From 1d761cb453c76353deb8423c78e98d00c5f86ffa Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Sun, 16 Feb 2014 13:03:17 -0800
Subject: [PATCH] [master] delve

3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. (Note: not yet
			available on win32.) [RT #32406]
---
 CHANGES                              |    9 +
 Makefile.in                          |    5 +
 bin/Makefile.in                      |    2 +-
 bin/delve/Makefile.in                |   84 ++
 bin/delve/delve.1                    |  388 +++++++
 bin/delve/delve.c                    | 1607 ++++++++++++++++++++++++++
 bin/delve/delve.docbook              |  639 ++++++++++
 bin/delve/delve.html                 |  445 +++++++
 bin/dig/dig.c                        |    2 +-
 bin/named/Makefile.in                |    6 +-
 bin/named/config.c                   |    2 +-
 bin/named/server.c                   |    7 +-
 bin/named/bind.keys.h => bind.keys.h |    0
 configure                            |    7 +-
 configure.in                         |    4 +
 doc/arm/Bv9ARM-book.xml              |    1 +
 doc/arm/man.delve.html               |  483 ++++++++
 lib/dns/adb.c                        |    6 +-
 lib/dns/client.c                     |   82 +-
 lib/dns/include/dns/client.h         |   26 +-
 lib/dns/include/dns/log.h            |    1 +
 lib/dns/include/dns/masterdump.h     |    9 +
 lib/dns/include/dns/message.h        |    7 +
 lib/dns/include/dns/resolver.h       |    5 +-
 lib/dns/include/dns/validator.h      |    5 +-
 lib/dns/log.c                        |    1 +
 lib/dns/masterdump.c                 |   26 +
 lib/dns/message.c                    |   13 +-
 lib/dns/resolver.c                   |   44 +-
 lib/dns/validator.c                  |   33 +-
 lib/isc/include/isc/log.h            |    6 +-
 lib/isc/log.c                        |   20 +-
 lib/isc/unix/app.c                   |    1 -
 lib/samples/.gitignore               |    1 +
 lib/samples/Makefile.in              |   11 +-
 lib/samples/resolve.c                |    2 +-
 make/includes.in                     |    3 +
 make/rules.in                        |    3 +-
 {bin/named => util}/bindkeys.pl      |    0
 util/kit.sh                          |    4 +-
 40 files changed, 3918 insertions(+), 82 deletions(-)
 create mode 100644 bin/delve/Makefile.in
 create mode 100644 bin/delve/delve.1
 create mode 100644 bin/delve/delve.c
 create mode 100644 bin/delve/delve.docbook
 create mode 100644 bin/delve/delve.html
 rename bin/named/bind.keys.h => bind.keys.h (100%)
 create mode 100644 doc/arm/man.delve.html
 rename {bin/named => util}/bindkeys.pl (100%)

diff --git a/CHANGES b/CHANGES
index 75b15e552d..11f47daf1e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,12 @@
+3741.	[func]		"delve" (domain entity lookup and validation engine):
+			A new tool with dig-like semantics for performing DNS
+			lookups, with internal DNSSEC validation, using the
+			same resolver and validator logic as named. This
+			allows easy validation of DNSSEC data in environments
+			with untrustworthy resolvers, and assists with
+			troubleshooting of DNSSEC problems. (Note: not yet
+			available on win32.) [RT #32406]
+
 3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
 			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
 
diff --git a/Makefile.in b/Makefile.in
index 2c5985f81f..5f755774ca 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -23,6 +23,7 @@ top_srcdir =	@top_srcdir@
 
 SUBDIRS =	make unit lib bin doc @LIBEXPORT@
 TARGETS =
+PREREQS =	bind.keys.h
 
 MANPAGES =	isc-config.sh.1
 
@@ -32,6 +33,9 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
+bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
+	${PERL} ${srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
+
 distclean::
 	rm -f config.cache config.h config.log config.status TAGS
 	rm -f libtool isc-config.sh configure.lineno
@@ -41,6 +45,7 @@ distclean::
 # to make it.
 maintainer-clean::
 	rm -f configure
+	rm -f bind.keys.h
 
 docclean manclean maintainer-clean::
 	rm -f ${MANOBJS}
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 87ca5b2705..b1b477805f 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -19,7 +19,7 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =	named rndc dig dnssec tools tests nsupdate \
+SUBDIRS =	named rndc dig delve dnssec tools tests nsupdate \
 		check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
 TARGETS =
 
