aboutsummaryrefslogtreecommitdiffstats
path: root/dns/bind911
diff options
context:
space:
mode:
authormat <mat@FreeBSD.org>2016-07-04 17:47:25 +0800
committermat <mat@FreeBSD.org>2016-07-04 17:47:25 +0800
commitd86001faa8e6e543a77573b339e895636a2ede9d (patch)
treed06a5bee3625e68355c60162fc55b2398be2aa82 /dns/bind911
parent0cc650e3d0653125cc40daf06b831df547993a83 (diff)
downloadfreebsd-ports-gnome-d86001faa8e6e543a77573b339e895636a2ede9d.tar.gz
freebsd-ports-gnome-d86001faa8e6e543a77573b339e895636a2ede9d.tar.zst
freebsd-ports-gnome-d86001faa8e6e543a77573b339e895636a2ede9d.zip
Introduce BIND9 9.11.0b1. (beta1)
BIND 9.11 brings many changes to BIND, including a new license (the Mozilla Public License 2.0 -- you can read about it here: https://www.isc.org/blogs/bind9-adopts-the-mpl-2-0-license-with-bind-9-11-0/) and many new features, including: - Catalog zones, a new way to provision zones on slave servers - dyndb api, a fast new api enabling BIND to serve zones stored in a database (Developed by Petr Spacek of RedHat) - RNDC showzone, view-only mode and other improvements - dnstap query and response logging (Robert Edmonds is the author of dnstap, see www.dnstap.info) - EDNS Client-subnet (authoritative server functions) - DNSSEC key manager, a new utility (Thanks to Sebastián Castro for helping with development.) - Automatic CDS/CDSKEY generation - Negative Trust Anchors for DNSSEC validators - IPv6 bias to encourage use of IPv6 DNS servers - Minimal response to “any” queries (Thanks to Tony Finch for the contribution) - DNS Cookies are now enabled by default, using the standardized code point Changes: https://lists.isc.org/pipermail/bind-announce/2016-June/000994.html Sponsored by: Absolight
Diffstat (limited to 'dns/bind911')
-rw-r--r--dns/bind911/Makefile304
-rw-r--r--dns/bind911/distinfo3
-rw-r--r--dns/bind911/files/BIND.chroot.dist24
-rw-r--r--dns/bind911/files/BIND.chroot.local.dist20
-rw-r--r--dns/bind911/files/empty.db11
-rw-r--r--dns/bind911/files/extrapatch-bind-min-override-ttl73
-rw-r--r--dns/bind911/files/localhost-forward.db11
-rw-r--r--dns/bind911/files/localhost-reverse.db13
-rw-r--r--dns/bind911/files/named.conf.in360
-rw-r--r--dns/bind911/files/named.in401
-rw-r--r--dns/bind911/files/named.root94
-rw-r--r--dns/bind911/files/patch-bin_tests_system_dlzexternal_Makefile.in11
-rw-r--r--dns/bind911/files/patch-configure90
-rw-r--r--dns/bind911/files/pkg-message.in22
-rw-r--r--dns/bind911/pkg-descr15
-rw-r--r--dns/bind911/pkg-help30
-rw-r--r--dns/bind911/pkg-install32
-rw-r--r--dns/bind911/pkg-plist437
18 files changed, 1951 insertions, 0 deletions
diff --git a/dns/bind911/Makefile b/dns/bind911/Makefile
new file mode 100644
index 000000000000..ab43db04c8a2
--- /dev/null
+++ b/dns/bind911/Makefile
@@ -0,0 +1,304 @@
+# $FreeBSD$
+# pkg-help formatted with fmt 59 63
+
+PORTNAME= bind
+PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/}
+.if defined(BIND_TOOLS_SLAVE)
+# dns/bind-tools here
+PORTREVISION= 0
+.else
+# dns/bind910 here
+PORTREVISION= 0
+.endif
+CATEGORIES= dns net ipv6
+MASTER_SITES= ISC/bind9/${ISCVERSION}
+.if defined(BIND_TOOLS_SLAVE)
+PKGNAMESUFFIX= -tools
+.else
+PKGNAMESUFFIX= 911
+.endif
+DISTNAME= ${PORTNAME}-${ISCVERSION}
+
+MAINTAINER= mat@FreeBSD.org
+.if defined(BIND_TOOLS_SLAVE)
+COMMENT= Command line tools from BIND: delv, dig, host, nslookup...
+.else
+COMMENT= BIND DNS suite with updated DNSSEC and DNS64
+.endif
+
+LICENSE= MPL
+
+# ISC releases things like 9.8.0-P1, which our versioning doesn't like
+ISCVERSION= 9.11.0b1
+
+MAKE_JOBS_UNSAFE= yes
+
+USES= cpe libedit
+
+CPE_VENDOR= isc
+CPE_VERSION= ${ISCVERSION:C/-.*//}
+.if ${ISCVERSION:M*-*}
+CPE_UPDATE= ${ISCVERSION:C/.*-//:tl}
+.endif
+
+LIB_DEPENDS= libxml2.so:textproc/libxml2
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --localstatedir=/var --disable-linux-caps \
+ --disable-symtable \
+ --with-randomdev=/dev/random \
+ --with-libxml2=${LOCALBASE} \
+ --with-readline=-ledit \
+ --with-dlopen=yes \
+ --sysconfdir=${ETCDIR}
+.if defined(BIND_TOOLS_SLAVE)
+CONFIGURE_ARGS+= --disable-shared
+.endif
+ETCDIR= ${PREFIX}/etc/namedb
+
+CONFLICTS+= bind9*-9.[456789].* bind910-* bind9*-sdb-9.[456789].*
+
+.if !defined(BIND_TOOLS_SLAVE)
+SUB_FILES= pkg-message
+.endif
+
+OPTIONS_DEFAULT= SSL THREADS SIGCHASE IDN GSSAPI_NONE
+OPTIONS_DEFINE= IDN LARGE_FILE PYTHON START_LATE \
+ FIXED_RRSET SIGCHASE IPV6 THREADS FILTER_AAAA
+OPTIONS_RADIO= CRYPTO GOSTDEF
+OPTIONS_RADIO_CRYPTO= SSL NATIVE_PKCS11
+OPTIONS_RADIO_GOSTDEF= GOST GOST_ASN1
+
+.if !defined(BIND_TOOLS_SLAVE)
+OPTIONS_DEFAULT+= RRL DLZ_FILESYSTEM
+OPTIONS_DEFINE+= LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS NEWSTATS GEOIP \
+ MINCACHE PORTREVISION FETCHLIMIT QUERYTRACE
+OPTIONS_GROUP= DLZ
+OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \
+ DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB
+.endif # BIND_TOOLS_SLAVE
+OPTIONS_SINGLE= GSSAPI
+OPTIONS_SINGLE_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE
+
+OPTIONS_SUB= yes
+
+SSL_DESC= Build with OpenSSL (Required for DNSSEC)
+LARGE_FILE_DESC= 64-bit file support
+FIXED_RRSET_DESC= Enable fixed rrset ordering
+SIGCHASE_DESC= dig/host/nslookup will do DNSSEC validation
+FILTER_AAAA_DESC= Enable filtering of AAAA records
+CRYPTO_DESC= Choose which crypto engine to use
+NATIVE_PKCS11_DESC= Use PKCS\#11 native API (**READ HELP**)
+GEOIP_DESC= Allow geographically based ACL.
