310562
From 620b1c9d90d0a59a0d892fef089ce4f5f6f61742 Mon Sep 17 00:00:00 2001
310562
From: Tomas Hozza <thozza@redhat.com>
310562
Date: Fri, 1 Apr 2016 15:20:27 +0200
310562
Subject: [PATCH] Added support for CAA records
310562
310562
Signed-off-by: Tomas Hozza <thozza@redhat.com>
310562
---
310562
 bin/tests/rdata_test.c           |   17 +-
310562
 doc/rfc/rfc6844.txt              | 1011 ++++++++++++++++++++++++++++++++++++++
310562
 lib/dns/rdata.c                  |   95 ++--
310562
 lib/dns/rdata/generic/caa_257.c  |  370 ++++++++++++++
310562
 lib/dns/rdata/generic/caa_257.h  |   32 ++
310562
 lib/dns/rdata/generic/gpos_27.c  |    2 +-
310562
 lib/dns/rdata/generic/hinfo_13.c |    4 +-
310562
 lib/dns/rdata/generic/isdn_20.c  |    4 +-
310562
 lib/dns/rdata/generic/naptr_35.c |    6 +-
310562
 lib/dns/rdata/generic/spf_99.c   |    2 +-
310562
 lib/dns/rdata/generic/txt_16.c   |    2 +-
310562
 lib/dns/rdata/generic/uri_256.c  |   23 +-
310562
 lib/dns/rdata/generic/x25_19.c   |    2 +-
310562
 13 files changed, 1478 insertions(+), 92 deletions(-)
310562
 create mode 100644 doc/rfc/rfc6844.txt
310562
 create mode 100644 lib/dns/rdata/generic/caa_257.c
310562
 create mode 100644 lib/dns/rdata/generic/caa_257.h
310562
310562
diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c
310562
index 51cc406..0f25364 100644
310562
--- a/bin/tests/rdata_test.c
310562
+++ b/bin/tests/rdata_test.c
310562
@@ -15,8 +15,6 @@
310562
  * PERFORMANCE OF THIS SOFTWARE.
310562
  */
310562
 
310562
-/* $Id: rdata_test.c,v 1.52 2011/08/28 09:10:41 marka Exp $ */
310562
-
310562
 #include <config.h>
310562
 
