review fixes.

git-svn-id: file:///svn/unbound/trunk@1901 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,5 +1,8 @@
 12 November 2009: Wouter
 	- iana portlist updated.
+	- fix manpage errors reported by debian lintian.
+	- review comments.
+	- fixup very long vallog2 level error strings.
 	
 11 November 2009: Wouter
 	- ldns tarball updated (to 1.6.2).

doc/libunbound.3.in

@@ -219,7 +219,7 @@ ub_ctx_add_ta
 Add a trust anchor to the given context.
 At this time it is only possible to add trusted keys before the
 first resolve is done.
-The format is a string, similar to the zone-file format,
+The format is a string, similar to the zone\-file format,
 [domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted.
 .TP
 .B ub_ctx_add_ta_file
@@ -230,13 +230,13 @@ first resolve is done.
 .TP
 .B ub_ctx_trustedkeys
 Add trust anchors to the given context.
-Pass the name of a bind-style config file with trusted-keys{}.
+Pass the name of a bind\-style config file with trusted\-keys{}.
 At this time it is only possible to add trusted keys before the
 first resolve is done.
 .TP
 .B ub_ctx_debugout
 Set debug and error log output to the given stream. Pass NULL to disable
-output. Default is stderr. File-names or using syslog can be enabled
+output. Default is stderr. File\-names or using syslog can be enabled
 using config options, this routine is for using your own stream.
 .TP
 .B ub_ctx_debuglevel
@@ -369,7 +369,7 @@ returns NULL on an error (a malloc failure).
 .B ub_poll
 returns true if some information may be available, false otherwise.
 .B ub_fd
-returns a file descriptor or -1 on error.
+returns a file descriptor or \-1 on error.
 .SH "SEE ALSO"
 \fIunbound.conf\fR(5), 
 \fIunbound\fR(8).

doc/unbound-checkconf.8.in

@@ -9,16 +9,16 @@
 .\"
 .SH "NAME"
 .LP
-unbound-checkconf
+unbound\-checkconf
 \- Check unbound configuration file for errors.
 .SH "SYNOPSIS"
-.B unbound-checkconf
+.B unbound\-checkconf
 .RB [ \-h ]
 .RB [ \-o
 .IR option ]
 .RI [ cfgfile ]
 .SH "DESCRIPTION"
-.B Unbound-checkconf
+.B Unbound\-checkconf
 checks the configuration file for the
 \fIunbound\fR(8)
 DNS resolver for syntax and other errors. 
@@ -38,7 +38,7 @@ printed to stdout.  For "" (disabled) options an empty line is printed.
 The config file to read with settings for unbound. It is checked.
 If omitted, the config file at the default location is checked.
 .SH "EXIT CODE"
-The unbound-checkconf program exits with status code 1 on error, 
+The unbound\-checkconf program exits with status code 1 on error, 
 0 for a correct config file.
 .SH "FILES"
 .TP

