2708. [func] Insecure to secure and NSEC3 parameter changes via

update are now fully supported and no longer require defines to enable. We now no longer overload the NSEC3PARAM flag field, nor the NSEC OPT bit at the apex. Secure to insecure changes are controlled by by the named.conf option 'secure-to-insecure'. Warning: If you had previously enabled support by adding defines at compile time to BIND 9.6 you should ensure that all changes that are in progress have completed prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible.
2026-06-08 18:32:10 -04:00 · 2009-10-08 23:13:07 +00:00 · 2009-10-08 23:13:07 +00:00 · 2847930722
commit 2847930722
parent 169b900303
24 changed files with 1248 additions and 580 deletions
--- a/13
+++ b/13
@ -1,3 +1,16 @@
+2708.	[func]		Insecure to secure and NSEC3 parameter changes via
+			update are now fully supported and no longer require
+			defines to enable.  We now no longer overload the
+			NSEC3PARAM flag field, nor the NSEC OPT bit at the
+			apex.  Secure to insecure changes are controlled by
+			by the named.conf option 'secure-to-insecure'.
+
+			Warning: If you had previously enabled support by
+			adding defines at compile time to BIND 9.6 you should
+			ensure that all changes that are in progress have
+			completed prior to upgrading to BIND 9.7.  BIND 9.7
+			is not backwards compatible.
+
 2707.	[func]		dnssec-keyfromlabel no longer require engine name
 			to be specified in the label if there is a default
 			engine or the -E option has been used.  Also, it
--- a/42
+++ b/42
@ -32,18 +32,36 @@ generated as part of the initial signing process.

 While the update request will complete almost immediately the zone
 will not be completely signed until named has had time to walk the
-zone and generate the NSEC and RRSIG records.  Initially the NSEC
-record at the zone apex will have the OPT bit set.  When the NSEC
-chain is complete the OPT bit will be cleared.  Additionally when
-the zone is fully signed the private type (default TYPE65534) records
-will have a non zero value for the final octet. 
+zone and generate the NSEC and RRSIG records.  The NSEC record at the
+apex will be added last to signal that there is a complete NSEC chain.
+Additionally when the zone is fully signed the private type (default
+TYPE65534) records will have a non zero value for the final octet for
+those record with a none zero initial octet.
+
+The private type record format:
+If the first octet is non-zero then the record indicates that the zone needs
+to be signed with the key matching the record or that all signatures that
+match the record should be removed.

-The private type record has 5 octets.
 	algorithm (octet 1)
 	key id in network order (octet 2 and 3)
 	removal flag (octet 4)
 	complete flag (octet 5)

+Only records with the complete flag set can be removed via nsupdate.
+Attempts to remove other private type records will be silently ignored.
+
+If the first octet is zero (this is a reserved algorithm number
+that should never appear in a DNSKEY record) then the record indicates
+changes to the NSEC3 chains are in progress.  The rest of the record
+contains a NSEC3PARAM record.  The flag field tells what operation
+to perform based on the flag bits.
+
+	0x01 OPTOUT
+	0x80 CREATE
+	0x40 REMOVE
+	0x20 NONSEC
+
 If you wish to go straight to a secure zone using NSEC3 you should
 also add a NSECPARAM record to the update request with the flags
 field set to indicate whether the NSEC3 chain will have the OPTOUT
@ -56,10 +74,11 @@ bit set or not.
 	> update add example.net NSEC3PARAM 1 1 100 1234567890
 	> send

-Again the update request will complete almost immediately however the
-NSEC3PARAM record will have additional flag bits set indicating that the
-NSEC3 chain is under construction.  When the NSEC3 chain is complete the
-flags field will be set to zero. 
+Again the update request will complete almost immediately however
+the record won't show up or be deleted until named has had a chance
+to build/remove the relevent chain.  A private type record will be
+created to record the operatation and will be removed once the
+operation completes.

 While the initial signing and NSEC/NSEC3 chain generation is happening
 other updates are possible.
@ -109,7 +128,8 @@ NSEC chain will be generated before the NSEC3 chain is removed.

 To do this remove all the DNSKEY records.  Any NSEC or NSEC3 chains
 will be removed as well as associated NSEC3PARAM records.  This will
-take place after the update requests completes.
+take place after the update requests completes.  This requires
+secure-to-insecure to be set in named.conf.

 		Periodic re-signing.

--- a/5
+++ b/5
@ -73,6 +73,11 @@ BIND 9.7.0
        - Improved PKCS#11 support, including Keyper support and explicit
          OpenSSL engine selection (see README.pkcs11 for additional details).

+	Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
+	ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
+	you should ensure that all changes that are in progress have completed
+	prior to upgrading to BIND 9.7.  BIND 9.7 is not backwards compatible.
+
 BIND 9.6.0

        BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: config.c,v 1.101 2009/09/01 07:14:25 each Exp $ */
+/* $Id: config.c,v 1.102 2009/10/08 23:13:05 marka Exp $ */

 /*! \file */

@ -185,6 +185,7 @@ options {\n\
 	max-refresh-time 2419200; /* 4 weeks */\n\
 	min-refresh-time 300;\n\
 	multi-master no;\n\
+	secure-to-insecure no;\n\
 	sig-validity-interval 30; /* days */\n\
 	sig-signing-nodes 100;\n\
 	sig-signing-signatures 10;\n\
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@ -17,7 +17,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: named.conf.docbook,v 1.39 2008/09/24 02:46:21 marka Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.40 2009/10/08 23:13:05 marka Exp $ -->
 <refentry>
  <refentryinfo>
    <date>Aug 13, 2004</date>
@ -340,6 +340,7 @@ options {
 	try-tcp-refresh <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
+	secure-to-insecure <replaceable>boolean</replaceable>;

 	nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only

@ -499,6 +500,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	key-directory <replaceable>quoted_string</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
+	secure-to-insecure <replaceable>boolean</replaceable>;

 	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
 	fetch-glue <replaceable>boolean</replaceable>; // obsolete
@ -533,6 +535,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	ixfr-from-differences <replaceable>boolean</replaceable>;
 	journal <replaceable>quoted_string</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
+	secure-to-insecure <replaceable>boolean</replaceable>;

 	allow-query { <replaceable>address_match_element</replaceable>; ... };
 	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
--- a/bin/named/update.c
+++ b/bin/named/update.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: update.c,v 1.159 2009/08/17 07:18:41 marka Exp $ */
+/* $Id: update.c,v 1.160 2009/10/08 23:13:05 marka Exp $ */

 #include <config.h>

@ -38,6 +38,7 @@
 #include <dns/message.h>
 #include <dns/nsec.h>
 #include <dns/nsec3.h>
+#include <dns/private.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
@ -1211,8 +1212,8 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 		 * Replace records added in this UPDATE request.
 		 */
 		if (db_rr->data[0] == update_rr->data[0] &&
-		    db_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
-		    update_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
+		    (db_rr->data[1] & DNS_NSEC3FLAG_UPDATE) != 0 &&
+		    (update_rr->data[1] & DNS_NSEC3FLAG_UPDATE) != 0 &&
 		    memcmp(db_rr->data+2, update_rr->data+2,
 			   update_rr->length - 2) == 0)
 			return (ISC_TRUE);
@ -1717,35 +1718,6 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	return (result);
 }

