Remove trailing whitespace from all text files

I've used the following command to remove the trailing whitespace for
all tracked text files:

git grep -Il '' | xargs sed -i 's/[ \t]*$//'

.dir-locals.el

@@ -52,7 +52,7 @@
 	       ;; libtest
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "tests/include"))
-	       
+
 	       ;; bin
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "bin/check"))
@@ -61,7 +61,7 @@
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "bin/confgen"))
 	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen/include"))	       
+		(concat directory-of-current-dir-locals-file "bin/confgen/include"))
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "bin/dig/include"))
 	       (expand-file-name
@@ -79,7 +79,7 @@
 
 	       (expand-file-name "/usr/include/libxml2")
 	       (expand-file-name "/usr/include/json-c")
-	       
+
 	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
 	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
 	       (expand-file-name "/usr/local/opt/json-c/include/json-c/")

COPYRIGHT

@@ -133,7 +133,7 @@ modification, are permitted provided that the following conditions are met:
 3. Neither the name of the University nor the names of its contributors may
    be used to endorse or promote products derived from this software
    without specific prior written permission.
- 
+
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -149,35 +149,35 @@ POSSIBILITY OF SUCH DAMAGE.
  -----------------------------------------------------------------------------
 
 Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
-(Royal Institute of Technology, Stockholm, Sweden). 
+(Royal Institute of Technology, Stockholm, Sweden).
-All rights reserved. 
+All rights reserved.
 
-Redistribution and use in source and binary forms, with or without 
+Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions 
+modification, are permitted provided that the following conditions
-are met: 
+are met:
 
-1. Redistributions of source code must retain the above copyright 
+1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer. 
+   notice, this list of conditions and the following disclaimer.
 
-2. Redistributions in binary form must reproduce the above copyright 
+2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the 
+   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution. 
+   documentation and/or other materials provided with the distribution.
 
-3. Neither the name of the Institute nor the names of its contributors 
+3. Neither the name of the Institute nor the names of its contributors
-   may be used to endorse or promote products derived from this software 
+   may be used to endorse or promote products derived from this software
-   without specific prior written permission. 
+   without specific prior written permission.
 
-THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE. 
+SUCH DAMAGE.
 
  -----------------------------------------------------------------------------
 

bin/delv/delv.rst

@@ -293,7 +293,7 @@ assign values to options like the timeout interval. They have the form
 
    This option toggles logging of messages sent. This produces a detailed
    dump of the queries sent by :program:`delv` in the process of carrying
-   out the resolution and validation process. Turning on this option 
+   out the resolution and validation process. Turning on this option
    also activates ``+mtrace``.
 
    This is equivalent to setting the debug level to 11 for the "packets"

bin/dnssec/dnssec-settime.rst

@@ -148,7 +148,7 @@ All these formats are case-insensitive.
 .. option:: -A date/offset
 
    This option sets the date on which the key is to be activated. After that date,
-   the key is included in the zone and used to sign it. 
+   the key is included in the zone and used to sign it.
 
 .. option:: -R date/offset
 

bin/tests/startperf/makenames.pl

@@ -19,7 +19,7 @@ $len = @ARGV[1] if (@ARGV == 2);
 
 my @chars = split("", "abcdefghijklmnopqrstuvwxyz123456789");
 
-srand; 
+srand;
 for (my $i = 0; $i < @ARGV[0]; $i++) {
         my $name = "";
         for (my $j = 0; $j < $len; $j++) {

bin/tests/startperf/mkzonefile.pl

@@ -31,7 +31,7 @@ print"\$TTL 300	; 5 minutes
 			NS	ns
 ns			A	10.53.0.3\n";
 
-srand; 
+srand;
 for (my $i = 0; $i < $nrecords; $i++) {
         my $name = "";
         for (my $j = 0; $j < 8; $j++) {

bin/tests/system/ans.pl

@@ -205,7 +205,7 @@ sub handleUDP {
 							 $prev_tsig->mac);
 					}
 				}
-				
+
 				$packet->sign_tsig($tsig);
 			}
 			last;
@@ -253,7 +253,7 @@ sub packetlen {
 	} else {
 		($header, $offset) = Net::DNS::Header->parse(\$data);
 	}
-		
+
 	for (1 .. $header->qdcount) {
 		if ($decode) {
 			($q, $offset) =
@@ -339,7 +339,7 @@ sub handleTCP {
 		($request, $err) = new Net::DNS::Packet(\$buf, 0);
 		$err and die $err;
 	}
-	
+
 	my @questions = $request->question;
 	my $qname = $questions[0]->qname;
 	my $qtype = $questions[0]->qtype;
@@ -387,7 +387,7 @@ sub handleTCP {
 			if (defined($key_name) && defined($key_data)) {
 				my $tsig;
 				# sign the packet
-				print "  Signing the data with " . 
+				print "  Signing the data with " .
 				      "$key_name/$key_data\n";
 
 				if ($Net::DNS::VERSION < 0.69) {
@@ -431,7 +431,7 @@ sub handleTCP {
 							 $prev_tsig->mac);
 					}
 				}
-				
+
 				$tsig->sign_func($signer) if defined($signer);
 				$tsig->continuation($continuation) if
 					 ($Net::DNS::VERSION >= 0.71 &&

bin/tests/system/checkconf/dnssec.2

@@ -1,6 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- * 
+ *
  * SPDX-License-Identifier: MPL-2.0
  *
  * This Source Code Form is subject to the terms of the Mozilla Public

bin/tests/system/checkconf/dnssec.3

@@ -1,6 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- * 
+ *
  * SPDX-License-Identifier: MPL-2.0
  *
  * This Source Code Form is subject to the terms of the Mozilla Public

bin/tests/system/digdelv/clean.sh

@@ -31,7 +31,7 @@ rm -f ./ns*/named.lock
 rm -f ./ns*/K* ./ns*/keyid ./ns*/keydata
 rm -f ./ns1/root.db
 rm -f ./ns*/dsset-*
-rm -f ./ns2/example.db 
+rm -f ./ns2/example.db
 rm -f ./ns2/example.tld.db
 rm -f ./nslookup.out.test*
 rm -f ./nsupdate.out.test*

bin/tests/system/doth/CA/certs/srv01.client01.example.com.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.client01.example.com
     Signature Algorithm: sha256WithRSAEncryption
          82:bd:eb:8f:4e:a5:d2:46:c7:d8:70:3c:34:1d:58:43:1b:81:

bin/tests/system/doth/CA/certs/srv01.client02-ns2.example.com.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.client02-ns2.example.com
     Signature Algorithm: sha256WithRSAEncryption
          43:ec:0f:62:17:f6:f4:90:3b:7c:36:21:f2:18:94:a6:42:51:

bin/tests/system/doth/CA/certs/srv01.client03-ns2-expired.example.com.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.client03-ns2-expired.example.com
     Signature Algorithm: sha256WithRSAEncryption
          38:12:1f:5f:26:b6:8e:9b:3f:77:89:5a:b8:e8:46:78:c3:d6:

bin/tests/system/doth/CA/certs/srv01.crt01.example.com.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.crt01.example.com, IP Address:10.53.0.1, IP Address:FD92:7065:B8E:FFFF:0:0:0:1
     Signature Algorithm: sha256WithRSAEncryption
          79:0f:08:ab:18:cc:f9:7a:bd:47:21:99:a1:a3:76:04:7f:d7:

bin/tests/system/doth/CA/certs/srv01.crt03-expired.example.com.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.crt03-expired.example.com, IP Address:10.53.0.1, IP Address:FD92:7065:B8E:FFFF:0:0:0:1
     Signature Algorithm: sha256WithRSAEncryption
          25:35:08:f6:e7:f0:83:81:be:65:31:1b:78:a8:04:84:fe:6a:

bin/tests/system/doth/CA/certs/srv02.crt01.example.com.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv02.crt01.example.com, IP Address:10.53.0.2, IP Address:FD92:7065:B8E:FFFF:0:0:0:2
     Signature Algorithm: sha256WithRSAEncryption
          89:ba:ae:4f:f8:3e:da:48:1f:5c:8f:ff:ee:d8:42:b0:0b:9b:

bin/tests/system/doth/CA/certs/srv03.crt01.example.com.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv03.crt01.example.com, IP Address:10.53.0.3, IP Address:FD92:7065:B8E:FFFF:0:0:0:3
     Signature Algorithm: sha256WithRSAEncryption
          8f:96:88:82:94:76:8e:97:b6:75:8b:e9:2b:4f:f3:8f:14:5c:

bin/tests/system/doth/CA/certs/srv04.crt01.example.com.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv04.crt01.example.com, IP Address:10.53.0.4, IP Address:FD92:7065:B8E:FFFF:0:0:0:4
     Signature Algorithm: sha256WithRSAEncryption
          48:b5:38:59:79:e6:51:a6:ea:80:d7:d1:3c:29:03:70:31:e4:

