c88997
From b154e9fd7a4acc87435f858d43b8c234885a8763 Mon Sep 17 00:00:00 2001
c88997
From: Evan Hunt <each@isc.org>
c88997
Date: Tue, 18 Feb 2014 22:36:14 -0800
c88997
Subject: [PATCH 1/2] add "--with-tuning=large" option
c88997
c88997
3745.	[func]		"configure --with-tuning=large" adjusts various
c88997
			compiled-in constants and default settings to
c88997
			values suited to large servers with abundant
c88997
			memory. [RT #29538]
c88997
c88997
(cherry picked from commit 6a3fa181d1253db5191139e20231512eebaddeeb)
c88997
---
c88997
 README                     |    8 +
c88997
 bin/named/bind9.ver3.xsl.h |    6 +-
c88997
 bin/named/interfacemgr.c   |    9 +-
c88997
 bin/named/named.docbook    |    3 +
c88997
 bin/named/server.c         |   21 +-
c88997
 bin/named/update.c         |    2 +-
c88997
 config.h.in                |    3 +
c88997
 configure                  | 1064 ++++++++++++++++++++++++++++++++++++--------
c88997
 configure.in               |   25 ++
c88997
 lib/dns/client.c           |    8 +-
c88997
 lib/isc/unix/socket.c      |   12 +
c88997
 11 files changed, 975 insertions(+), 186 deletions(-)
c88997
c88997
diff --git a/README b/README
c88997
index b22e9ce..7451acb 100644
c88997
--- a/README
c88997
+++ b/README
c88997
@@ -221,6 +221,14 @@ Building
c88997
 	To build shared libraries, specify "--with-libtool" on the
c88997
 	configure command line.
c88997
 
c88997
+	Certain compiled-in constants and default settings can be
c88997
+	increased to values better suited to large servers with abundant
c88997
+	memory resources (e.g, 64-bit servers with 12G or more of memory)
c88997
+	by specifying "--with-tuning=large" on the configure command
c88997
+	line. This can improve performance on big servers, but will
c88997
+	consume more memory and may degrade performance on smaller
c88997
+	systems.
c88997
+
c88997
 	For the server to support DNSSEC, you need to build it
c88997
 	with crypto support.  You must have OpenSSL 0.9.5a
c88997
 	or newer installed and specify "--with-openssl" on the
c88997
diff --git a/bin/named/bind9.ver3.xsl.h b/bin/named/bind9.ver3.xsl.h
c88997
index c55714a..8c0a4a9 100644
c88997
--- a/bin/named/bind9.ver3.xsl.h
c88997
+++ b/bin/named/bind9.ver3.xsl.h
c88997
@@ -210,7 +210,7 @@ static char xslmsg[] =
c88997
 	" 

Incoming Requests

\n"
c88997
 	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
c88997
 	" \n"
c88997
-	" 
[graph incoming requests]
\n"
c88997
+	" 
[no incoming requests]
\n"
c88997
 	" </xsl:if>\n"
c88997
 	" \n"
c88997
 	" <xsl:for-each select=\"server/counters[@type="opcode"]/counter\">\n"
c88997
@@ -235,7 +235,7 @@ static char xslmsg[] =
c88997
 	" 

Incoming Queries by Type

\n"
c88997
 	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
c88997
 	" \n"
c88997
-	" 
[graph incoming qtypes]
\n"
c88997
+	" 
[no incoming queries]
\n"
c88997
 	" </xsl:if>\n"
c88997
 	" \n"
c88997
 	" <xsl:for-each select=\"server/counters[@type="qtype"]/counter\">\n"
c88997
@@ -307,7 +307,7 @@ static char xslmsg[] =
c88997
 	" \n"
c88997
 	" <script type=\"text/javascript\">\n"
c88997
 	" graphs.push({\n"
c88997
-	" 'title' : \"Server Response Types\",\n"
c88997
+	" 'title' : \"Server Counters\",\n"
c88997
 	" 'target': 'chart_server_nsstat_restype',\n"
c88997
 	" 'data': [['Type','Counter'],<xsl:for-each select=\"server/counters[@type="nsstat"]/counter[.>0]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
c88997
 	" });\n"
c88997
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
c88997
index a9aa4a4..4aee47a 100644
c88997
--- a/bin/named/interfacemgr.c
c88997
+++ b/bin/named/interfacemgr.c
c88997
@@ -56,6 +56,12 @@
c88997
 #endif
c88997
 #endif
c88997
 
c88997
+#ifdef TUNE_LARGE
c88997
+#define UDPBUFFERS 32768 
c88997
+#else
c88997
+#define UDPBUFFERS 1000
c88997
+#endif /* TUNE_LARGE */
c88997
+
c88997
 #define IFMGR_MAGIC			ISC_MAGIC('I', 'F', 'M', 'G')
c88997
 #define NS_INTERFACEMGR_VALID(t)	ISC_MAGIC_VALID(t, IFMGR_MAGIC)
c88997
 
c88997
@@ -422,7 +428,8 @@ ns_interface_listenudp(ns_interface_t *ifp) {
c88997
 		result = dns_dispatch_getudp_dup(ifp->mgr->dispatchmgr,
c88997
 						 ns_g_socketmgr,
c88997
 						 ns_g_taskmgr, &ifp->addr,
c88997
-						 4096, 32768, 32768, 8219, 8237,
c88997
+						 4096, UDPBUFFERS,
c88997
+						 32768, 8219, 8237,
c88997
 						 attrs, attrmask,
c88997
 						 &ifp->udpdispatch[disp],
c88997
 						 disp == 0
c88997
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
c88997
index 8f46aac..33f962e 100644
c88997
--- a/bin/named/named.docbook
c88997
+++ b/bin/named/named.docbook
c88997
@@ -248,6 +248,9 @@
c88997
 	  <para>
c88997
 	    Allow <command>named</command> to use up to
c88997
 	    <replaceable class="parameter">#max-socks</replaceable> sockets.
c88997
+            The default value is 4096 on systems built with default
c88997
+            configuration options, and 21000 on systems built with
c88997
+            "configure --with-tuning=large".
c88997
 	  </para>
c88997
           <warning>
c88997
             <para>
c88997
diff --git a/bin/named/server.c b/bin/named/server.c
c88997
index b1681b4..48a7ef0 100644
c88997
--- a/bin/named/server.c
c88997
+++ b/bin/named/server.c
c88997
@@ -127,6 +127,16 @@
c88997
 #define SIZE_MAX ((size_t)-1)
c88997
 #endif
c88997
 
c88997
+#ifdef TUNE_LARGE
c88997
+#define RESOLVER_NTASKS 523
c88997
+#define UDPBUFFERS 32768
c88997
+#define EXCLBUFFERS 32768
c88997
+#else
c88997
+#define RESOLVER_NTASKS 31
c88997
+#define UDPBUFFERS 1000
c88997
+#define EXCLBUFFERS 4096
c88997
+#endif /* TUNE_LARGE */
c88997
+
c88997
 /*%
c88997
  * Check an operation for failure.  Assumes that the function
c88997
  * using it has a 'result' variable and a 'cleanup' label.
c88997
@@ -948,7 +958,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps,
c88997
 	isc_sockaddr_t sa;
c88997
 	unsigned int attrs, attrmask;
c88997
 	const cfg_obj_t *obj = NULL;
c88997
-	unsigned int maxdispatchbuffers;
c88997
+	unsigned int maxdispatchbuffers = UDPBUFFERS;
c88997
 
c88997
 	switch (af) {
c88997
 	case AF_INET:
c88997
@@ -997,7 +1007,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps,
c88997
 	}
c88997
 	if (isc_sockaddr_getport(&sa) == 0) {
c88997
 		attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
c88997
-		maxdispatchbuffers = 32768;
c88997
+		maxdispatchbuffers = EXCLBUFFERS;
c88997
 	} else {
c88997
 		INSIST(obj != NULL);
c88997
 		if (is_firstview) {
c88997
@@ -1006,7 +1016,6 @@ get_view_querysource_dispatch(const cfg_obj_t **maps,
c88997
 				    "suppresses port randomization and can be "
c88997
 				    "insecure.");
c88997
 		}
c88997
-		maxdispatchbuffers = 32768;
c88997
 	}
c88997
 
c88997
 	attrmask = 0;
c88997
@@ -2718,8 +2727,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
c88997
 	}
c88997
 
c88997
 	ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
c88997
-	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31, ndisp,
c88997
-				      ns_g_socketmgr, ns_g_timermgr,
c88997
+	CHECK(dns_view_createresolver(view, ns_g_taskmgr, RESOLVER_NTASKS,
c88997
+				      ndisp, ns_g_socketmgr, ns_g_timermgr,
c88997
 				      resopts, ns_g_dispatchmgr,
c88997
 				      dispatch4, dispatch6));
c88997
 
c88997
@@ -6502,7 +6511,7 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
c88997
 
c88997
 	result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
c88997
 				     ns_g_taskmgr, &dispatch->addr, 4096,
c88997
-				     32768, 32768, 16411, 16433,
c88997
+				     UDPBUFFERS, 32768, 16411, 16433,
c88997
 				     attrs, attrmask, &dispatch->dispatch);
c88997
 	if (result != ISC_R_SUCCESS)
c88997
 		goto cleanup;
c88997
diff --git a/bin/named/update.c b/bin/named/update.c
c88997
index 2263382..14687ea 100644
c88997
--- a/bin/named/update.c
c88997
+++ b/bin/named/update.c
c88997
@@ -2454,7 +2454,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
c88997
 	unsigned int options;
c88997
 	dns_difftuple_t *tuple;
c88997
 	dns_rdata_dnskey_t dnskey;
c88997
-	isc_boolean_t had_dnskey;
c88997
+	isc_boolean_t had_dnskey = ISC_FALSE;
c88997
 	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
c88997
 
c88997
 	INSIST(event->ev_type == DNS_EVENT_UPDATE);
c88997
diff --git a/config.h.in b/config.h.in
c88997
index 3515f69..eca525c 100644
c88997
--- a/config.h.in
c88997
+++ b/config.h.in
c88997
@@ -457,6 +457,9 @@ int sigwait(const unsigned int *set, int *sig);
c88997
 /* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
c88997
 #undef TIME_WITH_SYS_TIME
c88997
 
