Merge pull request #20047 from keszybz/doc-fix

Update dnssec-trust-anchors comment syntax description and put rrs in index

man/directives-template.xml

@@ -132,11 +132,17 @@
   <refsect1>
     <title>Constants</title>
 
-    <para>Various constant used and/or defined by systemd.</para>
+    <para>Various constants used and/or defined by systemd.</para>
 
     <variablelist id='constants' />
   </refsect1>
 
+  <refsect1>
+    <title>DNS resource record types</title>
+
+    <variablelist id='dns' />
+  </refsect1>
+
   <refsect1>
     <title>Miscellaneous options and directives</title>
 

man/dnssec-trust-anchors.d.xml

@@ -43,12 +43,10 @@
   <refsect1>
     <title>Positive Trust Anchors</title>
 
-    <para>Positive trust anchor configuration files contain DNSKEY and
+    <para>Positive trust anchor configuration files contain <constant class='dns'>DNSKEY</constant> and
-    DS resource record definitions to use as base for DNSSEC integrity
+    <constant class='dns'>DS</constant> resource record definitions to use as base for DNSSEC integrity
-    proofs. See <ulink
+    proofs. See <ulink url="https://tools.ietf.org/html/rfc4035#section-4.4">RFC 4035, Section 4.4</ulink>
-    url="https://tools.ietf.org/html/rfc4035#section-4.4">RFC 4035,
+    for more information about DNSSEC trust anchors.</para>
-    Section 4.4</ulink> for more information about DNSSEC trust
-    anchors.</para>
 
     <para>Positive trust anchors are read from files with the suffix
     <filename>.positive</filename> located in
@@ -64,13 +62,12 @@
     <filename>/run/dnssec-trust-anchors.d/</filename> that is either
     empty or a symlink to <filename>/dev/null</filename> ("masked").</para>
 
-    <para>Positive trust anchor files are simple text files resembling
+    <para>Positive trust anchor files are simple text files resembling DNS zone files, as documented in
-    DNS zone files, as documented in <ulink
+    <ulink url="https://tools.ietf.org/html/rfc1035#section-5">RFC 1035, Section 5</ulink>. One <constant
-    url="https://tools.ietf.org/html/rfc1035#section-5">RFC 1035, Section
+    class='dns'>DS</constant> or <constant class='dns'>DNSKEY</constant> resource record may be listed per
-    5</ulink>. One DS or DNSKEY resource record may be listed per
+    line. Empty lines and lines starting with <literal>#</literal> or <literal>;</literal> are ignored, which
-    line. Empty lines and lines starting with a semicolon
+    may be used for commenting. A <consant class='dns'>DS</consant> resource record is specified like in the
-    (<literal>;</literal>) are ignored and considered comments. A DS
+    following example:</para>
-    resource record is specified like in the following example:</para>
 
     <programlisting>. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5</programlisting>
 
@@ -85,24 +82,20 @@
     Section 5</ulink> for details about the precise syntax and meaning
     of these fields.</para>
 
-    <para>Alternatively, DNSKEY resource records may be used to define
+    <para>Alternatively, <constant class='dns'>DNSKEY</constant> resource records may be used to define trust
-    trust anchors, like in the following example:</para>
+    anchors, like in the following example:</para>
 
     <programlisting>. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=</programlisting>
 
-    <para>The first word specifies the domain again, the second word
+    <para>The first word specifies the domain again, the second word must be <literal>IN</literal>, followed
-    must be <literal>IN</literal>, followed by
+    by <literal>DNSKEY</literal>. The subsequent words encode the <constant class='dns'>DNSKEY</constant>
-    <literal>DNSKEY</literal>. The subsequent words encode the DNSKEY
+    flags, protocol and algorithm fields, followed by the key data encoded in Base64. See <ulink
-    flags, protocol and algorithm fields, followed by the key data
+    url="https://tools.ietf.org/html/rfc4034#section-2">RFC 4034, Section 2</ulink> for details about the
-    encoded in Base64. See <ulink
+    precise syntax and meaning of these fields.</para>
-    url="https://tools.ietf.org/html/rfc4034#section-2">RFC 4034,
-    Section 2</ulink> for details about the precise syntax and meaning
-    of these fields.</para>
 