-static isc_boolean_t
-has_opt_bit(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	isc_boolean_t has_bit = ISC_FALSE;
-
-	dns_rdataset_init(&rdataset);
-	CHECK(dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
-				  dns_rdatatype_none, 0, &rdataset, NULL));
-	CHECK(dns_rdataset_first(&rdataset));
-	dns_rdataset_current(&rdataset, &rdata);
-	has_bit = dns_nsec_typepresent(&rdata, dns_rdatatype_opt);
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	return (has_bit);
-}
-
-static void
-set_bit(unsigned char *array, unsigned int index) {
-	unsigned int shift, bit;
-
-	shift = 7 - (index % 8);
-	bit = 1 << shift;
-
-	array[index / 8] |= bit;
-}
-
 /*%
 * Add a NSEC record for "name", recording the change in "diff".
 * The existing NSEC is removed.
@ -1777,24 +1749,6 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
 	dns_rdata_init(&rdata);
 	CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
-	/*
-	 * Preserve the status of the OPT bit in the origin's NSEC record.
-	 */
-	if (dns_name_equal(dns_db_origin(db), name) &&
-	    has_opt_bit(db, ver, node))
-	{
-			isc_region_t region;
-			dns_name_t next;
-
-			dns_name_init(&next, NULL);
-			dns_rdata_toregion(&rdata, &region);
-			dns_name_fromregion(&next, &region);
-			isc_region_consume(&region, next.length);
-			INSIST(region.length > (2 + dns_rdatatype_opt / 8) &&
-			       region.base[0] == 0 &&
-			       region.base[1] > dns_rdatatype_opt / 8);
-			set_bit(region.base + 2, dns_rdatatype_opt);
-	}
 	dns_db_detachnode(db, &node);

 	/*
@ -2129,7 +2083,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_diff_t sig_diff;
 	dns_diff_t nsec_diff;
 	dns_diff_t nsec_mindiff;
-	isc_boolean_t flag;
+	isc_boolean_t flag, build_nsec, build_nsec3;
 	dst_key_t *zone_keys[MAXZONEKEYS];
 	unsigned int nkeys = 0;
 	unsigned int i;
@ -2142,6 +2096,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	isc_boolean_t check_ksk;
 	isc_boolean_t unsecure;
 	isc_boolean_t cut;
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);

 	dns_diff_init(client->mctx, &diffnames);
 	dns_diff_init(client->mctx, &affected);
@ -2288,12 +2243,11 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		   "removed any orphaned NSEC records");

 	/*
-	 * If we don't have a NSEC record at the origin then we need to
-	 * update the NSEC3 records.
+	 * See if we need to build NSEC or NSEC3 chains.
 	 */
-	CHECK(rrset_exists(db, newver, dns_db_origin(db), dns_rdatatype_nsec,
-			   0, &flag));
-	if (!flag)
+	CHECK(dns_private_chains(db, newver, privatetype, &build_nsec,
+				 &build_nsec3));
+	if (!build_nsec)
 		goto update_nsec3;

 	update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain");
@ -2397,13 +2351,18 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 					dns_rdatatype_any, 0, NULL, diff));
 		} else {
 			/*
-			 * This name is not obscured.  It should have a NSEC.
+			 * This name is not obscured.  It should have a NSEC
+			 * unless it is the at the origin, in which case it
+			 * should already exist.
 			 */
-			CHECK(rrset_exists(db, newver, name,
-					   dns_rdatatype_nsec, 0, &flag));
-			if (! flag)
-				CHECK(add_placeholder_nsec(db, newver, name,
-							   diff));
+			if (!dns_name_equal(name, dns_db_origin(db))) {
+				CHECK(dns_private_chains(db, newver,
+							 privatetype, &flag,
+							 NULL));
+				if (flag)
+					CHECK(add_placeholder_nsec(db, newver,
+								   name, diff));
+			}
 			CHECK(add_exposed_sigs(client, zone, db, newver, name,
 					       cut, diff, zone_keys, nkeys,
 					       inception, expire, check_ksk));
@ -2490,13 +2449,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
 	INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));

-	/*
-	 * Check if we have any active NSEC3 chains by looking for a
-	 * NSEC3PARAM RRset.
-	 */
-	CHECK(rrset_exists(db, newver, dns_db_origin(db),
-			   dns_rdatatype_nsec3param, 0, &flag));
-	if (!flag) {
+	if (!build_nsec3) {
 		update_log(client, zone, ISC_LOG_DEBUG(3),
 			   "no NSEC3 chains to rebuild");
 		goto failure;
@ -2520,6 +2473,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,

 		isc_boolean_t ns_existed, dname_existed;
 		isc_boolean_t ns_exists, dname_exists;
+		isc_boolean_t exists, existed;

 		if (t->rdata.type == dns_rdatatype_nsec ||
 		    t->rdata.type == dns_rdatatype_rrsig) {
@ -2538,7 +2492,9 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		CHECK(rrset_exists(db, newver, name, dns_rdatatype_dname, 0,
 				   &dname_exists));

-		if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
+		exists = ns_exists || dname_exists;
+		existed = ns_existed || dname_existed;
+		if (exists == existed)
 			goto nextname;
 		/*
 		 * There was a delegation change.  Mark all subdomains
@ -2562,14 +2518,15 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		if (!flag) {
 			CHECK(delete_if(rrsig_p, db, newver, name,
 					dns_rdatatype_any, 0, NULL, diff));
-			CHECK(dns_nsec3_delnsec3s(db, newver, name,
-						  &nsec_diff));
+			CHECK(dns_nsec3_delnsec3sx(db, newver, name,
+						   privatetype, &nsec_diff));
 		} else {
 			CHECK(add_exposed_sigs(client, zone, db, newver, name,
 					       cut, diff, zone_keys, nkeys,
 					       inception, expire, check_ksk));
-			CHECK(dns_nsec3_addnsec3s(db, newver, name, nsecttl,
-						  unsecure, &nsec_diff));
+			CHECK(dns_nsec3_addnsec3sx(db, newver, name, nsecttl,
+						   unsecure, privatetype,
+						   &nsec_diff));
 		}
 	}

@ -2960,7 +2917,9 @@ rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 }

 static isc_result_t
-get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
+get_iterations(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype,
+	       unsigned int *iterationsp)
+{
 	dns_dbnode_t *node = NULL;
 	dns_rdata_nsec3param_t nsec3param;
 	dns_rdataset_t rdataset;
@ -2974,9 +2933,8 @@ get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
 		return (result);
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
 				     0, (isc_stdtime_t) 0, &rdataset, NULL);
-	dns_db_detachnode(db, &node);
 	if (result == ISC_R_NOTFOUND)
-		goto success;
+		goto try_private;
 	if (result != ISC_R_SUCCESS)
 		goto failure;

@ -2994,11 +2952,46 @@ get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
 	if (result != ISC_R_NOMORE)
 		goto failure;

+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+	if (privatetype == 0)
+		goto success;
+
+	result = dns_db_findrdataset(db, node, ver, privatetype,
+				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t private = DNS_RDATA_INIT;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		if (!dns_nsec3param_fromprivate(&private, &rdata,
+						buf, sizeof(buf)))
+			continue;
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+			continue;
+		if (nsec3param.iterations > iterations)
+			iterations = nsec3param.iterations;
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
 success:
 	*iterationsp = iterations;
 	result = ISC_R_SUCCESS;

 failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
 	return (result);
@ -3018,18 +3011,19 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	isc_boolean_t flag;
 	isc_result_t result;
 	unsigned int iterations = 0, max;
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);

 	dns_diff_init(diff->mctx, &temp_diff);

 	CHECK(dns_nsec_nseconly(db, ver, &flag));

 	if (flag)
-		CHECK(dns_nsec3_active(db, ver, ISC_FALSE, &flag));
+		CHECK(dns_nsec3_activex(db, ver, ISC_FALSE, privatetype, &flag));
 	if (flag) {
 		update_log(client, zone, ISC_LOG_WARNING,
 			   "NSEC only DNSKEYs and NSEC3 chains not allowed");
 	} else {
-		CHECK(get_iterations(db, ver, &iterations));
+		CHECK(get_iterations(db, ver, privatetype, &iterations));
 		CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
 		if (iterations > max) {
 			flag = ISC_TRUE;
@ -3068,21 +3062,22 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	return (result);
 }