310562
 #include <stdlib.h>
310562
@@ -284,6 +282,11 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
310562
 		result = dns_rdata_tostruct(rdata, sp = &uri, NULL);
310562
 		break;
310562
 	}
310562
+	case dns_rdatatype_caa: {
310562
+		static dns_rdata_caa_t caa;
310562
+		result = dns_rdata_tostruct(rdata, sp = &caa, NULL);
310562
+		break;
310562
+	}
310562
 	case dns_rdatatype_wks: {
310562
 		static dns_rdata_in_wks_t in_wks;
310562
 		result = dns_rdata_tostruct(rdata, sp = &in_wks, NULL);
310562
@@ -551,6 +554,11 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
310562
 		result = dns_rdata_tostruct(rdata, sp = &uri, mctx);
310562
 		break;
310562
 	}
310562
+	case dns_rdatatype_caa: {
310562
+		static dns_rdata_caa_t caa;
310562
+		result = dns_rdata_tostruct(rdata, sp = &caa, mctx);
310562
+		break;
310562
+	}
310562
 	case dns_rdatatype_wks: {
310562
 		static dns_rdata_in_wks_t in_wks;
310562
 		result = dns_rdata_tostruct(rdata, sp = &in_wks, mctx);
310562
@@ -848,6 +856,11 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
310562
 		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &uri, b);
310562
 		break;
310562
 	}
310562
+	case dns_rdatatype_caa: {
310562
+		dns_rdata_caa_t caa;
310562
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &caa, b);
310562
+		break;
310562
+	}
310562
 	case dns_rdatatype_wks: {
310562
 		dns_rdata_in_wks_t in_wks;
310562
 		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_wks, b);
310562
diff --git a/doc/rfc/rfc6844.txt b/doc/rfc/rfc6844.txt
310562
new file mode 100644
310562
index 0000000..d923649
310562
--- /dev/null
310562
+++ b/doc/rfc/rfc6844.txt
310562
@@ -0,0 +1,1011 @@
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Internet Engineering Task Force (IETF)                   P. Hallam-Baker
310562
+Request for Comments: 6844                            Comodo Group, Inc.
310562
+Category: Standards Track                                   R. Stradling
310562
+ISSN: 2070-1721                                          Comodo CA, Ltd.
310562
+                                                            January 2013
310562
+
310562
+
310562
+    DNS Certification Authority Authorization (CAA) Resource Record
310562
+
310562
+Abstract
310562
+
310562
+   The Certification Authority Authorization (CAA) DNS Resource Record
310562
+   allows a DNS domain name holder to specify one or more Certification
310562
+   Authorities (CAs) authorized to issue certificates for that domain.
310562
+   CAA Resource Records allow a public Certification Authority to
310562
+   implement additional controls to reduce the risk of unintended
310562
+   certificate mis-issue.  This document defines the syntax of the CAA
310562
+   record and rules for processing CAA records by certificate issuers.
310562
+
310562
+Status of This Memo
310562
+
310562
+   This is an Internet Standards Track document.
310562
+
310562
+   This document is a product of the Internet Engineering Task Force
310562
+   (IETF).  It represents the consensus of the IETF community.  It has
310562
+   received public review and has been approved for publication by the
310562
+   Internet Engineering Steering Group (IESG).  Further information on
310562
+   Internet Standards is available in Section 2 of RFC 5741.
310562
+
310562
+   Information about the current status of this document, any errata,
310562
+   and how to provide feedback on it may be obtained at
310562
+   http://www.rfc-editor.org/info/rfc6844.
310562
+
310562
+Copyright Notice
310562
+
310562
+   Copyright (c) 2013 IETF Trust and the persons identified as the
310562
+   document authors.  All rights reserved.
310562
+
310562
+   This document is subject to BCP 78 and the IETF Trust's Legal
310562
+   Provisions Relating to IETF Documents
310562
+   (http://trustee.ietf.org/license-info) in effect on the date of
310562
+   publication of this document.  Please review these documents
310562
+   carefully, as they describe your rights and restrictions with respect
310562
+   to this document.  Code Components extracted from this document must
310562
+   include Simplified BSD License text as described in Section 4.e of
310562
+   the Trust Legal Provisions and are provided without warranty as
310562
+   described in the Simplified BSD License.
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                    [Page 1]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+Table of Contents
310562
+
310562
+   1. Introduction ....................................................2
310562
+   2. Definitions .....................................................3
310562
+      2.1. Requirements Language ......................................3
310562
+      2.2. Defined Terms ..............................................3
310562
+   3. The CAA RR Type .................................................5
310562
+   4. Certification Authority Processing ..............................7
310562
+      4.1. Use of DNS Security ........................................8
310562
+   5. Mechanism .......................................................8
310562
+      5.1. Syntax .....................................................8
310562
+           5.1.1. Canonical Presentation Format ......................10
310562
+      5.2. CAA issue Property ........................................10
310562
+      5.3. CAA issuewild Property ....................................12
310562
+      5.4. CAA iodef Property ........................................12
310562
+   6. Security Considerations ........................................13
310562
+      6.1. Non-Compliance by Certification Authority .................13
310562
+      6.2. Mis-Issue by Authorized Certification Authority ...........13
310562
+      6.3. Suppression or Spoofing of CAA Records ....................13
310562
+      6.4. Denial of Service .........................................14
310562
+      6.5. Abuse of the Critical Flag ................................14
310562
+   7. IANA Considerations ............................................14
310562
+      7.1. Registration of the CAA Resource Record Type ..............14
310562
+      7.2. Certification Authority Restriction Properties ............15
310562
+      7.3. Certification Authority Restriction Flags .................15
310562
+   8. Acknowledgements ...............................................16
310562
+   9. References .....................................................16
310562
+      9.1. Normative References ......................................16
310562
+      9.2. Informative References ....................................17
310562
+
310562
+1.  Introduction
310562
+
310562
+   The Certification Authority Authorization (CAA) DNS Resource Record
310562
+   allows a DNS domain name holder to specify the Certification
310562
+   Authorities (CAs) authorized to issue certificates for that domain.
310562
+   Publication of CAA Resource Records allows a public Certification
310562
+   Authority to implement additional controls to reduce the risk of
310562
+   unintended certificate mis-issue.
310562
+
310562
+   Like the TLSA record defined in DNS-Based Authentication of Named
310562
+   Entities (DANE) [RFC6698], CAA records are used as a part of a
310562
+   mechanism for checking PKIX certificate data.  The distinction
310562
+   between the two specifications is that CAA records specify an
310562
+   authorization control to be performed by a certificate issuer before
310562
+   issue of a certificate and TLSA records specify a verification
310562
+   control to be performed by a relying party after the certificate is
310562
+   issued.
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                    [Page 2]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   Conformance with a published CAA record is a necessary but not
310562
+   sufficient condition for issuance of a certificate.  Before issuing a
310562
+   certificate, a PKIX CA is required to validate the request according
310562
+   to the policies set out in its Certificate Policy.  In the case of a
310562
+   public CA that validates certificate requests as a third party, the
310562
+   certificate will typically be issued under a public trust anchor
310562
+   certificate embedded in one or more relevant Relying Applications.
310562
+
310562
+   Criteria for inclusion of embedded trust anchor certificates in
310562
+   applications are outside the scope of this document.  Typically, such
310562
+   criteria require the CA to publish a Certificate Practices Statement
310562
+   (CPS) that specifies how the requirements of the Certificate Policy
310562
+   (CP) are achieved.  It is also common for a CA to engage an
310562
+   independent third-party auditor to prepare an annual audit statement
310562
+   of its performance against its CPS.
310562
+
310562
+   A set of CAA records describes only current grants of authority to
310562
+   issue certificates for the corresponding DNS domain.  Since a
310562
+   certificate is typically valid for at least a year, it is possible
310562
+   that a certificate that is not conformant with the CAA records
310562
+   currently published was conformant with the CAA records published at
310562
+   the time that the certificate was issued.  Relying Applications MUST
310562
+   NOT use CAA records as part of certificate validation.
310562
+
310562
+   CAA records MAY be used by Certificate Evaluators as a possible
310562
+   indicator of a security policy violation.  Such use SHOULD take
310562
+   account of the possibility that published CAA records changed between
310562
+   the time a certificate was issued and the time at which the
310562
+   certificate was observed by the Certificate Evaluator.
310562
+
310562
+2.  Definitions
310562
+
310562
+2.1.  Requirements Language
310562
+
310562
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
310562
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
310562
+   document are to be interpreted as described in [RFC2119].
310562
+
310562
+2.2.  Defined Terms
310562
+
310562
+   The following terms are used in this document:
310562
+
310562
+   Authorization Entry:  An authorization assertion that grants or
310562
+      denies a specific set of permissions to a specific group of
310562
+      entities.
310562
+
310562
+   Certificate:  An X.509 Certificate, as specified in [RFC5280].
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                    [Page 3]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   Certificate Evaluator:  A party other than a relying party that
310562
+      evaluates the trustworthiness of certificates issued by
310562
+      Certification Authorities.
310562
+
310562
+   Certification Authority (CA):  An issuer that issues certificates in
310562
+      accordance with a specified Certificate Policy.
310562
+
310562
+   Certificate Policy (CP):  Specifies the criteria that a Certification
310562
+      Authority undertakes to meet in its issue of certificates.  See
310562
+      [RFC3647].
310562
+
310562
+   Certification Practices Statement (CPS):  Specifies the means by
310562
+      which the criteria of the Certificate Policy are met.  In most
310562
+      cases, this will be the document against which the operations of
310562
+      the Certification Authority are audited.  See [RFC3647].
310562
+
310562
+   Domain:  A DNS Domain Name.
310562
+
310562
+   Domain Name:  A DNS Domain Name as specified in [STD13].
310562
+
310562
+   Domain Name System (DNS):  The Internet naming system specified in
310562
+      [STD13].
310562
+
310562
+   DNS Security (DNSSEC):  Extensions to the DNS that provide
310562
+      authentication services as specified in [RFC4033], [RFC4034],
310562
+      [RFC4035], [RFC5155], and revisions.
310562
+
310562
+   Issuer:  An entity that issues certificates.  See [RFC5280].
310562
+
310562
+   Property:  The tag-value portion of a CAA Resource Record.
310562
+
310562
+   Property Tag:  The tag portion of a CAA Resource Record.
310562
+
310562
+   Property Value:  The value portion of a CAA Resource Record.
310562
+
310562
+   Public Key Infrastructure X.509 (PKIX):  Standards and specifications
310562
+      issued by the IETF that apply the [X.509] certificate standards
310562
+      specified by the ITU to Internet applications as specified in
310562
+      [RFC5280] and related documents.
310562
+
310562
+   Resource Record (RR):  A particular entry in the DNS including the
310562
+      owner name, class, type, time to live, and data, as defined in
310562
+      [STD13] and [RFC2181].
310562
+
310562
+   Resource Record Set (RRSet):  A set of Resource Records or a
310562
+      particular owner name, class, and type.  The time to live on all
310562
+      RRs with an RRSet is always the same, but the data may be
310562
+      different among RRs in the RRSet.
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                    [Page 4]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   Relying Party:  A party that makes use of an application whose
310562
+      operation depends on use of a certificate for making a security
310562
+      decision.  See [RFC5280].
310562
+
310562
+   Relying Application:  An application whose operation depends on use
310562
+      of a certificate for making a security decision.
310562
+
310562
+3.  The CAA RR Type
310562
+
310562
+   A CAA RR consists of a flags byte and a tag-value pair referred to as
310562
+   a property.  Multiple properties MAY be associated with the same
310562
+   domain name by publishing multiple CAA RRs at that domain name.  The
310562
+   following flag is defined:
310562
+
310562
+   Issuer Critical:  If set to '1', indicates that the corresponding
310562
+      property tag MUST be understood if the semantics of the CAA record
310562
+      are to be correctly interpreted by an issuer.
310562
+
310562
+      Issuers MUST NOT issue certificates for a domain if the relevant
310562
+      CAA Resource Record set contains unknown property tags that have
310562
+      the Critical bit set.
310562
+
310562
+   The following property tags are defined:
310562
+
310562
+   issue <Issuer Domain Name> [; <name>=<value> ]* :  The issue property
310562
+      entry authorizes the holder of the domain name 
310562
+      Name> or a party acting under the explicit authority of the holder
310562
+      of that domain name to issue certificates for the domain in which
310562
+      the property is published.
310562
+
310562
+   issuewild <Issuer Domain Name> [; <name>=<value> ]* :  The issuewild
310562
+      property entry authorizes the holder of the domain name 
310562
