Merge branch 'master' into doh

2025-12-20 23:00:56 -05:00 · 2020-09-16 18:38:51 +02:00 · 2020-09-16 18:38:51 +02:00 · 4ae823fbc2
commit 4ae823fbc2
parent 42a35ac26e 4cc559d7eb
207 changed files with 10351 additions and 12992 deletions
--- a/aclocal.m4
+++ b/aclocal.m4
@ -736,7 +736,6 @@ _LT_CONFIG_SAVE_COMMANDS([
    cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
 # Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 # Provide generalized library-building support services.
@ -1048,8 +1047,8 @@ int forced_loaded() { return 2;}
 _LT_EOF
      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
-      echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
+      echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
-      $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
+      $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
      echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
      $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
      cat > conftest.c << _LT_EOF
@ -1499,7 +1498,7 @@ need_locks=$enable_libtool_lock
 m4_defun([_LT_PROG_AR],
 [AC_CHECK_TOOLS(AR, [ar], false)
 : ${AR=ar}
-: ${AR_FLAGS=cru}
+: ${AR_FLAGS=cr}
 _LT_DECL([], [AR], [1], [The archiver])
 _LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
@ -2873,9 +2872,6 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
  # before this can be enabled.
  hardcode_into_libs=yes
  # Add ABI-specific directories to the system library path.
  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
  # Ideally, we could use ldconfig to report *all* directores which are
  # searched for libraries, however this is still not possible.  Aside from not
  # being certain /sbin/ldconfig is available, command
@ -2884,7 +2880,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
  # appending ld.so.conf contents (and includes) to the search path.
  if test -f /etc/ld.so.conf; then
    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
  fi
  # We used to test for /lib/ld.so.1 and disable shared libraries on
@ -2896,6 +2892,18 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
  dynamic_linker='GNU/Linux ld.so'
  ;;
 netbsdelf*-gnu)
  version_type=linux
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
  shlibpath_var=LD_LIBRARY_PATH
  shlibpath_overrides_runpath=no
  hardcode_into_libs=yes
  dynamic_linker='NetBSD ld.elf_so'
  ;;
 netbsd*)
  version_type=sunos
  need_lib_prefix=no
@ -3555,7 +3563,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
  lt_cv_deplibs_check_method=pass_all
  ;;
-netbsd*)
+netbsd* | netbsdelf*-gnu)
  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
  else
@ -4061,7 +4069,8 @@ _LT_EOF
  if AC_TRY_EVAL(ac_compile); then
    # Now try to grab the symbols.
    nlist=conftest.nm
-    if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then
+    $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD
    if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then
      # Try sorting and uniquifying the output.
      if sort "$nlist" | uniq > "$nlist"T; then
 	mv -f "$nlist"T "$nlist"
@ -4433,7 +4442,7 @@ m4_if([$1], [CXX], [
 	    ;;
 	esac
 	;;
-      netbsd*)
+      netbsd* | netbsdelf*-gnu)
 	;;
      *qnx* | *nto*)
        # QNX uses GNU C++, but need to define -shared option too, otherwise
@ -4701,6 +4710,12 @@ m4_if([$1], [CXX], [
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
        ;;
      # flang / f18. f95 an alias for gfortran or flang on Debian
      flang* | f18* | f95*)
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
 	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
        ;;
      # icc used to be incompatible with GCC.
      # ICC 10 doesn't accept -KPIC any more.
      icc* | ifort*)
@ -4945,6 +4960,9 @@ m4_if([$1], [CXX], [
      ;;
    esac
    ;;
  linux* | k*bsd*-gnu | gnu*)
    _LT_TAGVAR(link_all_deplibs, $1)=no
    ;;
  *)
    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
    ;;
@ -5007,6 +5025,9 @@ dnl Note also adjust exclude_expsyms for C++ above.
  openbsd* | bitrig*)
    with_gnu_ld=no
    ;;
  linux* | k*bsd*-gnu | gnu*)
    _LT_TAGVAR(link_all_deplibs, $1)=no
    ;;
  esac
  _LT_TAGVAR(ld_shlibs, $1)=yes
@ -5261,7 +5282,7 @@ _LT_EOF
      fi
      ;;
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
@ -5782,6 +5803,7 @@ _LT_EOF
 	if test yes = "$lt_cv_irix_exported_symbol"; then
          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
 	fi
 	_LT_TAGVAR(link_all_deplibs, $1)=no
      else
 	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@ -5803,7 +5825,7 @@ _LT_EOF
      esac
      ;;
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
      else
@ -6425,7 +6447,7 @@ if test yes != "$_lt_caught_CXX_error"; then
      # Commands to make compiler produce verbose output that lists
      # what "hidden" libraries, object files and flags are used when
      # linking a shared library.
-      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
    else
      GXX=no
@ -6800,7 +6822,7 @@ if test yes != "$_lt_caught_CXX_error"; then
            # explicitly linking system object files so we need to strip them
            # from the output so that they don't get included in the library
            # dependencies.
-            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
            ;;
          *)
            if test yes = "$GXX"; then
@ -6865,7 +6887,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 	    ;;
          *)
 	    if test yes = "$GXX"; then
@ -7204,7 +7226,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	      # Commands to make compiler produce verbose output that lists
 	      # what "hidden" libraries, object files and flags are used when
 	      # linking a shared library.
-	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 	    else
 	      # FIXME: insert proper C++ library support
@ -7288,7 +7310,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 	      else
 	        # g++ 2.7 appears to require '-G' NOT '-shared' on this
 	        # platform.
@ -7299,7 +7321,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 	      fi
 	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir'
@ -9044,9 +9066,9 @@ m4_ifndef([_LT_PROG_F77],		[AC_DEFUN([_LT_PROG_F77])])
 m4_ifndef([_LT_PROG_FC],		[AC_DEFUN([_LT_PROG_FC])])
 m4_ifndef([_LT_PROG_CXX],		[AC_DEFUN([_LT_PROG_CXX])])
-# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
+dnl pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
-# serial 11 (pkg-config-0.29.1)
+dnl serial 11 (pkg-config-0.29.1)
-
+dnl
 dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
 dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
 dnl
@ -9320,74 +9342,6 @@ AS_VAR_COPY([$1], [pkg_cv_][$1])
 AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR
 dnl PKG_WITH_MODULES(VARIABLE-PREFIX, MODULES,
 dnl   [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND],
 dnl   [DESCRIPTION], [DEFAULT])
 dnl ------------------------------------------
 dnl
 dnl Prepare a "--with-" configure option using the lowercase
 dnl [VARIABLE-PREFIX] name, merging the behaviour of AC_ARG_WITH and
 dnl PKG_CHECK_MODULES in a single macro.
 AC_DEFUN([PKG_WITH_MODULES],
 [
 m4_pushdef([with_arg], m4_tolower([$1]))
 m4_pushdef([description],
           [m4_default([$5], [build with ]with_arg[ support])])
 m4_pushdef([def_arg], [m4_default([$6], [auto])])
 m4_pushdef([def_action_if_found], [AS_TR_SH([with_]with_arg)=yes])
 m4_pushdef([def_action_if_not_found], [AS_TR_SH([with_]with_arg)=no])
 m4_case(def_arg,
            [yes],[m4_pushdef([with_without], [--without-]with_arg)],
            [m4_pushdef([with_without],[--with-]with_arg)])
 AC_ARG_WITH(with_arg,
     AS_HELP_STRING(with_without, description[ @<:@default=]def_arg[@:>@]),,
    [AS_TR_SH([with_]with_arg)=def_arg])
 AS_CASE([$AS_TR_SH([with_]with_arg)],
            [yes],[PKG_CHECK_MODULES([$1],[$2],$3,$4)],
            [auto],[PKG_CHECK_MODULES([$1],[$2],
                                        [m4_n([def_action_if_found]) $3],
                                        [m4_n([def_action_if_not_found]) $4])])
 m4_popdef([with_arg])
 m4_popdef([description])
 m4_popdef([def_arg])
 ])dnl PKG_WITH_MODULES
 dnl PKG_HAVE_WITH_MODULES(VARIABLE-PREFIX, MODULES,
 dnl   [DESCRIPTION], [DEFAULT])
 dnl -----------------------------------------------
 dnl
 dnl Convenience macro to trigger AM_CONDITIONAL after PKG_WITH_MODULES
 dnl check._[VARIABLE-PREFIX] is exported as make variable.
