, "Create a new key \n");
- sopt_usage ("\tusage: %s -C <name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
- lopt_usage ("\tusage: %s --create=<name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
- fprintf (stderr, "\t\tKSK (use -k): %s %d bits\n", dki_algo2str (cp->k_algo), cp->k_bits);
- fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->k_algo), cp->z_bits);
- fprintf (stderr, "\n");
- fprintf (stderr, "Change key status of specified key to published, active or depreciated\n");
- fprintf (stderr, "\t(<keyspec> := tag | tag:name) \n");
- sopt_usage ("\tusage: %s -P|-A|-D <keyspec> [-dr] [-c config] [dir ...]\n", progname);
- lopt_usage ("\tusage: %s --published=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
- lopt_usage ("\tusage: %s --active=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
- lopt_usage ("\tusage: %s --depreciated=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
- fprintf (stderr, "\n");
- fprintf (stderr, "Revoke specified key (<keyspec> := tag | tag:name) \n");
- sopt_usage ("\tusage: %s -R <keyspec> [-dr] [-c config] [dir ...]\n", progname);
- lopt_usage ("\tusage: %s --revoke=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
- fprintf (stderr, "\n");
- fprintf (stderr, "Remove (rename) or destroy (delete) specified key (<keyspec> := tag | tag:name) \n");
- lopt_usage ("\tusage: %s --remove=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
- lopt_usage ("\tusage: %s --destroy=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
- fprintf (stderr, "\n");
- fprintf (stderr, "Initiate a semi-automated KSK rollover");
- fprintf (stderr, "('%s -9%s' prints out a short description)\n", progname, loptstr ("|--ksk-rollover", ""));
- sopt_usage ("\tusage: %s {-1} do.ma.in.\n", progname);
- lopt_usage ("\tusage: %s {--ksk-roll-phase1|--ksk-newkey} do.ma.in.\n", progname);
- sopt_usage ("\tusage: %s {-2} do.ma.in.\n", progname);
- lopt_usage ("\tusage: %s {--ksk-roll-phase2|--ksk-publish} do.ma.in.\n", progname);
- sopt_usage ("\tusage: %s {-3} do.ma.in.\n", progname);
- lopt_usage ("\tusage: %s {--ksk-roll-phase3|--ksk-delkey} do.ma.in.\n", progname);
- sopt_usage ("\tusage: %s {-0} do.ma.in.\n", progname);
- lopt_usage ("\tusage: %s {--ksk-roll-status|--ksk-status} do.ma.in.\n", progname);
- fprintf (stderr, "\n");
-
- fprintf (stderr, "\n");
- fprintf (stderr, "General options \n");
- fprintf (stderr, "\t-c file%s", loptstr (", --config=file\n", ""));
- fprintf (stderr, "\t\t read config from <file> instead of %s\n", CONFIG_FILE);
- fprintf (stderr, "\t-O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
- fprintf (stderr, "\t\t read config options from commandline\n");
- fprintf (stderr, "\t-h%s\t no headline or trusted-key section header/trailer in -T mode\n", loptstr (", --nohead", "\t"));
- fprintf (stderr, "\t-d%s\t skip directory arguments\n", loptstr (", --directory", "\t"));
- fprintf (stderr, "\t-L%s\t print the domain name left justified (default: %s)\n", loptstr (", --leftjust", "\t"), ljustflag ? "on": "off");
- fprintf (stderr, "\t-l list\t\t print out only zone keys out of the given domain list\n");
- fprintf (stderr, "\t-p%s\t show path of keyfile / create key in current directory\n", loptstr (", --path", "\t"));
- fprintf (stderr, "\t-r%s\t recursive mode on/off (default: %s)\n", loptstr(", --recursive", "\t"), recflag ? "on": "off");
- fprintf (stderr, "\t-a%s\t print age of key (default: %s)\n", loptstr (", --age", "\t"), ageflag ? "on": "off");
- fprintf (stderr, "\t-t%s\t print key generation time (default: %s)\n", loptstr (", --time", "\t"),
- timeflag ? "on": "off");
- fprintf (stderr, "\t-e%s\t print key expiration time\n", loptstr (", --expire", "\t"));
- fprintf (stderr, "\t-f%s\t print key lifetime\n", loptstr (", --lifetime", "\t"));
- fprintf (stderr, "\t-F days%s=days\t set key lifetime\n", loptstr (", --setlifetime", "\t"));
- fprintf (stderr, "\t-k%s\t key signing keys only\n", loptstr (", --ksk", "\t"));
- fprintf (stderr, "\t-z%s\t zone signing keys only\n", loptstr (", --zsk", "\t"));
- if ( mesg && *mesg )
- fprintf (stderr, "%s\n", mesg);
- exit (1);
-}
-
-static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf)
-{
- const char *dir = "";
- dki_t *dkp;
-
- if ( keyname == NULL || *keyname == '\0' )
- fatal ("Create key: no keyname!");
-
- dbg_val2 ("createkey: keyname %s, pathflag = %d\n", keyname, pathflag);
- /* search for already existent key to get the directory name */
- if ( pathflag && (dkp = (dki_t *)zkt_search (list, 0, keyname)) != NULL )
- {
- char path[MAX_PATHSIZE+1];
- zconf_t localconf;
-
- dir = dkp->dname;
- pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
- if ( fileexist (path) ) /* load local config file */
- {
- dbg_val ("Load local config file \"%s\"\n", path);
- memcpy (&localconf, conf, sizeof (zconf_t));
- conf = loadconfig (path, &localconf);
- }
- }
-
- if ( zskflag )
- dkp = dki_new (dir, keyname, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
- else
- dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
- if ( dkp == NULL )
- fatal ("Can't create key %s: %s!\n", keyname, dki_geterrstr ());
-
- /* create a new key always in state published, which means "standby" for ksk */
- dki_setstatus (dkp, DKI_PUB);
-}
-
-static int get_parent_phase (const char *file)
-{
- FILE *fp;
- int phase;
-
- if ( (fp = fopen (file, "r")) == NULL )
- return -1;
-
- phase = 0;
- if ( fscanf (fp, "; KSK rollover phase%d", &phase) != 1 )
- phase = 0;
-
- fclose (fp);
- return phase;
-}
-
-static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)
-{
- char path[MAX_PATHSIZE+1];
- zconf_t localconf;
- const char *dir;
- dki_t *keylist;
- dki_t *dkp;
- dki_t *standby;
- int parent_exist;
- int parent_age;
- int parent_phase;
- int parent_propagation;
- int key_ttl;
- int ksk;
-
- if ( phase == 9 ) /* usage */
- {
- fprintf (stderr, "A KSK rollover requires three consecutive steps:\n");
- fprintf (stderr, "\n");
- fprintf (stderr, "-1%s", loptstr ("|--ksk-roll-phase1 (--ksk-newkey)\n", ""));
- fprintf (stderr, "\t Create a new KSK.\n");
- fprintf (stderr, "\t This step also creates a parent-<domain> file which contains only\n");
- fprintf (stderr, "\t the _old_ key. This file will be copied in hierarchical mode\n");
- fprintf (stderr, "\t by dnssec-signer to the parent directory as keyset-<domain> file.\n");
- fprintf (stderr, "\t Wait until the new keyset is propagated, before going to the next step.\n");
- fprintf (stderr, "\n");
- fprintf (stderr, "-2%s", loptstr ("|--ksk-roll-phase2 (--ksk-publish)\n", ""));
- fprintf (stderr, "\t This step creates a parent-<domain> file with the _new_ key only.\n");
- fprintf (stderr, "\t Please send this file immediately to the parent (In hierarchical\n");
