philipp / rpms / dhcp

Forked from rpms/dhcp 4 years ago
Clone

Blame SOURCES/dhcp-4.2.5-standard_ddns.patch

a512de
diff --git a/client/dhclient.8 b/client/dhclient.8
a512de
index a29757a..c66a912 100644
a512de
--- a/client/dhclient.8
a512de
+++ b/client/dhclient.8
a512de
@@ -56,6 +56,12 @@ dhclient - Dynamic Host Configuration Protocol Client
a512de
 ]
a512de
 ]
a512de
 [
a512de
+.B -i
a512de
+]
a512de
+[
072f0f
+.B -C
a512de
+]
a512de
+[
a512de
 .B -D
a512de
 .I LL|LLT
a512de
 ]
a512de
@@ -441,6 +447,17 @@ Set the giaddr field of all packets to the \fIrelay\fR IP address
a512de
 simulating a relay agent.  This is for testing pruposes only and
a512de
 should not be expected to work in any consistent or useful way.
a512de
 .TP
a512de
+.BI \-i
a512de
+Use a DUID with DHCPv4 clients.  If no DUID is available in the
a512de
+lease file one will be constructed and saved.  The DUID will be
a512de
+used to contstuct a RFC4361 style client id that will be included
a512de
+in the client's messages.  This client id can be overridden by
a512de
+setting a client id in the configuration file.  Overridding the
a512de
+client id in this fashion is discouraged.
a512de
+.TP
072f0f
+.BI \-C
a512de
+Use the standard DDNS scheme from RFCs 4701 & 4702.  
a512de
+.TP
a512de
 .BI \--version
a512de
 Print version number and exit.
a512de
 .PP
a512de
@@ -470,8 +487,10 @@ DHCPv6 \fBdhclient\fR creates an identifier based on the link-layer address
a512de
 (DUID-LL) if it is running in stateless mode (with \fB\-S\fR, not
a512de
 requesting an address), or it creates an identifier based on the
a512de
 link-layer address plus a timestamp (DUID-LLT) if it is running in
a512de
-stateful mode (without \fB\-S\fR, requesting an address).  \fB\-D\fR
a512de
-overrides this default, with a value of either \fILL\fR or \fILLT\fR.
a512de
+stateful mode (without \fB\-S\fR, requesting an address).  When DHCPv4
a512de
+is configued to use a DUID using \fB\-i\fR option the default is to use
a512de
+a DUID-LLT.  \fB\-D\fR
a512de
+overrides these default, with a value of either \fILL\fR or \fILLT\fR.
a512de
 .TP
a512de
 .BI \-N
a512de
 .\" TODO: is this for telling an already running dhclient?
a512de
diff --git a/client/dhclient.c b/client/dhclient.c
a512de
index 0db4703..6403754 100644
a512de
--- a/client/dhclient.c
a512de
+++ b/client/dhclient.c
a512de
@@ -79,6 +79,8 @@ struct sockaddr_in sockaddr_broadcast;
a512de
 struct in_addr giaddr;
a512de
 struct data_string default_duid;
a512de
 int duid_type = 0;
a512de
+int duid_v4 = 0;
a512de
+int std_dhcid = 0;
a512de
 
a512de
 /* ASSERT_STATE() does nothing now; it used to be
a512de
    assert (state_is == state_shouldbe). */
a512de
@@ -325,12 +327,9 @@ main(int argc, char **argv) {
a512de
 				wanted_ia_na = 0;
a512de
 			}
a512de
 			wanted_ia_pd++;
a512de
+#endif /* DHCPv6 */
a512de
 		} else if (!strcmp(argv[i], "-D")) {
a512de
-			if (local_family_set && (local_family == AF_INET)) {
a512de
-				usage();
a512de
-			}
a512de
-			local_family_set = 1;
a512de
-			local_family = AF_INET6;
a512de
+			duid_v4 = 1;
a512de
 			if (++i == argc)
a512de
 				usage();
a512de
 			if (!strcasecmp(argv[i], "LL")) {
a512de
@@ -340,7 +339,12 @@ main(int argc, char **argv) {
a512de
 			} else {
a512de
 				usage();
a512de
 			}
a512de
-#endif /* DHCPv6 */
a512de
+		} else if (!strcmp(argv[i], "-i")) {
a512de
+			/* enable DUID support for DHCPv4 clients */
a512de
+			duid_v4 = 1;
072f0f
+		} else if (!strcmp(argv[i], "-C")) {
a512de
+			/* enable standard DHCID support for DDNS updates */
a512de
+			std_dhcid = 1;
a512de
 		} else if (!strcmp(argv[i], "-v")) {
a512de
 			quiet = 0;
a512de
 		} else if (!strcmp(argv[i], "--version")) {
a512de
@@ -970,12 +974,13 @@ main(int argc, char **argv) {
a512de
 		}
a512de
 	}
a512de
 
a512de
-	/* Start a configuration state machine for each interface. */
a512de
-#ifdef DHCPv6
a512de
-	if (local_family == AF_INET6) {
a512de
-		/* Establish a default DUID.  This may be moved to the
a512de
-		 * DHCPv4 area later.
a512de
-		 */
a512de
+
a512de
+	/*
a512de
+	 * Establish a default DUID.  We always do so for v6 and
a512de
+	 * do so if desired for v4 via the -D or -i options
a512de
+	 */
a512de
+	if ((local_family == AF_INET6) ||
a512de
+	    ((local_family == AF_INET) && (duid_v4 == 1))) {
a512de
 		if (default_duid.len == 0) {
a512de
 			if (default_duid.buffer != NULL)
a512de
 				data_string_forget(&default_duid, MDL);
a512de
@@ -983,7 +988,11 @@ main(int argc, char **argv) {
a512de
 			if (form_duid(&default_duid, MDL) == ISC_R_SUCCESS)
a512de
 				write_duid(&default_duid);
a512de
 		}
a512de
+	}
a512de
 
a512de
+	/* Start a configuration state machine for each interface. */
a512de
+#ifdef DHCPv6
a512de
+	if (local_family == AF_INET6) {
a512de
 		for (ip = interfaces ; ip != NULL ; ip = ip->next) {
a512de
 			for (client = ip->client ; client != NULL ;
a512de
 			     client = client->next) {
a512de
@@ -1115,9 +1124,9 @@ static void usage()
a512de
 
a512de
 	log_fatal("Usage: dhclient "
a512de
 #ifdef DHCPv6
a512de
-		  "[-4|-6] [-SNTP1dvrx] [-nw] [-p <port>] [-D LL|LLT]\n"
072f0f
+		  "[-4|-6] [-SNTPI1dvrxc] [-nw] [-p <port>] [-D LL|LLT] \n"
a512de
 #else /* DHCPv6 */
a512de
-		  "[-1dvrx] [-nw] [-p <port>]\n"
072f0f
+		  "[-C1dvrxc] [-nw] [-p <port>] [-D LL|LLT] \n"
a512de
 #endif /* DHCPv6 */
a512de
 		  "                [-s server-addr] [-cf config-file] "
a512de
 		  "[-lf lease-file]\n"
a512de
@@ -2823,24 +2832,24 @@ make_client_options(struct client_state *client, struct client_lease *lease,
a512de
 	unsigned i;
a512de
 	struct option_cache *oc;
a512de
 	struct option *option = NULL;
a512de
-	struct buffer *bp = (struct buffer *)0;
a512de
+	struct buffer *bp = NULL;
a512de
 
a512de
 	/* If there are any leftover options, get rid of them. */
a512de
 	if (*op)
a512de
-		option_state_dereference (op, MDL);
a512de
+		option_state_dereference(op, MDL);
a512de
 
a512de
 	/* Allocate space for options. */
a512de
-	option_state_allocate (op, MDL);
a512de
+	option_state_allocate(op, MDL);
a512de
 
a512de
 	/* Send the server identifier if provided. */
a512de
 	if (sid)
a512de
-		save_option (&dhcp_universe, *op, sid);
a512de
+		save_option(&dhcp_universe, *op, sid);
a512de
 
a512de
-	oc = (struct option_cache *)0;
a512de
+	oc = NULL;
a512de
 
a512de
 	/* Send the requested address if provided. */
a512de
 	if (rip) {
a512de
-		client -> requested_address = *rip;
a512de
+		client->requested_address = *rip;
a512de
 		i = DHO_DHCP_REQUESTED_ADDRESS;
a512de
 		if (!(option_code_hash_lookup(&option, dhcp_universe.code_hash,
a512de
 					      &i, 0, MDL) &&
a512de
@@ -2848,22 +2857,22 @@ make_client_options(struct client_state *client, struct client_lease *lease,
a512de
 					      option, MDL)))
a512de
 			log_error ("can't make requested address cache.");
a512de
 		else {
a512de
-			save_option (&dhcp_universe, *op, oc);
a512de
-			option_cache_dereference (&oc, MDL);
a512de
+			save_option(&dhcp_universe, *op, oc);
a512de
+			option_cache_dereference(&oc, MDL);
a512de
 		}
a512de
 		option_dereference(&option, MDL);
a512de
 	} else {
a512de
-		client -> requested_address.len = 0;
a512de
+		client->requested_address.len = 0;
a512de
 	}
a512de
 
a512de
 	i = DHO_DHCP_MESSAGE_TYPE;
a512de
 	if (!(option_code_hash_lookup(&option, dhcp_universe.code_hash, &i, 0,
a512de
 				      MDL) &&
a512de
 	      make_const_option_cache(&oc, NULL, type, 1, option, MDL)))
a512de
-		log_error ("can't make message type.");
a512de
+		log_error("can't make message type.");
a512de
 	else {
a512de
-		save_option (&dhcp_universe, *op, oc);
a512de
-		option_cache_dereference (&oc, MDL);
a512de
+		save_option(&dhcp_universe, *op, oc);
a512de
+		option_cache_dereference(&oc, MDL);
a512de
 	}
a512de
 	option_dereference(&option, MDL);
a512de
 
a512de
@@ -2876,8 +2885,8 @@ make_client_options(struct client_state *client, struct client_lease *lease,
a512de
 			if (prl[i]->universe == &dhcp_universe)
a512de
 				len++;
a512de
 
a512de
-		if (!buffer_allocate (&bp, len, MDL))
a512de
-			log_error ("can't make parameter list buffer.");
a512de
+		if (!buffer_allocate(&bp, len, MDL))
a512de
+			log_error("can't make parameter list buffer.");
a512de
 		else {
a512de
 			unsigned code = DHO_DHCP_PARAMETER_REQUEST_LIST;
a512de
 
a512de
@@ -2891,15 +2900,69 @@ make_client_options(struct client_state *client, struct client_lease *lease,
a512de
 						      &code, 0, MDL) &&
a512de
 			      make_const_option_cache(&oc, &bp, NULL, len,
a512de
 						      option, MDL)))
a512de
-				log_error ("can't make option cache");
a512de
+				log_error("can't make option cache");
a512de
 			else {
a512de
-				save_option (&dhcp_universe, *op, oc);
a512de
-				option_cache_dereference (&oc, MDL);
a512de
+				save_option(&dhcp_universe, *op, oc);
a512de
+				option_cache_dereference(&oc, MDL);
a512de
 			}
a512de
 			option_dereference(&option, MDL);
a512de
 		}
a512de
 	}
a512de
 
a512de
+	/*
a512de
+	 * If requested (duid_v4 == 1) add an RFC4361 compliant client-identifier
a512de
+	 * This can be overridden by including a client id in the configuration
a512de
+	 * file.
a512de
+	 */
a512de
+ 	if (duid_v4 == 1) {
a512de
+		struct data_string client_identifier;
a512de
+		int hw_idx, hw_len;
a512de
+
a512de
+		memset(&client_identifier, 0, sizeof(client_identifier));
a512de
+		client_identifier.len = 1 + 4 + default_duid.len;
a512de
+		if (!buffer_allocate(&client_identifier.buffer,
a512de
+				     client_identifier.len, MDL))
a512de
+			log_fatal("no memory for default DUID!");
a512de
+		client_identifier.data = client_identifier.buffer->data;
a512de
+
a512de
+		i = DHO_DHCP_CLIENT_IDENTIFIER;
a512de
+
a512de
+		/* Client-identifier type : 1 byte */
a512de
+		*client_identifier.buffer->data = 255;
a512de
+		
a512de
+		/* IAID : 4 bytes
a512de
+		 * we use the low 4 bytes from the interface address
a512de
+		 */
a512de
+		if (client->interface->hw_address.hlen > 4) {
a512de
+			hw_idx = client->interface->hw_address.hlen - 4;
a512de
+			hw_len = 4;
a512de
+		} else {
a512de
+			hw_idx = 0;
a512de
+			hw_len = client->interface->hw_address.hlen;
a512de
+		}
a512de
+		memcpy(&client_identifier.buffer->data + 5 - hw_len,
a512de
+		       client->interface->hw_address.hbuf + hw_idx,
a512de
+		       hw_len);
a512de
+	
a512de
+		/* Add the default duid */
a512de
+		memcpy(&client_identifier.buffer->data+(1+4),
a512de
+		       default_duid.data, default_duid.len);
a512de
+
a512de
+		/* And save the option */
a512de
+		if (!(option_code_hash_lookup(&option, dhcp_universe.code_hash,
a512de
+					      &i, 0, MDL) &&
a512de
+		      make_const_option_cache(&oc, NULL,
a512de
+					      (u_int8_t *)client_identifier.data,
a512de
+					      client_identifier.len,
a512de
+					      option, MDL)))
a512de
+			log_error ("can't make requested client id cache..");
a512de
+		else {
a512de
+			save_option (&dhcp_universe, *op, oc);
a512de
+			option_cache_dereference (&oc, MDL);
a512de
+		}
a512de
+		option_dereference(&option, MDL);
a512de
+	}
a512de
+
a512de
 	/* Run statements that need to be run on transmission. */
a512de
 	if (client -> config -> on_transmission)
a512de
 		execute_statements_in_scope
a512de
@@ -4522,6 +4585,7 @@ client_dns_update(struct client_state *client, dhcp_ddns_cb_t *ddns_cb)
a512de
 	struct option_cache *oc;
a512de
 	int ignorep;
a512de
 	int result;
a512de
+	int ddns_v4_type;
a512de
 	isc_result_t rcode;
a512de
 
a512de
 	/* If we didn't send an FQDN option, we certainly aren't going to
a512de
@@ -4564,47 +4628,82 @@ client_dns_update(struct client_state *client, dhcp_ddns_cb_t *ddns_cb)
a512de
 				    &global_scope, oc, MDL))
a512de
 		return ISC_R_SUCCESS;
a512de
 
