[Pkg-freeipa-devel] [Git][freeipa-team/bind-dyndb-ldap][master] 52 commits: bind-9.16: Lowercase DNS_SSUMATCHTYPE_* -> dns_ssumatchtype_*

Timo Aaltonen gitlab at salsa.debian.org
Fri Sep 18 10:02:39 BST 2020



Timo Aaltonen pushed to branch master at FreeIPA packaging / bind-dyndb-ldap


Commits:
491eb9fe by Thomas Woerner at 2020-09-02T11:28:22+03:00
bind-9.16: Lowercase DNS_SSUMATCHTYPE_* -> dns_ssumatchtype_*

The extra defines for uppercase DNS_SSUMATCHTYPE_* have been removed.
Only the dns_ssumatchtype_t enum is there now.

- - - - -
73f730de by Thomas Woerner at 2020-09-02T11:28:23+03:00
bind-9.16: cfg_parse_buffer changes

cfg_parse_buffer2 has been renamed to cfg_parse_buffer and
cfg_parse_buffer has two addtional parameters.

- - - - -
78cc8c62 by Thomas Woerner at 2020-09-02T11:28:29+03:00
bind-9.16: isc_buffer_allocate is now void

isc_buffer_allocate is not returning a results anymore. according to
bind9: a038f77d92a857bc11750683c9317d70da6fcfdf isc_buffer_allocate is
void and can not fail anymore.

- - - - -
96053a69 by Thomas Woerner at 2020-09-02T11:28:30+03:00
bind-9.16: Replace removed isc_string_ functions

The functions isc_string_copy, isc_string_printf, isc_string_append and
isc_string_printf_truncate have been removed in bind. The have been
replaced by normal c functions.

- - - - -
32ffcc3a by Thomas Woerner at 2020-09-02T11:28:31+03:00
bind-9.16: isc_mutex_ fuctions are void and failures are fatal

The isc_mutex_ functions are now void and the failures are fatal.
RUNTIME_CHECK and CHECK are not used any more. There is no code right
now to handle the failures gracefully in bind-dyndb-ldap.

- - - - -
e672e7a5 by Thomas Woerner at 2020-09-02T11:28:32+03:00
bind-9.16: Use reworked isc_refcount_ functions

isc_refcount_increment and isc_refcount_decrement now are returning the
second parameter. isc_refcount_increment0 has been removed,
isc_refcount_increment is used now in this case.

- - - - -
83a2005f by Thomas Woerner at 2020-09-02T11:28:33+03:00
bind-9.16: isc_thread_ functions are void and failures are fatal

isc_thread_create and isc_thread_join are now void and failures are fatal..
There is no code right now to handle the failures gracefully in
bind-dyndb-ldap.

- - - - -
3381e798 by Thomas Woerner at 2020-09-02T11:28:33+03:00
bind-9.16: Remove isc_ondestroy_init

The whole ondestroy callback mechanism has been unused and removed from
bind.

- - - - -
8ac3cd90 by Thomas Woerner at 2020-09-02T11:28:34+03:00
bind-9.16: Handle dns_db_rpz_ deprecations

dns_db_rpz_attach has been deprecated. It has been replaced by alternative
code. dns_db_rpz_ready has been depreacted, it has been commented out.

- - - - -
3284b986 by Thomas Woerner at 2020-09-02T11:28:35+03:00
bind-9.16: STATIC_ASSERT is now provided by isc/util.h

STATIC_ASSERT is now provided by isc/util.h, therefore the defines in
src/util.h have been removed.

- - - - -
3f46a0c2 by Thomas Woerner at 2020-09-02T11:28:36+03:00
bind-9.16: Use const for dns_name_t root name

dns_name_t root name needs to be const now.

- - - - -
ace129ea by Thomas Woerner at 2020-09-02T11:28:37+03:00
bind-9.16: dns_view_flushcache has an additional parameter

Because of the libdns refactoring there is only one version of
dns_view_flushcache now. Therefore there is the additional parameter
fixuponly now.

- - - - -
25297cdd by Thomas Woerner at 2020-09-02T11:28:38+03:00
bind-9.16: dns_rbtnodechain_init has only one parameter

dns_rbtnodechain_init has been simplified by removing the unnecessary
'mctx' parameter.

- - - - -
f8404593 by Thomas Woerner at 2020-09-02T11:28:39+03:00
bind-9.16: isc_refcount_t is now atomic_uint_fast32_t only

isc_refcount_t is now using the fixed type atomic_uint_fast32_t. It is not
a struct anymore.

- - - - -
eb114487 by Thomas Woerner at 2020-09-02T11:28:39+03:00
bind-9.16: dns_zone_setdbtype is now void

dns_zone_setdbtype is now void as it could no longer return anything.
Calls to it no longer check for a result.

- - - - -
d3553b7a by Thomas Woerner at 2020-09-02T11:28:40+03:00
bind-9.16: Use dns_zone_getserial instead of dns_zone_getserial2

Because of the libdns refactoring there is only one version of
dns_zone_getserial now.

- - - - -
05450e6f by Thomas Woerner at 2020-09-02T11:28:41+03:00
bind-9.16: Use dns_byaddr_createptrname instead of dns_byaddr_createptrname2

Because of the libdns refactoring there is only one version of
dns_byaddr_createptrname.

- - - - -
764f8890 by Thomas Woerner at 2020-09-02T11:28:42+03:00
bind-9.16: cfg_print_grammar has additional parameter

bind9 changelog: update docbook grammar, removing dnssec-looksaide

- - - - -
9cccfbf9 by Thomas Woerner at 2020-09-02T11:28:43+03:00
bind-9.16: dns_fwdtable_find has additional parameter

dns_fwdtable_find has the additional parameter foundname now.

- - - - -
22fdfa9d by Thomas Woerner at 2020-09-02T11:28:44+03:00
bins-9.16: dns_zone_setfile has additional parameters

Because of the libdns refactoring there is only one version of
dns_zone_setfile with addtional parameters format and style.

dns_masterformat_text and dns_master_style_default are used as the
default.

- - - - -
44e645d3 by Thomas Woerner at 2020-09-02T11:28:45+03:00
bind-9.16: dns_zone_load has additional parameter

rndc reconfig should not touch already loaded zones, some refactoring of dns
_{zone,view,zt}_{async,}load happened in bind9.

- - - - -
962179e6 by Thomas Woerner at 2020-09-02T11:28:46+03:00
bind-9.16: findzonecut and dns_db_findzonecut has additional parameter

bind9 commit:
QNAME miminimization should create a separate fetch context for each fetch -
this makes the cache more efficient and eliminates duplicates queries.

- - - - -
28754ac0 by Thomas Woerner at 2020-09-02T11:28:47+03:00
bind-9.16: dns_dbmethods_t has three more entries

setservestalettl and getservestalettl has been added to be able to allow
named to provide stale cached answers when the authoritative server is
under attack.

setgluecachestats has been added to add statistics for glue cache usage.

- - - - -
1c695e29 by Thomas Woerner at 2020-09-02T11:28:48+03:00
isc-bind 9.16: Temporary define HAVE_TLS and HAVE_THREAD_LOCAL

As the isc-bind is not containing the config.h file, HAVE_TLS and
HAVE_THREAD_LOCAL are not defined, but they are needed to be able to
include isc/thread.h.

- - - - -
15e363f1 by Thomas Woerner at 2020-09-02T11:28:49+03:00
bind-9.16: Use dns_name_copynf(...) for RUNTIME_CHECK(dns_name_copy(..., NULL))

This is bind9 upstream change c2dad0dcb2523a7711380e4409144745231b5282

Replace RUNTIME_CHECK(dns_name_copy(..., NULL)) with dns_name_copynf()

Use the semantic patch from the previous commit to replace all the calls to
dns_name_copy() with NULL as third argument with dns_name_copynf().

- - - - -
719e3189 by Stanislav Levin at 2020-09-02T11:29:07+03:00
bind-9.11.6: Remove compat defines

`update-policy` matchtype is no longer defined as preprocessor
directive, but enum type.

https://gitlab.isc.org/isc-projects/bind9/-/commit/995c41e8f04aa14299c72af684a2e58507f4c55b

- - - - -
19eb13fe by Stanislav Levin at 2020-09-02T11:29:08+03:00
bind-9.16: Follow project's cleanup rule

RUNTIME_CHECK aborts the execution of named while CHECK jumps to
cleanup label with the result code.

- - - - -
70c37462 by Stanislav Levin at 2020-09-02T11:29:28+03:00
bind-9.16: isc_condition_destroy is still neither void nor fatal

https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16/lib/isc/pthreads/include/isc/condition.h#L54

- - - - -
54209627 by Stanislav Levin at 2020-09-02T11:29:30+03:00
bind-9.16: Correct reference counting

With [0] BIND atomic functions for reference counting have the
identical interface as their C11 counter parts. This means that
these functions return the _previous_ refcount instead of the
current one.

[0]: https://gitlab.isc.org/isc-projects/bind9/-/commit/bef8ac5bae0f95dbff76ec99a7994024a5d6c64e

- - - - -
3fe682fb by Stanislav Levin at 2020-09-02T11:29:32+03:00
bind-9.16: Clean up isc_ondestroy_init

- - - - -
f056cbb4 by Stanislav Levin at 2020-09-02T11:29:33+03:00
bind-9.16: Fix assertions on isc_refcount_init

Since [0] isc_refcount_init doesn't return isc_result_t and
fallbacks to C11 atomic_init.

[0]: https://gitlab.isc.org/isc-projects/bind9/-/commit/0a7535ac81b2305b320794a8bad45c03c186021e

- - - - -
9dbab462 by Stanislav Levin at 2020-09-02T11:29:34+03:00
bind-9.16: Refactor dns_fixedname_name

Use dns_fixedname_initname() where possible.

This is the backport of
https://gitlab.isc.org/isc-projects/bind9/-/commit/4df4a8e73149dd4df1b9aad44db3c33e1c4f1880

- - - - -
29d0c722 by Stanislav Levin at 2020-09-02T11:29:36+03:00
bind-9.16: Refactor detach dyndb

This is the backport of
https://gitlab.isc.org/isc-projects/bind9/-/commit/0f24c55d38efe99fe72980f6e443ba60c2b4edc6

- - - - -
7aa8eeaf by Stanislav Levin at 2020-09-02T11:29:39+03:00
bind-9.16: Don't re-initialize hash in BIND-only mode

That has been done by named server.

This is the backport of
https://gitlab.isc.org/isc-projects/bind9/-/commit/2e7d82443fa415398f37e145325cca26d501a942

- - - - -
ee1d0f50 by Stanislav Levin at 2020-09-02T11:29:42+03:00
bind-9.16: isc_mem_get cannot fail gracefully now

Since [0] malloc is handled directly in default_memalloc and
it aborts on NULL pointer result. Further check is no longer
needed. Thus, isc_mem_get based macro can be safely removed [1].

[0]: https://gitlab.isc.org/isc-projects/bind9/-/commit/8de2451756
[1]: https://gitlab.isc.org/isc-projects/bind9/-/commit/f63e696967
     https://gitlab.isc.org/isc-projects/bind9/-/commit/ae83801e2b

- - - - -
64066396 by Stanislav Levin at 2020-09-02T11:29:43+03:00
bind-9.16: isc_mem_allocate cannot fail gracefully now

Since [0] malloc is handled directly in default_memalloc and
it aborts on NULL pointer result. Further check is no longer
needed. Thus, isc_mem_allocate based macro can be safely removed [1].

[0]: https://gitlab.isc.org/isc-projects/bind9/-/commit/8de2451756
[1]: https://gitlab.isc.org/isc-projects/bind9/-/commit/3c1d4298af
     https://gitlab.isc.org/isc-projects/bind9/-/commit/601cb4e4cc

- - - - -
5fb71812 by Stanislav Levin at 2020-09-02T11:29:45+03:00
bind-9.16: isc_mem_strdup cannot fail gracefully now

Since [0] malloc is handled directly in default_memalloc and
it aborts on NULL pointer result. Further check is no longer
needed. Thus, isc_mem_strdup based macro can be safely removed [1].

[0]: https://gitlab.isc.org/isc-projects/bind9/-/commit/8de2451756
[1]: https://gitlab.isc.org/isc-projects/bind9/-/commit/49f244406c
     https://gitlab.isc.org/isc-projects/bind9/-/commit/9bdc24a9fd

- - - - -
8e53c80b by Stanislav Levin at 2020-09-02T11:29:46+03:00
bind-9.16: Clean up outdated static assertions

_Static_assert is a compile time assertion which is the part of
ISO C11 and is implemented in GCC since 4.6.

So, macros taken from [0] is no longer needed.

[0]: https://www.pixelbeat.org/programming/gcc/static_assert.html

- - - - -
91180218 by Stanislav Levin at 2020-09-02T11:30:20+03:00
bind-9.16: isc_event_allocate cannot fail gracefully now

isc_event_allocate internally uses isc_mem_get which cannot
return NULL. So NULL-check is redundant.

sync_barrierev_create and sync_finishev_create are always
successful(except fatals which abort).

https://gitlab.isc.org/isc-projects/bind9/-/commit/50e109d659

- - - - -
2bc70d6a by Petr Menšík at 2020-09-02T11:30:23+03:00
Attempt to support both BIND 9.11 and 9.16

Use LIBDNS_VERSION_MAJOR compatibility macro to provide
few workarounds to compile even with 9.11. Try to minimize
changes of public API, but not everywhere it was possible.

ldapdb_associate should be moved back to header, but it would require
header modified on configure time.

- - - - -
6eaf1f78 by Petr Menšík at 2020-09-02T11:30:25+03:00
Return back resetting of detached pointer

- - - - -
c2c13742 by Petr Menšík at 2020-09-02T11:30:26+03:00
Change REQUIRE to match ISC code style

REQUIRE should follow variables definitions.

- - - - -
43f0d27d by Petr Menšík at 2020-09-02T11:30:27+03:00
Remove locked variable when it has no alternatives

No conditions allow different value when checked. Remove unnecessary
variables.

- - - - -
31ad57de by Petr Menšík at 2020-09-02T11:30:28+03:00
Sync db interface with BIND 9.16.6

Add new method of db.h into ldap_driver. Just forward it to rbtdb
implementation detail.

- - - - -
79474061 by Alexander Bokovoy at 2020-09-02T11:47:51+03:00
spec: add gcc explicitly to build requirements

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
13409382 by Alexander Bokovoy at 2020-09-02T14:30:19+03:00
spec: support building against bind 9.16

Signed-off-by: Petr Menšík <pemensik at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
67b2558a by Alexander Bokovoy at 2020-09-14T16:22:13+03:00
Fix memory limits in docker-compose to use strings, not numbers

docker-compose with commit https://github.com/docker/compose/commit/2b4d409ac3da2096c43284e262f2b0c1b66c488b
started to require memory limits to be specified as strings.

Related: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a7af6b56 by Alexander Bokovoy at 2020-09-14T18:14:20+03:00
Update version to 11.4

Includes experimental support to build against both bind 9.11 and 9.16.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7c36fc1f by Timo Aaltonen at 2020-09-18T11:57:26+03:00
Merge branch 'upstream'

- - - - -
740ed21a by Timo Aaltonen at 2020-09-18T11:59:16+03:00
bump the version

- - - - -
182fb637 by Timo Aaltonen at 2020-09-18T12:00:06+03:00
bind-9.16-support.diff: Dropped, upstream.

- - - - -
d1038db8 by Timo Aaltonen at 2020-09-18T12:01:15+03:00
releasing package bind-dyndb-ldap version 11.4-1

- - - - -


29 changed files:

- configure.ac
- contrib/bind-dyndb-ldap.spec
- debian/changelog
- − debian/patches/bind-9.16-support.diff
- debian/patches/series
- src/acl.c
- src/bindcfg.c
- src/empty_zones.c
- src/empty_zones.h
- src/fs.c
- src/fwd.c
- src/fwd.h
- src/fwd_register.c
- src/ldap_convert.c
- src/ldap_driver.c
- src/ldap_driver.h
- src/ldap_entry.c
- src/ldap_helper.c
- src/metadb.c
- src/mldap.c
- src/rbt_helper.c
- src/semaphore.c
- src/settings.c
- src/syncptr.c
- src/syncrepl.c
- src/util.h
- src/zone_register.c
- src/zone_register.h
- tests/azure/Dockerfiles/docker-compose.yml


Changes:

=====================================
configure.ac
=====================================
@@ -1,5 +1,5 @@
 AC_PREREQ([2.59])
-AC_INIT([bind-dyndb-ldap], [11.3], [freeipa-devel at redhat.com])
+AC_INIT([bind-dyndb-ldap], [11.4], [freeipa-devel at redhat.com])
 
 AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2])
 


=====================================
contrib/bind-dyndb-ldap.spec
=====================================
@@ -3,7 +3,7 @@
 %define bind_version 32:9.11.17-1
 
 Name:           bind-dyndb-ldap
-Version:        11.3
+Version:        11.4
 Release:        0%{?dist}
 Summary:        LDAP back-end plug-in for BIND
 
@@ -18,7 +18,7 @@ BuildRequires:  bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version
 BuildRequires:  krb5-devel
 BuildRequires:  openldap-devel
 BuildRequires:  libuuid-devel
-BuildRequires:  automake, autoconf, libtool
+BuildRequires:  automake, autoconf, libtool, gcc
 
 Requires:       bind >= %{bind_version}
 
@@ -33,13 +33,13 @@ off of your LDAP server.
 
 %build
 autoreconf -fiv
+[ -z "`type -p isc-config.sh`" ] && export BIND9_CFLAGS='-I/usr/include/bind9'
 %configure
-make %{?_smp_mflags}
+%make_build
 
 
 %install
-rm -rf %{buildroot}
-make install DESTDIR=%{buildroot}
+%make_install
 mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap
 
 # Remove unwanted files
@@ -116,6 +116,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Mon Sep 14 2020 Alexander Bokovoy <abokovoy at redhat.com>
+- Merge unified support for both bind 9.11 and 91.6
+
 * Fri Jun 05 2020 Alexander Bokovoy <abokovoy at redhat.com>
 - Bump BIND version to 9.11.17
 


=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+bind-dyndb-ldap (11.4-1) unstable; urgency=medium
+
+  * New upstream release.
+  * bind-9.16-support.diff: Dropped, upstream.
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Fri, 18 Sep 2020 12:01:09 +0300
+
 bind-dyndb-ldap (11.3-2) unstable; urgency=medium
 
   * bind-9.16-support.diff: Attempt to fix build on 32bit.