diff --git a/bin/delve/Makefile.in b/bin/delve/Makefile.in
new file mode 100644
index 0000000000..986d9bb3cb
--- /dev/null
+++ b/bin/delve/Makefile.in
@@ -0,0 +1,84 @@
+# Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES}
+
+CDEFINES =	-DVERSION=\"${VERSION}\" -DSYSCONFDIR=\"${sysconfdir}\"
+CWARNINGS =
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@
+IRSLIBS =	../../lib/irs/libirs.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+IRSDEPLIBS =	../../lib/irs/libirs.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${IRSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+NOSYMLIBS =	${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =	delve@EXEEXT@
+
+OBJS =		delve.@O@
+
+SRCS =		delve.c
+
+MANPAGES =	delve.1
+
+HTMLPAGES =	delve.html
+
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+delve@EXEEXT@: delve.@O@ ${DEPLIBS}
+	export BASEOBJS="delve.@O@"; \
+	export LIBS0="${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+#	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+#	delve.@O@ ${LIBS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+
+install:: delve@EXEEXT@
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		delve@EXEEXT@ ${DESTDIR}${bindir}
+	${INSTALL_DATA} ${srcdir}/delve.1 ${DESTDIR}${mandir}/man1
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
diff --git a/bin/delve/delve.1 b/bin/delve/delve.1
new file mode 100644
index 0000000000..54abfcce7e
--- /dev/null
+++ b/bin/delve/delve.1
@@ -0,0 +1,388 @@
+.\" Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\"     Title: delve
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: February 12, 2014
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "DELVE" "1" "February 12, 2014" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+delve \- DNS lookup and validation utility
+.SH "SYNOPSIS"
+.HP 6
+\fBdelve\fR [@server] [\fB\-4\fR] [\fB\-6\fR] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
+.HP 6
+\fBdelve\fR [\fB\-h\fR]
+.HP 6
+\fBdelve\fR [queryopt...] [query...]
+.SH "DESCRIPTION"
+.PP
+\fBdelve\fR
+(Domain Entity Lookup & Validation Engine) is a tool for sending DNS queries and validating the results, using the the same internal resolver and validator logic as
+\fBnamed\fR.
+.PP
+\fBdelve\fR
+will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding.
+.PP
+By default, responses are validated using built\-in DNSSEC trust anchors for the root zone (".") and for the ISC DNSSEC lookaside validation zone ("dlv.isc.org"). Records returned by
+\fBdelve\fR
+are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail. Because
+\fBdelve\fR
+does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy.
+.PP
+Unless it is told to query a specific name server,
+\fBdelve\fR
+will try each of the servers listed in
+\fI/etc/resolv.conf\fR. If no usable server addresses are found,
+\fBdelve\fR
+will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).
+.PP
+When no command line arguments or options are given,
+\fBdelve\fR
+will perform an NS query for "." (the root zone).
+.SH "SIMPLE USAGE"
+.PP
+A typical invocation of
+\fBdelve\fR
+looks like:
+.sp
+.RS 4
+.nf
+ delve @server name type 
+.fi
+.RE
+.sp
+where:
+.PP
+\fBserver\fR
+.RS 4
+is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
+\fIserver\fR
+argument is a hostname,
+\fBdelve\fR
+resolves that name before querying that name server (note, however, that this initial lookup is
+\fInot\fR
+validated by DNSSEC).
+.sp
+If no
+\fIserver\fR
+argument is provided,
+\fBdelve\fR
+consults
+\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the
+\fB\-4\fR
+or
+\fB\-6\fR
+options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found,
+\fBdelve\fR
+will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).
+.RE
+.PP
+\fBname\fR
+.RS 4
+is the domain name to be looked up.
+.RE
+.PP
+\fBtype\fR
+.RS 4
+indicates what type of query is required \(em ANY, A, MX, etc.
+\fItype\fR
+can be any valid query type. If no
+\fItype\fR
+argument is supplied,
+\fBdelve\fR
+will perform a lookup for an A record.
+.RE
+.SH "OPTIONS"
+.PP
+\-a
+.RS 4
+Specifies a file from which to read DNSSEC trust anchors. The default is
+\fI/etc/bind.keys\fR, which is included with
+BIND
+9 and contains trust anchors for the root zone (".") and for the ISC DNSSEC lookaside validation zone ("dlv.isc.org").
+.sp
+Keys that do not match the root or DLV trust\-anchor names are ignored; these key names can be overridden using the
+\fB+dlv=NAME\fR
+or
+\fB+root=NAME\fR
+options.
+.sp
+Note: When reading the trust anchor file,
+\fBdelve\fR
+treats
+\fBmanaged\-keys\fR
+statements and
+\fBtrusted\-keys\fR
+statements identically. That is, for a managed key, it is the
+\fIinitial\fR
+key that is trusted; RFC 5011 key management is not supported.
+\fBdelve\fR
+will not consult the managed\-keys database maintained by
+\fBnamed\fR. This means that if either of the keys in
+\fI/etc/bind.keys\fR
+is revoked and rolled over, it will be necessary to update
+\fI/etc/bind.keys\fR
+to use DNSSEC validation in
+\fBdelve\fR.
+.RE
+.PP
+\-b
+.RS 4
+Sets the source IP address of the query to
+\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional source port may be specified by appending "#<port>"
+.RE
+.PP
+\-c
+.RS 4
+Sets the query class for the requested data. Currently, only class "IN" is supported in
+\fBdelve\fR
+and any other value is ignored.
+.RE
+.PP
+\-i
+.RS 4
+Insecure mode. This disables internal DNSSEC validation. (Note, however, this does not set the CD bit on upstream queries. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
+\fBdelve\fR
+to time out. When it is necessary to examine invalid data to debug a DNSSEC problem, use
+\fBdig +cd\fR.)
+.RE
+.PP
+\-m
+.RS 4
+Enables memory usage debugging.
+.RE
+.PP
+\-p
+.RS 4
+Specifies a destination port to use for queries instead of the standard DNS port number 53. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number.
+.RE
+.PP
+\-4
+.RS 4
+Forces
+\fBdelve\fR
+to only use IPv4.
+.RE
+.PP
+\-6
+.RS 4
+Forces
+\fBdelve\fR
+to only use IPv6.
+.RE
+.PP
+\-q
+.RS 4
+Sets the query name to
+\fIname\fR. While the query name can be specified without using the
+\fB\-q\fR, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH).
+.RE
+.PP
+\-t
+.RS 4
+Sets the query type to
+\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR. As with
+\fB\-q\fR, this is useful to distinguish query name type or class when they are ambiguous. it is sometimes necessary to disambiguate names from types.
+.sp
+The default query type is "A", unless the
+\fB\-x\fR
+option is supplied to indicate a reverse lookup, in which case it is "PTR".
+.RE
+.PP
+\-x
+.RS 4
+Performs a reverse lookup, mapping an addresses to a name.
+\fIaddr\fR
+is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When
+\fB\-x\fR
+is used, there is no need to provide the
+\fIname\fR
+or
+\fItype\fR
+arguments.
+\fBdelve\fR
+automatically performs a lookup for a name like
+11.12.13.10.in\-addr.arpa
+and sets the query type to PTR. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain.
+.RE
+.SH "QUERY OPTIONS"
+.PP
+\fBdelve\fR
+provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed.
+.PP
+Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
+no
+to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
+\fB+keyword=value\fR. The query options are:
+.PP
+\fB+[no]cdflag\fR
+.RS 4
+Controls whether to set the CD (checking disabled) bit in queries sent by
+\fBdelve\fR. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis. Setting the CD flag on queries will cause the resolver to return invalid responses, which
+\fBdelve\fR
+can then validate internally and report the errors in detail.
+.RE
+.PP
+\fB+[no]class\fR
+.RS 4
+Controls whether to display the CLASS when printing a record. The default is to display the CLASS.
+.RE
+.PP
+\fB+[no]ttl\fR
+.RS 4
+Controls whether to display the TTL when printing a record. The default is to display the TTL.
+.RE
+.PP
+\fB+[no]rtrace\fR
+.RS 4
+Toggle resolver fetch logging. This reports the name and type of each query sent by
+\fBdelve\fR
+in the process of carrying out the resolution and validation process: this includes including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation.
+.sp
+This is equivalent to setting the debug level to 1 in the "resolver" logging category. Setting the systemwide debug level to 1 using the
+\fB\-d\fR
+option will product the same output (but will affect other logging categories as well).
+.RE
+.PP
+\fB+[no]mtrace\fR
+.RS 4
+Toggle message logging. This produces a detailed dump of the responses received by
+\fBdelve\fR
+in the process of carrying out the resolution and validation process.
+.sp
+This is equivalent to setting the debug level to 10 for the the "packets" module of the "resolver" logging category. Setting the systemwide debug level to 10 using the
+\fB\-d\fR
+option will produce the same output (but will affect other logging categories as well).
+.RE
+.PP
+\fB+[no]vtrace\fR
+.RS 4
+Toggle validation logging. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid.
+.sp
+This is equivalent to setting the debug level to 3 for the the "validator" module of the "dnssec" logging category. Setting the systemwide debug level to 3 using the
+\fB\-d\fR
+option will produce the same output (but will affect other logging categories as well).
+.RE
+.PP
+\fB+[no]short\fR
+.RS 4
+Provide a terse answer. The default is to print the answer in a verbose form.
+.RE
+.PP
+\fB+[no]comments\fR
+.RS 4
+Toggle the display of comment lines in the output. The default is to print comments.
+.RE
+.PP
+\fB+[no]rrcomments\fR
+.RS 4
+Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records). The default is to print per\-record comments.
+.RE
+.PP
+\fB+[no]crypto\fR
+.RS 4
+Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures. The default is to display the fields. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]".
+.RE
+.PP
+\fB+[no]trust\fR
+.RS 4
+Controls whether to display the trust level when printing a record. The default is to display the trust level.
+.RE
+.PP
+\fB+[no]split[=W]\fR
+.RS 4
+Split long hex\- or base64\-formatted fields in resource records into chunks of
+\fIW\fR
+characters (where
+\fIW\fR
+is rounded up to the nearest multiple of 4).
+\fI+nosplit\fR
+or
+\fI+split=0\fR
+causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active.
+.RE
+.PP
+\fB+[no]all\fR
+.RS 4
+Set or clear the display options
+\fB+[no]comments\fR,
+\fB+[no]rrcomments\fR, and
+\fB+[no]trust\fR
+as a group.
+.RE
+.PP
+\fB+[no]multiline\fR
+.RS 4
+Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
+\fBdelve\fR
+output.
+.RE
+.PP
+\fB+[no]dnssec\fR
+.RS 4
+Indicates whether to display RRSIG records in the
+\fBdelve\fR
+output. The default is to do so. Note that (unlike in
+\fBdig\fR) this does
+\fInot\fR
+control whether to request DNSSEC records or whether to validate them. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
+\fB\-i\fR
+or
+\fB+noroot\fR
+and
+\fB+nodlv\fR.
+.RE
+.PP
+\fB+[no]root[=ROOT]\fR
+.RS 4
+Indicates whether to perform conventional (non\- lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using a trust anchor of "." (the root zone), for which there is a built\-in key. If specifying a different trust anchor, then
+\fB\-a\fR
+must be used to specify a file containing the key.
+.RE
+.PP
+\fB+[no]dlv[=DLV]\fR
+.RS 4
+Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor. The default is to perform lookaside validation using a trust anchor of "dlv.isc.org", for which there is a built\-in key. If specifying a different name, then
+\fB\-a\fR
+must be used to specify a file containing the DLV key.
+.RE
+.SH "FILES"
+.PP
+\fI/etc/bind.keys\fR
+.PP
+\fI/etc/resolv.conf\fR
+.SH "SEE ALSO"
+.PP
+\fBdig\fR(1),
+\fBnamed\fR(8),
+RFC4034,
+RFC4035,
+RFC4431,
+RFC5074,
+RFC5155.
+.SH "COPYRIGHT"
+Copyright \(co 2014 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/delve/delve.c b/bin/delve/delve.c
new file mode 100644
index 0000000000..36672ee22b
--- /dev/null
+++ b/bin/delve/delve.c
@@ -0,0 +1,1607 @@
+/*
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+#include <bind.keys.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/signal.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/lib.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/parseint.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <irs/resconf.h>
+#include <irs/netdb.h>
+
+#include <isccfg/log.h>
+#include <isccfg/namedconf.h>
+
+#include <dns/byaddr.h>
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/keytable.h>
+#include <dns/keyvalues.h>
+#include <dns/lib.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/view.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#define CHECK(r) \
+	do { \
+		result = (r); \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup; \
+	} while (0)
+
+#define MAXNAME (DNS_NAME_MAXTEXT+1)
+
+/* Variables used internally by delve. */
+char *progname;
+static isc_mem_t *mctx = NULL;
+static isc_log_t *lctx = NULL;
+
+/* Configurables */
+static char *server = NULL;
+static const char *port = "53";
+static isc_sockaddr_t *srcaddr4 = NULL, *srcaddr6 = NULL;
+static char *curqname = NULL, *qname = NULL;
+static isc_boolean_t classset = ISC_FALSE;
+static dns_rdatatype_t qtype = dns_rdatatype_none;
+static isc_boolean_t typeset = ISC_FALSE;
+
+static unsigned int styleflags = 0;
+static isc_uint32_t splitwidth = 0xffffffff;
+static isc_boolean_t
+	showcomments = ISC_TRUE,
+	showdnssec = ISC_TRUE,
+	showtrust = ISC_TRUE,
+	rrcomments = ISC_TRUE,
+	noclass = ISC_FALSE,
+	nocrypto = ISC_FALSE,
+	nottl = ISC_FALSE,
+	multiline = ISC_FALSE,
+	short_form = ISC_FALSE;
+
+static isc_boolean_t
+	resolve_trace = ISC_FALSE,
+	validator_trace = ISC_FALSE,
+	message_trace = ISC_FALSE;
+
+static isc_boolean_t
+	use_ipv4 = ISC_TRUE,
+	use_ipv6 = ISC_TRUE;
+
+static isc_boolean_t
+	cdflag = ISC_FALSE,
+	no_sigs = ISC_FALSE,
+	root_validation = ISC_TRUE,
+	dlv_validation = ISC_TRUE;
+
+static char *anchorfile = NULL;
+static char *trust_anchor = NULL;
+static char *dlv_anchor = NULL;
+static int trusted_keys = 0;
+
+static dns_fixedname_t afn, dfn;
+static dns_name_t *anchor_name = NULL, *dlv_name = NULL;
+
+/* Default bind.keys contents */
+static char anchortext[] = MANAGED_KEYS;
+
+/*
+ * Static function prototypes
+ */
+static isc_result_t
+get_reverse(char *reverse, size_t len, char *value, isc_boolean_t strict);
+
+static isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+	   const char *desc);
+
+static void
+usage(void) {
+	fputs(
+"Usage:  delve [@server] {q-opt} {d-opt} [domain] [q-type] [q-class]\n"
+"Where:  domain	  is in the Domain Name System\n"
+"        q-class  is one of (in,hs,ch,...) [default: in]\n"
+"        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
+"        q-opt    is one of:\n"
+"                 -x dot-notation     (shortcut for reverse lookups)\n"
+"                 -d level            (set debugging level)\n"
+"                 -a anchor-file      (specify root and dlv trust anchors)\n"
+"                 -b address[#port]   (bind to source address/port)\n"
+"                 -p port             (specify port number)\n"
+"                 -q name             (specify query name)\n"
+"                 -t type             (specify query type)\n"
+"                 -c class            (specify query class)\n"
+"                 -4                  (use IPv4 query transport only)\n"
+"                 -6                  (use IPv6 query transport only)\n"
+"                 -i                  (disable DNSSEC validation)\n"
+"                 -m                  (enable memory usage debugging)\n"
+"        d-opt    is of the form +keyword[=value], where keyword is:\n"
+"                 +[no]all            (Set or clear all display flags)\n"
+"                 +[no]class          (Control display of class)\n"
+"                 +[no]crypto         (Control display of cryptographic\n"
+"                                      fields in records)\n"
+"                 +[no]multiline      (Print records in an expanded format)\n"
+"                 +[no]comments       (Control display of comment lines)\n"
+"                 +[no]rrcomments     (Control display of per-record "
+				       "comments)\n"
+"                 +[no]short          (Short form answer)\n"
+"                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
+"                 +[no]ttl            (Control display of ttls in records)\n"
+"                 +[no]trust          (Control display of trust level)\n"
+"                 +[no]rtrace         (Trace resolver fetches)\n"
+"                 +[no]mtrace         (Trace messages received)\n"
+"                 +[no]vtrace         (Trace validation process)\n"
+"                 +[no]dlv            (DNSSEC lookaside validation anchor)\n"
+"                 +[no]root           (DNSSEC validation trust anchor)\n"
+"                 +[no]dnssec         (Display DNSSEC records)\n"
+"        -h                           (print help and exit)\n"
+"        -v                           (print version and exit)\n",
+	stderr);
+	exit(1);
+}
+
+static void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fflush(stdout);
+	fprintf(stderr, "%s: ", progname);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static void
+warn(const char *format, ...) {
+	va_list args;
+
+	fflush(stdout);
+	fprintf(stderr, "%s: warning: ", progname);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+}
+
+static isc_logcategory_t categories[] = {
+	{ "delve",	     0 },
+	{ NULL,		     0 }
+};
+#define LOGCATEGORY_DEFAULT		(&categories[0])
+#define LOGMODULE_DEFAULT		(&modules[0])
+
+static isc_logmodule_t modules[] = {
+	{ "delve",	 		0 },
+	{ NULL, 			0 }
+};
+
+static void
+delve_log(int level, const char *fmt, ...) {
+	va_list ap;
+	char msgbuf[2048];
+
+	if (! isc_log_wouldlog(lctx, level))
+		return;
+
+	va_start(ap, fmt);
+
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	isc_log_write(lctx, LOGCATEGORY_DEFAULT, LOGMODULE_DEFAULT,
+		      level, "%s", msgbuf);
+	va_end(ap);
+}
+
+static int loglevel = 0;
+
+static void
+setup_logging(FILE *errout) {
+	isc_result_t result;
+	isc_logdestination_t destination;
+	isc_logconfig_t *logconfig = NULL;
+
+	result = isc_log_create(mctx, &lctx, &logconfig);
+	if (result != ISC_R_SUCCESS)
+		fatal("Couldn't set up logging");
+
+	isc_log_registercategories(lctx, categories);
+	isc_log_registermodules(lctx, modules);
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+	cfg_log_init(lctx);
+
+	destination.file.stream = errout;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+
+	result = isc_log_createchannel(logconfig, "stderr",
+				       ISC_LOG_TOFILEDESC, ISC_LOG_DYNAMIC,
+				       &destination, ISC_LOG_PRINTPREFIX);
+	if (result != ISC_R_SUCCESS)
+		fatal("Couldn't set up log channel 'stderr'");
+
+	isc_log_setdebuglevel(lctx, loglevel);
+
+	result = isc_log_settag(logconfig, ";; ");
+	if (result != ISC_R_SUCCESS)
+		fatal("Couldn't set log tag");
+
+	result = isc_log_usechannel(logconfig, "stderr",
+				    ISC_LOGCATEGORY_DEFAULT, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("Couldn't attach to log channel 'stderr'");
+
+	if (resolve_trace && loglevel < 1) {
+		result = isc_log_createchannel(logconfig, "resolver",
+					       ISC_LOG_TOFILEDESC,
+					       ISC_LOG_DEBUG(1),
+					       &destination,
+					       ISC_LOG_PRINTPREFIX);
+		if (result != ISC_R_SUCCESS)
+			fatal("Couldn't set up log channel 'resolver'");
+
+		result = isc_log_usechannel(logconfig, "resolver",
+					    DNS_LOGCATEGORY_RESOLVER,
+					    DNS_LOGMODULE_RESOLVER);
+		if (result != ISC_R_SUCCESS)
+			fatal("Couldn't attach to log channel 'resolver'");
+	}
+
+	if (validator_trace && loglevel < 3) {
+		result = isc_log_createchannel(logconfig, "validator",
+					       ISC_LOG_TOFILEDESC,
+					       ISC_LOG_DEBUG(3),
+					       &destination,
+					       ISC_LOG_PRINTPREFIX);
+		if (result != ISC_R_SUCCESS)
+			fatal("Couldn't set up log channel 'validator'");
+
+		result = isc_log_usechannel(logconfig, "validator",
+					    DNS_LOGCATEGORY_DNSSEC,
+					    DNS_LOGMODULE_VALIDATOR);
+		if (result != ISC_R_SUCCESS)
+			fatal("Couldn't attach to log channel 'validator'");
+	}
+
+	if (message_trace && loglevel < 10) {
+		result = isc_log_createchannel(logconfig, "messages",
+					       ISC_LOG_TOFILEDESC,
+					       ISC_LOG_DEBUG(10),
+					       &destination,
+					       ISC_LOG_PRINTPREFIX);
+		if (result != ISC_R_SUCCESS)
+			fatal("Couldn't set up log channel 'messages'");
+
+		result = isc_log_usechannel(logconfig, "messages",
+					    DNS_LOGCATEGORY_RESOLVER,
+					    DNS_LOGMODULE_PACKETS);
+		if (result != ISC_R_SUCCESS)
+			fatal("Couldn't attach to log channel 'messagse'");
+	}
+}
+
+static void
+print_status(dns_rdataset_t *rdataset) {
+	const char *astr = "", *tstr = "";
+
+	REQUIRE(rdataset != NULL);
+
+	if (!showtrust || !dns_rdataset_isassociated(rdataset))
+		return;
+
+	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+		astr = "negative response, ";
+
+	switch (rdataset->trust) {
+	case dns_trust_none:
+		tstr = "untrusted";
+		break;
+	case dns_trust_pending_additional:
+		tstr = "signed additional data, pending validation";
+		break;
+	case dns_trust_pending_answer:
+		tstr = "signed answer, pending validation";
+		break;
+	case dns_trust_additional:
+		tstr = "unsigned additional data";
+		break;
+	case dns_trust_glue:
+		tstr = "glue data";
+		break;
+	case dns_trust_answer:
+		if (root_validation || dlv_validation)
+			tstr = "unsigned answer";
+		else
+			tstr = "answer not validated";
+		break;
+	case dns_trust_authauthority:
+		tstr = "authority data";
+		break;
+	case dns_trust_authanswer:
+		tstr = "authoritative";
+		break;
+	case dns_trust_secure:
+		tstr = "fully validated";
+		break;
+	case dns_trust_ultimate:
+		tstr = "ultimate trust";
+		break;
+	}
+
+	printf("; %s%s\n", astr, tstr);
+}
+
+static isc_result_t
+printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
+	  dns_master_style_t *style)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	static dns_trust_t trust;
+	static isc_boolean_t first = ISC_TRUE;
+	isc_buffer_t target;
+	isc_region_t r;
+	char *t = NULL;
+	int len = 2048;
+
+	if (!dns_rdataset_isassociated(rdataset)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(owner, namebuf, sizeof(namebuf));
+		delve_log(ISC_LOG_DEBUG(4),
+			  "WARN: empty rdataset %s", namebuf);
+		return (ISC_R_SUCCESS);
+	}
+
+	if (!showdnssec && rdataset->type == dns_rdatatype_rrsig)
+		return (ISC_R_SUCCESS);
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	if (first || rdataset->trust != trust) {
+		if (!first && showtrust && !short_form)
+			putchar('\n');
+		print_status(rdataset);
+		trust = rdataset->trust;
+		first = ISC_FALSE;
+	}
+
+	do {
+		t = isc_mem_get(mctx, len);
+		if (t == NULL)
+			return (ISC_R_NOMEMORY);
+
+		isc_buffer_init(&target, t, len);