a512de
-	/* If this is a DHCPv6 client update, make a dhcid string out of
a512de
-	 * the DUID.  If this is a DHCPv4 client update, choose either
a512de
-	 * the client identifier, if there is one, or the interface's
a512de
-	 * MAC address.
a512de
+        /*
a512de
+	 * Construct the DHCID value for use in the DDNS update process
a512de
+	 * We have the newer standard version and the older interim version
072f0f
+	 * chosen by the '-C' option.  The interim version is left as is
a512de
+	 * for backwards compatibility.  The standard version is based on
a512de
+	 * RFC 4701 section 3.3
a512de
 	 */
a512de
+
a512de
 	result = 0;
a512de
 	memset(&client_identifier, 0, sizeof(client_identifier));
a512de
-	if (client->active_lease != NULL) {
a512de
-		if (((oc =
a512de
-		      lookup_option(&dhcpv6_universe, client->sent_options,
a512de
-				    D6O_CLIENTID)) != NULL) &&
a512de
-		    evaluate_option_cache(&client_identifier, NULL, NULL,
a512de
-					  client, client->sent_options, NULL,
a512de
+
a512de
+        if (std_dhcid == 1) {
a512de
+          /* standard style */
a512de
+          ddns_cb->dhcid_class = dns_rdatatype_dhcid;
a512de
+          ddns_v4_type = 1;
a512de
+	} else {
a512de
+          /* interim style */
a512de
+          ddns_cb->dhcid_class = dns_rdatatype_txt;
a512de
+          /* for backwards compatibility */
a512de
+          ddns_v4_type = DHO_DHCP_CLIENT_IDENTIFIER;
a512de
+	}
a512de
+
a512de
+        	if (client->active_lease != NULL) {
a512de
+		/* V6 request, get the client identifier, then
a512de
+		 * construct the dhcid for either standard 
a512de
+		 * or interim */
a512de
+		if (((oc = lookup_option(&dhcpv6_universe,
a512de
+					 client->sent_options,
a512de
+					 D6O_CLIENTID)) != NULL) &&
a512de
+		    evaluate_option_cache(&client_identifier, NULL,
a512de
+					  NULL, client,
a512de
+					  client->sent_options, NULL,
a512de
 					  &global_scope, oc, MDL)) {
a512de
-			/* RFC4701 defines type '2' as being for the DUID
a512de
-			 * field.  We aren't using RFC4701 DHCID RR's yet,
a512de
-			 * but this is as good a value as any.
a512de
-			 */
a512de
-			result = get_dhcid(&ddns_cb->dhcid, 2,
a512de
+			result = get_dhcid(ddns_cb, 2,
a512de
 					   client_identifier.data,
a512de
 					   client_identifier.len);
a512de
 			data_string_forget(&client_identifier, MDL);
a512de
 		} else
a512de
 			log_fatal("Impossible condition at %s:%d.", MDL);
a512de
 	} else {
a512de
-		if (((oc =
a512de
-		      lookup_option(&dhcp_universe, client->sent_options,
a512de
-				    DHO_DHCP_CLIENT_IDENTIFIER)) != NULL) &&
a512de
-		    evaluate_option_cache(&client_identifier, NULL, NULL,
a512de
-					  client, client->sent_options, NULL,
a512de
+		/*
a512de
+		 * V4 request, use the client id if there is one or the
a512de
+		 * mac address if there isn't.  If we have a client id
a512de
+		 * we check to see if it is an embedded DUID.
a512de
+		 */
a512de
+		if (((oc = lookup_option(&dhcp_universe,
a512de
+					 client->sent_options,
a512de
+					 DHO_DHCP_CLIENT_IDENTIFIER)) != NULL) &&
a512de
+		    evaluate_option_cache(&client_identifier, NULL,
a512de
+					  NULL, client,
a512de
+					  client->sent_options, NULL,
a512de
 					  &global_scope, oc, MDL)) {
a512de
-			result = get_dhcid(&ddns_cb->dhcid,
a512de
-					   DHO_DHCP_CLIENT_IDENTIFIER,
a512de
-					   client_identifier.data,
a512de
-					   client_identifier.len);
a512de
+			if ((std_dhcid == 1) && (duid_v4 == 1) &&
a512de
+			    (client_identifier.data[0] == 255)) {
a512de
+				/*
a512de
+				 * This appears to be an embedded DUID,
a512de
+				 * extract it and treat it as such
a512de
+				 */
a512de
+				if (client_identifier.len <= 5)
a512de
+					log_fatal("Impossible condition at %s:%d.",
a512de
+						  MDL);
a512de
+				result = get_dhcid(ddns_cb, 2,
a512de
+						   client_identifier.data + 5,
a512de
+						   client_identifier.len - 5);
a512de
+			} else {
a512de
+				result = get_dhcid(ddns_cb, ddns_v4_type,
a512de
+						   client_identifier.data,
a512de
+						   client_identifier.len);
a512de
+			}
a512de
 			data_string_forget(&client_identifier, MDL);
a512de
 		} else
a512de
-			result = get_dhcid(&ddns_cb->dhcid, 0,
a512de
+			result = get_dhcid(ddns_cb, 0,
a512de
 					   client->interface->hw_address.hbuf,
a512de
 					   client->interface->hw_address.hlen);
a512de
 	}
a512de
+
a512de
 	if (!result) {
a512de
 		return ISC_R_SUCCESS;
a512de
 	}
a512de
@@ -4886,3 +4985,4 @@ dhclient_ddns_cb_free(dhcp_ddns_cb_t *ddns_cb, char* file, int line) {
a512de
         ddns_cb_free(ddns_cb, file, line);
a512de
     }
a512de
 }
a512de
+
a512de
diff --git a/common/conflex.c b/common/conflex.c
a512de
index 4611616..c99732e 100644
a512de
--- a/common/conflex.c
a512de
+++ b/common/conflex.c
a512de
@@ -879,10 +879,6 @@ intern(char *atom, enum dhcp_token dfv) {
a512de
 	      case 'd':
a512de
 		if (!strcasecmp(atom + 1, "b-time-format"))
a512de
 			return DB_TIME_FORMAT;
a512de
-		if (!strcasecmp (atom + 1, "ns-update"))
a512de
-			return DNS_UPDATE;
a512de
-		if (!strcasecmp (atom + 1, "ns-delete"))
a512de
-			return DNS_DELETE;
a512de
 		if (!strcasecmp (atom + 1, "omain"))
a512de
 			return DOMAIN;
a512de
 		if (!strncasecmp (atom + 1, "omain-", 6)) {
a512de
@@ -1178,8 +1174,6 @@ intern(char *atom, enum dhcp_token dfv) {
a512de
 			return TOKEN_NOT;
a512de
 		if (!strcasecmp (atom + 1, "o"))
a512de
 			return TOKEN_NO;
a512de
-		if (!strcasecmp (atom + 1, "s-update"))
a512de
-			return NS_UPDATE;
a512de
 		if (!strcasecmp (atom + 1, "oerror"))
a512de
 			return NS_NOERROR;
a512de
 		if (!strcasecmp (atom + 1, "otauth"))
a512de
@@ -1496,8 +1490,6 @@ intern(char *atom, enum dhcp_token dfv) {
a512de
 		}
a512de
 		if (!strcasecmp (atom + 1, "nauthenticated"))
a512de
 			return UNAUTHENTICATED;
a512de
-		if (!strcasecmp (atom + 1, "pdated-dns-rr"))
a512de
-			return UPDATED_DNS_RR;
a512de
 		if (!strcasecmp (atom + 1, "pdate"))
a512de
 			return UPDATE;
a512de
 		break;
a512de
diff --git a/common/dns.c b/common/dns.c
a512de
index d3ac966..a04c61d 100644
a512de
--- a/common/dns.c
a512de
+++ b/common/dns.c
a512de
@@ -30,10 +30,12 @@
a512de
  * asynchronous DNS routines.
a512de
  */
a512de
 
a512de
+/*! \file common/dns.c
a512de
+ */
a512de
 #include "dhcpd.h"
a512de
 #include "arpa/nameser.h"
a512de
 #include <isc/md5.h>
a512de
-
a512de
+#include <isc/sha2.h>
a512de
 #include <dns/result.h>
a512de
 
a512de
 /*
a512de
@@ -823,45 +825,123 @@ void repudiate_zone (struct dns_zone **zone)
a512de
 	dns_zone_dereference (zone, MDL);
a512de
 }
a512de
 
a512de
-/* Have to use TXT records for now. */
a512de
-#define T_DHCID T_TXT
a512de
+/*!
a512de
+ * \brief Create an id for a client
a512de
+ *
a512de
+ * This function is used to create an id for a client to use with DDNS
a512de
+ * This version of the function is for the standard style, RFC 4701
a512de
+ *
a512de
+ * This function takes information from the type and data fields and
a512de
+ * mangles it into a dhcid string which it places in ddns_cb.  It also
a512de
+ * sets a field in ddns_cb to specify the class that should be used
a512de
+ * when sending the dhcid, in this case it is a DHCID record so we use
a512de
+ * dns_rdatatype_dhcid
a512de
+ *
a512de
+ * The DHCID we construct is:
a512de
+ *  2 bytes - identifier type (see 4701 and IANA)
a512de
+ *  1 byte  - digest type, currently only SHA256 (1)
a512de
+ *  n bytes - digest, length depends on digest type, currently 32 for
a512de
+ *            SHA256
a512de
+ *
a512de
+ * What we base the digest on is up to the calling code for an id type of
a512de
+ * 0 - 1 octet htype followed by hlen octets of chaddr from v4 client request
a512de
+ * 1 - data octets from a dhcpv4 client's client identifier option
a512de
+ * 2 - the client DUID from a v4 or v6 client's client id option
a512de
+ * This identifier is concatenated with the fqdn and the result is digested.
a512de
+ */
a512de
+int get_std_dhcid(dhcp_ddns_cb_t *ddns_cb,
a512de
+		  int type,
a512de
+		  const u_int8_t *identifier,
a512de
+		  unsigned id_len)
a512de
+{
a512de
+	struct data_string *id = &ddns_cb->dhcid;
a512de
+	isc_sha256_t sha256;
a512de
+	unsigned char buf[ISC_SHA256_DIGESTLENGTH];
a512de
+	unsigned char fwd_buf[256];
a512de
+	unsigned fwd_buflen = 0;
a512de
+
a512de
+	/* Types can only be 0..(2^16)-1. */
a512de
+	if (type < 0 || type > 65535)
a512de
+		return (0);
a512de
+
a512de
+	/* We need to convert the fwd name to wire representation */
a512de
+	if (MRns_name_pton((char *)ddns_cb->fwd_name.data, fwd_buf, 256) == -1)
a512de
+		return (0);
a512de
+	while(fwd_buf[fwd_buflen] != 0) {
a512de
+		fwd_buflen += fwd_buf[fwd_buflen] + 1;
a512de
+	}
a512de
+	fwd_buflen++;
a512de
+
a512de
+	if (!buffer_allocate(&id->buffer,
a512de
+			     ISC_SHA256_DIGESTLENGTH + 2 + 1,
a512de
+			     MDL))
a512de
+		return (0);
a512de
+	id->data = id->buffer->data;
a512de
+
a512de
+	/* The two first bytes contain the type identifier. */
a512de
+	putUShort(id->buffer->data, (unsigned)type);
a512de
+
a512de
+	/* The next is the digest type, SHA-256 is 1 */
a512de
+	putUChar(id->buffer->data + 2, 1u);
a512de
+
a512de
+	/* Computing the digest */
a512de
+	isc_sha256_init(&sha256);
a512de
+	isc_sha256_update(&sha256, identifier, id_len);
a512de
+	isc_sha256_update(&sha256, fwd_buf, fwd_buflen);
a512de
+	isc_sha256_final(buf, &sha256);
a512de
 
a512de
-int get_dhcid (struct data_string *id,
a512de
-	       int type, const u_int8_t *data, unsigned len)
a512de
+	memcpy(id->buffer->data + 3, &buf, ISC_SHA256_DIGESTLENGTH);
a512de
+
a512de
+	id->len = ISC_SHA256_DIGESTLENGTH + 2 + 1;
a512de
+
a512de
+	return (1);
a512de
+}
a512de
+
a512de
+/*!
a512de
+ *
a512de
+ * \brief Create an id for a client
a512de
+ *
a512de
+ * This function is used to create an id for a client to use with DDNS
a512de
+ * This version of the function is for the interim style.  It is retained
a512de
+ * to allow users to continue using the interim style but they should
a512de
+ * switch to the standard style (which uses get_std_dhcid) for better
a512de
+ * interoperability.  
a512de
+ *
a512de
+ * This function takes information from the type and data fields and
a512de
+ * mangles it into a dhcid string which it places in ddns_cb.  It also
a512de
+ * sets a field in ddns_cb to specify the class that should be used
a512de
+ * when sending the dhcid, in this case it is a txt record so we use
a512de
+ * dns_rdata_type_txt
a512de
+ *
a512de
+ * NOTE WELL: this function has issues with how it calculates the
a512de
+ * dhcid, they can't be changed now as that would break the records
a512de
+ * already in use.
a512de
+ */
a512de
+
a512de
+int get_int_dhcid (dhcp_ddns_cb_t *ddns_cb,
a512de
+		   int type,
a512de
+		   const u_int8_t *data,
a512de
+		   unsigned len)
a512de
 {
a512de
+	struct data_string *id = &ddns_cb->dhcid;
a512de
 	unsigned char buf[ISC_MD5_DIGESTLENGTH];
a512de
 	isc_md5_t md5;
a512de
 	int i;
a512de
 
a512de
 	/* Types can only be 0..(2^16)-1. */
a512de
 	if (type < 0 || type > 65535)
a512de
-		return 0;
a512de
+		return (0);
a512de
 
a512de
 	/*
a512de
 	 * Hexadecimal MD5 digest plus two byte type, NUL,
a512de
 	 * and one byte for length for dns.
a512de
 	 */
a512de
-	if (!buffer_allocate (&id -> buffer,
a512de
-			      (ISC_MD5_DIGESTLENGTH * 2) + 4, MDL))
a512de
-		return 0;
a512de
-	id -> data = id -> buffer -> data;
a512de
+	if (!buffer_allocate(&id -> buffer,
a512de
+			     (ISC_MD5_DIGESTLENGTH * 2) + 4, MDL))
a512de
+		return (0);
a512de
+	id->data = id->buffer->data;
a512de
 
a512de
 	/*
a512de
-	 * DHCP clients and servers should use the following forms of client
a512de
-	 * identification, starting with the most preferable, and finishing
a512de
-	 * with the least preferable.  If the client does not send any of these
a512de
-	 * forms of identification, the DHCP/DDNS interaction is not defined by
a512de
-	 * this specification.  The most preferable form of identification is
a512de
-	 * the Globally Unique Identifier Option [TBD].  Next is the DHCP
a512de
-	 * Client Identifier option.  Last is the client's link-layer address,
a512de
-	 * as conveyed in its DHCPREQUEST message.  Implementors should note
a512de
-	 * that the link-layer address cannot be used if there are no
a512de
-	 * significant bytes in the chaddr field of the DHCP client's request,
a512de
-	 * because this does not constitute a unique identifier.
a512de
-	 *   -- "Interaction between DHCP and DNS"
a512de
-	 *      <draft-ietf-dhc-dhcp-dns-12.txt>
a512de
-	 *      M. Stapp, Y. Rekhter
a512de
-	 *
a512de
 	 * We put the length into the first byte to turn 
a512de
 	 * this into a dns text string.  This avoid needing to
a512de
 	 * copy the string to add the byte later.
a512de
@@ -893,7 +973,18 @@ int get_dhcid (struct data_string *id,
a512de
 	id->buffer->data[id->len] = 0;
a512de
 	id->terminated = 1;
a512de
 
a512de
-	return 1;
a512de
+	return (1);
a512de
+}
a512de
+
a512de
+int get_dhcid(dhcp_ddns_cb_t *ddns_cb,
a512de
+	      int type,
a512de
+	      const u_int8_t *identifier,
a512de
+	      unsigned id_len)
a512de
+{
a512de
+	if (ddns_cb->dhcid_class == dns_rdatatype_dhcid)
a512de
+		return get_std_dhcid(ddns_cb, type, identifier, id_len);
a512de
+	else 
a512de
+		return get_int_dhcid(ddns_cb, type, identifier, id_len);
a512de
 }
a512de
 
a512de
 /*
a512de
@@ -1015,12 +1106,12 @@ make_dns_dataset(dns_rdataclass_t  dataclass,
a512de
  * For the server the first step will have a request of:
a512de
  * The name is not in use
a512de
  * Add an A RR
a512de
- * Add a DHCID RR (currently txt)
a512de
+ * Add a DHCID RR
a512de
  *
a512de
  * For the client the first step will have a request of:
a512de
  * The A RR does not exist
a512de
  * Add an A RR
a512de
- * Add a DHCID RR (currently txt)
a512de
+ * Add a DHCID RR
a512de
  */
a512de
 
a512de
 static isc_result_t
a512de
@@ -1062,7 +1153,7 @@ ddns_modify_fwd_add1(dhcp_ddns_cb_t   *ddns_cb,
a512de
 	dataspace++;
a512de
 
a512de
 	/* Add the DHCID RR */
a512de
-	result = make_dns_dataset(dns_rdataclass_in, dns_rdatatype_txt,
a512de
+	result = make_dns_dataset(dns_rdataclass_in, ddns_cb->dhcid_class,
a512de
 				  dataspace, 
a512de
 				  (unsigned char *)ddns_cb->dhcid.data,
a512de
 				  ddns_cb->dhcid.len, ddns_cb->ttl);
a512de
@@ -1108,7 +1199,7 @@ ddns_modify_fwd_add2(dhcp_ddns_cb_t   *ddns_cb,
a512de
 		     dns_name_t       *pname,
a512de
 		     dns_name_t       *uname)
a512de
 {
a512de
-	isc_result_t result;
a512de
+	isc_result_t result = ISC_R_SUCCESS;
a512de
 
a512de
 	/*
a512de
 	 * If we are doing conflict resolution (unset) we use a prereq list.
a512de
@@ -1117,7 +1208,7 @@ ddns_modify_fwd_add2(dhcp_ddns_cb_t   *ddns_cb,
a512de
 	if ((ddns_cb->flags & DDNS_CONFLICT_OVERRIDE) == 0) {
a512de
 		/* Construct the prereq list */
a512de
 		/* The DHCID RR exists and matches the client identity */
a512de
-		result = make_dns_dataset(dns_rdataclass_in, dns_rdatatype_txt,
a512de
+		result = make_dns_dataset(dns_rdataclass_in, ddns_cb->dhcid_class,
a512de
 					  dataspace, 
a512de
 					  (unsigned char *)ddns_cb->dhcid.data,
a512de
 					  ddns_cb->dhcid.len, 0);
a512de
@@ -1130,7 +1221,7 @@ ddns_modify_fwd_add2(dhcp_ddns_cb_t   *ddns_cb,
a512de
 		/* Start constructing the update list.
a512de
 		 * Conflict detection override: delete DHCID RRs */
a512de
 		result = make_dns_dataset(dns_rdataclass_any,
a512de
-					  dns_rdatatype_txt,
a512de
+					  ddns_cb->dhcid_class,
a512de
 					  dataspace, NULL, 0, 0);
a512de
 		if (result != ISC_R_SUCCESS) {
a512de
 			return(result);
a512de
@@ -1139,7 +1230,7 @@ ddns_modify_fwd_add2(dhcp_ddns_cb_t   *ddns_cb,
a512de
 		dataspace++;
a512de
 