=====================================
debian/patches/bind-9.16-support.diff deleted
=====================================
@@ -1,2097 +0,0 @@
---- a/src/acl.c
-+++ b/src/acl.c
-@@ -105,40 +105,25 @@ get_match_type(const cfg_obj_t *obj, uns
- 	}
- 	str = cfg_obj_asstring(obj);
- 
--	MATCH("name", DNS_SSUMATCHTYPE_NAME);
--	MATCH("subdomain", DNS_SSUMATCHTYPE_SUBDOMAIN);
--	MATCH("zonesub", DNS_SSUMATCHTYPE_SUBDOMAIN);
--	MATCH("wildcard", DNS_SSUMATCHTYPE_WILDCARD);
--	MATCH("self", DNS_SSUMATCHTYPE_SELF);
--#if defined(DNS_SSUMATCHTYPE_SELFSUB) && defined(DNS_SSUMATCHTYPE_SELFWILD)
--	MATCH("selfsub", DNS_SSUMATCHTYPE_SELFSUB);
--	MATCH("selfwild", DNS_SSUMATCHTYPE_SELFWILD);
--#endif
--#ifdef DNS_SSUMATCHTYPE_SELFMS
--	MATCH("ms-self", DNS_SSUMATCHTYPE_SELFMS);
--#endif
--#ifdef DNS_SSUMATCHTYPE_SELFKRB5
--	MATCH("krb5-self", DNS_SSUMATCHTYPE_SELFKRB5);
--#endif
--
-+	MATCH("name", dns_ssumatchtype_name);
-+	MATCH("subdomain", dns_ssumatchtype_subdomain);
-+	MATCH("zonesub", dns_ssumatchtype_subdomain);
-+	MATCH("wildcard", dns_ssumatchtype_wildcard);
-+	MATCH("self", dns_ssumatchtype_self);
-+	MATCH("selfsub", dns_ssumatchtype_selfsub);
-+	MATCH("selfwild", dns_ssumatchtype_selfwild);
-+	MATCH("ms-self", dns_ssumatchtype_selfms);
-+	MATCH("krb5-self", dns_ssumatchtype_selfkrb5);
- 	/* At least bind 9.11.5 or 9.12.3 is required for it
- 	 * as these match types are part of CVE-2018-5741 fixes */
- 	MATCH("ms-selfsub", dns_ssumatchtype_selfsubms);
- 	MATCH("krb5-selfsub", dns_ssumatchtype_selfsubkrb5);
- 
--#ifdef DNS_SSUMATCHTYPE_SUBDOMAINMS
--	MATCH("ms-subdomain", DNS_SSUMATCHTYPE_SUBDOMAINMS);
--#endif
--#ifdef DNS_SSUMATCHTYPE_SUBDOMAINKRB5
--	MATCH("krb5-subdomain", DNS_SSUMATCHTYPE_SUBDOMAINKRB5);
--#endif
--#if defined(DNS_SSUMATCHTYPE_TCPSELF) && defined(DNS_SSUMATCHTYPE_6TO4SELF)
--	MATCH("tcp-self", DNS_SSUMATCHTYPE_TCPSELF);
--	MATCH("6to4-self", DNS_SSUMATCHTYPE_6TO4SELF);
--#endif
--#if defined(DNS_SSUMATCHTYPE_EXTERNAL)
--	MATCH("external", DNS_SSUMATCHTYPE_EXTERNAL);
--#endif
-+	MATCH("ms-subdomain", dns_ssumatchtype_subdomainms);
-+	MATCH("krb5-subdomain", dns_ssumatchtype_subdomainkrb5);
-+	MATCH("tcp-self", dns_ssumatchtype_tcpself);
-+	MATCH("6to4-self", dns_ssumatchtype_6to4self);
-+	MATCH("external", dns_ssumatchtype_external);
- 
- 	log_bug("unsupported match type '%s'", str);
- 	return ISC_R_NOTIMPLEMENTED;
-@@ -178,9 +163,7 @@ get_fixed_name(const cfg_obj_t *obj, con
- 	else
- 		isc_buffer_add(&buf, len);
- 
--	dns_fixedname_init(fname);
--
--	result = dns_name_fromtext(dns_fixedname_name(fname), &buf,
-+	result = dns_name_fromtext(dns_fixedname_initname(fname), &buf,
- 				   dns_rootname, false, NULL);
- 	if (result != ISC_R_SUCCESS)
- 		log_error("'%s' is not a valid name", str);
-@@ -217,9 +200,9 @@ get_types(isc_mem_t *mctx, const cfg_obj
- 	obj = cfg_tuple_get(obj, "types");
- 
- 	n = count_list_elements(obj);
--	if (n > 0)
--		CHECKED_MEM_GET(mctx, types, n * sizeof(dns_rdatatype_t));
--
-+	if (n > 0) {
-+		types = isc_mem_get(mctx, n * sizeof(dns_rdatatype_t));
-+	}
- 	i = 0;
- 	for (el = cfg_list_first(obj); el != NULL; el = cfg_list_next(el)) {
- 		const cfg_obj_t *typeobj;
-@@ -319,10 +302,9 @@ acl_configure_zone_ssutable(const char *
- 		/* Use zone name for 'zonesub' match type */
- 		result = get_fixed_name(stmt, "name", &fname);
- 		if (result == ISC_R_NOTFOUND &&
--		    match_type == DNS_SSUMATCHTYPE_SUBDOMAIN) {
--			dns_fixedname_init(&fname);
-+		    match_type == dns_ssumatchtype_subdomain) {
- 			CHECK(dns_name_copy(dns_zone_getorigin(zone),
--					    dns_fixedname_name(&fname),
-+					    dns_fixedname_initname(&fname),
- 					    &fname.buffer));
- 		}
- 		else if (result != ISC_R_SUCCESS)
-@@ -330,7 +312,7 @@ acl_configure_zone_ssutable(const char *
- 
- 		CHECK(get_types(mctx, stmt, &types, &n));
- 
--		if (match_type == DNS_SSUMATCHTYPE_WILDCARD &&
-+		if (match_type == dns_ssumatchtype_wildcard &&
- 		    !dns_name_iswildcard(dns_fixedname_name(&fname))) {
- 			char name[DNS_NAME_FORMATSIZE];
- 			dns_name_format(dns_fixedname_name(&fname), name,
---- a/src/bindcfg.c
-+++ b/src/bindcfg.c
-@@ -108,7 +108,7 @@ cfg_parse_strbuf(cfg_parser_t *parser, c
- 	isc_buffer_init(&buffer, (char *)string, string_len);
- 	isc_buffer_add(&buffer, string_len);
- 
--	result = cfg_parse_buffer(parser, &buffer, *type, &ret);
-+	result = cfg_parse_buffer(parser, &buffer, NULL, 0, *type, 0, &ret);
- 
- 	if (result == ISC_R_SUCCESS)
- 		*objp = ret;
---- a/src/fwd.c
-+++ b/src/fwd.c
-@@ -49,7 +49,6 @@ buffer_append_str(void *closure, const c
- 	isc_buffer_region(out_buf, &old_space);
- 	new_space.length = isc_buffer_length(out_buf) + textlen + 1;
- 	new_space.base = isc_mem_get(out_buf->mctx, new_space.length);
--	RUNTIME_CHECK(new_space.base != NULL);
- 	isc_buffer_reinit(out_buf, new_space.base, new_space.length);
- 	if (old_space.base != NULL)
- 		isc_mem_put(out_buf->mctx, old_space.base, old_space.length);
-@@ -86,7 +85,6 @@ fwd_list_len(dns_forwarders_t *fwdrs) {
- static isc_result_t
- fwd_list_gen_dummy_config_string(isc_mem_t *mctx, size_t list_len,
- 				 isc_buffer_t **dummy_string) {
--	isc_result_t result;
- 	const char prefix[] = "{ ";
- 	const char suffix[] = "} // dummy string, please ignore";
- 	const char fill[] = "127.0.0.1; ";
-@@ -98,7 +96,9 @@ fwd_list_gen_dummy_config_string(isc_mem
- 
- 	REQUIRE(dummy_string != NULL && *dummy_string == NULL);
- 
--	CHECK(isc_buffer_allocate(mctx, &output, target_size));
-+	/* No CHECK here as isc_buffer_allocate is void and can not fail.
-+	 *  See bind9: a038f77d92a857bc11750683c9317d70da6fcfdf */
-+	isc_buffer_allocate(mctx, &output, target_size);
- 	isc_buffer_putstr(output, prefix);
- 	for (size_t i = 0; i < list_len; i++)
- 		isc_buffer_putstr(output, fill);
-@@ -106,11 +106,7 @@ fwd_list_gen_dummy_config_string(isc_mem
- 	isc_buffer_putuint8(output, '\0');
- 	*dummy_string = output;
- 
--cleanup:
--	if (result != ISC_R_SUCCESS && output != NULL)
--		isc_buffer_free(&output);
--
--	return result;
-+	return ISC_R_SUCCESS;
- }
- 
- /**
-@@ -122,7 +118,6 @@ cleanup:
- isc_result_t
- fwd_print_bracketed_values_buf(isc_mem_t *mctx, ldap_valuelist_t *values,
- 			      isc_buffer_t **string) {
--	isc_result_t result;
- 	ldap_value_t *value;
- 	const char prefix[] = "{ ";
- 	const char suffix[] = "}";
-@@ -143,13 +138,14 @@ fwd_print_bracketed_values_buf(isc_mem_t
- 	buffer_append_str(&tmp_buf, suffix, 2);
- 
- 	/* create and copy string from tmp to output buffer */
--	CHECK(isc_buffer_allocate(mctx, string, tmp_buf.used));
-+        /* No CHECK here as isc_buffer_allocate is void and can not fail.
-+         *  See bind9: a038f77d92a857bc11750683c9317d70da6fcfdf */
-+	isc_buffer_allocate(mctx, string, tmp_buf.used);
- 	isc_buffer_putmem(*string, isc_buffer_base(&tmp_buf), tmp_buf.used);
- 
--cleanup:
- 	if (tmp_buf.base != NULL)
- 		isc_mem_put(mctx, tmp_buf.base, tmp_buf.length);
--	return result;
-+	return ISC_R_SUCCESS;
- }
- 
- isc_result_t
-@@ -182,8 +178,8 @@ fwd_print_list_buff(isc_mem_t *mctx, dns
- 	list_len = fwd_list_len(fwdrs);
- 	CHECK(fwd_list_gen_dummy_config_string(mctx,
- 					       list_len, &dummy_fwdr_buf));
--	CHECK(cfg_parse_buffer(parser, dummy_fwdr_buf,
--			       cfg_type_forwarders, &forwarders_cfg));
-+	CHECK(cfg_parse_buffer(parser, dummy_fwdr_buf, NULL, 0,
-+			       cfg_type_forwarders, 0, &forwarders_cfg));
- 
- 	/* Walk through internal representation and cfg representation and copy
- 	 * data from the internal one to cfg data structures.*/
-@@ -199,7 +195,7 @@ fwd_print_list_buff(isc_mem_t *mctx, dns
- 	cfg_print(faddresses, buffer_append_str, &tmp_buf);
- 
- 	/* create and copy string from tmp to output buffer */
--	CHECK(isc_buffer_allocate(mctx, out_buf, tmp_buf.used));
-+	isc_buffer_allocate(mctx, out_buf, tmp_buf.used);
- 	isc_buffer_putmem(*out_buf, isc_buffer_base(&tmp_buf),
- 			  isc_buffer_usedlength(&tmp_buf));
- 
-@@ -275,7 +271,7 @@ fwd_parse_str(const char *fwdrs_str, isc
- 		addr = *cfg_obj_assockaddr(fwdr_cfg);
- 		if (isc_sockaddr_getport(&addr) == 0)
- 			isc_sockaddr_setport(&addr, port);
--		CHECKED_MEM_GET_PTR(mctx, fwdr);
-+		fwdr = isc_mem_get(mctx, sizeof(*(fwdr)));
- 		fwdr->addr = addr;
- 		fwdr->dscp = cfg_obj_getdscp(fwdr_cfg);
- 		ISC_LINK_INIT(fwdr, link);
-@@ -494,7 +490,7 @@ cleanup:
-  */
- isc_result_t
- fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst,
--		   dns_name_t *name)
-+		   const dns_name_t *name)
- {
- 	isc_result_t result;
- 	isc_mem_t *mctx = NULL;
-@@ -582,7 +578,7 @@ fwd_configure_zone(const settings_set_t
- 		CHECK(dns_fwdtable_addfwd(view->fwdtable, name, &fwdrs,
- 					  fwdpolicy));
- 	}
--	dns_view_flushcache(view);
-+	dns_view_flushcache(view, false);
- 	run_exclusive_exit(inst, lock_state);
- 	lock_state = ISC_R_IGNORE; /* prevent double-unlock */
- 	log_debug(5, "%s %s: forwarder table was updated: %s",
-@@ -607,7 +603,7 @@ cleanup:
- }
- 
- isc_result_t
--fwd_delete_table(dns_view_t *view, dns_name_t *name,
-+fwd_delete_table(dns_view_t *view, const dns_name_t *name,
- 		 const char *msg_obj_type, const char *logname) {
- 	isc_result_t result;
- 
---- a/src/settings.c
-+++ b/src/settings.c
-@@ -279,9 +279,12 @@ set_value(isc_mem_t *mctx, const setting
- 		len = strlen(value) + 1;
- 		if (setting->is_dynamic)
- 			isc_mem_free(mctx, setting->value.value_char);
--		CHECKED_MEM_ALLOCATE(mctx, setting->value.value_char, len);
-+		setting->value.value_char = isc_mem_allocate(mctx, len);
- 		setting->is_dynamic = true;
--		CHECK(isc_string_copy(setting->value.value_char, len, value));
-+		/* isc_string_copy has been removed */
-+		if (strlcpy(setting->value.value_char, value, len) >= len) {
-+			CLEANUP_WITH(ISC_R_NOSPACE);
-+		}
- 		break;
- 
- 	case ST_UNSIGNED_INTEGER:
-@@ -481,37 +484,30 @@ settings_set_create(isc_mem_t *mctx, con
- 		    const unsigned int default_set_length, const char *set_name,
- 		    const settings_set_t *const parent_set,
- 		    settings_set_t **target) {
--	isc_result_t result = ISC_R_FAILURE;
- 	settings_set_t *new_set = NULL;
- 
- 	REQUIRE(target != NULL && *target == NULL);
- 	REQUIRE(default_settings != NULL);
- 	REQUIRE(default_set_length > 0);
- 
--	CHECKED_MEM_ALLOCATE(mctx, new_set, default_set_length);
-+	new_set = isc_mem_allocate(mctx, default_set_length);
- 	ZERO_PTR(new_set);
- 	isc_mem_attach(mctx, &new_set->mctx);
- 
--	CHECKED_MEM_GET_PTR(mctx, new_set->lock);
--	result = isc_mutex_init(new_set->lock);
--	INSIST(result == ISC_R_SUCCESS);
-+	new_set->lock = isc_mem_get(mctx, sizeof(*(new_set->lock)));
-+	/* isc_mutex_init failures are now fatal */
-+	isc_mutex_init(new_set->lock);
- 
- 	new_set->parent_set = parent_set;
- 
--	CHECKED_MEM_ALLOCATE(mctx, new_set->first_setting, default_set_length);
-+	new_set->first_setting = isc_mem_allocate(mctx, default_set_length);
- 	memcpy(new_set->first_setting, default_settings, default_set_length);
- 
--	CHECKED_MEM_ALLOCATE(mctx, new_set->name, strlen(set_name) + 1);
-+	new_set->name = isc_mem_allocate(mctx, strlen(set_name) + 1);
- 	strcpy(new_set->name, set_name);
- 
- 	*target = new_set;
--	result = ISC_R_SUCCESS;
--
--cleanup:
--	if (result != ISC_R_SUCCESS)
--		settings_set_free(&new_set);
--
--	return result;
-+	return ISC_R_SUCCESS;
- }
- 
- /**
-@@ -531,7 +527,8 @@ settings_set_free(settings_set_t **set)
- 		mctx = (*set)->mctx;
- 
- 		if ((*set)->lock != NULL) {
--			DESTROYLOCK((*set)->lock);
-+			/* isc_mutex_destroy failures are now fatal */
-+			isc_mutex_destroy((*set)->lock);
- 			SAFE_MEM_PUT_PTR(mctx, (*set)->lock);
- 		}
- 
-@@ -577,7 +574,7 @@ cfg_printer(void *closure, const char *t
- static isc_result_t
- settings_set_fill(const cfg_obj_t *config, settings_set_t *set)
- {
--	isc_result_t result;
-+	isc_result_t result = ISC_R_SUCCESS;
- 	setting_t *setting;
- 	isc_buffer_t *buf_value = NULL;
- 	const cfg_obj_t *cfg_value;
-@@ -585,7 +582,8 @@ settings_set_fill(const cfg_obj_t *confi
- 
- 	REQUIRE(cfg_obj_ismap(config) == true);
- 
--	CHECK(isc_buffer_allocate(set->mctx, &buf_value, ISC_BUFFER_INCR));
-+	/* isc_buffer_allocate can no longer fail */
-+	isc_buffer_allocate(set->mctx, &buf_value, ISC_BUFFER_INCR);
- 	isc_buffer_setautorealloc(buf_value, true);
- 
- 	for (setting = set->first_setting;
-@@ -678,7 +676,8 @@ setting_set_parse_conf(isc_mem_t *mctx,
- 
- 	REQUIRE(parameters != NULL);
- 
--	CHECK(isc_buffer_allocate(mctx, &log_buf, ISC_BUFFER_INCR));
-+	/* isc_buffer_allocate can no longer fail */
-+	isc_buffer_allocate(mctx, &log_buf, ISC_BUFFER_INCR);
- 	isc_buffer_setautorealloc(log_buf, true);
- 
- 	len = strlen(parameters);
-@@ -686,8 +685,8 @@ setting_set_parse_conf(isc_mem_t *mctx,
- 	isc_buffer_add(&in_buf, len);
- 
- 	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
--	result = cfg_parse_buffer2(parser, &in_buf, name, cfg_type_conf,
--				   &config);
-+	result = cfg_parse_buffer(parser, &in_buf, name, 0, cfg_type_conf, 0,
-+				  &config);
- 	if (result == ISC_R_SUCCESS) {
- 		cfg_printx(config, CFG_PRINTER_XKEY, cfg_printer, log_buf);
- 		cfg_obj_log(config, dns_lctx, ISC_LOG_DEBUG(10),
-@@ -700,7 +699,7 @@ setting_set_parse_conf(isc_mem_t *mctx,
- 		log_error("configuration for dyndb instance '%s' "
- 			  "(starting in file %s on line %lu) is invalid",
- 			  name, file, line);
--		cfg_print_grammar(cfg_type_conf, cfg_printer, log_buf);
-+		cfg_print_grammar(cfg_type_conf, 0, cfg_printer, log_buf);
- 		log_info("expected grammar:\n"
- 			 "%.*s", isc_buffer_usedlength(log_buf),
- 			 (char *)isc_buffer_base(log_buf));
---- a/src/fs.c
-+++ b/src/fs.c
-@@ -79,7 +79,10 @@ fs_dirs_create(const char *path) {
- 	char curr_path[PATH_MAX + 1];
- 	char *end = NULL;
- 
--	CHECK(isc_string_copy(curr_path, PATH_MAX, path));
-+	/* isc_string_copy has been removed */
-+	if (strlcpy(curr_path, path, PATH_MAX) >= PATH_MAX) {
-+		CLEANUP_WITH(ISC_R_NOSPACE);
-+	}
- 
- 	for (end = strchr(curr_path, '/');
- 	     end != NULL;
---- a/src/ldap_convert.c
-+++ b/src/ldap_convert.c
-@@ -131,7 +131,7 @@ dn_to_dnsname(isc_mem_t *mctx, const cha
- 	} else if (idx == 1) { /* zone only */
- 		if (iszone != NULL)
- 			*iszone = true;
--		CHECK(dns_name_copy(dns_rootname, &origin, NULL));
-+		dns_name_copynf(dns_rootname, &origin);
- 		CHECK(dns_name_fromtext(&name, &name_buf, dns_rootname, 0, NULL));
- 	} else if (idx == 2) { /* owner and zone */
- 		if (iszone != NULL)
-@@ -237,6 +237,7 @@ dns_to_ldap_dn_escape(isc_mem_t *mctx, c
- 	int idx_symb_first = -1; /* index of first "nice" printable symbol in dns_str */
- 	int dns_idx = 0;
- 	int esc_idx = 0;
-+	int s_len;
- 
- 	REQUIRE(dns_str != NULL);
- 	REQUIRE(ldap_name != NULL && *ldap_name == NULL);
-@@ -247,7 +248,7 @@ dns_to_ldap_dn_escape(isc_mem_t *mctx, c
- 	 * In worst case each symbol from DNS dns_str will be represented
- 	 * as "\xy" in ldap_name. (xy are hexadecimal digits)
- 	 */
--	CHECKED_MEM_ALLOCATE(mctx, *ldap_name, 3 * dns_str_len + 1);
-+	*ldap_name = isc_mem_allocate(mctx, 3 * dns_str_len + 1);
- 	esc_name = *ldap_name;
- 
- 	for (dns_idx = 0; dns_idx < dns_str_len; dns_idx++) {
-@@ -286,8 +287,13 @@ dns_to_ldap_dn_escape(isc_mem_t *mctx, c
- 			}
- 			/* LDAP uses \xy escaping. "xy" represent two hexadecimal digits.*/
- 			/* TODO: optimize to bit mask & rotate & dec->hex table? */
--			CHECK(isc_string_printf(esc_name + esc_idx, 4, "\\%02x", ascii_val));
--			esc_idx += 3; /* isc_string_printf wrote 4 bytes including '\0' */
-+			/* isc_string_printf has been removed */
-+			s_len = snprintf(esc_name + esc_idx,
-+					 4, "\\%02x", ascii_val);
-+			if (s_len < 0 || s_len >= 4) {
-+				CLEANUP_WITH(ISC_R_NOSPACE);
-+			}
-+			esc_idx += 3; /* snprintf wrote 4 bytes including '\0' */
- 		}
- 	}
- 	if (idx_symb_first != -1) { /* copy last nice part */
-@@ -302,10 +308,8 @@ cleanup:
- 	if (result == DNS_R_BADESCAPE)
- 		log_bug("improperly escaped DNS string: '%s'", dns_str);
- 
--	if (*ldap_name) {
--		isc_mem_free(mctx, *ldap_name);
--		*ldap_name = NULL;
--	}
-+	isc_mem_free(mctx, *ldap_name);
-+	*ldap_name = NULL;
- 	return result;
- }
- 
-@@ -430,20 +434,30 @@ isc_result_t
- rdatatype_to_ldap_attribute(dns_rdatatype_t rdtype, char *target,
- 			    unsigned int size, bool unknown)
- {
--	isc_result_t result;
-+	isc_result_t result = ISC_R_SUCCESS;
- 	char rdtype_str[DNS_RDATATYPE_FORMATSIZE];
- 
- 	if (unknown) {
- 		/* "UnknownRecord;TYPE65333" */
--		CHECK(isc_string_copy(target, size,
--				      LDAP_RDATATYPE_UNKNOWN_PREFIX));
-+		/* isc_string_copy and isc_string_append have been removed */
-+		if (strlcpy(target, LDAP_RDATATYPE_UNKNOWN_PREFIX, size)
-+		    >= size) {
-+			CLEANUP_WITH(ISC_R_NOSPACE);
-+		}
- 		snprintf(rdtype_str, sizeof(rdtype_str), "TYPE%u", rdtype);
--		CHECK(isc_string_append(target, size, rdtype_str));
-+		if (strlcat(target, rdtype_str, size) >= size) {
-+			CLEANUP_WITH(ISC_R_NOSPACE);
-+		}
- 	} else {
- 		/* "ARecord" */
- 		dns_rdatatype_format(rdtype, rdtype_str, DNS_RDATATYPE_FORMATSIZE);
--		CHECK(isc_string_copy(target, size, rdtype_str));
--		CHECK(isc_string_append(target, size, LDAP_RDATATYPE_SUFFIX));
-+		/* isc_string_copy and isc_string_append have been removed */
-+		if (strlcpy(target, rdtype_str, size) >= size) {
-+			CLEANUP_WITH(ISC_R_NOSPACE);
-+		}
-+		if (strlcat(target, LDAP_RDATATYPE_SUFFIX, size) >= size) {
-+			CLEANUP_WITH(ISC_R_NOSPACE);
-+		}
- 	}
- 
- cleanup:
-@@ -463,8 +477,9 @@ rdata_to_generic(dns_rdata_t *rdata, isc
- 	dns_rdata_toregion(rdata, &rdata_reg);
- 	REQUIRE(rdata_reg.length <= 65535);
- 
--	result = isc_string_printf(buf, sizeof(buf), "\\# %u", rdata_reg.length);
--	INSIST(result == ISC_R_SUCCESS);
-+	/* isc_string_printf has been removed */
-+	result = snprintf(buf, sizeof(buf), "\\# %u", rdata_reg.length);
-+	RUNTIME_CHECK(result < sizeof(buf));
- 	isc_buffer_putstr(target, buf);
- 	if (rdata_reg.length != 0U) {
- 		isc_buffer_putstr(target, " ");
---- a/src/ldap_helper.c
-+++ b/src/ldap_helper.c
-@@ -3,6 +3,8 @@
-  */
- 
- #include "config.h"
-+#define HAVE_TLS 1
-+#define HAVE_THREAD_LOCAL 1
- 
- #include <dns/dyndb.h>
- #include <dns/diff.h>
-@@ -390,6 +392,7 @@ validate_local_instance_settings(ldap_in
- 	char print_buff[PRINT_BUFF_SIZE];
- 	const char *auth_method_str = NULL;
- 	ldap_auth_t auth_method_enum = AUTH_INVALID;
-+	int s_len;
- 
- 	if (strlen(inst->db_name) <= 0) {
- 		log_error("LDAP instance name cannot be empty");
-@@ -445,7 +448,12 @@ validate_local_instance_settings(ldap_in
- 			  auth_method_str);
- 		CLEANUP_WITH(ISC_R_FAILURE);
- 	}
--	CHECK(isc_string_printf(print_buff, PRINT_BUFF_SIZE, "%u", auth_method_enum));
-+	/* isc_string_printf has been removed */
-+	s_len = snprintf(print_buff, PRINT_BUFF_SIZE, "%u", auth_method_enum);
-+	if (s_len < 0 || s_len >= PRINT_BUFF_SIZE) {
-+		CLEANUP_WITH(ISC_R_NOSPACE);
-+	}
-+
- 	CHECK(setting_set("auth_method_enum", inst->local_settings, print_buff));
- 
- 	/* check we have the right data when SASL/GSSAPI is selected */
-@@ -543,11 +551,11 @@ new_ldap_instance(isc_mem_t *mctx, const
- 
- 	REQUIRE(ldap_instp != NULL && *ldap_instp == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, ldap_inst);
-+	ldap_inst = isc_mem_get(mctx, sizeof(*(ldap_inst)));
- 	ZERO_PTR(ldap_inst);
--	CHECK(isc_refcount_init(&ldap_inst->errors, 0));
-+	isc_refcount_init(&ldap_inst->errors, 0);
- 	isc_mem_attach(mctx, &ldap_inst->mctx);
--	CHECKED_MEM_STRDUP(mctx, db_name, ldap_inst->db_name);
-+	ldap_inst->db_name = isc_mem_strdup(mctx, db_name);
- 	dns_view_attach(dctx->view, &ldap_inst->view);
- 	dns_zonemgr_attach(dctx->zmgr, &ldap_inst->zmgr);
- 	isc_task_attach(dctx->task, &ldap_inst->task);
-@@ -555,16 +563,18 @@ new_ldap_instance(isc_mem_t *mctx, const
- 	ldap_inst->watcher = 0;
- 	CHECK(sync_ctx_init(ldap_inst->mctx, ldap_inst, &ldap_inst->sctx));
- 
--	isc_string_printf_truncate(settings_name, PRINT_BUFF_SIZE,
--				   SETTING_SET_NAME_LOCAL " for database %s",
--				   ldap_inst->db_name);
-+	/* truncation is allowed */
-+	snprintf(settings_name, PRINT_BUFF_SIZE,
-+		 SETTING_SET_NAME_LOCAL " for database %s",
-+		 ldap_inst->db_name);
- 	CHECK(settings_set_create(mctx, settings_local_default,
- 	      sizeof(settings_local_default), settings_name,
- 	      &settings_default_set, &ldap_inst->local_settings));
- 
--	isc_string_printf_truncate(settings_name, PRINT_BUFF_SIZE,
--				   SETTING_SET_NAME_GLOBAL " for database %s",
--				   ldap_inst->db_name);
-+	/* truncation is allowed */
-+	snprintf(settings_name, PRINT_BUFF_SIZE,
-+		 SETTING_SET_NAME_GLOBAL " for database %s",
-+		 ldap_inst->db_name);
- 	CHECK(settings_set_create(mctx, settings_global_default,
- 	      sizeof(settings_global_default), settings_name,
- 	      ldap_inst->local_settings, &ldap_inst->global_settings));
-@@ -576,7 +586,7 @@ new_ldap_instance(isc_mem_t *mctx, const
- 	/* copy global forwarders setting for configuration roll back in
- 	 * configure_zone_forwarders() */
- 	result = dns_fwdtable_find(ldap_inst->view->fwdtable, dns_rootname,
--				   &named_conf_forwarders);
-+				   NULL, &named_conf_forwarders);
- 	if (result == ISC_R_SUCCESS) {
- 		/* Copy forwarding config from named.conf into local_settings */
- 		CHECK(fwd_print_list_buff(mctx, named_conf_forwarders,
-@@ -602,8 +612,6 @@ new_ldap_instance(isc_mem_t *mctx, const
- 					empty_zone_handle_globalfwd_ev,
- 					ldap_inst->view->zonetable,
- 					sizeof(ldap_globalfwd_handleez_t));
--		if (gfwdevent == NULL)
--			CLEANUP_WITH(ISC_R_NOMEMORY);
- 		/* policy == first does not override automatic empty zones */
- 		gfwdevent->warn_only = (named_conf_forwarders->fwdpolicy
- 					== dns_fwdpolicy_first);
-@@ -628,14 +636,16 @@ new_ldap_instance(isc_mem_t *mctx, const
- 	/* zero-length server_id means undefined value */
- 	CHECK(setting_get_str("server_id", ldap_inst->local_settings,
- 			      &server_id));
--	if (strlen(server_id) == 0)
--		isc_string_printf_truncate(settings_name, PRINT_BUFF_SIZE,
--					   SETTING_SET_NAME_SERVER
--					   " for undefined server_id");
--	else
--		isc_string_printf_truncate(settings_name, PRINT_BUFF_SIZE,
--					   SETTING_SET_NAME_SERVER
--					   " for server id %s", server_id);
-+	if (strlen(server_id) == 0) {
-+		/* truncation is allowed */
-+		snprintf(settings_name, PRINT_BUFF_SIZE,
-+			 SETTING_SET_NAME_SERVER " for undefined server_id");
-+	} else {
-+		/* truncation is allowed */
-+		snprintf(settings_name, PRINT_BUFF_SIZE,
-+			 SETTING_SET_NAME_SERVER
-+			 " for server id %s", server_id);
-+	}
- 
- 	CHECK(settings_set_create(mctx, settings_server_ldap_default,
- 	      sizeof(settings_server_ldap_default), settings_name,
-@@ -656,7 +666,8 @@ new_ldap_instance(isc_mem_t *mctx, const
- 	CHECK(fwdr_create(ldap_inst->mctx, &ldap_inst->fwd_register));
- 	CHECK(mldap_new(mctx, &ldap_inst->mldapdb));
- 
--	CHECK(isc_mutex_init(&ldap_inst->kinit_lock));
-+	/* isc_mutex_init and isc_condition_init failures are now fatal */
-+	isc_mutex_init(&ldap_inst->kinit_lock);
- 
- 	CHECK(ldap_pool_create(mctx, connections, &ldap_inst->pool));
- 	CHECK(ldap_pool_connect(ldap_inst->pool, ldap_inst));
-@@ -666,13 +677,16 @@ new_ldap_instance(isc_mem_t *mctx, const
- 			      mctx, &ldap_inst->db_imp));
- 
- 	/* Start the watcher thread */
--	result = isc_thread_create(ldap_syncrepl_watcher, ldap_inst,
--				   &ldap_inst->watcher);
--	if (result != ISC_R_SUCCESS) {
--		ldap_inst->watcher = 0;
--		log_error("Failed to create syncrepl watcher thread");
--		goto cleanup;
--	}
-+	/* isc_thread_create assert internally on failure */
-+	isc_thread_create(ldap_syncrepl_watcher, ldap_inst,
-+			  &ldap_inst->watcher);
-+	/*
-+	 * if (result != ISC_R_SUCCESS) {
-+	 *	ldap_inst->watcher = 0;
-+	 *	log_error("Failed to create syncrepl watcher thread");
-+	 *	goto cleanup;
-+	 * }
-+	 */
- 
- cleanup:
- 	if (forwarders_list != NULL)
-@@ -714,8 +728,8 @@ ldap_syncrepl_watcher_shutdown(ldap_inst
- 				  "(already terminated?)");
- 	}
- 
--	RUNTIME_CHECK(isc_thread_join(ldap_inst->watcher, NULL)
--		      == ISC_R_SUCCESS);