bin/tests/system/doth/CA/newcerts/6BB3183CDEF52001.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.crt01.example.com, IP Address:10.53.0.1, IP Address:FD92:7065:B8E:FFFF:0:0:0:1
     Signature Algorithm: sha256WithRSAEncryption
          79:0f:08:ab:18:cc:f9:7a:bd:47:21:99:a1:a3:76:04:7f:d7:

bin/tests/system/doth/CA/newcerts/6BB3183CDEF52003.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv02.crt01.example.com, IP Address:10.53.0.2, IP Address:FD92:7065:B8E:FFFF:0:0:0:2
     Signature Algorithm: sha256WithRSAEncryption
          89:ba:ae:4f:f8:3e:da:48:1f:5c:8f:ff:ee:d8:42:b0:0b:9b:

bin/tests/system/doth/CA/newcerts/6BB3183CDEF52004.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv03.crt01.example.com, IP Address:10.53.0.3, IP Address:FD92:7065:B8E:FFFF:0:0:0:3
     Signature Algorithm: sha256WithRSAEncryption
          8f:96:88:82:94:76:8e:97:b6:75:8b:e9:2b:4f:f3:8f:14:5c:

bin/tests/system/doth/CA/newcerts/6BB3183CDEF52005.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv04.crt01.example.com, IP Address:10.53.0.4, IP Address:FD92:7065:B8E:FFFF:0:0:0:4
     Signature Algorithm: sha256WithRSAEncryption
          48:b5:38:59:79:e6:51:a6:ea:80:d7:d1:3c:29:03:70:31:e4:

bin/tests/system/doth/CA/newcerts/6BB3183CDEF52006.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.crt03-expired.example.com, IP Address:10.53.0.1, IP Address:FD92:7065:B8E:FFFF:0:0:0:1
     Signature Algorithm: sha256WithRSAEncryption
          25:35:08:f6:e7:f0:83:81:be:65:31:1b:78:a8:04:84:fe:6a:

bin/tests/system/doth/CA/newcerts/6BB3183CDEF52007.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.client01.example.com
     Signature Algorithm: sha256WithRSAEncryption
          82:bd:eb:8f:4e:a5:d2:46:c7:d8:70:3c:34:1d:58:43:1b:81:

bin/tests/system/doth/CA/newcerts/6BB3183CDEF52008.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.client02-ns2.example.com
     Signature Algorithm: sha256WithRSAEncryption
          43:ec:0f:62:17:f6:f4:90:3b:7c:36:21:f2:18:94:a6:42:51:

bin/tests/system/doth/CA/newcerts/6BB3183CDEF52009.pem

@@ -22,7 +22,7 @@ Certificate:
                 ASN1 OID: secp384r1
                 NIST CURVE: P-384
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.client03-ns2-expired.example.com
     Signature Algorithm: sha256WithRSAEncryption
          38:12:1f:5f:26:b6:8e:9b:3f:77:89:5a:b8:e8:46:78:c3:d6:

bin/tests/system/doth/example.axfr.good

@@ -17,7 +17,7 @@ amtrelay04.example.	3600	IN	AMTRELAY 0 0 2 ::
 amtrelay05.example.	3600	IN	AMTRELAY 0 0 3 example.net.
 amtrelay06.example.	3600	IN	AMTRELAY \# 2 0004
 apl01.example.		3600	IN	APL	!1:10.0.0.1/32 1:10.0.0.0/24
-apl02.example.		3600	IN	APL	
+apl02.example.		3600	IN	APL
 atma01.example.		3600	IN	ATMA	+61200000000
 atma02.example.		3600	IN	ATMA	+61200000000
 atma03.example.		3600	IN	ATMA	1234567890abcdef

bin/tests/system/doth/example8.axfr.good

@@ -17,7 +17,7 @@ amtrelay04.example8.	3600	IN	AMTRELAY 0 0 2 ::
 amtrelay05.example8.	3600	IN	AMTRELAY 0 0 3 example.net.
 amtrelay06.example8.	3600	IN	AMTRELAY \# 2 0004
 apl01.example8.		3600	IN	APL	!1:10.0.0.1/32 1:10.0.0.0/24
-apl02.example8.		3600	IN	APL	
+apl02.example8.		3600	IN	APL
 atma01.example8.	3600	IN	ATMA	+61200000000
 atma02.example8.	3600	IN	ATMA	+61200000000
 atma03.example8.	3600	IN	ATMA	1234567890abcdef

bin/tests/system/fetchlimit/tests.sh

@@ -38,7 +38,7 @@ burst() {
 }
 
 stat() {
-    clients=`rndccmd ${1} status | grep "recursive clients" | 
+    clients=`rndccmd ${1} status | grep "recursive clients" |
             sed 's;.*: \([^/][^/]*\)/.*;\1;'`
     echo_i "clients: $clients"
     [ "$clients" = "" ] && return 1

bin/tests/system/formerr/clean.sh

@@ -11,9 +11,9 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-rm -f nametoolong.out 
+rm -f nametoolong.out
-rm -f twoquestions.out 
+rm -f twoquestions.out
-rm -f noquestions.out 
+rm -f noquestions.out
 rm -f ns*/named.conf
 rm -f ns*/named.lock
 rm -f ns*/named.run

bin/tests/system/formerr/formerr.pl

@@ -16,7 +16,7 @@
 # the standard input, in the form of a series of bytes in hexadecimal.
 # Whitespace is ignored, as is anything following a '#' symbol.
 #
-# For example, the following input would generate normal query for 
+# For example, the following input would generate normal query for
 # isc.org/NS/IN":
 #
 #     # QID:

bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.pem

@@ -41,11 +41,11 @@ Certificate:
                     87:aa:71:a8:6d:39:96:fe:e7:a9
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv02.crt01.example.nil, IP Address:10.53.0.2
-            X509v3 Subject Key Identifier: 
+            X509v3 Subject Key Identifier:
                 70:90:94:81:4A:B2:BF:13:D6:29:1A:90:D9:33:A4:C5:74:29:CF:59
-            X509v3 Authority Key Identifier: 
+            X509v3 Authority Key Identifier:
                 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:

bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.pem

@@ -41,11 +41,11 @@ Certificate:
                     1f:2f:1a:15:15:cc:61:f3:b9:6f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv02.crt02-expired.example.nil, IP Address:10.53.0.2
-            X509v3 Subject Key Identifier: 
+            X509v3 Subject Key Identifier:
                 A7:8A:6D:EA:10:B4:6B:B8:13:16:6B:BA:A0:26:C3:9A:E7:A6:71:7E
-            X509v3 Authority Key Identifier: 
+            X509v3 Authority Key Identifier:
                 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:

bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.pem

@@ -41,11 +41,11 @@ Certificate:
                     ff:1b:ad:59:35:c1:d1:d3:a6:ff
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv04.crt01.example.nil, IP Address:10.53.0.4
-            X509v3 Subject Key Identifier: 
+            X509v3 Subject Key Identifier:
                 CA:83:06:FB:3E:57:50:DD:FD:BF:00:5A:60:E2:6D:98:71:CD:2C:F2
-            X509v3 Authority Key Identifier: 
+            X509v3 Authority Key Identifier:
                 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:

bin/tests/system/forward/CA/newcerts/CCC118082632E18B.pem

@@ -41,11 +41,11 @@ Certificate:
                     87:aa:71:a8:6d:39:96:fe:e7:a9
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv02.crt01.example.nil, IP Address:10.53.0.2
-            X509v3 Subject Key Identifier: 
+            X509v3 Subject Key Identifier:
                 70:90:94:81:4A:B2:BF:13:D6:29:1A:90:D9:33:A4:C5:74:29:CF:59
-            X509v3 Authority Key Identifier: 
+            X509v3 Authority Key Identifier:
                 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:

bin/tests/system/forward/CA/newcerts/CCC118082632E18C.pem

@@ -41,11 +41,11 @@ Certificate:
                     1f:2f:1a:15:15:cc:61:f3:b9:6f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv02.crt02-expired.example.nil, IP Address:10.53.0.2
-            X509v3 Subject Key Identifier: 
+            X509v3 Subject Key Identifier:
                 A7:8A:6D:EA:10:B4:6B:B8:13:16:6B:BA:A0:26:C3:9A:E7:A6:71:7E
-            X509v3 Authority Key Identifier: 
+            X509v3 Authority Key Identifier:
                 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:

bin/tests/system/forward/CA/newcerts/CCC118082632E18D.pem

@@ -41,11 +41,11 @@ Certificate:
                     ff:1b:ad:59:35:c1:d1:d3:a6:ff
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv04.crt01.example.nil, IP Address:10.53.0.4
-            X509v3 Subject Key Identifier: 
+            X509v3 Subject Key Identifier:
                 CA:83:06:FB:3E:57:50:DD:FD:BF:00:5A:60:E2:6D:98:71:CD:2C:F2
-            X509v3 Authority Key Identifier: 
+            X509v3 Authority Key Identifier:
                 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:

bin/tests/system/genzone.sh

@@ -96,7 +96,7 @@ hinfo02			HINFO	PC NetBSD
 
 ; type 14
 minfo01			MINFO	rmailbx emailbx
-minfo02			MINFO	. . 
+minfo02			MINFO	. .
 