+GOSTDEF_DESC= Enable GOST ciphers, needs SSL (see help on 8 and 9)
+GOST_DESC= GOST raw keys (new default)
+GOST_ASN1_DESC= GOST using ASN.1
+PYTHON_DESC= Build with Python utilities
+START_LATE_DESC= Start BIND late in the boot process
+MINCACHE_DESC= Use the mincachettl patch
+PORTREVISION_DESC= Show PORTREVISION in the version string
+FETCHLIMIT_DESC= Enable the query quotas for resolvers
+QUERYTRACE_DESC= Enable the very verbose query tracelogging
+
+LINKS_DESC= Create conf file symlinks in ${PREFIX}
+NEWSTATS_DESC= Enable alternate xml statistics channel format
+RPZ_NSIP_DESC= Enable RPZ NSIP trigger rules
+RPZ_NSDNAME_DESC= Enable RPZ NSDNAME policy records
+RRL_DESC= Response Rate Limiting
+DLZ_DESC= Dynamically Loadable Zones
+DLZ_POSTGRESQL_DESC= DLZ Postgres driver
+DLZ_MYSQL_DESC= DLZ MySQL driver (no threading)
+DLZ_BDB_DESC= DLZ BDB driver
+DLZ_LDAP_DESC= DLZ LDAP driver
+DLZ_FILESYSTEM_DESC= DLZ filesystem driver
+DLZ_STUB_DESC= DLZ stub driver
+GSSAPI_BASE_DESC= Using Heimdal in base
+GSSAPI_HEIMDAL_DESC= Using security/heimdal
+GSSAPI_MIT_DESC= Using security/krb5
+GSSAPI_NONE_DESC= Disable
+MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl
+FETCHLIMIT_CONFIGURE_ENABLE= fetchlimit
+QUERYTRACE_CONFIGURE_ENABLE= querytrace
+
+.if defined(BIND_TOOLS_SLAVE)
+CONFLICTS+= bind910-9.10.*
+.else
+CONFLICTS+= bind-tools-9.*
+.endif # BIND_TOOLS_SLAVE
+
+SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE}
+SSL_USES= ssl
+SSL_CONFIGURE_OFF= --disable-openssl-version-check --without-openssl
+
+NEWSTATS_CONFIGURE_ENABLE= newstats
+
+IDN_USES= iconv
+IDN_CONFIGURE_ON= --with-idn=${LOCALBASE} ${ICONV_CONFIGURE_BASE}
+IDN_LIB_DEPENDS= libidnkit.so:dns/idnkit
+IDN_CONFIGURE_OFF= --without-idn
+
+LARGE_FILE_CONFIGURE_ENABLE= largefile
+
+SIGCHASE_CONFIGURE_ON= STD_CDEFINES="-DDIG_SIGCHASE=1"
+
+IPV6_CONFIGURE_ENABLE= ipv6
+
+FILTER_AAAA_CONFIGURE_ENABLE= filter-aaaa
+
+NATIVE_PKCS11_CONFIGURE_ENABLE= native-pkcs11
+
+GEOIP_CONFIGURE_WITH= geoip
+GEOIP_LIB_DEPENDS= libGeoIP.so:net/GeoIP
+
+GOST_CONFIGURE_ON= --with-gost
+GOST_ASN1_CONFIGURE_ON= --with-gost=asn1
+
+PYTHON_CONFIGURE_WITH= python=${PYTHON_CMD}
+PYTHON_USES= python
+PYTHON_BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}ply>=0:devel/py-ply
+PYTHON_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}ply>=0:devel/py-ply
+
+DLZ_POSTGRESQL_CONFIGURE_ON= --with-dlz-postgres=yes
+DLZ_POSTGRESQL_USES= pgsql
+
+FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset
+
+RPZ_NSIP_CONFIGURE_ENABLE= rpz-nsip
+
+RPZ_NSDNAME_CONFIGURE_ENABLE= rpz-nsdname
+
+RRL_CONFIGURE_ENABLE= rrl
+
+DLZ_MYSQL_CONFIGURE_ON= --with-dlz-mysql=yes
+DLZ_MYSQL_USES= mysql
+
+DLZ_BDB_CONFIGURE_ON= --with-dlz-bdb=yes
+DLZ_BDB_USES= bdb
+
+DLZ_LDAP_CONFIGURE_ON= --with-dlz-ldap=yes
+DLZ_LDAP_USE= openldap=yes
+
+DLZ_FILESYSTEM_CONFIGURE_ON= --with-dlz-filesystem=yes
+
+DLZ_STUB_CONFIGURE_ON= --with-dlz-stub=yes
+
+START_LATE_SUB_LIST= NAMED_REQUIRE="SERVERS cleanvar" \
+ NAMED_BEFORE="LOGIN"
+START_LATE_SUB_LIST_OFF=NAMED_REQUIRE="NETWORKING ldconfig syslogd" \
+ NAMED_BEFORE="SERVERS"
+
+GSSAPI_BASE_USES= gssapi
+GSSAPI_BASE_CONFIGURE_ON= \
+ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
+GSSAPI_HEIMDAL_USES= gssapi:heimdal
+GSSAPI_HEIMDAL_CONFIGURE_ON= \
+ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
+GSSAPI_MIT_USES= gssapi:mit
+GSSAPI_MIT_CONFIGURE_ON= \
+ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
+GSSAPI_NONE_CONFIGURE_ON= --without-gssapi
+
+.include <bsd.port.options.mk>
+
+.if !${PORT_OPTIONS:MGOST} && !${PORT_OPTIONS:MGOST_ASN1}
+CONFIGURE_ARGS+= --without-gost
+.endif
+
+.if !${PORT_OPTIONS:MLINKS}
+PKGINSTALL=${NONEXISTENT}
+.endif
+
+.if ${PORT_OPTIONS:MTHREADS} && !${PORT_OPTIONS:MDLZ_MYSQL}
+CONFIGURE_ARGS+= --enable-threads
+.else
+CONFIGURE_ARGS+= --disable-threads
+.endif
+
+.if ${OPSYS} == DragonFly || (${OPSYS} == FreeBSD && ${OSVERSION} >= 1000100)
+PKGINSTALL= ${NONEXISTENT}
+PLIST_SUB+= NOBASE="" BASE="@comment "
+SUB_LIST+= NOBASE="" BASE="@comment "
+.if !defined(BIND_TOOLS_SLAVE)
+USE_RC_SUBR+= named
+SUB_FILES+= named.conf
+.endif # !defined(BIND_TOOLS_SLAVE)
+.else
+PLIST_SUB+= NOBASE="@comment " BASE=""
+SUB_LIST+= NOBASE="@comment " BASE=""
+.endif
+
+PKGDEINSTALL= ${PKGINSTALL}
+
+
+PORTDOCS= *
+
+.include <bsd.port.pre.mk>
+
+.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
+BROKEN= OpenSSL from the base system does not support GOST, add \
+ DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
+ that needs SSL.
+.endif
+
+post-patch:
+ @${REINPLACE_CMD} -e 's|readline/readline.h|editline/readline.h|; \
+ s|readline/history.h|histedit.h|' \
+ ${WRKSRC}/bin/dig/nslookup.c ${WRKSRC}/bin/nsupdate/nsupdate.c
+.if defined(BIND_TOOLS_SLAVE)
+ @${REINPLACE_CMD} -e 's#^SUBDIRS.*#SUBDIRS = lib bin#' \
+ -e 's#isc-config.sh installdirs#installdirs#' \
+ -e 's#.*INSTALL.*isc-config.*##' \
+ -e 's#.*INSTALL.*bind.keys.*##' \
+ ${WRKSRC}/Makefile.in
+ @${REINPLACE_CMD} -e 's#^SUBDIRS.*#SUBDIRS = delv dig dnssec nsupdate \\#' \
+ -e 's#^ .*check confgen ##' \
+ ${WRKSRC}/bin/Makefile.in
+.else
+. for FILE in check/named-checkconf.8 named/named.8 nsupdate/nsupdate.1 \
+ rndc/rndc.8
+ @${REINPLACE_CMD} -e 's#/etc/named.conf#${ETCDIR}/named.conf#g' \
+ -e 's#/etc/rndc.conf#${ETCDIR}/rndc.conf#g' \
+ -e "s#/var\/run\/named\/named.pid#/var/run/named/pid#" \
+ ${WRKSRC}/bin/${FILE}
+. endfor
+.endif
+
+.if !defined(BIND_TOOLS_SLAVE)
+.if ${PORTREVISION:N0}
+post-patch-PORTREVISION-on:
+ @${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \
+ ${WRKSRC}/version
+.endif
+
+post-install:
+.if ${PORT_OPTIONS:MDOCS}
+ ${MKDIR} ${STAGEDIR}${DOCSDIR}/arm
+ ${INSTALL_DATA} ${WRKSRC}/doc/arm/*.html ${STAGEDIR}${DOCSDIR}/arm
+ ${INSTALL_DATA} ${WRKSRC}/doc/arm/Bv9ARM.pdf ${STAGEDIR}${DOCSDIR}
+ ${INSTALL_DATA} ${WRKSRC}/CHANGES ${WRKSRC}/COPYRIGHT ${WRKSRC}/FAQ \
+ ${WRKSRC}/HISTORY ${WRKSRC}/README ${STAGEDIR}${DOCSDIR}
+.endif
+
+.if ${OPSYS} == DragonFly || (${OPSYS} == FreeBSD && ${OSVERSION} >= 1000100)
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/mtree
+ ${MKDIR} ${STAGEDIR}${ETCDIR}
+.for i in dynamic master slave working
+ @${MKDIR} ${STAGEDIR}${ETCDIR}/$i
+.endfor
+ ${INSTALL_DATA} ${WRKDIR}/named.conf ${STAGEDIR}${ETCDIR}/named.conf.sample
+ ${INSTALL_DATA} ${FILESDIR}/named.root ${STAGEDIR}${ETCDIR}
+ ${INSTALL_DATA} ${FILESDIR}/empty.db ${STAGEDIR}${ETCDIR}/master
+ ${INSTALL_DATA} ${FILESDIR}/localhost-forward.db ${STAGEDIR}${ETCDIR}/master
+ ${INSTALL_DATA} ${FILESDIR}/localhost-reverse.db ${STAGEDIR}${ETCDIR}/master
+ ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree
+ ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree
+.endif
+ ${INSTALL_DATA} ${WRKSRC}/bin/rndc/rndc.conf \
+ ${STAGEDIR}${ETCDIR}/rndc.conf.sample
+
+# Can't use USE_PYTHON=autoplist
+post-install-PYTHON-on:
+ @${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -type f | ${SED} -e 's|${STAGEDIR}||' >> ${TMPPLIST}
+.endif # BIND_TOOLS_SLAVE
+
+.include <bsd.port.post.mk>
diff --git a/dns/bind911/distinfo b/dns/bind911/distinfo
new file mode 100644
index 000000000000..426daf5ab600
--- /dev/null
+++ b/dns/bind911/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1467624274
+SHA256 (bind-9.11.0b1.tar.gz) = de0f974225dfa8261ab624034cbeef715fe3f767aa3742cd7a2279002399f5d6
+SIZE (bind-9.11.0b1.tar.gz) = 9707184
diff --git a/dns/bind911/files/BIND.chroot.dist b/dns/bind911/files/BIND.chroot.dist
new file mode 100644
index 000000000000..c3863a6a4e7b
--- /dev/null
+++ b/dns/bind911/files/BIND.chroot.dist
@@ -0,0 +1,24 @@
+# $FreeBSD$
+#
+# mtree -deU -f files/BIND.chroot.dist -p tmp
+# mtree -cjnb -k uname,gname,mode -p tmp
+
+/set type=file uname=root gname=wheel mode=0755
+. type=dir
+ dev type=dir mode=0555
+ ..