-+	/* isc_thread_join assert internally on failure */
-+	isc_thread_join(ldap_inst->watcher, NULL);
- }
- 
- void
-@@ -749,7 +763,8 @@ destroy_ldap_instance(ldap_instance_t **
- 	if (ldap_inst->task != NULL)
- 		isc_task_detach(&ldap_inst->task);
- 
--	DESTROYLOCK(&ldap_inst->kinit_lock);
-+	/* isc_mutex_init and isc_condition_init failures are now fatal */
-+	isc_mutex_destroy(&ldap_inst->kinit_lock);
- 
- 	settings_set_free(&ldap_inst->global_settings);
- 	settings_set_free(&ldap_inst->local_settings);
-@@ -773,31 +788,28 @@ destroy_ldap_instance(ldap_instance_t **
- static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
- new_ldap_connection(ldap_pool_t *pool, ldap_connection_t **ldap_connp)
- {
--	isc_result_t result;
- 	ldap_connection_t *ldap_conn;
- 
- 	REQUIRE(pool != NULL);
- 	REQUIRE(ldap_connp != NULL && *ldap_connp == NULL);
- 
--	CHECKED_MEM_GET_PTR(pool->mctx, ldap_conn);
-+	ldap_conn = isc_mem_get(pool->mctx, sizeof(*(ldap_conn)));
- 	ZERO_PTR(ldap_conn);
- 
--	result = isc_mutex_init(&ldap_conn->lock);
--	if (result != ISC_R_SUCCESS) {
--		SAFE_MEM_PUT_PTR(pool->mctx, ldap_conn);
--		return result;
--	}
-+	/* isc_mutex_init and isc_condition_init failures are now fatal */
-+	isc_mutex_init(&ldap_conn->lock);
-+	/*
-+	 * if (result != ISC_R_SUCCESS) {
-+	 *	SAFE_MEM_PUT_PTR(pool->mctx, ldap_conn);
-+	 *	return result;
-+	 * }
-+	 */
- 
- 	isc_mem_attach(pool->mctx, &ldap_conn->mctx);
- 
- 	*ldap_connp = ldap_conn;
- 
- 	return ISC_R_SUCCESS;
--
--cleanup:
--	destroy_ldap_connection(&ldap_conn);
--
--	return result;
- }
- 
- static void
-@@ -811,7 +823,8 @@ destroy_ldap_connection(ldap_connection_
- 	if (ldap_conn == NULL)
- 		return;
- 
--	DESTROYLOCK(&ldap_conn->lock);
-+	 /* isc_mutex_init and isc_condition_init failures are now fatal */
-+	isc_mutex_destroy(&ldap_conn->lock);
- 	if (ldap_conn->handle != NULL)
- 		ldap_unbind_ext_s(ldap_conn->handle, NULL, NULL);
- 
-@@ -825,6 +838,7 @@ cleanup_zone_files(dns_zone_t *zone) {
- 	const char *filename = NULL;
- 	dns_zone_t *raw = NULL;
- 	int namelen;
-+	int s_len;
- 	char bck_filename[PATH_MAX];
- 
- 	dns_zone_getraw(zone, &raw);
-@@ -847,8 +861,11 @@ cleanup_zone_files(dns_zone_t *zone) {
- 	namelen = strlen(filename);
- 	if (namelen > 4 && strcmp(filename + namelen - 4, ".jnl") == 0)
- 		namelen -= 4;
--	CHECK(isc_string_printf(bck_filename, sizeof(bck_filename),
--				"%.*s.jbk", namelen, filename));
-+	s_len = snprintf(bck_filename, sizeof(bck_filename),
-+			 "%.*s.jbk", namelen, filename);
-+	if (s_len < 0 || (unsigned)s_len >= sizeof(bck_filename)) {
-+		CLEANUP_WITH(ISC_R_NOSPACE);
-+	}
- 	CHECK(fs_file_remove(bck_filename));
- 
- cleanup:
-@@ -941,7 +958,8 @@ configure_paths(isc_mem_t *mctx, ldap_in
- 	CHECK(zr_get_zone_path(mctx, ldap_instance_getsettings_local(inst),
- 			       dns_zone_getorigin(zone),
- 			       (issecure ? "signed" : "raw"), &file_name));
--	CHECK(dns_zone_setfile(zone, str_buf(file_name)));
-+	CHECK(dns_zone_setfile(zone, str_buf(file_name), dns_masterformat_text,
-+			       &dns_master_style_default));
- 	if (issecure == true) {
- 		CHECK(zr_get_zone_path(mctx,
- 				       ldap_instance_getsettings_local(inst),
-@@ -990,8 +1008,9 @@ create_zone(ldap_instance_t * const inst
- 	dns_zone_setclass(raw, dns_rdataclass_in);
- 	dns_zone_settype(raw, dns_zone_master);
- 	/* dns_zone_setview(raw, view); */
--	CHECK(dns_zone_setdbtype(raw, sizeof(ldap_argv)/sizeof(ldap_argv[0]),
--				 ldap_argv));
-+	/* dns_zone_setdbtype is now void as it could no longer return */
-+	dns_zone_setdbtype(raw, sizeof(ldap_argv)/sizeof(ldap_argv[0]),
-+			   ldap_argv);
- 	CHECK(configure_paths(inst->mctx, inst, raw, false));
- 
- 	if (want_secure == false) {
-@@ -1003,7 +1022,9 @@ create_zone(ldap_instance_t * const inst
- 		dns_zone_setclass(secure, dns_rdataclass_in);
- 		dns_zone_settype(secure, dns_zone_master);
- 		/* dns_zone_setview(secure, view); */
--		CHECK(dns_zone_setdbtype(secure, 1, rbt_argv));
-+		/* dns_zone_setdbtype is now void as it could no longer
-+		 * return */
-+		dns_zone_setdbtype(secure, 1, rbt_argv);
- 		CHECK(dns_zonemgr_managezone(inst->zmgr, secure));
- 		CHECK(dns_zone_link(secure, raw));
- 		dns_zone_rekey(secure, true);
-@@ -1055,7 +1076,7 @@ load_zone(dns_zone_t *zone, bool log) {
- 	uint32_t serial;
- 	dns_zone_t *raw = NULL;
- 
--	result = dns_zone_load(zone);
-+	result = dns_zone_load(zone, false);
- 	if (result != ISC_R_SUCCESS && result != DNS_R_UPTODATE
- 	    && result != DNS_R_DYNAMIC && result != DNS_R_CONTINUE)
- 		goto cleanup;
-@@ -1067,11 +1088,11 @@ load_zone(dns_zone_t *zone, bool log) {
- 		zone = NULL;
- 	}
- 
--	CHECK(dns_zone_getserial2(raw, &serial));
-+	CHECK(dns_zone_getserial(raw, &serial));
- 	if (log == true)
- 		dns_zone_log(raw, ISC_LOG_INFO, "loaded serial %u", serial);
- 	if (zone != NULL) {
--		result = dns_zone_getserial2(zone, &serial);
-+		result = dns_zone_getserial(zone, &serial);
- 		if (result == ISC_R_SUCCESS && log == true)
- 			dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u",
- 				     serial);
-@@ -1708,6 +1729,7 @@ ldap_replace_serial(ldap_instance_t *ins
- 	LDAPMod change;
- 	LDAPMod *changep[2] = { &change, NULL };
- 	ld_string_t *dn = NULL;
-+	int s_len;
- 
- 	REQUIRE(inst != NULL);
- 
-@@ -1717,7 +1739,10 @@ ldap_replace_serial(ldap_instance_t *ins
- 	change.mod_op = LDAP_MOD_REPLACE;
- 	change.mod_type = "idnsSOAserial";
- 	change.mod_values = values;
--	CHECK(isc_string_printf(serial_char, MAX_SERIAL_LENGTH, "%u", serial));
-+	s_len = snprintf(serial_char, MAX_SERIAL_LENGTH, "%u", serial);
-+	if (s_len < 0 || (unsigned)s_len >= MAX_SERIAL_LENGTH) {
-+		CLEANUP_WITH(ISC_R_NOSPACE);
-+	}
- 
- 	CHECK(ldap_modify_do(inst, str_buf(dn), changep, false));
- 
-@@ -2250,7 +2275,7 @@ findrdatatype_or_create(isc_mem_t *mctx,
- 
- 	result = ldapdb_rdatalist_findrdatatype(rdatalist, rdtype, &rdlist);
- 	if (result != ISC_R_SUCCESS) {
--		CHECKED_MEM_GET_PTR(mctx, rdlist);
-+		rdlist = isc_mem_get(mctx, sizeof(*(rdlist)));
- 
- 		dns_rdatalist_init(rdlist);
- 		rdlist->rdclass = rdclass;
-@@ -2371,7 +2396,7 @@ ldap_substitute_rr_template(isc_mem_t *m
- 		CLEANUP_WITH(ISC_R_UNEXPECTED);
- 
- 	CHECK(str_new(mctx, &replaced));
--	CHECKED_MEM_STRDUP(mctx, str_buf(orig_val), tmp);
-+	tmp = isc_mem_strdup(mctx, str_buf(orig_val));
- 
- 	while (regexec(&regex, tmp + processed,
- 		       sizeof(matches)/sizeof(regmatch_t),
-@@ -2419,9 +2444,7 @@ ldap_substitute_rr_template(isc_mem_t *m
- 	result = ISC_R_SUCCESS;
- 
- cleanup:
--	if (tmp != NULL)
--		isc_mem_free(mctx, tmp);
--
-+	isc_mem_free(mctx, tmp);
- 	str_destroy(&replaced);
- 	return result;
- }
-@@ -2659,11 +2682,11 @@ parse_rdata(isc_mem_t *mctx, ldap_entry_
- 	CHECK(dns_rdata_fromtext(NULL, rdclass, rdtype, entry->lex, origin,
- 				 0, mctx, &entry->rdata_target, NULL));
- 
--	CHECKED_MEM_GET_PTR(mctx, rdata);
-+	rdata = isc_mem_get(mctx, sizeof(*(rdata)));
- 	dns_rdata_init(rdata);
- 
- 	rdatamem.length = isc_buffer_usedlength(&entry->rdata_target);
--	CHECKED_MEM_GET(mctx, rdatamem.base, rdatamem.length);
-+	rdatamem.base = isc_mem_get(mctx, rdatamem.length);
- 
- 	memcpy(rdatamem.base, isc_buffer_base(&entry->rdata_target),
- 	       rdatamem.length);
-@@ -3144,22 +3167,15 @@ isc_result_t ATTR_NONNULLS ATTR_CHECKRES
- ldap_mod_create(isc_mem_t *mctx, LDAPMod **changep)
- {
- 	LDAPMod *change = NULL;
--	isc_result_t result;
- 
- 	REQUIRE(changep != NULL && *changep == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, change);
-+	change = isc_mem_get(mctx, sizeof(*(change)));
- 	ZERO_PTR(change);
--	CHECKED_MEM_GET(mctx, change->mod_type, LDAP_ATTR_FORMATSIZE);
-+	change->mod_type = isc_mem_get(mctx, LDAP_ATTR_FORMATSIZE);
- 
- 	*changep = change;
- 	return ISC_R_SUCCESS;
--
--cleanup:
--	if (change != NULL)
--		SAFE_MEM_PUT_PTR(mctx, change);
--
--	return result;
- }
- 
- /**
-@@ -3204,7 +3220,7 @@ static isc_result_t ATTR_NONNULLS ATTR_C
- ldap_rdata_to_char_array(isc_mem_t *mctx, dns_rdata_t *rdata_head,
- 			 bool unknown, char ***valsp)
- {
--	isc_result_t result;
-+	isc_result_t result = ISC_R_FAILURE;
- 	char **vals;
- 	unsigned int i;
- 	unsigned int rdata_count = 0;
-@@ -3219,7 +3235,7 @@ ldap_rdata_to_char_array(isc_mem_t *mctx
- 
- 	vals_size = (rdata_count + 1) * sizeof(char *);
- 
--	CHECKED_MEM_ALLOCATE(mctx, vals, vals_size);
-+	vals = isc_mem_allocate(mctx, vals_size);
- 	memset(vals, 0, vals_size);
- 
- 	rdata = rdata_head;
-@@ -3237,7 +3253,7 @@ ldap_rdata_to_char_array(isc_mem_t *mctx
- 		isc_buffer_usedregion(&buffer, &region);
- 
- 		/* Now allocate the string with the right size. */
--		CHECKED_MEM_ALLOCATE(mctx, vals[i], region.length + 1);
-+		vals[i] = isc_mem_allocate(mctx, region.length + 1);
- 		memcpy(vals[i], region.base, region.length);
- 		vals[i][region.length] = '\0';
- 		
-@@ -3287,13 +3303,17 @@ ldap_rdttl_to_ldapmod(isc_mem_t *mctx, d
- 
- 	CHECK(ldap_mod_create(mctx, &change));
- 	change->mod_op = LDAP_MOD_REPLACE;
--	CHECK(isc_string_copy(change->mod_type, LDAP_ATTR_FORMATSIZE, "dnsTTL"));
-+	/* isc_string_copy has been removed */
-+	if (strlcpy(change->mod_type, "dnsTTL", LDAP_ATTR_FORMATSIZE)
-+	   >= LDAP_ATTR_FORMATSIZE) {
-+		CLEANUP_WITH(ISC_R_NOSPACE);
-+	}
- 
--	CHECKED_MEM_ALLOCATE(mctx, vals, 2 * sizeof(char *));
-+	vals = isc_mem_allocate(mctx, 2 * sizeof(char *));
- 	memset(vals, 0, 2 * sizeof(char *));
- 	change->mod_values = vals;
- 
--	CHECKED_MEM_ALLOCATE(mctx, vals[0], str_len(ttlval) + 1);
-+	vals[0] = isc_mem_allocate(mctx, str_len(ttlval) + 1);
- 	memcpy(vals[0], str_buf(ttlval), str_len(ttlval) + 1);
- 
- 	*changep = change;
-@@ -3314,8 +3334,9 @@ static isc_result_t ATTR_NONNULLS ATTR_C
- modify_soa_record(ldap_instance_t *ldap_inst, const char *zone_dn,
- 		  dns_rdata_t *rdata)
- {
--	isc_result_t result;
-+	isc_result_t result = ISC_R_SUCCESS;
- 	dns_rdata_soa_t soa;
-+	int s_len;
- 	LDAPMod change[5];
- 	LDAPMod *changep[6] = {
- 		&change[0], &change[1], &change[2], &change[3], &change[4],
-@@ -3332,8 +3353,11 @@ modify_soa_record(ldap_instance_t *ldap_
- 	change[index].mod_values = alloca(2 * sizeof(char *)); \
- 	change[index].mod_values[0] = alloca(MAX_SOANUM_LENGTH); \
- 	change[index].mod_values[1] = NULL; \
--	CHECK(isc_string_printf(change[index].mod_values[0], \
--		MAX_SOANUM_LENGTH, "%u", soa.name));
-+	s_len = snprintf(change[index].mod_values[0], MAX_SOANUM_LENGTH, \
-+			 "%u", soa.name); \
-+	if (s_len < 0 || s_len >= MAX_SOANUM_LENGTH) { \
-+		CLEANUP_WITH(ISC_R_NOSPACE); \
-+	}
- 
- 	dns_rdata_tostruct(rdata, (void *)&soa, ldap_inst->mctx);
- 
-@@ -3500,8 +3524,10 @@ remove_rdtype_from_ldap(dns_name_t *owne
- 		change[0]->mod_vals.modv_strvals = NULL;
- 		CHECK(rdatatype_to_ldap_attribute(type, attr, sizeof(attr),
- 						  unknown_type));
--		CHECK(isc_string_copy(change[0]->mod_type, LDAP_ATTR_FORMATSIZE,
--				      attr));
-+		if (strlcpy(change[0]->mod_type, attr, LDAP_ATTR_FORMATSIZE)
-+		    >= LDAP_ATTR_FORMATSIZE) {
-+			CLEANUP_WITH(ISC_R_NOSPACE);
-+		}
- 		CHECK(ldap_modify_do(ldap_inst, str_buf(dn), change, false));
- 		ldap_mod_free(ldap_inst->mctx, &change[0]);
- 		unknown_type = !unknown_type;
-@@ -3561,13 +3587,13 @@ ldap_pool_create(isc_mem_t *mctx, unsign
- 
- 	REQUIRE(poolp != NULL && *poolp == NULL);
- 
--	CHECKED_MEM_GET(mctx, pool, sizeof(*pool));
-+	pool = isc_mem_get(mctx, sizeof(*pool));
- 	ZERO_PTR(pool);
- 	isc_mem_attach(mctx, &pool->mctx);
- 	
- 	CHECK(semaphore_init(&pool->conn_semaphore, connections));
--	CHECKED_MEM_GET(mctx, pool->conns,
--			connections * sizeof(ldap_connection_t *));
-+	pool->conns = isc_mem_get(mctx,
-+				  connections * sizeof(ldap_connection_t *));
- 	memset(pool->conns, 0, connections * sizeof(ldap_connection_t *));
- 	pool->connections = connections;
- 
-@@ -3973,7 +3999,7 @@ update_restart:
- 	/* Check if the zone is loaded or not.
- 	 * No other function above returns DNS_R_NOTLOADED. */
- 	if (sync_state == sync_finished)
--		result = dns_zone_getserial2(raw, &serial);
-+		result = dns_zone_getserial(raw, &serial);
- 
- cleanup:
- #ifdef RBTDB_DEBUG
-@@ -4010,7 +4036,7 @@ cleanup:
- 				     "caused by change in %s",
- 				     ldap_entry_logname(entry));
- 			zone_reloaded = true;
--			result = dns_zone_getserial2(raw, &serial);
-+			result = dns_zone_getserial(raw, &serial);
- 			if (result == ISC_R_SUCCESS)
- 				goto update_restart;
- 		} else {
-@@ -4146,7 +4172,7 @@ syncrepl_update(ldap_instance_t *inst, l
- 
- 	/* This code is disabled because we don't have UUID->DN database yet.
- 	if (SYNCREPL_MODDN(chgtype)) {
--		CHECKED_MEM_STRDUP(mctx, prevdn_ldap, prevdn);
-+		prevdn = isc_mem_strdup(mctx, prevdn_ldap);
- 	}
- 	*/
- 
-@@ -4171,11 +4197,6 @@ syncrepl_update(ldap_instance_t *inst, l
- 				action, NULL,
- 				sizeof(ldap_syncreplevent_t));
- 
--	if (pevent == NULL) {
--		result = ISC_R_NOMEMORY;
--		goto cleanup;
--	}
--
- 	pevent->mctx = NULL;
- 	isc_mem_attach(inst->mctx, &pevent->mctx);
- 	pevent->inst = inst;
-@@ -4607,6 +4628,7 @@ ldap_sync_doit(ldap_instance_t *inst, ld
- 	       const char * const filter_objcs, int mode) {
- 	isc_result_t result;
- 	int ret;
-+	int s_len;
- 	ldap_sync_t *ldap_sync = NULL;
- 	const char *err_hint = "";
- 	char filter[1024];
-@@ -4620,14 +4642,22 @@ ldap_sync_doit(ldap_instance_t *inst, ld
- 
- 	/* request idnsServerConfig object only if server_id is specified */
- 	CHECK(setting_get_str("server_id", inst->server_ldap_settings, &server_id));
--	if (strlen(server_id) == 0)
--		CHECK(isc_string_printf(filter, sizeof(filter), config_template,
--				        "", "", "", filter_objcs));
--	else
--		CHECK(isc_string_printf(filter, sizeof(filter), config_template,
--					"  (&(objectClass=idnsServerConfigObject)"
--				        "    (idnsServerId=", server_id, "))",
--					filter_objcs));
-+	if (strlen(server_id) == 0) {
-+		s_len = snprintf(filter, sizeof(filter),
-+				 config_template, "", "", "", filter_objcs);
-+		if (s_len < 0 || (unsigned)s_len >= sizeof(filter)) {
-+			CLEANUP_WITH(ISC_R_NOSPACE);
-+		}
-+	} else {
-+		s_len = snprintf(filter, sizeof(filter),
-+				 config_template,
-+				 "  (&(objectClass=idnsServerConfigObject)"
-+				 "    (idnsServerId=", server_id, "))",
-+				 filter_objcs);
-+		if (s_len < 0 || (unsigned)s_len >= sizeof(filter)) {
-+			CLEANUP_WITH(ISC_R_NOSPACE);
-+		}
-+	}
- 
- 	result = ldap_sync_prepare(inst, inst->server_ldap_settings,
- 				   filter, conn, &ldap_sync);
-@@ -4821,7 +4851,7 @@ ldap_instance_isexiting(ldap_instance_t
-  * (if it is even possible). */
- void
- ldap_instance_taint(ldap_instance_t *ldap_inst) {
--	isc_refcount_increment0(&ldap_inst->errors, NULL);
-+	isc_refcount_increment0(&ldap_inst->errors);
- }
- 
- bool
-@@ -4850,13 +4880,12 @@ ldap_instance_untaint_start(ldap_instanc
-  */
- isc_result_t
- ldap_instance_untaint_finish(ldap_instance_t *ldap_inst, unsigned int count) {
--	unsigned int remaining = 0;
- 	while (count > 0) {
--		isc_refcount_decrement(&ldap_inst->errors, &remaining);
-+		isc_refcount_decrement(&ldap_inst->errors);
- 		count--;
- 	}
--	if (remaining != 0)
--		return DNS_R_CONTINUE;
--	else
-+	if (isc_refcount_current(&ldap_inst->errors) == 0) {
- 		return ISC_R_SUCCESS;
-+	}
-+	return DNS_R_CONTINUE;
- }
---- a/src/zone_register.c
-+++ b/src/zone_register.c
-@@ -111,7 +111,7 @@ zr_create(isc_mem_t *mctx, ldap_instance
- 	REQUIRE(glob_settings != NULL);
- 	REQUIRE(zrp != NULL && *zrp == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, zr);
-+	zr = isc_mem_get(mctx, sizeof(*(zr)));
- 	ZERO_PTR(zr);
- 	isc_mem_attach(mctx, &zr->mctx);
- 	CHECK(dns_rbt_create(mctx, delete_zone_info, mctx, &zr->rbt));
-@@ -123,11 +123,10 @@ zr_create(isc_mem_t *mctx, ldap_instance
- 	return ISC_R_SUCCESS;
- 
- cleanup:
--	if (zr != NULL) {
--		if (zr->rbt != NULL)
--			dns_rbt_destroy(&zr->rbt);
--		MEM_PUT_AND_DETACH(zr);
-+	if (zr->rbt != NULL) {
-+		dns_rbt_destroy(&zr->rbt);
- 	}
-+	MEM_PUT_AND_DETACH(zr);
- 
- 	return result;
- }
-@@ -272,17 +271,17 @@ create_zone_info(isc_mem_t * const mctx,
- 	REQUIRE(dn != NULL);
- 	REQUIRE(zinfop != NULL && *zinfop == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, zinfo);
-+	zinfo = isc_mem_get(mctx, sizeof(*(zinfo)));
- 	ZERO_PTR(zinfo);
--	CHECKED_MEM_STRDUP(mctx, dn, zinfo->dn);
-+	zinfo->dn = isc_mem_strdup(mctx, dn);
- 	dns_zone_attach(raw, &zinfo->raw);
- 	if (secure != NULL)
- 		dns_zone_attach(secure, &zinfo->secure);
- 
- 	zinfo->settings = NULL;
--	isc_string_printf_truncate(settings_name, PRINT_BUFF_SIZE,
--				   SETTING_SET_NAME_ZONE " %s",
--				   dn);
-+	/* truncation is allowed */
-+	snprintf(settings_name, PRINT_BUFF_SIZE, SETTING_SET_NAME_ZONE " %s",
-+		 dn);
- 	CHECK(settings_set_create(mctx, zone_settings, sizeof(zone_settings),
- 				  settings_name, global_settings,
- 				  &zinfo->settings));
-@@ -341,7 +340,9 @@ delete_zone_info(void *arg1, void *arg2)
-  * @pre Zone registed is locked.
-  */
- static isc_result_t
--getzinfo(zone_register_t * const zr, dns_name_t *name, zone_info_t **zinfo) {
-+getzinfo(zone_register_t * const zr, const dns_name_t *name,
-+	 zone_info_t **zinfo)
-+{
- 	isc_result_t result;
- 	void *data = NULL;
- 
-@@ -438,8 +439,8 @@ cleanup:
-  * Either ldapdbp or rbtdbp can be NULL.
-  */
- isc_result_t
--zr_get_zone_dbs(zone_register_t *zr, dns_name_t *name, dns_db_t **ldapdbp,
--		dns_db_t **rbtdbp)
-+zr_get_zone_dbs(zone_register_t *zr, const dns_name_t *name,
-+		dns_db_t **ldapdbp, dns_db_t **rbtdbp)
- {
- 	isc_result_t result;
- 	zone_info_t *zinfo = NULL;
-@@ -539,7 +540,8 @@ zr_get_zone_ptr(zone_register_t * const
-  * 'set'.
-  */
- isc_result_t
--zr_get_zone_settings(zone_register_t *zr, dns_name_t *name, settings_set_t **set)
-+zr_get_zone_settings(zone_register_t *zr, const dns_name_t *name,
-+	             settings_set_t **set)
- {
- 	isc_result_t result;
- 	zone_info_t *zinfo = NULL;
---- a/src/ldap_driver.c
-+++ b/src/ldap_driver.c
-@@ -30,6 +30,7 @@
- #include <dns/result.h>
- #include <dns/soa.h>
- #include <dns/types.h>
-+#include <dns/rpz.h>
- 
- #include <string.h> /* For memcpy */
- 
-@@ -118,7 +119,7 @@ attach(dns_db_t *source, dns_db_t **targ
- 
- 	REQUIRE(VALID_LDAPDB(ldapdb));
- 
--	isc_refcount_increment(&ldapdb->refs, NULL);
-+	isc_refcount_increment(&ldapdb->refs);
- 	*targetp = source;
- }
- 
-@@ -126,6 +127,8 @@ attach(dns_db_t *source, dns_db_t **targ
- static void ATTR_NONNULLS
- free_ldapdb(ldapdb_t *ldapdb)
- {
-+	REQUIRE(VALID_LDAPDB(ldapdb));
-+
- #ifdef RBTDB_DEBUG
- 	isc_result_t result;
- 	dns_dbversion_t *version = NULL;
-@@ -153,8 +156,8 @@ cleanup:
- #endif
- 	dns_db_detach(&ldapdb->rbtdb);
- 	dns_name_free(&ldapdb->common.origin, ldapdb->common.mctx);
--	RUNTIME_CHECK(isc_mutex_destroy(&ldapdb->newversion_lock)
--		      == ISC_R_SUCCESS);
-+	/* isc_mutex_destroy is failing fatal now */
-+	isc_mutex_destroy(&ldapdb->newversion_lock);
- 	isc_mem_putanddetach(&ldapdb->common.mctx, ldapdb, sizeof(*ldapdb));
- }
- 
-@@ -162,17 +165,14 @@ cleanup:
- static void
- detach(dns_db_t **dbp)
- {
-+	REQUIRE(dbp != NULL && VALID_LDAPDB((ldapdb_t *)(*dbp)));
- 	ldapdb_t *ldapdb = (ldapdb_t *)(*dbp);
--	unsigned int refs;
--
--	REQUIRE(VALID_LDAPDB(ldapdb));
- 
--	isc_refcount_decrement(&ldapdb->refs, &refs);
-+	*dbp = NULL;
- 
--	if (refs == 0)
-+	if (isc_refcount_decrement(&ldapdb->refs) == 1) {
- 		free_ldapdb(ldapdb);
--
--	*dbp = NULL;
-+	}
- }
- 
- 
-@@ -322,7 +322,7 @@ closeversion(dns_db_t *db, dns_dbversion
- }
- 
- static isc_result_t
--findnode(dns_db_t *db, dns_name_t *name, bool create,
-+findnode(dns_db_t *db, const dns_name_t *name, bool create,
- 	 dns_dbnode_t **nodep)
- {
- 	ldapdb_t *ldapdb = (ldapdb_t *) db;
-@@ -333,7 +333,7 @@ findnode(dns_db_t *db, dns_name_t *name,
- }
- 
- static isc_result_t
--find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-+find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
-      dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-      dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
-      dns_rdataset_t *sigrdataset)
-@@ -347,16 +347,17 @@ find(dns_db_t *db, dns_name_t *name, dns
- }
- 
- static isc_result_t
--findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
-+findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
- 	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
--	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-+	    dns_name_t *dcname, dns_rdataset_t *rdataset,
-+	    dns_rdataset_t *sigrdataset)
- {
- 	ldapdb_t *ldapdb = (ldapdb_t *) db;
- 
- 	REQUIRE(VALID_LDAPDB(ldapdb));
- 
- 	return dns_db_findzonecut(ldapdb->rbtdb, name, options, now, nodep,
--				  foundname, rdataset, sigrdataset);
-+				  foundname, dcname, rdataset, sigrdataset);
- }
- 
- static void
-@@ -473,9 +474,7 @@ node_isempty(dns_db_t *db, dns_dbnode_t
- 	char buff[DNS_NAME_FORMATSIZE];
- 	isc_result_t result;
- 
--	dns_fixedname_init(&fname);
--
--	CHECK(ldapdb_name_fromnode(node, dns_fixedname_name(&fname)));
-+	CHECK(ldapdb_name_fromnode(node, dns_fixedname_initname(&fname)));
- 
- 	result = dns_db_allrdatasets(db, node, version, now, &rds_iter);
- 	if (result == ISC_R_NOTFOUND) {
-@@ -683,7 +682,7 @@ getnsec3parameters(dns_db_t *db, dns_dbv
- }
- 
- static isc_result_t
--findnsec3node(dns_db_t *db, dns_name_t *name, bool create,
-+findnsec3node(dns_db_t *db, const dns_name_t *name, bool create,
- 	      dns_dbnode_t **nodep)
- {
- 	ldapdb_t *ldapdb = (ldapdb_t *) db;
-@@ -745,15 +744,22 @@ getrrsetstats(dns_db_t *db) {
- }
- 
- void
--rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num)
-+rpz_attach(dns_db_t *db, void *void_rpzs, uint8_t rpz_num)
- {
- 	ldapdb_t *ldapdb = (ldapdb_t *) db;
-+	dns_rpz_zones_t *rpzs = (dns_rpz_zones_t *) void_rpzs;
-+	isc_result_t result;
- 
- 	REQUIRE(VALID_LDAPDB(ldapdb));
- 
--	dns_db_rpz_attach(ldapdb->rbtdb, rpzs, rpz_num);
-+	rpzs->zones[rpz_num]->db_registered = true;
-+	result = dns_db_updatenotify_register(ldapdb->rbtdb,
-+					      dns_rpz_dbupdate_callback,
-+					      rpzs->zones[rpz_num]);
-+	REQUIRE(result == ISC_R_SUCCESS);
- }
- 
-+/*
- isc_result_t
- rpz_ready(dns_db_t *db)
- {
-@@ -763,9 +769,10 @@ rpz_ready(dns_db_t *db)
- 
- 	return dns_db_rpz_ready(ldapdb->rbtdb);
- }
-+*/
- 
- static isc_result_t
--findnodeext(dns_db_t *db, dns_name_t *name,
-+findnodeext(dns_db_t *db, const dns_name_t *name,
- 		   bool create, dns_clientinfomethods_t *methods,
- 		   dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep)
- {
-@@ -778,7 +785,7 @@ findnodeext(dns_db_t *db, dns_name_t *na
- }
- 
- static isc_result_t
--findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-+findext(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
- 	       dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
- 	       dns_dbnode_t **nodep, dns_name_t *foundname,
- 	       dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
-@@ -882,7 +889,7 @@ static dns_dbmethods_t ldapdb_methods =
- 	isdnssec,
- 	getrrsetstats,
- 	rpz_attach,
--	rpz_ready,
-+	NULL, /* rpz_ready */
- 	findnodeext,
- 	findext,
- 	setcachestats,
-@@ -893,6 +900,7 @@ static dns_dbmethods_t ldapdb_methods =
- 	setservestalettl,
- 	getservestalettl,
- #endif
-+	NULL /* setgluecachestats */
- };
- 
- isc_result_t ATTR_NONNULLS
-@@ -942,7 +950,7 @@ dns_ns_buildrdata(dns_name_t *origin, dn
-  * @param[in] argv [0] is database instance name
-  */
- isc_result_t
--ldapdb_associate(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
-+ldapdb_associate(isc_mem_t *mctx, const dns_name_t *name, dns_dbtype_t type,
- 		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
- 		 void *driverarg, dns_db_t **dbp) {
- 
-@@ -982,14 +990,14 @@ ldapdb_create(isc_mem_t *mctx, dns_name_
- 	REQUIRE(driverarg != NULL);
- 	REQUIRE(dbp != NULL && *dbp == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, ldapdb);
-+	ldapdb = isc_mem_get(mctx, sizeof(*(ldapdb)));
- 	ZERO_PTR(ldapdb);
- 
- 	isc_mem_attach(mctx, &ldapdb->common.mctx);
--	CHECK(isc_mutex_init(&ldapdb->newversion_lock));