 ; type 15
 mx01			MX	10 mail
@@ -121,7 +121,7 @@ txt15			TXT	"bar\\;"
 
 ; type 17
 rp01			RP	mbox-dname txt-dname
-rp02			RP	. . 
+rp02			RP	. .
 
 ; type 18
 afsdb01			AFSDB	0 hostname
@@ -154,7 +154,7 @@ nsap-ptr01		NSAP-PTR .
 
 ; type 24
 ;sig01			SIG	NXT 1 3 ( 3600 20000102030405
-;				19961211100908 2143 foo.nil. 
+;				19961211100908 2143 foo.nil.
 ;				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
 ;				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
 ;				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
@@ -205,7 +205,7 @@ atma03			ATMA	1234567890abcdef
 atma04			ATMA	f.e.d.c.b.a.0.9.8.7.6.5.4.3.2.1
 
 ; type 35
-naptr01			NAPTR   0 0 "" "" "" . 
+naptr01			NAPTR   0 0 "" "" "" .
 naptr02			NAPTR   65535 65535 blurgh blorf blllbb foo.
 naptr02			NAPTR   65535 65535 "blurgh" "blorf" "blllbb" foo.
 
@@ -214,7 +214,7 @@ kx01			KX	10 kdc
 kx02			KX	10 .
 
 ; type 37
-cert01			CERT	65534 65535 254 ( 
+cert01			CERT	65534 65535 254 (
 				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
 				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
 				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
@@ -266,7 +266,7 @@ ipseckey05		IPSECKEY	( 10 2 2
 
 ; type 46
 rrsig01			RRSIG	NSEC 1 3 ( 3600 20000102030405
-				19961211100908 2143 foo.nil. 
+				19961211100908 2143 foo.nil.
 				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
 				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
 				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
@@ -503,7 +503,7 @@ svcb1			SVCB	1 . port=60
 
 ; keydata (internal type used for managed keys)
 keydata			TYPE65533	\# 0
-keydata			TYPE65533	\# 6 010203040506 
+keydata			TYPE65533	\# 6 010203040506
 keydata			TYPE65533	\# 18 010203040506010203040506010203040506
 
 ; type 65535 (reserved)

bin/tests/system/inline/ns3/sign.sh

@@ -148,11 +148,11 @@ do
     $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db
 
     # Convert k1 and k2 in to External Keys.
-    rm -f $k1.private 
+    rm -f $k1.private
     mv $k1.key a-file
     $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 ||
         ( echo_i "importkey failed: $alg" )
-    rm -f $k2.private 
+    rm -f $k2.private
     mv $k2.key a-file
     $IMPORTKEY -f a-file $zone > /dev/null 2>&1 ||
         ( echo_i "importkey failed: $alg" )

bin/tests/system/legacy/ns6/sign.sh

@@ -22,7 +22,7 @@ infile=edns512.db.in
 zonefile=edns512.db
 outfile=edns512.db.signed
 
-keyname1=`$KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null` 
+keyname1=`$KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile

bin/tests/system/legacy/ns7/sign.sh

@@ -22,7 +22,7 @@ infile=edns512-notcp.db.in
 zonefile=edns512-notcp.db
 outfile=edns512-notcp.db.signed
 
-keyname1=`$KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null` 
+keyname1=`$KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile

bin/tests/system/metadata/clean.sh

@@ -12,7 +12,7 @@
 # information regarding copyright ownership.
 
 rm -f K* dsset-* *.signed *.new
-rm -f zsk.key ksk.key parent.ksk.key parent.zsk.key 
+rm -f zsk.key ksk.key parent.ksk.key parent.zsk.key
 rm -f pending.key rolling.key standby.key inact.key
 rm -f prerev.key postrev.key oldstyle.key
 rm -f keys sigs

bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.pem

@@ -40,7 +40,7 @@ Certificate:
                     42:89:b8:e3:f8:b1:24:08:7e:99
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.client01.example.nil, IP Address:10.53.0.1
     Signature Algorithm: sha256WithRSAEncryption
          07:97:69:51:12:50:6a:e1:02:a0:b0:dc:93:75:16:c4:38:0f:

bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.pem

@@ -40,7 +40,7 @@ Certificate:
                     af:8d:0c:fb:7c:ea:c7:73:9c:9b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.client02-expired.example.nil, IP Address:10.53.0.1
     Signature Algorithm: sha256WithRSAEncryption
          18:f1:7c:24:5b:d2:03:b0:60:0e:60:e6:32:f9:a7:47:d1:e4:

bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.pem

@@ -40,7 +40,7 @@ Certificate:
                     74:ab:fb:cc:a3:5d:a6:84:80:0b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.crt01.example.nil, IP Address:10.53.0.1
     Signature Algorithm: sha256WithRSAEncryption
          94:15:c0:4a:f1:aa:15:30:f7:cb:fe:f9:fa:ba:5f:f0:18:1f:

bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.pem

@@ -40,7 +40,7 @@ Certificate:
                     76:74:77:ce:3d:4d:fe:02:b1:33
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.crt02-expired.example.nil, IP Address:10.53.0.1
     Signature Algorithm: sha256WithRSAEncryption
          2a:52:c4:cb:a9:2f:f7:2b:ed:04:b5:03:d5:06:59:ed:5c:7c:

bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19598.pem

@@ -40,7 +40,7 @@ Certificate:
                     74:ab:fb:cc:a3:5d:a6:84:80:0b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.crt01.example.nil, IP Address:10.53.0.1
     Signature Algorithm: sha256WithRSAEncryption
          94:15:c0:4a:f1:aa:15:30:f7:cb:fe:f9:fa:ba:5f:f0:18:1f:

bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19599.pem

@@ -40,7 +40,7 @@ Certificate:
                     76:74:77:ce:3d:4d:fe:02:b1:33
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.crt02-expired.example.nil, IP Address:10.53.0.1
     Signature Algorithm: sha256WithRSAEncryption
          2a:52:c4:cb:a9:2f:f7:2b:ed:04:b5:03:d5:06:59:ed:5c:7c:

bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem

@@ -40,7 +40,7 @@ Certificate:
                     42:89:b8:e3:f8:b1:24:08:7e:99
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.client01.example.nil, IP Address:10.53.0.1
     Signature Algorithm: sha256WithRSAEncryption
          07:97:69:51:12:50:6a:e1:02:a0:b0:dc:93:75:16:c4:38:0f:

bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem

@@ -40,7 +40,7 @@ Certificate:
                     af:8d:0c:fb:7c:ea:c7:73:9c:9b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Alternative Name: 
+            X509v3 Subject Alternative Name:
                 DNS:srv01.client02-expired.example.nil, IP Address:10.53.0.1
     Signature Algorithm: sha256WithRSAEncryption
          18:f1:7c:24:5b:d2:03:b0:60:0e:60:e6:32:f9:a7:47:d1:e4:

bin/tests/system/pending/ns1/sign.sh

@@ -1,4 +1,4 @@
-#!/bin/sh 
+#!/bin/sh
 
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #

bin/tests/system/resolver/tests.sh

@@ -163,7 +163,7 @@ do
         # Expected queries = 2 * number of NS records, up to a maximum of 10.
         expected=$((nscount*2))
         if [ "$expected" -gt 10 ]; then expected=10; fi
-        # Count the number of logged fetches 
+        # Count the number of logged fetches
         nextpart ns5/named.run > /dev/null
         dig_with_opts @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
         retry_quiet 5 count_fetches ns5/named.run $nscount $expected || {

bin/tests/system/rndc/ns6/named.args

@@ -1,3 +1,3 @@
-# teardown of a huge zone with tracing enabled takes way too long 
+# teardown of a huge zone with tracing enabled takes way too long
 # -m none is set so that stop.pl does not timeout
 -D rndc-ns6 -X named.lock -m none -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152

bin/tests/system/rrl/tests.sh

@@ -118,23 +118,23 @@ ck_result() {
     NXDOMAIN=`grep -E "^NXDOMAIN|NXDOMAINTC$" mdig.out-$1		2>/dev/null | wc -l`
     SERVFAIL=`grep -E "^SERVFAIL$" mdig.out-$1			2>/dev/null | wc -l`
     NOERROR=`grep -E "^NOERROR$" mdig.out-$1			2>/dev/null | wc -l`
-    
+
     range $ADDRS "$3" 1 ||
     setret "$ADDRS instead of $3 '$2' responses for $1" &&
     BAD=yes
-    
+
     range $TC "$4" 1 ||
     setret "$TC instead of $4 truncation responses for $1" &&
     BAD=yes
-    
+
     range $DROP "$5" 1 ||
     setret "$DROP instead of $5 dropped responses for $1" &&
     BAD=yes
-    
+
     range $NXDOMAIN "$6" 1 ||
     setret "$NXDOMAIN instead of $6 NXDOMAIN responses for $1" &&
     BAD=yes
-    
+
     range $SERVFAIL "$7" 1 ||
     setret "$SERVFAIL instead of $7 error responses for $1" &&
     BAD=yes
@@ -142,7 +142,7 @@ ck_result() {
     range $NOERROR "$8" 1 ||
     setret "$NOERROR instead of $8 NOERROR responses for $1" &&
     BAD=yes
-    
+
     if test -z "$BAD"; then
 	rm -f mdig.out-$1
     fi
@@ -157,7 +157,7 @@ ckstats () {
         sed -n -e "s/[	 ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" |
         tail -1`
     C=`expr 0$C + 0`
-    
+
     range "$C" $EXPECTED 1 ||
     setret "wrong $LABEL $TYPE statistics of $C instead of $EXPECTED"
 }