c88997
+/* Define to use large-system tuning. */
c88997
+#undef TUNE_LARGE
c88997
+
c88997
 /* Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make
c88997
    non-blocking. */
c88997
 #undef USE_FIONBIO_IOCTL
c88997
diff --git a/configure b/configure
c88997
index c62da63..31c518a 100755
c88997
--- a/configure
c88997
+++ b/configure
c88997
@@ -162,7 +162,7 @@
c88997
 #
c88997
 #  -----------------------------------------------------------------------------
c88997
 #
c88997
-# Copyright (c) 1997 - 2003 Kungliga Tekniska H�gskolan
c88997
+# Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
c88997
 # (Royal Institute of Technology, Stockholm, Sweden).
c88997
 # All rights reserved.
c88997
 #
c88997
@@ -517,6 +517,21 @@
c88997
 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
c88997
 # OF THE POSSIBILITY OF SUCH DAMAGE.
c88997
 #
c88997
+# -----------------------------------------------------------------------------
c88997
+#
c88997
+# Copyright (C) 2008-2011  Red Hat, Inc.
c88997
+#
c88997
+# Permission to use, copy, modify, and/or distribute this software for any
c88997
+# purpose with or without fee is hereby granted, provided that the above
c88997
+# copyright notice and this permission notice appear in all copies.
c88997
+#
c88997
+# THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH
c88997
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
c88997
+# AND FITNESS.  IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT,
c88997
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
c88997
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
c88997
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
c88997
+# PERFORMANCE OF THIS SOFTWARE.
c88997
 # From configure.in Revision: 1.533 .
c88997
 # Guess values for system-dependent variables and create Makefiles.
c88997
 # Generated by GNU Autoconf 2.69.
c88997
@@ -1305,6 +1320,8 @@ THREADOPTSRCS
c88997
 THREADOPTOBJS
c88997
 ISC_PLATFORM_USETHREADS
c88997
 ALWAYS_DEFINES
c88997
+CHECK_DSA
c88997
+DNS_CRYPTO_PK11_LIBS
c88997
 DNS_CRYPTO_LIBS
c88997
 DNS_GSSAPI_LIBS
c88997
 DST_GSSAPI_INC
c88997
@@ -1313,7 +1330,25 @@ ISC_PLATFORM_KRB5HEADER
c88997
 ISC_PLATFORM_GSSAPI_KRB5_HEADER
c88997
 ISC_PLATFORM_GSSAPIHEADER
c88997
 ISC_PLATFORM_HAVEGSSAPI
c88997
+GEOIPLINKOBJS
c88997
+GEOIPLINKSRCS
c88997
+PKCS11_TEST
c88997
+PKCS11_GOST
c88997
+PKCS11_ECDSA
c88997
+CRYPTO_PK11
c88997
+CRYPTO
c88997
+PKCS11LINKSRCS
c88997
+PKCS11LINKOBJS
c88997
 PKCS11_PROVIDER
c88997
+ISC_ISCPK11_API_O
c88997
+ISC_ISCPK11_API_C
c88997
+ISC_PK11_RESULT_O
c88997
+ISC_PK11_RESULT_C
c88997
+ISC_PK11_API_O
c88997
+ISC_PK11_API_C
c88997
+ISC_PK11_O
c88997
+ISC_PK11_C
c88997
+PKCS11_ENGINE
c88997
 PKCS11_TOOLS
c88997
 USE_PKCS11
c88997
 ISC_OPENSSL_INC
c88997
@@ -1325,7 +1360,6 @@ OPENSSLLINKOBJS
c88997
 OPENSSLGOSTLINKSRCS
c88997
 OPENSSLGOSTLINKOBJS
c88997
 DST_OPENSSL_INC
c88997
-USE_OPENSSL
c88997
 LWRES_PLATFORM_NEEDSYSSELECTH
c88997
 ISC_PLATFORM_NEEDSYSSELECTH
c88997
 ISC_PLATFORM_HAVEDEVPOLL
c88997
@@ -1434,6 +1468,7 @@ PATH_SEPARATOR
c88997
 SHELL'
c88997
 ac_subst_files='BIND9_MAKE_INCLUDES
c88997
 BIND9_MAKE_RULES
c88997
+LIBISCPK11_API
c88997
 LIBISC_API
c88997
 LIBISCCC_API
c88997
 LIBISCCFG_API
c88997
@@ -1460,18 +1495,20 @@ enable_kqueue
c88997
 enable_epoll
c88997
 enable_devpoll
c88997
 with_openssl
c88997
-enable_openssl_version_check
c88997
-with_ecdsa
c88997
+enable_native_pkcs11
c88997
+with_pkcs11
c88997
 with_gost
c88997
+with_ecdsa
c88997
+enable_openssl_version_check
c88997
 enable_openssl_hash
c88997
-with_pkcs11
c88997
+with_libtool
c88997
+with_geoip
c88997
 with_gssapi
c88997
 with_randomdev
c88997
 enable_threads
c88997
 with_libxml2
c88997
 enable_largefile
c88997
 with_purify
c88997
-with_libtool
c88997
 enable_backtrace
c88997
 enable_symtable
c88997
 enable_exportlib
c88997
@@ -1496,6 +1533,7 @@ with_libiconv
c88997
 with_iconv
c88997
 with_idnlib
c88997
 with_atf
c88997
+with_tuning
c88997
 with_dlopen
c88997
 with_dlz_postgres
c88997
 with_dlz_mysql
c88997
@@ -2139,6 +2177,7 @@ Optional Features:
c88997
   --enable-kqueue         use BSD kqueue when available [default=yes]
c88997
   --enable-epoll          use Linux epoll when available [default=auto]
c88997
   --enable-devpoll        use /dev/poll when available [default=yes]
c88997
+  --enable-native-pkcs11  use native PKCS11 for all crypto [default=no]
c88997
   --enable-openssl-version-check
c88997
                           Check OpenSSL Version [default=yes]
c88997
   --enable-openssl-hash   use OpenSSL for hash functions [default=no]
c88997
@@ -2175,15 +2214,16 @@ Optional Packages:
c88997
   --with-python=PATH      Specify path to python interpreter
c88997
   --with-openssl=PATH     Build with OpenSSL yes|no|path.
c88997
 			  (Required for DNSSEC)
c88997
-  --with-ecdsa            OpenSSL ECDSA
c88997
-  --with-gost             OpenSSL GOST
c88997
   --with-pkcs11=PATH      Build with PKCS11 support yes|no|path
c88997
                           (PATH is for the PKCS11 provider)
c88997
+  --with-gost             Crypto GOST yes|no|raw|asn1.
c88997
+  --with-ecdsa            OpenSSL ECDSA
c88997
+  --with-libtool          use GNU libtool
c88997
+  --with-geoip=PATH       Build with GeoIP support (yes|no|path)
c88997
   --with-gssapi=PATH      Specify path for system-supplied GSSAPI [default=yes]
c88997
   --with-randomdev=PATH   Specify path for random device
c88997
   --with-libxml2=PATH     Build with libxml2 library yes|no|path
c88997
   --with-purify=PATH      use Rational purify
c88997
-  --with-libtool          use GNU libtool
c88997
   --with-export-libdir=PATH
c88997
                           installation directory for the export library
c88997
                           [EPREFIX/lib/bind9]
c88997
@@ -2199,6 +2239,7 @@ Optional Packages:
c88997
   --with-iconv=LIBSPEC    specify iconv library default -liconv
c88997
   --with-idnlib=ARG       specify libidnkit
c88997
   --with-atf=ARG          Automated Test Framework support
c88997
+  --with-tuning=ARG       Specify server tuning (large or default)
c88997
   --with-dlopen=ARG       Support dynamically loadable DLZ drivers
c88997
   --with-dlz-postgres=PATH   Build with Postgres DLZ driver yes|no|path.
c88997
                                (Required to use Postgres with DLZ)
c88997
@@ -13056,13 +13097,16 @@ $as_echo "#define STDC_HEADERS 1" >>confdefs.h
c88997
 fi
c88997
 
c88997
 
c88997
-for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h
c88997
+for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h sys/socket.h net/route.h linux/netlink.h linux/rtnetlink.h
c88997
 do :
c88997
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
c88997
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
c88997
 #ifdef HAVE_SYS_PARAM_H
c88997
 # include <sys/param.h>
c88997
 #endif
c88997
+#ifdef HAVE_SYS_SOCKET_H
c88997
+# include <sys/socket.h>
c88997
+#endif
c88997
 
c88997
 "
c88997
 if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
c88997
@@ -14008,26 +14052,98 @@ else
c88997
 fi
c88997
 
c88997
 
c88997
+#
c88997
+# was --enable-native-pkcs11 specified?
c88997
+#  (note it implies both --without-openssl and --with-pkcs11)
c88997
+#
c88997
+# Check whether --enable-native-pkcs11 was given.
c88997
+if test "${enable_native_pkcs11+set}" = set; then :
c88997
+  enableval=$enable_native_pkcs11; want_native_pkcs11="$enableval"
c88997
+else
c88997
+  want_native_pkcs11="no"
c88997
+fi
c88997
+
c88997
+
c88997
+
c88997
+# Check whether --with-pkcs11 was given.
c88997
+if test "${with_pkcs11+set}" = set; then :
c88997
+  withval=$with_pkcs11; use_pkcs11="$withval"
c88997
+else
c88997
+  use_pkcs11="auto"
c88997
+fi
c88997
+
c88997
+
c88997
 openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
c88997
 if test "$use_openssl" = "auto"
c88997
 then
c88997
-	for d in $openssldirs
c88997
-	do
c88997
-		if test -f $d/include/openssl/opensslv.h
c88997
-		then
c88997
-			use_openssl=$d
c88997
-			break
c88997
-		fi
c88997
-	done
c88997
+#    if test "$want_native_pkcs11" = "yes"
c88997
+#    then
c88997
+#        use_openssl="native_pkcs11"
c88997
+#    else
c88997
+	    for d in $openssldirs
c88997
+    	do
c88997
+	    	if test -f $d/include/openssl/opensslv.h
c88997
+		    then
c88997
+			    use_openssl=$d
c88997
+    			break
c88997
+		    fi
c88997
+    	done
c88997
+#    fi
c88997
 fi
c88997
 OPENSSL_ECDSA=""
c88997
 OPENSSL_GOST=""
c88997
+
c88997
+# Check whether --with-gost was given.
c88997
+if test "${with_gost+set}" = set; then :
c88997
+  withval=$with_gost; with_gost="$withval"
c88997
+else
c88997
+  with_gost="auto"
c88997
+fi
c88997
+
c88997
+
c88997
+# Check whether --with-ecdsa was given.
c88997
+if test "${with_ecdsa+set}" = set; then :
c88997
+  withval=$with_ecdsa; with_ecdsa="$withval"
c88997
+else
c88997
+  with_ecdsa="auto"
c88997
+fi
c88997
+
c88997
+
c88997
+gosttype="raw"
c88997
+case "$with_gost" in
c88997
+	raw)
c88997
+		with_gost="yes"
c88997
+		;;
c88997
+	asn1)
c88997
+
c88997
+$as_echo "#define PREFER_GOSTASN1 1" >>confdefs.h
c88997
+
c88997
+                gosttype="asn1"
c88997
+		with_gost="yes"
c88997
+		;;
c88997
+	auto|yes|no)
c88997
+		;;
c88997
+	*)
c88997
+		as_fn_error $? "unknown GOST private key encoding" "$LINENO" 5
c88997
+		;;
c88997
+esac
c88997
+
c88997
 case "$use_openssl" in
c88997
+    native_pkcs11)
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled because of native PKCS11" >&5
c88997
+$as_echo "disabled because of native PKCS11" >&6; }
c88997
+		DST_OPENSSL_INC=""
c88997
+		CRYPTO=""
c88997
+		OPENSSLGOSTLINKOBJS=""
c88997
+		OPENSSLGOSTLINKSRS=""
c88997
+		OPENSSLLINKOBJS=""
c88997
+		OPENSSLLINKSRCS=""
c88997
+		;;
c88997
 	no)
c88997
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
c88997
 $as_echo "no" >&6; }
c88997
 		DST_OPENSSL_INC=""
c88997
-		USE_OPENSSL=""
c88997
+		CRYPTO=""
c88997
 		OPENSSLGOSTLINKOBJS=""
c88997
 		OPENSSLGOSTLINKSRS=""
c88997
 		OPENSSLLINKOBJS=""
c88997
@@ -14035,7 +14151,7 @@ $as_echo "no" >&6; }
c88997
 		;;
c88997
 	auto)
c88997
 		DST_OPENSSL_INC=""
c88997
-		USE_OPENSSL=""
c88997
+		CRYPTO=""
c88997
 		OPENSSLGOSTLINKOBJS=""
c88997
 		OPENSSLGOSTLINKSRS=""
c88997
 		OPENSSLLINKOBJS=""
c88997
@@ -14044,6 +14160,11 @@ $as_echo "no" >&6; }
c88997
 If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
c88997
 		;;
c88997
 	*)
c88997
+#		if test "$want_native_pkcs11" = "yes"
c88997
+#		then
c88997
+#                        AC_MSG_RESULT()
c88997
+#			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
c88997
+#		fi
c88997
 		if test "$use_openssl" = "yes"
c88997
 		then
c88997
 			# User did not specify a path - guess it
c88997
@@ -14065,7 +14186,7 @@ $as_echo "not found" >&6; }
c88997
 		then
c88997
 			as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
c88997
 		fi
c88997
-		USE_OPENSSL='-DOPENSSL'
c88997
+		CRYPTO='-DOPENSSL'
c88997
 		if test "$use_openssl" = "/usr"
c88997
 		then
c88997
 			DST_OPENSSL_INC=""
c88997
@@ -14102,6 +14223,7 @@ $as_echo "not found" >&6; }
c88997
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5
c88997
 $as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
c88997
 