-+	/* isc_mutex_init and isc_condition_init failures are now fatal */
-+	isc_mutex_init(&ldapdb->newversion_lock);
- 	lock_ready = true;
- 	dns_name_init(&ldapdb->common.origin, NULL);
--	isc_ondestroy_init(&ldapdb->common.ondest);
- 
- 	ldapdb->common.magic = DNS_DB_MAGIC;
- 	ldapdb->common.impmagic = LDAPDB_MAGIC;
-@@ -1000,7 +1008,7 @@ ldapdb_create(isc_mem_t *mctx, dns_name_
- 
- 	CHECK(dns_name_dupwithoffsets(name, mctx, &ldapdb->common.origin));
- 
--	CHECK(isc_refcount_init(&ldapdb->refs, 1));
-+	isc_refcount_init(&ldapdb->refs, 1);
- 	ldapdb->ldap_inst = driverarg;
- 
- 	CHECK(dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
-@@ -1012,9 +1020,10 @@ ldapdb_create(isc_mem_t *mctx, dns_name_
- 
- cleanup:
- 	if (ldapdb != NULL) {
--		if (lock_ready == true)
--			RUNTIME_CHECK(isc_mutex_destroy(&ldapdb->newversion_lock)
--				      == ISC_R_SUCCESS);
-+		if (lock_ready == true) {
-+			/* isc_mutex_destroy errors are now fatal */
-+			isc_mutex_destroy(&ldapdb->newversion_lock);
-+		}
- 		if (dns_name_dynamic(&ldapdb->common.origin))
- 			dns_name_free(&ldapdb->common.origin, mctx);
- 
-@@ -1088,11 +1097,10 @@ dyndb_init(isc_mem_t *mctx, const char *
- 		isc_lib_register();
- 		isc_log_setcontext(dctx->lctx);
- 		dns_log_setcontext(dctx->lctx);
-+		isc_hash_set_initializer(dctx->hashinit);
- 		log_debug(5, "registering library from dynamic ldap driver, %p != %p.", dctx->refvar, &isc_bind9);
- 	}
- 
--	isc_hash_set_initializer(dctx->hashinit);
--
- 	log_debug(2, "registering dynamic ldap driver for %s.", name);
- 
- 	/* Finally, create the instance. */
---- a/src/metadb.c
-+++ b/src/metadb.c
-@@ -40,12 +40,13 @@ metadb_new(isc_mem_t *mctx, metadb_t **m
- 
- 	REQUIRE(mdbp != NULL && *mdbp == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, mdb);
-+	mdb = isc_mem_get(mctx, sizeof(*(mdb)));
- 	ZERO_PTR(mdb);
- 
- 	isc_mem_attach(mctx, &mdb->mctx);
- 
--	CHECK(isc_mutex_init(&mdb->newversion_lock));
-+	/* isc_mutex_init and isc_condition_init failures are now fatal */
-+	isc_mutex_init(&mdb->newversion_lock);
- 	lock_ready = true;
- 	CHECK(dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
- 			    dns_rdataclass_in, 0, NULL, &mdb->rbtdb));
-@@ -54,12 +55,11 @@ metadb_new(isc_mem_t *mctx, metadb_t **m
- 	return result;
- 
- cleanup:
--	if (mdb != NULL) {
--		if (lock_ready == true)
--			RUNTIME_CHECK(isc_mutex_destroy(&mdb->newversion_lock)
--				      == ISC_R_SUCCESS);
--		MEM_PUT_AND_DETACH(mdb);
-+	if (lock_ready == true) {
-+	/* isc_mutex_destroy errors are now fatal */
-+		isc_mutex_destroy(&mdb->newversion_lock);
- 	}
-+	MEM_PUT_AND_DETACH(mdb);
- 	return result;
- }
- 
-@@ -79,7 +79,8 @@ metadb_destroy(metadb_t **mdbp) {
- 	dns_db_dump(mdb->rbtdb, NULL, "/tmp/mdb.db");
- #endif
- 	dns_db_detach(&mdb->rbtdb);
--	RUNTIME_CHECK(isc_mutex_destroy(&mdb->newversion_lock) == ISC_R_SUCCESS);
-+	/* isc_mutex_destroy errors are now fatal */
-+	isc_mutex_destroy(&mdb->newversion_lock);
- 	MEM_PUT_AND_DETACH(mdb);
- 
- 	*mdbp = NULL;
-@@ -160,7 +161,7 @@ metadb_iterator_create(metadb_t *mdb, me
- 	REQUIRE(mdb != NULL);
- 	REQUIRE(miterp != NULL && *miterp == NULL);
- 
--	CHECKED_MEM_GET_PTR(mdb->mctx, miter);
-+	miter = isc_mem_get(mdb->mctx, sizeof(*(miter)));
- 	ZERO_PTR(miter);
- 
- 	isc_mem_attach(mdb->mctx, &miter->mctx);
-@@ -258,7 +259,7 @@ metadb_node_init(metadb_t *mdb, dns_dbve
- 
- 	REQUIRE(nodep != NULL && *nodep == NULL);
- 
--	CHECKED_MEM_GET_PTR(mdb->mctx, node);
-+	node = isc_mem_get(mdb->mctx, sizeof(*(node)));
- 	ZERO_PTR(node);
- 
- 	isc_mem_attach(mdb->mctx, &node->mctx);
---- a/src/semaphore.c
-+++ b/src/semaphore.c
-@@ -34,19 +34,21 @@ isc_interval_t conn_wait_timeout = { 3,
- isc_result_t
- semaphore_init(semaphore_t *sem, int value)
- {
--	isc_result_t result;
-+	isc_result_t result = ISC_R_SUCCESS;
- 
- 	REQUIRE(sem != NULL);
- 	REQUIRE(value > 0);
- 
- 	sem->value = value;
--	result = isc_mutex_init(&sem->mutex);
--	if (result != ISC_R_SUCCESS)
--		return result;
--
--	result = isc_condition_init(&sem->cond);
--	if (result != ISC_R_SUCCESS)
--		DESTROYLOCK(&sem->mutex);
-+	/* isc_mutex_init and isc_condition_init failures are now fatal */
-+	isc_mutex_init(&sem->mutex);
-+	isc_condition_init(&sem->cond);
-+	/*
-+	 * if (result != ISC_R_SUCCESS) {
-+	 *	// isc_mutex_destroy failures are now fatal
-+	 *	isc_mutex_destroy(&sem->mutex);
-+	 * }
-+	 */
- 
- 	return result;
- }
-@@ -62,7 +64,8 @@ semaphore_destroy(semaphore_t *sem)
- 	if (sem == NULL)
- 		return;
- 
--	RUNTIME_CHECK(isc_mutex_destroy(&sem->mutex) == ISC_R_SUCCESS);
-+	/* isc_mutex_destroy is now fatal */
-+	isc_mutex_destroy(&sem->mutex);
- 	RUNTIME_CHECK(isc_condition_destroy(&sem->cond) == ISC_R_SUCCESS);
- }
- 
---- a/src/syncrepl.c
-+++ b/src/syncrepl.c
-@@ -157,7 +157,7 @@ finish(isc_task_t *task, isc_event_t *ev
- 	return;
- }
- 
--static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
-+static void ATTR_NONNULLS
- sync_finishev_create(sync_ctx_t *sctx, ldap_instance_t *inst,
- 		      sync_barrierev_t **evp) {
- 	sync_barrierev_t *ev = NULL;
-@@ -170,14 +170,12 @@ sync_finishev_create(sync_ctx_t *sctx, l
- 				sctx, LDAPDB_EVENT_SYNCREPL_BARRIER,
- 				finish, NULL,
- 				sizeof(sync_barrierev_t));
--	if (ev == NULL)
--		return ISC_R_NOMEMORY;
- 
- 	ev->inst = inst;
- 	ev->sctx = sctx;
- 	*evp = ev;
- 
--	return ISC_R_SUCCESS;
-+	return;
- }
- 
- /**
-@@ -198,37 +196,32 @@ sync_finishev_create(sync_ctx_t *sctx, l
-  */
- void
- barrier_decrement(isc_task_t *task, isc_event_t *event) {
--	isc_result_t result = ISC_R_SUCCESS;
- 	sync_barrierev_t *bev = NULL;
- 	sync_barrierev_t *fev = NULL;
- 	isc_event_t *ev = NULL;
--	uint32_t cnt;
- 	bool locked = false;
- 
- 	REQUIRE(ISCAPI_TASK_VALID(task));
- 	REQUIRE(event != NULL);
- 
- 	bev = (sync_barrierev_t *)event;
--	isc_refcount_decrement(&bev->sctx->task_cnt, &cnt);
--	if (cnt == 0) {
-+	if (isc_refcount_decrement(&bev->sctx->task_cnt) == 1) {
- 		log_debug(1, "sync_barrier_wait(): barrier reached");
- 		LOCK(&bev->sctx->mutex);
- 		locked = true;
--		CHECK(sync_finishev_create(bev->sctx, bev->inst, &fev));
-+		sync_finishev_create(bev->sctx, bev->inst, &fev);
- 		ev = (isc_event_t *)fev;
- 		isc_task_send(ldap_instance_gettask(bev->sctx->inst), &ev);
- 	}
- 
--cleanup:
--	if (locked)
-+	if (locked) {
- 		UNLOCK(&bev->sctx->mutex);
--	if (result != ISC_R_SUCCESS)
--		log_error_r("barrier_decrement() failed");
-+	}
- 	isc_event_free(&event);
- 	return;
- }
- 
--static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
-+static void ATTR_NONNULLS
- sync_barrierev_create(sync_ctx_t *sctx, ldap_instance_t *inst,
- 		      sync_barrierev_t **evp) {
- 	sync_barrierev_t *ev = NULL;
-@@ -241,14 +234,12 @@ sync_barrierev_create(sync_ctx_t *sctx,
- 				sctx, LDAPDB_EVENT_SYNCREPL_BARRIER,
- 				barrier_decrement, NULL,
- 				sizeof(sync_barrierev_t));
--	if (ev == NULL)
--		return ISC_R_NOMEMORY;
- 
- 	ev->inst = inst;
- 	ev->sctx = sctx;
- 	*evp = ev;
- 
--	return ISC_R_SUCCESS;
-+	return;
- }
- 
- /**
-@@ -271,19 +262,21 @@ sync_ctx_init(isc_mem_t *mctx, ldap_inst
- 
- 	REQUIRE(sctxp != NULL && *sctxp == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, sctx);
-+	sctx = isc_mem_get(mctx, sizeof(*(sctx)));
- 	ZERO_PTR(sctx);
- 	isc_mem_attach(mctx, &sctx->mctx);
- 
- 	sctx->inst = inst;
- 
--	CHECK(isc_mutex_init(&sctx->mutex));
-+	/* isc_mutex_init failures are now fatal */
-+	isc_mutex_init(&sctx->mutex);
- 	lock_ready = true;
--	CHECK(isc_condition_init(&sctx->cond));
-+	/* isc_mutex_init failures are now fatal */
-+	isc_condition_init(&sctx->cond);
- 	cond_ready = true;
- 
- 	/* refcount includes ldap_inst->task implicitly */
--	CHECK(isc_refcount_init(&sctx->task_cnt, 0));
-+	isc_refcount_init(&sctx->task_cnt, 0);
- 	refcount_ready = true;
- 
- 	ISC_LIST_INIT(sctx->tasks);
-@@ -297,8 +290,10 @@ sync_ctx_init(isc_mem_t *mctx, ldap_inst
- 	return ISC_R_SUCCESS;
- 
- cleanup:
--	if (lock_ready == true)
--		DESTROYLOCK(&sctx->mutex);
-+	if (lock_ready == true) {
-+		/* isc_mutex_destroy failures are now fatal */
-+		isc_mutex_destroy(&sctx->mutex);
-+	}
- 	if (cond_ready == true)
- 		RUNTIME_CHECK(isc_condition_destroy(&sctx->cond)
- 			      == ISC_R_SUCCESS);
-@@ -330,14 +325,15 @@ sync_ctx_free(sync_ctx_t **sctxp) {
- 		next_taskel = NEXT(taskel, link);
- 		UNLINK(sctx->tasks, taskel, link);
- 		isc_task_detach(&taskel->task);
--		isc_refcount_decrement(&sctx->task_cnt, NULL);
-+		(void)isc_refcount_decrement(&sctx->task_cnt);
- 		SAFE_MEM_PUT_PTR(sctx->mctx, taskel);
- 	}
- 	RUNTIME_CHECK(isc_condition_destroy(&sctx->cond) == ISC_R_SUCCESS);
- 	isc_refcount_destroy(&sctx->task_cnt);
- 	UNLOCK(&sctx->mutex);
- 
--	DESTROYLOCK(&(*sctxp)->mutex);
-+	/* isc_mutex_destroy is void now */
-+	isc_mutex_destroy(&(*sctxp)->mutex);
- 	MEM_PUT_AND_DETACH(*sctxp);
- }
- 
-@@ -444,14 +440,12 @@ sync_state_reset(sync_ctx_t *sctx) {
-  */
- isc_result_t
- sync_task_add(sync_ctx_t *sctx, isc_task_t *task) {
--	isc_result_t result = ISC_R_SUCCESS;
--	uint32_t cnt;
- 	task_element_t *newel = NULL;
- 
- 	REQUIRE(sctx != NULL);
- 	REQUIRE(ISCAPI_TASK_VALID(task));
- 
--	CHECKED_MEM_GET_PTR(sctx->mctx, newel);
-+	newel = isc_mem_get(sctx->mctx, sizeof(*(newel)));
- 	ZERO_PTR(newel);
- 	ISC_LINK_INIT(newel, link);
- 	newel->task = NULL;
-@@ -460,14 +454,13 @@ sync_task_add(sync_ctx_t *sctx, isc_task
- 	LOCK(&sctx->mutex);
- 	REQUIRE(sctx->state == sync_configinit || sctx->state == sync_datainit);
- 	ISC_LIST_APPEND(sctx->tasks, newel, link);
--	isc_refcount_increment0(&sctx->task_cnt, &cnt);
-+	isc_refcount_increment0(&sctx->task_cnt);
- 	UNLOCK(&sctx->mutex);
- 
--	log_debug(2, "adding task %p to syncrepl list; %u tasks in list",
--		  task, cnt);
-+	log_debug(2, "adding task %p to syncrepl list; %u tasks in list",
-+		  task, isc_refcount_current(&sctx->task_cnt));
- 
--cleanup:
--	return result;
-+	return ISC_R_SUCCESS;
- }
- 
- /**
-@@ -483,7 +476,6 @@ cleanup:
-  */
- isc_result_t
- sync_barrier_wait(sync_ctx_t *sctx, ldap_instance_t *inst) {
--	isc_result_t result;
- 	isc_event_t *ev = NULL;
- 	sync_barrierev_t *bev = NULL;
- 	sync_state_t barrier_state;
-@@ -518,7 +510,7 @@ sync_barrier_wait(sync_ctx_t *sctx, ldap
- 	     taskel != NULL;
- 	     taskel = next_taskel) {
- 		bev = NULL;
--		CHECK(sync_barrierev_create(sctx, inst, &bev));
-+		sync_barrierev_create(sctx, inst, &bev);
- 		next_taskel = NEXT(taskel, link);
- 		UNLINK(sctx->tasks, taskel, link);
- 		ev = (isc_event_t *)bev;
-@@ -531,12 +523,12 @@ sync_barrier_wait(sync_ctx_t *sctx, ldap
- 		WAIT(&sctx->cond, &sctx->mutex);
- 	log_debug(1, "sync_barrier_wait(): all events were processed");
- 
--cleanup:
- 	UNLOCK(&sctx->mutex);
- 
--	if (ev != NULL)
-+	if (ev != NULL) {
- 		isc_event_free(&ev);
--	return result;
-+	}
-+	return ISC_R_SUCCESS;
- }
- 
- /**
---- a/src/mldap.c
-+++ b/src/mldap.c
-@@ -59,11 +59,11 @@ mldap_new(isc_mem_t *mctx, mldapdb_t **m
- 
- 	REQUIRE(mldapp != NULL && *mldapp == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, mldap);
-+	mldap = isc_mem_get(mctx, sizeof(*(mldap)));
- 	ZERO_PTR(mldap);
- 	isc_mem_attach(mctx, &mldap->mctx);
- 
--	CHECK(isc_refcount_init(&mldap->generation, 0));
-+	isc_refcount_init(&mldap->generation, 0);
- 	CHECK(metadb_new(mctx, &mldap->mdb));
- 
- 	*mldapp = mldap;
-@@ -107,7 +107,7 @@ mldap_closeversion(mldapdb_t *mldap, boo
- void mldap_cur_generation_bump(mldapdb_t *mldap) {
- 	REQUIRE(mldap != NULL);
- 
--	isc_refcount_increment0(&mldap->generation, NULL);
-+	isc_refcount_increment0(&mldap->generation);
- }
- 
- /*
-@@ -118,17 +118,12 @@ void mldap_cur_generation_bump(mldapdb_t
-  * isc_refcount_t abstractions and returns underlying type used for storing the
-  * reference counter value.
-  */
--STATIC_ASSERT((uint32_t)
--		(typeof(((isc_refcount_t *)0)->refs))
--		-1
--	      == 0xFFFFFFFF, \
--	      "negative isc_refcount_t cannot be properly shortened to 32 bits");
- 
--STATIC_ASSERT((uint32_t)
--		(typeof(((isc_refcount_t *)0)->refs))
--		0x90ABCDEF12345678
--	      == 0x12345678, \
--	      "positive isc_refcount_t cannot be properly shortened to 32 bits");
-+/* isc_refcount_t is simply atomic_uint_fast32_t now */
-+STATIC_ASSERT((uint32_t)((isc_refcount_t) -1) == 0xFFFFFFFF, \
-+	      "negative isc_refcount_t cannot be properly shortened to 32 bits");
-+STATIC_ASSERT((uint32_t)((isc_refcount_t) 0x90ABCDEF12345678) == 0x12345678, \
-+	      "negative isc_refcount_t cannot be properly shortened to 32 bits");
- 
- /**
-  * Get current MetaLDAP generation number.
-@@ -327,8 +322,8 @@ mldap_dnsname_get(metadb_node_t *node, d
- 	CHECK(metadb_rdataset_get(node, dns_rdatatype_rp, &rdataset));
- 	dns_rdataset_current(&rdataset, &rdata);
- 	CHECK(dns_rdata_tostruct(&rdata, &rp, NULL));
--	CHECK(dns_name_copy(&rp.mail, fqdn, NULL));
--	CHECK(dns_name_copy(&rp.text, zone, NULL));
-+	dns_name_copynf(&rp.mail, fqdn);
-+	dns_name_copynf(&rp.text, zone);
- 
- cleanup:
- 	if (dns_rdataset_isassociated(&rdataset))
-@@ -430,7 +425,7 @@ mldap_iter_deadnodes_start(mldapdb_t *ml
- 	REQUIRE(iterp != NULL && *iterp == NULL);
- 
- 	CHECK(metadb_iterator_create(mldap->mdb, &iter));
--	CHECKED_MEM_GET(mldap->mctx, iter->state, sizeof(uint32_t));
-+	iter->state = isc_mem_get(mldap->mctx, sizeof(uint32_t));
- 	result = dns_dbiterator_seek(iter->iter, &uuid_rootname);
- 	if (result == ISC_R_NOTFOUND) /* metaLDAP is empty */
- 		CLEANUP_WITH(ISC_R_NOMORE);
---- a/src/util.h
-+++ b/src/util.h
-@@ -35,39 +35,6 @@ extern bool verbose_checks; /* from sett
- 		}						\
- 	} while (0)
- 
--#define CHECKED_MEM_ALLOCATE(m, target_ptr, s)			\
--	do {							\
--		(target_ptr) = isc_mem_allocate((m), (s));	\
--		if ((target_ptr) == NULL) {			\
--			result = ISC_R_NOMEMORY;		\
--			log_error_position("Memory allocation failed");	\
--			goto cleanup;				\
--		}						\
--	} while (0)
--
--#define CHECKED_MEM_GET(m, target_ptr, s)			\
--	do {							\
--		(target_ptr) = isc_mem_get((m), (s));		\
--		if ((target_ptr) == NULL) {			\
--			result = ISC_R_NOMEMORY;		\
--			log_error_position("Memory allocation failed");	\
--			goto cleanup;				\
--		}						\
--	} while (0)
--
--#define CHECKED_MEM_GET_PTR(m, target_ptr)			\
--	CHECKED_MEM_GET(m, target_ptr, sizeof(*(target_ptr)))
--
--#define CHECKED_MEM_STRDUP(m, source, target)			\
--	do {							\
--		(target) = isc_mem_strdup((m), (source));	\
--		if ((target) == NULL) {				\
--			result = ISC_R_NOMEMORY;		\
--			log_error_position("Memory allocation failed");	\
--			goto cleanup;				\
--		}						\
--	} while (0)
--
- #define ZERO_PTR(ptr) memset((ptr), 0, sizeof(*(ptr)))
- 
- #define SAFE_MEM_PUT(m, target_ptr, target_size)		\
-@@ -117,38 +84,4 @@ extern bool verbose_checks; /* from sett
- #define ATTR_CHECKRESULT
- #endif
- 
--/*
-- * Static (compile-time) assert for C:
-- * C99 doesn't require support for "sizeof" in preprocessor conditionals so
-- * we can't do something like #if (sizeof(my_struct) != 512).
-- *
-- * This macro has no runtime side affects as it just defines an enum whose name
-- * depends on the current line, and whose value will give a divide by zero error
-- * at compile time if the assertion is false.
-- *
-- * Taken from
-- * http://www.pixelbeat.org/programming/gcc/static_assert.html
-- * version 10 Feb 2015. Padraig Brady told me that it is licensed under
-- * "GNU All-Permissive License":
-- *
-- * Copying and distribution of this file, with or without modification,
-- * are permitted in any medium without royalty provided the copyright notice
-- * and this notice are preserved. This code is offered as-is,
-- * without any warranty.
-- */
--#define ASSERT_CONCAT_(a, b) a##b
--#define ASSERT_CONCAT(a, b) ASSERT_CONCAT_(a, b)
--/* These can't be used after statements in c89. */
--#ifdef __COUNTER__
--  #define STATIC_ASSERT(e, m) \
--    ;enum { ASSERT_CONCAT(static_assert_, __COUNTER__) = 1/(!!(e)) }
--#else
--  /* This can't be used twice on the same line so ensure if using in headers
--   * that the headers are not included twice (by wrapping in #ifndef...#endif)
--   * Note it doesn't cause an issue when used on same line of separate modules
--   * compiled with gcc -combine -fwhole-program.  */
--  #define STATIC_ASSERT(e, m) \
--    ;enum { ASSERT_CONCAT(assert_line_, __LINE__) = 1/(!!(e)) }
--#endif
--
- #endif /* !_LD_UTIL_H_ */
---- a/src/empty_zones.c
-+++ b/src/empty_zones.c
-@@ -226,15 +226,13 @@ empty_zone_search_stop(empty_zone_search
-  * @returns @see empty_zone_search_next
-  */
- isc_result_t
--empty_zone_search_init(empty_zone_search_t *iter, dns_name_t *qname,
-+empty_zone_search_init(empty_zone_search_t *iter, const dns_name_t *qname,
-                        dns_zt_t *ztable) {
--	isc_result_t result;
--
- 	REQUIRE(iter != NULL);
- 	REQUIRE(dns_name_isabsolute(qname));
- 
- 	INIT_BUFFERED_NAME(iter->qname);
--	CHECK(dns_name_copy(qname, &iter->qname, NULL));
-+	dns_name_copynf(qname, &iter->qname);
- 
- 	INIT_BUFFERED_NAME(iter->ezname);
- 	iter->nextidx = 0;
-@@ -243,9 +241,6 @@ empty_zone_search_init(empty_zone_search
- 	dns_zt_attach(ztable, &iter->zonetable);
- 
- 	return empty_zone_search_next(iter);
--
--cleanup:
--	return result;
- }
- 
- /**
-@@ -298,7 +293,7 @@ cleanup:
-  *    it failed and user configured policy != only.
-  */
- isc_result_t
--empty_zone_handle_conflicts(dns_name_t *name, dns_zt_t *zonetable,
-+empty_zone_handle_conflicts(const dns_name_t *name, dns_zt_t *zonetable,
- 			    bool warn_only)
- {
- 	isc_result_t result;
---- a/src/empty_zones.h
-+++ b/src/empty_zones.h
-@@ -21,11 +21,11 @@ void
- empty_zone_search_stop(empty_zone_search_t *iter) ATTR_NONNULLS;
- 
- isc_result_t
--empty_zone_search_init(empty_zone_search_t *iter, dns_name_t *qname,
-+empty_zone_search_init(empty_zone_search_t *iter, const dns_name_t *qname,
- 		       dns_zt_t *ztable) ATTR_NONNULLS ATTR_CHECKRESULT;
- 
- isc_result_t
--empty_zone_handle_conflicts(dns_name_t *name, dns_zt_t *zonetable,
-+empty_zone_handle_conflicts(const dns_name_t *name, dns_zt_t *zonetable,
- 			    bool warn_only) ATTR_NONNULLS ATTR_CHECKRESULT;
- 
- /* Trigger to execute empty_zone_handle_conflicts() for dns_rootname. */
---- a/src/fwd.h
-+++ b/src/fwd.h
-@@ -26,11 +26,11 @@ fwd_parse_ldap(ldap_entry_t *entry, sett
- 	       ATTR_NONNULLS ATTR_CHECKRESULT;
- 
- isc_result_t
--fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst, dns_name_t *name)
-+fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst, const dns_name_t *name)
- 		   ATTR_NONNULLS ATTR_CHECKRESULT;
- 
- isc_result_t
--fwd_delete_table(dns_view_t *view, dns_name_t *name,
-+fwd_delete_table(dns_view_t *view, const dns_name_t *name,
- 		 const char *msg_obj_type, const char *logname)
- 		 ATTR_NONNULLS ATTR_CHECKRESULT;
- 
---- a/src/ldap_driver.h
-+++ b/src/ldap_driver.h
-@@ -23,7 +23,7 @@ ldapdb_create(isc_mem_t *mctx, dns_name_
- 	      ATTR_NONNULL(1,2,5,6);
- 
- isc_result_t
--ldapdb_associate(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
-+ldapdb_associate(isc_mem_t *mctx, const dns_name_t *name, dns_dbtype_t type,
- 		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
- 		 void *driverarg, dns_db_t **dbp) ATTR_NONNULL(1,2,7,8);
- dns_db_t *
---- a/src/zone_register.h
-+++ b/src/zone_register.h
-@@ -28,7 +28,7 @@ isc_result_t
- zr_del_zone(zone_register_t *zr, dns_name_t *origin) ATTR_NONNULLS ATTR_CHECKRESULT;
- 
- isc_result_t
--zr_get_zone_dbs(zone_register_t *zr, dns_name_t *name, dns_db_t **ldapdbp,
-+zr_get_zone_dbs(zone_register_t *zr, const dns_name_t *name, dns_db_t **ldapdbp,
- 		dns_db_t **rbtdbp) ATTR_NONNULL(1, 2) ATTR_CHECKRESULT;
- 
- isc_result_t
-@@ -40,7 +40,7 @@ zr_get_zone_ptr(zone_register_t * const
- 		ATTR_NONNULL(1,2,3) ATTR_CHECKRESULT;
- 
- isc_result_t
--zr_get_zone_settings(zone_register_t *zr, dns_name_t *name, settings_set_t **set) ATTR_NONNULLS ATTR_CHECKRESULT;
-+zr_get_zone_settings(zone_register_t *zr, const dns_name_t *name, settings_set_t **set) ATTR_NONNULLS ATTR_CHECKRESULT;
- 
- isc_result_t
- zr_get_zone_path(isc_mem_t *mctx, settings_set_t *settings,
---- a/src/rbt_helper.c
-+++ b/src/rbt_helper.c
-@@ -87,11 +87,11 @@ rbt_iter_first(isc_mem_t *mctx, dns_rbt_
- 	REQUIRE(rwlock != NULL);
- 	REQUIRE(iterp != NULL && *iterp == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, iter);
-+	iter = isc_mem_get(mctx, sizeof(*(iter)));
- 	ZERO_PTR(iter);
- 
- 	isc_mem_attach(mctx, &iter->mctx);
--	dns_rbtnodechain_init(&iter->chain, mctx);
-+	dns_rbtnodechain_init(&iter->chain);
- 	iter->rbt = rbt;
- 	iter->rwlock = rwlock;
- 	iter->locktype = isc_rwlocktype_read;
---- a/src/syncptr.c
-+++ b/src/syncptr.c
-@@ -134,7 +134,7 @@ sync_ptr_find(dns_zt_t *zonetable, zone_
- 	 * @example
- 	 * 192.168.0.1 -> 1.0.168.192.in-addr.arpa
- 	 */
--	CHECK(dns_byaddr_createptrname2(&isc_ip, 0, ptr_name));
-+	CHECK(dns_byaddr_createptrname(&isc_ip, 0, ptr_name));
- 
- 	/* Find an active zone containing owner name of the PTR record. */
- 	result = dns_zt_find(zonetable, ptr_name, 0, NULL, zone);
-@@ -392,14 +392,12 @@ sync_ptr_init(isc_mem_t *mctx, dns_zt_t
- 						LDAPDB_EVENT_SYNCPTR,
- 						sync_ptr_handler, NULL,
- 						sizeof(sync_ptrev_t));
--	if (ev == NULL)
--		CLEANUP_WITH(ISC_R_NOMEMORY);
- 
- 	ev->mctx = NULL;
- 	isc_mem_attach(mctx, &ev->mctx);
- 	INIT_BUFFERED_NAME(ev->a_name);
- 	INIT_BUFFERED_NAME(ev->ptr_name);
--	CHECK(dns_name_copy(a_name, &ev->a_name, NULL));
-+	dns_name_copynf(a_name, &ev->a_name);
- 	ev->mod_op = mod_op;
- 	strncpy(ev->ip_str, ip_str, sizeof(ev->ip_str));
- 	ev->ip_str[sizeof(ev->ip_str) - 1] = '\0';
---- a/src/fwd_register.c
-+++ b/src/fwd_register.c
-@@ -31,7 +31,7 @@ fwdr_create(isc_mem_t *mctx, fwd_registe
- 
- 	REQUIRE(fwdrp != NULL && *fwdrp == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, fwdr);
-+	fwdr = isc_mem_get(mctx, sizeof(*(fwdr)));
- 	ZERO_PTR(fwdr);
- 	isc_mem_attach(mctx, &fwdr->mctx);
- 	CHECK(dns_rbt_create(mctx, NULL, NULL, &fwdr->rbt));
-@@ -41,11 +41,10 @@ fwdr_create(isc_mem_t *mctx, fwd_registe
- 	return ISC_R_SUCCESS;
- 
- cleanup:
--	if (fwdr != NULL) {
--		if (fwdr->rbt != NULL)
--			dns_rbt_destroy(&fwdr->rbt);
--		MEM_PUT_AND_DETACH(fwdr);
-+	if (fwdr->rbt != NULL) {
-+		dns_rbt_destroy(&fwdr->rbt);
- 	}
-+	MEM_PUT_AND_DETACH(fwdr);
- 
- 	return result;
- }
---- a/src/ldap_entry.c
-+++ b/src/ldap_entry.c
-@@ -68,7 +68,6 @@ static isc_result_t ATTR_NONNULLS ATTR_C
- ldap_attr_create(isc_mem_t *mctx, LDAP *ld, LDAPMessage *ldap_entry,
- 		 ldap_attribute_t *attr)
- {
--	isc_result_t result;
- 	char **values;
- 	ldap_value_t *val;
- 
-@@ -84,7 +83,7 @@ ldap_attr_create(isc_mem_t *mctx, LDAP *
- 	attr->ldap_values = values;
- 
- 	for (unsigned int i = 0; values[i] != NULL; i++) {
--		CHECKED_MEM_GET_PTR(mctx, val);
-+		val = isc_mem_get(mctx, sizeof(*(val)));
- 		val->value = values[i];
- 		INIT_LINK(val, link);
- 
-@@ -92,12 +91,6 @@ ldap_attr_create(isc_mem_t *mctx, LDAP *
- 	}
- 
- 	return ISC_R_SUCCESS;
--
--cleanup:
--	ldap_valuelist_destroy(mctx, &attr->values);
--	ldap_value_free(values);
--
--	return result;
- }
- 
- /**
-@@ -112,7 +105,7 @@ ldap_entry_init(isc_mem_t *mctx, ldap_en
- 	REQUIRE(entryp != NULL);
- 	REQUIRE(*entryp == NULL);
- 
--	CHECKED_MEM_GET_PTR(mctx, entry);
-+	entry = isc_mem_get(mctx, sizeof(*(entry)));
- 	ZERO_PTR(entry);
- 	isc_mem_attach(mctx, &entry->mctx);
- 	INIT_LIST(entry->attrs);
-@@ -120,7 +113,7 @@ ldap_entry_init(isc_mem_t *mctx, ldap_en
- 	INIT_BUFFERED_NAME(entry->fqdn);
- 	INIT_BUFFERED_NAME(entry->zone_name);
- 
--	CHECKED_MEM_GET(mctx, entry->rdata_target_mem, DNS_RDATA_MAXLENGTH);
-+	entry->rdata_target_mem = isc_mem_get(mctx, DNS_RDATA_MAXLENGTH);
- 	CHECK(isc_lex_create(mctx, TOKENSIZ, &entry->lex));
- 
- 	*entryp = entry;
-@@ -203,7 +196,7 @@ ldap_entry_parse(isc_mem_t *mctx, LDAP *
- 	for (attribute = ldap_first_attribute(ld, ldap_entry, &ber);
- 	     attribute != NULL;
- 	     attribute = ldap_next_attribute(ld, ldap_entry, ber)) {
--		CHECKED_MEM_GET_PTR(mctx, attr);
-+		attr = isc_mem_get(mctx, sizeof(*(attr)));
- 		ZERO_PTR(attr);
- 
- 		attr->name = attribute;