-#ifdef ALLOW_NSEC3PARAM_UPDATE
 /*
 * Delay NSEC3PARAM changes as they need to be applied to the whole zone.
 */
 static isc_result_t
 add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
-		       dns_name_t *name, dns_dbversion_t *ver, dns_diff_t *diff)
+		       dns_dbversion_t *ver, dns_diff_t *diff)
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	dns_difftuple_t *tuple, *newtuple = NULL, *next;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
 	dns_diff_t temp_diff;
 	dns_diffop_t op;
 	isc_boolean_t flag;
+	dns_name_t *name = dns_zone_getorigin(zone);
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);;

 	update_log(client, zone, ISC_LOG_DEBUG(3),
 		    "checking for NSEC3PARAM changes");
@ -3140,12 +3135,10 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			/*
 			 * See if we already have a CREATE request in progress.
 			 */
-			dns_rdata_clone(&tuple->rdata, &rdata);
-			INSIST(rdata.length <= sizeof(buf));
-			memcpy(buf, rdata.data, rdata.length);
-			buf[1] |= DNS_NSEC3FLAG_CREATE;
-			buf[1] &= ~DNS_NSEC3FLAG_UPDATE;
-			rdata.data = buf;
+			dns_nsec3param_toprivate(&tuple->rdata, &rdata,
+						 privatetype, buf, sizeof(buf));
+			buf[2] |= DNS_NSEC3FLAG_CREATE;
+			buf[2] &= ~DNS_NSEC3FLAG_UPDATE;

 			CHECK(rr_exists(db, ver, name, &rdata, &flag));

@ -3157,6 +3150,7 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 							   &newtuple));
 				CHECK(do_one_tuple(&newtuple, db, ver, diff));
 			}
+
 			/*
 			 * Remove the temporary add record.
 			 */
@ -3199,11 +3193,9 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		/*
 		 * See if we already have a REMOVE request in progress.
 		 */
-		dns_rdata_clone(&tuple->rdata, &rdata);
-		INSIST(rdata.length <= sizeof(buf));
-		memcpy(buf, rdata.data, rdata.length);
-		buf[1] |= DNS_NSEC3FLAG_REMOVE;
-		rdata.data = buf;
+		dns_nsec3param_toprivate(&tuple->rdata, &rdata,
+					 privatetype, buf, sizeof(buf));
+		buf[2] |= DNS_NSEC3FLAG_REMOVE;

 		CHECK(rr_exists(db, ver, name, &rdata, &flag));

@ -3227,15 +3219,74 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_diff_clear(&temp_diff);
 	return (result);
 }
-#endif
+
+static isc_result_t
+rollback_private(dns_db_t *db, dns_rdatatype_t privatetype,
+		 dns_dbversion_t *ver, dns_diff_t *diff)
+{
+	dns_diff_t temp_diff;
+	dns_diffop_t op;
+	dns_difftuple_t *tuple, *newtuple = NULL, *next;
+	dns_name_t *name = dns_db_origin(db);
+	isc_mem_t *mctx = diff->mctx;
+	isc_result_t result;
+
+	if (privatetype == 0)
+		return (ISC_R_SUCCESS);
+
+	dns_diff_init(mctx, &temp_diff);
+
+	/*
+	 * Extract the changes to be rolled back.
+	 */
+	for (tuple = ISC_LIST_HEAD(diff->tuples);
+	     tuple != NULL;
+	     tuple = next) {
+
+		next = ISC_LIST_NEXT(tuple, link);
+
+		if (tuple->rdata.type != privatetype ||
+		    !dns_name_equal(name, &tuple->name))
+			continue;
+
+		/*
+		 * Allow records which indicate that a zone has been
+		 * signed with a DNSKEY to be be removed.
+		 */
+		if (tuple->op == DNS_DIFFOP_DEL &&
+		    tuple->rdata.length == 5 &&
+		    tuple->rdata.data[0] != 0 &&
+		    tuple->rdata.data[4] != 0)
+			continue;
+
+		ISC_LIST_UNLINK(diff->tuples, tuple, link);
+		ISC_LIST_PREPEND(temp_diff.tuples, tuple, link);
+	}
+
+	/*
+	 * Rollback the changes.
+	 */
+	while ((tuple = ISC_LIST_HEAD(temp_diff.tuples)) != NULL) {
+		op = (tuple->op == DNS_DIFFOP_DEL) ?
+		      DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
+		CHECK(dns_difftuple_create(mctx, op, name, tuple->ttl,
+					   &tuple->rdata, &newtuple));
+		CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
+	}
+	result = ISC_R_SUCCESS;
+
+ failure:
+	dns_diff_clear(&temp_diff);
+	return (result);
+}

 /*
 * Add records to cause the delayed signing of the zone by added DNSKEY
 * to remove the RRSIG records generated by a deleted DNSKEY.
 */
 static isc_result_t
-add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
-		    dns_rdatatype_t privatetype, dns_diff_t *diff)
+add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
+		    dns_dbversion_t *ver, dns_diff_t *diff)
 {
 	dns_difftuple_t *tuple, *newtuple = NULL;
 	dns_rdata_dnskey_t dnskey;
@ -3245,6 +3296,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_uint16_t keyid;
 	unsigned char buf[5];
+	dns_name_t *name = dns_db_origin(db);

 	for (tuple = ISC_LIST_HEAD(diff->tuples);
 	     tuple != NULL;
@ -3259,6 +3311,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
 			continue;

 		dns_rdata_toregion(&tuple->rdata, &r);
+
 		keyid = dst_region_computeid(&r, dnskey.algorithm);

 		buf[0] = dnskey.algorithm;
@ -3295,13 +3348,12 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
 	return (result);
 }

-#ifdef ALLOW_NSEC3PARAM_UPDATE
 /*
 * Mark all NSEC3 chains for deletion without creating a NSEC chain as
 * a side effect of deleting the last chain.
 */
 static isc_result_t
-delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_zone_t *zone,
 	      dns_diff_t *diff)
 {
 	dns_dbnode_t *node = NULL;
@ -3311,7 +3363,9 @@ delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	dns_rdataset_t rdataset;
 	isc_boolean_t flag;
 	isc_result_t result = ISC_R_SUCCESS;
-	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
+	dns_name_t *origin = dns_zone_getorigin(zone);
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);

 	dns_name_init(&next, NULL);
 	dns_rdataset_init(&rdataset);
@ -3325,6 +3379,47 @@ delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	 */
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
 				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
+					   rdataset.ttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, ver, diff));
+		INSIST(tuple == NULL);
+
+		dns_nsec3param_toprivate(&rdata, &private, privatetype,
+					 buf, sizeof(buf));
+		buf[2] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
+
+		CHECK(rr_exists(db, ver, origin, &rdata, &flag));
+
+		if (!flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   origin, 0, &rdata, &tuple));
+			CHECK(do_one_tuple(&tuple, db, ver, diff));
+			INSIST(tuple == NULL);
+		}
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+	if (privatetype == 0)
+		goto success;
+	result = dns_db_findrdataset(db, node, ver, privatetype, 0,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND)
 		goto success;
 	if (result != ISC_R_SUCCESS)
@ -3337,18 +3432,18 @@ delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 		INSIST(rdata.length <= sizeof(buf));
 		memcpy(buf, rdata.data, rdata.length);

-		if (buf[1] == (DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC)) {
+		if (buf[0] != 0 ||
+		    buf[2] == (DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC)) {
 			dns_rdata_reset(&rdata);
 			continue;
 		}

