Index: /branches/releng-11/nanobsd/cfg/wlpkgbuild11_0-node-options/dns_nsd/options
===================================================================
--- /branches/releng-11/nanobsd/cfg/wlpkgbuild11_0-node-options/dns_nsd/options	(revision 13754)
+++ /branches/releng-11/nanobsd/cfg/wlpkgbuild11_0-node-options/dns_nsd/options	(revision 13755)
@@ -15,3 +15,3 @@
 OPTIONS_FILE_UNSET+=ROOT_SERVER
 OPTIONS_FILE_SET+=RRL
-OPTIONS_FILE_UNSET+=ZONE_STATS
+OPTIONS_FILE_SET+=ZONE_STATS
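Review bot: ZONE_STATS is switched on for the build here, but the nsd.conf added in the same revision leaves `zonestats:` commented out. That file's own comment says a stat block name has to be given per zone or pattern when the server is compiled with --enable-zone-stats. As committed, the `16.172.in-addr.arpa` zone appears to have no stat block, so the option would likely produce no per-zone counters in `nsd-control stats`. If per-zone statistics are the goal, add `zonestats: "%s"` under the `zone:` clause in nsd.conf; if not, a one-line comment beside this option saying why it is enabled would help. The rest of the options file is outside the hunk.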
Index: /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd.conf
===================================================================
--- /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd.conf	(revision 13755)
+++ /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd.conf	(revision 13755)
@@ -0,0 +1,316 @@
+#
+# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
+#
+# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
+#
+# See LICENSE for the license.
+#
+
+# This is a comment.
+# Sample configuration file
+# include: "file" # include that file's text over here.  Globbed, "*.conf"
+
+# options for the nsd server
+server:
+	# Number of NSD servers to fork.  Put the number of CPUs to use here.
+	# server-count: 1
+
+	# uncomment to specify specific interfaces to bind (default are the
+	# wildcard interfaces 0.0.0.0 and ::0).
+	# For servers with multiple IP addresses, list them one by one,
+	# or the source address of replies could be wrong.
+	# Use ip-transparent to be able to list addresses that turn on later.
+	# ip-address: 1.2.3.4
+	# ip-address: 1.2.3.4@5678
+	# ip-address: 12fe::8ef0
+    ip-address: 127.0.0.1
+
+	# Allow binding to non local addresses. Default no.
+	# ip-transparent: no
+
+	# Allow binding to addresses that are down.  Default no.
+	# ip-freebind: no
+
+	# use the reuseport socket option for performance. Default no.
+	# reuseport: no
+
+	# enable debug mode, does not fork daemon process into the background.
+	# debug-mode: no
+
+	# listen on IPv4 connections
+	# do-ip4: yes
+
+	# listen on IPv6 connections
+	# do-ip6: yes
+
+	# port to answer queries on. default is 53.
+	port: 5353
+
+	# Verbosity level.
+	# verbosity: 0
+
+	# After binding socket, drop user privileges.
+	# can be a username, id or id.gid.
+	# username: nsd
+
+	# Run NSD in a chroot-jail.
+	# make sure to have pidfile and database reachable from there.
+	# by default, no chroot-jail is used.
+	# chroot: "/usr/local/etc/nsd"
+
+	# The directory for zonefile: files.  The daemon chdirs here.
+	# zonesdir: "/usr/local/etc/nsd"
+	
+	# the list of dynamically added zones.
+	# zonelistfile: "/var/db/nsd/zone.list"
+
+	# the database to use
+	# if set to "" then no disk-database is used, less memory usage.
+	# database: "/var/db/nsd/nsd.db"
+
+	# log messages to file. Default to stderr and syslog (with
+	# facility LOG_DAEMON).  stderr disappears when daemon goes to bg.
+	# logfile: "/var/log/nsd.log"
+
+	# File to store pid for nsd in.
+	# pidfile: "/var/run/nsd/nsd.pid"
+
+	# The file where secondary zone refresh and expire timeouts are kept.
+	# If you delete this file, all secondary zones are forced to be 
+	# 'refreshing' (as if nsd got a notify).  Set to "" to disable.
+	# xfrdfile: "/var/db/nsd/xfrd.state"
+
+	# The directory where zone transfers are stored, in a subdir of it.
+	# xfrdir: "/tmp"
+
+	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
+	# hide-version: no
+
+	# version string the server responds with for chaos queries.
+	# default is 'NSD x.y.z' with the server's version number.
+	# version: "NSD"
+
+	# identify the server (CH TXT ID.SERVER entry).
+	# identity: "unidentified server"
+
+	# NSID identity (hex string, or "ascii_somestring"). default disabled.
+	# nsid: "aabbccdd"
+
+	# Maximum number of concurrent TCP connections per server.
+	# tcp-count: 100
+
+	# Maximum number of queries served on a single TCP connection.
+	# By default 0, which means no maximum.
+	# tcp-query-count: 0
+
+	# Override the default (120 seconds) TCP timeout.
+	# tcp-timeout: 120
+
+	# Maximum segment size (MSS) of TCP socket on which the server
+	# responds to queries. Default is 0, system default MSS.
+	# tcp-mss: 0
+
+	# Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
+	# Default is 0, system default MSS.
+	# outgoing-tcp-mss: 0
+
+	# Preferred EDNS buffer size for IPv4.
+	# ipv4-edns-size: 4096
+
+	# Preferred EDNS buffer size for IPv6.
+	# ipv6-edns-size: 4096
+
+	# statistics are produced every number of seconds. Prints to log.
+	# Default is 0, meaning no statistics are produced.
+	# statistics: 3600
+
+	# Number of seconds between reloads triggered by xfrd.
+	# xfrd-reload-timeout: 1
+	
+	# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
+	# log-time-ascii: yes
+
+	# round robin rotation of records in the answer.
+	# round-robin: no
+
+	# check mtime of all zone files on start and sighup
+	# zonefiles-check: yes
+	
+	# write changed zonefiles to disk, every N seconds.
+	# default is 0(disabled) or 3600(if database is "").
+	# zonefiles-write: 3600
+
+	# RRLconfig
+	# Response Rate Limiting, size of the hashtable. Default 1000000.
+	# rrl-size: 1000000
+
+	# Response Rate Limiting, maximum QPS allowed (from one query source).
+	# If set to 0, ratelimiting is disabled. Also set
+	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
+	# Default is on.
+	# rrl-ratelimit: 200
+
+	# Response Rate Limiting, number of packets to discard before
+	# sending a SLIP response (a truncated one, allowing an honest
+	# resolver to retry with TCP). Default is 2 (one half of the
+	# queries will receive a SLIP response, 0 disables SLIP (all
+	# packets are discarded), 1 means every request will get a
+	# SLIP response.  When the ratelimit is hit the traffic is
+	# divided by the rrl-slip value.
+	# rrl-slip: 2
+
+	# Response Rate Limiting, IPv4 prefix length. Addresses are
+	# grouped by netblock. 
+	# rrl-ipv4-prefix-length: 24
+
+	# Response Rate Limiting, IPv6 prefix length. Addresses are
+	# grouped by netblock. 
+	# rrl-ipv6-prefix-length: 64
+
+	# Response Rate Limiting, maximum QPS allowed (from one query source)
+	# for whitelisted types. Default is on.
+	# rrl-whitelist-ratelimit: 2000
+	# RRLend
+
+# Remote control config section. 
+remote-control:
+	# Enable remote control with nsd-control(8) here.
+	# set up the keys and certificates with nsd-control-setup.
+	control-enable: yes
+
+	# what interfaces are listened to for control, default is on localhost.
+	# control-interface: 127.0.0.1
+	# control-interface: ::1
+
+	# port number for remote control operations (uses TLS over TCP).
+	# control-port: 8952
+
+	# nsd server key file for remote control.
+	# server-key-file: "/usr/local/etc/nsd/nsd_server.key"
+
+	# nsd server certificate file for remote control.
+	# server-cert-file: "/usr/local/etc/nsd/nsd_server.pem"
+
+	# nsd-control key file.
+	# control-key-file: "/usr/local/etc/nsd/nsd_control.key"
+
+	# nsd-control certificate file.
+	# control-cert-file: "/usr/local/etc/nsd/nsd_control.pem"
+
+
+# Secret keys for TSIGs that secure zone transfers.
+# You could include: "secret.keys" and put the 'key:' statements in there,
+# and give that file special access control permissions.
+#
+# key:
+	# The key name is sent to the other party, it must be the same
+	#name: "keyname"
+	# algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
+	#algorithm: sha256
+	# secret material, must be the same as the other party uses.
+	# base64 encoded random number.
+	# e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
+	#secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
+
+
+# Patterns have zone configuration and they are shared by one or more zones.
+# 
+# pattern:
+	# name by which the pattern is referred to
+	#name: "myzones"
+	# the zonefile for the zones that use this pattern.
+	# if relative then from the zonesdir (inside the chroot).
+	# the name is processed: %s - zone name (as appears in zone:name).
+	# %1 - first character of zone name, %2 second, %3 third.
+	# %z - topleveldomain label of zone, %y, %x next labels in name.
+	# if label or character does not exist you get a dot '.'.
+	# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
+	#zonefile: "%s.zone"
+	
+	# If no master and slave access control elements are provided,
+	# this zone will not be served to/from other servers.
+
+	# A master zone needs notify: and provide-xfr: lists.  A slave
+	# may also allow zone transfer (for debug or other secondaries).
+	# notify these slaves when the master zone changes, address TSIG|NOKEY
+	# IP can be ipv4 and ipv6, with @port for a nondefault port number.
+	#notify: 192.0.2.1 NOKEY
+	# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
+	# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
+	#provide-xfr: 192.0.2.0/24 my_tsig_key_name
+	# set the number of retries for notify.
+	#notify-retry: 5
+
+	# uncomment to provide AXFR to all the world
+	# provide-xfr: 0.0.0.0/0 NOKEY
+	# provide-xfr: ::0/0 NOKEY
+
+	# A slave zone needs allow-notify: and request-xfr: lists.
+	#allow-notify: 2001:db8::0/64 my_tsig_key_name
+	# By default, a slave will request a zone transfer with IXFR/TCP.
+	# If you want to make use of IXFR/UDP use: UDP addr tsigkey
+	# for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
+	#request-xfr: 192.0.2.2 the_tsig_key_name
+	# Attention: You cannot use UDP and AXFR together. AXFR is always over 
+	# TCP. If you use UDP, we higly recommend you to deploy TSIG.
+	# Allow AXFR fallback if the master does not support IXFR. Default
+	# is yes.
+	#allow-axfr-fallback: yes
+	# set local interface for sending zone transfer requests.
+	# default is let the OS choose.
+	#outgoing-interface: 10.0.0.10
+	# limit the refresh and retry interval in seconds.
+	#max-refresh-time: 2419200
+	#min-refresh-time: 0
+	#max-retry-time: 1209600
+	#min-retry-time: 0
+	# Slave server tries zone transfer to all masters and picks highest
+	# zone version available, for when masters have different versions.
+	#multi-master-check: no
+
+	# limit the zone transfer size (in bytes), stops very large transfers
+	# 0 is no limits enforced.
+	# size-limit-xfr: 0
+
+	# if compiled with --enable-zone-stats, give name of stat block for
+	# this zone (or group of zones).  Output from nsd-control stats.
+	# zonestats: "%s"
+
+	# if you give another pattern name here, at this point the settings
+	# from that pattern are inserted into this one (as if it were a 
+	# macro).  The statement can be given in between other statements,
+	# because the order of access control elements can make a difference
+	# (which master to request from first, which slave to notify first).
+	#include-pattern: "common-masters"
+
+
+# Fixed zone entries.  Here you can config zones that cannot be deleted.
+# Zones that are dynamically added and deleted are put in the zonelist file.
+#
+# zone:
+ 	# name: "example.com"
+ 	# you can give a pattern here, all the settings from that pattern
+ 	# are then inserted at this point
+ 	# include-pattern: "master"
+ 	# You can also specify (additional) options directly for this zone.
+ 	# zonefile: "example.com.zone"
+ 	# request-xfr: 192.0.2.1 example.com.key
+
+	# RRLconfig
+	# Response Rate Limiting, whitelist types
+	# rrl-whitelist: nxdomain
+	# rrl-whitelist: error
+	# rrl-whitelist: referral
+	# rrl-whitelist: any
+	# rrl-whitelist: rrsig
+	# rrl-whitelist: wildcard
+	# rrl-whitelist: nodata
+	# rrl-whitelist: dnskey
+	# rrl-whitelist: positive
+	# rrl-whitelist: all
+	# RRLend
+
+zone:
+	name: 16.172.in-addr.arpa
+	zonefile: /usr/local/etc/nsd/16.172.in-addr.arpa.zone
+
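Review bot: `control-enable: yes` turns on the nsd-control channel while `control-interface`, `control-port` and all four key and certificate paths stay commented out. The listener address and the credentials it trusts therefore depend on compiled-in defaults rather than on this file. The sample comment says the default is localhost; writing `control-interface: 127.0.0.1` explicitly, as is already done for `ip-address`, keeps the control port loopback-only even if the build default changes. `username:` and `chroot:` are also left at their defaults, so it is worth confirming that the package default drops privileges as intended. Separately, the `ip-address: 127.0.0.1` line is indented with four spaces where every other line in the `server:` clause uses a tab, and should be re-indented with a tab to match.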
Index: /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd.conf.sample
===================================================================
--- /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd.conf.sample	(revision 13755)
+++ /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd.conf.sample	(revision 13755)
@@ -0,0 +1,311 @@
+#
+# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
+#
+# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
+#
+# See LICENSE for the license.
+#
+
+# This is a comment.
+# Sample configuration file
+# include: "file" # include that file's text over here.  Globbed, "*.conf"
+
+# options for the nsd server
+server:
+	# Number of NSD servers to fork.  Put the number of CPUs to use here.
+	# server-count: 1
+
+	# uncomment to specify specific interfaces to bind (default are the
+	# wildcard interfaces 0.0.0.0 and ::0).
+	# For servers with multiple IP addresses, list them one by one,
+	# or the source address of replies could be wrong.
+	# Use ip-transparent to be able to list addresses that turn on later.
+	# ip-address: 1.2.3.4
+	# ip-address: 1.2.3.4@5678
+	# ip-address: 12fe::8ef0
+
+	# Allow binding to non local addresses. Default no.
+	# ip-transparent: no
+
+	# Allow binding to addresses that are down.  Default no.
+	# ip-freebind: no
+
+	# use the reuseport socket option for performance. Default no.
+	# reuseport: no
+
+	# enable debug mode, does not fork daemon process into the background.
+	# debug-mode: no
+
+	# listen on IPv4 connections
+	# do-ip4: yes
+
+	# listen on IPv6 connections
+	# do-ip6: yes
+
+	# port to answer queries on. default is 53.
+	# port: 53
+
+	# Verbosity level.
+	# verbosity: 0
+
+	# After binding socket, drop user privileges.
+	# can be a username, id or id.gid.
+	# username: nsd
+
+	# Run NSD in a chroot-jail.
+	# make sure to have pidfile and database reachable from there.
+	# by default, no chroot-jail is used.
+	# chroot: "/usr/local/etc/nsd"
+
+	# The directory for zonefile: files.  The daemon chdirs here.
+	# zonesdir: "/usr/local/etc/nsd"
+	
+	# the list of dynamically added zones.
+	# zonelistfile: "/var/db/nsd/zone.list"
+
+	# the database to use
+	# if set to "" then no disk-database is used, less memory usage.
+	# database: "/var/db/nsd/nsd.db"
+
+	# log messages to file. Default to stderr and syslog (with
+	# facility LOG_DAEMON).  stderr disappears when daemon goes to bg.
+	# logfile: "/var/log/nsd.log"
+
+	# File to store pid for nsd in.
+	# pidfile: "/var/run/nsd/nsd.pid"
+
+	# The file where secondary zone refresh and expire timeouts are kept.
+	# If you delete this file, all secondary zones are forced to be 
+	# 'refreshing' (as if nsd got a notify).  Set to "" to disable.
+	# xfrdfile: "/var/db/nsd/xfrd.state"
+
+	# The directory where zone transfers are stored, in a subdir of it.
+	# xfrdir: "/tmp"
+
+	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
+	# hide-version: no
+
+	# version string the server responds with for chaos queries.
+	# default is 'NSD x.y.z' with the server's version number.
+	# version: "NSD"
+
+	# identify the server (CH TXT ID.SERVER entry).
+	# identity: "unidentified server"
+
+	# NSID identity (hex string, or "ascii_somestring"). default disabled.
+	# nsid: "aabbccdd"
+
+	# Maximum number of concurrent TCP connections per server.
+	# tcp-count: 100
+
+	# Maximum number of queries served on a single TCP connection.
+	# By default 0, which means no maximum.
+	# tcp-query-count: 0
+
+	# Override the default (120 seconds) TCP timeout.
+	# tcp-timeout: 120
+
+	# Maximum segment size (MSS) of TCP socket on which the server
+	# responds to queries. Default is 0, system default MSS.
+	# tcp-mss: 0
+
+	# Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
+	# Default is 0, system default MSS.
+	# outgoing-tcp-mss: 0
+
+	# Preferred EDNS buffer size for IPv4.
+	# ipv4-edns-size: 4096
+
+	# Preferred EDNS buffer size for IPv6.
+	# ipv6-edns-size: 4096
+
+	# statistics are produced every number of seconds. Prints to log.
+	# Default is 0, meaning no statistics are produced.
+	# statistics: 3600
+
+	# Number of seconds between reloads triggered by xfrd.
+	# xfrd-reload-timeout: 1
+	
+	# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
+	# log-time-ascii: yes
+
+	# round robin rotation of records in the answer.
+	# round-robin: no
+
+	# check mtime of all zone files on start and sighup
+	# zonefiles-check: yes
+	
+	# write changed zonefiles to disk, every N seconds.
+	# default is 0(disabled) or 3600(if database is "").
+	# zonefiles-write: 3600
+
+	# RRLconfig
+	# Response Rate Limiting, size of the hashtable. Default 1000000.
+	# rrl-size: 1000000
+
+	# Response Rate Limiting, maximum QPS allowed (from one query source).
+	# If set to 0, ratelimiting is disabled. Also set
+	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
+	# Default is on.
+	# rrl-ratelimit: 200
+
+	# Response Rate Limiting, number of packets to discard before
+	# sending a SLIP response (a truncated one, allowing an honest
+	# resolver to retry with TCP). Default is 2 (one half of the
+	# queries will receive a SLIP response, 0 disables SLIP (all
+	# packets are discarded), 1 means every request will get a
+	# SLIP response.  When the ratelimit is hit the traffic is
+	# divided by the rrl-slip value.
+	# rrl-slip: 2
+
+	# Response Rate Limiting, IPv4 prefix length. Addresses are
+	# grouped by netblock. 
+	# rrl-ipv4-prefix-length: 24
+
+	# Response Rate Limiting, IPv6 prefix length. Addresses are
+	# grouped by netblock. 
+	# rrl-ipv6-prefix-length: 64
+
+	# Response Rate Limiting, maximum QPS allowed (from one query source)
+	# for whitelisted types. Default is on.
+	# rrl-whitelist-ratelimit: 2000
+	# RRLend
+
+# Remote control config section. 
+remote-control:
+	# Enable remote control with nsd-control(8) here.
+	# set up the keys and certificates with nsd-control-setup.
+	# control-enable: no
+
+	# what interfaces are listened to for control, default is on localhost.
+	# control-interface: 127.0.0.1
+	# control-interface: ::1
+
+	# port number for remote control operations (uses TLS over TCP).
+	# control-port: 8952
+
+	# nsd server key file for remote control.
+	# server-key-file: "/usr/local/etc/nsd/nsd_server.key"
+
+	# nsd server certificate file for remote control.
+	# server-cert-file: "/usr/local/etc/nsd/nsd_server.pem"
+
+	# nsd-control key file.
+	# control-key-file: "/usr/local/etc/nsd/nsd_control.key"
+
+	# nsd-control certificate file.
+	# control-cert-file: "/usr/local/etc/nsd/nsd_control.pem"
+
+
+# Secret keys for TSIGs that secure zone transfers.
+# You could include: "secret.keys" and put the 'key:' statements in there,
+# and give that file special access control permissions.
+#
+# key:
+	# The key name is sent to the other party, it must be the same
+	#name: "keyname"
+	# algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
+	#algorithm: sha256
+	# secret material, must be the same as the other party uses.
+	# base64 encoded random number.
+	# e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
+	#secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
+
+
+# Patterns have zone configuration and they are shared by one or more zones.
+# 
+# pattern:
+	# name by which the pattern is referred to
+	#name: "myzones"
+	# the zonefile for the zones that use this pattern.
+	# if relative then from the zonesdir (inside the chroot).
+	# the name is processed: %s - zone name (as appears in zone:name).
+	# %1 - first character of zone name, %2 second, %3 third.
+	# %z - topleveldomain label of zone, %y, %x next labels in name.
+	# if label or character does not exist you get a dot '.'.
+	# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
+	#zonefile: "%s.zone"
+	
+	# If no master and slave access control elements are provided,
+	# this zone will not be served to/from other servers.
+
+	# A master zone needs notify: and provide-xfr: lists.  A slave
+	# may also allow zone transfer (for debug or other secondaries).
+	# notify these slaves when the master zone changes, address TSIG|NOKEY
+	# IP can be ipv4 and ipv6, with @port for a nondefault port number.
+	#notify: 192.0.2.1 NOKEY
+	# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
+	# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
+	#provide-xfr: 192.0.2.0/24 my_tsig_key_name
+	# set the number of retries for notify.
+	#notify-retry: 5
+
+	# uncomment to provide AXFR to all the world
+	# provide-xfr: 0.0.0.0/0 NOKEY
+	# provide-xfr: ::0/0 NOKEY
+
+	# A slave zone needs allow-notify: and request-xfr: lists.
+	#allow-notify: 2001:db8::0/64 my_tsig_key_name
+	# By default, a slave will request a zone transfer with IXFR/TCP.
+	# If you want to make use of IXFR/UDP use: UDP addr tsigkey
+	# for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
+	#request-xfr: 192.0.2.2 the_tsig_key_name
+	# Attention: You cannot use UDP and AXFR together. AXFR is always over 
+	# TCP. If you use UDP, we higly recommend you to deploy TSIG.
+	# Allow AXFR fallback if the master does not support IXFR. Default
+	# is yes.
+	#allow-axfr-fallback: yes
+	# set local interface for sending zone transfer requests.
+	# default is let the OS choose.
+	#outgoing-interface: 10.0.0.10
+	# limit the refresh and retry interval in seconds.
+	#max-refresh-time: 2419200
+	#min-refresh-time: 0
+	#max-retry-time: 1209600
+	#min-retry-time: 0
+	# Slave server tries zone transfer to all masters and picks highest
+	# zone version available, for when masters have different versions.
+	#multi-master-check: no
+
+	# limit the zone transfer size (in bytes), stops very large transfers
+	# 0 is no limits enforced.
+	# size-limit-xfr: 0
+
+	# if compiled with --enable-zone-stats, give name of stat block for
+	# this zone (or group of zones).  Output from nsd-control stats.
+	# zonestats: "%s"
+
+	# if you give another pattern name here, at this point the settings
+	# from that pattern are inserted into this one (as if it were a 
+	# macro).  The statement can be given in between other statements,
+	# because the order of access control elements can make a difference
+	# (which master to request from first, which slave to notify first).
+	#include-pattern: "common-masters"
+
+
+# Fixed zone entries.  Here you can config zones that cannot be deleted.
+# Zones that are dynamically added and deleted are put in the zonelist file.
+#
+# zone:
+ 	# name: "example.com"
+ 	# you can give a pattern here, all the settings from that pattern
+ 	# are then inserted at this point
+ 	# include-pattern: "master"
+ 	# You can also specify (additional) options directly for this zone.
+ 	# zonefile: "example.com.zone"
+ 	# request-xfr: 192.0.2.1 example.com.key
+
+	# RRLconfig
+	# Response Rate Limiting, whitelist types
+	# rrl-whitelist: nxdomain
+	# rrl-whitelist: error
+	# rrl-whitelist: referral
+	# rrl-whitelist: any
+	# rrl-whitelist: rrsig
+	# rrl-whitelist: wildcard
+	# rrl-whitelist: nodata
+	# rrl-whitelist: dnskey
+	# rrl-whitelist: positive
+	# rrl-whitelist: all
+	# RRLend
+
Index: /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_control.key
===================================================================
--- /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_control.key	(revision 13755)
+++ /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_control.key	(revision 13755)
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEAtED+f/n+0mpW1BgclKWKF7QUW2lsCv1D0n1JzJT8FRtHY8s0
+a+Lg9rLXdVOQmN/J1GQ0wQ1CBe2KpasPOmSIaY09uibTKbaoqe9CQ2yfyuKqymN+
+nmAbFCYird4PdUqhwrGjD+Ap4uzlzALyb07lgrBVjEOKVlTtzHaNozTvzfYsyOzV
+zRYBnXIrSphtP9zUcGcrqXfq1txpLbdiLiBkVa4el53hOVyHKq+fleQoXReeDCP6
+2KwLAT7C5qBiPAonNcWshe6FvFkqemRK7jwkv1uGWWOv8x/42WT+IHM5EaxagNYU
+mjilzaH5K+wAnZkj0F6rKliM/GoFGxO9ViTYECEyKsYfud3+mwTH8fcEdDHftouo
+Gd0iBLbZk5sIShLBmlgdG0pXd2yR638yNgZr6Em5zI41KePeZpfopGQDXX+WP/ty
+mys6F/8W5iG3W4kNuzKmbcDuKbHHOYn8m/nzrC4NtBBLnVJbyMG+/+yu88U8xnwR
+iegZqsT81lV1y1mjAgMBAAECggGAN6QQa2S6Gi2lG9dNiz0GQYbe+dCy/zlqpCD0
+lOgwYDuJb+6cAemI094k0By5d9cssBk2h5kWFkpbEASbsMSzrxFgSoQNjsTJj5tB
+cxqmwLPzUIIh5bV45mFXNyBi2SvufvDiitYBWAEUdkM6ns1V31+bKK74lumkdgbq
+dcSzeXpSHLuuy53NZdKGNoKSxrHeCcxvF+LiZOyosun2rpJlJmWXH+omSdScDLsl
+odlJ9GKD8O9yUUvaIcpD03kSmcHwD1ZBg0KmiTkxRAag+2bAz2vlqURZPSFi+8De
+d4iGlEzFi7nitP0adVuDvphFuaZ2gpnOMnctX5UIfK4Vqg2FYxYG4qmwgad2uMLs
+uO4i/AEVhKgT8gk8IXjeToT7CnpzhQX/3aMWbaLjneUO7GpaPXH81DJ3pxc59fv5
+QpIc/F1Dur3Wy5ToycXWs8TwiyE5sFxzn/YNdxSHoKdD3cgRlrGE/j1UOCJxvOGe
+Lu3xG2aR0PN0nP6qJDFl+x9WhE6hAoHBAOyVKylib08uGb4IMhTDmkFuW7livcYC
+genCNOYlKN1xmZ9eUsJxDiINK0ERlhoUv1qP+VHVothL6Nal7ffz8ik3e+ndotK+
+Ax0h9OKkII1J1C/+A/Fsj+HbDsyNVRjEkXpW6JNiz/x4U3/59xTQlJUXlyUY4Lgs
+LEDz5RX+aaxvwQCevJ18wQa0H9rzAsUu06D/y1GAKLIHZJH/7ln3Ou7pWbUQnaWs
+XkVEHFdIge2/cP+qOnxcmSen21q1VDewGQKBwQDDDE2CdTx3pknXuFXedceV4pLb
+mywdcOGmRGGBsFygaH0Y2dlk+w1zxn9H9u9peMyEYaDcKe4uT93vW7wumF49BXno
+haREPKcVY84tVE8B9fiSjgnfiPdwXgJqE9SOf9gbbgw35Aknd++MIpd2ox3qCMbu
+os/bMbJvd7uYlDmc4y/UAc6ZO+uBh7NSaAa2xrDU85vooHjEWgu6gntTf/vMY5v7
+H1XSttkAWRNnN1JWVP9jPPp0VW1+iegM4dZ23xsCgcEArx+8U2YJ/xKg+4oViElC
+ZizKuO/eijRQ9jhL8BCRr1nn3ZB0snn9fDdDTWc3NRcmjmMEqw74/CM0t68b9+8b
+0ma/0t29KUJ+C5KXMy1K60s7RktBn/Q8jXMaAVCdLThUd7rdbjw2uSxYouLlgwLi
++Xn85/kCX1JTb8EaUq2Ai6QtucfG1s0CFXRAIFLCOjPvc73lQu8bMK1IRMquJOpd
+NXyGawFhsMFnBt7kG7gQdWzAuH/Jy0TAGhqmxP502MQBAoHBAI0IrFMUqnBp0SMm
+qxB8YaDDgCVDApcXNFKhR1AbUh667xm1DDi0P3njoc1LhLnjGx7t6P7JYuwh2/xj
+fKLEkf/Vody8JZchtD8HN+IXADoOvXpbMlBsHV8m2uARDrUrQ/wxiqwvO19Kne/a
+Y2Lpd4vuZMnQ+DMqsDdhgEhHhZEnxUGrPNQYO6YhlUyU46Xt7ZdNvwJqZmi0I57t
+EnfCJzQXIoZmlgwTIr3ZquoLWoIKW9BKG19bFh1VYnFOK2Ew2QKBwB77L7NnajTm
+caov5SQ9VfhueNeUEzXz3VW6EXS1t5XzeEGHDKzfHxb5yLDJeoAB0zhu4DJvozwD
+2nJo5jLbupheTKqOOt/NAGmyGdlL4e5eCoKoxTD59ztCzqmttHWiMVfbxsk610ZZ
+A/vpnU5SztrPoy5/CT5XE4EuS+61jMOsVnSHEmz3pIm9feOCRgUCFaL+Or/4cjVt
+MuIqSoNpgIaCYTS/vRqebOQiY4osXA5m/I8yzouLQkw6/fxX7gXntw==
+-----END RSA PRIVATE KEY-----
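Review bot: This adds an unencrypted RSA private key for the nsd-control client to version control, and the nsd_server.key section below does the same for the server side. Because both sit under nanobsd/files, every image built from this branch would carry the same key pair, and anyone who can read the repository or an image holds the credential that `control-enable: yes` in nsd.conf accepts. Generate the keys and certificates per device at first boot with nsd-control-setup (the tool the config comment names) and drop the two .key and two .pem files from the tree. Treat the committed pair as exposed: history keeps it, so it needs replacing on anything already deployed. If the image build must install the files, the overlay should at least make the two .key files owner-read only; the mode they get is not visible in this diff.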
Index: /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_control.pem
===================================================================
--- /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_control.pem	(revision 13755)
+++ /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_control.pem	(revision 13755)
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAggCCQCGg5s3/0psDTANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANu
+c2QwHhcNMTcwMTIxMjIwNjAwWhcNMzYxMDA4MjIwNjAwWjAWMRQwEgYDVQQDDAtu
+c2QtY29udHJvbDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALRA/n/5
+/tJqVtQYHJSlihe0FFtpbAr9Q9J9ScyU/BUbR2PLNGvi4Pay13VTkJjfydRkNMEN
+QgXtiqWrDzpkiGmNPbom0ym2qKnvQkNsn8riqspjfp5gGxQmIq3eD3VKocKxow/g
+KeLs5cwC8m9O5YKwVYxDilZU7cx2jaM07832LMjs1c0WAZ1yK0qYbT/c1HBnK6l3
+6tbcaS23Yi4gZFWuHped4Tlchyqvn5XkKF0Xngwj+tisCwE+wuagYjwKJzXFrIXu
+hbxZKnpkSu48JL9bhlljr/Mf+Nlk/iBzORGsWoDWFJo4pc2h+SvsAJ2ZI9BeqypY
+jPxqBRsTvVYk2BAhMirGH7nd/psEx/H3BHQx37aLqBndIgS22ZObCEoSwZpYHRtK
+V3dsket/MjYGa+hJucyONSnj3maX6KRkA11/lj/7cpsrOhf/FuYht1uJDbsypm3A
+7imxxzmJ/Jv586wuDbQQS51SW8jBvv/srvPFPMZ8EYnoGarE/NZVdctZowIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4IBgQBsliXByWQpFCfH04/c73qOQCuU5ucos2csUlbs
+ZSmf0o1uY1hf1ESohNW1BVFZfw9udFe5wh3W0QjbUExm8yj/+3tSnvQiW3uPcYQX
+QX9qu9flC5SOPBs6MYVGsKug4XwDrq0YSE3KH7ZhCdPobG8u5m2hCsRNueyZ1QdQ
+3Hb7KzZnMbnNEQQFqAsmDhLwO8BVGr60HOuGogN9gRz/YrfIkhcZ01GjWtdcOpf2
+tp4FCPGArb+cTOn1fVCKMoDHfSxYIyqjDuP80MgpvMlV7bvSXmXP4RBPAKsKtkfI
+X7sf+gS5gz5gGoJmB4c3GrEaHM4mimO8oY5hRQokWS9CoBVZ/Xj8JrEHn/Blm4J6
+9QknocG2A9lfGAZ+IkOXWpPWsZwvBwkQvEAzgIAGxjdeBXl99Tcu6NTrm8+q2FZJ
+NtNbx886fInPaQDV58FMJNMsiEGDybdGvNwJlYg9YPGWLcymU/szwY3bXoDDpkMh
+X23X1+Kj5Mw/f8UqG1l47SD3eZ8=
+-----END CERTIFICATE-----
Index: /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_server.key
===================================================================
--- /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_server.key	(revision 13755)
+++ /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_server.key	(revision 13755)
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5QIBAAKCAYEA0JljTQtB9vmGWLWQPT+f3FWSH2IIamzpnnrIksDQ7ymbNvwl
+yHqFtscLNsm7cT2BxvHshqt5LtVGg8u9lmYVzZLFz2Ev66bnRW90hQLkgemX9w+z
+D0OujC0AZqhaNAwVZokCJBaR/meJLxamAY4xZtCMhJIc1Vf8eOp0VQ9/pOhLRJH1
+xT7JvzZ1Ip3SY1UMiOOWu7cYt/hkm3zm3O7IDB44LN7IZOvSnJafJx6Tyk18EWID
+UbJfXbzr/oLZr5gap2qm+ZDIFYSQJbXmlGXfMWFAtIA2+XmepiGgnyUH7nk18Eqe
+A143Tk8XKCNC+v/TWj8rAIqs7syVk9YW6r2hkmBv5Kk+1jhqN1AdeQ9HswylFLlY
+E6SYBHkzTUAUNc/syKCd21dmITtYAsxNPFQQ4cD7Ll0t3G+SyBzTyl1hcEkJrD8W
+TIHYCC7WZpF2mVdn9Yvl/tj4yVkGfXCpyxHPrINnhhuWk+wxGtFT6qhKurjLkpCX
+A7dqTS22WuriVmTjAgMBAAECggGAO7o/uZaom5vUwN+z3iWykzcZMM00Faz7s3n6
+pjJ5YJFsNPE7rEyQrsYNSvG2LvVqjFlG3USJ3UQJ/cC/lynBwmvtIbT1MKdIfxQr
+q84pOZ11+rLPFWbOuqpD/CDmOxLeqc4/A7BGuy5QFGCKxdU+Be9e3LKteNTJoKGZ
+D6XxaXlt28NjOMgCojJolbHUxMZcYXGw/iyt8jc4L2EzBT2FoBqjAQ4FGQiA9H8Y
+MO5LaNiI1r1Wr/S/46otdGFpDSMisiVNgZly05CTFxyGA1TyIHKoQZD+dipuwSZj
+2froJxUefiRVDiCs/z5hOmy8tYl26jGOShSxOL12CjkpsWylibQbX6jJQ5Q12QFP
+5C9vMDWpNNQoy7zior5fDKkWWpYE6HE31+/vFhJSTVcOPQZ61nUuTDdGre4mCWuA
+7Gk7ul1LGA0hhVHyKHIDzBtQg23unPoHE+Xy1Ga0QBndn4MF9w++NoBisTOuJXuH
+I3GYPp6dZA1QXsY1U2KvnjBCtRK5AoHBAPH9B1y0xi/F18Q3PgfQ7gc1ITs/Nd6F
+Q0IfEZ6UPfcs0U9wPZXwE4ig+Zt3PlsUgWeMlo6hCLfaA+nHyYlimvJFRwMN4AOQ
+XO+eUSZs+DOHw4naVfXI2E8aMGYlei5suBar/RxkxhFfeJkWStTlsrpsqO2g3Est
+6p1E/B3lxCnl2sqKnohrxfnf3Zriy4KBHuMhT70z8xfGTMXCaJ8TB8fjYwafKcUu
+iLoMVdscz772FyDTkNCukglhxIW7bbtpBwKBwQDcrW8PicdbjjLoXnXpE/XaNBSc
+eakw/QxdppFX+dHybKLLFCZN8nuvXqDVSoAOu/YLMWSpGLQkoU3aJINlcZPK2kZ5
+kVEl79wYoEFhsNknrXYoA17U+Kbs3k/DgkwpkgGZFW8c1oIFcbPKAgfcIdltaQUq
+9Fl2q3ROBQIB3dzFsr1NxvIM6q5dipKAzCsc+FYaCKI1TEE186/X0hVVZ6FFLSwE
+SW1RZyH7+9cSMfMPo7WKTHttbgr6r9BenupcukUCgcEA6Aa8o2h2S2JBE9QAN1Be
+myyXU461YUqYBfNyWoI7tCAWBjxR4M2UfUIUc7vvXzeXKKmFxvajPF3fuK4nEQMq
+HLjOcSBBtkkaw2si1lxP1GEN3cUq/QN6XMZ4t8ihkZgPHzYD+NCrlgbbxLW6RM6G
+A/iiNU8zSyaYuflmYGhqId5SXjhx786ewoujmZpylgymiBPtuDXylc4+2LQiyrxd
+joz562R7kaSf1vxy6iiDDdA6tvAFAAMS5coHvE7N1Y/LAoHBAKxcekZ0otWL948v
+WIE4KerIiuC81b2BqErtctB4O9dRqsVbc5+mKZ0MGCsACY14mfCcH7dDqFCD/L7J
+jieJ0pm6axlAu1UaR5qkcOzQqIwpHAScvVEy9Y5FBZ/7AWnmtIDREPxBP0TpTjgV
+5fW2KpEeWf7243mg6TKXDr5Of8WamelJ3nzgQFinh046KeJyxS2IWMmwSa7OKyYy
+3J7cVkYlxh+DCnNuTkj2p0F66hHpGD5xBmaucLzk3adKEFtk0QKBwQCudpSlDRHe
+4hyvUYYOxyWA+KJ3ikN2sn5d5vTt5lNeRGiJNUJ226sUenY1XMvGfSntPTLbAYkt
+kzx1P9BZdBIrWqwdtzufy3gh1G3p2UBOsc14k4Fns5UZ6yjZP2K8Z6BuSF59MPcj
+gr1GQpXax69LXLpb+tlaz3xkhOYIIo6/H4OTr5R+RlUmdzJ+9OpFW5A7k2kQ5ItB
+Gf5dPaee5hhodeosv+Tix3ErUT8alhJOvny1KjSOY3m67jgT1KGwBew=
+-----END RSA PRIVATE KEY-----
Index: /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_server.pem
===================================================================
--- /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_server.pem	(revision 13755)
+++ /branches/releng-11/nanobsd/files/usr/local/etc/nsd/nsd_server.pem	(revision 13755)
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDmDCCAgACCQDBwMxCT7V/AzANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANu
+c2QwHhcNMTcwMTIxMjIwNTU3WhcNMzYxMDA4MjIwNTU3WjAOMQwwCgYDVQQDDANu
+c2QwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDQmWNNC0H2+YZYtZA9
+P5/cVZIfYghqbOmeesiSwNDvKZs2/CXIeoW2xws2ybtxPYHG8eyGq3ku1UaDy72W
+ZhXNksXPYS/rpudFb3SFAuSB6Zf3D7MPQ66MLQBmqFo0DBVmiQIkFpH+Z4kvFqYB
+jjFm0IyEkhzVV/x46nRVD3+k6EtEkfXFPsm/NnUindJjVQyI45a7txi3+GSbfObc
+7sgMHjgs3shk69Kclp8nHpPKTXwRYgNRsl9dvOv+gtmvmBqnaqb5kMgVhJAlteaU
+Zd8xYUC0gDb5eZ6mIaCfJQfueTXwSp4DXjdOTxcoI0L6/9NaPysAiqzuzJWT1hbq
+vaGSYG/kqT7WOGo3UB15D0ezDKUUuVgTpJgEeTNNQBQ1z+zIoJ3bV2YhO1gCzE08
+VBDhwPsuXS3cb5LIHNPKXWFwSQmsPxZMgdgILtZmkXaZV2f1i+X+2PjJWQZ9cKnL
+Ec+sg2eGG5aT7DEa0VPqqEq6uMuSkJcDt2pNLbZa6uJWZOMCAwEAATANBgkqhkiG
+9w0BAQsFAAOCAYEAGC2ICqU90St0afGESLHAeuquWOFTDQRku4/H7tLTHBlPI+Dw
+nY7w6XyrQ48kaX+y8mRduRNcz/J3f2QYCaiq0kI2vWR1c+SvRmpDw7UaI621yoJ0
+J89nbHwW+3NuBTsGeoM2vlI+ILoB3jVimcNII0hdvGgXnLhVUtjstLp9+tLMKKuV
+WQw8GGfZG1bdjvjIq+OhUXSjaQulX+shuoqI1pLU8eYpDVNhqyHXZK1D4fRrW5B7
+381RXHhF5kc/kYe1P3VBxjYltsCEUDmEUtkauGUO7qpD+xqQd93qmllSQbJ9sTeJ
+CxzqUguLj9Ijs47eFhN+lnHzu5sO5JvBk/Rvwr6i2IvsLkIukfgeUQVjTTEdzdH1
+/QJ2FsKgflAyo/a/AKFdugZnekVqLVYLPyoTY+jRnB9WrOOOXmoLZ3nBDoiMkhpi
++RxLX1aYO+AKij/uB2CRURUc8yBtIKRDsvIhs5PXyM/zYA5uEzR5PcHi2dcE1kFW
+jEDaTxHshaZEOrA2
+-----END CERTIFICATE-----