 AC_DEFUN([PKG_HAVE_WITH_MODULES],
 [
 PKG_WITH_MODULES([$1],[$2],,,[$3],[$4])
 AM_CONDITIONAL([HAVE_][$1],
               [test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"])
 ])dnl PKG_HAVE_WITH_MODULES
 dnl PKG_HAVE_DEFINE_WITH_MODULES(VARIABLE-PREFIX, MODULES,
 dnl   [DESCRIPTION], [DEFAULT])
 dnl ------------------------------------------------------
 dnl
 dnl Convenience macro to run AM_CONDITIONAL and AC_DEFINE after
 dnl PKG_WITH_MODULES check. HAVE_[VARIABLE-PREFIX] is exported as make
 dnl and preprocessor variable.
 AC_DEFUN([PKG_HAVE_DEFINE_WITH_MODULES],
 [
 PKG_HAVE_WITH_MODULES([$1],[$2],[$3],[$4])
 AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],
        [AC_DEFINE([HAVE_][$1], 1, [Enable ]m4_tolower([$1])[ support])])
 ])dnl PKG_HAVE_DEFINE_WITH_MODULES
 # AM_CONDITIONAL                                            -*- Autoconf -*-
 # Copyright (C) 1997-2018 Free Software Foundation, Inc.
--- a/acx_nlnetlabs.m4
+++ b/acx_nlnetlabs.m4
@ -2,7 +2,8 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 34
+# Version 35
 # 2020-08-24 Use EVP_sha256 instead of HMAC_Update (for openssl-3.0.0).
 # 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
 # 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
 # 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
@ -673,16 +674,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                ACX_RUNTIME_PATH_ADD([$ssldir/lib])
            fi
-            AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
+            AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
            LIBS="$LIBS -lcrypto"
            LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
            AC_TRY_LINK(, [
-                int HMAC_Update(void);
+                int EVP_sha256(void);
-                (void)HMAC_Update();
+                (void)EVP_sha256();
              ], [
                AC_MSG_RESULT(yes)
-                AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                AC_DEFINE([HAVE_EVP_SHA256], 1,
-                          [If you have HMAC_Update])
+                          [If you have EVP_sha256])
              ], [
                AC_MSG_RESULT(no)
                # check if -lwsock32 or -lgdi32 are needed.	
@ -692,11 +693,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 		LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32"
                AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
                AC_TRY_LINK([], [
-                    int HMAC_Update(void);
+                    int EVP_sha256(void);
-                    (void)HMAC_Update();
+                    (void)EVP_sha256();
                  ],[
-                    AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                    AC_DEFINE([HAVE_EVP_SHA256], 1,
-                        [If you have HMAC_Update])
+                        [If you have EVP_sha256])
                    AC_MSG_RESULT(yes) 
                  ],[
                    AC_MSG_RESULT(no)
@ -706,11 +707,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                    LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
                    AC_MSG_CHECKING([if -lcrypto needs -ldl])
                    AC_TRY_LINK([], [
-                        int HMAC_Update(void);
+                        int EVP_sha256(void);
-                        (void)HMAC_Update();
+                        (void)EVP_sha256();
                      ],[
-                        AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                        AC_DEFINE([HAVE_EVP_SHA256], 1,
-                            [If you have HMAC_Update])
+                            [If you have EVP_sha256])
                        AC_MSG_RESULT(yes) 
                      ],[
                        AC_MSG_RESULT(no)
@ -720,11 +721,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                        LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
                        AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
                        AC_TRY_LINK([], [
-                            int HMAC_Update(void);
+                            int EVP_sha256(void);
-                            (void)HMAC_Update();
+                            (void)EVP_sha256();
                          ],[
-                            AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                            AC_DEFINE([HAVE_EVP_SHA256], 1,
-                                [If you have HMAC_Update])
+                                [If you have EVP_sha256])
                            AC_MSG_RESULT(yes) 
                          ],[
                            AC_MSG_RESULT(no)
--- a/config.h.in
+++ b/config.h.in
@ -225,6 +225,9 @@
 /* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
 #undef HAVE_EVP_ENCRYPTINIT_EX
 /* Define to 1 if you have the `EVP_MAC_CTX_set_params' function. */
 #undef HAVE_EVP_MAC_CTX_SET_PARAMS
 /* Define to 1 if you have the `EVP_MD_CTX_new' function. */
 #undef HAVE_EVP_MD_CTX_NEW
@ -273,6 +276,9 @@
 /* Define to 1 if you have the `getentropy' function. */
 #undef HAVE_GETENTROPY
 /* Define to 1 if you have the `getifaddrs' function. */
 #undef HAVE_GETIFADDRS
 /* Define to 1 if you have the <getopt.h> header file. */
 #undef HAVE_GETOPT_H
@ -300,12 +306,12 @@
 /* Define to 1 if you have the `HMAC_Init_ex' function. */
 #undef HAVE_HMAC_INIT_EX
 /* If you have HMAC_Update */
 #undef HAVE_HMAC_UPDATE
 /* If we have htobe64 */
 #undef HAVE_HTOBE64
 /* Define to 1 if you have the <ifaddrs.h> header file. */
 #undef HAVE_IFADDRS_H
 /* Define to 1 if you have the `inet_aton' function. */
 #undef HAVE_INET_ATON
@ -375,6 +381,9 @@
 /* Define to 1 if you have the <nettle/eddsa.h> header file. */
 #undef HAVE_NETTLE_EDDSA_H
 /* Define to 1 if you have the <net/if.h> header file. */
 #undef HAVE_NET_IF_H
 /* Define this to use nghttp2 client. */
 #undef HAVE_NGHTTP2
@ -396,6 +405,9 @@
 /* Define to 1 if you have the <openssl/conf.h> header file. */
 #undef HAVE_OPENSSL_CONF_H
 /* Define to 1 if you have the <openssl/core_names.h> header file. */
 #undef HAVE_OPENSSL_CORE_NAMES_H
 /* Define to 1 if you have the <openssl/dh.h> header file. */
 #undef HAVE_OPENSSL_DH_H
@ -513,8 +525,9 @@
 /* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
 #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL
-/* Define to 1 if you have the `SSL_CTX_set_tlsext_ticket_key_cb' function. */
+/* Define to 1 if you have the `SSL_CTX_set_tlsext_ticket_key_evp_cb'
-#undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_CB
+   function. */
 #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
 /* Define to 1 if you have the `SSL_get0_peername' function. */
 #undef HAVE_SSL_GET0_PEERNAME
@ -582,6 +595,9 @@
 /* Define to 1 if you have the <sys/resource.h> header file. */
 #undef HAVE_SYS_RESOURCE_H
 /* Define to 1 if you have the <sys/select.h> header file. */
 #undef HAVE_SYS_SELECT_H
 /* Define to 1 if you have the <sys/sha2.h> header file. */
 #undef HAVE_SYS_SHA2_H
--- a/118
+++ b/118
@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.10.2.
+# Generated by GNU Autoconf 2.69 for unbound 1.11.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.10.2'
+PACKAGE_VERSION='1.11.1'
-PACKAGE_STRING='unbound 1.10.2'
+PACKAGE_STRING='unbound 1.11.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
@ -1470,7 +1470,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures unbound 1.10.2 to adapt to many kinds of systems.