-    <para>If multiple DS or DNSKEY records are defined for the same
+    <para>If multiple <constant class='dns'>DS</constant> or <constant class='dns'>DNSKEY</constant> records
-    domain (possibly even in different trust anchor files), all keys
+    are defined for the same domain (possibly even in different trust anchor files), all keys are used and
-    are used and are considered equivalent as base for DNSSEC
+    are considered equivalent as base for DNSSEC proofs.</para>
-    proofs.</para>
 
     <para>Note that <filename>systemd-resolved</filename> will
     automatically use a built-in trust anchor key for the Internet
@@ -112,17 +105,15 @@
     as soon as at least one trust anchor key for the root domain is
     defined in trust anchor files.</para>
 
-    <para>It is generally recommended to encode trust anchors in DS
+    <para>It is generally recommended to encode trust anchors in <constant class='dns'>DS</constant> resource
-    resource records, rather than DNSKEY resource records.</para>
+    records, rather than <constant class='dns'>DNSKEY</constant> resource records.</para>
 
-    <para>If a trust anchor specified via a DS record is found revoked
+    <para>If a trust anchor specified via a <constant class='dns'>DS</constant> record is found revoked it is
-    it is automatically removed from the trust anchor database for the
+    automatically removed from the trust anchor database for the runtime. See <ulink
-    runtime. See <ulink url="https://tools.ietf.org/html/rfc5011">RFC
+    url="https://tools.ietf.org/html/rfc5011">RFC 5011</ulink> for details about revoked trust anchors. Note
-    5011</ulink> for details about revoked trust anchors. Note that
+    that <filename>systemd-resolved</filename> will not update its trust anchor database from DNS servers
-    <filename>systemd-resolved</filename> will not update its trust
+    automatically. Instead, it is recommended to update the resolver software or update the new trust anchor
-    anchor database from DNS servers automatically. Instead, it is
+    via adding in new trust anchor files.</para>
-    recommended to update the resolver software or update the new
-    trust anchor via adding in new trust anchor files.</para>
 
     <para>The current DNSSEC trust anchor for the Internet's root
     domain is available at the <ulink

man/org.freedesktop.resolve1.xml

@@ -308,12 +308,15 @@ node /org/freedesktop/resolve1 {
       records of many types, it is crucial that clients using this API understand that the RR data originates
       from the network and should be thoroughly validated before use.</para>
 
-      <para><function>ResolveService()</function> may be used to resolve a DNS SRV service record, as well as the
+      <para><function>ResolveService()</function> may be used to resolve a DNS
-      hostnames referenced in it, and possibly an accompanying DNS-SD TXT record containing additional
+      <constant class="dns">SRV</constant> service record, as well as the hostnames referenced in it, and
+      possibly an accompanying DNS-SD <constant class="dns">TXT</constant> record containing additional
       service metadata.  The primary benefit of using this method over <function>ResolveRecord()</function>
-      specifying the SRV type is that it will resolve the SRV and TXT RRs as well as the hostnames referenced
+      specifying the <constant class="dns">SRV</constant> type is that it will resolve the
-      in the SRV in a single operation. As parameters it takes a Linux network interface index, a service
+      <constant class="dns">SRV</constant> and <constant class="dns">TXT</constant> RRs as well as the
-      name, a service type and a service domain. This method may be invoked in three different modes:</para>
+      hostnames referenced in the SRV in a single operation. As parameters it takes a Linux network interface
+      index, a service name, a service type and a service domain. This method may be invoked in three
+      different modes:</para>
 
       <orderedlist>
         <listitem><para>To resolve a DNS-SD service, specify the service name (e.g. <literal>Lennart's
@@ -323,13 +326,13 @@ node /org/freedesktop/resolve1 {
         specifications). However, if necessary, IDNA conversion is applied to the domain parameter.</para>
         </listitem>
 
-        <listitem><para>To resolve a plain SRV record, set the service name parameter to the empty string
+        <listitem><para>To resolve a plain <constant class="dns">SRV</constant> record, set the service name
-        and set the service type and domain properly. (IDNA conversion is applied to the domain, if
+        parameter to the empty string and set the service type and domain properly. (IDNA conversion is
-        necessary.)</para></listitem>
+        applied to the domain, if necessary.)</para></listitem>
 
