"Fossies" - the Fresh Open Source Software Archive
As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard
) with prefixed line numbers.
Alternatively you can here view
the uninterpreted source code file.
3 BIND 9
7 1. Introduction
8 2. Reporting bugs and getting help
9 3. Contributing to BIND
10 4. BIND 9.11 features
11 5. Building BIND
12 6. macOS
13 7. Dependencies
14 8. Compile-time options
15 9. Automated testing
16 10. Documentation
17 11. Change log
18 12. Acknowledgments
22 BIND (Berkeley Internet Name Domain) is a complete, highly portable
23 implementation of the DNS (Domain Name System) protocol.
25 The BIND name server, named, is able to serve as an authoritative name
26 server, recursive resolver, DNS forwarder, or all three simultaneously. It
27 implements views for split-horizon DNS, automatic DNSSEC zone signing and
28 key management, catalog zones to facilitate provisioning of zone data
29 throughout a name server constellation, response policy zones (RPZ) to
30 protect clients from malicious data, response rate limiting (RRL) and
31 recursive query limits to reduce distributed denial of service attacks,
32 and many other advanced DNS features. BIND also includes a suite of
33 administrative tools, including the dig and delv DNS lookup tools,
34 nsupdate for dynamic DNS zone updates, rndc for remote name server
35 administration, and more.
37 BIND 9 is a complete re-write of the BIND architecture that was used in
38 versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
39 (c)(3) public benefit corporation dedicated to providing software and
40 services in support of the Internet infrastructure, developed BIND 9 and
41 is responsible for its ongoing maintenance and improvement. BIND is open
42 source software licensed under the terms of ISC License for all versions
43 up to and including BIND 9.10, and the Mozilla Public License version 2.0
44 for all subsequent versions.
46 For a summary of features introduced in past major releases of BIND, see
47 the file HISTORY.
49 For a detailed list of changes made throughout the history of BIND 9, see
50 the file CHANGES. See below for details on the CHANGES file format.
52 For up-to-date versions and release notes, see https://www.isc.org/
55 Reporting bugs and getting help
57 To report non-security-sensitive bugs or request new features, you may
58 open an Issue in the BIND 9 project on the ISC GitLab server at https://
61 Please note that, unless you explicitly mark the newly created Issue as
62 "confidential", it will be publicly readable. Please do not include any
63 information in bug reports that you consider to be confidential unless the
64 issue has been marked as such. In particular, if submitting the contents
65 of your configuration file in a non-confidential Issue, it is advisable to
66 obscure key secrets: this can be done automatically by using
67 named-checkconf -px.
69 If the bug you are reporting is a potential security issue, such as an
70 assertion failure or other crash in named, please do NOT use GitLab to
71 report it. Instead, send mail to firstname.lastname@example.org using our
72 OpenPGP key to secure your message. (Information about OpenPGP and links
73 to our key can be found at https://www.isc.org/pgpkey.) Please do not
74 discuss the bug on any public mailing list.
76 For a general overview of ISC security policies, read the Knowledge Base
77 article at https://kb.isc.org/docs/aa-00861.
79 Professional support and training for BIND are available from ISC at
82 To join the BIND Users mailing list, or view the archives, visit https://
85 If you're planning on making changes to the BIND 9 source code, you may
86 also want to join the BIND Workers mailing list, at https://lists.isc.org/
89 Contributing to BIND
91 ISC maintains a public git repository for BIND; details can be found at
94 Information for BIND contributors can be found in the following files: -
95 General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
96 style.md - BIND architecture and developer guide: doc/dev/dev.md
98 Patches for BIND may be submitted as merge requests in the ISC GitLab
99 server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
101 By default, external contributors don't have ability to fork BIND in the
102 GitLab server, but if you wish to contribute code to BIND, you may request
103 permission to do so. Thereafter, you can create git branches and directly
104 submit requests that they be reviewed and merged.