bin/tests/system/rsabigexponent/ns1/root.db.in

@@ -15,7 +15,7 @@ $TTL	300
 			3600		; refresh
 			1200		; retry
 			604800		; expire
-			60		; minimum			
+			60		; minimum
 			)
 @		NS	a.root-servers.nil.
 a.root-servers.nil.	A	10.53.0.1

bin/tests/system/runtime/setup.sh

@@ -13,7 +13,7 @@
 
 . ../conf.sh
 
-$SHELL clean.sh 
+$SHELL clean.sh
 
 copy_setports ns2/named1.conf.in ns2/named.conf
 

bin/tests/system/staticstub/ns3/sign.sh

@@ -1,4 +1,4 @@
-#!/bin/sh 
+#!/bin/sh
 
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #

bin/tests/system/stop.pl

@@ -195,7 +195,7 @@ sub stop_rndc {
 
 sub server_died {
 	my ( $server, $signal ) = @_;
-	
+
 	print "I:$test:$server died before a SIG$signal was sent\n";
 	$errors = 1;
 

bin/tests/system/stress/setup.pl

@@ -43,11 +43,11 @@ for ($z = 0; $z < $n_zones; $z++) {
 	my $zn = sprintf("zone%06d.example", $z);
 	foreach $ns (qw(2 3 4)) {
 		print $rootdelegations "$zn.		NS	ns$ns.$zn.\n";
-		print $rootdelegations "ns$ns.$zn.	A	10.53.0.$ns\n";		
+		print $rootdelegations "ns$ns.$zn.	A	10.53.0.$ns\n";
 	}
 }
 close $rootdelegations;
-	
+
 sub make_zones {
 	my ($nsno, $secondaried_from) = @_;
 	my $namedconf = new FileHandle("ns$nsno/zones.conf", "w") or die;

bin/tests/system/tsig/tests.sh

@@ -154,7 +154,7 @@ fi
 #
 if $FEATURETEST --md5
 then
-	echo_i "fetching using hmac-md5-80 (BADTRUNC)" 
+	echo_i "fetching using hmac-md5-80 (BADTRUNC)"
 	ret=0
 	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
 	grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
@@ -162,7 +162,7 @@ then
 		echo_i "failed"; status=1
 	fi
 else
-	echo_i "skipping using hmac-md5-80 (BADTRUNC)" 
+	echo_i "skipping using hmac-md5-80 (BADTRUNC)"
 fi
 
 echo_i "fetching using hmac-sha1-80 (BADTRUNC)"

bin/tests/system/tsiggss/ns1/example.nil.db.in

@@ -10,7 +10,7 @@
 ; information regarding copyright ownership.
 
 ; -*- zone -*-
-; this was generated by a Samba4 provision, and is typical 
+; this was generated by a Samba4 provision, and is typical
 ; of a AD DNS zone
 $ORIGIN example.nil.
 $TTL 1W

bin/tests/system/upforwd/ans4/ans.pl

@@ -156,7 +156,7 @@ sub handleUDP {
                                         $tsig->{"request_mac"} =
                                                 unpack("H*", $rmac);
                                 }
-                                
+
 				$packet->sign_tsig($tsig);
 			}
                         last;
@@ -258,10 +258,10 @@ sub handleTCP {
 		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
 		$err and die $err;
 	}
-	
+
 	$packet->header->qr(1);
 	$packet->header->aa(1);
-	
+
 	my @questions = $packet->question;
 	my $qname = $questions[0]->qname;
 	my $qtype = $questions[0]->qtype;
@@ -291,7 +291,7 @@ sub handleTCP {
 			}
 			if(defined($key_name) && defined($key_data)) {
 				# sign the packet
-				print "  Signing the data with " . 
+				print "  Signing the data with " .
                                       "$key_name/$key_data\n";
 
                                 my $tsig = Net::DNS::RR->
@@ -314,7 +314,7 @@ sub handleTCP {
                                         $tsig->{"request_mac"} =
                                                 unpack("H*", $rmac);
                                 }
-                                
+
                                 $tsig->sign_func($signer) if defined($signer);
 				$packet->sign_tsig($tsig);
                                 $signer = \&sign_tcp_continuation;

bin/tests/system/zonechecks/tests.sh

@@ -160,7 +160,7 @@ fi
 
 #
 echo_i "checking 'rdnc zonestatus' output"
-ret=0 
+ret=0
 for i in 0 1 2 3 4 5 6 7 8 9
 do
 	$RNDCCMD 10.53.0.1 zonestatus primary.example > rndc.out.pri 2>&1
@@ -235,7 +235,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 echo_i "checking 'rdnc zonestatus' with duplicated zone name"
-ret=0 
+ret=0
 $RNDCCMD 10.53.0.1 zonestatus duplicate.example > rndc.out.duplicate 2>&1
 checkfor "zone 'duplicate.example' was found in multiple views" rndc.out.duplicate
 $RNDCCMD 10.53.0.1 zonestatus duplicate.example in primary > rndc.out.duplicate 2>&1

contrib/README

@@ -17,7 +17,7 @@ be fixed as time permits.
 
     - scripts/
 
-      Assorted useful scripts, including 'nanny' which monitors 
+      Assorted useful scripts, including 'nanny' which monitors
       named and restarts it in the event of a crash, 'zone-edit'
       which enables editing of a dynamic zone, and others.
 

contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl

@@ -65,10 +65,10 @@ foreach my $zone (@zones) {
         my $ttl = $r->{ttl};
         my $type = $r->{type};
         my $data = $r->{data};
-        
+
         $data =~ s/\%zone\%/$zone/g;
         $data =~ s/\%driver\%/bdbhpt-dynamic/g;
-        
+
         my $row_name  = "$zone $name";
         my $row_value = "$replId $name $ttl $type $data";
         if ($dns_data->db_put($row_name, $row_value) != 0) {
@@ -183,7 +183,7 @@ sub validate_record {
     foreach my $t (@TYPES) {
         $VALID_TYPE->{$t} = 1;
     }
-    
+
     if (!defined $r->{name} || $r->{name} eq '') {
         die "Record name must be set";
     }

contrib/dlz/modules/ldap/testing/slapd.conf

@@ -21,12 +21,12 @@ database      hdb
 
 # This is the root of the LDAP server.  You still need to add
 # an entry to this location via a LDIF file, or you won't be
-# able to add anything else into the LDAP server. 
+# able to add anything else into the LDAP server.
 suffix                "o=bind-dlz"
 
 # this is the "username" you have to use when connecting to the
 # ldap server to make updates.  Type the whole thing exactly
-# as you see it as a parameter to ldapadd. 
+# as you see it as a parameter to ldapadd.
 rootdn                "cn=Manager,o=bind-dlz"
 
 # this is the "password" you have to use when connecting to the

contrib/dlz/modules/mysqldyn/README

@@ -73,7 +73,7 @@ The database for this module uses the following schema:
  - writeable: set to true if the zone can be updated via DDNS
 
 'ZoneData' contains the individual records within the zone:
- - zone_id: the 'id' from the corresponding record in Zones 
+ - zone_id: the 'id' from the corresponding record in Zones
  - name: domain name, relative to the zone apex. (Data at the zone
    apex itself may use a blank name or "@".)
  - type: the RR type, expressed as text

contrib/scripts/zone-edit.sh.in

@@ -72,8 +72,8 @@ then
         then
 	    if ${checkzone} -q -D "$zone" ${dir}/new > ${dir}/nnn
 	    then
-	        sort ${dir}/ooo > ${dir}/s1 
+	        sort ${dir}/ooo > ${dir}/s1
-	        sort ${dir}/nnn > ${dir}/s2 
+	        sort ${dir}/nnn > ${dir}/s2
 	        comm -23 ${dir}/s1 ${dir}/s2 |
 		sed 's/^/update delete /' > ${dir}/ccc
 	        comm -13 ${dir}/s1 ${dir}/s2 |
@@ -111,7 +111,7 @@ then
 		    done
 		else
 		    while :
-		    do 
+		    do
 		        echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc"
 		        read ans
 		        case "$ans" in
@@ -130,7 +130,7 @@ then
 	        fi
 	    else
 		while :
-		do 
+		do
 		    echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc"
 		    read ans
 		    case "$ans" in

doc/arm/dns-ops.inc.rst

@@ -19,7 +19,7 @@ Name Server Operations
 Tools for Use With the Name Server Daemon
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-This section describes several indispensable diagnostic, administrative, 
+This section describes several indispensable diagnostic, administrative,
 and monitoring tools available to the system administrator for
 controlling and debugging the name server daemon.
 

doc/arm/intro-dns-bind.inc.rst

@@ -14,14 +14,14 @@
 The Domain Name System (DNS)
 ----------------------------
 
-This is a brief description of the functionality and organization of the Domain Name System (DNS). 
+This is a brief description of the functionality and organization of the Domain Name System (DNS).
-It is provided to familiarize users with the concepts involved, the (often confusing) terminology 
+It is provided to familiarize users with the concepts involved, the (often confusing) terminology
-used, and how all the parts fit together to form an operational system. 
+used, and how all the parts fit together to form an operational system.
 