c88997
+		saved_cc="$CC"
c88997
 		saved_cflags="$CFLAGS"
c88997
 		saved_libs="$LIBS"
c88997
 		CFLAGS="$CFLAGS $DST_OPENSSL_INC"
c88997
@@ -14305,13 +14427,6 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
c88997
 fi
c88997
 
c88997
 
c88997
-# Check whether --with-ecdsa was given.
c88997
-if test "${with_ecdsa+set}" = set; then :
c88997
-  withval=$with_ecdsa; with_ecdsa="$withval"
c88997
-else
c88997
-  with_ecdsa="auto"
c88997
-fi
c88997
-
c88997
         case "$with_ecdsa" in
c88997
         yes)
c88997
             case "$have_ecdsa" in
c88997
@@ -14342,6 +14457,15 @@ $as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h
c88997
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5
c88997
 $as_echo_n "checking for OpenSSL GOST support... " >&6; }
c88997
         have_gost=""
c88997
+		case "$use_pkcs11" in
c88997
+                auto|no)
c88997
+                        ;;
c88997
+                *)
c88997
+                        if $use_threads; then
c88997
+                                CC="$CC -pthread"
c88997
+                        fi
c88997
+                        ;;
c88997
+        esac
c88997
         if test "$cross_compiling" = yes; then :
c88997
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5
c88997
 $as_echo "using --with-gost" >&6; }
c88997
@@ -14385,13 +14509,6 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
c88997
 fi
c88997
 
c88997
 
c88997
-# Check whether --with-gost was given.
c88997
-if test "${with_gost+set}" = set; then :
c88997
-  withval=$with_gost; with_gost="$withval"
c88997
-else
c88997
-  with_gost="auto"
c88997
-fi
c88997
-
c88997
         case "$with_gost" in
c88997
         yes)
c88997
             case "$have_gost" in
c88997
@@ -14404,7 +14521,7 @@ fi
c88997
         *)
c88997
             case "$have_gost" in
c88997
             yes|no) ;;
c88997
-            *) as_fn_error $? "need --with-gost=[yes or no]" "$LINENO" 5 ;;
c88997
+            *) as_fn_error $? "need --with-gost=[yes, no, raw or asn1]" "$LINENO" 5 ;;
c88997
             esac
c88997
             ;;
c88997
         esac
c88997
@@ -14441,8 +14558,8 @@ esac
c88997
 
c88997
 
c88997
 
c88997
-
c88997
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
c88997
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
c88997
 
c88997
 #
c88997
 # Use OpenSSL for hash functions
c88997
@@ -14457,7 +14574,7 @@ fi
c88997
 
c88997
 case $want_openssl_hash in
c88997
 	yes)
c88997
-		if test "$USE_OPENSSL" = ""
c88997
+		if test "$CRYPTO" = ""
c88997
 		then
c88997
 			as_fn_error $? "No OpenSSL for hash functions" "$LINENO" 5
c88997
 		fi
c88997
@@ -14472,6 +14589,46 @@ esac
c88997
 
c88997
 
c88997
 
c88997
+
c88997
+# Check whether --with-libtool was given.
c88997
+if test "${with_libtool+set}" = set; then :
c88997
+  withval=$with_libtool; use_libtool="$withval"
c88997
+else
c88997
+  use_libtool="no"
c88997
+fi
c88997
+
c88997
+
c88997
+case $use_libtool in
c88997
+	yes)
c88997
+
c88997
+		O=lo
c88997
+		A=la
c88997
+		LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
c88997
+		LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC'
c88997
+		LIBTOOL_MODE_INSTALL='--mode=install --tag=CC'
c88997
+		LIBTOOL_MODE_LINK='--mode=link --tag=CC'
c88997
+		case "$host" in
c88997
+		*) LIBTOOL_ALLOW_UNDEFINED= ;;
c88997
+		esac
c88997
+		case "$host" in
c88997
+		*-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;;
c88997
+		*) LIBTOOL_IN_MAIN= ;;
c88997
+		esac;
c88997
+		;;
c88997
+	*)
c88997
+		O=o
c88997
+		A=a
c88997
+		LIBTOOL=
c88997
+
c88997
+		LIBTOOL_MKDEP_SED=
c88997
+		LIBTOOL_MODE_COMPILE=
c88997
+		LIBTOOL_MODE_INSTALL=
c88997
+		LIBTOOL_MODE_LINK=
c88997
+		LIBTOOL_ALLOW_UNDEFINED=
c88997
+		LIBTOOL_IN_MAIN=
c88997
+		;;
c88997
+esac
c88997
+
c88997
 #
c88997
 # PKCS11 (aka crypto hardware) support
c88997
 #
c88997
@@ -14481,31 +14638,125 @@ esac
c88997
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 support" >&5
c88997
 $as_echo_n "checking for PKCS11 support... " >&6; }
c88997
 
c88997
-# Check whether --with-pkcs11 was given.
c88997
-if test "${with_pkcs11+set}" = set; then :
c88997
-  withval=$with_pkcs11; use_pkcs11="$withval"
c88997
-else
c88997
-  use_pkcs11="no"
c88997
+if test "$use_pkcs11" = "auto"
c88997
+then
c88997
+	if test "$want_native_pkcs11" = "yes"
c88997
+	then
c88997
+		use_pkcs11="yes"
c88997
+	else
c88997
+		use_pkcs11="no"
c88997
+	fi
c88997
 fi
c88997
 
c88997
-
c88997
 case "$use_pkcs11" in
c88997
 	no|'')
c88997
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
c88997
-$as_echo "disabled" >&6; }
c88997
-		USE_PKCS11=''
c88997
-		PKCS11_TOOLS=''
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
c88997
+$as_echo "no" >&6; }
c88997
+		USE_PKCS11=""
c88997
+		PKCS11_TEST=""
c88997
+		PKCS11_TOOLS=""
c88997
+		ISC_PK11_C=""
c88997
+		ISC_PK11_O=""
c88997
+		ISC_PK11_API_C=""
c88997
+		ISC_PK11_API_O=""
c88997
+		ISC_PK11_RESULT_C=""
c88997
+		ISC_PK11_RESULT_O=""
c88997
+		ISC_ISCPK11_API_C=""
c88997
+		ISC_ISCPK11_API_O=""
c88997
 		;;
c88997
 	yes|*)
c88997
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL with PKCS11 support" >&5
c88997
-$as_echo "using OpenSSL with PKCS11 support" >&6; }
c88997
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
c88997
+$as_echo "yes" >&6; }
c88997
+                if ! $use_threads; then
c88997
+			as_fn_error $? "PKCS11 requires thread support" "$LINENO" 5
c88997
+                fi
c88997
+		if test "$CRYPTO" != ""
c88997
+		then
c88997
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL with PKCS11 support" >&5
c88997
+$as_echo_n "checking for OpenSSL with PKCS11 support... " >&6; }
c88997
+                        saved_cc="$CC"
c88997
+			saved_cflags="$CFLAGS"
c88997
+			saved_libs="$LIBS"
c88997
+                        CC="$CC -pthread"
c88997
+			CFLAGS="$CFLAGS $DST_OPENSSL_INC"
c88997
+			LIBS="$LIBS $DNS_OPENSSL_LIBS"
c88997
+			if test "$cross_compiling" = yes; then :
c88997
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross compile" >&5
c88997
+$as_echo "cross compile" >&6; }
c88997
+			PKCS11_TEST=''
c88997
+			PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
c88997
+else
c88997
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
c88997
+/* end confdefs.h.  */
c88997
+
c88997
+#include <openssl/conf.h>
c88997
+#include <openssl/engine.h>
c88997
+int main() {
c88997
+	ENGINE *e;
c88997
+
c88997
+	OPENSSL_config(NULL);
c88997
+	e = ENGINE_by_id("pkcs11");
c88997
+	if (e == NULL)
c88997
+		return (1);
c88997
+	if (ENGINE_init(e) <= 0)
c88997
+		return (1);
c88997
+	return (0);
c88997
+}
c88997
+
c88997
+_ACEOF
c88997
+if ac_fn_c_try_run "$LINENO"; then :
c88997
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
c88997
+$as_echo "yes" >&6; }
c88997
+			PKCS11_TEST=pkcs11ssl
c88997
+			PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""'
c88997
+else
c88997
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
c88997
+$as_echo "no" >&6; }
c88997
+			PKCS11_TEST=''
c88997
+			PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
c88997
+fi
c88997
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
c88997
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
c88997
+fi
c88997
+
c88997
+                        CC="$saved_cc"
c88997
+			CFLAGS="$saved_cflags"
c88997
+			LIBS="$saved_libs"
c88997
+		else
c88997
+			PKCS11_TEST=''
c88997
+			PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
c88997
+
c88997
+		fi
c88997
 		USE_PKCS11='-DUSE_PKCS11'
c88997
 		PKCS11_TOOLS=pkcs11
c88997
-		;;
c88997
+		ac_fn_c_check_func "$LINENO" "getpassphrase" "ac_cv_func_getpassphrase"
c88997
+if test "x$ac_cv_func_getpassphrase" = xyes; then :
c88997
+  $as_echo "#define HAVE_GETPASSPHRASE 1" >>confdefs.h
c88997
+
c88997
+fi
c88997
+
c88997
+		ISC_PK11_C="pk11.c"
c88997
+		ISC_PK11_O="pk11.$O"
c88997
+		ISC_PK11_API_C="pk11_api.c"
c88997
+		ISC_PK11_API_O="pk11_api.$O"
c88997
+		ISC_PK11_RESULT_C="pk11_result.c"
c88997
+		ISC_PK11_RESULT_O="pk11_result.$O"
c88997
+		ISC_ISCPK11_API_C="unix/pk11_api.c"
c88997
+		ISC_ISCPK11_API_O="unix/pk11_api.$O"
c88997
+ 		;;
c88997
 esac
c88997
 