a512de
 		/* Add current DHCID RR */
a512de
-		result = make_dns_dataset(dns_rdataclass_in, dns_rdatatype_txt,
a512de
+		result = make_dns_dataset(dns_rdataclass_in, ddns_cb->dhcid_class,
a512de
 					  dataspace, 
a512de
 					  (unsigned char *)ddns_cb->dhcid.data,
a512de
 					  ddns_cb->dhcid.len, ddns_cb->ttl);
a512de
@@ -1201,11 +1292,11 @@ ddns_modify_fwd_rem1(dhcp_ddns_cb_t   *ddns_cb,
a512de
 		     dns_name_t       *pname,
a512de
 		     dns_name_t       *uname)
a512de
 {
a512de
-	isc_result_t result;
a512de
+	isc_result_t result = ISC_R_SUCCESS;
a512de
 
a512de
 	/* Consruct the prereq list */
a512de
 	/* The DHCID RR exists and matches the client identity */
a512de
-	result = make_dns_dataset(dns_rdataclass_in, dns_rdatatype_txt,
a512de
+	result = make_dns_dataset(dns_rdataclass_in, ddns_cb->dhcid_class,
a512de
 				  dataspace, 
a512de
 				  (unsigned char *)ddns_cb->dhcid.data,
a512de
 				  ddns_cb->dhcid.len, 0);
a512de
@@ -1271,7 +1362,7 @@ ddns_modify_fwd_rem2(dhcp_ddns_cb_t   *ddns_cb,
a512de
 
a512de
 	/* Construct the update list */
a512de
 	/* Delete DHCID RR */
a512de
-	result = make_dns_dataset(dns_rdataclass_none, dns_rdatatype_txt,
a512de
+	result = make_dns_dataset(dns_rdataclass_none, ddns_cb->dhcid_class,
a512de
 				  dataspace,
a512de
 				  (unsigned char *)ddns_cb->dhcid.data,
a512de
 				  ddns_cb->dhcid.len, 0);
a512de
diff --git a/common/parse.c b/common/parse.c
a512de
index fc51327..7477543 100644
a512de
--- a/common/parse.c
a512de
+++ b/common/parse.c
a512de
@@ -3558,42 +3558,7 @@ int parse_numeric_expression (expr, cfile, lose)
a512de
 	}
a512de
 	return 1;
a512de
 }
a512de
-#if defined (NSUPDATE_OLD)
a512de
-/*
a512de
- * dns-expression :==
a512de
- *	UPDATE LPAREN ns-class COMMA ns-type COMMA data-expression COMMA
a512de
- *				data-expression COMMA numeric-expression RPAREN
a512de
- *	DELETE LPAREN ns-class COMMA ns-type COMMA data-expression COMMA
a512de
- *				data-expression RPAREN
a512de
- *	EXISTS LPAREN ns-class COMMA ns-type COMMA data-expression COMMA
a512de
- *				data-expression RPAREN
a512de
- *	NOT EXISTS LPAREN ns-class COMMA ns-type COMMA data-expression COMMA
a512de
- *				data-expression RPAREN
a512de
- * ns-class :== IN | CHAOS | HS | NUMBER
a512de
- * ns-type :== A | PTR | MX | TXT | NUMBER
a512de
- */
a512de
-
a512de
-int parse_dns_expression (expr, cfile, lose)
a512de
-	struct expression **expr;
a512de
-	struct parse *cfile;
a512de
-	int *lose;
a512de
-{
a512de
-	/* Parse an expression... */
a512de
-	if (!parse_expression (expr, cfile, lose, context_dns,
a512de
-			       (struct expression **)0, expr_none))
a512de
-		return 0;
a512de
 
a512de
-	if (!is_dns_expression (*expr) &&
a512de
-	    (*expr) -> op != expr_variable_reference &&
a512de
-	    (*expr) -> op != expr_funcall) {
a512de
-		expression_dereference (expr, MDL);
a512de
-		parse_warn (cfile, "Expecting a dns update subexpression.");
a512de
-		*lose = 1;
a512de
-		return 0;
a512de
-	}
a512de
-	return 1;
a512de
-}
a512de
-#endif /* NSUPDATE_OLD */
a512de
 /* Parse a subexpression that does not contain a binary operator. */
a512de
 
a512de
 int parse_non_binary (expr, cfile, lose, context)
a512de
@@ -3608,11 +3573,6 @@ int parse_non_binary (expr, cfile, lose, context)
a512de
 	struct expression *nexp, **ep;
a512de
 	int known;
a512de
 	char *cptr;
a512de
-#if defined (NSUPDATE_OLD)
a512de
-	enum expr_op opcode;
a512de
-	const char *s;
a512de
-	unsigned long u;
a512de
-#endif 
a512de
 	isc_result_t status;
a512de
 	unsigned len;
a512de
 
a512de
@@ -3645,12 +3605,7 @@ int parse_non_binary (expr, cfile, lose, context)
a512de
 
a512de
 	      case TOKEN_NOT:
a512de
 		token = next_token (&val, (unsigned *)0, cfile);
a512de
-#if defined(NSUPDATE_OLD)
a512de
-		if (context == context_dns) {
a512de
-			token = peek_token (&val, (unsigned *)0, cfile);
a512de
-			goto not_exists;
a512de
-		}
a512de
-#endif
a512de
+
a512de
 		if (!expression_allocate (expr, MDL))
a512de
 			log_fatal ("can't allocate expression");
a512de
 		(*expr) -> op = expr_not;
a512de
@@ -3662,7 +3617,7 @@ int parse_non_binary (expr, cfile, lose, context)
a512de
 			}
a512de
 			*lose = 1;
a512de
 			expression_dereference (expr, MDL);
a512de
-			return 0;
a512de
+			return (0);
a512de
 		}
a512de
 		if (!is_boolean_expression ((*expr) -> data.not)) {
a512de
 			*lose = 1;
a512de
@@ -3694,10 +3649,6 @@ int parse_non_binary (expr, cfile, lose, context)
a512de
 		break;
a512de
 
a512de
 	      case EXISTS:
a512de
-#if defined(NSUPDATE_OLD)
a512de
-		if (context == context_dns)
a512de
-			goto ns_exists;
a512de
-#endif
a512de
 		token = next_token (&val, (unsigned *)0, cfile);
a512de
 		if (!expression_allocate (expr, MDL))
a512de
 			log_fatal ("can't allocate expression");
a512de
@@ -3710,7 +3661,7 @@ int parse_non_binary (expr, cfile, lose, context)
a512de
 		    (*expr)->data.option == NULL) {
a512de
 			*lose = 1;
a512de
 			expression_dereference (expr, MDL);
a512de
-			return 0;
a512de
+			return (0);
a512de
 		}
a512de
 		break;
a512de
 
a512de
@@ -4011,285 +3962,7 @@ int parse_non_binary (expr, cfile, lose, context)
a512de
 			goto norparen;
a512de
 		break;
a512de
 
a512de
-#if defined(NSUPDATE_OLD)
a512de
-		/* dns-update and dns-delete are present for historical
a512de
-		   purposes, but are deprecated in favor of ns-update
a512de
-		   in combination with update, delete, exists and not
a512de
-		   exists. */
a512de
-	      case DNS_UPDATE:
a512de
-	      case DNS_DELETE:
a512de
-#if !defined (NSUPDATE)
a512de
-		parse_warn (cfile,
a512de
-			    "Please rebuild dhcpd with --with-nsupdate.");
a512de
-#endif
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token == DNS_UPDATE)
a512de
-			opcode = expr_ns_add;
a512de
-		else
a512de
-			opcode = expr_ns_delete;
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != LPAREN)
a512de
-			goto nolparen;
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != STRING) {
a512de
-			parse_warn (cfile,
a512de
-				    "parse_expression: expecting string.");
a512de
-		      badnsupdate:
a512de
-			skip_to_semi (cfile);
a512de
-			*lose = 1;
a512de
-			return 0;
a512de
-		}
a512de
-			
a512de
-		if (!strcasecmp (val, "a"))
a512de
-			u = T_A;
a512de
-		else if (!strcasecmp (val, "aaaa"))
a512de
-			u = T_AAAA;
a512de
-		else if (!strcasecmp (val, "ptr"))
a512de
-			u = T_PTR;
a512de
-		else if (!strcasecmp (val, "mx"))
a512de
-			u = T_MX;
a512de
-		else if (!strcasecmp (val, "cname"))
a512de
-			u = T_CNAME;
a512de
-		else if (!strcasecmp (val, "TXT"))
a512de
-			u = T_TXT;
a512de
-		else {
a512de
-			parse_warn (cfile, "unexpected rrtype: %s", val);
a512de
-			goto badnsupdate;
a512de
-		}
a512de
-
a512de
-		s = (opcode == expr_ns_add
a512de
-		     ? "old-dns-update"
a512de
-		     : "old-dns-delete");
a512de
-		cptr = dmalloc (strlen (s) + 1, MDL);
a512de
-		if (!cptr)
a512de
-			log_fatal ("can't allocate name for %s", s);
a512de
-		strcpy (cptr, s);
a512de
-		if (!expression_allocate (expr, MDL))
a512de
-			log_fatal ("can't allocate expression");
a512de
-		(*expr) -> op = expr_funcall;
a512de
-		(*expr) -> data.funcall.name = cptr;
a512de
-
a512de
-		/* Fake up a function call. */
a512de
-		ep = &(*expr) -> data.funcall.arglist;
a512de
-		if (!expression_allocate (ep, MDL))
a512de
-			log_fatal ("can't allocate expression");
a512de
-		(*ep) -> op = expr_arg;
a512de
-		if (!make_const_int (&(*ep) -> data.arg.val, u))
a512de
-			log_fatal ("can't allocate rrtype value.");
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != COMMA)
a512de
-			goto nocomma;
a512de
-		ep = &((*ep) -> data.arg.next);
a512de
-		if (!expression_allocate (ep, MDL))
a512de
-			log_fatal ("can't allocate expression");
a512de
-		(*ep) -> op = expr_arg;
a512de
-		if (!(parse_data_expression (&(*ep) -> data.arg.val,
a512de
-					     cfile, lose)))
a512de
-			goto nodata;
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != COMMA)
a512de
-			goto nocomma;
a512de
-
a512de
-		ep = &((*ep) -> data.arg.next);
a512de
-		if (!expression_allocate (ep, MDL))
a512de
-			log_fatal ("can't allocate expression");
a512de
-		(*ep) -> op = expr_arg;
a512de
-		if (!(parse_data_expression (&(*ep) -> data.arg.val,
a512de
-					     cfile, lose)))
a512de
-			goto nodata;
a512de
-
a512de
-		if (opcode == expr_ns_add) {
a512de
-			token = next_token (&val, (unsigned *)0, cfile);
a512de
-			if (token != COMMA)
a512de
-				goto nocomma;
a512de
-			
a512de
-			ep = &((*ep) -> data.arg.next);
a512de
-			if (!expression_allocate (ep, MDL))
a512de
-				log_fatal ("can't allocate expression");
a512de
-			(*ep) -> op = expr_arg;
a512de
-			if (!(parse_numeric_expression (&(*ep) -> data.arg.val,
a512de
-							cfile, lose))) {
a512de
-				parse_warn (cfile,
a512de
-					    "expecting numeric expression.");
a512de
-				goto badnsupdate;
a512de
-			}
a512de
-		}
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != RPAREN)
a512de
-			goto norparen;
a512de
-		break;
a512de
-
a512de
-	      case NS_UPDATE:
a512de
-#if !defined (NSUPDATE)
a512de
-		parse_warn (cfile,
a512de
-			    "Please rebuild dhcpd with --with-nsupdate.");
a512de
-#endif
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (!expression_allocate (expr, MDL))
a512de
-			log_fatal ("can't allocate expression");
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != LPAREN)
a512de
-			goto nolparen;
a512de
-
a512de
-		nexp = *expr;
a512de
-		do {
a512de
-			nexp -> op = expr_dns_transaction;
a512de
-			if (!(parse_dns_expression
a512de
-			      (&nexp -> data.dns_transaction.car,
a512de
-			       cfile, lose)))
a512de
-			{
a512de
-				if (!*lose)
a512de
-					parse_warn
a512de
-						(cfile,
a512de
-						 "expecting dns expression.");
a512de
-				expression_dereference (expr, MDL);
a512de
-				*lose = 1;
a512de
-				return 0;
a512de
-			}
a512de
-
a512de
-			token = next_token (&val, (unsigned *)0, cfile);
a512de
-			
a512de
-			if (token == COMMA) {
a512de
-				if (!(expression_allocate
a512de
-				      (&nexp -> data.dns_transaction.cdr,
a512de
-				       MDL)))
a512de
-					log_fatal
a512de
-						("can't allocate expression");
a512de
-				nexp = nexp -> data.dns_transaction.cdr;
a512de
-			}
a512de
-		} while (token == COMMA);
a512de
-
a512de
-		if (token != RPAREN)
a512de
-			goto norparen;
a512de
-		break;
a512de
-
a512de
-		/* NOT EXISTS is special cased above... */
a512de
-	      not_exists:
a512de
-		token = peek_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != EXISTS) {
a512de
-			parse_warn (cfile, "expecting DNS prerequisite.");
a512de
-			*lose = 1;
a512de
-			return 0;
a512de
-		}
a512de
-		opcode = expr_ns_not_exists;
a512de
-		goto nsupdatecode;
a512de
-	      case TOKEN_ADD:
a512de
-		opcode = expr_ns_add;
a512de
-		goto nsupdatecode;
a512de
-	      case TOKEN_DELETE:
a512de
-		opcode = expr_ns_delete;
a512de
-		goto nsupdatecode;
a512de
-	      ns_exists:
a512de
-		opcode = expr_ns_exists;
a512de
-	      nsupdatecode:
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-
a512de
-#if !defined (NSUPDATE)
a512de
-		parse_warn (cfile,
a512de
-			    "Please rebuild dhcpd with --with-nsupdate.");
a512de
-#endif
a512de
-		if (!expression_allocate (expr, MDL))
a512de
-			log_fatal ("can't allocate expression");
a512de
-		(*expr) -> op = opcode;
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != LPAREN)
a512de
-			goto nolparen;
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (!is_identifier (token) && token != NUMBER) {
a512de
-			parse_warn (cfile, "expecting identifier or number.");
a512de
-		      badnsop:
a512de
-			expression_dereference (expr, MDL);
a512de
-			skip_to_semi (cfile);
a512de
-			*lose = 1;
a512de
-			return 0;
a512de
-		}
a512de
-			
a512de
-		if (token == NUMBER)
a512de
-			(*expr) -> data.ns_add.rrclass = atoi (val);
a512de
-		else if (!strcasecmp (val, "in"))
a512de
-			(*expr) -> data.ns_add.rrclass = C_IN;
a512de
-		else if (!strcasecmp (val, "chaos"))
a512de
-			(*expr) -> data.ns_add.rrclass = C_CHAOS;
a512de
-		else if (!strcasecmp (val, "hs"))
a512de
-			(*expr) -> data.ns_add.rrclass = C_HS;
a512de
-		else {
a512de
-			parse_warn (cfile, "unexpected rrclass: %s", val);
a512de
-			goto badnsop;
a512de
-		}
a512de
-		
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != COMMA)
a512de
-			goto nocomma;
a512de
 
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (!is_identifier (token) && token != NUMBER) {
a512de
-			parse_warn (cfile, "expecting identifier or number.");
a512de
-			goto badnsop;
a512de
-		}
a512de
-			
a512de
-		if (token == NUMBER)
a512de
-			(*expr) -> data.ns_add.rrtype = atoi (val);
a512de
-		else if (!strcasecmp (val, "a"))
a512de
-			(*expr) -> data.ns_add.rrtype = T_A;
a512de
-		else if (!strcasecmp (val, "aaaa"))
a512de
-			(*expr) -> data.ns_add.rrtype = T_AAAA;
a512de
-		else if (!strcasecmp (val, "ptr"))
a512de
-			(*expr) -> data.ns_add.rrtype = T_PTR;
a512de
-		else if (!strcasecmp (val, "mx"))
a512de
-			(*expr) -> data.ns_add.rrtype = T_MX;
a512de
-		else if (!strcasecmp (val, "cname"))
a512de
-			(*expr) -> data.ns_add.rrtype = T_CNAME;
a512de
-		else if (!strcasecmp (val, "TXT"))
a512de
-			(*expr) -> data.ns_add.rrtype = T_TXT;
a512de
-		else {
a512de
-			parse_warn (cfile, "unexpected rrtype: %s", val);
a512de
-			goto badnsop;
a512de
-		}
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != COMMA)
a512de
-			goto nocomma;
a512de
-
a512de
-		if (!(parse_data_expression
a512de
-		      (&(*expr) -> data.ns_add.rrname, cfile, lose)))
a512de
-			goto nodata;
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != COMMA)
a512de
-			goto nocomma;
a512de
-
a512de
-		if (!(parse_data_expression
a512de
-		      (&(*expr) -> data.ns_add.rrdata, cfile, lose)))
a512de
-			goto nodata;
a512de
-
a512de
-		if (opcode == expr_ns_add) {
a512de
-			token = next_token (&val, (unsigned *)0, cfile);
a512de
-			if (token != COMMA)
a512de
-				goto nocomma;
a512de
-			
a512de
-			if (!(parse_numeric_expression
a512de
-			      (&(*expr) -> data.ns_add.ttl, cfile,
a512de
-			       lose))) {
a512de
-			    if (!*lose)
a512de
-				parse_warn (cfile,
a512de
-					    "expecting numeric expression.");
a512de
-			    goto badnsupdate;
a512de
-			}
a512de
-		}
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != RPAREN)
a512de
-			goto norparen;
a512de
-		break;
a512de
-#endif /* NSUPDATE_OLD */
a512de
 	      case OPTION:
a512de
 	      case CONFIG_OPTION:
a512de
 		if (!expression_allocate (expr, MDL))
a512de
@@ -4366,44 +4039,7 @@ int parse_non_binary (expr, cfile, lose, context)
a512de
 		(*expr) -> op = expr_host_decl_name;
a512de
 		break;
a512de
 
a512de
-#if defined(NSUPDATE_OLD)
a512de
-	      case UPDATED_DNS_RR:
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != LPAREN)
a512de
-			goto nolparen;
a512de
 
