zone.lisp: Support for TLSA records.

[zone] / zone.lisp

diff --git a/zone.lisp b/zone.lisp
index 9e5795d..7db70b1 100644 (file)
--- a/zone.lisp
+++ b/zone.lisp
@@ -27,7 +27,8 @@
 (defpackage #:zone
   (:use #:common-lisp
        #:mdw.base #:mdw.str #:collect #:safely
 (defpackage #:zone
   (:use #:common-lisp
        #:mdw.base #:mdw.str #:collect #:safely

-       #:net #:services))
+       #:net #:services)
+  (:import-from #:net #:round-down #:round-up))

 
 (in-package #:zone)
 
 
 (in-package #:zone)
 


@@ -110,6 +111,110 @@
       (when timep
        (format s "~2,'0D:~2,'0D:~2,'0D" hr min sec)))))
 
       (when timep
        (format s "~2,'0D:~2,'0D:~2,'0D" hr min sec)))))
 

+(deftype octet () '(unsigned-byte 8))
+(deftype octet-vector (&optional n) `(array octet (,n)))
+
+(defun decode-hex (hex &key (start 0) end)
+  "Decode a hexadecimal-encoded string, returning a vector of octets."
+  (let* ((end (or end (length hex)))
+        (len (- end start))
+        (raw (make-array (floor len 2) :element-type 'octet)))
+    (unless (evenp len)
+      (error "Invalid hex string `~A' (odd length)" hex))
+    (do ((i start (+ i 2)))
+       ((>= i end) raw)
+      (let ((high (digit-char-p (char hex i) 16))
+           (low (digit-char-p (char hex (1+ i)) 16)))
+       (unless (and high low)
+         (error "Invalid hex string `~A' (bad digit)" hex))
+       (setf (aref raw (/ (- i start) 2)) (+ (* 16 high) low))))))
+
+(defun slurp-file (file &optional (element-type 'character))
+  "Read and return the contents of FILE as a vector."
+  (with-open-file (in file :element-type element-type)
+    (let ((buf (make-array 1024 :element-type element-type))
+         (pos 0))
+      (loop
+       (let ((end (read-sequence buf in :start pos)))
+         (when (< end (length buf))
+           (return (adjust-array buf end)))
+         (setf pos end
+               buf (adjust-array buf (* 2 pos))))))))
+
+(defmacro defenum (name (&key export) &body values)
+  "Set up symbol properties for manifest constants.
+
+   The VALUES are a list of (TAG VALUE) pairs. Each TAG is a symbol; we set
+   the NAME property on TAG to VALUE, and export TAG.  There are also handy
+   hash-tables mapping in the forward and reverse directions, in the name
+   symbol's `enum-forward' and `enum-reverse' properties."
+  `(eval-when (:compile-toplevel :load-toplevel :execute)
+     ,(let*/gensyms (export)
+       (with-gensyms (forward reverse valtmp)
+         `(let ((,forward (make-hash-table))
+                (,reverse (make-hash-table)))
+            (when ,export (export ',name))
+            ,@(mapcar (lambda (item)
+                        (destructuring-bind (tag value) item
+                          (let ((constant
+                                 (intern (concatenate 'string
+                                                      (symbol-name name)
+                                                      "/"
+                                                      (symbol-name tag)))))
+                            `(let ((,valtmp ,value))
+                               (when ,export
+                                 (export ',constant)
+                                 (when (eq (symbol-package ',tag) *package*)
+                                   (export ',tag)))
+                               (defconstant ,constant ,valtmp)
+                               (setf (get ',tag ',name) ,value
+                                     (gethash ',tag ,forward) ,valtmp
+                                     (gethash ,valtmp ,reverse) ',tag)))))
+                      values)
+            (setf (get ',name 'enum-forward) ,forward
+                  (get ',name 'enum-reverse) ,reverse))))))
+
+(defun lookup-enum (name tag &key min max)
+  "Look up a TAG in an enumeration.
+
+   If TAG is a symbol, check its NAME property; if it's a fixnum then take it
+   as it is.  Make sure that it's between MIN and MAX, if they're not nil."
+  (let ((value (etypecase tag
+               (fixnum tag)
+               (symbol (or (get tag name)
+                           (error "~S is not a known ~A" tag name))))))
+    (unless (and (or (null min) (<= min value))
+               (or (null max) (<= value max)))
+      (error "Value ~S out of range for ~A" value name))
+    value))
+
+(defun reverse-enum (name value)
+  "Reverse-lookup of a VALUE in enumeration NAME.
+
+   If a tag for the VALUE is found, return it and `t'; otherwise return VALUE
+   unchanged and `nil'."
+  (multiple-value-bind (tag foundp) (gethash value (get name 'enum-reverse))
+    (if foundp
+       (values tag t)
+       (values value nil))))
+
+(defun mapenum (func name)
+  "Call FUNC on TAG/VALUE pairs from the enumeration called NAME."
+  (maphash func (get name 'enum-forward)))
+
+(defun hash-file (hash file context)
+  "Hash the FILE using the OpenSSL HASH function, returning an octet string.
+
+   CONTEXT is a temporary-files context."
+  (let ((temp (temporary-file context "hash")))
+    (run-program (list "openssl" "dgst" (concatenate 'string "-" hash))
+                :input file :output temp)
+    (with-open-file (in temp)
+      (let ((line (read-line in)))
+       (assert (and (>= (length line) 9)
+                    (string= line "(stdin)= " :end1 9)))
+       (decode-hex line :start 9)))))
+

 ;;;--------------------------------------------------------------------------
 ;;; Zone types.
 
 ;;;--------------------------------------------------------------------------
 ;;; Zone types.
 


@@ -124,6 +229,10 @@
   min-ttl
   serial)
 
   min-ttl
   serial)
 

+(export 'zone-text-name)
+(defun zone-text-name (zone)
+  (princ-to-string (zone-name zone)))
+

 (export 'mx)
 (defstruct (mx (:predicate mxp))
   "Mail-exchange record information."
 (export 'mx)
 (defstruct (mx (:predicate mxp))
   "Mail-exchange record information."


@@ -257,6 +366,68 @@
                        (cdr clause))))
              clauses)))
 
                        (cdr clause))))
              clauses)))
 

+(export 'zone-parse-host)
+(defun zone-parse-host (form &optional tail)
+  "Parse a host name FORM from a value in a zone form.
+
+   The underlying parsing is done using `parse-domain-name'.  Here, we
+   interpret various kinds of Lisp object specially.  In particular: `nil'
+   refers to the TAIL zone (just like a plain `@'); and a symbol is downcased
+   before use."
+  (let ((name (etypecase form
+               (null (make-domain-name :labels nil :absolutep nil))
+               (domain-name form)
+               (symbol (parse-domain-name (string-downcase form)))
+               (string (parse-domain-name form)))))
+    (if (null tail) name
+       (domain-name-concat name tail))))
+
+(export 'zone-records-sorted)
+(defun zone-records-sorted (zone)
+  "Return the ZONE's records, in a pleasant sorted order."
+  (sort (copy-seq (zone-records zone))
+       (lambda (zr-a zr-b)
+         (multiple-value-bind (precp follp)
+             (domain-name< (zr-name zr-a) (zr-name zr-b))
+           (cond (precp t)
+                 (follp nil)
+                 (t (string< (zr-type zr-a) (zr-type zr-b))))))))
+
+;;;--------------------------------------------------------------------------
+;;; Serial numbering.
+
+(export 'make-zone-serial)
+(defun make-zone-serial (name)
+  "Given a zone NAME, come up with a new serial number.
+
+   This will (very carefully) update a file ZONE.serial in the current
+   directory."
+  (let* ((file (zone-file-name name :serial))
+        (last (with-open-file (in file
+                                  :direction :input
+                                  :if-does-not-exist nil)
+                (if in (read in)
+                    (list 0 0 0 0))))
+        (now (multiple-value-bind
+                 (sec min hr dy mon yr dow dstp tz)
+                 (get-decoded-time)
+               (declare (ignore sec min hr dow dstp tz))
+               (list dy mon yr)))
+        (seq (cond ((not (equal now (cdr last))) 0)
+                   ((< (car last) 99) (1+ (car last)))
+                   (t (error "Run out of sequence numbers for ~A" name)))))
+    (safely-writing (out file)
+      (format out
+             ";; Serial number file for zone ~A~%~
+              ;;   (LAST-SEQ DAY MONTH YEAR)~%~
+              ~S~%"
+             name
+             (cons seq now)))
+    (from-mixed-base '(100 100 100) (reverse (cons seq now)))))
+
+;;;--------------------------------------------------------------------------
+;;; Zone form parsing.
+

 (defun zone-process-records (rec ttl func)
   "Sort out the list of records in REC, calling FUNC for each one.
 