=====================================
debian/patches/series
=====================================
@@ -1,3 +1,2 @@
-bind-9.16-support.diff
 fix-keytab-path.diff
 fix-werror-build.diff


=====================================
src/acl.c
=====================================
@@ -105,40 +105,25 @@ get_match_type(const cfg_obj_t *obj, unsigned int *value)
 	}
 	str = cfg_obj_asstring(obj);
 
-	MATCH("name", DNS_SSUMATCHTYPE_NAME);
-	MATCH("subdomain", DNS_SSUMATCHTYPE_SUBDOMAIN);
-	MATCH("zonesub", DNS_SSUMATCHTYPE_SUBDOMAIN);
-	MATCH("wildcard", DNS_SSUMATCHTYPE_WILDCARD);
-	MATCH("self", DNS_SSUMATCHTYPE_SELF);
-#if defined(DNS_SSUMATCHTYPE_SELFSUB) && defined(DNS_SSUMATCHTYPE_SELFWILD)
-	MATCH("selfsub", DNS_SSUMATCHTYPE_SELFSUB);
-	MATCH("selfwild", DNS_SSUMATCHTYPE_SELFWILD);
-#endif
-#ifdef DNS_SSUMATCHTYPE_SELFMS
-	MATCH("ms-self", DNS_SSUMATCHTYPE_SELFMS);
-#endif
-#ifdef DNS_SSUMATCHTYPE_SELFKRB5
-	MATCH("krb5-self", DNS_SSUMATCHTYPE_SELFKRB5);
-#endif
-
+	MATCH("name", dns_ssumatchtype_name);
+	MATCH("subdomain", dns_ssumatchtype_subdomain);
+	MATCH("zonesub", dns_ssumatchtype_subdomain);
+	MATCH("wildcard", dns_ssumatchtype_wildcard);
+	MATCH("self", dns_ssumatchtype_self);
+	MATCH("selfsub", dns_ssumatchtype_selfsub);
+	MATCH("selfwild", dns_ssumatchtype_selfwild);
+	MATCH("ms-self", dns_ssumatchtype_selfms);
+	MATCH("krb5-self", dns_ssumatchtype_selfkrb5);
 	/* At least bind 9.11.5 or 9.12.3 is required for it
 	 * as these match types are part of CVE-2018-5741 fixes */
 	MATCH("ms-selfsub", dns_ssumatchtype_selfsubms);
 	MATCH("krb5-selfsub", dns_ssumatchtype_selfsubkrb5);
 
-#ifdef DNS_SSUMATCHTYPE_SUBDOMAINMS
-	MATCH("ms-subdomain", DNS_SSUMATCHTYPE_SUBDOMAINMS);
-#endif
-#ifdef DNS_SSUMATCHTYPE_SUBDOMAINKRB5
-	MATCH("krb5-subdomain", DNS_SSUMATCHTYPE_SUBDOMAINKRB5);
-#endif
-#if defined(DNS_SSUMATCHTYPE_TCPSELF) && defined(DNS_SSUMATCHTYPE_6TO4SELF)
-	MATCH("tcp-self", DNS_SSUMATCHTYPE_TCPSELF);
-	MATCH("6to4-self", DNS_SSUMATCHTYPE_6TO4SELF);
-#endif
-#if defined(DNS_SSUMATCHTYPE_EXTERNAL)
-	MATCH("external", DNS_SSUMATCHTYPE_EXTERNAL);
-#endif
+	MATCH("ms-subdomain", dns_ssumatchtype_subdomainms);
+	MATCH("krb5-subdomain", dns_ssumatchtype_subdomainkrb5);
+	MATCH("tcp-self", dns_ssumatchtype_tcpself);
+	MATCH("6to4-self", dns_ssumatchtype_6to4self);
+	MATCH("external", dns_ssumatchtype_external);
 
 	log_bug("unsupported match type '%s'", str);
 	return ISC_R_NOTIMPLEMENTED;
@@ -178,9 +163,7 @@ get_fixed_name(const cfg_obj_t *obj, const char *name, dns_fixedname_t *fname)
 	else
 		isc_buffer_add(&buf, len);
 
-	dns_fixedname_init(fname);
-
-	result = dns_name_fromtext(dns_fixedname_name(fname), &buf,
+	result = dns_name_fromtext(dns_fixedname_initname(fname), &buf,
 				   dns_rootname, false, NULL);
 	if (result != ISC_R_SUCCESS)
 		log_error("'%s' is not a valid name", str);
@@ -217,9 +200,9 @@ get_types(isc_mem_t *mctx, const cfg_obj_t *obj, dns_rdatatype_t **typesp,
 	obj = cfg_tuple_get(obj, "types");
 
 	n = count_list_elements(obj);
-	if (n > 0)
-		CHECKED_MEM_GET(mctx, types, n * sizeof(dns_rdatatype_t));
-
+	if (n > 0) {
+		types = isc_mem_get(mctx, n * sizeof(dns_rdatatype_t));
+	}
 	i = 0;
 	for (el = cfg_list_first(obj); el != NULL; el = cfg_list_next(el)) {
 		const cfg_obj_t *typeobj;
@@ -319,10 +302,9 @@ acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone)
 		/* Use zone name for 'zonesub' match type */
 		result = get_fixed_name(stmt, "name", &fname);
 		if (result == ISC_R_NOTFOUND &&
-		    match_type == DNS_SSUMATCHTYPE_SUBDOMAIN) {
-			dns_fixedname_init(&fname);
+		    match_type == dns_ssumatchtype_subdomain) {
 			CHECK(dns_name_copy(dns_zone_getorigin(zone),
-					    dns_fixedname_name(&fname),
+					    dns_fixedname_initname(&fname),
 					    &fname.buffer));
 		}
 		else if (result != ISC_R_SUCCESS)
@@ -330,7 +312,7 @@ acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone)
 
 		CHECK(get_types(mctx, stmt, &types, &n));
 
-		if (match_type == DNS_SSUMATCHTYPE_WILDCARD &&
+		if (match_type == dns_ssumatchtype_wildcard &&
 		    !dns_name_iswildcard(dns_fixedname_name(&fname))) {
 			char name[DNS_NAME_FORMATSIZE];
 			dns_name_format(dns_fixedname_name(&fname), name,


=====================================
src/bindcfg.c
=====================================
@@ -14,6 +14,10 @@
 
 #include "bindcfg.h"
 
+#if LIBDNS_VERSION_MAJOR < 1600
+#define cfg_parse_buffer cfg_parse_buffer4
+#endif
+
 cfg_type_t *cfg_type_update_policy;
 cfg_type_t *cfg_type_allow_query;
 cfg_type_t *cfg_type_allow_transfer;
@@ -108,7 +112,7 @@ cfg_parse_strbuf(cfg_parser_t *parser, const char *string, cfg_type_t **type,
 	isc_buffer_init(&buffer, (char *)string, string_len);
 	isc_buffer_add(&buffer, string_len);
 
-	result = cfg_parse_buffer(parser, &buffer, *type, &ret);
+	result = cfg_parse_buffer(parser, &buffer, NULL, 0, *type, 0, &ret);
 
 	if (result == ISC_R_SUCCESS)
 		*objp = ret;


=====================================
src/empty_zones.c
=====================================
@@ -12,6 +12,10 @@
 #include "util.h"
 #include "zone_register.h"
 
+#if LIBDNS_VERSION_MAJOR < 1600
+#define dns_name_copynf(src, dst) dns_name_copy((src), (dst), NULL)
+#endif
+
 /**
  * These zones should not leak onto the Internet.
  * The list matches BIND commit 8f20f6c9d7ce5a0f0af6ee4c5361832d97b1c5d4
@@ -226,15 +230,13 @@ empty_zone_search_stop(empty_zone_search_t *iter) {
  * @returns @see empty_zone_search_next
  */
 isc_result_t
-empty_zone_search_init(empty_zone_search_t *iter, dns_name_t *qname,
+empty_zone_search_init(empty_zone_search_t *iter, const dns_name_t *qname,
                        dns_zt_t *ztable) {
-	isc_result_t result;
-
 	REQUIRE(iter != NULL);
 	REQUIRE(dns_name_isabsolute(qname));
 
 	INIT_BUFFERED_NAME(iter->qname);
-	CHECK(dns_name_copy(qname, &iter->qname, NULL));
+	dns_name_copynf(qname, &iter->qname);
 
 	INIT_BUFFERED_NAME(iter->ezname);
 	iter->nextidx = 0;
@@ -243,9 +245,6 @@ empty_zone_search_init(empty_zone_search_t *iter, dns_name_t *qname,
 	dns_zt_attach(ztable, &iter->zonetable);
 
 	return empty_zone_search_next(iter);
-
-cleanup:
-	return result;
 }
 
 /**
@@ -298,7 +297,7 @@ cleanup:
  *    it failed and user configured policy != only.
  */
 isc_result_t
-empty_zone_handle_conflicts(dns_name_t *name, dns_zt_t *zonetable,
+empty_zone_handle_conflicts(const dns_name_t *name, dns_zt_t *zonetable,
 			    bool warn_only)
 {
 	isc_result_t result;


=====================================
src/empty_zones.h
=====================================
@@ -21,11 +21,11 @@ void
 empty_zone_search_stop(empty_zone_search_t *iter) ATTR_NONNULLS;
 
 isc_result_t
-empty_zone_search_init(empty_zone_search_t *iter, dns_name_t *qname,
+empty_zone_search_init(empty_zone_search_t *iter, const dns_name_t *qname,
 		       dns_zt_t *ztable) ATTR_NONNULLS ATTR_CHECKRESULT;
 
 isc_result_t
-empty_zone_handle_conflicts(dns_name_t *name, dns_zt_t *zonetable,
+empty_zone_handle_conflicts(const dns_name_t *name, dns_zt_t *zonetable,
 			    bool warn_only) ATTR_NONNULLS ATTR_CHECKRESULT;
 
 /* Trigger to execute empty_zone_handle_conflicts() for dns_rootname. */


=====================================
src/fs.c
=====================================
@@ -79,7 +79,10 @@ fs_dirs_create(const char *path) {
 	char curr_path[PATH_MAX + 1];
 	char *end = NULL;
 
-	CHECK(isc_string_copy(curr_path, PATH_MAX, path));
+	/* isc_string_copy has been removed */
+	if (strlcpy(curr_path, path, PATH_MAX) >= PATH_MAX) {
+		CLEANUP_WITH(ISC_R_NOSPACE);
+	}
 
 	for (end = strchr(curr_path, '/');
 	     end != NULL;


=====================================
src/fwd.c
=====================================
@@ -20,6 +20,14 @@
 #include "settings.h"
 #include "zone_register.h"
 
+#if LIBDNS_VERSION_MAJOR < 1600
+#define cfg_parse_buffer cfg_parse_buffer4
+#define dns_view_flushcache(view, fixup) dns_view_flushcache((view))
+typedef dns_name_t       node_name_t;
+#else
+typedef const dns_name_t node_name_t;
+#endif
+
 const enum_txt_assoc_t forwarder_policy_txts[] = {
 	{ dns_fwdpolicy_none,	"none"	},
 	{ dns_fwdpolicy_first,	"first"	},
@@ -49,7 +57,6 @@ buffer_append_str(void *closure, const char *text, int textlen) {
 	isc_buffer_region(out_buf, &old_space);
 	new_space.length = isc_buffer_length(out_buf) + textlen + 1;
 	new_space.base = isc_mem_get(out_buf->mctx, new_space.length);
-	RUNTIME_CHECK(new_space.base != NULL);
 	isc_buffer_reinit(out_buf, new_space.base, new_space.length);
 	if (old_space.base != NULL)
 		isc_mem_put(out_buf->mctx, old_space.base, old_space.length);
@@ -86,7 +93,6 @@ fwd_list_len(dns_forwarders_t *fwdrs) {
 static isc_result_t
 fwd_list_gen_dummy_config_string(isc_mem_t *mctx, size_t list_len,
 				 isc_buffer_t **dummy_string) {
-	isc_result_t result;
 	const char prefix[] = "{ ";
 	const char suffix[] = "} // dummy string, please ignore";
 	const char fill[] = "127.0.0.1; ";
@@ -98,7 +104,9 @@ fwd_list_gen_dummy_config_string(isc_mem_t *mctx, size_t list_len,
 
 	REQUIRE(dummy_string != NULL && *dummy_string == NULL);
 
-	CHECK(isc_buffer_allocate(mctx, &output, target_size));
+	/* No CHECK here as isc_buffer_allocate is void and can not fail.
+	 *  See bind9: a038f77d92a857bc11750683c9317d70da6fcfdf */
+	isc_buffer_allocate(mctx, &output, target_size);
 	isc_buffer_putstr(output, prefix);
 	for (size_t i = 0; i < list_len; i++)
 		isc_buffer_putstr(output, fill);
@@ -106,11 +114,7 @@ fwd_list_gen_dummy_config_string(isc_mem_t *mctx, size_t list_len,
 	isc_buffer_putuint8(output, '\0');
 	*dummy_string = output;
 
-cleanup:
-	if (result != ISC_R_SUCCESS && output != NULL)
-		isc_buffer_free(&output);
-
-	return result;
+	return ISC_R_SUCCESS;
 }
 
 /**
@@ -122,7 +126,6 @@ cleanup:
 isc_result_t
 fwd_print_bracketed_values_buf(isc_mem_t *mctx, ldap_valuelist_t *values,
 			      isc_buffer_t **string) {
-	isc_result_t result;
 	ldap_value_t *value;
 	const char prefix[] = "{ ";
 	const char suffix[] = "}";
@@ -143,13 +146,14 @@ fwd_print_bracketed_values_buf(isc_mem_t *mctx, ldap_valuelist_t *values,
 	buffer_append_str(&tmp_buf, suffix, 2);
 
 	/* create and copy string from tmp to output buffer */
-	CHECK(isc_buffer_allocate(mctx, string, tmp_buf.used));
+        /* No CHECK here as isc_buffer_allocate is void and can not fail..
+         *  See bind9: a038f77d92a857bc11750683c9317d70da6fcfdf */
+	isc_buffer_allocate(mctx, string, tmp_buf.used);
 	isc_buffer_putmem(*string, isc_buffer_base(&tmp_buf), tmp_buf.used);
 
-cleanup:
 	if (tmp_buf.base != NULL)
 		isc_mem_put(mctx, tmp_buf.base, tmp_buf.length);
-	return result;
+	return ISC_R_SUCCESS;
 }
 
 isc_result_t
@@ -182,8 +186,8 @@ fwd_print_list_buff(isc_mem_t *mctx, dns_forwarders_t *fwdrs,
 	list_len = fwd_list_len(fwdrs);
 	CHECK(fwd_list_gen_dummy_config_string(mctx,
 					       list_len, &dummy_fwdr_buf));
-	CHECK(cfg_parse_buffer(parser, dummy_fwdr_buf,
-			       cfg_type_forwarders, &forwarders_cfg));
+	CHECK(cfg_parse_buffer(parser, dummy_fwdr_buf, NULL, 0,
+			       cfg_type_forwarders, 0, &forwarders_cfg));
 
 	/* Walk through internal representation and cfg representation and copy
 	 * data from the internal one to cfg data structures.*/
@@ -199,7 +203,7 @@ fwd_print_list_buff(isc_mem_t *mctx, dns_forwarders_t *fwdrs,
 	cfg_print(faddresses, buffer_append_str, &tmp_buf);
 
 	/* create and copy string from tmp to output buffer */
-	CHECK(isc_buffer_allocate(mctx, out_buf, tmp_buf.used));
+	isc_buffer_allocate(mctx, out_buf, tmp_buf.used);
 	isc_buffer_putmem(*out_buf, isc_buffer_base(&tmp_buf),
 			  isc_buffer_usedlength(&tmp_buf));
 
@@ -275,7 +279,7 @@ fwd_parse_str(const char *fwdrs_str, isc_mem_t *mctx,
 		addr = *cfg_obj_assockaddr(fwdr_cfg);
 		if (isc_sockaddr_getport(&addr) == 0)
 			isc_sockaddr_setport(&addr, port);
-		CHECKED_MEM_GET_PTR(mctx, fwdr);
+		fwdr = isc_mem_get(mctx, sizeof(*(fwdr)));
 		fwdr->addr = addr;
 		fwdr->dscp = cfg_obj_getdscp(fwdr_cfg);
 		ISC_LINK_INIT(fwdr, link);
@@ -494,7 +498,7 @@ cleanup:
  */
 isc_result_t
 fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst,
-		   dns_name_t *name)
+		   const dns_name_t *name)
 {
 	isc_result_t result;
 	isc_mem_t *mctx = NULL;
@@ -579,10 +583,11 @@ fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst,
 	run_exclusive_enter(inst, &lock_state);
 	CHECK(fwd_delete_table(view, name, msg_obj_type, set->name));
 	if (isconfigured == true) {
-		CHECK(dns_fwdtable_addfwd(view->fwdtable, name, &fwdrs,
+		CHECK(dns_fwdtable_addfwd(view->fwdtable,
+					  (node_name_t *) name, &fwdrs,
 					  fwdpolicy));
 	}
-	dns_view_flushcache(view);
+	dns_view_flushcache(view, false);
 	run_exclusive_exit(inst, lock_state);
 	lock_state = ISC_R_IGNORE; /* prevent double-unlock */
 	log_debug(5, "%s %s: forwarder table was updated: %s",
@@ -607,11 +612,11 @@ cleanup:
 }
 
 isc_result_t
-fwd_delete_table(dns_view_t *view, dns_name_t *name,
+fwd_delete_table(dns_view_t *view, const dns_name_t *name,
 		 const char *msg_obj_type, const char *logname) {
 	isc_result_t result;
 
-	result = dns_fwdtable_delete(view->fwdtable, name);
+	result = dns_fwdtable_delete(view->fwdtable, (node_name_t *) name);
 	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
 		log_error_r("%s %s: failed to delete forwarders",
 			    msg_obj_type, logname);


=====================================
src/fwd.h
=====================================
@@ -26,11 +26,11 @@ fwd_parse_ldap(ldap_entry_t *entry, settings_set_t *set)
 	       ATTR_NONNULLS ATTR_CHECKRESULT;
 
 isc_result_t
-fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst, dns_name_t *name)
+fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst, const dns_name_t *name)
 		   ATTR_NONNULLS ATTR_CHECKRESULT;
 
 isc_result_t
-fwd_delete_table(dns_view_t *view, dns_name_t *name,
+fwd_delete_table(dns_view_t *view, const dns_name_t *name,
 		 const char *msg_obj_type, const char *logname)
 		 ATTR_NONNULLS ATTR_CHECKRESULT;
 


=====================================
src/fwd_register.c
=====================================
@@ -31,7 +31,7 @@ fwdr_create(isc_mem_t *mctx, fwd_register_t **fwdrp)
 
 	REQUIRE(fwdrp != NULL && *fwdrp == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, fwdr);
+	fwdr = isc_mem_get(mctx, sizeof(*(fwdr)));
 	ZERO_PTR(fwdr);
 	isc_mem_attach(mctx, &fwdr->mctx);
 	CHECK(dns_rbt_create(mctx, NULL, NULL, &fwdr->rbt));
@@ -41,11 +41,10 @@ fwdr_create(isc_mem_t *mctx, fwd_register_t **fwdrp)
 	return ISC_R_SUCCESS;
 
 cleanup:
-	if (fwdr != NULL) {
-		if (fwdr->rbt != NULL)
-			dns_rbt_destroy(&fwdr->rbt);
-		MEM_PUT_AND_DETACH(fwdr);
+	if (fwdr->rbt != NULL) {
+		dns_rbt_destroy(&fwdr->rbt);
 	}
+	MEM_PUT_AND_DETACH(fwdr);
 
 	return result;
 }


=====================================
src/ldap_convert.c
=====================================
@@ -26,6 +26,10 @@
 #include "util.h"
 #include "zone_register.h"
 
+#if LIBDNS_VERSION_MAJOR < 1600
+#define dns_name_copynf(src, dst) dns_name_copy((src), (dst), NULL)
+#endif
+
 /**
  * Convert LDAP DN to absolute DNS names.
  *
@@ -131,7 +135,7 @@ dn_to_dnsname(isc_mem_t *mctx, const char *dn_str, dns_name_t *target,
 	} else if (idx == 1) { /* zone only */
 		if (iszone != NULL)
 			*iszone = true;
-		CHECK(dns_name_copy(dns_rootname, &origin, NULL));
+		dns_name_copynf(dns_rootname, &origin);
 		CHECK(dns_name_fromtext(&name, &name_buf, dns_rootname, 0, NULL));
 	} else if (idx == 2) { /* owner and zone */
 		if (iszone != NULL)
@@ -237,6 +241,7 @@ dns_to_ldap_dn_escape(isc_mem_t *mctx, const char * const dns_str, char ** ldap_
 	int idx_symb_first = -1; /* index of first "nice" printable symbol in dns_str */
 	int dns_idx = 0;
 	int esc_idx = 0;
+	int s_len;
 
 	REQUIRE(dns_str != NULL);
 	REQUIRE(ldap_name != NULL && *ldap_name == NULL);
@@ -247,7 +252,7 @@ dns_to_ldap_dn_escape(isc_mem_t *mctx, const char * const dns_str, char ** ldap_
 	 * In worst case each symbol from DNS dns_str will be represented
 	 * as "\xy" in ldap_name. (xy are hexadecimal digits)
 	 */
-	CHECKED_MEM_ALLOCATE(mctx, *ldap_name, 3 * dns_str_len + 1);
+	*ldap_name = isc_mem_allocate(mctx, 3 * dns_str_len + 1);
 	esc_name = *ldap_name;
 
 	for (dns_idx = 0; dns_idx < dns_str_len; dns_idx++) {
@@ -286,8 +291,13 @@ dns_to_ldap_dn_escape(isc_mem_t *mctx, const char * const dns_str, char ** ldap_
 			}
 			/* LDAP uses \xy escaping. "xy" represent two hexadecimal digits.*/
 			/* TODO: optimize to bit mask & rotate & dec->hex table? */
-			CHECK(isc_string_printf(esc_name + esc_idx, 4, "\\%02x", ascii_val));
-			esc_idx += 3; /* isc_string_printf wrote 4 bytes including '\0' */
+			/* isc_string_printf has been removed */
+			s_len = snprintf(esc_name + esc_idx,
+					 4, "\\%02x", ascii_val);
+			if (s_len < 0 || s_len >= 4) {
+				CLEANUP_WITH(ISC_R_NOSPACE);
+			}
+			esc_idx += 3; /* snprintf wrote 4 bytes including '\0' */
 		}
 	}
 	if (idx_symb_first != -1) { /* copy last nice part */
@@ -302,10 +312,8 @@ cleanup:
 	if (result == DNS_R_BADESCAPE)
 		log_bug("improperly escaped DNS string: '%s'", dns_str);
 
-	if (*ldap_name) {
-		isc_mem_free(mctx, *ldap_name);
-		*ldap_name = NULL;
-	}
+	isc_mem_free(mctx, *ldap_name);
+	*ldap_name = NULL;
 	return result;
 }
 
@@ -430,20 +438,30 @@ isc_result_t
 rdatatype_to_ldap_attribute(dns_rdatatype_t rdtype, char *target,
 			    unsigned int size, bool unknown)
 {
-	isc_result_t result;
+	isc_result_t result = ISC_R_SUCCESS;
 	char rdtype_str[DNS_RDATATYPE_FORMATSIZE];
 
 	if (unknown) {
 		/* "UnknownRecord;TYPE65333" */
-		CHECK(isc_string_copy(target, size,
-				      LDAP_RDATATYPE_UNKNOWN_PREFIX));
+		/* isc_string_copy and isc_string_append have been removed */
+		if (strlcpy(target, LDAP_RDATATYPE_UNKNOWN_PREFIX, size)
+		    >= size) {
+			CLEANUP_WITH(ISC_R_NOSPACE);
+		}
 		snprintf(rdtype_str, sizeof(rdtype_str), "TYPE%u", rdtype);
-		CHECK(isc_string_append(target, size, rdtype_str));
+		if (strlcat(target, rdtype_str, size) >= size) {
+			CLEANUP_WITH(ISC_R_NOSPACE);
+		}
 	} else {
 		/* "ARecord" */
 		dns_rdatatype_format(rdtype, rdtype_str, DNS_RDATATYPE_FORMATSIZE);
-		CHECK(isc_string_copy(target, size, rdtype_str));
-		CHECK(isc_string_append(target, size, LDAP_RDATATYPE_SUFFIX));
+		/* isc_string_copy and isc_string_append have been removed */
+		if (strlcpy(target, rdtype_str, size) >= size) {
+			CLEANUP_WITH(ISC_R_NOSPACE);
+		}
+		if (strlcat(target, LDAP_RDATATYPE_SUFFIX, size) >= size) {
+			CLEANUP_WITH(ISC_R_NOSPACE);
+		}
 	}
 
 cleanup:
@@ -463,8 +481,9 @@ rdata_to_generic(dns_rdata_t *rdata, isc_buffer_t *target)
 	dns_rdata_toregion(rdata, &rdata_reg);
 	REQUIRE(rdata_reg.length <= 65535);
 