-        <listitem><para>Alternatively, leave both the service name and type empty and specify the full
+        <listitem><para>Alternatively, leave both the service name and type empty and specify the full domain
-        domain name of the SRV record (i.e. prefixed with the service type) in the domain parameter. (No IDNA
+        name of the <constant class="dns">SRV</constant> record (i.e. prefixed with the service type) in the
-        conversion is applied in this mode.)</para></listitem>
+        domain parameter. (No IDNA conversion is applied in this mode.)</para></listitem>
       </orderedlist>
 
       <para>The <varname>family</varname> parameter of the <function>ResolveService()</function> method encodes
@@ -339,15 +342,16 @@ node /org/freedesktop/resolve1 {
       <varname>flags</varname> parameter takes a couple of flags that may be used to alter the resolver
       operation.</para>
 
-      <para>On completion, <function>ResolveService()</function> returns an array of SRV record structures. Each
+      <para>On completion, <function>ResolveService()</function> returns an array of
-      items consisting of the priority, weight and port fields as well as the hostname to contact, as encoded in the SRV
+      <constant class="dns">SRV</constant> record structures. Each items consisting of the priority, weight and port
+      fields as well as the hostname to contact, as encoded in the <constant class="dns">SRV</constant>
       record. Immediately following is an array of the addresses of this hostname, with each item consisting
       of the interface index, the address family and the address data in a byte array. This address array is
-      followed by the canonicalized hostname. After this array of SRV record structures an array of byte
+      followed by the canonicalized hostname. After this array of <constant class="dns">SRV</constant> record
-      arrays follows that encodes the TXT RR strings, in case DNS-SD look-ups are enabled. The next parameters
+      structures an array of byte arrays follows that encodes the TXT RR strings, in case DNS-SD look-ups are
-      are the canonical service name, type and domain. This may or may not be identical to the parameters
+      enabled. The next parameters are the canonical service name, type and domain. This may or may not be
-      passed in. Finally, a <varname>flags</varname> field is returned that contains information about the
+      identical to the parameters passed in. Finally, a <varname>flags</varname> field is returned that
-      resolver operation performed.</para>
+      contains information about the resolver operation performed.</para>
 
       <para>The <function>ResetStatistics()</function> method resets the various statistics counters that
       <filename>systemd-resolved</filename> maintains to zero. (For details, see the statistics properties below.)</para>
@@ -779,8 +783,8 @@ node /org/freedesktop/resolve1/link/_1 {
       </varlistentry>
 
       <varlistentry><term><constant>org.freedesktop.resolve1.NoSuchService</constant></term>
-      <listitem><para>A service look-up was successful, but the SRV record reported that the service is not
+      <listitem><para>A service look-up was successful, but the <constant class="dns">SRV</constant> record
-      available.</para></listitem></varlistentry>
+      reported that the service is not available.</para></listitem></varlistentry>
 
       <varlistentry><term><constant>org.freedesktop.resolve1.DnssecFailed</constant></term>
       <listitem><para>The acquired response did not pass DNSSEC validation.</para></listitem>

man/resolvectl.xml

@@ -75,21 +75,26 @@
         [[<replaceable>NAME</replaceable>] <replaceable>TYPE</replaceable>]
         <replaceable>DOMAIN</replaceable></term>
 