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != STRING) {
a512de
-			parse_warn (cfile, "expecting string.");
a512de
-		      bad_rrtype:
a512de
-			*lose = 1;
a512de
-			return 0;
a512de
-		}
a512de
-		if (!strcasecmp (val, "a"))
a512de
-			s = "ddns-fwd-name";
a512de
-		else if (!strcasecmp (val, "ptr"))
a512de
-			s = "ddns-rev-name";
a512de
-		else {
a512de
-			parse_warn (cfile, "invalid DNS rrtype: %s", val);
a512de
-			goto bad_rrtype;
a512de
-		}
a512de
-
a512de
-		token = next_token (&val, (unsigned *)0, cfile);
a512de
-		if (token != RPAREN)
a512de
-			goto norparen;
a512de
-
a512de
-		if (!expression_allocate (expr, MDL))
a512de
-			log_fatal ("can't allocate expression");
a512de
-		(*expr) -> op = expr_variable_reference;
a512de
-		(*expr) -> data.variable =
a512de
-			dmalloc (strlen (s) + 1, MDL);
a512de
-		if (!(*expr) -> data.variable)
a512de
-			log_fatal ("can't allocate variable name.");
a512de
-		strcpy ((*expr) -> data.variable, s);
a512de
-		break;
a512de
-#endif /* NSUPDATE_OLD */
a512de
 	      case PACKET:
a512de
 		token = next_token (&val, (unsigned *)0, cfile);
a512de
 		if (!expression_allocate (expr, MDL))
a512de
diff --git a/common/tree.c b/common/tree.c
a512de
index 8c2056c..26e0add 100644
a512de
--- a/common/tree.c
a512de
+++ b/common/tree.c
a512de
@@ -645,15 +645,6 @@ int evaluate_expression (result, packet, lease, client_state,
a512de
 		status = (evaluate_data_expression
a512de
 			  (&bv -> value.data, packet, lease, client_state,
a512de
 			   in_options, cfg_options, scope, expr, MDL));
a512de
-#if defined (NSUPDATE_OLD)
a512de
-	} else if (is_dns_expression (expr)) {
a512de
-		if (!binding_value_allocate (&bv, MDL))
a512de
-			return 0;
a512de
-		bv -> type = binding_dns;
a512de
-		status = (evaluate_dns_expression
a512de
-			  (&bv -> value.dns, packet, lease, client_state,
a512de
-			   in_options, cfg_options, scope, expr));
a512de
-#endif
a512de
 	} else {
a512de
 		log_error ("%s: invalid expression type: %d",
a512de
 			   "evaluate_expression", expr -> op);
a512de
@@ -699,19 +690,6 @@ int binding_value_dereference (struct binding_value **v,
a512de
 		if (bv -> value.data.buffer)
a512de
 			data_string_forget (&bv -> value.data, file, line);
a512de
 		break;
a512de
-	      case binding_dns:
a512de
-#if defined (NSUPDATE_OLD)
a512de
-		if (bv -> value.dns) {
a512de
-			if (bv -> value.dns -> r_data) {
a512de
-				dfree (bv -> value.dns -> r_data_ephem, MDL);
a512de
-				bv -> value.dns -> r_data = (unsigned char *)0;
a512de
-				bv -> value.dns -> r_data_ephem =
a512de
-					(unsigned char *)0;
a512de
-			}
a512de
-			minires_freeupdrec (bv -> value.dns);
a512de
-		}
a512de
-		break;
a512de
-#endif
a512de
 	      default:
a512de
 		log_error ("%s(%d): invalid binding type: %d",
a512de
 			   file, line, bv -> type);
a512de
@@ -721,270 +699,6 @@ int binding_value_dereference (struct binding_value **v,
a512de
 	return 1;
a512de
 }
a512de
 
a512de
-#if defined (NSUPDATE_OLD)
a512de
-int evaluate_dns_expression (result, packet, lease, client_state, in_options,
a512de
-			     cfg_options, scope, expr)
a512de
-	ns_updrec **result;
a512de
-	struct packet *packet;
a512de
-	struct lease *lease;
a512de
-	struct client_state *client_state;
a512de
-	struct option_state *in_options;
a512de
-	struct option_state *cfg_options;
a512de
-	struct binding_scope **scope;
a512de
-	struct expression *expr;
a512de
-{
a512de
-	unsigned long ttl = 0;
a512de
-	char *tname;
a512de
-	struct data_string name, data;
a512de
-	int r0, r1, r2;
a512de
-
a512de
-	if (!result || *result) {
a512de
-		log_error ("evaluate_dns_expression called with non-null %s",
a512de
-			   "result pointer");
a512de
-#if defined (POINTER_DEBUG)
a512de
-		abort ();
a512de
-#else
a512de
-		return 0;
a512de
-#endif
a512de
-	}
a512de
-		
a512de
-	switch (expr -> op) {
a512de
-#if defined (NSUPDATE)
a512de
-	      case expr_ns_add:
a512de
-		r0 = evaluate_numeric_expression (&ttl, packet, lease,
a512de
-						  client_state,
a512de
-						  in_options, cfg_options,
a512de
-						  scope,
a512de
-						  expr -> data.ns_add.ttl);
a512de
-		goto nsfinish;
a512de
-
a512de
-	      case expr_ns_exists:
a512de
-		ttl = 1;
a512de
-
a512de
-	      case expr_ns_delete:
a512de
-	      case expr_ns_not_exists:
a512de
-		r0 = 1;
a512de
-	      nsfinish:
a512de
-		memset (&name, 0, sizeof name);
a512de
-		r1 = evaluate_data_expression (&name, packet, lease,
a512de
-					       client_state,
a512de
-					       in_options, cfg_options, scope,
a512de
-					       expr -> data.ns_add.rrname,
a512de
-					       MDL);
a512de
-		if (r1) {
a512de
-			/* The result of the evaluation may or may not
a512de
-			   be NUL-terminated, but we need it
a512de
-			   terminated for sure, so we have to allocate
a512de
-			   a buffer and terminate it. */
a512de
-			tname = dmalloc (name.len + 1, MDL);
a512de
-			if (!tname) {
a512de
-				r2 = 0;
a512de
-				r1 = 0;
a512de
-				data_string_forget (&name, MDL);
a512de
-			} else {
a512de
-				memcpy (tname, name.data, name.len);
a512de
-				tname [name.len] = 0;
a512de
-				memset (&data, 0, sizeof data);
a512de
-				r2 = evaluate_data_expression
a512de
-					(&data, packet, lease, client_state,
a512de
-					 in_options, cfg_options, scope,
a512de
-					 expr -> data.ns_add.rrdata, MDL);
a512de
-			}
a512de
-		} else {
a512de
-			r2 = 0;
a512de
-			tname = NULL;
a512de
-		}
a512de
-		if (r0 && r1 && (r2 || expr -> op != expr_ns_add)) {
a512de
-		    *result = minires_mkupdrec (((expr -> op == expr_ns_add ||
a512de
-						  expr -> op == expr_ns_delete)
a512de
-						 ? S_UPDATE : S_PREREQ),
a512de
-						tname,
a512de
-						expr -> data.ns_add.rrclass,
a512de
-						expr -> data.ns_add.rrtype,
a512de
-						ttl);
a512de
-		    if (!*result) {
a512de
-			  ngood:
a512de
-			    if (r2) {
a512de
-				data_string_forget (&data, MDL);
a512de
-				r2 = 0;
a512de
-			    }
a512de
-		    } else {
a512de
-			if (data.len) {
a512de
-				/* As a special case, if we get exactly
a512de
-				   four bytes of data, it's an IP address
a512de
-				   represented as a 32-bit quantity, which
a512de
-				   is actually what we *should* be getting
a512de
-				   here.   Because res_mkupdrec is currently
a512de
-				   broken and expects a dotted quad, convert
a512de
-				   it.   This should be fixed when the new
a512de
-				   resolver is merged. */
a512de
-				if (data.len == 4) {
a512de
-				    (*result) -> r_data_ephem =
a512de
-					    dmalloc (16, MDL);
a512de
-				    if (!(*result) -> r_data_ephem)
a512de
-					goto dpngood;
a512de
-				    (*result) -> r_data =
a512de
-					    (*result) -> r_data_ephem;
a512de
-				    /*%Audit% 16 bytes max. %2004.06.17,Safe%*/
a512de
-				    sprintf ((char *)(*result) -> r_data_ephem,
a512de
-					     "%u.%u.%u.%u",
a512de
-					     data.data [0] & 0xff,
a512de
-					     data.data [1] & 0xff,
a512de
-					     data.data [2] & 0xff,
a512de
-					     data.data [3] & 0xff);
a512de
-				    (*result) -> r_size = 
a512de
-					    strlen ((const char *)
a512de
-						    (*result) -> r_data);
a512de
-				} else {
a512de
-				    (*result) -> r_size = data.len;
a512de
-				    (*result) -> r_data_ephem =
a512de
-					    dmalloc (data.len, MDL);
a512de
-				    if (!(*result) -> r_data_ephem) {
a512de
-				      dpngood: /* double plus ungood. */
a512de
-					minires_freeupdrec (*result);
a512de
-					*result = 0;
a512de
-					goto ngood;
a512de
-				    }
a512de
-				    (*result) -> r_data =
a512de
-					    (*result) -> r_data_ephem;
a512de
-				    memcpy ((*result) -> r_data_ephem,
a512de
-					    data.data, data.len);
a512de
-				}
a512de
-			} else {
a512de
-				(*result) -> r_data = 0;
a512de
-				(*result) -> r_size = 0;
a512de
-			}
a512de
-			switch (expr -> op) {
a512de
-			      case expr_ns_add:
a512de
-				(*result) -> r_opcode = ADD;
a512de
-				break;
a512de
-			      case expr_ns_delete:
a512de
-				(*result) -> r_opcode = DELETE;
a512de
-				break;
a512de
-			      case expr_ns_exists:
a512de
-				(*result) -> r_opcode = YXRRSET;
a512de
-				break;
a512de
-			      case expr_ns_not_exists:
a512de
-				(*result) -> r_opcode = NXRRSET;
a512de
-				break;
a512de
-
a512de
-				/* Can't happen, but satisfy gcc. */
a512de
-			      default:
a512de
-				break;
a512de
-			}
a512de
-		    }
a512de
-		}
a512de
-		if (r1) {
a512de
-			data_string_forget (&name, MDL);
a512de
-			dfree (tname, MDL);
a512de
-		}
a512de
-		if (r2)
a512de
-			data_string_forget (&data, MDL);
a512de
-		/* One flaw in the thinking here: an IP address and an
a512de
-		   ASCII string both look like data expressions, but
a512de
-		   for A records, we want an ASCII string, not a
a512de
-		   binary IP address.  Do I need to turn binary IP
a512de
-		   addresses into a separate type?  */
a512de
-		return (r0 && r1 &&
a512de
-			(r2 || expr -> op != expr_ns_add) && *result);
a512de
-
a512de
-#else
a512de
-	      case expr_ns_add:
a512de
-	      case expr_ns_delete:
a512de
-	      case expr_ns_exists:
a512de
-	      case expr_ns_not_exists:
a512de
-		return 0;
a512de
-#endif
a512de
-	      case expr_funcall:
a512de
-		log_error ("%s: dns values for functions not supported.",
a512de
-			   expr -> data.funcall.name);
a512de
-		break;
a512de
-
a512de
-	      case expr_variable_reference:
a512de
-		log_error ("%s: dns values for variables not supported.",
a512de
-			   expr -> data.variable);
a512de
-		break;
a512de
-
a512de
-	      case expr_check:
a512de
-	      case expr_equal:
a512de
-	      case expr_not_equal:
a512de
-	      case expr_regex_match:
a512de
-	      case expr_iregex_match:
a512de
-	      case expr_and:
a512de
-	      case expr_or:
a512de
-	      case expr_not:
a512de
-	      case expr_match:
a512de
-	      case expr_static:
a512de
-	      case expr_known:
a512de
-	      case expr_exists:
a512de
-	      case expr_variable_exists:
a512de
-		log_error ("Boolean opcode in evaluate_dns_expression: %d",
a512de
-		      expr -> op);
a512de
-		return 0;
a512de
-
a512de
-	      case expr_none:
a512de
-	      case expr_substring:
a512de
-	      case expr_suffix:
a512de
-	      case expr_lcase:
a512de
-	      case expr_ucase:
a512de
-	      case expr_option:
a512de
-	      case expr_hardware:
a512de
-	      case expr_const_data:
a512de
-	      case expr_packet:
a512de
-	      case expr_concat:
a512de
-	      case expr_encapsulate:
a512de
-	      case expr_host_lookup:
a512de
-	      case expr_encode_int8:
a512de
-	      case expr_encode_int16:
a512de
-	      case expr_encode_int32:
a512de
-	      case expr_binary_to_ascii:
a512de
-	      case expr_reverse:
a512de
-	      case expr_filename:
a512de
-	      case expr_sname:
a512de
-	      case expr_pick_first_value:
a512de
-	      case expr_host_decl_name:
a512de
-	      case expr_config_option:
a512de
-	      case expr_leased_address:
a512de
-	      case expr_null:
a512de
-	      case expr_gethostname:
a512de
-		log_error ("Data opcode in evaluate_dns_expression: %d",
a512de
-		      expr -> op);
a512de
-		return 0;
a512de
-
a512de
-	      case expr_extract_int8:
a512de
-	      case expr_extract_int16:
a512de
-	      case expr_extract_int32:
a512de
-	      case expr_const_int:
a512de
-	      case expr_lease_time:
a512de
-	      case expr_dns_transaction:
a512de
-	      case expr_add:
a512de
-	      case expr_subtract:
a512de
-	      case expr_multiply:
a512de
-	      case expr_divide:
a512de
-	      case expr_remainder:
a512de
-	      case expr_binary_and:
a512de
-	      case expr_binary_or:
a512de
-	      case expr_binary_xor:
a512de
-	      case expr_client_state:
a512de
-		log_error ("Numeric opcode in evaluate_dns_expression: %d",
a512de
-		      expr -> op);
a512de
-		return 0;
a512de
-
a512de
-	      case expr_function:
a512de
-		log_error ("Function opcode in evaluate_dns_expression: %d",
a512de
-		      expr -> op);
a512de
-		return 0;
a512de
-
a512de
-	      case expr_arg:
a512de
-		break;
a512de
-	}
a512de
-
a512de
-	log_error ("Bogus opcode in evaluate_dns_expression: %d",
a512de
-		   expr -> op);
a512de
-	return 0;
a512de
-}
a512de
-#endif /* defined (NSUPDATE_OLD) */
a512de
-
a512de
 int evaluate_boolean_expression (result, packet, lease, client_state,
a512de
 				 in_options, cfg_options, scope, expr)
a512de
 	int *result;
a512de
@@ -1056,20 +770,7 @@ int evaluate_boolean_expression (result, packet, lease, client_state,
a512de
 			    else
a512de
 				*result = expr -> op == expr_not_equal;
a512de
 			    break;
a512de
-#if defined (NSUPDATE_OLD)
a512de
-			  case binding_dns:
a512de
-#if defined (NSUPDATE)
a512de
-			    /* XXX This should be a comparison for equal
a512de
-			       XXX values, not for identity. */
a512de
-			    if (bv -> value.dns == obv -> value.dns)
a512de
-				*result = expr -> op == expr_equal;
a512de
-			    else
a512de
-				*result = expr -> op == expr_not_equal;
a512de
-#else
a512de
-				*result = expr -> op == expr_not_equal;
a512de
-#endif
a512de
-			    break;
a512de
-#endif /* NSUPDATE_OLD */
a512de
+
a512de
 			  case binding_function:
a512de
 			    if (bv -> value.fundef == obv -> value.fundef)
a512de
 				*result = expr -> op == expr_equal;
a512de
@@ -2369,7 +2070,7 @@ int evaluate_data_expression (result, packet, lease, client_state,
a512de
 	      case expr_ns_delete:
a512de
 	      case expr_ns_exists:
a512de
 	      case expr_ns_not_exists:
a512de
-		log_error ("dns update opcode in evaluate_data_expression: %d",
a512de
+		log_error ("dns opcode in evaluate_boolean_expression: %d",
a512de
 		      expr -> op);
a512de
 		return 0;
a512de
 