+		if (short_form) {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset))
+			{
+				isc_region_t r;
+
+				if ((rdataset->attributes &
+				     DNS_RDATASETATTR_NEGATIVE) != 0)
+					continue;
+
+				dns_rdataset_current(rdataset, &rdata);
+				result = dns_rdata_tofmttext(&rdata,
+							     dns_rootname,
+							     styleflags,
+							     0, 60, " ",
+							     &target);
+				if (result != ISC_R_SUCCESS)
+					break;
+
+				isc_buffer_availableregion(&target, &r);
+				if (r.length < 1) {
+					result = ISC_R_NOSPACE;
+					break;
+				}
+
+				r.base[0] = '\n';
+				isc_buffer_add(&target, 1);
+
+				dns_rdata_reset(&rdata);
+			}
+		} else {
+			if ((rdataset->attributes &
+			     DNS_RDATASETATTR_NEGATIVE) != 0)
+				isc_buffer_putstr(&target, "; ");
+
+			result = dns_master_rdatasettotext(owner, rdataset,
+							   style, &target);
+		}
+
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(mctx, t, len);
+			len += 1024;
+		} else
+			CHECK(result);
+	} while (result == ISC_R_NOSPACE);
+
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+ cleanup:
+	if (t != NULL)
+		isc_mem_put(mctx, t, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+setup_style(dns_master_style_t **stylep) {
+	isc_result_t result;
+	dns_master_style_t *style = NULL;
+
+	REQUIRE(stylep != NULL || *stylep == NULL);
+
+	styleflags |= DNS_STYLEFLAG_REL_OWNER;
+	if (showcomments)
+		styleflags |= DNS_STYLEFLAG_COMMENT;
+	if (rrcomments)
+		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+	if (nottl)
+		styleflags |= DNS_STYLEFLAG_NO_TTL;
+	if (noclass)
+		styleflags |= DNS_STYLEFLAG_NO_CLASS;
+	if (nocrypto)
+		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+	if (multiline) {
+		styleflags |= DNS_STYLEFLAG_MULTILINE;
+		styleflags |= DNS_STYLEFLAG_COMMENT;
+	}
+
+	if (multiline || (nottl && noclass))
+		result = dns_master_stylecreate2(&style, styleflags,
+						 24, 24, 24, 32, 80, 8,
+						 splitwidth, mctx);
+	else if (nottl || noclass)
+		result = dns_master_stylecreate2(&style, styleflags,
+						 24, 24, 32, 40, 80, 8,
+						 splitwidth, mctx);
+	else
+		result = dns_master_stylecreate2(&style, styleflags,
+						 24, 32, 40, 48, 80, 8,
+						 splitwidth, mctx);
+
+	if (result == ISC_R_SUCCESS)
+		*stylep = style;
+	return (result);
+}
+
+static isc_result_t
+convert_name(dns_fixedname_t *fn, dns_name_t **name, const char *text) {
+	isc_result_t result;
+	isc_buffer_t b;
+	dns_name_t *n;
+	size_t len;
+
+	REQUIRE(fn != NULL && name != NULL && text != NULL);
+	len = strlen(text);
+
+	isc_buffer_constinit(&b, text, len);
+	isc_buffer_add(&b, len);
+	dns_fixedname_init(fn);
+	n = dns_fixedname_name(fn);
+
+	result = dns_name_fromtext(n, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		delve_log(ISC_LOG_ERROR, "failed to convert QNAME %s: %s",
+			  text, isc_result_totext(result));
+		return (result);
+	}
+
+	*name = n;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
+	dns_rdata_dnskey_t keystruct;
+	isc_uint32_t flags, proto, alg;
+	const char *keystr, *keynamestr;
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_region_t r;
+	dns_fixedname_t fkeyname;
+	dns_name_t *keyname;
+	isc_result_t result;
+	isc_boolean_t match_root, match_dlv;
+
+	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+	CHECK(convert_name(&fkeyname, &keyname, keynamestr));
+
+	if (!root_validation && !dlv_validation)
+		return (ISC_R_SUCCESS);
+
+	match_root = dns_name_equal(keyname, anchor_name);
+	match_dlv = dns_name_equal(keyname, dlv_name);
+
+	if (!match_root && !match_dlv)
+		return (ISC_R_SUCCESS);
+	if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
+		return (ISC_R_SUCCESS);
+
+	if (match_root)
+		delve_log(ISC_LOG_DEBUG(3), "adding trust anchor %s",
+			  trust_anchor);
+	if (match_dlv)
+		delve_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s",
+			  dlv_anchor);
+
+	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+
+	keystruct.common.rdclass = dns_rdataclass_in;
+	keystruct.common.rdtype = dns_rdatatype_dnskey;
+	/*
+	 * The key data in keystruct is not dynamically allocated.
+	 */
+	keystruct.mctx = NULL;
+
+	ISC_LINK_INIT(&keystruct.common, link);
+
+	if (flags > 0xffff)
+		CHECK(ISC_R_RANGE);
+	if (proto > 0xff)
+		CHECK(ISC_R_RANGE);
+	if (alg > 0xff)
+		CHECK(ISC_R_RANGE);
+
+	keystruct.flags = (isc_uint16_t)flags;
+	keystruct.protocol = (isc_uint8_t)proto;
+	keystruct.algorithm = (isc_uint8_t)alg;
+
+	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+
+	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+	CHECK(isc_base64_decodestring(keystr, &keydatabuf));
+	isc_buffer_usedregion(&keydatabuf, &r);
+	keystruct.datalen = r.length;
+	keystruct.data = r.base;
+
+	CHECK(dns_rdata_fromstruct(NULL,
+				   keystruct.common.rdclass,
+				   keystruct.common.rdtype,
+				   &keystruct, &rrdatabuf));
+
+	CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
+				       keyname, &rrdatabuf));
+	trusted_keys++;
+
+ cleanup:
+	if (result == DST_R_NOCRYPTO)
+		cfg_obj_log(key, lctx, ISC_LOG_ERROR, "no crypto support");
+	else if (result == DST_R_UNSUPPORTEDALG) {
+		cfg_obj_log(key, lctx, ISC_LOG_WARNING,
+			    "skipping trusted key '%s': %s",
+			    keynamestr, isc_result_totext(result));
+		result = ISC_R_SUCCESS;
+	} else if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(key, lctx, ISC_LOG_ERROR,
+			    "failed to add trusted key '%s': %s",
+			    keynamestr, isc_result_totext(result));
+		result = ISC_R_FAILURE;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+load_keys(const cfg_obj_t *keys, dns_client_t *client) {
+	const cfg_listelt_t *elt, *elt2;
+	const cfg_obj_t *key, *keylist;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	for (elt = cfg_list_first(keys);
+	     elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		keylist = cfg_listelt_value(elt);
+
+		for (elt2 = cfg_list_first(keylist);
+		     elt2 != NULL;
+		     elt2 = cfg_list_next(elt2))
+		{
+			key = cfg_listelt_value(elt2);
+			CHECK(key_fromconfig(key, client)); 
+		}
+	}
+
+ cleanup:
+	if (result == DST_R_NOCRYPTO)
+		result = ISC_R_SUCCESS;
+	return (result);
+}
+
+static isc_result_t
+setup_dnsseckeys(dns_client_t *client) {
+	isc_result_t result;
+	cfg_parser_t *parser = NULL;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *managed_keys = NULL;
+	cfg_obj_t *bindkeys = NULL;
+	const char *filename = anchorfile;
+
+	if (!root_validation && !dlv_validation)
+		return (ISC_R_SUCCESS);
+
+	if (filename == NULL)
+		filename = SYSCONFDIR "/bind.keys";
+
+	if (trust_anchor == NULL)
+		trust_anchor = isc_mem_strdup(mctx, ".");
+	if (dlv_anchor == NULL)
+		dlv_anchor = isc_mem_strdup(mctx, "dlv.isc.org");
+
+	CHECK(convert_name(&afn, &anchor_name, trust_anchor));
+	CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
+
+	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
+
+	if (access(filename, R_OK) != 0) {
+		if (anchorfile != NULL)
+			fatal("Unable to read key file '%s'", anchorfile);
+	} else {
+		result = cfg_parse_file(parser, filename,
+					&cfg_type_bindkeys, &bindkeys);
+		if (result != ISC_R_SUCCESS)
+			if (anchorfile != NULL)
+				fatal("Unable to load keys from '%s'",
+				      anchorfile);
+	}
+
+	if (bindkeys == NULL) {
+		isc_buffer_t b;
+
+		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
+		isc_buffer_add(&b, sizeof(anchortext) - 1);
+		result = cfg_parse_buffer(parser, &b, &cfg_type_bindkeys,
+					  &bindkeys);
+		if (result != ISC_R_SUCCESS)
+			fatal("Unable to parse built-in keys");
+	}
+
+	INSIST(bindkeys != NULL);
+	cfg_map_get(bindkeys, "trusted-keys", &keys);
+	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
+
+	if (keys != NULL)
+		CHECK(load_keys(keys, client));
+	if (managed_keys != NULL)
+		CHECK(load_keys(managed_keys, client));
+	result = ISC_R_SUCCESS;
+
+	if (trusted_keys == 0)
+		fatal("No trusted keys were loaded");
+
+	if (dlv_validation)
+		dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
+
+ cleanup:
+	if (result != ISC_R_SUCCESS)
+		delve_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
+			  isc_result_totext(result));
+	return (result);
+}
+
+static isc_result_t
+addserver(dns_client_t *client) {
+	struct addrinfo hints, *res, *cur;
+	int gai_error;
+	struct in_addr in4;
+	struct in6_addr in6;
+	isc_sockaddr_t *sa;
+	isc_sockaddrlist_t servers;
+	isc_uint32_t destport;
+	isc_result_t result;
+	dns_name_t *name = NULL;
+
+	result = parse_uint(&destport, port, 0xffff, "port");
+	if (result != ISC_R_SUCCESS)
+		fatal("Couldn't parse port number");
+
+	ISC_LIST_INIT(servers);
+
+	if (use_ipv4 && inet_pton(AF_INET, server, &in4) == 1) {
+		sa = isc_mem_get(mctx, sizeof(*sa));
+		ISC_LINK_INIT(sa, link);
+		isc_sockaddr_fromin(sa, &in4, destport);
+		ISC_LIST_APPEND(servers, sa, link);
+	} else if (use_ipv6 && inet_pton(AF_INET6, server, &in6) == 1) {
+		sa = isc_mem_get(mctx, sizeof(*sa));
+		ISC_LINK_INIT(sa, link);
+		isc_sockaddr_fromin6(sa, &in6, destport);
+		ISC_LIST_APPEND(servers, sa, link);
+	} else {
+		memset(&hints, 0, sizeof(hints));
+		if (!use_ipv6)
+			hints.ai_family = AF_INET;
+		else if (!use_ipv4)
+			hints.ai_family = AF_INET6;
+		else
+			hints.ai_family = AF_UNSPEC;
+		hints.ai_socktype = SOCK_DGRAM;
+		hints.ai_protocol = IPPROTO_UDP;
+		gai_error = getaddrinfo(server, port, &hints, &res);
+		if (gai_error != 0) {
+			delve_log(ISC_LOG_ERROR,
+				  "getaddrinfo failed: %s",
+				  gai_strerror(gai_error));
+			return (ISC_R_FAILURE);
+		}
+
+		for (cur = res; cur != NULL; cur = res->ai_next) {
+			sa = isc_mem_get(mctx, sizeof(*sa));
+			memset(sa, 0, sizeof(*sa));
+			ISC_LINK_INIT(sa, link);
+			memmove(&sa->type, res->ai_addr, res->ai_addrlen);
+			sa->length = res->ai_addrlen;
+			ISC_LIST_APPEND(servers, sa, link);
+			freeaddrinfo(res);
+		}
+	}
+
+
+	CHECK(dns_client_setservers(client, dns_rdataclass_in, name, &servers));
+
+ cleanup:
+	while (!ISC_LIST_EMPTY(servers)) {
+		sa = ISC_LIST_HEAD(servers);
+		ISC_LIST_UNLINK(servers, sa, link);
+		isc_mem_put(mctx, sa, sizeof(*sa));
+	}
+
+	if (result != ISC_R_SUCCESS)
+		delve_log(ISC_LOG_ERROR, "addserver: %s",
+			  isc_result_totext(result));
+
+	return (result);
+}
+
+static isc_result_t
+findserver(dns_client_t *client) {
+	isc_result_t result;
+	irs_resconf_t *resconf = NULL;
+	isc_sockaddrlist_t *nameservers;
+	isc_sockaddr_t *sa, *next;
+
+	result = irs_resconf_load(mctx, "/etc/resolv.conf", &resconf);
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		delve_log(ISC_LOG_ERROR, "irs_resconf_load: %s",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/* Get nameservers from resolv.conf */
+	nameservers = irs_resconf_getnameservers(resconf);
+
+	/* Remove nameservers using incompatible protocol family */
+	for (sa = ISC_LIST_HEAD(*nameservers); sa != NULL; sa = next) {
+		next = ISC_LIST_NEXT(sa, link);
+		if (!use_ipv4 && sa->type.sa.sa_family == AF_INET) {
+			ISC_LIST_UNLINK(*nameservers, sa, link);
+			isc_mem_put(mctx, sa, sizeof(*sa));
+		}
+		if (!use_ipv6 && sa->type.sa.sa_family == AF_INET6) {
+			ISC_LIST_UNLINK(*nameservers, sa, link);
+			isc_mem_put(mctx, sa, sizeof(*sa));
+		}
+	}
+
+	/* None found, use localhost */
+	if (ISC_LIST_EMPTY(*nameservers)) {
+		isc_uint32_t destport;
+		result = parse_uint(&destport, port, 0xffff, "port");
+		if (result != ISC_R_SUCCESS)
+			fatal("Couldn't parse port number");
+
+		if (use_ipv4) {
+			struct in_addr localhost;
+			localhost.s_addr = htonl(INADDR_LOOPBACK);
+			sa = isc_mem_get(mctx, sizeof(*sa));
+			if (sa == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			isc_sockaddr_fromin(sa, &localhost, destport);
+
+			ISC_LINK_INIT(sa, link);
+			ISC_LIST_APPEND(*nameservers, sa, link);
+		}
+
+		if (use_ipv6) {
+			sa = isc_mem_get(mctx, sizeof(*sa));
+			if (sa == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			isc_sockaddr_fromin6(sa, &in6addr_loopback,
+					     destport);
+
+			ISC_LINK_INIT(sa, link);
+			ISC_LIST_APPEND(*nameservers, sa, link);
+		}
+	}
+
+	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+				       nameservers);
+	if (result != ISC_R_SUCCESS)
+		delve_log(ISC_LOG_ERROR, "dns_client_setservers: %s",
+			  isc_result_totext(result));
+
+cleanup:
+	if (resconf != NULL)
+		irs_resconf_destroy(&resconf);
+	return (result);
+}
+
+static char *
+next_token(char **stringp, const char *delim) {
+	char *res;
+
+	do {
+		res = strsep(stringp, delim);
+		if (res == NULL)
+			break;
+	} while (*res == '\0');
+	return (res);
+}
+
+static isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+	   const char *desc) {
+	isc_uint32_t n;
+	isc_result_t result = isc_parse_uint32(&n, value, 10);
+	if (result == ISC_R_SUCCESS && n > max)
+		result = ISC_R_RANGE;
+	if (result != ISC_R_SUCCESS) {
+		printf("invalid %s '%s': %s\n", desc,
+		       value, isc_result_totext(result));
+		return (result);
+	}
+	*uip = n;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+plus_option(char *option) {
+	isc_result_t result;
+	char option_store[256];
+	char *cmd, *value, *ptr;
+	isc_boolean_t state = ISC_TRUE;
+
+	strncpy(option_store, option, sizeof(option_store));
+	option_store[sizeof(option_store)-1]=0;
+	ptr = option_store;
+	cmd = next_token(&ptr,"=");
+	if (cmd == NULL) {
+		printf(";; Invalid option %s\n", option_store);
+		return;
+	}
+	value = ptr;
+	if (strncasecmp(cmd, "no", 2)==0) {
+		cmd += 2;
+		state = ISC_FALSE;
+	}
+
+#define FULLCHECK(A) \
+	do { \
+		size_t _l = strlen(cmd); \
+		if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \
+			goto invalid_option; \
+	} while (0)
+
+	switch (cmd[0]) {
+	case 'a': /* all */
+		FULLCHECK("all");
+		showcomments = state;
+		rrcomments = state;
+		showtrust = state;
+		break;
+	case 'c':
+		switch (cmd[1]) {
+		case 'd': /* cdflag */
+			FULLCHECK("cdflag");
+			cdflag = state;
+			break;
+		case 'l': /* class */
+			FULLCHECK("class");
+			noclass = ISC_TF(!state);
+			break;
+		case 'o': /* comments */
+			FULLCHECK("comments");
+			showcomments = state;
+			break;
+		case 'r': /* crypto */
+			FULLCHECK("crypto");
+			nocrypto = ISC_TF(!state);
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'd':
+		switch (cmd[1]) {
+		case 'l': /* dlv */
+			FULLCHECK("dlv");
+			if (state && no_sigs)
+				break;
+			dlv_validation = state;
+			if (value != NULL)
+				dlv_anchor = isc_mem_strdup(mctx, value);
+			break;
+		case 'n': /* dnssec */
+			FULLCHECK("dnssec");
+			showdnssec = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'm':
+		switch (cmd[1]) {
+		case 't': /* mtrace */
+			message_trace = state;
+			if (state)
+				resolve_trace = state;
+			break;
+		case 'u': /* multiline */
+			FULLCHECK("multiline");
+			multiline = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'r':
+		switch (cmd[1]) {
+		case 'o': /* root */
+			FULLCHECK("root");
+			if (state && no_sigs)
+				break;
+			root_validation = state;
+			if (value != NULL)
+				trust_anchor = isc_mem_strdup(mctx, value);
+			break;
+		case 'r': /* rrcomments */
+			FULLCHECK("rrcomments");
+			rrcomments = state;
+			break;
+		case 't': /* rtrace */
+			FULLCHECK("rtrace");
+			resolve_trace = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 's':
+		switch (cmd[1]) {
+		case 'h': /* short */
+			FULLCHECK("short");
+			short_form = state;
+			if (short_form) {
+				multiline = ISC_FALSE;
+				showcomments = ISC_FALSE;
+				showtrust = ISC_FALSE;
+				showdnssec = ISC_FALSE;
+			}
+			break;
+		case 'p': /* split */
+			FULLCHECK("split");
+			if (value != NULL && !state)
+				goto invalid_option;
+			if (!state) {
+				splitwidth = 0;
+				break;
+			} else if (value == NULL)
+				break;
+
+			result = parse_uint(&splitwidth, value,
+					    1023, "split");
+			if (splitwidth % 4 != 0) {
+				splitwidth = ((splitwidth + 3) / 4) * 4;
+				warn("split must be a multiple of 4; "
+				     "adjusting to %d", splitwidth);
+			}
+			/*
+			 * There is an adjustment done in the
+			 * totext_<rrtype>() functions which causes
+			 * splitwidth to shrink.  This is okay when we're
+			 * using the default width but incorrect in this
+			 * case, so we correct for it
+			 */
+			if (splitwidth)
+				splitwidth += 3;
+			if (result != ISC_R_SUCCESS)
+				fatal("Couldn't parse split");
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 't':
+		switch (cmd[1]) {
+		case 'r': /* trust */
+			FULLCHECK("trust");
+			showtrust = state;
+			break;
+		case 't': /* ttl */
+			FULLCHECK("ttl");
+			nottl = ISC_TF(!state);
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'v': /* vtrace */
+		FULLCHECK("vtrace");
+		validator_trace = state;
+		if (state)
+			resolve_trace = state;
+		break;
+	default:
+	invalid_option:
+		/*
+		 * We can also add a "need_value:" case here if we ever
+		 * add a plus-option that requires a specified value
+		 */
+		fprintf(stderr, "Invalid option: +%s\n", option);
+		usage();
+	}
+	return;
+}
+
+/*
+ * options: "46a:b:c:d:himp:q:t:vx:";
+ */
+static const char *single_dash_opts = "46himv";
+static isc_boolean_t
+dash_option(char *option, char *next, isc_boolean_t *open_type_class) {
+	char opt, *value;
+	isc_result_t result;
+	isc_boolean_t value_from_next;
+	isc_textregion_t tr;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	char textname[MAXNAME];
+	struct in_addr in4;
+	struct in6_addr in6;
+	isc_sockaddr_t a4, a6;
+	in_port_t srcport;
+	isc_uint32_t num;
+	char *hash;
+
+	while (strpbrk(option, single_dash_opts) == &option[0]) {
+		/*
+		 * Since the -[46himv] options do not take an argument,
+		 * account for them (in any number and/or combination)
+		 * if they appear as the first character(s) of a q-opt.
+		 */
+		opt = option[0];
+		switch (opt) {
+		case '4':
+			if (isc_net_probeipv4() != ISC_R_SUCCESS)
+				fatal("IPv4 networking not available");
+			if (use_ipv6) {
+				isc_net_disableipv6();
+				use_ipv6 = ISC_FALSE;
+			}
+			break;
+		case '6':
+			if (isc_net_probeipv6() != ISC_R_SUCCESS)
+				fatal("IPv6 networking not available");
+			if (use_ipv4) {
+				isc_net_disableipv4();
+				use_ipv4 = ISC_FALSE;
+			}
+			break;
+		case 'h':
+			usage();
+			exit(0);
+			/* NOTREACHED */
+		case 'i':
+			no_sigs = ISC_TRUE;
+			dlv_validation = ISC_FALSE;
+			root_validation = ISC_FALSE;
+			break;
+		case 'm':
+			/* handled in preparse_args() */
+			break;
+		case 'v':
+			fputs("delve " VERSION "\n", stderr);
+			exit(0);
+			/* NOTREACHED */
+		default:
+			INSIST(0);
+		}
+		if (strlen(option) > 1U)
+			option = &option[1];
+		else
+			return (ISC_FALSE);
+	}
+	opt = option[0];
+	if (strlen(option) > 1U) {
+		value_from_next = ISC_FALSE;
+		value = &option[1];
+	} else {
+		value_from_next = ISC_TRUE;
+		value = next;
+	}
+	if (value == NULL)
+		goto invalid_option;
+	switch (opt) {
+	case 'a':
+		anchorfile = isc_mem_strdup(mctx, value);
+		return (value_from_next);
+	case 'b':
+		hash = strchr(value, '#');
+		if (hash != NULL) {
+			result = parse_uint(&num, hash + 1, 0xffff, "port");
+			if (result != ISC_R_SUCCESS)
+				fatal("Couldn't parse port number");
+			srcport = num;
+			*hash = '\0';
+		} else
+			srcport = 0;
+
+		if (inet_pton(AF_INET, value, &in4) == 1) {
+			if (srcaddr4 != NULL)
+				fatal("Only one local address per family "
+				      "can be specified\n");
+			isc_sockaddr_fromin(&a4, &in4, srcport);
+			srcaddr4 = &a4;
+		} else if (inet_pton(AF_INET6, value, &in6) == 1) {
+			if (srcaddr6 != NULL)
+				fatal("Only one local address per family "
+				      "can be specified\n");
+			isc_sockaddr_fromin6(&a6, &in6, srcport);
+			srcaddr6 = &a6;
+		} else {
+			if (hash != NULL)
+				*hash = '#';
+			fatal("Invalid address %s", value);
+		}
+		if (hash != NULL)
+			*hash = '#';
+		return (value_from_next);
+	case 'c':
+		if (classset)
+			warn("extra query class");
+
+		*open_type_class = ISC_FALSE;
+		tr.base = value;
+		tr.length = strlen(value);
+		result = dns_rdataclass_fromtext(&rdclass,
+						 (isc_textregion_t *)&tr);
+		if (result == ISC_R_SUCCESS)
+			classset = ISC_TRUE;
+		else if (rdclass != dns_rdataclass_in)
+			warn("ignoring non-IN query class");
+		else
+			warn("ignoring invalid class");
+		return (value_from_next);
+	case 'd':
+		result = parse_uint(&num, value, 99, "debug level");
+		if (result != ISC_R_SUCCESS)
+			fatal("Couldn't parse debug level");
+		loglevel = num;
+		return (value_from_next);
+	case 'p':
+		port = value;
+		return (value_from_next);
+	case 'q':
+		if (qname != NULL) {
+			warn("extra query name");
+			isc_mem_free(mctx, qname);
+		}
+		curqname = value;
+		return (value_from_next);
+	case 't':
+		*open_type_class = ISC_FALSE;
+		tr.base = value;
+		tr.length = strlen(value);
+		result = dns_rdatatype_fromtext(&rdtype,
+					(isc_textregion_t *)&tr);
+		if (result == ISC_R_SUCCESS) {
+			if (typeset)
+				warn("extra query type");
+			if (rdtype == dns_rdatatype_ixfr ||
+			    rdtype == dns_rdatatype_axfr)
+				fatal("Transfer not supported");
+			qtype = rdtype;
+			typeset = ISC_TRUE;
+		} else
+			warn("ignoring invalid type");
+		return (value_from_next);
+	case 'x':
+		result = get_reverse(textname, sizeof(textname), value,
+				     ISC_FALSE);
+		if (result == ISC_R_SUCCESS) {
+			if (curqname != NULL)
+				warn("extra query name");
+			curqname = isc_mem_strdup(mctx, textname);
+			if (typeset)
+				warn("extra query type");
+			qtype = dns_rdatatype_ptr;
+			typeset = ISC_TRUE;
+		} else {
+			fprintf(stderr, "Invalid IP address %s\n", value);
+			exit(1);
+		}
+		return (value_from_next);
+	invalid_option:
+	default:
+		fprintf(stderr, "Invalid option: -%s\n", option);
+		usage();
+	}
+	/* NOTREACHED */
+	return (ISC_FALSE);
+}
+
+/*
+ * Check for -m first to determine whether to enable
+ * memory debugging when setting up the memory context.
+ */
+static void
+preparse_args(int argc, char **argv) {
+	char *option;
+
+	for (argc--, argv++; argc > 0; argc--, argv++) {
+		if (argv[0][0] != '-')
+			continue;
+		option = &argv[0][1];
+		while (strpbrk(option, single_dash_opts) == &option[0]) {
+			if (option[0] == 'm') {
+				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+					ISC_MEM_DEBUGRECORD;
+				return;
+			}
+			option = &option[1];
+		}
+	}
+}
+
+/*
+ * Argument parsing is based on dig, but simplified: only one
+ * QNAME/QCLASS/QTYPE tuple can be specified, and options have
+ * been removed that aren't applicable to delve. The interface
+ * should be familiar to dig users, however.
+ */
+static void
+parse_args(int argc, char **argv) {
+	isc_result_t result;
+	isc_textregion_t tr;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	isc_boolean_t open_type_class = ISC_TRUE;
+
+	for (; argc > 0; argc--, argv++) {
+		if (argv[0][0] == '@') {
+			server = &argv[0][1];
+		} else if (argv[0][0] == '+') {
+			plus_option(&argv[0][1]);
+		} else if (argv[0][0] == '-') {
+			if (argc <= 1) {
+				if (dash_option(&argv[0][1], NULL,
+						&open_type_class))
+				{
+					argc--;
+					argv++;
+				}
+			} else {
+				if (dash_option(&argv[0][1], argv[1],
+						&open_type_class))
+				{