- fprintf (stderr, "\t mode this will be done automatically by the dnssec-signer command).\n");
- fprintf (stderr, "\t Then wait until the new DS is generated by the parent and propagated\n");
- fprintf (stderr, "\t to all the parent name server, plus the old DS TTL before going to step three.\n");
- fprintf (stderr, "\n");
- fprintf (stderr, "-3%s", loptstr ("|--ksk-roll-phase3 (--ksk-delkey)\n", ""));
- fprintf (stderr, "\t Remove (rename) the old KSK and the parent-<domain> file.\n");
- fprintf (stderr, "\t You have to manually delete the old KSK (look at file names beginning\n");
- fprintf (stderr, "\t with an lower 'k').\n");
- fprintf (stderr, "\n");
- fprintf (stderr, "-0%s", loptstr ("|--ksk-roll-stat (--ksk-status)\n", ""));
- fprintf (stderr, "\t Show the current KSK rollover state of a domain.\n");
-
- fprintf (stderr, "\n");
-
- return;
- }
-
- if ( keyname == NULL || *keyname == '\0' )
- fatal ("ksk rollover: no domain!");
-
- dbg_val2 ("ksk_roll: keyname %s, phase = %d\n", keyname, phase);
-
- /* search for already existent key to get the directory name */
- if ( (keylist = (dki_t *)zkt_search (list, 0, keyname)) == NULL )
- fatal ("ksk rollover: domain %s not found!\n", keyname);
- dkp = keylist;
-
- /* try to read local config file */
- dir = dkp->dname;
- pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
- if ( fileexist (path) ) /* load local config file */
- {
- dbg_val ("Load local config file \"%s\"\n", path);
- memcpy (&localconf, conf, sizeof (zconf_t));
- conf = loadconfig (path, &localconf);
- }
- key_ttl = conf->key_ttl;
-
- /* check if parent-file already exist */
- pathname (path, sizeof (path), dir, "parent-", keyname);
- parent_phase = parent_age = 0;
- if ( (parent_exist = fileexist (path)) != 0 )
- {
- parent_phase = get_parent_phase (path);
- parent_age = file_age (path);
- }
- // parent_propagation = 2 * DAYSEC;
- parent_propagation = 5 * MINSEC;
-
- ksk = 0; /* count active(!) key signing keys */
- standby = NULL; /* find standby key if available */
- for ( dkp = keylist; dkp; dkp = dkp->next )
- if ( dki_isksk (dkp) )
- {
- if ( dki_status (dkp) == DKI_ACT )
- ksk++;
- else if ( dki_status (dkp) == DKI_PUB )
- standby = dkp;
- }
-
- switch ( phase )
- {
- case 0: /* print status (debug) */
- fprintf (stdout, "ksk_rollover:\n");
- fprintf (stdout, "\t domain = %s\n", keyname);
- fprintf (stdout, "\t phase = %d\n", parent_phase);
- fprintf (stdout, "\t parent_file %s %s\n", path, parent_exist ? "exist": "not exist");
- if ( parent_exist )
- fprintf (stdout, "\t age of parent_file %d %s\n", parent_age, str_delspace (age2str (parent_age)));
- fprintf (stdout, "\t # of active key signing keys %d\n", ksk);
- fprintf (stdout, "\t parent_propagation %d %s\n", parent_propagation, str_delspace (age2str (parent_propagation)));
- fprintf (stdout, "\t keys ttl %d %s\n", key_ttl, age2str (key_ttl));
-
- for ( dkp = keylist; dkp; dkp = dkp->next )
- {
- /* TODO: Nur zum testen */
- dki_prt_dnskey (dkp, stdout);
- }
- break;
- case 1:
- if ( parent_exist || ksk > 1 )
- fatal ("Can\'t create new ksk because there is already an ksk rollover in progress\n");
-
- fprintf (stdout, "create new ksk \n");
- dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
- if ( dkp == NULL )
- fatal ("Can't create key %s: %s!\n", keyname, dki_geterrstr ());
- if ( standby )
- {
- dki_setstatus (standby, DKI_ACT); /* activate standby key */
- dki_setstatus (dkp, DKI_PUB); /* new key will be the new standby */
- }
-
- // dkp = keylist; /* use old key to create the parent file */
- if ( (dkp = (dki_t *)dki_findalgo (keylist, 1, conf->k_algo, 'a', 1)) == NULL ) /* find the oldest active ksk to create the parent file */
- fatal ("ksk_rollover phase1: Couldn't find the old active key\n");
- if ( !create_parent_file (path, phase, key_ttl, dkp) )
- fatal ("Couldn't create parentfile %s\n", path);
- break;
-
- case 2:
- if ( ksk < 2 )
- fatal ("Can\'t publish new key because no one exist\n");
- if ( !parent_exist )
- fatal ("More than one KSK but no parent file found!\n");
- if ( parent_phase != 1 )
- fatal ("Parent file exists but is in wrong state (phase = %d)\n", parent_phase);
- if ( parent_age < conf->proptime + key_ttl )
- fatal ("ksk_rollover (phase2): you have to wait for the propagation of the new KSK (at least %dsec or %s)\n",
- conf->proptime + key_ttl - parent_age,
- str_delspace (age2str (conf->proptime + key_ttl - parent_age)));
-
- fprintf (stdout, "save new ksk in parent file\n");
- dkp = keylist->next; /* set dkp to new ksk */
- if ( !create_parent_file (path, phase, key_ttl, dkp) )
- fatal ("Couldn't create parentfile %s\n", path);
- break;
- case 3:
- if ( !parent_exist || ksk < 2 )
- fatal ("ksk-delkey only allowed after ksk-publish\n");
- if ( parent_phase != 2 )
- fatal ("Parent file exists but is in wrong state (phase = %d)\n", parent_phase);
- if ( parent_age < parent_propagation + key_ttl )
- fatal ("ksk_rollover (phase3): you have to wait for DS propagation (at least %dsec or %s)\n",
- parent_propagation + key_ttl - parent_age,
- str_delspace (age2str (parent_propagation + key_ttl - parent_age)));
- /* remove the parentfile */
- fprintf (stdout, "remove parentfile \n");
- unlink (path);
- /* remove or rename the old key */
- fprintf (stdout, "old ksk renamed \n");
- dkp = keylist; /* set dkp to old ksk */
- dki_remove (dkp);
- break;
- default: assert (phase == 1 || phase == 2 || phase == 3);
- }
-}
-
-/*****************************************************************
-** create_parent_file ()
-*****************************************************************/
-static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)
-{
- FILE *fp;
-
- assert ( fname != NULL );
-
- if ( dkp == NULL || (phase != 1 && phase != 2) )
- return 0;
-
- if ( (fp = fopen (fname, "w")) == NULL )
- fatal ("can\'t create new parentfile \"%s\"\n", fname);
-
- if ( phase == 1 )
- fprintf (fp, "; KSK rollover phase1 (old key)\n");
- else
- fprintf (fp, "; KSK rollover phase2 (new key)\n");
-
- dki_prt_dnskeyttl (dkp, fp, ttl);
- fclose (fp);
-
- return phase;
-}
-
-static int parsedirectory (const char *dir, dki_t **listp)
-{
- dki_t *dkp;
- DIR *dirp;
- struct dirent *dentp;
- char path[MAX_PATHSIZE+1];
-
- if ( dirflag )
- return 0;
-
- dbg_val ("directory: opendir(%s)\n", dir);
- if ( (dirp = opendir (dir)) == NULL )
- return 0;
-
- while ( (dentp = readdir (dirp)) != NULL )
- {
- if ( is_dotfilename (dentp->d_name) )
- continue;
-
- dbg_val ("directory: check %s\n", dentp->d_name);
- pathname (path, sizeof (path), dir, dentp->d_name, NULL);
- if ( is_directory (path) && recflag )
- {
- dbg_val ("directory: recursive %s\n", path);
- parsedirectory (path, listp);
- }
- else if ( is_keyfilename (dentp->d_name) )
- if ( (dkp = dki_read (dir, dentp->d_name)) )
- {
- // fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name);