+\`configure' configures unbound 1.11.1 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1536,7 +1536,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.10.2:";;
+     short | recursive ) echo "Configuration of unbound 1.11.1:";;
   esac
  cat <<\_ACEOF
@ -1764,7 +1764,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-unbound configure 1.10.2
+unbound configure 1.11.1
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@ -2473,7 +2473,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.10.2, which was
+It was created by unbound $as_me 1.11.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@ -2823,13 +2823,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 UNBOUND_VERSION_MAJOR=1
-UNBOUND_VERSION_MINOR=10
+UNBOUND_VERSION_MINOR=11
-UNBOUND_VERSION_MICRO=2
+UNBOUND_VERSION_MICRO=1
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=9
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@ -2905,7 +2905,8 @@ LIBUNBOUND_AGE=1
 # 1.9.6 had 9:6:1
 # 1.10.0 had 9:7:1
 # 1.10.1 had 9:8:1
-# 1.10.2 had 9:9:1
+# 1.11.0 had 9:9:1
 # 1.11.1 had 9:10:1
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@ -8080,7 +8081,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
  lt_cv_deplibs_check_method=pass_all
  ;;
-netbsd*)
+netbsd* | netbsdelf*-gnu)
  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
  else
@ -8442,7 +8443,7 @@ esac
 fi
 : ${AR=ar}
-: ${AR_FLAGS=cru}
+: ${AR_FLAGS=cr}
@ -8985,11 +8986,8 @@ _LT_EOF
  test $ac_status = 0; }; then
    # Now try to grab the symbols.
    nlist=conftest.nm
-    if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5
+    $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&5
-  (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5
+    if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&5 && test -s "$nlist"; then
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; } && test -s "$nlist"; then
      # Try sorting and uniquifying the output.
      if sort "$nlist" | uniq > "$nlist"T; then
 	mv -f "$nlist"T "$nlist"
@ -10208,8 +10206,8 @@ int forced_loaded() { return 2;}
 _LT_EOF
      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5
      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5
-      echo "$AR cru libconftest.a conftest.o" >&5
+      echo "$AR cr libconftest.a conftest.o" >&5
-      $AR cru libconftest.a conftest.o 2>&5
+      $AR cr libconftest.a conftest.o 2>&5
      echo "$RANLIB libconftest.a" >&5
      $RANLIB libconftest.a 2>&5
      cat > conftest.c << _LT_EOF
@ -11069,6 +11067,12 @@ lt_prog_compiler_static=
 	lt_prog_compiler_pic='-KPIC'
 	lt_prog_compiler_static='-static'
        ;;
      # flang / f18. f95 an alias for gfortran or flang on Debian
      flang* | f18* | f95*)
 	lt_prog_compiler_wl='-Wl,'
 	lt_prog_compiler_pic='-fPIC'
 	lt_prog_compiler_static='-static'
        ;;
      # icc used to be incompatible with GCC.
      # ICC 10 doesn't accept -KPIC any more.
      icc* | ifort*)
@ -11545,6 +11549,9 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
  openbsd* | bitrig*)
    with_gnu_ld=no
    ;;
  linux* | k*bsd*-gnu | gnu*)
    link_all_deplibs=no
    ;;
  esac
  ld_shlibs=yes
@ -11799,7 +11806,7 @@ _LT_EOF
      fi
      ;;
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
@ -12469,6 +12476,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
 	if test yes = "$lt_cv_irix_exported_symbol"; then
          archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
 	fi
 	link_all_deplibs=no
      else
 	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
 	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@ -12490,7 +12498,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
      esac
      ;;
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
      else
@ -13585,9 +13593,6 @@ fi
  # before this can be enabled.
  hardcode_into_libs=yes
  # Add ABI-specific directories to the system library path.
  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
  # Ideally, we could use ldconfig to report *all* directores which are
  # searched for libraries, however this is still not possible.  Aside from not
  # being certain /sbin/ldconfig is available, command
@ -13596,7 +13601,7 @@ fi
  # appending ld.so.conf contents (and includes) to the search path.
  if test -f /etc/ld.so.conf; then
    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
  fi
  # We used to test for /lib/ld.so.1 and disable shared libraries on
@ -13608,6 +13613,18 @@ fi
  dynamic_linker='GNU/Linux ld.so'
  ;;
 netbsdelf*-gnu)
  version_type=linux
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
  shlibpath_var=LD_LIBRARY_PATH
  shlibpath_overrides_runpath=no
  hardcode_into_libs=yes
  dynamic_linker='NetBSD ld.elf_so'
  ;;
 netbsd*)
  version_type=sunos
  need_lib_prefix=no
@ -14739,7 +14756,7 @@ $as_echo "no" >&6; }
 fi
 # Checks for header files.
-for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h
+for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h
 do :
  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@ -17956,8 +17973,8 @@ $as_echo "found in $ssldir" >&6; }
            fi
-            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_Update in -lcrypto" >&5
+            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5
-$as_echo_n "checking for HMAC_Update in -lcrypto... " >&6; }
+$as_echo_n "checking for EVP_sha256 in -lcrypto... " >&6; }
            LIBS="$LIBS -lcrypto"
            LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
            cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@ -17967,8 +17984,8 @@ int
 main ()
 {
-                int HMAC_Update(void);
+                int EVP_sha256(void);
-                (void)HMAC_Update();
+                (void)EVP_sha256();
  ;
  return 0;
@ -17979,7 +17996,7 @@ if ac_fn_c_try_link "$LINENO"; then :
                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
 else
@ -18000,8 +18017,8 @@ int
 main ()
 {
-                    int HMAC_Update(void);
+                    int EVP_sha256(void);
-                    (void)HMAC_Update();
+                    (void)EVP_sha256();
  ;
  return 0;
@ -18010,7 +18027,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
                    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@ -18032,8 +18049,8 @@ int
 main ()
 {
-                        int HMAC_Update(void);
+                        int EVP_sha256(void);
-                        (void)HMAC_Update();
+                        (void)EVP_sha256();
  ;
  return 0;
@ -18042,7 +18059,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@ -18064,8 +18081,8 @@ int
 main ()
 {
-                            int HMAC_Update(void);
+                            int EVP_sha256(void);
-                            (void)HMAC_Update();
+                            (void)EVP_sha256();
  ;
  return 0;
@ -18074,7 +18091,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
                            { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@ -18259,11 +18276,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char HMAC_Update ();
+char EVP_sha256 ();
 int
 main ()
 {
-return HMAC_Update ();
+return EVP_sha256 ();
  ;
  return 0;
 }
@ -18340,7 +18357,7 @@ else
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
-for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h
+for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h
 do :
  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@ -18354,7 +18371,7 @@ fi
 done
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -18370,7 +18387,7 @@ done
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_alpn_select_cb
+for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -20301,7 +20318,7 @@ if test "$ac_res" != no; then :
 fi
-for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4
+for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -21697,7 +21714,7 @@ _ACEOF
-version=1.10.2
+version=1.11.1
 date=`date +'%b %e, %Y'`
@ -22216,7 +22233,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.10.2, which was
+This file was extended by unbound $as_me 1.11.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@ -22282,7 +22299,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.10.2
+unbound config.status 1.11.1
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
@ -23275,7 +23292,6 @@ $as_echo "$as_me: executing $ac_file commands" >&6;}
    cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
 # Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 # Provide generalized library-building support services.
--- a/configure.ac
+++ b/configure.ac
@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[10])
+m4_define([VERSION_MINOR],[11])
-m4_define([VERSION_MICRO],[2])
+m4_define([VERSION_MICRO],[1])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=9
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@ -94,7 +94,8 @@ LIBUNBOUND_AGE=1
 # 1.9.6 had 9:6:1
 # 1.10.0 had 9:7:1
 # 1.10.1 had 9:8:1
-# 1.10.2 had 9:9:1
+# 1.11.0 had 9:9:1
 # 1.11.1 had 9:10:1
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@ -398,7 +399,7 @@ ACX_LIBTOOL_C_ONLY
 PKG_PROG_PKG_CONFIG
 # Checks for header files.
-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h],,, [AC_INCLUDES_DEFAULT])
 # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
 AC_CHECK_HEADERS([TargetConditionals.h])
@ -831,7 +832,7 @@ AC_SUBST(PC_CRYPTO_DEPENDENCY)
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
 AC_MSG_CHECKING([if libssl needs -lcrypt32])
-AC_TRY_LINK_FUNC([HMAC_Update], [
+AC_TRY_LINK_FUNC([EVP_sha256], [
 	AC_MSG_RESULT([no])
 	LIBS="$BAKLIBS"
 ], [
@ -850,13 +851,13 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
 else
 	AC_MSG_RESULT([no])
 fi
-AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params])
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_alpn_select_cb])
+AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb])
 LIBS="$BAKLIBS"
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
@ -1584,7 +1585,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
  AC_MSG_RESULT(no))
 AC_SEARCH_LIBS([setusercontext], [util])
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs])
 AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
 AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
--- a/contrib/aaaa-filter-iterator.patch
+++ b/contrib/aaaa-filter-iterator.patch
@ -1,10 +1,10 @@
-Index: trunk/doc/unbound.conf.5.in
+diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
-===================================================================
+index f426ac5f..147fbfa9 100644
--- trunk/doc/unbound.conf.5.in	(revision 4357)
+--- a/doc/unbound.conf.5.in
-+++ trunk/doc/unbound.conf.5.in	(working copy)
+++ b/doc/unbound.conf.5.in
-@@ -701,6 +701,13 @@
+@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
 this option in enabled. Only use if you know what you are doing.