 (defun zone-process-records (rec ttl func)
   "Sort out the list of records in REC, calling FUNC for each one.
 


@@ -313,9 +484,9 @@
                                   top))
                         ((listp r)
                          (dolist (name (listify (car r)))
                                   top))
                         ((listp r)
                          (dolist (name (listify (car r)))

-                           (collect (make-zone-subdomain :name name
-                                                         :ttl ttl
-                                                         :records (cdr r))
+                           (collect (make-zone-subdomain
+                                     :name (zone-parse-host name)
+                                     :ttl ttl :records (cdr r))

                                     sub)))
                         (t
                          (error "Unexpected record form ~A" (car r))))))))
                                     sub)))
                         (t
                          (error "Unexpected record form ~A" (car r))))))))


@@ -329,143 +500,30 @@
             (multiple-value-bind (top sub) (sift rec ttl)
               (if (and dom (null top) sub)
                   (let ((preferred
             (multiple-value-bind (top sub) (sift rec ttl)
               (if (and dom (null top) sub)
                   (let ((preferred

-                         (or (find-if (lambda (s)
-                                        (some #'zone-preferred-subnet-p
-                                              (listify (zs-name s))))
-                                      sub)
+                         (or (find-if
+                              (lambda (s)
+                                (let ((ll (domain-name-labels (zs-name s))))
+                                  (and (consp ll) (null (cdr ll))
+                                       (zone-preferred-subnet-p (car ll)))))
+                              sub)

                              (car sub))))
                     (when preferred
                       (process (zs-records preferred)
                                dom
                                (zs-ttl preferred))))
                              (car sub))))
                     (when preferred
                       (process (zs-records preferred)
                                dom
                                (zs-ttl preferred))))

-                  (let ((name (and dom
-                                   (string-downcase
-                                    (join-strings #\. (reverse dom))))))
+                  (let ((name dom))

                     (dolist (zr top)
                       (setf (zr-name zr) name)
                       (funcall func zr))))
               (dolist (s sub)
                 (process (zs-records s)
                     (dolist (zr top)
                       (setf (zr-name zr) name)
                       (funcall func zr))))
               (dolist (s sub)
                 (process (zs-records s)

-                         (cons (zs-name s) dom)
+                         (if (null dom) (zs-name s)
+                             (domain-name-concat dom (zs-name s)))

                          (zs-ttl s))))))
 
     ;; Process the records we're given with no prefix.
     (process rec nil ttl)))
 
                          (zs-ttl s))))))
 
     ;; Process the records we're given with no prefix.
     (process rec nil ttl)))
 

-(export 'zone-parse-host)
-(defun zone-parse-host (f zname)
-  "Parse a host name F.
-
-   If F ends in a dot then it's considered absolute; otherwise it's relative
-   to ZNAME."
-  (setf f (stringify f))
-  (cond ((string= f "@") (stringify zname))
-       ((and (plusp (length f))
-             (char= (char f (1- (length f))) #\.))
-        (string-downcase (subseq f 0 (1- (length f)))))
-       (t (string-downcase (concatenate 'string f "."
-                                        (stringify zname))))))
-(defun default-rev-zone (base bytes)
-  "Return the default reverse-zone name for the given BASE address and number
-   of fixed leading BYTES."
-  (join-strings #\. (collecting ()
-                     (loop for i from (- 3 bytes) downto 0
-                           do (collect (ipaddr-byte base i)))
-                     (collect "in-addr.arpa"))))
-
-(defun zone-name-from-net (net &optional bytes)
-  "Given a NET, and maybe the BYTES to use, convert to the appropriate
-   subdomain of in-addr.arpa."
-  (let ((ipn (net-get-as-ipnet net)))
-    (with-ipnet (net mask) ipn
-      (unless bytes
-       (setf bytes (- 4 (ipnet-changeable-bytes mask))))
-      (join-strings #\.
-                   (append (loop
-                              for i from (- 4 bytes) below 4
-                              collect (logand #xff (ash net (* -8 i))))
-                           (list "in-addr.arpa"))))))
-
-(defun zone-net-from-name (name)
-  "Given a NAME in the in-addr.arpa space, convert it to an ipnet."
-  (let* ((name (string-downcase (stringify name)))
-        (len (length name))
-        (suffix ".in-addr.arpa")
-        (sufflen (length suffix))
-        (addr 0)
-        (n 0)
-        (end (- len sufflen)))
-    (unless (and (> len sufflen)
-                (string= name suffix :start1 end))
-      (error "`~A' not in ~A." name suffix))
-    (loop
-       with start = 0
-       for dot = (position #\. name :start start :end end)
-       for byte = (parse-integer name
-                                :start start
-                                :end (or dot end))
-       do (setf addr (logior addr (ash byte (* 8 n))))
-         (incf n)
-       when (>= n 4)
-       do (error "Can't deduce network from ~A." name)
-       while dot
-       do (setf start (1+ dot)))
-    (setf addr (ash addr (* 8 (- 4 n))))
-    (make-ipnet addr (* 8 n))))
-
-(defun zone-parse-net (net name)
-  "Given a NET, and the NAME of a domain to guess from if NET is null, return
-   the ipnet for the network."
-  (if net
-      (net-get-as-ipnet net)
-      (zone-net-from-name name)))
-
-(defun zone-cidr-delg-default-name (ipn bytes)
-  "Given a delegated net IPN and the parent's number of changing BYTES,
-   return the default deletate zone prefix."
-  (with-ipnet (net mask) ipn
-    (join-strings #\.
-                 (reverse
-                  (loop
-                     for i from (1- bytes) downto 0
-                     until (zerop (logand mask (ash #xff (* 8 i))))
-                     collect (logand #xff (ash net (* -8 i))))))))
-
-;;;--------------------------------------------------------------------------
-;;; Serial numbering.
-
-(export 'make-zone-serial)
-(defun make-zone-serial (name)
-  "Given a zone NAME, come up with a new serial number.
-
-   This will (very carefully) update a file ZONE.serial in the current
-   directory."
-  (let* ((file (zone-file-name name :serial))
-        (last (with-open-file (in file
-                                  :direction :input
-                                  :if-does-not-exist nil)
-                (if in (read in)
-                    (list 0 0 0 0))))
-        (now (multiple-value-bind
-                 (sec min hr dy mon yr dow dstp tz)
-                 (get-decoded-time)
-               (declare (ignore sec min hr dow dstp tz))
-               (list dy mon yr)))
-        (seq (cond ((not (equal now (cdr last))) 0)
-                   ((< (car last) 99) (1+ (car last)))
-                   (t (error "Run out of sequence numbers for ~A" name)))))
-    (safely-writing (out file)
-      (format out
-             ";; Serial number file for zone ~A~%~
-              ;;   (LAST-SEQ DAY MONTH YEAR)~%~
-              ~S~%"
-             name
-             (cons seq now)))
-    (from-mixed-base '(100 100 100) (reverse (cons seq now)))))
-
-;;;--------------------------------------------------------------------------
-;;; Zone form parsing.
-

 (defun zone-parse-head (head)
   "Parse the HEAD of a zone form.
 
 (defun zone-parse-head (head)
   "Parse the HEAD of a zone form.
 


@@ -477,17 +535,19 @@
    though a singleton NAME needn't be a list.  Returns the default TTL and an
    soa structure representing the zone head."
   (destructuring-bind
    though a singleton NAME needn't be a list.  Returns the default TTL and an
    soa structure representing the zone head."
   (destructuring-bind

-      (zname
+      (raw-zname

        &key
        (source *default-zone-source*)
        (admin (or *default-zone-admin*
        &key
        (source *default-zone-source*)
        (admin (or *default-zone-admin*

-                 (format nil "hostmaster@~A" zname)))
+                 (format nil "hostmaster@~A" raw-zname)))

        (refresh *default-zone-refresh*)
        (retry *default-zone-retry*)
        (expire *default-zone-expire*)
        (min-ttl *default-zone-min-ttl*)
        (ttl min-ttl)
        (refresh *default-zone-refresh*)
        (retry *default-zone-retry*)
        (expire *default-zone-expire*)
        (min-ttl *default-zone-min-ttl*)
        (ttl min-ttl)

-       (serial (make-zone-serial zname)))
+       (serial (make-zone-serial raw-zname))
+       &aux
+       (zname (zone-parse-host raw-zname root-domain)))

       (listify head)
     (values zname
            (timespec-seconds ttl)
       (listify head)
     (values zname
            (timespec-seconds ttl)


@@ -499,20 +559,6 @@
                      :min-ttl (timespec-seconds min-ttl)
                      :serial serial))))
 
                      :min-ttl (timespec-seconds min-ttl)
                      :serial serial))))
 

-(export 'zone-make-name)
-(defun zone-make-name (prefix zone-name)
-  "Compute a full domain name from a PREFIX and a ZONE-NAME.
-
-   If the PREFIX ends with `.' then it's absolute already; otherwise, append
-   the ZONE-NAME, separated with a `.'.  If PREFIX is nil, or `@', then
-   return the ZONE-NAME only."
-  (if (or (not prefix) (string= prefix "@"))
-      zone-name
-      (let ((len (length prefix)))
-       (if (or (zerop len) (char/= (char prefix (1- len)) #\.))
-           (join-strings #\. (list prefix zone-name))
-           prefix))))
-

 (export 'defzoneparse)
 (defmacro defzoneparse (types (name data list
                               &key (prefix (gensym "PREFIX"))
 (export 'defzoneparse)
 (defmacro defzoneparse (types (name data list
                               &key (prefix (gensym "PREFIX"))


@@ -548,6 +594,7 @@
 
    These (except MAKE-PTR-P, which defaults to nil) default to the above
    arguments (even if you didn't accept the arguments)."
 