-	result = isc_string_printf(buf, sizeof(buf), "\\# %u", rdata_reg.length);
-	INSIST(result == ISC_R_SUCCESS);
+	/* isc_string_printf has been removed */
+	result = snprintf(buf, sizeof(buf), "\\# %u", rdata_reg.length);
+	RUNTIME_CHECK(result < sizeof(buf));
 	isc_buffer_putstr(target, buf);
 	if (rdata_reg.length != 0U) {
 		isc_buffer_putstr(target, " ");


=====================================
src/ldap_driver.c
=====================================
@@ -30,6 +30,7 @@
 #include <dns/result.h>
 #include <dns/soa.h>
 #include <dns/types.h>
+#include <dns/rpz.h>
 
 #include <string.h> /* For memcpy */
 
@@ -51,6 +52,17 @@
 #define VALID_LDAPDB(ldapdb) \
 	((ldapdb) != NULL && (ldapdb)->common.impmagic == LDAPDB_MAGIC)
 
+#if LIBDNS_VERSION_MAJOR < 1600
+typedef dns_name_t       node_name_t;
+#else
+typedef const dns_name_t node_name_t;
+#endif
+
+isc_result_t
+ldapdb_associate(isc_mem_t *mctx, node_name_t *name, dns_dbtype_t type,
+		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		 void *driverarg, dns_db_t **dbp) ATTR_NONNULL(1,2,7,8);
+
 struct ldapdb {
 	dns_db_t			common;
 	isc_refcount_t			refs;
@@ -118,7 +130,11 @@ attach(dns_db_t *source, dns_db_t **targetp)
 
 	REQUIRE(VALID_LDAPDB(ldapdb));
 
+#if LIBDNS_VERSION_MAJOR < 1600
 	isc_refcount_increment(&ldapdb->refs, NULL);
+#else
+	isc_refcount_increment(&ldapdb->refs);
+#endif
 	*targetp = source;
 }
 
@@ -126,6 +142,8 @@ attach(dns_db_t *source, dns_db_t **targetp)
 static void ATTR_NONNULLS
 free_ldapdb(ldapdb_t *ldapdb)
 {
+	REQUIRE(VALID_LDAPDB(ldapdb));
+
 #ifdef RBTDB_DEBUG
 	isc_result_t result;
 	dns_dbversion_t *version = NULL;
@@ -153,8 +171,8 @@ cleanup:
 #endif
 	dns_db_detach(&ldapdb->rbtdb);
 	dns_name_free(&ldapdb->common.origin, ldapdb->common.mctx);
-	RUNTIME_CHECK(isc_mutex_destroy(&ldapdb->newversion_lock)
-		      == ISC_R_SUCCESS);
+	/* isc_mutex_destroy is failing fatal now */
+	isc_mutex_destroy(&ldapdb->newversion_lock);
 	isc_mem_putanddetach(&ldapdb->common.mctx, ldapdb, sizeof(*ldapdb));
 }
 
@@ -162,17 +180,24 @@ cleanup:
 static void
 detach(dns_db_t **dbp)
 {
-	ldapdb_t *ldapdb = (ldapdb_t *)(*dbp);
+	ldapdb_t *ldapdb;
 	unsigned int refs;
 
-	REQUIRE(VALID_LDAPDB(ldapdb));
+	REQUIRE(dbp != NULL && VALID_LDAPDB((ldapdb_t *)(*dbp)));
 
+	ldapdb = (ldapdb_t *)(*dbp);
+	*dbp = NULL;
+
+#if LIBDNS_VERSION_MAJOR < 1600
 	isc_refcount_decrement(&ldapdb->refs, &refs);
+#else
+	/* isc_refcount_decrement only has one argument now */
+	refs = isc_refcount_decrement(&ldapdb->refs);
+#endif
 
-	if (refs == 0)
+	if (refs == 1) {
 		free_ldapdb(ldapdb);
-
-	*dbp = NULL;
+	}
 }
 
 
@@ -322,7 +347,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit)
 }
 
 static isc_result_t
-findnode(dns_db_t *db, dns_name_t *name, bool create,
+findnode(dns_db_t *db, node_name_t *name, bool create,
 	 dns_dbnode_t **nodep)
 {
 	ldapdb_t *ldapdb = (ldapdb_t *) db;
@@ -333,7 +358,7 @@ findnode(dns_db_t *db, dns_name_t *name, bool create,
 }
 
 static isc_result_t
-find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+find(dns_db_t *db, node_name_t *name, dns_dbversion_t *version,
      dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
      dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
      dns_rdataset_t *sigrdataset)
@@ -342,21 +367,29 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 	REQUIRE(VALID_LDAPDB(ldapdb));
 
-	return dns_db_find(ldapdb->rbtdb, name, version, type, options, now,
-			   nodep, foundname, rdataset, sigrdataset);
+	return dns_db_find(ldapdb->rbtdb, name, version, type,
+			   options, now, nodep, foundname, rdataset,
+			   sigrdataset);
 }
 
 static isc_result_t
-findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
+findzonecut(dns_db_t *db, node_name_t *name, unsigned int options,
 	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
+#if LIBDNS_VERSION_MAJOR >= 1600
+	    dns_name_t *dcname,
+#endif
 	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
 {
 	ldapdb_t *ldapdb = (ldapdb_t *) db;
 
 	REQUIRE(VALID_LDAPDB(ldapdb));
 
-	return dns_db_findzonecut(ldapdb->rbtdb, name, options, now, nodep,
-				  foundname, rdataset, sigrdataset);
+	return dns_db_findzonecut(ldapdb->rbtdb, name, options,
+				  now, nodep, foundname,
+#if LIBDNS_VERSION_MAJOR >= 1600
+				  dcname,
+#endif
+				  rdataset, sigrdataset);
 }
 
 static void
@@ -473,9 +506,7 @@ node_isempty(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	char buff[DNS_NAME_FORMATSIZE];
 	isc_result_t result;
 
-	dns_fixedname_init(&fname);
-
-	CHECK(ldapdb_name_fromnode(node, dns_fixedname_name(&fname)));
+	CHECK(ldapdb_name_fromnode(node, dns_fixedname_initname(&fname)));
 
 	result = dns_db_allrdatasets(db, node, version, now, &rds_iter);
 	if (result == ISC_R_NOTFOUND) {
@@ -683,7 +714,7 @@ getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
 }
 
 static isc_result_t
-findnsec3node(dns_db_t *db, dns_name_t *name, bool create,
+findnsec3node(dns_db_t *db, node_name_t *name, bool create,
 	      dns_dbnode_t **nodep)
 {
 	ldapdb_t *ldapdb = (ldapdb_t *) db;
@@ -744,8 +775,9 @@ getrrsetstats(dns_db_t *db) {
 
 }
 
+#if LIBDNS_VERSION_MAJOR < 1600
 void
-rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num)
+rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, uint8_t rpz_num)
 {
 	ldapdb_t *ldapdb = (ldapdb_t *) db;
 
@@ -753,7 +785,25 @@ rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num)
 
 	dns_db_rpz_attach(ldapdb->rbtdb, rpzs, rpz_num);
 }
+#else
+void
+rpz_attach(dns_db_t *db, void *void_rpzs, uint8_t rpz_num)
+{
+	ldapdb_t *ldapdb = (ldapdb_t *) db;
+	dns_rpz_zones_t *rpzs = (dns_rpz_zones_t *) void_rpzs;
+	isc_result_t result;
+
+	REQUIRE(VALID_LDAPDB(ldapdb));
+
+	rpzs->zones[rpz_num]->db_registered = true;
+	result = dns_db_updatenotify_register(ldapdb->rbtdb,
+					      dns_rpz_dbupdate_callback,
+					      rpzs->zones[rpz_num]);
+	REQUIRE(result == ISC_R_SUCCESS);
+}
+#endif
 
+/*
 isc_result_t
 rpz_ready(dns_db_t *db)
 {
@@ -763,9 +813,10 @@ rpz_ready(dns_db_t *db)
 
 	return dns_db_rpz_ready(ldapdb->rbtdb);
 }
+*/
 
 static isc_result_t
-findnodeext(dns_db_t *db, dns_name_t *name,
+findnodeext(dns_db_t *db, node_name_t *name,
 		   bool create, dns_clientinfomethods_t *methods,
 		   dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep)
 {
@@ -778,7 +829,7 @@ findnodeext(dns_db_t *db, dns_name_t *name,
 }
 
 static isc_result_t
-findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+findext(dns_db_t *db, node_name_t *name, dns_dbversion_t *version,
 	       dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
 	       dns_dbnode_t **nodep, dns_name_t *foundname,
 	       dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
@@ -843,6 +894,19 @@ getservestalettl(dns_db_t *db, dns_ttl_t *ttl) {
 }
 #endif
 
+#if LIBDNS_VERSION_MAJOR >= 1606
+/* Used for cache size adjustments, called by dns_cache_setcachesize.
+ * Just proxy to rbtdb implementation. */
+static isc_result_t
+adjusthashsize(dns_db_t *db, size_t size) {
+	ldapdb_t *ldapdb = (ldapdb_t *) db;
+
+	REQUIRE(VALID_LDAPDB(ldapdb));
+
+	return dns_db_adjusthashsize(ldapdb->rbtdb, size);
+}
+#endif
+
 static dns_dbmethods_t ldapdb_methods = {
 	attach,
 	detach,
@@ -882,7 +946,7 @@ static dns_dbmethods_t ldapdb_methods = {
 	isdnssec,
 	getrrsetstats,
 	rpz_attach,
-	rpz_ready,
+	NULL, /* rpz_ready */
 	findnodeext,
 	findext,
 	setcachestats,
@@ -893,6 +957,12 @@ static dns_dbmethods_t ldapdb_methods = {
 	setservestalettl,
 	getservestalettl,
 #endif
+#if LIBDNS_VERSION_MAJOR >= 1600
+	NULL, /* setgluecachestats */
+#endif
+#if LIBDNS_VERSION_MAJOR >= 1606
+	adjusthashsize, /* adjusthashsize */
+#endif
 };
 
 isc_result_t ATTR_NONNULLS
@@ -942,7 +1012,7 @@ dns_ns_buildrdata(dns_name_t *origin, dns_name_t *ns_name,
  * @param[in] argv [0] is database instance name
  */
 isc_result_t
-ldapdb_associate(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
+ldapdb_associate(isc_mem_t *mctx, node_name_t *name, dns_dbtype_t type,
 		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
 		 void *driverarg, dns_db_t **dbp) {
 
@@ -982,14 +1052,14 @@ ldapdb_create(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
 	REQUIRE(driverarg != NULL);
 	REQUIRE(dbp != NULL && *dbp == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, ldapdb);
+	ldapdb = isc_mem_get(mctx, sizeof(*(ldapdb)));
 	ZERO_PTR(ldapdb);
 
 	isc_mem_attach(mctx, &ldapdb->common.mctx);
-	CHECK(isc_mutex_init(&ldapdb->newversion_lock));
+	/* isc_mutex_init and isc_condition_init failures are now fatal */
+	isc_mutex_init(&ldapdb->newversion_lock);
 	lock_ready = true;
 	dns_name_init(&ldapdb->common.origin, NULL);
-	isc_ondestroy_init(&ldapdb->common.ondest);
 
 	ldapdb->common.magic = DNS_DB_MAGIC;
 	ldapdb->common.impmagic = LDAPDB_MAGIC;
@@ -1000,7 +1070,7 @@ ldapdb_create(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
 
 	CHECK(dns_name_dupwithoffsets(name, mctx, &ldapdb->common.origin));
 
-	CHECK(isc_refcount_init(&ldapdb->refs, 1));
+	isc_refcount_init(&ldapdb->refs, 1);
 	ldapdb->ldap_inst = driverarg;
 
 	CHECK(dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
@@ -1012,9 +1082,10 @@ ldapdb_create(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
 
 cleanup:
 	if (ldapdb != NULL) {
-		if (lock_ready == true)
-			RUNTIME_CHECK(isc_mutex_destroy(&ldapdb->newversion_lock)
-				      == ISC_R_SUCCESS);
+		if (lock_ready == true) {
+			/* isc_mutex_destroy errors are now fatal */
+			isc_mutex_destroy(&ldapdb->newversion_lock);
+		}
 		if (dns_name_dynamic(&ldapdb->common.origin))
 			dns_name_free(&ldapdb->common.origin, mctx);
 
@@ -1088,11 +1159,10 @@ dyndb_init(isc_mem_t *mctx, const char *name, const char *parameters,
 		isc_lib_register();
 		isc_log_setcontext(dctx->lctx);
 		dns_log_setcontext(dctx->lctx);
+		isc_hash_set_initializer(dctx->hashinit);
 		log_debug(5, "registering library from dynamic ldap driver, %p != %p.", dctx->refvar, &isc_bind9);
 	}
 
-	isc_hash_set_initializer(dctx->hashinit);
-
 	log_debug(2, "registering dynamic ldap driver for %s.", name);
 
 	/* Finally, create the instance. */


=====================================
src/ldap_driver.h
=====================================
@@ -22,10 +22,12 @@ ldapdb_create(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
 	      dns_rdataclass_t rdclass, void *driverarg, dns_db_t **dbp)
 	      ATTR_NONNULL(1,2,5,6);
 
+#if 0
 isc_result_t
-ldapdb_associate(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
+ldapdb_associate(isc_mem_t *mctx, const dns_name_t *name, dns_dbtype_t type,
 		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
 		 void *driverarg, dns_db_t **dbp) ATTR_NONNULL(1,2,7,8);
+#endif
 dns_db_t *
 ldapdb_get_rbtdb(dns_db_t *db) ATTR_NONNULLS;
 


=====================================
src/ldap_entry.c
=====================================
@@ -68,7 +68,6 @@ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 ldap_attr_create(isc_mem_t *mctx, LDAP *ld, LDAPMessage *ldap_entry,
 		 ldap_attribute_t *attr)
 {
-	isc_result_t result;
 	char **values;
 	ldap_value_t *val;
 
@@ -84,7 +83,7 @@ ldap_attr_create(isc_mem_t *mctx, LDAP *ld, LDAPMessage *ldap_entry,
 	attr->ldap_values = values;
 
 	for (unsigned int i = 0; values[i] != NULL; i++) {
-		CHECKED_MEM_GET_PTR(mctx, val);
+		val = isc_mem_get(mctx, sizeof(*(val)));
 		val->value = values[i];
 		INIT_LINK(val, link);
 
@@ -92,12 +91,6 @@ ldap_attr_create(isc_mem_t *mctx, LDAP *ld, LDAPMessage *ldap_entry,
 	}
 
 	return ISC_R_SUCCESS;
-
-cleanup:
-	ldap_valuelist_destroy(mctx, &attr->values);
-	ldap_value_free(values);
-
-	return result;
 }
 
 /**
@@ -112,7 +105,7 @@ ldap_entry_init(isc_mem_t *mctx, ldap_entry_t **entryp) {
 	REQUIRE(entryp != NULL);
 	REQUIRE(*entryp == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, entry);
+	entry = isc_mem_get(mctx, sizeof(*(entry)));
 	ZERO_PTR(entry);
 	isc_mem_attach(mctx, &entry->mctx);
 	INIT_LIST(entry->attrs);
@@ -120,7 +113,7 @@ ldap_entry_init(isc_mem_t *mctx, ldap_entry_t **entryp) {
 	INIT_BUFFERED_NAME(entry->fqdn);
 	INIT_BUFFERED_NAME(entry->zone_name);
 
-	CHECKED_MEM_GET(mctx, entry->rdata_target_mem, DNS_RDATA_MAXLENGTH);
+	entry->rdata_target_mem = isc_mem_get(mctx, DNS_RDATA_MAXLENGTH);
 	CHECK(isc_lex_create(mctx, TOKENSIZ, &entry->lex));
 
 	*entryp = entry;
@@ -203,7 +196,7 @@ ldap_entry_parse(isc_mem_t *mctx, LDAP *ld, LDAPMessage *ldap_entry,
 	for (attribute = ldap_first_attribute(ld, ldap_entry, &ber);
 	     attribute != NULL;
 	     attribute = ldap_next_attribute(ld, ldap_entry, ber)) {
-		CHECKED_MEM_GET_PTR(mctx, attr);
+		attr = isc_mem_get(mctx, sizeof(*(attr)));
 		ZERO_PTR(attr);
 
 		attr->name = attribute;


=====================================
src/ldap_helper.c
=====================================
@@ -3,6 +3,8 @@
  */
 
 #include "config.h"
+#define HAVE_TLS 1
+#define HAVE_THREAD_LOCAL 1
 
 #include <dns/dyndb.h>
 #include <dns/diff.h>
@@ -91,6 +93,16 @@
 		}							\
 	} while (0)
 
+#if LIBDNS_VERSION_MAJOR < 1600
+#define dns_fwdtable_find             dns_fwdtable_find2
+#define dns_zone_getserial            dns_zone_getserial2
+#define dns_zone_load(zone, newonly)  dns_zone_load((zone))
+#define dns_zone_setfile              dns_zone_setfile3
+typedef dns_name_t       node_name_t;
+#else
+typedef const dns_name_t node_name_t;
+#endif
+
 /*
  * LDAP related typedefs and structs.
  */
@@ -371,6 +383,12 @@ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 zone_master_reconfigure_nsec3param(settings_set_t *zone_settings,
 				   dns_zone_t *secure);
 
+/* external function from ldap_driver.c */
+isc_result_t
+ldapdb_associate(isc_mem_t *mctx, node_name_t *name, dns_dbtype_t type,
+		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		 void *driverarg, dns_db_t **dbp) ATTR_NONNULL(1,2,7,8);
+
 #define PRINT_BUFF_SIZE 10 /* for unsigned int 2^32 */
 isc_result_t
 validate_local_instance_settings(ldap_instance_t *inst, settings_set_t *set) {
@@ -390,6 +408,7 @@ validate_local_instance_settings(ldap_instance_t *inst, settings_set_t *set) {
 	char print_buff[PRINT_BUFF_SIZE];
 	const char *auth_method_str = NULL;
 	ldap_auth_t auth_method_enum = AUTH_INVALID;
+	int s_len;
 
 	if (strlen(inst->db_name) <= 0) {
 		log_error("LDAP instance name cannot be empty");
@@ -445,7 +464,12 @@ validate_local_instance_settings(ldap_instance_t *inst, settings_set_t *set) {
 			  auth_method_str);
 		CLEANUP_WITH(ISC_R_FAILURE);
 	}
-	CHECK(isc_string_printf(print_buff, PRINT_BUFF_SIZE, "%u", auth_method_enum));
+	/* isc_string_printf has been removed */
+	s_len = snprintf(print_buff, PRINT_BUFF_SIZE, "%u", auth_method_enum);
+	if (s_len < 0 || s_len >= PRINT_BUFF_SIZE) {
+		CLEANUP_WITH(ISC_R_NOSPACE);
+	}
+
 	CHECK(setting_set("auth_method_enum", inst->local_settings, print_buff));
 
 	/* check we have the right data when SASL/GSSAPI is selected */
@@ -543,11 +567,11 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, const char *parameters,
 
 	REQUIRE(ldap_instp != NULL && *ldap_instp == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, ldap_inst);
+	ldap_inst = isc_mem_get(mctx, sizeof(*(ldap_inst)));
 	ZERO_PTR(ldap_inst);
-	CHECK(isc_refcount_init(&ldap_inst->errors, 0));
+	isc_refcount_init(&ldap_inst->errors, 0);
 	isc_mem_attach(mctx, &ldap_inst->mctx);
-	CHECKED_MEM_STRDUP(mctx, db_name, ldap_inst->db_name);
+	ldap_inst->db_name = isc_mem_strdup(mctx, db_name);
 	dns_view_attach(dctx->view, &ldap_inst->view);
 	dns_zonemgr_attach(dctx->zmgr, &ldap_inst->zmgr);
 	isc_task_attach(dctx->task, &ldap_inst->task);
@@ -555,16 +579,18 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, const char *parameters,
 	ldap_inst->watcher = 0;
 	CHECK(sync_ctx_init(ldap_inst->mctx, ldap_inst, &ldap_inst->sctx));
 
-	isc_string_printf_truncate(settings_name, PRINT_BUFF_SIZE,
-				   SETTING_SET_NAME_LOCAL " for database %s",
-				   ldap_inst->db_name);
+	/* truncation is allowed */
+	snprintf(settings_name, PRINT_BUFF_SIZE,
+		 SETTING_SET_NAME_LOCAL " for database %s",
+		 ldap_inst->db_name);
 	CHECK(settings_set_create(mctx, settings_local_default,
 	      sizeof(settings_local_default), settings_name,
 	      &settings_default_set, &ldap_inst->local_settings));
 
-	isc_string_printf_truncate(settings_name, PRINT_BUFF_SIZE,
-				   SETTING_SET_NAME_GLOBAL " for database %s",
-				   ldap_inst->db_name);
+	/* truncation is allowed */
+	snprintf(settings_name, PRINT_BUFF_SIZE,
+		 SETTING_SET_NAME_GLOBAL " for database %s",
+		 ldap_inst->db_name);
 	CHECK(settings_set_create(mctx, settings_global_default,
 	      sizeof(settings_global_default), settings_name,
 	      ldap_inst->local_settings, &ldap_inst->global_settings));
@@ -576,7 +602,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, const char *parameters,
 	/* copy global forwarders setting for configuration roll back in
 	 * configure_zone_forwarders() */
 	result = dns_fwdtable_find(ldap_inst->view->fwdtable, dns_rootname,
-				   &named_conf_forwarders);
+				   NULL, &named_conf_forwarders);
 	if (result == ISC_R_SUCCESS) {
 		/* Copy forwarding config from named.conf into local_settings */
 		CHECK(fwd_print_list_buff(mctx, named_conf_forwarders,
@@ -602,8 +628,6 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, const char *parameters,
 					empty_zone_handle_globalfwd_ev,
 					ldap_inst->view->zonetable,
 					sizeof(ldap_globalfwd_handleez_t));
-		if (gfwdevent == NULL)
-			CLEANUP_WITH(ISC_R_NOMEMORY);
 		/* policy == first does not override automatic empty zones */
 		gfwdevent->warn_only = (named_conf_forwarders->fwdpolicy
 					== dns_fwdpolicy_first);
@@ -628,14 +652,16 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, const char *parameters,
 	/* zero-length server_id means undefined value */
 	CHECK(setting_get_str("server_id", ldap_inst->local_settings,
 			      &server_id));
-	if (strlen(server_id) == 0)
-		isc_string_printf_truncate(settings_name, PRINT_BUFF_SIZE,
-					   SETTING_SET_NAME_SERVER
-					   " for undefined server_id");
-	else
-		isc_string_printf_truncate(settings_name, PRINT_BUFF_SIZE,
-					   SETTING_SET_NAME_SERVER
-					   " for server id %s", server_id);
+	if (strlen(server_id) == 0) {
+		/* truncation is allowed */
+		snprintf(settings_name, PRINT_BUFF_SIZE,
+			 SETTING_SET_NAME_SERVER " for undefined server_id");
+	} else {
+		/* truncation is allowed */
+		snprintf(settings_name, PRINT_BUFF_SIZE,
+			 SETTING_SET_NAME_SERVER
+			 " for server id %s", server_id);
+	}
 
 	CHECK(settings_set_create(mctx, settings_server_ldap_default,
 	      sizeof(settings_server_ldap_default), settings_name,
@@ -656,7 +682,8 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, const char *parameters,
 	CHECK(fwdr_create(ldap_inst->mctx, &ldap_inst->fwd_register));
 	CHECK(mldap_new(mctx, &ldap_inst->mldapdb));
 
-	CHECK(isc_mutex_init(&ldap_inst->kinit_lock));
+	/* isc_mutex_init and isc_condition_init failures are now fatal */
+	isc_mutex_init(&ldap_inst->kinit_lock);
 
 	CHECK(ldap_pool_create(mctx, connections, &ldap_inst->pool));
 	CHECK(ldap_pool_connect(ldap_inst->pool, ldap_inst));
@@ -666,13 +693,16 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, const char *parameters,
 			      mctx, &ldap_inst->db_imp));
 
 	/* Start the watcher thread */
-	result = isc_thread_create(ldap_syncrepl_watcher, ldap_inst,
-				   &ldap_inst->watcher);
-	if (result != ISC_R_SUCCESS) {
-		ldap_inst->watcher = 0;
-		log_error("Failed to create syncrepl watcher thread");
-		goto cleanup;
-	}
+	/* isc_thread_create assert internally on failure */
+	isc_thread_create(ldap_syncrepl_watcher, ldap_inst,
+			  &ldap_inst->watcher);
+	/*
+	 * if (result != ISC_R_SUCCESS) {
+	 *	ldap_inst->watcher = 0;
+	 *	log_error("Failed to create syncrepl watcher thread");
+	 *	goto cleanup;
+	 * }
+	 */
 
 cleanup:
 	if (forwarders_list != NULL)
@@ -714,8 +744,8 @@ ldap_syncrepl_watcher_shutdown(ldap_instance_t *ldap_inst)
 				  "(already terminated?)");
 	}
 
-	RUNTIME_CHECK(isc_thread_join(ldap_inst->watcher, NULL)
-		      == ISC_R_SUCCESS);
+	/* isc_thread_join assert internally on failure */
+	isc_thread_join(ldap_inst->watcher, NULL);
 }
 
 void
@@ -749,7 +779,8 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp)
 	if (ldap_inst->task != NULL)
 		isc_task_detach(&ldap_inst->task);
 
-	DESTROYLOCK(&ldap_inst->kinit_lock);
+	/* isc_mutex_init and isc_condition_init failures are now fatal */
+	isc_mutex_destroy(&ldap_inst->kinit_lock);
 
 	settings_set_free(&ldap_inst->global_settings);
 	settings_set_free(&ldap_inst->local_settings);
@@ -773,31 +804,28 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp)
 static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 new_ldap_connection(ldap_pool_t *pool, ldap_connection_t **ldap_connp)
 {
-	isc_result_t result;
 	ldap_connection_t *ldap_conn;
 
 	REQUIRE(pool != NULL);
 	REQUIRE(ldap_connp != NULL && *ldap_connp == NULL);
 
-	CHECKED_MEM_GET_PTR(pool->mctx, ldap_conn);
+	ldap_conn = isc_mem_get(pool->mctx, sizeof(*(ldap_conn)));
 	ZERO_PTR(ldap_conn);
 
-	result = isc_mutex_init(&ldap_conn->lock);
-	if (result != ISC_R_SUCCESS) {
-		SAFE_MEM_PUT_PTR(pool->mctx, ldap_conn);
-		return result;
-	}
+	/* isc_mutex_init and isc_condition_init failures are now fatal */
+	isc_mutex_init(&ldap_conn->lock);
+	/*
+	 * if (result != ISC_R_SUCCESS) {
+	 *	SAFE_MEM_PUT_PTR(pool->mctx, ldap_conn);
+	 *	return result;
+	 * }
+	 */
 
 	isc_mem_attach(pool->mctx, &ldap_conn->mctx);
 
 	*ldap_connp = ldap_conn;
 
 	return ISC_R_SUCCESS;
-
-cleanup:
-	destroy_ldap_connection(&ldap_conn);
-
-	return result;
 }
 
 static void
@@ -811,7 +839,8 @@ destroy_ldap_connection(ldap_connection_t **ldap_connp)
 	if (ldap_conn == NULL)
 		return;
 
-	DESTROYLOCK(&ldap_conn->lock);
+	 /* isc_mutex_init and isc_condition_init failures are now fatal */
+	isc_mutex_destroy(&ldap_conn->lock);
 	if (ldap_conn->handle != NULL)
 		ldap_unbind_ext_s(ldap_conn->handle, NULL, NULL);
 