- This option only has effect when qname-minimisation is enabled. Default is off.
+ This option only has effect when qname-minimisation is enabled. Default is no.
 .TP
 +.B aaaa\-filter: \fI<yes or no>
 +Activate behavior similar to BIND's AAAA-filter.
@ -16,14 +16,15 @@ Index: trunk/doc/unbound.conf.5.in
 .B aggressive\-nsec: \fI<yes or no>
 Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
 and other denials, using information from previous NXDOMAINs answers.
-Index: trunk/iterator/iter_scrub.c
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
-===================================================================
+index aae934dd..55c55de0 100644
--- trunk/iterator/iter_scrub.c	(revision 4357)
+--- a/iterator/iter_scrub.c
-+++ trunk/iterator/iter_scrub.c	(working copy)
+++ b/iterator/iter_scrub.c
-@@ -617,6 +617,32 @@
+@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset,
 	return 0;
 }
- /**
+/**
 + * ASN: Lookup A records from rrset cache.
 + * @param qinfo: the question originally asked.
 + * @param env: module environment with config and cache.
@ -49,11 +50,10 @@ Index: trunk/iterator/iter_scrub.c
 +	return 0;
 +}
 +
-+/**
+ /**
  * Given a response event, remove suspect RRsets from the response.
  * "Suspect" rrsets are potentially poison. Note that this routine expects
-  * the response to be in a "normalized" state -- that is, all "irrelevant"
+@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
@@ -635,6 +661,7 @@
 	struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
 	struct iter_env* ie)
 {
@ -61,7 +61,7 @@ Index: trunk/iterator/iter_scrub.c
 	int del_addi = 0; /* if additional-holding rrsets are deleted, we
 		do not trust the normalized additional-A-AAAA any more */
 	struct rrset_parse* rrset, *prev;
-@@ -670,6 +697,13 @@
+@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
 		rrset = rrset->rrset_all_next;
 	}
@ -75,11 +75,10 @@ Index: trunk/iterator/iter_scrub.c
 	/* At this point, we brutally remove ALL rrsets that aren't 
 	 * children of the originating zone. The idea here is that, 
 	 * as far as we know, the server that we contacted is ONLY 
-@@ -680,6 +714,24 @@
+@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
 	prev = NULL;
 	rrset = msg->rrset_first;
 	while(rrset) {
-+
+ 
 +		/* ASN: For AAAA records only... */
 +		if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) {
 +			/* ASN: If this is not a AAAA query, then remove AAAA
@ -97,14 +96,15 @@ Index: trunk/iterator/iter_scrub.c
 +				LDNS_RR_TYPE_AAAA, qinfo->qclass);
 +		}
 +		/* ASN: End of added code */
- 
+
 		/* remove private addresses */
 		if( (rrset->type == LDNS_RR_TYPE_A || 
-Index: trunk/iterator/iter_utils.c
+ 			rrset->type == LDNS_RR_TYPE_AAAA)) {
-===================================================================
+diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
--- trunk/iterator/iter_utils.c	(revision 4357)
+index 7bc67da6..e10f547a 100644
-+++ trunk/iterator/iter_utils.c	(working copy)
+--- a/iterator/iter_utils.c
-@@ -175,6 +175,7 @@
+++ b/iterator/iter_utils.c
@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 	}
 	iter_env->supports_ipv6 = cfg->do_ip6;
 	iter_env->supports_ipv4 = cfg->do_ip4;
@ -112,11 +112,11 @@ Index: trunk/iterator/iter_utils.c
 	return 1;
 }
-Index: trunk/iterator/iterator.c
+diff --git a/iterator/iterator.c b/iterator/iterator.c
-===================================================================
+index 23b07ea9..ca29b48c 100644
--- trunk/iterator/iterator.c	(revision 4357)
+--- a/iterator/iterator.c
-+++ trunk/iterator/iterator.c	(working copy)
+++ b/iterator/iterator.c
-@@ -1847,6 +1847,53 @@
+@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
 	return 0;
 }
@ -170,7 +170,7 @@ Index: trunk/iterator/iterator.c
 /** 
  * This is the request event state where the request will be sent to one of
-@@ -1894,6 +1941,13 @@
+@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
 	}
@ -184,7 +184,7 @@ Index: trunk/iterator/iterator.c
 	/* Make sure we have a delegation point, otherwise priming failed
 	 * or another failure occurred */
 	if(!iq->dp) {
-@@ -3095,6 +3149,61 @@
+@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
 	return 0;
 }
@ -246,7 +246,7 @@ Index: trunk/iterator/iterator.c
 /*
  * Return priming query results to interested super querystates.
  * 
-@@ -3114,6 +3223,9 @@
+@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
 	else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
 		super->minfo[id])->state == DSNS_FIND_STATE)
 		processDSNSResponse(qstate, id, super);
@ -256,7 +256,7 @@ Index: trunk/iterator/iterator.c
 	else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
 		error_supers(qstate, id, super);
 	else if(qstate->is_priming)
-@@ -3151,6 +3263,9 @@
+@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
 			case INIT_REQUEST_3_STATE:
 				cont = processInitRequest3(qstate, iq, id);
 				break;
@ -266,7 +266,7 @@ Index: trunk/iterator/iterator.c
 			case QUERYTARGETS_STATE:
 				cont = processQueryTargets(qstate, iq, ie, id);
 				break;
-@@ -3460,6 +3575,8 @@
+@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state)
 		return "INIT REQUEST STATE (stage 2)";
 	case INIT_REQUEST_3_STATE:
 		return "INIT REQUEST STATE (stage 3)";
@ -275,7 +275,7 @@ Index: trunk/iterator/iterator.c
 	case QUERYTARGETS_STATE :
 		return "QUERY TARGETS STATE";
 	case PRIME_RESP_STATE :
-@@ -3484,6 +3601,7 @@
+@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s)
 		case INIT_REQUEST_STATE :
 		case INIT_REQUEST_2_STATE :
 		case INIT_REQUEST_3_STATE :
@ -283,11 +283,11 @@ Index: trunk/iterator/iterator.c
 		case QUERYTARGETS_STATE :
 		case COLLECT_CLASS_STATE :
 			return 0;
-Index: trunk/iterator/iterator.h
+diff --git a/iterator/iterator.h b/iterator/iterator.h
-===================================================================
+index 342ac207..731948d1 100644
--- trunk/iterator/iterator.h	(revision 4357)
+--- a/iterator/iterator.h
-+++ trunk/iterator/iterator.h	(working copy)
+++ b/iterator/iterator.h
-@@ -130,6 +130,9 @@
+@@ -135,6 +135,9 @@ struct iter_env {
 	 */
 	int* target_fetch_policy;
@ -297,10 +297,11 @@ Index: trunk/iterator/iterator.h
 	/** lock on ratelimit counter */
 	lock_basic_type queries_ratelimit_lock;
 	/** number of queries that have been ratelimited */
-@@ -182,6 +185,14 @@
+@@ -186,6 +189,14 @@ enum iter_state {
 	 */
 	INIT_REQUEST_3_STATE,
- 	/**
+	/**
 +	 * This state is responsible for intercepting AAAA queries,
 +	 * and launch a A subquery on the same target, to populate the
 +	 * cache with A records, so the AAAA filter scrubbing logic can
@ -308,29 +309,28 @@ Index: trunk/iterator/iterator.h
 +	 */
 +	ASN_FETCH_A_FOR_AAAA_STATE,
 +
-+	/**
+ 	/**
 	 * Each time a delegation point changes for a given query or a 
 	 * query times out and/or wakes up, this state is (re)visited. 
- 	 * This state is responsible for iterating through a list of 
+@@ -375,6 +386,13 @@ struct iter_qstate {
@@ -364,6 +375,13 @@
 	 * be used when creating the state. A higher one will be attempted.