-#if defined (USE_TREE) && USE_TREE
- dki_tadd (listp, dkp, 1);
-#else
- dki_add (listp, dkp);
-#endif
- }
- }
- closedir (dirp);
- return 1;
-}
-
-static void parsefile (const char *file, dki_t **listp)
-{
- char path[MAX_PATHSIZE+1];
- dki_t *dkp;
-
- /* file arg contains path ? ... */
- file = splitpath (path, sizeof (path), file); /* ... then split of */
-
- if ( is_keyfilename (file) ) /* plain file name looks like DNS key file ? */
- {
- if ( (dkp = dki_read (path, file)) ) /* read DNS key file ... */
-#if defined (USE_TREE) && USE_TREE
- dki_tadd (listp, dkp, 1); /* ... and add to tree */
-#else
- dki_add (listp, dkp); /* ... and add to list */
-#endif
- else
- error ("error parsing %s: (%s)\n", file, dki_geterrstr());
- }
-}
-
-static const char *parsetag (const char *str, int *tagp)
-{
- const char *p;
-
- *tagp = 0;
- while ( isspace (*str) ) /* skip leading ws */
- str++;
-
- p = str;
- if ( isdigit (*p) ) /* keytag starts with digit */
- {
- sscanf (p, "%u", tagp); /* read keytag as number */
- do /* eat up to the end of the number */
- p++;
- while ( isdigit (*p) );
-
- if ( *p == ':' ) /* label follows ? */
- return p+1; /* return that */
- if ( *p == '\0' )
- return NULL; /* no label */
- }
- return str; /* return as label string if not a numeric keytag */
-}
-
+++ /dev/null
-;% generationtime=20100311225233
-;% lifetime=60d
-example.net. IN DNSKEY 257 3 8 BQEAAAABDUkWE4dtbBTfkAnlOJSbnYSikE7cyHPg6qFItoYObenlTGkG TECQb1flWaKLDhQZ54CdnYN3FdlRVHKmkkxZOwH0HvW+fGXTGv35adGJ JBDqlJWJC0bxHsrlUZTdczt2B6g9AHUUg2WSXTa5KZHJGjFiACFzfln9 SQlVj/UzWGv2sDwQb+XiOIHkZ2VmMPx3SvFOOIG4nmTla76XYTNfUJPY BQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 8 (RSASHA256)
-Modulus: DUkWE4dtbBTfkAnlOJSbnYSikE7cyHPg6qFItoYObenlTGkGTECQb1flWaKLDhQZ54CdnYN3FdlRVHKmkkxZOwH0HvW+fGXTGv35adGJJBDqlJWJC0bxHsrlUZTdczt2B6g9AHUUg2WSXTa5KZHJGjFiACFzfln9SQlVj/UzWGv2sDwQb+XiOIHkZ2VmMPx3SvFOOIG4nmTla76XYTNfUJPYBQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: AeHyClC8SYdKB3mQtwWx/z08pCjHEs18KF9HbWddQnQrrJKP1lh1r6DGmJ5oigg3i2x/NEBUXw345FYQ7ynaVewt4KoQ2c6vT1ZyOXuoCmJknMxXKaVma5L3+hrGwdaS7tbJXGQrq6FHaYOO/2un8G7qRU5zoods+iR8qCRktkYVk2PS7wrdeQu9XaGUl5pPwh7fmNmjpfe16kyk3M2xoThEUQ==
-Prime1: A9GgY74jQxKOqTEMivti0zJIuxjlN7k1+MlTDQliH8EiFy8b/6HqRqddgdeuPDt8s0jv1cGxnMig4761JszH7CQeHbefeoLw95OXu7v6hpw3Uw==
-Prime2: A3qansKrFaIwWJw7n0//qO52mEKCxoljeMzbeXx4f+pgADmyMcv8ysHMUPP6BEwVxlxHVyv9a3lxQRa8ZdPtFV+QK3Zy3PfAV8SoahbYgi2ARw==
-Exponent1: v6z/wlryoSYkgnlkxM6uC6AEc7ZQQdla7cG+iaeEJq8pfzPClkU+WiBP9MJroO8ExM1mj/bjIfw3/Vel5NuLD9uU+BIV1qzcWKbPwo7xZnqh
-Exponent2: OPEA/pb22DU0GDyS1UmOmJGjyp2Irxe1LJL6J16bK/lCqPNenT8qIYbLY2EKUoRhAirvurd4/fXqnzNVYdw369C/DBtfZ6AeAfs4no/+Fnfx
-Coefficient: /pte3nUM+M1VmAs7z3bhTdbPWIJZk7z0RkcBhFvUn4ZGgImUSFF8/psPzvQFy9pyGzinviE16aI0UVEBxL7NkFfSs9cMX0jpItFDyJTcxvjA
+++ /dev/null
-;% generationtime=20100311225233
-;% lifetime=14d
-example.net. IN DNSKEY 256 3 8 BQEAAAABy5vGV4emguE++EM1DlDEro5fPi7oHyQ4N95DZE//Wtr+/twH y339QiyRFhYcZrb8Wt6ZgT3qXbL2RUVQ9X8ZCQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 8 (RSASHA256)
-Modulus: y5vGV4emguE++EM1DlDEro5fPi7oHyQ4N95DZE//Wtr+/twHy339QiyRFhYcZrb8Wt6ZgT3qXbL2RUVQ9X8ZCQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: uHA+A2dABi4t2afEHHud8MajxjMLqxw/+t0yzsRgye6eiAkJVuhYSdxxqmlqMmSayrBNSX2jYHdKmY49W6kmUQ==
-Prime1: 6pzzNfud8Hzw9UdeitwJwVzFaAfV/RmRmTCm4OLBGD0=
-Prime2: 3itJLwoOTYkb2rOQNjZ/4hMNov3plClxo5e9iPSARL0=
-Exponent1: w/gumsQA0FOkuuMBp5PcTsbHbebL9SAVDURQgLo2ZMU=
-Exponent2: ILYpsGsfTcHDSAmGbQBRSsFQEKw7Ghx/mIcWoUIN250=
-Coefficient: cwmz0VwEQ4Jjc3+T0tDgH9fhUiyISbuV/0Bz25E5bYA=
+++ /dev/null
-;% generationtime=20100311224635
-;% lifetime=3d
-sub.example.net. IN DNSKEY 256 3 7 AwEAAZeWiMSfoNTQkZhKHK2+OXmKRSXgBjad7VBC9tZ40aIr5pPtDWCg 8iELYF4M6ybq0M1ffUO+GHZt89A624SkWps=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 7 (NSEC3RSASHA1)
-Modulus: l5aIxJ+g1NCRmEocrb45eYpFJeAGNp3tUEL21njRoivmk+0NYKDyIQtgXgzrJurQzV99Q74Ydm3z0DrbhKRamw==
-PublicExponent: AQAB
-PrivateExponent: ItWA0E4uUzkqe+hr9rED3B4eDboRM3PPGOaKenaBFdbONA8X6GbCTCAE6oF7DGSebfi6I9HTjLs24ZItD7bHwQ==
-Prime1: yLZLkD+0SqDwPDKXlK6qHMRKwGDcNw5MxELfv3ftyRM=
-Prime2: wVginHuVgdmvAxTX51WmK922+KTwk/w+Od+/W2N6IVk=
-Exponent1: XE5aGhDyHZA+a7DovVxGp8wuhKMHI9rTuz72H9xL4zk=
-Exponent2: XemKfknFGBp9WNjR+kru+RWrn2C2fpsiOohE8YYDN5k=
-Coefficient: ZmS8ZDDLz6CtwYEvGJgTsNTw/bj6JMaZ8cFh3x1Zd4Y=
+++ /dev/null
-;% generationtime=20100308221149
-;% lifetime=3d
-sub.example.net. IN DNSKEY 256 3 7 AwEAAcIDTNHrG9ssCz/VueiPUQaw4IAM5GvECljWsX+SfXSCkhHg5loq +FXNRa80EJCyh5b0sicbdVOhJ9DVNaRKYxU=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 7 (NSEC3RSASHA1)
-Modulus: wgNM0esb2ywLP9W56I9RBrDggAzka8QKWNaxf5J9dIKSEeDmWir4Vc1FrzQQkLKHlvSyJxt1U6En0NU1pEpjFQ==
-PublicExponent: AQAB
-PrivateExponent: fYBY/ynROTQCiuacfh3HUka00uCEGloUP2eSJm4CjYyQyy/he5haU0hcJw5JvxhI0pGj+eDEzaE+5oq1pKntOQ==
-Prime1: 4YRNB1cSh3F9+pQglY5/H4STx2pIADAO0mRFO2Lu+Mc=
-Prime2: 3DzZhCWENMYZvx9ovZTtIUIUpXEPtN4p7FqYC0OFgUM=
-Exponent1: Dk7UjEir9kfvFDzdrF90FU3WCmrl0o06A4M1GUV3n/U=
-Exponent2: ppnBUZ2vrNxOja2M5hzKZOZACAbHAuMsg4bkjWC+lVE=
-Coefficient: LA7G4rCRiDP8P+Cg+JQUKBUgZ8F+dpGA3E/aVOYhaWw=
+++ /dev/null
-;% generationtime=20100124184339
-;% lifetime=7d
-sub.example.net. IN DNSKEY 257 3 7 AwEAAfTQL8DTr3eYpPziT+cnKnzMewbEBtRxfkb697qoRK4pKkGYGVWu jIEyjts/aluYd+Nw85rvRFPNVJwmM63jvJapql1pKfyFPSl4YVJMxaCv OMhd1JATDnrTq70evQQmOHyxVKe8k9zk0GKeRgX8sl228AvdiGOfxWmT BoOxYowx
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 7 (NSEC3RSASHA1)
-Modulus: 9NAvwNOvd5ik/OJP5ycqfMx7BsQG1HF+Rvr3uqhErikqQZgZVa6MgTKO2z9qW5h343Dzmu9EU81UnCYzreO8lqmqXWkp/IU9KXhhUkzFoK84yF3UkBMOetOrvR69BCY4fLFUp7yT3OTQYp5GBfyyXbbwC92IY5/FaZMGg7FijDE=
-PublicExponent: AQAB
-PrivateExponent: nn1ZLQDejBKqXX02NXPJsdm/m/W0ZjzDf7hiQNlG/WlxDd4mKK5EEDBnA9HeTUY792bcjuVv2sEHkb+5nU3efHdZypvY8wsvKKNUtxWJl9O5ip7GXh4/7YQeNKW/zgE1Xz+Yu6ht3e8XuxaIXHuQ5mBC0E5AUUYPhVBCTR08CkE=
-Prime1: /MeAn2UCjXS8VIoi5Zp90w2qB6ub0wqeLCI0zpXCxWlLTrDSpFORdGuPEctE5cNlDX7y9gq6a5vxnN/b+DnNdQ==
-Prime2: 9+6zb1zEpyJzcscrSVVjacjNbyI9OwfrA7XjU5PppCyFLRvP3+L/pjqgDhyoZmCo3VMqnOjxpIeffvmDsUjATQ==
-Exponent1: ddE+4AwifnAUf4rK7R1u2/oYb+7KeDkQtB1VY5xl5cFH+mtsIm9Y8lxXmMGXYUgLR5kOASPK8/EBUk78pdu7KQ==
-Exponent2: OIT16sEfI2q7HsNAnusUSp04F8maY8aeUK46MGdbr81mXq4kaUl6Ng7PRehKi2wlkq7O3A5OZ89zEKMY3mVTUQ==
-Coefficient: ZO4OrBf5SCcbAccN63xHAlm/Pelu4wWw3yo/BaWPYE3Sf+FJt0O3TJQsmm5B+KbrruLsX6lWWHf4ZerizKFhKQ==
+++ /dev/null
-2010-02-06 00:26:54.532: debug: Check RFC5011 status
-2010-02-06 00:26:54.532: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-06 00:26:54.533: debug: Check KSK status
-2010-02-06 00:26:54.533: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h43m15s
-2010-02-06 00:26:54.533: debug: Check ZSK status
-2010-02-06 00:26:54.533: debug: Re-signing not necessary!