+      Domain Name> or a party acting under the explicit authority of the
310562
+      holder of that domain name to issue wildcard certificates for the
310562
+      domain in which the property is published.
310562
+
310562
+   iodef <URL> :  Specifies a URL to which an issuer MAY report
310562
+      certificate issue requests that are inconsistent with the issuer's
310562
+      Certification Practices or Certificate Policy, or that a
310562
+      Certificate Evaluator may use to report observation of a possible
310562
+      policy violation.  The Incident Object Description Exchange Format
310562
+      (IODEF) format is used [RFC5070].
310562
+
310562
+   The following example is a DNS zone file (see [RFC1035]) that informs
310562
+   CAs that certificates are not to be issued except by the holder of
310562
+   the domain name 'ca.example.net' or an authorized agent thereof.
310562
+   This policy applies to all subordinate domains under example.com.
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                    [Page 5]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   $ORIGIN example.com
310562
+   .       CAA 0 issue "ca.example.net"
310562
+
310562
+   If the domain name holder specifies one or more iodef properties, a
310562
+   certificate issuer MAY report invalid certificate requests to that
310562
+   address.  In the following example, the domain name holder specifies
310562
+   that reports may be made by means of email with the IODEF data as an
310562
+   attachment, a Web service [RFC6546], or both:
310562
+
310562
+   $ORIGIN example.com
310562
+   .       CAA 0 issue "ca.example.net"
310562
+   .       CAA 0 iodef "mailto:security@example.com"
310562
+   .       CAA 0 iodef "http://iodef.example.com/"
310562
+
310562
+   A certificate issuer MAY specify additional parameters that allow
310562
+   customers to specify additional parameters governing certificate
310562
+   issuance.  This might be the Certificate Policy under which the
310562
+   certificate is to be issued, the authentication process to be used
310562
+   might be specified, or an account number specified by the CA to
310562
+   enable these parameters to be retrieved.
310562
+
310562
+   For example, the CA 'ca.example.net' has requested its customer
310562
+   'example.com' to specify the CA's account number '230123' in each of
310562
+   the customer's CAA records.
310562
+
310562
+   $ORIGIN example.com
310562
+   .       CAA 0 issue "ca.example.net; account=230123"
310562
+
310562
+   The syntax of additional parameters is a sequence of name-value pairs
310562
+   as defined in Section 5.2.  The semantics of such parameters is left
310562
+   to site policy and is outside the scope of this document.
310562
+
310562
+   The critical flag is intended to permit future versions CAA to
310562
+   introduce new semantics that MUST be understood for correct
310562
+   processing of the record, preventing conforming CAs that do not
310562
+   recognize the new semantics from issuing certificates for the
310562
+   indicated domains.
310562
+
310562
+   In the following example, the property 'tbs' is flagged as critical.
310562
+   Neither the example.net CA nor any other issuer is authorized to
310562
+   issue under either policy unless the processing rules for the 'tbs'
310562
+   property tag are understood.
310562
+
310562
+   $ORIGIN example.com
310562
+   .       CAA 0 issue "ca.example.net; policy=ev"
310562
+   .       CAA 128 tbs "Unknown"
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                    [Page 6]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   Note that the above restrictions only apply at certificate issue.
310562
+   Since the validity of an end entity certificate is typically a year
310562
+   or more, it is quite possible that the CAA records published at a
310562
+   domain will change between the time a certificate was issued and
310562
+   validation by a relying party.
310562
+
310562
+4.  Certification Authority Processing
310562
+
310562
+   Before issuing a certificate, a compliant CA MUST check for
310562
+   publication of a relevant CAA Resource Record set.  If such a record
310562
+   set exists, a CA MUST NOT issue a certificate unless the CA
310562
+   determines that either (1) the certificate request is consistent with
310562
+   the applicable CAA Resource Record set or (2) an exception specified
310562
+   in the relevant Certificate Policy or Certification Practices
310562
+   Statement applies.
310562
+
310562
+   A certificate request MAY specify more than one domain name and MAY
310562
+   specify wildcard domains.  Issuers MUST verify authorization for all
310562
+   the domains and wildcard domains specified in the request.
310562
+
310562
+   The search for a CAA record climbs the DNS name tree from the
310562
+   specified label up to but not including the DNS root '.'.
310562
+
310562
+   Given a request for a specific domain X, or a request for a wildcard
310562
+   domain *.X, the relevant record set R(X) is determined as follows:
310562
+
310562
+   Let CAA(X) be the record set returned in response to performing a CAA
310562
+   record query on the label X, P(X) be the DNS label immediately above
310562
+   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
310562
+   alias record specified at the label X.
310562
+
310562
+   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise
310562
+
310562
+   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =
310562
+      R(A(X)), otherwise
310562
+
310562
+   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise
310562
+
310562
+   o  R(X) is empty.
310562
+
310562
+   For example, if a certificate is requested for X.Y.Z the issuer will
310562
+   search for the relevant CAA record set in the following order:
310562
+
310562
+      X.Y.Z
310562
+
310562
+      Alias (X.Y.Z)
310562
+
310562
+      Y.Z
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                    [Page 7]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+      Alias (Y.Z)
310562
+
310562
+      Z
310562
+
310562
+      Alias (Z)
310562
+
310562
+      Return Empty
310562
+
310562
+4.1.  Use of DNS Security
310562
+
310562
+   Use of DNSSEC to authenticate CAA RRs is strongly RECOMMENDED but not
310562
+   required.  An issuer MUST NOT issue certificates if doing so would
310562
+   conflict with the relevant CAA Resource Record set, irrespective of
310562
+   whether the corresponding DNS records are signed.
310562
+
310562
+   DNSSEC provides a proof of non-existence for both DNS domains and RR
310562
+   set within domains.  DNSSEC verification thus enables an issuer to
310562
+   determine if the answer to a CAA record query is empty because the RR
310562
+   set is empty or if it is non-empty but the response has been
310562
+   suppressed.
310562
+
310562
+   Use of DNSSEC allows an issuer to acquire and archive a proof that
310562
+   they were authorized to issue certificates for the domain.
310562
+   Verification of such archives MAY be an audit requirement to verify
310562
+   CAA record processing compliance.  Publication of such archives MAY
310562
+   be a transparency requirement to verify CAA record processing
310562
+   compliance.
310562
+
310562
+5.  Mechanism
310562
+
310562
+5.1.  Syntax
310562
+
310562
+   A CAA RR contains a single property entry consisting of a tag-value
310562
+   pair.  Each tag represents a property of the CAA record.  The value
310562
+   of a CAA property is that specified in the corresponding value field.
310562
+
310562
+   A domain name MAY have multiple CAA RRs associated with it and a
310562
+   given property MAY be specified more than once.
310562
+
310562
+   The CAA data field contains one property entry.  A property entry
310562
+   consists of the following data fields:
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                    [Page 8]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   +0-1-2-3-4-5-6-7-|0-1-2-3-4-5-6-7-|
310562
+   | Flags          | Tag Length = n |
310562
+   +----------------+----------------+...+---------------+
310562
+   | Tag char 0     | Tag char 1     |...| Tag char n-1  |
310562
+   +----------------+----------------+...+---------------+
310562
+   +----------------+----------------+.....+----------------+
310562
+   | Value byte 0   | Value byte 1   |.....| Value byte m-1 |
310562
+   +----------------+----------------+.....+----------------+
310562
+
310562
+   Where n is the length specified in the Tag length field and m is the
310562
+   remaining octets in the Value field (m = d - n - 2) where d is the
310562
+   length of the RDATA section.
310562
+
310562
+   The data fields are defined as follows:
310562
+
310562
+   Flags:  One octet containing the following fields:
310562
+
310562
+      Bit 0, Issuer Critical Flag:  If the value is set to '1', the
310562
+         critical flag is asserted and the property MUST be understood
310562
+         if the CAA record is to be correctly processed by a certificate
310562
+         issuer.
310562
+
310562
+         A Certification Authority MUST NOT issue certificates for any
310562
+         Domain that contains a CAA critical property for an unknown or
310562
+         unsupported property tag that for which the issuer critical
310562
+         flag is set.
310562
+
310562
+      Note that according to the conventions set out in [RFC1035], bit 0
310562
+      is the Most Significant Bit and bit 7 is the Least Significant
310562
+      Bit. Thus, the Flags value 1 means that bit 7 is set while a value
310562
+      of 128 means that bit 0 is set according to this convention.
310562
+
310562
+      All other bit positions are reserved for future use.
310562
+
310562
+      To ensure compatibility with future extensions to CAA, DNS records
310562
+      compliant with this version of the CAA specification MUST clear
310562
+      (set to "0") all reserved flags bits.  Applications that interpret
310562
+      CAA records MUST ignore the value of all reserved flag bits.
310562
+
310562
+   Tag Length:  A single octet containing an unsigned integer specifying
310562
+      the tag length in octets.  The tag length MUST be at least 1 and
310562
+      SHOULD be no more than 15.
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                    [Page 9]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   Tag:  The property identifier, a sequence of US-ASCII characters.
310562
+
310562
+      Tag values MAY contain US-ASCII characters 'a' through 'z', 'A'
310562
+      through 'Z', and the numbers 0 through 9.  Tag values SHOULD NOT
310562
+      contain any other characters.  Matching of tag values is case
310562
+      insensitive.
310562
+
310562
+      Tag values submitted for registration by IANA MUST NOT contain any
310562
+      characters other than the (lowercase) US-ASCII characters 'a'
310562
+      through 'z' and the numbers 0 through 9.
310562
+
310562
+   Value:  A sequence of octets representing the property value.
310562
+      Property values are encoded as binary values and MAY employ sub-
310562
+      formats.
310562
+
310562
+      The length of the value field is specified implicitly as the
310562
+      remaining length of the enclosing Resource Record data field.
310562
+
310562
+5.1.1.  Canonical Presentation Format
310562
+
310562
+   The canonical presentation format of the CAA record is:
310562
+
310562
+   CAA <flags> <tag> <value>
310562
+
310562
+   Where:
310562
+
310562
+   Flags:  Is an unsigned integer between 0 and 255.
310562
+
310562
+   Tag:  Is a non-zero sequence of US-ASCII letters and numbers in lower
310562
+      case.
310562
+
310562
+   Value:  Is the <character-string> encoding of the value field as
310562
+      specified in [RFC1035], Section 5.1.
310562
+
310562
+5.2.  CAA issue Property
310562
+
310562
+   The issue property tag is used to request that certificate issuers
310562
+   perform CAA issue restriction processing for the domain and to grant
310562
+   authorization to specific certificate issuers.
310562
+
310562
+   The CAA issue property value has the following sub-syntax (specified
310562
+   in ABNF as per [RFC5234]).
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                   [Page 10]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   issuevalue  = space [domain] space [";" *(space parameter) space]
310562
+
310562
+   domain = label *("." label)
310562
+   label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
310562
+
310562
+   space = *(SP / HTAB)
310562
+
310562
+   parameter =  tag "=" value
310562
+
310562
+   tag = 1*(ALPHA / DIGIT)
310562
+
310562
+   value = *VCHAR
310562
+
310562
+   For consistency with other aspects of DNS administration, domain name
310562
+   values are specified in letter-digit-hyphen Label (LDH-Label) form.
310562
+
310562
+   A CAA record with an issue parameter tag that does not specify a
310562
+   domain name is a request that certificate issuers perform CAA issue
310562
+   restriction processing for the corresponding domain without granting
310562
+   authorization to any certificate issuer.
310562
+
310562
+   This form of issue restriction would be appropriate to specify that
310562
+   no certificates are to be issued for the domain in question.
310562
+
310562
+   For example, the following CAA record set requests that no
310562
+   certificates be issued for the domain 'nocerts.example.com' by any
310562
+   certificate issuer.
310562
+
310562
+   nocerts.example.com       CAA 0 issue ";"
310562
+
310562
+   A CAA record with an issue parameter tag that specifies a domain name
310562
+   is a request that certificate issuers perform CAA issue restriction
310562
+   processing for the corresponding domain and grants authorization to
310562
+   the certificate issuer specified by the domain name.
310562
+
310562
+   For example, the following CAA record set requests that no
310562
+   certificates be issued for the domain 'certs.example.com' by any
310562
+   certificate issuer other than the example.net certificate issuer.
310562
+
310562
+   certs.example.com       CAA 0 issue "example.net"
310562
+
310562
+   CAA authorizations are additive; thus, the result of specifying both
310562
+   the empty issuer and a specified issuer is the same as specifying
310562
+   just the specified issuer alone.
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                   [Page 11]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   An issuer MAY choose to specify issuer-parameters that further
310562
+   constrain the issue of certificates by that issuer, for example,
310562
+   specifying that certificates are to be subject to specific validation