+ etc type=dir
+ ..
+/set type=file uname=bind gname=bind mode=0755
+ var type=dir uname=root gname=wheel
+ dump type=dir
+ ..
+ log type=dir
+ ..
+ run type=dir
+ named type=dir
+ ..
+ ..
+ stats type=dir
+ ..
+ ..
diff --git a/dns/bind911/files/BIND.chroot.local.dist b/dns/bind911/files/BIND.chroot.local.dist
new file mode 100644
index 000000000000..53b36a87c082
--- /dev/null
+++ b/dns/bind911/files/BIND.chroot.local.dist
@@ -0,0 +1,20 @@
+# $FreeBSD$
+#
+# mtree -deU -f files/BIND.etc.dist -p tmp
+# mtree -cjnb -k uname,gname,mode -p tmp
+
+/set type=file uname=root gname=wheel mode=0755
+. type=dir
+ etc type=dir
+/set type=file uname=bind gname=wheel mode=0755
+ namedb type=dir uname=root
+ dynamic type=dir
+ ..
+ master type=dir uname=root
+ ..
+ slave type=dir
+ ..
+ working type=dir
+ ..
+ ..
+ ..
diff --git a/dns/bind911/files/empty.db b/dns/bind911/files/empty.db
new file mode 100644
index 000000000000..070f6634825a
--- /dev/null
+++ b/dns/bind911/files/empty.db
@@ -0,0 +1,11 @@
+
+; $FreeBSD$
+
+$TTL 3h
+@ SOA @ nobody.localhost. 42 1d 12h 1w 3h
+ ; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+@ NS @
+
+; Silence a BIND warning
+@ A 127.0.0.1
diff --git a/dns/bind911/files/extrapatch-bind-min-override-ttl b/dns/bind911/files/extrapatch-bind-min-override-ttl
new file mode 100644
index 000000000000..b522fea8033f
--- /dev/null
+++ b/dns/bind911/files/extrapatch-bind-min-override-ttl
@@ -0,0 +1,73 @@
+--- bin/named/config.c.orig 2016-06-27 17:38:13 UTC
++++ bin/named/config.c
+@@ -151,6 +151,8 @@ options {\n\
+ lame-ttl 600;\n\
+ servfail-ttl 1;\n\
+ max-ncache-ttl 10800; /* 3 hours */\n\
++ override-cache-ttl 0; /* do not override */\n\
++ min-cache-ttl 0; /* no minimal, zero is allowed */\n\
+ max-cache-ttl 604800; /* 1 week */\n\
+ transfer-format many-answers;\n\
+ max-cache-size 90%;\n\
+--- bin/named/server.c.orig 2016-06-27 17:38:13 UTC
++++ bin/named/server.c
+@@ -3521,6 +3521,16 @@ configure_view(dns_view_t *view, dns_vie
+ }
+
+ obj = NULL;
++ result = ns_config_get(maps, "override-cache-ttl", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ view->overridecachettl = cfg_obj_asuint32(obj);
++
++ obj = NULL;
++ result = ns_config_get(maps, "min-cache-ttl", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ view->mincachettl = cfg_obj_asuint32(obj);
++
++ obj = NULL;
+ result = ns_config_get(maps, "max-cache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->maxcachettl = cfg_obj_asuint32(obj);
+--- lib/dns/include/dns/view.h.orig 2016-06-27 17:38:13 UTC
++++ lib/dns/include/dns/view.h
+@@ -145,6 +145,8 @@ struct dns_view {
+ isc_boolean_t requestnsid;
+ isc_boolean_t sendcookie;
+ dns_ttl_t maxcachettl;
++ dns_ttl_t mincachettl;
++ dns_ttl_t overridecachettl;
+ dns_ttl_t maxncachettl;
+ isc_uint32_t nta_lifetime;
+ isc_uint32_t nta_recheck;
+--- lib/dns/resolver.c.orig 2016-06-27 17:38:13 UTC
++++ lib/dns/resolver.c
+@@ -5431,6 +5431,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
+ }
+
+ /*
++ * Enforce the configure cache TTL override.
++ */
++ if (res->view->overridecachettl)
++ rdataset->ttl = res->view->overridecachettl;
++
++ /*
++ * Enforce the configure minimum cache TTL.
++ */
++ if (rdataset->ttl < res->view->mincachettl)
++ rdataset->ttl = res->view->mincachettl;
++
++ /*
+ * Enforce the configure maximum cache TTL.
+ */
+ if (rdataset->ttl > res->view->maxcachettl)
+--- lib/isccfg/namedconf.c.orig 2016-06-27 17:38:13 UTC
++++ lib/isccfg/namedconf.c
+@@ -1707,6 +1707,8 @@ view_clauses[] = {
+ { "nosit-udp-size", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
+ { "max-acache-size", &cfg_type_sizenodefault, 0 },
+ { "max-cache-size", &cfg_type_sizeorpercent, 0 },
++ { "override-cache-ttl", &cfg_type_uint32, 0 },
++ { "min-cache-ttl", &cfg_type_uint32, 0 },
+ { "max-cache-ttl", &cfg_type_uint32, 0 },
+ { "max-clients-per-query", &cfg_type_uint32, 0 },
+ { "max-ncache-ttl", &cfg_type_uint32, 0 },
diff --git a/dns/bind911/files/localhost-forward.db b/dns/bind911/files/localhost-forward.db
new file mode 100644
index 000000000000..9156d2f09978
--- /dev/null
+++ b/dns/bind911/files/localhost-forward.db
@@ -0,0 +1,11 @@
+
+; $FreeBSD$
+
+$TTL 3h
+localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
+ ; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+ NS localhost.
+
+ A 127.0.0.1
+ AAAA ::1
diff --git a/dns/bind911/files/localhost-reverse.db b/dns/bind911/files/localhost-reverse.db
new file mode 100644
index 000000000000..ceabe059ba77
--- /dev/null
+++ b/dns/bind911/files/localhost-reverse.db
@@ -0,0 +1,13 @@
+
+; $FreeBSD$
+
+$TTL 3h
+@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
+ ; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+ NS localhost.
+
+1.0.0 PTR localhost.
+
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR localhost.
+
diff --git a/dns/bind911/files/named.conf.in b/dns/bind911/files/named.conf.in
new file mode 100644
index 000000000000..a7ab7d7b7ced
--- /dev/null
+++ b/dns/bind911/files/named.conf.in
@@ -0,0 +1,360 @@
+// $FreeBSD$
+//
+// Refer to the named.conf(5) and named(8) man pages, and the documentation
+// in /usr/local/share/doc/bind for more details.
+//
+// If you are going to set up an authoritative server, make sure you
+// understand the hairy details of how DNS works. Even with
+// simple mistakes, you can break connectivity for affected parties,
+// or cause huge amounts of useless Internet traffic.
+
+options {
+ // All file and path names are relative to the chroot directory,
+ // if any, and should be fully qualified.
+ directory "%%ETCDIR%%/working";
+ pid-file "/var/run/named/pid";
+ dump-file "/var/dump/named_dump.db";
+ statistics-file "/var/stats/named.stats";
+
+// If named is being used only as a local resolver, this is a safe default.
+// For named to be accessible to the network, comment this option, specify
+// the proper IP address, or delete this option.
+ listen-on { 127.0.0.1; };
+
+// If you have IPv6 enabled on this system, uncomment this option for
+// use as a local resolver. To give access to the network, specify
+// an IPv6 address, or the keyword "any".
+// listen-on-v6 { ::1; };
+
+// These zones are already covered by the empty zones listed below.
+// If you remove the related empty zones below, comment these lines out.
+ disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+ disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+ disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+
+// If you've got a DNS server around at your upstream provider, enter
+// its IP address here, and enable the line below. This will make you
+// benefit from its cache, thus reduce overall DNS traffic in the Internet.
+/*
+ forwarders {
+ 127.0.0.1;
+ };
+*/
+
+// If the 'forwarders' clause is not empty the default is to 'forward first'
+// which will fall back to sending a query from your local server if the name
+// servers in 'forwarders' do not have the answer. Alternatively you can
+// force your name server to never initiate queries of its own by enabling the
+// following line:
+// forward only;
+
+// If you wish to have forwarding configured automatically based on
+// the entries in /etc/resolv.conf, uncomment the following line and
+// set named_auto_forward=yes in /etc/rc.conf. You can also enable
+// named_auto_forward_only (the effect of which is described above).
+// include "%%ETCDIR%%/auto_forward.conf";
+
+ /*
+ Modern versions of BIND use a random UDP port for each outgoing
+ query by default in order to dramatically reduce the possibility
+ of cache poisoning. All users are strongly encouraged to utilize
+ this feature, and to configure their firewalls to accommodate it.
+
+ AS A LAST RESORT in order to get around a restrictive firewall
+ policy you can try enabling the option below. Use of this option
+ will significantly reduce your ability to withstand cache poisoning
+ attacks, and should be avoided if at all possible.
+
+ Replace NNNNN in the example with a number between 49160 and 65530.
+ */
+ // query-source address * port NNNNN;
+};
+
+// If you enable a local name server, don't forget to enter 127.0.0.1
+// first in your /etc/resolv.conf so this server will be queried.
+// Also, make sure to enable it in /etc/rc.conf.
+
+// The traditional root hints mechanism. Use this, OR the slave zones below.
