diff --git a/bin/named/config.c b/bin/named/config.c index ec8e1a9ecd..c5e70b95aa 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.84 2008/01/22 23:28:04 tbox Exp $ */ +/* $Id: config.c,v 1.85 2008/04/02 02:37:41 marka Exp $ */ /*! \file */ @@ -172,6 +172,9 @@ options {\n\ min-refresh-time 300;\n\ multi-master no;\n\ sig-validity-interval 30; /* days */\n\ + sig-signing-nodes 100;\n\ + sig-signing-signatures 10;\n\ + sig-signing-type 65535;\n\ zone-statistics false;\n\ max-journal-size unlimited;\n\ ixfr-from-differences false;\n\ diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index 45f9cc9d69..51b0ac157b 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + Aug 13, 2004 @@ -316,7 +316,12 @@ options { max-refresh-time integer; min-refresh-time integer; multi-master boolean; + sig-validity-interval integer; + sig-re-signing-interval integer; + sig-signing-nodes integer; + sig-signing-signatures integer; + sig-signing-type integer; transfer-source ( ipv4_address | * ) port ( integer | * ) ; diff --git a/bin/named/update.c b/bin/named/update.c index 1b3362e64c..4d06542931 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.144 2008/04/01 23:47:10 tbox Exp $ */ +/* $Id: update.c,v 1.145 2008/04/02 02:37:41 marka Exp $ */ #include @@ -322,6 +322,7 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, * Create a singleton diff. */ dns_diff_init(diff->mctx, &temp_diff); + temp_diff.resign = diff->resign; ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); /* 
@@ -1842,8 +1843,6 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_rdata_rrsig_t rrsig; isc_boolean_t found; -fprintf(stderr, "del_keysigs\n"); - dns_rdataset_init(&rdataset); result = dns_db_findnode(db, name, ISC_FALSE, &node); @@ -1944,6 +1943,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, dns_diff_init(client->mctx, &affected); dns_diff_init(client->mctx, &sig_diff); + sig_diff.resign = dns_zone_getsigresigninginterval(zone); dns_diff_init(client->mctx, &nsec_diff); dns_diff_init(client->mctx, &nsec_mindiff); @@ -2037,7 +2037,6 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, * Special case changes to the zone's DNSKEY records * to support offline KSKs. */ -fprintf(stderr, "delete signatures %u\n", type); if (type == dns_rdatatype_dnskey) del_keysigs(db, newver, name, &sig_diff, zone_keys, nkeys); @@ -2547,7 +2546,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone, static isc_result_t add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver, - dns_diff_t *diff) + dns_rdatatype_t privatetype, dns_diff_t *diff) { isc_result_t result = ISC_R_SUCCESS; dns_difftuple_t *tuple, *newtuple = NULL; @@ -2579,7 +2578,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver, buf[3] = 0; rdata.data = buf; rdata.length = sizeof(buf); - rdata.type = 0xFFFF; /* XXXMPA make user settable */ + rdata.type = privatetype; rdata.rdclass = tuple->rdata.rdclass; CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 
@@ -2812,18 +2811,17 @@ update_action(isc_task_t *task, isc_event_t *event) { * "Unlike traditional dynamic update, the client * is forbidden from updating NSEC records." */ - if (dns_db_isdnssec(db)) { + if (dns_db_issecure(db)) { if (rdata.type == dns_rdatatype_nsec) { FAILC(DNS_R_REFUSED, "explicit NSEC updates are not allowed " "in secure zones"); - } - else if (rdata.type == dns_rdatatype_rrsig && - !dns_name_equal(name, zonename)) { + } else if (rdata.type == dns_rdatatype_rrsig && + !dns_name_equal(name, zonename)) { FAILC(DNS_R_REFUSED, "explicit RRSIG updates are currently " "not supported in secure zones except " - "at the apex."); + "at the apex"); } } @@ -3113,7 +3111,9 @@ update_action(isc_task_t *task, isc_event_t *event) { CHECK(remove_orphaned_ds(db, ver, &diff)); - CHECK(add_signing_records(db, zonename, ver, &diff)); + CHECK(add_signing_records(db, zonename, ver, + dns_zone_getprivatetype(zone), + &diff)); CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey, 0, &has_dnskey)); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 3f1a13d6d0..db16b50040 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.142 2008/01/18 23:46:57 tbox Exp $ */ +/* $Id: zoneconf.c,v 1.143 2008/04/02 02:37:41 marka Exp $ */ /*% */ @@ -365,6 +365,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE; isc_boolean_t ixfrdiff; dns_masterformat_t masterformat; + int seconds; i = 0; if (zconfig != NULL) { 
@@ -665,8 +666,26 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, obj = NULL; result = ns_config_get(maps, "sig-validity-interval", &obj); INSIST(result == ISC_R_SUCCESS); - dns_zone_setsigvalidityinterval(zone, - cfg_obj_asuint32(obj) * 86400); + { + const cfg_obj_t *validity, *resign; + + validity = cfg_tuple_get(obj, "validity"); + seconds = cfg_obj_asuint32(validity) * 86400; + dns_zone_setsigvalidityinterval(zone, seconds); + + resign = cfg_tuple_get(obj, "re-sign"); + if (cfg_obj_isvoid(resign)) { + seconds /= 4; + } else { + if (seconds > 7 * 86400) + seconds = cfg_obj_asuint32(resign) * + 86400; + else + seconds = cfg_obj_asuint32(resign) * + 3600; + } + dns_zone_setsigresigninginterval(zone, seconds); + } obj = NULL; result = ns_config_get(maps, "key-directory", &obj); 
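Review bot: `seconds` is declared `int` (previous hunk) but receives `cfg_obj_asuint32(validity) * 86400`, an unsigned product that is then passed to setters taking `isc_uint32_t`; it stays representable only because check.c caps validity at 3660 days, so declaring it `isc_uint32_t seconds;` removes the signed round trip and the dependence on that external bound. The `seconds > 7 * 86400` test silently switches the re-sign field from days to hours, mirroring the `validity > 7` rule in check.c; a comment such as `/* re-sign is in days when validity exceeds 7 days, hours otherwise; must match check.c */` would keep the two in step. ns_zone_configure continues outside the hunk.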
@@ -681,6 +700,39 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, RETERR(dns_zone_setkeydirectory(zone, filename)); } + obj = NULL; + result = ns_config_get(maps, "sig-signing-signatures", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setsignatures(zone, cfg_obj_asuint32(obj)); + + obj = NULL; + result = ns_config_get(maps, "sig-signing-nodes", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setnodes(zone, cfg_obj_asuint32(obj)); + + obj = NULL; + result = ns_config_get(maps, "sig-signing-type", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj)); + + obj = NULL; + result = ns_config_get(maps, "update-check-ksk", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, + cfg_obj_asboolean(obj)); + + } else if (ztype == dns_zone_slave) { + RETERR(configure_zone_acl(zconfig, vconfig, config, + "allow-update-forwarding", ac, zone, + dns_zone_setforwardacl, + dns_zone_clearforwardacl)); + } + + + /*% + * Primary master functionality. + */ + if (ztype == dns_zone_master) { obj = NULL; result = ns_config_get(maps, "check-wildcard", &obj); if (result == ISC_R_SUCCESS) 
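Review bot: Two consecutive blank lines precede the `Primary master functionality` comment that re-opens `if (ztype == dns_zone_master)`; one is enough. The block just above it (`sig-signing-*`, `update-check-ksk`) is itself master-only, so a reader may wonder why the slave `allow-update-forwarding` branch splits the two master sections; either merge the two master blocks or extend the comment to say why they are separate. ns_zone_configure continues outside the hunk.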
@@ -739,59 +791,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, INSIST(0); dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn); dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore); - - obj = NULL; - result = ns_config_get(maps, "update-check-ksk", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, - cfg_obj_asboolean(obj)); - } - - /* - * Configure update-related options. These apply to - * primary masters only. - */ - if (ztype == dns_zone_master) { - dns_acl_t *updateacl; - RETERR(configure_zone_acl(zconfig, vconfig, config, - "allow-update", ac, zone, - dns_zone_setupdateacl, - dns_zone_clearupdateacl)); - - updateacl = dns_zone_getupdateacl(zone); - if (updateacl != NULL && dns_acl_isinsecure(updateacl)) - isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY, - NS_LOGMODULE_SERVER, ISC_LOG_WARNING, - "zone '%s' allows updates by IP " - "address, which is insecure", - zname); - - RETERR(configure_zone_ssutable(zoptions, zone)); - - obj = NULL; - result = ns_config_get(maps, "sig-validity-interval", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_zone_setsigvalidityinterval(zone, - cfg_obj_asuint32(obj) * 86400); - - obj = NULL; - result = ns_config_get(maps, "key-directory", &obj); - if (result == ISC_R_SUCCESS) { - filename = cfg_obj_asstring(obj); - if (!isc_file_isabsolute(filename)) { - cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, - "key-directory '%s' " - "is not absolute", filename); - return (ISC_R_FAILURE); - } - RETERR(dns_zone_setkeydirectory(zone, filename)); - } - - } else if (ztype == dns_zone_slave) { - RETERR(configure_zone_acl(zconfig, vconfig, config, - "allow-update-forwarding", ac, zone, - dns_zone_setforwardacl, - dns_zone_clearforwardacl)); } /* diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 3779ccc123..b7b4dec5e2 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsupdate.c,v 1.158 2008/04/01 01:37:24 marka Exp $ */ +/* $Id: nsupdate.c,v 1.159 2008/04/02 02:37:41 marka Exp $ */ /*! \file */ @@ -1126,8 +1126,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) { result = dns_message_gettemprdata(updatemsg, &rdata); check_result(result, "dns_message_gettemprdata"); - rdata->data = NULL; - rdata->length = 0; + dns_rdata_init(rdata); if (isrrset && ispositive) { retval = parse_rdata(&cmdline, rdataclass, rdatatype, @@ -1446,10 +1445,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) { result = dns_message_gettemprdata(updatemsg, &rdata); check_result(result, "dns_message_gettemprdata"); - rdata->rdclass = 0; - rdata->type = 0; - rdata->data = NULL; - rdata->length = 0; + dns_rdata_init(rdata); /* * If this is an add, read the TTL and verify that it's in range. diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c index bfab9ade72..534e9992c0 100644 --- a/bin/tests/system/lwresd/lwtest.c +++ b/bin/tests/system/lwresd/lwtest.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwtest.c,v 1.31 2008/01/14 23:46:56 tbox Exp $ */ +/* $Id: lwtest.c,v 1.32 2008/04/02 02:37:42 marka Exp $ */ #include @@ -764,7 +764,7 @@ main(void) { test_getrrsetbyname("a.example1.", 1, 1, 1, 0, 1); test_getrrsetbyname("e.example1.", 1, 1, 1, 1, 1); test_getrrsetbyname("e.example1.", 1, 255, 1, 1, 0); - test_getrrsetbyname("e.example1.", 1, 46, 1, 0, 1); + test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); test_getrrsetbyname("", 1, 1, 0, 0, 0); if (fails == 0) diff --git a/bin/tests/system/lwresd/ns1/e.example1.db b/bin/tests/system/lwresd/ns1/e.example1.db new file mode 100644 index 0000000000..2d9587c4e9 --- /dev/null +++ b/bin/tests/system/lwresd/ns1/e.example1.db 
@@ -0,0 +1,54 @@ +; File written on Wed Mar 5 10:20:40 2008 +; dnssec_signzone version 9.3.4-P1 +e.example1. 300 IN SOA mname1. . ( + 2002082210 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + 300 RRSIG SOA 5 2 300 20010101000000 ( + 20000101000000 14043 e.example1. + KtYwrnKM7Tu53BNf8XuTix53r9kDdCneJ1X7 + xklFbp4YjRKC3NhwVK9PFe0jdHOkIDMtrwxn + n7/Rp07xIyURqw== ) + 300 NS ns.e.example1. + 300 RRSIG NS 5 2 300 20010101000000 ( + 20000101000000 14043 e.example1. + KBPx3XmNl4swVPdwuUEFuzZedMSfsyK2a0Fu + o2wBnbCuS7G7DtfW9690lP/eTyixLOIwlFLQ + MrjN3+XgpkdgIw== ) + 300 A 10.0.1.1 + 300 RRSIG A 5 2 300 20010101000000 ( + 20000101000000 14043 e.example1. + KYlxMQUvv8DQtVgS23lNL5tFYmRppJ7vTgH3 + btvgKbyHxW/04ewRsgCa82iu3iJipdEhKM11 + ALkRNhqL7frnig== ) + 3600 NSEC ns.e.example1. A NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 5 2 3600 20010101000000 ( + 20000101000000 14043 e.example1. + azSgagb7bldM06qSZg8nDZWOY2FbqeZY0/T8 + nC+6VhCs7YTfNvXynLWmvmpqL7gVT6/O+Yi2 + 2lmdntld7GORrQ== ) + 300 DNSKEY 256 3 5 ( + AwEAAcvAUMfH7wA0z077fJaF7RMrxAFyvo0/ + 7aAL4d2/yA5TqTaUCVnJtE+XgGO34kH9mwae + we+Nyv2kRWDeLl6nhGk= + ) ; key id = 14043 + 300 RRSIG DNSKEY 5 2 300 20010101000000 ( + 20000101000000 14043 e.example1. + BQFWOHopXuBNdzcopkdl1YVKGF0QvIaYpywM + fcpG5gi+sy9EoTofQ1UGsLOjU3nFXCvJFG4K + 1gUhzEEti440/g== ) +ns.e.example1. 300 IN A 10.53.0.1 + 300 RRSIG A 5 3 300 20010101000000 ( + 20000101000000 14043 e.example1. + cYPzsWNQ/eL4h2lihKRjKT2jhGpOqV9woGJA + /Jstx2iethOAvYtgY22CsAbCUr/6E4bSgBZR + TMoC604cNdFzIw== ) + 3600 NSEC e.example1. A RRSIG NSEC + 3600 RRSIG NSEC 5 3 3600 20010101000000 ( + 20000101000000 14043 e.example1. + J8Md544zDLP4GjyAtkjH/rSFvpzXY/7bgJRS + YDoARwFQRmlrJvavXEjqElb2fTQqlNNz1cal + QROz/WJ3GLwOWw== ) diff --git a/bin/tests/system/lwresd/ns1/example1.db b/bin/tests/system/lwresd/ns1/example1.db index 5a24410fbc..df9de1afc4 100644 --- a/bin/tests/system/lwresd/ns1/example1.db 
+++ b/bin/tests/system/lwresd/ns1/example1.db @@ -13,7 +13,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: example1.db,v 1.17 2007/06/19 23:47:04 tbox Exp $ +; $Id: example1.db,v 1.18 2008/04/02 02:37:42 marka Exp $ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( @@ -32,7 +32,4 @@ a3 CNAME nowhere b AAAA eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff 8.8.7.7 DNAME net 0.0.f.f.e.e.d.d.c.c.b.b.a.a.9.9.net PTR dname -e A 10.0.1.1 - RRSIG A 1 1 300 20001202003412 ( - 20001102003412 1 example. abcd ) - +e NS ns.e diff --git a/bin/tests/system/lwresd/ns1/named.conf b/bin/tests/system/lwresd/ns1/named.conf index 54a272efdd..2e1f305fa4 100644 --- a/bin/tests/system/lwresd/ns1/named.conf +++ b/bin/tests/system/lwresd/ns1/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.19 2007/06/19 23:47:04 tbox Exp $ */ +/* $Id: named.conf,v 1.20 2008/04/02 02:37:42 marka Exp $ */ controls { /* empty */ }; @@ -43,6 +43,11 @@ zone "example1." { file "example1.db"; }; +zone "e.example1." { + type master; + file "e.example1.db"; +}; + zone "example2." { type master; file "example2.db"; diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 793c5de09e..9aa72c440f 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -4553,6 +4553,10 @@ category notify { null; }; max-ncache-ttl number; max-cache-ttl number; sig-validity-interval number ; + sig-re-signing-interval number ; + sig-signing-nodes number ; + sig-signing-signatures number ; + sig-signing-type number ; min-roots number; use-ixfr yes_or_no ; provide-ixfr yes_or_no; 
@@ -7256,22 +7260,76 @@ query-source-v6 address * port *; - - sig-validity-interval - - - Specifies the number of days into the - future when DNSSEC signatures automatically generated as a - result - of dynamic updates () - will expire. The default is 30 days. - The maximum value is 10 years (3660 days). The signature - inception time is unconditionally set to one hour before the - current time - to allow for a limited amount of clock skew. - - - + + sig-validity-interval + + + Specifies the number of days into the future when + DNSSEC signatures automatically generated as a + result of dynamic updates () will expire. There + is a optional second field which specifies how + long before expiry that the signatures will be + regenerated. If not specified the signatures will + be regenerated at 1/4 of base interval. The second + field is specified in days if the base interval is + greater than 7 days otherwise it is specified in hours. + The default base interval is 30 days + giving a re-signing interval of 7 1/2 days . The maximum + values are 10 years (3660 days). + + + The signature inception time is unconditionally + set to one hour before the current time to allow + for a limited amount of clock skew. + + + The sig-validity-interval + should be, at least, several multiples of the SOA + expire interval to allow for reasonable interaction + between the various timer and expiry dates. + + + + + + sig-signing-nodes + + + Specify the number of maximum number nodes to be + examined in each quantum when signing a zone with + a new DNSKEY. The default is + 100. + + + + + + sig-signing-signatures + + + Specify a threshold number of signatures that + will terminate processing a quantum when signing + a zone with a new DNSKEY. The default is + 10. + + + + + + sig-signing-type + + + Specify a private rdata type to be used when generating + key signing records. The default is + 65535. 
+ + + It is expected that this parameter may be removed + in a future version once there is a standard type. + + + min-refresh-time @@ -8384,6 +8442,10 @@ view "external" { notify-source-v6 (ip6_addr | *) port ip_port ; zone-statistics yes_or_no ; sig-validity-interval number ; + sig-re-signing-interval number ; + sig-signing-nodes number ; + sig-signing-signatures number ; + sig-signing-type number ; database string ; min-refresh-time number ; max-refresh-time number ; @@ -9131,6 +9193,46 @@ zone zone_name class + + sig-re-signing-interval + + + See the description of + sig-re-signing-interval in . + + + + + + sig-signing-nodes + + + See the description of + sig-signing-nodes in . + + + + + + sig-signing-signatures + + + See the description of + sig-signing-signatures in . + + + + + + sig-signing-type + + + See the description of + sig-signing-type in . + + + + transfer-source diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 3d880d222c..3422f92cb4 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.90 2008/04/01 01:37:24 marka Exp $ */ +/* $Id: check.c,v 1.91 2008/04/02 02:37:42 marka Exp $ */ /*! \file */ @@ -508,6 +508,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { isc_result_t tresult; unsigned int i; const cfg_obj_t *obj = NULL; + const cfg_obj_t *resignobj = NULL; const cfg_listelt_t *element; isc_symtab_t *symtab = NULL; dns_fixedname_t fixed; @@ -523,7 +524,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { { "max-transfer-idle-out", 60, 28 * 24 * 60 }, /* 28 days */ { "max-transfer-time-in", 60, 28 * 24 * 60 }, /* 28 days */ { "max-transfer-time-out", 60, 28 * 24 * 60 }, /* 28 days */ - { "sig-validity-interval", 86400, 10 * 366 }, /* 10 years */ { "statistics-interval", 60, 28 * 24 * 60 }, /* 28 days */ }; 
@@ -551,6 +551,43 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { result = ISC_R_RANGE; } } + + obj = NULL; + cfg_map_get(options, "sig-validity-interval", &obj); + if (obj != NULL) { + isc_uint32_t validity, resign = 0; + + validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity")); + resignobj = cfg_tuple_get(obj, "re-sign"); + if (!cfg_obj_isvoid(resignobj)) + resign = cfg_obj_asuint32(resignobj); + + if (validity > 3660 || validity == 0) { /* 10 years */ + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "%s '%u' is out of range (1..3660)", + "sig-validity-interval", validity); + result = ISC_R_RANGE; + } + + if (!cfg_obj_isvoid(resignobj)) { + if (resign > 3660 || resign == 0) { /* 10 years */ + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "%s '%u' is out of range (1..3660)", + "sig-validity-interval (re-sign)", + validity); + result = ISC_R_RANGE; + } else if ((validity > 7 && validity < resign) || + (validity <= 7 && validity * 24 < resign)) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "validity interval (%u days) " + "less than re-signing interval " + "(%u %s)", validity, resign, + (validity > 7) ? "days" : "hours"); + result = ISC_R_RANGE; + } + } + } + obj = NULL; (void)cfg_map_get(options, "preferred-glue", &obj); if (obj != NULL) { @@ -563,6 +600,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { "preferred-glue unexpected value '%s'", str); } + obj = NULL; (void)cfg_map_get(options, "root-delegation-only", &obj); if (obj != NULL) { @@ -654,7 +692,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS) result = tresult; - goto trust_anchor; } /* * XXXMPA to be removed when multiple lookaside 
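Review bot: The out-of-range message for the re-sign field logs the wrong value: the `cfg_obj_log` call under `if (resign > 3660 || resign == 0)` passes `validity` as the `%u` argument, so the operator sees the validity figure labelled as the re-sign interval; the last argument should be `resign);`. The bare `cfg_map_get(options, "sig-validity-interval", &obj);` also drops the `(void)` cast that the neighbouring `preferred-glue` and `root-delegation-only` lookups use. `resignobj` is referenced only inside this block, so it could be declared here rather than at function scope (previous hunk). check_options continues outside the hunk.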
@@ -667,7 +704,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { if (result == ISC_R_SUCCESS) result = ISC_R_FAILURE; } - trust_anchor: dlv = cfg_obj_asstring(cfg_tuple_get(obj, "trust-anchor")); isc_buffer_init(&b, dlv, strlen(dlv)); @@ -1018,6 +1054,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, { "max-refresh-time", SLAVEZONE | STUBZONE }, { "min-refresh-time", SLAVEZONE | STUBZONE }, { "sig-validity-interval", MASTERZONE }, + { "sig-re-signing-interval", MASTERZONE }, + { "sig-signing-nodes", MASTERZONE }, + { "sig-signing-type", MASTERZONE }, + { "sig-signing-signatures", MASTERZONE }, { "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE }, { "allow-update", MASTERZONE | CHECKACL }, { "allow-update-forwarding", SLAVEZONE | CHECKACL }, @@ -1208,6 +1248,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, } else if (res2 == ISC_R_SUCCESS && check_update_policy(obj, logctx) != ISC_R_SUCCESS) result = ISC_R_FAILURE; + obj = NULL; + res1 = cfg_map_get(zoptions, "sig-signing-type", &obj); + if (res1 == ISC_R_SUCCESS) { + isc_uint32_t type = cfg_obj_asuint32(obj); + if (type < 0xff00U || type > 0xffffU) + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "sig-signing-type: %u out of " + "range [%u..%u]", type, + 0xff00U, 0xffffU); + result = ISC_R_FAILURE; + } } /* diff --git a/lib/dns/diff.c b/lib/dns/diff.c index 2e84f9c98e..af90e953f0 100644 --- a/lib/dns/diff.c +++ b/lib/dns/diff.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: diff.c,v 1.16 2008/04/01 23:47:10 tbox Exp $ */ +/* $Id: diff.c,v 1.17 2008/04/02 02:37:42 marka Exp $ */ /*! \file */ @@ -121,6 +121,7 @@ dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp) { void dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff) { diff->mctx = mctx; + diff->resign = 0; ISC_LIST_INIT(diff->tuples); diff->magic = DNS_DIFF_MAGIC; } 
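Review bot: In the new `sig-signing-type` check in check_zoneconf, `result = ISC_R_FAILURE;` follows the unbraced `if (type < 0xff00U || type > 0xffffU)`, so it runs unconditionally and every zone that sets `sig-signing-type` — even to the in-range default 65535 — fails the configuration check; wrap the `cfg_obj_log` call and the assignment together in braces so only the out-of-range case sets `result`. The option table a few lines earlier also gains `sig-re-signing-interval`, while the zoneconf.c hunks read the re-sign value from the second field of the `sig-validity-interval` tuple rather than from an option of that name; worth confirming the grammar defines it, otherwise the table entry is dead. check_zoneconf continues outside the hunk.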
@@ -194,23 +195,20 @@ dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep) } static isc_stdtime_t -setresign(dns_rdataset_t *modified, dns_diffop_t op) { +setresign(dns_rdataset_t *modified, isc_uint32_t delta) { dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_rrsig_t sig; isc_stdtime_t when; - unsigned int delta; isc_result_t result; result = dns_rdataset_first(modified); INSIST(result == ISC_R_SUCCESS); dns_rdataset_current(modified, &rdata); (void)dns_rdata_tostruct(&rdata, &sig, NULL); - if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) { + if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) when = 0; - } else { - delta = (sig.timeexpire - sig.timesigned) * 3 / 4; - when = sig.timesigned + delta; - } + else + when = sig.timeexpire - delta; dns_rdata_reset(&rdata); result = dns_rdataset_next(modified); @@ -220,22 +218,13 @@ setresign(dns_rdataset_t *modified, dns_diffop_t op) { if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) { goto next_rr; } - delta = (sig.timeexpire - sig.timesigned)* 3 / 4; - switch (op) { - case DNS_DIFFOP_ADDRESIGN: - case DNS_DIFFOP_DELRESIGN: - if (when == 0 || sig.timesigned + delta < when) - when = sig.timesigned + delta; - break; - default: - INSIST(0); - } + if (when == 0 || sig.timeexpire - delta < when) + when = sig.timeexpire - delta; next_rr: dns_rdata_reset(&rdata); result = dns_rdataset_next(modified); } INSIST(result == ISC_R_NOMORE); -fprintf(stderr, "setresign %u %u\n", modified->covers, when); return (when); } @@ -327,10 +316,8 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, namebuf, typebuf, classbuf, (unsigned long) t->ttl, (unsigned long) rdl.ttl); - if (t->rdata.flags &DNS_RDATA_OFFLINE) { - fprintf(stderr, "diff_apply offline\n"); + if (t->rdata.flags & DNS_RDATA_OFFLINE) offline = ISC_TRUE; - } ISC_LIST_APPEND(rdl.rdata, &t->rdata, link); t = ISC_LIST_NEXT(t, link); } 
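Review bot: With `delta` now taken from `diff->resign`, a diff whose `resign` field is left at the `dns_diff_init` default of 0 makes `setresign` return `sig.timeexpire` itself, i.e. the RRset is scheduled for re-signing only once its signatures have already expired, where the removed code used 3/4 of the validity period regardless of caller. In this diff only update.c sets `resign`, so any other path applying DNS_DIFFOP_*RESIGN tuples through an untouched diff silently gets the at-expiry behaviour; either fall back per RRSIG when `delta == 0`, e.g. `isc_uint32_t d = (delta != 0) ? delta : (sig.timeexpire - sig.timesigned) / 4;` before each `when` computation (both hunks on this line), or state in diff.h that 0 means "at expiry". `sig.timeexpire - delta` is also unsigned arithmetic on an existing RRSIG whose own validity may be shorter than the configured interval, in which case `when` lands before `timesigned` and the RRset is due immediately; a one-line comment saying that is intended would help.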
@@ -379,7 +366,8 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, if (result == ISC_R_SUCCESS) { if (modified != NULL) { isc_stdtime_t resign; - resign = setresign(modified, op); + resign = setresign(modified, + diff->resign); dns_db_setsigningtime(db, modified, resign); } @@ -409,8 +397,6 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, if (modified != NULL && dns_rdataset_isassociated(modified)) dns_rdataset_disassociate(modified); - if (offline) - fprintf(stderr, "end offline\n"); } dns_db_detachnode(db, &node); } diff --git a/lib/dns/include/dns/diff.h b/lib/dns/include/dns/diff.h index db6ab1ecb6..a60343e461 100644 --- a/lib/dns/include/dns/diff.h +++ b/lib/dns/include/dns/diff.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: diff.h,v 1.14 2008/04/01 23:47:10 tbox Exp $ */ +/* $Id: diff.h,v 1.15 2008/04/02 02:37:42 marka Exp $ */ #ifndef DNS_DIFF_H #define DNS_DIFF_H 1 @@ -60,7 +60,9 @@ * prerequisite set. In this case, op==DNS_DIFFOP_EXISTS, * and the TTL is ignored. * - * DNS_DIFFOP_*RESIGN will cause the 'resign' attribute to be recomputed. + * DNS_DIFFOP_*RESIGN will cause the 'resign' attribute of the resulting + * RRset to be recomputed to be 'resign' seconds before the earliest RRSIG + * timeexpire. */ typedef enum { @@ -100,6 +102,11 @@ typedef struct dns_diff dns_diff_t; struct dns_diff { unsigned int magic; isc_mem_t * mctx; + /* + * Set the 'resign' attribute to this many second before the + * earliest RRSIG timeexpire. + */ + isc_uint32_t resign; ISC_LIST(dns_difftuple_t) tuples; }; diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h index e5e24c3352..93a782d82c 100644 --- a/lib/dns/include/dns/master.h +++ b/lib/dns/include/dns/master.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: master.h,v 1.50 2008/04/01 23:47:10 tbox Exp $ */ +/* $Id: master.h,v 1.51 2008/04/02 02:37:42 marka Exp $ */ #ifndef DNS_MASTER_H #define DNS_MASTER_H 1 
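Review bot: The new `resign` field comment in diff.h reads `this many second before`, which should be `seconds`. The DNS_DIFFOP_*RESIGN paragraph above it also does not say what the `dns_diff_init` default of 0 means; per the setresign change in diff.c it resolves to the earliest RRSIG `timeexpire` itself, so a sentence such as `A value of 0 schedules re-signing at the earliest timeexpire.` would make the contract explicit for callers that never set the field.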
@@ -114,6 +114,17 @@ dns_master_loadfile2(const char *master_file, isc_mem_t *mctx, dns_masterformat_t format); +isc_result_t +dns_master_loadfile3(const char *master_file, + dns_name_t *top, + dns_name_t *origin, + dns_rdataclass_t zclass, + unsigned int options, + isc_uint32_t resign, + dns_rdatacallbacks_t *callbacks, + isc_mem_t *mctx, + dns_masterformat_t format); + isc_result_t dns_master_loadstream(FILE *stream, dns_name_t *top, @@ -164,6 +175,19 @@ dns_master_loadfileinc2(const char *master_file, dns_loadctx_t **ctxp, isc_mem_t *mctx, dns_masterformat_t format); +isc_result_t +dns_master_loadfileinc3(const char *master_file, + dns_name_t *top, + dns_name_t *origin, + dns_rdataclass_t zclass, + unsigned int options, + isc_uint32_t resign, + dns_rdatacallbacks_t *callbacks, + isc_task_t *task, + dns_loaddonefunc_t done, void *done_arg, + dns_loadctx_t **ctxp, isc_mem_t *mctx, + dns_masterformat_t format); + isc_result_t dns_master_loadstreaminc(FILE *stream, dns_name_t *top, @@ -214,6 +238,9 @@ dns_master_loadlexerinc(isc_lex_t *lex, * is completed or has failed. If the initial setup fails 'done' is * not called. * + * 'resign' the number of seconds before a RRSIG expires that it should + * be re-signed. 0 is used if not provided. + * * Requires: *\li 'master_file' points to a valid string. *\li 'lexer' points to a valid lexer. diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h index 36e83439a6..6ea185001c 100644 --- a/lib/dns/include/dns/rdata.h +++ b/lib/dns/include/dns/rdata.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdata.h,v 1.69 2008/04/01 23:47:10 tbox Exp $ */ +/* $Id: rdata.h,v 1.70 2008/04/02 02:37:42 marka Exp $ */ #ifndef DNS_RDATA_H #define DNS_RDATA_H 1 
@@ -126,11 +126,6 @@ struct dns_rdata { #define DNS_RDATA_UPDATE 0x0001 /*%< update pseudo record. */ #define DNS_RDATA_OFFLINE 0x0002 /*%< RRSIG has a offline key. */ -#define DNS_RDATA_WARNMASK 0x001c /*%< RRSIG(DNSKEY) expired - warnings number mask. */ -#define DNS_RDATA_WARNSHIFT 2 /*%< How many bits to shift - to find remaining - expired warning number. */ /* * Flags affecting rdata formatting style. Flags 0xFFFF0000 diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index 10892d7c51..d5b80e364e 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.h,v 1.157 2008/04/02 01:48:32 marka Exp $ */ +/* $Id: zone.h,v 1.158 2008/04/02 02:37:42 marka Exp $ */ #ifndef DNS_ZONE_H #define DNS_ZONE_H 1 @@ -1173,7 +1173,7 @@ dns_zone_getmgr(dns_zone_t *zone); void dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval); /*%< - * Set the zone's SIG validity interval. This is the length of time + * Set the zone's RRSIG validity interval. This is the length of time * for which DNSSEC signatures created as a result of dynamic updates * to secure zones will remain valid, in seconds. * @@ -1184,7 +1184,26 @@ dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval); isc_uint32_t dns_zone_getsigvalidityinterval(dns_zone_t *zone); /*%< - * Get the zone's SIG validity interval. + * Get the zone's RRSIG validity interval. + * + * Requires: + * \li 'zone' to be a valid zone. + */ + +void +dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval); +/*%< + * Set the zone's RRSIG re-signing interval. A dynamic zone's RRSIG's + * will be re-signed 'interval' amount of time before they expire. + * + * Requires: + * \li 'zone' to be a valid zone. + */ + +isc_uint32_t +dns_zone_getsigresigninginterval(dns_zone_t *zone); +/*%< + * Get the zone's RRSIG re-signing interval. * * Requires: * \li 'zone' to be a valid zone. 
@@ -1640,9 +1659,34 @@ dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg); * delivered to 'myview'. */ +void +dns_zone_setnodes(dns_zone_t *zone, isc_uint32_t nodes); +/* + * Set the number of nodes that will be checked per quantum. + */ + +void +dns_zone_setsignatures(dns_zone_t *zone, isc_uint32_t signatures); +/* + * Set the number of signatures that will be generated per quantum. + */ + isc_result_t dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, - isc_uint16_t keyid); + isc_uint16_t keyid); +/* + * Initiate/resume signing of the entire zone with the zone DNSKEY(s) + * that match the given algorithm and keyid. + */ + +void +dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type); +dns_rdatatype_t +dns_zone_getprivatetype(dns_zone_t *zone); +/* + * Get/Set the private record type. It is expected that these interfaces + * will not be permanent. + */ #ifdef HAVE_LIBXML2 diff --git a/lib/dns/master.c b/lib/dns/master.c index fe41ab8396..743e87bfaf 100644 --- a/lib/dns/master.c +++ b/lib/dns/master.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: master.c,v 1.170 2008/04/01 01:37:24 marka Exp $ */ +/* $Id: master.c,v 1.171 2008/04/02 02:37:42 marka Exp $ */ /*! \file */ @@ -139,6 +139,7 @@ struct dns_loadctx { /* locked by lock */ isc_uint32_t references; dns_incctx_t *inc; + isc_uint32_t resign; }; struct dns_incctx { @@ -503,7 +504,7 @@ incctx_create(isc_mem_t *mctx, dns_name_t *origin, dns_incctx_t **ictxp) { static isc_result_t loadctx_create(dns_masterformat_t format, isc_mem_t *mctx, - unsigned int options, dns_name_t *top, + unsigned int options, isc_uint32_t resign, dns_name_t *top, dns_rdataclass_t zclass, dns_name_t *origin, dns_rdatacallbacks_t *callbacks, isc_task_t *task, dns_loaddonefunc_t done, void *done_arg, isc_lex_t *lex, 
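Review bot: The new declarations `dns_zone_setnodes`, `dns_zone_setsignatures`, `dns_zone_signwithkey` and `dns_zone_setprivatetype`/`dns_zone_getprivatetype` are documented with plain `/*` blocks, whereas the rest of this header (and the `dns_zone_setsigresigninginterval` entry in the previous hunk) uses Doxygen `/*%<` blocks with a `Requires:` clause; switching to `/*%<` and adding `Requires: \li 'zone' to be a valid zone.` keeps them in the generated docs. The two setter comments should also name the options they back (`sig-signing-nodes`, `sig-signing-signatures`) so a reader can connect the quantum limits to the configuration, and `dns_zone_setprivatetype` should state the accepted range that check.c enforces (`0xff00..0xffff`), hedged to what zone.c actually validates since that code is not in this diff.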
@@ -580,6 +581,7 @@ loadctx_create(dns_masterformat_t format, isc_mem_t *mctx, lctx->options = options; lctx->seen_include = ISC_FALSE; lctx->zclass = zclass; + lctx->resign = resign; lctx->result = ISC_R_SUCCESS; dns_fixedname_init(&lctx->fixed_top); @@ -2323,8 +2325,8 @@ dns_master_loadfile(const char *master_file, dns_name_t *top, dns_rdataclass_t zclass, unsigned int options, dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx) { - return (dns_master_loadfile2(master_file, top, origin, zclass, options, - callbacks, mctx, dns_masterformat_text)); + return (dns_master_loadfile3(master_file, top, origin, zclass, options, + 0, callbacks, mctx, dns_masterformat_text)); } isc_result_t @@ -2333,12 +2335,24 @@ dns_master_loadfile2(const char *master_file, dns_name_t *top, dns_rdataclass_t zclass, unsigned int options, dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx, dns_masterformat_t format) +{ + return (dns_master_loadfile3(master_file, top, origin, zclass, options, + 0, callbacks, mctx, format)); +} + +isc_result_t +dns_master_loadfile3(const char *master_file, dns_name_t *top, + dns_name_t *origin, dns_rdataclass_t zclass, + unsigned int options, isc_uint32_t resign, + dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx, + dns_masterformat_t format) { dns_loadctx_t *lctx = NULL; isc_result_t result; - result = loadctx_create(format, mctx, options, top, zclass, origin, - callbacks, NULL, NULL, NULL, NULL, &lctx); + result = loadctx_create(format, mctx, options, resign, top, zclass, + origin, callbacks, NULL, NULL, NULL, NULL, + &lctx); if (result != ISC_R_SUCCESS) return (result); 
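Review bot: `lctx->resign = resign;` stores the new field, but no hunk in this diff reads `lctx->resign` afterwards, and `dns_master_loadfile3`/`dns_master_loadfileinc3` are the only callers that can pass a non-zero value; presumably a later part of master.c hands it to the diff or rdataset machinery — confirm, otherwise the parameter is plumbed through but unused. A short comment on the struct field in the `struct dns_loadctx` hunk, e.g. `/* seconds before RRSIG expiry at which to re-sign; see master.h */`, would record the unit, which the master.h prototype comment gives but the struct does not. loadctx_create continues outside the hunk.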
@@ -2361,8 +2375,8 @@ dns_master_loadfileinc(const char *master_file, dns_name_t *top, isc_task_t *task, dns_loaddonefunc_t done, void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx) { - return (dns_master_loadfileinc2(master_file, top, origin, zclass, - options, callbacks, task, done, + return (dns_master_loadfileinc3(master_file, top, origin, zclass, + options, 0, callbacks, task, done, done_arg, lctxp, mctx, dns_masterformat_text)); } @@ -2374,6 +2388,20 @@ dns_master_loadfileinc2(const char *master_file, dns_name_t *top, isc_task_t *task, dns_loaddonefunc_t done, void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx, dns_masterformat_t format) +{ + return (dns_master_loadfileinc3(master_file, top, origin, zclass, + options, 0, callbacks, task, done, + done_arg, lctxp, mctx, format)); +} + +isc_result_t +dns_master_loadfileinc3(const char *master_file, dns_name_t *top, + dns_name_t *origin, dns_rdataclass_t zclass, + unsigned int options, isc_uint32_t resign, + dns_rdatacallbacks_t *callbacks, isc_task_t *task, + dns_loaddonefunc_t done, void *done_arg, + dns_loadctx_t **lctxp, isc_mem_t *mctx, + dns_masterformat_t format) { dns_loadctx_t *lctx = NULL; isc_result_t result; @@ -2381,8 +2409,9 @@ dns_master_loadfileinc2(const char *master_file, dns_name_t *top, REQUIRE(task != NULL); REQUIRE(done != NULL); - result = loadctx_create(format, mctx, options, top, zclass, origin, - callbacks, task, done, done_arg, NULL, &lctx); + result = loadctx_create(format, mctx, options, resign, top, zclass, + origin, callbacks, task, done, done_arg, NULL, + &lctx); if (result != ISC_R_SUCCESS) return (result); @@ -2411,7 +2440,7 @@ dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin, REQUIRE(stream != NULL); - result = loadctx_create(dns_masterformat_text, mctx, options, top, + result = loadctx_create(dns_masterformat_text, mctx, options, 0, top, zclass, origin, callbacks, NULL, NULL, NULL, NULL, &lctx); if (result != ISC_R_SUCCESS) 
@@ -2444,7 +2473,7 @@ dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin, REQUIRE(task != NULL); REQUIRE(done != NULL); - result = loadctx_create(dns_masterformat_text, mctx, options, top, + result = loadctx_create(dns_masterformat_text, mctx, options, 0, top, zclass, origin, callbacks, task, done, done_arg, NULL, &lctx); if (result != ISC_R_SUCCESS) @@ -2477,7 +2506,7 @@ dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top, REQUIRE(buffer != NULL); - result = loadctx_create(dns_masterformat_text, mctx, options, top, + result = loadctx_create(dns_masterformat_text, mctx, options, 0, top, zclass, origin, callbacks, NULL, NULL, NULL, NULL, &lctx); if (result != ISC_R_SUCCESS) @@ -2510,7 +2539,7 @@ dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top, REQUIRE(task != NULL); REQUIRE(done != NULL); - result = loadctx_create(dns_masterformat_text, mctx, options, top, + result = loadctx_create(dns_masterformat_text, mctx, options, 0, top, zclass, origin, callbacks, task, done, done_arg, NULL, &lctx); if (result != ISC_R_SUCCESS) @@ -2542,7 +2571,7 @@ dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top, REQUIRE(lex != NULL); - result = loadctx_create(dns_masterformat_text, mctx, options, top, + result = loadctx_create(dns_masterformat_text, mctx, options, 0, top, zclass, origin, callbacks, NULL, NULL, NULL, lex, &lctx); if (result != ISC_R_SUCCESS) @@ -2570,7 +2599,7 @@ dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top, REQUIRE(task != NULL); REQUIRE(done != NULL); - result = loadctx_create(dns_masterformat_text, mctx, options, top, + result = loadctx_create(dns_masterformat_text, mctx, options, 0, top, zclass, origin, callbacks, task, done, done_arg, lex, &lctx); if (result != ISC_R_SUCCESS) 
@@ -2700,23 +2729,21 @@ grow_rdata(int new_len, dns_rdata_t *old, int old_len, } static isc_uint32_t -resign_fromlist(dns_rdatalist_t *this) { +resign_fromlist(dns_rdatalist_t *this, isc_uint32_t resign) { dns_rdata_t *rdata; dns_rdata_rrsig_t sig; - isc_uint32_t when, delta; + isc_uint32_t when; rdata = ISC_LIST_HEAD(this->rdata); INSIST(rdata != NULL); (void)dns_rdata_tostruct(rdata, &sig, NULL); - delta = (sig.timeexpire - sig.timesigned)* 3 / 4; - when = sig.timesigned + delta; + when = sig.timeexpire - resign; rdata = ISC_LIST_NEXT(rdata, link); while (rdata != NULL) { (void)dns_rdata_tostruct(rdata, &sig, NULL); - delta = (sig.timeexpire - sig.timesigned)* 3 / 4; - if (sig.timesigned + delta < when) - when = sig.timesigned + delta; + if (sig.timeexpire - resign < when) + when = sig.timeexpire - resign; rdata = ISC_LIST_NEXT(rdata, link); } return (when); @@ -2755,7 +2782,7 @@ commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx, (lctx->options & DNS_MASTER_RESIGN) != 0) { dataset.attributes |= DNS_RDATASETATTR_RESIGN; dns_name_format(owner, namebuf, sizeof(namebuf)); - dataset.resign = resign_fromlist(this); + dataset.resign = resign_fromlist(this, lctx->resign); } result = ((*callbacks->add)(callbacks->add_private, owner, &dataset)); diff --git a/lib/dns/message.c b/lib/dns/message.c index 7fbb6f1ee0..c1d8a589c8 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: message.c,v 1.240 2008/01/18 23:46:58 tbox Exp $ */ +/* $Id: message.c,v 1.241 2008/04/02 02:37:42 marka Exp $ */ /*! \file */ @@ -3022,6 +3022,7 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) { { dst_key_t *key = NULL; + dns_rdata_reset(&rdata); dns_rdataset_current(&keyset, &rdata); isc_buffer_init(&b, rdata.data, rdata.length); isc_buffer_add(&b, rdata.length); diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 8eaff9a742..9821bc4147 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c 
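Review bot: `when = sig.timeexpire - resign` in `resign_fromlist` has no lower bound: when `resign` exceeds a signature's validity window the result lies before `sig.timesigned` (wrapping modulo 2^32 if it crosses zero), so the RRset is immediately due, and with `resign` at or above the zone's validity interval each re-signing would likely produce another immediately-due signature. Nothing visible guards the relation — `dns_zone_setsigresigninginterval` (zone.c, later in this diff) stores the value unchecked and the `zone_postload` warning only compares it with `3 * refresh`. Suggest clamping at both computation sites here, `if (resign > sig.timeexpire - sig.timesigned) when = sig.timesigned; else when = sig.timeexpire - resign;` (and the analogous form inside the loop), or rejecting `sigresigninginterval >= sigvalidityinterval` where the zone is configured.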
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.254 2008/04/01 23:47:10 tbox Exp $ */ +/* $Id: rbtdb.c,v 1.255 2008/04/02 02:37:42 marka Exp $ */ /*! \file */ @@ -25,6 +25,8 @@ #include +#define inline + #include #include #include @@ -690,7 +692,7 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) { } /*% - * These functions allows the heap code to rank the priority of each + * These functions allow the heap code to rank the priority of each * element. It returns ISC_TRUE if v1 happens "sooner" than v2. */ static isc_boolean_t @@ -5357,12 +5359,12 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, #endif } else if (RESIGN(newheader)) resign_insert(rbtdb, idx, newheader); - } - } else { - /* - * No non-IGNORED rdatasets of the given type exist at - * this node. - */ + } + } else { + /* + * No non-IGNORED rdatasets of the given type exist at + * this node. + */ /* * If we're trying to delete the type, don't bother. @@ -6363,6 +6365,7 @@ dns_rbtdb_create isc_result_t result; int i; dns_name_t name; + isc_boolean_t (*sooner)(void *, void *); /* Keep the compiler happy. */ UNUSED(argc); @@ -6418,9 +6421,8 @@ dns_rbtdb_create } for (i = 0; i < (int)rbtdb->node_lock_count; i++) ISC_LIST_INIT(rbtdb->rdatasets[i]); - } else { + } else rbtdb->rdatasets = NULL; - } /* * Create the heaps. 
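Review bot: The bare `#define inline` added to rbtdb.c's include block redefines the keyword to nothing for the rest of the translation unit, including every header included after it, so any `static inline` helper those headers define is compiled as an ordinary static function in this file only. There is no comment saying why; if it is a debugging aid (keeping functions out of line for a debugger is the usual reason), it should be marked as such and disabled by default, e.g. wrapped in an `#ifdef` on a debug-only macro with `/* Debugging aid: keep helpers out of line. */`, otherwise it should not be committed.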
@@ -6433,19 +6435,17 @@ dns_rbtdb_create } for (i = 0; i < (int)rbtdb->node_lock_count; i++) rbtdb->heaps[i] = NULL; - + sooner = IS_CACHE(rbtdb) ? ttl_sooner : resign_sooner; for (i = 0; i < (int)rbtdb->node_lock_count; i++) { - if (IS_CACHE(rbtdb)) - result = isc_heap_create(mctx, ttl_sooner, set_index, - 0, &rbtdb->heaps[i]); - else - result = isc_heap_create(mctx, resign_sooner, - set_index, 0, - &rbtdb->heaps[i]); + result = isc_heap_create(mctx, sooner, set_index, 0, + &rbtdb->heaps[i]); if (result != ISC_R_SUCCESS) goto cleanup_heaps; } + /* + * Create deadnode lists. + */ rbtdb->deadnodes = isc_mem_get(mctx, rbtdb->node_lock_count * sizeof(rbtnodelist_t)); if (rbtdb->deadnodes == NULL) { @@ -6725,9 +6725,6 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { raw += 2; #endif if (rdataset->type == dns_rdatatype_rrsig) { - flags = ((*raw & DNS_RDATASLAB_WARNMASK) - >> DNS_RDATASLAB_WARNSHIFT) - << DNS_RDATA_WARNSHIFT; if (*raw & DNS_RDATASLAB_OFFLINE) flags |= DNS_RDATA_OFFLINE; length--; diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c index 8e67641803..13e223337e 100644 --- a/lib/dns/rdataslab.c +++ b/lib/dns/rdataslab.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataslab.c,v 1.45 2008/04/01 23:47:10 tbox Exp $ */ +/* $Id: rdataslab.c,v 1.46 2008/04/02 02:37:42 marka Exp $ */ /*! \file */ @@ -171,8 +171,6 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, #if DNS_RDATASET_FIXED x[i].order = i; #endif - if (x[i].rdata.flags & DNS_RDATA_OFFLINE) - fprintf(stderr, "OFFLINE\n"); result = dns_rdataset_next(rdataset); } if (result != ISC_R_NOMORE) 
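Review bot: In rbtdb.c `rdataset_current`, deleting the WARNMASK assignment leaves `flags |= DNS_RDATA_OFFLINE` as the only write to `flags` in the RRSIG branch; `flags` is declared outside the hunk, so unless it is initialised there (`unsigned int flags = 0;`), whatever is later stored from it is indeterminate when the OFFLINE bit is clear. The identical change in rdataslab.c `rdataset_current` (later in this diff) has the same exposure. Please confirm the initialiser, or make the branch self-contained with `flags = (*raw & DNS_RDATASLAB_OFFLINE) ? DNS_RDATA_OFFLINE : 0;`.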
@@ -307,13 +305,8 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, * Store the per RR meta data. */ if (rdataset->type == dns_rdatatype_rrsig) { - *rawbuf = ((x[i].rdata.flags & DNS_RDATA_WARNMASK) - >> DNS_RDATA_WARNSHIFT) - << DNS_RDATASLAB_WARNSHIFT; *rawbuf++ |= (x[i].rdata.flags & DNS_RDATA_OFFLINE) ? DNS_RDATASLAB_OFFLINE : 0; - if (x[i].rdata.flags & DNS_RDATA_OFFLINE) - fprintf(stderr, "set DNS_RDATASLAB_OFFLINE\n"); } memcpy(rawbuf, x[i].rdata.data, x[i].rdata.length); rawbuf += x[i].rdata.length; @@ -402,9 +395,6 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { raw += 2; #endif if (rdataset->type == dns_rdatatype_rrsig) { - flags = ((*raw & DNS_RDATASLAB_WARNMASK) - >> DNS_RDATASLAB_WARNSHIFT) - << DNS_RDATA_WARNSHIFT; if (*raw & DNS_RDATASLAB_OFFLINE) flags |= DNS_RDATA_OFFLINE; length--; @@ -536,10 +526,8 @@ rdata_from_slab(unsigned char **current, region.base = tcurrent; tcurrent += region.length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); - if (offline) { + if (offline) rdata->flags |= DNS_RDATA_OFFLINE; - fprintf(stderr, "rdata_from_slab: DNS_RDATA_OFFLINE\n"); - } *current = tcurrent; } diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 5f22c54cb2..1aa194dcb9 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -16,7 +16,7 @@ */ /* - * $Id: tsig.c,v 1.134 2008/04/01 01:37:25 marka Exp $ + * $Id: tsig.c,v 1.135 2008/04/02 02:37:42 marka Exp $ */ /*! \file */ #include @@ -445,7 +445,7 @@ cleanup_ring(dns_tsig_keyring_t *ring) dns_rbtnodechain_current(&chain, &foundname, origin, &node); tkey = node->data; if (tkey != NULL) { - tsig_log(tkey, 2, "tsig expire: generated=%d, refs=%d, expire=%d", tkey->generated, isc_refcount_current(&tkey->refs), now - tkey->expire); + tsig_log(tkey, 2, "tsig expire: generated=%d, refs=%d, expire=%d)", tkey->generated, isc_refcount_current(&tkey->refs), now - tkey->expire); if (tkey->generated && isc_refcount_current(&tkey->refs) == 1 && tkey->inception != tkey->expire 
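Review bot: In `dns_rdataslab_fromrdataset`, removing the `*rawbuf = ...` store leaves `*rawbuf++ |= (x[i].rdata.flags & DNS_RDATA_OFFLINE) ? DNS_RDATASLAB_OFFLINE : 0;` OR-ing into a byte that nothing in the hunk has written. Unless the slab is zero-filled before this loop (not visible here), the per-RR meta-data byte inherits the allocation's previous contents, and an RRSIG may later be reported offline — or have other reserved bits set — at random. Make it a plain assignment: `*rawbuf++ = (x[i].rdata.flags & DNS_RDATA_OFFLINE) ? DNS_RDATASLAB_OFFLINE : 0;`.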
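Review bot: The only substantive change to the `tsig_log` call in `cleanup_ring` is an unmatched `)` appended to the format string, `"tsig expire: generated=%d, refs=%d, expire=%d)"`, which reads like a typo rather than an intended message change. Restore `"tsig expire: generated=%d, refs=%d, expire=%d"`, and since the line is being touched anyway, wrap it to the file's usual width.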
diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 07ccf66acd..2ad569c736 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.475 2008/04/02 01:48:32 marka Exp $ */ +/* $Id: zone.c,v 1.476 2008/04/02 02:37:42 marka Exp $ */ /*! \file */ @@ -248,6 +248,7 @@ struct dns_zone { isc_event_t ctlevent; dns_ssutable_t *ssutable; isc_uint32_t sigvalidityinterval; + isc_uint32_t sigresigninginterval; dns_view_t *view; dns_acache_t *acache; dns_checkmxfunc_t checkmx; @@ -283,6 +284,12 @@ struct dns_zone { * Keys that are signing the zone for the first time. */ ISC_LIST(dns_signing_t) signing; + /*% + * Signing / re-signing quantum stopping parameters. + */ + isc_uint32_t signatures; + isc_uint32_t nodes; + dns_rdatatype_t privatetype; }; #define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0)) @@ -456,7 +463,7 @@ struct dns_io { /*% * Hold state for when we are signing a zone with a new - * DNSKEY as result of a update. + * DNSKEY as result of an update. */ struct dns_signing { unsigned int magic; @@ -631,7 +638,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) { zone->strrdclass = NULL; zone->strviewname = NULL; zone->masterfile = NULL; - zone->masterformat = dns_masterformat_none; + zone->masterformat = dns_masterformat_none; zone->keydirectory = NULL; zone->journalsize = -1; zone->journal = NULL; @@ -697,7 +704,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) { zone->maxxfrout = MAX_XFER_TIME; zone->ssutable = NULL; zone->sigvalidityinterval = 30 * 24 * 3600; - zone->sigvalidityinterval = 3600; /* XXMPA */ + zone->sigresigninginterval = 7 * 24 * 3600; zone->view = NULL; zone->acache = NULL; zone->checkmx = NULL; @@ -710,6 +717,9 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) { zone->isself = NULL; zone->isselfarg = NULL; ISC_LIST_INIT(zone->signing); + zone->signatures = 10; + zone->nodes = 100; + zone->privatetype = (dns_rdatatype_t)0xffffU; zone->magic = ZONE_MAGIC; 
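Review bot: `zone->sigresigninginterval = 7 * 24 * 3600;` in `dns_zone_create` and the new `isc_uint32_t sigresigninginterval;` field in `struct dns_zone` carry no comment on the unit or meaning, whereas the `signatures`/`nodes`/`privatetype` group added in the same file gets a `/*% ... */` block. From `resign_fromlist` (master.c, earlier in this diff) the value is subtracted from each signature's expiry, so suggest `/*% Seconds before RRSIG expiry at which re-signing is scheduled. */` on the field and `/* 7 days */` on the default, alongside the adjacent `30 * 24 * 3600` validity default.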
@@ -1414,11 +1424,12 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) { options = get_master_options(load->zone); - result = dns_master_loadfileinc2(load->zone->masterfile, + result = dns_master_loadfileinc3(load->zone->masterfile, dns_db_origin(load->db), dns_db_origin(load->db), load->zone->rdclass, options, + load->zone->sigresigninginterval, &load->callbacks, task, zone_loaddone, load, &load->zone->lctx, load->zone->mctx, @@ -1519,9 +1530,10 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) { &callbacks.add_private); if (result != ISC_R_SUCCESS) return (result); - result = dns_master_loadfile2(zone->masterfile, &zone->origin, + result = dns_master_loadfile3(zone->masterfile, &zone->origin, &zone->origin, zone->rdclass, - options, &callbacks, zone->mctx, + options, zone->sigresigninginterval, + &callbacks, zone->mctx, zone->masterformat); tresult = dns_db_endload(db, &callbacks.add_private); if (result == ISC_R_SUCCESS) @@ -2028,7 +2040,7 @@ set_signingtime(dns_zone_t *zone) { dns_db_currentversion(zone->db, &version); dns_rdataset_init(&rdataset); result = dns_db_findrdataset(zone->db, node, version, - (dns_rdatatype_t)0xffff, + zone->privatetype, dns_rdatatype_none, 0, &rdataset, NULL); if (result != ISC_R_SUCCESS) @@ -2048,7 +2060,7 @@ set_signingtime(dns_zone_t *zone) { (rdata.data[1] << 8) | rdata.data[2]); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "dns_zone_signwithkey failed: %s", + "zone_signwithkey failed: %s", dns_result_totext(result)); } dns_rdata_reset(&rdata); @@ -2081,7 +2093,6 @@ set_resigntime(dns_zone_t *zone) { return; } resign = rdataset.resign; -fprintf(stderr, "set_resigntime %u\n", resign); dns_name_format(dns_fixedname_name(&fixed), namebuf, sizeof(namebuf)); dns_rdataset_disassociate(&rdataset); isc_random_get(&nanosecs); 
@@ -2254,11 +2265,11 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, if (zone->type == dns_zone_master && (zone->update_acl != NULL || zone->ssutable != NULL) && - (zone->sigvalidityinterval / 4) < (3 * refresh) && + zone->sigresigninginterval < (3 * refresh) && dns_db_issecure(db)) { dns_zone_log(zone, ISC_LOG_WARNING, - "1/4 sig-validity-interval less than " + "sig-re-signing-interval less than " "3 * refresh."); } @@ -3168,6 +3179,7 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, * Create a singleton diff. */ dns_diff_init(diff->mctx, &temp_diff); + temp_diff.resign = diff->resign; ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); /* @@ -3302,11 +3314,8 @@ offline(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, dns_name_t *name, { isc_result_t result; - if ((rdata->flags & DNS_RDATA_OFFLINE) != 0) { -fprintf(stderr, "rdata is already marked as offline\n"); + if ((rdata->flags & DNS_RDATA_OFFLINE) != 0) return (ISC_R_SUCCESS); - } -fprintf(stderr, "mark as offline\n"); result = update_one_rr(db, ver, diff, DNS_DIFFOP_DELRESIGN, name, ttl, rdata); if (result != ISC_R_SUCCESS) @@ -3400,7 +3409,8 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, */ found = ISC_FALSE; for (i = 0; i < nkeys; i++) { - if (rrsig.keyid == dst_key_id(keys[i])) { + if (rrsig.algorithm == dst_key_alg(keys[i]) && + rrsig.keyid == dst_key_id(keys[i])) { found = ISC_TRUE; /* * Mark offline RRSIG(DNSKEY). @@ -3450,7 +3460,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, result = ISC_R_SUCCESS; if (warn != 0) set_key_expiry_warning(zone, warn, now); -failure: + failure: if (node != NULL) dns_db_detachnode(db, &node); return (result); 
@@ -3533,6 +3543,7 @@ zone_resigninc(dns_zone_t *zone) { dns_rdataset_init(&rdataset); dns_fixedname_init(&fixed); dns_diff_init(zone->mctx, &sig_diff); + sig_diff.resign = zone->sigresigninginterval; /* * Updates are disabled. Pause for 5 minutes. @@ -3565,7 +3576,6 @@ zone_resigninc(dns_zone_t *zone) { isc_stdtime_get(&now); inception = now - 3600; /* Allow for clock skew. */ - inception = now - 4; /* XXXMPA */ soaexpire = now + dns_zone_getsigvalidityinterval(zone); /* * Spread out signatures over time if they happen to be @@ -3574,7 +3584,6 @@ zone_resigninc(dns_zone_t *zone) { */ isc_random_get(&jitter); expire = soaexpire - jitter % 3600; - expire = soaexpire; /* XXXMPA */ stop = now + 5; check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); @@ -3599,7 +3608,8 @@ zone_resigninc(dns_zone_t *zone) { * recent signature. */ /* XXXMPA increase number of RRsets signed pre call */ - if (covers == dns_rdatatype_soa || i++ > 3 || resign > stop) { + if (covers == dns_rdatatype_soa || i++ > zone->signatures || + resign > stop) { /* * Ensure that we don't loop resigning the SOA. */ @@ -3813,7 +3823,7 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node, isc_stdtime_t inception, isc_stdtime_t expire, unsigned int minimum, isc_boolean_t is_ksk, isc_boolean_t *delegation, - dns_diff_t *diff, int *signatures, isc_mem_t *mctx) + dns_diff_t *diff, isc_int32_t *signatures, isc_mem_t *mctx) { isc_result_t result; dns_rdatasetiter_t *iterator = NULL; @@ -3977,7 +3987,8 @@ updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, static isc_result_t updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version, - dns_name_t *name, dns_diff_t *diff) + dns_name_t *name, dns_rdatatype_t privatetype, + dns_diff_t *diff) { isc_result_t result; dns_dbnode_t *node = NULL; 
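Review bot: In `zone_resigninc`, the new stop test `i++ > zone->signatures` breaks only after `zone->signatures + 1` RRsets have been processed (assuming `i` starts at 0: the post-increment compares the old value and the test is `>` rather than `>=`), whereas `zone_sign` decrements `signatures` to exactly zero, so the two quanta interpret the same setting differently. `i` is declared outside the hunk — if it is a plain `int`, the comparison with an `isc_uint32_t` is also a mixed signed/unsigned compare. Suggest `i++ >= zone->signatures` and, now that the count is configurable, replacing the stale `/* XXXMPA increase number of RRsets signed pre call */` context comment with `/* Stop after zone->signatures RRsets or when the quantum expires. */`.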
@@ -3990,7 +4001,7 @@ updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version, if (result != ISC_R_SUCCESS) goto failure; - result = dns_db_findrdataset(signing->db, node, version, 0xffff, + result = dns_db_findrdataset(signing->db, node, version, privatetype, dns_rdatatype_none, 0, &rdataset, NULL); if (result == ISC_R_NOTFOUND) { result = ISC_R_SUCCESS; @@ -4047,7 +4058,7 @@ zone_sign(dns_zone_t *zone) { dns_signing_t *signing, *nextsigning; dns_signinglist_t cleanup; dst_key_t *zone_keys[MAXZONEKEYS]; - int signatures; + isc_int32_t signatures; isc_boolean_t check_ksk, is_ksk; isc_boolean_t delegation; isc_boolean_t finishedakey = ISC_FALSE; @@ -4058,7 +4069,7 @@ zone_sign(dns_zone_t *zone) { isc_uint32_t jitter; unsigned int i; unsigned int nkeys = 0; - unsigned int nodes; + isc_uint32_t nodes; dns_rdataset_init(&rdataset); dns_fixedname_init(&fixed); @@ -4066,10 +4077,9 @@ zone_sign(dns_zone_t *zone) { dns_fixedname_init(&nextfixed); nextname = dns_fixedname_name(&nextfixed); dns_diff_init(zone->mctx, &sig_diff); + sig_diff.resign = zone->sigresigninginterval; ISC_LIST_INIT(cleanup); -fprintf(stderr, "zone_sign\n"); - /* * Updates are disabled. Pause for 5 minutes. */ @@ -4101,7 +4111,6 @@ fprintf(stderr, "zone_sign\n"); isc_stdtime_get(&now); inception = now - 3600; /* Allow for clock skew. */ - inception = now - 4; /* XXXMPA */ soaexpire = now + dns_zone_getsigvalidityinterval(zone); /* * Spread out signatures over time if they happen to be @@ -4110,7 +4119,6 @@ fprintf(stderr, "zone_sign\n"); */ isc_random_get(&jitter); expire = soaexpire - jitter % 3600; - expire = soaexpire; /* XXXMPA */ stop = now + 5; check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); 
@@ -4122,8 +4130,8 @@ fprintf(stderr, "zone_sign\n"); * we have no more noded to pull off or we reach the limits * for this quantum. */ - nodes = 10; - signatures = 3; + nodes = zone->nodes; + signatures = zone->signatures; signing = ISC_LIST_HEAD(zone->signing); first = ISC_TRUE; while (signing != NULL && nodes-- > 0 && signatures > 0) { @@ -4235,6 +4243,7 @@ fprintf(stderr, "zone_sign\n"); } result = updatesignwithkey(signing, version, &zone->origin, + zone->privatetype, &sig_diff); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, @@ -4296,8 +4305,8 @@ fprintf(stderr, "zone_sign\n"); * the signatures. */ result = del_sigs(zone, db, version, &zone->origin, - (dns_rdatatype_t)0xffff, &sig_diff, - zone_keys, nkeys, now); + zone->privatetype, &sig_diff, + zone_keys, nkeys, now); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:del_sigs -> %s\n", @@ -4305,7 +4314,7 @@ fprintf(stderr, "zone_sign\n"); goto failure; } result = add_sigs(db, version, &zone->origin, - (dns_rdatatype_t)0xffff, &sig_diff, + zone->privatetype, &sig_diff, zone_keys, nkeys, zone->mctx, inception, soaexpire, check_ksk); if (result != ISC_R_SUCCESS) { @@ -4416,12 +4425,9 @@ fprintf(stderr, "zone_sign\n"); isc_interval_set(&i, 60, 0); /* 1 minute */ else isc_interval_set(&i, 0, 10000000); /* 10 ms */ - isc_interval_set(&i, 120, 0); /* XXXMPA */ isc_time_nowplusinterval(&zone->signingtime, &i); - } else { - fprintf(stderr, "sign_zone done\n"); + } else isc_time_settoepoch(&zone->signingtime); - } } static void @@ -8378,7 +8384,6 @@ dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval) { REQUIRE(DNS_ZONE_VALID(zone)); zone->sigvalidityinterval = interval; - zone->sigvalidityinterval = 3600; /* XXXMPA */ } isc_uint32_t 
@@ -8388,6 +8393,20 @@ dns_zone_getsigvalidityinterval(dns_zone_t *zone) { return (zone->sigvalidityinterval); } +void +dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) { + REQUIRE(DNS_ZONE_VALID(zone)); + + zone->sigresigninginterval = interval; +} + +isc_uint32_t +dns_zone_getsigresigninginterval(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + + return (zone->sigresigninginterval); +} + static void queue_xfrin(dns_zone_t *zone) { const char me[] = "queue_xfrin"; @@ -9776,7 +9795,8 @@ dns_zone_getnotifydelay(dns_zone_t *zone) { isc_result_t dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, - isc_uint16_t keyid) { + isc_uint16_t keyid) +{ isc_result_t result; REQUIRE(DNS_ZONE_VALID(zone)); @@ -9790,8 +9810,44 @@ dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, return (result); } +void +dns_zone_setnodes(dns_zone_t *zone, isc_uint32_t nodes) { + REQUIRE(DNS_ZONE_VALID(zone)); + + if (nodes == 0) + nodes = 1; + zone->nodes = nodes; +} + +void +dns_zone_setsignatures(dns_zone_t *zone, isc_uint32_t signatures) { + REQUIRE(DNS_ZONE_VALID(zone)); + + /* + * We treat signatures as a signed value so explicitly + * limit its range here. + */ + if (signatures > ISC_INT32_MAX) + signatures = ISC_INT32_MAX; + else if (signatures == 0) + signatures = 1; + zone->signatures = signatures; +} + +void +dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type) { + REQUIRE(DNS_ZONE_VALID(zone)); + zone->privatetype = type; +} + +dns_rdatatype_t +dns_zone_getprivatetype(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + return (zone->privatetype); +} + static isc_result_t -zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid) { +zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid) { dns_signing_t *signing; isc_result_t result; isc_time_t now; diff --git a/lib/isc/mem.c b/lib/isc/mem.c index bd4c068d74..8f030a336c 100644 --- a/lib/isc/mem.c +++ b/lib/isc/mem.c 
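Review bot: `dns_zone_setprivatetype` stores any `dns_rdatatype_t` unchecked, while `set_signingtime`, `updatesignwithkey` and `zone_sign` (earlier in this diff) use `zone->privatetype` as the type of the RRset holding the zone's signing state, so a caller passing an ordinary type would make those records collide with real zone data. Unless the configuration layer already restricts the value to a private-use type, consider rejecting such values here or at least documenting the requirement. Separately, the new setters write `zone->sigresigninginterval`, `zone->nodes`, `zone->signatures` and `zone->privatetype` without taking the zone lock, consistent with `dns_zone_setsigvalidityinterval` just above; presumably they are only meant to run while the zone is being configured, and a comment stating that on the declarations would make the contract explicit.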
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mem.c,v 1.144 2008/04/01 01:37:25 marka Exp $ */ +/* $Id: mem.c,v 1.145 2008/04/02 02:37:42 marka Exp $ */ /*! \file */ @@ -112,7 +112,7 @@ typedef ISC_LIST(debuglink_t) debuglist_t; static ISC_LIST(isc_mem_t) contexts; static isc_once_t once = ISC_ONCE_INIT; -static isc_mutex_t contextlock; +static isc_mutex_t lock; /*% * Total size of lost memory due to a bug of external library. @@ -124,7 +124,7 @@ struct isc_mem { unsigned int magic; isc_ondestroy_t ondestroy; unsigned int flags; - isc_mutex_t memlock; + isc_mutex_t lock; isc_memalloc_t memalloc; isc_memfree_t memfree; void * arg; @@ -702,7 +702,7 @@ default_memfree(void *arg, void *ptr) { static void initialize_action(void) { - RUNTIME_CHECK(isc_mutex_init(&contextlock) == ISC_R_SUCCESS); + RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS); ISC_LIST_INIT(contexts); totallost = 0; } @@ -742,7 +742,7 @@ isc_mem_createx2(size_t init_max_size, size_t target_size, return (ISC_R_NOMEMORY); if ((flags & ISC_MEMFLAG_NOLOCK) == 0) { - result = isc_mutex_init(&ctx->memlock); + result = isc_mutex_init(&ctx->lock); if (result != ISC_R_SUCCESS) { (memfree)(arg, ctx); return (result); @@ -827,9 +827,9 @@ isc_mem_createx2(size_t init_max_size, size_t target_size, ctx->memalloc_failures = 0; - LOCK(&contextlock); + LOCK(&lock); ISC_LIST_INITANDAPPEND(contexts, ctx, link); - UNLOCK(&contextlock); + UNLOCK(&lock); *ctxp = ctx; return (ISC_R_SUCCESS); @@ -845,7 +845,7 @@ isc_mem_createx2(size_t init_max_size, size_t target_size, (ctx->memfree)(ctx->arg, ctx->debuglist); #endif /* ISC_MEM_TRACKLINES */ if ((ctx->flags & ISC_MEMFLAG_NOLOCK) == 0) - DESTROYLOCK(&ctx->memlock); + DESTROYLOCK(&ctx->lock); (memfree)(arg, ctx); } @@ -877,10 +877,10 @@ destroy(isc_mem_t *ctx) { ctx->magic = 0; - LOCK(&contextlock); + LOCK(&lock); ISC_LIST_UNLINK(contexts, ctx, link); totallost += ctx->inuse; - UNLOCK(&contextlock); + UNLOCK(&lock); INSIST(ISC_LIST_EMPTY(ctx->pools)); 
@@ -932,7 +932,7 @@ destroy(isc_mem_t *ctx) { ondest = ctx->ondestroy; if ((ctx->flags & ISC_MEMFLAG_NOLOCK) == 0) - DESTROYLOCK(&ctx->memlock); + DESTROYLOCK(&ctx->lock); (ctx->memfree)(ctx->arg, ctx); isc_ondestroy_notify(&ondest, ctx); @@ -943,9 +943,9 @@ isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) { REQUIRE(VALID_CONTEXT(source)); REQUIRE(targetp != NULL && *targetp == NULL); - MCTXLOCK(source, &source->memlock); + MCTXLOCK(source, &source->lock); source->references++; - MCTXUNLOCK(source, &source->memlock); + MCTXUNLOCK(source, &source->lock); *targetp = source; } @@ -959,12 +959,12 @@ isc_mem_detach(isc_mem_t **ctxp) { ctx = *ctxp; REQUIRE(VALID_CONTEXT(ctx)); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); INSIST(ctx->references > 0); ctx->references--; if (ctx->references == 0) want_destroy = ISC_TRUE; - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); if (want_destroy) destroy(ctx); @@ -1010,11 +1010,11 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) { } isc__mem_free(ctx, ptr FLARG_PASS); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); ctx->references--; if (ctx->references == 0) want_destroy = ISC_TRUE; - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); if (want_destroy) destroy(ctx); @@ -1022,11 +1022,11 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) { } if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) { - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); mem_putunlocked(ctx, ptr, size); } else { mem_put(ctx, ptr, size); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); mem_putstats(ctx, ptr, size); } @@ -1036,7 +1036,7 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) { if (ctx->references == 0) want_destroy = ISC_TRUE; - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); if (want_destroy) destroy(ctx); 
@@ -1055,14 +1055,14 @@ isc_mem_destroy(isc_mem_t **ctxp) { ctx = *ctxp; REQUIRE(VALID_CONTEXT(ctx)); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); #if ISC_MEM_TRACKLINES if (ctx->references != 1) print_active(ctx, stderr); #endif REQUIRE(ctx->references == 1); ctx->references--; - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); destroy(ctx); @@ -1073,9 +1073,9 @@ isc_result_t isc_mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event) { isc_result_t res; - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); res = isc_ondestroy_register(&ctx->ondestroy, task, event); - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); return (res); } @@ -1092,11 +1092,11 @@ isc__mem_get(isc_mem_t *ctx, size_t size FLARG) { return (isc__mem_allocate(ctx, size FLARG_PASS)); if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) { - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); ptr = mem_getunlocked(ctx, size); } else { ptr = mem_get(ctx, size); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); if (ptr != NULL) mem_getstats(ctx, size); } @@ -1113,7 +1113,7 @@ isc__mem_get(isc_mem_t *ctx, size_t size FLARG) { fprintf(stderr, "maxinuse = %lu\n", (unsigned long)ctx->inuse); } - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); if (call_water) (ctx->water)(ctx->water_arg, ISC_MEM_HIWATER); @@ -1144,11 +1144,11 @@ isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG) } if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) { - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); mem_putunlocked(ctx, ptr, size); } else { mem_put(ctx, ptr, size); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); mem_putstats(ctx, ptr, size); } @@ -1164,7 +1164,7 @@ isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG) if (ctx->water != NULL) call_water = ISC_TRUE; } - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); if (call_water) (ctx->water)(ctx->water_arg, ISC_MEM_LOWATER); 
@@ -1174,12 +1174,12 @@ void isc_mem_waterack(isc_mem_t *ctx, int flag) { REQUIRE(VALID_CONTEXT(ctx)); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); if (flag == ISC_MEM_LOWATER) ctx->hi_called = ISC_FALSE; else if (flag == ISC_MEM_HIWATER) ctx->hi_called = ISC_TRUE; - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); } #if ISC_MEM_TRACKLINES @@ -1233,7 +1233,7 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) { const isc_mempool_t *pool; REQUIRE(VALID_CONTEXT(ctx)); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); for (i = 0; i <= ctx->max_size; i++) { s = &ctx->stats[i]; @@ -1254,7 +1254,7 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) { * Note that since a pool can be locked now, these stats might be * somewhat off if the pool is in active use at the time the stats * are dumped. The link fields are protected by the isc_mem_t's - * contextlock, however, so walking this list and extracting integers from + * lock, however, so walking this list and extracting integers from * stats fields is always safe. */ pool = ISC_LIST_HEAD(ctx->pools); @@ -1294,7 +1294,7 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) { print_active(ctx, out); #endif - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); } /* @@ -1333,11 +1333,11 @@ isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) { REQUIRE(VALID_CONTEXT(ctx)); if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) { - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); si = isc__mem_allocateunlocked(ctx, size); } else { si = isc__mem_allocateunlocked(ctx, size); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); if (si != NULL) mem_getstats(ctx, si[-1].u.size); } @@ -1357,7 +1357,7 @@ isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) { fprintf(stderr, "maxinuse = %lu\n", (unsigned long)ctx->inuse); } - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); if (call_water) (ctx->water)(ctx->water_arg, ISC_MEM_HIWATER); 
@@ -1384,11 +1384,11 @@ isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) { } if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) { - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); mem_putunlocked(ctx, si, size); } else { mem_put(ctx, si, size); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); mem_putstats(ctx, si, size); } @@ -1406,7 +1406,7 @@ isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) { if (ctx->water != NULL) call_water = ISC_TRUE; } - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); if (call_water) (ctx->water)(ctx->water_arg, ISC_MEM_LOWATER); @@ -1438,11 +1438,11 @@ isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) { void isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) { REQUIRE(VALID_CONTEXT(ctx)); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); ctx->checkfree = flag; - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); } /* @@ -1452,11 +1452,11 @@ isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) { void isc_mem_setquota(isc_mem_t *ctx, size_t quota) { REQUIRE(VALID_CONTEXT(ctx)); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); ctx->quota = quota; - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); } size_t @@ -1464,11 +1464,11 @@ isc_mem_getquota(isc_mem_t *ctx) { size_t quota; REQUIRE(VALID_CONTEXT(ctx)); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); quota = ctx->quota; - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); return (quota); } @@ -1478,11 +1478,11 @@ isc_mem_inuse(isc_mem_t *ctx) { size_t inuse; REQUIRE(VALID_CONTEXT(ctx)); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); inuse = ctx->inuse; - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); return (inuse); } 
@@ -1498,7 +1498,7 @@ isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg, REQUIRE(VALID_CONTEXT(ctx)); REQUIRE(hiwater >= lowater); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); oldwater = ctx->water; oldwater_arg = ctx->water_arg; if (water == NULL) { @@ -1519,7 +1519,7 @@ isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg, ctx->lo_water = lowater; ctx->hi_called = ISC_FALSE; } - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); if (callwater && oldwater != NULL) (oldwater)(oldwater_arg, ISC_MEM_LOWATER); @@ -1529,11 +1529,11 @@ void isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag) { REQUIRE(VALID_CONTEXT(ctx)); - LOCK(&ctx->memlock); + LOCK(&ctx->lock); memset(ctx->name, 0, sizeof(ctx->name)); strncpy(ctx->name, name, sizeof(ctx->name) - 1); ctx->tag = tag; - UNLOCK(&ctx->memlock); + UNLOCK(&ctx->lock); } const char * @@ -1587,10 +1587,10 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) { *mpctxp = mpctx; - MCTXLOCK(mctx, &mctx->memlock); + MCTXLOCK(mctx, &mctx->lock); ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link); mctx->poolcnt++; - MCTXUNLOCK(mctx, &mctx->memlock); + MCTXUNLOCK(mctx, &mctx->lock); return (ISC_R_SUCCESS); } @@ -1643,7 +1643,7 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) { /* * Return any items on the free list */ - MCTXLOCK(mctx, &mctx->memlock); + MCTXLOCK(mctx, &mctx->lock); while (mpctx->items != NULL) { INSIST(mpctx->freecount > 0); mpctx->freecount--; @@ -1657,15 +1657,15 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) { mem_putstats(mctx, item, mpctx->size); } } - MCTXUNLOCK(mctx, &mctx->memlock); + MCTXUNLOCK(mctx, &mctx->lock); /* * Remove our linked list entry from the memory context. */ - MCTXLOCK(mctx, &mctx->memlock); + MCTXLOCK(mctx, &mctx->lock); ISC_LIST_UNLINK(mctx->pools, mpctx, link); mctx->poolcnt--; - MCTXUNLOCK(mctx, &mctx->memlock); + MCTXUNLOCK(mctx, &mctx->lock); mpctx->magic = 0; 
@@ -1724,7 +1724,7 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) { * We need to dip into the well. Lock the memory context here and * fill up our free list. */ - MCTXLOCK(mctx, &mctx->memlock); + MCTXLOCK(mctx, &mctx->lock); for (i = 0; i < mpctx->fillcount; i++) { if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) { item = mem_getunlocked(mctx, mpctx->size); @@ -1739,7 +1739,7 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) { mpctx->items = item; mpctx->freecount++; } - MCTXUNLOCK(mctx, &mctx->memlock); + MCTXUNLOCK(mctx, &mctx->lock); /* * If we didn't get any items, return NULL. @@ -1759,9 +1759,9 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) { #if ISC_MEM_TRACKLINES if (item != NULL) { - MCTXLOCK(mctx, &mctx->memlock); + MCTXLOCK(mctx, &mctx->lock); ADD_TRACE(mctx, item, mpctx->size, file, line); - MCTXUNLOCK(mctx, &mctx->memlock); + MCTXUNLOCK(mctx, &mctx->lock); } #endif /* ISC_MEM_TRACKLINES */ @@ -1785,9 +1785,9 @@ isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) { mpctx->allocated--; #if ISC_MEM_TRACKLINES - MCTXLOCK(mctx, &mctx->memlock); + MCTXLOCK(mctx, &mctx->lock); DELETE_TRACE(mctx, mem, mpctx->size, file, line); - MCTXUNLOCK(mctx, &mctx->memlock); + MCTXUNLOCK(mctx, &mctx->lock); #endif /* ISC_MEM_TRACKLINES */ /* @@ -1795,14 +1795,14 @@ isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) { */ if (mpctx->freecount >= mpctx->freemax) { if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) { - MCTXLOCK(mctx, &mctx->memlock); + MCTXLOCK(mctx, &mctx->lock); mem_putunlocked(mctx, mem, mpctx->size); - MCTXUNLOCK(mctx, &mctx->memlock); + MCTXUNLOCK(mctx, &mctx->lock); } else { mem_put(mctx, mem, mpctx->size); - MCTXLOCK(mctx, &mctx->memlock); + MCTXLOCK(mctx, &mctx->lock); mem_putstats(mctx, mem, mpctx->size); - MCTXUNLOCK(mctx, &mctx->memlock); + MCTXUNLOCK(mctx, &mctx->lock); } if (mpctx->lock != NULL) UNLOCK(mpctx->lock); 
@@ -1975,14 +1975,14 @@ isc_mem_printallactive(FILE *file) { RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS); - LOCK(&contextlock); + LOCK(&lock); for (ctx = ISC_LIST_HEAD(contexts); ctx != NULL; ctx = ISC_LIST_NEXT(ctx, link)) { fprintf(file, "context: %p\n", ctx); print_active(ctx, file); } - UNLOCK(&contextlock); + UNLOCK(&lock); #endif } @@ -1991,7 +1991,7 @@ isc_mem_checkdestroyed(FILE *file) { RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS); - LOCK(&contextlock); + LOCK(&lock); if (!ISC_LIST_EMPTY(contexts)) { #if ISC_MEM_TRACKLINES isc_mem_t *ctx; @@ -2006,7 +2006,7 @@ isc_mem_checkdestroyed(FILE *file) { #endif INSIST(0); } - UNLOCK(&contextlock); + UNLOCK(&lock); } unsigned int @@ -2014,9 +2014,9 @@ isc_mem_references(isc_mem_t *ctx) { unsigned int references; REQUIRE(VALID_CONTEXT(ctx)); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); references = ctx->references; - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); return (references); } @@ -2047,7 +2047,7 @@ renderctx(isc_mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) { } REQUIRE(VALID_CONTEXT(ctx)); - MCTXLOCK(ctx, &ctx->memlock); + MCTXLOCK(ctx, &ctx->lock); summary->contextsize += sizeof(*ctx) + (ctx->max_size + 1) * sizeof(struct stats) + @@ -2110,7 +2110,7 @@ renderctx(isc_mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) { (isc_uint64_t)ctx->lo_water); xmlTextWriterEndElement(writer); /* lowater */ - MCTXUNLOCK(ctx, &ctx->memlock); + MCTXUNLOCK(ctx, &ctx->lock); xmlTextWriterEndElement(writer); /* context */ } @@ -2127,14 +2127,14 @@ isc_mem_renderxml(xmlTextWriterPtr writer) { RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS); - LOCK(&contextlock); + LOCK(&lock); lost = totallost; for (ctx = ISC_LIST_HEAD(contexts); ctx != NULL; ctx = ISC_LIST_NEXT(ctx, link)) { renderctx(ctx, &summary, writer); } - UNLOCK(&contextlock); + UNLOCK(&lock); xmlTextWriterEndElement(writer); /* contexts */ 
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index dfccba50ff..b58495d267 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: namedconf.c,v 1.85 2008/03/27 03:30:53 marka Exp $ */
+/* $Id: namedconf.c,v 1.86 2008/04/02 02:37:42 marka Exp $ */
 
 /*! \file */
 
@@ -809,6 +809,47 @@ view_only_clauses[] = {
 { NULL, NULL, 0 }
 };
 
+/*%
+ * Sig-validity-interval.
+ */
+static isc_result_t
+parse_optional_uint32(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ isc_result_t result;
+ UNUSED(type);
+
+ CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+ if (pctx->token.type == isc_tokentype_number) {
+ CHECK(cfg_parse_obj(pctx, &cfg_type_uint32, ret));
+ } else {
+ CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+ }
+ cleanup:
+ return (result);
+}
+
+static void
+doc_optional_uint32(cfg_printer_t *pctx, const cfg_type_t *type) {
+ UNUSED(type);
+ cfg_print_chars(pctx, "[ ]", 13);
+}
+
+static cfg_type_t cfg_type_optional_uint32 = {
+ "optional_uint32", parse_optional_uint32, NULL, doc_optional_uint32,
+ NULL, NULL };
+
+static cfg_tuplefielddef_t validityinterval_fields[] = {
+ { "validity", &cfg_type_uint32, 0 },
+ { "re-sign", &cfg_type_optional_uint32, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_validityinterval = {
+ "validityinterval", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, validityinterval_fields
+};
+
 /*%
 * Clauses that can be found in a 'zone' statement,
 * with defaults in the 'view' or 'options' statement.
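Review bot: In doc_optional_uint32 the length handed to cfg_print_chars is a hard-coded 13, but the literal as shown here, `"[ ]"`, is only 3 bytes, so the printer would read 10 bytes past the end of the string constant; if the real source is `"[ <integer> ]"` (13 bytes, with the `<integer>` token stripped by the rendering, as it visibly was in the docbook hunk above) the call is correct today but silently breaks the moment anyone edits the text. Tie the count to the literal instead: `static const char s[] = "[ <integer> ]";` followed by `cfg_print_chars(pctx, s, sizeof(s) - 1);`. The header comment `/*% Sig-validity-interval. */` on parse_optional_uint32 also does not say what the function does; I would replace it with `/*% Parse an optional trailing integer (the re-signing interval of sig-validity-interval); absent, it yields a void object. */`.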
@@ -852,7 +893,10 @@ zone_clauses[] = {
 { "notify-source", &cfg_type_sockaddr4wild, 0 },
 { "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
 { "notify-to-soa", &cfg_type_boolean, 0 },
- { "sig-validity-interval", &cfg_type_uint32, 0 },
+ { "sig-signing-nodes", &cfg_type_uint32, 0 },
+ { "sig-signing-signatures", &cfg_type_uint32, 0 },
+ { "sig-signing-type", &cfg_type_uint32, 0 },
+ { "sig-validity-interval", &cfg_type_validityinterval, 0 },
 { "transfer-source", &cfg_type_sockaddr4wild, 0 },
 { "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
 { "try-tcp-refresh", &cfg_type_boolean, 0 },
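Review bot: `sig-signing-type` is accepted as an unconstrained `cfg_type_uint32` on the added line, yet the value is ultimately stored in a 16-bit `dns_rdatatype_t` (the update.c hunk in this commit assigns it straight to `rdata.type`), so anything above 65535 is silently truncated and a value naming an ordinary RR type would make named write its private signing-state records under that real type. Nothing in this hunk guards against either; unless the named.conf checker (not in view here) already does, it should reject values outside the private-use type range 65280–65535 at check time, before the zone is loaded. The same goes for the new `sig-validity-interval` tuple: a re-sign value that is not smaller than the validity value is presumably an error and is better refused at check time than at signing time.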