+					argc--;
+					argv++;
+				}
+			}
+		} else {
+			/*
+			 * Anything which isn't an option
+			 */
+			if (open_type_class) {
+				tr.base = argv[0];
+				tr.length = strlen(argv[0]);
+				result = dns_rdatatype_fromtext(&rdtype,
+					(isc_textregion_t *)&tr);
+				if (result == ISC_R_SUCCESS) {
+					if (typeset)
+						warn("extra query type");
+					if (rdtype == dns_rdatatype_ixfr ||
+					    rdtype == dns_rdatatype_axfr)
+						fatal("Transfer not supported");
+					qtype = rdtype;
+					typeset = ISC_TRUE;
+					continue;
+				}
+				result = dns_rdataclass_fromtext(&rdclass,
+						     (isc_textregion_t *)&tr);
+				if (result == ISC_R_SUCCESS) {
+					if (classset)
+						warn("extra query class");
+					else if (rdclass != dns_rdataclass_in)
+						warn("ignoring non-IN "
+						     "query class");
+					continue;
+				}
+			}
+
+			if (curqname == NULL)
+				curqname = argv[0];
+		}
+	}
+
+	/*
+	 * If no qname or qtype specified, search for root/NS
+	 * If no qtype specified, use A
+	 */
+	if (!typeset)
+		qtype = dns_rdatatype_a;
+
+	if (curqname == NULL) {
+		qname = isc_mem_strdup(mctx, ".");
+		if (!typeset)
+			qtype = dns_rdatatype_ns;
+	} else
+		qname = isc_mem_strdup(mctx, curqname);
+}
+
+static isc_result_t
+append_str(const char *text, int len, char **p, char *end) {
+	if (len > end - *p)
+		return (ISC_R_NOSPACE);
+	memmove(*p, text, len);
+	*p += len;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+reverse_octets(const char *in, char **p, char *end) {
+	char *dot = strchr(in, '.');
+	int len;
+	if (dot != NULL) {
+		isc_result_t result;
+		result = reverse_octets(dot + 1, p, end);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		result = append_str(".", 1, p, end);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		len = (int)(dot - in);
+	} else
+		len = strlen(in);
+	return (append_str(in, len, p, end));
+}
+
+static isc_result_t
+get_reverse(char *reverse, size_t len, char *value, isc_boolean_t strict) {
+	int r;
+	isc_result_t result;
+	isc_netaddr_t addr;
+
+	addr.family = AF_INET6;
+	r = inet_pton(AF_INET6, value, &addr.type.in6);
+	if (r > 0) {
+		/* This is a valid IPv6 address. */
+		dns_fixedname_t fname;
+		dns_name_t *name;
+		unsigned int options = 0;
+
+		dns_fixedname_init(&fname);
+		name = dns_fixedname_name(&fname);
+		result = dns_byaddr_createptrname2(&addr, options, name);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		dns_name_format(name, reverse, (unsigned int)len);
+		return (ISC_R_SUCCESS);
+	} else {
+		/*
+		 * Not a valid IPv6 address.  Assume IPv4.
+		 * If 'strict' is not set, construct the
+		 * in-addr.arpa name by blindly reversing
+		 * octets whether or not they look like integers,
+		 * so that this can be used for RFC2317 names
+		 * and such.
+		 */
+		char *p = reverse;
+		char *end = reverse + len;
+		if (strict && inet_pton(AF_INET, value, &addr.type.in) != 1)
+			return (DNS_R_BADDOTTEDQUAD);
+		result = reverse_octets(value, &p, end);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		result = append_str(".in-addr.arpa.", 15, &p, end);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		return (ISC_R_SUCCESS);
+	}
+}
+
+int
+main(int argc, char *argv[]) {
+	dns_client_t *client = NULL;
+	isc_result_t result;
+	dns_fixedname_t qfn;
+	dns_name_t *query_name, *response_name;
+	dns_rdataset_t *rdataset;
+	dns_namelist_t namelist;
+	unsigned int resopt;
+	isc_appctx_t *actx = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	dns_master_style_t *style = NULL;
+	struct sigaction sa;
+
+	preparse_args(argc, argv);
+	progname = argv[0];
+
+	argc -= optind;
+	argv += optind;
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS)
+		fatal("dns_lib_init failed: %d", result);
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to create mctx");
+
+	CHECK(isc_appctx_create(mctx, &actx));
+	CHECK(isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr));
+	CHECK(isc_socketmgr_createinctx(mctx, actx, &socketmgr));
+	CHECK(isc_timermgr_createinctx(mctx, actx, &timermgr));
+
+	parse_args(argc, argv);
+
+	CHECK(setup_style(&style));
+
+	setup_logging(stderr);
+
+	CHECK(isc_app_ctxstart(actx));
+
+	/* Unblock SIGINT if it's been blocked by isc_app_ctxstart() */
+	memset(&sa, 0, sizeof(sa));
+	sa.sa_handler = SIG_DFL;
+	if (sigfillset(&sa.sa_mask) != 0 || sigaction(SIGINT, &sa, NULL) < 0)
+		fatal("Couldn't set up signal handler");
+
+	/* Create client */
+	result = dns_client_createx2(mctx, actx, taskmgr, socketmgr, timermgr,
+				     0, &client, srcaddr4, srcaddr6);
+	if (result != ISC_R_SUCCESS) {
+		delve_log(ISC_LOG_ERROR, "dns_client_create: %s",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/* Set the nameserver */
+	if (server != NULL)
+		addserver(client);
+	else
+		findserver(client);
+
+	CHECK(setup_dnsseckeys(client));
+
+	/* Construct QNAME */
+	convert_name(&qfn, &query_name, qname);
+
+	/* Set up resolution options */
+	resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
+	if (no_sigs)
+		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
+	if (!root_validation && !dlv_validation)
+		resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
+	if (cdflag)
+		resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;
+
+	/* Perform resolution */
+	ISC_LIST_INIT(namelist);
+	result = dns_client_resolve(client, query_name, dns_rdataclass_in,
+				    qtype, resopt, &namelist);
+	if (result != ISC_R_SUCCESS)
+		delve_log(ISC_LOG_ERROR, "resolution failed: %s",
+			  isc_result_totext(result));
+
+	for (response_name = ISC_LIST_HEAD(namelist);
+	     response_name != NULL;
+	     response_name = ISC_LIST_NEXT(response_name, link)) {
+		for (rdataset = ISC_LIST_HEAD(response_name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			result = printdata(rdataset, response_name, style);
+			if (result != ISC_R_SUCCESS)
+				delve_log(ISC_LOG_ERROR, "print data failed");
+		}
+	}
+
+	dns_client_freeresanswer(client, &namelist);
+
+cleanup:
+	if (dlv_anchor != NULL)
+		isc_mem_free(mctx, dlv_anchor);
+	if (trust_anchor != NULL)
+		isc_mem_free(mctx, trust_anchor);
+	if (anchorfile != NULL)
+		isc_mem_free(mctx, anchorfile);
+	if (qname != NULL)
+		isc_mem_free(mctx, qname);
+	if (style != NULL)
+		dns_master_styledestroy(&style, mctx);
+	if (client != NULL)
+		dns_client_destroy(&client);
+	if (taskmgr != NULL)
+		isc_taskmgr_destroy(&taskmgr);
+	if (timermgr != NULL)
+		isc_timermgr_destroy(&timermgr);
+	if (socketmgr != NULL)
+		isc_socketmgr_destroy(&socketmgr);
+	if (actx != NULL)
+		isc_appctx_destroy(&actx);
+	if (lctx != NULL)
+		isc_log_destroy(&lctx);
+	isc_mem_detach(&mctx);
+
+	dns_lib_shutdown();
+
+	exit(0);
+}
diff --git a/bin/delve/delve.docbook b/bin/delve/delve.docbook
new file mode 100644
index 0000000000..12ff996ba4
--- /dev/null
+++ b/bin/delve/delve.docbook
@@ -0,0 +1,639 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+	       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<refentry id="man.delve">
+
+  <refentryinfo>
+    <date>February 12, 2014</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>delve</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>delve</refname>
+    <refpurpose>DNS lookup and validation utility</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2014</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>delve</command>
+      <arg choice="opt">@server</arg>
+      <arg><option>-4</option></arg>
+      <arg><option>-6</option></arg>
+      <arg><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
+      <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
+      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-d <replaceable class="parameter">level</replaceable></option></arg>
+      <arg><option>-i</option></arg>
+      <arg><option>-m</option></arg>
+      <arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
+      <arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
+      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+      <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
+      <arg choice="opt">name</arg>
+      <arg choice="opt">type</arg>
+      <arg choice="opt">class</arg>
+      <arg choice="opt" rep="repeat">queryopt</arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>delve</command>
+      <arg><option>-h</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>delve</command>
+      <arg choice="opt" rep="repeat">queryopt</arg>
+      <arg choice="opt" rep="repeat">query</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para><command>delve</command>
+      (Domain Entity Lookup &amp; Validation Engine) is a tool for sending
+      DNS queries and validating the results, using the the same internal
+      resolver and validator logic as <command>named</command>.
+    </para>
+    <para>
+      <command>delve</command> will send to a specified name server all
+      queries needed to fetch and validate the requested data; this
+      includes the original requested query, subsequent queries to follow
+      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
+      to establish a chain of trust for DNSSEC validation.
+      It does not perform iterative resolution, but simulates the
+      behavior of a name server configured for DNSSEC validating and
+      forwarding.
+    </para>
+    <para>
+      By default, responses are validated using built-in DNSSEC trust
+      anchors for the root zone (".") and for the ISC DNSSEC lookaside
+      validation zone ("dlv.isc.org").  Records returned by
+      <command>delve</command> are either fully validated or
+      were not signed.  If validation fails, an explanation of
+      the failure is included in the output; the validation process
+      can be traced in detail.  Because <command>delve</command> does
+      not rely on an external server to carry out validation, it can
+      be used to check the validity of DNS responses in environments
+      where local name servers may not be trustworthy.
+    </para>
+    <para>
+      Unless it is told to query a specific name server,
+      <command>delve</command> will try each of the servers listed in
+      <filename>/etc/resolv.conf</filename>. If no usable server
+      addresses are found, <command>delve</command> will send
+      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
+      for IPv6).
+    </para>
+    <para>
+      When no command line arguments or options are given,
+      <command>delve</command> will perform an NS query for "."
+      (the root zone).
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SIMPLE USAGE</title>
+
+    <para>
+      A typical invocation of <command>delve</command> looks like:
+      <programlisting> delve @server name type </programlisting>
+      where:
+
+      <variablelist>
+	<varlistentry>
+	  <term><constant>server</constant></term>
+	  <listitem>
+	    <para>
+	      is the name or IP address of the name server to query.  This
+	      can be an IPv4 address in dotted-decimal notation or an IPv6
+	      address in colon-delimited notation.  When the supplied
+	      <parameter>server</parameter> argument is a hostname,
+	      <command>delve</command> resolves that name before
+	      querying that name server (note, however, that this
+	      initial lookup is <emphasis>not</emphasis> validated
+	      by DNSSEC).
+	    </para>
+	    <para>
+	      If no <parameter>server</parameter> argument is
+	      provided, <command>delve</command> consults
+	      <filename>/etc/resolv.conf</filename>; if an
+	      address is found there, it queries the name server at
+	      that address. If either of the <option>-4</option> or
+	      <option>-6</option> options are in use, then
+	      only addresses for the corresponding transport
+	      will be tried.  If no usable addresses are found,
+	      <command>delve</command> will send queries to
+	      the localhost addresses (127.0.0.1 for IPv4,
+	      ::1 for IPv6).
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><constant>name</constant></term>
+	  <listitem>
+	    <para>
+	      is the domain name to be looked up.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><constant>type</constant></term>
+	  <listitem>
+	    <para>
+	      indicates what type of query is required &mdash;
+	      ANY, A, MX, etc.
+	      <parameter>type</parameter> can be any valid query
+	      type.  If no
+	      <parameter>type</parameter> argument is supplied,
+	      <command>delve</command> will perform a lookup for an
+	      A record.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+      </variablelist>
+    </para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>OPTIONS</title>
+    <variablelist>
+      <varlistentry>
+	<term>-a</term>
+	<listitem>
+	  <para>
+	    Specifies a file from which to read DNSSEC trust anchors.
+	    The default is <filename>/etc/bind.keys</filename>, which
+	    is included with <acronym>BIND</acronym> 9 and contains
+	    trust anchors for the root zone (".") and for the ISC
+	    DNSSEC lookaside validation zone ("dlv.isc.org").
+	  </para>
+	  <para>
+	    Keys that do not match the root or DLV trust-anchor
+	    names are ignored; these key names can be overridden
+	    using the <option>+dlv=NAME</option> or
+	    <option>+root=NAME</option> options.
+	  </para>
+	  <para>
+	    Note: When reading the trust anchor file,
+	    <command>delve</command> treats <option>managed-keys</option>
+	    statements and <option>trusted-keys</option> statements
+	    identically.  That is, for a managed key, it is the
+	    <emphasis>initial</emphasis> key that is trusted; RFC 5011
+	    key management is not supported. <command>delve</command>
+	    will not consult the managed-keys database maintained by
+	    <command>named</command>. This means that if either of the
+	    keys in <filename>/etc/bind.keys</filename> is revoked
+	    and rolled over, it will be necessary to update
+	    <filename>/etc/bind.keys</filename> to use DNSSEC
+	    validation in <command>delve</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-b</term>
+	<listitem>
+	  <para>
+	    Sets the source IP address of the query to
+	    <parameter>address</parameter>.  This must be a valid address
+	    on one of the host's network interfaces or "0.0.0.0" or "::".
+	    An optional source port may be specified by appending
+	    "#&lt;port&gt;"
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-c</term>
+	<listitem>
+	  <para>
+	    Sets the query class for the requested data. Currently,
+	    only class "IN" is supported in <command>delve</command>
+	    and any other value is ignored.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-i</term>
+	<listitem>
+	  <para>
+	    Insecure mode. This disables internal DNSSEC validation.
+	    (Note, however, this does not set the CD bit on upstream
+	    queries. If the server being queried is performing DNSSEC
+	    validation, then it will not return invalid data; this
+	    can cause <command>delve</command> to time out. When it
+	    is necessary to examine invalid data to debug a DNSSEC
+	    problem, use <command>dig +cd</command>.)
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-m</term>
+	<listitem>
+	  <para>
+	    Enables memory usage debugging.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-p</term>
+	<listitem>
+	  <para>
+	    Specifies a destination port to use for queries instead of
+	    the standard DNS port number 53.  This option would be used
+	    with a name server that has been configured to listen
+	    for queries on a non-standard port number.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-4</term>
+	<listitem>
+	  <para>
+	    Forces <command>delve</command> to only use IPv4.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-6</term>
+	<listitem>
+	  <para>
+	    Forces <command>delve</command> to only use IPv6.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-q</term>
+	<listitem>
+	  <para>
+	    Sets the query name to <parameter>name</parameter>.
+	    While the query name can be specified without using the
+	    <option>-q</option>, it is sometimes necessary to disambiguate
+	    names from types or classes (for example, when looking up the
+	    name "ns", which could be misinterpreted as the type NS,
+	    or "ch", which could be misinterpreted as class CH).
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-t</term>
+	<listitem>
+	  <para>
+	    Sets the query type to <parameter>type</parameter>, which
+	    can be any valid query type supported in BIND 9 except
+	    for zone transfer types AXFR and IXFR. As with
+	    <option>-q</option>, this is useful to distinguish
+	    query name type or class when they are ambiguous.
+	    it is sometimes necessary to disambiguate names from types.
+	  </para>
+	  <para>
+	    The default query type is "A", unless the <option>-x</option>
+	    option is supplied to indicate a reverse lookup, in which case
+	    it is "PTR".
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-x</term>
+	<listitem>
+	  <para>
+	    Performs a reverse lookup, mapping an addresses to
+	    a name.  <parameter>addr</parameter> is an IPv4 address in
+	    dotted-decimal notation, or a colon-delimited IPv6 address.
+	    When <option>-x</option> is used, there is no need to provide
+	    the <parameter>name</parameter> or <parameter>type</parameter>
+	    arguments.  <command>delve</command> automatically performs a
+	    lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal>
+	    and sets the query type to PTR.  IPv6 addresses are looked up
+	    using nibble format under the IP6.ARPA domain.
+	  </para>
+	</listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>QUERY OPTIONS</title>
+
+    <para><command>delve</command>
+      provides a number of query options which affect the way results are
+      displayed, and in some cases the way lookups are performed.
+    </para>
+
+    <para>
+      Each query option is identified by a keyword preceded by a plus sign
+      (<literal>+</literal>).  Some keywords set or reset an
+      option.  These may be preceded by the string
+      <literal>no</literal> to negate the meaning of that keyword.
+      Other keywords assign values to options like the timeout interval.
+      They have the form <option>+keyword=value</option>.
+      The query options are:
+
+      <variablelist>
+	<varlistentry>
+	  <term><option>+[no]cdflag</option></term>
+	  <listitem>
+	    <para>
+	      Controls whether to set the CD (checking disabled) bit in
+	      queries sent by <command>delve</command>. This may be useful
+	      when troubleshooting DNSSEC problems from behind a validating
+	      resolver. A validating resolver will block invalid responses,
+	      making it difficult to retrieve them for analysis. Setting
+	      the CD flag on queries will cause the resolver to return
+	      invalid responses, which <command>delve</command> can then
+	      validate internally and report the errors in detail.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]class</option></term>
+	  <listitem>
+	    <para>
+	      Controls whether to display the CLASS when printing
+	      a record. The default is to display the CLASS.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]ttl</option></term>
+	  <listitem>
+	    <para>
+	      Controls whether to display the TTL when printing
+	      a record. The default is to display the TTL.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]rtrace</option></term>
+	  <listitem>
+	    <para>
+	      Toggle resolver fetch logging. This reports the
+	      name and type of each query sent by <command>delve</command>
+	      in the process of carrying out the resolution and validation
+	      process: this includes including the original query and
+	      all subsequent queries to follow CNAMEs and to establish a
+	      chain of trust for DNSSEC validation.
+	    </para>
+	    <para>
+	      This is equivalent to setting the debug level to 1 in
+	      the "resolver" logging category. Setting the systemwide
+	      debug level to 1 using the <option>-d</option> option will
+	      product the same output (but will affect other logging
+	      categories as well).
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]mtrace</option></term>
+	  <listitem>
+	    <para>
+	      Toggle message logging. This produces a detailed dump of
+	      the responses received by <command>delve</command> in the
+	      process of carrying out the resolution and validation process.
+	    </para>
+	    <para>
+	      This is equivalent to setting the debug level to 10
+	      for the the "packets" module of the "resolver" logging
+	      category. Setting the systemwide debug level to 10 using
+	      the <option>-d</option> option will produce the same output
+	      (but will affect other logging categories as well).
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]vtrace</option></term>
+	  <listitem>
+	    <para>
+	      Toggle validation logging. This shows the internal
+	      process of the validator as it determines whether an
+	      answer is validly signed, unsigned, or invalid.
+	    </para>
+	    <para>
+	      This is equivalent to setting the debug level to 3
+	      for the the "validator" module of the "dnssec" logging
+	      category. Setting the systemwide debug level to 3 using
+	      the <option>-d</option> option will produce the same output
+	      (but will affect other logging categories as well).
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]short</option></term>
+	  <listitem>
+	    <para>
+	      Provide a terse answer.  The default is to print the answer in a
+	      verbose form.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]comments</option></term>
+	  <listitem>
+	    <para>
+	      Toggle the display of comment lines in the output.  The default
+	      is to print comments.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]rrcomments</option></term>
+	  <listitem>
+	    <para>
+	      Toggle the display of per-record comments in the output (for
+	      example, human-readable key information about DNSKEY records).
+	      The default is to print per-record comments.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]crypto</option></term>
+	  <listitem>
+	    <para>
+	      Toggle the display of cryptographic fields in DNSSEC records.
+	      The contents of these field are unnecessary to debug most DNSSEC
+	      validation failures and removing them makes it easier to see
+	      the common failures.  The default is to display the fields.
+	      When omitted they are replaced by the string "[omitted]" or
+	      in the DNSKEY case the key id is displayed as the replacement,
+	      e.g. "[ key id = value ]".
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]trust</option></term>
+	  <listitem>
+	    <para>
+	      Controls whether to display the trust level when printing
+	      a record. The default is to display the trust level.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]split[=W]</option></term>