-All network systems operate with network addresses, such as IPv4 and IPv6. The vast majority of 
+All network systems operate with network addresses, such as IPv4 and IPv6. The vast majority of
-humans find it easier to work with names rather than seemingly endless strings of network address digits. The earliest ARPANET systems 
+humans find it easier to work with names rather than seemingly endless strings of network address digits. The earliest ARPANET systems
-(from which the Internet evolved) mapped names to addresses using a **hosts** file that was distributed to all entities 
+(from which the Internet evolved) mapped names to addresses using a **hosts** file that was distributed to all entities
-whenever changes occurred. Operationally, such a system became rapidly unsustainable once there were more 
+whenever changes occurred. Operationally, such a system became rapidly unsustainable once there were more
 than 100 networked entities, which led to the specification and implementation of the Domain Name System that we use today.
 
 .. _dns_fundamentals:
@@ -29,16 +29,16 @@ than 100 networked entities, which led to the specification and implementation o
 DNS Fundamentals
 ~~~~~~~~~~~~~~~~
 
-The DNS naming system is organized as a tree structure comprised of multiple levels and 
+The DNS naming system is organized as a tree structure comprised of multiple levels and
-thus it naturally creates a distributed system. Each node 
+thus it naturally creates a distributed system. Each node
-in the tree is given a label which defines its **Domain** (its area or zone) of **Authority**. 
+in the tree is given a label which defines its **Domain** (its area or zone) of **Authority**.
 The topmost node in the tree is the **Root Domain**; it delegates to **Domains** at the next level which are generically
-known as the **Top-Level Domains (TLDs)**. They in turn delegate to **Second-Level Domains (SLDs)**, and so on. 
+known as the **Top-Level Domains (TLDs)**. They in turn delegate to **Second-Level Domains (SLDs)**, and so on.
 The Top-Level Domains (TLDs) include a special group of TLDs called the **Country Code Top-Level Domains (ccTLDs)**,
 in which every country is assigned a unique two-character country code from ISO 3166 as its domain.
 
-.. Note:: The Domain Name System is controlled by ICANN (https://www.icann.org) (a 501c non-profit entity); their current policy 
+.. Note:: The Domain Name System is controlled by ICANN (https://www.icann.org) (a 501c non-profit entity); their current policy
-	is that any new TLD, consisting of three or more characters, may be proposed by any group of commercial sponsors and 
+	is that any new TLD, consisting of three or more characters, may be proposed by any group of commercial sponsors and
 	if it meets ICANN's criteria will be added to the TLDs.
 
 The concept of delegation and authority flows down the DNS tree (the DNS hierarchy) as shown:
@@ -48,7 +48,7 @@ The concept of delegation and authority flows down the DNS tree (the DNS hierarc
 
    Delegation and Authority in the DNS Name Space
 
-A domain is the label of a node in the tree. A **domain name** uniquely identifies any node in the DNS tree and is written, left to right, 
+A domain is the label of a node in the tree. A **domain name** uniquely identifies any node in the DNS tree and is written, left to right,
 by combining all the domain labels (each of which are unique within their parent's zone or domain of authority), with a dot
 separating each component, up to the root domain. In the above diagram the following are all domain names:
 
@@ -60,7 +60,7 @@ separating each component, up to the root domain. In the above diagram the follo
 	us
 	org
 
-The root has a unique label of "." (dot), which is normally omitted when it is written as 
+The root has a unique label of "." (dot), which is normally omitted when it is written as
 a domain name, but when it is written as a **Fully Qualified Domain Name (FQDN)** the dot must be present. Thus:
 
 .. code-block::
@@ -71,11 +71,11 @@ a domain name, but when it is written as a **Fully Qualified Domain Name (FQDN)*
 Authority and Delegation
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
-Each domain (node) has been **delegated** the authority from its parent domain. The delegated authority includes 
+Each domain (node) has been **delegated** the authority from its parent domain. The delegated authority includes
-specific responsibilities to ensure that every domain it delegates has a unique name or label within its zone or domain of authority, and 
+specific responsibilities to ensure that every domain it delegates has a unique name or label within its zone or domain of authority, and
-that it maintains an **authoritative** list of its delegated domains. The responsibilities further include an operational requirement to 
+that it maintains an **authoritative** list of its delegated domains. The responsibilities further include an operational requirement to
-operate two (or more) name servers (which may be contracted to a third party) which will contain the authoritative data 
+operate two (or more) name servers (which may be contracted to a third party) which will contain the authoritative data
-for all the domain labels within its zone of authority in a :ref:`zone file<zone_file>`. Again, the 
+for all the domain labels within its zone of authority in a :ref:`zone file<zone_file>`. Again, the
 tree structure ensures that the DNS name space is naturally distributed.
 
 The following diagram illustrates that **Authoritative Name Servers** exist for every level and every domain in the DNS name space:
@@ -85,8 +85,8 @@ The following diagram illustrates that **Authoritative Name Servers** exist for
 
    Authoritative Name Servers in the DNS Name Space
 
-.. Note:: The difference between a domain and a zone can appear confusing. Practically, the terms are generally used synonymously in the DNS. 
+.. Note:: The difference between a domain and a zone can appear confusing. Practically, the terms are generally used synonymously in the DNS.
-	If, however, you are into directed graphs and tree structure theory or similar exotica, a zone can be considered as 
+	If, however, you are into directed graphs and tree structure theory or similar exotica, a zone can be considered as
 	an arc through any node (or domain) with the domain at its apex. The zone therefore encompasses all the name space below the domain.
 	This can, however, lead to the concept of subzones and these were indeed defined in the original DNS specifications.
 	Thankfully the term subzone has been lost in the mists of time.
@@ -96,35 +96,35 @@ The following diagram illustrates that **Authoritative Name Servers** exist for
 Root Servers
 ~~~~~~~~~~~~
 
-The **root servers** are a critical part of the DNS authoritative infrastructure. There are 13 root servers (*a.root-servers.net* 
+The **root servers** are a critical part of the DNS authoritative infrastructure. There are 13 root servers (*a.root-servers.net*
-to *m.root-servers.net*). The number 13 is historically based on the maximum amount of name and IPv4 data 
+to *m.root-servers.net*). The number 13 is historically based on the maximum amount of name and IPv4 data
 that could be packed into a 512-byte UDP message, and not a perverse affinity for a number that certain
-cultures treat as unlucky. The 512-byte UDP data limit 
+cultures treat as unlucky. The 512-byte UDP data limit
 is no longer a limiting factor and all root servers now support both IPv4 and IPv6. In addition, almost all the
-root servers use **anycast**, with well over 
+root servers use **anycast**, with well over
-300 instances of the root servers now providing service worldwide (see further information at https://www.root-servers.org). 
+300 instances of the root servers now providing service worldwide (see further information at https://www.root-servers.org).
 The root servers are the starting point for all **name resolution** within the DNS.
 