-		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
-					   origin, 0, &rdata, &tuple));
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
+					   0, &rdata, &tuple));
 		CHECK(do_one_tuple(&tuple, db, ver, diff));
 		INSIST(tuple == NULL);

-		buf[1] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
-		rdata.data = buf;
+		buf[2] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;

 		CHECK(rr_exists(db, ver, origin, &rdata, &flag));

@ -3371,7 +3466,20 @@ delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	dns_db_detachnode(db, &node);
 	return (result);
 }
-#endif
+
+static isc_boolean_t
+isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) {
+	isc_result_t result;
+	isc_boolean_t build_nsec, build_nsec3;
+
+	if (dns_db_issecure(db))
+		return (ISC_TRUE);
+	
+	result = dns_private_chains(db, ver, privatetype,
+				    &build_nsec, &build_nsec3);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	return (build_nsec || build_nsec3);
+}

 static void
 update_action(isc_task_t *task, isc_event_t *event) {
@ -3398,12 +3506,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	isc_boolean_t deleted_zsk;
 	dns_difftuple_t *tuple;
 	dns_rdata_dnskey_t dnskey;
-#ifdef ALLOW_NSEC3PARAM_UPDATE
 	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-#endif
-#if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
 	isc_boolean_t had_dnskey;
-#endif
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);

 	INSIST(event->ev_type == DNS_EVENT_UPDATE);

@ -3600,27 +3705,26 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				   update_class);
 			FAIL(DNS_R_FORMERR);
 		}
+
 		/*
 		 * draft-ietf-dnsind-simple-secure-update-01 says
 		 * "Unlike traditional dynamic update, the client
 		 * is forbidden from updating NSEC records."
 		 */
-		if (dns_db_issecure(db)) {
-			if (rdata.type == dns_rdatatype_nsec3) {
-				FAILC(DNS_R_REFUSED,
-				      "explicit NSEC3 updates are not allowed "
-				      "in secure zones");
-			} else if (rdata.type == dns_rdatatype_nsec) {
-				FAILC(DNS_R_REFUSED,
-				      "explicit NSEC updates are not allowed "
-				      "in secure zones");
-			} else if (rdata.type == dns_rdatatype_rrsig &&
-				   !dns_name_equal(name, zonename)) {
-				FAILC(DNS_R_REFUSED,
-				      "explicit RRSIG updates are currently "
-				      "not supported in secure zones except "
-				      "at the apex");
-			}
+		if (rdata.type == dns_rdatatype_nsec3) {
+			FAILC(DNS_R_REFUSED,
+			      "explicit NSEC3 updates are not allowed "
+			      "in secure zones");
+		} else if (rdata.type == dns_rdatatype_nsec) {
+			FAILC(DNS_R_REFUSED,
+			      "explicit NSEC updates are not allowed "
+			      "in secure zones");
+		} else if (rdata.type == dns_rdatatype_rrsig &&
+			   !dns_name_equal(name, zonename)) {
+			FAILC(DNS_R_REFUSED,
+			      "explicit RRSIG updates are currently "
+			      "not supported in secure zones except "
+			      "at the apex");
 		}

 		if (ssutable != NULL) {
@ -3755,7 +3859,14 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				soa_serial_changed = ISC_TRUE;
 			}

-#ifdef ALLOW_NSEC3PARAM_UPDATE
+			if (rdata.type == privatetype) {
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "attempt to add a private type "
+					   "(%u) record rejected internal "
+					   "use only", privatetype);
+				continue;
+			}
+
 			if (rdata.type == dns_rdatatype_nsec3param) {
 				/*
 				 * Ignore attempts to add NSEC3PARAM records
@ -3771,7 +3882,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				}

 				/*
-				 * Set the NSEC3CHAIN creation flag.
+				 * NSEC3CHAIN creation flag.
 				 */
 				INSIST(rdata.length <= sizeof(buf));
 				memcpy(buf, rdata.data, rdata.length);
@ -3782,14 +3893,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				 */
 				ttl = 0;
 			}
-#else
-			if (rdata.type == dns_rdatatype_nsec3param) {
-				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "attempt to add NSEC3PARAM "
-					   "record ignored");
-				continue;
-			};
-#endif

 			if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
 			    dns_name_internalwildcard(name)) {
@ -3866,13 +3969,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 							dns_rdatatype_any, 0,
 							&rdata, &diff));
 				}
-#ifndef ALLOW_NSEC3PARAM_UPDATE
-			} else if (rdata.type == dns_rdatatype_nsec3param) {
-				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "attempt to delete a NSEC3PARAM "
-					   "records ignored");
-				continue;
-#endif
 			} else if (dns_name_equal(name, zonename) &&
 				   (rdata.type == dns_rdatatype_soa ||
 				    rdata.type == dns_rdatatype_ns)) {
@ -3976,37 +4072,28 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
 				   0, &has_dnskey));

-#if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
-		CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey,
-				   0, &had_dnskey));
+#define ALLOW_SECURE_TO_INSECURE(zone) \
+	((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0)

-#ifndef ALLOW_SECURE_TO_INSECURE
-		if (had_dnskey && !has_dnskey) {
-			update_log(client, zone, LOGLEVEL_PROTOCOL,
-				   "update rejected: all DNSKEY records "
-				   "removed");
-			result = DNS_R_REFUSED;
-			goto failure;
+		if (!ALLOW_SECURE_TO_INSECURE(zone)) {
+			CHECK(rrset_exists(db, oldver, zonename,
+					   dns_rdatatype_dnskey, 0,
+					   &had_dnskey));
+			if (had_dnskey && !has_dnskey) {
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "update rejected: all DNSKEY records "
+					   "removed and 'secure-to-insecure' "
+					   "not set");
+				result = DNS_R_REFUSED;
+				goto failure;
+			}
 		}
-#endif
-#ifndef ALLOW_INSECURE_TO_SECURE
-		if (!had_dnskey && has_dnskey) {
-			update_log(client, zone, LOGLEVEL_PROTOCOL,
-				   "update rejected: DNSKEY record added");
-			result = DNS_R_REFUSED;
-			goto failure;
-		}
-#endif
-#endif

-		CHECK(add_signing_records(db, zonename, ver,
-					  dns_zone_getprivatetype(zone),
-					  &diff));
+		CHECK(rollback_private(db, privatetype, ver, &diff));

-#ifdef ALLOW_NSEC3PARAM_UPDATE
-		CHECK(add_nsec3param_records(client, zone, db, zonename,
-					     ver, &diff));
-#endif
+		CHECK(add_signing_records(db, privatetype, ver, &diff));
+
+		CHECK(add_nsec3param_records(client, zone, db, ver, &diff));

 		if (!has_dnskey) {
 			/*
@ -4015,10 +4102,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			 * the last signature for the DNSKEY records are
 			 * remove any NSEC chain present will also be removed.
 			 */
-#ifdef ALLOW_NSEC3PARAM_UPDATE
-			 CHECK(delete_chains(db, ver, zonename, &diff));
-#endif
-		} else if (has_dnskey && dns_db_isdnssec(db)) {
+			 CHECK(delete_chains(db, ver, zone, &diff));
+		} else if (has_dnskey && isdnssec(db, ver, privatetype)) {
 			isc_uint32_t interval;
 			interval = dns_zone_getsigvalidityinterval(zone);
 			result = update_signatures(client, zone, db, oldver,
@ -4109,7 +4194,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			}
 		}

-#ifdef ALLOW_NSEC3PARAM_UPDATE
 		/*
 		 * Cause the zone to add/delete NSEC3 chains for the
 		 * deferred NSEC3PARAM changes.
@ -4119,13 +4203,18 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		for (tuple = ISC_LIST_HEAD(diff.tuples);
 		     tuple != NULL;
 		     tuple = ISC_LIST_NEXT(tuple, link)) {
+			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+			dns_rdata_t rdata = DNS_RDATA_INIT;
 			dns_rdata_nsec3param_t nsec3param;