c88997
 
c88997
 
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+
c88997
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5
c88997
 $as_echo_n "checking for PKCS11 tools... " >&6; }
c88997
 case "$use_pkcs11" in
c88997
@@ -14514,68 +14765,448 @@ case "$use_pkcs11" in
c88997
 $as_echo "disabled" >&6; }
c88997
 		PKCS11_PROVIDER="undefined"
c88997
 		;;
c88997
-       *)
c88997
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: PKCS11 provider is \"$use_pkcs11\"" >&5
c88997
-$as_echo "PKCS11 provider is \"$use_pkcs11\"" >&6; }
c88997
+    yes|'')
c88997
+		PKCS11_PROVIDER="undefined"
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
c88997
+$as_echo "enabled" >&6; }
c88997
+		;;
c88997
+ 	*)
c88997
 		PKCS11_PROVIDER="$use_pkcs11"
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled, PKCS11 provider is $PKCS11_PROVIDER" >&5
c88997
+$as_echo "enabled, PKCS11 provider is $PKCS11_PROVIDER" >&6; }
c88997
 		;;
c88997
 esac
c88997
 
c88997
 
c88997
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5
c88997
-$as_echo_n "checking for GSSAPI library... " >&6; }
c88997
+CRYPTO_PK11=""
c88997
+PKCS11_ECDSA=""
c88997
+PKCS11_GOST=""
c88997
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5
c88997
+$as_echo_n "checking for native PKCS11... " >&6; }
c88997
 
c88997
-# Check whether --with-gssapi was given.
c88997
-if test "${with_gssapi+set}" = set; then :
c88997
-  withval=$with_gssapi; use_gssapi="$withval"
c88997
-else
c88997
-  use_gssapi="yes"
c88997
-fi
c88997
+case "$want_native_pkcs11" in
c88997
+	yes)
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using native PKCS11 crypto" >&5
c88997
+$as_echo "using native PKCS11 crypto" >&6; }
c88997
+		CRYPTO_PK11="-DPKCS11CRYPTO"
c88997
+		PKCS11LINKOBJS='${PKCS11LINKOBJS}'
c88997
+		PKCS11LINKSRCS='${PKCS11LINKSRCS}'
c88997
+                PKCS11_TEST=pkcs11
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 ECDSA" >&5
c88997
+$as_echo_n "checking for PKCS11 ECDSA... " >&6; }
c88997
+		case "$with_ecdsa" in
c88997
+		no)
c88997
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
c88997
+$as_echo "disabled" >&6; }
c88997
+ 			;;
c88997
+		*)
c88997
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
c88997
+$as_echo "enabled" >&6; }
c88997
+			PKCS11_ECDSA="yes"
c88997
 
c88997
+$as_echo "#define HAVE_PKCS11_ECDSA 1" >>confdefs.h
c88997
 
c88997
-# gssapi is just the framework, we really require kerberos v5, so
c88997
-# look for those headers (the gssapi headers must be there, too)
c88997
-# The problem with this implementation is that it doesn't allow
c88997
-# for the specification of gssapi and krb5 headers in different locations,
c88997
-# which probably ought to be fixed although fixing might raise the issue of
c88997
-# trying to build with incompatible versions of gssapi and krb5.
c88997
-if test "$use_gssapi" = "yes"
c88997
-then
c88997
-	# first, deal with the obvious
c88997
-	if test \( -f /usr/include/kerberosv5/krb5.h -o \
c88997
-		   -f /usr/include/krb5/krb5.h -o \
c88997
-		   -f /usr/include/krb5.h \)   -a \
c88997
-		\( -f /usr/include/gssapi.h -o \
c88997
-		   -f /usr/include/gssapi/gssapi.h \)
c88997
-	then
c88997
-		use_gssapi=/usr
c88997
-	else
c88997
-	    krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
c88997
-	    for d in $krb5dirs
c88997
-	    do
c88997
-		if test -f $d/include/gssapi/gssapi_krb5.h -o \
c88997
-		        -f $d/include/krb5.h
c88997
-		then
c88997
-			if test -f $d/include/gssapi/gssapi.h -o \
c88997
-			        -f $d/include/gssapi.h
c88997
-			then
c88997
-				use_gssapi=$d
c88997
-				break
c88997
-			fi
c88997
-		fi
c88997
-		use_gssapi="no"
c88997
-	    done
c88997
-	fi
c88997
-fi
c88997
+ 			;;
c88997
+ 		esac
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 GOST" >&5
c88997
+$as_echo_n "checking for PKCS11 GOST... " >&6; }
c88997
+		case "$with_gost" in
c88997
+		yes)
c88997
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
c88997
+$as_echo "enabled" >&6; }
c88997
+			PKCS11_GOST="yes"
c88997
 