106 If you prefer, you may also submit code by opening a GitLab Issue and
107 including your patch as an attachment, preferably generated by git
110 BIND 9.11 features
112 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
113 releases. New features include:
115 • Added support for Catalog Zones, a new method for provisioning
116 servers: a list of zones to be served is stored in a DNS zone, along
117 with their configuration parameters. Changes to the catalog zone are
118 propagated to slaves via normal AXFR/IXFR, whereupon the zones that
119 are listed in it are automatically added, deleted or reconfigured.
120 • Added support for "dnstap", a fast and flexible method of capturing
121 and logging DNS traffic.
122 • Added support for "dyndb", a new API for loading zone data from an
123 external database, developed by Red Hat for the FreeIPA project.
124 • "fetchlimit" quotas are now compiled in by default. These are for the
125 use of recursive resolvers that are are under high query load for
126 domains whose authoritative servers are nonresponsive or are
127 experiencing a denial of service attack:
128 □ fetches-per-server limits the number of simultaneous queries that
129 can be sent to any single authoritative server. The configured
130 value is a starting point; it is automatically adjusted downward
131 if the server is partially or completely non-responsive. The
132 algorithm used to adjust the quota can be configured via the
133 "fetch-quota-params" option.
134 □ fetches-per-zone limits the number of simultaneous queries that
135 can be sent for names within a single domain. (Note: Unlike
136 fetches-per-server, this value is not self-tuning.)
137 □ New stats counters have been added to count queries spilled due to
138 these quotas.
139 • Added a new dnssec-keymgr key maintenance utility, which can generate
140 or update keys as needed to ensure that a zone's keys match a defined
141 DNSSEC policy.
142 • The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
143 and is no longer optional. EDNS COOKIE is a mechanism enabling clients
144 to detect off-path spoofed responses, and servers to detect
145 spoofed-source queries. Clients that identify themselves using COOKIE
146 options are not subject to response rate limiting (RRL) and can
147 receive larger UDP responses.
148 • SERVFAIL responses can now be cached for a limited time (defaulting to
149 1 second, with an upper limit of 30). This can reduce the frequency of
150 retries when a query is persistently failing.
151 • Added an nsip-wait-recurse switch to RPZ. This causes NSIP rules to be
152 skipped if a name server IP address isn't in the cache yet; the
153 address will be looked up and the rule will be applied on future
155 • Added a Python RNDC module. This allows multiple commands to sent over
156 a persistent RNDC channel, which saves time.
157 • The controls block in named.conf can now grant read-only rndc access
158 to specified clients or keys. Read-only clients could, for example,
159 check rndc status but could not reconfigure or shut down the server.
160 • rndc commands can now return arbitrarily large amounts of text to the
162 • The zone serial number of a dynamically updatable zone can now be set
163 via rndc signing -serial <number> <zonename>. This allows
164 inline-signing zones to be set to a specific serial number.
165 • The new rndc nta command can be used to set a Negative Trust Anchor
166 (NTA), disabling DNSSEC validation for a specific domain; this can be
167 used when responses from a domain are known to be failing validation
168 due to administrative error rather than because of a spoofing attack.
169 Negative trust anchors are strictly temporary; by default they expire
170 after one hour, but can be configured to last up to one week.
171 • rndc delzone can now be used on zones that were not originally created
172 by "rndc addzone".
173 • rndc modzone reconfigures a single zone, without requiring the entire
174 server to be reconfigured.
175 • rndc showzone displays the current configuration of a zone.
176 • rndc managed-keys can be used to check the status of RFC 5001 managed
177 trust anchors, or to force trust anchors to be refreshed.
178 • max-cache-size can now be set to a percentage of available memory. The
179 default is 90%.
180 • Update forwarding performance has been improved by allowing a single
181 TCP connection to be shared by multiple updates.
182 • The EDNS Client Subnet (ECS) option is now supported for authoritative
183 servers; if a query contains an ECS option then ACLs containing geoip
184 or ecs elements can match against the the address encoded in the
185 option. This can be used to select a view for a query, so that
186 different answers can be provided depending on the client network.
187 • The EDNS EXPIRE option has been implemented on the client side,
188 allowing a slave server to set the expiration timer correctly when
189 transferring zone data from another slave server.