 	 */
 	int refetch_glue;
-+
+ 
 +	/**
 +	 * ASN: This is a flag that, if true, means that this query is
 +	 * for fetching A records to populate cache and determine if we must
 +	 * return AAAA records or not.
 +	 */
 +	int fetch_a_for_aaaa;
- 
+
 	/** list of pending queries to authoritative servers. */
 	struct outbound_list outlist;
-Index: trunk/pythonmod/interface.i
+ 
-===================================================================
+diff --git a/pythonmod/interface.i b/pythonmod/interface.i
--- trunk/pythonmod/interface.i	(revision 4357)
+index f08b575d..47f1bb2e 100644
-+++ trunk/pythonmod/interface.i	(working copy)
+--- a/pythonmod/interface.i
-@@ -851,6 +851,7 @@
+++ b/pythonmod/interface.i
@@ -975,6 +975,7 @@ struct config_file {
    int harden_dnssec_stripped;
    int harden_referral_path;
    int use_caps_bits_for_id;
@ -338,11 +338,11 @@ Index: trunk/pythonmod/interface.i
    struct config_strlist* private_address;
    struct config_strlist* private_domain;
    size_t unwanted_threshold;
-Index: trunk/util/config_file.c
+diff --git a/util/config_file.c b/util/config_file.c
-===================================================================
+index 0ab8614a..729fb147 100644
--- trunk/util/config_file.c	(revision 4357)
+--- a/util/config_file.c
-+++ trunk/util/config_file.c	(working copy)
+++ b/util/config_file.c
-@@ -195,6 +195,7 @@
+@@ -218,6 +218,7 @@ config_create(void)
 	cfg->harden_referral_path = 0;
 	cfg->harden_algo_downgrade = 0;
 	cfg->use_caps_bits_for_id = 0;
@ -350,11 +350,11 @@ Index: trunk/util/config_file.c
 	cfg->caps_whitelist = NULL;
 	cfg->private_address = NULL;
 	cfg->private_domain = NULL;
-Index: trunk/util/config_file.h
+diff --git a/util/config_file.h b/util/config_file.h
-===================================================================
+index e61257a3..dabaa7bb 100644
--- trunk/util/config_file.h	(revision 4357)
+--- a/util/config_file.h
-+++ trunk/util/config_file.h	(working copy)
+++ b/util/config_file.h
-@@ -209,6 +209,8 @@
+@@ -260,6 +260,8 @@ struct config_file {
 	int harden_algo_downgrade;
 	/** use 0x20 bits in query as random ID bits */
 	int use_caps_bits_for_id;
@ -363,11 +363,11 @@ Index: trunk/util/config_file.h
 	/** 0x20 whitelist, domains that do not use capsforid */
 	struct config_strlist* caps_whitelist;
 	/** strip away these private addrs from answers, no DNS Rebinding */
-Index: trunk/util/configlexer.lex
+diff --git a/util/configlexer.lex b/util/configlexer.lex
-===================================================================
+index 79a0edca..4eaec678 100644
--- trunk/util/configlexer.lex	(revision 4357)
+--- a/util/configlexer.lex
-+++ trunk/util/configlexer.lex	(working copy)
+++ b/util/configlexer.lex
-@@ -279,6 +279,7 @@
+@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON}	{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) }
 use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
 caps-whitelist{COLON}		{ YDVAR(1, VAR_CAPS_WHITELIST) }
 unwanted-reply-threshold{COLON}	{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
@ -375,11 +375,11 @@ Index: trunk/util/configlexer.lex
 private-address{COLON}		{ YDVAR(1, VAR_PRIVATE_ADDRESS) }
 private-domain{COLON}		{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
 prefetch-key{COLON}		{ YDVAR(1, VAR_PREFETCH_KEY) }
-Index: trunk/util/configparser.y
+diff --git a/util/configparser.y b/util/configparser.y
-===================================================================
+index 1d0e8658..f284dd43 100644
--- trunk/util/configparser.y	(revision 4357)
+--- a/util/configparser.y
-+++ trunk/util/configparser.y	(working copy)
+++ b/util/configparser.y
-@@ -95,6 +95,7 @@
+@@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
 %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
 %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
@ -387,7 +387,7 @@ Index: trunk/util/configparser.y
 %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
 %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
 %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
-@@ -203,6 +204,7 @@
+@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
 	server_harden_referral_path | server_private_address |
 	server_private_domain | server_extended_statistics | 
@ -395,12 +395,10 @@ Index: trunk/util/configparser.y
 	server_local_data_ptr | server_jostle_timeout | 
 	server_unwanted_reply_threshold | server_log_time_ascii | 
 	server_domain_insecure | server_val_sig_skew_min | 
-@@ -1183,6 +1185,15 @@
+@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
 		OUTYY(("P(server_caps_whitelist:%s)\n", $2));
 		if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, $2))
 			yyerror("out of memory");
-+	}
+ 	}
-+	;
+ 	;
 +server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG
 +	{
 +		OUTYY(("P(server_aaaa_filter:%s)\n", $2));
@ -408,6 +406,8 @@ Index: trunk/util/configparser.y
 +			yyerror("expected yes or no.");
 +		else cfg_parser->cfg->aaaa_filter = (strcmp($2, "yes")==0);
 +		free($2);
- 	}
+	}
- 	;
+	;
 server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG
 	{
 		OUTYY(("P(server_private_address:%s)\n", $2));
--- a/contrib/fastrpz.patch
+++ b/contrib/fastrpz.patch
@ -2,7 +2,7 @@ Description: based on the included patch contrib/fastrpz.patch
 Author: fastrpz@farsightsecurity.com
 ---
 diff --git a/Makefile.in b/Makefile.in
-index a20058cc..495779cc 100644
+index bac212df..4824927f 100644
 --- a/Makefile.in
 +++ b/Makefile.in
@@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c
@ -13,8 +13,8 @@ index a20058cc..495779cc 100644
 +FASTRPZ_OBJ=@FASTRPZ_OBJ@
 DNSCRYPT_SRC=@DNSCRYPT_SRC@
 DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
- WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
+ WITH_DYNLIBMODULE=@WITH_DYNLIBMODULE@
-@@ -127,7 +129,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
+@@ -134,7 +136,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
 edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
 edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
 cachedb/cachedb.c cachedb/redis.c respip/respip.c $(CHECKLOCK_SRC) \
@ -23,16 +23,16 @@ index a20058cc..495779cc 100644
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
 as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
-@@ -140,7 +142,7 @@ autotrust.lo val_anchor.lo rpz.lo \
+@@ -147,7 +149,7 @@ autotrust.lo val_anchor.lo rpz.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo redis.lo authzone.lo \
 $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
-$(IPSECMOD_OBJ) $(IPSET_OBJ) respip.lo
+-$(IPSECMOD_OBJ) $(IPSET_OBJ) $(DYNLIBMOD_OBJ) respip.lo
-+$(FASTRPZ_OBJ) $(IPSECMOD_OBJ) $(IPSET_OBJ) respip.lo
+$(FASTRPZ_OBJ) $(IPSECMOD_OBJ) $(IPSET_OBJ) $(DYNLIBMOD_OBJ) respip.lo
 COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
 outside_network.lo
 COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
-@@ -410,6 +412,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
+@@ -428,6 +430,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
 	$(srcdir)/util/config_file.h $(srcdir)/util/log.h \
 	$(srcdir)/util/netevent.h
@ -45,10 +45,10 @@ index a20058cc..495779cc 100644
 pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
 	pythonmod/interface.h \
 diff --git a/config.h.in b/config.h.in
-index 78d47fed..e33073e4 100644
+index f7a4095e..d5a4fa01 100644
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1345,4 +1345,11 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
+@@ -1364,4 +1364,11 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 /** the version of unbound-control that this software implements */
 #define UNBOUND_CONTROL_VERSION 1
@ -62,7 +62,7 @@ index 78d47fed..e33073e4 100644
 +/** turn on fastrpz response policy zones */
 +#undef ENABLE_FASTRPZ
 diff --git a/configure.ac b/configure.ac
-index 2b91dd3c..e6063d17 100644
+index 5c373d9d..e45abd89 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -6,6 +6,7 @@ sinclude(ax_pthread.m4)
@ -73,10 +73,10 @@ index 2b91dd3c..e6063d17 100644
 sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
-@@ -1778,6 +1779,9 @@ case "$enable_ipset" in
+@@ -1819,6 +1820,9 @@ case "$enable_explicit_port_randomisation" in
 		;;
