import ldns 1.7.0

svn path=/vendor/ldns/dist/; revision=313156 svn path=/vendor/ldns/1.7.0/; revision=313157; tag=vendor/ldns/1.7.0
2017-02-03 13:01:00 +00:00 · 2017-02-03 13:01:00 +00:00 · c6342fe2e9 · 2020-12-20 02:59:44 +00:00
commit c6342fe2e9
parent 65be028f32
158 changed files with 15134 additions and 16991 deletions
--- a/115
+++ b/115
@ -1,3 +1,118 @@
+1.7.0	2016-12-20
+	* Fix lookup of relative names in ldns_resolver_search.
+	* bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt
+	* Follow CNAME's when tracing with drill (TODO dnssec trace)
+	* Fix #551 change Regent to Copyright holder in BSD license in
+	  some of the headings of the file, to match the opensource.org
+	  BSD license.
+	* -e option makes ldns-compare-zones exit with status code 2 on difference
+	* Filter out specified RR types with ldns-read-zone -e and -E options
+	* bugfix #563: Correct DNSKEY from DSA private key. Thanks Peter Koch.
+	* bugfix #562: ldns-keygen match DSA key maximum size with library.
+	  And check keysizes with all algorithms. Thanks Peter Koch.
+	* ldns-verify-zone accepts only one single zonefile as argument.
+	* bugfix #573: ldns-keygen write private keys with mode 0600.
+	  Thanks Leon Weber
+	* Fix configure to make ldns compile with LibreSSL 2.0
+	* drill now also accepts dig style -y option
+	  (-y <[algo:]name:key> i.s.o. -y <name:key[:algo]>)
+	* OPENPGPKEY draft rr types. Enable with: --enable-rrtype-openpgpkey
+	* bugfix #608: Correct comment about escaped characters
+	* CDS and CDNSKEY rr type from RFC 7344.
+	  --enable-rrtype-cds configure option removed
+	* fix: Memory leak in ldns_pkt_rr_list_by_name()
+	  Thanks Johannes Naab
+	* fix: Memory leak in ldns_dname2buffer_wire_compress()
+	  Thanks Max Liebkies
+	* bugfix #613: Allow tab as whitespace too in last rdata field of types
+	  of variable length.  Thanks Xiali Yan
+	* bugfix: strip trailing whitespace from $ORIGIN lines in zone files
+	* Let ldns-keygen output .ds files only for KSK keys
+	* Parse RFC7218 TLSA mnemonics, but do not output them
+	* Let ldns-dane use SPKI as the default selector i.s.o. Cert
+	* bugfix: Fit left over NSEC3s once more before adding empty non
+	  terminals.  Thanks Stuart Browne
+	* bugfix #605: Determine default trust anchor location at compile time
+	  Thanks Peter Koch
+	* bugfix #697: Double free with ldns-dane create
+	  Thanks Carsten Strotmann
+	* bugfix #623: Do not redefine bool type and boolean values
+	  Thanks Jakob Petsovits
+	* bugfix #570: Add TLSA, CDS, CDNSKEY and OPENPGPKEY RR types to ldnsx
+	  Thanks Shussain
+	* bugfix #575: ldns_pkt_clone() does not copy timestamp field
+	  Thanks Calle Dybedahl 
+	* bugfix #584: ldns-update fixes.  Send update to port 53, bring manpage
+	  in sync with the usage text, and don't alter the ldns_resolver passed
+	  to ldns_update_soa_zone_mname().  Created a ldns_resolver_clone()
+	  function in the process.  Thanks Nicholas Riley.
+	* bugfix #633: ldns_pkt_clone() parameter isn't const.
+	  Thanks Jakop Petsovits
+	* bugfix: ldns-dane manpage correction
+	  Thanks Erwin Lansing
+	* Spelling fixes.  Thanks Andreas Schulze
+	* Hyphen used as minus in manpages.  Thanks Andreas Schulze.
+	* RFC7553 RR Type URI is supported by default.
+	* Fix ECDSA signature generation, do not omit leading zeroes.
+	* bugfix: Get rid of superfluous newline in ldns-keyfetcher
+	  Thanks Jan-Piet Mens
+	* bugfix: -U option to ldns-signzone to sign with every algorithm
+	  Thanks Guido Kroon
+	* const function parameters whenever possible.
+	  Thanks Ray Bellis
+	* bugfix #725: allow RR-types on the type bitmap window border
+	  Thanks Pieter Lexis
+	* bugfix #726: 2 typos in drill manpage.
+	  Thanks Hugo Lombard
+	* Add type CSYNC support, RFC 7477.
+	* Prepare for ED25519, ED448 support: todo convert* routines in
+	  dnssec.h, once openssl has support for signing with these algorithms.
+	  The dns algorithm number is not yet allocated. These features are
+	  not fully implemented yet, openssl (1.1) does not support the
+	  algorithms enough to generate keys and sign and verify with them.
+	* Fix _answerfrom comment in ldns_struct_pkt.
+	* Fix drill axfr ipv4/ipv6 queries.
+	* Fix comment referring to mk_query in packet.h to pkt_query_new.
+	* Fix description of QR flag in packet.h.
+	* Fix for openssl 1.1.0 API changes.
+	* Remove commented out macro.  Thanks Thiago Farina
+	* bugfix #641: Include install-sh in .gitignore
+	* bugfix #825: Module import breaks with newer SWIG versions.
+	  Thanks Christoph Egger
+	* bugfix #796 - #792: Fix miscellaneous compiler warning issues.
+	  Thanks Ngie Cooper
+	* bugfix #769: Add support for :: in an IPv6 address
+	  Thanks Hajimu UMEMOTO
+	* bugfix #760: Detect superfluous text in presentation format
+	  Thanks Xiali Yan
+	* bugfix #708: warnings and errors with xcode 6.1/7.0
+	* bugfix #754: Memory leak in ldns_str2rdf_ipseckey
+	  Thanks Xiali Yan
+	* bugfix #661: Fail NSEC3 signing when NSEC domainname length
+	  would overflow.  Thanks Jan-Piet Mens.
+	* bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys.
+	  Thanks Harald Jenny
+	* bugfix #680: ldns fails to reject invalidly formatted
+	  RFC 7553 URI RRs.  Thanks Robert Edmonds
+	* bugfix #678: Use poll i.s.o. select to support > 1024 fds
+	  Thanks William King
+	* Use OpenSSL DANE functions for verification (unless explicitly
+	  disabled with --disable-dane-ta-usage).
+	* Bumb .so version
+	* Include OPENPGPKEY RR type by default
+	* rdata processing for SMIMEA RR type
+	* Fix crash in displaying TLSA RR's.
+	  Thanks Andreas Schulze
+	* Update ldns-key2ds man page to mention GOST and SHA384 hash
+	  functions.  Thanks Harald Jenny
+	* Add sha384 and sha512 tsig algorithm. Thanks Michael Weiser
+	* Clarify data ownership with consts for tsig parameters.
+	  Thanks Michael Weiser
+	* bugfix: Fix detection of DSA support with OpenSSL >= 1.1.0
+	* bugfix #1160: Provide sha256 for release tarballs
+	* --enable-gost-anyway compiles GOST support with OpenSSL >= 1.1.0
+	  even when the GOST engine is not available.
+
 1.6.17	2014-01-10
 	* Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a
 	  zone to be an NSEC3 (or its RRSIG) covering an empty non terminal.
--- a/Makefile.in
+++ b/Makefile.in
@ -12,6 +12,7 @@ datarootdir	= @datarootdir@
 datadir		= @datadir@
 libdir		= @libdir@
 includedir	= @includedir@
+sysconfdir      = @sysconfdir@
 doxygen		= @doxygen@
 pywrapdir       = $(srcdir)/contrib/python
 pyldnsxwrapdir  = $(srcdir)/contrib/ldnsx
@ -27,13 +28,21 @@ pyldnsx_uninst	= @PYLDNSXUNINST@
 libtool		= @libtool@
 CONFIG_FILES	= @CONFIG_FILES@

+LDNS_TRUST_ANCHOR_FILE = @LDNS_TRUST_ANCHOR_FILE@
+DEFAULT_CAFILE = @DEFAULT_CAFILE@
+DEFAULT_CAPATH = @DEFAULT_CAPATH@
+
+edit = sed \
+	-e 's|@LDNS_TRUST_ANCHOR_FILE[@]|$(LDNS_TRUST_ANCHOR_FILE)|g' \
+	-e 's|@DEFAULT_CAFILE[@]|$(DEFAULT_CAFILE)|g' \
+	-e 's|@DEFAULT_CAPATH[@]|$(DEFAULT_CAPATH)|g'
+
 # override $U variable which is used by autotools for deansification (for
 # K&R C compilers), but causes problems if $U is defined in the env).
 U=
-
 CC 		= @CC@
 CFLAGS		= @CFLAGS@
-CPPFLAGS	= -I. -I$(srcdir) @CPPFLAGS@ @DEFS@
+CPPFLAGS	= -I. -I$(srcdir) @CPPFLAGS@ @DEFS@ -DLDNS_TRUST_ANCHOR_FILE="\"$(LDNS_TRUST_ANCHOR_FILE)\""
 LDFLAGS		= @LDFLAGS@
 LIBS 		= @LIBS@
 LIBOBJDIR	= compat/
@ -92,11 +101,10 @@ LDNS_DANE_LOBJS	= examples/ldns-dane.lo
 EX_SSL_PROGS	= examples/ldns-nsec3-hash examples/ldns-revoke examples/ldns-signzone examples/ldns-verify-zone
 EX_SSL_LOBJS	= examples/ldns-nsec3-hash.lo examples/ldns-revoke.lo examples/ldns-signzone.lo examples/ldns-verify-zone.lo

-
 COMPILE		= $(CC) $(CPPFLAGS) $(CFLAGS)
 COMP_LIB	= $(LIBTOOL) --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS)
 LINK		= $(CC) $(CFLAGS) $(LDFLAGS) $(LIBS)
-LINK_LIB	= $(LIBTOOL) --mode=link $(CC) $(CFLAGS) $(LDFLAGS) $(LIBS) -version-number $(version_info) -no-undefined
+LINK_LIB	= $(LIBTOOL) --mode=link $(CC) $(CFLAGS) $(LDFLAGS) $(LIBS) -version-info $(version_info) -no-undefined
 LINK_EXE	= $(LIBTOOL) --mode=link $(CC) $(CFLAGS) $(LDFLAGS) $(LIBSSL_LDFLAGS)

 .PHONY:	clean realclean docclean manpages doc lint all lib pyldns test
@ -129,7 +137,7 @@ putdown-builddir:
 	if test -d drill    -a ! -f drill/README   ; then rmdir drill    || : ; fi
 	if test -d compat   -a ! -f compat/malloc.c; then rmdir compat   || : ; fi

-drill: no-drill-config-h drill/drill
+drill: no-drill-config-h drill/drill drill/drill.1
 no-drill-config-h:
 	@if test -e $(srcdir)/drill/config.h -o -e drill/config.h ; \
 	then echo "A config.h was detected in the drill subdirectory." ; \
@ -138,10 +146,14 @@ no-drill-config-h:
 	     echo "or build drill there." ; \
 	     exit -1 ; \
 	fi
+
 drill/drill: $(DRILL_LOBJS) $(LIB)
 	$(LINK_EXE) $(DRILL_LOBJS) $(LIBS) $(LIBSSL_LIBS) -lldns -o drill/drill

-install-drill: drill/drill
+drill/drill.1: $(srcdir)/drill/drill.1.in
+	$(edit) $(srcdir)/drill/drill.1.in > drill/drill.1
+
+install-drill: drill/drill drill/drill.1
 	$(INSTALL) -m 755 -d $(DESTDIR)$(bindir)
 	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)
 	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man1
@ -154,9 +166,9 @@ uninstall-drill:
 	test ! -d $(DESTDIR)$(bindir) || rmdir -p $(DESTDIR)$(bindir) || : ;

 clean-drill:
-	$(LIBTOOL) --mode clean rm -f $(DRILL_LOBJS) drill/drill
+	$(LIBTOOL) --mode clean rm -f $(DRILL_LOBJS) drill/drill drill/drill.1

-examples: no-examples-config-h $(EXAMPLE_PROGS) $(TESTNS) $(LDNS_DPA) $(LDNS_DANE) $(EX_SSL_PROGS)
+examples: no-examples-config-h $(EXAMPLE_PROGS) $(TESTNS) $(LDNS_DPA) $(LDNS_DANE) $(EX_SSL_PROGS) examples/ldns-dane.1 examples/ldns-verify-zone.1
 no-examples-config-h:
 	@if test -e $(srcdir)/examples/config.h -o -e examples/config.h ; \
 	then echo "A config.h was detected in the examples subdirectory." ; \
@ -165,6 +177,7 @@ no-examples-config-h:
 	     echo "or build examples there." ; \
 	     exit -1 ; \
 	fi
+
 $(EXAMPLE_PROGS):
 	$(LINK_EXE) $@.lo $(LIBS) -lldns -o $@

@ -182,7 +195,13 @@ $(LDNS_DANE):
 $(EX_SSL_PROGS):
 	$(LINK_EXE) $@.lo $(LIBS) $(LIBSSL_LIBS) -lldns -o $@

-install-examples: $(EXAMPLE_PROGS) $(TESTNS) $(LDNS_DPA) $(LDNS_DANE) $(EX_SSL_PROGS)
+examples/ldns-dane.1: $(srcdir)/examples/ldns-dane.1.in
+	$(edit) $(srcdir)/examples/ldns-dane.1.in > examples/ldns-dane.1
+
+examples/ldns-verify-zone.1: $(srcdir)/examples/ldns-verify-zone.1.in
+	$(edit) $(srcdir)/examples/ldns-verify-zone.1.in > examples/ldns-verify-zone.1
+
+install-examples: $(EXAMPLE_PROGS) $(TESTNS) $(LDNS_DPA) $(LDNS_DANE) $(EX_SSL_PROGS) examples/ldns-dane.1 examples/ldns-verify-zone.1
 	$(INSTALL) -m 755 -d $(DESTDIR)$(bindir)
 	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)
 	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man1
@ -205,6 +224,7 @@ clean-examples:
 	$(LIBTOOL) --mode clean rm -f $(EXAMPLE_PROGS) 
 	$(LIBTOOL) --mode clean rm -f $(TESTNS) $(LDNS_DPA) $(LDNS_DANE) $(EX_SSL_PROGS)
 	$(LIBTOOL) --mode clean rm -f $(EXAMPLE_LOBJS)
+	$(LIBTOOL) --mode clean rm -f examples/ldns-dane.1 examples/ldns-verify-zone.1

 linktest: $(srcdir)/linktest.c libldns.la
 	$(COMP_LIB) $(LIBSSL_CPPFLAGS) -c $(srcdir)/linktest.c -o linktest.lo
@ -224,7 +244,7 @@ mancheck:
 	sh -c 'find . -name \*.\[13\] -exec troff -z {} \;' 2>&1 | sed "s/^\.\///" | sed "s/\(:[0\-9]\+:\)/\1 warning:/g"

 doxygen: manpages
-	if test ! -e doc/header.html ; then \
+	@if test ! -e doc/header.html ; then \
 		$(INSTALL) -c -m 644 $(srcdir)/doc/header.html doc/ ; \
 	fi ;
 	$(doxygen) $(srcdir)/libdns.doxygen
@ -236,22 +256,40 @@ manpages: $(srcdir)/doc/function_manpages
 	@$(INSTALL) -d doc
 	@cat $(srcdir)/ldns/*.h \
 	| $(srcdir)/doc/doxyparse.pl \
-		-m $(srcdir)/doc/function_manpages 2>&1 \
+		-m $(srcdir)/doc/function_manpages \
 	| grep -v ^doxygen | grep -v ^cat  > doc/ldns_manpages

+manpage-create-errors: $(srcdir)/doc/function_manpages 
+	@$(INSTALL) -d doc
+	@cat $(srcdir)/ldns/*.h \
+	| $(srcdir)/doc/doxyparse.pl -e \
+		-m $(srcdir)/doc/function_manpages >/dev/null
+
+manpage-errors:
+	@man --version >/dev/null 2>&1 && \
+	for m in `cat $(srcdir)/ldns/*.h | $(srcdir)/doc/doxyparse.pl -m $(srcdir)/doc/function_manpages 2>&1 | grep -v ^doxygen | grep -v ^cat` ; do\
+		LC_ALL=en_US.UTF-8 MANROFFSEQ='' MANWIDTH=80 \
+			man --warnings -E UTF-8 -l -Tutf8 -Z doc/man/man3/$${m}.3 2>&1 >/dev/null \
+			| awk "-vpage=$${m}.3" '{printf("%s: ", page);print}'; \
+		if ! lexgrog doc/man/man3/$${m}.3 >/dev/null 2>&1 ; \
+		then \
+			echo doc/man/man3/$${m}.3: manpage-has-bad-whatis-entry; \
+		fi; \
+	done || echo "WARNING!: Cannot detect manpage errors on `uname`"
+	
 pyldns: _ldns.la

 $(pywrapdir)/ldns_wrapper.c: $(PYLDNS_I_FILES) ldns/config.h
-	$(swig) $(swigpy_flags) -o $@ $(CPPFLAGS) $(PYTHON_CPPFLAGS) $(pywrapdir)/ldns.i
+	$(swig) $(swigpy_flags) -o $@ $(PYTHON_CPPFLAGS) $(pywrapdir)/ldns.i

 ldns_wrapper.lo: $(pywrapdir)/ldns_wrapper.c ldns/config.h
-	$(COMP_LIB) -I./include/ldns $(PYTHON_CPPFLAGS) $(PYTHON_X_CFLAGS) -c $(pywrapdir)/ldns_wrapper.c -o $@
+	$(COMP_LIB) -I./include/ldns $(LIBSSL_CPPFLAGS) $(PYTHON_CPPFLAGS) $(PYTHON_X_CFLAGS) -c $(pywrapdir)/ldns_wrapper.c -o $@

 _ldns.la: ldns_wrapper.lo libldns.la 
-	$(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(PYTHON_CFLAGS) $(LDFLAGS) $(PYTHON_LDFLAGS) -module -version-number $(version_info) -no-undefined -o $@ ldns_wrapper.lo -rpath $(python_site) -L. -L.libs -lldns $(LIBS)
+	$(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(PYTHON_CFLAGS) $(LDFLAGS) $(PYTHON_LDFLAGS) -module -version-info $(version_info) -no-undefined -o $@ ldns_wrapper.lo -rpath $(python_site) -L. -L.libs -lldns $(LIBS)

 $(p5_dns_ldns_dir)/Makefile: $(p5_dns_ldns_dir)/Makefile.PL
-	BUILDDIR=`pwd`; cd $(p5_dns_ldns_dir); $(PERL) Makefile.PL PREFIX="$(prefix)" LIBS="-L$$BUILDDIR/.libs -lldns" INC="-I$$BUILDDIR"
+	BUILDDIR=`pwd`; cd $(p5_dns_ldns_dir); LD_LIBRARY_PATH="$$BUILDDIR/.libs:$$LD_LIBRARY_PATH" DYLD_LIBRARY_PATH="$$BUILDDIR/.libs:$$DYLD_LIBRARY_PATH" $(PERL) Makefile.PL LIBS="-L$$BUILDDIR/.libs -lldns" INC="-I$$BUILDDIR"

 $(p5_dns_ldns_dir)/blib/arch/auto/DNS/LDNS/LDNS.so: $(p5_dns_ldns_dir)/Makefile
 	cd $(p5_dns_ldns_dir); $(MAKE)
--- a/12
+++ b/12
@ -42,7 +42,9 @@ INSTALLATION
 If you are building from the repository you will need to have (gnu)
 autotools like libtool and autoreconf installed. A list of all the commands
 needed to build everything can be found in README.git. Note that the actual
-commands may be a little bit different on your machine. Most notable, you'll need to run libtoolize (or glibtoolize), if you skip this step, you'll get an error about missing config.sub.
+commands may be a little bit different on your machine. Most notably, you'll
+need to run libtoolize (or glibtoolize). If you skip this step, you'll get
+an error about missing config.sub.

 * Developers
 ldns is developed by the ldns team at NLnet Labs. This team currently
@ -85,7 +87,7 @@ for more information.

 SOLARIS

-In Solaris multi-architecture systems (that have both 32-bit and
+In Solaris multi-architecture systems (which have both 32-bit and
 64-bit support), it can be a bit taxing to convince the system to
 compile in 64-bit mode. Jakob Schlyter has kindly contributed a build
 script that sets the right build and link options. You can find it in
@ -99,13 +101,13 @@ http://www.nlnetlabs.nl/projects/ldns/bugs
 * pyldns
 Compiling pyldns produces many ``unused parameter'' warnings.  Those are
 harmless and may safely be ignored.
-Also when building with Swig which version is before 2.0.4, compiling
+Also, when building with SWIG older than 2.0.4, compiling
 pyldns produces many ``missing initializer'' warnings. Those are harmless
 too.

 Your Support
-NLnet Labs offers all of its software products as open source, most are
-published under a BDS license. You can download them, not only from the
+NLnet Labs offers all of its software products as open source, most
+published under a BSD license. You can download them, not only from the
 NLnet Labs website but also through the various OS distributions for
 which NSD, ldns, and Unbound are packaged. We therefore have little idea
 who uses our software in production environments and have no direct ties
--- a/README.git
+++ b/README.git
@ -13,8 +13,9 @@
 # older versions of libtoolize do not support --install
 # so you might need to remove that (with newer versions
 # it is needed)
-libtoolize -c --install
-autoreconf --install
+git submodule update --init
+libtoolize -ci
+autoreconf -fi
 ./configure --with-examples --with-drill # --with-pyldns --with-p5-dns-ldns
 make
 make doc  # needs doxygen for the html pages
--- a/aclocal.m4
+++ b/aclocal.m4
--- a/acx_nlnetlabs.m4
+++ b/acx_nlnetlabs.m4
@ -2,7 +2,15 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 26
+# Version 34
+# 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
+# 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
+# 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
+# 2015-12-11 FLTO check for new OSX, clang.
+# 2015-11-18 spelling check fix.
+# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
+# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
+# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
 # 2013-09-19 FLTO help text improved.
 # 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
 # 2013-06-25 FLTO has --disable-flto option.
@ -93,6 +101,8 @@
 # ACX_CHECK_MEMCMP_SIGNED	- check if memcmp uses signed characters.
 # AHX_MEMCMP_BROKEN		- replace memcmp func for CHECK_MEMCMP_SIGNED.
 # ACX_CHECK_SS_FAMILY           - check for sockaddr_storage.ss_family
+# ACX_CHECK_PIE			- add --enable-pie option and check if works
+# ACX_CHECK_RELRO_NOW		- add --enable-relro-now option and check it
 #

 dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines.
@ -235,7 +245,7 @@ ACX_CHECK_COMPILER_FLAG(xc99, [C99FLAG="-xc99"])

 AC_CHECK_HEADERS([getopt.h time.h],,, [AC_INCLUDES_DEFAULT])

-ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE,
+ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE,
 [
 #include "confdefs.h"
 #include <stdlib.h>
@ -270,9 +280,9 @@ int test() {
 		a = 0;
 	return a;
 }
-], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE"])
+], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE"])

-ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE,
+ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE,
 [
 #include "confdefs.h"
 #include <stdlib.h>
@ -307,7 +317,7 @@ int test() {
 		a = 0;
 	return a;
 }
-], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE"])
+], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE"])

 ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG,
 [
@ -319,7 +329,7 @@ int test() {
 }
 ], [CFLAGS="$CFLAGS $C99FLAG"])

-ACX_CHECK_COMPILER_FLAG_NEEDED(-D_BSD_SOURCE,
+ACX_CHECK_COMPILER_FLAG_NEEDED(-D_BSD_SOURCE -D_DEFAULT_SOURCE,
 [
 #include <ctype.h>

@ -328,7 +338,7 @@ int test() {
        a = isascii(32);
        return a;
 }
-], [CFLAGS="$CFLAGS -D_BSD_SOURCE"])
+], [CFLAGS="$CFLAGS -D_BSD_SOURCE -D_DEFAULT_SOURCE"])

 ACX_CHECK_COMPILER_FLAG_NEEDED(-D_GNU_SOURCE,
 [
@ -417,7 +427,7 @@ AC_DEFUN([ACX_CHECK_FLTO], [
        BAKCFLAGS="$CFLAGS"
        CFLAGS="$CFLAGS -flto"
        AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
-            if $CC $CFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
+            if $CC $CFLAGS -o conftest conftest.c 2>&1 | $GREP -e "warning: no debug symbols in executable" -e "warning: object" >/dev/null; then
                CFLAGS="$BAKCFLAGS"
                AC_MSG_RESULT(no)
            else
@ -663,16 +673,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                ACX_RUNTIME_PATH_ADD([$ssldir/lib])
            fi
        
-            AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
+            AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
            LIBS="$LIBS -lcrypto"
            LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
            AC_TRY_LINK(, [
-                int HMAC_CTX_init(void);
-                (void)HMAC_CTX_init();
+                int HMAC_Update(void);
+                (void)HMAC_Update();
              ], [
                AC_MSG_RESULT(yes)
-                AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, 
-                          [If you have HMAC_CTX_init])
+                AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                          [If you have HMAC_Update])
              ], [
                AC_MSG_RESULT(no)
                # check if -lwsock32 or -lgdi32 are needed.	
@ -682,11 +692,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32"
                AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
                AC_TRY_LINK([], [
-                    int HMAC_CTX_init(void);
-                    (void)HMAC_CTX_init();
+                    int HMAC_Update(void);
+                    (void)HMAC_Update();
                  ],[
-                    AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, 
-                        [If you have HMAC_CTX_init])
+                    AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                        [If you have HMAC_Update])
                    AC_MSG_RESULT(yes) 
                  ],[
                    AC_MSG_RESULT(no)
@ -696,27 +706,36 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                    LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
                    AC_MSG_CHECKING([if -lcrypto needs -ldl])
                    AC_TRY_LINK([], [
-                        int HMAC_CTX_init(void);
-                        (void)HMAC_CTX_init();
+                        int HMAC_Update(void);
+                        (void)HMAC_Update();
                      ],[
-                        AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, 
-                            [If you have HMAC_CTX_init])
+                        AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                            [If you have HMAC_Update])
                        AC_MSG_RESULT(yes) 
                      ],[
                        AC_MSG_RESULT(no)
-                    AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+                        LIBS="$BAKLIBS"
+                        LIBSSL_LIBS="$BAKSSLLIBS"
+                        LIBS="$LIBS -ldl -pthread"
+                        LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
+                        AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
+                        AC_TRY_LINK([], [
+                            int HMAC_Update(void);
+                            (void)HMAC_Update();
+                          ],[
+                            AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                                [If you have HMAC_Update])
+                            AC_MSG_RESULT(yes) 
+                          ],[
+                            AC_MSG_RESULT(no)
+                            AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+			])
                    ])
                ])
            ])
        fi
        AC_SUBST(HAVE_SSL)
        AC_SUBST(RUNTIME_PATH)
-	# openssl engine functionality needs dlopen().
-	BAKLIBS="$LIBS"
-	AC_SEARCH_LIBS([dlopen], [dl])
-	if test "$LIBS" != "$BAKLIBS"; then
-		LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
-	fi
    fi
 AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
@ -1213,6 +1232,16 @@ struct tm *gmtime_r(const time_t *timep, struct tm *result);
 #endif
 ])

+dnl provide reallocarray compat prototype.
+dnl $1: unique name for compat code
+AC_DEFUN([AHX_CONFIG_REALLOCARRAY],
+[
+#ifndef HAVE_REALLOCARRAY
+#define reallocarray reallocarray$1
+void* reallocarray(void *ptr, size_t nmemb, size_t size);
+#endif
+])
+
 dnl provide w32 compat definition for sleep
 AC_DEFUN([AHX_CONFIG_W32_SLEEP],
 [
@ -1274,6 +1303,7 @@ AC_DEFUN([ACX_STRIP_EXT_FLAGS],
  AC_MSG_NOTICE([Stripping extension flags...])
  ACX_CFLAGS_STRIP(-D_GNU_SOURCE)
  ACX_CFLAGS_STRIP(-D_BSD_SOURCE)
+  ACX_CFLAGS_STRIP(-D_DEFAULT_SOURCE)
  ACX_CFLAGS_STRIP(-D__EXTENSIONS__)
  ACX_CFLAGS_STRIP(-D_POSIX_C_SOURCE=200112)
  ACX_CFLAGS_STRIP(-D_XOPEN_SOURCE=600)
@ -1301,6 +1331,7 @@ dnl config.h part to define omitted cflags, use with ACX_STRIP_EXT_FLAGS.
 AC_DEFUN([AHX_CONFIG_EXT_FLAGS],
 [AHX_CONFIG_FLAG_EXT(-D_GNU_SOURCE)
 AHX_CONFIG_FLAG_EXT(-D_BSD_SOURCE)
+AHX_CONFIG_FLAG_EXT(-D_DEFAULT_SOURCE)
 AHX_CONFIG_FLAG_EXT(-D__EXTENSIONS__)
 AHX_CONFIG_FLAG_EXT(-D_POSIX_C_SOURCE=200112)
 AHX_CONFIG_FLAG_EXT(-D_XOPEN_SOURCE=600)
@ -1375,4 +1406,46 @@ AC_DEFUN([ACX_CHECK_SS_FAMILY],
 #endif
 ]) ])

+dnl Check if CC and linker support -fPIE and -pie.
+dnl If so, sets them in CFLAGS / LDFLAGS.
+AC_DEFUN([ACX_CHECK_PIE], [
+    AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable Position-Independent Executable (eg. to fully benefit from ASLR, small performance penalty)]))
+    AS_IF([test "x$enable_pie" = "xyes"], [
+	AC_MSG_CHECKING([if $CC supports PIE])
+	BAKLDFLAGS="$LDFLAGS"
+	BAKCFLAGS="$CFLAGS"
+	LDFLAGS="$LDFLAGS -pie"
+	CFLAGS="$CFLAGS -fPIE"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
+	    if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
+		LDFLAGS="$BAKLDFLAGS"
+		AC_MSG_RESULT(no)
+	    else
+		AC_MSG_RESULT(yes)
+	    fi
+	    rm -f conftest conftest.c conftest.o
+	], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)])
+    ])
+])
+
+dnl Check if linker supports -Wl,-z,relro,-z,now.
+dnl If so, adds it to LDFLAGS.
+AC_DEFUN([ACX_CHECK_RELRO_NOW], [
+    AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor areas)]))
+    AS_IF([test "x$enable_relro_now" = "xyes"], [
+	AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now])
+	BAKLDFLAGS="$LDFLAGS"
+	LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
+	    if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
+		LDFLAGS="$BAKLDFLAGS"
+		AC_MSG_RESULT(no)
+	    else
+		AC_MSG_RESULT(yes)
+	    fi
+	    rm -f conftest conftest.c conftest.o
+	], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)])
+    ])
+])
+
 dnl End of file
--- a/buffer.c
+++ b/buffer.c
@ -38,7 +38,7 @@ ldns_buffer_new(size_t capacity)
 }

 void
-ldns_buffer_new_frm_data(ldns_buffer *buffer, void *data, size_t size)
+ldns_buffer_new_frm_data(ldns_buffer *buffer, const void *data, size_t size)
 {
 	assert(data != NULL);

@ -165,7 +165,7 @@ ldns_bgetc(ldns_buffer *buffer)
 }

 void 
-ldns_buffer_copy(ldns_buffer* result, ldns_buffer* from)
+ldns_buffer_copy(ldns_buffer* result, const ldns_buffer* from)
 {
 	size_t tocopy = ldns_buffer_limit(from);

--- a/compat/b64_pton.c
+++ b/compat/b64_pton.c
@ -118,15 +118,16 @@ static const char Pad64 = '=';
 */

 int
-ldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
+ldns_b64_pton(char const *origsrc, uint8_t *target, size_t targsize)
 {
+	unsigned char const* src = (unsigned char*)origsrc;
 	int tarindex, state, ch;
 	char *pos;

 	state = 0;
 	tarindex = 0;

-	if (strlen(src) == 0) {
+	if (strlen(origsrc) == 0) {
 		return 0;
 	}

--- a/compat/malloc.c
+++ b/compat/malloc.c
@ -8,7 +8,7 @@

 #include <sys/types.h>

-void *malloc ();
+void *malloc (size_t n);

 /* Allocate an N-byte block of memory from the heap.
   If N is zero, allocate a 1-byte block.  */
--- a/compat/snprintf.c
+++ b/compat/snprintf.c
@ -20,16 +20,16 @@
 * specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

 #include <ldns/config.h>
--- a/config.guess
+++ b/config.guess
@ -1,14 +1,12 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
-#   2011, 2012 Free Software Foundation, Inc.
+#   Copyright 1992-2016 Free Software Foundation, Inc.

-timestamp='2012-02-10'
+timestamp='2016-04-02'

 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful, but
@ -22,19 +20,17 @@ timestamp='2012-02-10'
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
 # configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-
-# Originally written by Per Bothner.  Please send patches (context
-# diff format) to <config-patches@gnu.org> and include a ChangeLog
-# entry.
+# the same distribution terms that you use for the rest of that
+# program.  This Exception is an additional permission under section 7
+# of the GNU General Public License, version 3 ("GPLv3").
 #
-# This script attempts to guess a canonical system name similar to
-# config.sub.  If it succeeds, it prints the system name on stdout, and
-# exits with 0.  Otherwise, it exits with 1.
+# Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
 #
 # You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
+#
+# Please send patches to <config-patches@gnu.org>.
+

 me=`echo "$0" | sed -e 's,.*/,,'`

@ -54,9 +50,7 @@ version="\
 GNU config.guess ($timestamp)

 Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
-Free Software Foundation, Inc.
+Copyright 1992-2016 Free Software Foundation, Inc.

 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -138,6 +132,27 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
 UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
 UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown

+case "${UNAME_SYSTEM}" in
+Linux|GNU|GNU/*)
+	# If the system lacks a compiler, then just pick glibc.
+	# We could probably try harder.
+	LIBC=gnu
+
+	eval $set_cc_for_build
+	cat <<-EOF > $dummy.c
+	#include <features.h>
+	#if defined(__UCLIBC__)
+	LIBC=uclibc
+	#elif defined(__dietlibc__)
+	LIBC=dietlibc
+	#else
+	LIBC=gnu
+	#endif
+	EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
+	;;
+esac
+
 # Note: order is significant - the case branches are not exclusive.

 case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
@ -153,20 +168,27 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	# Note: NetBSD doesn't particularly care about the vendor
 	# portion of the name.  We always set it to "unknown".
 	sysctl="sysctl -n hw.machine_arch"
-	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
-	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+	UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \
+	    /sbin/$sysctl 2>/dev/null || \
+	    /usr/sbin/$sysctl 2>/dev/null || \
+	    echo unknown)`
 	case "${UNAME_MACHINE_ARCH}" in
 	    armeb) machine=armeb-unknown ;;
 	    arm*) machine=arm-unknown ;;
 	    sh3el) machine=shl-unknown ;;
 	    sh3eb) machine=sh-unknown ;;
 	    sh5el) machine=sh5le-unknown ;;
+	    earmv*)
+		arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'`
+		endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'`
+		machine=${arch}${endian}-unknown
+		;;
 	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
 	esac
 	# The Operating System including object format, if it has switched
 	# to ELF recently, or will in the future.
 	case "${UNAME_MACHINE_ARCH}" in
-	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+	    arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax)
 		eval $set_cc_for_build
 		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
 			| grep -q __ELF__
@ -182,6 +204,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 		os=netbsd
 		;;
 	esac
+	# Determine ABI tags.
+	case "${UNAME_MACHINE_ARCH}" in
+	    earm*)
+		expr='s/^earmv[0-9]/-eabi/;s/eb$//'
+		abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"`
+		;;
+	esac
 	# The OS release
 	# Debian GNU/NetBSD machines have a different userland, and
 	# thus, need a distinct triplet. However, they do not need
@ -192,18 +221,26 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 		release='-gnu'
 		;;
 	    *)
-		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+		release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2`
 		;;
 	esac
 	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
 	# contains redundant information, the shorter form:
 	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
-	echo "${machine}-${os}${release}"
+	echo "${machine}-${os}${release}${abi}"
+	exit ;;
+    *:Bitrig:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
 	exit ;;
    *:OpenBSD:*:*)
 	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
 	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
 	exit ;;
+    *:LibertyBSD:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
+	exit ;;
    *:ekkoBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
 	exit ;;
@ -216,6 +253,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
    *:MirBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
 	exit ;;
+    *:Sortix:*:*)
+	echo ${UNAME_MACHINE}-unknown-sortix
+	exit ;;
    alpha:OSF1:*:*)
 	case $UNAME_RELEASE in
 	*4.0)
@ -232,42 +272,42 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
 	case "$ALPHA_CPU_TYPE" in
 	    "EV4 (21064)")
-		UNAME_MACHINE="alpha" ;;
+		UNAME_MACHINE=alpha ;;
 	    "EV4.5 (21064)")
-		UNAME_MACHINE="alpha" ;;
+		UNAME_MACHINE=alpha ;;
 	    "LCA4 (21066/21068)")
-		UNAME_MACHINE="alpha" ;;
+		UNAME_MACHINE=alpha ;;
 	    "EV5 (21164)")
-		UNAME_MACHINE="alphaev5" ;;
+		UNAME_MACHINE=alphaev5 ;;
 	    "EV5.6 (21164A)")
-		UNAME_MACHINE="alphaev56" ;;
+		UNAME_MACHINE=alphaev56 ;;
 	    "EV5.6 (21164PC)")
-		UNAME_MACHINE="alphapca56" ;;
+		UNAME_MACHINE=alphapca56 ;;
 	    "EV5.7 (21164PC)")
-		UNAME_MACHINE="alphapca57" ;;
+		UNAME_MACHINE=alphapca57 ;;
 	    "EV6 (21264)")
-		UNAME_MACHINE="alphaev6" ;;
+		UNAME_MACHINE=alphaev6 ;;
 	    "EV6.7 (21264A)")
-		UNAME_MACHINE="alphaev67" ;;
+		UNAME_MACHINE=alphaev67 ;;
 	    "EV6.8CB (21264C)")
-		UNAME_MACHINE="alphaev68" ;;
+		UNAME_MACHINE=alphaev68 ;;
 	    "EV6.8AL (21264B)")
-		UNAME_MACHINE="alphaev68" ;;
+		UNAME_MACHINE=alphaev68 ;;
 	    "EV6.8CX (21264D)")
-		UNAME_MACHINE="alphaev68" ;;
+		UNAME_MACHINE=alphaev68 ;;
 	    "EV6.9A (21264/EV69A)")
-		UNAME_MACHINE="alphaev69" ;;
+		UNAME_MACHINE=alphaev69 ;;
 	    "EV7 (21364)")
-		UNAME_MACHINE="alphaev7" ;;
+		UNAME_MACHINE=alphaev7 ;;
 	    "EV7.9 (21364A)")
-		UNAME_MACHINE="alphaev79" ;;
+		UNAME_MACHINE=alphaev79 ;;
 	esac
 	# A Pn.n version is a patched version.
 	# A Vn.n version is a released version.
 	# A Tn.n version is a released field test version.
 	# A Xn.n version is an unreleased experimental baselevel.
 	# 1.2 uses "1.2" for uname -r.
-	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
 	# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
 	exitcode=$?
 	trap '' 0
@ -302,7 +342,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
 	echo arm-acorn-riscix${UNAME_RELEASE}
 	exit ;;
-    arm:riscos:*:*|arm:RISCOS:*:*)
+    arm*:riscos:*:*|arm*:RISCOS:*:*)
 	echo arm-unknown-riscos
 	exit ;;
    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
@ -340,16 +380,16 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	exit ;;
    i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
 	eval $set_cc_for_build
-	SUN_ARCH="i386"
+	SUN_ARCH=i386
 	# If there is a compiler, see if it is configured for 64-bit objects.
 	# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
 	# This test works for both compilers.
-	if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+	if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
 	    if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
-		(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+		(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
 		grep IS_64BIT_ARCH >/dev/null
 	    then
-		SUN_ARCH="x86_64"
+		SUN_ARCH=x86_64
 	    fi
 	fi
 	echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
@ -374,7 +414,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	exit ;;
    sun*:*:4.2BSD:*)
 	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
-	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3
 	case "`/bin/arch`" in
 	    sun3)
 		echo m68k-sun-sunos${UNAME_RELEASE}
@ -560,8 +600,9 @@ EOF
 	else
 		IBM_ARCH=powerpc
 	fi
-	if [ -x /usr/bin/oslevel ] ; then
-		IBM_REV=`/usr/bin/oslevel`
+	if [ -x /usr/bin/lslpp ] ; then
+		IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc |
+			   awk -F: '{ print $3 }' | sed s/[0-9]*$/0/`
 	else
 		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
 	fi
@ -598,13 +639,13 @@ EOF
 		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
 		    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
 		    case "${sc_cpu_version}" in
-		      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
-		      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+		      523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0
+		      528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1
 		      532)                      # CPU_PA_RISC2_0
 			case "${sc_kernel_bits}" in
-			  32) HP_ARCH="hppa2.0n" ;;
-			  64) HP_ARCH="hppa2.0w" ;;
-			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
+			  32) HP_ARCH=hppa2.0n ;;
+			  64) HP_ARCH=hppa2.0w ;;
+			  '') HP_ARCH=hppa2.0 ;;   # HP-UX 10.20
 			esac ;;
 		    esac
 		fi
@ -643,11 +684,11 @@ EOF
 		    exit (0);
 		}
 EOF
-		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+		    (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
 		    test -z "$HP_ARCH" && HP_ARCH=hppa
 		fi ;;
 	esac
-	if [ ${HP_ARCH} = "hppa2.0w" ]
+	if [ ${HP_ARCH} = hppa2.0w ]
 	then
 	    eval $set_cc_for_build

@ -660,12 +701,12 @@ EOF
 	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
 	    # => hppa64-hp-hpux11.23

-	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+	    if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) |
 		grep -q __LP64__
 	    then
-		HP_ARCH="hppa2.0w"
+		HP_ARCH=hppa2.0w
 	    else
-		HP_ARCH="hppa64"
+		HP_ARCH=hppa64
 	    fi
 	fi
 	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
@ -770,14 +811,14 @@ EOF
 	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
 	exit ;;
    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
-	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+	FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
+	FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
 	FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
 	echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
 	exit ;;
    5000:UNIX_System_V:4.*:*)
-	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-	FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+	FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
+	FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
 	echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
 	exit ;;
    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
@ -801,10 +842,13 @@ EOF
    i*:CYGWIN*:*)
 	echo ${UNAME_MACHINE}-pc-cygwin
 	exit ;;
+    *:MINGW64*:*)
+	echo ${UNAME_MACHINE}-pc-mingw64
+	exit ;;
    *:MINGW*:*)
 	echo ${UNAME_MACHINE}-pc-mingw32
 	exit ;;
-    i*:MSYS*:*)
+    *:MSYS*:*)
 	echo ${UNAME_MACHINE}-pc-msys
 	exit ;;
    i*:windows32*:*)
@ -852,21 +896,21 @@ EOF
 	exit ;;
    *:GNU:*:*)
 	# the GNU system
-	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
 	exit ;;
    *:GNU/*:*:*)
 	# other systems with GNU libc and userland
-	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
 	exit ;;
    i*86:Minix:*:*)
 	echo ${UNAME_MACHINE}-pc-minix
 	exit ;;
    aarch64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    aarch64_be:Linux:*:*)
 	UNAME_MACHINE=aarch64_be
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    alpha:Linux:*:*)
 	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
@ -879,59 +923,60 @@ EOF
 	  EV68*) UNAME_MACHINE=alphaev68 ;;
 	esac
 	objdump --private-headers /bin/sh | grep -q ld.so.1
-	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
-	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+	if test "$?" = 0 ; then LIBC=gnulibc1 ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    arc:Linux:*:* | arceb:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    arm*:Linux:*:*)
 	eval $set_cc_for_build
 	if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
 	    | grep -q __ARM_EABI__
 	then
-	    echo ${UNAME_MACHINE}-unknown-linux-gnu
+	    echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	else
 	    if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
 		| grep -q __ARM_PCS_VFP
 	    then
-		echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+		echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
 	    else
-		echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
+		echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
 	    fi
 	fi
 	exit ;;
    avr32*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    cris:Linux:*:*)
-	echo ${UNAME_MACHINE}-axis-linux-gnu
+	echo ${UNAME_MACHINE}-axis-linux-${LIBC}
 	exit ;;
    crisv32:Linux:*:*)
-	echo ${UNAME_MACHINE}-axis-linux-gnu
+	echo ${UNAME_MACHINE}-axis-linux-${LIBC}
+	exit ;;
+    e2k:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    frv:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    hexagon:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    i*86:Linux:*:*)
-	LIBC=gnu
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#ifdef __dietlibc__
-	LIBC=dietlibc
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
-	echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+	echo ${UNAME_MACHINE}-pc-linux-${LIBC}
 	exit ;;
    ia64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    k1om:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    m32r*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    m68*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    mips:Linux:*:* | mips64:Linux:*:*)
 	eval $set_cc_for_build
@ -950,54 +995,63 @@ EOF
 	#endif
 EOF
 	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
-	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
 	;;
-    or32:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+    openrisc*:Linux:*:*)
+	echo or1k-unknown-linux-${LIBC}
+	exit ;;
+    or32:Linux:*:* | or1k*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    padre:Linux:*:*)
-	echo sparc-unknown-linux-gnu
+	echo sparc-unknown-linux-${LIBC}
 	exit ;;
    parisc64:Linux:*:* | hppa64:Linux:*:*)
-	echo hppa64-unknown-linux-gnu
+	echo hppa64-unknown-linux-${LIBC}
 	exit ;;
    parisc:Linux:*:* | hppa:Linux:*:*)
 	# Look for CPU level
 	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
-	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
-	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
-	  *)    echo hppa-unknown-linux-gnu ;;
+	  PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
+	  PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
+	  *)    echo hppa-unknown-linux-${LIBC} ;;
 	esac
 	exit ;;
    ppc64:Linux:*:*)
-	echo powerpc64-unknown-linux-gnu
+	echo powerpc64-unknown-linux-${LIBC}
 	exit ;;
    ppc:Linux:*:*)
-	echo powerpc-unknown-linux-gnu
+	echo powerpc-unknown-linux-${LIBC}
+	exit ;;
+    ppc64le:Linux:*:*)
+	echo powerpc64le-unknown-linux-${LIBC}
+	exit ;;
+    ppcle:Linux:*:*)
+	echo powerpcle-unknown-linux-${LIBC}
 	exit ;;
    s390:Linux:*:* | s390x:Linux:*:*)
-	echo ${UNAME_MACHINE}-ibm-linux
+	echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
 	exit ;;
    sh64*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    sh*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    sparc:Linux:*:* | sparc64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    tile*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    vax:Linux:*:*)
-	echo ${UNAME_MACHINE}-dec-linux-gnu
+	echo ${UNAME_MACHINE}-dec-linux-${LIBC}
 	exit ;;
    x86_64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-pc-linux-${LIBC}
 	exit ;;
    xtensa*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
    i*86:DYNIX/ptx:4*:*)
 	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@ -1073,7 +1127,7 @@ EOF
 	# uname -m prints for DJGPP always 'pc', but it prints nothing about
 	# the processor, so we play safe by assuming i586.
 	# Note: whatever this is, it MUST be the same as what config.sub
-	# prints for the "djgpp" host, or else GDB configury will decide that
+	# prints for the "djgpp" host, or else GDB configure will decide that
 	# this is a cross-build.
 	echo i586-pc-msdosdjgpp
 	exit ;;
@ -1201,6 +1255,9 @@ EOF
    BePC:Haiku:*:*)	# Haiku running on Intel PC compatible.
 	echo i586-pc-haiku
 	exit ;;
+    x86_64:Haiku:*:*)
+	echo x86_64-unknown-haiku
+	exit ;;
    SX-4:SUPER-UX:*:*)
 	echo sx4-nec-superux${UNAME_RELEASE}
 	exit ;;
@ -1219,6 +1276,9 @@ EOF
    SX-8R:SUPER-UX:*:*)
 	echo sx8r-nec-superux${UNAME_RELEASE}
 	exit ;;
+    SX-ACE:SUPER-UX:*:*)
+	echo sxace-nec-superux${UNAME_RELEASE}
+	exit ;;
    Power*:Rhapsody:*:*)
 	echo powerpc-apple-rhapsody${UNAME_RELEASE}
 	exit ;;
@ -1227,24 +1287,36 @@ EOF
 	exit ;;
    *:Darwin:*:*)
 	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
-	case $UNAME_PROCESSOR in
-	    i386)
-		eval $set_cc_for_build
-		if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
-		  if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
-		      (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
-		      grep IS_64BIT_ARCH >/dev/null
-		  then
-		      UNAME_PROCESSOR="x86_64"
-		  fi
-		fi ;;
-	    unknown) UNAME_PROCESSOR=powerpc ;;
-	esac
+	eval $set_cc_for_build
+	if test "$UNAME_PROCESSOR" = unknown ; then
+	    UNAME_PROCESSOR=powerpc
+	fi
+	if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
+	    if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
+		if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
+		    (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
+		    grep IS_64BIT_ARCH >/dev/null
+		then
+		    case $UNAME_PROCESSOR in
+			i386) UNAME_PROCESSOR=x86_64 ;;
+			powerpc) UNAME_PROCESSOR=powerpc64 ;;
+		    esac
+		fi
+	    fi
+	elif test "$UNAME_PROCESSOR" = i386 ; then
+	    # Avoid executing cc on OS X 10.9, as it ships with a stub
+	    # that puts up a graphical alert prompting to install
+	    # developer tools.  Any system running Mac OS X 10.7 or
+	    # later (Darwin 11 and later) is required to have a 64-bit
+	    # processor. This is not true of the ARM version of Darwin
+	    # that Apple uses in portable devices.
+	    UNAME_PROCESSOR=x86_64
+	fi
 	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
 	exit ;;
    *:procnto*:*:* | *:QNX:[0123456789]*:*)
 	UNAME_PROCESSOR=`uname -p`
-	if test "$UNAME_PROCESSOR" = "x86"; then
+	if test "$UNAME_PROCESSOR" = x86; then
 		UNAME_PROCESSOR=i386
 		UNAME_MACHINE=pc
 	fi
@ -1256,7 +1328,7 @@ EOF
    NEO-?:NONSTOP_KERNEL:*:*)
 	echo neo-tandem-nsk${UNAME_RELEASE}
 	exit ;;
-    NSE-?:NONSTOP_KERNEL:*:*)
+    NSE-*:NONSTOP_KERNEL:*:*)
 	echo nse-tandem-nsk${UNAME_RELEASE}
 	exit ;;
    NSR-?:NONSTOP_KERNEL:*:*)
@ -1275,7 +1347,7 @@ EOF
 	# "uname -m" is not consistent, so use $cputype instead. 386
 	# is converted to i386 for consistency with other x86
 	# operating systems.
-	if test "$cputype" = "386"; then
+	if test "$cputype" = 386; then
 	    UNAME_MACHINE=i386
 	else
 	    UNAME_MACHINE="$cputype"
@ -1317,7 +1389,7 @@ EOF
 	echo i386-pc-xenix
 	exit ;;
    i*86:skyos:*:*)
-	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
 	exit ;;
    i*86:rdos:*:*)
 	echo ${UNAME_MACHINE}-pc-rdos
@ -1328,159 +1400,11 @@ EOF
    x86_64:VMkernel:*:*)
 	echo ${UNAME_MACHINE}-unknown-esx
 	exit ;;
+    amd64:Isilon\ OneFS:*:*)
+	echo x86_64-unknown-onefs
+	exit ;;
 esac

-#echo '(No uname command or uname output not recognized.)' 1>&2
-#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
-
-eval $set_cc_for_build
-cat >$dummy.c <<EOF
-#ifdef _SEQUENT_
-# include <sys/types.h>
-# include <sys/utsname.h>
-#endif
-main ()
-{
-#if defined (sony)
-#if defined (MIPSEB)
-  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
-     I don't know....  */
-  printf ("mips-sony-bsd\n"); exit (0);
-#else
-#include <sys/param.h>
-  printf ("m68k-sony-newsos%s\n",
-#ifdef NEWSOS4
-	"4"
-#else
-	""
-#endif
-	); exit (0);
-#endif
-#endif
-
-#if defined (__arm) && defined (__acorn) && defined (__unix)
-  printf ("arm-acorn-riscix\n"); exit (0);
-#endif
-
-#if defined (hp300) && !defined (hpux)
-  printf ("m68k-hp-bsd\n"); exit (0);
-#endif
-
-#if defined (NeXT)
-#if !defined (__ARCHITECTURE__)
-#define __ARCHITECTURE__ "m68k"
-#endif
-  int version;
-  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
-  if (version < 4)
-    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
-  else
-    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
-  exit (0);
-#endif
-
-#if defined (MULTIMAX) || defined (n16)
-#if defined (UMAXV)
-  printf ("ns32k-encore-sysv\n"); exit (0);
-#else
-#if defined (CMU)
-  printf ("ns32k-encore-mach\n"); exit (0);
-#else
-  printf ("ns32k-encore-bsd\n"); exit (0);
-#endif
-#endif
-#endif
-
-#if defined (__386BSD__)
-  printf ("i386-pc-bsd\n"); exit (0);
-#endif
-
-#if defined (sequent)
-#if defined (i386)
-  printf ("i386-sequent-dynix\n"); exit (0);
-#endif
-#if defined (ns32000)
-  printf ("ns32k-sequent-dynix\n"); exit (0);
-#endif
-#endif
-
-#if defined (_SEQUENT_)
-    struct utsname un;
-
-    uname(&un);
-
-    if (strncmp(un.version, "V2", 2) == 0) {
-	printf ("i386-sequent-ptx2\n"); exit (0);
-    }
-    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
-	printf ("i386-sequent-ptx1\n"); exit (0);
-    }
-    printf ("i386-sequent-ptx\n"); exit (0);
-
-#endif
-
-#if defined (vax)
-# if !defined (ultrix)
-#  include <sys/param.h>
-#  if defined (BSD)
-#   if BSD == 43
-      printf ("vax-dec-bsd4.3\n"); exit (0);
-#   else
-#    if BSD == 199006
-      printf ("vax-dec-bsd4.3reno\n"); exit (0);
-#    else
-      printf ("vax-dec-bsd\n"); exit (0);
-#    endif
-#   endif
-#  else
-    printf ("vax-dec-bsd\n"); exit (0);
-#  endif
-# else
-    printf ("vax-dec-ultrix\n"); exit (0);
-# endif
-#endif
-
-#if defined (alliant) && defined (i860)
-  printf ("i860-alliant-bsd\n"); exit (0);
-#endif
-
-  exit (1);
-}
-EOF
-
-$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
-	{ echo "$SYSTEM_NAME"; exit; }
-
-# Apollos put the system type in the environment.
-
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
-
-# Convex versions that predate uname can use getsysinfo(1)
-
-if [ -x /usr/convex/getsysinfo ]
-then
-    case `getsysinfo -f cpu_type` in
-    c1*)
-	echo c1-convex-bsd
-	exit ;;
-    c2*)
-	if getsysinfo -f scalar_acc
-	then echo c32-convex-bsd
-	else echo c2-convex-bsd
-	fi
-	exit ;;
-    c34*)
-	echo c34-convex-bsd
-	exit ;;
-    c38*)
-	echo c38-convex-bsd
-	exit ;;
-    c4*)
-	echo c4-convex-bsd
-	exit ;;
-    esac
-fi
-
 cat >&2 <<EOF
 $0: unable to guess system type

@ -1488,9 +1412,9 @@ This script, last modified $timestamp, has failed to recognize
 the operating system you are using. It is advised that you
 download the most up to date version of the config scripts from

-  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
 and
-  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub

 If the version you run ($0) is already up to date, please
 send the following data and any information you think might be
--- a/config.sub
+++ b/config.sub
@ -1,24 +1,18 @@
 #! /bin/sh
 # Configuration validation subroutine script.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
-#   2011, 2012 Free Software Foundation, Inc.
+#   Copyright 1992-2016 Free Software Foundation, Inc.