+zone "." { type hint; file "%%ETCDIR%%/named.root"; };
+
+/* Slaving the following zones from the root name servers has some
+ significant advantages:
+ 1. Faster local resolution for your users
+ 2. No spurious traffic will be sent from your network to the roots
+ 3. Greater resilience to any potential root server failure/DDoS
+
+ On the other hand, this method requires more monitoring than the
+ hints file to be sure that an unexpected failure mode has not
+ incapacitated your server. Name servers that are serving a lot
+ of clients will benefit more from this approach than individual
+ hosts. Use with caution.
+
+ To use this mechanism, uncomment the entries below, and comment
+ the hint zone above.
+
+ As documented at http://dns.icann.org/services/axfr/ these zones:
+ "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
+ are available for AXFR from these servers on IPv4 and IPv6:
+ xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
+*/
+/*
+zone "." {
+ type slave;
+ file "%%ETCDIR%%/slave/root.slave";
+ masters {
+ 192.5.5.241; // F.ROOT-SERVERS.NET.
+ };
+ notify no;
+};
+zone "arpa" {
+ type slave;
+ file "%%ETCDIR%%/slave/arpa.slave";
+ masters {
+ 192.5.5.241; // F.ROOT-SERVERS.NET.
+ };
+ notify no;
+};
+*/
+
+/* Serving the following zones locally will prevent any queries
+ for these zones leaving your network and going to the root
+ name servers. This has two significant advantages:
+ 1. Faster local resolution for your users
+ 2. No spurious traffic will be sent from your network to the roots
+*/
+// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
+zone "localhost" { type master; file "%%ETCDIR%%/master/localhost-forward.db"; };
+zone "127.in-addr.arpa" { type master; file "%%ETCDIR%%/master/localhost-reverse.db"; };
+zone "255.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
+zone "0.ip6.arpa" { type master; file "%%ETCDIR%%/master/localhost-reverse.db"; };
+
+// "This" Network (RFCs 1912, 5735 and 6303)
+zone "0.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// Private Use Networks (RFCs 1918, 5735 and 6303)
+zone "10.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "16.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "17.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "18.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "19.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "20.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "21.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "22.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "23.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "24.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "25.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "26.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "27.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "28.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "29.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "30.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "31.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "168.192.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// Shared Address Space (RFC 6598)
+zone "64.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "65.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "66.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "67.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "68.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "69.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "70.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "71.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "72.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "73.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "74.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "75.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "76.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "77.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "78.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "79.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "80.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "81.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "82.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "83.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "84.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "85.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "86.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "87.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "88.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "89.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "90.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "91.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "92.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "93.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "94.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "95.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "96.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "97.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "98.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "99.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "100.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "101.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "102.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "103.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "104.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "105.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "106.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "107.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "108.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "109.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "110.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "111.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "112.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "113.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "114.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "115.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "116.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "117.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "118.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "119.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "120.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "121.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "122.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "123.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "124.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "125.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "126.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "127.100.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// Link-local/APIPA (RFCs 3927, 5735 and 6303)
+zone "254.169.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// IETF protocol assignments (RFCs 5735 and 5736)
+zone "0.0.192.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303)
+zone "2.0.192.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "100.51.198.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "113.0.203.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// IPv6 Example Range for Documentation (RFCs 3849 and 6303)
+zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// Domain Names for Documentation and Testing (BCP 32)
+zone "test" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "example" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "invalid" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "example.com" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "example.net" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "example.org" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// Router Benchmark Testing (RFCs 2544 and 5735)
+zone "18.198.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "19.198.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// IANA Reserved - Old Class E Space (RFC 5735)
+zone "240.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "241.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "242.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "243.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "244.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "245.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "246.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "247.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "248.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "249.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "250.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "251.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "252.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "253.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "254.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// IPv6 Unassigned Addresses (RFC 4291)
+zone "1.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "3.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "4.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "5.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "6.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "7.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "8.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "9.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "a.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "b.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "c.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "d.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "e.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "0.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "1.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "2.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "3.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "4.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "5.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "6.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "7.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "8.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "9.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "a.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "b.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "0.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "1.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "2.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "3.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "4.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "5.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "6.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "7.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// IPv6 ULA (RFCs 4193 and 6303)
+zone "c.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "d.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// IPv6 Link Local (RFCs 4291 and 6303)
+zone "8.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "9.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "a.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "b.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
+zone "c.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "d.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "e.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "f.e.f.ip6.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// IP6.INT is Deprecated (RFC 4159)
+zone "ip6.int" { type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// NB: Do not use the IP addresses below, they are faked, and only
+// serve demonstration/documentation purposes!
+//
+// Example slave zone config entries. It can be convenient to become
+// a slave at least for the zone your own domain is in. Ask
+// your network administrator for the IP address of the responsible
+// master name server.
+//
+// Do not forget to include the reverse lookup zone!
+// This is named after the first bytes of the IP address, in reverse
+// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
+//
+// Before starting to set up a master zone, make sure you fully
+// understand how DNS and BIND work. There are sometimes
+// non-obvious pitfalls. Setting up a slave zone is usually simpler.
+//
+// NB: Don't blindly enable the examples below. :-) Use actual names
+// and addresses instead.
+
+/* An example dynamic zone
+key "exampleorgkey" {
+ algorithm hmac-md5;
+ secret "sf87HJqjkqh8ac87a02lla==";
+};
+zone "example.org" {
+ type master;
+ allow-update {
+ key "exampleorgkey";
+ };
+ file "%%ETCDIR%%/dynamic/example.org";
+};
+*/
+
+/* Example of a slave reverse zone
+zone "1.168.192.in-addr.arpa" {
+ type slave;
+ file "%%ETCDIR%%/slave/1.168.192.in-addr.arpa";
+ masters {
+ 192.168.1.1;
+ };
+};
+*/
diff --git a/dns/bind911/files/named.in b/dns/bind911/files/named.in
new file mode 100644
index 000000000000..5d5f92b45f84
--- /dev/null
+++ b/dns/bind911/files/named.in
@@ -0,0 +1,401 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: named
+# REQUIRE: %%NAMED_REQUIRE%%
+# BEFORE: %%NAMED_BEFORE%%
+# KEYWORD: shutdown
+
+#
+# Add the following lines to /etc/rc.conf to enable BIND:
+# named_enable (bool): Run named, the DNS server (or NO).
+# named_program (str): Path to named, if you want a different one.
+# named_conf (str): Path to the configuration file
+# named_flags (str): Use this for flags OTHER than -u and -c
+# named_uid (str): User to run named as
+# named_chrootdir (str): Chroot directory (or "" not to auto-chroot it)
+# Historically, was /var/named
+# named_chroot_autoupdate (bool): Automatically install/update chrooted
+# components of named.
+# named_symlink_enable (bool): Symlink the chrooted pid file
+# named_wait (bool): Wait for working name service before exiting
+# named_wait_host (str): Hostname to check if named_wait is enabled
+# named_auto_forward (str): Set up forwarders from /etc/resolv.conf
+# named_auto_forward_only (str): Do "forward only" instead of "forward first"
+%%NATIVE_PKCS11%%# named_pkcs11_engine (str): Path to the PKCS#11 library to use.
+#
+
+. /etc/rc.subr
+
+name=named
+desc="named BIND startup script"
+rcvar=named_enable
+
+load_rc_config ${name}
+
+extra_commands=reload
+
+start_precmd=named_prestart
+start_postcmd=named_poststart
+reload_cmd=named_reload
+stop_cmd=named_stop
+stop_postcmd=named_poststop
+
+named_enable=${named_enable:-"NO"}
+named_program=${named_program:-"%%PREFIX%%/sbin/named"}
+named_conf=${named_conf:-"%%ETCDIR%%/named.conf"}
+named_flags=${named_flags:-""}
+named_uid=${named_uid:-"bind"}
+named_chrootdir=${named_chrootdir:-""}
+named_chroot_autoupdate=${named_chroot_autoupdate:-"YES"}
+named_symlink_enable=${named_symlink_enable:-"YES"}
+named_wait=${named_wait:-"NO"}
+named_wait_host=${named_wait_host:-"localhost"}
+named_auto_forward=${named_auto_forward:-"NO"}
+named_auto_forward_only=${named_auto_forward_only:-"NO"}
+%%NATIVE_PKCS11%%named_pkcs11_engine=${named_pkcs11_engine:-""}
+
+# Not configuration variables but having them here keeps rclint happy
+required_dirs="${named_chrootdir}"
+_named_confdirroot="${named_conf%/*}"
+_named_confdir="${named_chrootdir}${_named_confdirroot}"
+_named_program_root="${named_program%/sbin/named}"
+_openssl_engines="%%LOCALBASE%%/lib/engines"
+
+# Needed if named.conf and rndc.conf are moved or if rndc.conf is used
+rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"}
+rndc_key=${rndc_key:-"$_named_confdir/rndc.key"}
+
+# If running in a chroot cage, ensure that the appropriate files
+# exist inside the cage, as well as helper symlinks into the cage
+# from outside.
+#
+# As this is called after the is_running and required_dir checks
+# are made in run_rc_command(), we can safely assume ${named_chrootdir}
+# exists and named isn't running at this point (unless forcestart
+# is used).
+#
+chroot_autoupdate()
+{
+ local file
+
+ # If it's the first time around, fiddle with things and move the
+ # current configuration to the chroot.
+ if [ -d ${_named_confdirroot} -a ! -d ${_named_confdir} ]; then
+ warn "named chroot: Moving current configuration in the chroot!"