    These (except MAKE-PTR-P, which defaults to nil) default to the above
    arguments (even if you didn't accept the arguments)."

+

   (setf types (listify types))
   (let* ((type (car types))
         (func (intern (format nil "ZONE-PARSE/~:@(~A~)" type))))
   (setf types (listify types))
   (let* ((type (car types))
         (func (intern (format nil "ZONE-PARSE/~:@(~A~)" type))))


@@ -559,7 +606,8 @@
           (defun ,func (,prefix ,zname ,data ,ttl ,col)
             ,@doc
             ,@decls
           (defun ,func (,prefix ,zname ,data ,ttl ,col)
             ,@doc
             ,@decls

-            (let ((,name (zone-make-name ,prefix ,zname)))
+            (let ((,name (if (null ,prefix) ,zname
+                             (domain-name-concat ,prefix ,zname))))

               (flet ((,list (&key ((:name ,tname) ,name)
                                   ((:type ,ttype) ,type)
                                   ((:data ,tdata) ,data)
               (flet ((,list (&key ((:name ,tname) ,name)
                                   ((:type ,ttype) ,type)
                                   ((:data ,tdata) ,data)


@@ -586,7 +634,7 @@
             (let ((func (or (get (zr-type zr) 'zone-parse)
                             (error "No parser for record ~A."
                                    (zr-type zr))))
             (let ((func (or (get (zr-type zr) 'zone-parse)
                             (error "No parser for record ~A."
                                    (zr-type zr))))

-                  (name (and (zr-name zr) (stringify (zr-name zr)))))
+                  (name (and (zr-name zr) (zr-name zr))))

               (funcall func name zname (zr-data zr) (zr-ttl zr) rec))))
       (zone-process-records records ttl #'parse-record))))
 
               (funcall func name zname (zr-data zr) (zr-ttl zr) rec))))
       (zone-process-records records ttl #'parse-record))))
 


@@ -610,51 +658,211 @@
 
 (export 'zone-create)
 (defun zone-create (zf)
 
 (export 'zone-create)
 (defun zone-create (zf)

-  "Zone construction function.  Given a zone form ZF, construct the zone and
-   add it to the table."
+  "Zone construction function.
+
+   Given a zone form ZF, construct the zone and add it to the table."

   (let* ((zone (zone-parse zf))
   (let* ((zone (zone-parse zf))

-        (name (zone-name zone)))
+        (name (zone-text-name zone)))

     (setf (zone-find name) zone)
     name))
 
 (export 'defzone)
     (setf (zone-find name) zone)
     name))
 
 (export 'defzone)

-(defmacro defzone (soa &rest zf)
+(defmacro defzone (soa &body zf)

   "Zone definition macro."
   `(zone-create '(,soa ,@zf)))
 
   "Zone definition macro."
   `(zone-create '(,soa ,@zf)))
 

+(export '*address-family*)
+(defvar *address-family* t
+  "The default address family.  This is bound by `defrevzone'.")
+

 (export 'defrevzone)
 (export 'defrevzone)

-(defmacro defrevzone (head &rest zf)
+(defmacro defrevzone (head &body zf)

   "Define a reverse zone, with the correct name."
   "Define a reverse zone, with the correct name."

-  (destructuring-bind
-      (net &rest soa-args)
+  (destructuring-bind (nets &rest args
+                           &key &allow-other-keys
+                                (family '*address-family*)
+                                prefix-bits)

       (listify head)
       (listify head)

-    (let ((bytes nil))
-      (when (and soa-args (integerp (car soa-args)))
-       (setf bytes (pop soa-args)))
-      `(zone-create '((,(zone-name-from-net net bytes) ,@soa-args) ,@zf)))))
+    (with-gensyms (ipn)
+      `(dolist (,ipn (net-parse-to-ipnets ',nets ,family))
+        (let ((*address-family* (ipnet-family ,ipn)))
+          (zone-create `((,(format nil "~A." (reverse-domain ,ipn
+                                                             ,prefix-bits))
+                           ,@',(loop for (k v) on args by #'cddr
+                                     unless (member k
+                                                    '(:family :prefix-bits))
+                                     nconc (list k v)))
+                         ,@',zf)))))))
+
+(export 'map-host-addresses)
+(defun map-host-addresses (func addr &key (family *address-family*))
+  "Call FUNC for each address denoted by ADDR (a `host-parse' address)."
+
+  (dolist (a (host-addrs (host-parse addr family)))
+    (funcall func a)))
+
+(export 'do-host)
+(defmacro do-host ((addr spec &key (family *address-family*)) &body body)
+  "Evaluate BODY, binding ADDR to each address denoted by SPEC."
+  `(dolist (,addr (host-addrs (host-parse ,spec ,family)))
+     ,@body))
+
+(export 'zone-set-address)
+(defun zone-set-address (rec addrspec &rest args
+                        &key (family *address-family*) name ttl make-ptr-p)
+  "Write records (using REC) defining addresses for ADDRSPEC."
+  (declare (ignore name ttl make-ptr-p))
+  (let ((key-args (loop for (k v) on args by #'cddr
+                       unless (eq k :family)
+                       nconc (list k v))))
+    (do-host (addr addrspec :family family)
+      (apply rec :type (ipaddr-rrtype addr) :data addr key-args))))
+
+;;;--------------------------------------------------------------------------
+;;; Building raw record vectors.
+
+(defvar *record-vector* nil
+  "The record vector under construction.")
+
+(defun rec-ensure (n)
+  "Ensure that at least N octets are spare in the current record."
+  (let ((want (+ n (fill-pointer *record-vector*)))
+       (have (array-dimension *record-vector* 0)))
+    (unless (<= want have)
+      (adjust-array *record-vector*
+                   (do ((new (* 2 have) (* 2 new)))
+                       ((<= want new) new))))))
+
+(export 'rec-octet-vector)
+(defun rec-octet-vector (vector &key (start 0) end)
+  "Copy (part of) the VECTOR to the output."
+  (let* ((end (or end (length vector)))
+        (len (- end start)))
+    (rec-ensure len)
+    (do ((i start (1+ i)))
+       ((>= i end))
+      (vector-push (aref vector i) *record-vector*))))
+
+(export 'rec-byte)
+(defun rec-byte (octets value)
+  "Append an unsigned byte, OCTETS octets wide, with VALUE, to the record."
+  (rec-ensure octets)
+  (do ((i (1- octets) (1- i)))
+      ((minusp i))
+    (vector-push (ldb (byte 8 (* 8 i)) value) *record-vector*)))
+
+(export 'rec-u8)
+(defun rec-u8 (value)
+  "Append an 8-bit VALUE to the current record."
+  (rec-byte 1 value))
+
+(export 'rec-u16)
+(defun rec-u16 (value)
+  "Append a 16-bit VALUE to the current record."
+  (rec-byte 2 value))
+
+(export 'rec-u32)
+(defun rec-u32 (value)
+  "Append a 32-bit VALUE to the current record."
+  (rec-byte 4 value))
+
+(export 'rec-raw-string)
+(defun rec-raw-string (s &key (start 0) end)
+  "Append (a (substring of) a raw string S to the current record.
+
+   No arrangement is made for reporting the length of the string.  That must
+   be done by the caller, if necessary."
+  (setf-default end (length s))
+  (rec-ensure (- end start))
+  (do ((i start (1+ i)))
+      ((>= i end))
+    (vector-push (char-code (char s i)) *record-vector*)))
+
+(export 'rec-string)
+(defun rec-string (s &key (start 0) end (max 255))
+  (let* ((end (or end (length s)))
+        (len (- end start)))
+    (unless (<= len max)
+      (error "String `~A' too long" (subseq s start end)))
+    (rec-u8 (- end start))
+    (rec-raw-string s :start start :end end)))
+
+(export 'rec-name)
+(defun rec-name (name)
+  "Append a domain NAME.
+
+   No attempt is made to perform compression of the name."
+  (dolist (label (reverse (domain-name-labels name)))
+    (rec-string label :max 63))
+  (rec-u8 0))
+
+(export 'build-record)
+(defmacro build-record (&body body)
+  "Build a raw record, and return it as a vector of octets."
+  `(let ((*record-vector* (make-array 256
+                                     :element-type '(unsigned-byte 8)
+                                     :fill-pointer 0
+                                     :adjustable t)))
+     ,@body
+     (copy-seq *record-vector*)))
+
+(export 'zone-record-rrdata)
+(defgeneric zone-record-rrdata (type zr)
+  (:documentation "Emit (using the `build-record' protocol) RRDATA for ZR.
+
+   The TYPE is a keyword naming the record type.  Return the numeric RRTYPE
+   code."))