190 • The key generation and manipulation tools (dnssec-keygen,
191 dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take -Psync
192 and -Dsync options to set the publication and deletion times of CDS
193 and CDNSKEY parent-synchronization records. Both named and
194 dnssec-signzone can now publish and remove these records at the
195 scheduled times.
196 • A new minimal-any option reduces the size of UDP responses for query
197 type ANY by returning a single arbitrarily selected RRset instead of
198 all RRsets.
199 • A new masterfile-style zone option controls the formatting of text
200 zone files: When set to full, a zone file is dumped in
201 single-line-per-record format.
202 • serial-update-method can now be set to date. On update, the serial
203 number will be set to the current date in YYYYMMDDNN format.
204 • dnssec-signzone -N date sets the serial number to YYYYMMDDNN.
205 • named -L <filename> causes named to send log messages to the specified
206 file by default instead of to the system log.
207 • dig +ttlunits prints TTL values with time-unit suffixes: w, d, h, m, s
208 for weeks, days, hours, minutes, and seconds.
209 • dig +unknownformat prints dig output in RFC 3597 "unknown record"
210 presentation format.
211 • dig +ednsopt allows dig to set arbitrary EDNS options on requests.
212 • dig +ednsflags allows dig to set yet-to-be-defined EDNS flags on
214 • mdig is an alternate version of dig which sends multiple pipelined TCP
215 queries to a server. Instead of waiting for a response after sending a
216 query, it sends all queries immediately and displays responses in the
217 order received.
218 • serial-query-rate no longer controls NOTIFY messages. These are
219 separately controlled by notify-rate and startup-notify-rate.
220 • nsupdate now performs check-names processing by default on records to
221 be added. This can be disabled with check-names no.
222 • The statistics channel now supports DEFLATE compression, reducing the
223 size of the data sent over the network when querying statistics.
224 • New counters have been added to the statistics channel to track the
225 sizes of incoming queries and outgoing responses in histogram buckets,
226 as specified in RSSAC002.
227 • A new NXDOMAIN redirect method (option nxdomain-redirect) has been
228 added, allowing redirection to a specified DNS namespace instead of a
229 single redirect zone.
230 • When starting up, named now ensures that no other named process is
231 already running.
232 • Files created by named to store information, including mkeys and nzf
233 files, are now named after their corresponding views unless the view
234 name contains characters incompatible with use as a filename. Old
235 style filenames (based on the hash of the view name) will still work.
237 BIND 9.11.1
239 BIND 9.11.1 is a maintenance release, and addresses the security flaws
240 disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147,
241 CVE-2016-9444, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, CVE-2017-3137
242 and CVE-2017-3138.
244 BIND 9.11.2
246 BIND 9.11.2 is a maintenance release, and addresses the security flaws
247 disclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and
248 CVE-2017-3143. It also addresses several bugs related to the use of an
249 LMDB database to store data related to zones added via rndc addzone or
250 catalog zones.
252 BIND 9.11.3
254 BIND 9.11.3 is a maintenance release, and addresses the security flaw
255 disclosed in CVE-2017-3145.
257 BIND 9.11.4
259 BIND 9.11.4 is a maintenance release, and addresses the security flaw
260 disclosed in CVE-2018-5738. It also introduces "root key sentinel"
261 support, enabling validating resolvers to indicate via a special query
262 which trust anchors are configured for the root zone.
264 BIND 9.11.5
266 BIND 9.11.5 is a maintenance release, and also addresses CVE-2018-5741 by
267 correcting faulty documentation and introducing the following new feature:
269 • New krb5-selfsub and ms-selfsub rule types for update-policy
270 statements allow updating of subdomains based on a Kerberos or Active
271 Directory machine principal.
273 BIND 9.11.6
275 BIND 9.11.6 is a maintenance release, and also addresses the security
276 flaws disclosed in CVE-2018-5743, CVE-2018-5745, CVE-2018-5744, and
279 BIND 9.11.7
281 BIND 9.11.7 is a maintenance release, and also addresses the security flaw
282 disclosed in CVE-2018-5743.