c88997
-case "$use_gssapi" in
c88997
-	no)
c88997
+$as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h
c88997
+
c88997
+ 			;;
c88997
+		*)
c88997
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
c88997
+$as_echo "disabled" >&6; }
c88997
+ 			;;
c88997
+ 		esac
c88997
+ 		;;
c88997
+	no|'')
c88997
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
c88997
 $as_echo "disabled" >&6; }
c88997
-		USE_GSSAPI=''
c88997
 		;;
c88997
-	yes)
c88997
-		as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5
c88997
+esac
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+
c88997
+# for PKCS11 benchmarks
c88997
+have_clock_gt=no
c88997
+ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
c88997
+if test "x$ac_cv_func_clock_gettime" = xyes; then :
c88997
+  have_clock_gt=yes
c88997
+fi
c88997
+
c88997
+if test "$have_clock_gt" = "no"; then
c88997
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for clock_gettime in -lrt" >&5
c88997
+$as_echo_n "checking for clock_gettime in -lrt... " >&6; }
c88997
+if ${ac_cv_lib_rt_clock_gettime+:} false; then :
c88997
+  $as_echo_n "(cached) " >&6
c88997
+else
c88997
+  ac_check_lib_save_LIBS=$LIBS
c88997
+LIBS="-lrt  $LIBS"
c88997
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
c88997
+/* end confdefs.h.  */
c88997
+
c88997
+/* Override any GCC internal prototype to avoid an error.
c88997
+   Use char because int might match the return type of a GCC
c88997
+   builtin and then its argument prototype would still apply.  */
c88997
+#ifdef __cplusplus
c88997
+extern "C"
c88997
+#endif
c88997
+char clock_gettime ();
c88997
+int
c88997
+main ()
c88997
+{
c88997
+return clock_gettime ();
c88997
+  ;
c88997
+  return 0;
c88997
+}
c88997
+_ACEOF
c88997
+if ac_fn_c_try_link "$LINENO"; then :
c88997
+  ac_cv_lib_rt_clock_gettime=yes
c88997
+else
c88997
+  ac_cv_lib_rt_clock_gettime=no
c88997
+fi
c88997
+rm -f core conftest.err conftest.$ac_objext \
c88997
+    conftest$ac_exeext conftest.$ac_ext
c88997
+LIBS=$ac_check_lib_save_LIBS
c88997
+fi
c88997
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_clock_gettime" >&5
c88997
+$as_echo "$ac_cv_lib_rt_clock_gettime" >&6; }
c88997
+if test "x$ac_cv_lib_rt_clock_gettime" = xyes; then :
c88997
+  have_clock_gt=ye
c88997
+fi
c88997
+
c88997
+ fi
c88997
+if test "$have_clock_gt" = "yes"; then
c88997
+
c88997
+$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h
c88997
+
c88997
+fi
c88997
+
c88997
+
c88997
+GEOIPLINKSRCS=
c88997
+GEOIPLINKOBJS=
c88997
+
c88997
+# Check whether --with-geoip was given.
c88997
+if test "${with_geoip+set}" = set; then :
c88997
+  withval=$with_geoip; use_geoip="$withval"
c88997
+else
c88997
+  use_geoip="no"
c88997
+fi
c88997
+
c88997
+
c88997
+if test "$use_geoip" = "yes"
c88997
+then
c88997
+	for d in /usr /usr/local /opt/local
c88997
+	do
c88997
+		if test -f $d/include/GeoIP.h
c88997
+		then
c88997
+			use_geoip=$d
c88997
+			break
c88997
+		fi
c88997
+	done
c88997
+fi
c88997
+
c88997
+case "$use_geoip" in
c88997
+	no|'')
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5
c88997
+$as_echo_n "checking for GeoIP support... " >&6; }
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
c88997
+$as_echo "disabled" >&6; }
c88997
+		;;
c88997
+	*)
c88997
+		if test -d "$use_geoip" -o -L "$use_geoip"
c88997
+		then
c88997
+			CFLAGS="$CFLAGS -I$use_geoip/include"
c88997
+			CPPFLAGS="$CPPFLAGS -I$use_geoip/include"
c88997
+			LIBS="$LIBS -L$use_geoip/lib"
c88997
+			case "$host_os" in
c88997
+				netbsd*|openbsd*|solaris*)
c88997
+					LIBS="$LIBS -Wl,-rpath=$use_geoip/lib"
c88997
+					;;
c88997
+			esac
c88997
+		elif test "$use_geoip" = "yes"
c88997
+                then
c88997
+			as_fn_error $? "GeoIP path not found" "$LINENO" 5
c88997
+		else
c88997
+			as_fn_error $? "GeoIP path $use_geoip does not exist" "$LINENO" 5
c88997
+		fi
c88997
+		ac_fn_c_check_header_mongrel "$LINENO" "GeoIP.h" "ac_cv_header_GeoIP_h" "$ac_includes_default"
c88997
+if test "x$ac_cv_header_GeoIP_h" = xyes; then :
c88997
+
c88997
+else
c88997
+  as_fn_error $? "GeoIP header file not found" "$LINENO" 5
c88997
+
c88997
+fi
c88997
+
c88997
+
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing GeoIP_open" >&5
c88997
+$as_echo_n "checking for library containing GeoIP_open... " >&6; }
c88997
+if ${ac_cv_search_GeoIP_open+:} false; then :
c88997
+  $as_echo_n "(cached) " >&6
c88997
+else
c88997
+  ac_func_search_save_LIBS=$LIBS
c88997
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
c88997
+/* end confdefs.h.  */
c88997
+
c88997
+/* Override any GCC internal prototype to avoid an error.
c88997
+   Use char because int might match the return type of a GCC
c88997
+   builtin and then its argument prototype would still apply.  */
c88997
+#ifdef __cplusplus
c88997
+extern "C"
c88997
+#endif
c88997
+char GeoIP_open ();
c88997
+int
c88997
+main ()
c88997
+{
c88997
+return GeoIP_open ();
c88997
+  ;
c88997
+  return 0;
c88997
+}
c88997
+_ACEOF
c88997
+for ac_lib in '' GeoIP; do
c88997
+  if test -z "$ac_lib"; then
c88997
+    ac_res="none required"
c88997
+  else
c88997
+    ac_res=-l$ac_lib
c88997
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
c88997
+  fi
c88997
+  if ac_fn_c_try_link "$LINENO"; then :
c88997
+  ac_cv_search_GeoIP_open=$ac_res
c88997
+fi
c88997
+rm -f core conftest.err conftest.$ac_objext \
c88997
+    conftest$ac_exeext
c88997
+  if ${ac_cv_search_GeoIP_open+:} false; then :
c88997
+  break
c88997
+fi
c88997
+done
c88997
+if ${ac_cv_search_GeoIP_open+:} false; then :
c88997
+
c88997
+else
c88997
+  ac_cv_search_GeoIP_open=no
c88997
+fi
c88997
+rm conftest.$ac_ext
c88997
+LIBS=$ac_func_search_save_LIBS
c88997
+fi
c88997
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_GeoIP_open" >&5
c88997
+$as_echo "$ac_cv_search_GeoIP_open" >&6; }
c88997
+ac_res=$ac_cv_search_GeoIP_open
c88997
+if test "$ac_res" != no; then :
c88997
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
c88997
+
c88997
+else
c88997
+  as_fn_error $? "GeoIP library not found" "$LINENO" 5
c88997
+
c88997
+fi
c88997
+
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fabsf" >&5
c88997
+$as_echo_n "checking for library containing fabsf... " >&6; }
c88997
+if ${ac_cv_search_fabsf+:} false; then :
c88997
+  $as_echo_n "(cached) " >&6
c88997
+else
c88997
+  ac_func_search_save_LIBS=$LIBS
c88997
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
c88997
+/* end confdefs.h.  */
c88997
+
c88997
+/* Override any GCC internal prototype to avoid an error.
c88997
+   Use char because int might match the return type of a GCC
c88997
+   builtin and then its argument prototype would still apply.  */
c88997
+#ifdef __cplusplus
c88997
+extern "C"
c88997
+#endif
c88997
+char fabsf ();
c88997
+int
c88997
+main ()
c88997
+{
c88997
+return fabsf ();
c88997
+  ;
c88997
+  return 0;
c88997
+}
c88997
+_ACEOF
c88997
+for ac_lib in '' m; do
c88997
+  if test -z "$ac_lib"; then
c88997
+    ac_res="none required"
c88997
+  else
c88997
+    ac_res=-l$ac_lib
c88997
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
c88997
+  fi
c88997
+  if ac_fn_c_try_link "$LINENO"; then :
c88997
+  ac_cv_search_fabsf=$ac_res
c88997
+fi
c88997
+rm -f core conftest.err conftest.$ac_objext \
c88997
+    conftest$ac_exeext
c88997
+  if ${ac_cv_search_fabsf+:} false; then :
c88997
+  break
c88997
+fi
c88997
+done
c88997
+if ${ac_cv_search_fabsf+:} false; then :
c88997
+
c88997
+else
c88997
+  ac_cv_search_fabsf=no
c88997
+fi
c88997
+rm conftest.$ac_ext
c88997
+LIBS=$ac_func_search_save_LIBS
c88997
+fi
c88997
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fabsf" >&5
c88997
+$as_echo "$ac_cv_search_fabsf" >&6; }
c88997
+ac_res=$ac_cv_search_fabsf
c88997
+if test "$ac_res" != no; then :
c88997
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
c88997
+
c88997
+else
c88997
+  as_fn_error $? "Math library not found" "$LINENO" 5
c88997
+
c88997
+fi
c88997
+
c88997
+
c88997
+$as_echo "#define HAVE_GEOIP 1" >>confdefs.h
c88997
+
c88997
+		GEOIPLINKSRCS='${GEOIPLINKSRCS}'
c88997
+		GEOIPLINKOBJS='${GEOIPLINKOBJS}'
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5
c88997
+$as_echo_n "checking for GeoIP support... " >&6; }
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
c88997
+$as_echo "yes" >&6; }
c88997
+
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP Country IPv6 support" >&5
c88997
+$as_echo_n "checking for GeoIP Country IPv6 support... " >&6; }
c88997
+		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
c88997
+/* end confdefs.h.  */
c88997
+
c88997
+				#include <GeoIP.h>
c88997
+				#include <netinet/in.h>
c88997
+
c88997
+int
c88997
+main ()
c88997
+{
c88997
+
c88997
+				struct in6_addr in6;
c88997
+				GeoIP_country_name_by_ipnum_v6(NULL, in6);
c88997
+
c88997
+  ;
c88997
+  return 0;
c88997
+}
c88997
+_ACEOF
c88997
+if ac_fn_c_try_compile "$LINENO"; then :
c88997
+
c88997
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
c88997
+$as_echo "yes" >&6; }
c88997
+
c88997
+$as_echo "#define HAVE_GEOIP_V6 1" >>confdefs.h
c88997
+
c88997
+
c88997
+else
c88997
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
c88997
+$as_echo "no" >&6; }
c88997
+
c88997
+fi
c88997
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
c88997
+
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP City IPv6 support" >&5
c88997
+$as_echo_n "checking for GeoIP City IPv6 support... " >&6; }
c88997
+		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
c88997
+/* end confdefs.h.  */
c88997
+
c88997
+				#include <GeoIP.h>
c88997
+				#include <GeoIPCity.h>
c88997
+				#include <netinet/in.h>
c88997
+
c88997
+int
c88997
+main ()
c88997
+{
c88997
+
c88997
+				struct in6_addr in6;
c88997
+                                int i = GEOIP_CITY_EDITION_REV0_V6;
c88997
+				GeoIP_record_by_ipnum_v6(NULL, in6);
c88997
+
c88997
+  ;
c88997
+  return 0;
c88997
+}
c88997
+_ACEOF
c88997
+if ac_fn_c_try_compile "$LINENO"; then :
c88997
+
c88997
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
c88997
+$as_echo "yes" >&6; }
c88997
+
c88997
+$as_echo "#define HAVE_GEOIP_CITY_V6 1" >>confdefs.h
c88997
+
c88997
+
c88997
+else
c88997
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
c88997
+$as_echo "no" >&6; }
c88997
+
c88997
+fi
c88997
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
c88997
+		;;
c88997
+esac
c88997
+
c88997
+
c88997
+
c88997
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5
c88997
+$as_echo_n "checking for GSSAPI library... " >&6; }
c88997
+
c88997
+# Check whether --with-gssapi was given.
c88997
+if test "${with_gssapi+set}" = set; then :
c88997
+  withval=$with_gssapi; use_gssapi="$withval"
c88997
+else
c88997
+  use_gssapi="yes"
c88997
+fi
c88997
+
c88997
+
c88997
+# gssapi is just the framework, we really require kerberos v5, so
c88997
+# look for those headers (the gssapi headers must be there, too)
c88997
+# The problem with this implementation is that it doesn't allow
c88997
+# for the specification of gssapi and krb5 headers in different locations,
c88997
+# which probably ought to be fixed although fixing might raise the issue of
c88997
+# trying to build with incompatible versions of gssapi and krb5.
c88997
+if test "$use_gssapi" = "yes"
c88997
+then
c88997
+	# first, deal with the obvious
c88997
+	if test \( -f /usr/include/kerberosv5/krb5.h -o \
c88997
+		   -f /usr/include/krb5/krb5.h -o \
c88997
+		   -f /usr/include/krb5.h \)   -a \
c88997
+		\( -f /usr/include/gssapi.h -o \
c88997
+		   -f /usr/include/gssapi/gssapi.h \)
c88997
+	then
c88997
+		use_gssapi=/usr
c88997
+	else
c88997
+	    krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
c88997
+	    for d in $krb5dirs
c88997
+	    do
c88997
+		if test -f $d/include/gssapi/gssapi_krb5.h -o \
c88997
+		        -f $d/include/krb5.h
c88997
+		then
c88997
+			if test -f $d/include/gssapi/gssapi.h -o \
c88997
+			        -f $d/include/gssapi.h
c88997
+			then
c88997
+				use_gssapi=$d
c88997
+				break
c88997
+			fi
c88997
+		fi
c88997
+		use_gssapi="no"
c88997
+	    done
c88997
+	fi
c88997
+fi
c88997
+
c88997
+case "$use_gssapi" in
c88997
+	no)
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
c88997
+$as_echo "disabled" >&6; }
c88997
+		USE_GSSAPI=''
c88997
+		;;
c88997
+	yes)
c88997
+		as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5
c88997
 		;;
c88997
 	*)
c88997
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5
c88997
@@ -14766,13 +15397,14 @@ esac
c88997
 
c88997
 
c88997
 DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
c88997
-
c88997
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
c88997
 #
c88997
 # Applications linking with libdns also need to link with these libraries.
c88997
 #
c88997
 
c88997
 
c88997
 
c88997
+
c88997
 #
c88997
 # was --with-randomdev specified?
c88997
 #
c88997
@@ -14849,6 +15481,21 @@ $as_echo "using \"$use_randomdev\"" >&6; }
c88997
 esac
c88997
 