@@ -825,6 +854,7 @@ cleanup_zone_files(dns_zone_t *zone) {
 	const char *filename = NULL;
 	dns_zone_t *raw = NULL;
 	int namelen;
+	int s_len;
 	char bck_filename[PATH_MAX];
 
 	dns_zone_getraw(zone, &raw);
@@ -847,8 +877,11 @@ cleanup_zone_files(dns_zone_t *zone) {
 	namelen = strlen(filename);
 	if (namelen > 4 && strcmp(filename + namelen - 4, ".jnl") == 0)
 		namelen -= 4;
-	CHECK(isc_string_printf(bck_filename, sizeof(bck_filename),
-				"%.*s.jbk", namelen, filename));
+	s_len = snprintf(bck_filename, sizeof(bck_filename),
+			 "%.*s.jbk", namelen, filename);
+	if (s_len < 0 || (unsigned)s_len >= sizeof(bck_filename)) {
+		CLEANUP_WITH(ISC_R_NOSPACE);
+	}
 	CHECK(fs_file_remove(bck_filename));
 
 cleanup:
@@ -941,7 +974,8 @@ configure_paths(isc_mem_t *mctx, ldap_instance_t *inst, dns_zone_t *zone,
 	CHECK(zr_get_zone_path(mctx, ldap_instance_getsettings_local(inst),
 			       dns_zone_getorigin(zone),
 			       (issecure ? "signed" : "raw"), &file_name));
-	CHECK(dns_zone_setfile(zone, str_buf(file_name)));
+	CHECK(dns_zone_setfile(zone, str_buf(file_name), dns_masterformat_text,
+			       &dns_master_style_default));
 	if (issecure == true) {
 		CHECK(zr_get_zone_path(mctx,
 				       ldap_instance_getsettings_local(inst),
@@ -990,8 +1024,9 @@ create_zone(ldap_instance_t * const inst, const char * const dn,
 	dns_zone_setclass(raw, dns_rdataclass_in);
 	dns_zone_settype(raw, dns_zone_master);
 	/* dns_zone_setview(raw, view); */
-	CHECK(dns_zone_setdbtype(raw, sizeof(ldap_argv)/sizeof(ldap_argv[0]),
-				 ldap_argv));
+	/* dns_zone_setdbtype is now void as it could no longer return */
+	dns_zone_setdbtype(raw, sizeof(ldap_argv)/sizeof(ldap_argv[0]),
+			   ldap_argv);
 	CHECK(configure_paths(inst->mctx, inst, raw, false));
 
 	if (want_secure == false) {
@@ -1003,7 +1038,9 @@ create_zone(ldap_instance_t * const inst, const char * const dn,
 		dns_zone_setclass(secure, dns_rdataclass_in);
 		dns_zone_settype(secure, dns_zone_master);
 		/* dns_zone_setview(secure, view); */
-		CHECK(dns_zone_setdbtype(secure, 1, rbt_argv));
+		/* dns_zone_setdbtype is now void as it could no longer
+		 * return */
+		dns_zone_setdbtype(secure, 1, rbt_argv);
 		CHECK(dns_zonemgr_managezone(inst->zmgr, secure));
 		CHECK(dns_zone_link(secure, raw));
 		dns_zone_rekey(secure, true);
@@ -1055,7 +1092,7 @@ load_zone(dns_zone_t *zone, bool log) {
 	uint32_t serial;
 	dns_zone_t *raw = NULL;
 
-	result = dns_zone_load(zone);
+	result = dns_zone_load(zone, false);
 	if (result != ISC_R_SUCCESS && result != DNS_R_UPTODATE
 	    && result != DNS_R_DYNAMIC && result != DNS_R_CONTINUE)
 		goto cleanup;
@@ -1067,11 +1104,11 @@ load_zone(dns_zone_t *zone, bool log) {
 		zone = NULL;
 	}
 
-	CHECK(dns_zone_getserial2(raw, &serial));
+	CHECK(dns_zone_getserial(raw, &serial));
 	if (log == true)
 		dns_zone_log(raw, ISC_LOG_INFO, "loaded serial %u", serial);
 	if (zone != NULL) {
-		result = dns_zone_getserial2(zone, &serial);
+		result = dns_zone_getserial(zone, &serial);
 		if (result == ISC_R_SUCCESS && log == true)
 			dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u",
 				     serial);
@@ -1708,6 +1745,7 @@ ldap_replace_serial(ldap_instance_t *inst, dns_name_t *zone,
 	LDAPMod change;
 	LDAPMod *changep[2] = { &change, NULL };
 	ld_string_t *dn = NULL;
+	int s_len;
 
 	REQUIRE(inst != NULL);
 
@@ -1717,7 +1755,10 @@ ldap_replace_serial(ldap_instance_t *inst, dns_name_t *zone,
 	change.mod_op = LDAP_MOD_REPLACE;
 	change.mod_type = "idnsSOAserial";
 	change.mod_values = values;
-	CHECK(isc_string_printf(serial_char, MAX_SERIAL_LENGTH, "%u", serial));
+	s_len = snprintf(serial_char, MAX_SERIAL_LENGTH, "%u", serial);
+	if (s_len < 0 || (unsigned)s_len >= MAX_SERIAL_LENGTH) {
+		CLEANUP_WITH(ISC_R_NOSPACE);
+	}
 
 	CHECK(ldap_modify_do(inst, str_buf(dn), changep, false));
 
@@ -2250,7 +2291,7 @@ findrdatatype_or_create(isc_mem_t *mctx, ldapdb_rdatalist_t *rdatalist,
 
 	result = ldapdb_rdatalist_findrdatatype(rdatalist, rdtype, &rdlist);
 	if (result != ISC_R_SUCCESS) {
-		CHECKED_MEM_GET_PTR(mctx, rdlist);
+		rdlist = isc_mem_get(mctx, sizeof(*(rdlist)));
 
 		dns_rdatalist_init(rdlist);
 		rdlist->rdclass = rdclass;
@@ -2371,7 +2412,7 @@ ldap_substitute_rr_template(isc_mem_t *mctx, const settings_set_t * set,
 		CLEANUP_WITH(ISC_R_UNEXPECTED);
 
 	CHECK(str_new(mctx, &replaced));
-	CHECKED_MEM_STRDUP(mctx, str_buf(orig_val), tmp);
+	tmp = isc_mem_strdup(mctx, str_buf(orig_val));
 
 	while (regexec(&regex, tmp + processed,
 		       sizeof(matches)/sizeof(regmatch_t),
@@ -2419,9 +2460,7 @@ ldap_substitute_rr_template(isc_mem_t *mctx, const settings_set_t * set,
 	result = ISC_R_SUCCESS;
 
 cleanup:
-	if (tmp != NULL)
-		isc_mem_free(mctx, tmp);
-
+	isc_mem_free(mctx, tmp);
 	str_destroy(&replaced);
 	return result;
 }
@@ -2659,11 +2698,11 @@ parse_rdata(isc_mem_t *mctx, ldap_entry_t *entry,
 	CHECK(dns_rdata_fromtext(NULL, rdclass, rdtype, entry->lex, origin,
 				 0, mctx, &entry->rdata_target, NULL));
 
-	CHECKED_MEM_GET_PTR(mctx, rdata);
+	rdata = isc_mem_get(mctx, sizeof(*(rdata)));
 	dns_rdata_init(rdata);
 
 	rdatamem.length = isc_buffer_usedlength(&entry->rdata_target);
-	CHECKED_MEM_GET(mctx, rdatamem.base, rdatamem.length);
+	rdatamem.base = isc_mem_get(mctx, rdatamem.length);
 
 	memcpy(rdatamem.base, isc_buffer_base(&entry->rdata_target),
 	       rdatamem.length);
@@ -3144,22 +3183,15 @@ isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 ldap_mod_create(isc_mem_t *mctx, LDAPMod **changep)
 {
 	LDAPMod *change = NULL;
-	isc_result_t result;
 
 	REQUIRE(changep != NULL && *changep == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, change);
+	change = isc_mem_get(mctx, sizeof(*(change)));
 	ZERO_PTR(change);
-	CHECKED_MEM_GET(mctx, change->mod_type, LDAP_ATTR_FORMATSIZE);
+	change->mod_type = isc_mem_get(mctx, LDAP_ATTR_FORMATSIZE);
 
 	*changep = change;
 	return ISC_R_SUCCESS;
-
-cleanup:
-	if (change != NULL)
-		SAFE_MEM_PUT_PTR(mctx, change);
-
-	return result;
 }
 
 /**
@@ -3204,7 +3236,7 @@ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 ldap_rdata_to_char_array(isc_mem_t *mctx, dns_rdata_t *rdata_head,
 			 bool unknown, char ***valsp)
 {
-	isc_result_t result;
+	isc_result_t result = ISC_R_FAILURE;
 	char **vals;
 	unsigned int i;
 	unsigned int rdata_count = 0;
@@ -3219,7 +3251,7 @@ ldap_rdata_to_char_array(isc_mem_t *mctx, dns_rdata_t *rdata_head,
 
 	vals_size = (rdata_count + 1) * sizeof(char *);
 
-	CHECKED_MEM_ALLOCATE(mctx, vals, vals_size);
+	vals = isc_mem_allocate(mctx, vals_size);
 	memset(vals, 0, vals_size);
 
 	rdata = rdata_head;
@@ -3237,7 +3269,7 @@ ldap_rdata_to_char_array(isc_mem_t *mctx, dns_rdata_t *rdata_head,
 		isc_buffer_usedregion(&buffer, &region);
 
 		/* Now allocate the string with the right size. */
-		CHECKED_MEM_ALLOCATE(mctx, vals[i], region.length + 1);
+		vals[i] = isc_mem_allocate(mctx, region.length + 1);
 		memcpy(vals[i], region.base, region.length);
 		vals[i][region.length] = '\0';
 		
@@ -3287,13 +3319,17 @@ ldap_rdttl_to_ldapmod(isc_mem_t *mctx, dns_rdatalist_t *rdlist,
 
 	CHECK(ldap_mod_create(mctx, &change));
 	change->mod_op = LDAP_MOD_REPLACE;
-	CHECK(isc_string_copy(change->mod_type, LDAP_ATTR_FORMATSIZE, "dnsTTL"));
+	/* isc_string_copy has been removed */
+	if (strlcpy(change->mod_type, "dnsTTL", LDAP_ATTR_FORMATSIZE)
+	   >= LDAP_ATTR_FORMATSIZE) {
+		CLEANUP_WITH(ISC_R_NOSPACE);
+	}
 
-	CHECKED_MEM_ALLOCATE(mctx, vals, 2 * sizeof(char *));
+	vals = isc_mem_allocate(mctx, 2 * sizeof(char *));
 	memset(vals, 0, 2 * sizeof(char *));
 	change->mod_values = vals;
 
-	CHECKED_MEM_ALLOCATE(mctx, vals[0], str_len(ttlval) + 1);
+	vals[0] = isc_mem_allocate(mctx, str_len(ttlval) + 1);
 	memcpy(vals[0], str_buf(ttlval), str_len(ttlval) + 1);
 
 	*changep = change;
@@ -3314,8 +3350,9 @@ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 modify_soa_record(ldap_instance_t *ldap_inst, const char *zone_dn,
 		  dns_rdata_t *rdata)
 {
-	isc_result_t result;
+	isc_result_t result = ISC_R_SUCCESS;
 	dns_rdata_soa_t soa;
+	int s_len;
 	LDAPMod change[5];
 	LDAPMod *changep[6] = {
 		&change[0], &change[1], &change[2], &change[3], &change[4],
@@ -3332,8 +3369,11 @@ modify_soa_record(ldap_instance_t *ldap_inst, const char *zone_dn,
 	change[index].mod_values = alloca(2 * sizeof(char *)); \
 	change[index].mod_values[0] = alloca(MAX_SOANUM_LENGTH); \
 	change[index].mod_values[1] = NULL; \
-	CHECK(isc_string_printf(change[index].mod_values[0], \
-		MAX_SOANUM_LENGTH, "%u", soa.name));
+	s_len = snprintf(change[index].mod_values[0], MAX_SOANUM_LENGTH, \
+			 "%u", soa.name); \
+	if (s_len < 0 || s_len >= MAX_SOANUM_LENGTH) { \
+		CLEANUP_WITH(ISC_R_NOSPACE); \
+	}
 
 	dns_rdata_tostruct(rdata, (void *)&soa, ldap_inst->mctx);
 
@@ -3500,8 +3540,10 @@ remove_rdtype_from_ldap(dns_name_t *owner, dns_name_t *zone,
 		change[0]->mod_vals.modv_strvals = NULL;
 		CHECK(rdatatype_to_ldap_attribute(type, attr, sizeof(attr),
 						  unknown_type));
-		CHECK(isc_string_copy(change[0]->mod_type, LDAP_ATTR_FORMATSIZE,
-				      attr));
+		if (strlcpy(change[0]->mod_type, attr, LDAP_ATTR_FORMATSIZE)
+		    >= LDAP_ATTR_FORMATSIZE) {
+			CLEANUP_WITH(ISC_R_NOSPACE);
+		}
 		CHECK(ldap_modify_do(ldap_inst, str_buf(dn), change, false));
 		ldap_mod_free(ldap_inst->mctx, &change[0]);
 		unknown_type = !unknown_type;
@@ -3561,13 +3603,13 @@ ldap_pool_create(isc_mem_t *mctx, unsigned int connections, ldap_pool_t **poolp)
 
 	REQUIRE(poolp != NULL && *poolp == NULL);
 
-	CHECKED_MEM_GET(mctx, pool, sizeof(*pool));
+	pool = isc_mem_get(mctx, sizeof(*pool));
 	ZERO_PTR(pool);
 	isc_mem_attach(mctx, &pool->mctx);
 	
 	CHECK(semaphore_init(&pool->conn_semaphore, connections));
-	CHECKED_MEM_GET(mctx, pool->conns,
-			connections * sizeof(ldap_connection_t *));
+	pool->conns = isc_mem_get(mctx,
+				  connections * sizeof(ldap_connection_t *));
 	memset(pool->conns, 0, connections * sizeof(ldap_connection_t *));
 	pool->connections = connections;
 
@@ -3973,7 +4015,7 @@ update_restart:
 	/* Check if the zone is loaded or not.
 	 * No other function above returns DNS_R_NOTLOADED. */
 	if (sync_state == sync_finished)
-		result = dns_zone_getserial2(raw, &serial);
+		result = dns_zone_getserial(raw, &serial);
 
 cleanup:
 #ifdef RBTDB_DEBUG
@@ -4010,7 +4052,7 @@ cleanup:
 				     "caused by change in %s",
 				     ldap_entry_logname(entry));
 			zone_reloaded = true;
-			result = dns_zone_getserial2(raw, &serial);
+			result = dns_zone_getserial(raw, &serial);
 			if (result == ISC_R_SUCCESS)
 				goto update_restart;
 		} else {
@@ -4146,7 +4188,7 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t **entryp, int chgtype)
 
 	/* This code is disabled because we don't have UUID->DN database yet.
 	if (SYNCREPL_MODDN(chgtype)) {
-		CHECKED_MEM_STRDUP(mctx, prevdn_ldap, prevdn);
+		prevdn = isc_mem_strdup(mctx, prevdn_ldap);
 	}
 	*/
 
@@ -4171,11 +4213,6 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t **entryp, int chgtype)
 				action, NULL,
 				sizeof(ldap_syncreplevent_t));
 
-	if (pevent == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-
 	pevent->mctx = NULL;
 	isc_mem_attach(inst->mctx, &pevent->mctx);
 	pevent->inst = inst;
@@ -4607,6 +4644,7 @@ ldap_sync_doit(ldap_instance_t *inst, ldap_connection_t *conn,
 	       const char * const filter_objcs, int mode) {
 	isc_result_t result;
 	int ret;
+	int s_len;
 	ldap_sync_t *ldap_sync = NULL;
 	const char *err_hint = "";
 	char filter[1024];
@@ -4620,14 +4658,22 @@ ldap_sync_doit(ldap_instance_t *inst, ldap_connection_t *conn,
 
 	/* request idnsServerConfig object only if server_id is specified */
 	CHECK(setting_get_str("server_id", inst->server_ldap_settings, &server_id));
-	if (strlen(server_id) == 0)
-		CHECK(isc_string_printf(filter, sizeof(filter), config_template,
-				        "", "", "", filter_objcs));
-	else
-		CHECK(isc_string_printf(filter, sizeof(filter), config_template,
-					"  (&(objectClass=idnsServerConfigObject)"
-				        "    (idnsServerId=", server_id, "))",
-					filter_objcs));
+	if (strlen(server_id) == 0) {
+		s_len = snprintf(filter, sizeof(filter),
+				 config_template, "", "", "", filter_objcs);
+		if (s_len < 0 || (unsigned)s_len >= sizeof(filter)) {
+			CLEANUP_WITH(ISC_R_NOSPACE);
+		}
+	} else {
+		s_len = snprintf(filter, sizeof(filter),
+				 config_template,
+				 "  (&(objectClass=idnsServerConfigObject)"
+				 "    (idnsServerId=", server_id, "))",
+				 filter_objcs);
+		if (s_len < 0 || (unsigned)s_len >= sizeof(filter)) {
+			CLEANUP_WITH(ISC_R_NOSPACE);
+		}
+	}
 
 	result = ldap_sync_prepare(inst, inst->server_ldap_settings,
 				   filter, conn, &ldap_sync);
@@ -4821,7 +4867,11 @@ ldap_instance_isexiting(ldap_instance_t *ldap_inst)
  * (if it is even possible). */
 void
 ldap_instance_taint(ldap_instance_t *ldap_inst) {
+#if LIBDNS_VERSION_MAJOR < 1600
 	isc_refcount_increment0(&ldap_inst->errors, NULL);
+#else
+	isc_refcount_increment0(&ldap_inst->errors);
+#endif
 }
 
 bool
@@ -4850,13 +4900,16 @@ ldap_instance_untaint_start(ldap_instance_t *ldap_inst) {
  */
 isc_result_t
 ldap_instance_untaint_finish(ldap_instance_t *ldap_inst, unsigned int count) {
-	unsigned int remaining = 0;
 	while (count > 0) {
-		isc_refcount_decrement(&ldap_inst->errors, &remaining);
+#if LIBDNS_VERSION_MAJOR < 1600
+		isc_refcount_decrement(&ldap_inst->errors, NULL);
+#else
+		(void)isc_refcount_decrement(&ldap_inst->errors);
+#endif
 		count--;
 	}
-	if (remaining != 0)
-		return DNS_R_CONTINUE;
-	else
+	if (isc_refcount_current(&ldap_inst->errors) == 0) {
 		return ISC_R_SUCCESS;
+	}
+	return DNS_R_CONTINUE;
 }


=====================================
src/metadb.c
=====================================
@@ -40,12 +40,13 @@ metadb_new(isc_mem_t *mctx, metadb_t **mdbp) {
 
 	REQUIRE(mdbp != NULL && *mdbp == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, mdb);
+	mdb = isc_mem_get(mctx, sizeof(*(mdb)));
 	ZERO_PTR(mdb);
 
 	isc_mem_attach(mctx, &mdb->mctx);
 
-	CHECK(isc_mutex_init(&mdb->newversion_lock));
+	/* isc_mutex_init and isc_condition_init failures are now fatal */
+	isc_mutex_init(&mdb->newversion_lock);
 	lock_ready = true;
 	CHECK(dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
 			    dns_rdataclass_in, 0, NULL, &mdb->rbtdb));
@@ -54,12 +55,11 @@ metadb_new(isc_mem_t *mctx, metadb_t **mdbp) {
 	return result;
 
 cleanup:
-	if (mdb != NULL) {
-		if (lock_ready == true)
-			RUNTIME_CHECK(isc_mutex_destroy(&mdb->newversion_lock)
-				      == ISC_R_SUCCESS);
-		MEM_PUT_AND_DETACH(mdb);
+	if (lock_ready == true) {
+	/* isc_mutex_destroy errors are now fatal */
+		isc_mutex_destroy(&mdb->newversion_lock);
 	}
+	MEM_PUT_AND_DETACH(mdb);
 	return result;
 }
 
@@ -79,7 +79,8 @@ metadb_destroy(metadb_t **mdbp) {
 	dns_db_dump(mdb->rbtdb, NULL, "/tmp/mdb.db");
 #endif
 	dns_db_detach(&mdb->rbtdb);
-	RUNTIME_CHECK(isc_mutex_destroy(&mdb->newversion_lock) == ISC_R_SUCCESS);
+	/* isc_mutex_destroy errors are now fatal */
+	isc_mutex_destroy(&mdb->newversion_lock);
 	MEM_PUT_AND_DETACH(mdb);
 
 	*mdbp = NULL;
@@ -160,7 +161,7 @@ metadb_iterator_create(metadb_t *mdb, metadb_iter_t **miterp) {
 	REQUIRE(mdb != NULL);
 	REQUIRE(miterp != NULL && *miterp == NULL);
 
-	CHECKED_MEM_GET_PTR(mdb->mctx, miter);
+	miter = isc_mem_get(mdb->mctx, sizeof(*(miter)));
 	ZERO_PTR(miter);
 
 	isc_mem_attach(mdb->mctx, &miter->mctx);
@@ -258,7 +259,7 @@ metadb_node_init(metadb_t *mdb, dns_dbversion_t *ver, dns_name_t *mname,
 
 	REQUIRE(nodep != NULL && *nodep == NULL);
 
-	CHECKED_MEM_GET_PTR(mdb->mctx, node);
+	node = isc_mem_get(mdb->mctx, sizeof(*(node)));
 	ZERO_PTR(node);
 
 	isc_mem_attach(mdb->mctx, &node->mctx);


=====================================
src/mldap.c
=====================================
@@ -27,6 +27,24 @@
 #include "metadb.h"
 #include "mldap.h"
 #include "util.h"
+#include "config.h"
+
+#if LIBDNS_VERSION_MAJOR < 1600
+#define dns_name_copynf(src, dst) dns_name_copy((src), (dst), NULL)
+#define REFCOUNT_CAST(n) ((typeof(((isc_refcount_t *)0)->refs)) (n))
+
+/* Static assert is not provided yet, copy from 9.16 */
+#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR >= 6)
+#define STATIC_ASSERT(cond, msg) _Static_assert(cond, msg)
+#elif __has_feature(c_static_assert)
+#define STATIC_ASSERT(cond, msg) _Static_assert(cond, msg)
+#else /* if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR >= 6) */
+#define STATIC_ASSERT(cond, msg) INSIST(cond)
+#endif /* if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR >= 6) */
+#else
+/* BIND 9.16+ */
+#define REFCOUNT_CAST(n) ((isc_refcount_t) (n))
+#endif
 
 /* name "ldap.uuid." */
 static unsigned char uuid_rootname_ndata[]
@@ -59,11 +77,11 @@ mldap_new(isc_mem_t *mctx, mldapdb_t **mldapp) {
 
 	REQUIRE(mldapp != NULL && *mldapp == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, mldap);
+	mldap = isc_mem_get(mctx, sizeof(*(mldap)));
 	ZERO_PTR(mldap);
 	isc_mem_attach(mctx, &mldap->mctx);
 
-	CHECK(isc_refcount_init(&mldap->generation, 0));
+	isc_refcount_init(&mldap->generation, 0);
 	CHECK(metadb_new(mctx, &mldap->mdb));
 
 	*mldapp = mldap;
@@ -107,7 +125,11 @@ mldap_closeversion(mldapdb_t *mldap, bool commit) {
 void mldap_cur_generation_bump(mldapdb_t *mldap) {
 	REQUIRE(mldap != NULL);
 
+#if LIBDNS_VERSION_MAJOR < 1600
 	isc_refcount_increment0(&mldap->generation, NULL);
+#else
+	isc_refcount_increment0(&mldap->generation);
+#endif
 }
 
 /*
@@ -118,17 +140,12 @@ void mldap_cur_generation_bump(mldapdb_t *mldap) {
  * isc_refcount_t abstractions and returns underlying type used for storing the
  * reference counter value.
  */
-STATIC_ASSERT((uint32_t)
-		(typeof(((isc_refcount_t *)0)->refs))
-		-1
-	      == 0xFFFFFFFF, \
-	      "negative isc_refcount_t cannot be properly shortened to 32 bits");
 
-STATIC_ASSERT((uint32_t)
-		(typeof(((isc_refcount_t *)0)->refs))
-		0x90ABCDEF12345678
-	      == 0x12345678, \
-	      "positive isc_refcount_t cannot be properly shortened to 32 bits");
+/* isc_refcount_t is simply atomic_uint_fast32_t now */
+STATIC_ASSERT((uint32_t)REFCOUNT_CAST(-1) == 0xFFFFFFFF, \
+	      "negative isc_refcount_t cannot be properly shortened to 32 bits");
+STATIC_ASSERT((uint32_t)REFCOUNT_CAST(0x90ABCDEF12345678) == 0x12345678, \
+	      "negative isc_refcount_t cannot be properly shortened to 32 bits");
 
 /**
  * Get current MetaLDAP generation number.
@@ -327,8 +344,8 @@ mldap_dnsname_get(metadb_node_t *node, dns_name_t *fqdn, dns_name_t *zone) {
 	CHECK(metadb_rdataset_get(node, dns_rdatatype_rp, &rdataset));
 	dns_rdataset_current(&rdataset, &rdata);
 	CHECK(dns_rdata_tostruct(&rdata, &rp, NULL));
-	CHECK(dns_name_copy(&rp.mail, fqdn, NULL));
-	CHECK(dns_name_copy(&rp.text, zone, NULL));
+	dns_name_copynf(&rp.mail, fqdn);
+	dns_name_copynf(&rp.text, zone);
 
 cleanup:
 	if (dns_rdataset_isassociated(&rdataset))
@@ -430,7 +447,7 @@ mldap_iter_deadnodes_start(mldapdb_t *mldap, metadb_iter_t **iterp,
 	REQUIRE(iterp != NULL && *iterp == NULL);
 
 	CHECK(metadb_iterator_create(mldap->mdb, &iter));
-	CHECKED_MEM_GET(mldap->mctx, iter->state, sizeof(uint32_t));
+	iter->state = isc_mem_get(mldap->mctx, sizeof(uint32_t));
 	result = dns_dbiterator_seek(iter->iter, &uuid_rootname);
 	if (result == ISC_R_NOTFOUND) /* metaLDAP is empty */
 		CLEANUP_WITH(ISC_R_NOMORE);


=====================================
src/rbt_helper.c
=====================================
@@ -7,6 +7,7 @@
 
 #include "util.h"
 #include "rbt_helper.h"
+#include "config.h"
 
 #define LDAPDB_RBTITER_MAGIC ISC_MAGIC('L', 'D', 'P', 'I')
 
@@ -87,11 +88,15 @@ rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock,
 	REQUIRE(rwlock != NULL);
 	REQUIRE(iterp != NULL && *iterp == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, iter);
+	iter = isc_mem_get(mctx, sizeof(*(iter)));
 	ZERO_PTR(iter);
 
 	isc_mem_attach(mctx, &iter->mctx);
+#if LIBDNS_VERSION_MAJOR < 1600
 	dns_rbtnodechain_init(&iter->chain, mctx);
+#else
+	dns_rbtnodechain_init(&iter->chain);
+#endif
 	iter->rbt = rbt;
 	iter->rwlock = rwlock;
 	iter->locktype = isc_rwlocktype_read;


=====================================
src/semaphore.c
=====================================
@@ -34,19 +34,21 @@ isc_interval_t conn_wait_timeout = { 3, 0 };
 isc_result_t
 semaphore_init(semaphore_t *sem, int value)
 {
-	isc_result_t result;
+	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(sem != NULL);
 	REQUIRE(value > 0);
 
 	sem->value = value;
-	result = isc_mutex_init(&sem->mutex);
-	if (result != ISC_R_SUCCESS)
-		return result;
-
-	result = isc_condition_init(&sem->cond);
-	if (result != ISC_R_SUCCESS)
-		DESTROYLOCK(&sem->mutex);
+	/* isc_mutex_init and isc_condition_init failures are now fatal */
+	isc_mutex_init(&sem->mutex);
+	isc_condition_init(&sem->cond);
+	/*
+	 * if (result != ISC_R_SUCCESS) {
+	 *	// isc_mutex_destroy failures are now fatal
+	 *	isc_mutex_destroy(&sem->mutex);
+	 * }
+	 */
 
 	return result;
 }
@@ -62,7 +64,8 @@ semaphore_destroy(semaphore_t *sem)
 	if (sem == NULL)
 		return;
 