-timestamp='2012-02-10'
+timestamp='2016-03-30'

-# This file is (in principle) common to ALL GNU software.
-# The presence of a machine in this file suggests that SOME GNU software
-# can handle that machine.  It does not imply ALL GNU software can.
-#
-# This file is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, see <http://www.gnu.org/licenses/>.
@ -26,11 +20,12 @@ timestamp='2012-02-10'
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
 # configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
+# the same distribution terms that you use for the rest of that
+# program.  This Exception is an additional permission under section 7
+# of the GNU General Public License, version 3 ("GPLv3").


-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted GNU ChangeLog entry.
+# Please send patches to <config-patches@gnu.org>.
 #
 # Configuration subroutine to validate and canonicalize a configuration type.
 # Supply the specified configuration type as an argument.
@ -38,7 +33,7 @@ timestamp='2012-02-10'
 # Otherwise, we print the canonical config type on stdout and succeed.

 # You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub

 # This file is supposed to be the same for all GNU packages
 # and recognize all the CPU types, system types and aliases
@ -58,8 +53,7 @@ timestamp='2012-02-10'
 me=`echo "$0" | sed -e 's,.*/,,'`

 usage="\
-Usage: $0 [OPTION] CPU-MFR-OPSYS
-       $0 [OPTION] ALIAS
+Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS

 Canonicalize a configuration name.

@ -73,9 +67,7 @@ Report bugs and patches to <config-patches@gnu.org>."
 version="\
 GNU config.sub ($timestamp)

-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
-Free Software Foundation, Inc.
+Copyright 1992-2016 Free Software Foundation, Inc.

 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -123,8 +115,8 @@ esac
 maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
  nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
-  linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
-  knetbsd*-gnu* | netbsd*-gnu* | \
+  linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
+  knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
  kopensolaris*-gnu* | \
  storm-chaos* | os2-emx* | rtmk-nova*)
    os=-$maybe_os
@ -156,7 +148,7 @@ case $os in
 	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
 	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
 	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-	-apple | -axis | -knuth | -cray | -microblaze)
+	-apple | -axis | -knuth | -cray | -microblaze*)
 		os=
 		basic_machine=$1
 		;;
@ -225,6 +217,12 @@ case $os in
 	-isc*)
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
 		;;
+	-lynx*178)
+		os=-lynxos178
+		;;
+	-lynx*5)
+		os=-lynxos5
+		;;
 	-lynx*)
 		os=-lynxos
 		;;
@ -253,21 +251,25 @@ case $basic_machine in
 	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
 	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
 	| am33_2.0 \
-	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
-        | be32 | be64 \
+	| arc | arceb \
+	| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
+	| avr | avr32 \
+	| ba \
+	| be32 | be64 \
 	| bfin \
-	| c4x | clipper \
+	| c4x | c8051 | clipper \
 	| d10v | d30v | dlx | dsp16xx \
-	| epiphany \
-	| fido | fr30 | frv \
+	| e2k | epiphany \
+	| fido | fr30 | frv | ft32 \
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
 	| hexagon \
 	| i370 | i860 | i960 | ia64 \
 	| ip2k | iq2000 \
+	| k1om \
 	| le32 | le64 \
 	| lm32 \
 	| m32c | m32r | m32rle | m68000 | m68k | m88k \
-	| maxq | mb | microblaze | mcore | mep | metag \
+	| maxq | mb | microblaze | microblazeel | mcore | mep | metag \
 	| mips | mipsbe | mipseb | mipsel | mipsle \
 	| mips16 \
 	| mips64 | mips64el \
@ -281,26 +283,29 @@ case $basic_machine in
 	| mips64vr5900 | mips64vr5900el \
 	| mipsisa32 | mipsisa32el \
 	| mipsisa32r2 | mipsisa32r2el \
+	| mipsisa32r6 | mipsisa32r6el \
 	| mipsisa64 | mipsisa64el \
 	| mipsisa64r2 | mipsisa64r2el \
+	| mipsisa64r6 | mipsisa64r6el \
 	| mipsisa64sb1 | mipsisa64sb1el \
 	| mipsisa64sr71k | mipsisa64sr71kel \
+	| mipsr5900 | mipsr5900el \
 	| mipstx39 | mipstx39el \
 	| mn10200 | mn10300 \
 	| moxie \
 	| mt \
 	| msp430 \
 	| nds32 | nds32le | nds32be \
-	| nios | nios2 \
+	| nios | nios2 | nios2eb | nios2el \
 	| ns16k | ns32k \
-	| open8 \
-	| or32 \
+	| open8 | or1k | or1knd | or32 \
 	| pdp10 | pdp11 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle \
 	| pyramid \
+	| riscv32 | riscv64 \
 	| rl78 | rx \
 	| score \
-	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
+	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
 	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
 	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
@ -308,6 +313,7 @@ case $basic_machine in
 	| tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
 	| ubicom32 \
 	| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
+	| visium \
 	| we32k \
 	| x86 | xc16x | xstormy16 | xtensa \
 	| z8k | z80)
@ -322,7 +328,10 @@ case $basic_machine in
 	c6x)
 		basic_machine=tic6x-unknown
 		;;
-	m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip)
+	leon|leon[3-9])
+		basic_machine=sparc-$basic_machine
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
 		basic_machine=$basic_machine-unknown
 		os=-none
 		;;
@ -364,26 +373,29 @@ case $basic_machine in
 	| aarch64-* | aarch64_be-* \
 	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
 	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
-	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
 	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
 	| avr-* | avr32-* \
+	| ba-* \
 	| be32-* | be64-* \
 	| bfin-* | bs2000-* \
 	| c[123]* | c30-* | [cjt]90-* | c4x-* \
-	| clipper-* | craynv-* | cydra-* \
+	| c8051-* | clipper-* | craynv-* | cydra-* \
 	| d10v-* | d30v-* | dlx-* \
-	| elxsi-* \
+	| e2k-* | elxsi-* \
 	| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
 	| h8300-* | h8500-* \
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
 	| hexagon-* \
 	| i*86-* | i860-* | i960-* | ia64-* \
 	| ip2k-* | iq2000-* \
+	| k1om-* \
 	| le32-* | le64-* \
 	| lm32-* \
 	| m32c-* | m32r-* | m32rle-* \
 	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-	| m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
+	| microblaze-* | microblazeel-* \
 	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
 	| mips16-* \
 	| mips64-* | mips64el-* \
@ -397,28 +409,33 @@ case $basic_machine in
 	| mips64vr5900-* | mips64vr5900el-* \
 	| mipsisa32-* | mipsisa32el-* \
 	| mipsisa32r2-* | mipsisa32r2el-* \
+	| mipsisa32r6-* | mipsisa32r6el-* \
 	| mipsisa64-* | mipsisa64el-* \
 	| mipsisa64r2-* | mipsisa64r2el-* \
+	| mipsisa64r6-* | mipsisa64r6el-* \
 	| mipsisa64sb1-* | mipsisa64sb1el-* \
 	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
+	| mipsr5900-* | mipsr5900el-* \
 	| mipstx39-* | mipstx39el-* \
 	| mmix-* \
 	| mt-* \
 	| msp430-* \
 	| nds32-* | nds32le-* | nds32be-* \
-	| nios-* | nios2-* \
+	| nios-* | nios2-* | nios2eb-* | nios2el-* \
 	| none-* | np1-* | ns16k-* | ns32k-* \
 	| open8-* \
+	| or1k*-* \
 	| orion-* \
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
 	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
 	| pyramid-* \
+	| riscv32-* | riscv64-* \
 	| rl78-* | romp-* | rs6000-* | rx-* \
 	| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
 	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
 	| sparclite-* \
-	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \
 	| tahoe-* \
 	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
 	| tile*-* \
@ -426,6 +443,7 @@ case $basic_machine in
 	| ubicom32-* \
 	| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
 	| vax-* \
+	| visium-* \
 	| we32k-* \
 	| x86-* | x86_64-* | xc16x-* | xps100-* \
 	| xstormy16-* | xtensa*-* \
@ -502,6 +520,9 @@ case $basic_machine in
 		basic_machine=i386-pc
 		os=-aros
 		;;
+	asmjs)
+		basic_machine=asmjs-unknown
+		;;
 	aux)
 		basic_machine=m68k-apple
 		os=-aux
@ -763,6 +784,9 @@ case $basic_machine in
 		basic_machine=m68k-isi
 		os=-sysv
 		;;
+	leon-*|leon[3-9]-*)
+		basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'`
+		;;
 	m68knommu)
 		basic_machine=m68k-unknown
 		os=-linux
@ -782,11 +806,15 @@ case $basic_machine in
 		basic_machine=ns32k-utek
 		os=-sysv
 		;;
-	microblaze)
+	microblaze*)
 		basic_machine=microblaze-xilinx
 		;;
+	mingw64)
+		basic_machine=x86_64-pc
+		os=-mingw64
+		;;
 	mingw32)
-		basic_machine=i386-pc
+		basic_machine=i686-pc
 		os=-mingw32
 		;;
 	mingw32ce)
@ -814,6 +842,10 @@ case $basic_machine in
 		basic_machine=powerpc-unknown
 		os=-morphos
 		;;
+	moxiebox)
+		basic_machine=moxie-unknown
+		os=-moxiebox
+		;;
 	msdos)
 		basic_machine=i386-pc
 		os=-msdos
@ -822,7 +854,7 @@ case $basic_machine in
 		basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
 		;;
 	msys)
-		basic_machine=i386-pc
+		basic_machine=i686-pc
 		os=-msys
 		;;
 	mvs)
@ -1013,7 +1045,11 @@ case $basic_machine in
 		basic_machine=i586-unknown
 		os=-pw32
 		;;
-	rdos)
+	rdos | rdos64)
+		basic_machine=x86_64-pc
+		os=-rdos
+		;;
+	rdos32)
 		basic_machine=i386-pc
 		os=-rdos
 		;;
@ -1340,29 +1376,30 @@ case $os in
 	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
 	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
 	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
-	      | -sym* | -kopensolaris* \
+	      | -sym* | -kopensolaris* | -plan9* \
 	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
-	      | -aos* | -aros* \
+	      | -aos* | -aros* | -cloudabi* | -sortix* \
 	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
 	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
 	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
-	      | -openbsd* | -solidbsd* \
+	      | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
 	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
 	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
 	      | -chorusos* | -chorusrdb* | -cegcc* \
 	      | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -linux-gnu* | -linux-android* \
-	      | -linux-newlib* | -linux-uclibc* \
-	      | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
+	      | -linux-newlib* | -linux-musl* | -linux-uclibc* \
+	      | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
 	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
 	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
 	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
 	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
 	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
 	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
-	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
+	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
+	      | -onefs* | -tirtos*)
 	# Remember, each alternative MUST END IN *, to match a version number.
 		;;
 	-qnx*)
@ -1486,9 +1523,6 @@ case $os in
 	-aros*)
 		os=-aros
 		;;
-	-kaos*)
-		os=-kaos
-		;;
 	-zvmoe)
 		os=-zvmoe
 		;;
@ -1497,6 +1531,8 @@ case $os in
 		;;
 	-nacl*)
 		;;
+	-ios)
+		;;
 	-none)
 		;;
 	*)
@ -1537,6 +1573,12 @@ case $basic_machine in
 	c4x-* | tic4x-*)
 		os=-coff
 		;;
+	c8051-*)
+		os=-elf
+		;;
+	hexagon-*)
+		os=-elf
+		;;
 	tic54x-*)
 		os=-coff
 		;;
--- a/3343
+++ b/3343
--- a/configure.ac
+++ b/configure.ac
@ -5,17 +5,35 @@ sinclude(acx_nlnetlabs.m4)

 # must be numbers. ac_defun because of later processing.
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[6])
-m4_define([VERSION_MICRO],[17])
+m4_define([VERSION_MINOR],[7])
+m4_define([VERSION_MICRO],[0])
 AC_INIT(ldns, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), libdns@nlnetlabs.nl, libdns)
 AC_CONFIG_SRCDIR([packet.c])
 # needed to build correct soname
 AC_SUBST(LDNS_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(LDNS_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(LDNS_VERSION_MICRO, [VERSION_MICRO])
-AC_SUBST(VERSION_INFO, [VERSION_MAJOR:VERSION_MINOR:VERSION_MICRO])
+
+# Library version
+# ---------------
+# current:revision:age
+# (binary-api-number):(which-binary-api-version):(how-many-nrs-backwardscompat)
+# if source code changes increment revision
+# if any interfaces have been added/removed/changed since last update then
+#   increment current and set revision to 0
+# if any interfaces have been added since the last public release then increment age
+# if any interfaces have been removed or changed since the last public release then
+#   set age to 0
+#
+# ldns-1.6.17 and before had a .so with version same as VERSION_INFO
+# ldns-1.7.0 will have libversion 2:0:0
+#
+AC_SUBST(VERSION_INFO, [2:0:0])

 AC_AIX
+if test "$ac_cv_header_minix_config_h" = "yes"; then
+	AC_DEFINE(_NETBSD_SOURCE,1, [Enable for compile on Minix])
+fi
 LT_INIT
 AC_CONFIG_MACRO_DIR([m4])

@ -74,7 +92,9 @@ ACX_CHECK_COMPILER_FLAG(Wall, [CFLAGS="-Wall $CFLAGS"])
 ACX_CHECK_COMPILER_FLAG(W, [CFLAGS="-W $CFLAGS"])
 ACX_CHECK_COMPILER_FLAG(Wwrite-strings, [CFLAGS="-Wwrite-strings $CFLAGS"])
 ACX_CHECK_COMPILER_FLAG(Wstrict-prototypes, [CFLAGS="-Wstrict-prototypes $CFLAGS"])
-
+#ACX_CHECK_COMPILER_FLAG(Wshadow, [CFLAGS="-Wshadow $CFLAGS"])
+ACX_CHECK_COMPILER_FLAG(Wunused-function, [CFLAGS="-Wunused-function $CFLAGS"])
+ACX_CHECK_COMPILER_FLAG(Wmissing-prototypes, [CFLAGS="-Wmissing-prototypes $CFLAGS"])

 AC_CHECK_HEADERS([getopt.h time.h],,, [AC_INCLUDES_DEFAULT])

@ -118,14 +138,12 @@ This does not work with the --with-drill option.
 Please remove the config.h from the drill subdirectory 
 or do not use the --with-drill option.])
 	fi
-	DRILL_CONFIG=" drill/drill.1"
 else
 	AC_SUBST(DRILL,[""])
 	AC_SUBST(INSTALL_DRILL,[""])
 	AC_SUBST(UNINSTALL_DRILL,[""])
 	AC_SUBST(CLEAN_DRILL,[""])
 	AC_SUBST(LINT_DRILL,[""])
-	DRILL_CONFIG=""
 fi


@ -145,14 +163,12 @@ This does not work with the --with-examples option.
 Please remove the config.h from the examples subdirectory 
 or do not use the --with-examples option.])
 	fi
-	EXAMPLES_CONFIG=" examples/ldns-dane.1 examples/ldns-verify-zone.1"
 else
 	AC_SUBST(EXAMPLES,[""])
 	AC_SUBST(INSTALL_EXAMPLES,[""])
 	AC_SUBST(UNINSTALL_EXAMPLES,[""])
 	AC_SUBST(CLEAN_EXAMPLES,[""])
 	AC_SUBST(LINT_EXAMPLES,[""])
-	EXAMPLES_CONFIG=""
 fi

 # add option to disable installation of ldns-config script
@ -180,6 +196,13 @@ case "$enable_stderr_msgs" in
        ;;
 esac

+AX_HAVE_POLL(
+  [AX_CONFIG_FEATURE_ENABLE(poll)],
+  [AX_CONFIG_FEATURE_DISABLE(poll)])
+AX_CONFIG_FEATURE(
+  [poll], [This platform supports poll(7)],
+  [HAVE_POLL], [This platform supports poll(7).])
+
 # check for python
 PYTHON_X_CFLAGS=""
 ldns_with_pyldns=no
@ -301,8 +324,14 @@ tmp_LDFLAGS=$LDFLAGS
 tmp_LIBS=$LIBS

 ACX_WITH_SSL_OPTIONAL
-
-AC_CHECK_FUNCS([EVP_sha256])
+AC_MSG_CHECKING([for LibreSSL])
+if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
+	AC_MSG_RESULT([yes])
+	AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
+else
+	AC_MSG_RESULT([no])
+fi
+AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id DSA_SIG_set0 DSA_SIG_get0 EVP_dss1 DSA_get0_pqg DSA_get0_key])

 # for macosx, see if glibtool exists and use that
 # BSD's need to know the version...
@ -325,6 +354,103 @@ case "$enable_sha2" in
        ;;
 esac

+# check wether gost also works
+AC_DEFUN([AC_CHECK_GOST_WORKS],
+[AC_REQUIRE([AC_PROG_CC])
+AC_MSG_CHECKING([if GOST works])
+if test c${cross_compiling} = cno; then
+BAKCFLAGS="$CFLAGS"
+if test -n "$ssldir"; then
+	CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib"
+fi
+AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#include <string.h>
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include <openssl/conf.h>
+/* routine to load gost (from sldns) */
+int load_gost_id(void)
+{
+	static int gost_id = 0;
+	const EVP_PKEY_ASN1_METHOD* meth;
+	ENGINE* e;
+
+	if(gost_id) return gost_id;
+
+	/* see if configuration loaded gost implementation from other engine*/
+	meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
+	if(meth) {
+		EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
+		return gost_id;
+	}
+
+	/* see if engine can be loaded already */
+	e = ENGINE_by_id("gost");
+	if(!e) {
+		/* load it ourself, in case statically linked */
+		ENGINE_load_builtin_engines();
+		ENGINE_load_dynamic();
+		e = ENGINE_by_id("gost");
+	}
+	if(!e) {
+		/* no gost engine in openssl */
+		return 0;
+	}
+	if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+		ENGINE_finish(e);
+		ENGINE_free(e);
+		return 0;
+	}
+
+	meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
+	if(!meth) {
+		/* algo not found */
+		ENGINE_finish(e);
+		ENGINE_free(e);
+		return 0;
+	}
+	EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
+	return gost_id;
+}
+int main(void) { 
+	EVP_MD_CTX* ctx;
+	const EVP_MD* md;
+	unsigned char digest[64]; /* its a 256-bit digest, so uses 32 bytes */
+	const char* str = "Hello world";
+	const unsigned char check[] = {
+		0x40 , 0xed , 0xf8 , 0x56 , 0x5a , 0xc5 , 0x36 , 0xe1 ,
+		0x33 , 0x7c , 0x7e , 0x87 , 0x62 , 0x1c , 0x42 , 0xe0 ,
+		0x17 , 0x1b , 0x5e , 0xce , 0xa8 , 0x46 , 0x65 , 0x4d ,
+		0x8d , 0x3e , 0x22 , 0x9b , 0xe1 , 0x30 , 0x19 , 0x9d
+	};
+	OPENSSL_config(NULL);
+	(void)load_gost_id();
+	md = EVP_get_digestbyname("md_gost94");
+	if(!md) return 1;
+	memset(digest, 0, sizeof(digest));
+	ctx = EVP_MD_CTX_create();
+	if(!ctx) return 2;
+	if(!EVP_DigestInit_ex(ctx, md, NULL)) return 3;
+	if(!EVP_DigestUpdate(ctx, str, 10)) return 4;
+	if(!EVP_DigestFinal_ex(ctx, digest, NULL)) return 5;
+	/* uncomment to see the hash calculated.
+		{int i;
+		for(i=0; i<32; i++)
+			printf(" %2.2x", (int)digest[i]);
+		printf("\n");}
+	*/
+	if(memcmp(digest, check, sizeof(check)) != 0)
+		return 6;
+	return 0;
+}
+]])] , [eval "ac_cv_c_gost_works=yes"], [eval "ac_cv_c_gost_works=no"])
+CFLAGS="$BAKCFLAGS"
+else
+eval "ac_cv_c_gost_works=maybe"
+fi
+])dnl
+
 AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
 case "$enable_gost" in
    no)
@ -336,7 +462,22 @@ case "$enable_gost" in
        AC_MSG_CHECKING(for GOST)
        AC_CHECK_FUNC(EVP_PKEY_set_type_str, [],[AC_MSG_ERROR([OpenSSL >= 1.0.0 is needed for GOST support or rerun with --disable-gost])])
        AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([No ECC functions found in OpenSSL: please upgrade OpenSSL or rerun with --disable-gost])])
-        AC_DEFINE_UNQUOTED([USE_GOST], [1], [Define this to enable GOST support.])
+	AC_CHECK_GOST_WORKS
+	AC_ARG_ENABLE(gost-anyway, AC_HELP_STRING([--enable-gost-anyway], [Enable GOST even whithout a GOST engine installed]))
+	if test "$ac_cv_c_gost_works" != "no" -o "$enable_gost_anyway" = "yes"; then
+		if test "$ac_cv_c_gost_works" = "no"; then
+			AC_MSG_RESULT([no, but compiling with GOST support anyway])
+		else
+			AC_MSG_RESULT([yes])
+		fi
+		use_gost="yes"
+		AC_DEFINE([USE_GOST], [1], [Define this to enable GOST support.])
+	else
+		AC_MSG_RESULT([no])
+		AC_MSG_WARN([Gost support does not work because the engine is missing.])
+		AC_MSG_WARN([Install gost-engine first or use the --enable-gost-anyway to compile with GOST support anyway])
+		AC_MSG_WARN([See also https://github.com/gost-engine/engine/wiki for information about gost-engine])
+	fi
        ;;
 esac

@ -358,18 +499,102 @@ case "$enable_ecdsa" in
      ;;
 esac

+AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))
+case "$enable_dsa" in
+    no)
+      ;;
+    *) dnl default
+      # detect if DSA is supported, and turn it off if not.
+      AC_CHECK_FUNC(DSA_SIG_new, [
+	AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+      ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
+	  fi ])
+      ;;
+esac
+
+AC_ARG_ENABLE(ed25519, AC_HELP_STRING([--enable-ed25519], [Enable ED25519 support (experimental)]))
+case "$enable_ed25519" in
+    yes)
+      if test "x$HAVE_SSL" != "xyes"; then
+        AC_MSG_ERROR([ED25519 enabled, but no SSL support])
+      fi
+      AC_CHECK_DECLS([NID_X25519], [], [AC_MSG_ERROR([OpenSSL does not support the EDDSA curve: please upgrade OpenSSL or rerun with --disable-ed25519])], [AC_INCLUDES_DEFAULT
+#include <openssl/evp.h>
+      ])
+      AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
+      ;;
+    *|no) dnl default
+      ;;
+esac
+
+AC_ARG_ENABLE(ed448, AC_HELP_STRING([--enable-ed448], [Enable ED448 support (experimental)]))
+case "$enable_ed448" in
+    yes)
+      if test "x$HAVE_SSL" != "xyes"; then
+        AC_MSG_ERROR([ED448 enabled, but no SSL support])
+      fi
+      AC_CHECK_DECLS([NID_X448], [], [AC_MSG_ERROR([OpenSSL does not support the EDDSA curve: please upgrade OpenSSL or rerun with --disable-ed448])], [AC_INCLUDES_DEFAULT
+#include <openssl/evp.h>
+      ])
+      AC_DEFINE_UNQUOTED([USE_ED448], [1], [Define this to enable ED448 support.])
+      ;;
+    *|no) dnl default
+      ;;
+esac
+
 AC_ARG_ENABLE(dane, AC_HELP_STRING([--disable-dane], [Disable DANE support]))
+AC_ARG_ENABLE(dane-verify, AC_HELP_STRING([--disable-dane-verify], [Disable DANE verify support]))
+AC_ARG_ENABLE(dane-ta-usage, AC_HELP_STRING([--disable-dane-ta-usage], [Disable DANE-TA usage type support]))
+
+AC_ARG_ENABLE(full-dane,, [
+	enable_dane_ta_usage=yes
+	enable_dane_verify=yes
+	enable_dane=yes
+])
+AC_ARG_ENABLE(no-dane-ta-usage,, [
+	enable_dane_ta_usage=no
+	enable_dane_verify=yes
+	enable_dane=yes
+])
+AC_ARG_ENABLE(no-dane-verify,, [
+	enable_dane_ta_usage=no
+	enable_dane_verify=no
+	enable_dane=yes
+])
 case "$enable_dane" in
    no)
      AC_SUBST(ldns_build_config_use_dane, 0)
+      AC_SUBST(ldns_build_config_use_dane_verify, 0)
+      AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
      ;;
    *) dnl default
      if test "x$HAVE_SSL" != "xyes"; then
        AC_MSG_ERROR([DANE enabled, but no SSL support])
      fi
      AC_CHECK_FUNC(X509_check_ca, [], [AC_MSG_ERROR([OpenSSL does not support DANE: please upgrade OpenSSL or rerun with --disable-dane])])
-      AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
      AC_SUBST(ldns_build_config_use_dane, 1)
+      AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
+      case "$enable_dane_verify" in
+          no)
+            AC_SUBST(ldns_build_config_use_dane_verify, 0)
+            AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
+	    ;;
+	  *)
+	    AC_SUBST(ldns_build_config_use_dane_verify, 1)
+	    AC_DEFINE_UNQUOTED([USE_DANE_VERIFY], [1], [Define this to enable DANE verify support.])
+            case "$enable_dane_ta_usage" in
+                no)
+                  AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
+                  ;;
+                *) dnl default
+      	    LIBS="-lssl $LIBS"
+                  AC_CHECK_FUNC(SSL_get0_dane, [], [AC_MSG_ERROR([OpenSSL does not support offline DANE verification (Needed for the DANE-TA usage type).  Please upgrade OpenSSL to version >= 1.1.0 or rerun with --disable-dane-verify or --disable-dane-ta-usage])])
+                  LIBSSL_LIBS="$LIBSSL_LIBS -lssl"
+                  AC_SUBST(ldns_build_config_use_dane_ta_usage, 1)
+                  AC_DEFINE_UNQUOTED([USE_DANE_TA_USAGE], [1], [Define this to enable DANE-TA usage type support.])
+                  ;;
+            esac
+      esac
      ;;
 esac

@ -389,20 +614,12 @@ case "$enable_rrtype_rkey" in
 	no|*)
 		;;
 esac
-AC_ARG_ENABLE(rrtype-cds, AC_HELP_STRING([--enable-rrtype-cds], [Enable draft RR type cds.]))
-case "$enable_rrtype_cds" in
-	yes)
-		AC_DEFINE_UNQUOTED([RRTYPE_CDS], [], [Define this to enable RR type CDS.])
+AC_ARG_ENABLE(rrtype-openpgpkey, AC_HELP_STRING([--disable-rrtype-openpgpkey], [Disable openpgpkey RR type.]))
+case "$enable_rrtype_openpgpkey" in
+	no)
 		;;
-	no|*)
-		;;
-esac
-AC_ARG_ENABLE(rrtype-uri, AC_HELP_STRING([--enable-rrtype-uri], [Enable draft RR type uri.]))
-case "$enable_rrtype_uri" in
-	yes)
-		AC_DEFINE_UNQUOTED([RRTYPE_URI], [], [Define this to enable RR type URI.])
-		;;
-	no|*)
+	yes|*)
+		AC_DEFINE_UNQUOTED([RRTYPE_OPENPGPKEY], [], [Define this to enable RR type OPENPGPKEY.])
 		;;
 esac
 AC_ARG_ENABLE(rrtype-ta, AC_HELP_STRING([--enable-rrtype-ta], [Enable draft RR type ta.]))
@ -413,6 +630,14 @@ case "$enable_rrtype_ta" in
 	no|*)
 		;;
 esac
+AC_ARG_ENABLE(rrtype-avc, AC_HELP_STRING([--enable-rrtype-avc], [Enable draft RR type avc.]))
+case "$enable_rrtype_avc" in
+	yes)
+		AC_DEFINE_UNQUOTED([RRTYPE_AVC], [], [Define this to enable RR type AVC.])
+		;;
+	no|*)
+		;;
+esac

 AC_SUBST(LIBSSL_CPPFLAGS)
 AC_SUBST(LIBSSL_LDFLAGS)
@ -616,31 +841,26 @@ ACX_FUNC_IOCTLSOCKET
 ACX_CHECK_FORMAT_ATTRIBUTE
 ACX_CHECK_UNUSED_ATTRIBUTE

-# check OSX deployment target which is needed
+# check OSX deployment target, if needed
 if echo $build_os | grep darwin > /dev/null; then
- 	export MACOSX_DEPLOYMENT_TARGET="10.4"
+  sdk_p=`xcode-select -print-path`;
+  sdk_v="$( /usr/bin/xcrun --show-sdk-version )";
+  case $sdk_v in
+       10.9|10.8)   sdk_c="10.7";;
+       10.11|10.10|*) sdk_c="10.10";;
+  esac
+  export MACOSX_DEPLOYMENT_TARGET="${sdk_c}";
+  export CFLAGS="$CFLAGS -mmacosx-version-min=${sdk_c} -isysroot ${sdk_p}/Platforms/MacOSX.platform/Developer/SDKs/MacOSX${sdk_v}.sdk";
 fi

 AC_DEFINE([SYSCONFDIR], [sysconfdir], [System configuration dir])

 AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=KEYFILE], [Default location of the trust anchor file for drill and ldns-dane. [default=SYSCONFDIR/unbound/root.key]]), [
- LDNS_TRUST_ANCHOR_FILE="$withval"
+ AC_SUBST([LDNS_TRUST_ANCHOR_FILE], ["$withval"])
+ AC_MSG_NOTICE([Default trust anchor: $withval])
 ],[
- if test "x$LDNS_TRUST_ANCHOR_FILE" = "x"; then
-  if test "x$sysconfdir" = 'x${prefix}/etc' ; then
-   if test "x$prefix" = 'xNONE' ; then
-    LDNS_TRUST_ANCHOR_FILE="/etc/unbound/root.key"
-   else
-    LDNS_TRUST_ANCHOR_FILE="${prefix}/etc/unbound/root.key"
-   fi
-  else
-    LDNS_TRUST_ANCHOR_FILE="${sysconfdir}/unbound/root.key"
-  fi
- fi
+ AC_SUBST([LDNS_TRUST_ANCHOR_FILE], ["\$(sysconfdir)/unbound/root.key"])
 ])
-AC_DEFINE_UNQUOTED([LDNS_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file])
-AC_SUBST(LDNS_TRUST_ANCHOR_FILE)
-AC_MSG_NOTICE([Default trust anchor: $LDNS_TRUST_ANCHOR_FILE])

 AC_ARG_WITH(ca-file, AC_HELP_STRING([--with-ca-file=CAFILE], [File containing CA certificates for ldns-dane]), [
 AC_DEFINE([HAVE_DANE_CA_FILE], [1], [Is a CAFILE given at configure time])
@ -793,6 +1013,15 @@ void *memmove(void *dest, const void *src, size_t n);
 #ifndef HAVE_STRLCPY
 size_t strlcpy(char *dst, const char *src, size_t siz);
 #endif
+
+#ifdef USE_WINSOCK
+#define SOCK_INVALID INVALID_SOCKET
+#define close_socket(_s) do { if (_s > SOCK_INVALID) {closesocket(_s); _s = SOCK_INVALID;} } while(0)
+#else
+#define SOCK_INVALID -1
+#define close_socket(_s) do { if (_s > SOCK_INVALID) {close(_s); _s = SOCK_INVALID;} } while(0)
+#endif
+
 #ifdef __cplusplus
 }
 #endif
@ -820,7 +1049,7 @@ else
  AC_SUBST(ldns_build_config_have_attr_unused, 0)
 fi

-CONFIG_FILES="Makefile ldns/common.h ldns/net.h ldns/util.h packaging/libldns.pc packaging/ldns-config $DRILL_CONFIG $EXAMPLES_CONFIG"
+CONFIG_FILES="Makefile ldns/common.h ldns/net.h ldns/util.h packaging/libldns.pc packaging/ldns-config"
 AC_SUBST(CONFIG_FILES)
 AC_CONFIG_FILES([$CONFIG_FILES])

--- a/contrib/DNS-LDNS/Changes
+++ b/contrib/DNS-LDNS/Changes
@ -21,3 +21,25 @@ Revision history for Perl extension DNS::LDNS.

 0.06  Tue Dec 31 12:17:00 2013
        - Corrected pod syntax
+
+0.50  Sun Mar 30 11:05:23 2014
+        - Added prev parameter to the DNS::LDNS::RR::new(str) constructor.
+        - Corrected DNS::LDNS::RR::new(file/filename) constructor. Added prev
+          parameter, changed the default_ttl and origin parameters to 
+          references so they can return data back to the caller as intended.
+          Using the 'built-in' default values for ttl and origin, rather than
+          my own values.
+        - Corrected the DNS::LDNS::Zone::new() constructor. Corrected file
+          option for reading zone from stream. Using the 'built-in' default
+          values for ttl and origin, rather than my own values.
+        - Removed the $DNS::LDNS::DEFAULT_* variables, they proved to be less 
+          useful after modifying the Zone and RR constructors.
+        - More robust Makefile.PL. Check for existence of ldns library
+          and perl modules required for the test suite.
+
+0.51  Wed Apr 2 09:12:00 2014
+        - Added META.yml, and added some more package dependencies.
+        - Compatibility with ldns < 1.6.12.
+
+0.52  Tue May 5 09:13:00 2015
+        - Fixed typo in META.yml
--- a/contrib/DNS-LDNS/LDNS.xs
+++ b/contrib/DNS-LDNS/LDNS.xs
@ -89,6 +89,22 @@ ldns_rr_list *ldns_validate_domain_dnskey_time(
 ldns_rr_list *ldns_validate_domain_ds_time(
                const ldns_resolver *res, const ldns_rdf *domain, 
                const ldns_rr_list * keys, time_t check_time);
+ldns_status ldns_verify_rrsig_keylist_time(
+                ldns_rr_list *rrset, ldns_rr *rrsig, 
+                const ldns_rr_list *keys, time_t check_time,
+                ldns_rr_list *good_keys);
+ldns_status ldns_verify_trusted_time(
+                ldns_resolver *res, ldns_rr_list *rrset, 
+                ldns_rr_list *rrsigs, time_t check_time,
+                ldns_rr_list *validating_keys);
+ldns_status ldns_verify_rrsig_time(
+                ldns_rr_list *rrset, ldns_rr *rrsig, 
+                ldns_rr *key, time_t check_time);
+ldns_status ldns_verify_time(ldns_rr_list *rrset,
+                                    ldns_rr_list *rrsig,
+                                    const ldns_rr_list *keys,
+                                    time_t check_time,
+                                    ldns_rr_list *good_keys);   

 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time(
                ldns_dnssec_data_chain *data_chain, 
@ -114,6 +130,33 @@ ldns_rr_list *ldns_validate_domain_ds_time(
    Perl_croak(aTHX_ "function ldns_validate_domain_ds_time is not implemented in this version of ldns");
 }

+ldns_status ldns_verify_rrsig_keylist_time(
+                ldns_rr_list *rrset, ldns_rr *rrsig, 
+                const ldns_rr_list *keys, time_t check_time,
+                ldns_rr_list *good_keys) {
+    Perl_croak(aTHX_ "function ldns_verify_rrsig_keylist_time is not implemented in this version of ldns");
+}
+
+ldns_status ldns_verify_trusted_time(
+                ldns_resolver *res, ldns_rr_list *rrset, 
+                ldns_rr_list *rrsigs, time_t check_time,
+                ldns_rr_list *validating_keys) {
+    Perl_croak(aTHX_ "function ldns_verify_trusted_time is not implemented in this version of ldns");
+}
+
+ldns_status ldns_verify_rrsig_time(
+                ldns_rr_list *rrset, ldns_rr *rrsig, 
+                ldns_rr *key, time_t check_time) {
+    Perl_croak(aTHX_ "function ldns_verify_rrsig_time is not implemented in this version of ldns");
+}
+
+ldns_status ldns_verify_time(ldns_rr_list *rrset,
+                                    ldns_rr_list *rrsig,
+                                    const ldns_rr_list *keys,
+                                    time_t check_time,
+                                    ldns_rr_list *good_keys) {
+    Perl_croak(aTHX_ "function ldns_verify_time is not implemented in this version of ldns");
+}

 #endif

@ -709,45 +752,70 @@ ldns_rr_new_frm_type(t)
 	_new_from_type = 1

 DNS__LDNS__RR
-_new_from_str(str, default_ttl, origin, s)
+_new_from_str(str, default_ttl, origin, prev, s)
 	const char* str;
 	uint32_t default_ttl;
 	DNS__LDNS__RData__Opt origin;
+	DNS__LDNS__RData__Opt prev;
 	LDNS_Status s;
 	PREINIT:
 	    DNS__LDNS__RR rr = NULL;
+	    ldns_rdf *pclone = NULL;
 	CODE:
-	s = ldns_rr_new_frm_str(&rr, str, default_ttl, origin, NULL);
+
+	if (prev != NULL) {
+	    pclone = ldns_rdf_clone(prev);
+        }
+
+	s = ldns_rr_new_frm_str(&rr, str, default_ttl, origin, &prev);
+	if (prev != NULL) {
+	    prev = pclone;
+	}
+
 	if (s == LDNS_STATUS_OK) {
 	    RETVAL = rr;
 	}
 	OUTPUT:
 	RETVAL
 	s
+	prev

 DNS__LDNS__RR
-_new_from_file(fp, origin, default_ttl, s, line_nr)
+_new_from_file(fp, default_ttl, origin, prev, s, line_nr)
 	FILE*         fp;
-	DNS__LDNS__RData__Opt origin;
 	uint32_t      default_ttl;
+	DNS__LDNS__RData__Opt origin;
+	DNS__LDNS__RData__Opt prev;
 	LDNS_Status   s;
 	int           line_nr;
        PREINIT:
            ldns_rr *rr;
 	    ldns_rdf *oclone = NULL;
+	    ldns_rdf *pclone = NULL;
        CODE:
-	RETVAL = NULL;
-	/* Clone the origin object because the call may change/replace it and 
-	   then it must be freed */
-	if (origin) {
+
+	/* Must clone origin and prev because new_frm_fp_l may change 
+ 	   them and may not (we do not know for certain). The perl layer 
+	   will take care of freeing the old structs. */
+	if (origin != NULL) {
 	    oclone = ldns_rdf_clone(origin);
        }
-	s = ldns_rr_new_frm_fp_l(&rr, fp, &default_ttl, &oclone, NULL, 
+	if (prev != NULL) {
+	    pclone = ldns_rdf_clone(prev);
+        }
+
+	RETVAL = NULL;
+	s = ldns_rr_new_frm_fp_l(&rr, fp, &default_ttl, &oclone, &pclone, 
 	    &line_nr);

-	if (oclone) {
-	    ldns_rdf_deep_free(oclone);
-        }
+	/* Replace the input origin with our new clone. The perl layer will
+	   take care of freeing it later. */
+	if (origin != NULL) {
+	    origin = oclone;
+	}
+	if (prev != NULL) {
+	    prev = pclone;
+	}

 	if (s == LDNS_STATUS_OK) {
 	    RETVAL = rr;
@ -757,6 +825,9 @@ _new_from_file(fp, origin, default_ttl, s, line_nr)
        RETVAL
 	s
 	line_nr
+        default_ttl
+        origin
+	prev

 DNS__LDNS__RR
 ldns_rr_clone(rr)
@ -1223,7 +1294,7 @@ ldns_rdf_clone(rdf)
 	ALIAS:
 	clone = 1

-const char*
+Mortal_PV
 ldns_rdf2str(rdf)
 	DNS__LDNS__RData rdf;
 	ALIAS:
@ -2113,7 +2184,7 @@ ldns_resolver_nameservers_randomize(resolver)
 	ALIAS:
 	nameservers_randomize = 1

-char*
+const char*
 ldns_resolver_tsig_keyname(resolver)
 	DNS__LDNS__Resolver resolver;
 	ALIAS:
@ -2126,7 +2197,7 @@ ldns_resolver_set_tsig_keyname(resolver, tsig_keyname)
 	ALIAS:
 	set_tsig_keyname = 1

-char*
+const char*
 ldns_resolver_tsig_algorithm(resolver)
 	DNS__LDNS__Resolver resolver;
 	ALIAS:
@ -2139,7 +2210,7 @@ ldns_resolver_set_tsig_algorithm(resolver, tsig_algorithm)
 	ALIAS:
 	set_tsig_algorithm = 1

-char*
+const char*
 ldns_resolver_tsig_keydata(resolver)
 	DNS__LDNS__Resolver resolver;
 	ALIAS:
--- a/contrib/DNS-LDNS/META.yml
+++ b/contrib/DNS-LDNS/META.yml
@ -0,0 +1,26 @@
+---
+abstract: 'Perl extension for the ldns library'
+author:
+  - 'Erik Pihl Ostlyngen <erik.ostlyngen@uninett.no>'
+build_requires:
+  FindBin: 0
+  Test::Exception: 0
+  Test::More: 0
+configure_requires:
+  Devel::CheckLib: 0
+  ExtUtils::MakeMaker: 0
+distribution_type: module
+dynamic_config: 0
+generated_by: 'ExtUtils::MakeMaker version 6.57_05'
+license: perl
+meta-spec:
+  url: http://module-build.sourceforge.net/META-spec-v1.4.html
+  version: 1.4
+name: DNS-LDNS
+no_index:
+  directory:
+    - t
+    - inc
+requires:
+  XSLoader: 0
+version: 0.52
--- a/contrib/DNS-LDNS/Makefile.PL
+++ b/contrib/DNS-LDNS/Makefile.PL
@ -1,14 +1,35 @@
 use 5.014002;
 use ExtUtils::MakeMaker;
+
+use Devel::CheckLib;
+
+check_lib_or_exit( 
+    lib      => 'ldns', 
+    header   => 'ldns/ldns.h', 
+    function => 'if(atof(ldns_version()) >= 1.6) return 0; else return 1;'
+);
+
 # See lib/ExtUtils/MakeMaker.pm for details of how to influence
 # the contents of the Makefile that is written.
 WriteMakefile(
    NAME              => 'DNS::LDNS',
    VERSION_FROM      => 'lib/DNS/LDNS.pm', # finds $VERSION
-    PREREQ_PM         => {}, # e.g., Module::Name => 1.1
+    CONFIGURE_REQUIRES => {
+        'Devel::CheckLib'    => 0,
+        'ExtUtils::MakeMaker' => 0,
+    },
+    BUILD_REQUIRES    => { # Actually required only by the tests
+	'FindBin'         => 0,
+        'Test::More'      => 0,
+	'Test::Exception' => 0,
+    },
+    PREREQ_PM         => {
+        'XSLoader'        => 0,
+    },
    ($] >= 5.005 ?     ## Add these new keywords supported since 5.005
      (ABSTRACT_FROM  => 'lib/DNS/LDNS.pm', # retrieve abstract from module
-       AUTHOR         => 'Erik Pihl Ostlyngen <erik.ostlyngen@uninett.no>') : ()),
+       AUTHOR         => 'Erik Pihl Ostlyngen <erik.ostlyngen@uninett.no>',
+       LICENSE        => 'perl') : ()),
    LIBS              => ['-lldns'],
    DEFINE            => '',
    INC               => '-I.',
--- a/contrib/DNS-LDNS/README
+++ b/contrib/DNS-LDNS/README
@ -1,4 +1,4 @@
-DNS::LDNS version 0.06
+DNS::LDNS version 0.52
 ======================

 DESCRIPTION
--- a/contrib/DNS-LDNS/lib/DNS/LDNS.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS.pm
@ -651,7 +651,7 @@ our @EXPORT = qw(
 	read_anchor_file
 );

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub AUTOLOAD {
    # This AUTOLOAD is used to 'autoload' constants from the constant()
@ -706,15 +706,6 @@ require DNS::LDNS::KeyList;
 require DNS::LDNS::DNSSecDataChain;
 require DNS::LDNS::DNSSecTrustTree;

-# Some default values used by the constructors
-our $DEFAULT_CLASS = &LDNS_RR_CLASS_IN;
-our $DEFAULT_TTL = 86400;         # 1d
-our $DEFAULT_ORIGIN = new DNS::LDNS::RData(&LDNS_RDF_TYPE_DNAME, '.');
-our $DEFAULT_SOA_REFRESH = 86400; # 1d
-our $DEFAULT_SOA_RETRY = 3600;    # 1h
-our $DEFAULT_SOA_EXPIRE = 604800; # 1w
-our $DEFAULT_SOA_MINIMUM = 10800; # 3h
-
 # Autoload methods go after =cut, and are processed by the autosplit program.

 1;
@ -778,7 +769,7 @@ Represents a parsed zonefile (maps to the ldns_zone struct)
 =item B<DNS::LDNS::RRList>

 Represents a list of RRs. This class is also used to represent an
-RRSet  all the dnames and types are equal, (maps to the the
+RRSet if all the dnames and types are equal, (maps to the the
 ldns_rr_list struct)

 =item B<DNS::LDNS::RR>
@ -909,15 +900,13 @@ freed.

 The purpose for writing this wrapper class has been to be able to
 process zone file data with good time performance. Data checking and
-error handling is a bit sparse. Calling a method with wrong argument
-types will some times kill the application with an intelligible error
-message, in other cases it may provoke a segmentation fault. Using
-out-of-range data values, e.g. in array indexes, may also cause
-unexpected results.
+error handling is a bit sparse.

-Most constructors and all methods returning a status will update the
-static DNS::LDNS::last_status variable. Most methods do not return a
-status and will not reset this variable even though they succeeds.
+Most constructors will update the DNS::LDNS::last_status variable if 
+they fail (return undef). Wrapper methods to ldns functions which would 
+return a status will update the static DNS::LDNS::last_status variable. 
+Most methods do not return a status and will not reset this variable 
+even though they succeeds.

 =head2 EXPORT

@ -1286,10 +1275,9 @@ None by default.

 =head1 BUGS

-This package is currently in a very early stage of development. There
-are probably some bugs. You may also expect that method names and
-behaviour could still change without much considerations to backward
-compatibility.
+This package is still in the beta stage of development. There no known bugs, 
+although parts of the code has not yet been very well tested. Bugreports will 
+be greatly appreciated.