 esac
 +# check for Fastrpz with fastrpz/rpz.m4
 +ck_FASTRPZ
 +
@ -84,7 +84,7 @@ index 2b91dd3c..e6063d17 100644
 # on openBSD, the implicit rule make $< work.
 # on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
 diff --git a/daemon/daemon.c b/daemon/daemon.c
-index 8b0fc348..7ffb9221 100644
+index 5d427925..f89f1437 100644
 --- a/daemon/daemon.c
 +++ b/daemon/daemon.c
@@ -91,6 +91,9 @@
@ -97,8 +97,8 @@ index 8b0fc348..7ffb9221 100644
 #ifdef HAVE_SYSTEMD
 #include <systemd/sd-daemon.h>
-@@ -458,6 +461,14 @@ daemon_create_workers(struct daemon* daemon)
+@@ -456,6 +459,14 @@ daemon_create_workers(struct daemon* daemon)
- 		dt_apply_cfg(daemon->dtenv, daemon->cfg);
+ 			fatal_exit("dt_create failed");
 #else
 		fatal_exit("dnstap enabled in config but not built with dnstap support");
 +#endif
@ -112,7 +112,7 @@ index 8b0fc348..7ffb9221 100644
 #endif
 	}
 	for(i=0; i<daemon->num; i++) {
-@@ -731,6 +742,9 @@ daemon_cleanup(struct daemon* daemon)
+@@ -729,6 +740,9 @@ daemon_cleanup(struct daemon* daemon)
 #ifdef USE_DNSCRYPT
 	dnsc_delete(daemon->dnscenv);
 	daemon->dnscenv = NULL;
@ -139,7 +139,7 @@ index 3effbafb..4d4c34da 100644
 /**
 diff --git a/daemon/worker.c b/daemon/worker.c
-index eb7fdf2f..1982228d 100644
+index 23e3244c..b63d49b7 100644
 --- a/daemon/worker.c
 +++ b/daemon/worker.c
@@ -76,6 +76,9 @@
@ -152,7 +152,7 @@ index eb7fdf2f..1982228d 100644
 #include "sldns/wire2str.h"
 #include "util/shm_side/shm_main.h"
 #include "dnscrypt/dnscrypt.h"
-@@ -534,8 +537,27 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
+@@ -535,8 +538,27 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 			/* not secure */
 			secure = 0;
 			break;
@ -180,7 +180,7 @@ index eb7fdf2f..1982228d 100644
 	/* return this delegation from the cache */
 	edns_bak = *edns;
 	edns->edns_version = EDNS_ADVERTISED_VERSION;
-@@ -710,6 +732,23 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
+@@ -711,6 +733,23 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 			*is_secure_answer = 0;
 		}
 	} else *is_secure_answer = 0;
@ -204,7 +204,7 @@ index eb7fdf2f..1982228d 100644
 	edns_bak = *edns;
 	edns->edns_version = EDNS_ADVERTISED_VERSION;
-@@ -1435,6 +1474,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
+@@ -1436,6 +1475,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
 			&repinfo->addr, repinfo->addrlen);
 		goto send_reply;
@ -220,7 +220,7 @@ index eb7fdf2f..1982228d 100644
 	}
 	/* If we've found a local alias, replace the qname with the alias
-@@ -1485,12 +1533,21 @@ lookup_cache:
+@@ -1486,12 +1534,21 @@ lookup_cache:
 		h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
 		if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
 			/* answer from cache - we have acquired a readlock on it */
@ -244,7 +244,7 @@ index eb7fdf2f..1982228d 100644
 				/* prefetch it if the prefetch TTL expired.
 				 * Note that if there is more than one pass
 				 * its qname must be that used for cache
-@@ -1547,11 +1604,19 @@ lookup_cache:
+@@ -1548,11 +1605,19 @@ lookup_cache:
 			lock_rw_unlock(&e->lock);
 		}
 		if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
@ -267,10 +267,10 @@ index eb7fdf2f..1982228d 100644
 			}
 			verbose(VERB_ALGO, "answer norec from cache -- "
 diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
-index 38c2d298..3b07f392 100644
+index cd43f04e..b92a1af8 100644
 --- a/doc/unbound.conf.5.in
 +++ b/doc/unbound.conf.5.in
-@@ -1828,6 +1828,81 @@ List domain for which the AAAA records are ignored and the A record is
+@@ -1878,6 +1878,81 @@ List domain for which the AAAA records are ignored and the A record is
 used by dns64 processing instead.  Can be entered multiple times, list a
 new domain for which it applies, one per line.  Applies also to names
 underneath the name given.
@ -2888,7 +2888,7 @@ index 00000000..21235355
 +  fi
 +])
 diff --git a/iterator/iterator.c b/iterator/iterator.c
-index 1e0113a8..2fcbf547 100644
+index 23b07ea9..c3d31a33 100644
 --- a/iterator/iterator.c
 +++ b/iterator/iterator.c
@@ -68,6 +68,9 @@
@ -2901,7 +2901,7 @@ index 1e0113a8..2fcbf547 100644
 /* in msec */
 int UNKNOWN_SERVER_NICENESS = 376;
-@@ -555,6 +558,23 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -563,6 +566,23 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
 		if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
 			query_dname_compare(*mname, r->rk.dname) == 0 &&
 			!iter_find_rrset_in_prepend_answer(iq, r)) {
@ -2925,7 +2925,7 @@ index 1e0113a8..2fcbf547 100644
 			/* Add this relevant CNAME rrset to the prepend list.*/
 			if(!iter_add_prepend_answer(qstate, iq, r))
 				return 0;
-@@ -563,6 +583,9 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -571,6 +591,9 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* Other rrsets in the section are ignored. */
 	}
@ -2935,7 +2935,7 @@ index 1e0113a8..2fcbf547 100644
 	/* add authority rrsets to authority prepend, for wildcarded CNAMEs */
 	for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets +
 		msg->rep->ns_numrrsets; i++) {
-@@ -1199,6 +1222,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -1231,6 +1254,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 	uint8_t* delname;
 	size_t delnamelen;
 	struct dns_msg* msg = NULL;
@ -2943,7 +2943,7 @@ index 1e0113a8..2fcbf547 100644
 	log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
 	/* check effort */
-@@ -1285,8 +1309,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -1317,8 +1341,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 	}
 	if(msg) {
 		/* handle positive cache response */
@ -2953,7 +2953,7 @@ index 1e0113a8..2fcbf547 100644
 		if(verbosity >= VERB_ALGO) {
 			log_dns_msg("msg from cache lookup", &msg->qinfo, 
 				msg->rep);
-@@ -1294,7 +1317,22 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -1326,7 +1349,22 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 				(int)msg->rep->ttl, 
 				(int)msg->rep->prefetch_ttl);
 		}
@ -2976,7 +2976,7 @@ index 1e0113a8..2fcbf547 100644
 		if(type == RESPONSE_TYPE_CNAME) {
 			uint8_t* sname = 0;
 			size_t slen = 0;
-@@ -2718,6 +2756,62 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -2801,6 +2839,62 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			sock_list_insert(&qstate->reply_origin, 
 				&qstate->reply->addr, qstate->reply->addrlen, 
 				qstate->region);
@ -3039,7 +3039,7 @@ index 1e0113a8..2fcbf547 100644
 		if(iq->minimisation_state != DONOT_MINIMISE_STATE
 			&& !(iq->chase_flags & BIT_RD)) {
 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
-@@ -3471,12 +3565,44 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -3563,12 +3657,44 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * but only if we did recursion. The nonrecursion referral
 		 * from cache does not need to be stored in the msg cache. */
 		if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
@ -3085,10 +3085,10 @@ index 1e0113a8..2fcbf547 100644
 	qstate->return_msg = iq->response;
 	return 0;
 diff --git a/iterator/iterator.h b/iterator/iterator.h