 
 ;;;--------------------------------------------------------------------------
 ;;; Zone record parsers.
 
 (defzoneparse :a (name data rec)
   ":a IPADDR"
 
 ;;;--------------------------------------------------------------------------
 ;;; Zone record parsers.
 
 (defzoneparse :a (name data rec)
   ":a IPADDR"

-  (rec :data (parse-ipaddr data) :make-ptr-p t))
+  (zone-set-address #'rec data :make-ptr-p t :family :ipv4))
+
+(defmethod zone-record-rrdata ((type (eql :a)) zr)
+  (rec-u32 (ipaddr-addr (zr-data zr)))
+  1)
+
+(defzoneparse :aaaa (name data rec)
+  ":aaaa IPADDR"
+  (zone-set-address #'rec data :make-ptr-p t :family :ipv6))
+
+(defmethod zone-record-rrdata ((type (eql :aaaa)) zr)
+  (rec-byte 16 (ipaddr-addr (zr-data zr)))
+  28)
+
+(defzoneparse :addr (name data rec)
+  ":addr IPADDR"
+  (zone-set-address #'rec data :make-ptr-p t))

 
 (defzoneparse :svc (name data rec)
   ":svc IPADDR"
 
 (defzoneparse :svc (name data rec)
   ":svc IPADDR"

-  (rec :type :a :data (parse-ipaddr data)))
+  (zone-set-address #'rec data))

 
 (defzoneparse :ptr (name data rec :zname zname)
   ":ptr HOST"
   (rec :data (zone-parse-host data zname)))
 
 
 (defzoneparse :ptr (name data rec :zname zname)
   ":ptr HOST"
   (rec :data (zone-parse-host data zname)))
 

+(defmethod zone-record-rrdata ((type (eql :ptr)) zr)
+  (rec-name (zr-data zr))
+  12)
+

 (defzoneparse :cname (name data rec :zname zname)
   ":cname HOST"
   (rec :data (zone-parse-host data zname)))
 
 (defzoneparse :cname (name data rec :zname zname)
   ":cname HOST"
   (rec :data (zone-parse-host data zname)))
 

+(defmethod zone-record-rrdata ((type (eql :cname)) zr)
+  (rec-name (zr-data zr))
+  5)
+

 (defzoneparse :txt (name data rec)
 (defzoneparse :txt (name data rec)

-  ":txt TEXT"
-  (rec :data data))
+  ":txt (TEXT*)"
+  (rec :data (listify data)))
+
+(defmethod zone-record-rrdata ((type (eql :txt)) zr)
+  (mapc #'rec-string (zr-data zr))
+  16)

 
 (export '*dkim-pathname-defaults*)
 (defvar *dkim-pathname-defaults*
 
 (export '*dkim-pathname-defaults*)
 (defvar *dkim-pathname-defaults*


@@ -677,13 +885,15 @@
                     (flush))
                   (when (plusp len)
                     (cond ((< len 64)
                     (flush))
                   (when (plusp len)
                     (cond ((< len 64)

-                           (unless out (setf out (make-string-output-stream)))
+                           (unless out
+                             (setf out (make-string-output-stream)))

                            (write-string text out))
                           (t
                            (do ((i 0 j)
                                 (j 64 (+ j 64)))
                                ((>= i len))
                            (write-string text out))
                           (t
                            (do ((i 0 j)
                                 (j 64 (+ j 64)))
                                ((>= i len))

-                             (push (subseq text i (min j len)) things))))))))
+                             (push (subseq text i (min j len))
+                                   things))))))))

        (do ((p plist (cddr p)))
            ((endp p))
          (emit (format nil "~(~A~)=~A;" (car p) (cadr p))))
        (do ((p plist (cddr p)))
            ((endp p))
          (emit (format nil "~(~A~)=~A;" (car p) (cadr p))))


@@ -704,15 +914,8 @@
       (rec :type :txt
           :data (nreverse things)))))
 
       (rec :type :txt
           :data (nreverse things)))))
 

-(eval-when (:load-toplevel :execute)
-  (dolist (item '((sshfp-algorithm rsa 1)
-                 (sshfp-algorithm dsa 2)
-                 (sshfp-algorithm ecdsa 3)
-                 (sshfp-type sha-1 1)
-                 (sshfp-type sha-256 2)))
-    (destructuring-bind (prop sym val) item
-      (setf (get sym prop) val)
-      (export sym))))
+(defenum sshfp-algorithm () (:rsa 1) (:dsa 2) (:ecdsa 3))
+(defenum sshfp-type () (:sha-1 1) (:sha-256 2))

 
 (export '*sshfp-pathname-defaults*)
 (defvar *sshfp-pathname-defaults*
 
 (export '*sshfp-pathname-defaults*)
 (defvar *sshfp-pathname-defaults*


@@ -736,17 +939,198 @@
                    (rec :data (list (parse-integer alg)
                                     (parse-integer type)
                                     fpr)))))))
                    (rec :data (list (parse-integer alg)
                                     (parse-integer type)
                                     fpr)))))))