+	  <listitem>
+	    <para>
+	      Split long hex- or base64-formatted fields in resource
+	      records into chunks of <parameter>W</parameter> characters
+	      (where <parameter>W</parameter> is rounded up to the nearest
+	      multiple of 4).
+	      <parameter>+nosplit</parameter> or
+	      <parameter>+split=0</parameter> causes fields not to be
+	      split at all.  The default is 56 characters, or 44 characters
+	      when multiline mode is active.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]all</option></term>
+	  <listitem>
+	    <para>
+	      Set or clear the display options
+	      <option>+[no]comments</option>, 
+	      <option>+[no]rrcomments</option>, and
+	      <option>+[no]trust</option> as a group.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]multiline</option></term>
+	  <listitem>
+	    <para>
+	      Print long records (such as RRSIG, DNSKEY, and SOA records)
+	      in a verbose multi-line format with human-readable comments.
+	      The default is to print each record on a single line, to
+	      facilitate machine parsing of the <command>delve</command>
+	      output.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]dnssec</option></term>
+	  <listitem>
+	    <para>
+	      Indicates whether to display RRSIG records in the
+	      <command>delve</command> output.  The default is to
+	      do so.  Note that (unlike in <command>dig</command>)
+	      this does <emphasis>not</emphasis> control whether to
+	      request DNSSEC records or whether to validate them.
+	      DNSSEC records are always requested, and validation
+	      will always occur unless suppressed by the use of
+	      <option>-i</option> or <option>+noroot</option> and
+	      <option>+nodlv</option>.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]root[=ROOT]</option></term>
+	  <listitem>
+	    <para>
+	      Indicates whether to perform conventional (non-
+	      lookaside) DNSSEC validation, and if so, specifies the
+	      name of a trust anchor.  The default is to validate using
+	      a trust anchor of "." (the root zone), for which there is
+	      a built-in key.  If specifying a different trust anchor,
+	      then <option>-a</option> must be used to specify a file
+	      containing the key.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]dlv[=DLV]</option></term>
+	  <listitem>
+	    <para>
+	      Indicates whether to perform DNSSEC lookaside validation,
+	      and if so, specifies the name of the DLV trust anchor.
+	      The default is to perform lookaside validation using
+	      a trust anchor of "dlv.isc.org", for which there is a
+	      built-in key.  If specifying a different name, then
+	      <option>-a</option> must be used to specify a file
+	      containing the DLV key.
+	    </para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
+
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+    <para><filename>/etc/bind.keys</filename></para>
+    <para><filename>/etc/resolv.conf</filename></para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+	<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>RFC4034</citetitle>,
+      <citetitle>RFC4035</citetitle>,
+      <citetitle>RFC4431</citetitle>,
+      <citetitle>RFC5074</citetitle>,
+      <citetitle>RFC5155</citetitle>.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/delve/delve.html b/bin/delve/delve.html
new file mode 100644
index 0000000000..34c30d2cdd
--- /dev/null
+++ b/bin/delve/delve.html
@@ -0,0 +1,445 @@
+<!--
+ - Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>delve</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.delve"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p>delve &#8212; DNS lookup and validation utility</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">delve</code>  [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">delve</code>  [<code class="option">-h</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">delve</code>  [queryopt...] [query...]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543478"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">delve</strong></span>
+      (Domain Entity Lookup &amp; Validation Engine) is a tool for sending
+      DNS queries and validating the results, using the the same internal
+      resolver and validator logic as <span><strong class="command">named</strong></span>.
+    </p>
+<p>
+      <span><strong class="command">delve</strong></span> will send to a specified name server all
+      queries needed to fetch and validate the requested data; this
+      includes the original requested query, subsequent queries to follow
+      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
+      to establish a chain of trust for DNSSEC validation.
+      It does not perform iterative resolution, but simulates the
+      behavior of a name server configured for DNSSEC validating and
+      forwarding.
+    </p>
+<p>
+      By default, responses are validated using built-in DNSSEC trust
+      anchors for the root zone (".") and for the ISC DNSSEC lookaside
+      validation zone ("dlv.isc.org").  Records returned by
+      <span><strong class="command">delve</strong></span> are either fully validated or
+      were not signed.  If validation fails, an explanation of
+      the failure is included in the output; the validation process
+      can be traced in detail.  Because <span><strong class="command">delve</strong></span> does
+      not rely on an external server to carry out validation, it can
+      be used to check the validity of DNS responses in environments
+      where local name servers may not be trustworthy.
+    </p>
+<p>
+      Unless it is told to query a specific name server,
+      <span><strong class="command">delve</strong></span> will try each of the servers listed in
+      <code class="filename">/etc/resolv.conf</code>. If no usable server
+      addresses are found, <span><strong class="command">delve</strong></span> will send
+      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
+      for IPv6).
+    </p>
+<p>
+      When no command line arguments or options are given,
+      <span><strong class="command">delve</strong></span> will perform an NS query for "."
+      (the root zone).
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543531"></a><h2>SIMPLE USAGE</h2>
+<p>
+      A typical invocation of <span><strong class="command">delve</strong></span> looks like:
+      </p>
+<pre class="programlisting"> delve @server name type </pre>
+<p>
+      where:
+
+      </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="constant">server</code></span></dt>
+<dd>
+<p>
+	      is the name or IP address of the name server to query.  This
+	      can be an IPv4 address in dotted-decimal notation or an IPv6
+	      address in colon-delimited notation.  When the supplied
+	      <em class="parameter"><code>server</code></em> argument is a hostname,
+	      <span><strong class="command">delve</strong></span> resolves that name before
+	      querying that name server (note, however, that this
+	      initial lookup is <span class="emphasis"><em>not</em></span> validated
+	      by DNSSEC).
+	    </p>
+<p>
+	      If no <em class="parameter"><code>server</code></em> argument is
+	      provided, <span><strong class="command">delve</strong></span> consults
+	      <code class="filename">/etc/resolv.conf</code>; if an
+	      address is found there, it queries the name server at
+	      that address. If either of the <code class="option">-4</code> or
+	      <code class="option">-6</code> options are in use, then
+	      only addresses for the corresponding transport
+	      will be tried.  If no usable addresses are found,
+	      <span><strong class="command">delve</strong></span> will send queries to
+	      the localhost addresses (127.0.0.1 for IPv4,
+	      ::1 for IPv6).
+	    </p>
+</dd>
+<dt><span class="term"><code class="constant">name</code></span></dt>
+<dd><p>
+	      is the domain name to be looked up.
+	    </p></dd>
+<dt><span class="term"><code class="constant">type</code></span></dt>
+<dd><p>
+	      indicates what type of query is required &#8212;
+	      ANY, A, MX, etc.
+	      <em class="parameter"><code>type</code></em> can be any valid query
+	      type.  If no
+	      <em class="parameter"><code>type</code></em> argument is supplied,
+	      <span><strong class="command">delve</strong></span> will perform a lookup for an
+	      A record.
+	    </p></dd>
+</dl></div>
+<p>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543640"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a</span></dt>
+<dd>
+<p>
+	    Specifies a file from which to read DNSSEC trust anchors.
+	    The default is <code class="filename">/etc/bind.keys</code>, which
+	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
+	    trust anchors for the root zone (".") and for the ISC
+	    DNSSEC lookaside validation zone ("dlv.isc.org").
+	  </p>
+<p>
+	    Keys that do not match the root or DLV trust-anchor
+	    names are ignored; these key names can be overridden
+	    using the <code class="option">+dlv=NAME</code> or
+	    <code class="option">+root=NAME</code> options.
+	  </p>
+<p>
+	    Note: When reading the trust anchor file,
+	    <span><strong class="command">delve</strong></span> treats <code class="option">managed-keys</code>
+	    statements and <code class="option">trusted-keys</code> statements
+	    identically.  That is, for a managed key, it is the
+	    <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
+	    key management is not supported. <span><strong class="command">delve</strong></span>
+	    will not consult the managed-keys database maintained by
+	    <span><strong class="command">named</strong></span>. This means that if either of the
+	    keys in <code class="filename">/etc/bind.keys</code> is revoked
+	    and rolled over, it will be necessary to update
+	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
+	    validation in <span><strong class="command">delve</strong></span>.
+	  </p>
+</dd>
+<dt><span class="term">-b</span></dt>
+<dd><p>
+	    Sets the source IP address of the query to
+	    <em class="parameter"><code>address</code></em>.  This must be a valid address
+	    on one of the host's network interfaces or "0.0.0.0" or "::".
+	    An optional source port may be specified by appending
+	    "#&lt;port&gt;"
+	  </p></dd>
+<dt><span class="term">-c</span></dt>
+<dd><p>
+	    Sets the query class for the requested data. Currently,
+	    only class "IN" is supported in <span><strong class="command">delve</strong></span>
+	    and any other value is ignored.
+	  </p></dd>
+<dt><span class="term">-i</span></dt>
+<dd><p>
+	    Insecure mode. This disables internal DNSSEC validation.
+	    (Note, however, this does not set the CD bit on upstream
+	    queries. If the server being queried is performing DNSSEC
+	    validation, then it will not return invalid data; this
+	    can cause <span><strong class="command">delve</strong></span> to time out. When it
+	    is necessary to examine invalid data to debug a DNSSEC
+	    problem, use <span><strong class="command">dig +cd</strong></span>.)
+	  </p></dd>
+<dt><span class="term">-m</span></dt>
+<dd><p>
+	    Enables memory usage debugging.
+	  </p></dd>
+<dt><span class="term">-p</span></dt>
+<dd><p>
+	    Specifies a destination port to use for queries instead of
+	    the standard DNS port number 53.  This option would be used
+	    with a name server that has been configured to listen
+	    for queries on a non-standard port number.
+	  </p></dd>
+<dt><span class="term">-4</span></dt>
+<dd><p>
+	    Forces <span><strong class="command">delve</strong></span> to only use IPv4.
+	  </p></dd>
+<dt><span class="term">-6</span></dt>
+<dd><p>
+	    Forces <span><strong class="command">delve</strong></span> to only use IPv6.
+	  </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+	    Sets the query name to <em class="parameter"><code>name</code></em>.
+	    While the query name can be specified without using the
+	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
+	    names from types or classes (for example, when looking up the
+	    name "ns", which could be misinterpreted as the type NS,
+	    or "ch", which could be misinterpreted as class CH).
+	  </p></dd>
+<dt><span class="term">-t</span></dt>
+<dd>
+<p>
+	    Sets the query type to <em class="parameter"><code>type</code></em>, which
+	    can be any valid query type supported in BIND 9 except
+	    for zone transfer types AXFR and IXFR. As with
+	    <code class="option">-q</code>, this is useful to distinguish
+	    query name type or class when they are ambiguous.
+	    it is sometimes necessary to disambiguate names from types.
+	  </p>
+<p>
+	    The default query type is "A", unless the <code class="option">-x</code>
+	    option is supplied to indicate a reverse lookup, in which case
+	    it is "PTR".
+	  </p>
+</dd>
+<dt><span class="term">-x</span></dt>
+<dd><p>
+	    Performs a reverse lookup, mapping an addresses to
+	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
+	    dotted-decimal notation, or a colon-delimited IPv6 address.
+	    When <code class="option">-x</code> is used, there is no need to provide
+	    the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
+	    arguments.  <span><strong class="command">delve</strong></span> automatically performs a
+	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
+	    and sets the query type to PTR.  IPv6 addresses are looked up
+	    using nibble format under the IP6.ARPA domain.
+	  </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544042"></a><h2>QUERY OPTIONS</h2>
+<p><span><strong class="command">delve</strong></span>
+      provides a number of query options which affect the way results are
+      displayed, and in some cases the way lookups are performed.
+    </p>
+<p>
+      Each query option is identified by a keyword preceded by a plus sign
+      (<code class="literal">+</code>).  Some keywords set or reset an
+      option.  These may be preceded by the string
+      <code class="literal">no</code> to negate the meaning of that keyword.
+      Other keywords assign values to options like the timeout interval.
+      They have the form <code class="option">+keyword=value</code>.
+      The query options are:
+
+      </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
+<dd><p>
+	      Controls whether to set the CD (checking disabled) bit in
+	      queries sent by <span><strong class="command">delve</strong></span>. This may be useful
+	      when troubleshooting DNSSEC problems from behind a validating
+	      resolver. A validating resolver will block invalid responses,
+	      making it difficult to retrieve them for analysis. Setting
+	      the CD flag on queries will cause the resolver to return
+	      invalid responses, which <span><strong class="command">delve</strong></span> can then
+	      validate internally and report the errors in detail.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]class</code></span></dt>
+<dd><p>
+	      Controls whether to display the CLASS when printing
+	      a record. The default is to display the CLASS.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
+<dd><p>
+	      Controls whether to display the TTL when printing
+	      a record. The default is to display the TTL.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
+<dd>
+<p>
+	      Toggle resolver fetch logging. This reports the
+	      name and type of each query sent by <span><strong class="command">delve</strong></span>
+	      in the process of carrying out the resolution and validation
+	      process: this includes including the original query and
+	      all subsequent queries to follow CNAMEs and to establish a
+	      chain of trust for DNSSEC validation.
+	    </p>
+<p>
+	      This is equivalent to setting the debug level to 1 in
+	      the "resolver" logging category. Setting the systemwide
+	      debug level to 1 using the <code class="option">-d</code> option will
+	      product the same output (but will affect other logging
+	      categories as well).
+	    </p>
+</dd>
+<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
+<dd>
+<p>
+	      Toggle message logging. This produces a detailed dump of
+	      the responses received by <span><strong class="command">delve</strong></span> in the
+	      process of carrying out the resolution and validation process.
+	    </p>
+<p>
+	      This is equivalent to setting the debug level to 10
+	      for the the "packets" module of the "resolver" logging
+	      category. Setting the systemwide debug level to 10 using
+	      the <code class="option">-d</code> option will produce the same output
+	      (but will affect other logging categories as well).
+	    </p>
+</dd>
+<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
+<dd>
+<p>
+	      Toggle validation logging. This shows the internal
+	      process of the validator as it determines whether an
+	      answer is validly signed, unsigned, or invalid.
+	    </p>
+<p>
+	      This is equivalent to setting the debug level to 3
+	      for the the "validator" module of the "dnssec" logging
+	      category. Setting the systemwide debug level to 3 using
+	      the <code class="option">-d</code> option will produce the same output
+	      (but will affect other logging categories as well).
+	    </p>
+</dd>
+<dt><span class="term"><code class="option">+[no]short</code></span></dt>
+<dd><p>
+	      Provide a terse answer.  The default is to print the answer in a
+	      verbose form.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
+<dd><p>
+	      Toggle the display of comment lines in the output.  The default
+	      is to print comments.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
+<dd><p>
+	      Toggle the display of per-record comments in the output (for
+	      example, human-readable key information about DNSKEY records).
+	      The default is to print per-record comments.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
+<dd><p>
+	      Toggle the display of cryptographic fields in DNSSEC records.
+	      The contents of these field are unnecessary to debug most DNSSEC
+	      validation failures and removing them makes it easier to see
+	      the common failures.  The default is to display the fields.
+	      When omitted they are replaced by the string "[omitted]" or
+	      in the DNSKEY case the key id is displayed as the replacement,
+	      e.g. "[ key id = value ]".
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
+<dd><p>
+	      Controls whether to display the trust level when printing
+	      a record. The default is to display the trust level.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
+<dd><p>
+	      Split long hex- or base64-formatted fields in resource
+	      records into chunks of <em class="parameter"><code>W</code></em> characters
+	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
+	      multiple of 4).
+	      <em class="parameter"><code>+nosplit</code></em> or
+	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
+	      split at all.  The default is 56 characters, or 44 characters
+	      when multiline mode is active.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]all</code></span></dt>
+<dd><p>
+	      Set or clear the display options
+	      <code class="option">+[no]comments</code>, 
+	      <code class="option">+[no]rrcomments</code>, and
+	      <code class="option">+[no]trust</code> as a group.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
+<dd><p>
+	      Print long records (such as RRSIG, DNSKEY, and SOA records)
+	      in a verbose multi-line format with human-readable comments.
+	      The default is to print each record on a single line, to
+	      facilitate machine parsing of the <span><strong class="command">delve</strong></span>
+	      output.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
+<dd><p>
+	      Indicates whether to display RRSIG records in the
+	      <span><strong class="command">delve</strong></span> output.  The default is to
+	      do so.  Note that (unlike in <span><strong class="command">dig</strong></span>)
+	      this does <span class="emphasis"><em>not</em></span> control whether to
+	      request DNSSEC records or whether to validate them.
+	      DNSSEC records are always requested, and validation
+	      will always occur unless suppressed by the use of
+	      <code class="option">-i</code> or <code class="option">+noroot</code> and
+	      <code class="option">+nodlv</code>.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
+<dd><p>
+	      Indicates whether to perform conventional (non-
+	      lookaside) DNSSEC validation, and if so, specifies the
+	      name of a trust anchor.  The default is to validate using
+	      a trust anchor of "." (the root zone), for which there is
+	      a built-in key.  If specifying a different trust anchor,
+	      then <code class="option">-a</code> must be used to specify a file
+	      containing the key.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
+<dd><p>
+	      Indicates whether to perform DNSSEC lookaside validation,
+	      and if so, specifies the name of the DLV trust anchor.
+	      The default is to perform lookaside validation using
+	      a trust anchor of "dlv.isc.org", for which there is a
+	      built-in key.  If specifying a different name, then
+	      <code class="option">-a</code> must be used to specify a file
+	      containing the DLV key.
+	    </p></dd>
+</dl></div>
+<p>
+
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544529"></a><h2>FILES</h2>
+<p><code class="filename">/etc/bind.keys</code></p>
+<p><code class="filename">/etc/resolv.conf</code></p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544544"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <em class="citetitle">RFC4034</em>,
+      <em class="citetitle">RFC4035</em>,
+      <em class="citetitle">RFC4431</em>,
+      <em class="citetitle">RFC5074</em>,
+      <em class="citetitle">RFC5155</em>.
+    </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 348c1fd9f7..2ddec12f71 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1637,7 +1637,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 		debug("main parsing %s", rv[0]);
 		if (strncmp(rv[0], "%", 1) == 0)
 			break;
-		if (strncmp(rv[0], "@", 1) == 0) {
+		if (argv[0][0] == '@') {
 			addresscount = getaddresses(lookup, &rv[0][1], NULL);
 		} else if (rv[0][0] == '+') {
 			plus_option(&rv[0][1], is_batchfile,
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index c30c66b8f6..efc58bcf3f 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -132,10 +132,7 @@ main.@O@: main.c
 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
 		-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
 
-bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/bindkeys.pl
-	${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@
-
-config.@O@: config.c bind.keys.h
+config.@O@: config.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
 		-DVERSION=\"${VERSION}\" \
 		-DSRCID=\"${SRCID}\" \
@@ -161,7 +158,6 @@ clean distclean maintainer-clean::
 	rm -f ${TARGETS} ${OBJS}
 
 maintainer-clean::
-	rm -f bind.keys.h
 
 bind9.xsl.h: bind9.xsl ${srcdir}/convertxsl.pl
 	${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
diff --git a/bin/named/config.c b/bin/named/config.c
index 20395c5253..22d31bed69 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -47,7 +47,7 @@
 #include <named/config.h>
 #include <named/globals.h>
 
-#include "bind.keys.h"
+#include <bind.keys.h>
 
 /*% default configuration */
 static char defaultconf[] = "\
diff --git a/bin/named/server.c b/bin/named/server.c
index cb0b2c2aa1..604fb58940 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -5358,9 +5358,10 @@ load_configuration(const char *filename, ns_server_t *server,
 	maps[i] = NULL;
 
 	/*
-	 * If bind.keys exists, load it.  If "dnssec-lookaside auto"
-	 * is turned on, the keys found there will be used as default
-	 * trust anchors.
+	 * If bind.keys exists, load it.  If "dnssec-validation auto"
+	 * is turned on, the root key found there will be used as a
+	 * default trust anchor, and if "dnssec-lookaside auto" is
+	 * turned on, then the DLV key found there will too.
 	 */
 	obj = NULL;
 	result = ns_config_get(maps, "bindkeys-file", &obj);
diff --git a/bin/named/bind.keys.h b/bind.keys.h
similarity index 100%
rename from bin/named/bind.keys.h
rename to bind.keys.h
diff --git a/configure b/configure
index 02be74a94d..598d044875 100755
--- a/configure
+++ b/configure
@@ -670,6 +670,7 @@ BIND9_MAJOR
 BIND9_VERSION
 BIND9_DESCRIPTION
 BIND9_PRODUCT
+BIND9_IRS_BUILDINCLUDE
 BIND9_BIND9_BUILDINCLUDE
 BIND9_LWRES_BUILDINCLUDE
 BIND9_DNS_BUILDINCLUDE
@@ -19753,6 +19754,7 @@ BIND9_TOP_BUILDDIR=`pwd`
 
 
 
+
 if test "X$srcdir" != "X"; then
 	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
 	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
@@ -19760,6 +19762,7 @@ if test "X$srcdir" != "X"; then
 	BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
 	BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
 	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
+	BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
 else
 	BIND9_ISC_BUILDINCLUDE=""
 	BIND9_ISCCC_BUILDINCLUDE=""
@@ -19767,6 +19770,7 @@ else
 	BIND9_DNS_BUILDINCLUDE=""
 	BIND9_LWRES_BUILDINCLUDE=""
 	BIND9_BIND9_BUILDINCLUDE=""
+	BIND9_IRS_BUILDINCLUDE=""
 fi
 
 
@@ -20992,7 +20996,7 @@ ac_config_commands="$ac_config_commands chmod"
 # elsewhere if there's a good reason for doing so.
 #
 
-ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dlzredir/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
+ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delve/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dlzredir/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
 
 
 #
@@ -21992,6 +21996,7 @@ do
     "bin/check/Makefile") CONFIG_FILES="$CONFIG_FILES bin/check/Makefile" ;;
     "bin/confgen/Makefile") CONFIG_FILES="$CONFIG_FILES bin/confgen/Makefile" ;;
     "bin/confgen/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/confgen/unix/Makefile" ;;
+    "bin/delve/Makefile") CONFIG_FILES="$CONFIG_FILES bin/delve/Makefile" ;;
     "bin/dig/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dig/Makefile" ;;
     "bin/dnssec/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;;
     "bin/named/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/Makefile" ;;
diff --git a/configure.in b/configure.in
index 5b5ed52ed7..6f31037b9c 100644
--- a/configure.in
+++ b/configure.in
@@ -3664,6 +3664,7 @@ AC_SUBST(BIND9_ISCCFG_BUILDINCLUDE)
 AC_SUBST(BIND9_DNS_BUILDINCLUDE)
 AC_SUBST(BIND9_LWRES_BUILDINCLUDE)
 AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
+AC_SUBST(BIND9_IRS_BUILDINCLUDE)
 if test "X$srcdir" != "X"; then
 	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
 	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
@@ -3671,6 +3672,7 @@ if test "X$srcdir" != "X"; then
 	BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
 	BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
 	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
+	BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
 else
 	BIND9_ISC_BUILDINCLUDE=""
 	BIND9_ISCCC_BUILDINCLUDE=""
@@ -3678,6 +3680,7 @@ else
 	BIND9_DNS_BUILDINCLUDE=""
 	BIND9_LWRES_BUILDINCLUDE=""
 	BIND9_BIND9_BUILDINCLUDE=""
+	BIND9_IRS_BUILDINCLUDE=""
 fi
 
 AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
@@ -4042,6 +4045,7 @@ AC_CONFIG_FILES([
 	bin/check/Makefile
 	bin/confgen/Makefile
 	bin/confgen/unix/Makefile
+	bin/delve/Makefile
 	bin/dig/Makefile
 	bin/dnssec/Makefile
 	bin/named/Makefile
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 21e0ce8a8e..75c091e942 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -17529,6 +17529,7 @@ zone "example.com" {
       <title>Manual pages</title>
       <xi:include href="../../bin/dig/dig.docbook"/>
       <xi:include href="../../bin/dig/host.docbook"/>
+      <xi:include href="../../bin/delve/delve.docbook"/>
       <xi:include href="../../bin/python/dnssec-checkds.docbook"/>
       <xi:include href="../../bin/python/dnssec-coverage.docbook"/>
       <xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/>
diff --git a/doc/arm/man.delve.html b/doc/arm/man.delve.html
new file mode 100644
index 0000000000..c5f6cb6b1a
--- /dev/null
+++ b/doc/arm/man.delve.html
@@ -0,0 +1,483 @@
+<!--
+ - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>delve</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.host.html" title="host">
+<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center">delve</th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.host.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.delve"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p>delve &#8212; DNS lookup and validation utility</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">delve</code>  [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">delve</code>  [<code class="option">-h</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">delve</code>  [queryopt...] [query...]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2614254"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">delve</strong></span>
+      (Domain Entity Lookup &amp; Validation Engine) is a tool for sending
+      DNS queries and validating the results, using the the same internal
+      resolver and validator logic as <span><strong class="command">named</strong></span>.
+    </p>
+<p>
+      <span><strong class="command">delve</strong></span> will send to a specified name server all
+      queries needed to fetch and validate the requested data; this
+      includes the original requested query, subsequent queries to follow
+      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
+      to establish a chain of trust for DNSSEC validation.
+      It does not perform iterative resolution, but simulates the
+      behavior of a name server configured for DNSSEC validating and
+      forwarding.
+    </p>
+<p>
+      By default, responses are validated using built-in DNSSEC trust
+      anchors for the root zone (".") and for the ISC DNSSEC lookaside
+      validation zone ("dlv.isc.org").  Records returned by
+      <span><strong class="command">delve</strong></span> are either fully validated or
+      were not signed.  If validation fails, an explanation of
+      the failure is included in the output; the validation process
+      can be traced in detail.  Because <span><strong class="command">delve</strong></span> does
+      not rely on an external server to carry out validation, it can
+      be used to check the validity of DNS responses in environments
+      where local name servers may not be trustworthy.
+    </p>
+<p>
+      Unless it is told to query a specific name server,
+      <span><strong class="command">delve</strong></span> will try each of the servers listed in
+      <code class="filename">/etc/resolv.conf</code>. If no usable server
+      addresses are found, <span><strong class="command">delve</strong></span> will send
+      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
+      for IPv6).
+    </p>
+<p>
+      When no command line arguments or options are given,
+      <span><strong class="command">delve</strong></span> will perform an NS query for "."
+      (the root zone).
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2614327"></a><h2>SIMPLE USAGE</h2>
+<p>
+      A typical invocation of <span><strong class="command">delve</strong></span> looks like:
+      </p>
+<pre class="programlisting"> delve @server name type </pre>
+<p>
+      where:
+
+      </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="constant">server</code></span></dt>
+<dd>
+<p>
+	      is the name or IP address of the name server to query.  This
+	      can be an IPv4 address in dotted-decimal notation or an IPv6
+	      address in colon-delimited notation.  When the supplied
+	      <em class="parameter"><code>server</code></em> argument is a hostname,
+	      <span><strong class="command">delve</strong></span> resolves that name before
+	      querying that name server (note, however, that this
+	      initial lookup is <span class="emphasis"><em>not</em></span> validated
+	      by DNSSEC).
+	    </p>
+<p>
+	      If no <em class="parameter"><code>server</code></em> argument is
+	      provided, <span><strong class="command">delve</strong></span> consults
+	      <code class="filename">/etc/resolv.conf</code>; if an
+	      address is found there, it queries the name server at
+	      that address. If either of the <code class="option">-4</code> or
+	      <code class="option">-6</code> options are in use, then
+	      only addresses for the corresponding transport
+	      will be tried.  If no usable addresses are found,
+	      <span><strong class="command">delve</strong></span> will send queries to
+	      the localhost addresses (127.0.0.1 for IPv4,
+	      ::1 for IPv6).
+	    </p>
+</dd>
+<dt><span class="term"><code class="constant">name</code></span></dt>
+<dd><p>
+	      is the domain name to be looked up.
+	    </p></dd>
+<dt><span class="term"><code class="constant">type</code></span></dt>
+<dd><p>
+	      indicates what type of query is required &#8212;
+	      ANY, A, MX, etc.
+	      <em class="parameter"><code>type</code></em> can be any valid query
+	      type.  If no
+	      <em class="parameter"><code>type</code></em> argument is supplied,
+	      <span><strong class="command">delve</strong></span> will perform a lookup for an
+	      A record.
+	    </p></dd>
+</dl></div>
+<p>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2614800"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a</span></dt>
+<dd>
+<p>
+	    Specifies a file from which to read DNSSEC trust anchors.
+	    The default is <code class="filename">/etc/bind.keys</code>, which
+	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
+	    trust anchors for the root zone (".") and for the ISC
+	    DNSSEC lookaside validation zone ("dlv.isc.org").
+	  </p>
+<p>
+	    Keys that do not match the root or DLV trust-anchor
+	    names are ignored; these key names can be overridden
+	    using the <code class="option">+dlv=NAME</code> or
+	    <code class="option">+root=NAME</code> options.
+	  </p>
+<p>
+	    Note: When reading the trust anchor file,
+	    <span><strong class="command">delve</strong></span> treats <code class="option">managed-keys</code>
+	    statements and <code class="option">trusted-keys</code> statements
+	    identically.  That is, for a managed key, it is the
+	    <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
+	    key management is not supported. <span><strong class="command">delve</strong></span>
+	    will not consult the managed-keys database maintained by
+	    <span><strong class="command">named</strong></span>. This means that if either of the
+	    keys in <code class="filename">/etc/bind.keys</code> is revoked
+	    and rolled over, it will be necessary to update
+	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
+	    validation in <span><strong class="command">delve</strong></span>.
+	  </p>
+</dd>
+<dt><span class="term">-b</span></dt>
+<dd><p>
+	    Sets the source IP address of the query to
+	    <em class="parameter"><code>address</code></em>.  This must be a valid address
+	    on one of the host's network interfaces or "0.0.0.0" or "::".
+	    An optional source port may be specified by appending
+	    "#&lt;port&gt;"
+	  </p></dd>
+<dt><span class="term">-c</span></dt>
+<dd><p>
+	    Sets the query class for the requested data. Currently,
+	    only class "IN" is supported in <span><strong class="command">delve</strong></span>
+	    and any other value is ignored.
+	  </p></dd>
+<dt><span class="term">-i</span></dt>
+<dd><p>
+	    Insecure mode. This disables internal DNSSEC validation.
+	    (Note, however, this does not set the CD bit on upstream
+	    queries. If the server being queried is performing DNSSEC
+	    validation, then it will not return invalid data; this
+	    can cause <span><strong class="command">delve</strong></span> to time out. When it
+	    is necessary to examine invalid data to debug a DNSSEC
+	    problem, use <span><strong class="command">dig +cd</strong></span>.)
+	  </p></dd>
+<dt><span class="term">-m</span></dt>
+<dd><p>
+	    Enables memory usage debugging.
+	  </p></dd>
+<dt><span class="term">-p</span></dt>
+<dd><p>
+	    Specifies a destination port to use for queries instead of
+	    the standard DNS port number 53.  This option would be used
+	    with a name server that has been configured to listen
+	    for queries on a non-standard port number.
+	  </p></dd>
+<dt><span class="term">-4</span></dt>
+<dd><p>
+	    Forces <span><strong class="command">delve</strong></span> to only use IPv4.
+	  </p></dd>
+<dt><span class="term">-6</span></dt>
+<dd><p>
+	    Forces <span><strong class="command">delve</strong></span> to only use IPv6.
+	  </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+	    Sets the query name to <em class="parameter"><code>name</code></em>.
+	    While the query name can be specified without using the
+	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
+	    names from types or classes (for example, when looking up the
+	    name "ns", which could be misinterpreted as the type NS,
+	    or "ch", which could be misinterpreted as class CH).
+	  </p></dd>
+<dt><span class="term">-t</span></dt>
+<dd>
+<p>
+	    Sets the query type to <em class="parameter"><code>type</code></em>, which
+	    can be any valid query type supported in BIND 9 except
+	    for zone transfer types AXFR and IXFR. As with
+	    <code class="option">-q</code>, this is useful to distinguish
+	    query name type or class when they are ambiguous.
+	    it is sometimes necessary to disambiguate names from types.
+	  </p>
+<p>
+	    The default query type is "A", unless the <code class="option">-x</code>
+	    option is supplied to indicate a reverse lookup, in which case
+	    it is "PTR".
+	  </p>
+</dd>
+<dt><span class="term">-x</span></dt>
+<dd><p>
+	    Performs a reverse lookup, mapping an addresses to
+	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
+	    dotted-decimal notation, or a colon-delimited IPv6 address.
+	    When <code class="option">-x</code> is used, there is no need to provide
+	    the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
+	    arguments.  <span><strong class="command">delve</strong></span> automatically performs a
+	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
+	    and sets the query type to PTR.  IPv6 addresses are looked up
+	    using nibble format under the IP6.ARPA domain.
+	  </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2670131"></a><h2>QUERY OPTIONS</h2>
+<p><span><strong class="command">delve</strong></span>
+      provides a number of query options which affect the way results are
+      displayed, and in some cases the way lookups are performed.
+    </p>
+<p>
+      Each query option is identified by a keyword preceded by a plus sign
+      (<code class="literal">+</code>).  Some keywords set or reset an
+      option.  These may be preceded by the string
+      <code class="literal">no</code> to negate the meaning of that keyword.
+      Other keywords assign values to options like the timeout interval.
+      They have the form <code class="option">+keyword=value</code>.
+      The query options are:
+
+      </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
+<dd><p>
+	      Controls whether to set the CD (checking disabled) bit in
+	      queries sent by <span><strong class="command">delve</strong></span>. This may be useful
+	      when troubleshooting DNSSEC problems from behind a validating
+	      resolver. A validating resolver will block invalid responses,
+	      making it difficult to retrieve them for analysis. Setting
+	      the CD flag on queries will cause the resolver to return
+	      invalid responses, which <span><strong class="command">delve</strong></span> can then
+	      validate internally and report the errors in detail.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]class</code></span></dt>
+<dd><p>
+	      Controls whether to display the CLASS when printing
+	      a record. The default is to display the CLASS.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
+<dd><p>
+	      Controls whether to display the TTL when printing
+	      a record. The default is to display the TTL.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
+<dd>
+<p>
+	      Toggle resolver fetch logging. This reports the
+	      name and type of each query sent by <span><strong class="command">delve</strong></span>
+	      in the process of carrying out the resolution and validation
+	      process: this includes including the original query and
+	      all subsequent queries to follow CNAMEs and to establish a
+	      chain of trust for DNSSEC validation.
+	    </p>
+<p>
+	      This is equivalent to setting the debug level to 1 in
+	      the "resolver" logging category. Setting the systemwide
+	      debug level to 1 using the <code class="option">-d</code> option will
+	      product the same output (but will affect other logging
+	      categories as well).
+	    </p>
+</dd>
+<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
+<dd>
+<p>
+	      Toggle message logging. This produces a detailed dump of
+	      the responses received by <span><strong class="command">delve</strong></span> in the
+	      process of carrying out the resolution and validation process.
+	    </p>
+<p>
+	      This is equivalent to setting the debug level to 10
+	      for the the "packets" module of the "resolver" logging
+	      category. Setting the systemwide debug level to 10 using
+	      the <code class="option">-d</code> option will produce the same output
+	      (but will affect other logging categories as well).
+	    </p>
+</dd>
+<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
+<dd>
+<p>
+	      Toggle validation logging. This shows the internal
+	      process of the validator as it determines whether an
+	      answer is validly signed, unsigned, or invalid.
+	    </p>
+<p>
+	      This is equivalent to setting the debug level to 3
+	      for the the "validator" module of the "dnssec" logging
+	      category. Setting the systemwide debug level to 3 using
+	      the <code class="option">-d</code> option will produce the same output
+	      (but will affect other logging categories as well).
+	    </p>
+</dd>
+<dt><span class="term"><code class="option">+[no]short</code></span></dt>
+<dd><p>
+	      Provide a terse answer.  The default is to print the answer in a
+	      verbose form.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
+<dd><p>
+	      Toggle the display of comment lines in the output.  The default
+	      is to print comments.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
+<dd><p>
+	      Toggle the display of per-record comments in the output (for
+	      example, human-readable key information about DNSKEY records).
+	      The default is to print per-record comments.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
+<dd><p>
+	      Toggle the display of cryptographic fields in DNSSEC records.
+	      The contents of these field are unnecessary to debug most DNSSEC
+	      validation failures and removing them makes it easier to see
+	      the common failures.  The default is to display the fields.
+	      When omitted they are replaced by the string "[omitted]" or
+	      in the DNSKEY case the key id is displayed as the replacement,
+	      e.g. "[ key id = value ]".
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
+<dd><p>
+	      Controls whether to display the trust level when printing
+	      a record. The default is to display the trust level.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
+<dd><p>
+	      Split long hex- or base64-formatted fields in resource
+	      records into chunks of <em class="parameter"><code>W</code></em> characters
+	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
+	      multiple of 4).
+	      <em class="parameter"><code>+nosplit</code></em> or
+	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
+	      split at all.  The default is 56 characters, or 44 characters
+	      when multiline mode is active.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]all</code></span></dt>
+<dd><p>
+	      Set or clear the display options
+	      <code class="option">+[no]comments</code>, 
+	      <code class="option">+[no]rrcomments</code>, and
+	      <code class="option">+[no]trust</code> as a group.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
+<dd><p>
+	      Print long records (such as RRSIG, DNSKEY, and SOA records)
+	      in a verbose multi-line format with human-readable comments.
+	      The default is to print each record on a single line, to
+	      facilitate machine parsing of the <span><strong class="command">delve</strong></span>
+	      output.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
+<dd><p>
+	      Indicates whether to display RRSIG records in the
+	      <span><strong class="command">delve</strong></span> output.  The default is to
+	      do so.  Note that (unlike in <span><strong class="command">dig</strong></span>)
+	      this does <span class="emphasis"><em>not</em></span> control whether to
+	      request DNSSEC records or whether to validate them.
+	      DNSSEC records are always requested, and validation
+	      will always occur unless suppressed by the use of
+	      <code class="option">-i</code> or <code class="option">+noroot</code> and
+	      <code class="option">+nodlv</code>.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
+<dd><p>
+	      Indicates whether to perform conventional (non-
+	      lookaside) DNSSEC validation, and if so, specifies the
+	      name of a trust anchor.  The default is to validate using
+	      a trust anchor of "." (the root zone), for which there is
+	      a built-in key.  If specifying a different trust anchor,
+	      then <code class="option">-a</code> must be used to specify a file
+	      containing the key.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
+<dd><p>
+	      Indicates whether to perform DNSSEC lookaside validation,
+	      and if so, specifies the name of the DLV trust anchor.
+	      The default is to perform lookaside validation using
+	      a trust anchor of "dlv.isc.org", for which there is a
+	      built-in key.  If specifying a different name, then
+	      <code class="option">-a</code> must be used to specify a file
+	      containing the DLV key.
+	    </p></dd>
+</dl></div>
+<p>
+
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2670647"></a><h2>FILES</h2>
+<p><code class="filename">/etc/bind.keys</code></p>
+<p><code class="filename">/etc/resolv.conf</code></p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2670666"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <em class="citetitle">RFC4034</em>,
+      <em class="citetitle">RFC4035</em>,
+      <em class="citetitle">RFC4431</em>,
+      <em class="citetitle">RFC5074</em>,
+      <em class="citetitle">RFC5155</em>.
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.host.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">host </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-checkds</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index a473d151c9..e411e274ab 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -2515,9 +2515,9 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 
 	result = isc_taskmgr_excltask(adb->taskmgr, &adb->excl);
 	if (result != ISC_R_SUCCESS) {
-		DP(ISC_LOG_INFO, "adb: task-exclusive mode unavailable, "
-				 "intializing table sizes to %u\n",
-				 nbuckets[11]);
+		DP(DEF_LEVEL, "adb: task-exclusive mode unavailable, "
+			      "intializing table sizes to %u\n",
+			      nbuckets[11]);
 		adb->nentries = nbuckets[11];
 		adb->nnames= nbuckets[11];
 