-index a2f1b570..e1e4a738 100644
+index 342ac207..49b0ecdd 100644
 --- a/iterator/iterator.h
 +++ b/iterator/iterator.h
-@@ -386,6 +386,16 @@ struct iter_qstate {
+@@ -396,6 +396,16 @@ struct iter_qstate {
 	 */
 	int minimise_count;
@ -3104,12 +3104,12 @@ index a2f1b570..e1e4a738 100644
 +
 	/**
 	 * Count number of time-outs. Used to prevent resolving failures when
- 	 * the QNAME minimisation QTYPE is blocked. */
+ 	 * the QNAME minimisation QTYPE is blocked. Used to determine if
 diff --git a/services/cache/dns.c b/services/cache/dns.c
-index 2a5bca4a..6de8863a 100644
+index 7b6e142c..6d7449f5 100644
 --- a/services/cache/dns.c
 +++ b/services/cache/dns.c
-@@ -967,6 +967,14 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
+@@ -969,6 +969,14 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
 	struct regional* region, uint32_t flags)
 {
 	struct reply_info* rep = NULL;
@ -3125,7 +3125,7 @@ index 2a5bca4a..6de8863a 100644
 	rep = reply_info_copy(msgrep, env->alloc, NULL);
 	if(!rep)
 diff --git a/services/mesh.c b/services/mesh.c
-index 9114ef4c..3dc518e5 100644
+index 4b0c5db4..eb9cfa5b 100644
 --- a/services/mesh.c
 +++ b/services/mesh.c
@@ -61,6 +61,9 @@
@ -3138,7 +3138,7 @@ index 9114ef4c..3dc518e5 100644
 #include "respip/respip.h"
 #include "services/listen_dnsport.h"
-@@ -1195,6 +1198,13 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
+@@ -1207,6 +1210,13 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	else	secure = 0;
 	if(!rep && rcode == LDNS_RCODE_NOERROR)
 		rcode = LDNS_RCODE_SERVFAIL;
@ -3152,7 +3152,7 @@ index 9114ef4c..3dc518e5 100644
 	/* send the reply */
 	/* We don't reuse the encoded answer if either the previous or current
 	 * response has a local alias.  We could compare the alias records
-@@ -1415,6 +1425,7 @@ struct mesh_state* mesh_area_find(struct mesh_area* mesh,
+@@ -1434,6 +1444,7 @@ struct mesh_state* mesh_area_find(struct mesh_area* mesh,
 	key.s.is_valrec = valrec;
 	key.s.qinfo = *qinfo;
 	key.s.query_flags = qflags;
@ -3160,7 +3160,7 @@ index 9114ef4c..3dc518e5 100644
 	/* We are searching for a similar mesh state when we DO want to
 	 * aggregate the state. Thus unique is set to NULL. (default when we
 	 * desire aggregation).*/
-@@ -1461,6 +1472,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
+@@ -1480,6 +1491,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
 	if(!r)
 		return 0;
 	r->query_reply = *rep;
@ -3172,11 +3172,11 @@ index 9114ef4c..3dc518e5 100644
 	if(edns->opt_list) {
 		r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
 diff --git a/util/config_file.c b/util/config_file.c
-index 52ca5a18..0660248f 100644
+index 0e9ee471..a5fd72e0 100644
 --- a/util/config_file.c
 +++ b/util/config_file.c
-@@ -1460,6 +1460,8 @@ config_delete(struct config_file* cfg)
+@@ -1495,6 +1495,8 @@ config_delete(struct config_file* cfg)
- 	free(cfg->dnstap_socket_path);
+ 	free(cfg->dnstap_tls_client_cert_file);
 	free(cfg->dnstap_identity);
 	free(cfg->dnstap_version);
 +	if (cfg->rpz_cstr)
@ -3185,10 +3185,10 @@ index 52ca5a18..0660248f 100644
 	config_deldblstrlist(cfg->ratelimit_below_domain);
 	config_delstrlist(cfg->python_script);
 diff --git a/util/config_file.h b/util/config_file.h
-index 8739ca2a..a2dcf215 100644
+index 66e5025d..504f4f92 100644
 --- a/util/config_file.h
 +++ b/util/config_file.h
-@@ -499,6 +499,11 @@ struct config_file {
+@@ -522,6 +522,11 @@ struct config_file {
 	/** true to disable DNSSEC lameness check in iterator */
 	int disable_dnssec_lame_check;
@ -3201,10 +3201,10 @@ index 8739ca2a..a2dcf215 100644
 	int ip_ratelimit;
 	/** number of slabs for ip_ratelimit cache */
 diff --git a/util/configlexer.lex b/util/configlexer.lex
-index deedffa5..301458a3 100644
+index 83cea4b9..9a7feea4 100644
 --- a/util/configlexer.lex
 +++ b/util/configlexer.lex
-@@ -446,6 +446,10 @@ dnstap-log-forwarder-query-messages{COLON}	{
+@@ -467,6 +467,10 @@ dnstap-log-forwarder-query-messages{COLON}	{
 		YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
 dnstap-log-forwarder-response-messages{COLON}	{
 		YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
@ -3216,18 +3216,18 @@ index deedffa5..301458a3 100644
 ip-ratelimit{COLON}		{ YDVAR(1, VAR_IP_RATELIMIT) }
 ratelimit{COLON}		{ YDVAR(1, VAR_RATELIMIT) }
 diff --git a/util/configparser.y b/util/configparser.y
-index d471babe..cb6b1d63 100644
+index fe600a99..ce43390f 100644
 --- a/util/configparser.y
 +++ b/util/configparser.y
-@@ -125,6 +125,7 @@ extern struct config_parser_state* cfg_parser;
+@@ -128,6 +128,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
 %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
 %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
 +%token VAR_RPZ VAR_RPZ_ENABLE VAR_RPZ_ZONE VAR_RPZ_OPTION
 %token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
 %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
- %token VAR_DISABLE_DNSSEC_LAME_CHECK
+ %token VAR_IP_DSCP
-@@ -173,7 +174,7 @@ extern struct config_parser_state* cfg_parser;
+@@ -179,7 +180,7 @@ extern struct config_parser_state* cfg_parser;
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -3236,7 +3236,7 @@ index d471babe..cb6b1d63 100644
 	forwardstart contents_forward | pythonstart contents_py | 
 	rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
 	dnscstart contents_dnsc | cachedbstart contents_cachedb |
-@@ -2837,6 +2838,50 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES
+@@ -2939,6 +2940,50 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES
 		free($2);
 	}
 	;
@ -3384,7 +3384,7 @@ index 729877ba..ccd1a0c2 100644
 /**
 diff --git a/util/netevent.c b/util/netevent.c
-index 9fe5da2d..037e70d1 100644
+index 3e7a433e..f20d806f 100644
 --- a/util/netevent.c
 +++ b/util/netevent.c
@@ -57,6 +57,9 @@
@ -3397,7 +3397,7 @@ index 9fe5da2d..037e70d1 100644
 /* -------- Start of local definitions -------- */
 /** if CMSG_ALIGN is not defined on this platform, a workaround */
-@@ -590,6 +593,9 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg)
+@@ -596,6 +599,9 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg)
 	struct cmsghdr* cmsg;
 #endif /* S_SPLINT_S */
@ -3407,7 +3407,7 @@ index 9fe5da2d..037e70d1 100644
 	rep.c = (struct comm_point*)arg;
 	log_assert(rep.c->type == comm_udp);
-@@ -679,6 +685,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
+@@ -685,6 +691,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
 	int i;
 	struct sldns_buffer *buffer;
@ -3417,7 +3417,7 @@ index 9fe5da2d..037e70d1 100644
 	rep.c = (struct comm_point*)arg;
 	log_assert(rep.c->type == comm_udp);
-@@ -722,6 +731,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
+@@ -728,6 +737,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
 			(void)comm_point_send_udp_msg(rep.c, buffer,
 				(struct sockaddr*)&rep.addr, rep.addrlen);
 		}
@ -3427,7 +3427,7 @@ index 9fe5da2d..037e70d1 100644
 		if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for
 		another UDP port. Note rep.c cannot be reused with TCP fd. */
 			break;