 =head1 SEE ALSO

--- a/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecDataChain.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecDataChain.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS;

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub rrset {
    my $self = shift;
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecName.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecName.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS ':all';

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub new {
    my $class = shift;
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecRRSets.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecRRSets.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS;

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 # Note: Since this class does not have a constructor, we can let its child
 # objects be owned by the parent. This reduces the recursion depth on
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecRRs.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecRRs.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS;

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 # Note: This class does not have a constructor. Thus, it can not be created
 # as an individual object. The data structure of the node is owned 
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecTrustTree.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecTrustTree.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS;

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub add_parent {
    my ($self, $parent, $sig, $parent_status) = @_;
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecZone.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/DNSSecZone.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS ':all';

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub new {
    my ($class, %args) = @_;
@ -31,9 +31,9 @@ sub new {

    if ($file) {
 	$zone = _new_from_file($file, 
-			       $args{origin} || $LDNS::DEFAULT_ORIGIN, 
-			       $args{ttl} || $LDNS::DEFAULT_TTL, 
-			       $args{class} || $LDNS::DEFAULT_CLASS, 
+			       $args{origin}, 
+			       $args{ttl} || 0, 
+			       $args{class} || 0, 
 			       $status, $line_nr);
    }
    else {
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/GC.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/GC.pm
@ -3,7 +3,7 @@ package DNS::LDNS::GC;
 use strict;
 use warnings;

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 my %ref_count;
 my %owned_by;
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/Key.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/Key.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS ':all';

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub new {
    my ($class, %args) = @_;
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/KeyList.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/KeyList.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS ':all';

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub new {
    my $class = shift;
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/Packet.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/Packet.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS;

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub new {
    my ($class, %args) = @_;
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/RBNode.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/RBNode.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS;

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 # Note: This class does not have a constructor. Thus, it can not be created
 # as an individual object. The data structure of the object will always be 
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/RBTree.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/RBTree.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS;

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 # Note: Since this class does not have a constructor, we can let its child
 # objects be owned by the parent. This reduces the recursion depth on
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/RData.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/RData.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS;

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub new {
    my ($class, $type, $str) = @_;
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/RR.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/RR.pm
@ -5,9 +5,8 @@ use strict;
 use warnings;

 use DNS::LDNS ':all';
-use Carp 'croak';

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub new {
    my $class = shift;
@ -19,17 +18,19 @@ sub new {
 	$rr = _new;
    }
    elsif (scalar(@_) == 1) {
-	$rr = _new_from_str($_[0], $DNS::LDNS::DEFAULT_TTL, 
-	    $DNS::LDNS::DEFAULT_ORIGIN, $status);
+	$rr = _new_from_str($_[0], 0, 
+	    undef, undef,
+	    $status);
    }
    else {
 	my %args = @_;

 	if ($args{str}) {
 	    $rr = _new_from_str($args{str}, 
-				$args{default_ttl} || $DNS::LDNS::DEFAULT_TTL, 
-				$args{origin} || $DNS::LDNS::DEFAULT_ORIGIN, 
-				$status);
+		$args{default_ttl} || 0,
+		$args{origin},
+		$args{prev} ? ${$args{prev}} : undef,
+		$status);
 	}
 	elsif ($args{filename} or $args{file}) {
 	    my $line_nr = 0;
@ -43,10 +44,13 @@ sub new {
 		$file = \*FILE;
 	    }

+	    my $ttl = 0;
 	    $rr = _new_from_file($file, 
-				 $args{default_ttl} || $DNS::LDNS::DEFAULT_TTL, 
-				 $args{origin} || $DNS::LDNS::DEFAULT_ORIGIN, 
-				 $status, $line_nr);
+		 $args{default_ttl} ? ${$args{default_ttl}} : $ttl,
+		 $args{origin} ? ${$args{origin}} : undef,
+		 $args{prev} ? ${$args{prev}} : undef,
+		 $status,
+		 $line_nr);
 	    if ($args{filename}) {
 		close $file;
 	    }
@ -56,11 +60,11 @@ sub new {
 	elsif ($args{type}) {
 	    $rr = _new_from_type($args{type});
 	    if ($args{owner}) {
-		$rr->set_owner(new DNS::LDNS::RData(
-		    &LDNS_RDF_TYPE_DNAME, $args{owner}));
+		$rr->set_owner(ref $args{owner} ? $args{owner} : 
+		    new DNS::LDNS::RData(&LDNS_RDF_TYPE_DNAME, $args{owner}));
 	    }
-	    $rr->set_ttl($args{ttl} || $DNS::LDNS::DEFAULT_TTL);
-	    $rr->set_class($args{class} || $DNS::LDNS::DEFAULT_CLASS);
+	    $rr->set_ttl($args{ttl}) if ($args{ttl});
+	    $rr->set_class($args{class}) if ($args{class});

 	    if ($args{rdata}) {
 		if (!$rr->set_rdata(@{$args{rdata}})) {
@ -369,21 +373,26 @@ DNS::LDNS::RR - Resource record
  my rr = new DNS::LDNS::RR('mylabel 3600 IN A 168.10.10.10')
  my rr = new DNS::LDNS::RR(
    str => 'mylabel 3600 IN A 168.10.10.10',
-    default_ttl => 3600, # optional,
-    origin => new DNS::LDNS::RData(LDNS_RDF_TYPE_NAME, 'myzone.'), " # optional
+    default_ttl => 3600,     # optional
+    origin => $origin_rdata, # optional
+    prev => \$prev_rdata,    # optional
  )
  my rr = new DNS::LDNS::RR(
    filename => '/path/to/rr',
-    origin => ...)
+    default_ttl => \$ttl,     # optional
+    origin => \$origin_rdata, # optional
+    prev => \$prev_rdata)     # optional
  my rr = new DNS::LDNS::RR(
    file => \*FILE,
-    origin => ...)
+    default_ttl => \$ttl,     # optional
+    origin => \$origin_rdata, # optional
+    prev => \$prev_rdata)     # optional
  my rr = new DNS::LDNS::RR(
    type => LDNS_RR_TYPE_A,
    rdata => [new DNS::LDNS::RData(...), new DNS::LDNS::RData(...), ...],
    class => LDNS_RR_CLASS_IN, # optional
    ttl => 3600, # optional
-    owner => new DNS::LDNS::RData(LDNS_RDF_TYPE_NAME, 'mylabel'), # optional)
+    owner => new DNS::LDNS::RData(LDNS_RDF_TYPE_DNAME, 'mylabel'), # optional)
  my rr = new DNS::LDNS::RR

  rr2 = rr->clone
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/RRList.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/RRList.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS;

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub new {
    my ($class, %args) = @_;
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/Resolver.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/Resolver.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS ':all';

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub new {
    my ($class, %args) = @_;
--- a/contrib/DNS-LDNS/lib/DNS/LDNS/Zone.pm
+++ b/contrib/DNS-LDNS/lib/DNS/LDNS/Zone.pm
@ -6,7 +6,7 @@ use warnings;

 use DNS::LDNS ':all';

-our $VERSION = '0.06';
+our $VERSION = '0.52';

 sub new {
    my ($class, %args) = @_;
@ -25,12 +25,15 @@ sub new {

 	$file = \*FILE;
    }
+    elsif ($args{file}) {
+	$file = $args{file};
+    }

    if ($file) {
 	$zone = _new_from_file($file, 
-			       $args{origin} || $DNS::LDNS::DEFAULT_ORIGIN, 
-			       $args{default_ttl} || $DNS::LDNS::DEFAULT_TTL, 
-			       $args{class} || $DNS::LDNS::DEFAULT_CLASS, 
+			       $args{origin},
+			       $args{default_ttl} || 0,
+			       $args{class} || 0,
 			       $status, $line_nr);
    }
    else {
--- a/contrib/DNS-LDNS/t/dnssec_datachain.t
+++ b/contrib/DNS-LDNS/t/dnssec_datachain.t
@ -18,39 +18,43 @@ my $p = $r->query(
    new DNS::LDNS::RData(LDNS_RDF_TYPE_DNAME, 'iis.se.'),
    LDNS_RR_TYPE_SOA, LDNS_RR_CLASS_IN, LDNS_RD);

-isa_ok($p, 'DNS::LDNS::Packet');
+SKIP: {
+    skip "Resolver is not dnssec able. Skip this test.", 9 unless ($p->ad);

-my $rrset = $p->rr_list_by_type(LDNS_RR_TYPE_SOA, LDNS_SECTION_ANSWER);
+    isa_ok($p, 'DNS::LDNS::Packet');

-ok($rrset->rr_count > 0, 'Got an answer with some content');
+    my $rrset = $p->rr_list_by_type(LDNS_RR_TYPE_SOA, LDNS_SECTION_ANSWER);

-my $chain = $r->build_data_chain(LDNS_RD, $rrset, $p, undef);
+    ok($rrset->rr_count > 0, 'Got an answer with some content');

-isa_ok($chain, 'DNS::LDNS::DNSSecDataChain');
+    my $chain = $r->build_data_chain(LDNS_RD, $rrset, $p, undef);

-isa_ok($chain->parent, 'DNS::LDNS::DNSSecDataChain');
+    isa_ok($chain, 'DNS::LDNS::DNSSecDataChain');

-dies_ok { 
-    my $new_rr = new DNS::LDNS::RR(str => 'test.test. 1234 IN A 10.0.0.1');
-    my $t = $chain->derive_trust_tree($new_rr); 
-} 'Making a trust tree with foreign rr fails.';
+    isa_ok($chain->parent, 'DNS::LDNS::DNSSecDataChain');

-my $rr = $chain->rrset->rr(0);
+    dies_ok { 
+        my $new_rr = new DNS::LDNS::RR(str => 'test.test. 1234 IN A 10.0.0.1');
+        my $t = $chain->derive_trust_tree($new_rr); 
+    } 'Making a trust tree with foreign rr fails.';

-my $tree = $chain->derive_trust_tree($rr);
+    my $rr = $chain->rrset->rr(0);

-isa_ok($tree, 'DNS::LDNS::DNSSecTrustTree');
+    my $tree = $chain->derive_trust_tree($rr);

-# Get root keys.
-my $root_keys_pk = $r->query(
-    new DNS::LDNS::RData(LDNS_RDF_TYPE_DNAME, '.'),
-    LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, LDNS_RD);
-my $root_keys = $root_keys_pk->rr_list_by_type(
-    LDNS_RR_TYPE_DNSKEY, LDNS_SECTION_ANSWER);
+    isa_ok($tree, 'DNS::LDNS::DNSSecTrustTree');

-is($tree->contains_keys($root_keys), LDNS_STATUS_OK, 
-   'Root key found in trust chain');
+    # Get root keys.
+    my $root_keys_pk = $r->query(
+        new DNS::LDNS::RData(LDNS_RDF_TYPE_DNAME, '.'),
+        LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, LDNS_RD);
+    my $root_keys = $root_keys_pk->rr_list_by_type(
+        LDNS_RR_TYPE_DNSKEY, LDNS_SECTION_ANSWER);

-ok($tree->depth > 1, 'The trust tree is more than one node.');
+    is($tree->contains_keys($root_keys), LDNS_STATUS_OK, 
+        'Root key found in trust chain');

-isa_ok($tree->parent(0), 'DNS::LDNS::DNSSecTrustTree');
+    ok($tree->depth > 1, 'The trust tree is more than one node.');
+
+    isa_ok($tree->parent(0), 'DNS::LDNS::DNSSecTrustTree');
+}
--- a/contrib/DNS-LDNS/t/rr.t
+++ b/contrib/DNS-LDNS/t/rr.t
@ -1,4 +1,6 @@
-use Test::More tests => 14;
+use Test::More tests => 19;
+
+use FindBin qw/$Bin/;

 use DNS::LDNS ':all';

@ -22,6 +24,7 @@ $rr1 = new DNS::LDNS::RR(
 	new DNS::LDNS::RData(LDNS_RDF_TYPE_PERIOD, '87654')
    ],
 );
+
 isa_ok($rr1, 'DNS::LDNS::RR', 'Create SOA rr with rdata');

 like($rr1->to_string, qr/^myzone\.org\.\s+1234\s+CH\s+SOA\s+hostmaster\.myzone\.org\.\s+master\.myzone\.org\.\s+2012113030\s+12345\s+1827\s+2345678\s+87654$/,
@ -45,3 +48,27 @@ my $rr3 = new DNS::LDNS::RR(str => 'ozone.org. 1234 IN SOA hostmaster.ozone.org.
 ok($rr3->compare_dname($rr1) > 0, 'Compare dname, greater than');
 ok($rr1->compare_dname($rr3) < 0, 'Compare dname, less than');
 is($rr1->compare_dname($rr2), 0, 'Compare dname, equal');
+
+# Read records from a zonefile
+my $origin = new DNS::LDNS::RData(LDNS_RDF_TYPE_DNAME, '.');
+my $prev = $origin->clone;
+my $ttl = 0;
+my $count = 0;
+open(ZONE, "$Bin/testdata/myzone.org");
+my $rr4 = new DNS::LDNS::RR(file => \*ZONE, default_ttl => \$ttl,
+    origin => \$origin, prev => \$prev);
+is($DNS::LDNS::last_status, LDNS_STATUS_SYNTAX_TTL, "Read ttl statement.");
+is($ttl, 4500, "TTL is 4500");
+
+$rr4 = new DNS::LDNS::RR(file => \*ZONE, default_ttl => \$ttl,
+    origin => \$origin, prev => \$prev);
+is($DNS::LDNS::last_status, LDNS_STATUS_SYNTAX_ORIGIN, "Read origin statement.");
+is($origin->to_string, "myzone.org.", "Origin is myzone.org.");
+
+while (!eof(\*ZONE)) {
+    $rr4 = new DNS::LDNS::RR(file => \*ZONE, default_ttl => \$ttl,
+        origin => \$origin, prev => \$prev);
+    last unless ($rr4);
+    $count++;
+}
+is($count, 6);
--- a/contrib/DNS-LDNS/typemap
+++ b/contrib/DNS-LDNS/typemap
@ -46,7 +46,7 @@ LDNS_GENERIC_STRUCT_OPT
                $var = INT2PTR($type, tmp);
                }
        else
-                croak(\"$var is not of type ${(my $ntt=$ntype)=~s/__/::/g;\$ntt}\")
+                croak(\"$var is not of type ${(my $ntt=$ntype)=~s/__/::/g;$ntt=~s/::Opt$//;\$ntt}\")

 INPUT
 LDNS_GENERIC_STRUCT
@ -61,6 +61,10 @@ OUTPUT
 LDNS_GENERIC_STRUCT
 	sv_setref_pv($arg, \"${(my $ntt=$ntype)=~s/__/::/g;\$ntt}\", (void*)$var);

+OUTPUT
+LDNS_GENERIC_STRUCT_OPT
+	sv_setref_pv($arg, \"${(my $ntt=$ntype)=~s/__/::/g;$ntt=~s/::Opt$//;\$ntt}\", (void*)$var);
+
 OUTPUT
 Mortal_PV
        sv_setsv($arg, sv_2mortal(newSVpv($var, 0)));
--- a/contrib/ldnsx/ldnsx.py
+++ b/contrib/ldnsx/ldnsx.py
@ -855,6 +855,8 @@ def flags(self):
 	"APL"  : ldns.LDNS_RR_TYPE_APL,
 	"ATMA" : ldns.LDNS_RR_TYPE_ATMA,
 	"AXFR" : ldns.LDNS_RR_TYPE_AXFR,
+	"CDNSKEY" : ldns.LDNS_RR_TYPE_CDNSKEY,
+	"CDS" : ldns.LDNS_RR_TYPE_CDS,
 	"CERT" : ldns.LDNS_RR_TYPE_CERT,
 	"CNAME": ldns.LDNS_RR_TYPE_CNAME,
 	"COUNT": ldns.LDNS_RR_TYPE_COUNT,
@ -895,6 +897,7 @@ def flags(self):
 	"NSEC3PARAMS" : ldns.LDNS_RR_TYPE_NSEC3PARAMS,
 	"NULL" : ldns.LDNS_RR_TYPE_NULL,
 	"NXT"  : ldns.LDNS_RR_TYPE_NXT,
+	"OPENPGPKEY" : ldns.LDNS_RR_TYPE_OPENPGPKEY,
 	"OPT"  : ldns.LDNS_RR_TYPE_OPT,
 	"PTR"  : ldns.LDNS_RR_TYPE_PTR,
 	"PX"   : ldns.LDNS_RR_TYPE_PX,
@ -906,6 +909,7 @@ def flags(self):
 	"SOA"  : ldns.LDNS_RR_TYPE_SOA,
 	"SRV"  : ldns.LDNS_RR_TYPE_SRV,
 	"SSHFP": ldns.LDNS_RR_TYPE_SSHFP,
+	"TLSA" : ldns.LDNS_RR_TYPE_TLSA,
 	"TSIG" : ldns.LDNS_RR_TYPE_TSIG,
 	"TXT"  : ldns.LDNS_RR_TYPE_TXT,
 	"UID"  : ldns.LDNS_RR_TYPE_UID,
--- a/contrib/python/Makefile
+++ b/contrib/python/Makefile
@ -34,7 +34,7 @@
 help:
 	@echo "Please use \`make <target>' where <target> is one of"
 	@echo "  testenv   to make test environment and run bash "
-	@echo "            usefull in case you don't want to install ldns but want to test examples"
+	@echo "            useful in case you don't want to install ldns but want to test examples"
 	@echo "  doc       to make documentation"
 	@echo "  clean     clean all"

--- a/contrib/python/ldns.i
+++ b/contrib/python/ldns.i
@ -126,6 +126,9 @@ uint32_t ldns_read_timeval_usec(struct timeval* t) {
 %immutable ldns_struct_rr_descriptor::_name;
 %immutable ldns_error_str;
 %immutable ldns_signing_algorithms;
+%immutable ldns_tsig_credentials_struct::algorithm;
+%immutable ldns_tsig_credentials_struct::keyname;
+%immutable ldns_tsig_credentials_struct::keydata;

 //*_new_frm_fp_l
 %apply int *OUTPUT { (int *line_nr) };
@ -139,6 +142,8 @@ uint32_t ldns_read_timeval_usec(struct timeval* t) {
 %include "ldns_resolver.i"
 %include "ldns_rr.i"

+%include <ldns/rr.h>
+
 %inline %{
 int Python_str_Check(PyObject *o) {
 #if PY_VERSION_HEX>=0x03000000
@ -168,7 +173,6 @@ int Python_str_Check(PyObject *o) {
  %include <ldns/packet.h>
  %include <ldns/rdata.h>
  %include <ldns/resolver.h>
-  %include <ldns/rr.h>
 %include <ldns/str2host.h>
 %include <ldns/tsig.h>
  %include <ldns/update.h>
--- a/contrib/python/ldns_key.i
+++ b/contrib/python/ldns_key.i
@ -116,7 +116,7 @@ This class can contains all types of keys that are used in DNSSEC. Mostly used t
            #retvals: ldns_rr *

        def print_to_file(self, file):
-            """print a private key to the file ouput
+            """print a private key to the file output
               
               :param file: output file pointer
            """
--- a/contrib/python/ldns_rdf.i
+++ b/contrib/python/ldns_rdf.i
@ -221,6 +221,11 @@
                        case LDNS_RDF_TYPE_EUI64:      return "EUI64";
                        case LDNS_RDF_TYPE_TAG:        return "TAG";
                        case LDNS_RDF_TYPE_LONG_STR:   return "LONG_STR";
+                        case LDNS_RDF_TYPE_CERTIFICATE_USAGE:
+                            return "CERTIFICATE_USAGE";
+                        case LDNS_RDF_TYPE_SELECTOR:   return "SELECTOR";
+                        case LDNS_RDF_TYPE_MATCHING_TYPE:
+                            return "MATCHING_TYPE";
 			}
 		}
 		return 0;
--- a/contrib/python/ldns_resolver.i
+++ b/contrib/python/ldns_resolver.i
@ -113,9 +113,9 @@
 %rename(__ldns_resolver_tsig_algorithm) ldns_resolver_tsig_algorithm;
 %inline
 %{
-  char * _ldns_resolver_tsig_algorithm(const ldns_resolver *res)
+  const char * _ldns_resolver_tsig_algorithm(const ldns_resolver *res)
  {
-    char *str;
+    const char *str;
    str = ldns_resolver_tsig_algorithm(res);
    if (str != NULL) {
      str = strdup(str);
@ -128,9 +128,9 @@
 %rename(__ldns_resolver_tsig_keydata) ldns_resolver_tsig_keydata;
 %inline
 %{
-  char * _ldns_resolver_tsig_keydata(const ldns_resolver *res)
+  const char * _ldns_resolver_tsig_keydata(const ldns_resolver *res)
  {
-    char *str;
+    const char *str;
    str = ldns_resolver_tsig_keydata(res);
    if (str != NULL) {
      str = strdup(str);
@ -143,9 +143,9 @@
 %rename(__ldns_resolver_tsig_keyname) ldns_resolver_tsig_keyname;
 %inline
 %{
-  char * _ldns_resolver_tsig_keyname(const ldns_resolver *res)
+  const char * _ldns_resolver_tsig_keyname(const ldns_resolver *res)
  {
-    char *str;
+    const char *str;
    str = ldns_resolver_tsig_keyname(res);
    if (str != NULL) {
      str = strdup(str);
--- a/dane.c
+++ b/dane.c
@ -327,8 +327,8 @@ ldns_dane_pkix_get_last_self_signed(X509** out_cert,

 	}
 	(void) X509_verify_cert(vrfy_ctx);
-	if (vrfy_ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
-	    vrfy_ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
+	if (X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+	    X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){

 		*out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx);
 		s = LDNS_STATUS_OK;
@ -356,7 +356,7 @@ ldns_dane_select_certificate(X509** selected_cert,
 	assert(selected_cert != NULL);
 	assert(cert != NULL);

-	/* With PKIX validation explicitely turned off (pkix_validation_store
+	/* With PKIX validation explicitly turned off (pkix_validation_store
 	 *  == NULL), treat the "CA constraint" and "Service certificate
 	 * constraint" the same as "Trust anchor assertion" and "Domain issued
 	 * certificate" respectively.
@ -504,6 +504,7 @@ ldns_dane_create_tlsa_rr(ldns_rr** tlsa,
 }


+#ifdef USE_DANE_VERIFY
 /* Return tlsas that actually are TLSA resource records with known values
 * for the Certificate usage, Selector and Matching type rdata fields.
 */
@ -535,6 +536,7 @@ ldns_dane_filter_unusable_records(const ldns_rr_list* tlsas)
 }


+#if !defined(USE_DANE_TA_USAGE)
 /* Return whether cert/selector/matching_type matches data.
 */
 static ldns_status
@ -591,34 +593,108 @@ ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
 	}
 	return s;
 }
+#endif /* !defined(USE_DANE_TA_USAGE) */
+#endif /* USE_DANE_VERIFY */

-
+#ifdef USE_DANE_VERIFY
 ldns_status
 ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
 		X509* cert, STACK_OF(X509)* extra_certs,
 		X509_STORE* pkix_validation_store)
 {
-	ldns_status s;
-
+#if defined(USE_DANE_TA_USAGE)
+	SSL_CTX *ssl_ctx = NULL;
+	SSL *ssl = NULL;
+	X509_STORE_CTX *store_ctx = NULL;
+#else
 	STACK_OF(X509)* pkix_validation_chain = NULL;
+#endif
+	ldns_status s = LDNS_STATUS_OK;

-	ldns_tlsa_certificate_usage cert_usage;
+	ldns_tlsa_certificate_usage usage;
 	ldns_tlsa_selector          selector;
-	ldns_tlsa_matching_type     matching_type;
+	ldns_tlsa_matching_type     mtype;
 	ldns_rdf*                   data;

-	if (! tlsa_rr) {
-		/* No TLSA, so regular PKIX validation
+	if (! tlsa_rr || ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA ||
+			ldns_rr_rd_count(tlsa_rr) != 4 ||
+			ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) > 3 ||
+			ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)) > 1 ||
+			ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)) > 2 ) {
+		/* No (usable) TLSA, so regular PKIX validation
 		 */
 		return ldns_dane_pkix_validate(cert, extra_certs,
 				pkix_validation_store);
 	}
-	cert_usage    = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0));
-	selector      = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1));
-	matching_type = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2));
-	data          =                      ldns_rr_rdf(tlsa_rr, 3) ;
+	usage    = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0));
+	selector = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1));
+	mtype    = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2));
+	data     =                      ldns_rr_rdf(tlsa_rr, 3) ;

-	switch (cert_usage) {
+#if defined(USE_DANE_TA_USAGE)
+	/* Rely on OpenSSL dane functions.
+	 *
+	 * OpenSSL does not provide offline dane verification.  The dane unit
+	 * tests within openssl use the undocumented SSL_get0_dane() and 
+	 * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and
+	 * SSL_CTX to a X509_STORE_CTX that can be used to do offline
+	 * verification.  We use these undocumented means with the ldns
+	 * dane function prototypes which did only offline dane verification.
+	 */
+	if (!(ssl_ctx = SSL_CTX_new(TLS_client_method())))
+		s = LDNS_STATUS_MEM_ERR;
+
+	else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
+		s = LDNS_STATUS_SSL_ERR;
+
+	else if (SSL_CTX_dane_set_flags(
+				ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
+			!(ssl = SSL_new(ssl_ctx)))
+		s = LDNS_STATUS_MEM_ERR;
+
+	else if (SSL_set_connect_state(ssl),
+			(SSL_dane_enable(ssl, NULL) <= 0))
+		s = LDNS_STATUS_SSL_ERR;
+
+	else if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
+				ldns_rdf_data(data), ldns_rdf_size(data)) <= 0)
+		s = LDNS_STATUS_SSL_ERR;
+
+	else if (!(store_ctx =  X509_STORE_CTX_new()))
+		s = LDNS_STATUS_MEM_ERR;
+
+	else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
+		s = LDNS_STATUS_SSL_ERR;
+
+	else {
+		int ret;
+
+		X509_STORE_CTX_set_default(store_ctx,
+				SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
+		X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
+				SSL_get0_param(ssl));
+		X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
+		if (SSL_get_verify_callback(ssl))
+			X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
+
+		ret = X509_verify_cert(store_ctx);
+		if (!ret) {
+			if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
+				s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
+			else
+				s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
+		}
+		X509_STORE_CTX_cleanup(store_ctx);
+	}
+	if (store_ctx)
+		X509_STORE_CTX_free(store_ctx);
+	if (ssl)
+		SSL_free(ssl);
+	if (ssl_ctx)
+		SSL_CTX_free(ssl_ctx);
+	return s;
+#else
+	switch (usage) {
 	case LDNS_TLSA_USAGE_CA_CONSTRAINT:
 		s = ldns_dane_pkix_validate_and_get_chain(
 				&pkix_validation_chain, 
@ -638,7 +714,7 @@ ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
 			 */
 			s = ldns_dane_match_any_cert_with_data(
 					pkix_validation_chain,
-					selector, matching_type, data, true);
+					selector, mtype, data, true);

 			if (s == LDNS_STATUS_OK) {
 				/* A TLSA record did match a cert from the
@ -653,15 +729,16 @@ ldns_dane_verify_rr(const ldns_rr* tlsa_rr,

 			s = ldns_dane_match_any_cert_with_data(
 					pkix_validation_chain,
-					selector, matching_type, data, true);
+					selector, mtype, data, true);
 		}
 		sk_X509_pop_free(pkix_validation_chain, X509_free);
 		return s;
 		break;

 	case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
+
 		s = ldns_dane_match_cert_with_data(cert,
-				selector, matching_type, data);
+				selector, mtype, data);

 		if (s == LDNS_STATUS_OK) {
 			return ldns_dane_pkix_validate(cert, extra_certs,
@ -671,78 +748,194 @@ ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
 		break;

 	case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
+#if 0
 		s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
 				cert, extra_certs);

 		if (s == LDNS_STATUS_OK) {
 			s = ldns_dane_match_any_cert_with_data(
 					pkix_validation_chain,
-					selector, matching_type, data, false);
+					selector, mtype, data, false);

 		} else if (! pkix_validation_chain) {
 			return s;
 		}
 		sk_X509_pop_free(pkix_validation_chain, X509_free);
 		return s;
+#else
+		return LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA;
+#endif
 		break;

 	case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
 		return ldns_dane_match_cert_with_data(cert,
-				selector, matching_type, data);
+				selector, mtype, data);
 		break;

 	default:
 		break;
 	}
+#endif
 	return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
 }


 ldns_status
-ldns_dane_verify(ldns_rr_list* tlsas,
+ldns_dane_verify(const ldns_rr_list* tlsas,
 		X509* cert, STACK_OF(X509)* extra_certs,
 		X509_STORE* pkix_validation_store)
 {
+#if defined(USE_DANE_TA_USAGE)
+	SSL_CTX *ssl_ctx = NULL;
+	ldns_rdf *basename_rdf = NULL;
+	char *basename = NULL;
+	SSL *ssl = NULL;
+	X509_STORE_CTX *store_ctx = NULL;
+#else
+	ldns_status ps;
+#endif
 	size_t i;
 	ldns_rr* tlsa_rr;
-	ldns_status s = LDNS_STATUS_OK, ps;
+	ldns_rr_list *usable_tlsas;
+	ldns_status s = LDNS_STATUS_OK;

 	assert(cert != NULL);

-	if (tlsas && ldns_rr_list_rr_count(tlsas) > 0) {
-		tlsas = ldns_dane_filter_unusable_records(tlsas);
-		if (! tlsas) {
-			return LDNS_STATUS_MEM_ERR;
-		}
-	}
-	if (! tlsas || ldns_rr_list_rr_count(tlsas) == 0) {
+	if (! tlsas || ldns_rr_list_rr_count(tlsas) == 0)
 		/* No TLSA's, so regular PKIX validation
 		 */
 		return ldns_dane_pkix_validate(cert, extra_certs,
 				pkix_validation_store);
-	} else {
-		for (i = 0; i < ldns_rr_list_rr_count(tlsas); i++) {
-			tlsa_rr = ldns_rr_list_rr(tlsas, i);
-			ps = s;
-			s = ldns_dane_verify_rr(tlsa_rr, cert, extra_certs,
-					pkix_validation_store);

-			if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH &&
-			    s != LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE) {
+/* To enable name checks (which we don't) */
+#if defined(USE_DANE_TA_USAGE) && 0
+	else if (!(basename_rdf = ldns_dname_clone_from(
+					ldns_rr_list_owner(tlsas), 2)))
+		/* Could nog get DANE base name */
+		s = LDNS_STATUS_ERR;

-				/* which would be LDNS_STATUS_OK (match)
-				 * or some fatal error preventing use from
-				 * trying the next TLSA record.
-				 */
-				break;
-			}
-			s = (s > ps ? s : ps); /* prefer PKIX_DID_NOT_VALIDATE
-						* over   TLSA_DID_NOT_MATCH
-						*/
-		}
-		ldns_rr_list_free(tlsas);
+	else if (!(basename = ldns_rdf2str(basename_rdf)))
+		s = LDNS_STATUS_MEM_ERR;
+
+	else if (strlen(basename) && (basename[strlen(basename)-1]  = 0))
+		s = LDNS_STATUS_ERR; /* Intended to be unreachable */
+#endif
+
+	else if (!(usable_tlsas = ldns_dane_filter_unusable_records(tlsas)))
+		return LDNS_STATUS_MEM_ERR;
+
+	else if (ldns_rr_list_rr_count(usable_tlsas) == 0) {
+		/* No TLSA's, so regular PKIX validation
+		 */
+		ldns_rr_list_free(usable_tlsas);
+		return ldns_dane_pkix_validate(cert, extra_certs,
+				pkix_validation_store);
 	}
+#if defined(USE_DANE_TA_USAGE)
+	/* Rely on OpenSSL dane functions.
+	 *
+	 * OpenSSL does not provide offline dane verification.  The dane unit
+	 * tests within openssl use the undocumented SSL_get0_dane() and 
+	 * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and
+	 * SSL_CTX to a X509_STORE_CTX that can be used to do offline
+	 * verification.  We use these undocumented means with the ldns
+	 * dane function prototypes which did only offline dane verification.
+	 */
+	if (!(ssl_ctx = SSL_CTX_new(TLS_client_method())))
+		s = LDNS_STATUS_MEM_ERR;
+
+	else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
+		s = LDNS_STATUS_SSL_ERR;
+
+	else if (SSL_CTX_dane_set_flags(
+				ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
+			!(ssl = SSL_new(ssl_ctx)))
+		s = LDNS_STATUS_MEM_ERR;
+
+	else if (SSL_set_connect_state(ssl),
+			(SSL_dane_enable(ssl, basename) <= 0))
+		s = LDNS_STATUS_SSL_ERR;
+
+	else for (i = 0; i < ldns_rr_list_rr_count(usable_tlsas); i++) {
+		ldns_tlsa_certificate_usage usage;
+		ldns_tlsa_selector          selector;
+		ldns_tlsa_matching_type     mtype;
+		ldns_rdf*                   data;
+
+		tlsa_rr = ldns_rr_list_rr(usable_tlsas, i);
+		usage   = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,0));
+		selector= ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,1));
+		mtype   = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,2));
+		data    =                      ldns_rr_rdf(tlsa_rr,3) ;
+
+		if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
+					ldns_rdf_data(data),
+					ldns_rdf_size(data)) <= 0) {
+			s = LDNS_STATUS_SSL_ERR;
+			break;
+		}
+	}
+	if (!s && !(store_ctx =  X509_STORE_CTX_new()))
+		s = LDNS_STATUS_MEM_ERR;
+
+	else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
+		s = LDNS_STATUS_SSL_ERR;
+
+	else {
+		int ret;
+
+		X509_STORE_CTX_set_default(store_ctx,
+				SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
+		X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
+				SSL_get0_param(ssl));
+		X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
+		if (SSL_get_verify_callback(ssl))
+			X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
+
+		ret = X509_verify_cert(store_ctx);
+		if (!ret) {
+			if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
+				s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
+			else
+				s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
+		}
+		X509_STORE_CTX_cleanup(store_ctx);
+	}
+	if (store_ctx)
+		X509_STORE_CTX_free(store_ctx);
+	if (ssl)
+		SSL_free(ssl);
+	if (ssl_ctx)
+		SSL_CTX_free(ssl_ctx);
+	if (basename)
+		free(basename);
+	ldns_rdf_deep_free(basename_rdf);
+#else
+	for (i = 0; i < ldns_rr_list_rr_count(usable_tlsas); i++) {
+		tlsa_rr = ldns_rr_list_rr(usable_tlsas, i);
+		ps = s;
+		s = ldns_dane_verify_rr(tlsa_rr, cert, extra_certs,
+				pkix_validation_store);
+
+		if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH &&
+		    s != LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE &&
+		    s != LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA) {
+
+			/* which would be LDNS_STATUS_OK (match)
+			 * or some fatal error preventing use from
+			 * trying the next TLSA record.
+			 */
+			break;
+		}
+		s = (s > ps ? s : ps); /* pref NEED_OPENSSL_GE_1_1_FOR_DANE_TA
+		                        * over PKIX_DID_NOT_VALIDATE
+					* over TLSA_DID_NOT_MATCH
+					*/
+	}
+#endif
+	ldns_rr_list_free(usable_tlsas);
 	return s;
 }
+#endif /* USE_DANE_VERIFY */
 #endif /* HAVE_SSL */
 #endif /* USE_DANE */
--- a/dname.c
+++ b/dname.c
@ -87,7 +87,7 @@ ldns_dname_cat_clone(const ldns_rdf *rd1, const ldns_rdf *rd2)
 }

 ldns_status
-ldns_dname_cat(ldns_rdf *rd1, ldns_rdf *rd2)
+ldns_dname_cat(ldns_rdf *rd1, const ldns_rdf *rd2)
 {
 	uint16_t left_size;
 	uint16_t size;
@ -251,6 +251,9 @@ ldns_dname_new(uint16_t s, void *d)
 {
        ldns_rdf *rd;

+        if (!s || !d) {
+                return NULL;
+        }
        rd = LDNS_MALLOC(ldns_rdf);
        if (!rd) {
                return NULL;
@ -527,10 +530,11 @@ ldns_dname_str_absolute(const char *dname_str)
        for(s=dname_str; *s; s++) {
                if(*s == '\\') {
                        if(s[1] && s[2] && s[3] /* check length */
-                                && isdigit(s[1]) && isdigit(s[2]) && 
-                                isdigit(s[3]))
+                                && isdigit((unsigned char)s[1])
+				&& isdigit((unsigned char)s[2])
+				&& isdigit((unsigned char)s[3]))
                                s += 3;
-                        else if(!s[1] || isdigit(s[1])) /* escape of nul,0-9 */
+                        else if(!s[1] || isdigit((unsigned char)s[1])) /* escape of nul,0-9 */
                                return 0; /* parse error */
                        else s++; /* another character escaped */
                }
--- a/dnssec.c
+++ b/dnssec.c
@ -81,7 +81,7 @@ ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig,
 }

 ldns_rdf *
-ldns_nsec_get_bitmap(ldns_rr *nsec) {
+ldns_nsec_get_bitmap(const ldns_rr *nsec) {
 	if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
 		return ldns_rr_rdf(nsec, 1);
 	} else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
@ -94,9 +94,9 @@ ldns_nsec_get_bitmap(ldns_rr *nsec) {
 /*return the owner name of the closest encloser for name from the list of rrs */
 /* this is NOT the hash, but the original name! */
 ldns_rdf *
-ldns_dnssec_nsec3_closest_encloser(ldns_rdf *qname,
+ldns_dnssec_nsec3_closest_encloser(const ldns_rdf *qname,
                                   ATTR_UNUSED(ldns_rr_type qtype),
-                                   ldns_rr_list *nsec3s)
+                                   const ldns_rr_list *nsec3s)
 {
 	/* remember parameters, they must match */
 	uint8_t algorithm;
@ -215,7 +215,7 @@ ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)

 ldns_rr_list *
 ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt,
-									ldns_rdf *name,
+									const ldns_rdf *name,
 									ldns_rr_type type)
 {
 	uint16_t t_netorder;
@ -298,7 +298,7 @@ ldns_calc_keytag(const ldns_rr *key)
 	return ac16;
 }

-uint16_t ldns_calc_keytag_raw(uint8_t* key, size_t keysize)
+uint16_t ldns_calc_keytag_raw(const uint8_t* key, size_t keysize)
 {
 	unsigned int i;
 	uint32_t ac32;
@ -327,14 +327,14 @@ uint16_t ldns_calc_keytag_raw(uint8_t* key, size_t keysize)

 #ifdef HAVE_SSL
 DSA *
-ldns_key_buf2dsa(ldns_buffer *key)
+ldns_key_buf2dsa(const ldns_buffer *key)
 {
-	return ldns_key_buf2dsa_raw((unsigned char*)ldns_buffer_begin(key),
+	return ldns_key_buf2dsa_raw((const unsigned char*)ldns_buffer_begin(key),
 						   ldns_buffer_position(key));
 }

 DSA *
-ldns_key_buf2dsa_raw(unsigned char* key, size_t len)
+ldns_key_buf2dsa_raw(const unsigned char* key, size_t len)
 {
 	uint8_t T;
 	uint16_t length;
@ -375,25 +375,43 @@ ldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 #ifndef S_SPLINT_S
 	dsa->p = P;
 	dsa->q = Q;
 	dsa->g = G;
 	dsa->pub_key = Y;
 #endif /* splint */
+#else /* OPENSSL_VERSION_NUMBER */
+	if (!DSA_set0_pqg(dsa, P, Q, G)) {
+		/* QPG not yet attached, need to free */
+		BN_free(Q);
+		BN_free(P);
+		BN_free(G);

+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+	if (!DSA_set0_key(dsa, Y, NULL)) {
+		/* QPG attached, cleaned up by DSA_fre() */
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+#endif /* OPENSSL_VERSION_NUMBER */
 	return dsa;
 }

 RSA *
-ldns_key_buf2rsa(ldns_buffer *key)
+ldns_key_buf2rsa(const ldns_buffer *key)
 {
-	return ldns_key_buf2rsa_raw((unsigned char*)ldns_buffer_begin(key),
+	return ldns_key_buf2rsa_raw((const unsigned char*)ldns_buffer_begin(key),
 						   ldns_buffer_position(key));
 }

 RSA *
-ldns_key_buf2rsa_raw(unsigned char* key, size_t len)
+ldns_key_buf2rsa_raw(const unsigned char* key, size_t len)
 {
 	uint16_t offset;
 	uint16_t exp;
@ -443,16 +461,25 @@ ldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 		BN_free(modulus);
 		return NULL;
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 #ifndef S_SPLINT_S
 	rsa->n = modulus;
 	rsa->e = exponent;
 #endif /* splint */
+#else /* OPENSSL_VERSION_NUMBER */
+	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
+		BN_free(exponent);
+		BN_free(modulus);
+		RSA_free(rsa);
+		return NULL;
+	}
+#endif /* OPENSSL_VERSION_NUMBER */

 	return rsa;
 }

 int
-ldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
+ldns_digest_evp(const unsigned char* data, unsigned int len, unsigned char* dest,
 	const EVP_MD* md)
 {
 	EVP_MD_CTX* ctx;
@ -688,11 +715,8 @@ ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
 {
 	uint8_t  window;		/*  most significant octet of type */
 	uint8_t  subtype;		/* least significant octet of type */
-	uint16_t windows[256]		/* Max subtype per window */
-#ifndef S_SPLINT_S
-	                      = { 0 }	/* Initialize ALL elements with 0 */
-#endif
-	                             ;
+	int      windows[256];		/* Max subtype per window */
+	uint8_t  windowpresent[256];	/* bool if window appears in bitmap */
 	ldns_rr_type* d;	/* used to traverse rr_type_list*/
 	size_t i;		/* used to traverse windows array */

@ -705,14 +729,17 @@ ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
 	    nsec_type != LDNS_RR_TYPE_NSEC3) {
 		return NULL;
 	}
+	memset(windows, 0, sizeof(int)*256);
+	memset(windowpresent, 0, 256);

 	/* Which other windows need to be in the bitmap rdf?
 	 */
 	for (d = rr_type_list; d < rr_type_list + size; d++) {
 		window  = *d >> 8;
 		subtype = *d & 0xff;
-		if (windows[window] < subtype) {
-			windows[window] = subtype;
+		windowpresent[window] = 1;
+		if (windows[window] < (int)subtype) {
+			windows[window] = (int)subtype;
 		}
 	}

@ -720,7 +747,7 @@ ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
 	 */
 	sz = 0;
 	for (i = 0; i < 256; i++) {
-		if (windows[i]) {
+		if (windowpresent[i]) {
 			sz += windows[i] / 8 + 3;
 		}
 	}
@ -732,14 +759,14 @@ ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
 			return NULL;
 		}
 		for (i = 0; i < 256; i++) {
-			if (windows[i]) {
+			if (windowpresent[i]) {
 				*dptr++ = (uint8_t)i;
 				*dptr++ = (uint8_t)(windows[i] / 8 + 1);

 				/* Now let windows[i] index the bitmap
 				 * within data
 				 */
-				windows[i] = (uint16_t)(dptr - data);
+				windows[i] = (int)(dptr - data);

 				dptr += dptr[-1];
 			}
@ -764,10 +791,10 @@ ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
 }

 int
-ldns_dnssec_rrsets_contains_type(ldns_dnssec_rrsets *rrsets,
+ldns_dnssec_rrsets_contains_type(const ldns_dnssec_rrsets *rrsets,
                                 ldns_rr_type type)
 {
-	ldns_dnssec_rrsets *cur_rrset = rrsets;
+	const ldns_dnssec_rrsets *cur_rrset = rrsets;
 	while (cur_rrset) {
 		if (cur_rrset->type == type) {
 			return 1;
@ -778,8 +805,8 @@ ldns_dnssec_rrsets_contains_type(ldns_dnssec_rrsets *rrsets,
 }

 ldns_rr *
-ldns_dnssec_create_nsec(ldns_dnssec_name *from,
-                        ldns_dnssec_name *to,
+ldns_dnssec_create_nsec(const ldns_dnssec_name *from,
+                        const ldns_dnssec_name *to,
                        ldns_rr_type nsec_type)
 {
 	ldns_rr *nsec_rr;
@ -832,14 +859,14 @@ ldns_dnssec_create_nsec(ldns_dnssec_name *from,
 }

 ldns_rr *
-ldns_dnssec_create_nsec3(ldns_dnssec_name *from,
-					ldns_dnssec_name *to,
-					ldns_rdf *zone_name,
+ldns_dnssec_create_nsec3(const ldns_dnssec_name *from,
+					const ldns_dnssec_name *to,
+					const ldns_rdf *zone_name,
 					uint8_t algorithm,
 					uint8_t flags,
 					uint16_t iterations,
 					uint8_t salt_length,
-					uint8_t *salt)
+					const uint8_t *salt)
 {
 	ldns_rr *nsec_rr;
 	ldns_rr_type types[65536];
@ -971,11 +998,11 @@ ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
 }

 ldns_rdf *
-ldns_nsec3_hash_name(ldns_rdf *name,
+ldns_nsec3_hash_name(const ldns_rdf *name,
 				 uint8_t algorithm,
 				 uint16_t iterations,
 				 uint8_t salt_length,
-				 uint8_t *salt)
+				 const uint8_t *salt)
 {
 	size_t hashed_owner_str_len;
 	ldns_rdf *cann;
@ -1075,7 +1102,7 @@ ldns_nsec3_add_param_rdfs(ldns_rr *rr,
 					 uint8_t flags,
 					 uint16_t iterations,
 					 uint8_t salt_length,
-					 uint8_t *salt)
+					 const uint8_t *salt)
 {
 	ldns_rdf *salt_rdf = NULL;
 	uint8_t *salt_data = NULL;
@ -1121,7 +1148,7 @@ ldns_nsec3_add_param_rdfs(ldns_rr *rr,
 }

 static int
-rr_list_delegation_only(ldns_rdf *origin, ldns_rr_list *rr_list)
+rr_list_delegation_only(const ldns_rdf *origin, const ldns_rr_list *rr_list)
 {
 	size_t i;
 	ldns_rr *cur_rr;
@ -1141,14 +1168,14 @@ rr_list_delegation_only(ldns_rdf *origin, ldns_rr_list *rr_list)
 /* this will NOT return the NSEC3  completed, you will have to run the
   finalize function on the rrlist later! */
 ldns_rr *
-ldns_create_nsec3(ldns_rdf *cur_owner,
-                  ldns_rdf *cur_zone,
-                  ldns_rr_list *rrs,
+ldns_create_nsec3(const ldns_rdf *cur_owner,
+                  const ldns_rdf *cur_zone,
+                  const ldns_rr_list *rrs,
                  uint8_t algorithm,
                  uint8_t flags,
                  uint16_t iterations,
                  uint8_t salt_length,
-                  uint8_t *salt,
+                  const uint8_t *salt,
                  bool emptynonterminal)
 {
 	size_t i;
@ -1329,7 +1356,7 @@ ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
 }

 ldns_rdf *
-ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, ldns_rdf *name)
+ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, const ldns_rdf *name)
 {
 	uint8_t algorithm;
 	uint16_t iterations;
@ -1354,7 +1381,7 @@ ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, ldns_rdf *name)
 }

 bool
-ldns_nsec_bitmap_covers_type(const  ldns_rdf* bitmap, ldns_rr_type type)
+ldns_nsec_bitmap_covers_type(const ldns_rdf* bitmap, ldns_rr_type type)
 {
 	uint8_t* dptr;
 	uint8_t* dend;
@ -1520,8 +1547,8 @@ ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
 /* sig may be null - if so look in the packet */

 ldns_status
-ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, 
-		ldns_rr_list *k, ldns_rr_list *s, 
+ldns_pkt_verify_time(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o, 
+		const ldns_rr_list *k, const ldns_rr_list *s, 
 		time_t check_time, ldns_rr_list *good_keys)
 {
 	ldns_rr_list *rrset;
@ -1542,7 +1569,7 @@ ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o,

 	if (s) {
 		/* if s is not NULL, the sigs are given to use */
-		sigs = s;
+		sigs = (ldns_rr_list *)s;
 	} else {
 		/* otherwise get them from the packet */
 		sigs = ldns_pkt_rr_list_by_name_and_type(p, o,
@ -1584,8 +1611,8 @@ ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o,
 }

 ldns_status
-ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, 
-		ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys)
+ldns_pkt_verify(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o, 
+		const ldns_rr_list *k, const ldns_rr_list *s, ldns_rr_list *good_keys)
 {
 	return ldns_pkt_verify_time(p, t, o, k, s, ldns_time(NULL), good_keys);
 }
@ -1707,8 +1734,10 @@ ldns_rdf *
 ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig,
 						  const long sig_len)
 {
+#ifdef USE_DSA
 	ldns_rdf *sigdata_rdf;
 	DSA_SIG *dsasig;
+	const BIGNUM *R, *S;
 	unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig);
 	size_t byte_offset;

@ -1726,22 +1755,28 @@ ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig,
                return NULL;
        }
 	dsasig_data[0] = 0;
-	byte_offset = (size_t) (20 - BN_num_bytes(dsasig->r));
+# ifdef HAVE_DSA_SIG_GET0
+	DSA_SIG_get0(dsasig, &R, &S);
+# else
+	R = dsasig->r;
+	S = dsasig->s;
+# endif
+	byte_offset = (size_t) (20 - BN_num_bytes(R));
 	if (byte_offset > 20) {
                DSA_SIG_free(dsasig);
                LDNS_FREE(dsasig_data);
 		return NULL;
 	}
 	memset(&dsasig_data[1], 0, byte_offset);
-	BN_bn2bin(dsasig->r, &dsasig_data[1 + byte_offset]);
-	byte_offset = (size_t) (20 - BN_num_bytes(dsasig->s));
+	BN_bn2bin(R, &dsasig_data[1 + byte_offset]);
+	byte_offset = (size_t) (20 - BN_num_bytes(S));
 	if (byte_offset > 20) {
                DSA_SIG_free(dsasig);
                LDNS_FREE(dsasig_data);
 		return NULL;
 	}
 	memset(&dsasig_data[21], 0, byte_offset);
-	BN_bn2bin(dsasig->s, &dsasig_data[21 + byte_offset]);
+	BN_bn2bin(S, &dsasig_data[21 + byte_offset]);

 	sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data);
        if(!sigdata_rdf) {
@ -1750,12 +1785,17 @@ ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig,
 	DSA_SIG_free(dsasig);

 	return sigdata_rdf;
+#else
+	(void)sig; (void)sig_len;
+	return NULL;
+#endif
 }

 ldns_status
 ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
 						  const ldns_rdf *sig_rdf)
 {
+#ifdef USE_DSA
 	/* the EVP api wants the DER encoding of the signature... */
 	BIGNUM *R, *S;
 	DSA_SIG *dsasig;
@ -1783,9 +1823,13 @@ ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
 		BN_free(S);
 		return LDNS_STATUS_MEM_ERR;
 	}
-
+# ifdef HAVE_DSA_SIG_SET0
+       if (! DSA_SIG_set0(dsasig, R, S))
+	       return LDNS_STATUS_SSL_ERR;
+# else
 	dsasig->r = R;
 	dsasig->s = S;
+# endif

 	raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig);
 	if (raw_sig_len < 0) {
@ -1801,30 +1845,48 @@ ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
 	free(raw_sig);

 	return ldns_buffer_status(target_buffer);
+#else
+	(void)target_buffer; (void)sig_rdf;
+	return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL;
+#endif
 }

 #ifdef USE_ECDSA
 #ifndef S_SPLINT_S
 ldns_rdf *
-ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
+ldns_convert_ecdsa_rrsig_asn1len2rdf(const ldns_buffer *sig,
+	const long sig_len, int num_bytes)
 {
        ECDSA_SIG* ecdsa_sig;
+	const BIGNUM *r, *s;
 	unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
        ldns_rdf* rdf;
 	ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len);
        if(!ecdsa_sig) return NULL;

+#ifdef HAVE_ECDSA_SIG_GET0
+	ECDSA_SIG_get0(ecdsa_sig, &r, &s);
+#else
+	r = ecdsa_sig->r;
+	s = ecdsa_sig->s;
+#endif
        /* "r | s". */
-        data = LDNS_XMALLOC(unsigned char,
-                BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s));
+        if(BN_num_bytes(r) > num_bytes ||
+		BN_num_bytes(s) > num_bytes) {
+                ECDSA_SIG_free(ecdsa_sig);
+		return NULL; /* numbers too big for passed curve size */
+	}
+        data = LDNS_XMALLOC(unsigned char, num_bytes*2);
        if(!data) {
                ECDSA_SIG_free(ecdsa_sig);
                return NULL;
        }
-        BN_bn2bin(ecdsa_sig->r, data);
-        BN_bn2bin(ecdsa_sig->s, data+BN_num_bytes(ecdsa_sig->r));
-	rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)(
-		BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)), data);
+	/* write the bignums (in big-endian) a little offset if the BN code
+	 * wants to write a shorter number of bytes, with zeroes prefixed */
+	memset(data, 0, num_bytes*2);
+        BN_bn2bin(r, data+num_bytes-BN_num_bytes(r));
+        BN_bn2bin(s, data+num_bytes*2-BN_num_bytes(s));
+	rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)(num_bytes*2), data);
        ECDSA_SIG_free(ecdsa_sig);
        return rdf;
 }
@ -1833,37 +1895,116 @@ ldns_status
 ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
        const ldns_rdf *sig_rdf)
 {
-        ECDSA_SIG* sig;
-	int raw_sig_len;
+        /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
+	 * ASN preable:  30440220 <R 32bytefor256> 0220 <S 32bytefor256>
+	 * the '20' is the length of that field (=bnsize).
+	 * the '44' is the total remaining length.
+	 * if negative, start with leading zero.
+	 * if starts with 00s, remove them from the number.
+	 */
+        uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
+        int pre_len = 4;
+        uint8_t mid[] = {0x02, 0x20};
+        int mid_len = 2;
+        int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
        long bnsize = (long)ldns_rdf_size(sig_rdf) / 2;
+        uint8_t* d = ldns_rdf_data(sig_rdf);
        /* if too short, or not even length, do not bother */
        if(bnsize < 16 || (size_t)bnsize*2 != ldns_rdf_size(sig_rdf))
                return LDNS_STATUS_ERR;
-        
-        /* use the raw data to parse two evenly long BIGNUMs, "r | s". */
-        sig = ECDSA_SIG_new();
-        if(!sig) return LDNS_STATUS_MEM_ERR;
-        sig->r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf),
-                bnsize, sig->r);
-        sig->s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize,
-                bnsize, sig->s);
-        if(!sig->r || !sig->s) {
-                ECDSA_SIG_free(sig);
-                return LDNS_STATUS_MEM_ERR;
+        /* strip leading zeroes from r (but not last one) */
+        while(r_rem < bnsize-1 && d[r_rem] == 0)
+                r_rem++;
+        /* strip leading zeroes from s (but not last one) */
+        while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
+                s_rem++;
+
+        r_high = ((d[0+r_rem]&0x80)?1:0);
+        s_high = ((d[bnsize+s_rem]&0x80)?1:0);
+        raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
+		s_high + bnsize - s_rem;
+        if(ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
+                ldns_buffer_write_u8(target_buffer, pre[0]);
+                ldns_buffer_write_u8(target_buffer, raw_sig_len-2);
+                ldns_buffer_write_u8(target_buffer, pre[2]);
+                ldns_buffer_write_u8(target_buffer, bnsize + r_high - r_rem);
+                if(r_high)
+                        ldns_buffer_write_u8(target_buffer, 0);
+                ldns_buffer_write(target_buffer, d+r_rem, bnsize-r_rem);
+                ldns_buffer_write(target_buffer, mid, mid_len-1);
+                ldns_buffer_write_u8(target_buffer, bnsize + s_high - s_rem);
+                if(s_high)
+                        ldns_buffer_write_u8(target_buffer, 0);
+                ldns_buffer_write(target_buffer, d+bnsize+s_rem, bnsize-s_rem);
        }
-
-	raw_sig_len = i2d_ECDSA_SIG(sig, NULL);
-	if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
-                unsigned char* pp = (unsigned char*)
-			ldns_buffer_current(target_buffer);
-	        raw_sig_len = i2d_ECDSA_SIG(sig, &pp);
-                ldns_buffer_skip(target_buffer, (ssize_t) raw_sig_len);
-	}
-        ECDSA_SIG_free(sig);
-
-	return ldns_buffer_status(target_buffer);
+        return ldns_buffer_status(target_buffer);
 }