284 BIND 9.11.8
286 BIND 9.11.8 is a maintenance release, and also addresses the security flaw
287 disclosed in CVE-2019-6471.
289 BIND 9.11.9
291 BIND 9.11.9 is a maintenance release, and also adds support for the new
292 MaxMind GeoIP2 geolocation API when built with configure --with-geoip2.
294 BIND 9.11.10
296 BIND 9.11.10 is a maintenance release.
298 BIND 9.11.11
300 BIND 9.11.11 is a maintenance release.
302 BIND 9.11.12
304 BIND 9.11.12 is a maintenance release.
306 BIND 9.11.13
308 BIND 9.11.13 is a maintenance release, and also addresses the security
309 vulnerability disclosed in CVE-2019-6477.
311 BIND 9.11.14
313 BIND 9.11.14 is a maintenance release.
315 BIND 9.11.15
317 BIND 9.11.15 is a maintenance release.
319 BIND 9.11.16
321 BIND 9.11.16 is a maintenance release.
323 BIND 9.11.17
325 BIND 9.11.17 is a maintenance release.
327 BIND 9.11.18
329 BIND 9.11.18 is a maintenance release.
331 BIND 9.11.19
333 BIND 9.11.19 is a maintenance release, and also addresses the security
334 vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
336 BIND 9.11.20
338 BIND 9.11.20 is a maintenance release, and also addresses the security
339 vulnerability disclosed in CVE-2020-8619.
341 BIND 9.11.21
343 BIND 9.11.21 is a maintenance release.
345 BIND 9.11.22
347 BIND 9.11.22 is a maintenance release, and also addresses the security
348 vulnerabilities disclosed in CVE-2020-8622, CVE-2020-8623, and
351 BIND 9.11.23
353 BIND 9.11.23 is a maintenance release.
355 Building BIND
357 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
358 basic POSIX support, and a 64-bit integer type. Successful builds have
359 been observed on many versions of Linux and UNIX, including RHEL/CentOS,
360 Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
361 NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
364 BIND is also available for Windows Server 2008 and higher. See win32utils/
365 build.txt for details on building for Windows systems.
367 To build on a UNIX or Linux system, use:
369 $ ./configure
370 $ make
372 If you're planning on making changes to the BIND 9 source, you should run
373 make depend. If you're using Emacs, you might find make tags helpful.
375 Several environment variables that can be set before running configure
376 will affect compilation. Significant ones are:
378 Variable Description
379 CC The C compiler to use. configure tries to figure out the
380 right one for supported systems.
381 C compiler flags. Defaults to include -g and/or -O2 as
382 CFLAGS supported by the compiler. Please include '-g' if you need
383 to set CFLAGS.
384 System header file directories. Can be used to specify
385 STD_CINCLUDES where add-on thread or IPv6 support is, for example.
386 Defaults to empty string.
387 Any additional preprocessor symbols you want defined.
388 STD_CDEFINES Defaults to empty string. For a list of possible settings,
389 see the file OPTIONS.
390 LDFLAGS Linker flags. Defaults to empty string.
391 BUILD_CC Needed when cross-compiling: the native C compiler to use
392 when building for the target system.
393 BUILD_CFLAGS CFLAGS for the target system during cross-compiling.
394 BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling.
395 BUILD_LDFLAGS LDFLAGS for the target system during cross-compiling.
396 BUILD_LIBS LIBS for the target system during cross-compiling.
398 Additional environment variables affecting the build are listed at the end
399 of the configure help text, which can be obtained by running the command:
401 $ ./configure --help
403 On platforms where neither the C11 Atomic operations library nor custom
404 ISC atomic operations are available, updating the statistics counters is
405 not locked due to performance reasons and therefore the counters might be
406 inaccurate. Anybody building BIND 9 is strongly advised to use a modern
407 C11 compiler with C11 Atomic operations library support.
411 Building on macOS assumes that the "Command Tools for Xcode" is installed.
412 This can be downloaded from https://developer.apple.com/download/more/ or,
413 if you have Xcode already installed, you can run xcode-select --install.