diff --git a/lib/dns/client.c b/lib/dns/client.c
index cee4fb268d..d153cde9b0 100644
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -21,6 +21,7 @@
 #include <stddef.h>
 
 #include <isc/app.h>
+#include <isc/buffer.h>
 #include <isc/mem.h>
 #include <isc/mutex.h>
 #include <isc/sockaddr.h>
@@ -123,6 +124,8 @@ typedef struct resctx {
 	isc_mutex_t		lock;
 	dns_client_t		*client;
 	isc_boolean_t		want_dnssec;
+	isc_boolean_t		want_validation;
+	isc_boolean_t		want_cdflag;
 
 	/* Locked */
 	ISC_LINK(struct resctx)	link;
@@ -300,12 +303,12 @@ getudpdispatch(int family, dns_dispatchmgr_t *dispatchmgr,
 }
 
 static isc_result_t
-dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-		      unsigned int options, isc_taskmgr_t *taskmgr,
-		      unsigned int ntasks, isc_socketmgr_t *socketmgr,
-		      isc_timermgr_t *timermgr, dns_dispatchmgr_t *dispatchmgr,
-		      dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
-		      dns_view_t **viewp)
+createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+	   unsigned int options, isc_taskmgr_t *taskmgr,
+	   unsigned int ntasks, isc_socketmgr_t *socketmgr,
+	   isc_timermgr_t *timermgr, dns_dispatchmgr_t *dispatchmgr,
+	   dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
+	   dns_view_t **viewp)
 {
 	isc_result_t result;
 	dns_view_t *view = NULL;
@@ -322,9 +325,9 @@ dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		return (result);
 	}
 
-	result = dns_view_createresolver(view, taskmgr, ntasks, 1, socketmgr,
-					 timermgr, 0, dispatchmgr,
-					 dispatchv4, dispatchv6);
+	result = dns_view_createresolver(view, taskmgr, ntasks, 1,
+					 socketmgr, timermgr, 0,
+					 dispatchmgr, dispatchv4, dispatchv6);
 	if (result != ISC_R_SUCCESS) {
 		dns_view_detach(&view);
 		return (result);
@@ -506,10 +509,9 @@ dns_client_createx2(isc_mem_t *mctx, isc_appctx_t *actx,
 	}
 
 	/* Create the default view for class IN */
-	result = dns_client_createview(mctx, dns_rdataclass_in, options,
-				       taskmgr, 31, socketmgr, timermgr,
-				       dispatchmgr, dispatchv4, dispatchv6,
-				       &view);
+	result = createview(mctx, dns_rdataclass_in, options, taskmgr, 31,
+			    socketmgr, timermgr, dispatchmgr,
+			    dispatchv4, dispatchv6, &view);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	ISC_LIST_INIT(client->viewlist);
@@ -674,6 +676,46 @@ dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
 	return (result);
 }
 
+isc_result_t
+dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
+		  const char *dlvname)
+{
+	isc_result_t result;
+	isc_buffer_t b;
+	dns_view_t *view = NULL;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	if (dlvname == NULL)
+		view->dlv = NULL;
+	else {
+		dns_name_t *newdlv;
+
+		isc_buffer_constinit(&b, dlvname, strlen(dlvname));
+		isc_buffer_add(&b, strlen(dlvname));
+		newdlv = dns_fixedname_name(&view->dlv_fixed);
+		result = dns_name_fromtext(newdlv, &b, dns_rootname,
+					   DNS_NAME_DOWNCASE, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		view->dlv = dns_fixedname_name(&view->dlv_fixed);
+	}
+
+ cleanup:
+	if (view != NULL)
+		dns_view_detach(&view);
+
+	return (result);
+}
+
 static isc_result_t
 getrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
 	dns_rdataset_t *rdataset;
@@ -724,6 +766,7 @@ fetch_done(isc_task_t *task, isc_event_t *event) {
 static inline isc_result_t
 start_fetch(resctx_t *rctx) {
 	isc_result_t result;
+	int fopts = 0;
 
 	/*
 	 * The caller must be holding the rctx's lock.
@@ -731,10 +774,15 @@ start_fetch(resctx_t *rctx) {
 
 	REQUIRE(rctx->fetch == NULL);
 
+	if (!rctx->want_cdflag)
+		fopts |= DNS_FETCHOPT_NOCDFLAG;
+	if (!rctx->want_validation)
+		fopts |= DNS_FETCHOPT_NOVALIDATE;
+
 	result = dns_resolver_createfetch(rctx->view->resolver,
 					  dns_fixedname_name(&rctx->name),
 					  rctx->type,
-					  NULL, NULL, NULL, 0,
+					  NULL, NULL, NULL, fopts,
 					  rctx->task, fetch_done, rctx,
 					  rctx->rdataset,
 					  rctx->sigrdataset,
@@ -1277,7 +1325,7 @@ dns_client_startresolve(dns_client_t *client, dns_name_t *name,
 	isc_mem_t *mctx;
 	isc_result_t result;
 	dns_rdataset_t *rdataset, *sigrdataset;
-	isc_boolean_t want_dnssec;
+	isc_boolean_t want_dnssec, want_validation, want_cdflag;
 
 	REQUIRE(DNS_CLIENT_VALID(client));
 	REQUIRE(transp != NULL && *transp == NULL);
@@ -1293,6 +1341,8 @@ dns_client_startresolve(dns_client_t *client, dns_name_t *name,
 	rdataset = NULL;
 	sigrdataset = NULL;
 	want_dnssec = ISC_TF((options & DNS_CLIENTRESOPT_NODNSSEC) == 0);
+	want_validation = ISC_TF((options & DNS_CLIENTRESOPT_NOVALIDATE) == 0);
+	want_cdflag = ISC_TF((options & DNS_CLIENTRESOPT_NOCDFLAG) == 0);
 
 	/*
 	 * Prepare some intermediate resources
@@ -1348,6 +1398,8 @@ dns_client_startresolve(dns_client_t *client, dns_name_t *name,
 	rctx->restarts = 0;
 	rctx->fetch = NULL;
 	rctx->want_dnssec = want_dnssec;
+	rctx->want_validation = want_validation;
+	rctx->want_cdflag = want_cdflag;
 	ISC_LIST_INIT(rctx->namelist);
 	rctx->event = event;
 
diff --git a/lib/dns/include/dns/client.h b/lib/dns/include/dns/client.h
index 41baa0d6b9..eadf5674d6 100644
--- a/lib/dns/include/dns/client.h
+++ b/lib/dns/include/dns/client.h
@@ -77,10 +77,14 @@ ISC_LANG_BEGINDECLS
 /*%
  * Optional flags for dns_client_(start)resolve.
  */
-/*%< Disable DNSSEC validation. */
+/*%< Do not return DNSSEC data (e.g. RRSIGS) with response. */
 #define DNS_CLIENTRESOPT_NODNSSEC	0x01
 /*%< Allow running external context. */
 #define DNS_CLIENTRESOPT_ALLOWRUN	0x02
+/*%< Don't validate responses. */
+#define DNS_CLIENTRESOPT_NOVALIDATE	0x04
+/*%< Don't set the CD flag on upstream queries. */
+#define DNS_CLIENTRESOPT_NOCDFLAG	0x08
 
 /*%
  * Optional flags for dns_client_(start)request.
@@ -261,6 +265,26 @@ dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
  *\li	Anything else				Failure.
  */
 
+isc_result_t
+dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
+		  const char *dlvname);
+/*%<
+ * Specify a name to use for DNSSEC lookaside validation (e.g.,
+ * "dlv.isc.org"). If a trusted key has been added for that name,
+ * then DLV will be used during validation.  If 'dlvname' is NULL,
+ * then DLV will no longer be used for this client.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
 isc_result_t
 dns_client_resolve(dns_client_t *client, dns_name_t *name,
 		   dns_rdataclass_t rdclass, dns_rdatatype_t type,
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index e8c8c10547..e4865750e3 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -77,6 +77,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
 #define DNS_LOGMODULE_DLZ		(&dns_modules[26])
 #define DNS_LOGMODULE_DNSSEC		(&dns_modules[27])
 #define DNS_LOGMODULE_CRYPTO		(&dns_modules[28])
+#define DNS_LOGMODULE_PACKETS		(&dns_modules[29])
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
index 5fe69deb95..b456a688cf 100644
--- a/lib/dns/include/dns/masterdump.h
+++ b/lib/dns/include/dns/masterdump.h
@@ -103,6 +103,10 @@ typedef struct dns_master_style dns_master_style_t;
 /*% Don't printout the cryptographic parts of DNSSEC records. */
 #define	DNS_STYLEFLAG_NOCRYPTO		0x08000000U
 
+/*% Comment out data by prepending with ";" */
+#define	DNS_STYLEFLAG_COMMENTDATA	0x10000000U
+
+
 ISC_LANG_BEGINDECLS
 
 /***
@@ -151,6 +155,11 @@ LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
  */
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_debug;
 
+/*%
+ * Similar to dns_master_style_debug but data is prepended with ";"
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_comment;
+
 /*%
  * The style used for dumping "key" zones.
  */
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index b5ac3a835b..568c53a58b 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -139,6 +139,7 @@ typedef int dns_messagetextflag_t;
 #define DNS_MESSAGETEXTFLAG_NOHEADERS	0x0002
 #define DNS_MESSAGETEXTFLAG_ONESOA	0x0004
 #define DNS_MESSAGETEXTFLAG_OMITSOA	0x0008
+#define DNS_MESSAGETEXTFLAG_COMMENTDATA	0x0010
 
 /*
  * Dynamic update names for these sections.
@@ -1356,10 +1357,16 @@ dns_message_gettimeadjust(dns_message_t *msg);
  * Requires:
  *\li	msg be a valid message.
  */
+
 void
 dns_message_logpacket(dns_message_t *message, const char *description,
 		      isc_logcategory_t *category, isc_logmodule_t *module,
 		      int level, isc_mem_t *mctx);
+void
+dns_message_logfmtpacket(dns_message_t *message, const char *description,
+			 isc_logcategory_t *category, isc_logmodule_t *module,
+			 const dns_master_style_t *style, int level,
+			 isc_mem_t *mctx);
 /*%<
  * Log 'message' at the specified logging parameters.
  * 'description' will be emitted at the start of the message and will
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index e11419704c..33b4f9e27d 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -95,8 +95,9 @@ typedef struct dns_fetchevent {
 #define DNS_FETCHOPT_NOVALIDATE		0x020	     /*%< Disable validation. */
 #define DNS_FETCHOPT_EDNS512		0x040	     /*%< Advertise a 512 byte
 							  UDP buffer. */
-#define DNS_FETCHOPT_WANTNSID           0x080         /*%< Request NSID */
-#define DNS_FETCHOPT_PREFETCH           0x100         /*%< Request NSID */
+#define DNS_FETCHOPT_WANTNSID		0x080         /*%< Request NSID */
+#define DNS_FETCHOPT_PREFETCH		0x100         /*%< Request NSID */
+#define DNS_FETCHOPT_NOCDFLAG		0x200	     /*%< Don't set CD flag. */
 
 #define	DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
 #define	DNS_FETCHOPT_EDNSVERSIONMASK	0xff000000
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index b3cfe9992f..9ca9e42d50 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -170,8 +170,9 @@ struct dns_validator {
 /*%
  * dns_validator_create() options.
  */
-#define DNS_VALIDATOR_DLV 1U
-#define DNS_VALIDATOR_DEFER 2U
+#define DNS_VALIDATOR_DLV		0x0001U
+#define DNS_VALIDATOR_DEFER		0x0002U
+#define DNS_VALIDATOR_NOCDFLAG		0x0004U
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/dns/log.c b/lib/dns/log.c
index 75e0d79ba3..1db6eac79c 100644
--- a/lib/dns/log.c
+++ b/lib/dns/log.c
@@ -83,6 +83,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
 	{ "dns/dlz",		0 },
 	{ "dns/dnssec",		0 },
 	{ "dns/crypto",		0 },
+	{ "dns/packets",	0 },
 	{ NULL, 		0 }
 };
 
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index 711534796b..18befdca41 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -174,6 +174,18 @@ dns_master_style_debug = {
 	24, 32, 40, 48, 80, 8, UINT_MAX
 };
 
+/*%
+ * Similar, but with each line commented out.
+ */
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_comment = {
+	DNS_STYLEFLAG_REL_OWNER |
+	DNS_STYLEFLAG_MULTILINE |
+	DNS_STYLEFLAG_RRCOMMENT |
+	DNS_STYLEFLAG_COMMENTDATA,
+	24, 32, 40, 48, 80, 8, UINT_MAX
+};
+
 
 #define N_SPACES 10
 static char spaces[N_SPACES+1] = "          ";
@@ -305,6 +317,14 @@ totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx) {
 		r.base[0] = '\n';
 		isc_buffer_add(&buf, 1);
 