doc/unbound-control.8.in

@@ -9,10 +9,11 @@
 .\"
 .SH "NAME"
 .LP
-unbound-control
+.B unbound\-control,
+.B unbound\-control\-setup
 \- Unbound remote server control utility.
 .SH "SYNOPSIS"
-.B unbound-control
+.B unbound\-control
 .RB [ \-h ]
 .RB [ \-c 
 .IR cfgfile ]
@@ -20,7 +21,7 @@ unbound-control
 .IR server ]
 .IR command
 .SH "DESCRIPTION"
-.B Unbound-control
+.B Unbound\-control
 performs remote administration on the \fIunbound\fR(8) DNS server.
 It reads the configuration file, contacts the unbound server over SSL
 sends the command and displays the result.
@@ -142,11 +143,11 @@ nameservers, should go to the internet root nameservers itself, or show
 the current config.  You could pass the nameservers after a DHCP update.
 .IP
 Without arguments the current list of addresses used to forward all queries
-to is printed.  On startup this is from the forward-zone "." configuration.
+to is printed.  On startup this is from the forward\-zone "." configuration.
 Afterwards it shows the status.  It prints off when no forwarding is used.
 .IP
 If \fIoff\fR is passed, forwarding is disabled and the root nameservers
-are used.  This can be used to avoid to avoid buggy or non-DNSSEC supporting
+are used.  This can be used to avoid to avoid buggy or non\-DNSSEC supporting
 nameservers returned from DHCP.  But may not work in hotels or hotspots.
 .IP
 If one or more IPv4 or IPv6 addresses are given, those are then used to forward
@@ -157,7 +158,7 @@ By default the forwarder information from the config file for the root "." is
 used.  The config file is not changed, so after a reload these changes are
 gone.  Other forward zones from the config file are not affected by this command.
 .SH "EXIT CODE"
-The unbound-control program exits with status code 1 on error, 0 on success.
+The unbound\-control program exits with status code 1 on error, 0 on success.
 .SH "SET UP"
 The setup requires a self\-signed certificate and private keys for both 
 the server and client.  The script \fIunbound\-control\-setup\fR generates
@@ -171,7 +172,7 @@ If you have not configured
 a username in unbound.conf, the keys need read permission for the user
 credentials under which the daemon is started.
 The script preserves private keys present in the directory.
-After running the script as root, turn on \fBcontrol-enable\fR in 
+After running the script as root, turn on \fBcontrol\-enable\fR in 
 \fIunbound.conf\fR.
 .SH "STATISTIC COUNTERS"
 The \fIstats\fR command shows a number of statistic counters.
@@ -285,13 +286,13 @@ Printed for the other query types as well, but only for the types for which
 queries were received, thus =0 entries are omitted for brevity.
 .TP
 .I num.query.type.other
-Number of queries with query types 256-65535.
+Number of queries with query types 256\-65535.
 .TP
 .I num.query.class.IN
 The total number of queries over all threads with query class IN (internet).
 Also printed for other classes (such as CH (CHAOS) sometimes used for
 debugging), or NONE, ANY, used by dynamic update.
-num.query.class.other is printed for classes 256-65535.
+num.query.class.other is printed for classes 256\-65535.
 .TP
 .I num.query.opcode.QUERY
 The total number of queries over all threads with query opcode QUERY.
@@ -357,7 +358,7 @@ unbound configuration file.
 .TP
 .I @UNBOUND_RUN_DIR@
 directory with private keys (unbound_server.key and unbound_control.key) and
-self-signed certificates (unbound_server.pem and unbound_control.pem).
+self\-signed certificates (unbound_server.pem and unbound_control.pem).
 .SH "SEE ALSO"
 \fIunbound.conf\fR(5), 
 \fIunbound\fR(8).

doc/unbound.conf.5.in

@@ -52,8 +52,8 @@ server:
 	username: unbound
 	# make sure unbound can access entropy from inside the chroot.
 	# e.g. on linux the use these commands (on BSD, devfs(8) is used):
-	#      mount --bind -n /dev/random /etc/unbound/dev/random
-	# and  mount --bind -n /dev/log /etc/unbound/dev/log
+	#      mount \-\-bind \-n /dev/random /etc/unbound/dev/random
+	# and  mount \-\-bind \-n /dev/log /etc/unbound/dev/log
 	chroot: "/etc/unbound"
 	# logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
 	pidfile: "/etc/unbound/unbound.pid"
@@ -115,10 +115,10 @@ Can be given multiple times to work on several interfaces. If none are
 given the default is to listen to localhost.
 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
 .TP
-.B interface-automatic: \fI<yes or no>
+.B interface\-automatic: \fI<yes or no>
 Detect source interface on UDP queries and copy them to replies.  This 
 feature is experimental, and needs support in your OS for IPv6 
-(and its socket options) and IPv4 (and have source-interface socket options). 
+(and its socket options) and IPv4 (and have source\-interface socket options). 
 Default value is no.
 .TP
 .B outgoing\-interface: \fI<ip address>
@@ -142,7 +142,7 @@ Permit unbound to open this port or range of ports for use to send queries.
 A larger number of permitted outgoing ports increases resilience against
 spoofing attempts. Make sure these ports are not needed by other daemons. 
 By default only ports above 1024 that have not been assigned by IANA are used.
-Give a port number or a range of the form "low-high", without spaces.
+Give a port number or a range of the form "low\-high", without spaces.
 .IP
 The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements 
 are processed in the line order of the config file, adding the permitted ports 
@@ -155,7 +155,7 @@ Do not permit unbound to open this port or range of ports for use to send
 queries. Use this to make sure unbound does not grab a port that another
 daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
 By default only ports above 1024 that have not been assigned by IANA are used.
-Give a port number or a range of the form "low-high", without spaces.
+Give a port number or a range of the form "low\-high", without spaces.
 .TP
 .B outgoing\-num\-tcp: \fI<number>
 Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
@@ -454,7 +454,7 @@ not RFC standard, and could lead to performance problems because of the
 extra query load that is generated.  Experimental option.
 .TP
 .B use\-caps\-for\-id: \fI<yes or no>
-Use 0x20-encoded random bits in the query to foil spoof attempts.
+Use 0x20\-encoded random bits in the query to foil spoof attempts.
 This perturbs the lowercase and uppercase of query names sent to 
 authority servers and checks if the reply still has the correct casing. 
 Disabled by default. 
@@ -465,7 +465,7 @@ Give IPv4 of IPv6 addresses or classless subnets. These are addresses
 on your private network, and are not allowed to be returned for public
 internet names.  Any occurence of such addresses are removed from
 DNS answers. Additionally, the DNSSEC validator may mark the answers
-bogus. This protects against so-called DNS Rebinding, where a user browser
+bogus. This protects against so\-called DNS Rebinding, where a user browser
 is turned into a network proxy, allowing remote access through the browser
 to other parts of your private network.  Some names can be allowed to
 contain your private addresses, by default all the \fBlocal\-data\fR
@@ -776,7 +776,7 @@ Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
 Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
 tutorials and examples. You can remove the block on this zone with:
 .nf
-  local-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
+  local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
 .fi
 This also works with the other default zones.
 .\" End of local-zone listing.
@@ -806,7 +806,7 @@ enabled, the \fIunbound\-control\fR(8) utility can be used to send
 commands to the running unbound server.  The server uses these clauses
 to setup SSLv3 / TLSv1 security for the connection.  The
 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
-section for options.  To setup the correct self-signed certificates use the
+section for options.  To setup the correct self\-signed certificates use the
 \fIunbound\-control\-setup\fR(8) utility.
 .TP 5
 .B control\-enable:     \fI<yes or no>
@@ -893,7 +893,7 @@ There may be multiple
 clauses. Each with a \fBname:\fR and zero or more hostnames or IP
 addresses.  For the forward zone this list of nameservers is used to
 forward the queries to. The servers listed as \fBforward\-host:\fR and
-\fBforward-addr:\fR have to handle further recursion for the query.  Thus,
+\fBforward\-addr:\fR have to handle further recursion for the query.  Thus,
 those servers are not authority servers, but are (just like unbound is)
 recursive servers too; unbound does not perform recursion itself for the
 forward zone, it lets the remote server do it.  Class IN is assumed.
@@ -929,7 +929,7 @@ supported. Very large data and high TCP loads are exceptional for the DNS.
 DNSSEC validation is enabled, just add trust anchors.
 If you do not have to worry about programs using more than 3 Mb of memory,
 the below example is not for you. Use the defaults to receive full service,
-which on BSD-32bit tops out at 30-40 Mb after heavy usage. 
+which on BSD\-32bit tops out at 30\-40 Mb after heavy usage. 
 .P
 .nf
 # example settings that reduce memory usage