414 (Note that an Apple ID may be required to access the download page.)
418 Portions of BIND that are written in Python, including dnssec-keymgr,
419 dnssec-coverage, dnssec-checkds, and some of the system tests, require the
420 argparse, ply and distutils.core modules to be available. argparse is a
421 standard module as of Python 2.7 and Python 3.2. ply is available from
422 https://pypi.python.org/pypi/ply. distutils.core is required for
425 Compile-time options
427 To see a full list of configuration options, run configure --help.
429 On most platforms, BIND 9 is built with multithreading support, allowing
430 it to take advantage of multiple CPUs. You can configure this by
431 specifying --enable-threads or --disable-threads on the configure command
432 line. The default is to enable threads, except on some older operating
433 systems on which threads are known to have had problems in the past.
434 (Note: Prior to BIND 9.10, the default was to disable threads on Linux
435 systems; this has now been reversed. On Linux systems, the threaded build
436 is known to change BIND's behavior with respect to file permissions; it
437 may be necessary to specify a user with the -u option when running named.)
439 To build shared libraries, specify --with-libtool on the configure command
442 For the server to support DNSSEC, you need to build it with crypto
443 support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
444 installed. If the OpenSSL library is installed in a nonstandard location,
445 specify the prefix using --with-openssl=<PREFIX> on the configure command
446 line. To use a PKCS#11 hardware service module for cryptographic
447 operations, specify the path to the PKCS#11 provider library using
448 --with-pkcs11=<PREFIX>, and configure BIND with "--enable-native-pkcs11".
450 To support the HTTP statistics channel, the server must be linked with at
451 least one of the following libraries: libxml2 http://xmlsoft.org or json-c
452 https://github.com/json-c/json-c. If these are installed at a nonstandard
453 location, then:
455 • for libxml2, specify the prefix using --with-libxml2=/prefix,
456 • for json-c, adjust PKG_CONFIG_PATH.
458 To support compression on the HTTP statistics channel, the server must be
459 linked against libzlib. If this is installed in a nonstandard location,
460 specify the prefix using --with-zlib=/prefix.
462 To support storing configuration data for runtime-added zones in an LMDB
463 database, the server must be linked with liblmdb. If this is installed in
464 a nonstandard location, specify the prefix using with-lmdb=/prefix.
466 To support GeoIP location-based ACLs, the server must be linked with
467 libGeoIP. This is not turned on by default; BIND must be configured with
468 "--with-geoip". If the library is installed in a nonstandard location, use
469 specify the prefix using "--with-geoip=/prefix".
471 For DNSTAP packet logging, you must have installed libfstrm https://
472 github.com/farsightsec/fstrm and libprotobuf-c https://
473 developers.google.com/protocol-buffers, and BIND must be configured with
476 Certain compiled-in constants and default settings can be increased to
477 values better suited to large servers with abundant memory resources (e.g,
478 64-bit servers with 12G or more of memory) by specifying --with-tuning=
479 large on the configure command line. This can improve performance on big
480 servers, but will consume more memory and may degrade performance on
481 smaller systems.
483 On some platforms it is necessary to explicitly request large file support
484 to handle files bigger than 2GB. This can be done by using
485 --enable-largefile on the configure command line.
487 Support for the "fixed" rrset-order option can be enabled or disabled by
488 specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
489 command line. By default, fixed rrset-order is disabled to reduce memory
492 If your operating system has integrated support for IPv6, it will be used
493 automatically. If you have installed KAME IPv6 separately, use --with-kame
494 [=PATH] to specify its location.
496 The --enable-querytrace option causes named to log every step of
497 processing every query. This should only be enabled when debugging,
498 because it has a significant negative impact on query performance.
500 make install will install named and the various BIND 9 libraries. By
501 default, installation is into /usr/local, but this can be changed with the
502 --prefix option when running configure.