310562
+   polices, billed to certain accounts, or issued under specific trust
310562
+   anchors.
310562
+
310562
+   The semantics of issuer-parameters are determined by the issuer
310562
+   alone.
310562
+
310562
+5.3.  CAA issuewild Property
310562
+
310562
+   The issuewild property has the same syntax and semantics as the issue
310562
+   property except that issuewild properties only grant authorization to
310562
+   issue certificates that specify a wildcard domain and issuewild
310562
+   properties take precedence over issue properties when specified.
310562
+   Specifically:
310562
+
310562
+      issuewild properties MUST be ignored when processing a request for
310562
+      a domain that is not a wildcard domain.
310562
+
310562
+      If at least one issuewild property is specified in the relevant
310562
+      CAA record set, all issue properties MUST be ignored when
310562
+      processing a request for a domain that is a wildcard domain.
310562
+
310562
+5.4.  CAA iodef Property
310562
+
310562
+   The iodef property specifies a means of reporting certificate issue
310562
+   requests or cases of certificate issue for the corresponding domain
310562
+   that violate the security policy of the issuer or the domain name
310562
+   holder.
310562
+
310562
+   The Incident Object Description Exchange Format (IODEF) [RFC5070] is
310562
+   used to present the incident report in machine-readable form.
310562
+
310562
+   The iodef property takes a URL as its parameter.  The URL scheme type
310562
+   determines the method used for reporting:
310562
+
310562
+   mailto:  The IODEF incident report is reported as a MIME email
310562
+      attachment to an SMTP email that is submitted to the mail address
310562
+      specified.  The mail message sent SHOULD contain a brief text
310562
+      message to alert the recipient to the nature of the attachment.
310562
+
310562
+   http or https:  The IODEF report is submitted as a Web service
310562
+      request to the HTTP address specified using the protocol specified
310562
+      in [RFC6546].
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                   [Page 12]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+6.  Security Considerations
310562
+
310562
+   CAA records assert a security policy that the holder of a domain name
310562
+   wishes to be observed by certificate issuers.  The effectiveness of
310562
+   CAA records as an access control mechanism is thus dependent on
310562
+   observance of CAA constraints by issuers.
310562
+
310562
+   The objective of the CAA record properties described in this document
310562
+   is to reduce the risk of certificate mis-issue rather than avoid
310562
+   reliance on a certificate that has been mis-issued.  DANE [RFC6698]
310562
+   describes a mechanism for avoiding reliance on mis-issued
310562
+   certificates.
310562
+
310562
+6.1.  Non-Compliance by Certification Authority
310562
+
310562
+   CAA records offer CAs a cost-effective means of mitigating the risk
310562
+   of certificate mis-issue: the cost of implementing CAA checks is very
310562
+   small and the potential costs of a mis-issue event include the
310562
+   removal of an embedded trust anchor.
310562
+
310562
+6.2.  Mis-Issue by Authorized Certification Authority
310562
+
310562
+   Use of CAA records does not prevent mis-issue by an authorized
310562
+   Certification Authority, i.e., a CA that is authorized to issue
310562
+   certificates for the domain in question by CAA records.
310562
+
310562
+   Domain name holders SHOULD verify that the CAs they authorize to
310562
+   issue certificates for their domains employ appropriate controls to
310562
+   ensure that certificates are issued only to authorized parties within
310562
+   their organization.
310562
+
310562
+   Such controls are most appropriately determined by the domain name
310562
+   holder and the authorized CA(s) directly and are thus out of scope of
310562
+   this document.
310562
+
310562
+6.3.  Suppression or Spoofing of CAA Records
310562
+
310562
+   Suppression of the CAA record or insertion of a bogus CAA record
310562
+   could enable an attacker to obtain a certificate from an issuer that
310562
+   was not authorized to issue for that domain name.
310562
+
310562
+   Where possible, issuers SHOULD perform DNSSEC validation to detect
310562
+   missing or modified CAA record sets.
310562
+
310562
+   In cases where DNSSEC is not deployed in a corresponding domain, an
310562
+   issuer SHOULD attempt to mitigate this risk by employing appropriate
310562
+   DNS security controls.  For example, all portions of the DNS lookup
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                   [Page 13]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   process SHOULD be performed against the authoritative name server.
310562
+   Data cached by third parties MUST NOT be relied on but MAY be used to
310562
+   support additional anti-spoofing or anti-suppression controls.
310562
+
310562
+6.4.  Denial of Service
310562
+
310562
+   Introduction of a malformed or malicious CAA RR could in theory
310562
+   enable a Denial-of-Service (DoS) attack.
310562
+
310562
+   This specific threat is not considered to add significantly to the
310562
+   risk of running an insecure DNS service.
310562
+
310562
+   An attacker could, in principle, perform a DoS attack against an
310562
+   issuer by requesting a certificate with a maliciously long DNS name.
310562
+   In practice, the DNS protocol imposes a maximum name length and CAA
310562
+   processing does not exacerbate the existing need to mitigate DoS
310562
+   attacks to any meaningful degree.
310562
+
310562
+6.5.  Abuse of the Critical Flag
310562
+
310562
+   A Certification Authority could make use of the critical flag to
310562
+   trick customers into publishing records that prevent competing
310562
+   Certification Authorities from issuing certificates even though the
310562
+   customer intends to authorize multiple providers.
310562
+
310562
+   In practice, such an attack would be of minimal effect since any
310562
+   competent competitor that found itself unable to issue certificates
310562
+   due to lack of support for a property marked critical SHOULD
310562
+   investigate the cause and report the reason to the customer.  The
310562
+   customer will thus discover that they had been deceived.
310562
+
310562
+7.  IANA Considerations
310562
+
310562
+7.1.  Registration of the CAA Resource Record Type
310562
+
310562
+   IANA has assigned Resource Record Type 257 for the CAA Resource
310562
+   Record Type and added the line depicted below to the registry named
310562
+   "Resource Record (RR) TYPEs" and QTYPEs as defined in BCP 42
310562
+   [RFC6195] and located at
310562
+   http://www.iana.org/assignments/dns-parameters.
310562
+
310562
+ RR Name      Value and meaning                                Reference
310562
+ -----------  ---------------------------------------------    ---------
310562
+ CAA          257 Certification Authority Restriction          [RFC6844]
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                   [Page 14]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+7.2.  Certification Authority Restriction Properties
310562
+
310562
+   IANA has created the "Certification Authority Restriction Properties"
310562
+   registry with the following initial values:
310562
+
310562
+
310562
+   Tag          Meaning                                Reference
310562
+   -----------  -------------------------------------- ---------
310562
+   issue        Authorization Entry by Domain          [RFC6844]
310562
+   issuewild    Authorization Entry by Wildcard Domain [RFC6844]
310562
+   iodef        Report incident by IODEF report        [RFC6844]
310562
+   auth         Reserved                               [HB2011]
310562
+   path         Reserved                               [HB2011]
310562
+   policy       Reserved                               [HB2011]
310562
+
310562
+
310562
+   Although [HB2011] has expired, deployed clients implement the CAA
310562
+   properties specified in the document and reuse of these property tags
310562
+   for a different purpose could cause unexpected behavior.
310562
+
310562
+   Addition of tag identifiers requires a public specification and
310562
+   Expert Review as set out in [RFC6195], Section 3.1.1.
310562
+
310562
+   The tag space is designed to be sufficiently large that exhausting
310562
+   the possible tag space need not be a concern.  The scope of Expert
310562
+   Review SHOULD be limited to the question of whether the specification
310562
+   provided is sufficiently clear to permit implementation and to avoid
310562
+   unnecessary duplication of functionality.
310562
+
310562
+7.3.  Certification Authority Restriction Flags
310562
+
310562
+   IANA has created the "Certification Authority Restriction Flags"
310562
+   registry with the following initial values:
310562
+
310562
+
310562
+             Flag         Meaning                            Reference
310562
+   -----------  ---------------------------------- ---------
310562
+   0            Issuer Critical Flag               [RFC6844]
310562
+   1-7          Reserved>                          [RFC6844]
310562
+
310562
+   Assignment of new flags follows the RFC Required policy set out in
310562
+   [RFC5226], Section 4.1.
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                   [Page 15]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+8.  Acknowledgements
310562
+
310562
+   The authors would like to thank the following people who contributed
310562
+   to the design and documentation of this work item: Chris Evans,
310562
+   Stephen Farrell, Jeff Hodges, Paul Hoffman, Stephen Kent, Adam
310562
+   Langley, Ben Laurie, James Manager, Chris Palmer, Scott Schmit, Sean
310562
+   Turner, and Ben Wilson.
310562
+
310562
+9.  References
310562
+
310562
+9.1.  Normative References
310562
+
310562
+   [RFC1035]  Mockapetris, P., "Domain names - implementation and
310562
+              specification", STD 13, RFC 1035, November 1987.
310562
+
310562
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
310562
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
310562
+
310562
+   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
310562
+              Specification", RFC 2181, July 1997.
310562
+
310562
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
310562
+              Rose, "DNS Security Introduction and Requirements",
310562
+              RFC 4033, March 2005.
310562
+
310562
+   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
310562
+              Rose, "Resource Records for the DNS Security Extensions",
310562
+              RFC 4034, March 2005.
310562
+
310562
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
310562
+              Rose, "Protocol Modifications for the DNS Security
310562
+              Extensions", RFC 4035, March 2005.
310562
+
310562
+   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
310562
+              Object Description Exchange Format", RFC 5070,
310562
+              December 2007.
310562
+
310562
+   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
310562
+              Security (DNSSEC) Hashed Authenticated Denial of
310562
+              Existence", RFC 5155, March 2008.
310562
+
310562
+   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
310562
+              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
310562
+              May 2008.
310562
+
310562
+   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
310562
+              Specifications: ABNF", STD 68, RFC 5234, January 2008.
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                   [Page 16]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
310562
+              Housley, R., and W. Polk, "Internet X.509 Public Key
310562
+              Infrastructure Certificate and Certificate Revocation List
310562
+              (CRL) Profile", RFC 5280, May 2008.
310562
+
310562
+   [RFC6195]  Eastlake, D., "Domain Name System (DNS) IANA
310562
+              Considerations", BCP 42, RFC 6195, March 2011.
310562
+
310562
+   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
310562
+              Defense (RID) Messages over HTTP/TLS", RFC 6546,
310562
+              April 2012.
310562
+
310562
+   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
310562
+              of Named Entities (DANE) Transport Layer Security (TLS)
310562
+              Protocol: TLSA", RFC 6698, August 2012.
310562
+
310562
+   [STD13]    Mockapetris, P., "Domain names - concepts and facilities",
310562
+              STD 13, RFC 1034, November 1987.
310562
+
310562
+              Mockapetris, P., "Domain names - implementation and
310562
+              specification", STD 13, RFC 1035, November 1987.
310562
+
310562
+   [X.509]    International Telecommunication Union, "ITU-T
310562
+              Recommendation X.509 (11/2008): Information technology -
310562
+              Open systems interconnection - The Directory: Public-key
310562
+              and attribute certificate frameworks", ITU-T
310562
+              Recommendation X.509, November 2008.
310562
+
310562
+9.2.  Informative References
310562
+
310562
+   [HB2011]   Hallam-Baker, P., Stradling, R., and B. Laurie, "DNS
310562
+              Certification Authority Authorization (CAA) Resource
310562
+              Record", Work in Progress, May 2011.
310562
+
310562
+   [RFC3647]  Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S.
310562
+              Wu, "Internet X.509 Public Key Infrastructure Certificate
310562
+              Policy and Certification Practices Framework", RFC 3647,
310562
+              November 2003.
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                   [Page 17]
310562
+
310562
+RFC 6844          Certification Authority Authorization     January 2013
310562
+
310562
+
310562
+Authors' Addresses
310562
+
310562
+   Phillip Hallam-Baker
310562
+   Comodo Group, Inc.
310562
+
310562
+   EMail: philliph@comodo.com
310562
+
310562
+
310562
+   Rob Stradling
310562
+   Comodo CA, Ltd.
310562
+
310562
+   EMail: rob.stradling@comodo.com
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+
310562
+Hallam-Baker & Stradling     Standards Track                   [Page 18]
310562
+
310562
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
310562
index a83dab4..9bf83a4 100644
310562
--- a/lib/dns/rdata.c
310562
+++ b/lib/dns/rdata.c
310562
@@ -116,7 +116,7 @@ typedef struct dns_rdata_textctx {
310562
 } dns_rdata_textctx_t;
310562
 