c88997
 #
c88997
+# Only check dsa signature generation on these platforms when performing
c88997
+# system tests.
c88997
+#
c88997
+CHECK_DSA=0
c88997
+if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
c88997
+then
c88997
+	case "$host" in
c88997
+	*darwin*|*freebsd*)
c88997
+		CHECK_DSA=1
c88997
+		;;
c88997
+	esac
c88997
+fi
c88997
+
c88997
+
c88997
+#
c88997
 # Do we have arc4random() ?
c88997
 #
c88997
 ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random"
c88997
@@ -16224,46 +16871,6 @@ esac
c88997
 
c88997
 
c88997
 
c88997
-
c88997
-# Check whether --with-libtool was given.
c88997
-if test "${with_libtool+set}" = set; then :
c88997
-  withval=$with_libtool; use_libtool="$withval"
c88997
-else
c88997
-  use_libtool="no"
c88997
-fi
c88997
-
c88997
-
c88997
-case $use_libtool in
c88997
-	yes)
c88997
-
c88997
-		O=lo
c88997
-		A=la
c88997
-		LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
c88997
-		LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC'
c88997
-		LIBTOOL_MODE_INSTALL='--mode=install --tag=CC'
c88997
-		LIBTOOL_MODE_LINK='--mode=link --tag=CC'
c88997
-		case "$host" in
c88997
-		*) LIBTOOL_ALLOW_UNDEFINED= ;;
c88997
-		esac
c88997
-		case "$host" in
c88997
-		*-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;;
c88997
-		*) LIBTOOL_IN_MAIN= ;;
c88997
-		esac;
c88997
-		;;
c88997
-	*)
c88997
-		O=o
c88997
-		A=a
c88997
-		LIBTOOL=
c88997
-
c88997
-		LIBTOOL_MKDEP_SED=
c88997
-		LIBTOOL_MODE_COMPILE=
c88997
-		LIBTOOL_MODE_INSTALL=
c88997
-		LIBTOOL_MODE_LINK=
c88997
-		LIBTOOL_ALLOW_UNDEFINED=
c88997
-		LIBTOOL_IN_MAIN=
c88997
-		;;
c88997
-esac
c88997
-
c88997
 #
c88997
 # enable/disable dumping stack backtrace.  Also check if the system supports
c88997
 # glibc-compatible backtrace() function.
c88997
@@ -17308,7 +17915,9 @@ _ACEOF
c88997
 if ac_fn_c_try_compile "$LINENO"; then :
c88997
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
c88997
 $as_echo "size_t for buflen; int for flags" >&6; }
c88997
-	 $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T size_t" >>confdefs.h
c88997
+	# Changed to solve multilib conflict on Fedora
c88997
+	#AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
c88997
+	 $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T socklen_t" >>confdefs.h
c88997
 
c88997
 	 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
c88997
 
c88997
@@ -18504,6 +19113,10 @@ _ACEOF
c88997
 $as_echo "$arch" >&6; }
c88997
 fi
c88997
 
c88997
+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then
c88997
+	as_fn_error $? "XADDQ present but disabled by Fedora patch!" "$LINENO" 5
c88997
+fi
c88997
+
c88997
 if test "$have_atomic" = "yes"; then
c88997
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
c88997
 $as_echo_n "checking compiler support for inline assembly code... " >&6; }
c88997
@@ -19547,6 +20160,38 @@ done
c88997
 
c88997
 
c88997
 #
c88997
+# was --with-tuning specified?
c88997
+#
c88997
+
c88997
+# Check whether --with-tuning was given.
c88997
+if test "${with_tuning+set}" = set; then :
c88997
+  withval=$with_tuning; use_tuning="$withval"
c88997
+else
c88997
+  use_tuning="no"
c88997
+fi
c88997
+
c88997
+
c88997
+case "$use_tuning" in
c88997
+	large)
c88997
+		if ! $use_threads; then
c88997
+			as_fn_error $? "Large-system tuning requires threads." "$LINENO" 5
c88997
+		fi
c88997
+
c88997
+$as_echo "#define TUNE_LARGE 1" >>confdefs.h
c88997
+
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using large-system tuning" >&5
c88997
+$as_echo "using large-system tuning" >&6; }
c88997
+		;;
c88997
+	no|default)
c88997
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using default tuning" >&5
c88997
+$as_echo "using default tuning" >&6; }
c88997
+		;;
c88997
+	yes|*)
c88997
+                as_fn_error $? "You must specify \"large\" or \"default\" for --with-tuning." "$LINENO" 5
c88997
+		;;
c88997
+esac
c88997
+
c88997
+#
c88997
 # Substitutions
c88997
 #
c88997
 
c88997
@@ -19611,6 +20256,9 @@ BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}"
c88997
 
c88997
 
c88997
 
c88997
+LIBISCPK11_API="$srcdir/lib/iscpk11/api"
c88997
+
c88997
+
c88997
 LIBISC_API="$srcdir/lib/isc/api"
c88997
 
c88997
 
c88997
@@ -19810,6 +20458,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
c88997
 #
c88997
 dlzdir='${DLZ_DRIVER_DIR}'
c88997
 
c88997
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for target libdir" >&5
c88997
+$as_echo_n "checking for target libdir... " >&6; }
c88997
+if test "$cross_compiling" = yes; then :
c88997
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
c88997
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
c88997
+as_fn_error $? "cannot run test program while cross compiling
c88997
+See \`config.log' for more details" "$LINENO" 5; }
c88997
+else
c88997
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
c88997
+/* end confdefs.h.  */
c88997
+int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}
c88997
+_ACEOF
c88997
+if ac_fn_c_try_run "$LINENO"; then :
c88997
+  target_lib=lib64
c88997
+else
c88997
+  target_lib=lib
c88997
+fi
c88997
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
c88997
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
c88997
+fi
c88997
+
c88997
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$target_lib\"" >&5
c88997
+$as_echo "\"$target_lib\"" >&6; }
c88997
+
c88997
 #
c88997
 # Private autoconf macro to simplify configuring drivers:
c88997
 #
c88997
@@ -19982,9 +20654,9 @@ then
c88997
 		then
c88997
 			use_dlz_mysql=$d
c88997
 			mysql_include=$d/include/mysql
c88997
-			if test -d $d/lib/mysql
c88997
+			if test -d $d/${target_lib}/mysql
c88997
 			then
c88997
-				mysql_lib=$d/lib/mysql
c88997
+				mysql_lib=$d/${target_lib}/mysql
c88997
 			else
c88997
 				mysql_lib=$d/lib
c88997
 			fi
c88997
@@ -20118,7 +20790,7 @@ $as_echo "not found" >&6; }
c88997
 			# Check other locations for includes.
c88997
 			# Order is important (sigh).
c88997
 
c88997
-			bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /db/"
c88997
+			bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /libdb/ /db/"
c88997
 			for d in $bdb_incdirs
c88997
 			do
c88997
 				if test -f "$dd/include${d}db.h"
c88997
@@ -20142,15 +20814,9 @@ $as_echo "not found" >&6; }
c88997
 			bdb_libnames="db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
c88997
 			for d in $bdb_libnames
c88997
 			do
c88997
-				if test -f "$dd/lib/lib${d}.so"
c88997
+				if test -f "$dd/${target_lib}/lib${d}.so"
c88997
 				then
c88997
-					if test "$dd" != "/usr"
c88997
-					then
c88997
-						dlz_bdb_libs="-L${dd}/lib "
c88997
-					else
c88997
-						dlz_bdb_libs=""
c88997
-					fi
c88997
-					dlz_bdb_libs="${dlz_bdb_libs}-l${d}"
c88997
+					dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
c88997
 					break
c88997
 				fi
c88997
 			done
c88997
@@ -20306,9 +20972,9 @@ $as_echo "no" >&6; }
c88997
 	then
c88997
 		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
c88997
 	fi
c88997
-	if test -n "-L$use_dlz_ldap/lib -lldap -llber"
c88997
+	if test -n "-L$use_dlz_ldap/${target_lib} -lldap -llber"
c88997
 	then
c88997
-		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/lib -lldap -llber"
c88997
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/${target_lib} -lldap -llber"
c88997
 	fi
c88997
 
c88997
 
c88997
@@ -20339,7 +21005,7 @@ then
c88997
 	odbcdirs="/usr /usr/local /usr/pkg"
c88997
 	for d in $odbcdirs
c88997
 	do
c88997
-		if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
c88997
+		if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
c88997
 		then
c88997
 			use_dlz_odbc=$d
c88997
 			break
c88997
@@ -20369,9 +21035,9 @@ $as_echo "not found" >&6; }
c88997
 	then
c88997
 		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_odbc/include"
c88997
 	fi
c88997
-	if test -n "-L$use_dlz_odbc/lib -lodbc"
c88997
+	if test -n "-L$use_dlz_odbc/${target_lib} -lodbc"
c88997
 	then
c88997
-		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_odbc/lib -lodbc"
c88997
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_odbc/${target_lib} -lodbc"
c88997
 	fi
c88997
 
c88997
 
c88997
@@ -20595,7 +21261,7 @@ ac_config_commands="$ac_config_commands chmod"
c88997
 # elsewhere if there's a good reason for doing so.
c88997
 #
c88997
 