a512de
@@ -2398,11 +2099,6 @@ int evaluate_numeric_expression (result, packet, lease, client_state,
a512de
 {
a512de
 	struct data_string data;
a512de
 	int status, sleft, sright;
a512de
-#if defined (NSUPDATE_OLD)
a512de
-	ns_updrec *nut;
a512de
-	ns_updque uq;
a512de
-	struct expression *cur, *next;
a512de
-#endif
a512de
 
a512de
 	struct binding *binding;
a512de
 	struct binding_value *bv;
a512de
@@ -2541,53 +2237,6 @@ int evaluate_numeric_expression (result, packet, lease, client_state,
a512de
 #endif
a512de
 		return (1);
a512de
  
a512de
-	      case expr_dns_transaction:
a512de
-#if !defined (NSUPDATE_OLD)
a512de
-		return 0;
a512de
-#else
a512de
-		if (!resolver_inited) {
a512de
-			minires_ninit (&resolver_state);
a512de
-			resolver_inited = 1;
a512de
-			resolver_state.retrans = 1;
a512de
-			resolver_state.retry = 1;
a512de
-		}
a512de
-		ISC_LIST_INIT (uq);
a512de
-		cur = expr;
a512de
-		do {
a512de
-		    next = cur -> data.dns_transaction.cdr;
a512de
-		    nut = 0;
a512de
-		    status = (evaluate_dns_expression
a512de
-			      (&nut, packet,
a512de
-			       lease, client_state, in_options, cfg_options,
a512de
-			       scope, cur -> data.dns_transaction.car));
a512de
-		    if (!status)
a512de
-			    goto dns_bad;
a512de
-		    ISC_LIST_APPEND (uq, nut, r_link);
a512de
-		    cur = next;
a512de
-		} while (next);
a512de
-
a512de
-		/* Do the update and record the error code, if there was
a512de
-		   an error; otherwise set it to NOERROR. */
a512de
-		*result = minires_nupdate (&resolver_state,
a512de
-					   ISC_LIST_HEAD (uq));
a512de
-		status = 1;
a512de
-
a512de
-		print_dns_status ((int)*result, &uq;;
a512de
-
a512de
-	      dns_bad:
a512de
-		while (!ISC_LIST_EMPTY (uq)) {
a512de
-			ns_updrec *tmp = ISC_LIST_HEAD (uq);
a512de
-			ISC_LIST_UNLINK (uq, tmp, r_link);
a512de
-			if (tmp -> r_data_ephem) {
a512de
-				dfree (tmp -> r_data_ephem, MDL);
a512de
-				tmp -> r_data = (unsigned char *)0;
a512de
-				tmp -> r_data_ephem = (unsigned char *)0;
a512de
-			}
a512de
-			minires_freeupdrec (tmp);
a512de
-		}
a512de
-		return status;
a512de
-#endif /* NSUPDATE_OLD */
a512de
-
a512de
 	      case expr_variable_reference:
a512de
 		if (scope && *scope) {
a512de
 		    binding = find_binding (*scope, expr -> data.variable);
a512de
@@ -2877,14 +2526,6 @@ int evaluate_numeric_expression (result, packet, lease, client_state,
a512de
 			return 0;
a512de
 		}
a512de
 
a512de
-	      case expr_ns_add:
a512de
-	      case expr_ns_delete:
a512de
-	      case expr_ns_exists:
a512de
-	      case expr_ns_not_exists:
a512de
-		log_error ("dns opcode in evaluate_numeric_expression: %d",
a512de
-		      expr -> op);
a512de
-		return 0;
a512de
-
a512de
 	      case expr_function:
a512de
 		log_error ("function definition in evaluate_numeric_expr");
a512de
 		return 0;
a512de
@@ -3182,38 +2823,6 @@ void expression_dereference (eptr, file, line)
a512de
 				(&expr -> data.reverse.buffer, file, line);
a512de
 		break;
a512de
 
a512de
-	      case expr_dns_transaction:
a512de
-		if (expr -> data.dns_transaction.car)
a512de
-		    expression_dereference (&expr -> data.dns_transaction.car,
a512de
-					    file, line);
a512de
-		if (expr -> data.dns_transaction.cdr)
a512de
-		    expression_dereference (&expr -> data.dns_transaction.cdr,
a512de
-					    file, line);
a512de
-		break;
a512de
-
a512de
-	      case expr_ns_add:
a512de
-		if (expr -> data.ns_add.rrname)
a512de
-		    expression_dereference (&expr -> data.ns_add.rrname,
a512de
-					    file, line);
a512de
-		if (expr -> data.ns_add.rrdata)
a512de
-		    expression_dereference (&expr -> data.ns_add.rrdata,
a512de
-					    file, line);
a512de
-		if (expr -> data.ns_add.ttl)
a512de
-		    expression_dereference (&expr -> data.ns_add.ttl,
a512de
-					    file, line);
a512de
-		break;
a512de
-
a512de
-	      case expr_ns_delete:
a512de
-	      case expr_ns_exists:
a512de
-	      case expr_ns_not_exists:
a512de
-		if (expr -> data.ns_delete.rrname)
a512de
-		    expression_dereference (&expr -> data.ns_delete.rrname,
a512de
-					    file, line);
a512de
-		if (expr -> data.ns_delete.rrdata)
a512de
-		    expression_dereference (&expr -> data.ns_delete.rrdata,
a512de
-					    file, line);
a512de
-		break;
a512de
-
a512de
 	      case expr_variable_reference:
a512de
 	      case expr_variable_exists:
a512de
 		if (expr -> data.variable)
a512de
@@ -3262,15 +2871,6 @@ void expression_dereference (eptr, file, line)
a512de
 	free_expression (expr, MDL);
a512de
 }
a512de
 
a512de
-int is_dns_expression (expr)
a512de
-	struct expression *expr;
a512de
-{
a512de
-      return (expr -> op == expr_ns_add ||
a512de
-	      expr -> op == expr_ns_delete ||
a512de
-	      expr -> op == expr_ns_exists ||
a512de
-	      expr -> op == expr_ns_not_exists);
a512de
-}
a512de
-
a512de
 int is_boolean_expression (expr)
a512de
 	struct expression *expr;
a512de
 {
a512de
@@ -3325,7 +2925,6 @@ int is_numeric_expression (expr)
a512de
 		expr -> op == expr_extract_int32 ||
a512de
 		expr -> op == expr_const_int ||
a512de
 		expr -> op == expr_lease_time ||
a512de
-		expr -> op == expr_dns_transaction ||
a512de
 		expr -> op == expr_add ||
a512de
 		expr -> op == expr_subtract ||
a512de
 		expr -> op == expr_multiply ||
a512de
@@ -3340,11 +2939,7 @@ int is_numeric_expression (expr)
a512de
 int is_compound_expression (expr)
a512de
 	struct expression *expr;
a512de
 {
a512de
-	return (expr -> op == expr_ns_add ||
a512de
-		expr -> op == expr_ns_delete ||
a512de
-		expr -> op == expr_ns_exists ||
a512de
-		expr -> op == expr_ns_not_exists ||
a512de
-		expr -> op == expr_substring ||
a512de
+	return (expr -> op == expr_substring ||
a512de
 		expr -> op == expr_suffix ||
a512de
 		expr -> op == expr_option ||
a512de
 		expr -> op == expr_concat ||
a512de
@@ -3357,8 +2952,7 @@ int is_compound_expression (expr)
a512de
 		expr -> op == expr_config_option ||
a512de
 		expr -> op == expr_extract_int8 ||
a512de
 		expr -> op == expr_extract_int16 ||
a512de
-		expr -> op == expr_extract_int32 ||
a512de
-		expr -> op == expr_dns_transaction);
a512de
+		expr -> op == expr_extract_int32);
a512de
 }
a512de
 
a512de
 static int op_val (enum expr_op);
a512de
@@ -3456,8 +3050,6 @@ enum expression_context expression_context (struct expression *expr)
a512de
 		return context_numeric;
a512de
 	if (is_boolean_expression (expr))
a512de
 		return context_boolean;
a512de
-	if (is_dns_expression (expr))
a512de
-		return context_dns;
a512de
 	return context_any;
a512de
 }
a512de
 
a512de
@@ -3928,99 +3520,6 @@ int write_expression (file, expr, col, indent, firstp)
a512de
 					  "lease-time");
a512de
 		break;
a512de
 
a512de
-	      case expr_dns_transaction:
a512de
-		col = token_print_indent (file, col, indent, "", "",
a512de
-					  "ns-update");
a512de
-		col = token_print_indent (file, col, indent, " ", "",
a512de
-					  "(");
a512de
-		scol = 0;
a512de
-		for (e = expr;
a512de
-		     e && e -> op == expr_dns_transaction;
a512de
-		     e = e -> data.dns_transaction.cdr) {
a512de
-			if (!scol) {
a512de
-				scol = col;
a512de
-				firstp = 1;
a512de
-			} else
a512de
-				firstp = 0;
a512de
-			col = write_expression (file,
a512de
-						e -> data.dns_transaction.car,
a512de
-						col, scol, firstp);
a512de
-			if (e -> data.dns_transaction.cdr)
a512de
-				col = token_print_indent (file, col, scol,
a512de
-							  "", " ", ",");
a512de
-		}
a512de
-		if (e)
a512de
-			col = write_expression (file, e, col, scol, 0);
a512de
-		col = token_print_indent (file, col, indent, "", "", ")");
a512de
-		break;
a512de
-
a512de
-	      case expr_ns_add:
a512de
-		col = token_print_indent (file, col, indent, "", "",
a512de
-					  "update");
a512de
-		col = token_print_indent (file, col, indent, " ", "",
a512de
-					  "(");
a512de
-		scol = col;
a512de
-		sprintf (obuf, "%d", expr -> data.ns_add.rrclass);
a512de
-		col = token_print_indent (file, col, scol, "", "", obuf);
a512de
-		col = token_print_indent (file, col, scol, "", " ",
a512de
-					  ",");
a512de
-		sprintf (obuf, "%d", expr -> data.ns_add.rrtype);
a512de
-		col = token_print_indent (file, col, scol, "", "", obuf);
a512de
-		col = token_print_indent (file, col, scol, "", " ",
a512de
-					  ",");
a512de
-		col = write_expression (file, expr -> data.ns_add.rrname,
a512de
-					col, scol, 0);
a512de
-		col = token_print_indent (file, col, scol, "", " ",
a512de
-					  ",");
a512de
-		col = write_expression (file, expr -> data.ns_add.rrdata,
a512de
-					col, scol, 0);
a512de
-		col = token_print_indent (file, col, scol, "", " ",
a512de
-					  ",");
a512de
-		col = write_expression (file, expr -> data.ns_add.ttl,
a512de
-					col, scol, 0);
a512de
-		col = token_print_indent (file, col, indent, "", "",
a512de
-					  ")");
a512de
-		break;
a512de
-
a512de
-	      case expr_ns_delete:
a512de
-		col = token_print_indent (file, col, indent, "", "",
a512de
-					  "delete");
a512de
-		col = token_print_indent (file, col, indent, " ", "",
a512de
-					  "(");
a512de
-	      finish_ns_small:
a512de
-		scol = col;
a512de
-		sprintf (obuf, "%d", expr -> data.ns_add.rrclass);
a512de
-		col = token_print_indent (file, col, scol, "", "", obuf);
a512de
-		col = token_print_indent (file, col, scol, "", " ",
a512de
-					  ",");
a512de
-		sprintf (obuf, "%d", expr -> data.ns_add.rrtype);
a512de
-		col = token_print_indent (file, col, scol, "", "", obuf);
a512de
-		col = token_print_indent (file, col, scol, "", " ",
a512de
-					  ",");
a512de
-		col = write_expression (file, expr -> data.ns_add.rrname,
a512de
-					col, scol, 0);
a512de
-		col = token_print_indent (file, col, scol, "", " ",
a512de
-					  ",");
a512de
-		col = write_expression (file, expr -> data.ns_add.rrdata,
a512de
-					col, scol, 0);
a512de
-		col = token_print_indent (file, col, indent, "", "",
a512de
-					  ")");
a512de
-		break;
a512de
-
a512de
-	      case expr_ns_exists:
a512de
-		col = token_print_indent (file, col, indent, "", "",
a512de
-					  "exists");
a512de
-		col = token_print_indent (file, col, indent, " ", "",
a512de
-					  "(");
a512de
-		goto finish_ns_small;
a512de
-
a512de
-	      case expr_ns_not_exists:
a512de
-		col = token_print_indent (file, col, indent, "", "",
a512de
-					  "not exists");
a512de
-		col = token_print_indent (file, col, indent, " ", "",
a512de
-					  "(");
a512de
-		goto finish_ns_small;
a512de
-
a512de
 	      case expr_static:
a512de
 		col = token_print_indent (file, col, indent, "", "",
a512de
 					  "static");
a512de
@@ -4293,12 +3792,7 @@ int data_subexpression_length (int *rv,
a512de
 	      case expr_const_int:
a512de
 	      case expr_exists:
a512de
 	      case expr_known:
a512de
-	      case expr_dns_transaction:
a512de
 	      case expr_static:
a512de
-	      case expr_ns_add:
a512de
-	      case expr_ns_delete:
a512de
-	      case expr_ns_exists:
a512de
-	      case expr_ns_not_exists:
a512de
 	      case expr_not_equal:
a512de
 	      case expr_null:
a512de
 	      case expr_variable_exists:
a512de
@@ -4349,12 +3843,6 @@ int expr_valid_for_context (struct expression *expr,
a512de
 			return 1;
a512de
 		return 0;
a512de
 
a512de
-	      case context_dns:
a512de
-		if (is_dns_expression (expr)) {
a512de
-			return 1;
a512de
-		}
a512de
-		return 0;
a512de
-
a512de
 	      case context_data_or_numeric:
a512de
 		if (is_numeric_expression (expr) ||
a512de
 		    is_data_expression (expr)) {
a512de
diff --git a/includes/dhcpd.h b/includes/dhcpd.h
a512de
index 1d2bf2c..7e756e0 100644
a512de
--- a/includes/dhcpd.h
a512de
+++ b/includes/dhcpd.h
a512de
@@ -638,6 +638,7 @@ struct lease_state {
a512de
 #define DDNS_UPDATE_STYLE_NONE		0
a512de
 #define DDNS_UPDATE_STYLE_AD_HOC	1
a512de
 #define DDNS_UPDATE_STYLE_INTERIM	2
a512de
+#define DDNS_UPDATE_STYLE_STANDARD	3
a512de
 
a512de
 /* Server option names. */
a512de
 
a512de
@@ -1627,6 +1628,9 @@ typedef struct dhcp_ddns_cb {
a512de
 
a512de
 	void *transaction;
a512de
 	void *dataspace;
a512de
+
a512de
+	dns_rdataclass_t dhcid_class;
a512de
+	char *lease_tag;
a512de
 } dhcp_ddns_cb_t;
a512de
 
a512de
 extern struct ipv6_pool **pools;
a512de
@@ -2047,11 +2051,6 @@ struct expression *parse_domain_list(struct parse *cfile, int);
a512de
 
a512de
 
a512de
 /* tree.c */
a512de
-#if defined (NSUPDATE)
a512de
-extern struct __res_state resolver_state;
a512de
-extern int resolver_inited;
a512de
-#endif
a512de
-
a512de
 extern struct binding_scope *global_scope;
a512de
 pair cons (caddr_t, pair);
a512de
 int make_const_option_cache (struct option_cache **, struct buffer **,
a512de
@@ -2079,15 +2078,6 @@ int evaluate_expression (struct binding_value **, struct packet *,
a512de
 			 struct binding_scope **, struct expression *,
a512de
 			 const char *, int);
a512de
 int binding_value_dereference (struct binding_value **, const char *, int);
a512de
-#if defined (NSUPDATE_OLD)
a512de
-int evaluate_dns_expression (ns_updrec **, struct packet *,
a512de
-			     struct lease *,
a512de
-			     struct client_state *,
a512de
-			     struct option_state *,
a512de
-			     struct option_state *,
a512de
-			     struct binding_scope **,
a512de
-			     struct expression *);
a512de
-#endif
a512de
 int evaluate_boolean_expression (int *,
a512de
 				 struct packet *,  struct lease *,
a512de
 				 struct client_state *,
a512de
@@ -2913,21 +2903,18 @@ int icmp_echorequest (struct iaddr *);
a512de
 isc_result_t icmp_echoreply (omapi_object_t *);
a512de
 