+ install -d ${_named_confdir%/*}
+ mv ${_named_confdirroot} ${_named_confdir}
+ fi
+
+ # Create (or update) the chroot directory structure
+ #
+ if [ -r %%PREFIX%%/etc/mtree/BIND.chroot.dist ]; then
+ mtree -deU -f %%PREFIX%%/etc/mtree/BIND.chroot.dist \
+ -p ${named_chrootdir}
+ else
+ warn "%%PREFIX%%/etc/mtree/BIND.chroot.dist missing,"
+ warn "${named_chrootdir} directory structure not updated"
+ fi
+ if [ -r %%PREFIX%%/etc/mtree/BIND.chroot.local.dist ]; then
+ mkdir -p ${named_chrootdir}%%PREFIX%%
+ mtree -deU -f %%PREFIX%%/etc/mtree/BIND.chroot.local.dist \
+ -p ${named_chrootdir}%%PREFIX%%
+ else
+ warn "%%PREFIX%%/etc/mtree/BIND.chroot.local.dist missing,"
+ warn "${named_chrootdir}%%PREFIX%% directory structure not updated"
+ fi
+
+ # Create (or update) the configuration directory symlink
+ #
+ if [ ! -L "${_named_confdirroot}" ]; then
+ if [ -d "${_named_confdirroot}" ]; then
+ warn "named chroot: ${_named_confdirroot} is a directory!"
+ elif [ -e "${_named_confdirroot}" ]; then
+ warn "named chroot: ${_named_confdirroot} exists!"
+ else
+ ln -s ${_named_confdir} ${_named_confdirroot}
+ fi
+ else
+ # Make sure it points to the right place.
+ ln -shf ${_named_confdir} ${_named_confdirroot}
+ fi
+
+ # Mount a devfs in the chroot directory if needed
+ #
+ if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
+ umount ${named_chrootdir}/dev 2>/dev/null
+ devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
+ devfs -m ${named_chrootdir}/dev rule apply path null unhide
+ devfs -m ${named_chrootdir}/dev rule apply path random unhide
+ else
+ if [ -c ${named_chrootdir}/dev/null -a \
+ -c ${named_chrootdir}/dev/random ]; then
+ info "named chroot: using pre-mounted devfs."
+ else
+ err 1 "named chroot: devfs cannot be mounted from " \
+ "within a jail. Thus a chrooted named cannot " \
+ "be run from within a jail. Either mount the " \
+ "devfs with null and random from the host, or " \
+ "run named without chrooting it, set " \
+ "named_chrootdir=\"\" in /etc/rc.conf."
+ fi
+ fi
+
+ # If OpenSSL from ports, then the engines should be present in the
+ # chroot, named loads them after chrooting.
+ if [ -d ${_openssl_engines} ]; then
+ # FIXME when 8.4 is gone see if
+ # security.jail.param.allow.mount.nullfs can be used.
+ if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then
+ mkdir -p ${named_chrootdir}${_openssl_engines}
+ mount -t nullfs ${_openssl_engines} ${named_chrootdir}${_openssl_engines}
+ else
+ warn "named chroot: cannot nullfs mount OpenSSL" \
+ "engines into the chroot, will copy the shared" \
+ "libraries instead."
+ mkdir -p ${named_chrootdir}${_openssl_engines}
+ cp -f ${_openssl_engines}/*.so ${named_chrootdir}${_openssl_engines}
+ fi
+ fi
+
+ # Copy and/or update key files to the chroot /etc
+ #
+ for file in localtime protocols services; do
+ if [ -r /etc/${file} ] && \
+ ! cmp -s /etc/${file} "${named_chrootdir}/etc/${file}"; then
+ cp -p /etc/${file} "${named_chrootdir}/etc/${file}"
+ fi
+ done
+}
+
+# Make symlinks to the correct pid file
+#
+make_symlinks()
+{
+ checkyesno named_symlink_enable &&
+ ln -fs "${named_chrootdir}${pidfile}" ${pidfile}
+}
+
+named_poststart()
+{
+ make_symlinks
+
+ if checkyesno named_wait; then
+ until ${_named_program_root}/bin/host ${named_wait_host} >/dev/null 2>&1; do
+ echo " Waiting for nameserver to resolve ${named_wait_host}"
+ sleep 1
+ done
+ fi
+}
+
+named_reload()
+{
+ # This is a one line function, but ${named_program} is not defined early
+ # enough to be there when the reload_cmd variable is defined up there.
+ ${_named_program_root}/sbin/rndc ${rndc_flags} reload
+}
+
+find_pidfile()
+{
+ if get_pidfile_from_conf pid-file ${named_conf}; then
+ pidfile="${_pidfile_from_conf}"
+ else
+ pidfile="/var/run/named/pid"
+ fi
+}
+
+named_stop()
+{
+ find_pidfile
+
+ # This duplicates an undesirably large amount of code from the stop
+ # routine in rc.subr in order to use rndc to shut down the process,
+ # and to give it a second chance in case rndc fails.
+ rc_pid=$(check_pidfile ${pidfile} ${command})
+ if [ -z "${rc_pid}" ]; then
+ [ -n "${rc_fast}" ] && return 0
+ _run_rc_notrunning
+ return 1
+ fi
+ echo 'Stopping named.'
+ if ${_named_program_root}/sbin/rndc ${rndc_flags} stop 2>/dev/null; then
+ wait_for_pids ${rc_pid}
+ else
+ echo -n 'rndc failed, trying kill: '
+ kill -TERM ${rc_pid}
+ wait_for_pids ${rc_pid}
+ fi
+}
+
+named_poststop()
+{
+ if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
+ # if using OpenSSL from ports, unmount OpenSSL engines, if they
+ # were not mounted but only copied, do nothing.
+ if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then
+ umount ${named_chrootdir}${_openssl_engines}
+ fi
+ # unmount /dev
+ if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
+ umount ${named_chrootdir}/dev 2>/dev/null || true
+ else
+ warn "named chroot:" \
+ "cannot unmount devfs from inside jail!"
+ fi
+ fi
+}
+
+create_file()
+{
+ if [ -e "$1" ]; then
+ unlink $1
+ fi
+ install -o root -g wheel -m 0644 /dev/null $1
+}
+
+named_prestart()
+{
+ find_pidfile
+
+ if [ -n "${named_pidfile}" ]; then
+ warn 'named_pidfile: now determined from the conf file'
+ fi
+
+ piddir=`/usr/bin/dirname ${pidfile}`
+ if [ ! -d ${piddir} ]; then
+ install -d -o ${named_uid} -g ${named_uid} ${piddir}
+ fi
+
+ command_args="-u ${named_uid:=root} -c ${named_conf} ${command_args}"
+
+ if [ -z "${rndc_flags}" ]; then
+ if [ -s ${rndc_conf} ] ; then
+ rndc_flags="-c ${rndc_conf}"
+ elif [ -s ${rndc_key} ] ; then
+ rndc_flags="-k ${rndc_key}"
+ else
+ rndc_flags=""
+ fi
+ fi
+
+%%NATIVE_PKCS11%% if [ -z "${named_pkcs11_engine}"]; then
+%%NATIVE_PKCS11%% err 3 "named_pkcs11_engine has to be set to the PKCS#11 engine's library you want to use"
+%%NATIVE_PKCS11%% elif [ ! -f ${named_pkcs11_engine} ]; then
+%%NATIVE_PKCS11%% err 3 "named_pkcs11_engine the PKCS#11 engine's library you want to use doesn't exist"
+%%NATIVE_PKCS11%% else
+%%NATIVE_PKCS11%% mkdir -p ${named_chrootdir}${named_pkcs11_engine%/*}
+%%NATIVE_PKCS11%% cp -p ${named_pkcs11_engine} ${named_chrootdir}${named_pkcs11_engine}
+%%NATIVE_PKCS11%% command_args="-E ${named_pkcs11_engine} ${command_args}"
+%%NATIVE_PKCS11%% fi
+
+ local line nsip firstns
+
+ # Is the user using a sandbox?