-      (flet ((lookup (what prop)
-              (etypecase what
-                (fixnum what)
-                (symbol (or (get what prop)
-                            (error "~S is not a known ~A" what prop))))))
-       (dolist (item (listify data))
-         (destructuring-bind (fpr &key (alg 'rsa) (type 'sha-1))
-             (listify item)
-           (rec :data (list (lookup alg 'sshfp-algorithm)
-                            (lookup type 'sshfp-type)
-                            fpr)))))))
+      (dolist (item (listify data))
+       (destructuring-bind (fpr &key (alg 'rsa) (type 'sha-1))
+           (listify item)
+         (rec :data (list (lookup-enum alg 'sshfp-algorithm :min 0 :max 255)
+                          (lookup-enum type 'sshfp-type :min 0 :max 255)
+                          fpr))))))
+
+(defmethod zone-record-rrdata ((type (eql :sshfp)) zr)
+  (destructuring-bind (alg type fpr) (zr-data zr)
+    (rec-u8 alg)
+    (rec-u8 type)
+    (do ((i 0 (+ i 2))
+        (n (length fpr)))
+       ((>= i n))
+      (rec-u8 (parse-integer fpr :start i :end (+ i 2) :radix 16))))
+  44)
+
+(defenum tlsa-usage ()
+  (:ca-constraint 0)
+  (:service-certificate-constraint 1)
+  (:trust-anchor-assertion 2)
+  (:domain-issued-certificate 3))
+
+(defenum tlsa-selector ()
+  (:certificate 0)
+  (:public-key 1))
+
+(defenum tlsa-match ()
+  (:exact 0)
+  (:sha-256 1)
+  (:sha-512 2))
+
+(defparameter tlsa-pem-alist
+  `(("CERTIFICATE" . ,tlsa-selector/certificate)
+    ("PUBLIC-KEY" . ,tlsa-selector/public-key)))
+
+(defgeneric raw-tlsa-assoc-data (have want file context)
+  (:documentation
+   "Convert FILE, and strip off PEM encoding.
+
+   The FILE contains PEM-encoded data of type HAVE -- one of the
+   `tlsa-selector' codes.  Return the name of a file containing binary
+   DER-encoded data of type WANT instead.  The CONTEXT is a temporary-files
+   context.")
+
+  (:method (have want file context)
+    (declare (ignore context))
+    (error "Can't convert `~A' from selector type ~S to type ~S" file
+          (reverse-enum 'tlsa-selector have)
+          (reverse-enum 'tlsa-selector want)))
+
+  (:method ((have (eql tlsa-selector/certificate))
+           (want (eql tlsa-selector/certificate))
+           file context)
+    (let ((temp (temporary-file context "cert")))
+      (run-program (list "openssl" "x509" "-outform" "der")
+                  :input file :output temp)
+      temp))
+
+  (:method ((have (eql tlsa-selector/public-key))
+           (want (eql tlsa-selector/public-key))
+           file context)
+    (let ((temp (temporary-file context "pubkey-der")))
+      (run-program (list "openssl" "pkey" "-pubin" "-outform" "der")
+                  :input file :output temp)
+      temp))
+
+  (:method ((have (eql tlsa-selector/certificate))
+           (want (eql tlsa-selector/public-key))
+           file context)
+    (let ((temp (temporary-file context "pubkey")))
+      (run-program (list "openssl" "x509" "-noout" "-pubkey")
+                  :input file :output temp)
+      (raw-tlsa-assoc-data want want temp context))))
+
+(defgeneric tlsa-match-data-valid-p (match data)
+  (:documentation
+   "Check whether the DATA (an octet vector) is valid for the MATCH type.")
+
+  (:method (match data)
+    (declare (ignore match data))
+    ;; We don't know: assume the user knows what they're doing.
+    t)
+
+  (:method ((match (eql tlsa-match/sha-256)) data) (= (length data) 32))
+  (:method ((match (eql tlsa-match/sha-512)) data) (= (length data) 64)))
+
+(defgeneric read-tlsa-match-data (match file context)
+  (:documentation
+   "Read FILE, and return an octet vector for the correct MATCH type.
+
+   CONTEXT is a temporary-files context.")
+  (:method ((match (eql tlsa-match/exact)) file context)
+    (declare (ignore context))
+    (slurp-file file 'octet))
+  (:method ((match (eql tlsa-match/sha-256)) file context)
+    (hash-file "sha256" file context))
+  (:method ((match (eql tlsa-match/sha-512)) file context)
+    (hash-file "sha512" file context)))
+
+(defgeneric tlsa-selector-pem-boundary (selector)
+  (:documentation
+   "Return the PEM boundary string for objects of the SELECTOR type")
+  (:method ((selector (eql tlsa-selector/certificate))) "CERTIFICATE")
+  (:method ((selector (eql tlsa-selector/public-key))) "PUBLIC KEY")
+  (:method (selector) (declare (ignore selector)) nil))
+
+(defun identify-tlsa-selector-file (file)
+  "Return the selector type for the data stored in a PEM-format FILE."
+  (with-open-file (in file)
+    (loop
+      (let* ((line (read-line in nil))
+            (len (length line)))
+       (unless line
+         (error "No PEM boundary in `~A'" file))
+       (when (and (>= len 11)
+                  (string= line "-----BEGIN " :end1 11)
+                  (string= line "-----" :start1 (- len 5)))
+         (mapenum (lambda (tag value)
+                    (declare (ignore tag))
+                    (when (string= line
+                                   (tlsa-selector-pem-boundary value)
+                                   :start1 11 :end1 (- len 5))
+                      (return value)))
+                  'tlsa-selector))))))
+
+(defun convert-tlsa-selector-data (data selector match)
+  "Convert certificate association DATA as required by SELECTOR and MATCH.
+
+   If DATA is a hex string, we assume that it's already in the appropriate
+   form (but if MATCH specifies a hash then we check that it's the right
+   length).  If DATA is a pathname, then it should name a PEM file: we
+   identify the kind of object stored in the file from the PEM header, and
+   convert as necessary.
+
+   The output is an octet vector containing the raw certificate association
+   data to include in rrdata."
+
+  (etypecase data
+    (string
+     (let ((bin (decode-hex data)))
+       (unless (tlsa-match-data-valid-p match bin)
+        (error "Invalid data for match type ~S"
+               (reverse-enum 'tlsa-match match)))
+       bin))
+    (pathname
+     (with-temporary-files (context :base "tmpfile.tmp")
+       (let* ((kind (identify-tlsa-selector-file data))
+             (raw (raw-tlsa-assoc-data kind selector data context)))
+        (read-tlsa-match-data match raw context))))))
+
+(defzoneparse :tlsa (name data rec)
+  ":tlsa (((SERVICE|PORT &key :protocol)*) (USAGE SELECTOR MATCH DATA)*)"
+
+  (destructuring-bind (services &rest certinfos) data
+
+    ;; First pass: build the raw-format TLSA record data.
+    (let ((records nil))
+      (dolist (certinfo certinfos)
+       (destructuring-bind (usage-tag selector-tag match-tag data) certinfo
+         (let* ((usage (lookup-enum 'tlsa-usage usage-tag :min 0 :max 255))
+                (selector (lookup-enum 'tlsa-selector selector-tag
+                                       :min 0 :max 255))
+                (match (lookup-enum 'tlsa-match match-tag :min 0 :max 255))
+                (raw (convert-tlsa-selector-data data selector match)))
+           (push (list usage selector match raw) records))))
+      (setf records (nreverse records))
+
+      ;; Second pass: attach records for the requested services.
+      (dolist (service (listify services))
+       (destructuring-bind (svc &key (protocol :tcp)) (listify service)
+         (let* ((port (etypecase svc
+                        (integer svc)
+                        (keyword (let ((serv (serv-by-name svc protocol)))
+                                   (unless serv
+                                     (error "Unknown service `~A'" svc))
+                                   (serv-port serv)))))
+                (prefixed (domain-name-concat
+                           (make-domain-name
+                            :labels (list (format nil "_~(~A~)" protocol)
+                                          (format nil "_~A" port)))
+                           name)))
+           (dolist (record records)
+             (rec :name prefixed :data record))))))))
+
+(defmethod zone-record-rrdata ((type (eql :tlsa)) zr)
+  (destructuring-bind (usage selector match data) (zr-data zr)
+    (rec-u8 usage)
+    (rec-u8 selector)
+    (rec-u8 match)
+    (rec-octet-vector data))
+  52)

 
 (defzoneparse :mx (name data rec :zname zname)
   ":mx ((HOST :prio INT :ip IPADDR)*)"
 
 (defzoneparse :mx (name data rec :zname zname)
   ":mx ((HOST :prio INT :ip IPADDR)*)"


@@ -755,9 +1139,16 @@
        (mxname &key (prio *default-mx-priority*) ip)
        (listify mx)
       (let ((host (zone-parse-host mxname zname)))
        (mxname &key (prio *default-mx-priority*) ip)
        (listify mx)
       (let ((host (zone-parse-host mxname zname)))

-       (when ip (rec :name host :type :a :data (parse-ipaddr ip)))
+       (when ip (zone-set-address #'rec ip :name host))

        (rec :data (cons host prio))))))
 
        (rec :data (cons host prio))))))
 

+(defmethod zone-record-rrdata ((type (eql :mx)) zr)
+  (let ((name (car (zr-data zr)))
+       (prio (cdr (zr-data zr))))
+    (rec-u16 prio)
+    (rec-name name))
+  15)
+

 (defzoneparse :ns (name data rec :zname zname)
   ":ns ((HOST :ip IPADDR)*)"
   (dolist (ns (listify data))
 (defzoneparse :ns (name data rec :zname zname)
   ":ns ((HOST :ip IPADDR)*)"
   (dolist (ns (listify data))


@@ -765,9 +1156,13 @@
        (nsname &key ip)
        (listify ns)
       (let ((host (zone-parse-host nsname zname)))
        (nsname &key ip)
        (listify ns)
       (let ((host (zone-parse-host nsname zname)))

-       (when ip (rec :name host :type :a :data (parse-ipaddr ip)))
+       (when ip (zone-set-address #'rec ip :name host))

        (rec :data host)))))
 
        (rec :data host)))))
 

+(defmethod zone-record-rrdata ((type (eql :ns)) zr)
+  (rec-name (zr-data zr))
+  2)
+

 (defzoneparse :alias (name data rec :zname zname)
   ":alias (LABEL*)"
   (dolist (a (listify data))
 (defzoneparse :alias (name data rec :zname zname)
   ":alias (LABEL*)"
   (dolist (a (listify data))


@@ -776,7 +1171,8 @@
         :data name)))
 
 (defzoneparse :srv (name data rec :zname zname)
         :data name)))
 
 (defzoneparse :srv (name data rec :zname zname)

-  ":srv (((SERVICE &key :port) (PROVIDER &key :port :prio :weight :ip)*)*)"
+  ":srv (((SERVICE &key :port :protocol)
+         (PROVIDER &key :port :prio :weight :ip)*)*)"

   (dolist (srv data)
     (destructuring-bind (servopts &rest providers) srv
       (destructuring-bind
   (dolist (srv data)
     (destructuring-bind (servopts &rest providers) srv
       (destructuring-bind


@@ -785,7 +1181,12 @@
        (unless default-port
          (let ((serv (serv-by-name service protocol)))
            (setf default-port (and serv (serv-port serv)))))
        (unless default-port
          (let ((serv (serv-by-name service protocol)))
            (setf default-port (and serv (serv-port serv)))))