a512de
 /* dns.c */
a512de
-#if defined (NSUPDATE)
a512de
-isc_result_t find_tsig_key (ns_tsig_key **, const char *, struct dns_zone *);
a512de
-void tkey_free (ns_tsig_key **);
a512de
-#endif
a512de
 isc_result_t enter_dns_zone (struct dns_zone *);
a512de
 isc_result_t dns_zone_lookup (struct dns_zone **, const char *);
a512de
 int dns_zone_dereference (struct dns_zone **, const char *, int);
a512de
 #if defined (NSUPDATE)
a512de
 #define FIND_FORWARD 0
a512de
 #define FIND_REVERSE 1
a512de
+isc_result_t find_tsig_key (ns_tsig_key **, const char *, struct dns_zone *);
a512de
+void tkey_free (ns_tsig_key **);
a512de
 isc_result_t find_cached_zone (dhcp_ddns_cb_t *, int);
a512de
 void forget_zone (struct dns_zone **);
a512de
 void repudiate_zone (struct dns_zone **);
a512de
-//void cache_found_zone (ns_class, char *, struct in_addr *, int);
a512de
-int get_dhcid (struct data_string *, int, const u_int8_t *, unsigned);
a512de
+int get_dhcid (dhcp_ddns_cb_t *, int, const u_int8_t *, unsigned);
a512de
 void dhcid_tolease (struct data_string *, struct data_string *);
a512de
 isc_result_t dhcid_fromlease (struct data_string *, struct data_string *);
a512de
 isc_result_t ddns_update_fwd(struct data_string *, struct iaddr,
a512de
@@ -2937,6 +2924,16 @@ isc_result_t ddns_remove_fwd(struct data_string *,
a512de
 			     struct iaddr, struct data_string *);
a512de
 #endif /* NSUPDATE */
a512de
 
a512de
+dhcp_ddns_cb_t *ddns_cb_alloc(const char *file, int line);
a512de
+void ddns_cb_free (dhcp_ddns_cb_t *ddns_cb, const char *file, int line);
a512de
+void ddns_cb_forget_zone (dhcp_ddns_cb_t *ddns_cb);
a512de
+isc_result_t
a512de
+ddns_modify_fwd(dhcp_ddns_cb_t *ddns_cb, const char *file, int line);
a512de
+isc_result_t
a512de
+ddns_modify_ptr(dhcp_ddns_cb_t *ddns_cb, const char *file, int line);
a512de
+void
a512de
+ddns_cancel(dhcp_ddns_cb_t *ddns_cb, const char *file, int line);
a512de
+
a512de
 /* resolv.c */
a512de
 extern char path_resolv_conf [];
a512de
 extern struct name_server *name_servers;
a512de
@@ -3302,21 +3299,6 @@ void dump_subnets (void);
a512de
 void free_everything (void);
a512de
 #endif
a512de
 
a512de
-/* nsupdate.c */
a512de
-char *ddns_rev_name (struct lease *, struct lease_state *, struct packet *);
a512de
-char *ddns_fwd_name (struct lease *, struct lease_state *, struct packet *);
a512de
-int nsupdateA (const char *, const unsigned char *, u_int32_t, int);
a512de
-int nsupdatePTR (const char *, const unsigned char *, u_int32_t, int);
a512de
-void nsupdate (struct lease *, struct lease_state *, struct packet *, int);
a512de
-int updateA (const struct data_string *, const struct data_string *,
a512de
-	     unsigned int, struct lease *);
a512de
-int updatePTR (const struct data_string *, const struct data_string *,
a512de
-	       unsigned int, struct lease *);
a512de
-int deleteA (const struct data_string *, const struct data_string *,
a512de
-	     struct lease *);
a512de
-int deletePTR (const struct data_string *, const struct data_string *,
a512de
-	       struct lease *);
a512de
-
a512de
 /* failover.c */
a512de
 #if defined (FAILOVER_PROTOCOL)
a512de
 extern dhcp_failover_state_t *failover_states;
a512de
@@ -3576,20 +3558,5 @@ void mark_hosts_unavailable(void);
a512de
 void mark_phosts_unavailable(void);
a512de
 void mark_interfaces_unavailable(void);
a512de
 
a512de
-dhcp_ddns_cb_t *ddns_cb_alloc(const char *file, int line);
a512de
-void ddns_cb_free (dhcp_ddns_cb_t *ddns_cb, const char *file, int line);
a512de
-void ddns_cb_forget_zone (dhcp_ddns_cb_t *ddns_cb);
a512de
-
a512de
-//void *key_from_zone(struct dns_zone *zone);
a512de
-
a512de
-isc_result_t
a512de
-ddns_modify_fwd(dhcp_ddns_cb_t *ddns_cb, const char *file, int line);
a512de
-
a512de
-isc_result_t
a512de
-ddns_modify_ptr(dhcp_ddns_cb_t *ddns_cb, const char *file, int line);
a512de
-
a512de
-void
a512de
-ddns_cancel(dhcp_ddns_cb_t *ddns_cb, const char *file, int line);
a512de
-
a512de
 #define MAX_ADDRESS_STRING_LEN \
a512de
    (sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"))
a512de
diff --git a/includes/dhctoken.h b/includes/dhctoken.h
a512de
index 3d9a21d..a75eb97 100644
a512de
--- a/includes/dhctoken.h
a512de
+++ b/includes/dhctoken.h
a512de
@@ -32,6 +32,11 @@
a512de
  * ``http://www.nominum.com''.
a512de
  */
a512de
 
a512de
+/*
a512de
+ * The following tokens have been deprecated and aren't in use anymore.
a512de
+ * They have been left in place to avoid disturbing the code.
a512de
+ * DNS_UPDATE, DNS_DELETE, NS_UPDATE, UPDATED_DNS_RR
a512de
+ */
a512de
 enum dhcp_token {
a512de
 	SEMI = ';',
a512de
 	DOT = '.',
a512de
diff --git a/includes/site.h b/includes/site.h
a512de
index 8ff2834..1c7ec96 100644
a512de
--- a/includes/site.h
a512de
+++ b/includes/site.h
a512de
@@ -281,3 +281,17 @@
a512de
    limit the number of TCP connections that the server will
a512de
    allow at one time.  A value of 0 means there is no limit.*/
a512de
 #define MAX_FD_VALUE 200
a512de
+
a512de
+
a512de
+/* Include code to do a slow transition of DDNS records
a512de
+   from the interim to the standard version, or backwards.
a512de
+   The normal code will handle removing an old style record
a512de
+   when the name on a lease is being changed.  This adds code
a512de
+   to handle the case where the name isn't being changed but
a512de
+   the old record should be removed to allow a new record to
a512de
+   be added.  This is the slow transition as leases are only
a512de
+   updated as a client touches them.  A fast transition would
a512de
+   entail updating all the records at once, probably at start
a512de
+   up. */
a512de
+#define DDNS_UPDATE_SLOW_TRANSITION
a512de
+   
a512de
diff --git a/includes/tree.h b/includes/tree.h
a512de
index 291c0f6..746d31c 100644
a512de
--- a/includes/tree.h
a512de
+++ b/includes/tree.h
a512de
@@ -116,9 +116,6 @@ struct binding_value {
a512de
 		struct data_string data;
a512de
 		unsigned long intval;
a512de
 		int boolean;
a512de
-#if defined (NSUPDATE_OLD)
a512de
-		ns_updrec *dns;
a512de
-#endif
a512de
 		struct fundef *fundef;
a512de
 		struct binding_value *bv;
a512de
 	} value;
a512de
diff --git a/server/ddns.c b/server/ddns.c
a512de
index 2a64bc9..3cf15ce 100644
a512de
--- a/server/ddns.c
a512de
+++ b/server/ddns.c
a512de
@@ -36,6 +36,9 @@
a512de
 #include "dhcpd.h"
a512de
 #include <dns/result.h>
a512de
 
a512de
+char *ddns_standard_tag = "ddns-dhcid";
a512de
+char *ddns_interim_tag  = "ddns-txt";
a512de
+
a512de
 #ifdef NSUPDATE
a512de
 
a512de
 static void ddns_fwd_srv_connector(struct lease          *lease,
a512de
@@ -71,16 +74,13 @@ ddns_updates(struct packet *packet, struct lease *lease, struct lease *old,
a512de
 	struct data_string ddns_domainname;
a512de
 	struct data_string old_ddns_fwd_name;
a512de
 	struct data_string ddns_fwd_name;
a512de
-	//struct data_string ddns_rev_name;
a512de
 	struct data_string ddns_dhcid;
a512de
 	struct binding_scope **scope = NULL;
a512de
-	//struct iaddr addr;
a512de
 	struct data_string d1;
a512de
 	struct option_cache *oc;
a512de
 	int s1, s2;
a512de
 	int result = 0;
a512de
 	int server_updates_a = 1;
a512de
-	//int server_updates_ptr = 1;
a512de
 	struct buffer *bp = (struct buffer *)0;
a512de
 	int ignorep = 0, client_ignorep = 0;
a512de
 	int rev_name_len;
a512de
@@ -89,8 +89,9 @@ ddns_updates(struct packet *packet, struct lease *lease, struct lease *old,
a512de
 	dhcp_ddns_cb_t *ddns_cb;
a512de
 	int do_remove = 0;
a512de
 
a512de
-	if (ddns_update_style != 2)
a512de
-		return 0;
a512de
+	if ((ddns_update_style != DDNS_UPDATE_STYLE_STANDARD) &&
a512de
+	    (ddns_update_style != DDNS_UPDATE_STYLE_INTERIM))
a512de
+		return (0);
a512de
 
a512de
 	/*
a512de
 	 * sigh, I want to cancel any previous udpates before we do anything
a512de
@@ -149,7 +150,6 @@ ddns_updates(struct packet *packet, struct lease *lease, struct lease *old,
a512de
 	memset (&ddns_domainname, 0, sizeof (ddns_domainname));
a512de
 	memset (&old_ddns_fwd_name, 0, sizeof (ddns_fwd_name));
a512de
 	memset (&ddns_fwd_name, 0, sizeof (ddns_fwd_name));
a512de
-	//memset (&ddns_rev_name, 0, sizeof (ddns_rev_name));
a512de
 	memset (&ddns_dhcid, 0, sizeof (ddns_dhcid));
a512de
 
a512de
 	/* If we are allowed to accept the client's update of its own A
a512de
@@ -263,31 +263,22 @@ ddns_updates(struct packet *packet, struct lease *lease, struct lease *old,
a512de
 			goto in;
a512de
 		}
a512de
 
a512de
-		/* See if there's a DHCID on the lease, and if not
a512de
-		 * then potentially look for 'on events' for ad-hoc ddns.
a512de
+#if defined  (DDNS_UPDATE_SLOW_TRANSITION)
a512de
+		/*
a512de
+		 * If the slow transition code is enabled check to see
a512de
+		 * if the stored type (standard or interim doesn't
a512de
+		 * match the type currently in use.  If it doesn't
a512de
+		 * try to remove and replace the DNS record
a512de
 		 */
a512de
-		if (!find_bound_string(&ddns_dhcid, *scope, "ddns-txt") &&
a512de
-		    (old != NULL)) {
a512de
-			/* If there's no DHCID, the update was probably
a512de
-			   done with the old-style ad-hoc DDNS updates.
a512de
-			   So if the expiry and release events look like
a512de
-			   they're the same, run them.   This should delete
a512de
-			   the old DDNS data. */
a512de
-			if (old -> on_expiry == old -> on_release) {
a512de
-				execute_statements(NULL, NULL, lease, NULL,
a512de
-						   NULL, NULL, scope,
a512de
-						   old->on_expiry);
a512de
-				if (old -> on_expiry)
a512de
-					executable_statement_dereference
a512de
-						(&old -> on_expiry, MDL);
a512de
-				if (old -> on_release)
a512de
-					executable_statement_dereference
a512de
-						(&old -> on_release, MDL);
a512de
-				/* Now, install the DDNS data the new way. */
a512de
-				goto in;
a512de
-			}
a512de
-		} else
a512de
+		if (((ddns_update_style == DDNS_UPDATE_STYLE_STANDARD) &&
a512de
+		     find_bound_string(&ddns_dhcid, *scope, ddns_interim_tag)) ||
a512de
+		    ((ddns_update_style == DDNS_UPDATE_STYLE_INTERIM) &&
a512de
+		     find_bound_string(&ddns_dhcid, *scope, ddns_standard_tag))) {
a512de
 			data_string_forget(&ddns_dhcid, MDL);
a512de
+			do_remove = 1;
a512de
+			goto in;
a512de
+		}
a512de
+#endif
a512de
 
a512de
 		/* See if the administrator wants to do updates even
a512de
 		   in cases where the update already appears to have been
a512de
@@ -486,22 +477,68 @@ ddns_updates(struct packet *packet, struct lease *lease, struct lease *old,
a512de
 	}
a512de
 
a512de
 	/*
a512de
+	 * copy the string now so we can pass it to the dhcid routines
a512de
+	 * via the ddns_cb pointer
a512de
+	 */
a512de
+	data_string_copy(&ddns_cb->fwd_name, &ddns_fwd_name, MDL);
a512de
+
a512de
+	/*
a512de
 	 * If we are updating the A record, compute the DHCID value.
a512de
+	 * We have two options for computing the DHCID value, the older
a512de
+	 * interim version and the newer standard version.  The interim
a512de
+	 * has some issues but is left as is to avoid compatibility issues.
a512de
+	 *
a512de
+	 * We select the type of DHCID to construct and the information to
a512de
+	 * use for the digest based on 4701 section 3.3
a512de
 	 */
a512de
 	if ((ddns_cb->flags & DDNS_UPDATE_ADDR) != 0) {
a512de
-		if (lease6 != NULL)
a512de
-			result = get_dhcid(&ddns_cb->dhcid, 2,
a512de
-					   lease6->ia->iaid_duid.data,
a512de
-					   lease6->ia->iaid_duid.len);
a512de
-		else if ((lease != NULL) && (lease->uid != NULL) &&
a512de
-			 (lease->uid_len != 0))
a512de
-			result = get_dhcid (&ddns_cb->dhcid,
a512de
-					    DHO_DHCP_CLIENT_IDENTIFIER,
a512de
-					    lease -> uid, lease -> uid_len);
a512de
-		else if (lease != NULL)
a512de
-			result = get_dhcid (&ddns_cb->dhcid, 0,
a512de
-					    lease -> hardware_addr.hbuf,
a512de
-					    lease -> hardware_addr.hlen);
a512de
+		int ddns_type;
a512de
+		int ddns_len;
a512de
+		if (ddns_update_style == DDNS_UPDATE_STYLE_STANDARD) {
a512de
+			/* The standard style */
a512de
+			ddns_cb->lease_tag = ddns_standard_tag;
a512de
+			ddns_cb->dhcid_class = dns_rdatatype_dhcid;
a512de
+			ddns_type = 1;
a512de
+			ddns_len = 4;
a512de
+		} else {
a512de
+			/* The older interim style */
a512de
+			ddns_cb->lease_tag = ddns_interim_tag;
a512de
+			ddns_cb->dhcid_class = dns_rdatatype_txt;
a512de
+			/* for backwards compatibility */
a512de
+			ddns_type = DHO_DHCP_CLIENT_IDENTIFIER;
a512de
+			/* IAID incorrectly included */
a512de
+			ddns_len = 0;
a512de
+		}
a512de
+
a512de
+
a512de
+		if (lease6 != NULL) {
a512de
+			if (lease6->ia->iaid_duid.len < ddns_len)
a512de
+				goto badfqdn;
a512de
+			result = get_dhcid(ddns_cb, 2,
a512de
+					   lease6->ia->iaid_duid.data + ddns_len,
a512de
+					   lease6->ia->iaid_duid.len - ddns_len);
a512de
+		} else if ((lease != NULL) &&
a512de
+			   (lease->uid != NULL) &&
a512de
+			   (lease->uid_len != 0)) {
a512de
+			/* If this is standard check for an RFC 4361
a512de
+			 * compliant client identifier
a512de
+			 */
a512de
+			if ((ddns_update_style == DDNS_UPDATE_STYLE_STANDARD) &&
a512de
+			    (lease->uid[0] == 255)) {
a512de
+				if (lease->uid_len < 5)
a512de
+					goto badfqdn;
a512de
+				result = get_dhcid(ddns_cb, 2,
a512de
+						   lease->uid + 5,
a512de
+						   lease->uid_len - 5);
a512de
+			} else {
a512de
+				result = get_dhcid(ddns_cb, ddns_type,
a512de
+						   lease->uid,
a512de
+						   lease->uid_len);
a512de
+			}
a512de
+		} else if (lease != NULL)
a512de
+			result = get_dhcid(ddns_cb, 0,
a512de
+					   lease->hardware_addr.hbuf,
a512de
+					   lease->hardware_addr.hlen);
a512de
 		else
a512de
 			log_fatal("Impossible condition at %s:%d.", MDL);
a512de
 