-2010-02-06 00:26:54.533: debug: Check if there is a parent file to copy
-2010-02-06 00:29:31.290: debug: Check RFC5011 status
-2010-02-06 00:29:31.290: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-06 00:29:31.290: debug: Check KSK status
-2010-02-06 00:29:31.290: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h45m52s
-2010-02-06 00:29:31.290: debug: Check ZSK status
-2010-02-06 00:29:31.290: debug: Re-signing not necessary!
-2010-02-06 00:29:31.290: debug: Check if there is a parent file to copy
-2010-02-06 00:40:35.043: debug: Check RFC5011 status
-2010-02-06 00:40:35.043: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-06 00:40:35.043: debug: Check KSK status
-2010-02-06 00:40:35.043: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h56m56s
-2010-02-06 00:40:35.043: debug: Check ZSK status
-2010-02-06 00:40:35.043: debug: Re-signing not necessary!
-2010-02-06 00:40:35.043: debug: Check if there is a parent file to copy
-2010-02-06 00:52:55.402: debug: Check RFC5011 status
-2010-02-06 00:52:55.402: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-06 00:52:55.402: debug: Check KSK status
-2010-02-06 00:52:55.403: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d5h9m16s
-2010-02-06 00:52:55.403: debug: Check ZSK status
-2010-02-06 00:52:55.403: debug: Re-signing not necessary!
-2010-02-06 00:52:55.403: debug: Check if there is a parent file to copy
-2010-02-07 13:53:47.883: debug: Check RFC5011 status
-2010-02-07 13:53:47.883: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-07 13:53:47.883: debug: Check KSK status
-2010-02-07 13:53:47.883: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m8s
-2010-02-07 13:53:47.883: debug: Check ZSK status
-2010-02-07 13:53:47.883: debug: Re-signing necessary: re-signing interval (1d) reached
-2010-02-07 13:53:47.884: notice: "sub.example.net.": re-signing triggered: re-signing interval (1d) reached
-2010-02-07 13:53:47.884: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-02-07 13:53:47.884: debug: Signing zone "sub.example.net."
-2010-02-07 13:53:47.884: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 880820 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-02-07 13:53:48.303: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-02-07 13:53:48.304: debug: Signing completed after 1s.
-2010-02-07 13:54:03.465: debug: Check RFC5011 status
-2010-02-07 13:54:03.465: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-07 13:54:03.465: debug: Check KSK status
-2010-02-07 13:54:03.466: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m24s
-2010-02-07 13:54:03.466: debug: Check ZSK status
-2010-02-07 13:54:03.466: debug: Re-signing not necessary!
-2010-02-07 13:54:03.466: debug: Check if there is a parent file to copy
-2010-02-07 13:54:07.955: debug: Check RFC5011 status
-2010-02-07 13:54:07.955: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-07 13:54:07.955: debug: Check KSK status
-2010-02-07 13:54:07.955: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m28s
-2010-02-07 13:54:07.955: debug: Check ZSK status
-2010-02-07 13:54:07.956: debug: Re-signing necessary: Option -f
-2010-02-07 13:54:07.956: notice: "sub.example.net.": re-signing triggered: Option -f
-2010-02-07 13:54:07.956: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-02-07 13:54:07.956: debug: Signing zone "sub.example.net."
-2010-02-07 13:54:07.956: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 325964 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-02-07 13:54:08.003: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-02-07 13:54:08.003: debug: Signing completed after 1s.
-2010-02-07 13:54:08.003: notice: "sub.example.net.": distribution triggered
-2010-02-07 13:54:08.003: debug: Distribute zone "sub.example.net."
-2010-02-07 13:54:08.003: debug: Run cmd "./dist.sh distribute sub.example.net. ./sub.example.net/zone.db.signed "
-2010-02-07 13:54:08.013: debug: ./dist.sh distribute return: "scp ./sub.example.net/zone.db.signed localhost:/var/named/sub.example.net./"
-2010-02-07 13:54:08.013: notice: "sub.example.net.": reload triggered
-2010-02-07 13:54:08.013: debug: Reload zone "sub.example.net."
-2010-02-07 13:54:08.013: debug: Run cmd "./dist.sh reload sub.example.net. ./sub.example.net/zone.db.signed "
-2010-02-07 13:54:08.019: debug: ./dist.sh reload return: "rndc reload sub.example.net. "
-2010-02-07 14:06:27.669: debug: Check RFC5011 status
-2010-02-07 14:06:27.669: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-07 14:06:27.669: debug: Check KSK status
-2010-02-07 14:06:27.669: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h22m48s
-2010-02-07 14:06:27.669: debug: Check ZSK status
-2010-02-07 14:06:27.669: debug: Re-signing not necessary!
-2010-02-07 14:06:27.670: debug: Check if there is a parent file to copy
-2010-02-07 14:06:33.713: debug: Check RFC5011 status
-2010-02-07 14:06:33.713: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-07 14:06:33.713: debug: Check KSK status
-2010-02-07 14:06:33.713: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h22m54s
-2010-02-07 14:06:33.713: debug: Check ZSK status
-2010-02-07 14:06:33.714: debug: Re-signing necessary: Option -f
-2010-02-07 14:06:33.714: notice: "sub.example.net.": re-signing triggered: Option -f
-2010-02-07 14:06:33.714: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-02-07 14:06:33.714: debug: Signing zone "sub.example.net."
-2010-02-07 14:06:33.714: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 4A3DFB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-02-07 14:06:33.745: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-02-07 14:06:33.745: debug: Signing completed after 0s.
-2010-02-07 14:06:33.745: notice: "sub.example.net.": distribution triggered
-2010-02-07 14:06:33.745: debug: Distribute zone "sub.example.net."
-2010-02-07 14:06:33.745: debug: Run cmd "./dist.sh distribute sub.example.net. ./sub.example.net/zone.db.signed "
-2010-02-07 14:06:33.749: debug: ./dist.sh distribute return: "scp ./sub.example.net/zone.db.signed localhost:/var/named/sub.example.net./"
-2010-02-07 14:06:33.749: notice: "sub.example.net.": reload triggered
-2010-02-07 14:06:33.749: debug: Reload zone "sub.example.net."
-2010-02-07 14:06:33.749: debug: Run cmd "./dist.sh reload sub.example.net. ./sub.example.net/zone.db.signed "
-2010-02-07 14:06:33.753: debug: ./dist.sh reload return: "rndc reload sub.example.net. "
-2010-02-21 12:50:43.176: debug: Check RFC5011 status
-2010-02-21 12:50:43.176: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-21 12:50:43.176: debug: Check KSK status
-2010-02-21 12:50:43.176: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m4s
-2010-02-21 12:50:43.176: debug: Check ZSK status
-2010-02-21 12:50:43.176: debug: Lifetime(259200 +/-150 sec) of active key 7505 exceeded (1345179 sec)
-2010-02-21 12:50:43.176: debug: ->depreciate it
-2010-02-21 12:50:43.176: debug: ->activate published key 57167
-2010-02-21 12:50:43.176: notice: "sub.example.net.": lifetime of zone signing key 7505 exceeded: ZSK rollover done
-2010-02-21 12:50:43.176: debug: New key for publishing needed
-2010-02-21 12:50:43.445: debug: ->creating new key 49712
-2010-02-21 12:50:43.445: info: "sub.example.net.": new key 49712 generated for publishing
-2010-02-21 12:50:43.445: debug: Re-signing necessary: Modfied zone key set
-2010-02-21 12:50:43.445: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-02-21 12:50:43.445: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-02-21 12:50:43.445: debug: Signing zone "sub.example.net."
-2010-02-21 12:50:43.445: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 2E31B5 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-02-21 12:50:43.580: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-02-21 12:50:43.580: debug: Signing completed after 0s.
-2010-02-21 12:50:51.158: debug: Check RFC5011 status
-2010-02-21 12:50:51.158: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-21 12:50:51.158: debug: Check KSK status
-2010-02-21 12:50:51.159: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m12s
-2010-02-21 12:50:51.159: debug: Check ZSK status
-2010-02-21 12:50:51.159: debug: Re-signing necessary: Modfied zone key set
-2010-02-21 12:50:51.159: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-02-21 12:50:51.159: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-02-21 12:50:51.159: debug: Signing zone "sub.example.net."
-2010-02-21 12:50:51.159: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 41F65A -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-02-21 12:50:51.205: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-02-21 12:50:51.205: debug: Signing completed after 0s.
-2010-02-21 12:51:23.497: debug: Check RFC5011 status
-2010-02-21 12:51:23.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-21 12:51:23.497: debug: Check KSK status
-2010-02-21 12:51:23.497: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m44s
-2010-02-21 12:51:23.497: debug: Check ZSK status
-2010-02-21 12:51:23.497: debug: Re-signing not necessary!