-        <listitem><para>Resolve <ulink url="https://tools.ietf.org/html/rfc6763">DNS-SD</ulink> and
+        <listitem><para>Resolve <ulink url="https://tools.ietf.org/html/rfc6763">DNS-SD</ulink> and <ulink
-        <ulink url="https://tools.ietf.org/html/rfc2782">SRV</ulink> services, depending on the specified list of parameters.
+        url="https://tools.ietf.org/html/rfc2782">SRV</ulink> services, depending on the specified list of
-        If three parameters are passed the first is assumed to be the DNS-SD service name, the second the SRV service type,
+        parameters.  If three parameters are passed the first is assumed to be the DNS-SD service name, the
-        and the third the domain to search in. In this case a full DNS-SD style SRV and TXT lookup is executed. If only two
+        second the <constant class='dns'>SRV</constant> service type, and the third the domain to search in.
-        parameters are specified, the first is assumed to be the SRV service type, and the second the domain to look in. In
+        In this case a full DNS-SD style <constant class='dns'>SRV</constant> and <constant
-        this case no TXT RR is requested. Finally, if only one parameter is specified, it is assumed to be a domain name,
+        class='dns'>TXT</constant> lookup is executed. If only two parameters are specified, the first is
-        that is already prefixed with an SRV type, and an SRV lookup is done (no TXT).</para></listitem>
+        assumed to be the <constant class='dns'>SRV</constant> service type, and the second the domain to look
+        in. In this case no <constant class='dns'>TXT</constant> resource record is requested. Finally, if
+        only one parameter is specified, it is assumed to be a domain name, that is already prefixed with an
+        <constant class='dns'>SRV</constant> type, and an <constant class='dns'>SRV</constant> lookup is done
+        (no <constant class='dns'>TXT</constant>).</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term><command>openpgp</command> <replaceable>EMAIL@DOMAIN</replaceable>…</term>
 
-        <listitem><para>Query PGP keys stored as <ulink url="https://tools.ietf.org/html/rfc7929">OPENPGPKEY</ulink>
+        <listitem><para>Query PGP keys stored as <constant class='dns'>OPENPGPKEY</constant> resource records,
-        resource records. Specified e-mail addresses are converted to the corresponding DNS domain name, and any
+        ssee <ulink url="https://tools.ietf.org/html/rfc7929">RFC 7929</ulink>. Specified e-mail addresses
-        OPENPGPKEY keys are printed.</para></listitem>
+        are converted to the corresponding DNS domain name, and any <constant class='dns'>OPENPGPKEY</constant>
+        keys are printed.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -97,11 +102,13 @@
         [<replaceable>FAMILY</replaceable>]
         <replaceable>DOMAIN</replaceable>[:<replaceable>PORT</replaceable>]…</term>
 
-        <listitem><para>Query TLS public keys stored as <ulink url="https://tools.ietf.org/html/rfc6698">TLSA</ulink>
+        <listitem><para>Query TLS public keys stored as <constant class='dns'>TLSA</constant> resource
-        resource records. A query will be performed for each of the specified names prefixed with the port and family
+        records, see <ulink url="https://tools.ietf.org/html/rfc6698">RFC 6698</ulink>. A query will be
+        performed for each of the specified names prefixed with the port and family
         (<literal>_<replaceable>port</replaceable>._<replaceable>family</replaceable>.<replaceable>domain</replaceable></literal>).
-        The port number may be specified after a colon (<literal>:</literal>), otherwise <constant>443</constant> will be used
+        The port number may be specified after a colon (<literal>:</literal>), otherwise
-        by default. The family may be specified as the first argument, otherwise <constant>tcp</constant> will be used.</para></listitem>
+        <constant>443</constant> will be used by default. The family may be specified as the first argument,
+        otherwise <constant>tcp</constant> will be used.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -128,8 +135,8 @@
       <varlistentry>
         <term><command>flush-caches</command></term>
 
-        <listitem><para>Flushes all DNS resource record caches the service maintains locally. This is mostly equivalent
+        <listitem><para>Flushes all DNS resource record caches the service maintains locally. This is mostly
-        to sending the <constant>SIGUSR2</constant> to the <command>systemd-resolved</command>
+        equivalent to sending the <constant>SIGUSR2</constant> to the <command>systemd-resolved</command>
         service.</para></listitem>
       </varlistentry>
 
@@ -246,10 +253,11 @@
         <term><option>--class=</option><replaceable>CLASS</replaceable></term>
 