c88997
-ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/ecdsa/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/gost/prereq.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rrl/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/check-secure-delegation.pl contrib/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/export/Makefile lib/export/dns/Makefile lib/export/dns/include/Makefile lib/export/dns/include/dns/Makefile lib/export/dns/include/dst/Makefile lib/export/irs/Makefile lib/export/irs/include/Makefile lib/export/irs/include/irs/Makefile lib/export/isc/$thread_dir/Makefile lib/export/isc/$thread_dir/include/Makefile lib/export/isc/$thread_dir/include/isc/Makefile lib/export/isc/Makefile lib/export/isc/include/Makefile lib/export/isc/include/isc/Makefile lib/export/isc/nls/Makefile lib/export/isc/unix/Makefile lib/export/isc/unix/include/Makefile lib/export/isc/unix/include/isc/Makefile lib/export/isccfg/Makefile lib/export/isccfg/include/Makefile lib/export/isccfg/include/isccfg/Makefile lib/export/samples/Makefile lib/export/samples/Makefile-postinstall lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile unit/Makefile unit/unittest.sh"
c88997
+ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/dnssec-pkcs11/Makefile bin/named/Makefile bin/named-pkcs11/Makefile bin/named-pkcs11/unix/Makefile bin/named/unix/Makefile bin/named-sdb/Makefile bin/named-sdb/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/sdb_tools/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/ecdsa/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/gost/prereq.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rrl/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/check-secure-delegation.pl contrib/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/dns-pkcs11/Makefile lib/dns-pkcs11/include/Makefile lib/dns-pkcs11/include/dns/Makefile lib/dns-pkcs11/include/dst/Makefile lib/export/Makefile lib/export/dns/Makefile lib/export/dns/include/Makefile lib/export/dns/include/dns/Makefile lib/export/dns/include/dst/Makefile lib/export/dns-pkcs11/Makefile lib/export/dns-pkcs11/include/Makefile lib/export/dns-pkcs11/include/dns/Makefile lib/export/dns-pkcs11/include/dst/Makefile lib/export/irs/Makefile lib/export/irs/include/Makefile lib/export/irs/include/irs/Makefile lib/export/isc/$thread_dir/Makefile lib/export/isc/$thread_dir/include/Makefile lib/export/isc/$thread_dir/include/isc/Makefile lib/export/isc/Makefile lib/export/isc/include/Makefile lib/export/isc/include/isc/Makefile lib/export/isc/nls/Makefile lib/export/isc/unix/Makefile lib/export/isc/unix/include/Makefile lib/export/isc/unix/include/isc/Makefile lib/export/isc-pkcs11/$thread_dir/Makefile lib/export/isc-pkcs11/$thread_dir/include/Makefile lib/export/isc-pkcs11/$thread_dir/include/isc/Makefile lib/export/isc-pkcs11/Makefile lib/export/isc-pkcs11/include/Makefile lib/export/isc-pkcs11/include/isc/Makefile lib/export/isc-pkcs11/nls/Makefile lib/export/isc-pkcs11/unix/Makefile lib/export/isc-pkcs11/unix/include/Makefile lib/export/isc-pkcs11/unix/include/isc/Makefile lib/export/isccfg/Makefile lib/export/isccfg/include/Makefile lib/export/isccfg/include/isccfg/Makefile lib/export/samples/Makefile lib/export/samples/Makefile-postinstall lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isc-pkcs11/$arch/Makefile lib/isc-pkcs11/$arch/include/Makefile lib/isc-pkcs11/$arch/include/isc/Makefile lib/isc-pkcs11/$thread_dir/Makefile lib/isc-pkcs11/$thread_dir/include/Makefile lib/isc-pkcs11/$thread_dir/include/isc/Makefile lib/isc-pkcs11/Makefile lib/isc-pkcs11/include/Makefile lib/isc-pkcs11/include/isc/Makefile lib/isc-pkcs11/include/isc/platform.h lib/isc-pkcs11/include/pk11/Makefile lib/isc-pkcs11/include/pkcs11/Makefile lib/isc-pkcs11/tests/Makefile lib/isc-pkcs11/nls/Makefile lib/isc-pkcs11/unix/Makefile lib/isc-pkcs11/unix/include/Makefile lib/isc-pkcs11/unix/include/isc/Makefile lib/isc-pkcs11/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile unit/Makefile unit/unittest.sh"
c88997
 
c88997
 
c88997
 #
c88997
@@ -21597,14 +22263,20 @@ do
c88997
     "bin/confgen/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/confgen/unix/Makefile" ;;
c88997
     "bin/dig/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dig/Makefile" ;;
c88997
     "bin/dnssec/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;;
c88997
+    "bin/dnssec-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec-pkcs11/Makefile" ;;
c88997
     "bin/named/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/Makefile" ;;
c88997
+    "bin/named-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named-pkcs11/Makefile" ;;
c88997
+    "bin/named-pkcs11/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named-pkcs11/unix/Makefile" ;;
c88997
     "bin/named/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/unix/Makefile" ;;
c88997
+    "bin/named-sdb/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named-sdb/Makefile" ;;
c88997
+    "bin/named-sdb/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named-sdb/unix/Makefile" ;;
c88997
     "bin/nsupdate/Makefile") CONFIG_FILES="$CONFIG_FILES bin/nsupdate/Makefile" ;;
c88997
     "bin/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/pkcs11/Makefile" ;;
c88997
     "bin/python/Makefile") CONFIG_FILES="$CONFIG_FILES bin/python/Makefile" ;;
c88997
     "bin/python/dnssec-checkds.py") CONFIG_FILES="$CONFIG_FILES bin/python/dnssec-checkds.py" ;;
c88997
     "bin/python/dnssec-coverage.py") CONFIG_FILES="$CONFIG_FILES bin/python/dnssec-coverage.py" ;;
c88997
     "bin/rndc/Makefile") CONFIG_FILES="$CONFIG_FILES bin/rndc/Makefile" ;;
c88997
+    "bin/sdb_tools/Makefile") CONFIG_FILES="$CONFIG_FILES bin/sdb_tools/Makefile" ;;
c88997
     "bin/tests/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/Makefile" ;;
c88997
     "bin/tests/atomic/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/atomic/Makefile" ;;
c88997
     "bin/tests/db/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/db/Makefile" ;;
c88997
@@ -21630,6 +22302,8 @@ do
c88997
     "bin/tests/mem/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/mem/Makefile" ;;
c88997
     "bin/tests/names/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/names/Makefile" ;;
c88997
     "bin/tests/net/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/net/Makefile" ;;
c88997
+    "bin/tests/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/pkcs11/Makefile" ;;
c88997
+    "bin/tests/pkcs11/benchmarks/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/pkcs11/benchmarks/Makefile" ;;
c88997
     "bin/tests/rbt/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/rbt/Makefile" ;;
c88997
     "bin/tests/resolver/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/resolver/Makefile" ;;
c88997
     "bin/tests/sockaddr/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/sockaddr/Makefile" ;;
c88997
@@ -21642,6 +22316,7 @@ do
c88997
     "bin/tests/system/dyndb/driver/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/dyndb/driver/Makefile" ;;
c88997
     "bin/tests/system/ecdsa/prereq.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/ecdsa/prereq.sh" ;;
c88997
     "bin/tests/system/filter-aaaa/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/filter-aaaa/Makefile" ;;
c88997
+    "bin/tests/system/geoip/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/geoip/Makefile" ;;
c88997
     "bin/tests/system/gost/prereq.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/gost/prereq.sh" ;;
c88997
     "bin/tests/system/lwresd/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/lwresd/Makefile" ;;
c88997
     "bin/tests/system/rpz/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/rpz/Makefile" ;;
c88997
@@ -21677,11 +22352,19 @@ do
c88997
     "lib/dns/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/include/dns/Makefile" ;;
c88997
     "lib/dns/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/include/dst/Makefile" ;;
c88997
     "lib/dns/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/tests/Makefile" ;;
c88997
+    "lib/dns-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns-pkcs11/Makefile" ;;
c88997
+    "lib/dns-pkcs11/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns-pkcs11/include/Makefile" ;;
c88997
+    "lib/dns-pkcs11/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns-pkcs11/include/dns/Makefile" ;;
c88997
+    "lib/dns-pkcs11/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns-pkcs11/include/dst/Makefile" ;;
c88997
     "lib/export/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/Makefile" ;;
c88997
     "lib/export/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/Makefile" ;;
c88997
     "lib/export/dns/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/include/Makefile" ;;
c88997
     "lib/export/dns/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/include/dns/Makefile" ;;
c88997
     "lib/export/dns/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/include/dst/Makefile" ;;
c88997
+    "lib/export/dns-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns-pkcs11/Makefile" ;;
c88997
+    "lib/export/dns-pkcs11/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns-pkcs11/include/Makefile" ;;
c88997
+    "lib/export/dns-pkcs11/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns-pkcs11/include/dns/Makefile" ;;
c88997
+    "lib/export/dns-pkcs11/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns-pkcs11/include/dst/Makefile" ;;
c88997
     "lib/export/irs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/irs/Makefile" ;;
c88997
     "lib/export/irs/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/irs/include/Makefile" ;;
c88997
     "lib/export/irs/include/irs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/irs/include/irs/Makefile" ;;
c88997
@@ -21695,6 +22378,16 @@ do
c88997
     "lib/export/isc/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/unix/Makefile" ;;
c88997
     "lib/export/isc/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/unix/include/Makefile" ;;
c88997
     "lib/export/isc/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/unix/include/isc/Makefile" ;;
c88997
+    "lib/export/isc-pkcs11/$thread_dir/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/$thread_dir/Makefile" ;;
c88997
+    "lib/export/isc-pkcs11/$thread_dir/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/$thread_dir/include/Makefile" ;;
c88997
+    "lib/export/isc-pkcs11/$thread_dir/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/$thread_dir/include/isc/Makefile" ;;
c88997
+    "lib/export/isc-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/Makefile" ;;
c88997
+    "lib/export/isc-pkcs11/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/include/Makefile" ;;
c88997
+    "lib/export/isc-pkcs11/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/include/isc/Makefile" ;;
c88997
+    "lib/export/isc-pkcs11/nls/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/nls/Makefile" ;;
c88997
+    "lib/export/isc-pkcs11/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/unix/Makefile" ;;
c88997
+    "lib/export/isc-pkcs11/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/unix/include/Makefile" ;;
c88997
+    "lib/export/isc-pkcs11/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/unix/include/isc/Makefile" ;;
c88997
     "lib/export/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isccfg/Makefile" ;;
c88997
     "lib/export/isccfg/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isccfg/include/Makefile" ;;
c88997
     "lib/export/isccfg/include/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isccfg/include/isccfg/Makefile" ;;
c88997
@@ -21715,11 +22408,32 @@ do
c88997
     "lib/isc/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/Makefile" ;;
c88997
     "lib/isc/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/isc/Makefile" ;;
c88997
     "lib/isc/include/isc/platform.h") CONFIG_FILES="$CONFIG_FILES lib/isc/include/isc/platform.h" ;;
c88997
+    "lib/isc/include/pk11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/pk11/Makefile" ;;
c88997
+    "lib/isc/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/pkcs11/Makefile" ;;
c88997
     "lib/isc/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/tests/Makefile" ;;
c88997
     "lib/isc/nls/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/nls/Makefile" ;;
c88997
     "lib/isc/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/Makefile" ;;
c88997
     "lib/isc/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/Makefile" ;;
c88997
     "lib/isc/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/isc/Makefile" ;;
c88997
+    "lib/isc/unix/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/pkcs11/Makefile" ;;
c88997
+    "lib/isc-pkcs11/$arch/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$arch/Makefile" ;;
c88997
+    "lib/isc-pkcs11/$arch/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$arch/include/Makefile" ;;
c88997
+    "lib/isc-pkcs11/$arch/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$arch/include/isc/Makefile" ;;
c88997
+    "lib/isc-pkcs11/$thread_dir/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$thread_dir/Makefile" ;;
c88997
+    "lib/isc-pkcs11/$thread_dir/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$thread_dir/include/Makefile" ;;
c88997
+    "lib/isc-pkcs11/$thread_dir/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$thread_dir/include/isc/Makefile" ;;
c88997
+    "lib/isc-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/Makefile" ;;
c88997
+    "lib/isc-pkcs11/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/include/Makefile" ;;
c88997
+    "lib/isc-pkcs11/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/include/isc/Makefile" ;;
c88997
+    "lib/isc-pkcs11/include/isc/platform.h") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/include/isc/platform.h" ;;
c88997
+    "lib/isc-pkcs11/include/pk11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/include/pk11/Makefile" ;;
c88997
+    "lib/isc-pkcs11/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/include/pkcs11/Makefile" ;;
c88997
+    "lib/isc-pkcs11/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/tests/Makefile" ;;
c88997
+    "lib/isc-pkcs11/nls/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/nls/Makefile" ;;
c88997
+    "lib/isc-pkcs11/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/unix/Makefile" ;;
c88997
+    "lib/isc-pkcs11/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/unix/include/Makefile" ;;
c88997
+    "lib/isc-pkcs11/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/unix/include/isc/Makefile" ;;
c88997
+    "lib/isc-pkcs11/unix/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/unix/include/pkcs11/Makefile" ;;
c88997
     "lib/isccc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/Makefile" ;;
c88997
     "lib/isccc/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/include/Makefile" ;;
c88997
     "lib/isccc/include/isccc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/include/isccc/Makefile" ;;
c88997
@@ -23043,6 +23757,7 @@ echo "------------------------------------------------------------------------"
c88997
 echo "Optional features enabled:"
c88997
 $use_threads && echo "    Multiprocessing support (--enable-threads)"
c88997
 