 #endif /* S_SPLINT_S */
 #endif /* USE_ECDSA */
+
+#if defined(USE_ED25519) || defined(USE_ED448)
+/* debug printout routine */
+static void print_hex(const char* str, uint8_t* d, int len)
+{
+	const char hex[] = "0123456789abcdef";
+	int i;
+	printf("%s [len=%d]: ", str, len);
+	for(i=0; i<len; i++) {
+		int x = (d[i]&0xf0)>>4;
+		int y = (d[i]&0x0f);
+		printf("%c%c", hex[x], hex[y]);
+	}
+	printf("\n");
+}
+#endif
+
+#ifdef USE_ED25519
+ldns_rdf *
+ldns_convert_ed25519_rrsig_asn12rdf(const ldns_buffer *sig, long sig_len)
+{
+	unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
+        ldns_rdf* rdf = NULL;
+
+	/* TODO when Openssl supports signing and you can test this */
+	print_hex("sig in ASN", data, sig_len);
+
+        return rdf;
+}
+
+ldns_status
+ldns_convert_ed25519_rrsig_rdf2asn1(ldns_buffer *target_buffer,
+        const ldns_rdf *sig_rdf)
+{
+	/* TODO when Openssl supports signing and you can test this. */
+	/* convert sig_buf into ASN1 into the target_buffer */
+	print_hex("sig raw", ldns_rdf_data(sig_rdf), ldns_rdf_size(sig_rdf));
+        return ldns_buffer_status(target_buffer);
+}
+#endif /* USE_ED25519 */
+
+#ifdef USE_ED448
+ldns_rdf *
+ldns_convert_ed448_rrsig_asn12rdf(const ldns_buffer *sig, long sig_len)
+{
+	unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
+        ldns_rdf* rdf = NULL;
+
+	/* TODO when Openssl supports signing and you can test this */
+	print_hex("sig in ASN", data, sig_len);
+
+	return rdf;
+}
+
+ldns_status
+ldns_convert_ed448_rrsig_rdf2asn1(ldns_buffer *target_buffer,
+        const ldns_rdf *sig_rdf)
+{
+	/* TODO when Openssl supports signing and you can test this. */
+	/* convert sig_buf into ASN1 into the target_buffer */
+	print_hex("sig raw", ldns_rdf_data(sig_rdf), ldns_rdf_size(sig_rdf));
+        return ldns_buffer_status(target_buffer);
+}
+#endif /* USE_ED448 */
+
 #endif /* HAVE_SSL */
--- a/dnssec_sign.c
+++ b/dnssec_sign.c
@ -20,8 +20,8 @@
 #endif /* HAVE_SSL */

 ldns_rr *
-ldns_create_empty_rrsig(ldns_rr_list *rrset,
-                        ldns_key *current_key)
+ldns_create_empty_rrsig(const ldns_rr_list *rrset,
+                        const ldns_key *current_key)
 {
 	uint32_t orig_ttl;
 	ldns_rr_class orig_class;
@ -122,13 +122,20 @@ ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
 	ldns_rdf *b64rdf = NULL;

 	switch(ldns_key_algorithm(current_key)) {
+#ifdef USE_DSA
 	case LDNS_SIGN_DSA:
 	case LDNS_SIGN_DSA_NSEC3:
 		b64rdf = ldns_sign_public_evp(
 				   sign_buf,
 				   ldns_key_evp_key(current_key),
-				   EVP_dss1());
+# ifdef HAVE_EVP_DSS1
+				   EVP_dss1()
+# else
+				   EVP_sha1()
+# endif
+				   );
 		break;
+#endif /* USE_DSA */
 	case LDNS_SIGN_RSASHA1:
 	case LDNS_SIGN_RSASHA1_NSEC3:
 		b64rdf = ldns_sign_public_evp(
@ -171,6 +178,22 @@ ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
 				   ldns_key_evp_key(current_key),
 				   EVP_sha384());
                break;
+#endif
+#ifdef USE_ED25519
+        case LDNS_SIGN_ED25519:
+		b64rdf = ldns_sign_public_evp(
+				   sign_buf,
+				   ldns_key_evp_key(current_key),
+				   EVP_sha512());
+                break;
+#endif
+#ifdef USE_ED448
+        case LDNS_SIGN_ED448:
+		b64rdf = ldns_sign_public_evp(
+				   sign_buf,
+				   ldns_key_evp_key(current_key),
+				   EVP_sha512());
+                break;
 #endif
 	case LDNS_SIGN_RSAMD5:
 		b64rdf = ldns_sign_public_evp(
@ -308,11 +331,13 @@ ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
 ldns_rdf *
 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
 {
+#ifdef USE_DSA
 	unsigned char *sha1_hash;
 	ldns_rdf *sigdata_rdf;
 	ldns_buffer *b64sig;

 	DSA_SIG *sig;
+	const BIGNUM *R, *S;
 	uint8_t *data;
 	size_t pad;

@ -342,17 +367,23 @@ ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
        }

 	data[0] = 1;
-	pad = 20 - (size_t) BN_num_bytes(sig->r);
+# ifdef HAVE_DSA_SIG_GET0
+	DSA_SIG_get0(sig, &R, &S);
+# else
+	R = sig->r;
+	S = sig->s;
+# endif
+	pad = 20 - (size_t) BN_num_bytes(R);
 	if (pad > 0) {
 		memset(data + 1, 0, pad);
 	}
-	BN_bn2bin(sig->r, (unsigned char *) (data + 1) + pad);
+	BN_bn2bin(R, (unsigned char *) (data + 1) + pad);

-	pad = 20 - (size_t) BN_num_bytes(sig->s);
+	pad = 20 - (size_t) BN_num_bytes(S);
 	if (pad > 0) {
 		memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad);
 	}
-	BN_bn2bin(sig->s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
+	BN_bn2bin(S, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));

 	sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
 								 1 + 2 * SHA_DIGEST_LENGTH,
@ -363,28 +394,40 @@ ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
        DSA_SIG_free(sig);

 	return sigdata_rdf;
+#else
+	(void)to_sign; (void)key;
+	return NULL;
+#endif
 }

 #ifdef USE_ECDSA
 #ifndef S_SPLINT_S
+/** returns the number of bytes per signature-component (i.e. bits/8), or 0. */
 static int
 ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
 {
        EC_KEY* ec;
        const EC_GROUP* g;
-        if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC)
+#ifdef HAVE_EVP_PKEY_BASE_ID
+        if(EVP_PKEY_base_id(pkey) != EVP_PKEY_EC)
                return 0;
+#else
+        if(EVP_PKEY_type(key->type) != EVP_PKEY_EC)
+                return 0;
+#endif
        ec = EVP_PKEY_get1_EC_KEY(pkey);
        g = EC_KEY_get0_group(ec);
        if(!g) {
                EC_KEY_free(ec);
                return 0;
        }
-        if(EC_GROUP_get_curve_name(g) == NID_secp224r1 ||
-                EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1 ||
-                EC_GROUP_get_curve_name(g) == NID_secp384r1) {
+        if(EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1) {
                EC_KEY_free(ec);
-                return 1;
+                return 32; /* 256/8 */
+	}
+        if(EC_GROUP_get_curve_name(g) == NID_secp384r1) {
+                EC_KEY_free(ec);
+                return 48; /* 384/8 */
        }
        /* downref the eckey, the original is still inside the pkey */
        EC_KEY_free(ec);
@ -399,9 +442,9 @@ ldns_sign_public_evp(ldns_buffer *to_sign,
 				 const EVP_MD *digest_type)
 {
 	unsigned int siglen;
-	ldns_rdf *sigdata_rdf;
+	ldns_rdf *sigdata_rdf = NULL;
 	ldns_buffer *b64sig;
-	EVP_MD_CTX ctx;
+	EVP_MD_CTX *ctx;
 	const EVP_MD *md_type;
 	int r;

@ -419,45 +462,94 @@ ldns_sign_public_evp(ldns_buffer *to_sign,
 		return NULL;
 	}

-	EVP_MD_CTX_init(&ctx);
-	r = EVP_SignInit(&ctx, md_type);
-	if(r == 1) {
-		r = EVP_SignUpdate(&ctx, (unsigned char*)
-					    ldns_buffer_begin(to_sign),
-					    ldns_buffer_position(to_sign));
-	} else {
-		ldns_buffer_free(b64sig);
-		return NULL;
-	}
-	if(r == 1) {
-		r = EVP_SignFinal(&ctx, (unsigned char*)
-					   ldns_buffer_begin(b64sig), &siglen, key);
-	} else {
-		ldns_buffer_free(b64sig);
-		return NULL;
-	}
-	if(r != 1) {
+#ifdef HAVE_EVP_MD_CTX_NEW
+	ctx = EVP_MD_CTX_new();
+#else
+	ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
+	if(ctx) EVP_MD_CTX_init(ctx);
+#endif
+	if(!ctx) {
 		ldns_buffer_free(b64sig);
 		return NULL;
 	}

-	/* unfortunately, OpenSSL output is differenct from DNS DSA format */
-#ifndef S_SPLINT_S
-	if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
-		sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
-#ifdef USE_ECDSA
-        } else if(EVP_PKEY_type(key->type) == EVP_PKEY_EC &&
-                ldns_pkey_is_ecdsa(key)) {
-                sigdata_rdf = ldns_convert_ecdsa_rrsig_asn12rdf(b64sig, siglen);
-#endif
+	r = EVP_SignInit(ctx, md_type);
+	if(r == 1) {
+		r = EVP_SignUpdate(ctx, (unsigned char*)
+					    ldns_buffer_begin(to_sign),
+					    ldns_buffer_position(to_sign));
 	} else {
+		ldns_buffer_free(b64sig);
+		EVP_MD_CTX_destroy(ctx);
+		return NULL;
+	}
+	if(r == 1) {
+		r = EVP_SignFinal(ctx, (unsigned char*)
+					   ldns_buffer_begin(b64sig), &siglen, key);
+	} else {
+		ldns_buffer_free(b64sig);
+		EVP_MD_CTX_destroy(ctx);
+		return NULL;
+	}
+	if(r != 1) {
+		ldns_buffer_free(b64sig);
+		EVP_MD_CTX_destroy(ctx);
+		return NULL;
+	}
+
+	/* OpenSSL output is different, convert it */
+	r = 0;
+#ifdef USE_DSA
+#ifndef S_SPLINT_S
+	/* unfortunately, OpenSSL output is different from DNS DSA format */
+# ifdef HAVE_EVP_PKEY_BASE_ID
+	if (EVP_PKEY_base_id(key) == EVP_PKEY_DSA) {
+# else
+	if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
+# endif
+		r = 1;
+		sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
+	}
+#endif
+#endif
+#if defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
+	if(
+#  ifdef HAVE_EVP_PKEY_BASE_ID
+		EVP_PKEY_base_id(key)
+#  else
+		EVP_PKEY_type(key->type)
+#  endif
+		== EVP_PKEY_EC) {
+#  ifdef USE_ECDSA
+                if(ldns_pkey_is_ecdsa(key)) {
+			r = 1;
+			sigdata_rdf = ldns_convert_ecdsa_rrsig_asn1len2rdf(
+				b64sig, (long)siglen, ldns_pkey_is_ecdsa(key));
+		}
+#  endif /* USE_ECDSA */
+#  ifdef USE_ED25519
+		if(EVP_PKEY_id(key) == NID_X25519) {
+			r = 1;
+			sigdata_rdf = ldns_convert_ed25519_rrsig_asn12rdf(
+				b64sig, siglen);
+		}
+#  endif /* USE_ED25519 */
+#  ifdef USE_ED448
+		if(EVP_PKEY_id(key) == NID_X448) {
+			r = 1;
+			sigdata_rdf = ldns_convert_ed448_rrsig_asn12rdf(
+				b64sig, siglen);
+		}
+#  endif /* USE_ED448 */
+	}
+#endif /* PKEY_EC */
+	if(r == 0) {
 		/* ok output for other types is the same */
 		sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
 									 ldns_buffer_begin(b64sig));
 	}
-#endif /* splint */
 	ldns_buffer_free(b64sig);
-	EVP_MD_CTX_cleanup(&ctx);
+	EVP_MD_CTX_destroy(ctx);
 	return sigdata_rdf;
 }

@ -816,6 +908,10 @@ ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone,
 		nsec_ttl = LDNS_DEFAULT_TTL;
 	}

+	if (ldns_rdf_size(zone->soa->name) > 222) {
+		return LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW;
+	}
+
 	if (zone->hashed_names) {
 		ldns_traverse_postorder(zone->hashed_names,
 				ldns_hashed_names_node_free, NULL);
@ -1019,39 +1115,86 @@ ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,

 /** If there are KSKs use only them and mark ZSKs unused */
 static void
-ldns_key_list_filter_for_dnskey(ldns_key_list *key_list)
+ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags)
 {
-	int saw_ksk = 0;
+	bool algos[256]
+#ifndef S_SPLINT_S
+	                = { false }
+#endif
+	                           ;
+	ldns_signing_algorithm saw_ksk = 0;
+	ldns_key *key;
 	size_t i;
-	for(i=0; i<ldns_key_list_key_count(key_list); i++)
-		if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
-			saw_ksk = 1;
-			break;
-		}
-	if(!saw_ksk)
+
+	if (!ldns_key_list_key_count(key_list))
 		return;
-	for(i=0; i<ldns_key_list_key_count(key_list); i++)
-		if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
-			ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
+
+	for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+		key = ldns_key_list_key(key_list, i);
+		if ((ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_ksk)
+			saw_ksk = ldns_key_algorithm(key);
+		algos[ldns_key_algorithm(key)] = true;
+	}
+	if (!saw_ksk)
+		return;
+	else
+		algos[saw_ksk] = 0;
+
+	for (i =0; i < ldns_key_list_key_count(key_list); i++) {
+		key = ldns_key_list_key(key_list, i);
+		if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
+			/* We have a ZSK.
+			 * Still use it if it has a unique algorithm though!
+			 */
+			if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
+			    algos[ldns_key_algorithm(key)])
+				algos[ldns_key_algorithm(key)] = false;
+			else
+				ldns_key_set_use(key, 0);
+		}
+	}
 }

 /** If there are no ZSKs use KSK as ZSK */
 static void
-ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list)
+ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags)
 {
-	int saw_zsk = 0;
+	bool algos[256]
+#ifndef S_SPLINT_S
+	                = { false }
+#endif
+	                           ;
+	ldns_signing_algorithm saw_zsk = 0;
+	ldns_key *key;
 	size_t i;
-	for(i=0; i<ldns_key_list_key_count(key_list); i++)
-		if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
-			saw_zsk = 1;
-			break;
-		}
-	if(!saw_zsk)
+	
+	if (!ldns_key_list_key_count(key_list))
 		return;
-	/* else filter all KSKs */
-	for(i=0; i<ldns_key_list_key_count(key_list); i++)
-		if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
-			ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
+
+	for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+		key = ldns_key_list_key(key_list, i);
+		if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_zsk)
+			saw_zsk = ldns_key_algorithm(key);
+		algos[ldns_key_algorithm(key)] = true;
+	}
+	if (!saw_zsk)
+		return;
+	else
+		algos[saw_zsk] = 0;
+
+	for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+		key = ldns_key_list_key(key_list, i);
+		if((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
+			/* We have a KSK.
+			 * Still use it if it has a unique algorithm though!
+			 */
+			if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
+			    algos[ldns_key_algorithm(key)])
+				algos[ldns_key_algorithm(key)] = false;
+			else
+				ldns_key_set_use(key, 0);
+		}
+	}
 }

 ldns_status
@ -1110,10 +1253,10 @@ ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone
 											arg);
 				if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
 					cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
-					ldns_key_list_filter_for_dnskey(key_list);
+					ldns_key_list_filter_for_dnskey(key_list, flags);

 				if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY)
-					ldns_key_list_filter_for_non_dnskey(key_list);
+					ldns_key_list_filter_for_non_dnskey(key_list, flags);

 				/* TODO: just set count to zero? */
 				rr_list = ldns_rr_list_new();
@ -1166,7 +1309,7 @@ ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone
 										key_list,
 										func,
 										arg);
-			ldns_key_list_filter_for_non_dnskey(key_list);
+			ldns_key_list_filter_for_non_dnskey(key_list, flags);

 			rr_list = ldns_rr_list_new();
 			ldns_rr_list_push_rr(rr_list, cur_name->nsec);
--- a/dnssec_verify.c
+++ b/dnssec_verify.c
@ -1088,8 +1088,8 @@ ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree,

 ldns_status
 ldns_verify_time(
-		ldns_rr_list *rrset,
-		ldns_rr_list *rrsig, 
+		const ldns_rr_list *rrset,
+		const ldns_rr_list *rrsig, 
 		const ldns_rr_list *keys, 
 		time_t check_time,
 		ldns_rr_list *good_keys
@ -1809,7 +1809,7 @@ ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,

 #ifdef USE_GOST
 EVP_PKEY*
-ldns_gost2pkey_raw(unsigned char* key, size_t keylen)
+ldns_gost2pkey_raw(const unsigned char* key, size_t keylen)
 {
 	/* prefix header for X509 encoding */
 	uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, 
@ -1832,8 +1832,8 @@ ldns_gost2pkey_raw(unsigned char* key, size_t keylen)
 }

 static ldns_status
-ldns_verify_rrsig_gost_raw(unsigned char* sig, size_t siglen, 
-	ldns_buffer* rrset, unsigned char* key, size_t keylen)
+ldns_verify_rrsig_gost_raw(const unsigned char* sig, size_t siglen, 
+	const ldns_buffer* rrset, const unsigned char* key, size_t keylen)
 {
 	EVP_PKEY *evp_key;
 	ldns_status result;
@ -1854,9 +1854,103 @@ ldns_verify_rrsig_gost_raw(unsigned char* sig, size_t siglen,
 }
 #endif

+#ifdef USE_ED25519
+EVP_PKEY*
+ldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
+{
+        const unsigned char* pp = key; /* pp gets modified by o2i() */
+        EVP_PKEY *evp_key;
+        EC_KEY *ec;
+	if(keylen != 32)
+		return NULL; /* wrong length */
+        ec = EC_KEY_new_by_curve_name(NID_X25519);
+	if(!ec) return NULL;
+        if(!o2i_ECPublicKey(&ec, &pp, (int)keylen)) {
+                EC_KEY_free(ec);
+                return NULL;
+	}
+        evp_key = EVP_PKEY_new();
+        if(!evp_key) {
+                EC_KEY_free(ec);
+                return NULL;
+        }
+        if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
+		EVP_PKEY_free(evp_key);
+		EC_KEY_free(ec);
+		return NULL;
+	}
+        return evp_key;
+}
+
+static ldns_status
+ldns_verify_rrsig_ed25519_raw(unsigned char* sig, size_t siglen,
+	ldns_buffer* rrset, unsigned char* key, size_t keylen)
+{
+        EVP_PKEY *evp_key;
+        ldns_status result;
+
+        evp_key = ldns_ed255192pkey_raw(key, keylen);
+        if(!evp_key) {
+		/* could not convert key */
+		return LDNS_STATUS_CRYPTO_BOGUS;
+        }
+	result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key,
+		EVP_sha512());
+	EVP_PKEY_free(evp_key);
+	return result;
+}
+#endif /* USE_ED25519 */
+
+#ifdef USE_ED448
+EVP_PKEY*
+ldns_ed4482pkey_raw(const unsigned char* key, size_t keylen)
+{
+        const unsigned char* pp = key; /* pp gets modified by o2i() */
+        EVP_PKEY *evp_key;
+        EC_KEY *ec;
+	if(keylen != 57)
+		return NULL; /* wrong length */
+        ec = EC_KEY_new_by_curve_name(NID_X448);
+	if(!ec) return NULL;
+        if(!o2i_ECPublicKey(&ec, &pp, (int)keylen)) {
+                EC_KEY_free(ec);
+                return NULL;
+	}
+        evp_key = EVP_PKEY_new();
+        if(!evp_key) {
+                EC_KEY_free(ec);
+                return NULL;
+        }
+        if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
+		EVP_PKEY_free(evp_key);
+		EC_KEY_free(ec);
+		return NULL;
+	}
+        return evp_key;
+}
+
+static ldns_status
+ldns_verify_rrsig_ed448_raw(unsigned char* sig, size_t siglen,
+	ldns_buffer* rrset, unsigned char* key, size_t keylen)
+{
+        EVP_PKEY *evp_key;
+        ldns_status result;
+
+        evp_key = ldns_ed4482pkey_raw(key, keylen);
+        if(!evp_key) {
+		/* could not convert key */
+		return LDNS_STATUS_CRYPTO_BOGUS;
+        }
+	result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key,
+		EVP_sha512());
+	EVP_PKEY_free(evp_key);
+	return result;
+}
+#endif /* USE_ED448 */
+
 #ifdef USE_ECDSA
 EVP_PKEY*
-ldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
+ldns_ecdsa2pkey_raw(const unsigned char* key, size_t keylen, uint8_t algo)
 {
 	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
        const unsigned char* pp = buf;
@ -1935,6 +2029,7 @@ ldns_verify_rrsig_buffers_raw(unsigned char* sig, size_t siglen,
 {
 	/* check for right key */
 	switch(algo) {
+#ifdef USE_DSA
 	case LDNS_DSA:
 	case LDNS_DSA_NSEC3:
 		return ldns_verify_rrsig_dsa_raw(sig,
@ -1943,6 +2038,7 @@ ldns_verify_rrsig_buffers_raw(unsigned char* sig, size_t siglen,
 								   key,
 								   keylen);
 		break;
+#endif
 	case LDNS_RSASHA1:
 	case LDNS_RSASHA1_NSEC3:
 		return ldns_verify_rrsig_rsasha1_raw(sig,
@ -1979,6 +2075,18 @@ ldns_verify_rrsig_buffers_raw(unsigned char* sig, size_t siglen,
 		return ldns_verify_rrsig_ecdsa_raw(sig, siglen, verify_buf,
 			key, keylen, algo);
 		break;
+#endif
+#ifdef USE_ED25519
+	case LDNS_ED25519:
+		return ldns_verify_rrsig_ed25519_raw(sig, siglen, verify_buf,
+			key, keylen);
+		break;
+#endif
+#ifdef USE_ED448
+	case LDNS_ED448:
+		return ldns_verify_rrsig_ed448_raw(sig, siglen, verify_buf,
+			key, keylen);
+		break;
 #endif
 	case LDNS_RSAMD5:
 		return ldns_verify_rrsig_rsamd5_raw(sig,
@ -2002,7 +2110,7 @@ ldns_verify_rrsig_buffers_raw(unsigned char* sig, size_t siglen,
 * @param sig: signature to take TTL and wildcard values from
 */
 static void
-ldns_rrset_use_signature_ttl(ldns_rr_list* rrset_clone, ldns_rr* rrsig)
+ldns_rrset_use_signature_ttl(ldns_rr_list* rrset_clone, const ldns_rr* rrsig)
 {
 	uint32_t orig_ttl;
 	uint16_t i;
@ -2051,7 +2159,7 @@ ldns_rrset_use_signature_ttl(ldns_rr_list* rrset_clone, ldns_rr* rrsig)
 * @return OK or more specific error.
 */
 static ldns_status
-ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, ldns_rr* rrsig)
+ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, const ldns_rr* rrsig)
 {
 	uint8_t sig_algo;
       
@ -2088,6 +2196,7 @@ ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, ldns_rr* rrsig)
 			return LDNS_STATUS_MEM_ERR;
 		}
 		break;
+#ifdef USE_DSA
 	case LDNS_DSA:
 	case LDNS_DSA_NSEC3:
 		/* EVP takes rfc2459 format, which is a tad longer than dns format */
@ -2104,6 +2213,7 @@ ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, ldns_rr* rrsig)
 			return LDNS_STATUS_MEM_ERR;
 		}
 		break;
+#endif
 #ifdef USE_ECDSA
        case LDNS_ECDSAP256SHA256:
        case LDNS_ECDSAP384SHA384:
@ -2118,6 +2228,32 @@ ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, ldns_rr* rrsig)
 			return LDNS_STATUS_MEM_ERR;
                }
                break;
+#endif
+#ifdef USE_ED25519
+	case LDNS_ED25519:
+                /* EVP produces an ASN prefix on the signature, which is
+                 * not used in the DNS */
+		if (ldns_rr_rdf(rrsig, 8) == NULL) {
+			return LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG;
+		}
+		if (ldns_convert_ed25519_rrsig_rdf2asn1(
+			rawsig_buf, ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
+			return LDNS_STATUS_MEM_ERR;
+                }
+		break;
+#endif
+#ifdef USE_ED448
+	case LDNS_ED448:
+                /* EVP produces an ASN prefix on the signature, which is
+                 * not used in the DNS */
+		if (ldns_rr_rdf(rrsig, 8) == NULL) {
+			return LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG;
+		}
+		if (ldns_convert_ed448_rrsig_rdf2asn1(
+			rawsig_buf, ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
+			return LDNS_STATUS_MEM_ERR;
+                }
+		break;
 #endif
 	case LDNS_DH:
 	case LDNS_ECC:
@ -2136,7 +2272,7 @@ ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, ldns_rr* rrsig)
 * @return status code LDNS_STATUS_OK if all is fine.
 */
 static ldns_status
-ldns_rrsig_check_timestamps(ldns_rr* rrsig, time_t now)
+ldns_rrsig_check_timestamps(const ldns_rr* rrsig, time_t now)
 {
 	int32_t inception, expiration;
 	
@ -2171,7 +2307,7 @@ ldns_rrsig_check_timestamps(ldns_rr* rrsig, time_t now)
 */
 static ldns_status
 ldns_prepare_for_verify(ldns_buffer* rawsig_buf, ldns_buffer* verify_buf, 
-	ldns_rr_list* rrset_clone, ldns_rr* rrsig)
+	ldns_rr_list* rrset_clone, const ldns_rr* rrsig)
 {
 	ldns_status result;

@ -2218,7 +2354,7 @@ ldns_prepare_for_verify(ldns_buffer* rawsig_buf, ldns_buffer* verify_buf,
 */
 static ldns_status
 ldns_verify_test_sig_key(ldns_buffer* rawsig_buf, ldns_buffer* verify_buf, 
-	ldns_rr* rrsig, ldns_rr* key)
+	const ldns_rr* rrsig, ldns_rr* key)
 {
 	uint8_t sig_algo;
       
@ -2285,8 +2421,8 @@ ldns_verify_test_sig_key(ldns_buffer* rawsig_buf, ldns_buffer* verify_buf,
 */
 ldns_status
 ldns_verify_rrsig_keylist_time(
-		ldns_rr_list *rrset,
-		ldns_rr *rrsig,
+		const ldns_rr_list *rrset,
+		const ldns_rr *rrsig,
 		const ldns_rr_list *keys, 
 		time_t check_time,
 		ldns_rr_list *good_keys)
@ -2334,8 +2470,8 @@ ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
 }

 ldns_status
-ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
-					 ldns_rr *rrsig,
+ldns_verify_rrsig_keylist_notime(const ldns_rr_list *rrset,
+					 const ldns_rr *rrsig,
 					 const ldns_rr_list *keys, 
 					 ldns_rr_list *good_keys)
 {
@ -2482,21 +2618,28 @@ ldns_verify_rrsig_evp(ldns_buffer *sig,
 }

 ldns_status
-ldns_verify_rrsig_evp_raw(unsigned char *sig, size_t siglen, 
-					 ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
+ldns_verify_rrsig_evp_raw(const unsigned char *sig, size_t siglen, 
+					 const ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
 {
-	EVP_MD_CTX ctx;
+	EVP_MD_CTX *ctx;
 	int res;

-	EVP_MD_CTX_init(&ctx);
+#ifdef HAVE_EVP_MD_CTX_NEW
+	ctx = EVP_MD_CTX_new();
+#else
+	ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
+	if(ctx) EVP_MD_CTX_init(ctx);
+#endif
+	if(!ctx)
+		return LDNS_STATUS_MEM_ERR;
 	
-	EVP_VerifyInit(&ctx, digest_type);
-	EVP_VerifyUpdate(&ctx,
+	EVP_VerifyInit(ctx, digest_type);
+	EVP_VerifyUpdate(ctx,
 				  ldns_buffer_begin(rrset),
 				  ldns_buffer_position(rrset));
-	res = EVP_VerifyFinal(&ctx, sig, (unsigned int) siglen, key);
+	res = EVP_VerifyFinal(ctx, sig, (unsigned int) siglen, key);
 	
-	EVP_MD_CTX_cleanup(&ctx);
+	EVP_MD_CTX_destroy(ctx);
 	
 	if (res == 1) {
 		return LDNS_STATUS_OK;
@ -2545,6 +2688,7 @@ ldns_status
 ldns_verify_rrsig_dsa_raw(unsigned char* sig, size_t siglen,
 					 ldns_buffer* rrset, unsigned char* key, size_t keylen)
 {
+#ifdef USE_DSA
 	EVP_PKEY *evp_key;
 	ldns_status result;

@ -2554,13 +2698,21 @@ ldns_verify_rrsig_dsa_raw(unsigned char* sig, size_t siglen,
 								siglen,
 								rrset,
 								evp_key,
-								EVP_dss1());
+# ifdef HAVE_EVP_DSS1
+								EVP_dss1()
+# else
+								EVP_sha1()
+# endif
+								);
 	} else {
 		result = LDNS_STATUS_SSL_ERR;
 	}
 	EVP_PKEY_free(evp_key);
 	return result;
-
+#else
+	(void)sig; (void)siglen; (void)rrset; (void)key; (void)keylen;
+	return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL;
+#endif
 }

 ldns_status
--- a/dnssec_zone.c
+++ b/dnssec_zone.c
@ -78,7 +78,7 @@ ldns_dnssec_rrs_add_rr(ldns_dnssec_rrs *rrs, ldns_rr *rr)

 void
 ldns_dnssec_rrs_print_fmt(FILE *out, const ldns_output_format *fmt,
-	       ldns_dnssec_rrs *rrs)
+	       const ldns_dnssec_rrs *rrs)
 {
 	if (!rrs) {
 		if ((fmt->flags & LDNS_COMMENT_LAYOUT))
@ -94,7 +94,7 @@ ldns_dnssec_rrs_print_fmt(FILE *out, const ldns_output_format *fmt,
 }

 void
-ldns_dnssec_rrs_print(FILE *out, ldns_dnssec_rrs *rrs)
+ldns_dnssec_rrs_print(FILE *out, const ldns_dnssec_rrs *rrs)
 {
 	ldns_dnssec_rrs_print_fmt(out, ldns_output_format_default, rrs);
 }
@ -143,7 +143,7 @@ ldns_dnssec_rrsets_deep_free(ldns_dnssec_rrsets *rrsets)
 }

 ldns_rr_type
-ldns_dnssec_rrsets_type(ldns_dnssec_rrsets *rrsets)
+ldns_dnssec_rrsets_type(const ldns_dnssec_rrsets *rrsets)
 {
 	if (rrsets) {
 		return rrsets->type;
@ -271,7 +271,7 @@ ldns_dnssec_rrsets_add_rr(ldns_dnssec_rrsets *rrsets, ldns_rr *rr)

 static void
 ldns_dnssec_rrsets_print_soa_fmt(FILE *out, const ldns_output_format *fmt,
-		ldns_dnssec_rrsets *rrsets,
+		const ldns_dnssec_rrsets *rrsets,
 		bool follow,
 		bool show_soa)
 {
@ -300,14 +300,14 @@ ldns_dnssec_rrsets_print_soa_fmt(FILE *out, const ldns_output_format *fmt,

 void
 ldns_dnssec_rrsets_print_fmt(FILE *out, const ldns_output_format *fmt,
-		ldns_dnssec_rrsets *rrsets, 
+		const ldns_dnssec_rrsets *rrsets, 
 		bool follow)
 {
 	ldns_dnssec_rrsets_print_soa_fmt(out, fmt, rrsets, follow, true);
 }

 void
-ldns_dnssec_rrsets_print(FILE *out, ldns_dnssec_rrsets *rrsets, bool follow)
+ldns_dnssec_rrsets_print(FILE *out, const ldns_dnssec_rrsets *rrsets, bool follow)
 {
 	ldns_dnssec_rrsets_print_fmt(out, ldns_output_format_default, 
 			rrsets, follow);
@ -391,7 +391,7 @@ ldns_dnssec_name_deep_free(ldns_dnssec_name *name)
 }

 ldns_rdf *
-ldns_dnssec_name_name(ldns_dnssec_name *name)
+ldns_dnssec_name_name(const ldns_dnssec_name *name)
 {
 	if (name) {
 		return name->name;
@ -400,7 +400,7 @@ ldns_dnssec_name_name(ldns_dnssec_name *name)
 }

 bool
-ldns_dnssec_name_is_glue(ldns_dnssec_name *name)
+ldns_dnssec_name_is_glue(const ldns_dnssec_name *name)
 {
 	if (name) {
 		return name->is_glue;
@ -489,7 +489,7 @@ ldns_dnssec_name_add_rr(ldns_dnssec_name *name,
 }

 ldns_dnssec_rrsets *
-ldns_dnssec_name_find_rrset(ldns_dnssec_name *name,
+ldns_dnssec_name_find_rrset(const ldns_dnssec_name *name,
 					   ldns_rr_type type) {
 	ldns_dnssec_rrsets *result;

@ -505,13 +505,13 @@ ldns_dnssec_name_find_rrset(ldns_dnssec_name *name,
 }

 ldns_dnssec_rrsets *
-ldns_dnssec_zone_find_rrset(ldns_dnssec_zone *zone,
-					   ldns_rdf *dname,
+ldns_dnssec_zone_find_rrset(const ldns_dnssec_zone *zone,
+					   const ldns_rdf *dname,
 					   ldns_rr_type type)
 {
 	ldns_rbnode_t *node;

-	if (!zone || !dname) {
+	if (!zone || !dname || !zone->names) {
 		return NULL;
 	}

@ -526,7 +526,7 @@ ldns_dnssec_zone_find_rrset(ldns_dnssec_zone *zone,

 static void
 ldns_dnssec_name_print_soa_fmt(FILE *out, const ldns_output_format *fmt,
-		ldns_dnssec_name *name, 
+		const ldns_dnssec_name *name, 
 		bool show_soa)
 {
 	if (name) {
@ -553,13 +553,13 @@ ldns_dnssec_name_print_soa_fmt(FILE *out, const ldns_output_format *fmt,

 void
 ldns_dnssec_name_print_fmt(FILE *out, const ldns_output_format *fmt,
-		ldns_dnssec_name *name)
+		const ldns_dnssec_name *name)
 {
 	ldns_dnssec_name_print_soa_fmt(out, fmt, name, true);
 }

 void
-ldns_dnssec_name_print(FILE *out, ldns_dnssec_name *name)
+ldns_dnssec_name_print(FILE *out, const ldns_dnssec_name *name)
 {
 	ldns_dnssec_name_print_fmt(out, ldns_output_format_default, name);
 }
@ -593,8 +593,19 @@ rr_is_rrsig_covering(ldns_rr* rr, ldns_rr_type t)
 */
 #define FASTER_DNSSEC_ZONE_NEW_FRM_FP 1 /* Because of L2 cache efficiency */

+static ldns_status
+ldns_dnssec_zone_add_empty_nonterminals_nsec3(
+		ldns_dnssec_zone *zone, ldns_rbtree_t *nsec3s);
+
+static void
+ldns_todo_nsec3_ents_node_free(ldns_rbnode_t *node, void *arg) {
+	(void) arg;
+	ldns_rdf_deep_free((ldns_rdf *)node->key);
+	LDNS_FREE(node);
+}
+
 ldns_status
-ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin,
+ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, const ldns_rdf* origin,
 	       	uint32_t ttl, ldns_rr_class ATTR_UNUSED(c), int* line_nr)
 {
 	ldns_rr* cur_rr;
@ -604,34 +615,58 @@ ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin,
 	ldns_rdf *my_prev = NULL;

 	ldns_dnssec_zone *newzone = ldns_dnssec_zone_new();
+	/* NSEC3s may occur before the names they refer to. We must remember
+	   them and add them to the name later on, after the name is read.
+	   We track not yet  matching NSEC3s*n the todo_nsec3s list */
+	ldns_rr_list* todo_nsec3s = ldns_rr_list_new();
 	/* when reading NSEC3s, there is a chance that we encounter nsecs
 	   for empty nonterminals, whose nonterminals we cannot derive yet
-	   because the needed information is to be read later. in that case
-	   we keep a list of those nsec3's and retry to add them later */
-	ldns_rr_list* todo_nsec3s = ldns_rr_list_new();
+	   because the needed information is to be read later.
+
+	   nsec3_ents (where ent is e.n.t.; i.e. empty non terminal) will
+	   hold the NSEC3s that still didn't have a matching name in the
+	   zone tree, even after all names were read.  They can only match
+	   after the zone is equiped with all the empty non terminals. */
+	ldns_rbtree_t todo_nsec3_ents;
+	ldns_rbnode_t *new_node;
 	ldns_rr_list* todo_nsec3_rrsigs = ldns_rr_list_new();

-	ldns_status status = LDNS_STATUS_MEM_ERR;
+	ldns_status status;

 #ifdef FASTER_DNSSEC_ZONE_NEW_FRM_FP
 	ldns_zone* zone = NULL;
-	if (ldns_zone_new_frm_fp_l(&zone, fp, origin,ttl, c, line_nr)
-			!= LDNS_STATUS_OK) goto error;
 #else
 	uint32_t  my_ttl = ttl;
 #endif

-	if (!newzone || !todo_nsec3s || !todo_nsec3_rrsigs ) goto error;
+	ldns_rbtree_init(&todo_nsec3_ents, ldns_dname_compare_v);

+#ifdef FASTER_DNSSEC_ZONE_NEW_FRM_FP
+	status = ldns_zone_new_frm_fp_l(&zone, fp, origin,ttl, c, line_nr);
+	if (status != LDNS_STATUS_OK)
+		goto error;
+#endif
+	if (!newzone || !todo_nsec3s || !todo_nsec3_rrsigs ) {
+		status = LDNS_STATUS_MEM_ERR;
+		goto error;
+	}
 	if (origin) {
-		if (!(my_origin = ldns_rdf_clone(origin))) goto error;
-		if (!(my_prev   = ldns_rdf_clone(origin))) goto error;
+		if (!(my_origin = ldns_rdf_clone(origin))) {
+			status = LDNS_STATUS_MEM_ERR;
+			goto error;
+		}
+		if (!(my_prev   = ldns_rdf_clone(origin))) {
+			status = LDNS_STATUS_MEM_ERR;
+			goto error;
+		}
 	}

 #ifdef FASTER_DNSSEC_ZONE_NEW_FRM_FP
-	if (ldns_dnssec_zone_add_rr(newzone, ldns_zone_soa(zone))
-			!= LDNS_STATUS_OK) goto error;
-
+	if (ldns_zone_soa(zone)) {
+		status = ldns_dnssec_zone_add_rr(newzone, ldns_zone_soa(zone));
+		if (status != LDNS_STATUS_OK)
+			goto error;
+	}
 	for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
 		cur_rr = ldns_rr_list_rr(ldns_zone_rrs(zone), i);
 		status = LDNS_STATUS_OK;
@ -679,23 +714,33 @@ ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin,
 		}
 	}

-	if (ldns_rr_list_rr_count(todo_nsec3s) > 0) {
-		(void) ldns_dnssec_zone_add_empty_nonterminals(newzone);
-		for (i = 0; status == LDNS_STATUS_OK &&
-				i < ldns_rr_list_rr_count(todo_nsec3s); i++) {
-			cur_rr = ldns_rr_list_rr(todo_nsec3s, i);
-			status = ldns_dnssec_zone_add_rr(newzone, cur_rr);
-		}
-	} 
-	if (ldns_rr_list_rr_count(todo_nsec3_rrsigs) > 0) {
-		for (i = 0; status == LDNS_STATUS_OK &&
-				i < ldns_rr_list_rr_count(todo_nsec3_rrsigs);
-				i++){
-			cur_rr = ldns_rr_list_rr(todo_nsec3_rrsigs, i);
-			status = ldns_dnssec_zone_add_rr(newzone, cur_rr);
+	for (i = 0; status == LDNS_STATUS_OK &&
+			i < ldns_rr_list_rr_count(todo_nsec3s); i++) {
+		cur_rr = ldns_rr_list_rr(todo_nsec3s, i);
+		status = ldns_dnssec_zone_add_rr(newzone, cur_rr);
+		if (status == LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND) {
+			if (!(new_node = LDNS_MALLOC(ldns_rbnode_t))) {
+				status = LDNS_STATUS_MEM_ERR;
+				break;
+			}
+			new_node->key  = ldns_dname_label(ldns_rr_owner(cur_rr), 0);
+			new_node->data = cur_rr;
+			if (!ldns_rbtree_insert(&todo_nsec3_ents, new_node)) {
+				LDNS_FREE(new_node);
+				status = LDNS_STATUS_MEM_ERR;
+				break;
+			}
+			status = LDNS_STATUS_OK;
 		}
 	}
-
+	if (todo_nsec3_ents.count > 0)
+		(void) ldns_dnssec_zone_add_empty_nonterminals_nsec3(
+				newzone, &todo_nsec3_ents);
+	for (i = 0; status == LDNS_STATUS_OK &&
+			i < ldns_rr_list_rr_count(todo_nsec3_rrsigs); i++) {
+		cur_rr = ldns_rr_list_rr(todo_nsec3_rrsigs, i);
+		status = ldns_dnssec_zone_add_rr(newzone, cur_rr);
+	}
 	if (z) {
 		*z = newzone;
 		newzone = NULL;
@ -710,6 +755,8 @@ ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin,
 	}
 #endif
 	ldns_rr_list_free(todo_nsec3_rrsigs);
+	ldns_traverse_postorder(&todo_nsec3_ents,
+			ldns_todo_nsec3_ents_node_free, NULL);
 	ldns_rr_list_free(todo_nsec3s);

 	if (my_origin) {
@ -725,7 +772,7 @@ ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin,
 }

 ldns_status
-ldns_dnssec_zone_new_frm_fp(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin,
+ldns_dnssec_zone_new_frm_fp(ldns_dnssec_zone** z, FILE* fp, const ldns_rdf* origin,
 		uint32_t ttl, ldns_rr_class ATTR_UNUSED(c))
 {
 	return ldns_dnssec_zone_new_frm_fp_l(z, fp, origin, ttl, c, NULL);
@ -932,7 +979,7 @@ ldns_dnssec_zone_add_rr(ldns_dnssec_zone *zone, ldns_rr *rr)

 void
 ldns_dnssec_zone_names_print_fmt(FILE *out, const ldns_output_format *fmt,
-		ldns_rbtree_t *tree, 
+		const ldns_rbtree_t *tree, 
 		bool print_soa)
 {
 	ldns_rbnode_t *node;
@ -949,7 +996,7 @@ ldns_dnssec_zone_names_print_fmt(FILE *out, const ldns_output_format *fmt,
 }

 void
-ldns_dnssec_zone_names_print(FILE *out, ldns_rbtree_t *tree, bool print_soa)
+ldns_dnssec_zone_names_print(FILE *out, const ldns_rbtree_t *tree, bool print_soa)
 {
 	ldns_dnssec_zone_names_print_fmt(out, ldns_output_format_default,
 		       tree, print_soa);
@ -957,7 +1004,7 @@ ldns_dnssec_zone_names_print(FILE *out, ldns_rbtree_t *tree, bool print_soa)

 void
 ldns_dnssec_zone_print_fmt(FILE *out, const ldns_output_format *fmt,
-	       ldns_dnssec_zone *zone)
+	       const ldns_dnssec_zone *zone)
 {
 	if (zone) {
 		if (zone->soa) {
@ -984,13 +1031,14 @@ ldns_dnssec_zone_print_fmt(FILE *out, const ldns_output_format *fmt,
 }

 void
-ldns_dnssec_zone_print(FILE *out, ldns_dnssec_zone *zone)
+ldns_dnssec_zone_print(FILE *out, const ldns_dnssec_zone *zone)
 {
 	ldns_dnssec_zone_print_fmt(out, ldns_output_format_default, zone);
 }

-ldns_status
-ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone)
+static ldns_status
+ldns_dnssec_zone_add_empty_nonterminals_nsec3(
+		ldns_dnssec_zone *zone, ldns_rbtree_t *nsec3s)
 {
 	ldns_dnssec_name *new_name;
 	ldns_rdf *cur_name;
@ -1053,12 +1101,34 @@ ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone)
 				/* We have an empty nonterminal, add it to the
 				 * tree
 				 */
+				ldns_rbnode_t *node = NULL;
+				ldns_rdf *ent_name;
+
+				if (!(ent_name = ldns_dname_clone_from(
+						next_name, i)))
+					return LDNS_STATUS_MEM_ERR;
+
+				if (nsec3s && zone->_nsec3params) {
+					ldns_rdf *ent_hashed_name;
+
+					if (!(ent_hashed_name =
+					    ldns_nsec3_hash_name_frm_nsec3(
+							zone->_nsec3params,
+							ent_name)))
+						return LDNS_STATUS_MEM_ERR;
+					node = ldns_rbtree_search(nsec3s, 
+							ent_hashed_name);
+					if (!node) {
+						ldns_rdf_deep_free(l1);
+						ldns_rdf_deep_free(l2);
+						continue;
+					}
+				}
 				new_name = ldns_dnssec_name_new();
 				if (!new_name) {
 					return LDNS_STATUS_MEM_ERR;
 				}
-				new_name->name = ldns_dname_clone_from(next_name,
-				                                       i);
+				new_name->name = ent_name;
 				if (!new_name->name) {
 					ldns_dnssec_name_free(new_name);
 					return LDNS_STATUS_MEM_ERR;
@ -1074,6 +1144,9 @@ ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone)
 				(void)ldns_rbtree_insert(zone->names, new_node);
 				ldns_dnssec_name_make_hashed_name(
 						zone, new_name, NULL);
+				if (node)
+					(void) ldns_dnssec_zone_add_rr(zone,
+							(ldns_rr *)node->data);
 			}
 			ldns_rdf_deep_free(l1);
 			ldns_rdf_deep_free(l2);
@ -1091,8 +1164,14 @@ ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone)
 	return LDNS_STATUS_OK;
 }

+ldns_status
+ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone)
+{
+	return ldns_dnssec_zone_add_empty_nonterminals_nsec3(zone, NULL);
+}
+
 bool
-ldns_dnssec_zone_is_nsec3_optout(ldns_dnssec_zone* zone)
+ldns_dnssec_zone_is_nsec3_optout(const ldns_dnssec_zone* zone)
 {
 	ldns_rr* nsec3;
 	ldns_rbnode_t* node;
--- a/doc/TODO
+++ b/doc/TODO
@ -1,13 +1,6 @@
 TODO

 Features:
-* Multi-line zone file parsing
-* Configure option for not printing DNSSEC RR comments
-* HMAC and MD5 without OpenSSL
-* HIP RR support
-* Parse 'search' attribute in /etc/resolv.conf
-* Make use of automake (Bug #173)
-* ./configure --with-tools --with-drill (Bug #264)
 * Drill: print appropriate DS RRs (relates to Bug #355)
 * ldns-signzone optout to be really optout
 * Compression when generating wireformat. Preferably with a configurable 
@ -18,5 +11,4 @@ Bugfixes:
 * Bug #279: fix return values for net.h functions, and related: make return
  values for functions that cannot return memory-failure today. Needs medium
  version increase because of API change.
-* Long out-standing packaging bugs (debian)
 * Lazy ABI
--- a/doc/doxyparse.pl
+++ b/doc/doxyparse.pl
@ -1,6 +1,6 @@
 #!/usr/bin/env perl

-# Doxygen is usefull for html documentation, but sucks 
+# Doxygen is useful for html documentation, but sucks
 # in making manual pages. Still tool also parses the .h
 # files with the doxygen documentation and creates
 # the man page we want
@ -35,7 +35,7 @@ my %see_also;

 my $BASE="doc/man";
 my $MAN_SECTION = "3";
-my $MAN_HEADER = ".TH ldns $MAN_SECTION \"30 May 2006\"\n";
+my $MAN_HEADER = ".ad l\n.TH ldns $MAN_SECTION \"30 May 2006\"\n";
 my $MAN_MIDDLE = ".SH AUTHOR
 The ldns team at NLnet Labs. Which consists out of
 Jelte Jansen and Miek Gieben.
@ -53,14 +53,19 @@ MERCHANTABILITY or
 FITNESS FOR A PARTICULAR PURPOSE.
 ";
 my $MAN_FOOTER = ".SH REMARKS
-This manpage was automaticly generated from the ldns source code by
+This manpage was automatically generated from the ldns source code by
 use of Doxygen and some perl.
 ";

-getopts("m:",\%options);
+getopts("em:",\%options);
 # if -m manpage file is given process that file
 # parse the file which tells us what manpages go together
-my $functions, $see_also;
+my $functions, $see_also, $shorts;
+my $i = 0;
+my $report_errors = defined $options{'e'};
+my $errors = 0;
+my %unique;
+
 if (defined $options{'m'}) {
 	# process
 	open(MAN, "<$options{'m'}") or die "Cannot open $options{'m'}";
@ -68,18 +73,41 @@ if (defined $options{'m'}) {
 		# func1, func2, .. | see_also1, see_also2, ...
 		while(<MAN>) {
 			chomp;
+			$i += 1;
 			if (/^#/) { next; }
 			if (/^$/) { next; }
-			($functions, $see_also) = split /[\t ]*\|[\t ]*/, $_;
+			my @parts = split /[\t ]*\|[\t ]*/, $_;
+			$functions = shift @parts;
+			@parts = split /[\t ]*-[\t ]*/, join ', ', @parts;
+			$see_also = shift @parts;
+			if (! $see_also) {
+				@parts = split /[\t ]*-[\t ]*/, $_;
+				$functions = shift @parts;
+			}
 			#print "{$functions}\n";
 			#print "{$see_also}\n";
 			my @funcs = split /[\t ]*,[\t ]*/, $functions;
 			my @also = split /[\t ]*,[\t ]*/, $see_also;
 			$manpages{$funcs[0]} = \@funcs;
 			$see_also{$funcs[0]} = \@also;
+			$shorts{$funcs[0]} = join '', @parts;
+			foreach (@funcs) {
+				if ($unique{$_}) {
+					push @{$unique{$_}}, ($i,);
+				} else {
+					$unique{$_} = [$i];
+				}
+			}
 			#print "[", $funcs[0], "]\n";
 		}
 	close(MAN);
+	while (($func, $lines) = each %unique ) {
+		if (scalar @$lines > 1) {
+			print STDERR "$func in function_manpages on lines: "
+			    . join(", ",@$lines) . "\n" if $report_errors;
+			$errors += 1;
+		}
+	}
 } else {
 	print "Need -m file to process the .h files\n";
 	exit 1;
@ -95,7 +123,7 @@ mkdir "doc/man";
 mkdir "doc/man/man$MAN_SECTION";

 $state = 0;
-my $i;
+$i = 0;
 my @lines = <STDIN>;
 my $max = @lines;

@ -227,6 +255,7 @@ while($i < $max) {
 foreach (keys %manpages) {
 	$name = $manpages{$_};
 	$also = $see_also{$_};
+	my $shrt = $shorts{$_};

 	$filename = @$name[0];
 	$filename = "$BASE/man$MAN_SECTION/$filename.$MAN_SECTION";
@ -239,6 +268,9 @@ foreach (keys %manpages) {
 	print MAN  $MAN_HEADER;
 	print MAN  ".SH NAME\n";
 	print MAN  join ", ", @$name;
+	if ($shrt) {
+		print MAN " \\- $shrt";
+	}
 	print MAN  "\n\n";
 	print MAN  ".SH SYNOPSIS\n";

@ -273,7 +305,7 @@ foreach (keys %manpages) {

 	print MAN $MAN_MIDDLE;

-	if (defined(@$also)) {
+	if (@$also) {
 		print MAN "\n.SH SEE ALSO\n\\fI";
 		print MAN join "\\fR, \\fI", @$also;
 		print MAN "\\fR.\nAnd ";
@ -290,7 +322,7 @@ foreach (keys %manpages) {
 	# create symlinks
 	chdir("$BASE/man$MAN_SECTION");
 	foreach (@$name) {
-		print STDERR $_,"\n";
+		print STDOUT $_,"\n";
 		my $new_file = $_ . "." . $MAN_SECTION;
 		if ($new_file eq $symlink_file) {
 			next;
@ -301,3 +333,12 @@ foreach (keys %manpages) {
 	chdir("../../.."); # and back, tricky and fragile...
 	close(MAN);
 }
+foreach (keys %api) {
+	next if (/ / || /^$/);
+	if (not $unique{$_}) {
+		print STDERR "no man page for $_\n" if $report_errors;
+		#$errors += 1;
+	}
+}
+
+exit ($report_errors and $errors != 0);
--- a/doc/function_manpages
+++ b/doc/function_manpages
@ -8,221 +8,213 @@

 ### host2wire.h
 # conversion functions
-ldns_rr2wire, ldns_pkt2wire, ldns_rdf2wire | ldns_wire2rr, ldns_wire2pkt, ldns_wire2rdf
+ldns_rr2wire, ldns_pkt2wire, ldns_rdf2wire | ldns_wire2rr, ldns_wire2pkt, ldns_wire2rdf - conversion functions
 # lower level conversions, some are from host2str.h
-ldns_pkt2buffer_str, ldns_pktheader2buffer_str, ldns_rr2buffer_str, ldns_rr_list2buffer_str, ldns_rdf2buffer_str, ldns_key2buffer_str, ldns_pkt2buffer_wire, ldns_rr2buffer_wire, ldns_rdf2buffer_wire, ldns_rrsig2buffer_wire, ldns_rr_rdata2buffer_wire | ldns_pkt2str, ldns_rr2str, ldns_rdf2str, ldns_rr_list2str, ldns_key2str
+ldns_pkt2buffer_str, ldns_pktheader2buffer_str, ldns_rr2buffer_str, ldns_rr_list2buffer_str, ldns_rdf2buffer_str, ldns_key2buffer_str, ldns_pkt2buffer_wire, ldns_rr2buffer_wire, ldns_rdf2buffer_wire, ldns_rrsig2buffer_wire, ldns_rr_rdata2buffer_wire | ldns_pkt2str, ldns_rr2str, ldns_rdf2str, ldns_rr_list2str, ldns_key2str - lower level conversions
 ### /host2wire.h