validator/autotrust.c

@@ -551,7 +551,7 @@ autr_assemble(struct trust_anchor* tp)
 	}
 	/* we have prepared the new keys so nothing can go wrong any more.
 	 * And we are sure we cannot be left without trustanchor after
-	 * an errors. Put in the new keys and remove old ones. */
+	 * any errors. Put in the new keys and remove old ones. */
 
 	/* free the old data */
 	autr_rrset_delete(tp->ds_rrset);
@@ -593,10 +593,12 @@ parse_id(struct val_anchors* anchors, char* line)
 	uint16_t dclass;
 	/* read the owner name */
 	char* next = strchr(line, ' ');
-	if(!next) return NULL;
+	if(!next)
+		return NULL;
 	next[0] = 0;
 	rdf = ldns_dname_new_frm_str(line);
-	if(!rdf) return NULL;
+	if(!rdf)
+		return NULL;
 	labs = dname_count_size_labels(ldns_rdf_data(rdf), &len);
 	log_assert(len == ldns_rdf_size(rdf));
 
@@ -707,6 +709,8 @@ read_multiline(char* buf, size_t len, FILE* in, int* linenr)
 		(*linenr)++;
 
 		/* check what the new depth is after the line */
+		/* this routine cannot handle braces inside quotes,
+		   say for TXT records, but this routine only has to read keys */
 		for(i=0; i<poslen; i++) {
 			if(pos[i] == '(') {
 				depth++;
@@ -983,7 +987,7 @@ min_expiry(struct module_env* env, ldns_rr_list* rrset)
 		if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_RRSIG)
 			continue;
 		t = ldns_rdf2native_int32(ldns_rr_rrsig_expiration(rr));
-		if(t > *env->now) {
+		if(t - *env->now > 0) {
 			t -= *env->now;
 			if(t < r)
 				r = t;
@@ -1052,8 +1056,8 @@ ldns_rr_compare_wire_skip_revbit(ldns_buffer* rr1_buf, ldns_buffer* rr2_buf)
 	offset = 0;
 	while (offset < rr1_len && *ldns_buffer_at(rr1_buf, offset) != 0)
 		offset += *ldns_buffer_at(rr1_buf, offset) + 1;
-	/* jump to rdata section (PAST the rdata length field */
-	offset += 11;
+	/* jump to rdata section (PAST the rdata length field) */
+	offset += 11; /* 0-dname-end + type + class + ttl + rdatalen */
 	min_len = (rr1_len < rr2_len) ? rr1_len : rr2_len;
 	/* compare RRs RDATA byte for byte. */
 	for(i = offset; i < min_len; i++)