-			if (tuple->rdata.type != dns_rdatatype_nsec3param ||
+			if (tuple->rdata.type != privatetype ||
 			    tuple->op != DNS_DIFFOP_ADD)
 				continue;

-			dns_rdata_tostruct(&tuple->rdata, &nsec3param, NULL);
+			if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
+						   buf, sizeof(buf)))
+				continue;
+			dns_rdata_tostruct(&rdata, &nsec3param, NULL);
 			if (nsec3param.flags == 0)
 				continue;

@ -4136,7 +4225,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 					   dns_result_totext(result));
 			}
 		}
-#endif
 	} else {
 		update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
 		dns_db_closeversion(db, &ver, ISC_TRUE);
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zoneconf.c,v 1.154 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: zoneconf.c,v 1.155 2009/10/08 23:13:06 marka Exp $ */

 /*% */

@ -929,6 +929,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			INSIST(0);
 		dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
 		dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
+
+		obj = NULL;
+		result = ns_config_get(maps, "secure-to-insecure", &obj);
+		INSIST(obj != NULL);
+		dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
+				   cfg_obj_asboolean(obj));
 	}

 	/*
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@ -18,7 +18,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- File: $Id: Bv9ARM-book.xml,v 1.430 2009/10/05 01:49:59 each Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.431 2009/10/08 23:13:06 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
  <title>BIND 9 Administrator Reference Manual</title>

@ -4891,6 +4891,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
    <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
    <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
    <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
    <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
    <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
@ -6442,6 +6443,17 @@ options {
 	      </listitem>
 	    </varlistentry>

+	    <varlistentry>
+	      <term><command>secure-to-insecure</command></term>
+	      <listitem>
+	        <para>
+		  Allow a zone to transition from secure to insecure by
+		  deleting all DNSKEY records.  The default is
+		  <command>no</command>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
          </variablelist>

        </sect3>
@ -9347,6 +9359,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
    <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
    <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
    <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
                  <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
@ -10259,6 +10272,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
 		</listitem>
 	      </varlistentry>

+              <varlistentry>
+                <term><command>secure-to-insecure</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>secure-to-insecure</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
            </variablelist>

          </sect3>
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: check.c,v 1.108 2009/09/02 16:10:03 each Exp $ */
+/* $Id: check.c,v 1.109 2009/10/08 23:13:06 marka Exp $ */

 /*! \file */

@ -23,6 +23,7 @@

 #include <stdlib.h>

+#include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/log.h>
 #include <isc/mem.h>
@ -1100,6 +1101,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "min-retry-time", SLAVEZONE | STUBZONE },
 	{ "max-refresh-time", SLAVEZONE | STUBZONE },
 	{ "min-refresh-time", SLAVEZONE | STUBZONE },
+	{ "secure-to-insecure", MASTERZONE },
 	{ "sig-validity-interval", MASTERZONE },
 	{ "sig-re-signing-interval", MASTERZONE },
 	{ "sig-signing-nodes", MASTERZONE },
@ -1404,6 +1406,9 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
 	const char *algorithm;
 	int i;
 	size_t len = 0;
+	isc_result_t result;
+	isc_buffer_t buf;
+	unsigned char secretbuf[1024];
 	static const algorithmtable algorithms[] = {
 		{ "hmac-md5", 128 },
 		{ "hmac-md5.sig-alg.reg.int", 0 },
@ -1426,6 +1431,14 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
 		return (ISC_R_FAILURE);
 	}

+	isc_buffer_init(&buf, secretbuf, sizeof(secretbuf));
+	result = isc_base64_decodestring(cfg_obj_asstring(secretobj), &buf);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(secretobj, logctx, ISC_LOG_ERROR,
+			    "bad secret '%s'", isc_result_totext(result));
+		return (result);
+	}
+
 	algorithm = cfg_obj_asstring(algobj);
 	for (i = 0; algorithms[i].name != NULL; i++) {
 		len = strlen(algorithms[i].name);
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: Makefile.in,v 1.167 2009/10/05 17:30:49 fdupont Exp $
+# $Id: Makefile.in,v 1.168 2009/10/08 23:13:06 marka Exp $

 srcdir =	@srcdir@
 VPATH =		@srcdir@
@ -61,7 +61,7 @@ DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
 		keydata.@O@ keytable.@O@ lib.@O@ log.@O@ lookup.@O@ \
 		master.@O@ masterdump.@O@ message.@O@ \
 		name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ \
-		portlist.@O@ \
+		portlist.@O@ private.@O@ \
 		rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
 		rdatalist.@O@ \
 		rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: db.c,v 1.94 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: db.c,v 1.95 2009/10/08 23:13:06 marka Exp $ */

 /*! \file */

@ -938,9 +938,9 @@ dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name)
 }

 void
-dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
+		dns_dbversion_t *version)
 {
 	if (db->methods->resigned != NULL)
 		(db->methods->resigned)(db, rdataset, version);
 }
-
--- a/lib/dns/include/dns/Makefile.in
+++ b/lib/dns/include/dns/Makefile.in
@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: Makefile.in,v 1.55 2008/11/14 23:47:33 tbox Exp $
+# $Id: Makefile.in,v 1.56 2009/10/08 23:13:07 marka Exp $

 srcdir =	@srcdir@
 VPATH =		@srcdir@
@ -21,19 +21,17 @@ top_srcdir =	@top_srcdir@

@BIND9_VERSION@

-HEADERS =	acl.h adb.h byaddr.h cache.h callbacks.h \
-		cert.h compress.h \
+HEADERS =	acl.h adb.h byaddr.h cache.h callbacks.h cert.h compress.h \
 		db.h dbiterator.h dbtable.h diff.h dispatch.h dlz.h \
-		dnssec.h ds.h events.h fixedname.h iptable.h journal.h keyflags.h \
-		keytable.h keyvalues.h lib.h log.h master.h masterdump.h \
-		message.h name.h ncache.h \
-		nsec.h peer.h portlist.h rbt.h rcode.h \
+		dnssec.h ds.h events.h fixedname.h iptable.h journal.h \
+		keyflags.h keytable.h keyvalues.h lib.h log.h \
+		master.h masterdump.h message.h name.h ncache.h nsec.h \
+		peer.h portlist.h private.h rbt.h rcode.h \
 		rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
 		rdataslab.h rdatatype.h request.h resolver.h result.h \
 		rootns.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
-		tcpmsg.h time.h tkey.h \
-		tsig.h ttl.h types.h validator.h version.h view.h xfrin.h \
-		zone.h zonekey.h zt.h
+		tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \
+		validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h

 GENHEADERS =	enumclass.h enumtype.h rdatastruct.h

--- a/lib/dns/include/dns/nsec3.h
+++ b/lib/dns/include/dns/nsec3.h
@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: nsec3.h,v 1.8 2009/10/06 21:20:45 each Exp $ */
+/* $Id: nsec3.h,v 1.9 2009/10/08 23:13:07 marka Exp $ */

