From 48ad6477eb2f476bc4e42a0f79358c1d994b0f3d Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Sun, 24 Mar 2019 10:43:57 +0100 Subject: [PATCH 01/14] AXFR over TLS Enable by specifying an auth name, like this: ``` auth-zone: name: nlnetlabs.nl master: 185.49.140.60#ns.nlnetlabs.nl ``` --- services/authzone.c | 21 +++++++++++++--- services/outside_network.c | 49 +++++++++++++++++++++++++++++++++++++- services/outside_network.h | 2 +- 3 files changed, 67 insertions(+), 5 deletions(-) diff --git a/services/authzone.c b/services/authzone.c index a87c2274f..2649867ed 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -5034,6 +5034,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env) struct sockaddr_storage addr; socklen_t addrlen = 0; struct auth_master* master = xfr->task_transfer->master; + char *auth_name = NULL; if(!master) return 0; if(master->allow_notify) return 0; /* only for notify */ @@ -5042,7 +5043,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env) addrlen = xfr->task_transfer->scan_addr->addrlen; memmove(&addr, &xfr->task_transfer->scan_addr->addr, addrlen); } else { - if(!extstrtoaddr(master->host, &addr, &addrlen)) { + if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) { /* the ones that are not in addr format are supposed * to be looked up. The lookup has failed however, * so skip them */ @@ -5091,7 +5092,8 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env) /* connect on fd */ xfr->task_transfer->cp = outnet_comm_point_for_tcp(env->outnet, auth_xfer_transfer_tcp_callback, xfr, &addr, addrlen, - env->scratch_buffer, AUTH_TRANSFER_TIMEOUT); + env->scratch_buffer, AUTH_TRANSFER_TIMEOUT, + auth_name != NULL, auth_name); if(!xfr->task_transfer->cp) { char zname[255+1]; dname_str(xfr->name, zname); 
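Review bot: The new declaration `char *auth_name = NULL;` in the @@ -5034 hunk binds the star to the variable, while the surrounding file binds it to the type (`struct auth_master* master`, `struct auth_xfer* xfr`), so the added line stands out; `char* auth_name = NULL;` matches the file. The same applies to the xfr_probe_send_probe hunk on the next line, including its `(struct sockaddr_in *)&addr` casts. At the outnet_comm_point_for_tcp call in the @@ -5091 hunk the comment above still reads `/* connect on fd */`; expanding it to `/* connect on fd; with an auth name the connection is TLS and the name is used for certificate verification */` records why two extra arguments are now passed. xfr_transfer_init_fetch starts and ends outside the hunk.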
@@ -5809,6 +5811,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, struct timeval t; /* pick master */ struct auth_master* master = xfr_probe_current_master(xfr); + char *auth_name = NULL; if(!master) return 0; if(master->allow_notify) return 0; /* only for notify */ if(master->http) return 0; /* only masters get SOA UDP probe, @@ -5819,7 +5822,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, addrlen = xfr->task_probe->scan_addr->addrlen; memmove(&addr, &xfr->task_probe->scan_addr->addr, addrlen); } else { - if(!extstrtoaddr(master->host, &addr, &addrlen)) { + if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) { /* the ones that are not in addr format are supposed * to be looked up. The lookup has failed however, * so skip them */ @@ -5829,6 +5832,18 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, zname, master->host); return 0; } + if (auth_name != NULL) { + if (addr.ss_family == AF_INET + && ntohs(((struct sockaddr_in *)&addr)->sin_port) + == 853) + ((struct sockaddr_in *)&addr)->sin_port + = htons(53); + else if (addr.ss_family == AF_INET6 + && ntohs(((struct sockaddr_in6 *)&addr)->sin6_port) + == 853) + ((struct sockaddr_in6 *)&addr)->sin6_port + = htons(853); + } } /* create packet */ diff --git a/services/outside_network.c b/services/outside_network.c index 3347c38e7..e687e405e 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -2285,7 +2285,7 @@ struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet, comm_point_callback_type* cb, void* cb_arg, struct sockaddr_storage* to_addr, socklen_t to_addrlen, - sldns_buffer* query, int timeout) + sldns_buffer* query, int timeout, int ssl, char* host) { struct comm_point* cp; int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss); 
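Review bot: The port rewrite added at the end of the @@ -5829 hunk has no comment explaining why a probe address carrying the TLS port is redirected to the plain DNS port, and with two literal ports and duplicated v4/v6 branches the intent is hard to recover; a comment such as `/* the SOA probe is plain UDP: an ip#name master carries the TLS port, so probe the plain DNS port instead */` would help (the literals themselves are replaced by cfg values later in this series). Because the probe stays unencrypted UDP, only the transfer itself gains TLS protection, and that limitation deserves a sentence in the master: documentation. The `if (auth_name != NULL)` spacing also departs from the `if(` convention visible a few lines up in the same function. xfr_probe_send_probe continues outside the hunk.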
@@ -2305,6 +2305,53 @@ outnet_comm_point_for_tcp(struct outside_network* outnet, } cp->repinfo.addrlen = to_addrlen; memcpy(&cp->repinfo.addr, to_addr, to_addrlen); + + /* setup for SSL (if needed) */ + if(ssl) { + cp->ssl = outgoing_ssl_fd(outnet->sslctx, fd); + if(!cp->ssl) { + log_err("cannot setup https"); + comm_point_delete(cp); + return NULL; + } +#ifdef USE_WINSOCK + comm_point_tcp_win_bio_cb(cp, cp->ssl); +#endif + cp->ssl_shake_state = comm_ssl_shake_write; + /* https verification */ +#ifdef HAVE_SSL_SET1_HOST + if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { + /* because we set SSL_VERIFY_PEER, in netevent in + * ssl_handshake, it'll check if the certificate + * verification has succeeded */ + /* SSL_VERIFY_PEER is set on the sslctx */ + /* and the certificates to verify with are loaded into + * it with SSL_load_verify_locations or + * SSL_CTX_set_default_verify_paths */ + /* setting the hostname makes openssl verify the + * host name in the x509 certificate in the + * SSL connection*/ + if(!SSL_set1_host(cp->ssl, host)) { + log_err("SSL_set1_host failed"); + comm_point_delete(cp); + return NULL; + } + } +#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + /* openssl 1.0.2 has this function that can be used for + * set1_host like verification */ + if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { + X509_VERIFY_PARAM* param = SSL_get0_param(cp->ssl); + X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + if(!X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) { + log_err("X509_VERIFY_PARAM_set1_host failed"); + comm_point_delete(cp); + return NULL; + } + } +#endif /* HAVE_SSL_SET1_HOST */ + } + /* set timeout on TCP connection */ comm_point_start_listening(cp, fd, timeout); /* copy scratch buffer to cp->buffer */ diff --git a/services/outside_network.h b/services/outside_network.h index 48ef03edb..79e32bcbf 100644 --- a/services/outside_network.h +++ b/services/outside_network.h 
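Review bot: In the @@ -2305 hunk, host name verification only happens when `SSL_VERIFY_PEER` is set on `outnet->sslctx` and one of `HAVE_SSL_SET1_HOST`/`HAVE_X509_VERIFY_PARAM_SET1_HOST` is defined; otherwise the auth name is silently unused and the transfer is encrypted but not authenticated, with no log line saying so. A comment at the top of the block, `/* NOTE: without SSL_VERIFY_PEER on sslctx (no CA bundle configured) neither the peer certificate nor the name is verified */`, plus a log at that point, would make the downgrade visible to operators. The `X509_VERIFY_PARAM_set1_host(param, host, strlen(host))` branch also dereferences `host` unconditionally, and `SSL_set1_host(cp->ssl, NULL)` clears name checking rather than failing, so the function should reject a TLS request without a name before the setup block, e.g. `if(ssl && !host) { log_err("no host name for TLS verification"); comm_point_delete(cp); return NULL; }`; the setup_comm_ssl helper extracted later in this series inherits the same gap. outnet_comm_point_for_tcp starts and ends outside the hunk.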
@@ -575,7 +575,7 @@ struct comm_point* outnet_comm_point_for_udp(struct outside_network* outnet, struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet, comm_point_callback_type* cb, void* cb_arg, struct sockaddr_storage* to_addr, socklen_t to_addrlen, - struct sldns_buffer* query, int timeout); + struct sldns_buffer* query, int timeout, int ssl, char* host); /** * Create http commpoint suitable for communication to the destination. From 92121f7878c892420c1751f535e649aab0a6eb5c Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 3 Apr 2019 12:41:14 +0200 Subject: [PATCH 02/14] Report XoT failure as XoT failure, not https --- services/outside_network.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/outside_network.c b/services/outside_network.c index e687e405e..53b0e7839 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -2310,7 +2310,7 @@ outnet_comm_point_for_tcp(struct outside_network* outnet, if(ssl) { cp->ssl = outgoing_ssl_fd(outnet->sslctx, fd); if(!cp->ssl) { - log_err("cannot setup https"); + log_err("cannot setup XoT"); comm_point_delete(cp); return NULL; } @@ -2318,7 +2318,7 @@ outnet_comm_point_for_tcp(struct outside_network* outnet, comm_point_tcp_win_bio_cb(cp, cp->ssl); #endif cp->ssl_shake_state = comm_ssl_shake_write; - /* https verification */ + /* XoT verification */ #ifdef HAVE_SSL_SET1_HOST if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { /* because we set SSL_VERIFY_PEER, in netevent in From af11b5407161567c97d6fa1670e9ceb432e4c6de Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 29 Apr 2019 10:25:19 +0200 Subject: [PATCH 03/14] Review changes for the XoT branch With doc, SSL setup function, and function parameter doc. --- doc/unbound.conf.5.in | 1 + services/outside_network.c | 125 +++++++++++++++---------------------- services/outside_network.h | 2 + 3 files changed, 52 insertions(+), 76 deletions(-) 
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 0567c4d34..326e6fcb2 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1675,6 +1675,7 @@ Name of the authority zone. .B master: \fI Where to download a copy of the zone from, with AXFR and IXFR. Multiple masters can be specified. They are all tried if one fails. +With the "ip#name" notation a AXFR over TLS can be used. .TP .B url: \fI Where to download a zonefile for the zone. With http or https. An example diff --git a/services/outside_network.c b/services/outside_network.c index 53b0e7839..a7f6f0d09 100644 --- a/services/outside_network.c +++ b/services/outside_network.c 
@@ -2281,6 +2281,53 @@ outnet_comm_point_for_udp(struct outside_network* outnet, return cp; } +/** setup SSL for comm point */ +static int +setup_comm_ssl(struct comm_point* cp, struct outside_network* outnet, + char* host) +{ + cp->ssl = outgoing_ssl_fd(outnet->sslctx, fd); + if(!cp->ssl) { + log_err("cannot create SSL object"); + return NULL; + } +#ifdef USE_WINSOCK + comm_point_tcp_win_bio_cb(cp, cp->ssl); +#endif + cp->ssl_shake_state = comm_ssl_shake_write; + /* https verification */ +#ifdef HAVE_SSL_SET1_HOST + if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { + /* because we set SSL_VERIFY_PEER, in netevent in + * ssl_handshake, it'll check if the certificate + * verification has succeeded */ + /* SSL_VERIFY_PEER is set on the sslctx */ + /* and the certificates to verify with are loaded into + * it with SSL_load_verify_locations or + * SSL_CTX_set_default_verify_paths */ + /* setting the hostname makes openssl verify the + * host name in the x509 certificate in the + * SSL connection*/ + if(!SSL_set1_host(cp->ssl, host)) { + log_err("SSL_set1_host failed"); + return 0; + } + } +#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + /* openssl 1.0.2 has this function that can be used for + * set1_host like verification */ + if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { + X509_VERIFY_PARAM* param = SSL_get0_param(cp->ssl); + X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + if(!X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) { + log_err("X509_VERIFY_PARAM_set1_host failed"); + return 0; + } + } +#endif /* HAVE_SSL_SET1_HOST */ + return 1; +} + struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet, comm_point_callback_type* cb, void* cb_arg, 
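Review bot: The new setup_comm_ssl helper is documented only as `/** setup SSL for comm point */`; the commit message promises parameter doc, but the parameters, the meaning of the return value and the fact that failures are already logged are not stated. A header in the file's Doxygen style listing cp (its ssl member is set), outnet (its sslctx is used), host (name for certificate verification, must not be NULL) and `@return 0 on failure (error logged), 1 on success` would cover it, with the fd parameter added later in the series joining that list. The block comment `/* https verification */` was renamed to XoT in the tcp caller one commit earlier but reappears here in the shared helper; `/* hostname verification (https or XoT) */` fits both callers. On the SSL_set1_host and X509_VERIFY_PARAM_set1_host failure paths cp->ssl has already been created when the helper returns 0; unless comm_point_delete releases cp->ssl (not visible here), the object leaks, so freeing it and clearing cp->ssl in the helper before returning would be the safe option. The undeclared fd and the `return NULL` from an int function in this hunk are fixed by later commits in the series.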
@@ -2308,48 +2355,11 @@ outnet_comm_point_for_tcp(struct outside_network* outnet, /* setup for SSL (if needed) */ if(ssl) { - cp->ssl = outgoing_ssl_fd(outnet->sslctx, fd); - if(!cp->ssl) { + if(!setup_comm_ssl(cp, outnet, host)) { log_err("cannot setup XoT"); comm_point_delete(cp); return NULL; } -#ifdef USE_WINSOCK - comm_point_tcp_win_bio_cb(cp, cp->ssl); -#endif - cp->ssl_shake_state = comm_ssl_shake_write; - /* XoT verification */ -#ifdef HAVE_SSL_SET1_HOST - if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { - /* because we set SSL_VERIFY_PEER, in netevent in - * ssl_handshake, it'll check if the certificate - * verification has succeeded */ - /* SSL_VERIFY_PEER is set on the sslctx */ - /* and the certificates to verify with are loaded into - * it with SSL_load_verify_locations or - * SSL_CTX_set_default_verify_paths */ - /* setting the hostname makes openssl verify the - * host name in the x509 certificate in the - * SSL connection*/ - if(!SSL_set1_host(cp->ssl, host)) { - log_err("SSL_set1_host failed"); - comm_point_delete(cp); - return NULL; - } - } -#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) - /* openssl 1.0.2 has this function that can be used for - * set1_host like verification */ - if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { - X509_VERIFY_PARAM* param = SSL_get0_param(cp->ssl); - X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); - if(!X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) { - log_err("X509_VERIFY_PARAM_set1_host failed"); - comm_point_delete(cp); - return NULL; - } - } -#endif /* HAVE_SSL_SET1_HOST */ } /* set timeout on TCP connection */ 
@@ -2408,48 +2418,11 @@ outnet_comm_point_for_http(struct outside_network* outnet, /* setup for SSL (if needed) */ if(ssl) { - cp->ssl = outgoing_ssl_fd(outnet->sslctx, fd); - if(!cp->ssl) { + if(!setup_comm_ssl(cp, outnet, host)) { log_err("cannot setup https"); comm_point_delete(cp); return NULL; } -#ifdef USE_WINSOCK - comm_point_tcp_win_bio_cb(cp, cp->ssl); -#endif - cp->ssl_shake_state = comm_ssl_shake_write; - /* https verification */ -#ifdef HAVE_SSL_SET1_HOST - if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { - /* because we set SSL_VERIFY_PEER, in netevent in - * ssl_handshake, it'll check if the certificate - * verification has succeeded */ - /* SSL_VERIFY_PEER is set on the sslctx */ - /* and the certificates to verify with are loaded into - * it with SSL_load_verify_locations or - * SSL_CTX_set_default_verify_paths */ - /* setting the hostname makes openssl verify the - * host name in the x509 certificate in the - * SSL connection*/ - if(!SSL_set1_host(cp->ssl, host)) { - log_err("SSL_set1_host failed"); - comm_point_delete(cp); - return NULL; - } - } -#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) - /* openssl 1.0.2 has this function that can be used for - * set1_host like verification */ - if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { - X509_VERIFY_PARAM* param = SSL_get0_param(cp->ssl); - X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); - if(!X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) { - log_err("X509_VERIFY_PARAM_set1_host failed"); - comm_point_delete(cp); - return NULL; - } - } -#endif /* HAVE_SSL_SET1_HOST */ } /* set timeout on TCP connection */ diff --git a/services/outside_network.h b/services/outside_network.h index 79e32bcbf..3456a3da3 100644 --- a/services/outside_network.h +++ b/services/outside_network.h 
@@ -570,6 +570,8 @@ struct comm_point* outnet_comm_point_for_udp(struct outside_network* outnet, * @param timeout: timeout for the TCP connection. * timeout in milliseconds, or -1 for no (change to the) timeout. * So seconds*1000. + * @param ssl: set to true for TLS. + * @param host: hostname for host name verification of TLS (or NULL if no TLS). * @return tcp_out commpoint, or NULL. */ struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet, From 6ce60bcb61f2dce528bf33c50251d5fe7c3a5777 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 29 Apr 2019 10:40:12 +0200 Subject: [PATCH 04/14] Fixup fd pass. --- services/outside_network.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/outside_network.c b/services/outside_network.c index a7f6f0d09..779656fee 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -2284,7 +2284,7 @@ outnet_comm_point_for_udp(struct outside_network* outnet, /** setup SSL for comm point */ static int setup_comm_ssl(struct comm_point* cp, struct outside_network* outnet, - char* host) + int fd, char* host) { cp->ssl = outgoing_ssl_fd(outnet->sslctx, fd); if(!cp->ssl) { @@ -2355,7 +2355,7 @@ outnet_comm_point_for_tcp(struct outside_network* outnet, /* setup for SSL (if needed) */ if(ssl) { - if(!setup_comm_ssl(cp, outnet, host)) { + if(!setup_comm_ssl(cp, outnet, fd, host)) { log_err("cannot setup XoT"); comm_point_delete(cp); return NULL; @@ -2418,7 +2418,7 @@ outnet_comm_point_for_http(struct outside_network* outnet, /* setup for SSL (if needed) */ if(ssl) { - if(!setup_comm_ssl(cp, outnet, host)) { + if(!setup_comm_ssl(cp, outnet, fd, host)) { log_err("cannot setup https"); comm_point_delete(cp); return NULL; From d9a9f73e82ca1657a7e3c9939e82dc817bb2d7ec Mon Sep 17 00:00:00 2001 
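Review bot: The new `@param host:` line in the @@ -570 hunk says `(or NULL if no TLS)` but not what is required when `ssl` is set; the implementation passes `host` straight to SSL_set1_host (where NULL clears name checking) or to strlen, so the contract should read `@param host: hostname to verify in the TLS certificate; must be non-NULL when ssl is set, ignored otherwise.` It would also help to note on `@param ssl:` that verification only takes place when the outnet sslctx has peer verification enabled, since callers cannot tell that from the prototype. The parameter is only read, so declaring it `const char* host` in the prototype would document that as well.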
From: "W.C.A. Wijngaards" Date: Mon, 29 Apr 2019 10:52:25 +0200 Subject: [PATCH 05/14] Fix test code for call change for XoT. --- testcode/fake_event.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/testcode/fake_event.c b/testcode/fake_event.c index 4fb9bc8ed..713e24759 100644 --- a/testcode/fake_event.c +++ b/testcode/fake_event.c @@ -1629,7 +1629,8 @@ struct comm_point* outnet_comm_point_for_udp(struct outside_network* outnet, struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet, comm_point_callback_type* cb, void* cb_arg, struct sockaddr_storage* to_addr, socklen_t to_addrlen, - struct sldns_buffer* query, int timeout) + struct sldns_buffer* query, int timeout, int ATTR_UNUSED(ssl), + char* ATTR_UNUSED(host)) { struct replay_runtime* runtime = (struct replay_runtime*) outnet->base; From b57a2f15dbd0c840c58453b6f72e07c91bfc6825 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Mon, 29 Apr 2019 11:23:11 +0200 Subject: [PATCH 06/14] Update services/authzone.c Co-Authored-By: wtoorop --- services/authzone.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/authzone.c b/services/authzone.c index cabb00a84..954786a03 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -5964,7 +5964,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, if (auth_name != NULL) { if (addr.ss_family == AF_INET && ntohs(((struct sockaddr_in *)&addr)->sin_port) - == 853) + == env->cfg->ssl_port) ((struct sockaddr_in *)&addr)->sin_port = htons(53); else if (addr.ss_family == AF_INET6 From 193cb2fcc42964bb487095097d4c5d5975bbbdb0 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Mon, 29 Apr 2019 11:23:23 +0200 Subject: [PATCH 07/14] Update services/authzone.c Co-Authored-By: wtoorop --- services/authzone.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/authzone.c b/services/authzone.c index 954786a03..629245e21 100644 --- a/services/authzone.c 
+++ b/services/authzone.c @@ -5966,7 +5966,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, && ntohs(((struct sockaddr_in *)&addr)->sin_port) == env->cfg->ssl_port) ((struct sockaddr_in *)&addr)->sin_port - = htons(53); + = htons(env->port); else if (addr.ss_family == AF_INET6 && ntohs(((struct sockaddr_in6 *)&addr)->sin6_port) == 853) From 5e4cfcc665245b86c481f5aa3b283c5af8bb5b5d Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Mon, 29 Apr 2019 11:24:45 +0200 Subject: [PATCH 08/14] Update services/authzone.c Co-Authored-By: wtoorop --- services/authzone.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/authzone.c b/services/authzone.c index 629245e21..4547ef699 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -5969,7 +5969,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, = htons(env->port); else if (addr.ss_family == AF_INET6 && ntohs(((struct sockaddr_in6 *)&addr)->sin6_port) - == 853) + == env->cfg->ssl_port) ((struct sockaddr_in6 *)&addr)->sin6_port = htons(853); } From a9c8d00d6376de3bb12c5e8c9f40b088eea9b142 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Mon, 29 Apr 2019 11:25:04 +0200 Subject: [PATCH 09/14] Update services/outside_network.c Co-Authored-By: wtoorop --- services/outside_network.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/outside_network.c b/services/outside_network.c index 779656fee..054acef66 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -2324,6 +2324,8 @@ setup_comm_ssl(struct comm_point* cp, struct outside_network* outnet, return 0; } } +#else + (void)host; #endif /* HAVE_SSL_SET1_HOST */ return 1; } From 196654efec85ff00d3e44cf45954f0cf17830bde Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Mon, 29 Apr 2019 11:25:09 +0200 Subject: [PATCH 10/14] Update services/authzone.c Co-Authored-By: wtoorop --- services/authzone.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/authzone.c b/services/authzone.c index 4547ef699..dbfde9b48 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -5971,7 +5971,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, && ntohs(((struct sockaddr_in6 *)&addr)->sin6_port) == env->cfg->ssl_port) ((struct sockaddr_in6 *)&addr)->sin6_port - = htons(853); + = htons(env->port); } } From f5a197f96e336bd1049ce2e8f965c7bafb22a446 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Mon, 29 Apr 2019 11:25:45 +0200 Subject: [PATCH 11/14] Update services/outside_network.c Co-Authored-By: wtoorop --- services/outside_network.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/outside_network.c b/services/outside_network.c index 054acef66..0323f1b30 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -2289,7 +2289,7 @@ setup_comm_ssl(struct comm_point* cp, struct outside_network* outnet, cp->ssl = outgoing_ssl_fd(outnet->sslctx, fd); if(!cp->ssl) { log_err("cannot create SSL object"); - return NULL; + return 0; } #ifdef USE_WINSOCK comm_point_tcp_win_bio_cb(cp, cp->ssl); From 46b5e96c549f44f64d66f9b7743b85ccd8ef5d44 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Mon, 29 Apr 2019 11:41:45 +0200 Subject: [PATCH 12/14] Update services/authzone.c Co-Authored-By: wtoorop --- services/authzone.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/authzone.c b/services/authzone.c index dbfde9b48..3f928296e 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -5971,7 +5971,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, && ntohs(((struct sockaddr_in6 *)&addr)->sin6_port) == env->cfg->ssl_port) ((struct sockaddr_in6 *)&addr)->sin6_port - = htons(env->port); + = htons(env->cfg->port); } } From e60f92ea29d62faac07ed21d41cbbe02ee06a160 Mon Sep 17 00:00:00 2001 
From: Wouter Wijngaards Date: Mon, 29 Apr 2019 11:41:56 +0200 Subject: [PATCH 13/14] Update services/authzone.c Co-Authored-By: wtoorop --- services/authzone.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/authzone.c b/services/authzone.c index 3f928296e..1426f423a 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -5966,7 +5966,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, && ntohs(((struct sockaddr_in *)&addr)->sin_port) == env->cfg->ssl_port) ((struct sockaddr_in *)&addr)->sin_port - = htons(env->port); + = htons(env->cfg->port); else if (addr.ss_family == AF_INET6 && ntohs(((struct sockaddr_in6 *)&addr)->sin6_port) == env->cfg->ssl_port) From ee0087d5c73991e988696ff6ee8a6af25fd31d25 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 1 May 2019 16:41:09 +0200 Subject: [PATCH 14/14] - PR #16: XoT support, AXFR over TLS Turn it on with master: # in unbound.conf. This uses TLS to download the AXFR (or IXFR). --- doc/Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index e85b4c1d2..eb8031aa1 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,9 @@ 1 May 2019: Wouter - Update makedist for git. - Nicer travis output for clang analysis. + - PR #16: XoT support, AXFR over TLS, turn it on with + master: # in unbound.conf. This uses TLS to + download the AXFR (or IXFR). 25 April 2019: Wouter - Fix wrong query name in local zone redirect answers with a CNAME,