-       (let ((rname (format nil "~(_~A._~A~).~A" service protocol name)))
+       (let ((rname (flet ((prepend (tag tail)
+                             (domain-name-concat
+                              (make-domain-name
+                               :labels (list (format nil "_~(~A~)" tag)))
+                              tail)))
+                      (prepend service (prepend protocol name)))))

          (dolist (prov providers)
            (destructuring-bind
                (srvname
          (dolist (prov providers)
            (destructuring-bind
                (srvname


@@ -796,107 +1197,124 @@
                 ip)
                (listify prov)
              (let ((host (zone-parse-host srvname zname)))
                 ip)
                (listify prov)
              (let ((host (zone-parse-host srvname zname)))

-               (when ip (rec :name host :type :a :data (parse-ipaddr ip)))
+               (when ip (zone-set-address #'rec ip :name host))

                (rec :name rname
                     :data (list prio weight port host))))))))))
 
                (rec :name rname
                     :data (list prio weight port host))))))))))
 

+(defmethod zone-record-rrdata ((type (eql :srv)) zr)
+  (destructuring-bind (prio weight port host) (zr-data zr)
+    (rec-u16 prio)
+    (rec-u16 weight)
+    (rec-u16 port)
+    (rec-name host))
+  33)
+

 (defzoneparse :net (name data rec)
   ":net (NETWORK*)"
   (dolist (net (listify data))
 (defzoneparse :net (name data rec)
   ":net (NETWORK*)"
   (dolist (net (listify data))

-    (let ((n (net-get-as-ipnet net)))
-      (rec :name (zone-parse-host "net" name)
-          :type :a
-          :data (ipnet-net n))
-      (rec :name (zone-parse-host "mask" name)
-          :type :a
-          :data (ipnet-mask n))
-      (rec :name (zone-parse-host "bcast" name)
-          :type :a
-          :data (ipnet-broadcast n)))))
+    (dolist (ipn (net-ipnets (net-must-find net)))
+      (let* ((base (ipnet-net ipn))
+            (rrtype (ipaddr-rrtype base)))
+       (flet ((frob (kind addr)
+                (when addr
+                  (rec :name (zone-parse-host kind name)
+                       :type rrtype
+                       :data addr))))
+         (frob "net" base)
+         (frob "mask" (ipaddr (ipnet-mask ipn) (ipnet-family ipn)))
+         (frob "bcast" (ipnet-broadcast ipn)))))))

 
 (defzoneparse (:rev :reverse) (name data rec)
 
 (defzoneparse (:rev :reverse) (name data rec)

-  ":reverse ((NET :bytes BYTES) ZONE*)
+  ":reverse ((NET &key :prefix-bits :family) ZONE*)

 
    Add a reverse record each host in the ZONEs (or all zones) that lies
 
    Add a reverse record each host in the ZONEs (or all zones) that lies

-   within NET.  The BYTES give the number of prefix labels generated; this
-   defaults to the smallest number of bytes needed to enumerate the net."
+   within NET."

   (setf data (listify data))
   (setf data (listify data))

-  (destructuring-bind (net &key bytes) (listify (car data))
-    (setf net (zone-parse-net net name))
-    (unless bytes
-      (setf bytes (ipnet-changeable-bytes (ipnet-mask net))))
-    (let ((seen (make-hash-table :test #'equal)))
-      (dolist (z (or (cdr data)
-                    (hash-table-keys *zones*)))
-       (dolist (zr (zone-records (zone-find z)))
-         (when (and (eq (zr-type zr) :a)
-                    (zr-make-ptr-p zr)
-                    (ipaddr-networkp (zr-data zr) net))
-           (let ((name (string-downcase
-                        (join-strings
-                         #\.
-                         (collecting ()
-                           (dotimes (i bytes)
-                             (collect (logand #xff (ash (zr-data zr)
-                                                        (* -8 i)))))
-                           (collect name))))))
-             (unless (gethash name seen)
-               (rec :name name :type :ptr
-                    :ttl (zr-ttl zr) :data (zr-name zr))
-               (setf (gethash name seen) t)))))))))
-
-(defzoneparse (:cidr-delegation :cidr) (name data rec :zname zname)
-  ":cidr-delegation ((NET :bytes BYTES) ((TARGET-NET*) [TARGET-ZONE])*)
-
-   Insert CNAME records for delegating a portion of the reverse-lookup
-   namespace which doesn't align with an octet boundary.
-
-   The NET specifies the origin network, in which the reverse records
-   naturally lie.  The BYTES are the number of labels to supply for each
-   address; the default is the smallest number which suffices to enumerate
-   the entire NET.  The TARGET-NETs are subnets of NET which are to be
-   delegated.  The TARGET-ZONEs are the zones to which we are delegating
-   authority for the reverse records: the default is to append labels for those
-   octets of the subnet base address which are not the same in all address in
-   the subnet."
-  (setf data (listify data))
-  (destructuring-bind (net &key bytes) (listify (car data))
-    (setf net (zone-parse-net net name))
-    (unless bytes
-      (setf bytes (ipnet-changeable-bytes (ipnet-mask net))))
-    (dolist (map (or (cdr data) (list (list net))))
-      (destructuring-bind (tnets &optional tdom) (listify map)
-       (dolist (tnet (listify tnets))
-         (setf tnet (zone-parse-net tnet name))
-         (unless (ipnet-subnetp net tnet)
-           (error "~A is not a subnet of ~A."
-                  (ipnet-pretty tnet)
-                  (ipnet-pretty net)))
-         (unless tdom
-           (with-ipnet (net mask) tnet
-             (setf tdom
-                   (join-strings
-                    #\.
-                    (append (reverse (loop
-                                      for i from (1- bytes) downto 0
-                                      until (zerop (logand mask
-                                                           (ash #xff
-                                                                (* 8 i))))
-                                      collect (ldb (byte 8 (* i 8)) net)))
-                            (list name))))))
-         (setf tdom (string-downcase (stringify tdom)))
-         (dotimes (i (ipnet-hosts tnet))
-           (unless (zerop i)
-             (let* ((addr (ipnet-host tnet i))
-                    (tail (join-strings #\.
-                                        (loop
-                                         for i from 0 below bytes
-                                         collect
-                                         (logand #xff
-                                                 (ash addr (* 8 i)))))))
-               (rec :name (format nil "~A.~A" tail name)
-                    :type :cname
-                    :data (format nil "~A.~A" tail tdom))))))))))
+  (destructuring-bind (net &key prefix-bits (family *address-family*))
+      (listify (car data))
+
+    (dolist (ipn (net-parse-to-ipnets net family))
+      (let* ((seen (make-hash-table :test #'equal))
+            (width (ipnet-width ipn))
+            (frag-len (if prefix-bits (- width prefix-bits)
+                          (ipnet-changeable-bits width (ipnet-mask ipn)))))
+       (dolist (z (or (cdr data) (hash-table-keys *zones*)))
+         (dolist (zr (zone-records (zone-find z)))
+           (when (and (eq (zr-type zr) (ipaddr-rrtype (ipnet-net ipn)))
+                      (zr-make-ptr-p zr)
+                      (ipaddr-networkp (ipaddr-addr (zr-data zr)) ipn))
+             (let* ((frag (reverse-domain-fragment (zr-data zr)
+                                                   0 frag-len))
+                    (name (domain-name-concat frag name))
+                    (name-string (princ-to-string name)))
+               (unless (gethash name-string seen)
+                 (rec :name name :type :ptr
+                      :ttl (zr-ttl zr) :data (zr-name zr))
+                 (setf (gethash name-string seen) t))))))))))
+
+(defzoneparse :multi (name data rec :zname zname :ttl ttl)
+  ":multi (((NET*) &key :start :end :family :suffix) . REC)
+
+   Output multiple records covering a portion of the reverse-resolution
+   namespace corresponding to the particular NETs.  The START and END bounds
+   default to the most significant variable component of the
+   reverse-resolution domain.
+
+   The REC tail is a sequence of record forms (as handled by
+   `zone-process-records') to be emitted for each covered address.  Within
+   the bodies of these forms, the symbol `*' will be replaced by the
+   domain-name fragment corresponding to the current host, optionally
+   followed by the SUFFIX.
+
+   Examples:
+
+       (:multi ((delegated-subnet :start 8)
+                :ns (some.ns.delegated.example :ip \"169.254.5.2\")))
+
+       (:multi ((tiny-subnet :suffix \"128.10.254.169.in-addr.arpa\")
+                :cname *))
+
+   Obviously, nested `:multi' records won't work well."
+
+  (destructuring-bind (nets
+                      &key start end ((:suffix raw-suffix))
+                      (family *address-family*))
+      (listify (car data))
+    (let ((suffix (if (not raw-suffix)
+                     (make-domain-name :labels nil :absolutep nil)
+                     (zone-parse-host raw-suffix))))
+      (dolist (net (listify nets))
+       (dolist (ipn (net-parse-to-ipnets net family))
+         (let* ((addr (ipnet-net ipn))
+                (width (ipaddr-width addr))
+                (comp-width (reverse-domain-component-width addr))
+                (end (round-up (or end
+                                   (ipnet-changeable-bits width
+                                                          (ipnet-mask ipn)))
+                               comp-width))
+                (start (round-down (or start (- end comp-width))
+                                   comp-width))
+                (map (ipnet-host-map ipn)))
+           (multiple-value-bind (host-step host-limit)
+               (ipnet-index-bounds map start end)
+             (do ((index 0 (+ index host-step)))
+                 ((> index host-limit))
+               (let* ((addr (ipnet-index-host map index))
+                      (frag (reverse-domain-fragment addr start end))
+                      (target (reduce #'domain-name-concat
+                                      (list frag suffix zname)
+                                      :from-end t
+                                      :initial-value root-domain)))
+                 (dolist (zr (zone-parse-records (domain-name-concat frag
+                                                                     zname)
+                                                 ttl
+                                                 (subst target '*
+                                                        (cdr data))))
+                   (rec :name (zr-name zr)
+                        :type (zr-type zr)
+                        :data (zr-data zr)
+                        :ttl (zr-ttl zr)
+                        :make-ptr-p (zr-make-ptr-p zr))))))))))))