 #ifndef DNS_NSEC3_H
 #define DNS_NSEC3_H 1
@ -110,6 +110,12 @@ isc_result_t
 dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
 		    dns_name_t *name, dns_ttl_t nsecttl,
 		    isc_boolean_t unsecure, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+		     dns_name_t *name, dns_ttl_t nsecttl,
+		     isc_boolean_t unsecure, dns_rdatatype_t private,
+		     dns_diff_t *diff);
 /*%<
 * Add NSEC3 records for 'name', recording the change in 'diff'.
 * Adjust previous NSEC3 records, if any, to reflect the addition.
@ -130,6 +136,10 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
 * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
 * record in the chain.
 *
+ * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
 * Requires:
 *	'db' to be valid.
 *	'version' to be valid or NULL.
@ -145,6 +155,10 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 isc_result_t
 dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		    dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		     dns_rdatatype_t private, dns_diff_t *diff);
 /*%<
 * Remove NSEC3 records for 'name', recording the change in 'diff'.
 * Adjust previous NSEC3 records, if any, to reflect the removal.
@ -156,6 +170,10 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 * to dns_nsec3_addnsec3s().  Unlike dns_nsec3_addnsec3s() updated NSEC3
 * records have the OPTOUT flag preserved.
 *
+ * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
 * Requires:
 *	'db' to be valid.
 *	'version' to be valid or NULL.
@ -167,10 +185,19 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 isc_result_t
 dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
 		 isc_boolean_t complete, isc_boolean_t *answer);
+
+isc_result_t
+dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
+		  isc_boolean_t complete, dns_rdatatype_t private,
+		  isc_boolean_t *answer);
 /*%<
 * Check if there are any complete/to be built NSEC3 chains.
 * If 'complete' is ISC_TRUE only complete chains will be recognized.
 *
+ * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
 * Requires:
 *	'db' to be valid.
 *	'version' to be valid or NULL.
@ -191,6 +218,27 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
 *	'iterationsp' to be non NULL.
 */

+isc_boolean_t
+dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
+                           unsigned char *buf, size_t buflen);
+/*%<
+ * Convert a private rdata to a nsec3param rdata.
+ *
+ * Return ISC_TRUE if 'src' could be successfully converted.
+ *
+ * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
+ */
+
+void
+dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
+                         dns_rdatatype_t privatetype,
+                         unsigned char *buf, size_t buflen);
+/*%<
+ * Convert a nsec3param rdata to a private rdata.
+ *
+ * 'buf' should be at least src->length + 1 in size.
+ */
+
 ISC_LANG_ENDDECLS

 #endif /* DNS_NSEC3_H */
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: rdata.h,v 1.74 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: rdata.h,v 1.75 2009/10/08 23:13:07 marka Exp $ */

 #ifndef DNS_RDATA_H
 #define DNS_RDATA_H 1
@ -125,9 +125,27 @@ struct dns_rdata {

 #define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}

+#define DNS_RDATA_CHECKINITIALIZED
+#ifdef DNS_RDATA_CHECKINITIALIZED
+#define DNS_RDATA_INITIALIZED(rdata) \
+        ((rdata)->data == NULL && (rdata)->length == 0 && \
+         (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
+         !ISC_LINK_LINKED((rdata), link))
+#else   
+#ifdef ISC_LIST_CHECKINIT
+#define DNS_RDATA_INITIALIZED(rdata) \
+        (!ISC_LINK_LINKED((rdata), link))
+#else
+#define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
+#endif
+#endif
+
 #define DNS_RDATA_UPDATE	0x0001		/*%< update pseudo record. */
 #define DNS_RDATA_OFFLINE	0x0002		/*%< RRSIG has a offline key. */

+#define DNS_RDATA_VALIDFLAGS(rdata) \
+        (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
+
 /*
 * Flags affecting rdata formatting style.  Flags 0xFFFF0000
 * are used by masterfile-level formatting and defined elsewhere.
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zone.h,v 1.167 2009/10/05 19:39:20 each Exp $ */
+/* $Id: zone.h,v 1.168 2009/10/08 23:13:07 marka Exp $ */

 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@ -71,6 +71,7 @@ typedef enum {
 #define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U	/*%< try tcp refresh on udp failure */
 #define DNS_ZONEOPT_NOTIFYTOSOA	  0x02000000U	/*%< Notify the SOA MNAME */
 #define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U	/*%< nsec3-test-zone */
+#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< secure-to-insecure */

 #ifndef NOMINUM_PUBLIC
 /*
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: nsec3.c,v 1.8 2009/06/04 02:56:47 tbox Exp $ */
+/* $Id: nsec3.c,v 1.9 2009/10/08 23:13:06 marka Exp $ */

 #include <config.h>

@ -28,6 +28,7 @@
 #include <dst/dst.h>

 #include <dns/db.h>
+#include <dns/compress.h>
 #include <dns/dbiterator.h>
 #include <dns/diff.h>
 #include <dns/fixedname.h>
@ -457,7 +458,6 @@ delete(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 	return (result);
 }

-#ifndef RFC5155_STRICT
 static isc_boolean_t
 better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
 	dns_rdataset_t rdataset;
@ -472,7 +472,17 @@ better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset)) {
 		dns_rdata_t rdata =  DNS_RDATA_INIT;
-		dns_rdataset_current(&rdataset, &rdata);
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		if (rdataset.type != dns_rdatatype_nsec3param) {
+			dns_rdata_t tmprdata =  DNS_RDATA_INIT;
+			dns_rdataset_current(&rdataset, &tmprdata);
+			if (!dns_nsec3param_fromprivate(&tmprdata, &rdata,
+							buf, sizeof(buf)))
+				continue;
+		} else
+			dns_rdataset_current(&rdataset, &rdata);
+		
 		if (rdata.length != param->length)
 			continue;
 		if (rdata.data[0] != param->data[0] ||
@ -490,7 +500,6 @@ better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
 	dns_rdataset_disassociate(&rdataset);
 	return (ISC_FALSE);
 }
-#endif

 static isc_result_t
 find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
@ -913,18 +922,10 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
 		dns_rdata_t rdata = DNS_RDATA_INIT;

 		dns_rdataset_current(&rdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));

-#ifdef RFC5155_STRICT
 		if (nsec3param.flags != 0)
 			continue;
-#else
-		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
-			continue;
-		if (better_param(&rdataset, &rdata))
-			continue;
-#endif
-
 		/*
 		 * We have a active chain.  Update it.
 		 */
@ -943,6 +944,158 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
 	return (result);
 }

+isc_boolean_t
+dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
+			   unsigned char *buf, size_t buflen)
+{
+        dns_decompress_t dctx;
+        isc_result_t result;
+	isc_buffer_t buf1;
+	isc_buffer_t buf2;
+
+	/*
+	 * Algorithm 0 (reserved by RFC 4034) is used to identify
+	 * NSEC3PARAM records from DNSKEY pointers.
+	 */
+	if (src->length < 1 || src->data[0] != 0)
+		return (ISC_FALSE);
+
+	isc_buffer_init(&buf1, src->data + 1, src->length - 1);
+	isc_buffer_add(&buf1, src->length - 1);
+        isc_buffer_setactive(&buf1, src->length - 1);
+	isc_buffer_init(&buf2, buf, buflen);
+        dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+        result = dns_rdata_fromwire(target, src->rdclass,
+				    dns_rdatatype_nsec3param,
+				    &buf1, &dctx, 0, &buf2);
+        dns_decompress_invalidate(&dctx);
+
+        return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
+void
+dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
+			 dns_rdatatype_t privatetype, 
+			 unsigned char *buf, size_t buflen)
+{
+	REQUIRE(buflen >= src->length + 1);
+
+	REQUIRE(DNS_RDATA_INITIALIZED(target));
+
+	memcpy(buf + 1, src->data, src->length);
+	buf[0] = 0;
+	target->data = buf;
+	target->length = src->length + 1;
+	target->type = privatetype;
+	target->rdclass = src->rdclass;
+	target->flags = 0;
+	ISC_LINK_INIT(target, link);
+}
+
+isc_result_t
+dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+		     dns_name_t *name, dns_ttl_t nsecttl,
+		     isc_boolean_t unsecure, dns_rdatatype_t type,
+		     dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t prdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&prdataset);
+
+	/*
+	 * Find the NSEC3 parameters for this zone.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version, type, 0, 0,
+				     &prdataset, NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto failure;
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.flags != 0)
+			continue;
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+	if (!dns_rdataset_isassociated(&prdataset))
+		goto success;
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&prdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&prdataset)) {
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&prdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
+						buf, sizeof(buf)))
+			continue;
+		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
+
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+			continue;
+		if (better_param(&prdataset, &rdata2))
+			continue;
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result == ISC_R_NOMORE)
+ success:
+		result = ISC_R_SUCCESS;
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (dns_rdataset_isassociated(&prdataset))
+		dns_rdataset_disassociate(&prdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
 /*%
 * Determine whether any NSEC3 records that were associated with
 * 'name' should be deleted or if they should continue to exist.
@ -1241,6 +1394,13 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 isc_result_t
 dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		    dns_diff_t *diff)
+{
+	return (dns_nsec3_delnsec3sx(db, version, name, 0, diff));
+}
+
+isc_result_t
+dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		     dns_rdatatype_t type, dns_diff_t *diff)
 {
 	dns_dbnode_t *node = NULL;
 	dns_rdata_nsec3param_t nsec3param;
@ -1259,11 +1419,10 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 	result = dns_db_findrdataset(db, node, version,
 				     dns_rdatatype_nsec3param, 0, 0,
 				     &rdataset, NULL);
-	dns_db_detachnode(db, &node);
 	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
+		goto try_private;
 	if (result != ISC_R_SUCCESS)
-		return (result);
+		goto failure;