+		if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0) {
+			isc_buffer_availableregion(&buf, &r);
+			if (r.length < 1)
+				return (DNS_R_TEXTTOOLONG);
+			r.base[0] = ';';
+			isc_buffer_add(&buf, 1);
+		}
+
 		result = indent(&col, ctx->style.rdata_column,
 				ctx->style.tab_width, &buf);
 		/*
@@ -441,6 +461,12 @@ rdataset_totext(dns_rdataset_t *rdataset,
 	while (result == ISC_R_SUCCESS) {
 		column = 0;
 
+		/*
+		 * Comment?
+		 */
+		if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
+			isc_buffer_putstr(target, ";");
+
 		/*
 		 * Owner name.
 		 */
diff --git a/lib/dns/message.c b/lib/dns/message.c
index ecfe1d7697..781ec2bc34 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -3464,6 +3464,16 @@ void
 dns_message_logpacket(dns_message_t *message, const char *description,
 		      isc_logcategory_t *category, isc_logmodule_t *module,
 		      int level, isc_mem_t *mctx)
+{
+	dns_message_logfmtpacket(message, description, category, module,
+				 &dns_master_style_debug, level, mctx);
+}
+
+void
+dns_message_logfmtpacket(dns_message_t *message, const char *description,
+			 isc_logcategory_t *category, isc_logmodule_t *module,
+			 const dns_master_style_t *style, int level,
+			 isc_mem_t *mctx)
 {
 	isc_buffer_t buffer;
 	char *buf = NULL;
@@ -3483,8 +3493,7 @@ dns_message_logpacket(dns_message_t *message, const char *description,
 		if (buf == NULL)
 			break;
 		isc_buffer_init(&buffer, buf, len);
-		result = dns_message_totext(message, &dns_master_style_debug,
-					    0, &buffer);
+		result = dns_message_totext(message, style, 0, &buffer);
 		if (result == ISC_R_NOSPACE) {
 			isc_mem_put(mctx, buf, len);
 			len += 1024;
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 7023a82002..4cb4515839 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1827,13 +1827,17 @@ resquery_send(resquery_t *query) {
 		fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
 
 	/*
-	 * Set CD if the client says don't validate or the question is
-	 * under a secure entry point and it is not a recursive query.
+	 * Set CD if the client says not to validate, or if the
+	 * question is under a secure entry point and this is a
+	 * recursive/forward query -- unless the client said not to.
 	 */
-	if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
+	if ((query->options & DNS_FETCHOPT_NOCDFLAG) != 0)
+		/* Do nothing */
+		;
+	else if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0)
 		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-	} else if (res->view->enablevalidation &&
-		   (fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0) {
+	else if (res->view->enablevalidation &&
+		 ((fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0)) {
 		result = dns_view_issecuredomain(res->view, &fctx->name,
 						 &secure_domain);
 		if (result != ISC_R_SUCCESS)
@@ -2509,8 +2513,8 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
 	isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
 		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
-		      "error (%s%s%s) resolving '%s/%s/%s': %s",
-		      dns_result_totext(reason), spc, code,
+		      "%s%s%s resolving '%s/%s/%s': %s",
+		      code, spc, dns_result_totext(reason),
 		      namebuf, typebuf, classbuf, addrbuf);
 }
 
@@ -4711,6 +4715,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 		}
 	}
 
+	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0)
+		valoptions |= DNS_VALIDATOR_NOCDFLAG;
+
 	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
 		need_validation = ISC_FALSE;
 	else
@@ -5243,6 +5250,9 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		}
 	}
 
+	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0)
+		valoptions |= DNS_VALIDATOR_NOCDFLAG;
+
 	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
 		need_validation = ISC_FALSE;
 	else
@@ -6736,7 +6746,8 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 		FCTXTRACE("continuing to look for parent's NS records");
 		result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
 						  dns_rdatatype_ns, domain,
-						  nsrdataset, NULL, 0, task,
+						  nsrdataset, NULL,
+						  fctx->options, task,
 						  resume_dslookup, fctx,
 						  &fctx->nsrrset, NULL,
 						  &fctx->nsfetch);
@@ -6900,7 +6911,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
 			case DNS_OPT_NSID:
 				if (query->options & DNS_FETCHOPT_WANTNSID)
 					log_nsid(&optbuf, optlen, query,
-						 ISC_LOG_INFO,
+						 ISC_LOG_DEBUG(3),
 						 query->fctx->res->mctx);
 				isc_buffer_forward(&optbuf, optlen);
 				break;
@@ -7106,10 +7117,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Log the incoming packet.
 	 */
-	dns_message_logpacket(message, "received packet:\n",
-			      DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER,
-			      ISC_LOG_DEBUG(10), fctx->res->mctx);
-
+	dns_message_logfmtpacket(message, "received packet:\n",
+				 DNS_LOGCATEGORY_RESOLVER,
+				 DNS_LOGMODULE_PACKETS,
+				 &dns_master_style_comment,
+				 ISC_LOG_DEBUG(10),
+				 fctx->res->mctx);
 	/*
 	 * Process receive opt record.
 	 */
@@ -7700,7 +7713,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 
 		result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
 						  dns_rdatatype_ns,
-						  NULL, NULL, NULL, 0, task,
+						  NULL, NULL, NULL,
+						  fctx->options, task,
 						  resume_dslookup, fctx,
 						  &fctx->nsrrset, NULL,
 						  &fctx->nsfetch);
@@ -8349,7 +8363,7 @@ log_fetch(dns_name_t *name, dns_rdatatype_t type) {
 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
 		      DNS_LOGMODULE_RESOLVER, level,
-		      "createfetch: %s %s", namebuf, typebuf);
+		      "fetch: %s/%s", namebuf, typebuf);
 }
 
 isc_result_t
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 8b2f92eb39..10d8d11dce 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1125,6 +1125,8 @@ static inline isc_result_t
 create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 	     isc_taskaction_t callback, const char *caller)
 {
+	unsigned int fopts = 0;
+
 	if (dns_rdataset_isassociated(&val->frdataset))
 		dns_rdataset_disassociate(&val->frdataset);
 	if (dns_rdataset_isassociated(&val->fsigrdataset))
@@ -1136,9 +1138,12 @@ create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 		return (DNS_R_NOVALIDSIG);
 	}
 
+	if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0)
+		fopts |= DNS_FETCHOPT_NOCDFLAG;
+
 	validator_logcreate(val, name, type, caller, "fetch");
 	return (dns_resolver_createfetch(val->view->resolver, name, type,
-					 NULL, NULL, NULL, 0,
+					 NULL, NULL, NULL, fopts,
 					 val->event->ev_sender,
 					 callback, val,
 					 &val->frdataset,
@@ -1155,6 +1160,7 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 		 isc_taskaction_t action, const char *caller)
 {
 	isc_result_t result;
+	unsigned int vopts = 0;
 
 	if (check_deadlock(val, name, type, rdataset, sigrdataset)) {
 		validator_log(val, ISC_LOG_DEBUG(3),
@@ -1162,9 +1168,12 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 		return (DNS_R_NOVALIDSIG);
 	}
 
+	/* OK to clear other options, but preserve NOCDFLAG */
+	vopts |= (val->options & DNS_VALIDATOR_NOCDFLAG);
+
 	validator_logcreate(val, name, type, caller, "validator");
 	result = dns_validator_create(val->view, name, type,
-				      rdataset, sigrdataset, NULL, 0,
+				      rdataset, sigrdataset, NULL, vopts,
 				      val->task, action, val,
 				      &val->subvalidator);
 	if (result == ISC_R_SUCCESS) {
@@ -1545,7 +1554,7 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
  */
 static isc_result_t
 validate(dns_validator_t *val, isc_boolean_t resume) {
-	isc_result_t result;
+	isc_result_t result, vresult = DNS_R_NOVALIDSIG;
 	dns_validatorevent_t *event;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 
@@ -1610,9 +1619,9 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 		}
 
 		do {
-			result = verify(val, val->key, &rdata,
+			vresult = verify(val, val->key, &rdata,
 					val->siginfo->keyid);
-			if (result == ISC_R_SUCCESS)
+			if (vresult == ISC_R_SUCCESS)
 				break;
 			if (val->keynode != NULL) {
 				dns_keynode_t *nextnode = NULL;
@@ -1636,7 +1645,7 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 					break;
 			}
 		} while (1);
-		if (result != ISC_R_SUCCESS)
+		if (vresult != ISC_R_SUCCESS)
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "failed to verify rdataset");
 		else {
@@ -1670,12 +1679,12 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "looking for noqname proof");
 			return (nsecvalidate(val, ISC_FALSE));
-		} else if (result == ISC_R_SUCCESS) {
+		} else if (vresult == ISC_R_SUCCESS) {
 			marksecure(event);
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "marking as secure, "
 				      "noqname proof not needed");
-			return (result);
+			return (ISC_R_SUCCESS);
 		} else {
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "verify failure: %s",
@@ -1691,7 +1700,7 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 	}
 
 	validator_log(val, ISC_LOG_INFO, "no valid signature found");
-	return (DNS_R_NOVALIDSIG);
+	return (vresult);
 }
 
 /*%
@@ -3886,7 +3895,7 @@ dns_validator_destroy(dns_validator_t **validatorp) {
 	LOCK(&val->lock);
 
 	val->attributes |= VALATTR_SHUTDOWN;
-	validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
+	validator_log(val, ISC_LOG_DEBUG(4), "dns_validator_destroy");
 
 	want_destroy = exit_check(val);
 
@@ -3919,8 +3928,8 @@ validator_logv(dns_validator_t *val, isc_logcategory_t *category,
 		dns_rdatatype_format(val->event->type, typebuf,
 				     sizeof(typebuf));
 		isc_log_write(dns_lctx, category, module, level,
-			      "%.*svalidating @%p: %s %s: %s", depth, spaces,
-			      val, namebuf, typebuf, msgbuf);
+			      "%.*svalidating %s/%s: %s", depth, spaces,
+			      namebuf, typebuf, msgbuf);
 	} else {
 		isc_log_write(dns_lctx, category, module, level,
 			      "%.*svalidator @%p: %s", depth, spaces,
diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h
index 741c532429..e609d913b7 100644
--- a/lib/isc/include/isc/log.h
+++ b/lib/isc/include/isc/log.h
@@ -67,8 +67,9 @@
 #define ISC_LOG_PRINTLEVEL	0x0002
 #define ISC_LOG_PRINTCATEGORY	0x0004
 #define ISC_LOG_PRINTMODULE	0x0008
-#define ISC_LOG_PRINTTAG	0x0010
-#define ISC_LOG_PRINTALL	0x001F
+#define ISC_LOG_PRINTTAG	0x0010		/* tag and ":" */
+#define ISC_LOG_PRINTPREFIX	0x0020		/* tag only, no colon */
+#define ISC_LOG_PRINTALL	0x003F
 #define ISC_LOG_DEBUGONLY	0x1000
 #define ISC_LOG_OPENERR		0x8000		/* internal */
 /*@}*/
@@ -167,6 +168,7 @@ LIBISC_EXTERNAL_DATA extern isc_logmodule_t isc_modules[];
 #define ISC_LOGMODULE_INTERFACE (&isc_modules[2])
 #define ISC_LOGMODULE_TIMER (&isc_modules[3])
 #define ISC_LOGMODULE_FILE (&isc_modules[4])
+#define ISC_LOGMODULE_OTHER (&isc_modules[5])
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isc/log.c b/lib/isc/log.c
index 986ed61352..6bd6a2d6b5 100644
--- a/lib/isc/log.c
+++ b/lib/isc/log.c
@@ -205,6 +205,7 @@ LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
 	{ "interface", 0 },
 	{ "timer", 0 },
 	{ "file", 0 },
+	{ "other", 0 },
 	{ NULL, 0 }
 };
 
@@ -1413,7 +1414,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 	const char *iformat;
 	struct stat statbuf;
 	isc_boolean_t matched = ISC_FALSE;
-	isc_boolean_t printtime, printtag;
+	isc_boolean_t printtime, printtag, printcolon;
 	isc_boolean_t printcategory, printmodule, printlevel;
 	isc_logconfig_t *lcfg;
 	isc_logchannel_t *channel;
@@ -1642,7 +1643,10 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 
 		printtime     = ISC_TF((channel->flags & ISC_LOG_PRINTTIME)
 				       != 0);
-		printtag      = ISC_TF((channel->flags & ISC_LOG_PRINTTAG)
+		printtag      = ISC_TF((channel->flags &
+					(ISC_LOG_PRINTTAG|ISC_LOG_PRINTPREFIX))
+				       != 0 && lcfg->tag != NULL);
+		printcolon    = ISC_TF((channel->flags & ISC_LOG_PRINTTAG)
 				       != 0 && lcfg->tag != NULL);
 		printcategory = ISC_TF((channel->flags & ISC_LOG_PRINTCATEGORY)
 				       != 0);
@@ -1696,11 +1700,12 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 			/* FALLTHROUGH */
 
 		case ISC_LOG_TOFILEDESC:
-			fprintf(FILE_STREAM(channel), "%s%s%s%s%s%s%s%s%s%s\n",
+			fprintf(FILE_STREAM(channel),
+				"%s%s%s%s%s%s%s%s%s%s\n",
 				printtime     ? time_string	: "",
 				printtime     ? " "		: "",
 				printtag      ? lcfg->tag	: "",
-				printtag      ? ": "		: "",
+				printcolon    ? ": "		: "",
 				printcategory ? category->name	: "",
 				printcategory ? ": "		: "",
 				printmodule   ? (module != NULL ? module->name
@@ -1743,11 +1748,12 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 			       printtime     ? time_string	: "",
 			       printtime     ? " "		: "",
 			       printtag      ? lcfg->tag	: "",
-			       printtag      ? ": "		: "",
+			       printcolon    ? ": "		: "",
 			       printcategory ? category->name	: "",
 			       printcategory ? ": "		: "",
-			       printmodule   ? (module != NULL	? module->name
-								: "no_module")
+			       printmodule   ? (module != NULL
+						 ? module->name
+						 : "no_module")
 								: "",
 			       printmodule   ? ": "		: "",
 			       printlevel    ? level_string	: "",
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index 2cea67ab5f..d46e240aa7 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -220,7 +220,6 @@ isc__app_ctxstart(isc_appctx_t *ctx0) {
 	sigset_t sset;
 	char strbuf[ISC_STRERRORSIZE];
 
-
 	REQUIRE(VALID_APPCTX(ctx));
 
 	/*
diff --git a/lib/samples/.gitignore b/lib/samples/.gitignore
index b132e89060..bfe33a230c 100644
--- a/lib/samples/.gitignore
+++ b/lib/samples/.gitignore
@@ -1,4 +1,5 @@
 Makefile-postinstall
+delve
 nsprobe
 process
 resolve
diff --git a/lib/samples/Makefile.in b/lib/samples/Makefile.in
index 6a2007c2b4..50f0553791 100644
--- a/lib/samples/Makefile.in
+++ b/lib/samples/Makefile.in
@@ -26,7 +26,7 @@ CINCLUDES =	-I${srcdir}/include -I../dns/include \
 		-I${top_srcdir}/lib/irs/include \
 		-I../../irs/include
 
-CDEFINES =
+CDEFINES =	-DVERSION=\"${VERSION}\" -DSYSCONFDIR=\"${sysconfdir}\"
 CWARNINGS =
 
 ISCLIBS =	../isc/libisc.@A@
@@ -45,15 +45,18 @@ LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
 
 SUBDIRS =
 
-TARGETS =	resolve@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
+TARGETS =	resolve@EXEEXT@ \
+		sample-async@EXEEXT@ sample-gai@EXEEXT@ \
 		sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@
 
-OBJS =		resolve.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
+OBJS =		resolve.@O@ \
+		sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
 		sample-request.@O@ nsprobe.@O@
 
 UOBJS =
 
-SRCS =		resolve.c sample-async.c sample-gai.c sample-update.c \
+SRCS =		resolve.c \
+		sample-async.c sample-gai.c sample-update.c \
 		sample-request.c nsprobe.c
 
 MANPAGES =
diff --git a/lib/samples/resolve.c b/lib/samples/resolve.c
index 278e0e292d..5a487584c9 100644
--- a/lib/samples/resolve.c
+++ b/lib/samples/resolve.c
@@ -116,7 +116,7 @@ set_key(dns_client_t *client, char *keynamestr, char *keystr,
 
 	result = isc_mem_create(0, 0, mctxp);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to crate mctx\n");
+		fprintf(stderr, "failed to create mctx\n");
 		exit(1);
 	}
 
diff --git a/make/includes.in b/make/includes.in
index 66d22f30dd..1d5e7767c2 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -37,6 +37,9 @@ ISCCFG_INCLUDES = @BIND9_ISCCFG_BUILDINCLUDE@ \
 DNS_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
 	-I${top_srcdir}/lib/dns/include
 
+IRS_INCLUDES = @BIND9_IRS_BUILDINCLUDE@ \
+	-I${top_srcdir}/lib/irs/include
+
 LWRES_INCLUDES = @BIND9_LWRES_BUILDINCLUDE@ \
 	-I${top_srcdir}/lib/lwres/unix/include \
 	-I${top_srcdir}/lib/lwres/include
diff --git a/make/rules.in b/make/rules.in
index 2530360225..97ce5bc982 100644
--- a/make/rules.in
+++ b/make/rules.in
@@ -46,9 +46,10 @@ top_builddir =	@BIND9_TOP_BUILDDIR@
 ### All
 ###
 ### Makefile may define:
+###	PREREQS
 ###	TARGETS
 
-all: subdirs ${TARGETS} testdirs
+all: ${PREREQS} subdirs ${TARGETS} testdirs
 
 ###
 ### Subdirectories
diff --git a/bin/named/bindkeys.pl b/util/bindkeys.pl
similarity index 100%
rename from bin/named/bindkeys.pl
rename to util/bindkeys.pl
diff --git a/util/kit.sh b/util/kit.sh
index 482695850f..f0354ebad1 100644
--- a/util/kit.sh
+++ b/util/kit.sh
@@ -149,8 +149,8 @@ rm -rf TODO EXCLUDED conftools doc/design doc/dev doc/draft doc/expired \
     lib/lwres/man/resolver.5 contrib/zkt/doc/rfc5011.txt \
     bin/tests/system/relay lib/cfg
 
-# Remove everything but mksymtbl.pl from util
-find util -name mksymtbl.pl -prune -o -type f -print | xargs rm -f
+# Remove everything but mksymtbl.pl and bindkeys.pl from util
+find util -name bindkeys.pl -o -name mksymtbl.pl -prune -o -type f -print | xargs rm -f
 find util -depth -type d -print | xargs rmdir 2>/dev/null
 
 # Remove all .gitignore files