 
 ;;;--------------------------------------------------------------------------
 ;;; Zone file output.
 
 ;;;--------------------------------------------------------------------------
 ;;; Zone file output.


@@ -911,11 +1329,59 @@
 (defvar *zone-output-stream* nil
   "Stream to write zone data on.")
 
 (defvar *zone-output-stream* nil
   "Stream to write zone data on.")
 

-(defmethod zone-write :around (format zone stream)
-  (declare (ignore format))
+(export 'zone-write-raw-rrdata)
+(defgeneric zone-write-raw-rrdata (format zr type data)
+  (:documentation "Write an otherwise unsupported record in a given FORMAT.
+
+   ZR gives the record object, which carries the name and TTL; the TYPE is
+   the numeric RRTYPE code; and DATA is an octet vector giving the RRDATA.
+   This is used by the default `zone-write-record' method to handle record
+   types which aren't directly supported by the format driver."))
+
+(export 'zone-write-header)
+(defgeneric zone-write-header (format zone)
+  (:documentation "Emit the header for a ZONE, in a given FORMAT.
+
+   The header includes any kind of initial comment, the SOA record, and any
+   other necessary preamble.  There is no default implementation.
+
+   This is part of the protocol used by the default method on `zone-write';
+   if you override that method."))
+
+(export 'zone-write-trailer)
+(defgeneric zone-write-trailer (format zone)
+  (:documentation "Emit the header for a ZONE, in a given FORMAT.
+
+   The footer may be empty, and is so by default.
+
+   This is part of the protocol used by the default method on `zone-write';
+   if you override that method.")
+  (:method (format zone)
+    (declare (ignore format zone))
+    nil))
+
+(export 'zone-write-record)
+(defgeneric zone-write-record (format type zr)
+  (:documentation "Emit a record of the given TYPE (a keyword).
+
+   The default implementation builds the raw RRDATA and passes it to
+   `zone-write-raw-rrdata'.")
+  (:method (format type zr)
+    (let* (code
+          (data (build-record (setf code (zone-record-rrdata type zr)))))
+      (zone-write-raw-rrdata format zr code data))))
+
+(defmethod zone-write (format zone stream)
+  "This default method calls `zone-write-header', then `zone-write-record'
+   for each record in the zone, and finally `zone-write-trailer'.  While it's
+   running, `*writing-zone*' is bound to the zone object, and
+  `*zone-output-stream*' to the output stream."

   (let ((*writing-zone* zone)
        (*zone-output-stream* stream))
   (let ((*writing-zone* zone)
        (*zone-output-stream* stream))

-    (call-next-method)))
+    (zone-write-header format zone)
+    (dolist (zr (zone-records-sorted zone))
+      (zone-write-record format (zr-type zr) zr))
+    (zone-write-trailer format zone)))

 
 (export 'zone-save)
 (defun zone-save (zones &key (format :bind))
 
 (export 'zone-save)
 (defun zone-save (zones &key (format :bind))


@@ -935,23 +1401,44 @@
 ;;;--------------------------------------------------------------------------
 ;;; Bind format output.
 
 ;;;--------------------------------------------------------------------------
 ;;; Bind format output.
 

+(defvar *bind-last-record-name* nil
+  "The previously emitted record name.
+
+   Used for eliding record names on output.")
+

 (export 'bind-hostname)
 (defun bind-hostname (hostname)
 (export 'bind-hostname)
 (defun bind-hostname (hostname)

-  (if (not hostname)
-      "@"
-      (let* ((h (string-downcase (stringify hostname)))
-            (hl (length h))
-            (r (string-downcase (zone-name *writing-zone*)))
-            (rl (length r)))
-       (cond ((string= r h) "@")
-             ((and (> hl rl)
-                   (char= (char h (- hl rl 1)) #\.)
-                   (string= h r :start1 (- hl rl)))
-              (subseq h 0 (- hl rl 1)))
-             (t (concatenate 'string h "."))))))
-
-(defmethod zone-write ((format (eql :bind)) zone stream)
-  (format stream "~
+  (let ((zone (domain-name-labels (zone-name *writing-zone*)))
+       (name (domain-name-labels hostname)))
+    (loop
+      (unless (and zone name (string= (car zone) (car name)))
+       (return))
+      (pop zone) (pop name))
+    (flet ((stitch (labels absolutep)
+            (format nil "~{~A~^.~}~@[.~]"
+                    (reverse (mapcar #'quotify-label labels))
+                    absolutep)))
+      (cond (zone (stitch (domain-name-labels hostname) t))
+           (name (stitch name nil))
+           (t "@")))))
+
+(export 'bind-output-hostname)
+(defun bind-output-hostname (hostname)
+  (let ((name (bind-hostname hostname)))
+    (cond ((and *bind-last-record-name*
+               (string= name *bind-last-record-name*))
+          "")
+         (t
+          (setf *bind-last-record-name* name)
+          name))))
+
+(defmethod zone-write :around ((format (eql :bind)) zone stream)
+  (declare (ignorable zone stream))
+  (let ((*bind-last-record-name* nil))
+    (call-next-method)))
+
+(defmethod zone-write-header ((format (eql :bind)) zone)
+  (format *zone-output-stream* "~

 ;;; Zone file `~(~A~)'
 ;;;   (generated ~A)
 
 ;;; Zone file `~(~A~)'
 ;;;   (generated ~A)
 


@@ -967,64 +1454,168 @@ $TTL ~2@*~D~2%"
                  (when at
                    (setf (char copy at) #\.))
                  copy)))
                  (when at
                    (setf (char copy at) #\.))
                  copy)))

-      (format stream "~
-~A~30TIN SOA~40T~A ~A (
+      (format *zone-output-stream* "~
+~A~30TIN SOA~40T~A (
+~55@A~60T ;administrator

 ~45T~10D~60T ;serial
 ~45T~10D~60T ;refresh
 ~45T~10D~60T ;retry
 ~45T~10D~60T ;expire
 ~45T~10D )~60T ;min-ttl~2%"
 ~45T~10D~60T ;serial
 ~45T~10D~60T ;refresh
 ~45T~10D~60T ;retry
 ~45T~10D~60T ;expire
 ~45T~10D )~60T ;min-ttl~2%"

-             (bind-hostname (zone-name zone))
+             (bind-output-hostname (zone-name zone))

              (bind-hostname (soa-source soa))
              admin
              (soa-serial soa)
              (soa-refresh soa)
              (soa-retry soa)
              (soa-expire soa)
              (bind-hostname (soa-source soa))
              admin
              (soa-serial soa)
              (soa-refresh soa)
              (soa-retry soa)
              (soa-expire soa)

-             (soa-min-ttl soa)))
-  (dolist (zr (zone-records zone))
-    (bind-record (zr-type zr) zr)))
-
-(export 'bind-record)
-(defgeneric bind-record (type zr))
+             (soa-min-ttl soa))))

 
 (export 'bind-format-record)
 
 (export 'bind-format-record)

-(defun bind-format-record (name ttl type format args)
+(defun bind-format-record (zr format &rest args)