 	/*
 	 * Update each active NSEC3 chain.
@ -1274,17 +1433,46 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		dns_rdata_t rdata = DNS_RDATA_INIT;

 		dns_rdataset_current(&rdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));

-#ifdef RFC5155_STRICT
 		if (nsec3param.flags != 0)
 			continue;
-#else
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
+	}
+
+ try_private:
+	if (type == 0)
+		goto success;
+	result = dns_db_findrdataset(db, node, version, type, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Update each NSEC3 chain being built.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1,  &rdata2,
+						buf, sizeof(buf)))
+			continue;
+		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
+
 		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
 			continue;
-		if (better_param(&rdataset, &rdata))
+		if (better_param(&rdataset, &rdata2))
 			continue;
-#endif

 		/*
 		 * We have a active chain.  Update it.
@ -1292,6 +1480,7 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
 	}
 	if (result == ISC_R_NOMORE)
+ success:
 		result = ISC_R_SUCCESS;

 failure:
@ -1306,6 +1495,14 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 isc_result_t
 dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
 		 isc_boolean_t complete, isc_boolean_t *answer)
+{
+	return (dns_nsec3_activex(db, version, complete, 0, answer));
+}
+
+isc_result_t
+dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
+		  isc_boolean_t complete, dns_rdatatype_t type,
+		  isc_boolean_t *answer)
 {
 	dns_dbnode_t *node = NULL;
 	dns_rdataset_t rdataset;
@ -1323,14 +1520,14 @@ dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
 	result = dns_db_findrdataset(db, node, version,
 				     dns_rdatatype_nsec3param, 0, 0,
 				     &rdataset, NULL);
-	dns_db_detachnode(db, &node);

-	if (result == ISC_R_NOTFOUND) {
-		*answer = ISC_FALSE;
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS)
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
 		return (result);
+	}
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset)) {
@ -1340,17 +1537,61 @@ dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
 		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);

-		if ((nsec3param.flags) == 0 ||
-		    (!complete && CREATE(nsec3param.flags)))
+		if (nsec3param.flags == 0)
 			break;
 	}
 	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
 		*answer = ISC_TRUE;
+		return (ISC_R_SUCCESS);
+	}
+	if (result == ISC_R_NOMORE)
+		*answer = ISC_FALSE;
+
+ try_private:
+	if (type == 0 || complete) {
+		*answer = ISC_FALSE;
+		return (ISC_R_SUCCESS);
+	}
+	result = dns_db_findrdataset(db, node, version, type, 0, 0,
+				     &rdataset, NULL);
+
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND) {
+		*answer = ISC_FALSE;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
+						buf, sizeof(buf)))
+			continue;
+		result = dns_rdata_tostruct(&rdata2, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (!complete && CREATE(nsec3param.flags))
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*answer = ISC_TRUE;
+		result = ISC_R_SUCCESS;
+	}
 	if (result == ISC_R_NOMORE) {
 		*answer = ISC_FALSE;
 		result = ISC_R_SUCCESS;
 	}
+
 	return (result);
 }

--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: rbtdb.c,v 1.282 2009/10/06 21:20:45 each Exp $ */
+/* $Id: rbtdb.c,v 1.283 2009/10/08 23:13:06 marka Exp $ */

 /*! \file */

@ -613,8 +613,7 @@ static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log,
 		       isc_event_t *event);
 static void overmem(dns_db_t *db, isc_boolean_t overmem);
 #ifdef BIND9
-static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
-			       isc_boolean_t *nsec3createflag);
+static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version);
 #endif

 /*%
@ -1925,11 +1924,8 @@ iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
 #else
 	dns_rdataset_t keyset;
 	dns_rdataset_t nsecset, signsecset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_boolean_t haszonekey = ISC_FALSE;
 	isc_boolean_t hasnsec = ISC_FALSE;
-	isc_boolean_t hasoptbit = ISC_FALSE;
-	isc_boolean_t nsec3createflag = ISC_FALSE;
 	isc_result_t result;

 	dns_rdataset_init(&keyset);
@ -1961,29 +1957,18 @@ iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
 	if (result == ISC_R_SUCCESS) {
 		if (dns_rdataset_isassociated(&signsecset)) {
 			hasnsec = ISC_TRUE;
-			result = dns_rdataset_first(&nsecset);
-			if (result == ISC_R_SUCCESS) {
-				dns_rdataset_current(&nsecset, &rdata);
-				hasoptbit = dns_nsec_typepresent(&rdata,
-							     dns_rdatatype_opt);
-			}
 			dns_rdataset_disassociate(&signsecset);
 		}
 		dns_rdataset_disassociate(&nsecset);
 	}

-	setnsec3parameters(db, version, &nsec3createflag);
+	setnsec3parameters(db, version);

 	/*
 	 * Do we have a valid NSEC/NSEC3 chain?
 	 */
-	if (version->havensec3 || (hasnsec && !hasoptbit))
+	if (version->havensec3 || hasnsec)
 		version->secure = dns_db_secure;
-	/*
-	 * Do we have a NSEC/NSEC3 chain under creation?
-	 */
-	else if (hasoptbit || nsec3createflag)
-		version->secure = dns_db_partial;
 	else
 		version->secure = dns_db_insecure;
 #endif
@ -1995,9 +1980,7 @@ iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
 */
 #ifdef BIND9
 static void
-setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
-		   isc_boolean_t *nsec3createflag)
-{
+setnsec3parameters(dns_db_t *db, rbtdb_version_t *version) {
 	dns_rbtnode_t *node;
 	dns_rdata_nsec3param_t nsec3param;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
@ -2028,7 +2011,7 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
 		} while (header != NULL);

 		if (header != NULL &&
-		    header->type == dns_rdatatype_nsec3param) {
+		    (header->type == dns_rdatatype_nsec3param)) {
 			/*
 			 * Find A NSEC3PARAM with a supported algorithm.
 			 */
@ -2063,17 +2046,8 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
 				    !dns_nsec3_supportedhash(nsec3param.hash))
 					continue;

-#ifdef RFC5155_STRICT
 				if (nsec3param.flags != 0)
 					continue;
-#else
-				if ((nsec3param.flags & DNS_NSEC3FLAG_CREATE)
-				    != 0)
-					*nsec3createflag = ISC_TRUE;
-				if ((nsec3param.flags & ~DNS_NSEC3FLAG_OPTOUT)
-				    != 0)
-					continue;
-#endif

 				memcpy(version->salt, nsec3param.salt,
 				       nsec3param.salt_length);
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: rdata.c,v 1.202 2009/09/02 23:48:02 tbox Exp $ */
+/* $Id: rdata.c,v 1.203 2009/10/08 23:13:07 marka Exp $ */