a512de
@@ -513,8 +550,6 @@ ddns_updates(struct packet *packet, struct lease *lease, struct lease *old,
a512de
 	 * Perform updates.
a512de
 	 */
a512de
 
a512de
-	data_string_copy(&ddns_cb->fwd_name, &ddns_fwd_name, MDL);
a512de
-
a512de
 	if (ddns_cb->flags && DDNS_UPDATE_ADDR) {
a512de
 		oc = lookup_option(&server_universe, options,
a512de
 				   SV_DDNS_CONFLICT_DETECT);
a512de
@@ -707,8 +742,6 @@ ddns_updates(struct packet *packet, struct lease *lease, struct lease *old,
a512de
 	data_string_forget(&ddns_domainname, MDL);
a512de
 	data_string_forget(&old_ddns_fwd_name, MDL);
a512de
 	data_string_forget(&ddns_fwd_name, MDL);
a512de
-	//data_string_forget(&ddns_rev_name, MDL);
a512de
-	//data_string_forget(&ddns_dhcid, MDL);
a512de
 	if (bp)
a512de
 		buffer_dereference(&bp, MDL);
a512de
 
a512de
@@ -822,18 +855,21 @@ ddns_update_lease_text(dhcp_ddns_cb_t        *ddns_cb,
a512de
 	case DDNS_STATE_ADD_FW_NXDOMAIN:
a512de
 		bind_ds_value(scope, "ddns-fwd-name", &ddns_cb->fwd_name);
a512de
 
a512de
-		/* convert from dns version to lease version of dhcid */
a512de
-		memset(&lease_dhcid, 0, sizeof(lease_dhcid));
a512de
-		dhcid_tolease(&ddns_cb->dhcid, &lease_dhcid);
a512de
-		bind_ds_value(scope, "ddns-txt", &lease_dhcid);
a512de
-		data_string_forget(&lease_dhcid, MDL);
a512de
-
a512de
+		if (ddns_cb->lease_tag == ddns_standard_tag) {
a512de
+			bind_ds_value(scope, ddns_standard_tag, &ddns_cb->dhcid);
a512de
+		} else {
a512de
+			/* convert from dns version to lease version of dhcid */
a512de
+			memset(&lease_dhcid, 0, sizeof(lease_dhcid));
a512de
+			dhcid_tolease(&ddns_cb->dhcid, &lease_dhcid);
a512de
+			bind_ds_value(scope, ddns_interim_tag, &lease_dhcid);
a512de
+			data_string_forget(&lease_dhcid, MDL);
a512de
+		}
a512de
 		break;
a512de
 
a512de
 	case DDNS_STATE_REM_FW_NXRR:
a512de
 	case DDNS_STATE_REM_FW_YXDHCID:
a512de
 		unset(*scope, "ddns-fwd-name");
a512de
-		unset(*scope, "ddns-txt");
a512de
+		unset(*scope, ddns_cb->lease_tag);
a512de
 		break;
a512de
 	}
a512de
 		
a512de
@@ -1791,7 +1827,8 @@ ddns_removals(struct lease    *lease,
a512de
 	if (*scope == NULL)
a512de
 		goto cleanup;
a512de
 
a512de
-	if (ddns_update_style != 2)
a512de
+	if ((ddns_update_style != DDNS_UPDATE_STYLE_STANDARD) &&
a512de
+	    (ddns_update_style != DDNS_UPDATE_STYLE_INTERIM))
a512de
 		goto cleanup;
a512de
 
a512de
 	/* Assume that we are removing both records */
a512de
@@ -1823,15 +1860,22 @@ ddns_removals(struct lease    *lease,
a512de
 	}
a512de
 
a512de
 	/*
a512de
-	 * Find the ptr name and copy it to the control block.  If we don't
a512de
-	 * have it this isn't an interim or rfc3??? record so we can't delete
a512de
+	 * Find the txt or dhcid tag and copy it to the control block.  If we don't
a512de
+	 * have one this isn't an interim or standard record so we can't delete
a512de
 	 * the A record using this mechanism but we can delete the ptr record.
a512de
 	 * In this case we will attempt to do any requested next step.
a512de
 	 */
a512de
 	memset(&leaseid, 0, sizeof(leaseid));
a512de
-	if (!find_bound_string (&leaseid, *scope, "ddns-txt")) {
a512de
-		ddns_cb->flags &= ~DDNS_UPDATE_ADDR;
a512de
-	} else {
a512de
+	if (find_bound_string (&leaseid, *scope, ddns_standard_tag)) {
a512de
+		/* We have a standard tag */
a512de
+		ddns_cb->lease_tag = ddns_standard_tag;
a512de
+		ddns_cb->dhcid_class = dns_rdatatype_dhcid;
a512de
+		data_string_copy(&ddns_cb->dhcid, &leaseid, MDL);
a512de
+		data_string_forget(&leaseid, MDL);
a512de
+	} else 	if (find_bound_string (&leaseid, *scope, ddns_interim_tag)) {
a512de
+		/* we have an interim tag */
a512de
+		ddns_cb->lease_tag = ddns_interim_tag;
a512de
+		ddns_cb->dhcid_class = dns_rdatatype_txt;
a512de
 		if (dhcid_fromlease(&ddns_cb->dhcid, &leaseid) != 
a512de
 		    ISC_R_SUCCESS) {
a512de
 			/* We couldn't convert the dhcid from the lease
a512de
@@ -1841,7 +1885,9 @@ ddns_removals(struct lease    *lease,
a512de
 			ddns_cb->flags &= ~DDNS_UPDATE_ADDR;
a512de
 		}
a512de
 		data_string_forget(&leaseid, MDL);
a512de
-	}
a512de
+	} else {
a512de
+		ddns_cb->flags &= ~DDNS_UPDATE_ADDR;
a512de
+	}		
a512de
 
a512de
 	/*
a512de
 	 * Find the rev name and copy it to the control block.  If we don't
a512de
@@ -1888,7 +1934,7 @@ ddns_removals(struct lease    *lease,
a512de
 		else {
a512de
 			/*remove info from scope */
a512de
 			unset(*scope, "ddns-fwd-name");
a512de
-			unset(*scope, "ddns-txt");
a512de
+			unset(*scope, ddns_cb->lease_tag);
a512de
 		}
a512de
 	}
a512de
 
a512de
diff --git a/server/dhcpd.c b/server/dhcpd.c
a512de
index 67fec83..9617d75 100644
a512de
--- a/server/dhcpd.c
a512de
+++ b/server/dhcpd.c
a512de
@@ -82,86 +82,6 @@ option server.ddns-hostname =						    \n\
a512de
 option server.ddns-domainname =	config-option domain-name;		    \n\
a512de
 option server.ddns-rev-domainname = \"in-addr.arpa.\";";
a512de
 
a512de
-/* This is the old-style name service updater that is executed
a512de
-   whenever a lease is committed.  It does not follow the DHCP-DNS
a512de
-   draft at all. */
a512de
-
a512de
-char old_nsupdate [] = "						    \n\
a512de
-on commit {								    \n\
a512de
-  if (not static and							    \n\
a512de
-      ((config-option server.ddns-updates = null) or			    \n\
a512de
-       (config-option server.ddns-updates != 0))) {			    \n\
a512de
-    set new-ddns-fwd-name =						    \n\
a512de
-      concat (pick (config-option server.ddns-hostname,			    \n\
a512de
-		    option host-name), \".\",				    \n\
a512de
-	      pick (config-option server.ddns-domainname,		    \n\
a512de
-		    config-option domain-name));			    \n\
a512de
-    if (defined (ddns-fwd-name) and ddns-fwd-name != new-ddns-fwd-name) {   \n\
a512de
-      switch (ns-update (delete (IN, A, ddns-fwd-name, leased-address))) {  \n\
a512de
-      case NOERROR:							    \n\
a512de
-	unset ddns-fwd-name;						    \n\
a512de
-	on expiry or release {						    \n\
a512de
-	}								    \n\
a512de
-      }									    \n\
a512de
-    }									    \n\
a512de
-									    \n\
a512de
-    if (not defined (ddns-fwd-name)) {					    \n\
a512de
-      set ddns-fwd-name = new-ddns-fwd-name;				    \n\
a512de
-      if defined (ddns-fwd-name) {					    \n\
a512de
-	switch (ns-update (not exists (IN, A, ddns-fwd-name, null),	    \n\
a512de
-			   add (IN, A, ddns-fwd-name, leased-address,	    \n\
a512de
-				lease-time / 2))) {			    \n\
a512de
-	default:							    \n\
a512de
-	  unset ddns-fwd-name;						    \n\
a512de
-	  break;							    \n\
a512de
-									    \n\
a512de
-	case NOERROR:							    \n\
a512de
-	  set ddns-rev-name =						    \n\
a512de
-	    concat (binary-to-ascii (10, 8, \".\",			    \n\
a512de
-				     reverse (1,			    \n\
a512de
-					      leased-address)), \".\",	    \n\
a512de
-		    pick (config-option server.ddns-rev-domainname,	    \n\
a512de
-			  \"in-addr.arpa.\"));				    \n\
a512de
-	  switch (ns-update (delete (IN, PTR, ddns-rev-name, null),	    \n\
a512de
-			     add (IN, PTR, ddns-rev-name, ddns-fwd-name,    \n\
a512de
-				  lease-time / 2)))			    \n\
a512de
-	    {								    \n\
a512de
-	    default:							    \n\
a512de
-	      unset ddns-rev-name;					    \n\
a512de
-	      on release or expiry {					    \n\
a512de
-		switch (ns-update (delete (IN, A, ddns-fwd-name,	    \n\
a512de
-					   leased-address))) {		    \n\
a512de
-		case NOERROR:						    \n\
a512de
-		  unset ddns-fwd-name;					    \n\
a512de
-		  break;						    \n\
a512de
-		}							    \n\
a512de
-		on release or expiry;					    \n\
a512de
-	      }								    \n\
a512de
-	      break;							    \n\
a512de
-									    \n\
a512de
-	    case NOERROR:						    \n\
a512de
-	      on release or expiry {					    \n\
a512de
-		switch (ns-update (delete (IN, PTR, ddns-rev-name, null))) {\n\
a512de
-		case NOERROR:						    \n\
a512de
-		  unset ddns-rev-name;					    \n\
a512de
-		  break;						    \n\
a512de
-		}							    \n\
a512de
-		switch (ns-update (delete (IN, A, ddns-fwd-name,	    \n\
a512de
-					   leased-address))) {		    \n\
a512de
-		case NOERROR:						    \n\
a512de
-		  unset ddns-fwd-name;					    \n\
a512de
-		  break;						    \n\
a512de
-		}							    \n\
a512de
-		on release or expiry;					    \n\
a512de
-	      }								    \n\
a512de
-	    }								    \n\
a512de
-	}								    \n\
a512de
-      }									    \n\
a512de
-    }									    \n\
a512de
-    unset new-ddns-fwd-name;						    \n\
a512de
-  }									    \n\
a512de
-}";
a512de
-
a512de
 #endif /* NSUPDATE */
a512de
 int ddns_update_style;
a512de
 
a512de
@@ -897,9 +817,6 @@ void postconf_initialization (int quiet)
a512de
 	struct option_cache *oc;
a512de
 	char *s;
a512de
 	isc_result_t result;
a512de
-#if defined (NSUPDATE)
a512de
-	struct parse *parse;
a512de
-#endif
a512de
 	int tmp;
a512de
 
a512de
 	/* Now try to get the lease file name. */
a512de
@@ -1160,49 +1077,6 @@ void postconf_initialization (int quiet)
a512de
 
a512de
 	/* Don't need the options anymore. */
a512de
 	option_state_dereference (&options, MDL);
a512de
-	
a512de
-#if defined (NSUPDATE)
a512de
-	/* If old-style ddns updates have been requested, parse the
a512de
-	   old-style ddns updater. */
a512de
-	if (ddns_update_style == 1) {
a512de
-		struct executable_statement **e, *s;
a512de
-
a512de
-		if (root_group -> statements) {
a512de
-			s = (struct executable_statement *)0;
a512de
-			if (!executable_statement_allocate (&s, MDL))
a512de
-				log_fatal ("no memory for ddns updater");
a512de
-			executable_statement_reference
a512de
-				(&s -> next, root_group -> statements, MDL);
a512de
-			executable_statement_dereference
a512de
-				(&root_group -> statements, MDL);
a512de
-			executable_statement_reference
a512de
-				(&root_group -> statements, s, MDL);
a512de
-			s -> op = statements_statement;
a512de
-			e = &s -> data.statements;
a512de
-			executable_statement_dereference (&s, MDL);
a512de
-		} else {
a512de
-			e = &root_group -> statements;
a512de
-		}
a512de
-
a512de
-		/* Set up the standard name service updater routine. */
a512de
-		parse = NULL;
a512de
-		result = new_parse(&parse, -1, old_nsupdate,
a512de
-				   sizeof(old_nsupdate) - 1,
a512de
-				   "old name service update routine", 0);
a512de
-		if (result != ISC_R_SUCCESS)
a512de
-			log_fatal ("can't begin parsing old ddns updater!");
a512de
-
a512de
-		if (parse != NULL) {
a512de
-			tmp = 0;
a512de
-			if (!(parse_executable_statements(e, parse, &tmp,
a512de
-							  context_any))) {
a512de
-				end_parse(&parse;;
a512de
-				log_fatal("can't parse standard ddns updater!");
a512de
-			}
a512de
-		}
a512de
-		end_parse(&parse;;
a512de
-	}
a512de
-#endif
a512de
 }
a512de
 