-	RUNTIME_CHECK(isc_mutex_destroy(&sem->mutex) == ISC_R_SUCCESS);
+	/* isc_mutex_destroy is now fatal */
+	isc_mutex_destroy(&sem->mutex);
 	RUNTIME_CHECK(isc_condition_destroy(&sem->cond) == ISC_R_SUCCESS);
 }
 


=====================================
src/settings.c
=====================================
@@ -24,6 +24,15 @@
 #include "types.h"
 #include "ldap_helper.h"
 #include "zone_register.h"
+#include "config.h"
+
+#if LIBDNS_VERSION_MAJOR < 1600
+#define cfg_parse_buffer cfg_parse_buffer4
+#define cfg_print_grammar(cfg_type_conf, flags, cfg_printer, log_buf) cfg_print_grammar((cfg_type_conf), (cfg_printer), (log_buf))
+typedef dns_name_t       node_name_t;
+#else
+typedef const dns_name_t node_name_t;
+#endif
 
 bool verbose_checks = false; /* log each failure in CHECK() macro */
 
@@ -279,9 +288,12 @@ set_value(isc_mem_t *mctx, const settings_set_t *set, setting_t *setting,
 		len = strlen(value) + 1;
 		if (setting->is_dynamic)
 			isc_mem_free(mctx, setting->value.value_char);
-		CHECKED_MEM_ALLOCATE(mctx, setting->value.value_char, len);
+		setting->value.value_char = isc_mem_allocate(mctx, len);
 		setting->is_dynamic = true;
-		CHECK(isc_string_copy(setting->value.value_char, len, value));
+		/* isc_string_copy has been removed */
+		if (strlcpy(setting->value.value_char, value, len) >= len) {
+			CLEANUP_WITH(ISC_R_NOSPACE);
+		}
 		break;
 
 	case ST_UNSIGNED_INTEGER:
@@ -481,37 +493,30 @@ settings_set_create(isc_mem_t *mctx, const setting_t default_settings[],
 		    const unsigned int default_set_length, const char *set_name,
 		    const settings_set_t *const parent_set,
 		    settings_set_t **target) {
-	isc_result_t result = ISC_R_FAILURE;
 	settings_set_t *new_set = NULL;
 
 	REQUIRE(target != NULL && *target == NULL);
 	REQUIRE(default_settings != NULL);
 	REQUIRE(default_set_length > 0);
 
-	CHECKED_MEM_ALLOCATE(mctx, new_set, default_set_length);
+	new_set = isc_mem_allocate(mctx, default_set_length);
 	ZERO_PTR(new_set);
 	isc_mem_attach(mctx, &new_set->mctx);
 
-	CHECKED_MEM_GET_PTR(mctx, new_set->lock);
-	result = isc_mutex_init(new_set->lock);
-	INSIST(result == ISC_R_SUCCESS);
+	new_set->lock = isc_mem_get(mctx, sizeof(*(new_set->lock)));
+	/* isc_mutex_init failures are now fatal */
+	isc_mutex_init(new_set->lock);
 
 	new_set->parent_set = parent_set;
 
-	CHECKED_MEM_ALLOCATE(mctx, new_set->first_setting, default_set_length);
+	new_set->first_setting = isc_mem_allocate(mctx, default_set_length);
 	memcpy(new_set->first_setting, default_settings, default_set_length);
 
-	CHECKED_MEM_ALLOCATE(mctx, new_set->name, strlen(set_name) + 1);
+	new_set->name = isc_mem_allocate(mctx, strlen(set_name) + 1);
 	strcpy(new_set->name, set_name);
 
 	*target = new_set;
-	result = ISC_R_SUCCESS;
-
-cleanup:
-	if (result != ISC_R_SUCCESS)
-		settings_set_free(&new_set);
-
-	return result;
+	return ISC_R_SUCCESS;
 }
 
 /**
@@ -531,7 +536,8 @@ settings_set_free(settings_set_t **set) {
 		mctx = (*set)->mctx;
 
 		if ((*set)->lock != NULL) {
-			DESTROYLOCK((*set)->lock);
+			/* isc_mutex_destroy failures are now fatal */
+			isc_mutex_destroy((*set)->lock);
 			SAFE_MEM_PUT_PTR(mctx, (*set)->lock);
 		}
 
@@ -577,7 +583,7 @@ cfg_printer(void *closure, const char *text, int textlen) {
 static isc_result_t
 settings_set_fill(const cfg_obj_t *config, settings_set_t *set)
 {
-	isc_result_t result;
+	isc_result_t result = ISC_R_SUCCESS;
 	setting_t *setting;
 	isc_buffer_t *buf_value = NULL;
 	const cfg_obj_t *cfg_value;
@@ -585,7 +591,8 @@ settings_set_fill(const cfg_obj_t *config, settings_set_t *set)
 
 	REQUIRE(cfg_obj_ismap(config) == true);
 
-	CHECK(isc_buffer_allocate(set->mctx, &buf_value, ISC_BUFFER_INCR));
+	/* isc_buffer_allocate can no longer fail */
+	isc_buffer_allocate(set->mctx, &buf_value, ISC_BUFFER_INCR);
 	isc_buffer_setautorealloc(buf_value, true);
 
 	for (setting = set->first_setting;
@@ -678,7 +685,8 @@ setting_set_parse_conf(isc_mem_t *mctx, const char *name,
 
 	REQUIRE(parameters != NULL);
 
-	CHECK(isc_buffer_allocate(mctx, &log_buf, ISC_BUFFER_INCR));
+	/* isc_buffer_allocate can no longer fail */
+	isc_buffer_allocate(mctx, &log_buf, ISC_BUFFER_INCR);
 	isc_buffer_setautorealloc(log_buf, true);
 
 	len = strlen(parameters);
@@ -686,8 +694,8 @@ setting_set_parse_conf(isc_mem_t *mctx, const char *name,
 	isc_buffer_add(&in_buf, len);
 
 	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
-	result = cfg_parse_buffer2(parser, &in_buf, name, cfg_type_conf,
-				   &config);
+	result = cfg_parse_buffer(parser, &in_buf, name, 0, cfg_type_conf, 0,
+				  &config);
 	if (result == ISC_R_SUCCESS) {
 		cfg_printx(config, CFG_PRINTER_XKEY, cfg_printer, log_buf);
 		cfg_obj_log(config, dns_lctx, ISC_LOG_DEBUG(10),
@@ -700,7 +708,7 @@ setting_set_parse_conf(isc_mem_t *mctx, const char *name,
 		log_error("configuration for dyndb instance '%s' "
 			  "(starting in file %s on line %lu) is invalid",
 			  name, file, line);
-		cfg_print_grammar(cfg_type_conf, cfg_printer, log_buf);
+		cfg_print_grammar(cfg_type_conf, 0, cfg_printer, log_buf);
 		log_info("expected grammar:\n"
 			 "%.*s", isc_buffer_usedlength(log_buf),
 			 (char *)isc_buffer_base(log_buf));


=====================================
src/syncptr.c
=====================================
@@ -31,6 +31,10 @@
 #define SYNCPTR_FMTPRE  SYNCPTR_PREF "(%s) for '%s A/AAAA %s' "
 #define SYNCPTR_FMTPOST ldap_modop_str(mod_op), a_name_str, ip_str
 
+#if LIBDNS_VERSION_MAJOR < 1600
+#define dns_name_copynf(src, dst) dns_name_copy((src), (dst), NULL)
+#endif
+
 /*
  * Event for asynchronous PTR record synchronization.
  */
@@ -134,7 +138,7 @@ sync_ptr_find(dns_zt_t *zonetable, zone_register_t *zone_register, const int af,
 	 * @example
 	 * 192.168.0.1 -> 1.0.168.192.in-addr.arpa
 	 */
-	CHECK(dns_byaddr_createptrname2(&isc_ip, 0, ptr_name));
+	CHECK(dns_byaddr_createptrname(&isc_ip, 0, ptr_name));
 
 	/* Find an active zone containing owner name of the PTR record. */
 	result = dns_zt_find(zonetable, ptr_name, 0, NULL, zone);
@@ -392,14 +396,12 @@ sync_ptr_init(isc_mem_t *mctx, dns_zt_t * zonetable,
 						LDAPDB_EVENT_SYNCPTR,
 						sync_ptr_handler, NULL,
 						sizeof(sync_ptrev_t));
-	if (ev == NULL)
-		CLEANUP_WITH(ISC_R_NOMEMORY);
 
 	ev->mctx = NULL;
 	isc_mem_attach(mctx, &ev->mctx);
 	INIT_BUFFERED_NAME(ev->a_name);
 	INIT_BUFFERED_NAME(ev->ptr_name);
-	CHECK(dns_name_copy(a_name, &ev->a_name, NULL));
+	dns_name_copynf(a_name, &ev->a_name);
 	ev->mod_op = mod_op;
 	strncpy(ev->ip_str, ip_str, sizeof(ev->ip_str));
 	ev->ip_str[sizeof(ev->ip_str) - 1] = '\0';


=====================================
src/syncrepl.c
=====================================
@@ -11,6 +11,7 @@
 #include <isc/time.h>
 #include <isc/util.h>
 
+#include "config.h"
 #include "ldap_helper.h"
 #include "util.h"
 #include "semaphore.h"
@@ -157,7 +158,7 @@ finish(isc_task_t *task, isc_event_t *event) {
 	return;
 }
 
-static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
+static void ATTR_NONNULLS
 sync_finishev_create(sync_ctx_t *sctx, ldap_instance_t *inst,
 		      sync_barrierev_t **evp) {
 	sync_barrierev_t *ev = NULL;
@@ -170,14 +171,12 @@ sync_finishev_create(sync_ctx_t *sctx, ldap_instance_t *inst,
 				sctx, LDAPDB_EVENT_SYNCREPL_BARRIER,
 				finish, NULL,
 				sizeof(sync_barrierev_t));
-	if (ev == NULL)
-		return ISC_R_NOMEMORY;
 
 	ev->inst = inst;
 	ev->sctx = sctx;
 	*evp = ev;
 
-	return ISC_R_SUCCESS;
+	return;
 }
 
 /**
@@ -198,37 +197,35 @@ sync_finishev_create(sync_ctx_t *sctx, ldap_instance_t *inst,
  */
 void
 barrier_decrement(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result = ISC_R_SUCCESS;
 	sync_barrierev_t *bev = NULL;
-	sync_barrierev_t *fev = NULL;
-	isc_event_t *ev = NULL;
 	uint32_t cnt;
-	bool locked = false;
 
 	REQUIRE(ISCAPI_TASK_VALID(task));
 	REQUIRE(event != NULL);
 
 	bev = (sync_barrierev_t *)event;
+#if LIBDNS_VERSION_MAJOR < 1600
 	isc_refcount_decrement(&bev->sctx->task_cnt, &cnt);
-	if (cnt == 0) {
+#else
+	cnt = isc_refcount_decrement(&bev->sctx->task_cnt);
+#endif
+	if (cnt == 1) {
+		sync_barrierev_t *fev = NULL;
+		isc_event_t *ev = NULL;
+
 		log_debug(1, "sync_barrier_wait(): barrier reached");
 		LOCK(&bev->sctx->mutex);
-		locked = true;
-		CHECK(sync_finishev_create(bev->sctx, bev->inst, &fev));
+		sync_finishev_create(bev->sctx, bev->inst, &fev);
 		ev = (isc_event_t *)fev;
 		isc_task_send(ldap_instance_gettask(bev->sctx->inst), &ev);
+		UNLOCK(&bev->sctx->mutex);
 	}
 
-cleanup:
-	if (locked)
-		UNLOCK(&bev->sctx->mutex);
-	if (result != ISC_R_SUCCESS)
-		log_error_r("barrier_decrement() failed");
 	isc_event_free(&event);
 	return;
 }
 
-static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
+static void ATTR_NONNULLS
 sync_barrierev_create(sync_ctx_t *sctx, ldap_instance_t *inst,
 		      sync_barrierev_t **evp) {
 	sync_barrierev_t *ev = NULL;
@@ -241,14 +238,12 @@ sync_barrierev_create(sync_ctx_t *sctx, ldap_instance_t *inst,
 				sctx, LDAPDB_EVENT_SYNCREPL_BARRIER,
 				barrier_decrement, NULL,
 				sizeof(sync_barrierev_t));
-	if (ev == NULL)
-		return ISC_R_NOMEMORY;
 
 	ev->inst = inst;
 	ev->sctx = sctx;
 	*evp = ev;
 
-	return ISC_R_SUCCESS;
+	return;
 }
 
 /**
@@ -271,19 +266,21 @@ sync_ctx_init(isc_mem_t *mctx, ldap_instance_t *inst, sync_ctx_t **sctxp) {
 
 	REQUIRE(sctxp != NULL && *sctxp == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, sctx);
+	sctx = isc_mem_get(mctx, sizeof(*(sctx)));
 	ZERO_PTR(sctx);
 	isc_mem_attach(mctx, &sctx->mctx);
 
 	sctx->inst = inst;
 
-	CHECK(isc_mutex_init(&sctx->mutex));
+	/* isc_mutex_init failures are now fatal */
+	isc_mutex_init(&sctx->mutex);
 	lock_ready = true;
-	CHECK(isc_condition_init(&sctx->cond));
+	/* isc_mutex_init failures are now fatal */
+	isc_condition_init(&sctx->cond);
 	cond_ready = true;
 
 	/* refcount includes ldap_inst->task implicitly */
-	CHECK(isc_refcount_init(&sctx->task_cnt, 0));
+	isc_refcount_init(&sctx->task_cnt, 0);
 	refcount_ready = true;
 
 	ISC_LIST_INIT(sctx->tasks);
@@ -297,8 +294,10 @@ sync_ctx_init(isc_mem_t *mctx, ldap_instance_t *inst, sync_ctx_t **sctxp) {
 	return ISC_R_SUCCESS;
 
 cleanup:
-	if (lock_ready == true)
-		DESTROYLOCK(&sctx->mutex);
+	if (lock_ready == true) {
+		/* isc_mutex_destroy failures are now fatal */
+		isc_mutex_destroy(&sctx->mutex);
+	}
 	if (cond_ready == true)
 		RUNTIME_CHECK(isc_condition_destroy(&sctx->cond)
 			      == ISC_R_SUCCESS);
@@ -330,14 +329,19 @@ sync_ctx_free(sync_ctx_t **sctxp) {
 		next_taskel = NEXT(taskel, link);
 		UNLINK(sctx->tasks, taskel, link);
 		isc_task_detach(&taskel->task);
+#if LIBDNS_VERSION_MAJOR < 1600
 		isc_refcount_decrement(&sctx->task_cnt, NULL);
+#else
+		(void)isc_refcount_decrement(&sctx->task_cnt);
+#endif
 		SAFE_MEM_PUT_PTR(sctx->mctx, taskel);
 	}
 	RUNTIME_CHECK(isc_condition_destroy(&sctx->cond) == ISC_R_SUCCESS);
 	isc_refcount_destroy(&sctx->task_cnt);
 	UNLOCK(&sctx->mutex);
 
-	DESTROYLOCK(&(*sctxp)->mutex);
+	/* isc_mutex_destroy is void now */
+	isc_mutex_destroy(&(*sctxp)->mutex);
 	MEM_PUT_AND_DETACH(*sctxp);
 }
 
@@ -444,14 +448,13 @@ sync_state_reset(sync_ctx_t *sctx) {
  */
 isc_result_t
 sync_task_add(sync_ctx_t *sctx, isc_task_t *task) {
-	isc_result_t result = ISC_R_SUCCESS;
-	uint32_t cnt;
 	task_element_t *newel = NULL;
+	uint32_t cnt;
 
 	REQUIRE(sctx != NULL);
 	REQUIRE(ISCAPI_TASK_VALID(task));
 
-	CHECKED_MEM_GET_PTR(sctx->mctx, newel);
+	newel = isc_mem_get(sctx->mctx, sizeof(*(newel)));
 	ZERO_PTR(newel);
 	ISC_LINK_INIT(newel, link);
 	newel->task = NULL;
@@ -460,14 +463,17 @@ sync_task_add(sync_ctx_t *sctx, isc_task_t *task) {
 	LOCK(&sctx->mutex);
 	REQUIRE(sctx->state == sync_configinit || sctx->state == sync_datainit);
 	ISC_LIST_APPEND(sctx->tasks, newel, link);
+#if LIBDNS_VERSION_MAJOR < 1600
 	isc_refcount_increment0(&sctx->task_cnt, &cnt);
+#else
+	cnt = isc_refcount_increment0(&sctx->task_cnt);
+#endif
 	UNLOCK(&sctx->mutex);
 
 	log_debug(2, "adding task %p to syncrepl list; %u tasks in list",
 		  task, cnt);
 
-cleanup:
-	return result;
+	return ISC_R_SUCCESS;
 }
 
 /**
@@ -483,7 +489,6 @@ cleanup:
  */
 isc_result_t
 sync_barrier_wait(sync_ctx_t *sctx, ldap_instance_t *inst) {
-	isc_result_t result;
 	isc_event_t *ev = NULL;
 	sync_barrierev_t *bev = NULL;
 	sync_state_t barrier_state;
@@ -518,7 +523,7 @@ sync_barrier_wait(sync_ctx_t *sctx, ldap_instance_t *inst) {
 	     taskel != NULL;
 	     taskel = next_taskel) {
 		bev = NULL;
-		CHECK(sync_barrierev_create(sctx, inst, &bev));
+		sync_barrierev_create(sctx, inst, &bev);
 		next_taskel = NEXT(taskel, link);
 		UNLINK(sctx->tasks, taskel, link);
 		ev = (isc_event_t *)bev;
@@ -531,12 +536,12 @@ sync_barrier_wait(sync_ctx_t *sctx, ldap_instance_t *inst) {
 		WAIT(&sctx->cond, &sctx->mutex);
 	log_debug(1, "sync_barrier_wait(): all events were processed");
 
-cleanup:
 	UNLOCK(&sctx->mutex);
 
-	if (ev != NULL)
+	if (ev != NULL) {
 		isc_event_free(&ev);
-	return result;
+	}
+	return ISC_R_SUCCESS;
 }
 
 /**
@@ -594,12 +599,10 @@ sync_event_send(sync_ctx_t *sctx, isc_task_t *task, ldap_syncreplevent_t **ev,
 	isc_result_t result;
 	isc_time_t abs_timeout;
 	uint32_t seqid;
-	bool locked = false;
 
 	REQUIRE(sctx != NULL);
 
 	LOCK(&sctx->mutex);
-	locked = true;
 	/* overflow is not a problem as long as the modulo is smaller than
 	 * constant used by sync_concurr_limit_wait() */
 	(*ev)->seqid = seqid = ++sctx->next_id % 0xffffffff;
@@ -617,8 +620,7 @@ sync_event_send(sync_ctx_t *sctx, isc_task_t *task, ldap_syncreplevent_t **ev,
 	result = ISC_R_SUCCESS;
 
 cleanup:
-	if (locked == true)
-		UNLOCK(&sctx->mutex);
+	UNLOCK(&sctx->mutex);
 	return result;
 }
 


=====================================
src/util.h
=====================================
@@ -35,39 +35,6 @@ extern bool verbose_checks; /* from settings.c */
 		}						\
 	} while (0)
 
-#define CHECKED_MEM_ALLOCATE(m, target_ptr, s)			\
-	do {							\
-		(target_ptr) = isc_mem_allocate((m), (s));	\
-		if ((target_ptr) == NULL) {			\
-			result = ISC_R_NOMEMORY;		\
-			log_error_position("Memory allocation failed");	\
-			goto cleanup;				\
-		}						\
-	} while (0)
-
-#define CHECKED_MEM_GET(m, target_ptr, s)			\
-	do {							\
-		(target_ptr) = isc_mem_get((m), (s));		\
-		if ((target_ptr) == NULL) {			\
-			result = ISC_R_NOMEMORY;		\
-			log_error_position("Memory allocation failed");	\
-			goto cleanup;				\
-		}						\
-	} while (0)
-
-#define CHECKED_MEM_GET_PTR(m, target_ptr)			\
-	CHECKED_MEM_GET(m, target_ptr, sizeof(*(target_ptr)))
-
-#define CHECKED_MEM_STRDUP(m, source, target)			\
-	do {							\
-		(target) = isc_mem_strdup((m), (source));	\
-		if ((target) == NULL) {				\
-			result = ISC_R_NOMEMORY;		\
-			log_error_position("Memory allocation failed");	\
-			goto cleanup;				\
-		}						\
-	} while (0)
-
 #define ZERO_PTR(ptr) memset((ptr), 0, sizeof(*(ptr)))
 
 #define SAFE_MEM_PUT(m, target_ptr, target_size)		\
@@ -117,38 +84,4 @@ extern bool verbose_checks; /* from settings.c */
 #define ATTR_CHECKRESULT
 #endif
 
-/*
- * Static (compile-time) assert for C:
- * C99 doesn't require support for "sizeof" in preprocessor conditionals so
- * we can't do something like #if (sizeof(my_struct) != 512).
- *
- * This macro has no runtime side affects as it just defines an enum whose name
- * depends on the current line, and whose value will give a divide by zero error
- * at compile time if the assertion is false.
- *
- * Taken from
- * http://www.pixelbeat.org/programming/gcc/static_assert.html
- * version 10 Feb 2015. Padraig Brady told me that it is licensed under
- * "GNU All-Permissive License":
- *
- * Copying and distribution of this file, with or without modification,
- * are permitted in any medium without royalty provided the copyright notice
- * and this notice are preserved. This code is offered as-is,
- * without any warranty.
- */
-#define ASSERT_CONCAT_(a, b) a##b
-#define ASSERT_CONCAT(a, b) ASSERT_CONCAT_(a, b)
-/* These can't be used after statements in c89. */
-#ifdef __COUNTER__
-  #define STATIC_ASSERT(e, m) \
-    ;enum { ASSERT_CONCAT(static_assert_, __COUNTER__) = 1/(!!(e)) }
-#else
-  /* This can't be used twice on the same line so ensure if using in headers
-   * that the headers are not included twice (by wrapping in #ifndef...#endif)
-   * Note it doesn't cause an issue when used on same line of separate modules
-   * compiled with gcc -combine -fwhole-program.  */
-  #define STATIC_ASSERT(e, m) \
-    ;enum { ASSERT_CONCAT(assert_line_, __LINE__) = 1/(!!(e)) }
-#endif
-
 #endif /* !_LD_UTIL_H_ */


=====================================
src/zone_register.c
=====================================
@@ -111,7 +111,7 @@ zr_create(isc_mem_t *mctx, ldap_instance_t *ldap_inst,
 	REQUIRE(glob_settings != NULL);
 	REQUIRE(zrp != NULL && *zrp == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, zr);
+	zr = isc_mem_get(mctx, sizeof(*(zr)));
 	ZERO_PTR(zr);
 	isc_mem_attach(mctx, &zr->mctx);
 	CHECK(dns_rbt_create(mctx, delete_zone_info, mctx, &zr->rbt));
@@ -123,11 +123,10 @@ zr_create(isc_mem_t *mctx, ldap_instance_t *ldap_inst,
 	return ISC_R_SUCCESS;
 
 cleanup:
-	if (zr != NULL) {
-		if (zr->rbt != NULL)
-			dns_rbt_destroy(&zr->rbt);
-		MEM_PUT_AND_DETACH(zr);
+	if (zr->rbt != NULL) {
+		dns_rbt_destroy(&zr->rbt);
 	}
+	MEM_PUT_AND_DETACH(zr);
 
 	return result;
 }
@@ -272,17 +271,17 @@ create_zone_info(isc_mem_t * const mctx, dns_zone_t * const raw,
 	REQUIRE(dn != NULL);
 	REQUIRE(zinfop != NULL && *zinfop == NULL);
 
-	CHECKED_MEM_GET_PTR(mctx, zinfo);
+	zinfo = isc_mem_get(mctx, sizeof(*(zinfo)));
 	ZERO_PTR(zinfo);
-	CHECKED_MEM_STRDUP(mctx, dn, zinfo->dn);
+	zinfo->dn = isc_mem_strdup(mctx, dn);
 	dns_zone_attach(raw, &zinfo->raw);
 	if (secure != NULL)
 		dns_zone_attach(secure, &zinfo->secure);
 
 	zinfo->settings = NULL;
-	isc_string_printf_truncate(settings_name, PRINT_BUFF_SIZE,
-				   SETTING_SET_NAME_ZONE " %s",
-				   dn);
+	/* truncation is allowed */
+	snprintf(settings_name, PRINT_BUFF_SIZE, SETTING_SET_NAME_ZONE " %s",
+		 dn);
 	CHECK(settings_set_create(mctx, zone_settings, sizeof(zone_settings),
 				  settings_name, global_settings,
 				  &zinfo->settings));
@@ -341,7 +340,9 @@ delete_zone_info(void *arg1, void *arg2)
  * @pre Zone registed is locked.
  */
 static isc_result_t
-getzinfo(zone_register_t * const zr, dns_name_t *name, zone_info_t **zinfo) {
+getzinfo(zone_register_t * const zr, const dns_name_t *name,
+	 zone_info_t **zinfo)
+{
 	isc_result_t result;
 	void *data = NULL;
 
@@ -438,8 +439,8 @@ cleanup:
  * Either ldapdbp or rbtdbp can be NULL.
  */
 isc_result_t
-zr_get_zone_dbs(zone_register_t *zr, dns_name_t *name, dns_db_t **ldapdbp,
-		dns_db_t **rbtdbp)
+zr_get_zone_dbs(zone_register_t *zr, const dns_name_t *name,
+		dns_db_t **ldapdbp, dns_db_t **rbtdbp)
 {
 	isc_result_t result;
 	zone_info_t *zinfo = NULL;
@@ -539,7 +540,8 @@ zr_get_zone_ptr(zone_register_t * const zr, dns_name_t * const name,
  * 'set'.
  */
 isc_result_t
-zr_get_zone_settings(zone_register_t *zr, dns_name_t *name, settings_set_t **set)
+zr_get_zone_settings(zone_register_t *zr, const dns_name_t *name,
+	             settings_set_t **set)
 {
 	isc_result_t result;
 	zone_info_t *zinfo = NULL;


=====================================
src/zone_register.h
=====================================
@@ -28,7 +28,7 @@ isc_result_t
 zr_del_zone(zone_register_t *zr, dns_name_t *origin) ATTR_NONNULLS ATTR_CHECKRESULT;
 
 isc_result_t
-zr_get_zone_dbs(zone_register_t *zr, dns_name_t *name, dns_db_t **ldapdbp,
+zr_get_zone_dbs(zone_register_t *zr, const dns_name_t *name, dns_db_t **ldapdbp,
 		dns_db_t **rbtdbp) ATTR_NONNULL(1, 2) ATTR_CHECKRESULT;
 
 isc_result_t
@@ -40,7 +40,7 @@ zr_get_zone_ptr(zone_register_t * const zr, dns_name_t * const name,
 		ATTR_NONNULL(1,2,3) ATTR_CHECKRESULT;
 
 isc_result_t
-zr_get_zone_settings(zone_register_t *zr, dns_name_t *name, settings_set_t **set) ATTR_NONNULLS ATTR_CHECKRESULT;
+zr_get_zone_settings(zone_register_t *zr, const dns_name_t *name, settings_set_t **set) ATTR_NONNULLS ATTR_CHECKRESULT;
 
 isc_result_t
 zr_get_zone_path(isc_mem_t *mctx, settings_set_t *settings,


=====================================
tests/azure/Dockerfiles/docker-compose.yml
=====================================
@@ -8,7 +8,7 @@ services:
     security_opt:
     - apparmor:unconfined
     - seccomp:./seccomp.json
-    mem_limit: 1900m
+    mem_limit: "1900m"
     volumes:
     - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
     - ./test-config.yaml:/root/.ipa/ipa-test-config.yaml:ro
@@ -25,7 +25,7 @@ services:
     security_opt:
     - apparmor:unconfined
     - seccomp:./seccomp.json
-    mem_limit: 1900m
+    mem_limit: "1900m"
     volumes:
     - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
     networks:
@@ -39,7 +39,7 @@ services:
     security_opt:
     - apparmor:unconfined
     - seccomp:./seccomp.json
-    mem_limit: 536870912
+    mem_limit: "536870912"
     volumes:
     - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
     # nfs server



View it on GitLab: https://salsa.debian.org/freeipa-team/bind-dyndb-ldap/-/compare/84b0aae01bef9e5f143794c2340a42a32fe2b840...d1038db8d3a24e0f82ef7f1074d8e8c7475238a3

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/bind-dyndb-ldap/-/compare/84b0aae01bef9e5f143794c2340a42a32fe2b840...d1038db8d3a24e0f82ef7f1074d8e8c7475238a3
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20200918/72821d7f/attachment-0001.html>


More information about the Pkg-freeipa-devel mailing list