+ #
+ if [ -n "${named_chrootdir}" ]; then
+ rc_flags="${rc_flags} -t ${named_chrootdir}"
+ checkyesno named_chroot_autoupdate && chroot_autoupdate
+ else
+ named_symlink_enable=NO
+ fi
+
+ # Create an rndc.key file for the user if none exists
+ #
+ confgen_command="${_named_program_root}/sbin/rndc-confgen -a -b256 -u ${named_uid} \
+ -c ${_named_confdir}/rndc.key"
+ if [ -s "${_named_confdir}/rndc.conf" ]; then
+ unset confgen_command
+ fi
+ if [ -s "${_named_confdir}/rndc.key" ]; then
+ case `stat -f%Su ${_named_confdir}/rndc.key` in
+ root|${named_uid}) ;;
+ *) ${confgen_command} ;;
+ esac
+ else
+ ${confgen_command}
+ fi
+
+ local checkconf
+
+ checkconf="${_named_program_root}/sbin/named-checkconf"
+ if ! checkyesno named_chroot_autoupdate && [ -n "${named_chrootdir}" ]; then
+ checkconf="${checkconf} -t ${named_chrootdir}"
+ fi
+
+ # Create a forwarder configuration based on /etc/resolv.conf
+ if checkyesno named_auto_forward; then
+ if [ ! -s /etc/resolv.conf ]; then
+ warn "named_auto_forward enabled, but no /etc/resolv.conf"
+
+ # Empty the file in case it is included in named.conf
+ [ -s "${_named_confdir}/auto_forward.conf" ] &&
+ create_file ${_named_confdir}/auto_forward.conf
+
+ ${checkconf} ${named_conf} ||
+ err 3 'named-checkconf for ${named_conf} failed'
+ return
+ fi
+
+ create_file /var/run/naf-resolv.conf
+ create_file /var/run/auto_forward.conf
+
+ echo ' forwarders {' > /var/run/auto_forward.conf
+
+ while read line; do
+ case "${line}" in
+ 'nameserver '*|'nameserver '*)
+ nsip=${line##nameserver[ ]}
+
+ if [ -z "${firstns}" ]; then
+ if [ ! "${nsip}" = '127.0.0.1' ]; then
+ echo 'nameserver 127.0.0.1'
+ echo " ${nsip};" >> /var/run/auto_forward.conf
+ fi
+
+ firstns=1
+ else
+ [ "${nsip}" = '127.0.0.1' ] && continue
+ echo " ${nsip};" >> /var/run/auto_forward.conf
+ fi
+ ;;
+ esac
+
+ echo ${line}
+ done < /etc/resolv.conf > /var/run/naf-resolv.conf
+
+ echo ' };' >> /var/run/auto_forward.conf
+ echo '' >> /var/run/auto_forward.conf
+ if checkyesno named_auto_forward_only; then
+ echo " forward only;" >> /var/run/auto_forward.conf
+ else
+ echo " forward first;" >> /var/run/auto_forward.conf
+ fi
+
+ if cmp -s /etc/resolv.conf /var/run/naf-resolv.conf; then
+ unlink /var/run/naf-resolv.conf
+ else
+ [ -e /etc/resolv.conf ] && unlink /etc/resolv.conf
+ mv /var/run/naf-resolv.conf /etc/resolv.conf
+ fi
+
+ if cmp -s ${_named_confdir}/auto_forward.conf \
+ /var/run/auto_forward.conf; then
+ unlink /var/run/auto_forward.conf
+ else
+ [ -e "${_named_confdir}/auto_forward.conf" ] &&
+ unlink ${_named_confdir}/auto_forward.conf
+ mv /var/run/auto_forward.conf \
+ ${_named_confdir}/auto_forward.conf
+ fi
+ else
+ # Empty the file in case it is included in named.conf
+ [ -s "${_named_confdir}/auto_forward.conf" ] &&
+ create_file ${_named_confdir}/auto_forward.conf
+ fi
+
+ ${checkconf} ${named_conf} || err 3 "named-checkconf for ${named_conf} failed"
+}
+
+run_rc_command "$1"
diff --git a/dns/bind911/files/named.root b/dns/bind911/files/named.root
new file mode 100644
index 000000000000..21ec7ca71f9b
--- /dev/null
+++ b/dns/bind911/files/named.root
@@ -0,0 +1,94 @@
+;
+; $FreeBSD$
+;
+
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . <file>"
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: March 23, 2016
+; related version of root zone: 2016032301
+;
+; formerly NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
+B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of file
diff --git a/dns/bind911/files/patch-bin_tests_system_dlzexternal_Makefile.in b/dns/bind911/files/patch-bin_tests_system_dlzexternal_Makefile.in
new file mode 100644
index 000000000000..8d9fcefc5c53
--- /dev/null
+++ b/dns/bind911/files/patch-bin_tests_system_dlzexternal_Makefile.in
@@ -0,0 +1,11 @@
+--- bin/tests/system/dlzexternal/Makefile.in.orig 2016-06-27 17:38:13 UTC
++++ bin/tests/system/dlzexternal/Makefile.in
+@@ -35,7 +35,7 @@ OBJS = ${DLOPENOBJS}
+ @BIND9_MAKE_RULES@
+
+ CFLAGS = @CFLAGS@ @SO_CFLAGS@
+-SO_LDFLAGS = @LDFLAGS@ @SO_LDFLAGS@
++SO_LDFLAGS = @SO_LDFLAGS@
+
+ dlopen@EXEEXT@: ${DLOPENOBJS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
diff --git a/dns/bind911/files/patch-configure b/dns/bind911/files/patch-configure
new file mode 100644
index 000000000000..a501f24472ca
--- /dev/null
+++ b/dns/bind911/files/patch-configure
@@ -0,0 +1,90 @@
+--- configure.orig 2016-06-27 17:38:13 UTC
++++ configure
+@@ -14205,27 +14205,9 @@ done
+ # problems start to show up.
+ saved_libs="$LIBS"
+ for TRY_LIBS in \
+- "-lgssapi_krb5" \
+- "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+- "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+- "-lgssapi" \
+- "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+- "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+- "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+- "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+- "-lgss -lkrb5"
++ "$($KRB5CONFIG gssapi --libs)"; \
+ do
+- # Note that this does not include $saved_libs, because
+- # on FreeBSD machines this configure script has added
+- # -L/usr/local/lib to LIBS, which can make the
+- # -lgssapi_krb5 test succeed with shared libraries even
+- # when you are trying to build with KTH in /usr/lib.
+- if test "$use_gssapi" = "/usr"
+- then
+- LIBS="$TRY_LIBS"
+- else
+- LIBS="-L$use_gssapi/lib $TRY_LIBS"
+- fi
++ LIBS="$TRY_LIBS"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
+ $as_echo_n "checking linking as $TRY_LIBS... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+@@ -14268,47 +14250,7 @@ $as_echo "no" >&6; } ;;
+ no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
+ esac
+
+- #
+- # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
+- # but MIT in /usr/local/lib and trying to build with KTH.
+- # /usr/local/lib can end up earlier on the link lines.
+- # Like most kludges, this one is not only inelegant it
+- # is also likely to be the wrong thing to do at least as
+- # many times as it is the right thing. Something better
+- # needs to be done.
+- #
+- if test "$use_gssapi" = "/usr" -a \
+- -f /usr/local/lib/libkrb5.a; then
+- FIX_KTH_VS_MIT=yes
+- fi
+-
+- case "$FIX_KTH_VS_MIT" in
+- yes)
+- case "$enable_static_linking" in
+- yes) gssapi_lib_suffix=".a" ;;
+- *) gssapi_lib_suffix=".so" ;;
+- esac
+-
+- for lib in $LIBS; do
+- case $lib in
+- -L*)
+- ;;
+- -l*)
+- new_lib=`echo $lib |
+- sed -e s%^-l%$use_gssapi/lib/lib% \
+- -e s%$%$gssapi_lib_suffix%`
+- NEW_LIBS="$NEW_LIBS $new_lib"
+- ;;
+- *)
+- as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5
+- ;;
+- esac
+- done
+- LIBS="$NEW_LIBS"
+- ;;
+- esac
+-
+- DST_GSSAPI_INC="-I$use_gssapi/include"
++ DST_GSSAPI_INC="$($KRB5CONFIG gssapi --cflags)"
+ DNS_GSSAPI_LIBS="$LIBS"
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
+@@ -22147,7 +22089,7 @@ $as_echo "" >&6; }
+ # Check other locations for includes.
+ # Order is important (sigh).
+
+- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
++ bdb_incdirs="/db6 /db5 /db48"
+ # include a blank element first
+ for d in "" $bdb_incdirs
+ do
diff --git a/dns/bind911/files/pkg-message.in b/dns/bind911/files/pkg-message.in
new file mode 100644
index 000000000000..8a62d5c244a3
--- /dev/null
+++ b/dns/bind911/files/pkg-message.in
@@ -0,0 +1,22 @@
+**********************************************************************
+* _ _____ _____ _____ _ _ _____ ___ ___ _ _ *
+* / \|_ _|_ _| ____| \ | |_ _|_ _/ _ \| \ | | *
+* / _ \ | | | | | _| | \| | | | | | | | | \| | *
+* / ___ \| | | | | |___| |\ | | | | | |_| | |\ | *
+* /_/ \_\_| |_| |_____|_| \_| |_| |___\___/|_| \_| *
+* *
+* BIND requires configuration of rndc, including a "secret" key. *
+* The easiest, and most secure way to configure rndc is to run *
+* 'rndc-confgen -a' to generate the proper conf file, with a new *
+* random key, and appropriate file permissions. *
+* *
+%%NOBASE%%* The %%PREFIX%%/etc/rc.d/named script will do that for you. *
+%%BASE%%* The /etc/rc.d/named script in the base will do that for you. *
+%%BASE%%* *
+%%BASE%%* You will need to make sure that you have the following line *
+%%BASE%%* in your /etc/rc.conf in order to have the startup script *
+%%BASE%%* run the named version from the port: *
+%%BASE%%* *
+%%BASE%%* named_program="%%PREFIX%%/sbin/named" *
+* *
+**********************************************************************
diff --git a/dns/bind911/pkg-descr b/dns/bind911/pkg-descr
new file mode 100644
index 000000000000..c1b342a73548
--- /dev/null
+++ b/dns/bind911/pkg-descr
@@ -0,0 +1,15 @@
+BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
+architecture. Some of the important features of BIND 9 are:
+
+DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
+IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
+ Experimental IPv6 Resolver Library
+DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
+ Improved standards conformance
+Views: One server process can provide multiple "views" of the DNS namespace,
+ e.g. an "inside" view to certain clients, and an "outside" view to others.
+Multiprocessor Support
+
+See the CHANGES file for more information on new features.
+
+WWW: https://www.isc.org/software/bind
diff --git a/dns/bind911/pkg-help b/dns/bind911/pkg-help
new file mode 100644
index 000000000000..aa85330b21d7
--- /dev/null
+++ b/dns/bind911/pkg-help
@@ -0,0 +1,30 @@
+ NATIVE_PKCS11
+When using the NATIVE_PKCS11 option, BIND will use the PKCS#11
+engine specified by the named_pkcss11_engine variable in
+/etc/rc.conf for *all* crypto operations.
+
+This is primarily intended to be used in an authoritative
+case.
+
+If BIND is also operating as a validating resolver,
+NATIVE_PKCS11 should not be used, because the HSM will be
+used for all crypto, including DNSSEC validations, and the
+HSM is likely to be slower than the CPU for this purpose.