a512de
 void postdb_startup (void)
a512de
diff --git a/server/dhcpd.conf.5 b/server/dhcpd.conf.5
a512de
index 74393c2..2351e21 100644
a512de
--- a/server/dhcpd.conf.5
a512de
+++ b/server/dhcpd.conf.5
a512de
@@ -1076,115 +1076,24 @@ the Domain Name System to be updated.  These updates are RFC 2136
a512de
 compliant so any DNS server supporting RFC 2136 should be able to
a512de
 accept updates from the DHCP server.
a512de
 .PP
a512de
-Two DNS update schemes are currently implemented, and another is
a512de
-planned.  The two that are currently implemented are the ad-hoc DNS
a512de
-update mode and the interim DHCP-DNS interaction draft update mode.
a512de
-In the future we plan to add a third mode which will be the standard
a512de
-DNS update method based on the RFCS for DHCP-DNS interaction and DHCID
a512de
-The DHCP server must be configured to use one of the two
a512de
-currently-supported methods, or not to do dns updates.
a512de
-This can be done with the
a512de
+There are two DNS schemes implemented.  The interim option is
a512de
+based on draft revisions of the DDNS documents while the standard
a512de
+option is based on the RFCs for DHCP-DNS interaction and DHCIDs.
a512de
+A third option, ad-hoc, was deprecated and has now been removed
a512de
+from the code base.  The DHCP server must be configured to use
a512de
+one of the two currently-supported methods, or not to do DNS updates.
a512de
+.PP
a512de
+New installations should use the standard option. Older
a512de
+installations may want to continue using the interim option for
a512de
+backwards compatibility with the DNS database until the database
a512de
+can be updated.  This can be done with the
a512de
 .I ddns-update-style
a512de
 configuration parameter.
a512de
-.SH THE AD-HOC DNS UPDATE SCHEME
a512de
-The ad-hoc Dynamic DNS update scheme is
a512de
-.B now deprecated
a512de
-and
a512de
-.B
a512de
-does not work.
a512de
-In future releases of the ISC DHCP server, this scheme will not likely be
a512de
-available.  The interim scheme works, allows for failover, and should now be
a512de
-used.  The following description is left here for informational purposes
a512de
-only.
a512de
-.PP
a512de
-The ad-hoc Dynamic DNS update scheme implemented in this version of
a512de
-the ISC DHCP server is a prototype design, which does not
a512de
-have much to do with the standard update method that is being
a512de
-standardized in the IETF DHC working group, but rather implements some
a512de
-very basic, yet useful, update capabilities.  This mode
a512de
-.B does not work
a512de
-with the
a512de
-.I failover protocol
a512de
-because it does not account for the possibility of two different DHCP
a512de
-servers updating the same set of DNS records.
a512de
-.PP
a512de
-For the ad-hoc DNS update method, the client's FQDN is derived in two
a512de
-parts.  First, the hostname is determined.  Then, the domain name is
a512de
-determined, and appended to the hostname.
a512de
-.PP
a512de
-The DHCP server determines the client's hostname by first looking for
a512de
-a \fIddns-hostname\fR configuration option, and using that if it is
a512de
-present.  If no such option is present, the server looks for a
a512de
-valid hostname in the FQDN option sent by the client.  If one is
a512de
-found, it is used; otherwise, if the client sent a host-name option,
a512de
-that is used.  Otherwise, if there is a host declaration that applies
a512de
-to the client, the name from that declaration will be used.  If none
a512de
-of these applies, the server will not have a hostname for the client,
a512de
-and will not be able to do a DNS update.
a512de
-.PP
a512de
-The domain name is determined from the
a512de
-.I ddns-domainname
a512de
-configuration option.  The default configuration for this option is:
a512de
-.nf
a512de
-.sp 1
a512de
-  option server.ddns-domainname = config-option domain-name;
a512de
-
a512de
-.fi
a512de
-So if this configuration option is not configured to a different
a512de
-value (over-riding the above default), or if a domain-name option
a512de
-has not been configured for the client's scope, then the server will
a512de
-not attempt to perform a DNS update.
a512de
-.PP
a512de
-The client's fully-qualified domain name, derived as we have
a512de
-described, is used as the name on which an "A" record will be stored.
a512de
-The A record will contain the IP address that the client was assigned
a512de
-in its lease.  If there is already an A record with the same name in
a512de
-the DNS server, no update of either the A or PTR records will occur -
a512de
-this prevents a client from claiming that its hostname is the name of
a512de
-some network server.  For example, if you have a fileserver called
a512de
-"fs.sneedville.edu", and the client claims its hostname is "fs", no
a512de
-DNS update will be done for that client, and an error message will be
a512de
-logged.
a512de
-.PP
a512de
-If the A record update succeeds, a PTR record update for the assigned
a512de
-IP address will be done, pointing to the A record.  This update is
a512de
-unconditional - it will be done even if another PTR record of the same
a512de
-name exists.  Since the IP address has been assigned to the DHCP
a512de
-server, this should be safe.
a512de
-.PP
a512de
-Please note that the current implementation assumes clients only have
a512de
-a single network interface.  A client with two network interfaces
a512de
-will see unpredictable behavior.  This is considered a bug, and will
a512de
-be fixed in a later release.  It may be helpful to enable the
a512de
-.I one-lease-per-client
a512de
-parameter so that roaming clients do not trigger this same behavior.
a512de
-.PP
a512de
-The DHCP protocol normally involves a four-packet exchange - first the
a512de
-client sends a DHCPDISCOVER message, then the server sends a
a512de
-DHCPOFFER, then the client sends a DHCPREQUEST, then the server sends
a512de
-a DHCPACK.  In the current version of the server, the server will do
a512de
-a DNS update after it has received the DHCPREQUEST, and before it has
a512de
-sent the DHCPACK.  It only sends the DNS update if it has not sent
a512de
-one for the client's address before, in order to minimize the impact
a512de
-on the DHCP server.
a512de
-.PP
a512de
-When the client's lease expires, the DHCP server (if it is operating
a512de
-at the time, or when next it operates) will remove the client's A and
a512de
-PTR records from the DNS database.  If the client releases its lease
a512de
-by sending a DHCPRELEASE message, the server will likewise remove the
a512de
-A and PTR records.
a512de
-.SH THE INTERIM DNS UPDATE SCHEME
a512de
-The interim DNS update scheme operates mostly according to several
a512de
-drafts considered by the IETF.  While the drafts have since become
a512de
-RFCs the code was written before they were finalized and there are
a512de
-some differences between our code and the final RFCs.  We plan to
a512de
-update our code, probably adding a standard DNS update option, at
a512de
-some time.  The basic framework is similar with the main material
a512de
-difference being that a DHCID RR was assigned in the RFCs whereas
a512de
-our code continues to use an experimental TXT record.  The format
a512de
-of the TXT record bears a resemblance to the DHCID RR but it is not
a512de
-equivalent (MD5 vs SHA1, field length differences etc).
a512de
-The standard RFCs are:
a512de
+.SH THE DNS UPDATE SCHEME
a512de
+the interim and standard DNS update schemes operate mostly according
a512de
+to work from the IETF.  The interim version was based on the drafts
a512de
+in progress at the time while the standard is based on the completed
a512de
+RFCs.  The standard RFCs are:
a512de
 .PP
a512de
 .nf
a512de
 .ce 3
a512de
@@ -1202,15 +1111,17 @@ draft-ietf-dhc-fqdn-option-??.txt
a512de
 draft-ietf-dhc-ddns-resolution-??.txt
a512de
 .fi
a512de
 .PP
a512de
-Because our implementation is slightly different than the standard, we
a512de
-will briefly document the operation of this update style here.
a512de
+The basic framework for the two schemes is similar with the main
a512de
+material difference being that a DHCID RR is used in the standard
a512de
+version while the interim versions uses a TXT RR.  The format
a512de
+of the TXT record bears a resemblance to the DHCID RR but it is not
a512de
+equivalent (MD5 vs SHA2, field length differences etc).
a512de
 .PP
a512de
-The first point to understand about this style of DNS update is that
a512de
-unlike the ad-hoc style, the DHCP server does not necessarily
a512de
+In these two schemes the DHCP server does not necessarily
a512de
 always update both the A and the PTR records.  The FQDN option
a512de
 includes a flag which, when sent by the client, indicates that the
a512de
 client wishes to update its own A record.  In that case, the server
a512de
-can be configured either to honor the client's intentions or ignore
a512de
+can be configured either to honor the client\'s intentions or ignore
a512de
 them.  This is done with the statement \fIallow client-updates;\fR or
a512de
 the statement \fIignore client-updates;\fR.  By default, client
a512de
 updates are allowed.
a512de
@@ -1230,15 +1141,14 @@ IP address, it can update its own A record, assuming that the
a512de
 "radish.org" DNS server will allow it to do so.
a512de
 .PP
a512de
 If the server is configured not to allow client updates, or if the
a512de
-client doesn't want to do its own update, the server will simply
a512de
+client doesn\'t want to do its own update, the server will simply
a512de
 choose a name for the client from either the fqdn option (if present)
a512de
 or the hostname option (if present).  It will use its own
a512de
-domain name for the client, just as in the ad-hoc update scheme.
a512de
-It will then update both the A and PTR record, using the name that it
a512de
-chose for the client.  If the client sends a fully-qualified domain
a512de
-name in the fqdn option, the server uses only the leftmost part of the
a512de
-domain name - in the example above, "jschmoe" instead of
a512de
-"jschmoe.radish.org".
a512de
+domain name for the client.  It will then update both the A and PTR
a512de
+record, using the name that it chose for the client.  If the client
a512de
+sends a fully-qualified domain name in the \fBfqdn\fR option, the
a512de
+server uses only the leftmost part of the domain name - in the
a512de
+example above, "jschmoe" instead of "jschmoe.radish.org".
a512de
 .PP
a512de
 Further, if the \fIignore client-updates;\fR directive is used, then
a512de
 the server will in addition send a response in the DHCP packet, using
a512de
@@ -1248,49 +1158,41 @@ response is sent which indicates the client may not perform updates.
a512de
 .PP
a512de
 Also, if the
a512de
 .I use-host-decl-names
a512de
-configuration option is enabled, then the host declaration's
a512de
+configuration option is enabled, then the host declaration\'s
a512de
 .I hostname
a512de
 will be used in place of the
a512de
 .I hostname
a512de
 option, and the same rules will apply as described above.
a512de
 .PP
a512de
-The other difference between the ad-hoc scheme and the interim
a512de
-scheme is that with the interim scheme, a method is used that
a512de
-allows more than one DHCP server to update the DNS database without
a512de
-accidentally deleting A records that shouldn't be deleted nor failing
a512de
-to add A records that should be added.  The scheme works as follows:
a512de
+Both the standard and interim options also include a method to 
a512de
+allow more than one DHCP server to update the DNS database without
a512de
+accidentally deleting A records that shouldn\'t be deleted nor failing
a512de
+to add A records that should be added.  For the standard option the
a512de
+method works as follows:
a512de
 .PP
a512de
 When the DHCP server issues a client a new lease, it creates a text
a512de
-string that is an MD5 hash over the DHCP client's identification (see
a512de
-draft-ietf-dnsext-dhcid-rr-??.txt for details).  The update adds an A
a512de
-record with the name the server chose and a TXT record containing the
a512de
+string that is an SHA hash over the DHCP client\'s identification (see
a512de
+RFCs 4701 & 4702 for details).  The update attempts to add an A
a512de
+record with the name the server chose and a DHCID record containing the
a512de
 hashed identifier string (hashid).  If this update succeeds, the
a512de
 server is done.
a512de
 .PP
a512de
 If the update fails because the A record already exists, then the DHCP
a512de
 server attempts to add the A record with the prerequisite that there
a512de
-must be a TXT record in the same name as the new A record, and that
a512de
-TXT record's contents must be equal to hashid.  If this update
a512de
+must be a DHCID record in the same name as the new A record, and that
a512de
+DHCID record\'s contents must be equal to hashid.  If this update
a512de
 succeeds, then the client has its A record and PTR record.  If it
a512de
 fails, then the name the client has been assigned (or requested) is in
a512de
-use, and can't be used by the client.  At this point the DHCP server
a512de
+use, and can\'t be used by the client.  At this point the DHCP server
a512de
 gives up trying to do a DNS update for the client until the client
a512de
 chooses a new name.
a512de
 .PP
a512de
-The interim DNS update scheme is called interim for two reasons.
a512de
-First, it does not quite follow the RFCs.  The RFCs call for a
a512de
-new DHCID RRtype while he interim DNS update scheme uses a TXT record.
a512de
-The ddns-resolution draft called for the DHCP server to put a DHCID RR
a512de
-on the PTR record, but the \fIinterim\fR update method does not do this.
a512de
-In the final RFC this requirement was relaxed such that a server may
a512de
-add a DHCID RR to the PTR record.
a512de
-.PP
a512de
-In addition to these differences, the server also does not update very
a512de
-aggressively.  Because each DNS update involves a round trip to the
a512de
-DNS server, there is a cost associated with doing updates even if they
a512de
-do not actually modify the DNS database.  So the DHCP server tracks
a512de
-whether or not it has updated the record in the past (this information
a512de
-is stored on the lease) and does not attempt to update records that it
a512de
+The server also does not update very aggressively.  Because each
a512de
+DNS update involves a round trip to the DNS server, there is a cost
a512de
+associated with doing updates even if they do not actually modify
a512de
+the DNS database.  So the DHCP server tracks whether or not it has
a512de
+updated the record in the past (this information is stored on the
a512de
+lease) and does not attempt to update records that it
a512de
 thinks it has already updated.
a512de
 .PP
a512de
 This can lead to cases where the DHCP server adds a record, and then
a512de
@@ -1299,6 +1201,15 @@ never again updates the DNS because it thinks the data is already
a512de
 there.  In this case the data can be removed from the lease through
a512de
 operator intervention, and once this has been done, the DNS will be
a512de
 updated the next time the client renews.
a512de
+.PP
a512de
+The interim DNS update scheme was written before the RFCs were finalized
a512de
+and does not quite follow them.  The RFCs call for a new DHCID RRtype
a512de
+while he interim DNS update scheme uses a TXT record.  In addition
a512de
+the ddns-resolution draft called for the DHCP server to put a DHCID RR
a512de
+on the PTR record, but the \fIinterim\fR update method does not do this.
a512de
+In the final RFC this requirement was relaxed such that a server may
a512de
+add a DHCID RR to the PTR record.
a512de
+.PP
a512de
 .SH DYNAMIC DNS UPDATE SECURITY
a512de
 .PP
a512de
 When you set your DNS server up to allow updates from the DHCP server,
a512de
@@ -1380,24 +1291,15 @@ Also keep in mind that zone names in your DHCP configuration should end in a
a512de
 configuration, zone names are not encapsulated in quotes where there are in
a512de
 the DNS configuration.
a512de
 .PP
a512de
-You should choose your own secret key, of course.  The ISC BIND 8 and
a512de
-9 distributions come with a program for generating secret keys called
a512de
-dnssec-keygen.  The version that comes with BIND 9 is likely to produce a
a512de
-substantially more random key, so we recommend you use that one even
a512de
-if you are not using BIND 9 as your DNS server.  If you are using BIND 9's
a512de
+You should choose your own secret key, of course.  The ISC BIND 9
a512de
+distribution comes with a program for generating secret keys called
a512de
+dnssec-keygen.  If you are using BIND 9\'s
a512de
 dnssec-keygen, the above key would be created as follows:
a512de
 .PP
a512de
 .nf
a512de
 	dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
a512de
 .fi
a512de
 .PP
a512de
-If you are using the BIND 8 dnskeygen program, the following command will
a512de
-generate a key as seen above:
a512de
-.PP
a512de
-.nf
a512de
-	dnskeygen -H 128 -u -c -n DHCP_UPDATER
a512de
-.fi
a512de
-.PP
a512de
 The key name, algorithm, and secret must match that being used by the DNS
a512de
 server. The DHCP server currently supports the following algorithms:
a512de
 .nf
a512de
@@ -1451,15 +1353,7 @@ and the expiry event, when the commitment expires.
a512de
 To declare a set of statements to execute when an event happens, you
a512de
 must use the \fBon\fR statement, followed by the name of the event,
a512de
 followed by a series of statements to execute when the event happens,
a512de
-enclosed in braces.  Events are used to implement DNS
a512de
-updates, so you should not define your own event handlers if you are
a512de
-using the built-in DNS update mechanism.
a512de
-.PP
a512de
-The built-in version of the DNS update mechanism is in a text
a512de
-string towards the top of server/dhcpd.c.  If you want to use events
a512de
-for things other than DNS updates, and you also want DNS updates, you
a512de
-will have to start out by copying this code into your dhcpd.conf file
a512de
-and modifying it.
a512de
+enclosed in braces.
a512de
 .SH REFERENCE: DECLARATIONS
a512de
 .PP
a512de
 .B The
a512de
@@ -2109,7 +2003,7 @@ The \fIddns-update-style\fR parameter
a512de
 .PP
a512de
 The
a512de
 .I style
a512de
-parameter must be one of \fBad-hoc\fR, \fBinterim\fR or \fBnone\fR.
a512de
+parameter must be one of \fBstandard\fR, \fBinterim\fR or \fBnone\fR.
a512de
 The \fIddns-update-style\fR statement is only meaningful in the outer
a512de
 scope - it is evaluated once after reading the dhcpd.conf file, rather
a512de
 than each time a client is assigned an IP address, so there is no way
a512de
@@ -2186,16 +2080,15 @@ statement
a512de
 .B do-forward-updates \fIflag\fB;\fR
a512de
 .PP
a512de
 The \fIdo-forward-updates\fR statement instructs the DHCP server as
a512de
-to whether it should attempt to update a DHCP client's A record
a512de
+to whether it should attempt to update a DHCP client\'s A record
a512de
 when the client acquires or renews a lease.  This statement has no
a512de
-effect unless DNS updates are enabled and \fBddns-update-style\fR is
a512de
-set to \fBinterim\fR.  Forward updates are enabled by default.  If
a512de
-this statement is used to disable forward updates, the DHCP server
a512de
-will never attempt to update the client's A record, and will only ever
a512de
-attempt to update the client's PTR record if the client supplies an
a512de
-FQDN that should be placed in the PTR record using the fqdn option.
a512de
-If forward updates are enabled, the DHCP server will still honor the
a512de
-setting of the \fBclient-updates\fR flag.
a512de
+effect unless DNS updates are enabled.  Forward updates are enabled
a512de
+by default.  If this statement is used to disable forward updates,
a512de
+the DHCP server will never attempt to update the client\'s A record,
a512de
+and will only ever attempt to update the client\'s PTR record if the
a512de
+client supplies an FQDN that should be placed in the PTR record using
a512de
+the \fBfqdn\fR option.  If forward updates are enabled, the DHCP server
a512de
+will still honor the setting of the \fBclient-updates\fR flag.
a512de
 .RE
a512de
 .PP
a512de
 The
a512de
@@ -2747,7 +2640,7 @@ on which the request arrived.
a512de
 The usual case where the
a512de
 \fIserver-identifier\fR statement needs to be sent is when a physical
a512de
 interface has more than one IP address, and the one being sent by default
a512de
-isn't appropriate for some or all clients served by that interface.
a512de
+isn\'t appropriate for some or all clients served by that interface.
a512de
 Another common case is when an alias is defined for the purpose of
a512de
 having a consistent IP address for the DHCP server, and it is desired
a512de
 that the clients use this IP address when contacting the server.
a512de
diff --git a/server/stables.c b/server/stables.c
a512de
index 6a900c8..8ef8bf2 100644
a512de
--- a/server/stables.c
a512de
+++ b/server/stables.c
a512de
@@ -3,7 +3,7 @@
a512de
    Tables of information only used by server... */
a512de
 
a512de
 /*
a512de
- * Copyright (c) 2004-2011 by Internet Systems Consortium, Inc. ("ISC")
a512de
+ * Copyright (c) 2004-2011,2013 by Internet Systems Consortium, Inc. ("ISC")
a512de
  * Copyright (c) 1995-2003 by Internet Software Consortium
a512de
  *
a512de
  * Permission to use, copy, modify, and distribute this software for any
a512de
@@ -330,6 +330,7 @@ struct enumeration_value ddns_styles_values [] = {
a512de
 	{ "none", 0 },
a512de
 	{ "ad-hoc", 1 },
a512de
 	{ "interim", 2 },
a512de
+	{ "standard", 3 },
a512de
 	{ (char *)0, 0 }
a512de
 };
a512de