-2010-02-21 12:51:23.497: debug: Check if there is a parent file to copy
-2010-02-21 19:16:18.384: debug: Check RFC5011 status
-2010-02-21 19:16:18.384: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-21 19:16:18.384: debug: Check KSK status
-2010-02-21 19:16:18.385: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h32m39s
-2010-02-21 19:16:18.385: debug: Check ZSK status
-2010-02-21 19:16:18.385: debug: Lifetime(390 sec) of depreciated key 7505 exceeded (23135 sec)
-2010-02-21 19:16:18.385: info: "sub.example.net.": old ZSK 7505 removed
-2010-02-21 19:16:18.401: debug: ->remove it
-2010-02-21 19:16:18.401: debug: Re-signing necessary: Modfied zone key set
-2010-02-21 19:16:18.401: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-02-21 19:16:18.401: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-02-21 19:16:18.401: debug: Signing zone "sub.example.net."
-2010-02-21 19:16:18.401: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 3DADF2 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-02-21 19:16:18.593: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-02-21 19:16:18.593: debug: Signing completed after 0s.
-2010-02-21 19:32:11.378: debug: Check RFC5011 status
-2010-02-21 19:32:11.378: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-21 19:32:11.378: debug: Check KSK status
-2010-02-21 19:32:11.378: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m32s
-2010-02-21 19:32:11.378: debug: Check ZSK status
-2010-02-21 19:32:11.378: debug: Re-signing not necessary!
-2010-02-21 19:32:11.378: debug: Check if there is a parent file to copy
-2010-02-21 19:32:15.930: debug: Check RFC5011 status
-2010-02-21 19:32:15.930: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-21 19:32:15.930: debug: Check KSK status
-2010-02-21 19:32:15.930: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m36s
-2010-02-21 19:32:15.930: debug: Check ZSK status
-2010-02-21 19:32:15.930: debug: Re-signing necessary: Option -f
-2010-02-21 19:32:15.930: notice: "sub.example.net.": re-signing triggered: Option -f
-2010-02-21 19:32:15.930: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-02-21 19:32:15.931: debug: Signing zone "sub.example.net."
-2010-02-21 19:32:15.931: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 623FD7 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-02-21 19:32:15.982: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-02-21 19:32:15.982: debug: Signing completed after 0s.
-2010-02-21 19:32:32.203: debug: Check RFC5011 status
-2010-02-21 19:32:32.203: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-21 19:32:32.203: debug: Check KSK status
-2010-02-21 19:32:32.203: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m53s
-2010-02-21 19:32:32.203: debug: Check ZSK status
-2010-02-21 19:32:32.203: debug: Re-signing necessary: Option -f
-2010-02-21 19:32:32.203: notice: "sub.example.net.": re-signing triggered: Option -f
-2010-02-21 19:32:32.203: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-02-21 19:32:32.203: debug: Signing zone "sub.example.net."
-2010-02-21 19:32:32.203: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 C522CA -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-02-21 19:32:32.232: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-02-21 19:32:32.232: debug: Signing completed after 0s.
-2010-02-25 00:12:26.443: debug: Check RFC5011 status
-2010-02-25 00:12:26.443: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-25 00:12:26.443: debug: Check KSK status
-2010-02-25 00:12:26.443: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 3w3d4h28m47s
-2010-02-25 00:12:26.443: debug: Check ZSK status
-2010-02-25 00:12:26.443: debug: Lifetime(259200 +/-150 sec) of active key 57167 exceeded (300103 sec)
-2010-02-25 00:12:26.443: debug: ->depreciate it
-2010-02-25 00:12:26.444: debug: ->activate published key 49712
-2010-02-25 00:12:26.444: notice: "sub.example.net.": lifetime of zone signing key 57167 exceeded: ZSK rollover done
-2010-02-25 00:12:26.444: debug: New key for publishing needed
-2010-02-25 00:12:26.902: debug: ->creating new key 65009
-2010-02-25 00:12:26.902: info: "sub.example.net.": new key 65009 generated for publishing
-2010-02-25 00:12:26.902: debug: Re-signing necessary: Modfied zone key set
-2010-02-25 00:12:26.902: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-02-25 00:12:26.902: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-02-25 00:12:26.902: debug: Signing zone "sub.example.net."
-2010-02-25 00:12:26.902: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9AA7CB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-02-25 00:12:27.016: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-02-25 00:12:27.016: debug: Signing completed after 1s.
-2010-02-25 23:42:20.653: debug: Check RFC5011 status
-2010-02-25 23:42:20.653: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-02-25 23:42:20.653: debug: Check KSK status
-2010-02-25 23:42:20.653: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 3w4d3h58m41s
-2010-02-25 23:42:20.653: debug: Check ZSK status
-2010-02-25 23:42:20.653: debug: Lifetime(390 sec) of depreciated key 57167 exceeded (84594 sec)
-2010-02-25 23:42:20.653: info: "sub.example.net.": old ZSK 57167 removed
-2010-02-25 23:42:20.661: debug: ->remove it
-2010-02-25 23:42:20.661: debug: Re-signing necessary: Modfied zone key set
-2010-02-25 23:42:20.661: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-02-25 23:42:20.661: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-02-25 23:42:20.662: debug: Signing zone "sub.example.net."
-2010-02-25 23:42:20.662: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 2942EB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-02-25 23:42:21.012: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-02-25 23:42:21.012: debug: Signing completed after 1s.
-2010-03-02 10:59:11.845: debug: Check RFC5011 status
-2010-03-02 10:59:11.845: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-03-02 10:59:11.845: debug: Check KSK status
-2010-03-02 10:59:11.846: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 4w1d15h15m32s
-2010-03-02 10:59:11.846: debug: Check ZSK status
-2010-03-02 10:59:11.846: debug: Lifetime(259200 +/-150 sec) of active key 49712 exceeded (470805 sec)
-2010-03-02 10:59:11.846: debug: ->depreciate it
-2010-03-02 10:59:11.846: debug: ->activate published key 65009
-2010-03-02 10:59:11.846: notice: "sub.example.net.": lifetime of zone signing key 49712 exceeded: ZSK rollover done
-2010-03-02 10:59:11.846: debug: New key for publishing needed
-2010-03-02 10:59:12.256: debug: ->creating new key 27377
-2010-03-02 10:59:12.256: info: "sub.example.net.": new key 27377 generated for publishing
-2010-03-02 10:59:12.256: debug: Re-signing necessary: Modfied zone key set
-2010-03-02 10:59:12.256: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-03-02 10:59:12.256: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-03-02 10:59:12.256: debug: Signing zone "sub.example.net."
-2010-03-02 10:59:12.256: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 F9A34F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-03-02 10:59:12.415: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-03-02 10:59:12.416: debug: Signing completed after 0s.
-2010-03-03 23:22:00.127: debug: Check RFC5011 status
-2010-03-03 23:22:00.127: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-03-03 23:22:00.127: debug: Check KSK status
-2010-03-03 23:22:00.127: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 4w3d3h38m21s
-2010-03-03 23:22:00.127: debug: Check ZSK status
-2010-03-03 23:22:00.127: debug: Lifetime(390 sec) of depreciated key 49712 exceeded (130969 sec)
-2010-03-03 23:22:00.127: info: "sub.example.net.": old ZSK 49712 removed
-2010-03-03 23:22:00.127: debug: ->remove it
-2010-03-03 23:22:00.127: debug: Re-signing necessary: Modfied zone key set
-2010-03-03 23:22:00.127: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-03-03 23:22:00.127: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-03-03 23:22:00.127: debug: Signing zone "sub.example.net."
-2010-03-03 23:22:00.127: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 A3B721 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-03-03 23:22:00.394: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-03-03 23:22:00.394: debug: Signing completed after 0s.
-2010-03-08 23:11:49.663: debug: Check RFC5011 status
-2010-03-08 23:11:49.663: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-03-08 23:11:49.663: debug: Check KSK status
-2010-03-08 23:11:49.663: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w1d3h28m10s
-2010-03-08 23:11:49.664: debug: Check ZSK status
-2010-03-08 23:11:49.664: debug: Lifetime(259200 +/-150 sec) of active key 65009 exceeded (562358 sec)
-2010-03-08 23:11:49.664: debug: ->depreciate it
-2010-03-08 23:11:49.664: debug: ->activate published key 27377
-2010-03-08 23:11:49.664: notice: "sub.example.net.": lifetime of zone signing key 65009 exceeded: ZSK rollover done
-2010-03-08 23:11:49.664: debug: New key for publishing needed
-2010-03-08 23:11:50.060: debug: ->creating new key 41747
-2010-03-08 23:11:50.060: info: "sub.example.net.": new key 41747 generated for publishing
-2010-03-08 23:11:50.060: debug: Re-signing necessary: Modfied zone key set
-2010-03-08 23:11:50.061: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-03-08 23:11:50.061: debug: Writing key file "././sub.example.net/dnskey.db"
-2010-03-08 23:11:50.061: debug: Signing zone "sub.example.net."