 /*! \file */

@ -276,23 +276,6 @@ dns_rdata_init(dns_rdata_t *rdata) {
 	/* ISC_LIST_INIT(rdata->list); */
 }

-#if 1
-#define DNS_RDATA_INITIALIZED(rdata) \
-	((rdata)->data == NULL && (rdata)->length == 0 && \
-	 (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
-	 !ISC_LINK_LINKED((rdata), link))
-#else
-#ifdef ISC_LIST_CHECKINIT
-#define DNS_RDATA_INITIALIZED(rdata) \
-	(!ISC_LINK_LINKED((rdata), link))
-#else
-#define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
-#endif
-#endif
-
-#define DNS_RDATA_VALIDFLAGS(rdata) \
-	(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
-
 void
 dns_rdata_reset(dns_rdata_t *rdata) {

--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: sdb.c,v 1.70 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: sdb.c,v 1.71 2009/10/08 23:13:07 marka Exp $ */

 /*! \file */

@ -1260,7 +1260,7 @@ static dns_dbmethods_t sdb_methods = {
 	NULL,
 	NULL,
 	NULL,
-	NULL
+	NULL,
 };

 static isc_result_t
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@ -189,9 +189,9 @@ dns_dlzfindzone
 dns_dlzregister
 dns_dlzstrtoargv
 dns_dlzunregister
+dns_dnssec_findmatchingkeys
 dns_dnssec_findzonekeys
 dns_dnssec_findzonekeys2
-dns_dnssec_findmatchingkeys
 dns_dnssec_keyfromrdata
 dns_dnssec_selfsigns
 dns_dnssec_sign
@ -343,8 +343,8 @@ dns_name_equal
 dns_name_format
 dns_name_free
 dns_name_fromregion
-dns_name_fromtext
 dns_name_fromstring
+dns_name_fromtext
 dns_name_fromwire
 dns_name_fullcompare
 dns_name_getlabel
@ -373,16 +373,21 @@ dns_ncache_add
 dns_ncache_getrdataset
 dns_ncache_towire
 dns_nsec3_active
+dns_nsec3_activex
 dns_nsec3_addnsec3
 dns_nsec3_addnsec3s
+dns_nsec3_addnsec3sx
 dns_nsec3_buildrdata
 dns_nsec3_delnsec3
 dns_nsec3_delnsec3s
+dns_nsec3_delnsec3sx
 dns_nsec3_hashlength
 dns_nsec3_hashname
 dns_nsec3_maxiterations
 dns_nsec3_supportedhash
 dns_nsec3_typepresent
+dns_nsec3param_fromprivate
+dns_nsec3param_toprivate
 dns_nsec_build
 dns_nsec_buildrdata
 dns_nsec_nseconly
@ -431,6 +436,7 @@ dns_peerlist_peerbyaddr
 dns_portlist_add
 dns_portlist_create
 dns_portlist_detach
+dns_private_chains
 dns_rbt_addname
 dns_rbt_addnode
 dns_rbt_create
@ -574,8 +580,8 @@ dns_result_torcode
 dns_result_totext
 dns_rootns_create
 dns_rriterator_current
-dns_rriterator_first
 dns_rriterator_destroy
+dns_rriterator_first
 dns_rriterator_init
 dns_rriterator_next
 dns_rriterator_nextrrset
--- a/lib/dns/win32/libdns.dsp
+++ b/lib/dns/win32/libdns.dsp
@ -266,6 +266,10 @@ SOURCE=..\include\dns\portlist.h
 # End Source File
 # Begin Source File

+SOURCE=..\include\dns\private.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\include\dns\rbt.h
 # End Source File
 # Begin Source File
@ -562,6 +566,10 @@ SOURCE=..\portlist.c
 # End Source File
 # Begin Source File

+SOURCE=..\private.c
+# End Source File
+# Begin Source File
+
 SOURCE=..\rbt.c
 # End Source File
 # Begin Source File
--- a/lib/dns/win32/libdns.mak
+++ b/lib/dns/win32/libdns.mak
@ -166,6 +166,7 @@ CLEAN :
 	-@erase "$(INTDIR)\order.obj"
 	-@erase "$(INTDIR)\peer.obj"
 	-@erase "$(INTDIR)\portlist.obj"
+	-@erase "$(INTDIR)\private.obj"
 	-@erase "$(INTDIR)\rbt.obj"
 	-@erase "$(INTDIR)\rbtdb.obj"
 	-@erase "$(INTDIR)\rbtdb64.obj"
@ -285,6 +286,7 @@ LINK32_OBJS= \
 	"$(INTDIR)\order.obj" \
 	"$(INTDIR)\peer.obj" \
 	"$(INTDIR)\portlist.obj" \
+	"$(INTDIR)\private.obj" \
 	"$(INTDIR)\rbt.obj" \
 	"$(INTDIR)\rbtdb.obj" \
 	"$(INTDIR)\rbtdb64.obj" \
@ -455,6 +457,8 @@ CLEAN :
 	-@erase "$(INTDIR)\peer.sbr"
 	-@erase "$(INTDIR)\portlist.obj"
 	-@erase "$(INTDIR)\portlist.sbr"
+	-@erase "$(INTDIR)\private.obj"
+	-@erase "$(INTDIR)\private.sbr"
 	-@erase "$(INTDIR)\rbt.obj"
 	-@erase "$(INTDIR)\rbt.sbr"
 	-@erase "$(INTDIR)\rbtdb.obj"
@ -606,6 +610,7 @@ BSC32_SBRS= \
 	"$(INTDIR)\order.sbr" \
 	"$(INTDIR)\peer.sbr" \
 	"$(INTDIR)\portlist.sbr" \
+	"$(INTDIR)\private.sbr" \
 	"$(INTDIR)\rbt.sbr" \
 	"$(INTDIR)\rbtdb.sbr" \
 	"$(INTDIR)\rbtdb64.sbr" \
@ -696,6 +701,7 @@ LINK32_OBJS= \
 	"$(INTDIR)\order.obj" \
 	"$(INTDIR)\peer.obj" \
 	"$(INTDIR)\portlist.obj" \
+	"$(INTDIR)\private.obj" \
 	"$(INTDIR)\rbt.obj" \
 	"$(INTDIR)\rbtdb.obj" \
 	"$(INTDIR)\rbtdb64.obj" \
@ -1375,6 +1381,25 @@ SOURCE=..\portlist.c
 	$(CPP) $(CPP_PROJ) $(SOURCE)


+!ENDIF 
+
+
+SOURCE=..\private.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\private.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\private.obj"	"$(INTDIR)\portlist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
 !ENDIF 

 SOURCE=..\rbt.c
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: namedconf.c,v 1.105 2009/09/02 16:10:03 each Exp $ */
+/* $Id: namedconf.c,v 1.106 2009/10/08 23:13:07 marka Exp $ */

 /*! \file */

@ -1135,6 +1135,7 @@ zone_clauses[] = {
 	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
 	{ "notify-to-soa", &cfg_type_boolean, 0 },
 	{ "nsec3-test-zone", &cfg_type_boolean, CFG_CLAUSEFLAG_TESTONLY },
+	{ "secure-to-insecure", &cfg_type_boolean, 0 },
 	{ "sig-signing-nodes", &cfg_type_uint32, 0 },
 	{ "sig-signing-signatures", &cfg_type_uint32, 0 },
 	{ "sig-signing-type", &cfg_type_uint32, 0 },