         <listitem><para>When used in conjunction with the <command>query</command> command, specifies the DNS
-        resource record type (e.g. A, AAAA, MX, …) and class (e.g. IN, ANY, …) to look up. If these options
+        resource record type (e.g. <constant class='dns'>A</constant>, <constant class='dns'>AAAA</constant>,
-        are used a DNS resource record set matching the specified class and type is requested. The class
+        <constant class='dns'>MX</constant>, …) and class (e.g. <constant>IN</constant>,
-        defaults to IN if only a type is specified. The special value <literal>help</literal> may be used to
+        <constant>ANY</constant>, …) to look up. If these options are used a DNS resource record set matching
-        list known values.</para>
+        the specified class and type is requested. The class defaults to <constant>IN</constant> if only a
+        type is specified. The special value <literal>help</literal> may be used to list known values.</para>
 
         <para>Without these options <command>resolvectl query</command> provides high-level domain name to
         address and address to domain name resolution. With these options it provides low-level DNS resource
@@ -264,20 +272,23 @@
         <term><option>--service-address=</option><replaceable>BOOL</replaceable></term>
 
         <listitem><para>Takes a boolean parameter. If true (the default), when doing a service lookup with
-        <option>--service</option> the hostnames contained in the SRV resource records are resolved as well.</para></listitem>
+        <option>--service</option> the hostnames contained in the <constant class='dns'>SRV</constant>
+        resource records are resolved as well.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term><option>--service-txt=</option><replaceable>BOOL</replaceable></term>
 
-        <listitem><para>Takes a boolean parameter. If true (the default), when doing a DNS-SD service lookup with
+        <listitem><para>Takes a boolean parameter. If true (the default), when doing a DNS-SD service lookup
-        <option>--service</option> the TXT service metadata record is resolved as well.</para></listitem>
+        with <option>--service</option> the <constant class='dns'>TXT</constant> service metadata record is
+        resolved as well.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term><option>--cname=</option><replaceable>BOOL</replaceable></term>
 
-        <listitem><para>Takes a boolean parameter. If true (the default), DNS CNAME or DNAME redirections are
+        <listitem><para>Takes a boolean parameter. If true (the default), DNS <constant
+        class='dns'>CNAME</constant> or <constant class='dns'>DNAME</constant> redirections are
         followed. Otherwise, if a CNAME or DNAME record is encountered while resolving, an error is
         returned.</para></listitem>
       </varlistentry>
@@ -465,7 +476,7 @@
     <title>Examples</title>
 
     <example>
-      <title>Retrieve the addresses of the <literal>www.0pointer.net</literal> domain</title>
+      <title>Retrieve the addresses of the <literal>www.0pointer.net</literal> domain (<constant class='dns'>A</constant> and <constant class='dns'>AAAA</constant> resource records)</title>
 
       <programlisting>$ resolvectl query www.0pointer.net
 www.0pointer.net: 2a01:238:43ed:c300:10c3:bcf3:3266:da74
@@ -477,7 +488,8 @@ www.0pointer.net: 2a01:238:43ed:c300:10c3:bcf3:3266:da74
     </example>
 
     <example>
-      <title>Retrieve the domain of the <literal>85.214.157.71</literal> IP address</title>
+      <title>Retrieve the domain of the <literal>85.214.157.71</literal> IP address
+      (<constant class='dns'>PTR</constant> resource record)</title>
 
       <programlisting>$ resolvectl query 85.214.157.71
 85.214.157.71: gardel.0pointer.net
@@ -488,7 +500,8 @@ www.0pointer.net: 2a01:238:43ed:c300:10c3:bcf3:3266:da74
     </example>
 
     <example>
-      <title>Retrieve the MX record of the <literal>yahoo.com</literal> domain</title>
+      <title>Retrieve the <constant class='dns'>MX</constant> record of the <literal>yahoo.com</literal>
+      domain</title>
 
       <programlisting>$ resolvectl --legend=no -t MX query yahoo.com
 yahoo.com. IN MX    1 mta7.am0.yahoodns.net
@@ -498,7 +511,7 @@ yahoo.com. IN MX    1 mta5.am0.yahoodns.net
     </example>
 
     <example>
-      <title>Resolve an SRV service</title>
+      <title>Resolve an <constant class='dns'>SRV</constant> service</title>
 
       <programlisting>$ resolvectl service _xmpp-server._tcp gmail.com
 _xmpp-server._tcp/gmail.com: alt1.xmpp-server.l.google.com:5269 [priority=20, weight=0]
@@ -510,7 +523,7 @@ _xmpp-server._tcp/gmail.com: alt1.xmpp-server.l.google.com:5269 [priority=20, we
     </example>
 