-2010-03-08 23:11:50.061: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 71C04F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-03-08 23:11:50.169: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-03-08 23:11:50.169: debug: Signing completed after 0s.
-2010-03-08 23:18:52.243: debug: Check RFC5011 status
-2010-03-08 23:18:52.243: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-03-08 23:18:52.243: debug: Check KSK status
-2010-03-08 23:18:52.243: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w1d3h35m13s
-2010-03-08 23:18:52.243: debug: Check ZSK status
-2010-03-08 23:18:52.243: debug: Lifetime(390 sec) of depreciated key 65009 exceeded (423 sec)
-2010-03-08 23:18:52.243: info: "sub.example.net.": old ZSK 65009 removed
-2010-03-08 23:18:52.243: debug: ->remove it
-2010-03-08 23:18:52.243: debug: Re-signing necessary: Modfied zone key set
-2010-03-08 23:18:52.243: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-03-08 23:18:52.243: debug: Writing key file "././sub.example.net/dnskey.db"
-2010-03-08 23:18:52.243: debug: Signing zone "sub.example.net."
-2010-03-08 23:18:52.243: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 CF729B -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-03-08 23:18:52.287: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-03-08 23:18:52.287: debug: Signing completed after 0s.
-2010-03-11 23:46:35.497: debug: Check RFC5011 status
-2010-03-11 23:46:35.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-03-11 23:46:35.497: debug: Check KSK status
-2010-03-11 23:46:35.497: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h2m56s
-2010-03-11 23:46:35.498: debug: Check ZSK status
-2010-03-11 23:46:35.498: debug: Lifetime(259200 +/-150 sec) of active key 27377 exceeded (261286 sec)
-2010-03-11 23:46:35.498: debug: ->depreciate it
-2010-03-11 23:46:35.498: debug: ->activate published key 41747
-2010-03-11 23:46:35.498: notice: "sub.example.net.": lifetime of zone signing key 27377 exceeded: ZSK rollover done
-2010-03-11 23:46:35.498: debug: New key for publishing needed
-2010-03-11 23:46:35.768: debug: ->creating new key 2048
-2010-03-11 23:46:35.768: info: "sub.example.net.": new key 2048 generated for publishing
-2010-03-11 23:46:35.768: debug: Re-signing necessary: Modfied zone key set
-2010-03-11 23:46:35.768: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-03-11 23:46:35.768: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-03-11 23:46:35.768: debug: Signing zone "sub.example.net."
-2010-03-11 23:46:35.768: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 B86C9F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-03-11 23:46:35.814: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-03-11 23:46:35.814: debug: Signing completed after 0s.
-2010-03-11 23:52:33.132: debug: Check RFC5011 status
-2010-03-11 23:52:33.132: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-03-11 23:52:33.132: debug: Check KSK status
-2010-03-11 23:52:33.132: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h8m54s
-2010-03-11 23:52:33.132: debug: Check ZSK status
-2010-03-11 23:52:33.132: debug: Re-signing not necessary!
-2010-03-11 23:52:33.132: debug: Check if there is a parent file to copy
-2010-03-11 23:53:27.804: debug: Check RFC5011 status
-2010-03-11 23:53:27.804: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2010-03-11 23:53:27.804: debug: Check KSK status
-2010-03-11 23:53:27.804: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h9m48s
-2010-03-11 23:53:27.804: debug: Check ZSK status
-2010-03-11 23:53:27.804: debug: Lifetime(390 sec) of depreciated key 27377 exceeded (412 sec)
-2010-03-11 23:53:27.804: info: "sub.example.net.": old ZSK 27377 removed
-2010-03-11 23:53:27.804: debug: ->remove it
-2010-03-11 23:53:27.804: debug: Re-signing necessary: Modfied zone key set
-2010-03-11 23:53:27.804: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2010-03-11 23:53:27.804: debug: Writing key file "./sub.example.net/dnskey.db"
-2010-03-11 23:53:27.804: debug: Signing zone "sub.example.net."
-2010-03-11 23:53:27.805: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 67AA7F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
-2010-03-11 23:53:27.856: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2010-03-11 23:53:27.856: debug: Signing completed after 0s.
+++ /dev/null
-;% generationtime=20100331230548
-;% lifetime=28d
-example.de. IN DNSKEY 256 3 5 BQEAAAABx4bzjHCRCraU9v/UP2O9dQ7YVF1vMhDWjWofWonrvX+T1Rb/ 2qIYq9kNPbQABLG5X/oe3dJIN4OGZAfL46sceQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: x4bzjHCRCraU9v/UP2O9dQ7YVF1vMhDWjWofWonrvX+T1Rb/2qIYq9kNPbQABLG5X/oe3dJIN4OGZAfL46sceQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: MWWd0AvKmimZrtVrPrTAK/UD0ZrJuL3Rcxw6qzxPWE5S3KcdJNtt5HzOPeGWIZVN8rBtPCSRhiksjugrMqkMRQ==
-Prime1: 48VMTrU7heYjFQ5ou7rSOpqt2Eot+EBDjYUPKeOR268=
-Prime2: 4EGLA3LuyNrDfBHTn0xmGHdO3DvHn6YUmJKh/98WzFc=
-Exponent1: WhbPWcw2bisYr9cS59vOFmLxvbXUQgJZTZVYSDW3EF0=
-Exponent2: BoCEx7RES9scWl7PFrUZzrzjDIZiBUICbw4BViSUVWs=
-Coefficient: DmwngpeIb8+dzC9ETnQOojRJTv1MRpW4k0Jo1NfAC+c=
+++ /dev/null
-;% generationtime=20100224232104
-;% lifetime=28d
-example.de. IN DNSKEY 256 3 5 BQEAAAABsbG8YGFKUQkJl2jdfLpO6yhnttoFp8lmfzCQfbMdIG6riFes ZIO2aMevhBM/+RWN7lNSCu8+vA4Ph7Mzp8OMCQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: sbG8YGFKUQkJl2jdfLpO6yhnttoFp8lmfzCQfbMdIG6riFesZIO2aMevhBM/+RWN7lNSCu8+vA4Ph7Mzp8OMCQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: PHPdKKwdgE+02a+6R+2xk7RfPUmjIW0dclILS0uQ2GL2lYJCaFKoMEZJb/30CkJLWBBGUS4XUPzplYQ8VLn6gQ==
-Prime1: 5efr+OinaF8nLpI/N1EuTxuoSbILnPn5pSWVpwJPgTk=
-Prime2: xdzEgtE9CEHT06oa0yM+lLMJp2K6RlBiByRo13Sd8VE=
-Exponent1: dE2UZNfo/uln1Yq9lz3pImp5gWDjeT+sYIdBBk8qfOk=
-Exponent2: TPXU6D9veGi9J41RR3KvLo4s3u/rQWHXyQrO6jQwX0E=
-Coefficient: t1ysP5l5JUhi+d3GvFN0EyZAv1nW31lsL+4979deLsw=
+++ /dev/null
-;% generationtime=20100311230027
-;% lifetime=3d
-sub.example.de. IN DNSKEY 256 3 5 BQEAAAABxKxfV/mwTsnyVaZLWg8vyG5U97RMupLke5t50q2pJdHLzb2+ fqswgt/pBwAYbYWTBQr2UTnQ4TBRunBiRSuapQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: xKxfV/mwTsnyVaZLWg8vyG5U97RMupLke5t50q2pJdHLzb2+fqswgt/pBwAYbYWTBQr2UTnQ4TBRunBiRSuapQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: LDta/Lx7ETLqQamSm9XAERno+ixf6Dl/cq10zcd8QNLuvleFqMvtRURxfhFhNlrvFTuckz1IzIX7ufecSrarYQ==
-Prime1: 5x1rjqJnLrLUd+i4DUmSutQQrQZWg+vzwurpGkxBCTc=
-Prime2: 2dmVy5A1h7avKD9Ez0rcg1G96wxVkdp+/8AvXEYe+QM=
-Exponent1: Fx9QLrquictb9W74f5gmRs5wQcsyWjkNVXUE/eb84l0=
-Exponent2: kexPooMJG2rfGbnWG0Mnav28EcV7q7xNnIHELjRCfWU=
-Coefficient: Liq85Ma7Ki3tZePKv/v+he9UgH7J5tgDnmHof0370/M=
+++ /dev/null
-;% generationtime=20100331230548
-;% lifetime=3d
-sub.example.de. IN DNSKEY 256 3 5 BQEAAAABwp1NkMWtDJ+B7uvjb4nejqCDAtmqfy0LRTq13tdgm33A04T2 uvdzfFpnd/t3giXCC588xP/ZT0pXekaZEyfhew==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: wp1NkMWtDJ+B7uvjb4nejqCDAtmqfy0LRTq13tdgm33A04T2uvdzfFpnd/t3giXCC588xP/ZT0pXekaZEyfhew==
-PublicExponent: AQAAAAE=
-PrivateExponent: Xgmu9fyg1QoKridDOUywH7mZg92dEvGVIcz5QrpXMYZDhi/Z1NLB4UJwaO4Kmbg9EyAT+ms3fjjC8ncy+mVnEQ==
-Prime1: 9wrDpiFEJkYGuCC0JriZgA+uaLBYtzudTzUByr8BGU0=
-Prime2: yavdgu+a7BloewO3Fzg6JwxYvJYrfeAgYLVr4uXzwec=
-Exponent1: Z8tEYnN2N5LxFjL9+mdfnOjNhVxAouZ/wyyokWf0C4U=
-Exponent2: axnHnwpVRfb5Xt25+8oIVoVH4YdTXDCbr4nkcjru4As=