310562
 static isc_result_t
310562
-txt_totext(isc_region_t *source, isc_buffer_t *target);
310562
+txt_totext(isc_region_t *source, isc_boolean_t quote, isc_buffer_t *target);
310562
 
310562
 static isc_result_t
310562
 txt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
310562
@@ -130,9 +130,6 @@ multitxt_totext(isc_region_t *source, isc_buffer_t *target);
310562
 static isc_result_t
310562
 multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
310562
 
310562
-static isc_result_t
310562
-multitxt_fromwire(isc_buffer_t *source, isc_buffer_t *target);
310562
-
310562
 static isc_boolean_t
310562
 name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target);
310562
 
310562
@@ -1131,7 +1128,7 @@ name_length(dns_name_t *name) {
310562
 }
310562
 
310562
 static isc_result_t
310562
-txt_totext(isc_region_t *source, isc_buffer_t *target) {
310562
+txt_totext(isc_region_t *source, isc_boolean_t quote, isc_buffer_t *target) {
310562
 	unsigned int tl;
310562
 	unsigned int n;
310562
 	unsigned char *sp;
310562
@@ -1146,13 +1143,20 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) {
310562
 	n = *sp++;
310562
 
310562
 	REQUIRE(n + 1 <= source->length);
310562
+	if (n == 0U)
310562
+		REQUIRE(quote == ISC_TRUE);
310562
 
310562
-	if (tl < 1)
310562
-		return (ISC_R_NOSPACE);
310562
-	*tp++ = '"';
310562
-	tl--;
310562
+	if (quote) {
310562
+		if (tl < 1)
310562
+			return (ISC_R_NOSPACE);
310562
+		*tp++ = '"';
310562
+		tl--;
310562
+	}
310562
 	while (n--) {
310562
-		if (*sp < 0x20 || *sp >= 0x7f) {
310562
+		/*
310562
+		 * \DDD space (0x20) if not quoting.
310562
+		 */
310562
+		if (*sp < (quote ? 0x20 : 0x21) || *sp >= 0x7f) {
310562
 			if (tl < 4)
310562
 				return (ISC_R_NOSPACE);
310562
 			*tp++ = 0x5c;
310562
@@ -1163,8 +1167,13 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) {
310562
 			tl -= 4;
310562
 			continue;
310562
 		}
310562
-		/* double quote, semi-colon, backslash */
310562
-		if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c) {
310562
+		/*
310562
+		 * Escape double quote, semi-colon, backslash.
310562
+		 * If we are not enclosing the string in double
310562
+		 * quotes also escape at sign.
310562
+		 */
310562
+		if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c ||
310562
+		    (!quote && *sp == 0x40)) {
310562
 			if (tl < 2)
310562
 				return (ISC_R_NOSPACE);
310562
 			*tp++ = '\\';
310562
@@ -1175,10 +1184,12 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) {
310562
 		*tp++ = *sp++;
310562
 		tl--;
310562
 	}
310562
-	if (tl < 1)
310562
-		return (ISC_R_NOSPACE);
310562
-	*tp++ = '"';
310562
-	tl--;
310562
+	if (quote) {
310562
+		if (tl < 1)
310562
+			return (ISC_R_NOSPACE);
310562
+		*tp++ = '"';
310562
+		tl--;
310562
+	}
310562
 	isc_buffer_add(target, tp - (char *)region.base);
310562
 	isc_region_consume(source, *source->base + 1);
310562
 	return (ISC_R_SUCCESS);
310562
@@ -1274,6 +1285,9 @@ txt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
310562
 	return (ISC_R_SUCCESS);
310562
 }
310562
 
310562
+/*
310562
+ * Conversion of TXT-like rdata fields without length limits.
310562
+ */
310562
 static isc_result_t
310562
 multitxt_totext(isc_region_t *source, isc_buffer_t *target) {
310562
 	unsigned int tl;
310562
@@ -1292,9 +1306,8 @@ multitxt_totext(isc_region_t *source, isc_buffer_t *target) {
310562
 	*tp++ = '"';
310562
 	tl--;
310562
 	do {
310562
-		n0 = n = *sp++;
310562
-
310562
-		REQUIRE(n0 + 1 <= source->length);
310562
+		n = source->length;
310562
+		n0 = source->length - 1;
310562
 
310562
 		while (n--) {
310562
 			if (*sp < 0x20 || *sp >= 0x7f) {
310562
@@ -1346,17 +1359,11 @@ multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
310562
 