 Name Resolution
 ~~~~~~~~~~~~~~~
 
-So far all the emphasis has been on how the DNS stores its authoritative domain (zone) data. End-user systems 
+So far all the emphasis has been on how the DNS stores its authoritative domain (zone) data. End-user systems
-use names (an email address or a web address) and need to access this authoritative data to obtain an IP address, which 
+use names (an email address or a web address) and need to access this authoritative data to obtain an IP address, which
-they use to contact the required network resources such as web, FTP, or mail servers. The process of converting a 
+they use to contact the required network resources such as web, FTP, or mail servers. The process of converting a
-domain name to a result (typically an IP address, though other types of data may be obtained) is generically called **name resolution**, and is handled by 
+domain name to a result (typically an IP address, though other types of data may be obtained) is generically called **name resolution**, and is handled by
-**resolvers** (also known as **caching name servers** and many other terms). The following diagram shows the typical name resolution process: 
+**resolvers** (also known as **caching name servers** and many other terms). The following diagram shows the typical name resolution process:
 
 .. figure:: name-resolution.png
    :align: center
 
    Authoritative Name Servers and Name Resolution
 
-An end-user application, such as a browser (1), when needing to resolve a name such as **www.example.com**, makes an 
+An end-user application, such as a browser (1), when needing to resolve a name such as **www.example.com**, makes an
-internal system call to a minimal function resolution entity called a **stub resolver** (2). The stub resolver (using stored 
+internal system call to a minimal function resolution entity called a **stub resolver** (2). The stub resolver (using stored
-IP addresses) contacts a resolver (a caching name server or full-service resolver) (3), which in turn contacts all the necessary 
+IP addresses) contacts a resolver (a caching name server or full-service resolver) (3), which in turn contacts all the necessary
 authoritative name servers (4, 5, and 6) to provide the answer that it then returns to the user (2, 1). To improve performance,
-all resolvers (including most stub resolvers) cache (store) their results such that a subsequent request for the same data 
+all resolvers (including most stub resolvers) cache (store) their results such that a subsequent request for the same data
-is taken from the resolver's cache, removing the need to repeat the name resolution process and use time-consuming resources. All communication between 
+is taken from the resolver's cache, removing the need to repeat the name resolution process and use time-consuming resources. All communication between
 the stub resolver, the resolver, and the authoritative name servers uses the DNS protocol's query and response message pair.
 
 .. _referral:
@@ -136,7 +136,7 @@ the stub resolver, the resolver, and the authoritative name servers uses the DNS
 DNS Protocol and Queries
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
-DNS **queries** use the UDP protocol over the reserved port 53 (but both TCP and TLS can optionally be used in some parts of the network). 
+DNS **queries** use the UDP protocol over the reserved port 53 (but both TCP and TLS can optionally be used in some parts of the network).
 
 The following diagram shows the name resolution process expressed in terms of DNS queries and responses.
 
@@ -145,7 +145,7 @@ The following diagram shows the name resolution process expressed in terms of DN
 
    Resolvers and Queries
 
-The stub resolver sends a **recursive query** message (with the required domain name in the QUESTION section of the query) (2) to the resolver. 
+The stub resolver sends a **recursive query** message (with the required domain name in the QUESTION section of the query) (2) to the resolver.
 A **recursive** query simply requests the resolver to find the complete answer. A stub resolver only ever sends recursive queries
 and always needs the service of a resolver. The response to a recursive query can be:
 
@@ -153,8 +153,8 @@ and always needs the service of a resolver. The response to a recursive query ca
 
 2. An error (such as NXDOMAIN - the name does not exist).
 
-The resolver, on receipt of the user's recursive query, either responds immediately, if the ANSWER is in its cache, or accesses 
+The resolver, on receipt of the user's recursive query, either responds immediately, if the ANSWER is in its cache, or accesses
-the DNS hierarchy to obtain the answer. The resolver always starts with root servers and sends an **iterative query** (4, 5, and 6). The 
+the DNS hierarchy to obtain the answer. The resolver always starts with root servers and sends an **iterative query** (4, 5, and 6). The
 response to an iterative query can be:
 
 1. The answer to the resolver's QUESTION in the ANSWER section of the query response.
@@ -164,19 +164,19 @@ and typically IP addresses in the ADDITIONAL section of the response).
 
 3. An error (such as NXDOMAIN - the name does not exist).
 
-If the response is either an answer or an error, these are returned immediately to the user (and cached for future use). If the response 
+If the response is either an answer or an error, these are returned immediately to the user (and cached for future use). If the response
 is a referral, the resolver needs to take additional action to respond to the user's recursive query.
 
-A referral, in essence, indicates that the queried server does not know the answer (the ANSWER section of the response is empty), but it 
+A referral, in essence, indicates that the queried server does not know the answer (the ANSWER section of the response is empty), but it
-refers the resolver to the authoritative name servers (in the AUTHORITY section of the response) which it knows about in the 
+refers the resolver to the authoritative name servers (in the AUTHORITY section of the response) which it knows about in the
-domain name supplied in the QUESTION section of the query. Thus, if the QUESTION is for the domain name **www.example.com**, the root 
+domain name supplied in the QUESTION section of the query. Thus, if the QUESTION is for the domain name **www.example.com**, the root
-server to which the iterative query was sent adds a list of the **.com authoritative name servers** in the AUTHORITY section. 
+server to which the iterative query was sent adds a list of the **.com authoritative name servers** in the AUTHORITY section.
-The resolver selects one of the servers from the AUTHORITY section and sends an 
+The resolver selects one of the servers from the AUTHORITY section and sends an
-iterative query to it. Similarly, the .com authoritative name servers send a referral containing a list of the **example.com** authoritative name servers.  
+iterative query to it. Similarly, the .com authoritative name servers send a referral containing a list of the **example.com** authoritative name servers.
-This process continues down the DNS hierarchy until either an ANSWER or an error is received, at which point the user's original recursive query 
+This process continues down the DNS hierarchy until either an ANSWER or an error is received, at which point the user's original recursive query
 is sent a response.
 
-.. Note:: The DNS hierarchy is always accessed starting at the root servers and working down; there is no concept of "up" in the DNS hierarchy. Clearly, 
+.. Note:: The DNS hierarchy is always accessed starting at the root servers and working down; there is no concept of "up" in the DNS hierarchy. Clearly,
 	if the resolver has already cached the list of .com authoritative name servers and the user's recursive query QUESTION contains a domain name
 	ending in .com, it can omit access to the root servers. However, that is simply an artifact (in this case a performance benefit) of
 	caching and does not change the concept of top-down access within the DNS hierarchy.
@@ -188,10 +188,10 @@ DNS and BIND 9
 
 BIND 9 is a complete implementation of the DNS protocol. BIND 9 can be configured (using its ``named.conf`` file) as
 an authoritative name server, a resolver, and, on supported hosts, a stub resolver. While large operators
-usually dedicate DNS servers to a single function per system, smaller operators will find that 
+usually dedicate DNS servers to a single function per system, smaller operators will find that
 BIND 9's flexible configuration features support multiple functions, such as a single DNS server acting
 as both an authoritative name server and a resolver.
 
 Example configurations of basic :ref:`authoritative name servers<config_auth_samples>` and
-:ref:`resolvers and forwarding resolvers<config_resolver_samples>`, as 
+:ref:`resolvers and forwarding resolvers<config_resolver_samples>`, as
 well as :ref:`advanced configurations<Advanced>` and :ref:`secure configurations<Security>`, are provided.

doc/arm/intro-security.inc.rst

@@ -14,20 +14,20 @@
 DNS Security Overview
 ---------------------
 
-DNS is a communications protocol. All communications protocols are potentially 
+DNS is a communications protocol. All communications protocols are potentially
 vulnerable to both subversion and eavesdropping. It is important for
-users to audit their exposure to the various threats within their operational environment and implement the 
+users to audit their exposure to the various threats within their operational environment and implement the
-appropriate solutions. BIND 9, a specific implementation of the DNS protocol, 
+appropriate solutions. BIND 9, a specific implementation of the DNS protocol,
-provides an extensive set of security features. The purpose of this section 
+provides an extensive set of security features. The purpose of this section
-is to help users to select from the range of available security features those 
+is to help users to select from the range of available security features those
 required for their specific user environment.
 
-A generic DNS network is shown below, followed by text descriptions. In general, 
+A generic DNS network is shown below, followed by text descriptions. In general,
-the further one goes from the left-hand side of the diagram, the more complex 
+the further one goes from the left-hand side of the diagram, the more complex
 the implementation.
 
-.. Note:: Historically, DNS data was regarded as public and security was 
+.. Note:: Historically, DNS data was regarded as public and security was
-	concerned, primarily, with ensuring the integrity of DNS data. DNS data privacy 