-Coefficient: dvqfAzS1VFtC6dvzFTgh+GoFt3EwIxHDXcskNmbFDto=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: wBxCT/MYqHr+xX1vViWWlt36h1dkkx+qtfeY3603p+J4QlglYkStawB4atu2je/RrEUQXco40iGnYuqqUWQsdw==
-PublicExponent: AQAAAAE=
-PrivateExponent: mcrUc9cypiq7j30rntMoCrIxE9SemJxzTJ/USNZPGqfa4MpfsfvIt6A+8JzgS0Sx+6piSk9d8QSdr55aVqgEYQ==
-Prime1: 6dRm4EGvg7WN5LFAMv/8HzeyZbNu7FlQwf08QZOmgYc=
-Prime2: 0lM7LrrOzTThb372TCC+7Wz0S6GuqfjhM33MWwNEeZE=
-Exponent1: Q8jFuxbjffHEGZxuUdLkkmWka0hDlACozr31blXYgCc=
-Exponent2: yqc1ijD9jaK8b5IUIqsx42nbJ6boeMyx77wfOUoXw7E=
-Coefficient: R4QnEkjxtLd7bPChAqblYPb9A8lcsD7KGh5fTR9LcFM=
+++ /dev/null
-;% generationtime=20100302100004
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 5 BQEAAAABwBxCT/MYqHr+xX1vViWWlt36h1dkkx+qtfeY3603p+J4Qlgl YkStawB4atu2je/RrEUQXco40iGnYuqqUWQsdw==
./bin/tests/system/ecdsa/ns1/root.db.in ZONE 2012
./bin/tests/system/ecdsa/ns1/sign.sh SH 2012,2014
./bin/tests/system/ecdsa/ns2/named.conf CONF-C 2012
-./bin/tests/system/ecdsa/prereq.sh SH 20122014,2014
+./bin/tests/system/ecdsa/prereq.sh SH 2012,2014
./bin/tests/system/ecdsa/setup.sh SH 2012,2014
./bin/tests/system/ecdsa/tests.sh SH 2012,2013
./bin/tests/system/emptyzones/clean.sh SH 2014
./conftools/perllib/dnsconf/Makefile.PL PERL 2000,2001,2004,2007,2012
./conftools/perllib/dnsconf/named1.conf CONF-C 2000,2001,2004,2007
./conftools/perllib/dnsconf/test.pl PERL 2000,2001,2004,2007,2012
-./contrib/.gitignore X 2012
-./contrib/check-secure-delegation.pl.in PERL 2010,2012
-./contrib/check5011.pl X 2013
+./contrib/README X 2014
./contrib/dane/mkdane.sh X 2012
./contrib/dane/tlsa6698.pem X 2012
./contrib/dlz/bin/dlzbdb/Makefile.in X 2005,2007,2009,2011,2012
./contrib/idn/idnkit-1.0-src/wsock/wsock20/dllstub.c X 2003
./contrib/idn/idnkit-1.0-src/wsock/wsock20/make.wnt X 2003
./contrib/idn/idnkit-1.0-src/wsock/wsock20/ws2_32.def X 2003
-./contrib/linux/coredump-patch X 2000,2001
-./contrib/named-bootconf/named-bootconf.sh SH.PORTION 1999,2000,2001,2004,2006,2007,2012,2014
-./contrib/nanny/nanny.pl PERL 2000,2001,2004,2007,2012
-./contrib/nslint-2.1a3/CHANGES X 2001
-./contrib/nslint-2.1a3/FILES X 2001
-./contrib/nslint-2.1a3/INSTALL X 2001
-./contrib/nslint-2.1a3/Makefile.in X 2001,2004
-./contrib/nslint-2.1a3/README X 2001
-./contrib/nslint-2.1a3/VERSION X 2001
-./contrib/nslint-2.1a3/aclocal.m4 X 2001
-./contrib/nslint-2.1a3/config.guess X 2001
-./contrib/nslint-2.1a3/config.sub X 2001
-./contrib/nslint-2.1a3/configure X 2001
-./contrib/nslint-2.1a3/configure.in X 2001
-./contrib/nslint-2.1a3/install-sh X 2001
-./contrib/nslint-2.1a3/lbl/gnuc.h X 2001
-./contrib/nslint-2.1a3/lbl/os-irix5.h X 2001
-./contrib/nslint-2.1a3/lbl/os-osf3.h X 2001
-./contrib/nslint-2.1a3/lbl/os-solaris2.h X 2001
-./contrib/nslint-2.1a3/lbl/os-sunos4.h X 2001
-./contrib/nslint-2.1a3/lbl/os-ultrix4.h X 2001
-./contrib/nslint-2.1a3/mkdep X 2001
-./contrib/nslint-2.1a3/nslint.8 X 2001
-./contrib/nslint-2.1a3/nslint.c X 2001,2011
-./contrib/nslint-2.1a3/savestr.c X 2001
-./contrib/nslint-2.1a3/savestr.h X 2001
-./contrib/nslint-2.1a3/strerror.c X 2001,2014
-./contrib/pkcs11-keygen/README X 2008,2009
+./contrib/nslint-3.0a2/CHANGES X 2001,2014
+./contrib/nslint-3.0a2/FILES X 2001,2014
+./contrib/nslint-3.0a2/INSTALL X 2001,2014
+./contrib/nslint-3.0a2/Makefile.in X 2001,2004,2014
+./contrib/nslint-3.0a2/README X 2001,2014
+./contrib/nslint-3.0a2/VERSION X 2001,2014
+./contrib/nslint-3.0a2/aclocal.m4 X 2001,2014
+./contrib/nslint-3.0a2/config.guess X 2001,2014
+./contrib/nslint-3.0a2/config.sub X 2001,2014
+./contrib/nslint-3.0a2/configure X 2001,2014
+./contrib/nslint-3.0a2/configure.in X 2001,2014
+./contrib/nslint-3.0a2/install-sh X 2001,2014
+./contrib/nslint-3.0a2/lbl/gnuc.h X 2001,2014
+./contrib/nslint-3.0a2/mkdep X 2001,2014
+./contrib/nslint-3.0a2/nslint.8 X 2001,2014
+./contrib/nslint-3.0a2/nslint.c X 2001,2011,2014
+./contrib/nslint-3.0a2/savestr.c X 2001,2014
+./contrib/nslint-3.0a2/savestr.h X 2001,2014
+./contrib/nslint-3.0a2/strerror.c X 2001,2014
./contrib/query-loc-0.4.0/ADDRESSES X 2008
./contrib/query-loc-0.4.0/ALGO X 2008
./contrib/query-loc-0.4.0/INSTALL X 2008
./contrib/queryperf/missing/getnameinfo.c X 2004
./contrib/queryperf/queryperf.c X 2001,2002,2003,2004,2005,2007,2012,2013,2014
./contrib/queryperf/utils/gen-data-queryperf.py X 2003,2008
+./contrib/scripts/.gitignore X 2012
+./contrib/scripts/check5011.pl X 2013
+./contrib/scripts/check-secure-delegation.pl.in PERL 2010,2012
+./contrib/scripts/named-bootconf.sh SH.PORTION 1999,2000,2001,2004,2006,2007,2012,2014
+./contrib/scripts/nanny.pl PERL 2000,2001,2004,2007,2012
+./contrib/scripts/zone-edit.sh.in SH 2010,2012
./contrib/sdb/bdb/README X 2002
./contrib/sdb/bdb/bdb.c X 2002,2011
./contrib/sdb/bdb/bdb.h X 2002
./contrib/sdb/tcl/tcldb.h C 2000,2001,2004,2007
./contrib/sdb/time/timedb.c C 2000,2001,2004,2007,2011
./contrib/sdb/time/timedb.h C 2000,2001,2004,2007
-./contrib/zkt/CHANGELOG X 2008,2009,2010
-./contrib/zkt/LICENSE X 2008
-./contrib/zkt/Makefile.in X 2008,2009,2010
-./contrib/zkt/README X 2008,2009,2010
-./contrib/zkt/README.logging X 2008,2009,2010
-./contrib/zkt/TODO X 2008,2009,2010
-./contrib/zkt/config.h.in X 2008,2009,2010
-./contrib/zkt/config_zkt.h X 2008,2009,2010
-./contrib/zkt/configure X 2008,2009,2010
-./contrib/zkt/configure.ac X 2009,2010
-./contrib/zkt/debug.h X 2008
-./contrib/zkt/dki.c X 2008,2009,2010,2013
-./contrib/zkt/dki.h X 2008,2009,2010
-./contrib/zkt/dnssec-zkt.c X 2008,2009,2010
-./contrib/zkt/doc/KeyRollover.ms X 2009
-./contrib/zkt/doc/rfc5011.txt X 2009
-./contrib/zkt/domaincmp.c X 2008,2010
-./contrib/zkt/domaincmp.h X 2008,2010
-./contrib/zkt/examples/dnssec.conf X 2010
-./contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.key X 2010
-./contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.private X 2010
-./contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.key X 2010
-./contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.private X 2010
-./contrib/zkt/examples/flat/dyn.example.net/zktlog-dyn.example.net. X 2010
-./contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.key X 2010
-./contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.private X 2010
-./contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.key X 2010
-./contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.private X 2010
-./contrib/zkt/examples/flat/example.net/dnssec.conf X 2010
-./contrib/zkt/examples/flat/example.net/z.db X 2010
-./contrib/zkt/examples/flat/example.net/zktlog-example.net. X 2010
-./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.key X 2010
-./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.published X 2010
-./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.key X 2010
-./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.private X 2010
-./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.key X 2010
-./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.private X 2010