310562
 	do {
310562
 		isc_buffer_availableregion(target, &tregion);
310562
-		t0 = tregion.base;
310562
+		t0 = t = tregion.base;
310562
 		nrem = tregion.length;
310562
 		if (nrem < 1)
310562
 			return (ISC_R_NOSPACE);
310562
-		/* length byte */
310562
-		t = t0;
310562
-		nrem--;
310562
-		t++;
310562
-		/* 255 byte character-string slice */
310562
-		if (nrem > 255)
310562
-			nrem = 255;
310562
+
310562
 		while (n != 0) {
310562
 			--n;
310562
 			c = (*s++) & 0xff;
310562
@@ -1390,39 +1397,9 @@ multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
310562
 		}
310562
 		if (escape)
310562
 			return (DNS_R_SYNTAX);
310562
-		*t0 = t - t0 - 1;
310562
-		isc_buffer_add(target, *t0 + 1);
310562
-	} while (n != 0);
310562
-	return (ISC_R_SUCCESS);
310562
-}
310562
-
310562
-static isc_result_t
310562
-multitxt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
310562
-	unsigned int n;
310562
-	isc_region_t sregion;
310562
-	isc_region_t tregion;
310562
-
310562
-	isc_buffer_activeregion(source, &sregion);
310562
-	if (sregion.length == 0)
310562
-		return(ISC_R_UNEXPECTEDEND);
310562
-	n = 256U;
310562
-	do {
310562
-		if (n != 256U)
310562
-			return (DNS_R_SYNTAX);
310562
-		n = *sregion.base + 1;
310562
-		if (n > sregion.length)
310562
-			return (ISC_R_UNEXPECTEDEND);
310562
 
310562
-		isc_buffer_availableregion(target, &tregion);
310562
-		if (n > tregion.length)
310562
-			return (ISC_R_NOSPACE);
310562
-
310562
-		if (tregion.base != sregion.base)
310562
-			memcpy(tregion.base, sregion.base, n);
310562
-		isc_buffer_forward(source, n);
310562
-		isc_buffer_add(target, n);
310562
-		isc_buffer_activeregion(source, &sregion);
310562
-	} while (sregion.length != 0);
310562
+		isc_buffer_add(target, t - t0);
310562
+	} while (n != 0);
310562
 	return (ISC_R_SUCCESS);
310562
 }
310562
 