     <example>
-      <title>Retrieve a PGP key</title>
+      <title>Retrieve a PGP key (<constant class='dns'>OPENPGP</constant> resource record)</title>
 
       <programlisting>$ resolvectl openpgp zbyszek@fedoraproject.org
 d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproject.org. IN OPENPGPKEY
@@ -521,8 +534,7 @@ d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproje
     </example>
 
     <example>
-      <title>Retrieve a TLS key (<literal>tcp</literal> and
+      <title>Retrieve a TLS key (<constant class='dns'>TLSA</constant> resource record)</title>
-      <literal>:443</literal> could be skipped)</title>
 
       <programlisting>$ resolvectl tlsa tcp fedoraproject.org:443
 _443._tcp.fedoraproject.org IN TLSA 0 0 1 19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0
@@ -530,6 +542,8 @@ _443._tcp.fedoraproject.org IN TLSA 0 0 1 19400be5b7a31fb733917700789d2f0a2471c0
         -- Selector: Full Certificate
         -- Matching type: SHA-256
 </programlisting>
+
+      <para><literal>tcp</literal> and <literal>:443</literal> are optional and could be skipped.</para>
     </example>
   </refsect1>
 

man/resolved.conf.xml

@@ -334,7 +334,7 @@ DNSStubListenerExtra=udp:[2001:db8:0:f102::13]:9953</programlisting>
       <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-      <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>4</manvolnum></citerefentry>
+      <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
       </para>
   </refsect1>
 

man/systemd.dnssd.xml

@@ -123,13 +123,15 @@
         <varlistentry>
           <term><varname>Priority=</varname></term>
           <listitem>
-            <para>A priority number set in SRV resource records corresponding to the network service.</para>
+            <para>A priority number set in <constant class='dns'>SRV</constant> resource records corresponding
+            to the network service.</para>
           </listitem>
         </varlistentry>
         <varlistentry>
           <term><varname>Weight=</varname></term>
           <listitem>
-            <para>A weight number set in SRV resource records corresponding to the network service.</para>
+            <para>A weight number set in <constant class='dns'>SRV</constant> resource records corresponding
+            to the network service.</para>
           </listitem>
         </varlistentry>
         <varlistentry>

src/resolve/resolved-dns-rr.c

@@ -1613,9 +1613,11 @@ DnsResourceRecord *dns_resource_record_copy(DnsResourceRecord *rr) {
                 copy->nsec.next_domain_name = strdup(rr->nsec.next_domain_name);
                 if (!copy->nsec.next_domain_name)
                         return NULL;
+                if (rr->nsec.types) {
                         copy->nsec.types = bitmap_copy(rr->nsec.types);
                         if (!copy->nsec.types)
                                 return NULL;
+                }
                 break;
 
         case DNS_TYPE_DS:
@@ -1640,9 +1642,11 @@ DnsResourceRecord *dns_resource_record_copy(DnsResourceRecord *rr) {
                 if (!copy->nsec3.next_hashed_name)
                         return NULL;
                 copy->nsec3.next_hashed_name_size = rr->nsec3.next_hashed_name_size;
+                if (rr->nsec3.types) {
                         copy->nsec3.types = bitmap_copy(rr->nsec3.types);
                         if (!copy->nsec3.types)
                                 return NULL;
+                }
                 break;
 
         case DNS_TYPE_TLSA:

tools/make-directive-index.py

@@ -77,13 +77,14 @@ def _extract_directives(directive_groups, formatting, page):
                 storfile[text].append((pagename, section))
                 formatting[text] = name
 
-    storfile = directive_groups['constants']
     for name in t.iterfind('.//constant'):
         if name.attrib.get('index') == 'false':
             continue
         name.tail = ''
         if name.text.startswith('('): # a cast, strip it
             name.text = name.text.partition(' ')[2]
+        klass = name.attrib.get('class') or 'constants'
+        storfile = directive_groups[klass]
         storfile[name.text].append((pagename, section))
         formatting[name.text] = name