-./contrib/zkt/examples/flat/sub.example.net/zktlog-sub.example.net. X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.key X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.published X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.key X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.private X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.key X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.private X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.key X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.private X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.key X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.private X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.key X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.published X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.key X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.private X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.depreciated X 2010
-./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.key X 2010
-./contrib/zkt/examples/hierarchical/log/zktlog-example.de. X 2010
-./contrib/zkt/examples/hierarchical/log/zktlog-sub.example.de. X 2010
-./contrib/zkt/examples/zkt-ls.sh X 2010
-./contrib/zkt/examples/zkt-signer.sh X 2010
-./contrib/zkt/log.c X 2008,2010
-./contrib/zkt/log.h X 2008,2010
-./contrib/zkt/man/dnssec-zkt.8 X 2009
-./contrib/zkt/man/dnssec-zkt.8.pdf X 2009
-./contrib/zkt/man/zkt-conf.8 X 2010
-./contrib/zkt/man/zkt-conf.8.html X 2010
-./contrib/zkt/man/zkt-conf.8.org X 2010
-./contrib/zkt/man/zkt-conf.8.pdf X 2010
-./contrib/zkt/man/zkt-keyman.8 X 2010
-./contrib/zkt/man/zkt-keyman.8.html X 2010
-./contrib/zkt/man/zkt-keyman.8.pdf X 2010
-./contrib/zkt/man/zkt-ls.8 X 2010
-./contrib/zkt/man/zkt-ls.8.html X 2010
-./contrib/zkt/man/zkt-ls.8.pdf X 2010
-./contrib/zkt/man/zkt-signer.8 X 2010
-./contrib/zkt/man/zkt-signer.8.html X 2010
-./contrib/zkt/man/zkt-signer.8.pdf X 2010
-./contrib/zkt/misc.c X 2008,2009,2010
-./contrib/zkt/misc.h X 2008,2009,2010
-./contrib/zkt/ncparse.c X 2008,2009,2010
-./contrib/zkt/ncparse.h X 2008,2009
-./contrib/zkt/nscomm.c X 2009,2010
-./contrib/zkt/nscomm.h X 2009,2010
-./contrib/zkt/rollover.c X 2008,2009,2010
-./contrib/zkt/rollover.h X 2008,2009
-./contrib/zkt/soaserial.c X 2009
-./contrib/zkt/soaserial.h X 2009
-./contrib/zkt/strlist.c X 2008,2009
-./contrib/zkt/strlist.h X 2008
-./contrib/zkt/tags X 2008,2009,2010
-./contrib/zkt/tcap.c X 2010
-./contrib/zkt/tcap.h X 2010
-./contrib/zkt/zconf.c X 2008,2009,2010
-./contrib/zkt/zconf.h X 2008,2009,2010
-./contrib/zkt/zfparse.c X 2010
-./contrib/zkt/zfparse.h X 2010
-./contrib/zkt/zkt-conf.c X 2010
-./contrib/zkt/zkt-keyman.c X 2010
-./contrib/zkt/zkt-ls.c X 2010
-./contrib/zkt/zkt-signer.c X 2010
-./contrib/zkt/zkt-soaserial.c X 2008,2013
-./contrib/zkt/zkt.c X 2008,2009,2010
-./contrib/zkt/zkt.h X 2008
-./contrib/zkt/zone.c X 2008,2009,2010
-./contrib/zkt/zone.h X 2008
-./contrib/zone-edit.sh.in SH 2010,2012
+./contrib/zkt-1.1.2/CHANGELOG X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/LICENSE X 2008,2014
+./contrib/zkt-1.1.2/Makefile.in X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/README X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/README.logging X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/TODO X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/config.h.in X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/config_zkt.h X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/configure X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/configure.ac X 2009,2010,2014
+./contrib/zkt-1.1.2/debug.h X 2008,2014
+./contrib/zkt-1.1.2/dki.c X 2008,2009,2010,2013,2014
+./contrib/zkt-1.1.2/dki.h X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/doc/KeyRollover.ms X 2009,2014
+./contrib/zkt-1.1.2/doc/rfc5011.txt X 2009,2014
+./contrib/zkt-1.1.2/domaincmp.c X 2008,2010,2014
+./contrib/zkt-1.1.2/domaincmp.h X 2008,2010,2014
+./contrib/zkt-1.1.2/examples/dnssec.conf X 2010,2014
+./contrib/zkt-1.1.2/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.key X 2010,2014
+./contrib/zkt-1.1.2/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.private X 2010,2014
+./contrib/zkt-1.1.2/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.key X 2010,2014
+./contrib/zkt-1.1.2/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.private X 2010,2014
+./contrib/zkt-1.1.2/examples/flat/dyn.example.net/zktlog-dyn.example.net. X 2010,2014
+./contrib/zkt-1.1.2/examples/flat/example.net/dnssec.conf X 2010,2014
+./contrib/zkt-1.1.2/examples/flat/example.net/z.db X 2010,2014
+./contrib/zkt-1.1.2/examples/flat/example.net/zktlog-example.net. X 2010,2014
+./contrib/zkt-1.1.2/examples/flat/sub.example.net/zktlog-sub.example.net. X 2010,2014
+./contrib/zkt-1.1.2/examples/hierarchical/log/zktlog-example.de. X 2010,2014
+./contrib/zkt-1.1.2/examples/hierarchical/log/zktlog-sub.example.de. X 2010,2014
+./contrib/zkt-1.1.2/examples/zkt-ls.sh X 2010,2014
+./contrib/zkt-1.1.2/examples/zkt-signer.sh X 2010,2014
+./contrib/zkt-1.1.2/log.c X 2008,2010,2014
+./contrib/zkt-1.1.2/log.h X 2008,2010,2014
+./contrib/zkt-1.1.2/man/dnssec-zkt.8 X 2009,2014
+./contrib/zkt-1.1.2/man/zkt-conf.8 X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-conf.8.html X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-conf.8.org X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-conf.8.pdf X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-keyman.8 X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-keyman.8.html X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-keyman.8.pdf X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-ls.8 X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-ls.8.html X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-ls.8.pdf X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-signer.8 X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-signer.8.html X 2010,2014
+./contrib/zkt-1.1.2/man/zkt-signer.8.pdf X 2010,2014
+./contrib/zkt-1.1.2/misc.c X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/misc.h X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/ncparse.c X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/ncparse.h X 2008,2009,2014
+./contrib/zkt-1.1.2/nscomm.c X 2009,2010,2014
+./contrib/zkt-1.1.2/nscomm.h X 2009,2010,2014
+./contrib/zkt-1.1.2/rollover.c X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/rollover.h X 2008,2009,2014
+./contrib/zkt-1.1.2/soaserial.c X 2009,2014
+./contrib/zkt-1.1.2/soaserial.h X 2009,2014
+./contrib/zkt-1.1.2/strlist.c X 2008,2009,2014
+./contrib/zkt-1.1.2/strlist.h X 2008,2014
+./contrib/zkt-1.1.2/tags X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/tcap.c X 2010,2014
+./contrib/zkt-1.1.2/tcap.h X 2010,2014
+./contrib/zkt-1.1.2/zconf.c X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/zconf.h X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/zfparse.c X 2010,2014
+./contrib/zkt-1.1.2/zfparse.h X 2010,2014
+./contrib/zkt-1.1.2/zkt-conf.c X 2010,2014
+./contrib/zkt-1.1.2/zkt-keyman.c X 2010,2014
+./contrib/zkt-1.1.2/zkt-ls.c X 2010,2014
+./contrib/zkt-1.1.2/zkt-signer.c X 2010,2014
+./contrib/zkt-1.1.2/zkt-soaserial.c X 2008,2013,2014
+./contrib/zkt-1.1.2/zkt.c X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/zkt.h X 2008,2014
+./contrib/zkt-1.1.2/zone.c X 2008,2009,2010,2014
+./contrib/zkt-1.1.2/zone.h X 2008,2014
./doc/Makefile.in MAKE 2000,2001,2004,2005,2006,2007,2012
./doc/arm/Bv9ARM-book.xml SGML 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014
./doc/arm/Bv9ARM.ch01.html X 2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014
projects / thirdparty / bind9.git / commitdiff