310562
diff --git a/lib/dns/rdata/generic/caa_257.c b/lib/dns/rdata/generic/caa_257.c
310562
new file mode 100644
310562
index 0000000..671f332
310562
--- /dev/null
310562
+++ b/lib/dns/rdata/generic/caa_257.c
310562
@@ -0,0 +1,370 @@
310562
+/*
310562
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
310562
+ *
310562
+ * Permission to use, copy, modify, and/or distribute this software for any
310562
+ * purpose with or without fee is hereby granted, provided that the above
310562
+ * copyright notice and this permission notice appear in all copies.
310562
+ *
310562
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
310562
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
310562
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
310562
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
310562
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
310562
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
310562
+ * PERFORMANCE OF THIS SOFTWARE.
310562
+ */
310562
+
310562
+#ifndef GENERIC_CAA_257_C
310562
+#define GENERIC_CAA_257_C 1
310562
+
310562
+#define RRTYPE_CAA_ATTRIBUTES (0)
310562
+
310562
+static unsigned char const alphanumeric[256] = {
310562
+	/* 0x00-0x0f */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+	/* 0x10-0x1f */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+	/* 0x20-0x2f */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+	/* 0x30-0x3f */ 1, 1, 1, 1, 1, 1, 1, 1,  1, 1, 0, 0, 0, 0, 0, 0,
310562
+	/* 0x40-0x4f */ 0, 1, 1, 1, 1, 1, 1, 1,  1, 1, 1, 1, 1, 1, 1, 1,
310562
+	/* 0x50-0x5f */ 1, 1, 1, 1, 1, 1, 1, 1,  1, 1, 1, 0, 0, 0, 0, 0,
310562
+	/* 0x60-0x6f */ 0, 1, 1, 1, 1, 1, 1, 1,  1, 1, 1, 1, 1, 1, 1, 1,
310562
+	/* 0x70-0x7f */ 1, 1, 1, 1, 1, 1, 1, 1,  1, 1, 1, 0, 0, 0, 0, 0,
310562
+	/* 0x80-0x8f */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+	/* 0x90-0x9f */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+	/* 0xa0-0xaf */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+	/* 0xb0-0xbf */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+	/* 0xc0-0xcf */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+	/* 0xd0-0xdf */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+	/* 0xe0-0xef */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+	/* 0xf0-0xff */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
310562
+};
310562
+
310562
+static inline isc_result_t
310562
+fromtext_caa(ARGS_FROMTEXT) {
310562
+	isc_token_t token;
310562
+	isc_textregion_t tr;
310562
+	isc_uint8_t flags;
310562
+	unsigned int i;
310562
+
310562
+	REQUIRE(type == 257);
310562
+
310562
+	UNUSED(type);
310562
+	UNUSED(rdclass);
310562
+	UNUSED(origin);
310562
+	UNUSED(options);
310562
+	UNUSED(callbacks);
310562
+
310562
+	/* Flags. */
310562
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
310562
+				      ISC_FALSE));
310562
+	if (token.value.as_ulong > 255U)
310562
+		RETTOK(ISC_R_RANGE);
310562
+	flags = token.value.as_ulong & 255U;
310562
+	RETERR(uint8_tobuffer(flags, target));
310562
+
310562
+	/*
310562
+	 * Tag
310562
+	 */
310562
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
310562
+				      ISC_FALSE));
310562
+	tr = token.value.as_textregion;
310562
+	for (i = 0; i < tr.length; i++)
310562
+		if (!alphanumeric[(unsigned char) tr.base[i]])
310562
+			RETTOK(DNS_R_SYNTAX);
310562
+	RETERR(uint8_tobuffer(tr.length, target));
310562
+	RETERR(mem_tobuffer(target, tr.base, tr.length));
310562
+
310562
+	/*
310562
+	 * Value
310562
+	 */
310562
+	RETERR(isc_lex_getmastertoken(lexer, &token,
310562
+				      isc_tokentype_qstring, ISC_FALSE));
310562
+	if (token.type != isc_tokentype_qstring &&
310562
+	    token.type != isc_tokentype_string)
310562
+		RETERR(DNS_R_SYNTAX);
310562
+	RETERR(multitxt_fromtext(&token.value.as_textregion, target));
310562
+	return (ISC_R_SUCCESS);
310562
+}
310562
+
310562
+static inline isc_result_t
310562
+totext_caa(ARGS_TOTEXT) {
310562
+	isc_region_t region;
310562
+	isc_uint8_t flags;
310562
+	char buf[256];
310562
+
310562
+	UNUSED(tctx);
310562
+
310562
+	REQUIRE(rdata->type == 257);
310562
+	REQUIRE(rdata->length >= 3U);
310562
+	REQUIRE(rdata->data != NULL);
310562
+
310562
+	dns_rdata_toregion(rdata, &region);
310562
+
310562
+	/*
310562
+	 * Flags
310562
+	 */
310562
+	flags = uint8_consume_fromregion(&region);
310562
+	sprintf(buf, "%u ", flags);
310562
+	RETERR(str_totext(buf, target));
310562
+
310562
+	/*
310562
+	 * Tag
310562
+	 */
310562
+	RETERR(txt_totext(&region, ISC_FALSE, target));
310562
+	RETERR(str_totext(" ", target));
310562
+
310562
+	/*
310562
+	 * Value
310562
+	 */
310562
+	RETERR(multitxt_totext(&region, target));
310562
+	return (ISC_R_SUCCESS);
310562
+}
310562
+
310562
+static inline isc_result_t
310562
+fromwire_caa(ARGS_FROMWIRE) {
310562
+	isc_region_t sr;
310562
+	unsigned int len, i;
310562
+
310562
+	REQUIRE(type == 257);
310562
+
310562
+	UNUSED(type);
310562
+	UNUSED(rdclass);
310562
+	UNUSED(dctx);
310562
+	UNUSED(options);
310562
+
310562
+	/*
310562
+	 * Flags
310562
+	 */
310562
+	isc_buffer_activeregion(source, &sr);
310562
+	if (sr.length < 2)
310562
+		return (ISC_R_UNEXPECTEDEND);
310562
+
310562
+	/*
310562
+	 * Flags, tag length
310562
+	 */
310562
+	RETERR(mem_tobuffer(target, sr.base, 2));
310562
+	len = sr.base[1];
310562
+	isc_region_consume(&sr, 2);
310562
+	isc_buffer_forward(source, 2);
310562
+
310562
+	/*
310562
+	 * Zero length tag fields are illegal.
310562
+	 */
310562
+	if (sr.length < len || len == 0)
310562
+		RETERR(DNS_R_FORMERR);
310562
+
310562
+	/* Check the Tag's value */
310562
+	for (i = 0; i < len; i++)
310562
+		if (!alphanumeric[sr.base[i]])
310562
+			RETERR(DNS_R_FORMERR);
310562
+	/*
310562
+	 * Tag + Value
310562
+	 */
310562
+	isc_buffer_forward(source, sr.length);
310562
+	return (mem_tobuffer(target, sr.base, sr.length));
310562
+}
310562
+
310562
+static inline isc_result_t
310562
+towire_caa(ARGS_TOWIRE) {
310562
+	isc_region_t region;
310562
+
310562
+	REQUIRE(rdata->type == 257);
310562
+	REQUIRE(rdata->length >= 3U);
310562
+	REQUIRE(rdata->data != NULL);
310562
+
310562
+	UNUSED(cctx);
310562
+
310562
+	dns_rdata_toregion(rdata, &region);
310562
+	return (mem_tobuffer(target, region.base, region.length));
310562
+}
310562
+
310562
+static inline int
310562
+compare_caa(ARGS_COMPARE) {
310562
+	isc_region_t r1, r2;
310562
+
310562
+	REQUIRE(rdata1->type == rdata2->type);
310562
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
310562
+	REQUIRE(rdata1->type == 257);
310562
+	REQUIRE(rdata1->length >= 3U);
310562
+	REQUIRE(rdata2->length >= 3U);
310562
+	REQUIRE(rdata1->data != NULL);
310562
+	REQUIRE(rdata2->data != NULL);
310562
+
310562
+	dns_rdata_toregion(rdata1, &r1;;
310562
+	dns_rdata_toregion(rdata2, &r2;;
310562
+	return (isc_region_compare(&r1, &r2));
310562
+}
310562
+
310562
+static inline isc_result_t
310562
+fromstruct_caa(ARGS_FROMSTRUCT) {
310562
+	dns_rdata_caa_t *caa = source;
310562
+	isc_region_t region;
310562
+	unsigned int i;
310562
+
310562
+	REQUIRE(type == 257);
310562
+	REQUIRE(source != NULL);
310562
+	REQUIRE(caa->common.rdtype == type);
310562
+	REQUIRE(caa->common.rdclass == rdclass);
310562
+	REQUIRE(caa->tag != NULL && caa->tag_len != 0);
310562
+	REQUIRE(caa->value != NULL);
310562
+
310562
+	UNUSED(type);
310562
+	UNUSED(rdclass);
310562
+
310562
+	/*
310562
+	 * Flags
310562
+	 */
310562
+	RETERR(uint8_tobuffer(caa->flags, target));
310562
+
310562
+	/*
310562
+	 * Tag length
310562
+	 */
310562
+	RETERR(uint8_tobuffer(caa->tag_len, target));
310562
+
310562
+	/*
310562
+	 * Tag
310562
+	 */
310562
+	region.base = caa->tag;
310562
+	region.length = caa->tag_len;
310562
+	for (i = 0; i < region.length; i++)
310562
+		if (!alphanumeric[region.base[i]])
310562
+			RETERR(DNS_R_SYNTAX);
310562
+	RETERR(isc_buffer_copyregion(target, &region));
310562
+
310562
+	/*
310562
+	 * Value
310562
+	 */
310562
+	region.base = caa->value;
310562
+	region.length = caa->value_len;
310562
+	return (isc_buffer_copyregion(target, &region));
310562
+}
310562
+
310562
+static inline isc_result_t
310562
+tostruct_caa(ARGS_TOSTRUCT) {
310562
+	dns_rdata_caa_t *caa = target;
310562
+	isc_region_t sr;
310562
+
310562
+	REQUIRE(rdata->type == 257);
310562
+	REQUIRE(target != NULL);
310562
+	REQUIRE(rdata->length >= 3U);
310562
+	REQUIRE(rdata->data != NULL);
310562
+
310562
+	caa->common.rdclass = rdata->rdclass;
310562
+	caa->common.rdtype = rdata->type;
310562
+	ISC_LINK_INIT(&caa->common, link);
310562
+
310562
+	dns_rdata_toregion(rdata, &sr);
310562
+
310562
+	/*
310562
+	 * Flags
310562
+	 */
310562
+	if (sr.length < 1)
310562
+		return (ISC_R_UNEXPECTEDEND);
310562
+	caa->flags = uint8_fromregion(&sr);
310562
+	isc_region_consume(&sr, 1);
310562
+
310562
+	/*
310562
+	 * Tag length
310562
+	 */
310562
+	if (sr.length < 1)
310562
+		return (ISC_R_UNEXPECTEDEND);
310562
+	caa->tag_len = uint8_fromregion(&sr);
310562
+	isc_region_consume(&sr, 1);
310562
+
310562
+	/*
310562
+	 * Tag
310562
+	 */
310562
+	if (sr.length < caa->tag_len)
310562
+		return (ISC_R_UNEXPECTEDEND);
310562
+	caa->tag = mem_maybedup(mctx, sr.base, caa->tag_len);
310562
+	if (caa->tag == NULL)
310562
+		return (ISC_R_NOMEMORY);
310562
+	isc_region_consume(&sr, caa->tag_len);
310562
+
310562
+	/*
310562
+	 * Value
310562
+	 */
310562
+	caa->value_len = sr.length;
310562
+	caa->value = mem_maybedup(mctx, sr.base, sr.length);
310562
+	if (caa->value == NULL)
310562
+		return (ISC_R_NOMEMORY);
310562
+
310562
+	caa->mctx = mctx;
310562
+	return (ISC_R_SUCCESS);
310562
+}
310562
+
310562
+static inline void
310562
+freestruct_caa(ARGS_FREESTRUCT) {
310562
+	dns_rdata_caa_t *caa = (dns_rdata_caa_t *) source;
310562
+
310562
+	REQUIRE(source != NULL);
310562
+	REQUIRE(caa->common.rdtype == 257);
310562
+
310562
+	if (caa->mctx == NULL)
310562
+		return;
310562
+
310562
+	if (caa->tag != NULL)
310562
+		isc_mem_free(caa->mctx, caa->tag);
310562
+	if (caa->value != NULL)
310562
+		isc_mem_free(caa->mctx, caa->value);
310562
+	caa->mctx = NULL;
310562
+}
310562
+
310562
+static inline isc_result_t
310562
+additionaldata_caa(ARGS_ADDLDATA) {
310562
+	REQUIRE(rdata->type == 257);
310562
+	REQUIRE(rdata->data != NULL);
310562
+	REQUIRE(rdata->length >= 3U);
310562
+
310562
+	UNUSED(rdata);
310562
+	UNUSED(add);
310562
+	UNUSED(arg);
310562
+
310562
+	return (ISC_R_SUCCESS);
310562
+}
310562
+
310562
+static inline isc_result_t
310562
+digest_caa(ARGS_DIGEST) {
310562
+	isc_region_t r;
310562
+
310562
+	REQUIRE(rdata->type == 257);
310562
+	REQUIRE(rdata->data != NULL);
310562
+	REQUIRE(rdata->length >= 3U);
310562
+
310562
+	dns_rdata_toregion(rdata, &r);
310562
+
310562
+	return ((digest)(arg, &r);;
310562
+}
310562
+
310562
+static inline isc_boolean_t
310562
+checkowner_caa(ARGS_CHECKOWNER) {
310562
+
310562
+	REQUIRE(type == 257);
310562
+
310562
+	UNUSED(name);
310562
+	UNUSED(type);
310562
+	UNUSED(rdclass);
310562
+	UNUSED(wildcard);
310562
+
310562
+	return (ISC_TRUE);
310562
+}
310562
+
310562
+static inline isc_boolean_t
310562
+checknames_caa(ARGS_CHECKNAMES) {
310562
+
310562
+	REQUIRE(rdata->type == 257);
310562
+	REQUIRE(rdata->data != NULL);
310562
+	REQUIRE(rdata->length >= 3U);
310562
+
310562
+	UNUSED(rdata);
310562
+	UNUSED(owner);
310562
+	UNUSED(bad);
310562
+
310562
+	return (ISC_TRUE);
310562
+}
310562
+
310562
+static inline int
310562
+casecompare_caa(ARGS_COMPARE) {
310562
+	return (compare_caa(rdata1, rdata2));
310562
+}
310562
+
310562
+#endif /* GENERIC_CAA_257_C */
310562
diff --git a/lib/dns/rdata/generic/caa_257.h b/lib/dns/rdata/generic/caa_257.h
310562
new file mode 100644
310562
index 0000000..79866a5
310562
--- /dev/null
310562
+++ b/lib/dns/rdata/generic/caa_257.h
310562
@@ -0,0 +1,32 @@
310562
+/*
310562
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
310562
+ *
310562
+ * Permission to use, copy, modify, and/or distribute this software for any
310562
+ * purpose with or without fee is hereby granted, provided that the above
310562
+ * copyright notice and this permission notice appear in all copies.
310562
+ *
310562
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
310562
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
310562
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
310562
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
310562
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
310562
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
310562
+ * PERFORMANCE OF THIS SOFTWARE.
310562
+ */
310562
+
310562
+#ifndef GENERIC_CAA_257_H
310562
+#define GENERIC_CAA_257_H 1
310562
+
310562
+/* $Id$ */
310562
+
310562
+typedef struct dns_rdata_caa {
310562
+	dns_rdatacommon_t	common;
310562
+	isc_mem_t *		mctx;
310562
+	isc_uint8_t		flags;
310562
+	unsigned char *		tag;
310562
+	isc_uint8_t		tag_len;
310562
+        unsigned char		*value;
310562
+        isc_uint8_t		value_len;
310562
+} dns_rdata_caa_t;
310562
+
310562
+#endif /* GENERIC_CAA_257_H */
310562
diff --git a/lib/dns/rdata/generic/gpos_27.c b/lib/dns/rdata/generic/gpos_27.c
310562
index ce71822..5a90216 100644
310562
--- a/lib/dns/rdata/generic/gpos_27.c
310562
+++ b/lib/dns/rdata/generic/gpos_27.c
310562
@@ -61,7 +61,7 @@ totext_gpos(ARGS_TOTEXT) {
310562
 	dns_rdata_toregion(rdata, &region);
310562
 