 ### host2str.h
-ldns_rr2str, ldns_pkt2str, ldns_rdf2str, ldns_rr_list2str, ldns_key2str | ldns_rr_print, ldns_rdf_print, ldns_pkt_print, ldns_rr_list_print, ldns_resolver_print, ldns_zone_print
-ldns_rr_print, ldns_rdf_print, ldns_pkt_print, ldns_rr_list_print, ldns_resolver_print, ldns_zone_print | ldns_rr2str, ldns_rdf2str, ldns_pkt2str, ldns_rr_list2str, ldns_key2str
+ldns_rr2str, ldns_pkt2str, ldns_rdf2str, ldns_rr_list2str, ldns_key2str | ldns_rr_print, ldns_rdf_print, ldns_pkt_print, ldns_rr_list_print, ldns_resolver_print, ldns_zone_print - functions for conversions to string
 ### /host2str.h

 ### host2str.h
 # and even lower
-ldns_rdf2buffer_str_a, ldns_rdf2buffer_str_aaaa, ldns_rdf2buffer_str_str, ldns_rdf2buffer_str_b64, ldns_rdf2buffer_str_hex, ldns_rdf2buffer_str_type, ldns_rdf2buffer_str_class, ldns_rdf2buffer_str_alg, ldns_rdf2buffer_str_loc, ldns_rdf2buffer_str_unknown, ldns_rdf2buffer_str_nsap, ldns_rdf2buffer_str_wks, ldns_rdf2buffer_str_nsec, ldns_rdf2buffer_str_period, ldns_rdf2buffer_str_tsigtime, ldns_rdf2buffer_str_apl, ldns_rdf2buffer_str_int16_data, ldns_rdf2buffer_str_int16, ldns_rdf2buffer_str_ipseckey
+ldns_rdf2buffer_str_a, ldns_rdf2buffer_str_aaaa, ldns_rdf2buffer_str_str, ldns_rdf2buffer_str_b64, ldns_rdf2buffer_str_hex, ldns_rdf2buffer_str_type, ldns_rdf2buffer_str_class, ldns_rdf2buffer_str_alg, ldns_rdf2buffer_str_loc, ldns_rdf2buffer_str_unknown, ldns_rdf2buffer_str_nsap, ldns_rdf2buffer_str_wks, ldns_rdf2buffer_str_nsec, ldns_rdf2buffer_str_period, ldns_rdf2buffer_str_tsigtime, ldns_rdf2buffer_str_apl, ldns_rdf2buffer_str_int16_data, ldns_rdf2buffer_str_int16, ldns_rdf2buffer_str_ipseckey - lower level to string conversion functions
 ### /host2str.h

 ### wire2host.h
 # wirefunctions
-ldns_wire2rr, ldns_wire2pkt, ldns_wire2rdf, ldns_wire2dname | ldns_rr2wire, ldns_pkt2wire, ldns_rdf2wire, ldns_dname2wire
-ldns_buffer2pkt_wire
+ldns_wire2rr, ldns_wire2pkt, ldns_wire2rdf, ldns_wire2dname | ldns_rr2wire, ldns_pkt2wire, ldns_rdf2wire, ldns_dname2wire  -  convert from wire format to host type
+ldns_buffer2pkt_wire - convert buffer/wire format to ldns_pkt
 ### /wire2host.h

 ### dname.h
-ldns_dname_left_chop, ldns_dname_label_count | ldns_dname
-ldns_dname2canonical | ldns_dname
-ldns_dname_cat_clone, ldns_dname_cat | ldns_dname
-ldns_dname_new, ldns_dname_new_frm_str, ldns_dname_new_frm_data | ldns_dname, ldns_pkt_query_new_frm_str, ldns_rdf_new_frm_str, ldns_rr_new_frm_str
-ldns_dname_is_subdomain, ldns_dname_str_absolute, ldns_dname_label | ldns_dname
-ldns_dname_compare, ldns_dname_interval | ldns_dname_is_subdomain | ldns_dname
-ldns_dname | ldns_dname_left_chop, ldns_dname_label_count, ldns_dname2canonical, ldns_dname_cat, ldns_dname_cat_clone, ldns_dname_new, ldns_dname_new_frm_str, ldns_dname_new_frm_data, ldns_dname_is_subdomain, ldns_dname_str_absolute, ldns_dname_label, ldns_dname_compare, ldns_dname_interval
+ldns_dname_left_chop, ldns_dname_label_count - dname label functions
+ldns_dname2canonical - canonicalize dname
+ldns_dname_cat_clone, ldns_dname_cat - concatenate two dnames
+ldns_dname_new, ldns_dname_new_frm_str, ldns_dname_new_frm_data | ldns_pkt_query_new_frm_str, ldns_rdf_new_frm_str, ldns_rr_new_frm_str -  create a dname
+ldns_dname_is_subdomain, ldns_dname_str_absolute, ldns_dname_label - check properties of dnames
+ldns_dname_compare, ldns_dname_interval | ldns_dname_is_subdomain  - compare two dnames
 ### /dname.h

 ### dane.h
-ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate, ldns_dane_create_tlsa_rr | ldns_dane_verify, ldns_dane_verify_rr
-ldns_dane_verify, ldns_dane_verify_rr | ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate, ldns_dane_create_tlsa_rr
+ldns_dane_create_tlsa_rr, ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate | ldns_dane_verify, ldns_dane_verify_rr - TLSA RR creation functions
+ldns_dane_verify, ldns_dane_verify_rr | ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate, ldns_dane_create_tlsa_rr - TLSA RR verification functions
 ### /dane.h

 ### rdata.h
-ldns_rdf, ldns_rdf_type | ldns_rdf_set_size, ldns_rdf_set_type, ldns_rdf_set_data, ldns_rdf_size, ldns_rdf_get_type, ldns_rdf_data, ldns_rdf_compare, ldns_rdf_new, ldns_rdf_clone, ldns_rdf_new_frm_data, ldns_rdf_new_frm_str, ldns_rdf_new_frm_fp, ldns_rdf_free, ldns_rdf_deep_free, ldns_rdf_print, ldns_native2rdf_int8, ldns_native2rdf_int16, ldns_native2rdf_int32, ldns_native2rdf_int16_data, ldns_rdf2native_int8, ldns_rdf2native_int16, ldns_rdf2native_int32, ldns_rdf2native_sockaddr_storage, ldns_rdf2native_time_t, ldns_native2rdf_int8, ldns_native2rdf_int16, ldns_native2rdf_int32, ldns_native2rdf_int16_data, ldns_rdf2native_int8, ldns_rdf2native_int16, ldns_rdf2native_int32, ldns_rdf2native_sockaddr_storage, ldns_rdf2native_time_t, ldns_native2rdf_int8, ldns_native2rdf_int16, ldns_native2rdf_int32, ldns_native2rdf_int16_data, ldns_rdf2native_int8, ldns_rdf2native_int16, ldns_rdf2native_int32, ldns_rdf2native_sockaddr_storage, ldns_rdf2native_time_t
-ldns_rdf_set_size, ldns_rdf_set_type, ldns_rdf_set_data | ldns_rdf
-ldns_rdf_size, ldns_rdf_get_type, ldns_rdf_data, ldns_rdf_compare | ldns_rdf
-ldns_rdf_new, ldns_rdf_clone, ldns_rdf_new_frm_data, ldns_rdf_new_frm_str, ldns_rdf_new_frm_fp, ldns_rdf_free, ldns_rdf_deep_free, ldns_rdf_print | ldns_rdf
-ldns_native2rdf_int8, ldns_native2rdf_int16, ldns_native2rdf_int32, ldns_native2rdf_int16_data, ldns_rdf2native_int8, ldns_rdf2native_int16, ldns_rdf2native_int32, ldns_rdf2native_sockaddr_storage, ldns_rdf2native_time_t | ldns_rdf
-ldns_rdf_address_reverse | ldns_rdf
-ldns_octet | ldns_rdf
+ldns_rdf, ldns_rdf_type | ldns_rdf_set_size, ldns_rdf_set_type, ldns_rdf_set_data, ldns_rdf_size, ldns_rdf_get_type, ldns_rdf_data, ldns_rdf_compare, ldns_rdf_new, ldns_rdf_clone, ldns_rdf_new_frm_data, ldns_rdf_new_frm_str, ldns_rdf_new_frm_fp, ldns_rdf_free, ldns_rdf_deep_free, ldns_rdf_print, ldns_native2rdf_int8, ldns_native2rdf_int16, ldns_native2rdf_int32, ldns_native2rdf_int16_data, ldns_rdf2native_int8, ldns_rdf2native_int16, ldns_rdf2native_int32, ldns_rdf2native_sockaddr_storage, ldns_rdf2native_time_t, ldns_native2rdf_int8, ldns_native2rdf_int16, ldns_native2rdf_int32, ldns_native2rdf_int16_data, ldns_rdf2native_int8, ldns_rdf2native_int16, ldns_rdf2native_int32, ldns_rdf2native_sockaddr_storage, ldns_rdf2native_time_t, ldns_native2rdf_int8, ldns_native2rdf_int16, ldns_native2rdf_int32, ldns_native2rdf_int16_data, ldns_rdf2native_int8, ldns_rdf2native_int16, ldns_rdf2native_int32, ldns_rdf2native_sockaddr_storage, ldns_rdf2native_time_t - rdata field type
+ldns_rdf_set_size, ldns_rdf_set_type, ldns_rdf_set_data | ldns_rdf - set rdf attributes
+ldns_rdf_size, ldns_rdf_get_type, ldns_rdf_data, ldns_rdf_compare | ldns_rdf - get rdf attributes
+ldns_rdf_new, ldns_rdf_clone, ldns_rdf_new_frm_data, ldns_rdf_new_frm_str, ldns_rdf_new_frm_fp, ldns_rdf_free, ldns_rdf_deep_free, ldns_rdf_print | ldns_rdf - ldns_rdf creation, destruction and printing
+ldns_native2rdf_int8, ldns_native2rdf_int16, ldns_native2rdf_int32, ldns_native2rdf_int16_data, ldns_rdf2native_int8, ldns_rdf2native_int16, ldns_rdf2native_int32, ldns_rdf2native_sockaddr_storage, ldns_rdf2native_time_t | ldns_rdf - rdf numeric converion functions
+ldns_rdf_address_reverse | ldns_rdf - reverse an address rdf
+ldns_octet | ldns_rdf - removes escaped from the input
 # why is this in rdata.h?
-ldns_str2period
+ldns_str2period - converts a ttl value (like 5d2h) to a long
 ### /rdata.h

 ### higher.h
-ldns_get_rr_list_addr_by_name, ldns_get_rr_list_name_by_addr | ldns_rr_list, ldns_rr
-ldns_get_rr_list_hosts_frm_fp, ldns_get_rr_list_hosts_frm_file | ldns_rr_list, ldns_rr, ldns_get_rr_list_hosts_frm_fp_l
-ldns_get_rr_list_hosts_frm_fp_l | ldns_rr_list
-ldns_getaddrinfo
+ldns_get_rr_list_addr_by_name, ldns_get_rr_list_name_by_addr | ldns_rr_list, ldns_rr - get addresses by name or names by address
+ldns_get_rr_list_hosts_frm_file, ldns_get_rr_list_hosts_frm_fp, ldns_get_rr_list_hosts_frm_fp_l | ldns_rr_list, ldns_rr - parse /etc/hosts file
+ldns_getaddrinfo - mimic libc getaddrinfo
 ### /higher.h

 #
 ### dnssec.h
 #
-ldns_calc_keytag, ldns_verify, ldns_verify_rrsig, ldns_verify_rrsig_dsa, ldns_verify_rrsig_rsasha1, ldns_verify_rrsig_rsamd5, ldns_key_rr2ds, ldns_key_buf2dsa, ldns_key_buf2rsa | ldns_key, ldns_sign_public, ldns_zone_sign, ldns_verify, ldns_verify_rrsig
-
 # algs
-ldns_verify_rrsig_dsa, ldns_verify_rrsig_rsasha1, ldns_verify_rrsig_rsamd5 | ldns_key, ldns_sign_public, ldns_zone_sign, ldns_verify, ldns_verify_rrsig
+ldns_verify_rrsig_dsa, ldns_verify_rrsig_rsasha1, ldns_verify_rrsig_rsamd5 | ldns_key, ldns_sign_public, ldns_zone_sign, ldns_verify, ldns_verify_rrsig - verify signature data buffers

 # tsig
-ldns_pkt_tsig_verify, ldns_pkt_tsig_sign | ldns_key
+ldns_pkt_tsig_verify, ldns_pkt_tsig_sign | ldns_key - tsig signing and verification

 # verify
-ldns_verify, ldns_verify_rrsig, ldns_verify_rrsig_keylist, ldns_verify_rrsig_keylist_notime, ldns_verify_notime | ldns_verify_rrsig_evp | ldns_verify_rrsig_dsa, ldns_verify_rrsig_rsasha1, ldns_verify_rrsig_rsamd5, ldns_sign_public, ldns_zone_sign, ldns_key
+ldns_verify, ldns_verify_rrsig, ldns_verify_rrsig_keylist, ldns_verify_rrsig_keylist_notime, ldns_verify_notime | ldns_verify_rrsig_evp | ldns_verify_rrsig_dsa, ldns_verify_rrsig_rsasha1, ldns_verify_rrsig_rsamd5, ldns_sign_public, ldns_zone_sign, ldns_key - verify rrsigs

 # convert
-ldns_key_buf2dsa, ldns_key_buf2rsa | ldns_key_rr2ds
-ldns_key_rr2ds | ldns_key
-ldns_create_nsec | ldns_sign_public
+ldns_key_buf2dsa, ldns_key_buf2rsa | ldns_key_rr2ds - convert buffer to openssl key
+ldns_key_rr2ds | ldns_key - create DS rr from DNSKEY rr
+ldns_create_nsec | ldns_sign_public - Create a NSEC record

 # signing
-ldns_sign_public | ldns_sign_public_dsa, ldns_sign_public_rsamd5, ldns_sign_public_rsasha1, ldns_verify, ldns_verify_rrsig, ldns_key
-ldns_sign_public_dsa, ldns_sign_public_rsamd5, ldns_sign_public_rsasha1 | ldns_sign_public
-ldns_dnssec_zone_sign, ldns_dnssec_zone_sign_nsec3 | ldns_zone_sign, ldns_zone_sign_nsec3 | ldns_sign_public, ldns_key, ldns_init_random
-ldns_init_random | ldns_sign_public, ldns_key
-ldns_pkt_verify | ldns_verify, ldns_sign_public, ldns_zone_sign
+ldns_sign_public | ldns_sign_public_dsa, ldns_sign_public_rsamd5, ldns_sign_public_rsasha1, ldns_verify, ldns_verify_rrsig, ldns_key - sign an rrset
+ldns_sign_public_dsa, ldns_sign_public_rsamd5, ldns_sign_public_rsasha1 | ldns_sign_public - sign buffer
+ldns_init_random | ldns_sign_public, ldns_key - seed the random function
+ldns_pkt_verify | ldns_verify, ldns_sign_public, ldns_zone_sign - verify a packet
+ldns_zone_sign, ldns_zone_sign_nsec3 - dnssec sign a zone

 # new family of dnssec functions
-ldns_dnssec_zone, ldns_dnssec_name, ldns_dnssec_rrs, ldns_dnssec_rrsets | ldns_dnssec_zone_new, ldns_dnssec_name_new, ldns_dnssec_rrs_new, ldns_dnssec_rrsets_new
-ldns_dnssec_zone_find_rrset, ldns_dnssec_zone_new, ldns_dnssec_zone_free, ldns_dnssec_zone_add_rr, ldns_dnssec_zone_names_print, ldns_dnssec_zone_print, ldns_dnssec_zone_add_empty_nonterminals | ldns_dnssec_zone
-ldns_dnssec_name_new, ldns_dnssec_name_new_frm_rr, ldns_dnssec_name_free, ldns_dnssec_name_name, ldns_dnssec_name_set_name, ldns_dnssec_name_set_nsec, ldns_dnssec_name_cmp, ldns_dnssec_name_add_rr, ldns_dnssec_name_find_rrset, ldns_dnssec_name_print | ldns_dnssec_zone
-ldns_dnssec_rrsets_new, ldns_dnssec_rrsets_free, ldns_dnssec_rrsets_type, ldns_dnssec_rrsets_set_type, ldns_dnssec_rrsets_add_rr, ldns_dnssec_rrsets_print | ldns_dnssec_zone
-ldns_dnssec_rrs_new, ldns_dnssec_rrs_free, ldns_dnssec_rrs_add_rr, ldns_dnssec_rrs_print | ldns_dnssec_zone
+ldns_dnssec_zone, ldns_dnssec_name, ldns_dnssec_rrs, ldns_dnssec_rrsets | ldns_dnssec_zone_new, ldns_dnssec_name_new, ldns_dnssec_rrs_new, ldns_dnssec_rrsets_new - data structures
+ldns_dnssec_zone_find_rrset, ldns_dnssec_zone_new, ldns_dnssec_zone_free, ldns_dnssec_zone_add_rr, ldns_dnssec_zone_names_print, ldns_dnssec_zone_print, ldns_dnssec_zone_add_empty_nonterminals | ldns_dnssec_zone - functions for ldns_dnssec_zone
+ldns_dnssec_name_new, ldns_dnssec_name_new_frm_rr, ldns_dnssec_name_free, ldns_dnssec_name_name, ldns_dnssec_name_set_name, ldns_dnssec_name_set_nsec, ldns_dnssec_name_cmp, ldns_dnssec_name_add_rr, ldns_dnssec_name_find_rrset, ldns_dnssec_name_print | ldns_dnssec_zone - functions for ldns_dnssec_name
+ldns_dnssec_rrsets_new, ldns_dnssec_rrsets_free, ldns_dnssec_rrsets_type, ldns_dnssec_rrsets_set_type, ldns_dnssec_rrsets_add_rr, ldns_dnssec_rrsets_print | ldns_dnssec_zone - functions for ldns_dnssec_rrsets
+ldns_dnssec_rrs_new, ldns_dnssec_rrs_free, ldns_dnssec_rrs_add_rr, ldns_dnssec_rrs_print | ldns_dnssec_zone - functions for ldns_dnssec-rrs

 # verification
-ldns_dnssec_data_chain, ldns_dnssec_data_chain_struct, ldns_dnssec_trust_tree | ldns_dnssec_data_chain_new, ldns_dnssec_trust_tree_new, ldns_dnssec_verify_denial
-ldns_dnssec_data_chain_new, ldns_dnssec_data_chain_free, ldns_dnssec_data_chain_deep_free, ldns_dnssec_build_data_chain, ldns_dnssec_data_chain_print | ldns_dnssec_data_chain
-ldns_dnssec_trust_tree_new, ldns_dnssec_trust_tree_free, ldns_dnssec_trust_tree_depth, ldns_dnssec_derive_trust_tree, ldns_dnssec_trust_tree_contains_keys, ldns_dnssec_trust_tree_print, ldns_dnssec_trust_tree_print_sm, ldns_dnssec_trust_tree_add_parent, ldns_dnssec_derive_trust_tree_normal_rrset, ldns_dnssec_derive_trust_tree_dnskey_rrset, ldns_dnssec_derive_trust_tree_ds_rrset, ldns_dnssec_derive_trust_tree_no_sig | ldns_dnssec_data_chain, ldns_dnssec_trust_tree
-ldns_dnssec_verify_denial, ldns_dnssec_verify_denial_nsec3 | ldns_dnssec_trust_tree, ldns_dnssec_data_chain
+ldns_dnssec_data_chain, ldns_dnssec_data_chain_struct, ldns_dnssec_trust_tree | ldns_dnssec_data_chain_new, ldns_dnssec_trust_tree_new, ldns_dnssec_verify_denial - data structures for validation chains
+ldns_dnssec_data_chain_new, ldns_dnssec_data_chain_free, ldns_dnssec_data_chain_deep_free, ldns_dnssec_build_data_chain, ldns_dnssec_data_chain_print | ldns_dnssec_data_chain - ldns_chain creation, destruction and printing
+ldns_dnssec_trust_tree_new, ldns_dnssec_trust_tree_free, ldns_dnssec_trust_tree_depth, ldns_dnssec_derive_trust_tree, ldns_dnssec_trust_tree_contains_keys, ldns_dnssec_trust_tree_print, ldns_dnssec_trust_tree_print_sm, ldns_dnssec_trust_tree_add_parent, ldns_dnssec_derive_trust_tree_normal_rrset, ldns_dnssec_derive_trust_tree_dnskey_rrset, ldns_dnssec_derive_trust_tree_ds_rrset, ldns_dnssec_derive_trust_tree_no_sig | ldns_dnssec_data_chain, ldns_dnssec_trust_tree - functions for ldns_dnssec_trust_tree
+ldns_dnssec_verify_denial, ldns_dnssec_verify_denial_nsec3 | ldns_dnssec_trust_tree, ldns_dnssec_data_chain - verify denial of existence

 # new signing functions
-ldns_dnssec_zone_sign, ldns_dnssec_zone_sign_nsec3, ldns_dnssec_zone_mark_glue, ldns_dnssec_name_node_next_nonglue, ldns_dnssec_zone_create_nsecs, ldns_dnssec_remove_signatures, ldns_dnssec_zone_create_rrsigs | ldns_dnssec_zone
+ldns_dnssec_zone_sign, ldns_dnssec_zone_sign_nsec3, ldns_dnssec_zone_mark_glue, ldns_dnssec_name_node_next_nonglue, ldns_dnssec_zone_create_nsecs, ldns_dnssec_remove_signatures, ldns_dnssec_zone_create_rrsigs | ldns_dnssec_zone - sign ldns_dnssec_zone

 ### /dnssec.h

 ### dnskey.h
-ldns_key_new | ldns_key, ldns_key_list_new
-ldns_key_new_frm_algorithm, ldns_key_new_frm_fp, ldns_key_new_frm_fp_l | ldns_key
-ldns_key_new_frm_fp_rsa, ldns_key_new_frm_fp_rsa_l | ldns_key_new_frm_fp, ldns_key
-ldns_key_new_frm_fp_dsa, ldns_key_new_frm_fp_dsa_l | ldns_key_new_frm_fp, ldns_key
-ldns_key_list_new | ldns_key_new, ldns_key
+ldns_key_new, ldns_key_new_frm_algorithm, ldns_key_new_frm_fp, ldns_key_new_frm_fp_l, ldns_key_new_frm_fp_rsa, ldns_key_new_frm_fp_rsa_l, ldns_key_new_frm_fp_dsa, ldns_key_new_frm_fp_dsa_l | ldns_key - create a ldns_key
+ldns_key_list_new  - create a ldns_key_list
 # access, write
-ldns_key_set_algorithm, ldns_key_set_rsa_key, ldns_key_set_dsa_key, ldns_key_set_hmac_key, ldns_key_set_origttl, ldns_key_set_inception, ldns_key_set_expiration, ldns_key_set_pubkey_owner, ldns_key_set_keytag, ldns_key_set_flags, ldns_key_list_set_key_count, ldns_key_algo_supported | ldns_key_push_key, ldns_key
-ldns_key_list_push_key | ldns_key_list_pop_key, ldns_key
-ldns_key_list_pop_key | ldns_key_list_push_key, ldns_key
+ldns_key_set_algorithm, ldns_key_set_rsa_key, ldns_key_set_dsa_key, ldns_key_set_hmac_key, ldns_key_set_origttl, ldns_key_set_inception, ldns_key_set_expiration, ldns_key_set_pubkey_owner, ldns_key_set_keytag, ldns_key_set_flags, ldns_key_list_set_key_count, ldns_key_algo_supported | ldns_key_push_key, ldns_key - set ldns_key attributes
+ldns_key_list_push_key, ldns_key_list_pop_key | ldns_key - manipulate ldns_key_list
 # access, read
-ldns_key_list_key_count, ldns_key_list_key, ldns_key_rsa_key, ldns_key_dsa_key, ldns_key_algorithm, ldns_key_hmac_key, ldns_key_origttl, ldns_key_inception, ldns_key_expiration, ldns_key_keytag, ldns_key_pubkey_owner, ldns_key_flags | ldns_key
+ldns_key_list_key_count, ldns_key_list_key, ldns_key_rsa_key, ldns_key_dsa_key, ldns_key_algorithm, ldns_key_hmac_key, ldns_key_origttl, ldns_key_inception, ldns_key_expiration, ldns_key_keytag, ldns_key_pubkey_owner, ldns_key_flags | ldns_key - read ldns_keys
 # convert
-ldns_key2rr | ldns_key
-ldns_key_free, ldns_key_deep_free, ldns_key_list_free | ldns_key
+ldns_key2rr | ldns_key - convert ldns_key to rr
+ldns_key_free, ldns_key_deep_free, ldns_key_list_free | ldns_key - free a ldns_key
 #
-ldns_key_print | ldns_key_new, ldns_key
-ldns_key | ldns_key_new, ldns_key_new_frm_algorithm,ldns_key_new_frm_fp,ldns_key_new_frm_fp_l, ldns_key_new_frm_fp_rsa, ldns_key_new_frm_fp_rsa_l, ldns_key_new_frm_fp_dsa, ldns_key_new_frm_fp_dsa_l, ldns_key_list_new, ldns_key_set_algorithm, ldns_key_set_rsa_key, ldns_key_set_dsa_key, ldns_key_set_hmac_key, ldns_key_set_origttl, ldns_key_set_inception, ldns_key_set_expiration, ldns_key_set_pubkey_owner, ldns_key_set_keytag, ldns_key_set_flags, ldns_key_list_set_key_count, ldns_key_list_push_key, ldns_key_list_pop_key, ldns_key_list_key_count, ldns_key_list_key, ldns_key_rsa_key, ldns_key_dsa_key, ldns_key_algorithm, ldns_key_hmac_key, ldns_key_origttl, ldns_key_inception, ldns_key_expiration, ldns_key_keytag, ldns_key_pubkey_owner, ldns_key_flags, ldns_key2rr, ldns_key_free, ldns_key_deep_free, ldns_key_list_free, ldns_key_print
+ldns_key_print | ldns_key_new, ldns_key - print a ldns_key
+ldns_calc_keytag, ldns_calc_keytag_raw | ldns_key - calculate ldns keytag
+ldns_key | ldns_key_new, ldns_key_new_frm_algorithm,ldns_key_new_frm_fp,ldns_key_new_frm_fp_l, ldns_key_new_frm_fp_rsa, ldns_key_new_frm_fp_rsa_l, ldns_key_new_frm_fp_dsa, ldns_key_new_frm_fp_dsa_l, ldns_key_list_new, ldns_key_set_algorithm, ldns_key_set_rsa_key, ldns_key_set_dsa_key, ldns_key_set_hmac_key, ldns_key_set_origttl, ldns_key_set_inception, ldns_key_set_expiration, ldns_key_set_pubkey_owner, ldns_key_set_keytag, ldns_key_set_flags, ldns_key_list_set_key_count, ldns_key_list_push_key, ldns_key_list_pop_key, ldns_key_list_key_count, ldns_key_list_key, ldns_key_rsa_key, ldns_key_dsa_key, ldns_key_algorithm, ldns_key_hmac_key, ldns_key_origttl, ldns_key_inception, ldns_key_expiration, ldns_key_keytag, ldns_key_pubkey_owner, ldns_key_flags, ldns_key2rr, ldns_key_free, ldns_key_deep_free, ldns_key_list_free, ldns_key_print - ldns_key data structure
 ### /dnskey.h

 ### MIEK TOT HIER TOT HIER

-#	lists
-ldns_key_list_new, ldns_key_list_push_key, ldns_key_list_pop_key, ldns_key_list_key_count, ldns_key_list_key | ldns_key_list, ldns_key
-ldns_key_rsa_key, ldns_key_dsa_key, ldns_key_algorithm, ldns_key_hmac_key | ldns_key_list, ldns_key
-
-#	gets/sets
-ldns_key_origttl, ldns_key_inception, ldns_key_expiration, ldns_key_keytag, ldns_key_pubkey_owner, ldns_key_flags | ldns_key
-ldns_key_set_algorithm, ldns_key_set_rsa_key, ldns_key_set_dsa_key, ldns_key_set_hmac_key, ldns_key_set_origttl, ldns_key_set_inception, ldns_key_set_expiration, ldns_key_set_pubkey_owner, ldns_key_set_keytag, ldns_key_set_flags, ldns_key_list_set_key_count | ldns_key
-
 # errr.h
-ldns_get_errorstr_by_id | ldns_status
-ldns_status | ldns_get_errorstr_by_id
+ldns_get_errorstr_by_id, ldns_status - errors

 ### net.h
-ldns_send | ldns_pkt, ldns_resolver
-ldns_tcp_send_query, ldns_tcp_read_wire, ldns_tcp_connect | ldns_send, ldns_pkt, ldns_resolver
+ldns_send | ldns_pkt, ldns_resolver - send a packet
+ldns_tcp_send_query, ldns_tcp_read_wire, ldns_tcp_connect | ldns_send, ldns_pkt, ldns_resolver - tcp queries
 ### /net.h

 ### buffer.h
 # general
-ldns_buffer | ldns_buffer_new, ldns_buffer_new_frm_data, ldns_buffer_clear, ldns_buffer_printf, ldns_buffer_free, ldns_buffer_export, ldns_buffer_flip, ldns_buffer_rewind, ldns_buffer_position, ldns_buffer_set_position, ldns_buffer_skip, ldns_buffer_limit, ldns_buffer_set_limit, ldns_buffer_capacity, ldns_buffer_set_capacity, ldns_buffer_reserve, ldns_buffer_at, ldns_buffer_begin, ldns_buffer_end, ldns_buffer_current, ldns_buffer_remaining_at, ldns_buffer_remaining, ldns_buffer_available_at, ldns_buffer_available, ldns_buffer_status, ldns_buffer_status_ok, ldns_buffer_write_at, ldns_buffer_write_at, ldns_buffer_write, ldns_buffer_write_string_at, ldns_buffer_write_string, ldns_buffer_write_u8_at, ldns_buffer_write_u8, ldns_buffer_write_u16_at, ldns_buffer_write_u16, ldns_buffer_read_at, ldns_buffer_read, ldns_buffer_read_u8_at, ldns_buffer_read_u8, ldns_buffer_read_u16_at, ldns_buffer_read_u16, ldns_buffer_read_u32_at, ldns_buffer_read_u32
-ldns_buffer_new, ldns_buffer_new_frm_data, ldns_buffer_clear, ldns_buffer_printf, ldns_buffer_free, ldns_buffer_export | ldns_buffer
+ldns_buffer, ldns_buffer_new, ldns_buffer_new_frm_data, ldns_buffer_clear, ldns_buffer_printf, ldns_buffer_free, ldns_buffer_copy, ldns_buffer_export, ldns_buffer_export2str, ldns_buffer2str | ldns_buffer_flip, ldns_buffer_rewind, ldns_buffer_position, ldns_buffer_set_position, ldns_buffer_skip, ldns_buffer_limit, ldns_buffer_set_limit, ldns_buffer_capacity, ldns_buffer_set_capacity, ldns_buffer_reserve, ldns_buffer_at, ldns_buffer_begin, ldns_buffer_end, ldns_buffer_current, ldns_buffer_remaining_at, ldns_buffer_remaining, ldns_buffer_available_at, ldns_buffer_available, ldns_buffer_status, ldns_buffer_status_ok, ldns_buffer_write_at, ldns_buffer_write, ldns_buffer_write_string_at, ldns_buffer_write_string, ldns_buffer_write_u8_at, ldns_buffer_write_u8, ldns_buffer_write_u16_at, ldns_buffer_write_u16, ldns_buffer_read_at, ldns_buffer_read, ldns_buffer_read_u8_at, ldns_buffer_read_u8, ldns_buffer_read_u16_at, ldns_buffer_read_u16, ldns_buffer_read_u32_at, ldns_buffer_read_u32, ldns_buffer_write_u32, ldns_buffer_write_u32_at - buffers
 # position
-ldns_buffer_flip, ldns_buffer_rewind, ldns_buffer_position, ldns_buffer_set_position, ldns_buffer_skip | ldns_buffer
+ldns_buffer_flip, ldns_buffer_rewind, ldns_buffer_position, ldns_buffer_set_position, ldns_buffer_skip | ldns_buffer - buffer positioning
 # values and pointers
-ldns_buffer_limit, ldns_buffer_set_limit, ldns_buffer_capacity, ldns_buffer_set_capacity, ldns_buffer_reserve, ldns_buffer_at, ldns_buffer_begin, ldns_buffer_end, ldns_buffer_current | ldns_buffer
+ldns_buffer_limit, ldns_buffer_set_limit, ldns_buffer_capacity, ldns_buffer_set_capacity, ldns_buffer_reserve, ldns_buffer_at, ldns_buffer_begin, ldns_buffer_end, ldns_buffer_current | ldns_buffer - buffer limits and pointers
 # info
-ldns_buffer_remaining_at, ldns_buffer_remaining, ldns_buffer_available_at, ldns_buffer_available, ldns_buffer_status, ldns_buffer_status_ok | ldns_buffer
+ldns_buffer_remaining_at, ldns_buffer_remaining, ldns_buffer_available_at, ldns_buffer_available, ldns_buffer_status, ldns_buffer_status_ok | ldns_buffer - check buffer status
 # read and write
-ldns_buffer_write_at, ldns_buffer_write_at, ldns_buffer_write, ldns_buffer_write_string_at, ldns_buffer_write_string, ldns_buffer_write_u8_at, ldns_buffer_write_u8, ldns_buffer_write_u16_at, ldns_buffer_write_u16, ldns_buffer_read_at, ldns_buffer_read, ldns_buffer_read_u8_at, ldns_buffer_read_u8, ldns_buffer_read_u16_at, ldns_buffer_read_u16, ldns_buffer_read_u32_at, ldns_buffer_read_u32 | ldns_buffer
+ldns_buffer_write_at, ldns_buffer_write, ldns_buffer_write_string_at, ldns_buffer_write_string, ldns_buffer_write_u8_at, ldns_buffer_write_u8, ldns_buffer_write_u16_at, ldns_buffer_write_u16, ldns_buffer_read_at, ldns_buffer_read, ldns_buffer_read_u8_at, ldns_buffer_read_u8, ldns_buffer_read_u16_at, ldns_buffer_read_u16, ldns_buffer_read_u32_at, ldns_buffer_read_u32, ldns_buffer_write_u32, ldns_buffer_write_u32_at | ldns_buffer - reading and writing buffers
 ### /buffer.h

 # parse.h
-ldns_bget_token, ldns_bgetc, ldns_bskipcs | ldns_buffer
-ldns_fget_token, ldns_fskipcs | ldns_buffer
-ldns_str_remove_comment
-
+ldns_bget_token, ldns_bgetc, ldns_bskipcs | ldns_buffer - get tokens from buffers
+ldns_fget_token, ldns_fskipcs | ldns_buffer - get tokens from files

 # rr.h and other general rr funcs
-ldns_rr, ldns_rr_class, ldns_rr_type, ldns_rr_compress, ldns_rr_list | ldns_rr_new, ldns_rr_new_frm_type, ldns_rr_new_frm_str, ldns_rr_new_frm_fp, ldns_rr_free, ldns_rr_print, ldns_rr_set_owner, ldns_rr_set_ttl, ldns_rr_set_type, ldns_rr_set_rd_count, ldns_rr_set_class, ldns_rr_set_rdf, ldns_rr_push_rdf, ldns_rr_pop_rdf, ldns_rr_rdf, ldns_rr_owner, ldns_rr_rd_count, ldns_rr_ttl, ldns_rr_get_class, ldns_rr_list_rr_count, ldns_rr_list_set_rr_count, ldns_rr_list_new, ldns_rr_list_free, ldns_rr_list_cat, ldns_rr_list_push_rr, ldns_rr_list_pop_rr, ldns_is_rrset, ldns_rr_set_push_rr, ldns_rr_set_pop_rr, ldns_get_rr_class_by_name, ldns_get_rr_type_by_name, ldns_rr_list_clone, ldns_rr_list_sort, ldns_rr_compare, ldns_rr_compare_ds, ldns_rr_uncompressed_size, ldns_rr2canonical, ldns_rr_label_count, ldns_is_rrset, ldns_rr_descriptor, ldns_rr_descript
-ldns_rr_new, ldns_rr_new_frm_type, ldns_rr_new_frm_str, ldns_rr_new_frm_fp, ldns_rr_free, ldns_rr_print | ldns_rr, ldns_rr_list
-ldns_rr_set_owner, ldns_rr_set_ttl, ldns_rr_set_type, ldns_rr_set_rd_count, ldns_rr_set_class, ldns_rr_set_rdf | ldns_rr, ldns_rr_list
-ldns_rr_push_rdf, ldns_rr_pop_rdf | ldns_rr, ldns_rr_list
-ldns_rr_rdf, ldns_rr_owner, ldns_rr_rd_count, ldns_rr_ttl, ldns_rr_get_class | ldns_rr, ldns_rr_list
-ldns_rr_list_rr_count, ldns_rr_list_set_rr_count | ldns_rr, ldns_rr_list
-ldns_rr_list_new, ldns_rr_list_free | ldns_rr, ldns_rr_list
-ldns_rr_list_cat, ldns_rr_list_push_rr, ldns_rr_list_pop_rr | ldns_rr, ldns_rr_list
-ldns_is_rrset | ldns_rr, ldns_rr_list
-ldns_rr_set_push_rr, ldns_rr_set_pop_rr | ldns_rr, ldns_rr_list
-ldns_get_rr_class_by_name, ldns_get_rr_type_by_name | ldns_rr, ldns_rr_list
-ldns_rr_list_clone | ldns_rr, ldns_rr_list
-ldns_rr_list_sort | ldns_rr, ldns_rr_list
-ldns_rr_compare, ldns_rr_compare_ds | ldns_rr, ldns_rr_list
-ldns_rr_uncompressed_size | ldns_rr, ldns_rr_list
-ldns_rr2canonical | ldns_rr, ldns_rr_list
-ldns_rr_label_count | ldns_rr, ldns_rr_list
-ldns_is_rrset | ldns_rr
+ldns_rr, ldns_rr_class, ldns_rr_type, ldns_rr_compress, ldns_rr_list | ldns_rr_new, ldns_rr_new_frm_type, ldns_rr_new_frm_str, ldns_rr_new_frm_fp, ldns_rr_free, ldns_rr_print, ldns_rr_set_owner, ldns_rr_set_ttl, ldns_rr_set_type, ldns_rr_set_rd_count, ldns_rr_set_class, ldns_rr_set_rdf, ldns_rr_push_rdf, ldns_rr_pop_rdf, ldns_rr_rdf, ldns_rr_owner, ldns_rr_rd_count, ldns_rr_ttl, ldns_rr_get_class, ldns_rr_list_rr_count, ldns_rr_list_set_rr_count, ldns_rr_list_new, ldns_rr_list_free, ldns_rr_list_cat, ldns_rr_list_push_rr, ldns_rr_list_pop_rr, ldns_is_rrset, ldns_rr_set_push_rr, ldns_rr_set_pop_rr, ldns_get_rr_class_by_name, ldns_get_rr_type_by_name, ldns_rr_list_clone, ldns_rr_list_sort, ldns_rr_compare, ldns_rr_compare_ds, ldns_rr_uncompressed_size, ldns_rr2canonical, ldns_rr_label_count, ldns_is_rrset, ldns_rr_descriptor, ldns_rr_descript - types representing dns resource records
+ldns_rr_new, ldns_rr_new_frm_type, ldns_rr_new_frm_str, ldns_rr_new_frm_fp, ldns_rr_free, ldns_rr_print | ldns_rr, ldns_rr_list - ldns_rr creation, destruction and printing
+ldns_rr_set_owner, ldns_rr_set_ttl, ldns_rr_set_type, ldns_rr_set_rd_count, ldns_rr_set_class, ldns_rr_set_rdf | ldns_rr, ldns_rr_list - set ldns_rr attributes
+ldns_rr_push_rdf, ldns_rr_pop_rdf | ldns_rr, ldns_rr_list - push and pop rdata fields
+ldns_rr_rdf, ldns_rr_owner, ldns_rr_rd_count, ldns_rr_ttl, ldns_rr_get_class | ldns_rr, ldns_rr_list - access rdata fields on ldns_rr
+ldns_rr_list_rr_count, ldns_rr_list_set_rr_count | ldns_rr, ldns_rr_list - get and set ldns_rr_list length
+ldns_rr_list_new, ldns_rr_list_free | ldns_rr, ldns_rr_list - ldns_rr_list creation and destruction
+ldns_rr_list_cat, ldns_rr_list_push_rr, ldns_rr_list_pop_rr | ldns_rr, ldns_rr_list - ldns_rr_list manipulation
+ldns_is_rrset | ldns_rr, ldns_rr_list - is rr_list a rrset
+ldns_rr_set_push_rr, ldns_rr_set_pop_rr | ldns_rr, ldns_rr_list - push and pop rr on a rrset
+ldns_get_rr_class_by_name, ldns_get_rr_type_by_name | ldns_rr, ldns_rr_list - lookup class or type by name
+ldns_rr_list_clone | ldns_rr, ldns_rr_list - clone a ldns_rr_list
+ldns_rr_list_sort | ldns_rr, ldns_rr_list - sort a ldns_rr_list
+ldns_rr_compare, ldns_rr_compare_ds | ldns_rr, ldns_rr_list - compare a ldns_rr
+ldns_rr_uncompressed_size | ldns_rr, ldns_rr_list - calculates the uncompressed size of an RR
+ldns_rr2canonical | ldns_rr, ldns_rr_list - canonicalize a RR
+ldns_rr_label_count | ldns_rr, ldns_rr_list - return ownername label count

 # rr descriptors
-ldns_rr_descriptor, ldns_rr_descript, ldns_rr_descriptor_minimum, ldns_rr_descriptor_maximum, ldns_rr_descriptor_field_type | ldns_rr, ldns_rdf
+ldns_rr_descriptor, ldns_rr_descript, ldns_rr_descriptor_minimum, ldns_rr_descriptor_maximum, ldns_rr_descriptor_field_type | ldns_rr, ldns_rdf - rdata field descriptors

 # packet.h
-ldns_pkt, ldns_pkt_section, ldns_pkt_type | ldns_pkt_new, ldns_pkt_free, ldns_pkt_print, ldns_pkt_query_new, ldns_pkt_query_new_frm_str, ldns_pkt_reply_type, ldns_pkt_id, ldns_pkt_qr, ldns_pkt_aa, ldns_pkt_tc, ldns_pkt_rd, ldns_pkt_cd, ldns_pkt_ra, ldns_pkt_ad, ldns_pkt_get_opcode, ldns_pkt_get_rcode, ldns_pkt_qdcount, ldns_pkt_ancount, ldns_pkt_nscount, ldns_pkt_arcount, ldns_pkt_answerfrom, ldns_pkt_querytime, ldns_pkt_size, ldns_pkt_tsig, ldns_pkt_question, ldns_pkt_answer, ldns_pkt_authority, ldns_pkt_additional, ldns_pkt_get_section_clone, ldns_pkt_rr_list_by_name, ldns_pkt_rr_list_by_type, ldns_pkt_rr_list_by_name_and_type, ldns_pkt_set_flags, ldns_pkt_set_id, ldns_pkt_set_qr, ldns_pkt_set_aa, ldns_pkt_set_tc, ldns_pkt_set_rd, ldns_pkt_set_cd, ldns_pkt_set_ra, ldns_pkt_set_ad, ldns_pkt_set_opcode, ldns_pkt_set_rcode, ldns_pkt_set_qdcount, ldns_pkt_set_ancount, ldns_pkt_set_nscount, ldns_pkt_set_arcount, ldns_pkt_set_answerfrom, ldns_pkt_set_querytime, ldns_pkt_set_size, ldns_pkt_set_section_count, ldns_pkt_set_tsig, ldns_pkt_edns, ldns_pkt_edns_udp_size, ldns_pkt_edns_extended_rcode, ldns_pkt_edns_version, ldns_pkt_edns_z, ldns_pkt_edns_data, ldns_pkt_set_edns_udp_size, ldns_pkt_set_edns_extended_rcode, ldns_pkt_set_edns_version, ldns_pkt_set_edns_z, ldns_pkt_set_edns_data
+ldns_pkt, ldns_pkt_section, ldns_pkt_type | ldns_pkt_new, ldns_pkt_free, ldns_pkt_print, ldns_pkt_query_new, ldns_pkt_query_new_frm_str, ldns_pkt_reply_type, ldns_pkt_id, ldns_pkt_qr, ldns_pkt_aa, ldns_pkt_tc, ldns_pkt_rd, ldns_pkt_cd, ldns_pkt_ra, ldns_pkt_ad, ldns_pkt_get_opcode, ldns_pkt_get_rcode, ldns_pkt_qdcount, ldns_pkt_ancount, ldns_pkt_nscount, ldns_pkt_arcount, ldns_pkt_answerfrom, ldns_pkt_querytime, ldns_pkt_size, ldns_pkt_tsig, ldns_pkt_question, ldns_pkt_answer, ldns_pkt_authority, ldns_pkt_additional, ldns_pkt_get_section_clone, ldns_pkt_rr_list_by_name, ldns_pkt_rr_list_by_type, ldns_pkt_rr_list_by_name_and_type, ldns_pkt_set_flags, ldns_pkt_set_id, ldns_pkt_set_qr, ldns_pkt_set_aa, ldns_pkt_set_tc, ldns_pkt_set_rd, ldns_pkt_set_cd, ldns_pkt_set_ra, ldns_pkt_set_ad, ldns_pkt_set_opcode, ldns_pkt_set_rcode, ldns_pkt_set_qdcount, ldns_pkt_set_ancount, ldns_pkt_set_nscount, ldns_pkt_set_arcount, ldns_pkt_set_answerfrom, ldns_pkt_set_querytime, ldns_pkt_set_size, ldns_pkt_set_section_count, ldns_pkt_set_tsig, ldns_pkt_edns, ldns_pkt_edns_udp_size, ldns_pkt_edns_extended_rcode, ldns_pkt_edns_version, ldns_pkt_edns_z, ldns_pkt_edns_data, ldns_pkt_set_edns_udp_size, ldns_pkt_set_edns_extended_rcode, ldns_pkt_set_edns_version, ldns_pkt_set_edns_z, ldns_pkt_set_edns_data - request or anser packets types

-ldns_pkt_new, ldns_pkt_free, ldns_pkt_print, ldns_pkt_query_new, ldns_pkt_query_new_frm_str, ldns_pkt_reply_type | ldns_pkt
+ldns_pkt_new, ldns_pkt_free, ldns_pkt_print, ldns_pkt_query_new, ldns_pkt_query_new_frm_str, ldns_pkt_reply_type | ldns_pkt - ldns_pkt creation, destruction and printing
 #	gets
-ldns_pkt_id, ldns_pkt_qr, ldns_pkt_aa, ldns_pkt_tc, ldns_pkt_rd, ldns_pkt_cd, ldns_pkt_ra, ldns_pkt_ad, ldns_pkt_get_opcode, ldns_pkt_get_rcode, ldns_pkt_qdcount, ldns_pkt_ancount, ldns_pkt_nscount, ldns_pkt_arcount, ldns_pkt_answerfrom, ldns_pkt_querytime, ldns_pkt_size, ldns_pkt_tsig, ldns_pkt_question, ldns_pkt_answer, ldns_pkt_authority, ldns_pkt_additional, ldns_pkt_get_section_clone, ldns_pkt_rr_list_by_name, ldns_pkt_rr_list_by_type, ldns_pkt_rr_list_by_name_and_type | ldns_pkt 
+ldns_pkt_id, ldns_pkt_qr, ldns_pkt_aa, ldns_pkt_tc, ldns_pkt_rd, ldns_pkt_cd, ldns_pkt_ra, ldns_pkt_ad, ldns_pkt_get_opcode, ldns_pkt_get_rcode, ldns_pkt_qdcount, ldns_pkt_ancount, ldns_pkt_nscount, ldns_pkt_arcount, ldns_pkt_answerfrom, ldns_pkt_querytime, ldns_pkt_size, ldns_pkt_tsig, ldns_pkt_question, ldns_pkt_answer, ldns_pkt_authority, ldns_pkt_additional, ldns_pkt_get_section_clone, ldns_pkt_rr_list_by_name, ldns_pkt_rr_list_by_type, ldns_pkt_rr_list_by_name_and_type | ldns_pkt - get ldns_pkt attributes
 #	sets
-ldns_pkt_set_flags, ldns_pkt_set_id, ldns_pkt_set_qr, ldns_pkt_set_aa, ldns_pkt_set_tc, ldns_pkt_set_rd, ldns_pkt_set_cd, ldns_pkt_set_ra, ldns_pkt_set_ad, ldns_pkt_set_opcode, ldns_pkt_set_rcode, ldns_pkt_set_qdcount, ldns_pkt_set_ancount, ldns_pkt_set_nscount, ldns_pkt_set_arcount, ldns_pkt_set_answerfrom, ldns_pkt_set_querytime, ldns_pkt_set_size, ldns_pkt_set_section_count, ldns_pkt_set_tsig | ldns_pkt 
+ldns_pkt_set_flags, ldns_pkt_set_id, ldns_pkt_set_qr, ldns_pkt_set_aa, ldns_pkt_set_tc, ldns_pkt_set_rd, ldns_pkt_set_cd, ldns_pkt_set_ra, ldns_pkt_set_ad, ldns_pkt_set_opcode, ldns_pkt_set_rcode, ldns_pkt_set_qdcount, ldns_pkt_set_ancount, ldns_pkt_set_nscount, ldns_pkt_set_arcount, ldns_pkt_set_answerfrom, ldns_pkt_set_querytime, ldns_pkt_set_size, ldns_pkt_set_section_count, ldns_pkt_set_tsig | ldns_pkt - set ldns_pkt attributes
 #	EDNS0
-ldns_pkt_edns, ldns_pkt_edns_udp_size, ldns_pkt_edns_extended_rcode, ldns_pkt_edns_version, ldns_pkt_edns_z, ldns_pkt_edns_data, ldns_pkt_set_edns_udp_size, ldns_pkt_set_edns_extended_rcode, ldns_pkt_set_edns_version, ldns_pkt_set_edns_z, ldns_pkt_set_edns_data | ldns_pkt
+ldns_pkt_edns, ldns_pkt_edns_udp_size, ldns_pkt_edns_extended_rcode, ldns_pkt_edns_version, ldns_pkt_edns_z, ldns_pkt_edns_data, ldns_pkt_set_edns_udp_size, ldns_pkt_set_edns_extended_rcode, ldns_pkt_set_edns_version, ldns_pkt_set_edns_z, ldns_pkt_set_edns_data | ldns_pkt - ldns_pkt ends0 related functions

 # rr_functions.h
-ldns_rr_ns_nsdname
+ldns_rr_ns_nsdname - get dname rdata field from NS RR
 #
-ldns_rr_mx_preference, ldns_rr_mx_exchange
+ldns_rr_mx_preference, ldns_rr_mx_exchange - get MX RR rdata fields
 #
-ldns_rr_rrsig_typecovered, ldns_rr_rrsig_set_typecovered, ldns_rr_rrsig_algorithm, ldns_rr_rrsig_set_algorithm, ldns_rr_rrsig_labels, ldns_rr_rrsig_set_labels, ldns_rr_rrsig_origttl, ldns_rr_rrsig_set_origttl, ldns_rr_rrsig_expiration, ldns_rr_rrsig_set_expiration, ldns_rr_rrsig_inception, ldns_rr_rrsig_set_inception, ldns_rr_rrsig_keytag, ldns_rr_rrsig_set_keytag, ldns_rr_rrsig_signame, ldns_rr_rrsig_set_signame, ldns_rr_rrsig_sig, ldns_rr_rrsig_set_sig
+ldns_rr_rrsig_typecovered, ldns_rr_rrsig_set_typecovered, ldns_rr_rrsig_algorithm, ldns_rr_rrsig_set_algorithm, ldns_rr_rrsig_labels, ldns_rr_rrsig_set_labels, ldns_rr_rrsig_origttl, ldns_rr_rrsig_set_origttl, ldns_rr_rrsig_expiration, ldns_rr_rrsig_set_expiration, ldns_rr_rrsig_inception, ldns_rr_rrsig_set_inception, ldns_rr_rrsig_keytag, ldns_rr_rrsig_set_keytag, ldns_rr_rrsig_signame, ldns_rr_rrsig_set_signame, ldns_rr_rrsig_sig, ldns_rr_rrsig_set_sig - get and set RRSIG RR rdata fields
 #
-ldns_rr_dnskey_flags, ldns_rr_dnskey_set_flags, ldns_rr_dnskey_protocol, ldns_rr_dnskey_set_protocol, ldns_rr_dnskey_algorithm, ldns_rr_dnskey_set_algorithm, ldns_rr_dnskey_key, ldns_rr_dnskey_set_key | ldns_rr
+ldns_rr_dnskey_flags, ldns_rr_dnskey_set_flags, ldns_rr_dnskey_protocol, ldns_rr_dnskey_set_protocol, ldns_rr_dnskey_algorithm, ldns_rr_dnskey_set_algorithm, ldns_rr_dnskey_key, ldns_rr_dnskey_set_key | ldns_rr - get and set DNSKEY RR rdata fields