   (format *zone-output-stream*
   (format *zone-output-stream*

-         "~A~20T~@[~8D~]~30TIN ~A~40T~?~%"
-         (bind-hostname name)
-         (and (/= ttl (zone-default-ttl *writing-zone*))
-              ttl)
-         (string-upcase (symbol-name type))
+         "~A~20T~@[~8D~]~30TIN ~A~40T~?"
+         (bind-output-hostname (zr-name zr))
+         (let ((ttl (zr-ttl zr)))
+           (and (/= ttl (zone-default-ttl *writing-zone*))
+                ttl))
+         (string-upcase (symbol-name (zr-type zr)))

          format args))
 
          format args))
 

-(defmethod bind-record (type zr)
-  (destructuring-bind (format &rest args)
-      (bind-record-format-args type (zr-data zr))
-    (bind-format-record (zr-name zr)
-                       (zr-ttl zr)
-                       (bind-record-type type)
-                       format args)))
-
-(export 'bind-record-type)
-(defgeneric bind-record-type (type)
-  (:method (type) type))
-
-(export 'bind-record-format-args)
-(defgeneric bind-record-format-args (type data)
-  (:method ((type (eql :a)) data) (list "~A" (ipaddr-string data)))
-  (:method ((type (eql :ptr)) data) (list "~A" (bind-hostname data)))
-  (:method ((type (eql :cname)) data) (list "~A" (bind-hostname data)))
-  (:method ((type (eql :ns)) data) (list "~A" (bind-hostname data)))
-  (:method ((type (eql :mx)) data)
-    (list "~2D ~A" (cdr data) (bind-hostname (car data))))
-  (:method ((type (eql :srv)) data)
-    (destructuring-bind (prio weight port host) data
-      (list "~2D ~5D ~5D ~A" prio weight port (bind-hostname host))))
-  (:method ((type (eql :sshfp)) data)
-    (cons "~2D ~2D ~A" data))
-  (:method ((type (eql :txt)) data)
-    (cons "~#[\"\"~;~S~:;(~@{~%~8T~S~} )~]"
-         (mapcar #'stringify (listify data)))))
+(export 'bind-write-hex)
+(defun bind-write-hex (vector remain)
+  "Output the VECTOR as hex, in Bind format.
+
+   If the length (in bytes) is less than REMAIN then it's placed on the
+   current line; otherwise the Bind line-continuation syntax is used."
+  (flet ((output-octet (octet)
+          (format *zone-output-stream* "~(~2,'0X~)" octet)))
+    (let ((len (length vector)))
+      (cond ((< len remain)
+            (dotimes (i len) (output-octet (aref vector i)))
+            (terpri *zone-output-stream*))
+           (t
+            (format *zone-output-stream* "(")
+            (let ((i 0))
+            (loop
+              (when (>= i len) (return))
+              (let ((limit (min len (+ i 64))))
+                (format *zone-output-stream* "~%~8T")
+                (loop
+                  (when (>= i limit) (return))
+                  (output-octet (aref vector i))
+                  (incf i)))))
+            (format *zone-output-stream* " )~%"))))))
+
+(defmethod zone-write-raw-rrdata ((format (eql :bind)) zr type data)
+  (format *zone-output-stream*
+         "~A~20T~@[~8D~]~30TIN TYPE~A~40T\\# ~A "
+         (bind-output-hostname (zr-name zr))
+         (let ((ttl (zr-ttl zr)))
+           (and (/= ttl (zone-default-ttl *writing-zone*))
+                ttl))
+         type
+         (length data))
+  (bind-write-hex data 12))
+
+(defmethod zone-write-record ((format (eql :bind)) (type (eql :a)) zr)
+  (bind-format-record zr "~A~%" (ipaddr-string (zr-data zr))))
+
+(defmethod zone-write-record ((format (eql :bind)) (type (eql :aaaa)) zr)
+  (bind-format-record zr "~A~%" (ipaddr-string (zr-data zr))))
+
+(defmethod zone-write-record ((format (eql :bind)) (type (eql :ptr)) zr)
+  (bind-format-record zr "~A~%" (bind-hostname (zr-data zr))))
+
+(defmethod zone-write-record ((format (eql :bind)) (type (eql :cname)) zr)
+  (bind-format-record zr "~A~%" (bind-hostname (zr-data zr))))
+
+(defmethod zone-write-record ((format (eql :bind)) (type (eql :ns)) zr)
+  (bind-format-record zr "~A~%" (bind-hostname (zr-data zr))))
+
+(defmethod zone-write-record ((format (eql :bind)) (type (eql :mx)) zr)
+  (bind-format-record zr "~2D ~A~%"
+                     (cdr (zr-data zr))
+                     (bind-hostname (car (zr-data zr)))))
+
+(defmethod zone-write-record ((format (eql :bind)) (type (eql :srv)) zr)
+  (destructuring-bind (prio weight port host) (zr-data zr)
+    (bind-format-record zr "~2D ~5D ~5D ~A~%"
+                       prio weight port (bind-hostname host))))
+
+(defmethod zone-write-record ((format (eql :bind)) (type (eql :sshfp)) zr)
+  (bind-format-record zr "~{~2D ~2D ~A~}~%" (zr-data zr)))
+
+(defmethod zone-write-record ((format (eql :bind)) (type (eql :tlsa)) zr)
+  (destructuring-bind (usage selector match data) (zr-data zr)
+    (bind-format-record zr "~2D ~2D ~2D " usage selector match)
+    (bind-write-hex data 12)))
+
+(defmethod zone-write-record ((format (eql :bind)) (type (eql :txt)) zr)
+  (bind-format-record zr "~{~#[\"\"~;~S~:;(~@{~%~8T~S~} )~]~}~%"
+                     (zr-data zr)))
+
+;;;--------------------------------------------------------------------------
+;;; tinydns-data output format.
+
+(export 'tinydns-output)
+(defun tinydns-output (code &rest fields)
+  (format *zone-output-stream* "~C~{~@[~A~]~^:~}~%" code fields))
+
+(defmethod zone-write-raw-rrdata ((format (eql :tinydns)) zr type data)
+  (tinydns-output #\: (zr-name zr) type
+                 (with-output-to-string (out)
+                   (dotimes (i (length data))
+                     (let ((byte (aref data i)))
+                       (if (or (<= byte 32)
+                               (>= byte 127)
+                               (member byte '(#\: #\\) :key #'char-code))
+                           (format out "\\~3,'0O" byte)
+                           (write-char (code-char byte) out)))))
+                 (zr-ttl zr)))
+
+(defmethod zone-write-record ((format (eql :tinydns)) (type (eql :a)) zr)
+  (tinydns-output #\+ (zr-name zr)
+                 (ipaddr-string (zr-data zr)) (zr-ttl zr)))
+
+(defmethod zone-write-record ((format (eql :tinydns)) (type (eql :aaaa)) zr)
+  (tinydns-output #\3 (zr-name zr)
+                 (format nil "~(~32,'0X~)" (ipaddr-addr (zr-data zr)))
+                 (zr-ttl zr)))
+
+(defmethod zone-write-record ((format (eql :tinydns)) (type (eql :ptr)) zr)
+  (tinydns-output #\^ (zr-name zr) (zr-data zr) (zr-ttl zr)))
+
+(defmethod zone-write-record ((format (eql :tinydns)) (type (eql :cname)) zr)
+  (tinydns-output #\C (zr-name zr) (zr-data zr) (zr-ttl zr)))
+
+(defmethod zone-write-record ((format (eql :tinydns)) (type (eql :ns)) zr)
+  (tinydns-output #\& (zr-name zr) nil (zr-data zr) (zr-ttl zr)))
+
+(defmethod zone-write-record ((format (eql :tinydns)) (type (eql :mx)) zr)
+  (let ((name (car (zr-data zr)))
+       (prio (cdr (zr-data zr))))
+    (tinydns-output #\@ (zr-name zr) nil name prio (zr-ttl zr))))
+
+(defmethod zone-write-header ((format (eql :tinydns)) zone)
+  (format *zone-output-stream* "~
+### Zone file `~(~A~)'
+###   (generated ~A)
+~%"
+         (zone-name zone)
+         (iso-date :now :datep t :timep t))
+  (let ((soa (zone-soa zone)))
+    (tinydns-output #\Z
+                   (zone-name zone)
+                   (soa-source soa)
+                   (let* ((name (copy-seq (soa-admin soa)))
+                          (at (position #\@ name)))
+                     (when at (setf (char name at) #\.))
+                     name)
+                   (soa-serial soa)
+                   (soa-refresh soa)
+                   (soa-expire soa)
+                   (soa-min-ttl soa)
+                   (zone-default-ttl zone))))

 
 ;;;----- That's all, folks --------------------------------------------------
 
 ;;;----- That's all, folks --------------------------------------------------