504 You may specify the option --sysconfdir to set the directory where
505 configuration files like named.conf go by default, and --localstatedir to
506 set the default parent directory of run/named.pid. For backwards
507 compatibility with BIND 8, --sysconfdir defaults to /etc and
508 --localstatedir defaults to /var if no --prefix option is given. If there
509 is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
510 defaults to $prefix/var.
512 Automated testing
514 A system test suite can be run with make test. The system tests require
515 you to configure a set of virtual IP addresses on your system (this allows
516 multiple servers to run locally and communicate with one another). These
517 IP addresses can be configured by running the command bin/tests/system/
518 ifconfig.sh up as root.
520 Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
521 and will be skipped if these are not available. Some tests require Python
522 and the dnspython module and will be skipped if these are not available.
523 See bin/tests/system/README for further details.
525 Unit tests are implemented using the CMocka unit testing framework. To
526 build them, use configure --with-cmocka. Execution of tests is done by the
527 Kyua test execution engine; if the kyua command is available, then unit
528 tests can be run via make test or make unit.
532 The BIND 9 Administrator Reference Manual is included with the source
533 distribution, in DocBook XML, HTML, and PDF format, in the doc/arm
536 Some of the programs in the BIND 9 distribution have man pages in their
537 directories. In particular, the command line options of named are
538 documented in bin/named/named.8.
540 Frequently (and not-so-frequently) asked questions and their answers can
541 be found in the ISC Knowledge Base at https://kb.isc.org.
543 Additional information on various subjects can be found in other README
544 files throughout the source tree.
546 Change log
548 A detailed list of all changes that have been made throughout the
549 development BIND 9 is included in the file CHANGES, with the most recent
550 changes listed first. Change notes include tags indicating the category of
551 the change that was made; these categories are:
553 Category Description
554 [func] New feature
555 [bug] General bug fix
556 [security] Fix for a significant security flaw
557 [experimental] Used for new features when the syntax or other aspects of
558 the design are still in flux and may change
559 [port] Portability enhancement
560 [maint] Updates to built-in data such as root server addresses and
562 [tuning] Changes to built-in configuration defaults and constants to
563 improve performance
564 [performance] Other changes to improve server performance
565 [protocol] Updates to the DNS protocol such as new RR types
566 [test] Changes to the automatic tests, not affecting server
568 [cleanup] Minor corrections and refactoring
569 [doc] Documentation
570 [contrib] Changes to the contributed tools and libraries in the
571 'contrib' subdirectory
572 Used in the master development branch to reserve change
573 [placeholder] numbers for use in other branches, e.g. when fixing a bug
574 that only exists in older releases
576 In general, [func] and [experimental] tags will only appear in new-feature
577 releases (i.e., those with version numbers ending in zero). Some new
578 functionality may be backported to older releases on a case-by-case basis.
579 All other change types may be applied to all currently-supported releases.
581 Bug report identifiers
583 Most notes in the CHANGES file include a reference to a bug report or
584 issue number. Prior to 2018, these were usually of the form [RT #NNN] and
585 referred to entries in the "bind9-bugs" RT database, which was not open to
586 the public. More recent entries use the form [GL #NNN] or, less often, [GL
587 !NNN], which, respectively, refer to issues or merge requests in the
588 GitLab database. Most of these are publicly readable, unless they include
589 information which is confidential or security sensitive.
591 To look up a GitLab issue by its number, use the URL https://
592 gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
593 use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
595 In rare cases, an issue or merge request number may be followed with the
596 letter "P". This indicates that the information is in the private ISC
597 GitLab instance, which is not visible to the public.
601 • The original development of BIND 9 was underwritten by the following
604 Sun Microsystems, Inc.
605 Hewlett Packard
606 Compaq Computer Corporation
608 Process Software Corporation
609 Silicon Graphics, Inc.
610 Network Associates, Inc.
611 U.S. Defense Information Systems Agency
612 USENIX Association
613 Stichting NLnet - NLnet Foundation
614 Nominum, Inc.
616 • This product includes software developed by the OpenSSL Project for
617 use in the OpenSSL Toolkit. http://www.OpenSSL.org/
619 • This product includes cryptographic software written by Eric Young
622 • This product includes software written by Tim Hudson