 ### zone.h
-ldns_zone |  ldns_zone_new, ldns_zone_deep_free, ldns_zone_new_frm_fp, ldns_zone_new_frm_fp_l, ldns_zone_sort, ldns_zone_glue_rr_list, ldns_zone_push_rr, ldns_zone_push_rr_list, ldns_zone_set_rrs, ldns_zone_set_soa, ldns_zone_rrs, ldns_zone_soa, ldns_zone_rr_count,
-
-
-ldns_zone_new, ldns_zone_deep_free, ldns_zone_new_frm_fp, ldns_zone_new_frm_fp_l | ldns_zone
-ldns_zone_sort, ldns_zone_glue_rr_list | ldns_zone
-ldns_zone_push_rr, ldns_zone_push_rr_list | ldns_zone
-ldns_zone_set_rrs, ldns_zone_set_soa | ldns_zone, ldns_zone_rrs, ldns_zone_soa
-ldns_zone_rrs, ldns_zone_soa | ldns_zone ldns_zone_set_rrs
-ldns_zone_rr_count | ldns_zone
+ldns_zone, ldns_zone_new, ldns_zone_free, ldns_zone_deep_free, ldns_zone_new_frm_fp, ldns_zone_new_frm_fp_l,  ldns_zone_print, ldns_zone_print_fmt - ldns_zone creation, destruction and printing
+ldns_zone_sort, ldns_zone_glue_rr_list | ldns_zone - sort a zone and get the glue records
+ldns_zone_push_rr, ldns_zone_push_rr_list | ldns_zone - add rr's to a ldns_zone
+ldns_zone_set_rrs, ldns_zone_set_soa | ldns_zone, ldns_zone_rrs, ldns_zone_soa - ldns_zone set content
+ldns_zone_rrs, ldns_zone_soa | ldns_zone ldns_zone_set_rrs - ldns_zone get content
+ldns_zone_rr_count | ldns_zone - get ldns_zone size

 ### update.h
-ldns_update_pkt_new | ldns_update_pkt_tsig_add, ldns_update_pkt_tsig_add, ldns_update_zocount, ldns_update_prcount, ldns_update_upcount, ldns_update_adcount, ldns_update_set_zocount, ldns_update_set_prcount, ldns_update_set_upcount, ldns_update_set_adcount,
+ldns_update_pkt_new | ldns_update_pkt_tsig_add, ldns_update_pkt_tsig_add, ldns_update_zocount, ldns_update_prcount, ldns_update_upcount, ldns_update_adcount, ldns_update_set_zocount, ldns_update_set_prcount, ldns_update_set_upcount, ldns_update_set_adcount - create an update packet
+
+ldns_update_pkt_tsig_add | ldns_update_pkt_new - add resolver's tsig credentials to an ldns_pkt
+ldns_update_zocount, ldns_update_prcount, ldns_update_upcount, ldns_update_adcount | ldns_update_pkt_new - return update packet counters
+ldns_update_set_zocount, ldns_update_set_prcount, ldns_update_set_upcount, ldns_update_set_adcount | ldns_update_pkt_new - set the update packet counters
+
+### keys.h
+ldns_algorithm - numbers assigned to algorithms used in dns
+
+
+ldns_axfr_start, ldns_axfr_next, ldns_axfr_abort, ldns_axfr_complete, ldns_axfr_last_pkt - functions for full zone transfer
+
+ldns_b32_ntop_calculate_size, ldns_b32_pton_calculate_size, ldns_b64_ntop_calculate_size, ldns_b64_pton_calculate_size - return size needed for b32 or b64 encoded or decoded data
+
+ldns_duration_type, ldns_duration_create, ldns_duration_create_from_string, ldns_duration_cleanup, ldns_duration_compare, ldns_duration2string, ldns_duration2time - duration type and related functions
+
+ldns_bubblebabble - encode data as BubbleBabble
+
+ldns_version - return library version
+

-ldns_update_pkt_tsig_add | ldns_update_pkt_new
-ldns_update_zocount, ldns_update_prcount, ldns_update_upcount, ldns_update_adcount | ldns_update_pkt_new
-ldns_update_set_zocount, ldns_update_set_prcount, ldns_update_set_upcount, ldns_update_set_adcount | ldns_update_pkt_new
--- a/doc/header.html
+++ b/doc/header.html
@ -1,10 +1,55 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html><head><meta http-equiv="Content-Type"
-content="text/html;charset=iso-8859-1">
-<title>ldns documentation</title>
-<link href="doxygen.css" rel="stylesheet" type="text/css">
-<link href="tabs.css" rel="stylesheet" type="text/css">
-</head><body>
-<div class="logo">
-<img src="LogoInGradientBar2-y100.png"/>
+<!-- HTML header for doxygen 1.8.11-->
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<meta http-equiv="X-UA-Compatible" content="IE=9"/>
+<meta name="generator" content="Doxygen $doxygenversion"/>
+<!--BEGIN PROJECT_NAME--><title>$projectname: $title</title><!--END PROJECT_NAME-->
+<!--BEGIN !PROJECT_NAME--><title>$title</title><!--END !PROJECT_NAME-->
+<link href="$relpath^tabs.css" rel="stylesheet" type="text/css"/>
+<script type="text/javascript" src="$relpath^jquery.js"></script>
+<script type="text/javascript" src="$relpath^dynsections.js"></script>
+$treeview
+$search
+$mathjax
+<link href="$relpath^$stylesheet" rel="stylesheet" type="text/css" />
+$extrastylesheet
+</head>
+<body>
+<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
+
+<!--BEGIN TITLEAREA-->
+<div id="titlearea">
+<table cellspacing="0" cellpadding="0">
+ <tbody>
+ <tr style="height: 56px;">
+  <!--BEGIN PROJECT_LOGO-->
+  <td id="projectlogo"><img alt="Logo" src="$relpath^$projectlogo"/></td>
+  <!--END PROJECT_LOGO-->
+  <!--BEGIN PROJECT_NAME-->
+  <td id="projectalign" style="padding-left: 0.5em;">
+   <div id="projectname">$projectname
+   <!--BEGIN PROJECT_NUMBER-->&#160;<span id="projectnumber">$projectnumber</span><!--END PROJECT_NUMBER-->
+   </div>
+   <!--BEGIN PROJECT_BRIEF--><div id="projectbrief">$projectbrief</div><!--END PROJECT_BRIEF-->
+  </td>
+  <!--END PROJECT_NAME-->
+  <!--BEGIN !PROJECT_NAME-->
+   <!--BEGIN PROJECT_BRIEF-->
+    <td style="padding-left: 0.5em;">
+    <div id="projectbrief">$projectbrief</div>
+    </td>
+   <!--END PROJECT_BRIEF-->
+  <!--END !PROJECT_NAME-->
+  <!--BEGIN DISABLE_INDEX-->
+   <!--BEGIN SEARCHENGINE-->
+   <td>$searchbox</td>
+   <!--END SEARCHENGINE-->
+  <!--END DISABLE_INDEX-->
+ </tr>
+ </tbody>
+</table>
 </div>
+<!--END TITLEAREA-->
+<!-- end header part -->
--- a/drill/chasetrace.c
+++ b/drill/chasetrace.c
@ -11,51 +11,163 @@
 #include "drill.h"
 #include <ldns/ldns.h>

+/* Cache all RRs from rr_list "rr_list" to "referrals" database for lookup
+ * later on.  Print the NS RRs that were not already present.
+ */
+static void add_rr_list_to_referrals(
+    ldns_dnssec_zone *referrals, ldns_rr_list *rr_list)
+{
+	size_t i;
+	ldns_rr *rr;
+	ldns_dnssec_rrsets *rrset;
+	ldns_dnssec_rrs *rrs;
+
+	for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) {
+		rr = ldns_rr_list_rr(rr_list, i);
+		/* Check if a RR equal to "rr" is present in "referrals" */
+		rrset = ldns_dnssec_zone_find_rrset(
+		    referrals, ldns_rr_owner(rr), ldns_rr_get_type(rr));
+		if (rrset) {
+			for (rrs = rrset->rrs; rrs; rrs = rrs->next)
+				if (ldns_rr_compare(rr, rrs->rr) == 0)
+					break;
+			if (rrs) continue; /* "rr" is present, next! */
+		}
+		if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_NS && verbosity != -1)
+			ldns_rr_print(stdout, rr);
+		(void) ldns_dnssec_zone_add_rr(referrals, rr);
+	}
+}
+
+/* Cache all RRs from packet "p" to "referrals" database for lookup later on.
+ * Print the NS RRs that were not already present.
+ */
+static void add_referrals(ldns_dnssec_zone *referrals, ldns_pkt *p)
+{
+	ldns_rr_list *l = ldns_pkt_all_noquestion(p);
+	if (l) {
+		add_rr_list_to_referrals(referrals, l);
+		ldns_rr_list_free(l);
+	}
+}
+
+/* Equip name-server "res" with the name-servers authoritative for as much
+ * of "name" as possible.  Lookup addresses if needed.
+ */
+static bool set_nss_for_name(
+    ldns_resolver *res, ldns_dnssec_zone *referrals, ldns_rdf *name,
+    ldns_resolver *local_res, ldns_rr_class c)
+{
+	ldns_dnssec_rrsets *nss = NULL;
+	ldns_dnssec_rrs *nss_rrs;
+	ldns_dnssec_rrsets *as = NULL;
+	ldns_dnssec_rrs *as_rrs;
+	ldns_rdf *lookup = ldns_rdf_clone(name);
+	ldns_rdf *new_lookup;
+	ldns_rdf *addr;
+	ldns_rr_list *addrs;
+
+	/* nss will become the rrset of as much of "name" as possible */
+	for (;;) {
+		nss = ldns_dnssec_zone_find_rrset(
+		    referrals, lookup, LDNS_RR_TYPE_NS);
+		if (nss != NULL) {
+			ldns_rdf_deep_free(lookup);
+			break;
+		}
+		new_lookup = ldns_dname_left_chop(lookup);
+		ldns_rdf_deep_free(lookup);
+		lookup = new_lookup;
+		if (!lookup) {
+			error("No referrals for name found");
+			return false;
+		}
+	}
+
+	/* remove the old nameserver from the resolver */
+	while ((addr = ldns_resolver_pop_nameserver(res)))
+		ldns_rdf_deep_free(addr);
+
+	/* Find and add the address records for the rrset as name-servers */
+	for (nss_rrs = nss->rrs; nss_rrs; nss_rrs = nss_rrs->next) {
+
+		if ((as = ldns_dnssec_zone_find_rrset(
+		    referrals, ldns_rr_rdf(nss_rrs->rr, 0), LDNS_RR_TYPE_A)))
+			for (as_rrs = as->rrs; as_rrs; as_rrs = as_rrs->next)
+				(void) ldns_resolver_push_nameserver(
+				    res, ldns_rr_rdf(as_rrs->rr, 0));
+
+		if ((as = ldns_dnssec_zone_find_rrset(
+		    referrals, ldns_rr_rdf(nss_rrs->rr, 0), LDNS_RR_TYPE_AAAA)))
+			for (as_rrs = as->rrs; as_rrs; as_rrs = as_rrs->next)
+				(void) ldns_resolver_push_nameserver(
+				    res, ldns_rr_rdf(as_rrs->rr, 0));
+	}
+	/* Is our resolver equipped with name-servers? Good! We're done */
+	if (ldns_resolver_nameserver_count(res) > 0)
+		return true;
+
+	/* Lookup addresses with local resolver add add to "referrals" database */
+	addrs = ldns_rr_list_new();
+	for (nss_rrs = nss->rrs; nss_rrs; nss_rrs = nss_rrs->next) {
+		ldns_rr_list *addrs_by_name =
+		    ldns_get_rr_list_addr_by_name(
+			local_res, ldns_rr_rdf(nss_rrs->rr, 0), c, 0);
+		ldns_rr_list_cat(addrs, addrs_by_name);
+		ldns_rr_list_free(addrs_by_name);
+	}
+
+	if (ldns_rr_list_rr_count(addrs) == 0)
+		error("Could not find the nameserver ip addr; abort");
+
+	else if (ldns_resolver_push_nameserver_rr_list(res, addrs) !=
+	    LDNS_STATUS_OK)
+
+		error("Error adding new nameservers");
+	else {
+		ldns_rr_list_deep_free(addrs);
+		return true;
+	}
+	add_rr_list_to_referrals(referrals, addrs);
+	ldns_rr_list_deep_free(addrs);
+	return false;
+}
+
 /**
 * trace down from the root to name
 */

 /* same naive method as in drill0.9 
- * We resolver _ALL_ the names, which is ofcourse not needed
+ * We resolve _ALL_ the names, which is of course not needed.
 * We _do_ use the local resolver to do that, so it still is
- * fast, but it can be made to run much faster
+ * fast, but it can be made to run much faster.
 */
-ldns_pkt *
+void
 do_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 		ldns_rr_class c)
 {
-	ldns_resolver *res;
-	ldns_pkt *p;
-	ldns_rr_list *new_nss_a;
-	ldns_rr_list *new_nss_aaaa;
+
+	static uint8_t zero[1] = { 0 };
+	static const ldns_rdf root_dname = { 1, LDNS_RDF_TYPE_DNAME, &zero };
+
+	ldns_resolver *res = NULL;
+	ldns_pkt *p = NULL;
 	ldns_rr_list *final_answer;
 	ldns_rr_list *new_nss;
-	ldns_rr_list *ns_addr;
+	ldns_rr_list *cname = NULL;
+	ldns_rr_list *answers = NULL;
 	uint16_t loop_count;
-	ldns_rdf *pop; 
 	ldns_status status;
-	size_t i;
+	ldns_dnssec_zone* referrals = NULL;
+	ldns_rdf *addr;
 	
 	loop_count = 0;
-	new_nss_a = NULL;
-	new_nss_aaaa = NULL;
-	new_nss = NULL;
-	ns_addr = NULL;
 	final_answer = NULL;
-	p = ldns_pkt_new();
 	res = ldns_resolver_new();

-	if (!p) {
-		if (res) {
-			ldns_resolver_free(res);
-		}
-                error("Memory allocation failed");
-                return NULL;
-	}
 	if (!res) {
-		ldns_pkt_free(p);
                error("Memory allocation failed");
-                return NULL;
+		goto cleanup;
        }

 	/* transfer some properties of local_res to res,
@ -83,16 +195,13 @@ do_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 	if (status != LDNS_STATUS_OK) {
 		fprintf(stderr, "Error adding root servers to resolver: %s\n", ldns_get_errorstr_by_id(status));
 		ldns_rr_list_print(stdout, global_dns_root);
-		ldns_resolver_free(res);
-		ldns_pkt_free(p);
-		return NULL;
+		goto cleanup;
 	}

 	/* this must be a real query to local_res */
-	status = ldns_resolver_send(&p, res, ldns_dname_new_frm_str("."), LDNS_RR_TYPE_NS, c, 0);
+	status = ldns_resolver_send(&p, res, &root_dname, LDNS_RR_TYPE_NS, c, 0);
 	/* p can still be NULL */

-
 	if (ldns_pkt_empty(p)) {
 		warning("No root server information received");
 	} 
@ -101,111 +210,95 @@ do_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 		if (!ldns_pkt_empty(p)) {
 			drill_pkt_print(stdout, local_res, p);
 		}
+		referrals = ldns_dnssec_zone_new();
+		add_referrals(referrals, p);
 	} else {
 		error("cannot use local resolver");
-		return NULL;
+		goto cleanup;
 	}
-
+	if (! set_nss_for_name(res, referrals, name, local_res, c)) {
+		goto cleanup;
+	}
+	ldns_pkt_free(p);
+	p = NULL;
 	status = ldns_resolver_send(&p, res, name, t, c, 0);
-
 	while(status == LDNS_STATUS_OK && 
 	      ldns_pkt_reply_type(p) == LDNS_PACKET_REFERRAL) {

 		if (!p) {
-			/* some error occurred, bail out */
-			return NULL;
+			/* some error occurred -- bail out */
+			goto cleanup;
 		}
+		add_referrals(referrals, p);

-		new_nss_a = ldns_pkt_rr_list_by_type(p,
-				LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
-		new_nss_aaaa = ldns_pkt_rr_list_by_type(p,
-				LDNS_RR_TYPE_AAAA, LDNS_SECTION_ADDITIONAL);
-		new_nss = ldns_pkt_rr_list_by_type(p,
-				LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
-
-		if (verbosity != -1) {
-			ldns_rr_list_print(stdout, new_nss);
-		}
 		/* checks itself for verbosity */
 		drill_pkt_print_footer(stdout, local_res, p);
 		
-		/* remove the old nameserver from the resolver */
-		while(ldns_resolver_pop_nameserver(res)) { /* do it */ }
-
-		/* also check for new_nss emptyness */
-
-		if (!new_nss_aaaa && !new_nss_a) {
-			/* 
-			 * no nameserver found!!! 
-			 * try to resolve the names we do got 
-			 */
-			for(i = 0; i < ldns_rr_list_rr_count(new_nss); i++) {
-				/* get the name of the nameserver */
-				pop = ldns_rr_rdf(ldns_rr_list_rr(new_nss, i), 0);
-				if (!pop) {
-					break;
-				}
-
-				ldns_rr_list_print(stdout, new_nss);
-				ldns_rdf_print(stdout, pop);
-				/* retrieve it's addresses */
-				ns_addr = ldns_rr_list_cat_clone(ns_addr,
-					ldns_get_rr_list_addr_by_name(local_res, pop, c, 0));
-			}
-
-			if (ns_addr) {
-				if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) != 
-						LDNS_STATUS_OK) {
-					error("Error adding new nameservers");
-					ldns_pkt_free(p); 
-					return NULL;
-				}
-				ldns_rr_list_free(ns_addr);
-			} else {
-				ldns_rr_list_print(stdout, ns_addr);
-				error("Could not find the nameserver ip addr; abort");
-				ldns_pkt_free(p);
-				return NULL;
-			}
+		if (! set_nss_for_name(res, referrals, name, local_res, c)) {
+			goto cleanup;
 		}
-
-		/* add the new ones */
-		if (new_nss_aaaa) {
-			if (ldns_resolver_push_nameserver_rr_list(res, new_nss_aaaa) != 
-					LDNS_STATUS_OK) {
-				error("adding new nameservers");
-				ldns_pkt_free(p); 
-				return NULL;
-			}
-		}
-		if (new_nss_a) {
-			if (ldns_resolver_push_nameserver_rr_list(res, new_nss_a) != 
-					LDNS_STATUS_OK) {
-				error("adding new nameservers");
-				ldns_pkt_free(p); 
-				return NULL;
-			}
-		}
-
 		if (loop_count++ > 20) {
-			/* unlikely that we are doing something usefull */
+			/* unlikely that we are doing anything useful */
 			error("Looks like we are looping");
-			ldns_pkt_free(p); 
-			return NULL;
+			goto cleanup;
 		}
-		
+		ldns_pkt_free(p);
+		p = NULL;
+		status = ldns_resolver_send(&p, res, name, t, c, 0);
+
+		/* Exit trace on error */
+		if (status != LDNS_STATUS_OK)
+			break;
+
+		/* An answer might be the desired answer (and no referral) */
+		if (ldns_pkt_reply_type(p) != LDNS_PACKET_ANSWER)
+			continue;
+
+		/* Exit trace when the requested type is found */
+		answers = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_ANSWER);
+		if (answers && ldns_rr_list_rr_count(answers) > 0) {
+			ldns_rr_list_free(answers);
+			answers = NULL;
+			break;
+		}
+		ldns_rr_list_free(answers);
+		answers = NULL;
+
+		/* Get the CNAMEs from the answer */
+		cname = ldns_pkt_rr_list_by_type(
+		    p, LDNS_RR_TYPE_CNAME, LDNS_SECTION_ANSWER);
+
+		/* No CNAME either: exit trace */
+		if (ldns_rr_list_rr_count(cname) == 0)
+			break;
+
+		/* Print CNAME referral */
+		ldns_rr_list_print(stdout, cname);
+
+		/* restart with the CNAME */
+		name = ldns_rr_rdf(ldns_rr_list_rr(cname, 0), 0);
+		ldns_rr_list_free(cname);
+		cname = NULL;
+
+		/* remove the old nameserver from the resolver */
+		while((addr = ldns_resolver_pop_nameserver(res)))
+			ldns_rdf_deep_free(addr);
+
+		/* Restart trace from the root up */
+		(void) ldns_resolver_push_nameserver_rr_list(
+		    res, global_dns_root);
+
+		ldns_pkt_free(p);
+		p = NULL;
 		status = ldns_resolver_send(&p, res, name, t, c, 0);
-		new_nss_aaaa = NULL;
-		new_nss_a = NULL;
-		ns_addr = NULL;
 	}

+	ldns_pkt_free(p);
+	p = NULL;
 	status = ldns_resolver_send(&p, res, name, t, c, 0);
-
 	if (!p) {
-		return NULL;
+		goto cleanup;
 	}
-
 	new_nss = ldns_pkt_authority(p);
 	final_answer = ldns_pkt_answer(p);

@ -215,8 +308,16 @@ do_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,

 	}
 	drill_pkt_print_footer(stdout, local_res, p);
-	ldns_pkt_free(p); 
-	return NULL;
+cleanup:
+	if (res) {
+		while((addr = ldns_resolver_pop_nameserver(res)))
+			ldns_rdf_deep_free(addr);
+		ldns_resolver_free(res);
+	}
+	if (referrals)
+		ldns_dnssec_zone_deep_free(referrals);
+	if (p)
+		ldns_pkt_free(p); 
 }


@ -237,8 +338,7 @@ do_chase(ldns_resolver *res,
 	    ldns_rr_list *trusted_keys,
 	    ldns_pkt *pkt_o,
 	    uint16_t qflags,
-	    ldns_rr_list * ATTR_UNUSED(prev_key_list),
-	    int verbosity)
+	    ldns_rr_list * ATTR_UNUSED(prev_key_list))
 {
 	ldns_rr_list *rrset = NULL;
 	ldns_status result;
--- a/drill/config.h.in
+++ b/drill/config.h.in
@ -15,8 +15,8 @@
 /* Define to 1 if you have the <getopt.h> header file. */
 #undef HAVE_GETOPT_H

-/* If you have HMAC_CTX_init */
-#undef HAVE_HMAC_CTX_INIT
+/* If you have HMAC_Update */
+#undef HAVE_HMAC_UPDATE

 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
@ -279,9 +279,6 @@
 #include <ws2tcpip.h>
 #endif

-extern char *optarg;
-extern int optind, opterr;
-
 #ifndef EXIT_FAILURE
 #define EXIT_FAILURE  1
 #endif
--- a/drill/configure
+++ b/drill/configure
@ -1,13 +1,11 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for ldns 1.6.17.
+# Generated by GNU Autoconf 2.69 for ldns 1.7.0.
 #
 # Report bugs to <libdns@nlnetlabs.nl>.
 #
 #
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
-# Foundation, Inc.
+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
 #
 #
 # This configure script is free software; the Free Software Foundation
@ -136,6 +134,31 @@ export LANGUAGE
 # CDPATH.
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH

+# Use a proper internal environment variable to ensure we don't fall
+  # into an infinite loop, continuously re-executing ourselves.
+  if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
+    _as_can_reexec=no; export _as_can_reexec;
+    # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+as_fn_exit 255
+  fi
+  # We don't want this to propagate to other subprocesses.
+          { _as_can_reexec=; unset _as_can_reexec;}
 if test "x$CONFIG_SHELL" = x; then
  as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
  emulate sh
@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
 else
  exitcode=1; echo positional parameters were not saved.
 fi
-test x\$exitcode = x0 || exit 1"
+test x\$exitcode = x0 || exit 1
+test -x / || exit 1"
  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
@ -214,21 +238,25 @@ IFS=$as_save_IFS


      if test "x$CONFIG_SHELL" != x; then :
-  # We cannot yet assume a decent shell, so we have to provide a
-	# neutralization value for shells without unset; and this also
-	# works around shells that cannot unset nonexistent variables.
-	# Preserve -v and -x to the replacement shell.
-	BASH_ENV=/dev/null
-	ENV=/dev/null
-	(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-	export CONFIG_SHELL
-	case $- in # ((((
-	  *v*x* | *x*v* ) as_opts=-vx ;;
-	  *v* ) as_opts=-v ;;
-	  *x* ) as_opts=-x ;;
-	  * ) as_opts= ;;
-	esac
-	exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
+  export CONFIG_SHELL
+             # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+exit 255
 fi

    if test x$as_have_required = xno; then :
@ -331,6 +359,14 @@ $as_echo X"$as_dir" |


 } # as_fn_mkdir_p
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
 # as_fn_append VAR VALUE
 # ----------------------
 # Append the text in VALUE to the end of the definition contained in VAR. Take
@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits
  chmod +x "$as_me.lineno" ||
    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }

+  # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
+  # already done that, so ensure we don't try to do so again and fall
+  # in an infinite loop.  This has already happened in practice.
+  _as_can_reexec=no; export _as_can_reexec
  # Don't try to exec as it changes $[0], causing all sort of problems
  # (the dirname of $[0] is not the place where we might find the
  # original and so on.  Autoconf is especially sensitive to this).
@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then
    # ... but there are two gotchas:
    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
+    # In both cases, we have to default to `cp -pR'.
    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
+      as_ln_s='cp -pR'
  elif ln conf$$.file conf$$ 2>/dev/null; then
    as_ln_s=ln
  else
-    as_ln_s='cp -p'
+    as_ln_s='cp -pR'
  fi
 else
-  as_ln_s='cp -p'
+  as_ln_s='cp -pR'
 fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
@ -507,28 +547,8 @@ else
  as_mkdir_p=false
 fi

-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in #(
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p

 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@ -560,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='ldns'
 PACKAGE_TARNAME='libdns'
-PACKAGE_VERSION='1.6.17'
-PACKAGE_STRING='ldns 1.6.17'
+PACKAGE_VERSION='1.7.0'
+PACKAGE_STRING='ldns 1.7.0'
 PACKAGE_BUGREPORT='libdns@nlnetlabs.nl'
 PACKAGE_URL=''

@ -640,6 +660,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@ -714,6 +735,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -966,6 +988,15 @@ do
  | -silent | --silent | --silen | --sile | --sil)
    silent=yes ;;

+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
    ac_prev=sbindir ;;
  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@ -1103,7 +1134,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
  eval ac_val=\$$ac_var
  # Remove trailing slashes.
@ -1131,8 +1162,6 @@ target=$target_alias
 if test "x$host_alias" != x; then
  if test "x$build_alias" = x; then
    cross_compiling=maybe
-    $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
-    If a cross compiler is detected then cross compile mode will be used" >&2
  elif test "x$build_alias" != "x$host_alias"; then
    cross_compiling=yes
  fi
@ -1218,7 +1247,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures ldns 1.6.17 to adapt to many kinds of systems.
+\`configure' configures ldns 1.7.0 to adapt to many kinds of systems.

 Usage: $0 [OPTION]... [VAR=VALUE]...

@ -1258,6 +1287,7 @@ Fine tuning of the installation directories:
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@ -1279,7 +1309,7 @@ fi

 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of ldns 1.6.17:";;
+     short | recursive ) echo "Configuration of ldns 1.7.0:";;
   esac
  cat <<\_ACEOF

@ -1378,10 +1408,10 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-ldns configure 1.6.17
-generated by GNU Autoconf 2.68
+ldns configure 1.7.0
+generated by GNU Autoconf 2.69

-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
@ -1712,7 +1742,7 @@ $as_echo "$ac_try_echo"; } >&5
 	 test ! -s conftest.err
       } && test -s conftest$ac_exeext && {
 	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
+	 test -x conftest$ac_exeext
       }; then :
  ac_retval=0
 else
@ -1801,8 +1831,8 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.

-It was created by ldns $as_me 1.6.17, which was
-generated by GNU Autoconf 2.68.  Invocation command line was
+It was created by ldns $as_me 1.7.0, which was
+generated by GNU Autoconf 2.69.  Invocation command line was

  $ $0 $@

@ -2154,7 +2184,15 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.
 # BSD licensed.
 #
-# Version 26
+# Version 34
+# 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
+# 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
+# 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
+# 2015-12-11 FLTO check for new OSX, clang.
+# 2015-11-18 spelling check fix.
+# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
+# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
+# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
 # 2013-09-19 FLTO help text improved.
 # 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
 # 2013-06-25 FLTO has --disable-flto option.
@ -2245,6 +2283,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 # ACX_CHECK_MEMCMP_SIGNED	- check if memcmp uses signed characters.
 # AHX_MEMCMP_BROKEN		- replace memcmp func for CHECK_MEMCMP_SIGNED.
 # ACX_CHECK_SS_FAMILY           - check for sockaddr_storage.ss_family
+# ACX_CHECK_PIE			- add --enable-pie option and check if works
+# ACX_CHECK_RELRO_NOW		- add --enable-relro-now option and check it
 #


@ -2341,6 +2381,12 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu



+
+
+
+
+
+



@ -2378,7 +2424,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}gcc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -2418,7 +2464,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="gcc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -2471,7 +2517,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}cc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -2512,7 +2558,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
       ac_prog_rejected=yes
       continue
@ -2570,7 +2616,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -2614,7 +2660,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="$ac_prog"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -3060,8 +3106,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdarg.h>
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+struct stat;
 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
 struct buf { int x; };
 FILE * (*rcsopen) (struct buf *, struct stat *, int);
@ -3301,7 +3346,7 @@ do
    for ac_prog in grep ggrep; do
    for ac_exec_ext in '' $ac_executable_extensions; do
      ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+      as_fn_executable_p "$ac_path_GREP" || continue
 # Check for GNU ac_path_GREP and select it if it is found.
  # Check for GNU $ac_path_GREP
 case `"$ac_path_GREP" --version 2>&1` in
@ -3367,7 +3412,7 @@ do
    for ac_prog in egrep; do
    for ac_exec_ext in '' $ac_executable_extensions; do
      ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+      as_fn_executable_p "$ac_path_EGREP" || continue
 # Check for GNU ac_path_EGREP and select it if it is found.
  # Check for GNU $ac_path_EGREP
 case `"$ac_path_EGREP" --version 2>&1` in
@ -3574,8 +3619,8 @@ else
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */

-#	  define __EXTENSIONS__ 1
-	  $ac_includes_default
+#         define __EXTENSIONS__ 1
+          $ac_includes_default
 int
 main ()
 {
@ -3629,7 +3674,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}gcc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -3669,7 +3714,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="gcc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -3722,7 +3767,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}cc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -3763,7 +3808,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
       ac_prog_rejected=yes
       continue
@ -3821,7 +3866,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -3865,7 +3910,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="$ac_prog"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -4061,8 +4106,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdarg.h>
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+struct stat;
 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
 struct buf { int x; };
 FILE * (*rcsopen) (struct buf *, struct stat *, int);
@ -4196,7 +4240,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_libtool="$ac_prog"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -4988,8 +5032,8 @@ $as_echo "found in $ssldir" >&6; }

            fi

-            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_CTX_init in -lcrypto" >&5
-$as_echo_n "checking for HMAC_CTX_init in -lcrypto... " >&6; }
+            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_Update in -lcrypto" >&5
+$as_echo_n "checking for HMAC_Update in -lcrypto... " >&6; }
            LIBS="$LIBS -lcrypto"
            LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
            cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@ -4999,8 +5043,8 @@ int
 main ()
 {

-                int HMAC_CTX_init(void);
-                (void)HMAC_CTX_init();
+                int HMAC_Update(void);
+                (void)HMAC_Update();

  ;
  return 0;
@ -5011,7 +5055,7 @@ if ac_fn_c_try_link "$LINENO"; then :
                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }

-$as_echo "#define HAVE_HMAC_CTX_INIT 1" >>confdefs.h
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h


 else
@ -5032,8 +5076,8 @@ int
 main ()
 {

-                    int HMAC_CTX_init(void);
-                    (void)HMAC_CTX_init();
+                    int HMAC_Update(void);
+                    (void)HMAC_Update();

  ;
  return 0;
@ -5042,7 +5086,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :


-$as_echo "#define HAVE_HMAC_CTX_INIT 1" >>confdefs.h
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h

                    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@ -5064,8 +5108,8 @@ int
 main ()
 {

-                        int HMAC_CTX_init(void);
-                        (void)HMAC_CTX_init();
+                        int HMAC_Update(void);
+                        (void)HMAC_Update();

  ;
  return 0;
@ -5074,7 +5118,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :


-$as_echo "#define HAVE_HMAC_CTX_INIT 1" >>confdefs.h
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h

                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@ -5083,7 +5127,43 @@ else

                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
-                    as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5
+                        LIBS="$BAKLIBS"
+                        LIBSSL_LIBS="$BAKSSLLIBS"
+                        LIBS="$LIBS -ldl -pthread"
+                        LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
+                        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl -pthread" >&5
+$as_echo_n "checking if -lcrypto needs -ldl -pthread... " >&6; }
+                        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+                            int HMAC_Update(void);
+                            (void)HMAC_Update();
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+
+                            { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+
+                            { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                            as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext

 fi
 rm -f core conftest.err conftest.$ac_objext \
@ -5099,67 +5179,6 @@ rm -f core conftest.err conftest.$ac_objext \
        fi


-	# openssl engine functionality needs dlopen().
-	BAKLIBS="$LIBS"
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
-$as_echo_n "checking for library containing dlopen... " >&6; }
-if ${ac_cv_search_dlopen+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-for ac_lib in '' dl; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_dlopen=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext
-  if ${ac_cv_search_dlopen+:} false; then :
-  break
-fi
-done
-if ${ac_cv_search_dlopen+:} false; then :
-
-else
-  ac_cv_search_dlopen=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5
-$as_echo "$ac_cv_search_dlopen" >&6; }
-ac_res=$ac_cv_search_dlopen
-if test "$ac_res" != no; then :
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-fi
-
-	if test "$LIBS" != "$BAKLIBS"; then
-		LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
-	fi
    fi
 for ac_header in openssl/ssl.h
 do :
@ -5839,16 +5858,16 @@ if (echo >conf$$.file) 2>/dev/null; then
    # ... but there are two gotchas:
    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
+    # In both cases, we have to default to `cp -pR'.
    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
+      as_ln_s='cp -pR'
  elif ln conf$$.file conf$$ 2>/dev/null; then
    as_ln_s=ln
  else
-    as_ln_s='cp -p'
+    as_ln_s='cp -pR'
  fi
 else
-  as_ln_s='cp -p'
+  as_ln_s='cp -pR'
 fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
@ -5908,28 +5927,16 @@ else
  as_mkdir_p=false
 fi

-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in #(
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p

 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@ -5950,8 +5957,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ldns $as_me 1.6.17, which was
-generated by GNU Autoconf 2.68.  Invocation command line was
+This file was extended by ldns $as_me 1.7.0, which was
+generated by GNU Autoconf 2.69.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
  CONFIG_HEADERS  = $CONFIG_HEADERS
@ -6012,11 +6019,11 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-ldns config.status 1.6.17
-configured by $0, generated by GNU Autoconf 2.68,
+ldns config.status 1.7.0
+configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"

-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."

@ -6104,7 +6111,7 @@ fi
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 if \$ac_cs_recheck; then
-  set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
  shift
  \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
  CONFIG_SHELL='$SHELL'
--- a/drill/configure.ac
+++ b/drill/configure.ac
@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.

 AC_PREREQ(2.56)
-AC_INIT(ldns, 1.6.17, libdns@nlnetlabs.nl,libdns)
+AC_INIT(ldns, 1.7.0, libdns@nlnetlabs.nl,libdns)
 AC_CONFIG_SRCDIR([drill.c])
 sinclude(../acx_nlnetlabs.m4)

@ -258,9 +258,6 @@ AH_BOTTOM([
 #include <ws2tcpip.h>
 #endif

-extern char *optarg;
-extern int optind, opterr;
-
 #ifndef EXIT_FAILURE
 #define EXIT_FAILURE  1
 #endif
--- a/drill/drill.1.in
+++ b/drill/drill.1.in
@ -40,7 +40,7 @@ Send to query to this server. If not specified use the nameservers from
 .PP
 \fItype\fR
 Ask for this RR type. If type is not given on the command line it defaults
-to 'A'. Except when doing to reverse lookup when it defaults to 'PTR'.
+to 'A'. Except when doing a reverse lookup when it defaults to 'PTR'.

 .PP
 \fIclass\fR
@ -51,17 +51,17 @@ Use this class when querying.
 Show the MX records of the domain miek.nl

 .TP
-\fBdrill -S jelte.nlnetlabs.nl\fR
+\fBdrill \-S jelte.nlnetlabs.nl\fR
 Chase any signatures in the jelte.nlnetlab.nl domain. This option is
 only available when ldns has been compiled with openssl-support.

 .TP
-\fBdrill -TD www.example.com\fR
-Do a DNSSEC (-D) trace (-T) from the rootservers down to www.example.com.
+\fBdrill \-TD www.example.com\fR
+Do a DNSSEC (\-D) trace (\-T) from the rootservers down to www.example.com.
 This option only works when ldns has been compiled with openssl support.

 .TP
-\fBdrill -s dnskey jelte.nlnetlabs.nl\fR
+\fBdrill \-s dnskey jelte.nlnetlabs.nl\fR
 Show the DNSKEY record(s) for jelte.nlnetlabs.nl. For each found DNSKEY
 record also print the DS record.

@ -70,12 +70,12 @@ record also print the DS record.
 .TP
 \fB\-D
 Enable DNSSEC in the query. When querying for DNSSEC types (DNSKEY, RRSIG,
-DS and NSEC) this is \fInot\fR automaticly enabled.
+DS and NSEC) this is \fInot\fR automatically enabled.

 .TP
 \fB\-T
-Trace \fIname\fR from the root down. When using this option the @server and
-the type arguments are not used.
+Trace \fIname\fR from the root down. When using this option the @server
+arguments is not used.

 .TP
 \fB\-S
@ -93,11 +93,11 @@ Be more verbose. Set level to 5 to see the actual query that is sent.

 .TP
 \fB\-Q
-Quiet mode, this overrules -V. 
+Quiet mode, this overrules \-V.

 .TP
 \fB\-f \fIfile\fR
-Read the query from a file. The query must be dumped with -w. 
+Read the query from a file. The query must be dumped with \-w.

 .TP
 \fB\-i \fIfile\fR
@ -153,7 +153,7 @@ Use file instead of /etc/resolv.conf for nameserver configuration.

 .TP
 \fB\-d \fIdomain\fR
-When tracing (-T), start from this domain instead of the root.
+When tracing (\-T), start from this domain instead of the root.

 .TP
 \fB\-t
@ -195,7 +195,7 @@ Use this port instead of the default of 53.

 .TP
 \fB\-r \fIfile\fR
-When tracing (-T), use file as a root servers hint file.
+When tracing (\-T), use file as a root servers hint file.

 .TP
 \fB\-s
@ -208,11 +208,11 @@ Use UDP when querying a server. This is the default.
 .TP
 \fB\-w \fIfile\fR
 write the answer to a file. The file will contain a hexadecimal dump
-of the query. This can be used in conjunction with -f.
+of the query. This can be used in conjunction with \-f.

 .TP
 \fB\-x
-Do a reverse loopup. The type argument is not used, it is preset to PTR.
+Do a reverse lookup. The type argument is not used, it is preset to PTR.

 .TP
 \fB\-y \fI<name:key[:algo]>\fR
--- a/drill/drill.c
+++ b/drill/drill.c
@ -14,11 +14,22 @@
 #include <openssl/err.h>
 #endif

-#define IP6_ARPA_MAX_LEN 65
-
 /* query debug, 2 hex dumps */
 int		verbosity;

+static int
+is_ixfr_with_serial(const char* name, uint32_t *serial)
+{
+	char* end;
+	if (strlen(name) > 5 &&
+		strncasecmp(name, "IXFR", 4) == 0 &&
+		name[4] == '=') {
+		*serial = (uint32_t) strtol((name+5), &end, 10);
+		return 1;
+	}
+	return 0;
+}
+
 static void
 usage(FILE *stream, const char *progname)
 {
@ -31,7 +42,7 @@ usage(FILE *stream, const char *progname)
 	fprintf(stream, "\t-D\t\tenable DNSSEC (DO bit)\n");
 #ifdef HAVE_SSL
 	fprintf(stream, "\t-T\t\ttrace from the root down to <name>\n");
-	fprintf(stream, "\t-S\t\tchase signature(s) from <name> to a know key [*]\n");
+	fprintf(stream, "\t-S\t\tchase signature(s) from <name> to a known key [*]\n");
 #endif /*HAVE_SSL*/
 	fprintf(stream, "\t-I <address>\tsource address to query from\n");
 	fprintf(stream, "\t-V <number>\tverbosity (0-5)\n");
@ -106,15 +117,14 @@ main(int argc, char *argv[])
        char 		*serv;
        char 		*src = NULL;
        const char 	*name;
-        char 		*name2;
 	char		*progname;
 	char 		*query_file = NULL;
 	char		*answer_file = NULL;
 	ldns_buffer	*query_buffer = NULL;
 	ldns_rdf 	*serv_rdf;
 	ldns_rdf 	*src_rdf = NULL;
-        ldns_rr_type 	type;
-        ldns_rr_class	clas;
+	ldns_rr_type 	type;
+	ldns_rr_class	clas;
 #if 0
 	ldns_pkt_opcode opcode = LDNS_PACKET_QUERY;
 #endif
@ -130,7 +140,7 @@ main(int argc, char *argv[])
 	ldns_rr		*axfr_rr;
 	ldns_status	status;
 	char *type_str;
-	
+	uint32_t	serial = 0;
 	/* list of keys used in dnssec operations */
 	ldns_rr_list	*key_list = ldns_rr_list_new(); 
 	/* what key verify the current answer */
@ -153,6 +163,9 @@ main(int argc, char *argv[])

 	int		result = 0;

+	uint8_t         s6addr[16];
+	char            ip6_arpa_str[74];
+
 #ifdef USE_WINSOCK
 	int r;
 	WSADATA wsa_data;
@ -188,12 +201,6 @@ main(int argc, char *argv[])

 	ldns_init_random(NULL, 0);

-	if (argc == 0) {
-		usage(stdout, progname);
-		result = EXIT_FAILURE;
-		goto exit;
-	}
-
 	/* string from orig drill: "i:w:I46Sk:TNp:b:DsvhVcuaq:f:xr" */
 	/* global first, query opt next, option with parm's last
 	 * and sorted */ /*  "46DITSVQf:i:w:q:achuvxzy:so:p:b:k:" */
@ -363,9 +370,7 @@ main(int argc, char *argv[])
 						tsig_algorithm[strlen(optarg) - tsig_separator2 - 1] = '\0';
 					} else {
 						tsig_separator2 = strlen(optarg);
-						tsig_algorithm = xmalloc(26);
-						strncpy(tsig_algorithm, "hmac-md5.sig-alg.reg.int.", 25);
-						tsig_algorithm[25] = '\0';
+						tsig_algorithm = strdup("hmac-md5.sig-alg.reg.int");
 					}
 					tsig_name = xmalloc(tsig_separator + 1);
 					tsig_data = xmalloc(tsig_separator2 - tsig_separator);
@ -453,6 +458,10 @@ main(int argc, char *argv[])
 			if (type != 0) {
 				int_type = 0;
 				continue;
+			} else if (is_ixfr_with_serial(argv[i], &serial)) {
+				type = LDNS_RR_TYPE_IXFR;
+				int_type = 0;
+				continue;
 			}
 		}
 		/* if it matches a class, it's a class */
@ -488,14 +497,20 @@ main(int argc, char *argv[])
 	if (src) {
 		src_rdf = ldns_rdf_new_addr_frm_str(src);
 		if(!src_rdf) {
-			fprintf(stderr, "-I must be (or resolve) to a valid IP[v6] address.\n");
+			fprintf(stderr, "-I must be a valid IP[v6] address.\n");
 			exit(EXIT_FAILURE);
 		}
+		if (ldns_rdf_size(src_rdf) == 4) {
+			qfamily = LDNS_RESOLV_INET;
+
+		} else if (ldns_rdf_size(src_rdf) == 16) {
+			qfamily = LDNS_RESOLV_INET6;
+		}
 	}

 	/* set the nameserver to use */
 	if (!serv) {
-		/* no server given make a resolver from /etc/resolv.conf */
+		/* no server given -- make a resolver from /etc/resolv.conf */
 		status = ldns_resolver_new_frm_file(&res, resolv_conf_file);
 		if (status != LDNS_STATUS_OK) {
 			warning("Could not create a resolver structure: %s (%s)\n"
@ -516,7 +531,7 @@ main(int argc, char *argv[])
 		if (!serv_rdf) {
 			/* try to resolv the name if possible */
 			status = ldns_resolver_new_frm_file(&cmdline_res, resolv_conf_file);
-			
+
 			if (status != LDNS_STATUS_OK) {
 				error("%s", "@server ip could not be converted");
 			}
@ -554,6 +569,7 @@ main(int argc, char *argv[])
 		}
 	}
 	/* set the resolver options */
+	ldns_resolver_set_ixfr_serial(res, serial);
 	ldns_resolver_set_port(res, qport);
 	ldns_resolver_set_source(res, src_rdf);
 	if (verbosity >= 5) {
@ -581,6 +597,39 @@ main(int argc, char *argv[])
 	}

 	if (tsig_name && tsig_data) {
+		/* With dig TSIG keys are also specified with -y,
+		 * but format with drill is: -y <name:key[:algo]>
+		 *             and with dig: -y [hmac:]name:key
+		 *
+		 * When we detect an unknown tsig algorithm in algo,
+		 * but a known algorithm in name, we cane assume dig
+		 * order was used.
+		 *
+		 * Following if statement is to anticipate and correct dig order
+		 */
+		if (   strcasecmp(tsig_algorithm, "hmac-md5.sig-alg.reg.int")
+		    && strcasecmp(tsig_algorithm, "hmac-md5")
+		    && strcasecmp(tsig_algorithm, "hmac-sha1")
+		    && strcasecmp(tsig_algorithm, "hmac-sha256")
+		    && (
+		       strcasecmp(tsig_name, "hmac-md5.sig-alg.reg.int")  == 0
+		    || strcasecmp(tsig_name, "hmac-md5")                  == 0
+		    || strcasecmp(tsig_name, "hmac-sha1")                 == 0
+		    || strcasecmp(tsig_name, "hmac-sha256")               == 0
+		       )) {
+
+			/* Roll options */
+			char *tmp_tsig_algorithm = tsig_name;
+			tsig_name      = tsig_data;
+			tsig_data      = tsig_algorithm;
+			tsig_algorithm = tmp_tsig_algorithm;
+		}
+
+		if (strcasecmp(tsig_algorithm, "hmac-md5") == 0) {
+			free(tsig_algorithm);
+			tsig_algorithm = strdup("hmac-md5.sig-alg.reg.int");
+		}
+
 		ldns_resolver_set_tsig_keyname(res, tsig_name);
 		ldns_resolver_set_tsig_keydata(res, tsig_data);
 		ldns_resolver_set_tsig_algorithm(res, tsig_algorithm);
@ -598,7 +647,7 @@ main(int argc, char *argv[])
 				error("%s", "parsing query name");
 			}
 			/* don't care about return packet */
-			(void)do_trace(res, qname, type, clas);
+			do_trace(res, qname, type, clas);
 			clear_root();
 			break;
 		case DRILL_SECTRACE:
@ -650,8 +699,7 @@ main(int argc, char *argv[])
 					ldns_resolver_set_dnssec_anchors(res, ldns_rr_list_clone(key_list));
 					result = do_chase(res, qname, type,
 					                  clas, key_list, 
-					                  pkt, qflags, NULL,
-								   verbosity);
+					                  pkt, qflags, NULL);
 					if (result == LDNS_STATUS_OK) {
 						if (verbosity != -1) {
 							mesg("Chase successful");
@ -682,7 +730,6 @@ main(int argc, char *argv[])
 			if (!qname) {
 				error("%s", "making qname");
 			}
-
 			status = ldns_resolver_prepare_query_pkt(&qpkt, res, qname, type, clas, qflags);
 			if(status != LDNS_STATUS_OK) {
 				error("%s", "making query: %s", 
@ -696,55 +743,48 @@ main(int argc, char *argv[])
 		case DRILL_REVERSE:
 			/* ipv4 or ipv6 addr? */
 			if (strchr(name, ':')) {
-				if (strchr(name, '.')) {
-					error("Syntax error: both '.' and ':' seen in address\n");
+				if (!inet_pton(AF_INET6, name, &s6addr)) {
+					error("Syntax error: cannot parse IPv6 address\n");
 				}
-				name2 = malloc(IP6_ARPA_MAX_LEN + 20);
-				c = 0;
-				for (i=0; i<(int)strlen(name); i++) {
-					if (i >= IP6_ARPA_MAX_LEN) {
-						error("%s", "reverse argument to long");
-					}
-					if (name[i] == ':') {
-						if (i < (int) strlen(name) && name[i + 1] == ':') {
-							error("%s", ":: not supported (yet)");
-						} else {
-							if (i + 2 == (int) strlen(name) || name[i + 2] == ':') {
-								name2[c++] = '0';
-								name2[c++] = '.';
-								name2[c++] = '0';
-								name2[c++] = '.';
-								name2[c++] = '0';
-								name2[c++] = '.';
-							} else if (i + 3 == (int) strlen(name) || name[i + 3] == ':') {
-								name2[c++] = '0';
-								name2[c++] = '.';
-								name2[c++] = '0';
-								name2[c++] = '.';
-							} else if (i + 4 == (int) strlen(name) || name[i + 4] == ':') {
-								name2[c++] = '0';
-								name2[c++] = '.';
-							}
-						}
-					} else {
-						name2[c++] = name[i];
-						name2[c++] = '.';
-					}
-				}
-				name2[c++] = '\0';
+				(void) snprintf(ip6_arpa_str, sizeof(ip6_arpa_str),
+				    "%x.%x.%x.%x.%x.%x.%x.%x."
+				    "%x.%x.%x.%x.%x.%x.%x.%x."
+				    "%x.%x.%x.%x.%x.%x.%x.%x."
+				    "%x.%x.%x.%x.%x.%x.%x.%x.ip6.arpa.",
+				    (unsigned int)(s6addr[15] & 0x0F),
+				    (unsigned int)(s6addr[15] >> 4),
+				    (unsigned int)(s6addr[14] & 0x0F),
+				    (unsigned int)(s6addr[14] >> 4),
+				    (unsigned int)(s6addr[13] & 0x0F),
+				    (unsigned int)(s6addr[13] >> 4),
+				    (unsigned int)(s6addr[12] & 0x0F),
+				    (unsigned int)(s6addr[12] >> 4),
+				    (unsigned int)(s6addr[11] & 0x0F),
+				    (unsigned int)(s6addr[11] >> 4),
+				    (unsigned int)(s6addr[10] & 0x0F),
+				    (unsigned int)(s6addr[10] >> 4),
+				    (unsigned int)(s6addr[9] & 0x0F),
+				    (unsigned int)(s6addr[9] >> 4),
+				    (unsigned int)(s6addr[8] & 0x0F),
+				    (unsigned int)(s6addr[8] >> 4),
+				    (unsigned int)(s6addr[7] & 0x0F),
+				    (unsigned int)(s6addr[7] >> 4),
+				    (unsigned int)(s6addr[6] & 0x0F),
+				    (unsigned int)(s6addr[6] >> 4),
+				    (unsigned int)(s6addr[5] & 0x0F),
+				    (unsigned int)(s6addr[5] >> 4),
+				    (unsigned int)(s6addr[4] & 0x0F),
+				    (unsigned int)(s6addr[4] >> 4),
+				    (unsigned int)(s6addr[3] & 0x0F),
+				    (unsigned int)(s6addr[3] >> 4),
+				    (unsigned int)(s6addr[2] & 0x0F),
+				    (unsigned int)(s6addr[2] >> 4),
+				    (unsigned int)(s6addr[1] & 0x0F),
+				    (unsigned int)(s6addr[1] >> 4),
+				    (unsigned int)(s6addr[0] & 0x0F),
+				    (unsigned int)(s6addr[0] >> 4));

-				qname = ldns_dname_new_frm_str(name2);
-				qname_tmp = ldns_dname_reverse(qname);
-				ldns_rdf_deep_free(qname);
-				qname = qname_tmp;
-				qname_tmp = ldns_dname_new_frm_str("ip6.arpa.");
-				status = ldns_dname_cat(qname, qname_tmp);
-				if (status != LDNS_STATUS_OK) {
-					error("%s", "could not create reverse address for ip6: %s\n", ldns_get_errorstr_by_id(status));
-				}
-				ldns_rdf_deep_free(qname_tmp);
-
-				free(name2);
+				qname = ldns_dname_new_frm_str(ip6_arpa_str);
 			} else {
 				qname = ldns_dname_new_frm_str(name);
 				qname_tmp = ldns_dname_reverse(qname);
@ -974,7 +1014,6 @@ main(int argc, char *argv[])
 	xfree(tsig_algorithm);