c88997
+test "$use_tuning" = "large" && echo "    Large-system tuning (--with-tuning)"
c88997
 test "$enable_fixed" = "yes" && \
c88997
     echo "    Fixed RRset order (--enable-fixed-rrset)"
c88997
 test "$atf" = "no" || echo "    Automated Testing Framework (--with-atf)"
c88997
@@ -23062,12 +23777,8 @@ test "$use_pkcs11" = "no" || echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
c88997
 if test "$enable_full_report" = "yes"; then
c88997
     test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" || \
c88997
         echo "    IPv6 support (--enable-ipv6)"
c88997
-    test "X$USE_OPENSSL" = "X" || \
c88997
+    test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" || \
c88997
             echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
c88997
-    test "$OPENSSL_GOST" != "yes" || \
c88997
-            echo "    GOST algorithm support (--with-gost)"
c88997
-    test "$OPENSSL_ECDSA" != "yes" || \
c88997
-            echo "    ECDSA algorithm support (--with-ecdsa)"
c88997
     test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
c88997
     test "X$libxml2_libs" = "X" || echo "    XML statistics (--with-libxml2)"
c88997
 fi
c88997
@@ -23092,6 +23803,7 @@ echo
c88997
 
c88997
 echo "Features disabled or unavailable on this platform:"
c88997
 $use_threads || echo "    Multiprocessing support (--enable-threads)"
c88997
+test "$use_tuning" = "large" || echo "    Large-system tuning (--with-tuning)"
c88997
 test "$enable_fixed" = "yes" || \
c88997
     echo "    Fixed RRset order (--enable-fixed-rrset)"
c88997
 test "$atf" = "no" && echo "    Automated Testing Framework (--with-atf)"
c88997
@@ -23100,24 +23812,28 @@ test "$enable_filter" = "yes" || \
c88997
 test "$use_gssapi" = "no" && echo "    GSS-API (--with-gssapi)"
c88997
 test "$want_backtrace" = "yes" || \
c88997
     echo "    Print backtrace on crash (--enable-backtrace)"
c88997
-test "$use_pkcs11" = "no" && echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
c88997
 
c88997
-test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" && \
c88997
-        echo "    IPv6 support (--enable-ipv6)"
c88997
-test "X$USE_OPENSSL" = "X" && \
c88997
-        echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
c88997
-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_GOST" != "yes" && \
c88997
+test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" && \
c88997
+    echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
c88997
+test "$want_native_pkcs11" != "yes" && \
c88997
+    echo "    Native PKCS#11 cryptography/DNSSEC (--enable-native-pkcs11)"
c88997
+test "X$CRYPTO" = "X" -o "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" || \
c88997
     echo "    GOST algorithm support (--with-gost)"
c88997
-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_ECDSA" != "yes" && \
c88997
+test "X$CRYPTO" = "X" -o "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" || \
c88997
     echo "    ECDSA algorithm support (--with-ecdsa)"
c88997
+test "$use_pkcs11" = "no" && echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
c88997
+test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" && \
c88997
+        echo "    IPv6 support (--enable-ipv6)"
c88997
 test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
c88997
 test "X$libxml2_libs" = "X" && echo "    XML statistics (--with-libxml2)"
c88997
 
c88997
 echo "========================================================================"
c88997
 
c88997
-if test "X$USE_OPENSSL" = "X"; then
c88997
+if test "X$CRYPTO" = "X"; then
c88997
 cat << \EOF
c88997
-BIND is being built without OpenSSL. This means it will not have DNSSEC support.
c88997
+BIND 9 is being built without cryptography support. This means it will
c88997
+not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
c88997
+--enable-native-pkcs11 to enable cryptography.
c88997
 EOF
c88997
 fi
c88997
 
c88997
diff --git a/configure.in b/configure.in
c88997
index 5c79d6d..529989d 100644
c88997
--- a/configure.in
c88997
+++ b/configure.in
c88997
@@ -3671,6 +3671,29 @@ AC_CHECK_HEADERS(locale.h)
c88997
 AC_CHECK_FUNCS(setlocale)
c88997
 
c88997
 #
c88997
+# was --with-tuning specified?
c88997
+#
c88997
+AC_ARG_WITH(tuning,
c88997
+	[  --with-tuning=ARG       Specify server tuning (large or default)],
c88997
+	use_tuning="$withval", use_tuning="no")
c88997
+
c88997
+case "$use_tuning" in
c88997
+	large)
c88997
+		if ! $use_threads; then
c88997
+			AC_MSG_ERROR([Large-system tuning requires threads.])
c88997
+		fi
c88997
+                AC_DEFINE(TUNE_LARGE, 1, [Define to use large-system tuning.])
c88997
+		AC_MSG_RESULT(using large-system tuning)
c88997
+		;;
c88997
+	no|default)
c88997
+		AC_MSG_RESULT(using default tuning)
c88997
+		;;
c88997
+	yes|*)
c88997
+                AC_MSG_ERROR([You must specify "large" or "default" for --with-tuning.])
c88997
+		;;
c88997
+esac
c88997
+
c88997
+#
c88997
 # Substitutions
c88997
 #
c88997
 AC_SUBST(BIND9_TOP_BUILDDIR)
c88997
@@ -4193,6 +4216,7 @@ echo "------------------------------------------------------------------------"
c88997
 echo "Optional features enabled:"
c88997
 $use_threads && echo "    Multiprocessing support (--enable-threads)"
c88997
 
c88997
+test "$use_tuning" = "large" && echo "    Large-system tuning (--with-tuning)"
c88997
 test "$enable_fixed" = "yes" && \
c88997
     echo "    Fixed RRset order (--enable-fixed-rrset)"
c88997
 test "$atf" = "no" || echo "    Automated Testing Framework (--with-atf)"
c88997
@@ -4238,6 +4262,7 @@ echo
c88997
 
c88997
 echo "Features disabled or unavailable on this platform:"
c88997
 $use_threads || echo "    Multiprocessing support (--enable-threads)"
c88997
+test "$use_tuning" = "large" || echo "    Large-system tuning (--with-tuning)"
c88997
 test "$enable_fixed" = "yes" || \
c88997
     echo "    Fixed RRset order (--enable-fixed-rrset)"
c88997
 test "$atf" = "no" && echo "    Automated Testing Framework (--with-atf)"
c88997
diff --git a/lib/dns/client.c b/lib/dns/client.c
c88997
index e9e8bde..d3b371b 100644
c88997
--- a/lib/dns/client.c
c88997
+++ b/lib/dns/client.c
c88997
@@ -67,6 +67,12 @@
c88997
 
c88997
 #define MAX_RESTARTS 16
c88997
 
c88997
+#ifdef TUNE_LARGE
c88997
+#define RESOLVER_NTASKS 523
c88997
+#else
c88997
+#define RESOLVER_NTASKS 31
c88997
+#endif /* TUNE_LARGE */
c88997
+
c88997
 /*%
c88997
  * DNS client object
c88997
  */
c88997
@@ -480,7 +486,7 @@ dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
c88997
 
c88997
 	/* Create the default view for class IN */
c88997
 	result = dns_client_createview(mctx, dns_rdataclass_in, options,
c88997
-				       taskmgr, 31, socketmgr, timermgr,
c88997
+				       taskmgr, RESOLVER_NTASKS, socketmgr, timermgr,
c88997
 				       dispatchmgr, dispatchv4, dispatchv6,
c88997
 				       &view);
c88997
 	if (result != ISC_R_SUCCESS)
c88997
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
c88997
index cbc506b..af0c3bc 100644
c88997
--- a/lib/isc/unix/socket.c
c88997
+++ b/lib/isc/unix/socket.c
c88997
@@ -157,7 +157,11 @@ struct isc_socketwait {
c88997
  */
c88997
 #ifndef ISC_SOCKET_MAXSOCKETS
c88997
 #if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
c88997
+#ifdef TUNE_LARGE
c88997
+#define ISC_SOCKET_MAXSOCKETS 21000
c88997
+#else
c88997
 #define ISC_SOCKET_MAXSOCKETS 4096
c88997
+#endif /* TUNE_LARGE */
c88997
 #elif defined(USE_SELECT)
c88997
 #define ISC_SOCKET_MAXSOCKETS FD_SETSIZE
c88997
 #endif	/* USE_KQUEUE... */
c88997
@@ -219,7 +223,11 @@ typedef enum { poll_idle, poll_active, poll_checking } pollstate_t;
c88997
  */
c88997
 #if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
c88997
 #ifndef ISC_SOCKET_MAXEVENTS
c88997
+#ifdef TUNE_LARGE
c88997
 #define ISC_SOCKET_MAXEVENTS	2048
c88997
+#else
c88997
+#define ISC_SOCKET_MAXEVENTS	64
c88997
+#endif /* TUNE_LARGE */
c88997
 #endif
c88997
 #endif
c88997
 
c88997
@@ -295,7 +303,11 @@ typedef isc_event_t intev_t;
c88997
 /*%
c88997
  * The size to raise the receive buffer to (from BIND 8).
c88997
  */
c88997
+#ifdef TUNE_LARGE
c88997
+#define RCVBUFSIZE (16*1024*1024)
c88997
+#else
c88997
 #define RCVBUFSIZE (32*1024)
c88997
+#endif /* TUNE_LARGE */
c88997
 
c88997
 /*%
c88997
  * The number of times a send operation is repeated if the result is EINTR.
c88997
-- 
c88997
2.9.5
c88997