+	concerned, primarily, with ensuring the integrity of DNS data. DNS data privacy
 	is increasingly regarded as an important dimension of overall security, specifically :ref:`DNS over TLS<dns_over_tls>`.
 
 .. figure:: dns-security-overview.png
@@ -37,40 +37,40 @@ the implementation.
 
 The following notes refer to the numbered elements in the above diagram.
 
-1. A variety of system administration techniques and methods may be used to secure 
+1. A variety of system administration techniques and methods may be used to secure
-BIND 9's local environment, including :ref:`file permissions <file_permissions>`, running 
+BIND 9's local environment, including :ref:`file permissions <file_permissions>`, running
 BIND 9 in a :ref:`jail <chroot_and_setuid>`, and the use of :ref:`Access_Control_Lists`.
 
 2. The remote name daemon control (:ref:`rndc<ops_rndc>`) program allows the system
-administrator to control the operation of a name server. The majority of BIND 9 packages 
+administrator to control the operation of a name server. The majority of BIND 9 packages
-or ports come preconfigured with local (loopback address) security preconfigured. 
+or ports come preconfigured with local (loopback address) security preconfigured.
 If ``rndc`` is being invoked from a remote host, further configuration is required.
-The ``nsupdate`` tool uses **Dynamic DNS (DDNS)** features and allows users to dynamically 
+The ``nsupdate`` tool uses **Dynamic DNS (DDNS)** features and allows users to dynamically
-change the contents of the zone file(s). ``nsupdate`` access and security may be controlled 
+change the contents of the zone file(s). ``nsupdate`` access and security may be controlled
 using ``named.conf`` :ref:`statements or using TSIG or SIG(0) cryptographic methods <dynamic_update_security>`.
-Clearly, if the remote hosts used for either ``rndc`` or DDNS lie within a network entirely 
+Clearly, if the remote hosts used for either ``rndc`` or DDNS lie within a network entirely
 under the user's control, the security threat may be regarded as non-existent. Any implementation requirements,
 therefore, depend on the site's security policy.
 
-3. Zone transfer from a **primary** to one or more **secondary** authoritative name servers across a 
+3. Zone transfer from a **primary** to one or more **secondary** authoritative name servers across a
-public network carries risk. The zone transfer may be secured using 
+public network carries risk. The zone transfer may be secured using
 ``named.conf`` :ref:`statements, TSIG cryptographic methods or TLS<sec_file_transfer>`.
-Clearly, if the secondary authoritative name server(s) all lie within a network entirely 
+Clearly, if the secondary authoritative name server(s) all lie within a network entirely
-under the user's control, the security threat may be regarded as non-existent. Any implementation requirements 
+under the user's control, the security threat may be regarded as non-existent. Any implementation requirements
 again depend on the site's security policy.
 
-4. If the operator of an authoritative name server (primary or secondary) wishes to ensure that 
+4. If the operator of an authoritative name server (primary or secondary) wishes to ensure that
-DNS responses to user-initiated queries about the zone(s) for which they are responsible can only 
+DNS responses to user-initiated queries about the zone(s) for which they are responsible can only
-have come from their server, that the data received by the user is the same as that sent, and that 
+have come from their server, that the data received by the user is the same as that sent, and that
-non-existent names are genuine, then :ref:`DNSSEC` is the only solution. DNSSEC requires configuration 
+non-existent names are genuine, then :ref:`DNSSEC` is the only solution. DNSSEC requires configuration
-and operational changes both to the authoritative name servers and to any resolver which accesses 
+and operational changes both to the authoritative name servers and to any resolver which accesses
 those servers.
 
-5. The typical Internet-connected end-user device (PCs, laptops, and even mobile phones) either has  
+5. The typical Internet-connected end-user device (PCs, laptops, and even mobile phones) either has
-a stub resolver or operates via a DNS proxy. A stub resolver requires the services of an area 
+a stub resolver or operates via a DNS proxy. A stub resolver requires the services of an area
-or full-service resolver to completely answer user queries. Stub resolvers on the majority of PCs and laptops 
+or full-service resolver to completely answer user queries. Stub resolvers on the majority of PCs and laptops
-typically have a caching capability to increase performance. At this time there are no standard stub resolvers or proxy 
+typically have a caching capability to increase performance. At this time there are no standard stub resolvers or proxy
 DNS tools that implement DNSSEC. BIND 9 may be configured to provide such capability on supported Linux or Unix platforms.
-:ref:`DNS over TLS <dns_over_tls>` may be configured to verify the integrity of the data between the stub resolver and 
+:ref:`DNS over TLS <dns_over_tls>` may be configured to verify the integrity of the data between the stub resolver and
-area (or full-service) resolver. However, unless the resolver and the Authoritative Name Server implements DNSSEC, end-to-end integrity (from 
+area (or full-service) resolver. However, unless the resolver and the Authoritative Name Server implements DNSSEC, end-to-end integrity (from
 authoritative name server to stub resolver) cannot be guaranteed.

doc/arm/introduction.inc.rst

@@ -42,7 +42,7 @@ Organization of This Document
 
 :ref:`introduction` introduces the basic DNS and BIND concepts. Some tutorial material on
 :ref:`dns_overview` is presented for those unfamiliar with DNS. A
-:ref:`intro_dns_security` is provided to allow BIND operators to implement 
+:ref:`intro_dns_security` is provided to allow BIND operators to implement
 appropriate security for their operational environment.
 
 :ref:`requirements` describes the hardware and environment requirements for BIND 9
@@ -51,13 +51,13 @@ and lists both the supported and unsupported platforms.
 :ref:`configuration` is intended as a quickstart guide for newer users. Sample files
 are included for :ref:`config_auth_samples` (both :ref:`primary<sample_primary>` and
 :ref:`secondary<sample_secondary>`), as well as a simple :ref:`config_resolver_samples` and
-a :ref:`sample_forwarding`. Some reference material on the :ref:`Zone File<zone_file>` is included. 
+a :ref:`sample_forwarding`. Some reference material on the :ref:`Zone File<zone_file>` is included.
 
 :ref:`ns_operations` covers basic BIND 9 software and DNS operations, including some
 useful tools, Unix signals, and plugins.
 
 :ref:`advanced` builds on the configurations of :ref:`configuration`, adding
-functions and features the system administrator may need. 
+functions and features the system administrator may need.
 
 :ref:`security` covers most aspects of BIND 9 security, including file permissions,
 running BIND 9 in a "jail," and securing file transfers and dynamic updates.
@@ -65,14 +65,14 @@ running BIND 9 in a "jail," and securing file transfers and dynamic updates.
 :ref:`dnssec` describes the theory and practice of cryptographic authentication of DNS
 information. The :ref:`dnssec_guide` is a practical guide to implementing DNSSEC.
 
-:ref:`Reference` gives exhaustive descriptions of all supported blocks, statements, 
+:ref:`Reference` gives exhaustive descriptions of all supported blocks, statements,
 and grammars used in BIND 9's ``named.conf`` configuration file.
 
 :ref:`troubleshooting` provides information on identifying and solving BIND 9 and DNS
 problems. Information about bug-reporting procedures is also provided.
 
-:ref:`build_bind` is a definitive guide for those occasions where the user requires 
+:ref:`build_bind` is a definitive guide for those occasions where the user requires
-special options not provided in the standard Linux or Unix distributions.  
+special options not provided in the standard Linux or Unix distributions.
 
 The **Appendices** contain useful reference information, such as a bibliography and historic
 information related to BIND and the Domain Name System, as well as the current *man*

doc/arm/logging-categories.inc.rst

@@ -35,9 +35,9 @@
 
 ``edns-disabled``
     Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being :rfc:`1034`-compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
-    
+
     Note: the log message can also be due to packet loss. Before reporting servers for non-:rfc:`1034` compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
-    
+
     Note: eventually :iscman:`named` will have to stop treating such timeouts as due to :rfc:`1034` non-compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to :rfc:`1034` non-compliance impacts DNSSEC validation, which requires EDNS for the DNSSEC records to be returned.
 
 ``general``
@@ -57,16 +57,16 @@
 
 ``queries``
     A location where queries should be logged.
-    
+
     At startup, specifying the category ``queries`` also enables query logging unless the :any:`querylog` option has been specified.
-    
+
     The query log entry first reports a client object identifier in @0x<hexadecimal-number> format. Next, it reports the client's IP address and port number, and the query name, class, and type. Next, it reports whether the Recursion Desired flag was set (+ if set, - if not set), whether the query was signed (S), whether EDNS was in use along with the EDNS version number (E(#)), whether TCP was used (T), whether DO (DNSSEC Ok) was set (D), whether CD (Checking Disabled) was set (C), whether a valid DNS Server COOKIE was received (V), and whether a DNS COOKIE option without a valid Server COOKIE was present (K). After this, the destination address the query was sent to is reported. Finally, if any CLIENT-SUBNET option was present in the client query, it is included in square brackets in the format [ECS address/source/scope].
 
     ``client 127.0.0.1#62536 (www.example.com):``
     ``query: www.example.com IN AAAA +SE``
     ``client ::1#62537 (www.example.net):``
     ``query: www.example.net IN AAAA -SE``
-    
+
     The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.
 
 ``query-errors``
@@ -74,7 +74,7 @@
 
 ``rate-limit``