 #ifdef HAVE_SSL
-	ERR_remove_state(0);
 	CRYPTO_cleanup_all_ex_data();
 	ERR_free_strings();
 	EVP_cleanup();
--- a/drill/drill.h
+++ b/drill/drill.h
@ -30,10 +30,9 @@
 (VAR) = (VAR) & ~(BIT)

 extern ldns_rr_list *global_dns_root;
-extern bool qds;
 extern int verbosity;

-ldns_pkt *do_trace(ldns_resolver *res,
+void do_trace(ldns_resolver *res,
 			    ldns_rdf *name,
 			    ldns_rr_type type, 
 			    ldns_rr_class c);
@ -44,8 +43,7 @@ ldns_status do_chase(ldns_resolver *res,
 				 ldns_rr_list *trusted_keys, 
 				 ldns_pkt *pkt_o,
 				 uint16_t qflags,
-				 ldns_rr_list *prev_key_list,
-				 int verbosity);
+				 ldns_rr_list *prev_key_list);
 int do_secure_trace(ldns_resolver *res,
 				ldns_rdf *name,
 				ldns_rr_type type, 
--- a/drill/error.c
+++ b/drill/error.c
@ -69,6 +69,7 @@ mesg(const char *fmt, ...)
 	va_end(args);
 }

+#if 0
 /* print stuff when in verbose mode (1) */
 void
 verbose(const char *fmt, ...)
@ -82,34 +83,4 @@ verbose(const char *fmt, ...)
 	verbose_va_list(fmt, args);
 	va_end(args);
 }
-
-/* print stuff when in vverbose mode (2) */
-void
-vverbose(const char *fmt, ...)
-{
-	va_list args;
-	if (verbosity < 2) {
-		return;
-	}
-
-	va_start(args, fmt);
-	verbose_va_list(fmt, args);
-	va_end(args);
-}
-
-static void
-debug_va_list(const char *fmt, va_list args)
-{
-        vfprintf(stderr, fmt, args);
-        fprintf(stderr, "\n");
-}
-
-void
-debug(const char *fmt, ...)
-{
-	va_list args;
-	fprintf(stderr, "[DEBUG] ");
-	va_start(args, fmt);
-	debug_va_list(fmt, args);
-	va_end(args);
-}
+#endif
--- a/drill/securetrace.c
+++ b/drill/securetrace.c
@ -62,7 +62,7 @@ ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
 }
 #endif

-ldns_pkt *
+static ldns_pkt *
 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t) 
 {
 	ldns_pkt *p = NULL;
@ -97,7 +97,7 @@ get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **o
 }
 #endif /* HAVE_SSL */

-void
+static void
 remove_resolver_nameservers(ldns_resolver *res)
 {
 	ldns_rdf *pop;
@ -109,17 +109,6 @@ remove_resolver_nameservers(ldns_resolver *res)

 }

-void
-show_current_nameservers(FILE *out, ldns_resolver *res)
-{
-	size_t i;
-	fprintf(out, "Current nameservers for resolver object:\n");
-	for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
-		ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
-		fprintf(out, "\n");
-	}
-}
-	
 /*ldns_pkt **/
 #ifdef HAVE_SSL
 int
--- a/drill/work.c
+++ b/drill/work.c
@ -18,7 +18,7 @@
 *
 * This function returns the length of the result
 */
-size_t
+static size_t
 hexstr2bin(char *hexstr, int len, uint8_t *buf, size_t offset, size_t buf_len)
 {
 	char c;
@ -64,7 +64,7 @@ hexstr2bin(char *hexstr, int len, uint8_t *buf, size_t offset, size_t buf_len)
        return bufpos;
 }

-size_t
+static size_t
 packetbuffromfile(char *filename, uint8_t *wire)
 {
 	FILE *fp = NULL;
--- a/duration.c
+++ b/duration.c
@ -75,7 +75,7 @@ ldns_duration_create(void)
 *
 */
 int
-ldns_duration_compare(ldns_duration_type* d1, ldns_duration_type* d2)
+ldns_duration_compare(const ldns_duration_type* d1, const ldns_duration_type* d2)
 {
    if (!d1 && !d2) {
        return 0;
@ -213,7 +213,7 @@ digits_in_number(time_t duration)
 *
 */
 char*
-ldns_duration2string(ldns_duration_type* duration)
+ldns_duration2string(const ldns_duration_type* duration)
 {
    char* str = NULL, *num = NULL;
    size_t count = 2;
@ -316,7 +316,7 @@ ldns_duration2string(ldns_duration_type* duration)
 *
 */
 time_t
-ldns_duration2time(ldns_duration_type* duration)
+ldns_duration2time(const ldns_duration_type* duration)
 {
    time_t period = 0;

--- a/error.c
+++ b/error.c
@ -143,6 +143,20 @@ ldns_lookup_table ldns_error_str[] = {
        { LDNS_STATUS_INVALID_RDF_TYPE, 
 		"The rdata field was not of the expected type" },
        { LDNS_STATUS_RDATA_OVERFLOW, "Rdata size overflow" },
+	{ LDNS_STATUS_SYNTAX_SUPERFLUOUS_TEXT_ERR,
+		"Syntax error, superfluous text present" },
+        { LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW,
+		"The NSEC3 domainname length overflow" },
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
+        { LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA,
+		"ldns needs to be linked with OpenSSL >= 1.1.0 to be able "
+       		"to verify the DANE-TA usage type." },
+#else
+        { LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA,
+		"ldns depends on the availability of the SSL_get0_dane() and "
+		"X509_STORE_CTX_set0_dane() functions within OpenSSL >= 1.1.0 "
+		"to be able to verify the DANE-TA usage type." },
+#endif
 	{ 0, NULL }
 };

--- a/examples/config.h.in
+++ b/examples/config.h.in
@ -36,8 +36,8 @@
 /* Define to 1 if you have the <getopt.h> header file. */
 #undef HAVE_GETOPT_H

-/* If you have HMAC_CTX_init */
-#undef HAVE_HMAC_CTX_INIT
+/* If you have HMAC_Update */
+#undef HAVE_HMAC_UPDATE

 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
--- a/examples/configure
+++ b/examples/configure
@ -1,13 +1,11 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for ldns 1.6.17.
+# Generated by GNU Autoconf 2.69 for ldns 1.7.0.
 #
 # Report bugs to <libdns@nlnetlabs.nl>.
 #
 #
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
-# Foundation, Inc.
+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
 #
 #
 # This configure script is free software; the Free Software Foundation
@ -136,6 +134,31 @@ export LANGUAGE
 # CDPATH.
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH

+# Use a proper internal environment variable to ensure we don't fall
+  # into an infinite loop, continuously re-executing ourselves.
+  if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
+    _as_can_reexec=no; export _as_can_reexec;
+    # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+as_fn_exit 255
+  fi
+  # We don't want this to propagate to other subprocesses.
+          { _as_can_reexec=; unset _as_can_reexec;}
 if test "x$CONFIG_SHELL" = x; then
  as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
  emulate sh
@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
 else
  exitcode=1; echo positional parameters were not saved.
 fi
-test x\$exitcode = x0 || exit 1"
+test x\$exitcode = x0 || exit 1
+test -x / || exit 1"
  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
@ -214,21 +238,25 @@ IFS=$as_save_IFS


      if test "x$CONFIG_SHELL" != x; then :
-  # We cannot yet assume a decent shell, so we have to provide a
-	# neutralization value for shells without unset; and this also
-	# works around shells that cannot unset nonexistent variables.
-	# Preserve -v and -x to the replacement shell.
-	BASH_ENV=/dev/null
-	ENV=/dev/null
-	(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-	export CONFIG_SHELL
-	case $- in # ((((
-	  *v*x* | *x*v* ) as_opts=-vx ;;
-	  *v* ) as_opts=-v ;;
-	  *x* ) as_opts=-x ;;
-	  * ) as_opts= ;;
-	esac
-	exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
+  export CONFIG_SHELL
+             # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+exit 255
 fi

    if test x$as_have_required = xno; then :
@ -331,6 +359,14 @@ $as_echo X"$as_dir" |


 } # as_fn_mkdir_p
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
 # as_fn_append VAR VALUE
 # ----------------------
 # Append the text in VALUE to the end of the definition contained in VAR. Take
@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits
  chmod +x "$as_me.lineno" ||
    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }

+  # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
+  # already done that, so ensure we don't try to do so again and fall
+  # in an infinite loop.  This has already happened in practice.
+  _as_can_reexec=no; export _as_can_reexec
  # Don't try to exec as it changes $[0], causing all sort of problems
  # (the dirname of $[0] is not the place where we might find the
  # original and so on.  Autoconf is especially sensitive to this).
@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then
    # ... but there are two gotchas:
    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
+    # In both cases, we have to default to `cp -pR'.
    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
+      as_ln_s='cp -pR'
  elif ln conf$$.file conf$$ 2>/dev/null; then
    as_ln_s=ln
  else
-    as_ln_s='cp -p'
+    as_ln_s='cp -pR'
  fi
 else
-  as_ln_s='cp -p'
+  as_ln_s='cp -pR'
 fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
@ -507,28 +547,8 @@ else
  as_mkdir_p=false
 fi

-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in #(
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p

 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@ -560,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='ldns'
 PACKAGE_TARNAME='libdns'
-PACKAGE_VERSION='1.6.17'
-PACKAGE_STRING='ldns 1.6.17'
+PACKAGE_VERSION='1.7.0'
+PACKAGE_STRING='ldns 1.7.0'
 PACKAGE_BUGREPORT='libdns@nlnetlabs.nl'
 PACKAGE_URL=''

@ -646,6 +666,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@ -726,6 +747,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -978,6 +1000,15 @@ do
  | -silent | --silent | --silen | --sile | --sil)
    silent=yes ;;

+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
    ac_prev=sbindir ;;
  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@ -1115,7 +1146,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
  eval ac_val=\$$ac_var
  # Remove trailing slashes.
@ -1143,8 +1174,6 @@ target=$target_alias
 if test "x$host_alias" != x; then
  if test "x$build_alias" = x; then
    cross_compiling=maybe
-    $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
-    If a cross compiler is detected then cross compile mode will be used" >&2
  elif test "x$build_alias" != "x$host_alias"; then
    cross_compiling=yes
  fi
@ -1230,7 +1259,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures ldns 1.6.17 to adapt to many kinds of systems.
+\`configure' configures ldns 1.7.0 to adapt to many kinds of systems.

 Usage: $0 [OPTION]... [VAR=VALUE]...

@ -1270,6 +1299,7 @@ Fine tuning of the installation directories:
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@ -1291,7 +1321,7 @@ fi

 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of ldns 1.6.17:";;
+     short | recursive ) echo "Configuration of ldns 1.7.0:";;
   esac
  cat <<\_ACEOF

@ -1397,10 +1427,10 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-ldns configure 1.6.17
-generated by GNU Autoconf 2.68
+ldns configure 1.7.0
+generated by GNU Autoconf 2.69

-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
@ -1731,7 +1761,7 @@ $as_echo "$ac_try_echo"; } >&5
 	 test ! -s conftest.err
       } && test -s conftest$ac_exeext && {
 	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
+	 test -x conftest$ac_exeext
       }; then :
  ac_retval=0
 else
@ -1866,8 +1896,8 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.

-It was created by ldns $as_me 1.6.17, which was
-generated by GNU Autoconf 2.68.  Invocation command line was
+It was created by ldns $as_me 1.7.0, which was
+generated by GNU Autoconf 2.69.  Invocation command line was

  $ $0 $@

@ -2219,7 +2249,15 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.
 # BSD licensed.
 #
-# Version 26
+# Version 34
+# 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
+# 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
+# 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
+# 2015-12-11 FLTO check for new OSX, clang.
+# 2015-11-18 spelling check fix.
+# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
+# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
+# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
 # 2013-09-19 FLTO help text improved.
 # 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
 # 2013-06-25 FLTO has --disable-flto option.
@ -2310,6 +2348,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 # ACX_CHECK_MEMCMP_SIGNED	- check if memcmp uses signed characters.
 # AHX_MEMCMP_BROKEN		- replace memcmp func for CHECK_MEMCMP_SIGNED.
 # ACX_CHECK_SS_FAMILY           - check for sockaddr_storage.ss_family
+# ACX_CHECK_PIE			- add --enable-pie option and check if works
+# ACX_CHECK_RELRO_NOW		- add --enable-relro-now option and check it
 #


@ -2406,6 +2446,12 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu



+
+
+
+
+
+



@ -2443,7 +2489,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}gcc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -2483,7 +2529,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="gcc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -2536,7 +2582,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}cc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -2577,7 +2623,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
       ac_prog_rejected=yes
       continue
@ -2635,7 +2681,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -2679,7 +2725,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="$ac_prog"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -3125,8 +3171,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdarg.h>
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+struct stat;
 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
 struct buf { int x; };
 FILE * (*rcsopen) (struct buf *, struct stat *, int);
@ -3366,7 +3411,7 @@ do
    for ac_prog in grep ggrep; do
    for ac_exec_ext in '' $ac_executable_extensions; do
      ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+      as_fn_executable_p "$ac_path_GREP" || continue
 # Check for GNU ac_path_GREP and select it if it is found.
  # Check for GNU $ac_path_GREP
 case `"$ac_path_GREP" --version 2>&1` in
@ -3432,7 +3477,7 @@ do
    for ac_prog in egrep; do
    for ac_exec_ext in '' $ac_executable_extensions; do
      ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+      as_fn_executable_p "$ac_path_EGREP" || continue
 # Check for GNU ac_path_EGREP and select it if it is found.
  # Check for GNU $ac_path_EGREP
 case `"$ac_path_EGREP" --version 2>&1` in
@ -3639,8 +3684,8 @@ else
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */

-#	  define __EXTENSIONS__ 1
-	  $ac_includes_default
+#         define __EXTENSIONS__ 1
+          $ac_includes_default
 int
 main ()
 {
@ -3694,7 +3739,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}gcc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -3734,7 +3779,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="gcc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -3787,7 +3832,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}cc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -3828,7 +3873,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
       ac_prog_rejected=yes
       continue
@ -3886,7 +3931,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -3930,7 +3975,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="$ac_prog"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -4126,8 +4171,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdarg.h>
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+struct stat;
 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
 struct buf { int x; };
 FILE * (*rcsopen) (struct buf *, struct stat *, int);
@ -4261,7 +4305,7 @@ do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_libtool="$ac_prog"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
@ -5060,8 +5104,8 @@ $as_echo "found in $ssldir" >&6; }

            fi

-            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_CTX_init in -lcrypto" >&5
-$as_echo_n "checking for HMAC_CTX_init in -lcrypto... " >&6; }
+            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_Update in -lcrypto" >&5
+$as_echo_n "checking for HMAC_Update in -lcrypto... " >&6; }
            LIBS="$LIBS -lcrypto"
            LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
            cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@ -5071,8 +5115,8 @@ int
 main ()
 {

-                int HMAC_CTX_init(void);
-                (void)HMAC_CTX_init();
+                int HMAC_Update(void);
+                (void)HMAC_Update();

  ;
  return 0;
@ -5083,7 +5127,7 @@ if ac_fn_c_try_link "$LINENO"; then :
                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }

-$as_echo "#define HAVE_HMAC_CTX_INIT 1" >>confdefs.h
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h


 else
@ -5104,8 +5148,8 @@ int
 main ()
 {

-                    int HMAC_CTX_init(void);
-                    (void)HMAC_CTX_init();
+                    int HMAC_Update(void);
+                    (void)HMAC_Update();

  ;
  return 0;
@ -5114,7 +5158,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :


-$as_echo "#define HAVE_HMAC_CTX_INIT 1" >>confdefs.h
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h

                    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@ -5136,8 +5180,8 @@ int
 main ()
 {

-                        int HMAC_CTX_init(void);
-                        (void)HMAC_CTX_init();
+                        int HMAC_Update(void);
+                        (void)HMAC_Update();

  ;
  return 0;
@ -5146,7 +5190,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :


-$as_echo "#define HAVE_HMAC_CTX_INIT 1" >>confdefs.h
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h

                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@ -5155,7 +5199,43 @@ else

                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
-                    as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5
+                        LIBS="$BAKLIBS"
+                        LIBSSL_LIBS="$BAKSSLLIBS"
+                        LIBS="$LIBS -ldl -pthread"
+                        LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
+                        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl -pthread" >&5
+$as_echo_n "checking if -lcrypto needs -ldl -pthread... " >&6; }
+                        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+                            int HMAC_Update(void);
+                            (void)HMAC_Update();
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+
+                            { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+
+                            { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                            as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext

 fi
 rm -f core conftest.err conftest.$ac_objext \
@ -5171,67 +5251,6 @@ rm -f core conftest.err conftest.$ac_objext \
        fi


-	# openssl engine functionality needs dlopen().
-	BAKLIBS="$LIBS"
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
-$as_echo_n "checking for library containing dlopen... " >&6; }
-if ${ac_cv_search_dlopen+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-for ac_lib in '' dl; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_dlopen=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext
-  if ${ac_cv_search_dlopen+:} false; then :
-  break
-fi
-done
-if ${ac_cv_search_dlopen+:} false; then :
-
-else
-  ac_cv_search_dlopen=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5
-$as_echo "$ac_cv_search_dlopen" >&6; }
-ac_res=$ac_cv_search_dlopen
-if test "$ac_res" != no; then :
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-fi
-
-	if test "$LIBS" != "$BAKLIBS"; then
-		LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
-	fi
    fi
 for ac_header in openssl/ssl.h
 do :
@ -6448,16 +6467,16 @@ if (echo >conf$$.file) 2>/dev/null; then
    # ... but there are two gotchas:
    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
+    # In both cases, we have to default to `cp -pR'.
    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
+      as_ln_s='cp -pR'
  elif ln conf$$.file conf$$ 2>/dev/null; then
    as_ln_s=ln
  else
-    as_ln_s='cp -p'
+    as_ln_s='cp -pR'
  fi
 else
-  as_ln_s='cp -p'
+  as_ln_s='cp -pR'
 fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
@ -6517,28 +6536,16 @@ else
  as_mkdir_p=false
 fi

-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in #(
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p

 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@ -6559,8 +6566,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ldns $as_me 1.6.17, which was
-generated by GNU Autoconf 2.68.  Invocation command line was
+This file was extended by ldns $as_me 1.7.0, which was
+generated by GNU Autoconf 2.69.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
  CONFIG_HEADERS  = $CONFIG_HEADERS
@ -6621,11 +6628,11 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-ldns config.status 1.6.17
-configured by $0, generated by GNU Autoconf 2.68,
+ldns config.status 1.7.0
+configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"

-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."

@ -6713,7 +6720,7 @@ fi
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 if \$ac_cs_recheck; then
-  set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
  shift
  \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
  CONFIG_SHELL='$SHELL'
--- a/examples/configure.ac
+++ b/examples/configure.ac
@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.

 AC_PREREQ(2.56)
-AC_INIT(ldns, 1.6.17, libdns@nlnetlabs.nl,libdns)
+AC_INIT(ldns, 1.7.0, libdns@nlnetlabs.nl,libdns)
 AC_CONFIG_SRCDIR([ldns-read-zone.c])
 sinclude(../acx_nlnetlabs.m4)

--- a/examples/ldns-compare-zones.1
+++ b/examples/ldns-compare-zones.1
@ -14,7 +14,7 @@ ldns-compare-zones \- read and compare two zonefiles and print differences
 \fBldns-compare-zones\fR reads two DNS zone files and prints number of differences.
 .nf
 Output is formated to:
-        +NUM_INS        -NUM_DEL        ~NUM_CHG
+        +NUM_INS        \-NUM_DEL        ~NUM_CHG

 .fi
 The major comparison is based on the owner name. If an owner name is present in zonefile 1, but not in zonefile 2, the resource records with this owner name are considered deleted, and counted as NUM_DEL. If an owner name is present in zonefile 2, but not in zonefile 1, the resource records with this owner name are considered inserted, and counted as NUM_INS. If an owner name is present in both, but there is a difference in the amount or content of the records, these are considered changed, and counted as NUM_CHG.
@ -30,8 +30,8 @@ Print resource records whose owner names are present only in ZONEFILE2 (a.k.a. i
 Print resource records whose owner names are present only in ZONEFILE1 (a.k.a. deleted)
 .TP
 \fB-a\fR
-Print all changes. Specifying this option is the same as specifying -c -i
-amd -d.
+Print all changes. Specifying this option is the same as specifying \-c \-i
+amd \-d.
 .TP
 \fB-z\fR
 Suppress zone sorting; this option is not recommended; it can cause records
@ -42,6 +42,9 @@ Do not exclude the SOA record from the comparison.  The SOA record may
 then show up as changed due to a new serial number.  Off by default since
 you may be interested to know if (other zone apex elements) have changed.
 .TP
+\fB-e\fR
+Exit with status code 2 when zones differ.
+.TP
 \fB-h\fR
 Show usage and exit
 .TP
--- a/examples/ldns-compare-zones.c
+++ b/examples/ldns-compare-zones.c
@ -25,14 +25,15 @@
 static void 
 usage(char *prog)
 {
-	printf("Usage: %s [-v] [-i] [-d] [-c] [-s] <zonefile1> <zonefile2>\n",
-		prog);
+	printf("Usage: %s [-v] [-i] [-d] [-c] [-s] [-e] "
+	       "<zonefile1> <zonefile2>\n", prog);
 	printf("       -i - print inserted\n");
 	printf("       -d - print deleted\n");
 	printf("       -c - print changed\n");
 	printf("       -a - print all differences (-i -d -c)\n");
 	printf("       -s - do not exclude SOA record from comparison\n");
 	printf("       -z - do not sort zones\n");
+	printf("       -e - exit with status 2 on changed zones\n");
 	printf("       -h - show usage and exit\n");
 	printf("       -v - show the version and exit\n");
 }
@ -54,9 +55,10 @@ main(int argc, char **argv)
 	int		c;
 	bool		opt_deleted = false, opt_inserted = false, opt_changed = false;
        bool		sort = true, inc_soa = false;
+	bool		opt_exit_status = false;
 	char		op = 0;

-	while ((c = getopt(argc, argv, "ahvdicsz")) != -1) {
+	while ((c = getopt(argc, argv, "ahvdicesz")) != -1) {
 		switch (c) {
 		case 'h':
 			usage(argv[0]);
@ -69,6 +71,9 @@ main(int argc, char **argv)
 				  ldns_version());
 			exit(EXIT_SUCCESS);
 			break;
+		case 'e':
+			opt_exit_status = true;
+			break;
 		case 's':
 			inc_soa = true;
 			break;
@ -281,5 +286,5 @@ main(int argc, char **argv)
 	ldns_zone_deep_free(z2);
 	ldns_zone_deep_free(z1);

-	return 0;
+	return opt_exit_status && (num_ins || num_del || num_chg) ? 2 : 0;
 }
--- a/examples/ldns-dane.1.in
+++ b/examples/ldns-dane.1.in
@ -17,9 +17,9 @@ ldns-dane \- verify or create TLS authentication with DANE (RFC6698)

 .B ldns-dane
 .IR [OPTIONS]
+.IR create
 .IR name
 .IR port
-.IR create
 .PP
          [
 .IR Certificate-usage
@ -55,38 +55,35 @@ The parameters for TLSA rr creation are:
 .PD 0
 .I Certificate-usage\fR:
 .RS
-.IP 0
+.IP "0 | PKIX-TA"
 CA constraint
-.IP 1
+.IP "1 | PKIX-EE"
 Service certificate constraint
-.IP 2
+.IP "2 | DANE-TA"
 Trust anchor assertion
-.IP 3
+.IP "3 | DANE-EE"
 Domain-issued certificate (default)
 .RE

 .I Selector\fR:
 .RS
-.IP 0
-Full certificate (default)
-.IP 1
-SubjectPublicKeyInfo
+.IP "0 | Cert"
+Full certificate
+.IP "1 | SPKI"
+SubjectPublicKeyInfo (default)
 .RE

 .I Matching-type\fR:
 .RS
-.IP 0
+.IP "0 | Full"
 No hash used
-.IP 1
+.IP "1 | SHA2-256"
 SHA-256 (default)
-.IP 2
+.IP "2 | SHA2-512"
 SHA-512
 .RE
 .PD 1

-In stead of numbers the first few letters of the value may be used.
-Except for the hash algorithm name, where the full name must be specified.
-
 .SH OPTIONS
 .IP -4
 TLS connect IPv4 only
@ -128,7 +125,7 @@ select the \fIoffset\fRth certificate offset from the end
 of the validation chain. 0 means the last certificate, 1 the one but last,
 2 the second but last, etc.

-When \fIoffset\fR is -1 (the default), the last certificate
+When \fIoffset\fR is \-1 (the default), the last certificate
 is used (like with 0) that MUST be self-signed. This can help to make
 sure that the intended (self signed) trust anchor is actually present
 in the server certificate chain (which is a DANE requirement).
--- a/examples/ldns-dane.c
+++ b/examples/ldns-dane.c
@ -58,37 +58,45 @@

 /* int verbosity = 3; */

-void
+static void
 print_usage(const char* progname)
 {
+#ifdef USE_DANE_VERIY
 	printf("Usage: %s [OPTIONS] verify <name> <port>\n", progname);
 	printf("   or: %s [OPTIONS] -t <tlsafile> verify\n", progname);
 	printf("\n\tVerify the TLS connection at <name>:<port> or"
 	       "\n\tuse TLSA record(s) from <tlsafile> to verify the\n"
 			"\tTLS service they reference.\n");
 	printf("\n   or: %s [OPTIONS] create <name> <port> [<usage> "
+#else
+	printf("Usage: %s [OPTIONS] create <name> <port> [<usage> "
+#endif
 			"[<selector> [<type>]]]\n", progname);
 	printf("\n\tUse the TLS connection(s) to <name> <port> "
 			"to create the TLSA\n\t"
 			"resource record(s) that would "
 			"authenticate the connection.\n");
 	printf("\n\t<usage>"
-			"\t\t0: CA constraint\n"
-			"\t\t\t1: Service certificate constraint\n"
-			"\t\t\t2: Trust anchor assertion\n"
-			"\t\t\t3: Domain-issued certificate (default)\n");
+			"\t\t0 | PKIX-TA  : CA constraint\n"
+			"\t\t\t1 | PKIX-EE  : Service certificate constraint\n"
+			"\t\t\t2 | DANE-TA  : Trust anchor assertion\n"
+			"\t\t\t3 | DANE-EE  : Domain-issued certificate "
+			"(default)\n");
 	printf("\n\t<selector>"
-			"\t0: Full certificate (default)\n"
-			"\t\t\t1: SubjectPublicKeyInfo\n");
+			"\t0 | Cert     : Full certificate\n"
+			"\t\t\t1 | SPKI     : SubjectPublicKeyInfo "
+			"(default)\n");
 	printf("\n\t<type>"
-			"\t\t0: No hash used\n"
-			"\t\t\t1: SHA-256 (default)\n"
-			"\t\t\t2: SHA-512\n");
+			"\t\t0 | Full     : No hash used\n"
+			"\t\t\t1 | SHA2-256 : SHA-256 (default)\n"
+			"\t\t\t2 | SHA2-512 : SHA-512\n");

 	printf("OPTIONS:\n");
 	printf("\t-h\t\tshow this text\n");
 	printf("\t-4\t\tTLS connect IPv4 only\n");
 	printf("\t-6\t\tTLS connect IPv6 only\n");
+	printf("\t-r <address>\t"
+	       "use resolver at <address> instead of local resolver\n");
 	printf("\t-a <address>\t"
 	       "don't resolve <name>, but connect to <address>(es)\n");
 	printf("\t-b\t\t"
@ -133,7 +141,7 @@ print_usage(const char* progname)
 	exit(EXIT_SUCCESS);
 }

-int
+static int
 dane_int_within_range(const char* arg, int max, const char* name)
 {
 	char* endptr; /* utility var for strtol usage */
@ -157,30 +165,52 @@ struct dane_param_choice_struct {
 typedef struct dane_param_choice_struct dane_param_choice;

 dane_param_choice dane_certificate_usage_table[] = {
-	{ "CA constraint"			, 0 },
-	{ "CA-constraint"			, 0 },
-	{ "Service certificate constraint"	, 1 },
-	{ "Service-certificate-constraint"	, 1 },
-	{ "Trust anchor assertion"		, 2 },
-	{ "Trust-anchor-assertion"		, 2 },
-	{ "anchor"				, 2 },
-	{ "Domain-issued certificate"		, 3 },
-	{ "Domain-issued-certificate"		, 3 },
+	{ "PKIX-TA"				,   0 },
+	{ "CA constraint"			,   0 },
+	{ "CA-constraint"			,   0 },
+	{ "PKIX-EE"				,   1 },
+	{ "Service certificate constraint"	,   1 },
+	{ "Service-certificate-constraint"	,   1 },
+	{ "DANE-TA"				,   2 },
+	{ "Trust anchor assertion"		,   2 },
+	{ "Trust-anchor-assertion"		,   2 },
+	{ "anchor"				,   2 },
+	{ "DANE-EE"				,   3 },
+	{ "Domain-issued certificate"		,   3 },
+	{ "Domain-issued-certificate"		,   3 },
+	{ "PrivCert"				, 255 },
 	{ NULL, -1 }
 };

 dane_param_choice dane_selector_table[] = {
-	{ "Full certificate"	, 0 },
-	{ "Full-certificate"	, 0 },
-	{ "certificate"		, 0 },
-	{ "SubjectPublicKeyInfo", 1 },
-	{ "PublicKey"		, 1 },
-	{ "pubkey"		, 1 },
-	{ "key"			, 1 },
+	{ "Cert"		,   0 },
+	{ "Full certificate"	,   0 },
+	{ "Full-certificate"	,   0 },
+	{ "certificate"		,   0 },
+	{ "SPKI"		,   1 },
+	{ "SubjectPublicKeyInfo",   1 },
+	{ "PublicKey"		,   1 },
+	{ "pubkey"		,   1 },
+	{ "key"			,   1 },
+	{ "PrivSel"		, 255 },
 	{ NULL, -1 }
 };

-int
+dane_param_choice dane_matching_type_table[] = {
+	{ "Full"		,   0 },
+	{ "no-hash-used"	,   0 },
+	{ "no hash used"	,   0 },
+	{ "SHA2-256"		,   1 },
+	{ "sha256"		,   1 },
+	{ "sha-256"		,   1 },
+	{ "SHA2-512"		,   2 },
+	{ "sha512"		,   2 },
+	{ "sha-512"		,   2 },
+	{ "PrivMatch"		, 255 },
+	{ NULL, -1 }
+};
+
+static int
 dane_int_within_range_table(const char* arg, int max, const char* name,
 		dane_param_choice table[])
 {
@ -196,7 +226,7 @@ dane_int_within_range_table(const char* arg, int max, const char* name,
 	return dane_int_within_range(arg, max, name);
 }

-void
+static void
 ssl_err(const char* s)
 {
 	fprintf(stderr, "error: %s\n", s);
@ -204,7 +234,7 @@ ssl_err(const char* s)
 	exit(EXIT_FAILURE);
 }

-void
+static void
 ldns_err(const char* s, ldns_status err)
 {
 	if (err == LDNS_STATUS_SSL_ERR) {
@ -215,7 +245,7 @@ ldns_err(const char* s, ldns_status err)
 	}
 }

-ldns_status
+static ldns_status
 ssl_connect_and_get_cert_chain(
 		X509** cert, STACK_OF(X509)** extra_certs,
 	       	SSL* ssl, const char* name_str,
@ -296,7 +326,8 @@ ssl_connect_and_get_cert_chain(
 }


-void
+#ifdef USE_DANE_VERIFY
+static void
 ssl_interact(SSL* ssl)
 {
 	fd_set rfds;
@ -382,9 +413,10 @@ ssl_interact(SSL* ssl)

 	} /* for (;;) */
 }
+#endif /* USE_DANE_VERIFY */


-ldns_rr_list*
+static ldns_rr_list*
 rr_list_filter_rr_type(ldns_rr_list* l, ldns_rr_type t)
 {
 	size_t i;
@ -414,7 +446,7 @@ rr_list_filter_rr_type(ldns_rr_list* l, ldns_rr_type t)
 *
 * This to check what would happen if PKIX validation was successfull always.
 */
-ldns_rr_list*
+static ldns_rr_list*
 dane_no_pkix_transform(const ldns_rr_list* tlas)
 {
 	size_t i;
@ -476,7 +508,7 @@ dane_no_pkix_transform(const ldns_rr_list* tlas)
 	return r;
 }

-void
+static void
 print_rr_as_TYPEXXX(FILE* out, ldns_rr* rr)
 {
 	size_t i, sz;
@ -507,7 +539,7 @@ print_rr_as_TYPEXXX(FILE* out, ldns_rr* rr)
 	LDNS_FREE(str);
 }

-void
+static void
 print_rr_list_as_TYPEXXX(FILE* out, ldns_rr_list* l)
 {
 	size_t i;
@ -517,7 +549,7 @@ print_rr_list_as_TYPEXXX(FILE* out, ldns_rr_list* l)
 	}
 }

-ldns_status
+static ldns_status
 read_key_file(const char *filename, ldns_rr_list *keys)
 {
 	ldns_status status = LDNS_STATUS_ERR;
@ -556,15 +588,24 @@ read_key_file(const char *filename, ldns_rr_list *keys)
 }


-ldns_status
-dane_setup_resolver(ldns_resolver** res,
+static ldns_status
+dane_setup_resolver(ldns_resolver** res, ldns_rdf* nameserver_addr,
 		ldns_rr_list* keys, bool dnssec_off)
 {
-	ldns_status s;
+	ldns_status s = LDNS_STATUS_OK;

 	assert(res != NULL);

-	s = ldns_resolver_new_frm_file(res, NULL);
+	if (nameserver_addr) {
+		*res = ldns_resolver_new();
+		if (*res) {
+			s = ldns_resolver_push_nameserver(*res, nameserver_addr);
+		} else {
+			s = LDNS_STATUS_MEM_ERR;
+		}
+	} else {
+	        s = ldns_resolver_new_frm_file(res, NULL);
+	}
 	if (s == LDNS_STATUS_OK) {
 		ldns_resolver_set_dnssec(*res, ! dnssec_off);

@ -578,7 +619,7 @@ dane_setup_resolver(ldns_resolver** res,
 }


-ldns_status
+static ldns_status
 dane_query(ldns_rr_list** rrs, ldns_resolver* r,
 		ldns_rdf *name, ldns_rr_type t, ldns_rr_class c,
 		bool insecure_is_ok)
@ -597,7 +638,7 @@ dane_query(ldns_rr_list** rrs, ldns_resolver* r,
 	}
 	*rrs = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_ANSWER);

-	if (! ldns_resolver_dnssec(r)) { /* DNSSEC explicitely disabled,
+	if (! ldns_resolver_dnssec(r)) { /* DNSSEC explicitly disabled,
 					    anything goes */
 		ldns_pkt_free(p);
 		return LDNS_STATUS_OK;
@ -683,7 +724,7 @@ dane_query(ldns_rr_list** rrs, ldns_resolver* r,
 }


-ldns_rr_list*
+static ldns_rr_list*
 dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
 		int ai_family)
 {
@ -750,7 +791,7 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
 	return r;
 }

-ldns_status
+static ldns_status
 dane_read_tlsas_from_file(ldns_rr_list** tlsas,
 		char* filename, ldns_rdf* origin)
 {
@ -842,7 +883,7 @@ dane_read_tlsas_from_file(ldns_rr_list** tlsas,
 	return s;
 }

-bool
+static bool
 dane_wildcard_label_cmp(uint8_t iw, const char* w, uint8_t il, const char* l)
 {
 	if (iw == 0) { /* End of match label */
@ -885,7 +926,7 @@ dane_wildcard_label_cmp(uint8_t iw, const char* w, uint8_t il, const char* l)
 	return iw == 0 && il == 0;
 }

-bool
+static bool
 dane_label_matches_label(ldns_rdf* w, ldns_rdf* l)
 {
 	uint8_t iw;
@ -898,7 +939,7 @@ dane_label_matches_label(ldns_rdf* w, ldns_rdf* l)
 			il, (const char*)ldns_rdf_data(l) + 1);
 }

-bool
+static bool
 dane_name_matches_server_name(const char* name_str, ldns_rdf* server_name)
 {
 	ldns_rdf* name;
@ -938,7 +979,7 @@ dane_name_matches_server_name(const char* name_str, ldns_rdf* server_name)
 	return true;
 }

-bool
+static bool
 dane_X509_any_subject_alt_name_matches_server_name(
 		X509 *cert, ldns_rdf* server_name)
 {
@ -972,7 +1013,7 @@ dane_X509_any_subject_alt_name_matches_server_name(
 	return false;
 }

-bool
+static bool
 dane_X509_subject_name_matches_server_name(X509 *cert, ldns_rdf* server_name)
 {
 	X509_NAME* subject_name;
@ -1000,7 +1041,7 @@ dane_X509_subject_name_matches_server_name(X509 *cert, ldns_rdf* server_name)
 	}
 }

-bool
+static bool
 dane_verify_server_name(X509* cert, ldns_rdf* server_name)
 {
 	ldns_rdf* server_name_lc;
@ -1018,7 +1059,7 @@ dane_verify_server_name(X509* cert, ldns_rdf* server_name)
 	return r;
 }

-void
+static void
 dane_create(ldns_rr_list* tlsas, ldns_rdf* tlsa_owner,
 		ldns_tlsa_certificate_usage certificate_usage, int offset,
 		ldns_tlsa_selector          selector,
@ -1047,7 +1088,7 @@ dane_create(ldns_rr_list* tlsas, ldns_rdf* tlsa_owner,
 			selected_cert);
 	LDNS_ERR(s, "could not create tlsa rr");

-	ldns_rr_set_owner(tlsa_rr, tlsa_owner);
+	ldns_rr_set_owner(tlsa_rr, ldns_rdf_clone(tlsa_owner));
 			     
 	if (! ldns_rr_list_contains_rr(tlsas, tlsa_rr)) {
 		if (! ldns_rr_list_push_rr(tlsas, tlsa_rr)) {
@ -1056,7 +1097,8 @@ dane_create(ldns_rr_list* tlsas, ldns_rdf* tlsa_owner,
 	}
 }

-bool
+#if defined(USE_DANE_VERIFY) && ( OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) )
+static bool
 dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
 		X509* cert, STACK_OF(X509)* extra_certs,
 		X509_STORE* validate_store,
@ -1096,6 +1138,22 @@ dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
 			ldns_get_errorstr_by_id(s));
 	return false;
 }
+#endif /* defined(USE_DANE_VERIFY) && OPENSSL_VERSION_NUMBER < 0x10100000 */
+
+/**
+ * Return either an A or AAAA rdf, based on the given
+ * string. If it it not a valid ip address, return null.
+ *
+ * Caller receives ownership of returned rdf (if not null),
+ * and must free it.
+ */
+static inline ldns_rdf* rdf_addr_frm_str(const char* str) {
+	ldns_rdf *a = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_A, str);
+	if (!a) {
+		a = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_AAAA, str);
+	}
+	return a;
+}


 int
@ -1107,6 +1165,11 @@ main(int argc, char* const* argv)
 	ldns_status   s;
 	size_t        i;

+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && ! defined(HAVE_LIBRESSL)
+	size_t        j, usable_tlsas = 0;
+	X509_STORE_CTX *store_ctx = NULL;
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
+
 	bool print_tlsa_as_type52   = false;
 	bool assume_dnssec_validity = false;
 	bool assume_pkix_validity   = false;
@ -1143,6 +1206,7 @@ main(int argc, char* const* argv)
 	uint16_t      port = 0;		/* supress uninitialized warning */

 	ldns_resolver* res            = NULL;
+	ldns_rdf*      nameserver_rdf = NULL;
 	ldns_rdf*      tlsa_owner     = NULL;
 	char*          tlsa_owner_str = NULL;
 	ldns_rr_list*  tlsas          = NULL;
@ -1178,7 +1242,7 @@ main(int argc, char* const* argv)
 	if (! keys || ! addresses) {
 		MEMERR("ldns_rr_list_new");
 	}
-	while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:sSt:TuvV:")) != -1){
+	while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:r:sSt:TuvV:")) != -1){
 		switch(c) {
 		case 'h':
 			print_usage("ldns-dane");
@ -1189,6 +1253,19 @@ main(int argc, char* const* argv)
 		case '6':
 			ai_family = AF_INET6;
 			break;
+		case 'r':
+			if (nameserver_rdf) {
+				fprintf(stderr, "Can only specify -r once\n");
+				exit(EXIT_FAILURE);
+			}
+			nameserver_rdf = rdf_addr_frm_str(optarg);
+			if (!nameserver_rdf) {
+				fprintf(stderr,
+				        "Could not interpret address %s\n",
+				        optarg);
+				exit(EXIT_FAILURE);
+			}
+			break;
 		case 'a':
 			s = ldns_str2rdf_a(&address, optarg);
 			if (s == LDNS_STATUS_OK) {
@ -1336,6 +1413,7 @@ main(int argc, char* const* argv)
 		argc--;
 		argv++;

+#ifdef USE_DANE_VERIFY
 	} else if (strncasecmp(*argv, "verify", strlen(*argv)) == 0) {

 		mode = VERIFY;
@ -1344,9 +1422,20 @@ main(int argc, char* const* argv)

 	} else {
 		fprintf(stderr, "Specify create or verify mode\n");
+#else
+	} else {
+		fprintf(stderr, "Specify create mode\n");
+#endif
 		exit(EXIT_FAILURE);
 	}

+#ifndef USE_DANE_VERIFY
+	(void)transport_str;
+	(void)transport_rdf;
+	(void)port_str;
+	(void)port_rdf;
+	(void)interact;
+#else
 	if (mode == VERIFY && argc == 0) {

 		if (! tlsas_file) {
@ -1446,7 +1535,9 @@ main(int argc, char* const* argv)
 		}


-	} else if (argc < 2) {
+	} else 
+#endif /* USE_DANE_VERIFY */
+		if (argc < 2) {

 		print_usage("ldns-dane");

@ -1480,8 +1571,8 @@ main(int argc, char* const* argv)
 			LDNS_ERR(s, "could not read tlas from file");
 		} else {
 			/* lookup tlsas */
-			s = dane_setup_resolver(&res, keys,
-					assume_dnssec_validity);
+			s = dane_setup_resolver(&res, nameserver_rdf,
+			                        keys, assume_dnssec_validity);
 			LDNS_ERR(s, "could not dane_setup_resolver");
 			s = dane_query(&tlsas, res, tlsa_owner,
 					LDNS_RR_TYPE_TLSA, LDNS_RR_CLASS_IN,
@ -1532,8 +1623,7 @@ main(int argc, char* const* argv)
 					dane_certificate_usage_table);
 			argc--;
 		} else {
-			certificate_usage =
-				LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
+			certificate_usage = LDNS_TLSA_USAGE_DANE_EE;
 		}
 		if (argc > 0) {
 			selector = dane_int_within_range_table(
@ -1541,35 +1631,16 @@ main(int argc, char* const* argv)
 					dane_selector_table);
 			argc--;
 		} else {
-			selector = LDNS_TLSA_SELECTOR_FULL_CERTIFICATE;
+			selector = LDNS_TLSA_SELECTOR_SPKI;
 		}
 		if (argc > 0) {
-			if (*argv && /* strlen(argv) > 0 */
-					(strncasecmp(*argv, "no-hash-used",
-						strlen(*argv)) == 0 ||
-					strncasecmp(*argv, "no hash used",
-						strlen(*argv)) == 0 )) {
-				matching_type =
-					LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED;
+			matching_type = dane_int_within_range_table(
+					*argv++, 2, "matching type",
+					dane_matching_type_table);

-			} else if (strcasecmp(*argv, "sha256") == 0 ||
-					strcasecmp(*argv, "sha-256") == 0) {
-
-				matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256;
-
-			} else if (strcasecmp(*argv, "sha512") == 0 ||
-					strcasecmp(*argv, "sha-512") == 0) {
-
-				matching_type = LDNS_TLSA_MATCHING_TYPE_SHA512;
-
-			} else {
-				matching_type = dane_int_within_range(
-						*argv, 2, "matching type");
-			}
-			argv++;
 			argc--;
 		} else {
-			matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256;
+			matching_type = LDNS_TLSA_MATCHING_TYPE_SHA2_256;
 		}
 		if (argc > 0) {

@ -1617,7 +1688,14 @@ main(int argc, char* const* argv)
 		}
 	}

+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 	ctx =  SSL_CTX_new(SSLv23_client_method());
+#else
+	ctx =  SSL_CTX_new(TLS_client_method());
+	if (ctx && SSL_CTX_dane_enable(ctx) <= 0) {
+		ssl_err("could not SSL_CTX_dane_enable");
+	}
+#endif
 	if (! ctx) {
 		ssl_err("could not SSL_CTX_new");
 	}
@ -1636,16 +1714,23 @@ main(int argc, char* const* argv)
 		if (! cert) {
 			ssl_err("could not SSL_get_certificate");
 		}
+#ifndef SSL_CTX_get_extra_chain_certs
 #ifndef S_SPLINT_S
 		extra_certs = ctx->extra_certs;
+#endif /* splint */
+#else
+		if(!SSL_CTX_get_extra_chain_certs(ctx, &extra_certs)) {
+			ssl_err("could not SSL_CTX_get_extra_chain_certs");
+		}
 #endif
-
 		switch (mode) {
 		case CREATE: dane_create(tlsas, tlsa_owner, certificate_usage,
 					     offset, selector, matching_type,
 					     cert, extra_certs, store,
 					     verify_server_name, name);
 			     break;
+#ifdef USE_DANE_VERIFY
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 		case VERIFY: if (! dane_verify(tlsas, NULL,
 			                       cert, extra_certs, store,
 					       verify_server_name, name,
@ -1653,6 +1738,82 @@ main(int argc, char* const* argv)
 				     success = false;
 			     }
 			     break;
+#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+		case VERIFY: 
+			     usable_tlsas = 0;
+			     SSL_set_connect_state(ssl);
+			     if (SSL_dane_enable(ssl, name_str) <= 0) {
+			     	ssl_err("could not SSL_dane_enable");
+			     }
+			     if (!verify_server_name) {
+			     	SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
+			     }
+			     for (j = 0; j < ldns_rr_list_rr_count(tlsas); j++) {
+			     	int ret;
+			     	ldns_rr *tlsa_rr = ldns_rr_list_rr(tlsas, j);
+
+			     	if (ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA) {
+			     		fprintf(stderr, "Skipping non TLSA RR: ");
+			     		ldns_rr_print(stderr, tlsa_rr);
+			     		fprintf(stderr, "\n");
+			     		continue;
+			     	}
+			     	if (ldns_rr_rd_count(tlsa_rr) != 4) {
+			     		fprintf(stderr, "Skipping TLSA with wrong rdata RR: ");
+			     		ldns_rr_print(stderr, tlsa_rr);
+			     		fprintf(stderr, "\n");
+			     		continue;
+			     	}
+			     	ret = SSL_dane_tlsa_add(ssl,
+			     			ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)),
+			     			ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)),
+			     			ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)),
+			     			ldns_rdf_data(ldns_rr_rdf(tlsa_rr, 3)),
+			     			ldns_rdf_size(ldns_rr_rdf(tlsa_rr, 3)));
+			     	if (ret < 0) {
+			     		ssl_err("could not SSL_dane_tlsa_add");
+			     	}
+			     	if (ret == 0) {
+			     		fprintf(stderr, "Skipping unusable TLSA RR: ");
+			     		ldns_rr_print(stderr, tlsa_rr);
+			     		fprintf(stderr, "\n");
+			     		continue;
+			     	}
+			     	usable_tlsas += 1;
+			     }
+			     if (!usable_tlsas) {
+			     	fprintf(stderr, "No usable TLSA records were found.\n"
+			     			"PKIX validation without DANE will be performed.\n");
+			     }
+			     if (!(store_ctx = X509_STORE_CTX_new())) {
+				     ssl_err("could not SSL_new");
+			     }
+			     if (!X509_STORE_CTX_init(store_ctx, store, cert, extra_certs)) {
+				     ssl_err("could not X509_STORE_CTX_init");
+			     }
+			     X509_STORE_CTX_set_default(store_ctx,
+					     SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
+			     X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
+					     SSL_get0_param(ssl));
+			     X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
+			     X509_NAME_print_ex_fp(stdout,
+					     X509_get_subject_name(cert), 0, 0);
+			     if (X509_verify_cert(store_ctx)) {
+				fprintf(stdout, " %s-validated successfully\n",
+						  usable_tlsas 
+						? "dane" : "PKIX");
+			     } else {
+				fprintf(stdout, " did not dane-validate, because: %s\n",
+						X509_verify_cert_error_string(
+							X509_STORE_CTX_get_error(store_ctx)));
+				success = false;
+			     }
+			     if (store_ctx) {
+				     X509_STORE_CTX_free(store_ctx);
+			     }
+			     break;
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+#endif /* ifdef USE_DANE_VERIFY */
 		default:     break; /* suppress warning */
 		}
 		SSL_free(ssl);
@ -1661,8 +1822,8 @@ main(int argc, char* const* argv)

 		/* We need addresses to connect to */
 		if (ldns_rr_list_rr_count(addresses) == 0) {
-			s = dane_setup_resolver(&res, keys,
-					assume_dnssec_validity);
+			s = dane_setup_resolver(&res, nameserver_rdf,
+			                        keys, assume_dnssec_validity);
 			LDNS_ERR(s, "could not dane_setup_resolver");
 			ldns_rr_list_free(addresses);
 			addresses =dane_lookup_addresses(res, name, ai_family);
@ -1683,7 +1844,54 @@ main(int argc, char* const* argv)
 			address = ldns_rr_a_address(
 					ldns_rr_list_rr(addresses, i));
 			assert(address != NULL);
-			
+#if OPENSSL_VERSION_NUMBER >= 0x10100000  && ! defined(HAVE_LIBRESSL)
+			if (mode == VERIFY) {
+				usable_tlsas = 0;
+				if (SSL_dane_enable(ssl, name_str) <= 0) {
+					ssl_err("could not SSL_dane_enable");
+				}
+				if (!verify_server_name) {
+					SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
+				}
+				for (j = 0; j < ldns_rr_list_rr_count(tlsas); j++) {
+					int ret;
+					ldns_rr *tlsa_rr = ldns_rr_list_rr(tlsas, j);
+
+					if (ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA) {
+						fprintf(stderr, "Skipping non TLSA RR: ");
+						ldns_rr_print(stderr, tlsa_rr);
+						fprintf(stderr, "\n");
+						continue;
+					}
+					if (ldns_rr_rd_count(tlsa_rr) != 4) {
+						fprintf(stderr, "Skipping TLSA with wrong rdata RR: ");
+						ldns_rr_print(stderr, tlsa_rr);
+						fprintf(stderr, "\n");
+						continue;
+					}
+					ret = SSL_dane_tlsa_add(ssl,
+							ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)),
+							ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)),
+							ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)),
+							ldns_rdf_data(ldns_rr_rdf(tlsa_rr, 3)),
+							ldns_rdf_size(ldns_rr_rdf(tlsa_rr, 3)));
+					if (ret < 0) {
+						ssl_err("could not SSL_dane_tlsa_add");
+					}
+					if (ret == 0) {
+						fprintf(stderr, "Skipping unusable TLSA RR: ");
+						ldns_rr_print(stderr, tlsa_rr);
+						fprintf(stderr, "\n");
+						continue;
+					}
+					usable_tlsas += 1;
+				}
+				if (!usable_tlsas) {
+					fprintf(stderr, "No usable TLSA records were found.\n"
+							"PKIX validation without DANE will be performed.\n");
+				}
+			}
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
 			s = ssl_connect_and_get_cert_chain(&cert, &extra_certs,
 					ssl, name_str, address,port, transport);
 			if (s == LDNS_STATUS_NETWORK_ERR) {
@ -1696,8 +1904,27 @@ main(int argc, char* const* argv)
 				continue;
 			}
 			LDNS_ERR(s, "could not get cert chain from ssl");
-			switch (mode) {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && ! defined(HAVE_LIBRESSL)

+			if (mode == VERIFY) {
+				char *address_str = ldns_rdf2str(address);
+				long verify_result = SSL_get_verify_result(ssl);
+
+				fprintf(stdout, "%s", address_str ? address_str : "<address>");
+				free(address_str);
+
+				if (verify_result == X509_V_OK) {
+					fprintf(stdout, " %s-validated successfully\n",
+							  usable_tlsas 
+							? "dane" : "PKIX");
+				} else {
+					fprintf(stdout, " did not dane-validate, because: %s\n",
+							X509_verify_cert_error_string(verify_result));
+					success = false;
+				}
+			}
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
+			switch (mode) {
 			case CREATE: dane_create(tlsas, tlsa_owner,
 						     certificate_usage, offset,
 						     selector, matching_type,
@ -1705,16 +1932,23 @@ main(int argc, char* const* argv)
 						     verify_server_name, name);
 				     break;

-			case VERIFY: if (! dane_verify(tlsas, address,
+#ifdef USE_DANE_VERIFY
+			case VERIFY:
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
+				     if (! dane_verify(tlsas, address,
 						cert, extra_certs, store,
 						verify_server_name, name,
 						assume_pkix_validity)) {
 					success = false;

-				     } else if (interact) {
+				     }
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+				     if (success && interact) {
 					     ssl_interact(ssl);
 				     }
 				     break;
+#endif /* USE_DANE_VERIFY */
+
 			default:     break; /* suppress warning */
 			}
 			while (SSL_shutdown(ssl) == 0);
@ -1734,6 +1968,9 @@ main(int argc, char* const* argv)
 	/* cleanup */
 	SSL_CTX_free(ctx);

+	if (nameserver_rdf) {
+		ldns_rdf_deep_free(nameserver_rdf);
+	}
 	if (store) {
 		X509_STORE_free(store);
 	}
@ -1768,6 +2005,9 @@ main(int argc, char **argv)
 int
 main(int argc, char **argv)
 {
+	(void)argc;
+	(void)argv;
+
 	fprintf(stderr, "dane support was disabled with this build of ldns, "
 			"and has not been compiled in\n");
 	return 1;
--- a/examples/ldns-dpa.1
+++ b/examples/ldns-dpa.1
@ -26,17 +26,17 @@ Show usage

 .TP
 \fB-p\fR
-Show the total number of correct DNS packets, and percentage of -u and
-c values  (of the total of matching on the -f filter. if no filter is
+Show the total number of correct DNS packets, and percentage of \-u and
+\-c values  (of the total of matching on the \-f filter. if no filter is
 given, percentages are on all correct dns packets)

 .TP
 \fB-of\fR \fIfile\fR
-Write all packets that match the -f flag to file, as pcap data.
+Write all packets that match the \-f flag to file, as pcap data.