+Additionally, the HSM might not support all of the PKCS#11
+API functions needed for signature verification.
+
+
+ GOST
+If using a chrooted instance of BIND on FreeBSD 8.x and 9.x,
+the OpenSSL engines MUST be accessible from within the chroot.
+If BIND is chrooted in /var/named, this can be achieved by
+either copying content of /usr/local/lib/engines into
+/var/named/usr/local/lib/engines, or by creating that directory
+and adding this line to /etc/fstab:
+/usr/local/lib/engines /var/named/usr/local/lib/engines nullfs ro 0 0
+
+
+ START_LATE
+Most of the time, BIND needs to start early in the boot
+process. Enable this if BIND starts too early for you and
+you need it to start later.
diff --git a/dns/bind911/pkg-install b/dns/bind911/pkg-install
new file mode 100644
index 000000000000..12b2f98aaf25
--- /dev/null
+++ b/dns/bind911/pkg-install
@@ -0,0 +1,32 @@
+#!/bin/sh
+# ex:sw=8 sts=8
+
+if [ "$2" = 'POST-INSTALL' ]
+then
+ /bin/mkdir -p /var/named${PKG_PREFIX}/etc/namedb
+fi
+
+for DIR in ${PKG_PREFIX}/etc/namedb /var/named${PKG_PREFIX}/etc/namedb; do
+ for FILE in named.conf rndc.conf rndc.key; do
+ if [ "$2" = 'POST-INSTALL' ]
+ then
+ if [ -e ${PKG_PREFIX}/etc/${FILE} ]
+ then
+ /bin/cp -a ${PKG_PREFIX}/etc/${FILE} ${DIR}/${FILE}
+ else
+ /bin/ln -sf /etc/namedb/${FILE} ${DIR}/${FILE}
+ fi
+ fi
+ if [ "$2" = 'POST-DEINSTALL' ]
+ then
+ [ -L ${DIR}/${FILE} ] && rm -f ${DIR}/${FILE}
+ fi
+ done
+done
+
+if [ "$2" = 'POST-DEINSTALL' ]
+then
+ cd /var/named && /bin/rmdir -p ./${PKG_PREFIX}/etc/namedb > /dev/null 2>&1 || :
+fi
+
+exit 0
diff --git a/dns/bind911/pkg-plist b/dns/bind911/pkg-plist
new file mode 100644
index 000000000000..03d26fc1dacb
--- /dev/null
+++ b/dns/bind911/pkg-plist
@@ -0,0 +1,437 @@
+bin/bind9-config
+bin/delv
+bin/dig
+bin/host
+bin/isc-config.sh
+bin/mdig
+bin/nslookup
+bin/nsupdate
+include/bind9/check.h
+include/bind9/getaddresses.h
+include/bind9/version.h
+include/dns/acache.h
+include/dns/acl.h
+include/dns/adb.h
+include/dns/badcache.h
+include/dns/bit.h
+include/dns/byaddr.h
+include/dns/cache.h
+include/dns/callbacks.h
+include/dns/catz.h
+include/dns/cert.h
+include/dns/client.h
+include/dns/clientinfo.h
+include/dns/compress.h
+include/dns/db.h
+include/dns/dbiterator.h
+include/dns/dbtable.h
+include/dns/diff.h
+include/dns/dispatch.h
+include/dns/dlz.h
+include/dns/dlz_dlopen.h
+include/dns/dns64.h
+include/dns/dnssec.h
+include/dns/dnstap.h
+include/dns/ds.h
+include/dns/dsdigest.h
+include/dns/dyndb.h
+include/dns/ecdb.h
+include/dns/edns.h
+include/dns/enumclass.h
+include/dns/enumtype.h
+include/dns/events.h
+include/dns/fixedname.h
+include/dns/forward.h
+include/dns/geoip.h
+include/dns/ipkeylist.h
+include/dns/iptable.h
+include/dns/journal.h
+include/dns/keydata.h
+include/dns/keyflags.h
+include/dns/keytable.h
+include/dns/keyvalues.h
+include/dns/lib.h
+include/dns/log.h
+include/dns/lookup.h
+include/dns/master.h
+include/dns/masterdump.h
+include/dns/message.h
+include/dns/name.h
+include/dns/ncache.h
+include/dns/nsec.h
+include/dns/nsec3.h
+include/dns/nta.h
+include/dns/opcode.h
+include/dns/order.h
+include/dns/peer.h
+include/dns/portlist.h
+include/dns/private.h
+include/dns/rbt.h
+include/dns/rcode.h
+include/dns/rdata.h
+include/dns/rdataclass.h
+include/dns/rdatalist.h
+include/dns/rdataset.h
+include/dns/rdatasetiter.h
+include/dns/rdataslab.h
+include/dns/rdatastruct.h
+include/dns/rdatatype.h
+include/dns/request.h
+include/dns/resolver.h
+include/dns/result.h
+include/dns/rootns.h
+include/dns/rpz.h
+include/dns/rriterator.h
+include/dns/rrl.h
+include/dns/sdb.h
+include/dns/sdlz.h
+include/dns/secalg.h
+include/dns/secproto.h
+include/dns/soa.h
+include/dns/ssu.h
+include/dns/stats.h
+include/dns/tcpmsg.h
+include/dns/time.h
+include/dns/timer.h
+include/dns/tkey.h
+include/dns/tsec.h
+include/dns/tsig.h
+include/dns/ttl.h
+include/dns/types.h
+include/dns/update.h
+include/dns/validator.h
+include/dns/version.h
+include/dns/view.h
+include/dns/xfrin.h
+include/dns/zone.h
+include/dns/zonekey.h
+include/dns/zt.h
+include/dst/dst.h
+include/dst/gssapi.h
+include/dst/lib.h
+include/dst/result.h
+include/irs/context.h
+include/irs/dnsconf.h
+include/irs/netdb.h
+include/irs/platform.h
+include/irs/resconf.h
+include/irs/types.h
+include/irs/version.h
+include/isc/aes.h
+include/isc/app.h
+include/isc/assertions.h
+include/isc/atomic.h
+include/isc/backtrace.h
+include/isc/base32.h
+include/isc/base64.h
+include/isc/bind9.h
+include/isc/boolean.h
+include/isc/buffer.h
+include/isc/bufferlist.h
+include/isc/commandline.h
+include/isc/condition.h
+include/isc/counter.h
+include/isc/crc64.h
+include/isc/dir.h
+include/isc/entropy.h
+include/isc/error.h
+include/isc/event.h
+include/isc/eventclass.h
+include/isc/file.h
+include/isc/formatcheck.h
+include/isc/fsaccess.h
+include/isc/hash.h
+include/isc/heap.h
+include/isc/hex.h
+include/isc/hmacmd5.h
+include/isc/hmacsha.h
+include/isc/ht.h
+include/isc/httpd.h
+include/isc/int.h
+include/isc/interfaceiter.h
+include/isc/iterated_hash.h
+include/isc/json.h
+include/isc/keyboard.h
+include/isc/lang.h
+include/isc/lex.h
+include/isc/lfsr.h
+include/isc/lib.h
+include/isc/list.h
+include/isc/log.h
+include/isc/magic.h
+include/isc/md5.h
+include/isc/mem.h
+include/isc/meminfo.h
+include/isc/msgcat.h
+include/isc/msgs.h
+include/isc/mutex.h
+include/isc/mutexblock.h
+include/isc/net.h
+include/isc/netaddr.h
+include/isc/netdb.h
+include/isc/netscope.h
+include/isc/offset.h
+include/isc/once.h
+include/isc/ondestroy.h
+include/isc/os.h
+include/isc/parseint.h
+include/isc/platform.h
+include/isc/pool.h
+include/isc/portset.h
+include/isc/print.h
+include/isc/queue.h
+include/isc/quota.h
+include/isc/radix.h
+include/isc/random.h
+include/isc/ratelimiter.h
+include/isc/refcount.h
+include/isc/regex.h
+include/isc/region.h
+include/isc/resource.h
+include/isc/result.h
+include/isc/resultclass.h
+include/isc/rwlock.h
+include/isc/safe.h
+include/isc/serial.h
+include/isc/sha1.h
+include/isc/sha2.h
+include/isc/sockaddr.h
+include/isc/socket.h
+include/isc/stat.h
+include/isc/stats.h
+include/isc/stdio.h
+include/isc/stdlib.h
+include/isc/stdtime.h
+include/isc/strerror.h
+include/isc/string.h
+include/isc/symtab.h
+include/isc/syslog.h
+include/isc/task.h
+include/isc/taskpool.h
+include/isc/thread.h
+include/isc/time.h
+include/isc/timer.h
+include/isc/tm.h
+include/isc/types.h
+include/isc/util.h
+include/isc/version.h
+include/isc/xml.h
+include/isccc/alist.h
+include/isccc/base64.h