310562
 	for (i = 0; i < 3; i++) {
310562
-		RETERR(txt_totext(&region, target));
310562
+		RETERR(txt_totext(&region, ISC_TRUE, target));
310562
 		if (i != 2)
310562
 			RETERR(str_totext(" ", target));
310562
 	}
310562
diff --git a/lib/dns/rdata/generic/hinfo_13.c b/lib/dns/rdata/generic/hinfo_13.c
310562
index 10b4fec..92038b7 100644
310562
--- a/lib/dns/rdata/generic/hinfo_13.c
310562
+++ b/lib/dns/rdata/generic/hinfo_13.c
310562
@@ -58,9 +58,9 @@ totext_hinfo(ARGS_TOTEXT) {
310562
 	REQUIRE(rdata->length != 0);
310562
 
310562
 	dns_rdata_toregion(rdata, &region);
310562
-	RETERR(txt_totext(&region, target));
310562
+	RETERR(txt_totext(&region, ISC_TRUE, target));
310562
 	RETERR(str_totext(" ", target));
310562
-	return (txt_totext(&region, target));
310562
+	return (txt_totext(&region, ISC_TRUE, target));
310562
 }
310562
 
310562
 static inline isc_result_t
310562
diff --git a/lib/dns/rdata/generic/isdn_20.c b/lib/dns/rdata/generic/isdn_20.c
310562
index 5aac73f..059c247 100644
310562
--- a/lib/dns/rdata/generic/isdn_20.c
310562
+++ b/lib/dns/rdata/generic/isdn_20.c
310562
@@ -65,11 +65,11 @@ totext_isdn(ARGS_TOTEXT) {
310562
 	UNUSED(tctx);
310562
 
310562
 	dns_rdata_toregion(rdata, &region);
310562
-	RETERR(txt_totext(&region, target));
310562
+	RETERR(txt_totext(&region, ISC_TRUE, target));
310562
 	if (region.length == 0)
310562
 		return (ISC_R_SUCCESS);
310562
 	RETERR(str_totext(" ", target));
310562
-	return (txt_totext(&region, target));
310562
+	return (txt_totext(&region, ISC_TRUE, target));
310562
 }
310562
 
310562
 static inline isc_result_t
310562
diff --git a/lib/dns/rdata/generic/naptr_35.c b/lib/dns/rdata/generic/naptr_35.c
310562
index 83439a5..be7d403 100644
310562
--- a/lib/dns/rdata/generic/naptr_35.c
310562
+++ b/lib/dns/rdata/generic/naptr_35.c
310562
@@ -224,19 +224,19 @@ totext_naptr(ARGS_TOTEXT) {
310562
 	/*
310562
 	 * Flags.
310562
 	 */
310562
-	RETERR(txt_totext(&region, target));
310562
+	RETERR(txt_totext(&region, ISC_TRUE, target));
310562
 	RETERR(str_totext(" ", target));
310562
 
310562
 	/*
310562
 	 * Service.
310562
 	 */
310562
-	RETERR(txt_totext(&region, target));
310562
+	RETERR(txt_totext(&region, ISC_TRUE, target));
310562
 	RETERR(str_totext(" ", target));
310562
 
310562
 	/*
310562
 	 * Regexp.
310562
 	 */
310562
-	RETERR(txt_totext(&region, target));
310562
+	RETERR(txt_totext(&region, ISC_TRUE, target));
310562
 	RETERR(str_totext(" ", target));
310562
 
310562
 	/*
310562
diff --git a/lib/dns/rdata/generic/spf_99.c b/lib/dns/rdata/generic/spf_99.c
310562
index 492e315..85594fd 100644
310562
--- a/lib/dns/rdata/generic/spf_99.c
310562
+++ b/lib/dns/rdata/generic/spf_99.c
310562
@@ -64,7 +64,7 @@ totext_spf(ARGS_TOTEXT) {
310562
 	dns_rdata_toregion(rdata, &region);
310562
 
310562
 	while (region.length > 0) {
310562
-		RETERR(txt_totext(&region, target));
310562
+		RETERR(txt_totext(&region, ISC_TRUE, target));
310562
 		if (region.length > 0)
310562
 			RETERR(str_totext(" ", target));
310562
 	}
310562
diff --git a/lib/dns/rdata/generic/txt_16.c b/lib/dns/rdata/generic/txt_16.c
310562
index e1bce6a..e0e8ea5 100644
310562
--- a/lib/dns/rdata/generic/txt_16.c
310562
+++ b/lib/dns/rdata/generic/txt_16.c
310562
@@ -71,7 +71,7 @@ totext_txt(ARGS_TOTEXT) {
310562
 	dns_rdata_toregion(rdata, &region);
310562
 
310562
 	while (region.length > 0) {
310562
-		RETERR(txt_totext(&region, target));
310562
+		RETERR(txt_totext(&region, ISC_TRUE, target));
310562
 		if (region.length > 0)
310562
 			RETERR(str_totext(" ", target));
310562
 	}
310562
diff --git a/lib/dns/rdata/generic/uri_256.c b/lib/dns/rdata/generic/uri_256.c
310562
index 799eb69..62bdd25 100644
310562
--- a/lib/dns/rdata/generic/uri_256.c
310562
+++ b/lib/dns/rdata/generic/uri_256.c
310562
@@ -115,15 +115,12 @@ fromwire_uri(ARGS_FROMWIRE) {
310562
 	isc_buffer_activeregion(source, &region);
310562
 	if (region.length < 4)
310562
 		return (ISC_R_UNEXPECTEDEND);
310562
-	RETERR(mem_tobuffer(target, region.base, 4));
310562
-	isc_buffer_forward(source, 4);
310562
 
310562
 	/*
310562
-	 * Target URI
310562
+	 * Priority, weight and target URI
310562
 	 */
310562
-	RETERR(multitxt_fromwire(source, target));
310562
-
310562
-	return (ISC_R_SUCCESS);
310562
+	isc_buffer_forward(source, region.length);
310562
+	return (mem_tobuffer(target, region.base, region.length));
310562
 }
310562
 
310562
 static inline isc_result_t
310562
@@ -178,8 +175,6 @@ compare_uri(ARGS_COMPARE) {
310562
 static inline isc_result_t
310562
 fromstruct_uri(ARGS_FROMSTRUCT) {
310562
 	dns_rdata_uri_t *uri = source;
310562
-	isc_region_t region;
310562
-	isc_uint8_t len;
310562
 
310562
 	REQUIRE(type == 256);
310562
 	REQUIRE(source != NULL);
310562
@@ -203,18 +198,6 @@ fromstruct_uri(ARGS_FROMSTRUCT) {
310562
 	/*
310562
 	 * Target URI
310562
 	 */
310562
-	len = 255U;
310562
-	region.base = uri->target;
310562
-	region.length = uri->tgt_len;
310562
-	while (region.length > 0) {
310562
-		REQUIRE(len == 255U);
310562
-		len = uint8_fromregion(&region);
310562
-		isc_region_consume(&region, 1);
310562
-		if (region.length < len)
310562
-			return (ISC_R_UNEXPECTEDEND);
310562
-		isc_region_consume(&region, len);
310562
-	}
310562
-
310562
 	return (mem_tobuffer(target, uri->target, uri->tgt_len));
310562
 }
310562
 
310562
diff --git a/lib/dns/rdata/generic/x25_19.c b/lib/dns/rdata/generic/x25_19.c
310562
index 6867fec..f9dfb8a 100644
310562
--- a/lib/dns/rdata/generic/x25_19.c
310562
+++ b/lib/dns/rdata/generic/x25_19.c
310562
@@ -60,7 +60,7 @@ totext_x25(ARGS_TOTEXT) {
310562
 	REQUIRE(rdata->length != 0);
310562
 
310562
 	dns_rdata_toregion(rdata, &region);
310562
-	return (txt_totext(&region, target));
310562
+	return (txt_totext(&region, ISC_TRUE, target));
310562
 }
310562
 
310562
 static inline isc_result_t
310562
-- 
310562
2.4.3
310562