 .TP
 \fB-ofh\fR \fIfile\fR
-Write all packets that match the -f flag to file, in hexadecimal format,
+Write all packets that match the \-f flag to file, in hexadecimal format,
 readable by drill.

 .TP
@ -49,8 +49,8 @@ show possible match operators and values for name

 .TP
 \fB-sf\fR
-Only evaluate packets (in representation format) that match the -f filter.
-If no -f was given, evaluate all correct dns packets.
+Only evaluate packets (in representation format) that match the \-f filter.
+If no \-f was given, evaluate all correct dns packets.

 .TP
 \fB-u\fR \fImatchnamelist\fR
@ -58,15 +58,15 @@ Count every occurence of every value of the matchname (for instance, count all p

 .TP
 \fB-ua\fR
-For every matchname in -u, show the average value of all matches. Behaviour for match types that do not have an integer value is undefined.
+For every matchname in \-u, show the average value of all matches. Behaviour for match types that do not have an integer value is undefined.

 .TP
 \fB-uac\fR
-For every matchname in -u, show the average number of times this value was encountered.
+For every matchname in \-u, show the average number of times this value was encountered.

 .TP
 \fB-um\fR \fInumber\fR
-Only show the results from -u for values that occurred more than <number> times.
+Only show the results from \-u for values that occurred more than <number> times.

 .TP
 \fB-v\fR \fIlevel\fR
@ -86,7 +86,7 @@ Show version and exit

 .SH LIST AND MATCHES

-A <matchnamelist> is a comma separated list of match names (use -s to see possible match names).
+A <matchnamelist> is a comma separated list of match names (use \-s to see possible match names).
 A <expressionlist> is a comma separated list of expressions.

 An expression has the following form:
@ -106,36 +106,36 @@ An expression has the following form:
 	<=	lesser than or equal to <value>
 	~=	contains <value>

-See the -s option for possible matchnames, operators and values.
+See the \-s option for possible matchnames, operators and values.

 .SH EXAMPLES

 .TP
-ldns-dpa -u packetsize -p test.tr
+ldns-dpa \-u packetsize \-p test.tr
 Count all different packetsizes in test.tr and show the precentages.

 .TP
-ldns-dpa -f "edns=1&qr=0" -of edns.tr test.tr
+ldns-dpa \-f "edns=1&qr=0" \-of edns.tr test.tr
 Filter out all edns enable queries in test.tr and put them in edns.tr

 .TP
-ldns-dpa -f edns=1 -c tc=1 -u rcode test.tr
+ldns-dpa \-f edns=1 \-c tc=1 \-u rcode test.tr
 For all edns packets, count the number of truncated packets and all their rcodes in test.tr.

 .TP
-ldns-dpa -c tc=1,qr=0,qr=1,opcode=QUERY test.tr
+ldns-dpa \-c tc=1,qr=0,qr=1,opcode=QUERY test.tr
 For all packets, count the number of truncated packets, the number of packets with qr=0, the number of packets with qr=1 and the number of queries in test.tr.

 .TP
-ldns-dpa -u packetsize -ua test.tr
+ldns-dpa \-u packetsize \-ua test.tr
 Show all packet sizes and the average packet size per packet.

 .TP
-ldns-dpa -u srcaddress -uac test.tr
+ldns-dpa \-u srcaddress \-uac test.tr
 Show all packet source addresses and the average number of packets sent from this address.

 .TP
-sudo tcpdump -i eth0 -s 0 -U -w - port 53 | ldns-dpa -f qr=0 -sf 
+sudo tcpdump \-i eth0 \-s 0 \-U \-w \- port 53 | ldns-dpa \-f qr=0 \-sf
 Print all query packets seen on the specified interface.


--- a/examples/ldns-dpa.c
+++ b/examples/ldns-dpa.c
@ -920,7 +920,7 @@ match_opcode(type_operator operator,
 		a = lt->id;
 	} else {
 		i = atoi(value);
-		if (i >= 0 && !isdigit(value[0]) == 0) {
+		if (i >= 0 && isdigit((unsigned char)value[0])) {
 			lt = ldns_lookup_by_id(ldns_opcodes, i);
 			if (lt) {
 				a = lt->id;
@ -941,7 +941,7 @@ match_opcode(type_operator operator,
 		b = lt->id;
 	} else {
 		i = atoi(mvalue);
-		if (i >= 0 && !isdigit(mvalue[0]) == 0) {
+		if (i >= 0 && isdigit((unsigned char)mvalue[0])) {
 			lt = ldns_lookup_by_id(ldns_opcodes, i);
 			if (lt) {
 				b = lt->id;
@ -1053,7 +1053,7 @@ match_rcode(type_operator operator,
 		a = lt->id;
 	} else {
 		i = atoi(value);
-		if (i >= 0 && !isdigit(value[0]) == 0) {
+		if (i >= 0 && isdigit((unsigned char)value[0])) {
 			lt = ldns_lookup_by_id(ldns_rcodes, i);
 			if (lt) {
 				a = lt->id;
@ -1074,8 +1074,7 @@ match_rcode(type_operator operator,
 		b = lt->id;
 	} else {
 		i = atoi(mvalue);
-
-		if (i >= 0 && !isdigit(mvalue[0]) == 0) {
+		if (i >= 0 && isdigit((unsigned char)mvalue[0])) {
 			lt = ldns_lookup_by_id(ldns_rcodes, i);
 			if (lt) {
 				b = lt->id;
@ -1663,7 +1662,7 @@ parse_match_expression(char *string)

 	j = 0;
 	for (i = 0; i < strlen(string); i++) {
-		if(!isspace(string[i])) {
+		if(!isspace((unsigned char)string[i])) {
 			str[j] = string[i];
 			j++;
 		}
@ -2505,7 +2504,7 @@ parse_uniques(match_id ids[], size_t *count, char *string)
 	str = malloc(strlen(string) + 1);
 	j = 0;
 	for (i = 0; i < strlen(string); i++) {
-		if (!isspace(string[i])) {
+		if (!isspace((unsigned char)string[i])) {
 			str[j] = string[i];
 			j++;
 		}
--- a/examples/ldns-gen-zone.1
+++ b/examples/ldns-gen-zone.1
@ -62,13 +62,13 @@ Show version and exit.
 .SH EXAMPLES

 .TP
-\fBldns-gen-zone -a 100000 -p 10 -s ./zonefile.txt\fR
+\fBldns-gen-zone \-a 100000 \-p 10 \-s ./zonefile.txt\fR
 Read a zonefile, add 100.000 artificial NS RRSets and 10% of DS records,
 print it to standard output. Don't sort (will only work well if the input
 zonefile is already sorted and canonicalized).

 .TP
-\fBldns-gen-zone -p 10 -s -o nl zonefile.txt | named-compilezone -s relative -i none -o zonefile_10.txt nl /dev/stdin\fR
+\fBldns-gen-zone \-p 10 \-s \-o nl zonefile.txt | named-compilezone \-s relative \-i none \-o zonefile_10.txt nl /dev/stdin\fR
 This creates a nicely formatted zone file with the help of \fBnamed-compilezone\fR.
 It adds 10% DS records to the .nl zone, reformats it and saves it as \fBzonefile_10.txt\fR.

--- a/examples/ldns-gen-zone.c
+++ b/examples/ldns-gen-zone.c
@ -28,7 +28,7 @@ usage(FILE *fp, char *prog) {
        fprintf(fp, "\n\nUsage: %s [-hsv] [-ap NUM] [-o ORIGIN] [<zonefile>]\n", prog);
        fprintf(fp, "\tReads a zonefile and add some artificial NS RRsets and DS records.\n");
        fprintf(fp, "\tIf no zonefile is given, the zone is read from stdin.\n");
-        fprintf(fp, "\t-a <NUM> add NUM artifical delegations (NS RRSets) to output.\n");
+        fprintf(fp, "\t-a <NUM> add NUM artificial delegations (NS RRSets) to output.\n");
        fprintf(fp, "\t-p <NUM> add NUM percent of DS RRset's to the NS RRsets (1-%d RR's per DS RRset).\n", NUM_DS);
        fprintf(fp, "\t-o ORIGIN sets an $ORIGIN, which can be handy if the one in the zonefile is set to @.\n");
        fprintf(fp, "\t-s if input zone file is already sorted and canonicalized (ie all lowercase),\n\t   use this option to speed things up while inserting DS records.\n");
--- a/examples/ldns-key2ds.1
+++ b/examples/ldns-key2ds.1
@ -32,6 +32,13 @@ Use SHA1 as the hash function.
 \fB-2\fR
 Use SHA256 as the hash function

+.TP
+\fB-g\fR
+Use GOST as the hash function
+
+.TP
+\fB-4\fR
+Use SHA384 as the hash function

 .SH AUTHOR
 Written by the ldns team as an example for ldns usage.
--- a/examples/ldns-key2ds.c
+++ b/examples/ldns-key2ds.c
@ -62,6 +62,14 @@ suitable_hash(ldns_signing_algorithm algorithm)
 		return LDNS_SHA256;
 	case LDNS_SIGN_ECDSAP384SHA384:
 		return LDNS_SHA384;
+#endif
+#ifdef USE_ED25519
+	case LDNS_SIGN_ED25519:
+		return LDNS_SHA256;
+#endif
+#ifdef USE_ED448
+	case LDNS_SIGN_ED448:
+		return LDNS_SHA256;
 #endif
 	default: break;
 	}
--- a/examples/ldns-keyfetcher.c
+++ b/examples/ldns-keyfetcher.c
@ -377,7 +377,7 @@ retrieve_dnskeys(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 		authority_list = NULL;
 		
 		if (loop_count++ > 20) {
-			/* unlikely that we are doing something usefull */
+			/* unlikely that we are doing something useful */
 			fprintf(stderr, "Looks like we are looping");
 			ldns_pkt_free(p); 
 			return NULL;
@ -507,7 +507,7 @@ retrieve_dnskeys(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 * for the root zone and A records for those NS RRs.
 * Read them, check them, and append the a records to the rr list given.
 */
-ldns_rr_list *
+static ldns_rr_list *
 read_root_hints(const char *filename)
 {
 	FILE *fp = NULL;
@ -725,7 +725,6 @@ main(int argc, char *argv[])
 		fprintf(stderr, "no answer packet received, stub resolver config:\n");
 		ldns_resolver_print(stderr, res);
 	}
-	printf("\n");

 	ldns_rdf_deep_free(domain);
 	ldns_resolver_deep_free(res);
--- a/examples/ldns-keygen.1
+++ b/examples/ldns-keygen.1
@ -16,7 +16,7 @@ DNSKEY record.

 \fBldns-keygen\fR can also be used to create symmetric keys (for TSIG) by
 selecting the appropriate algorithm: \%\fIhmac-md5.sig-alg.reg.int\fR,
-\%\fIhmac-sha1\fR or \%\fIhmac-sha256\fR.
+\%\fIhmac-sha1\fR, \%\fIhmac-sha224\fR, \%\fIhmac-sha256\fR, \%\fIhmac-sha384\fR or \%\fIhmac-sha512\fR.
 In that case no DS record will be created and no .ds file.

 \fBldns-keygen\fR prints the basename for the key files:
--- a/examples/ldns-keygen.c
+++ b/examples/ldns-keygen.c
@ -10,6 +10,9 @@

 #include <ldns/ldns.h>

+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
 #include <errno.h>

 #ifdef HAVE_SSL
@ -28,7 +31,7 @@ usage(FILE *fp, char *prog) {
 	fprintf(fp, "  The following files will be created:\n");
 	fprintf(fp, "    K<name>+<alg>+<id>.key\tPublic key in RR format\n");
 	fprintf(fp, "    K<name>+<alg>+<id>.private\tPrivate key in key format\n");
-	fprintf(fp, "    K<name>+<alg>+<id>.ds\tDS in RR format (only for DNSSEC keys)\n");
+	fprintf(fp, "    K<name>+<alg>+<id>.ds\tDS in RR format (only for DNSSEC KSK keys)\n");
 	fprintf(fp, "  The base name (K<name>+<alg>+<id> will be printed to stdout\n");
 }

@ -48,11 +51,13 @@ int
 main(int argc, char *argv[])
 {
 	int c;
+	int fd;
 	char *prog;

 	/* default key size */
 	uint16_t def_bits = 1024;
 	uint16_t bits = def_bits;
+	bool had_bits = false;
 	bool ksk;

 	FILE *file;
@ -94,7 +99,8 @@ main(int argc, char *argv[])
 			if (bits == 0) {
 				fprintf(stderr, "%s: %s %d", prog, "Can not parse the -b argument, setting it to the default\n", (int) def_bits);
 				bits = def_bits;
-			}
+			} else
+				had_bits = true;
 			break;
 		case 'k':
 			ksk = true;
@ -133,16 +139,20 @@ main(int argc, char *argv[])
 	switch (algorithm) {
 	case LDNS_SIGN_RSAMD5:
 	case LDNS_SIGN_RSASHA1:
+	case LDNS_SIGN_RSASHA1_NSEC3:
+	case LDNS_SIGN_RSASHA256:
+	case LDNS_SIGN_RSASHA512:
 		if (bits < 512 || bits > 4096) {
 			fprintf(stderr, "For RSA, the key size must be between ");
-			fprintf(stderr, " 512 and 4096 bytes. Aborting.\n");
+			fprintf(stderr, " 512 and 4096 bits. Aborting.\n");
 			exit(1);
 		}
 		break;
 	case LDNS_SIGN_DSA:
-		if (bits < 512 || bits > 4096) {
+	case LDNS_SIGN_DSA_NSEC3:
+		if (bits < 512 || bits > 1024) {
 			fprintf(stderr, "For DSA, the key size must be between ");
-			fprintf(stderr, " 512 and 1024 bytes. Aborting.\n");
+			fprintf(stderr, " 512 and 1024 bits. Aborting.\n");
 			exit(1);
 		}
 		break;
@ -157,10 +167,66 @@ main(int argc, char *argv[])
 #ifdef USE_ECDSA
 	case LDNS_SIGN_ECDSAP256SHA256:
 	case LDNS_SIGN_ECDSAP384SHA384:
+		break;
 #endif
 	case LDNS_SIGN_HMACMD5:
+		if (!had_bits) {
+			bits = 512;
+		} else if (bits < 1 || bits > 512) {
+			fprintf(stderr, "For hmac-md5, the key size must be ");
+			fprintf(stderr, "between 1 and 512 bits. Aborting.\n");
+			exit(1);
+		}
+		break;
 	case LDNS_SIGN_HMACSHA1:
+		if (!had_bits) {
+			bits = 160;
+		} else if (bits < 1 || bits > 160) {
+			fprintf(stderr, "For hmac-sha1, the key size must be ");
+			fprintf(stderr, "between 1 and 160 bits. Aborting.\n");
+			exit(1);
+		}
+		break;
+
+	case LDNS_SIGN_HMACSHA224:
+		if (!had_bits) {
+			bits = 224;
+		} else if (bits < 1 || bits > 224) {
+			fprintf(stderr, "For hmac-sha224, the key size must be ");
+			fprintf(stderr, "between 1 and 224 bits. Aborting.\n");
+			exit(1);
+		}
+		break;
+
 	case LDNS_SIGN_HMACSHA256:
+		if (!had_bits) {
+			bits = 256;
+		} else if (bits < 1 || bits > 256) {
+			fprintf(stderr, "For hmac-sha256, the key size must be ");
+			fprintf(stderr, "between 1 and 256 bits. Aborting.\n");
+			exit(1);
+		}
+		break;
+
+	case LDNS_SIGN_HMACSHA384:
+		if (!had_bits) {
+			bits = 384;
+		} else if (bits < 1 || bits > 384) {
+			fprintf(stderr, "For hmac-sha384, the key size must be ");
+			fprintf(stderr, "between 1 and 384 bits. Aborting.\n");
+			exit(1);
+		}
+		break;
+
+	case LDNS_SIGN_HMACSHA512:
+		if (!had_bits) {
+			bits = 512;
+		} else if (bits < 1 || bits > 512) {
+			fprintf(stderr, "For hmac-sha512, the key size must be ");
+			fprintf(stderr, "between 1 and 512 bits. Aborting.\n");
+			exit(1);
+		}
+		break;
 	default:
 		break;
 	}
@ -181,6 +247,11 @@ main(int argc, char *argv[])

 	/* generate a new key */
 	key = ldns_key_new_frm_algorithm(algorithm, bits);
+	if(!key) {
+		fprintf(stderr, "cannot generate key of algorithm %s\n",
+			ldns_pkt_algorithm2str((ldns_algorithm)algorithm));
+		exit(EXIT_FAILURE);
+	}

 	/* set the owner name in the key - this is a /separate/ step */
 	ldns_key_set_pubkey_owner(key, domain);
@ -209,6 +280,12 @@ main(int argc, char *argv[])
 		ds = ldns_key_rr2ds(pubkey, LDNS_SHA384);
 		break;
 	case LDNS_SIGN_ECDSAP256SHA256:
+#endif
+#ifdef USE_ED25519
+	case LDNS_SIGN_ED25519:
+#endif
+#ifdef USE_ED448
+	case LDNS_SIGN_ED448:
 #endif
 	case LDNS_SIGN_RSASHA256:
 	case LDNS_SIGN_RSASHA512:
@ -250,25 +327,28 @@ main(int argc, char *argv[])
 	/* print the priv key to stderr */
 	filename = LDNS_XMALLOC(char, strlen(owner) + 21);
 	snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
-	file = fopen(filename, "w");
-	if (!file) {
-		fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
-		ldns_key_deep_free(key);
-		free(owner);
-		ldns_rr_free(pubkey);
-		ldns_rr_free(ds);
-		LDNS_FREE(filename);
-		exit(EXIT_FAILURE);
-	} else {
-		ldns_key_print(file, key);
-		fclose(file);
-		LDNS_FREE(filename);
+	/* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/
+	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
+	if (fd < 0) {
+		goto fail;
 	}

+	file = fdopen(fd, "w");
+	if (!file) {
+		goto fail;
+	}
+
+	ldns_key_print(file, key);
+	fclose(file);
+	LDNS_FREE(filename);
+
 	/* print the DS to .ds */
-	if (algorithm != LDNS_SIGN_HMACMD5 &&
+	if (ksk && algorithm != LDNS_SIGN_HMACMD5 &&
 		algorithm != LDNS_SIGN_HMACSHA1 &&
-		algorithm != LDNS_SIGN_HMACSHA256) {
+		algorithm != LDNS_SIGN_HMACSHA224 &&
+		algorithm != LDNS_SIGN_HMACSHA256 &&
+		algorithm != LDNS_SIGN_HMACSHA384 &&
+		algorithm != LDNS_SIGN_HMACSHA512) {
 		filename = LDNS_XMALLOC(char, strlen(owner) + 16);
 		snprintf(filename, strlen(owner) + 15, "K%s+%03u+%05u.ds", owner, algorithm, (unsigned int) ldns_key_keytag(key));
 		file = fopen(filename, "w");
@ -296,6 +376,15 @@ main(int argc, char *argv[])
 	ldns_rr_free(pubkey);
 	ldns_rr_free(ds);
 	exit(EXIT_SUCCESS);
+
+fail:
+	fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+	ldns_key_deep_free(key);
+	free(owner);
+	ldns_rr_free(pubkey);
+	ldns_rr_free(ds);
+	LDNS_FREE(filename);
+	exit(EXIT_FAILURE);
 }
 #else
 int
--- a/examples/ldns-mx.c
+++ b/examples/ldns-mx.c
@ -40,6 +40,15 @@ main(int argc, char *argv[])
 			usage(stdout, argv[0]);
 			exit(EXIT_FAILURE);
 		}
+		if (! ldns_dname_str_absolute(argv[1]) &&
+		    ldns_dname_absolute(domain)) {
+
+			/* ldns_dname_new_frm_str makes absolute dnames always!
+			 * So deabsolutify domain.
+			 * TODO: Create ldns_dname_new_frm_str_relative? Yuck!
+			 */
+			ldns_rdf_set_size(domain, ldns_rdf_size(domain) - 1);
+		}
 	}

 	/* create a new resolver from /etc/resolv.conf */
@ -52,11 +61,11 @@ main(int argc, char *argv[])
 	/* use the resolver to send a query for the mx 
 	 * records of the domain given on the command line
 	 */
-	p = ldns_resolver_query(res,
-	                        domain,
-	                        LDNS_RR_TYPE_MX,
-	                        LDNS_RR_CLASS_IN,
-	                        LDNS_RD);
+	p = ldns_resolver_search(res,
+	                         domain,
+	                         LDNS_RR_TYPE_MX,
+	                         LDNS_RR_CLASS_IN,
+	                         LDNS_RD);

 	ldns_rdf_deep_free(domain);
 	
--- a/examples/ldns-notify.1
+++ b/examples/ldns-notify.1
@ -4,7 +4,7 @@ ldns-notify \- notify DNS servers that updates are available
 .SH SYNOPSIS
 .B ldns-notify
 [options]
-z zone
+\-z zone
 .IR servers 

 .SH DESCRIPTION
--- a/examples/ldns-notify.c
+++ b/examples/ldns-notify.c
@ -182,6 +182,7 @@ main(int argc, char **argv)
 	uint8_t *wire = NULL;
 	size_t wiresize = 0;
 	const char *port = "53";
+	char *keydata;

 	srandom(time(NULL) ^ getpid());

@ -203,14 +204,14 @@ main(int argc, char **argv)
                case 'y':
 			tsig_cred.algorithm = (char*)"hmac-md5.sig-alg.reg.int.";
 			tsig_cred.keyname = optarg;
-			tsig_cred.keydata = strchr(optarg, ':');
-			if (tsig_cred.keydata == NULL) {
+			keydata = strchr(optarg, ':');
+			if (keydata == NULL) {
 				printf("TSIG argument is not in form "
 					"key:data: %s\n", optarg);
 				exit(1);
 			}
-			*tsig_cred.keydata = '\0';
-			tsig_cred.keydata++;
+			*keydata++ = '\0';
+			tsig_cred.keydata = keydata;
 			printf("Sign with %s : %s\n", tsig_cred.keyname,
 				tsig_cred.keydata);
 			break;
@ -306,7 +307,7 @@ main(int argc, char **argv)

 	for(i=0; i<argc; i++)
 	{
-		struct addrinfo hints, *res0, *res;
+		struct addrinfo hints, *res0, *ai_res;
 		int error;
 		int default_family = AF_INET;

@ -322,13 +323,13 @@ main(int argc, char **argv)
 				gai_strerror(error));
 			continue;
 		}
-		for (res = res0; res; res = res->ai_next) {
-			int s = socket(res->ai_family, res->ai_socktype, 
-				res->ai_protocol);
+		for (ai_res = res0; ai_res; ai_res = ai_res->ai_next) {
+			int s = socket(ai_res->ai_family, ai_res->ai_socktype, 
+				ai_res->ai_protocol);
 			if(s == -1)
 				continue;
 			/* send the notify */
-			notify_host(s, res, wire, wiresize, argv[i]);
+			notify_host(s, ai_res, wire, wiresize, argv[i]);
 		}
 		freeaddrinfo(res0);
 	}
--- a/examples/ldns-read-zone.1
+++ b/examples/ldns-read-zone.1
@ -12,24 +12,36 @@ resource record per line, and no pretty-printing makeup.

 .SH OPTIONS
 .TP
-\fB-c\fR
-Canonicalize all resource records in the zone before printing
-
-.TP
-\fB-d\fR
-Only print DNSSEC data from the zone. This option skips every record
-that is not of type NSEC, NSEC3, RRSIG or DNSKEY. DS records are not
-printed.
+\fB-0\fR
+Print a (null) for the RRSIG inception, expiry and key data. This option
+can be used when comparing different signing systems that use the same
+DNSKEYs for signing but would have a slightly different timings/jitter.

 .TP
 \fB-b\fR
 Include Bubble Babble encoding of DS's.

 .TP
-\fB-0\fR
-Print a (null) for the RRSIG inception, expiry and key data. This option
-can be used when comparing different signing systems that use the same
-DNSKEYs for signing but would have a slightly different timings/jitter.
+\fB-c\fR
+Canonicalize all resource records in the zone before printing
+
+.TP
+\fB-d\fR
+Only print DNSSEC data from the zone. This option skips every record
+that is not of type NSEC, NSEC3 or RRSIG. DNSKEY and DS records are not
+printed.
+
+.TP
+\fB-e\fR \fIRR type\fR
+Do not print RRs of the given \fIrr type\fR.
+This option may be given multiple times.
+\fB-e\fR is not meant to be used together with \fB-E\fR.
+
+.TP
+\fB-E\fR \fIRR type\fR
+Print only RRs of the given \fIrr type\fR.
+This option may be given multiple times.
+\fB-E\fR is not meant to be used together with \fB-e\fR.

 .TP
 \fB-h\fR
@ -47,7 +59,7 @@ take ten characters. This is useful for in file serial number increments.
 .TP
 \fB-s\fR
 Strip DNSSEC data from the zone. This option skips every record
-that is of type NSEC, NSEC3, RRSIG or DNSKEY. DS records are still
+that is of type NSEC, NSEC3 or RRSIG. DNSKEY and DS records are still
 printed.

 .TP
@ -86,7 +98,7 @@ Show the version and exit

 .TP
 \fB-z\fR
-Sort the zone before printing (this implies -c)
+Sort the zone before printing (this implies \-c)


 .SH AUTHOR
--- a/examples/ldns-read-zone.c
+++ b/examples/ldns-read-zone.c
@ -15,15 +15,23 @@

 #include <errno.h>

-void print_usage(const char* progname)
+static void print_usage(const char* progname)
 {
 	printf("Usage: %s [OPTIONS] <zonefile>\n", progname);
 	printf("\tReads the zonefile and prints it.\n");
 	printf("\tThe RR count of the zone is printed to stderr.\n");
-	printf("\t-b include Bubble Babble encoding of DS's.\n");
 	printf("\t-0 zeroize timestamps and signature in RRSIG records.\n");
+	printf("\t-b include Bubble Babble encoding of DS's.\n");
 	printf("\t-c canonicalize all rrs in the zone.\n");
 	printf("\t-d only show DNSSEC data from the zone\n");
+	printf("\t-e <rr type>\n");
+	printf("\t\tDo not print RRs of the given <rr type>.\n");
+	printf("\t\tThis option may be given multiple times.\n");
+	printf("\t\t-e is not meant to be used together with -E.\n");
+	printf("\t-E <rr type>\n");
+	printf("\t\tPrint only RRs of the given <rr type>.\n");
+	printf("\t\tThis option may be given multiple times.\n");
+	printf("\t\t-E is not meant to be used together with -e.\n");
 	printf("\t-h show this text\n");
 	printf("\t-n do not print the SOA record\n");
 	printf("\t-p prepend SOA serial with spaces so"
@ -61,6 +69,46 @@ void print_usage(const char* progname)
 	exit(EXIT_SUCCESS);
 }

+static void exclude_type(ldns_rdf **show_types, ldns_rr_type t)
+{
+	ldns_status s;
+
+	assert(show_types != NULL);
+
+	if (! *show_types && LDNS_STATUS_OK !=
+			(s = ldns_rdf_bitmap_known_rr_types(show_types)))
+		goto fail;
+
+	s =  ldns_nsec_bitmap_clear_type(*show_types, t);
+	if (s == LDNS_STATUS_OK)
+		return;
+fail:
+	fprintf(stderr, "Cannot exclude rr type %s: %s\n"
+	              , ldns_rr_descript(t)->_name
+		      , ldns_get_errorstr_by_id(s));
+	exit(EXIT_FAILURE);
+}
+
+static void include_type(ldns_rdf **show_types, ldns_rr_type t)
+{
+	ldns_status s;
+
+	assert(show_types != NULL);
+
+	if (! *show_types && LDNS_STATUS_OK !=
+			(s = ldns_rdf_bitmap_known_rr_types_space(show_types)))
+		goto fail;
+
+	s =  ldns_nsec_bitmap_set_type(*show_types, t);
+	if (s == LDNS_STATUS_OK)
+		return;
+fail:
+	fprintf(stderr, "Cannot exclude all rr types except %s: %s\n"
+	              , ldns_rr_descript(t)->_name
+		      , ldns_get_errorstr_by_id(s));
+	exit(EXIT_FAILURE);
+}
+
 int
 main(int argc, char **argv)
 {
@ -71,38 +119,43 @@ main(int argc, char **argv)
 	int c;
 	bool canonicalize = false;
 	bool sort = false;
-	bool strip = false;
-	bool only_dnssec = false;
 	bool print_soa = true;
 	ldns_status s;
 	size_t i;
 	ldns_rr_list *stripped_list;
 	ldns_rr *cur_rr;
-	ldns_rr_type cur_rr_type;
 	ldns_output_format_storage fmt_storage;
 	ldns_output_format* fmt = ldns_output_format_init(&fmt_storage);
+	ldns_rdf *show_types = NULL;

 	ldns_soa_serial_increment_func_t soa_serial_increment_func = NULL;
 	int soa_serial_increment_func_data = 0;

-        while ((c = getopt(argc, argv, "0bcdhnpsu:U:vzS:")) != -1) {
+        while ((c = getopt(argc, argv, "0bcde:E:hnpsS:u:U:vz")) != -1) {
                switch(c) {
+			case '0':
+				fmt->flags |= LDNS_FMT_ZEROIZE_RRSIGS;
+				break;
 			case 'b':
 				fmt->flags |= 
 					( LDNS_COMMENT_BUBBLEBABBLE |
 					  LDNS_COMMENT_FLAGS        );
 				break;
-			case '0':
-				fmt->flags |= LDNS_FMT_ZEROIZE_RRSIGS;
-				break;
                	case 'c':
                		canonicalize = true;
                		break;
                	case 'd':
-                		only_dnssec = true;
-                		if (strip) {
-                			fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
-				}
+				include_type(&show_types, LDNS_RR_TYPE_RRSIG);
+				include_type(&show_types, LDNS_RR_TYPE_NSEC);
+				include_type(&show_types, LDNS_RR_TYPE_NSEC3);
+				break;
+			case 'e':
+				exclude_type(&show_types, 
+					ldns_get_rr_type_by_name(optarg));
+				break;
+			case 'E':
+				include_type(&show_types, 
+					ldns_get_rr_type_by_name(optarg));
 				break;
 			case 'h':
 				print_usage("ldns-read-zone");
@ -113,12 +166,37 @@ main(int argc, char **argv)
 			case 'p':
 				fmt->flags |= LDNS_FMT_PAD_SOA_SERIAL;
 				break;
-                        case 's':
-                        	strip = true;
-                		if (only_dnssec) {
-                			fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
+			case 's':
+			case 'S':
+				exclude_type(&show_types, LDNS_RR_TYPE_RRSIG);
+				exclude_type(&show_types, LDNS_RR_TYPE_NSEC);
+				exclude_type(&show_types, LDNS_RR_TYPE_NSEC3);
+				if (c == 's') break;
+				if (*optarg == '+' || *optarg == '-') {
+					soa_serial_increment_func_data =
+						atoi(optarg);
+					soa_serial_increment_func =
+						ldns_soa_serial_increment_by;
+				} else if (! strtok(optarg, "0123456789")) {
+					soa_serial_increment_func_data =
+						atoi(optarg);
+					soa_serial_increment_func =
+						ldns_soa_serial_identity;
+				} else if (!strcasecmp(optarg, "YYYYMMDDxx")){
+					soa_serial_increment_func =
+						ldns_soa_serial_datecounter;
+				} else if (!strcasecmp(optarg, "unixtime")){
+					soa_serial_increment_func =
+						ldns_soa_serial_unixtime;
+				} else {
+					fprintf(stderr, "-S expects a number "
+						"optionally preceded by a "
+						"+ or - sign to indicate an "
+						"offset, or the text YYYYMM"
+						"DDxx or unixtime\n");
+					exit(EXIT_FAILURE);
 				}
-                        	break;
+				break;
 			case 'u':
 				s = ldns_output_format_set_type(fmt,
 					ldns_get_rr_type_by_name(optarg));
@ -159,36 +237,8 @@ main(int argc, char **argv)
                		canonicalize = true;
                                sort = true;
                                break;
-			case 'S':
-				strip = true;
-				if (*optarg == '+' || *optarg == '-') {
-					soa_serial_increment_func_data =
-						atoi(optarg);
-					soa_serial_increment_func =
-						ldns_soa_serial_increment_by;
-				} else if (! strtok(optarg, "0123456789")) {
-					soa_serial_increment_func_data =
-						atoi(optarg);
-					soa_serial_increment_func =
-						ldns_soa_serial_identity;
-				} else if (!strcasecmp(optarg, "YYYYMMDDxx")){
-					soa_serial_increment_func =
-						ldns_soa_serial_datecounter;
-				} else if (!strcasecmp(optarg, "unixtime")){
-					soa_serial_increment_func =
-						ldns_soa_serial_unixtime;
-				} else {
-					fprintf(stderr, "-S expects a number "
-						"optionally preceded by a "
-						"+ or - sign to indicate an "
-						"offset, or the text YYYYMM"
-						"DDxx or unixtime\n");
-					exit(EXIT_FAILURE);
-				}
-				break;
 		}
 	}
-
 	argc -= optind;
 	argv += optind;

@ -214,38 +264,17 @@ main(int argc, char **argv)
                exit(EXIT_FAILURE);
 	}

-
-	if (strip) {
+	if (show_types) {
+		if (print_soa)
+			print_soa = ldns_nsec_bitmap_covers_type(show_types,
+					LDNS_RR_TYPE_SOA);
 		stripped_list = ldns_rr_list_new();
-		while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
-			cur_rr_type = ldns_rr_get_type(cur_rr);
-			if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
-			    cur_rr_type == LDNS_RR_TYPE_NSEC ||
-			    cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
-			    cur_rr_type == LDNS_RR_TYPE_NSEC3PARAM
-			   ) {
-				ldns_rr_free(cur_rr);
-			} else {
+		while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z))))
+			if (ldns_nsec_bitmap_covers_type(show_types,
+						ldns_rr_get_type(cur_rr)))
 				ldns_rr_list_push_rr(stripped_list, cur_rr);
-			}
-		}
-		ldns_rr_list_free(ldns_zone_rrs(z));
-		ldns_zone_set_rrs(z, stripped_list);
-	}
-	if (only_dnssec) {
-		stripped_list = ldns_rr_list_new();
-		while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
-			cur_rr_type = ldns_rr_get_type(cur_rr);
-			if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
-			    cur_rr_type == LDNS_RR_TYPE_NSEC ||
-			    cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
-			    cur_rr_type == LDNS_RR_TYPE_NSEC3PARAM
-			   ) {
-				ldns_rr_list_push_rr(stripped_list, cur_rr);
-			} else {
+			else
 				ldns_rr_free(cur_rr);
-			}
-		}
 		ldns_rr_list_free(ldns_zone_rrs(z));
 		ldns_zone_set_rrs(z, stripped_list);
 	}
--- a/examples/ldns-signzone.1
+++ b/examples/ldns-signzone.1
@ -121,11 +121,11 @@ Number of hash iterations
 .SH ENGINE OPTIONS
 You can modify the possible engines, if supported, by setting an
 OpenSSL configuration file. This is done through the environment
-variable OPENSSL_CONF. If you use -E with a non-existent engine name,
+variable OPENSSL_CONF. If you use \-E with a non-existent engine name,
 ldns-signzone will print a list of engines supported by your
 configuration.

-The key options (-k and -K) work as follows; you specify a key id, and a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can be any of the following:
+The key options (\-k and \-K) work as follows; you specify a key id, and a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can be any of the following:

    <id>
    <slot>:<id>
--- a/examples/ldns-signzone.c
+++ b/examples/ldns-signzone.c
@ -39,6 +39,7 @@ usage(FILE *fp, const char *prog) {
 	fprintf(fp, "  -o <domain>\torigin for the zone\n");
 	fprintf(fp, "  -v\t\tprint version and exit\n");
 	fprintf(fp, "  -A\t\tsign DNSKEY with all keys instead of minimal\n");
+	fprintf(fp, "  -U\t\tSign with every unique algorithm in the provided keys\n");
 	fprintf(fp, "  -E <name>\tuse <name> as the crypto engine for signing\n");
 	fprintf(fp, "           \tThis can have a lot of extra options, see the manual page for more info\n");
 	fprintf(fp, "  -k <id>,<int>\tuse key id with algorithm int from engine\n");
@ -287,29 +288,6 @@ find_or_create_pubkey(const char *keyfile_name_base, ldns_key *key, ldns_zone *o
 	}
 }

-void
-strip_dnssec_records(ldns_zone *zone)
-{
-	ldns_rr_list *new_list;
-	ldns_rr *cur_rr;
-	
-	new_list = ldns_rr_list_new();
-	
-	while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(zone)))) {
-		if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_RRSIG ||
-		    ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_NSEC ||
-		    ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_NSEC3
-		   ) {
-			
-			ldns_rr_free(cur_rr);
-		} else {
-			ldns_rr_list_push_rr(new_list, cur_rr);
-		}
-	}
-	ldns_rr_list_free(ldns_zone_rrs(zone));
-	ldns_zone_set_rrs(zone, new_list);
-}
-
 int
 main(int argc, char *argv[])
 {
@ -376,9 +354,7 @@ main(int argc, char *argv[])
 	
 	keys = ldns_key_list_new();

-	OPENSSL_config(NULL);
-
-	while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAE:K:")) != -1) {
+	while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAUE:K:")) != -1) {
 		switch (c) {
 		case 'a':
 			nsec3_algorithm = (uint8_t) atoi(optarg);
@ -473,7 +449,9 @@ main(int argc, char *argv[])
 		case 'E':
 			ENGINE_load_builtin_engines();
 			ENGINE_load_dynamic();
+#ifdef HAVE_ENGINE_LOAD_CRYPTODEV
 			ENGINE_load_cryptodev();
+#endif
 			engine = ENGINE_by_id(optarg);
 			if (!engine) {
 				printf("No such engine: %s\n", optarg);
@ -567,6 +545,9 @@ main(int argc, char *argv[])
 			printf("Not implemented yet\n");
 			exit(EXIT_FAILURE);
 			break;
+		case 'U':
+			signflags |= LDNS_SIGN_WITH_ALL_ALGORITHMS;
+			break;
 		case 's':
 			if (strlen(optarg) % 2 != 0) {
 				fprintf(stderr, "Salt value is not valid hex data, not a multiple of 2 characters\n");
--- a/examples/ldns-test-edns.c
+++ b/examples/ldns-test-edns.c
@ -15,13 +15,13 @@
 /** print error details */
 static int verb = 1;

-struct sockaddr_in6* cast_sockaddr_storage2sockaddr_in6(
+static struct sockaddr_in6* cast_sockaddr_storage2sockaddr_in6(
 		struct sockaddr_storage* s)
 {
 	return (struct sockaddr_in6*)s;
 }

-struct sockaddr_in* cast_sockaddr_storage2sockaddr_in(
+static struct sockaddr_in* cast_sockaddr_storage2sockaddr_in(
 		struct sockaddr_storage* s)
 {
 	return (struct sockaddr_in*)s;
--- a/examples/ldns-testns.c
+++ b/examples/ldns-testns.c
@ -150,7 +150,7 @@ struct sockaddr_storage;

 #define INBUF_SIZE 4096         /* max size for incoming queries */
 #define DEFAULT_PORT 53		/* default if no -p port is specified */
-#define CONN_BACKLOG 5		/* 5 connections queued up for tcp */
+#define CONN_BACKLOG 256	/* connections queued up for tcp */
 static const char* prog_name = "ldns-testns";
 static FILE* logfile = 0;
 static int do_verbose = 0;
@ -188,6 +188,7 @@ static void error(const char* msg, ...)
 	exit(EXIT_FAILURE);
 }

+void verbose(int lvl, const char* msg, ...) ATTR_FORMAT(printf, 2, 3);
 void verbose(int ATTR_UNUSED(lvl), const char* msg, ...)
 {
 	va_list args;
@ -280,6 +281,10 @@ read_n_bytes(int sock, uint8_t* buf, size_t sz)
 		if(nb < 0) {
 			log_msg("recv(): %s\n", strerror(errno));
 			return;
+		} else if(nb == 0) {
+			log_msg("recv: remote end closed the channel\n");
+			memset(buf+count, 0, sz-count);
+			return;
 		}
 		count += nb;
 	}
--- a/examples/ldns-testpkts.c
+++ b/examples/ldns-testpkts.c
@ -31,12 +31,8 @@ struct sockaddr_storage;
 /** string to show in warnings and errors */
 static const char* prog_name = "ldns-testpkts";

-#ifndef UTIL_LOG_H
-/** verbosity definition for compat */
-enum verbosity_value { NO_VERBOSE=0 };
-#endif
 /** logging routine, provided by caller */
-void verbose(enum verbosity_value lvl, const char* msg, ...) ATTR_FORMAT(printf, 2, 3);
+void verbose(int lvl, const char* msg, ...) ATTR_FORMAT(printf, 2, 3);

 /** print error and exit */
 static void error(const char* msg, ...)
@ -929,7 +925,7 @@ handle_query(uint8_t* inbuf, ssize_t inlen, struct entry* entries, int* count,
 }

 /** delete the list of reply packets */
-void delete_replylist(struct reply_packet* replist)
+static void delete_replylist(struct reply_packet* replist)
 {
 	struct reply_packet *p=replist, *np;
 	while(p) {
--- a/examples/ldns-update.1
+++ b/examples/ldns-update.1
@ -2,14 +2,17 @@
 .SH NAME
 ldns-update \- send a dynamic update packet
 .SH SYNOPSIS
-.B ldns-update 
+.B ldns-update
+.IR name
 [
 .IR zone
 ]
-.IR ip
 [
-.IR tsig_name 
-.IR tsig_als 
+.IR ip
+]
+[
+.IR tsig_name
+.IR tsig_alg
 .IR tsig_hmac
 ] 

@ -17,13 +20,18 @@ ldns-update \- send a dynamic update packet
 \fBldns-update\fR is used to send a dynamic update packet.

 .SH OPTIONS
+.TP
+\fBname\fR
+The domainname to associate with the given \fBip\fR address.
+
 .TP
 \fBzone\fR
-Use this zone instead of trying to read it from the zonefile's SOA record.
+When given uses this \fBzone\fR instead of trying to find and process \fBdomain\fR's SOA record.

 .TP
 \fBip\fR
-Send the update to this IP address
+Send the update to this IP address.
+Or, when the literal text \fBnone\fR is given, remove any previous addresses.

 .TP
 \fBtsig_name tsig_alg tsig_hmac\fR
--- a/examples/ldns-update.c
+++ b/examples/ldns-update.c
@ -262,7 +262,7 @@ main(int argc, char **argv)
 	ldns_tsig_credentials	tsig_cr, *tsig_cred;
 	int		c = 2;
 	uint32_t	defttl = 300;
-	uint32_t 	port = 5353;
+	uint32_t 	port = 53;
 	
 	prog = strdup(argv[0]);

--- a/examples/ldns-verify-zone.1.in
+++ b/examples/ldns-verify-zone.1.in
@ -49,7 +49,7 @@ Defaults to 100.
 .TP
 \fB-S\fR
 Chase signature(s) to a known key.
-The network may be accessed to validate the zone's DNSKEYs. (implies -k)
+The network may be accessed to validate the zone's DNSKEYs. (implies \-k)

 .TP
 \fB-t\fR \fIYYYYMMDDhhmmss | [+|-]offset\fR
--- a/examples/ldns-verify-zone.c
+++ b/examples/ldns-verify-zone.c
@ -55,7 +55,7 @@ print_type(FILE* stream, ldns_rr_type type)
 	}
 }

-ldns_status
+static ldns_status
 read_key_file(const char *filename, ldns_rr_list *keys)
 {
 	ldns_status status = LDNS_STATUS_ERR;
@ -655,6 +655,46 @@ verify_dnssec_zone(ldns_dnssec_zone *dnssec_zone, ldns_rdf *zone_name,
 	return result;
 }

+static void print_usage(FILE *out, const char *progname)
+{
+	fprintf(out, "Usage: %s [OPTIONS] <zonefile>\n", progname);
+	fprintf(out, "\tReads the zonefile and checks for DNSSEC errors.\n");
+	fprintf(out, "\nIt checks whether NSEC(3)s are present, "
+	       "and verifies all signatures\n");
+	fprintf(out, "It also checks the NSEC(3) chain, but it "
+	       "will error on opted-out delegations\n");
+	fprintf(out, "\nOPTIONS:\n");
+	fprintf(out, "\t-h\t\tshow this text\n");
+	fprintf(out, "\t-a\t\tapex only, check only the zone apex\n");
+	fprintf(out, "\t-e <period>\tsignatures may not expire "
+	       "within this period.\n\t\t\t"
+	       "(default no period is used)\n");
+	fprintf(out, "\t-i <period>\tsignatures must have been "
+	       "valid at least this long.\n\t\t\t"
+	       "(default signatures should just be valid now)\n");
+	fprintf(out, "\t-k <file>\tspecify a file that contains a "
+	       "trusted DNSKEY or DS rr.\n\t\t\t"
+	       "This option may be given more than once.\n"
+	       "\t\t\tDefault is %s\n", LDNS_TRUST_ANCHOR_FILE);
+	fprintf(out, "\t-p [0-100]\tonly checks this percentage of "
+	       "the zone.\n\t\t\tDefaults to 100\n");
+	fprintf(out, "\t-S\t\tchase signature(s) to a known key. "
+	       "The network may be\n\t\t\taccessed to "
+	       "validate the zone's DNSKEYs. (implies -k)\n");
+	fprintf(out, "\t-t YYYYMMDDhhmmss | [+|-]offset\n\t\t\t"
+	       "set the validation time either by an "
+	       "absolute time\n\t\t\tvalue or as an "
+	       "offset in seconds from <now>.\n\t\t\t"
+	       "For data that came from the network (while "
+	       "chasing),\n\t\t\tsystem time will be used "
+	       "for validating it regardless.\n");
+	fprintf(out, "\t-v\t\tshows the version and exits\n");
+	fprintf(out, "\t-V [0-5]\tset verbosity level (default 3)\n");
+	fprintf(out, "\n<period>s are given in ISO 8601 duration format: "
+	       "P[n]Y[n]M[n]DT[n]H[n]M[n]S\n");
+	fprintf(out, "\nif no file is given standard input is read\n");
+}
+
 int
 main(int argc, char **argv)
 {
@ -671,6 +711,7 @@ main(int argc, char **argv)
 	ldns_duration_type *duration;
 	ldns_rr_list *keys = ldns_rr_list_new();
 	size_t nkeys = 0;
+	const char *progname = argv[0];

 	check_time = ldns_time(NULL);
 	myout = stdout;
@ -682,48 +723,7 @@ main(int argc, char **argv)
                        apexonly = true;
                        break;
 		case 'h':
-			printf("Usage: %s [OPTIONS] <zonefile>\n", argv[0]);
-			printf("\tReads the zonefile and checks for DNSSEC "
-			       "errors.\n");
-			printf("\nIt checks whether NSEC(3)s are present, "
-			       "and verifies all signatures\n");
-			printf("It also checks the NSEC(3) chain, but it "
-			       "will error on opted-out delegations\n");
-			printf("\nOPTIONS:\n");
-			printf("\t-h\t\tshow this text\n");
-			printf("\t-a\t\tapex only, "
-			       "check only the zone apex\n");
-			printf("\t-e <period>\tsignatures may not expire "
-			       "within this period.\n\t\t\t"
-			       "(default no period is used)\n");
-			printf("\t-i <period>\tsignatures must have been "
-			       "valid at least this long.\n\t\t\t"
-			       "(default signatures should just be valid "
-			       "now)\n");
-			printf("\t-k <file>\tspecify a file that contains a "
-			       "trusted DNSKEY or DS rr.\n\t\t\t"
-			       "This option may be given more than once.\n"
-			       "\t\t\tDefault is %s", LDNS_TRUST_ANCHOR_FILE);
-			printf("\t-p [0-100]\tonly checks this percentage of "
-			       "the zone.\n\t\t\tDefaults to 100\n");
-			printf("\t-S\t\tchase signature(s) to a known key. "
-			       "The network may be\n\t\t\taccessed to "
-			       "validate the zone's DNSKEYs. (implies -k)\n");
-			printf("\t-t YYYYMMDDhhmmss | [+|-]offset\n\t\t\t"
-			       "set the validation time either by an "
-			       "absolute time\n\t\t\tvalue or as an "
-			       "offset in seconds from <now>.\n\t\t\t"
-			       "For data that came from the network (while "
-			       "chasing),\n\t\t\tsystem time will be used "
-			       "for validating it regardless.\n");
-			printf("\t-v\t\tshows the version and exits\n");
-			printf("\t-V [0-5]\tset verbosity level (default 3)\n"
-			      );
-			printf("\n<period>s are given "
-			       "in ISO 8601 duration format: "
-			       "P[n]Y[n]M[n]DT[n]H[n]M[n]S\n");
-			printf("\nif no file is given "
-			       "standard input is read\n");
+			print_usage(stdout, progname);
 			exit(EXIT_SUCCESS);
 			break;
 		case 'e':
@ -833,7 +833,7 @@ main(int argc, char **argv)

 	if (argc == 0) {
 		fp = stdin;
-	} else {
+	} else if (argc == 1) {
 		filename = argv[0];

 		fp = fopen(filename, "r");
@ -844,6 +844,9 @@ main(int argc, char **argv)
 			}
 			exit(EXIT_FAILURE);
 		}
+	} else {
+		print_usage(stderr, progname);
+		exit(EXIT_FAILURE);
 	}

 	s = ldns_dnssec_zone_new_frm_fp_l(&dnssec_zone, fp, NULL, 0,
--- a/examples/ldns-walk.c
+++ b/examples/ldns-walk.c
@ -27,7 +27,7 @@ usage(FILE *fp, char *prog) {
 	return 0;
 }

-ldns_rdf *
+static ldns_rdf *
 create_dname_plus_1(ldns_rdf *dname)
 {
 	uint8_t *wire;
@ -94,7 +94,7 @@ create_dname_plus_1(ldns_rdf *dname)
 	return newdname;
 }

-ldns_rdf *
+static ldns_rdf *
 create_plus_1_dname(ldns_rdf *dname)
 {
 	ldns_rdf *label;
@ -120,7 +120,7 @@ create_plus_1_dname(ldns_rdf *dname)
 	return label;
 }

-ldns_status
+static ldns_status
 query_type_bitmaps(ldns_resolver *res, 
                   uint16_t res_flags,
                   const ldns_rdf *name,
@ -259,7 +259,7 @@ main(int argc, char *argv[])
 				full = true;
 			} else if (strncmp(argv[i], "-s", 3) == 0) {
 				if (i + 1 < argc) {
-					if (!ldns_str2rdf_dname(&startpoint, argv[i + 1]) == LDNS_STATUS_OK) {
+					if (ldns_str2rdf_dname(&startpoint, argv[i + 1]) != LDNS_STATUS_OK) {
 						printf("Bad start point name: %s\n", argv[i + 1]);
 						exit(1);
 					}
--- a/examples/ldnsd.c
+++ b/examples/ldnsd.c
@ -30,7 +30,7 @@

 #define INBUF_SIZE 4096

-void usage(FILE *output)
+static void usage(FILE *output)
 {
 	fprintf(output, "Usage: ldnsd <address> <port> <zone> <zonefile>\n");
 	fprintf(output, "Listens on the specified port and answers queries for the given zone\n");
@ -63,7 +63,7 @@ static int udp_bind(int sock, int port, const char *my_address)
 }

 /* this will probably be moved to a better place in the library itself */
-ldns_rr_list *
+static ldns_rr_list *
 get_rrset(const ldns_zone *zone, const ldns_rdf *owner_name, const ldns_rr_type qtype, const ldns_rr_class qclass)
 {
 	uint16_t i;
--- a/Show More
+++ b/Show More