+include/isccc/cc.h
+include/isccc/ccmsg.h
+include/isccc/events.h
+include/isccc/lib.h
+include/isccc/result.h
+include/isccc/sexpr.h
+include/isccc/symtab.h
+include/isccc/symtype.h
+include/isccc/types.h
+include/isccc/util.h
+include/isccc/version.h
+include/isccfg/aclconf.h
+include/isccfg/cfg.h
+include/isccfg/dnsconf.h
+include/isccfg/grammar.h
+include/isccfg/log.h
+include/isccfg/namedconf.h
+include/isccfg/version.h
+include/lwres/context.h
+include/lwres/int.h
+include/lwres/ipv6.h
+include/lwres/lang.h
+include/lwres/list.h
+include/lwres/lwbuffer.h
+include/lwres/lwpacket.h
+include/lwres/lwres.h
+include/lwres/net.h
+include/lwres/netdb.h
+include/lwres/platform.h
+include/lwres/result.h
+include/lwres/stdlib.h
+include/lwres/string.h
+include/lwres/version.h
+include/pk11/constants.h
+include/pk11/internal.h
+include/pk11/pk11.h
+include/pk11/result.h
+include/pkcs11/cryptoki.h
+include/pkcs11/pkcs11.h
+include/pkcs11/pkcs11f.h
+include/pkcs11/pkcs11t.h
+lib/libbind9.a
+lib/libdns.a
+lib/libirs.a
+lib/libisc.a
+lib/libisccc.a
+lib/libisccfg.a
+lib/liblwres.a
+man/man1/arpaname.1.gz
+man/man1/bind9-config.1.gz
+man/man1/delv.1.gz
+man/man1/dig.1.gz
+man/man1/dnstap-read.1.gz
+man/man1/host.1.gz
+man/man1/isc-config.sh.1.gz
+man/man1/mdig.1.gz
+man/man1/named-rrchecker.1.gz
+man/man1/nslookup.1.gz
+man/man1/nsupdate.1.gz
+man/man3/lwres.3.gz
+man/man3/lwres_addr_parse.3.gz
+man/man3/lwres_buffer.3.gz
+man/man3/lwres_buffer_add.3.gz
+man/man3/lwres_buffer_back.3.gz
+man/man3/lwres_buffer_clear.3.gz
+man/man3/lwres_buffer_first.3.gz
+man/man3/lwres_buffer_forward.3.gz
+man/man3/lwres_buffer_getmem.3.gz
+man/man3/lwres_buffer_getuint16.3.gz
+man/man3/lwres_buffer_getuint32.3.gz
+man/man3/lwres_buffer_getuint8.3.gz
+man/man3/lwres_buffer_init.3.gz
+man/man3/lwres_buffer_invalidate.3.gz
+man/man3/lwres_buffer_putmem.3.gz
+man/man3/lwres_buffer_putuint16.3.gz
+man/man3/lwres_buffer_putuint32.3.gz
+man/man3/lwres_buffer_putuint8.3.gz
+man/man3/lwres_buffer_subtract.3.gz
+man/man3/lwres_conf_clear.3.gz
+man/man3/lwres_conf_get.3.gz
+man/man3/lwres_conf_init.3.gz
+man/man3/lwres_conf_parse.3.gz
+man/man3/lwres_conf_print.3.gz
+man/man3/lwres_config.3.gz
+man/man3/lwres_context.3.gz
+man/man3/lwres_context_allocmem.3.gz
+man/man3/lwres_context_create.3.gz
+man/man3/lwres_context_destroy.3.gz
+man/man3/lwres_context_freemem.3.gz
+man/man3/lwres_context_initserial.3.gz
+man/man3/lwres_context_nextserial.3.gz
+man/man3/lwres_context_sendrecv.3.gz
+man/man3/lwres_endhostent.3.gz
+man/man3/lwres_endhostent_r.3.gz
+man/man3/lwres_freeaddrinfo.3.gz
+man/man3/lwres_freehostent.3.gz
+man/man3/lwres_gabn.3.gz
+man/man3/lwres_gabnrequest_free.3.gz
+man/man3/lwres_gabnrequest_parse.3.gz
+man/man3/lwres_gabnrequest_render.3.gz
+man/man3/lwres_gabnresponse_free.3.gz
+man/man3/lwres_gabnresponse_parse.3.gz
+man/man3/lwres_gabnresponse_render.3.gz
+man/man3/lwres_gai_strerror.3.gz
+man/man3/lwres_getaddrinfo.3.gz
+man/man3/lwres_getaddrsbyname.3.gz
+man/man3/lwres_gethostbyaddr.3.gz
+man/man3/lwres_gethostbyaddr_r.3.gz
+man/man3/lwres_gethostbyname.3.gz
+man/man3/lwres_gethostbyname2.3.gz
+man/man3/lwres_gethostbyname_r.3.gz
+man/man3/lwres_gethostent.3.gz
+man/man3/lwres_gethostent_r.3.gz
+man/man3/lwres_getipnode.3.gz
+man/man3/lwres_getipnodebyaddr.3.gz
+man/man3/lwres_getipnodebyname.3.gz
+man/man3/lwres_getnamebyaddr.3.gz
+man/man3/lwres_getnameinfo.3.gz
+man/man3/lwres_getrrsetbyname.3.gz
+man/man3/lwres_gnba.3.gz
+man/man3/lwres_gnbarequest_free.3.gz
+man/man3/lwres_gnbarequest_parse.3.gz
+man/man3/lwres_gnbarequest_render.3.gz
+man/man3/lwres_gnbaresponse_free.3.gz
+man/man3/lwres_gnbaresponse_parse.3.gz
+man/man3/lwres_gnbaresponse_render.3.gz
+man/man3/lwres_herror.3.gz
+man/man3/lwres_hstrerror.3.gz
+man/man3/lwres_inetntop.3.gz
+man/man3/lwres_lwpacket_parseheader.3.gz
+man/man3/lwres_lwpacket_renderheader.3.gz
+man/man3/lwres_net_ntop.3.gz
+man/man3/lwres_noop.3.gz
+man/man3/lwres_nooprequest_free.3.gz
+man/man3/lwres_nooprequest_parse.3.gz
+man/man3/lwres_nooprequest_render.3.gz
+man/man3/lwres_noopresponse_free.3.gz
+man/man3/lwres_noopresponse_parse.3.gz
+man/man3/lwres_noopresponse_render.3.gz
+man/man3/lwres_packet.3.gz
+man/man3/lwres_resutil.3.gz
+man/man3/lwres_sethostent.3.gz
+man/man3/lwres_sethostent_r.3.gz
+man/man3/lwres_string_parse.3.gz
+man/man5/named.conf.5.gz
+man/man5/rndc.conf.5.gz
+man/man8/ddns-confgen.8.gz
+%%PYTHON%%man/man8/dnssec-checkds.8.gz
+%%PYTHON%%man/man8/dnssec-coverage.8.gz
+man/man8/dnssec-dsfromkey.8.gz
+man/man8/dnssec-importkey.8.gz
+man/man8/dnssec-keyfromlabel.8.gz
+man/man8/dnssec-keygen.8.gz
+%%PYTHON%%man/man8/dnssec-keymgr.8.gz
+man/man8/dnssec-revoke.8.gz
+man/man8/dnssec-settime.8.gz
+man/man8/dnssec-signzone.8.gz
+man/man8/dnssec-verify.8.gz
+man/man8/genrandom.8.gz
+man/man8/isc-hmac-fixup.8.gz
+man/man8/lwresd.8.gz
+man/man8/named-checkconf.8.gz
+man/man8/named-checkzone.8.gz
+man/man8/named-compilezone.8.gz
+man/man8/named-journalprint.8.gz
+man/man8/named.8.gz
+man/man8/nsec3hash.8.gz
+%%NATIVE_PKCS11%%man/man8/pkcs11-destroy.8.gz
+%%NATIVE_PKCS11%%man/man8/pkcs11-keygen.8.gz
+%%NATIVE_PKCS11%%man/man8/pkcs11-list.8.gz
+%%NATIVE_PKCS11%%man/man8/pkcs11-tokens.8.gz
+man/man8/rndc-confgen.8.gz
+man/man8/rndc.8.gz
+man/man8/tsig-keygen.8.gz
+sbin/arpaname
+sbin/ddns-confgen
+%%PYTHON%%sbin/dnssec-checkds
+%%PYTHON%%sbin/dnssec-coverage
+sbin/dnssec-dsfromkey
+sbin/dnssec-importkey
+sbin/dnssec-keyfromlabel
+sbin/dnssec-keygen
+%%PYTHON%%sbin/dnssec-keymgr
+sbin/dnssec-revoke
+sbin/dnssec-settime
+sbin/dnssec-signzone
+sbin/dnssec-verify
+sbin/genrandom
+sbin/isc-hmac-fixup
+sbin/lwresd
+sbin/named
+sbin/named-checkconf
+sbin/named-checkzone
+sbin/named-compilezone
+sbin/named-journalprint
+sbin/named-rrchecker
+sbin/nsec3hash
+%%NATIVE_PKCS11%%sbin/pkcs11-destroy
+%%NATIVE_PKCS11%%sbin/pkcs11-keygen
+%%NATIVE_PKCS11%%sbin/pkcs11-list
+%%NATIVE_PKCS11%%sbin/pkcs11-tokens
+sbin/rndc
+sbin/rndc-confgen
+sbin/tsig-keygen
+%%ETCDIR%%/rndc.conf.sample
+%%ETCDIR%%/bind.keys
+%%NOBASE%%etc/mtree/BIND.chroot.dist
+%%NOBASE%%etc/mtree/BIND.chroot.local.dist
+%%NOBASE%%@sample %%ETCDIR%%/named.conf.sample
+%%NOBASE%%%%ETCDIR%%/named.root
+%%NOBASE%%%%ETCDIR%%/master/empty.db
+%%NOBASE%%%%ETCDIR%%/master/localhost-forward.db
+%%NOBASE%%%%ETCDIR%%/master/localhost-reverse.db
+%%NOBASE%%@dir(bind,bind,) %%ETCDIR%%/dynamic
+%%NOBASE%%@dir %%ETCDIR%%/master
+%%NOBASE%%@dir(bind,bind,) %%ETCDIR%%/slave
+%%NOBASE%%@dir(bind,bind,) %%ETCDIR%%/working