     Start, periodic, and final notices of the rate limiting of a stream of responses that are logged at ``info`` severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice. The final notice is normally delayed until about one minute after rate limiting stops. A lack of memory can hurry the final notice, which is indicated by an initial asterisk (\*). Various internal events are logged at debug level 1 and higher.
-    
+
     Rate limiting of individual requests is logged in the ``query-errors`` category.
 
 ``resolver``

doc/arm/reference.rst

@@ -2576,7 +2576,7 @@ Boolean Options
    ``configure --disable-auto-validation``, in which case the default is
    ``yes``.
 
-   The default root trust anchor is compiled into :iscman:`named` 
+   The default root trust anchor is compiled into :iscman:`named`
    and is current as of the release date. If the root key changes, a
    running BIND server will detect this and roll smoothly to the new
    key, but newly-installed servers will be unable to start validation,

doc/arm/security.inc.rst

@@ -179,7 +179,7 @@ point of view, ``/var/named`` is the root of the filesystem;
 the values of options like :any:`directory` and :any:`pid-file`
 must be adjusted to account for this.
 
-Unlike with earlier versions of BIND, 
+Unlike with earlier versions of BIND,
 :iscman:`named` does *not* typically need to be compiled statically, nor do shared libraries need to be installed under the new
 root. However, depending on the operating system, it may be necessary to set
 up locations such as ``/dev/zero``, ``/dev/random``, ``/dev/log``, and

doc/arm/troubleshooting.inc.rst

@@ -151,7 +151,7 @@ peer user support. In addition, ISC maintains a Knowledgebase of helpful article
 at https://kb.isc.org.
 
 Internet Systems Consortium (ISC) offers annual support agreements
-for BIND 9, ISC DHCP, and Kea DHCP. 
+for BIND 9, ISC DHCP, and Kea DHCP.
 All paid support contracts include advance security notifications; some levels include
 service level agreements (SLAs), premium software features, and increased priority on bug fixes
 and feature requests.

doc/design/cds-child

@@ -29,7 +29,7 @@ information regarding copyright ownership.
 
   Non-matching CDS and CDNSKEY are removed.
 
-* auto-dnssec maintain should cds and/or cdnskey to zone apex iff the 
+* auto-dnssec maintain should cds and/or cdnskey to zone apex iff the
   DNSKEY is published and is signing the DNSKEY RRset.   CDS and CDNSKEY
   records are only removed if there is a deletion date set (implicit on
   matching DNSKEY going inactive / unpublished or explicit).

doc/design/dnssec-policy

@@ -89,7 +89,7 @@ is set for a zone.
    `dnssec-policy` statement will override the existing `max-zone-ttl` value.
 
 1. `sig-signing-nodes`: This specifies the number of nodes to be examined
-   in a quantum when signing a zone with a new DNSKEY.  This presumable is 
+   in a quantum when signing a zone with a new DNSKEY.  This presumable is
    to avoid keeping the database connection open for a long time.  With the
    current database approach this probably needs to stay.
 

doc/design/netmgr.md

@@ -44,7 +44,7 @@ the socket event, but this is still sub-optimal.
 The `isc_nm_t` structure represents the network manager itself.  It
 contains a configurable number (generally the same as the number of CPUs)
 of 'networker' objects, each of which represents a thread for executing
-networking events. 
+networking events.
 
 The manager contains flags to indicate whether it has been paused or
 interlocked, and counters for the number of workers running and the
@@ -56,7 +56,7 @@ and a pool of buffers into which messages will be copied when received.
 ### `isc_nmsocket_t`
 
 `isc_nmsocket_t` is a wrapper around a libuv socket. It is configured
-with 
+with
 
 ### `isc_nmhandle_t`
 

doc/dev/dev.md

@@ -427,7 +427,7 @@ into 'consumed' and 'remaining'.
 
 When parsing a message, the message to be parsed in in the 'used'
 part of the buffer.  As the message is parsed, the 'consumed'
-subregion grows and the 'remaining' subregion shrinks. 
+subregion grows and the 'remaining' subregion shrinks.
 
 When creating a message, data is written into the 'available'
 subregion, which then becomes part of 'used'.
@@ -528,7 +528,7 @@ memory context is freed before all references have been cleaned up.
                 /* Populate other isc_foo members here */
 
                 foo->magic = ISC_FOO_MAGIC;
-                
+
                 *foop = foo;
                 return (ISC_R_SUCCESS);
         }
@@ -813,7 +813,7 @@ The return value may be:
 * `dns_name_commonancestor`: name1 and name2 share some labels
 * `dns_name_equal`: name1 and name2 are the same
 
-Some simpler comparison functions are provided for convenience when 
+Some simpler comparison functions are provided for convenience when
 not all of this information is required:
 
 * `dns_name_compare()`: returns the sort order of two names but
@@ -884,7 +884,7 @@ sets have been defined:
 
 Each of these has a `first()`, `next()` and `current()` function; for
 example, `dns_rdataset_first()`, `dns_rdataset_next()`, and
-`dns_rdataset_current()`. 
+`dns_rdataset_current()`.
 
 The `first()` and `next()` functions move the iterator's cursor and so that
 the data at a new location can be retrieved.  (Most of these can only step
@@ -1033,7 +1033,7 @@ messages up to the current debugging level are written to the channel.
 
 These objects -- the category, module, and channel -- direct hessages
 to desired destinations.  Each category/module pair can be associated
-with a specific channel, and the correct destination will be used 
+with a specific channel, and the correct destination will be used
 when a message is logged by `isc_log_write()`.
 
 In `isc_log_write()`, the logging system first looks up a list that
@@ -1166,7 +1166,7 @@ to control the closing of log files.
 
         void isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level);
         unsigned int isc_log_getdebuglevel(isc_log_t *lctx);
-        
+
 These set and retrieve the current debugging level of the program.
 `isc_log_getdebuglevel()` can be used so that you need not keep track of
 the level yourself in another variable.

doc/dnssec-guide/introduction.rst

@@ -41,7 +41,7 @@ Who May Not Want to Read this Guide?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If you are already operating a DNSSEC-signed zone, you may not learn
-much from the first half of this document, and you may want to start with 
+much from the first half of this document, and you may want to start with
 :ref:`dnssec_advanced_discussions`. If you want to
 learn about details of the protocol extension, such as data fields and flags,
 or the new record types, this document can help you get started but it
@@ -221,7 +221,7 @@ trust one key: the root key.
 The 12-Step DNSSEC Validation Process (Simplified)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The following example shows the 12 steps of the DNSSEC validating process 
+The following example shows the 12 steps of the DNSSEC validating process
 at a very high level, looking up the name ``www.isc.org`` :
 
 .. figure:: ../dnssec-guide/img/dnssec-12-steps.png

doc/dnssec-guide/preface.rst

@@ -35,7 +35,7 @@ some examples of tools to verify that the resolver is properly validating
 answers.
 
 :ref:`dnssec_signing` explains how to set up a basic signed
-authoritative zone, details the relationship between a child and a parent zone, 
+authoritative zone, details the relationship between a child and a parent zone,
 and discusses ongoing maintenance tasks.
 
 :ref:`dnssec_troubleshooting` provides some tips on how to analyze

doc/dnssec-guide/recipes.rst

@@ -229,7 +229,7 @@ generate a successor key (51623):
 
    ./Kexample.com.+008+17694.private
    # dnssec-keygen -S Kexample.com.+008+17694
-   Generating key pair..++++++ ...........++++++ 
+   Generating key pair..++++++ ...........++++++
    Kexample.com.+008+51623
 
 The first command gets us into the key directory
@@ -261,7 +261,7 @@ file:
 ::
 
    # cd /etc/bind/keys/example.com
-   # cat Kexample.com.+008+51623.key 
+   # cat Kexample.com.+008+51623.key
    ; This is a zone-signing key, keyid 11623, for example.com.
    ; Created: 20201130160024 (Mon Dec  1 00:00:24 2020)
    ; Publish: 20201202000000 (Fri Dec  2 08:00:00 2020)
@@ -480,7 +480,7 @@ DS record based on the new key, 23550:
    ./Kexample.com.+007+24848.key
    ./Kexample.com.+007+24848.private
    # dnssec-keygen -S Kexample.com.+007+24848
-   Generating key pair.......................................................................................++ ...................................++ 
+   Generating key pair.......................................................................................++ ...................................++
    Kexample.com.+007+23550
    # dnssec-dsfromkey -a SHA-1 Kexample.com.+007+23550.key
    example.com. IN DS 23550 7 1 54FCF030AA1C79C0088FDEC1BD1C37DAA2E70DFB

doc/dnssec-guide/signing.rst

@@ -440,7 +440,7 @@ key, and we expect to see it returned when we query for it.
                    6saiq99qDBb5b4G4cx13cPjFTrIvUs3NW44SvbbHorHb
                    kXwOzeGAWyPORN+pwEV/LP9+FHAF/JzAJYdqp+o0dw==
                    ) ; KSK; alg = ECDSAP256SHA256 ; key id = 10376
-     
+
 
 .. _signing_verify_signature:
 
@@ -1106,7 +1106,7 @@ record) to the parent zone to complete the chain of trust.
    in this document. We trust you, a responsible DNS
    administrator, to take the necessary precautions to secure your
    system.
-   
+
    For our examples below, we work with the assumption that
    there is an existing insecure zone ``example.com`` that we are
    converting to a secure version. The secure version uses both a KSK

doc/dnssec-guide/troubleshooting.rst

@@ -139,7 +139,7 @@ With :iscman:`delv`, a "resolution failed" message is output instead:
    $ delv @10.53.0.3 www.example.org. A +rtrace
    ;; fetch: www.example.org/A
    ;; resolution failed: SERVFAIL
-   
+
 BIND 9 logging features may be useful when trying to identify
 DNSSEC errors.
 
@@ -545,7 +545,7 @@ NTAs are added using the :iscman:`rndc` command, e.g.:
 
    $ rndc nta example.com
     Negative trust anchor added: example.com/_default, expires 19-Mar-2020 19:57:42.000
-    
+
 
 The list of currently configured NTAs can also be examined using
 :iscman:`rndc`, e.g.:
@@ -554,7 +554,7 @@ The list of currently configured NTAs can also be examined using
 
    $ rndc nta -dump
     example.com/_default: expiry 19-Mar-2020 19:57:42.000
-    
+
 
 The default lifetime of an NTA is one hour, although by default, BIND
 polls the zone every five minutes to see if the zone correctly

util/check-pullups.pl

@@ -26,7 +26,7 @@ sub readfile {
 	my ($fn) = @_;
 	my $fh = new FileHandle($fn, "r")
 	    or die "open: $fn: $!";
-	
+
 	my $changes = { };
 
 	my ($changeid, $category);