-@@ -3192,6 +3204,9 @@ comm_point_send_reply(struct comm_reply *repinfo)
+@@ -3175,6 +3187,9 @@ comm_point_send_reply(struct comm_reply *repinfo)
 				repinfo->c->tcp_timeout_msec);
 		}
 	}
@ -3437,7 +3437,7 @@ index 9fe5da2d..037e70d1 100644
 }
 void 
-@@ -3201,6 +3216,9 @@ comm_point_drop_reply(struct comm_reply* repinfo)
+@@ -3184,6 +3199,9 @@ comm_point_drop_reply(struct comm_reply* repinfo)
 		return;
 	log_assert(repinfo->c);
 	log_assert(repinfo->c->type != comm_tcp_accept);
@ -3447,7 +3447,7 @@ index 9fe5da2d..037e70d1 100644
 	if(repinfo->c->type == comm_udp)
 		return;
 	if(repinfo->c->tcp_req_info)
-@@ -3222,6 +3240,9 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec)
+@@ -3205,6 +3223,9 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec)
 {
 	verbose(VERB_ALGO, "comm point start listening %d (%d msec)", 
 		c->fd==-1?newfd:c->fd, msec);
@ -3458,7 +3458,7 @@ index 9fe5da2d..037e70d1 100644
 		/* no use to start listening no free slots. */
 		return;
 diff --git a/util/netevent.h b/util/netevent.h
-index d80c72b3..0233292f 100644
+index bb2cd1e5..666067e8 100644
 --- a/util/netevent.h
 +++ b/util/netevent.h
@@ -120,6 +120,10 @@ struct comm_reply {
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@ -42,9 +42,9 @@
 [Unit]
 Description=Validating, recursive, and caching DNS resolver
 Documentation=man:unbound(8)
-After=network.target
+After=network-online.target
-Before=network-online.target nss-lookup.target
+Before=nss-lookup.target
-Wants=nss-lookup.target
+Wants=network-online.target nss-lookup.target
 [Install]
 WantedBy=multi-user.target
--- a/contrib/unbound_munin_
+++ b/contrib/unbound_munin_
@ -174,11 +174,11 @@ get_state ( ) {
 if test "$1" = "autoconf" ; then
 	if test ! -f $conf; then
 		echo no "($conf does not exist)"
-		exit 1
+		exit 0
 	fi
 	if test ! -d `dirname $state`; then
 		echo no "(`dirname $state` directory does not exist)"
-		exit 1
+		exit 0
 	fi
 	echo yes
 	exit 0
--- a/daemon/acl_list.c
+++ b/daemon/acl_list.c
@ -273,7 +273,7 @@ check_data(const char* data, const struct config_strlist* head)
 	if(res == 0)
 		return 1;
 	log_err("rr data [char %d] parse error %s",
-		(int)LDNS_WIREPARSE_OFFSET(res)-13,
+		(int)LDNS_WIREPARSE_OFFSET(res)-2,
 		sldns_get_errorstr_parse(res));
 	return 0;
 }
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@ -77,6 +77,7 @@
 #include "util/storage/lookup3.h"
 #include "util/storage/slabhash.h"
 #include "util/tcp_conn_limit.h"
 #include "util/edns.h"
 #include "services/listen_dnsport.h"
 #include "services/cache/rrset.h"
 #include "services/cache/infra.h"
@ -290,6 +291,15 @@ daemon_init(void)
 		free(daemon);
 		return NULL;
 	}
 	if(!(daemon->env->edns_tags = edns_tags_create())) {
 		auth_zones_delete(daemon->env->auth_zones);
 		acl_list_delete(daemon->acl);
 		tcl_list_delete(daemon->tcl);
 		edns_known_options_delete(daemon->env);
 		free(daemon->env);
 		free(daemon);
 		return NULL;
 	}
 	return daemon;	
 }
@ -298,6 +308,8 @@ daemon_open_shared_ports(struct daemon* daemon)
 {
 	log_assert(daemon);
 	if(daemon->cfg->port != daemon->listening_port) {
 		char** resif = NULL;
 		int num_resif = 0;
 		size_t i;
 		struct listen_port* p0;
 		daemon->reuseport = 0;
@ -308,15 +320,18 @@ daemon_open_shared_ports(struct daemon* daemon)
 			free(daemon->ports);
 			daemon->ports = NULL;
 		}
 		if(!resolve_interface_names(daemon->cfg, &resif, &num_resif))
 			return 0;
 		/* see if we want to reuseport */
 #ifdef SO_REUSEPORT
 		if(daemon->cfg->so_reuseport && daemon->cfg->num_threads > 0)
 			daemon->reuseport = 1;
 #endif
 		/* try to use reuseport */
-		p0 = listening_ports_open(daemon->cfg, &daemon->reuseport);
+		p0 = listening_ports_open(daemon->cfg, resif, num_resif, &daemon->reuseport);
 		if(!p0) {
 			listening_ports_free(p0);
 			config_del_strarray(resif, num_resif);
 			return 0;
 		}
 		if(daemon->reuseport) {
@ -330,6 +345,7 @@ daemon_open_shared_ports(struct daemon* daemon)
 		if(!(daemon->ports = (struct listen_port**)calloc(
 			daemon->num_ports, sizeof(*daemon->ports)))) {
 			listening_ports_free(p0);
 			config_del_strarray(resif, num_resif);
 			return 0;
 		}
 		daemon->ports[0] = p0;
@ -338,16 +354,19 @@ daemon_open_shared_ports(struct daemon* daemon)
 			for(i=1; i<daemon->num_ports; i++) {
 				if(!(daemon->ports[i]=
 					listening_ports_open(daemon->cfg,
 						resif, num_resif,
 						&daemon->reuseport))
 					|| !daemon->reuseport ) {
 					for(i=0; i<daemon->num_ports; i++)
 						listening_ports_free(daemon->ports[i]);
 					free(daemon->ports);
 					daemon->ports = NULL;
 					config_del_strarray(resif, num_resif);
 					return 0;
 				}
 			}
 		}
 		config_del_strarray(resif, num_resif);
 		daemon->listening_port = daemon->cfg->port;
 	}
 	if(!daemon->cfg->remote_control_enable && daemon->rc_port) {
@ -619,6 +638,10 @@ daemon_fork(struct daemon* daemon)
 		&daemon->use_rpz))
 		fatal_exit("auth_zones could not be setup");
 	/* Set-up EDNS tags */
 	if(!edns_tags_apply_cfg(daemon->env->edns_tags, daemon->cfg))
 		fatal_exit("Could not set up EDNS tags");
 	/* setup modules */
 	daemon_setup_modules(daemon);
@ -750,6 +773,7 @@ daemon_delete(struct daemon* daemon)
 		rrset_cache_delete(daemon->env->rrset_cache);
 		infra_delete(daemon->env->infra_cache);
 		edns_known_options_delete(daemon->env);
 		edns_tags_delete(daemon->env->edns_tags);
 		auth_zones_delete(daemon->env->auth_zones);
 	}
 	ub_randfree(daemon->rand);
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -349,11 +349,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 	/* alloc */
 	n = (struct listen_port*)calloc(1, sizeof(*n));
 	if(!n) {
-#ifndef USE_WINSOCK
+		sock_close(fd);
 		close(fd);
 #else
 		closesocket(fd);
 #endif
 		log_err("out of memory");
 		return 0;
 	}
@ -462,11 +458,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
 	if(rc->active >= rc->max_active) {
 		log_warn("drop incoming remote control: too many connections");
 	close_exit:
-#ifndef USE_WINSOCK
+		sock_close(newfd);
 		close(newfd);
 #else
 		closesocket(newfd);
 #endif
 		return 0;
 	}
@ -575,11 +567,8 @@ ssl_print_text(RES* res, const char* text)
 			if(r == -1) {
 				if(errno == EAGAIN || errno == EINTR)
 					continue;
-#ifndef USE_WINSOCK
+				log_err("could not send: %s",
-				log_err("could not send: %s", strerror(errno));
+					sock_strerror(errno));
 #else
 				log_err("could not send: %s", wsa_strerror(WSAGetLastError()));
 #endif
 				return 0;
 			}
 			at += r;
@ -636,11 +625,8 @@ ssl_read_line(RES* res, char* buf, size_t max)
 					}
 					if(errno == EINTR || errno == EAGAIN)
 						continue;
-#ifndef USE_WINSOCK
+					log_err("could not recv: %s",
-					log_err("could not recv: %s", strerror(errno));
+						sock_strerror(errno));
 #else
 					log_err("could not recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
 					return 0;
 				}
 				break;
@ -3125,11 +3111,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
 				if(rr == 0) return;
 				if(errno == EINTR || errno == EAGAIN)
 					continue;
-#ifndef USE_WINSOCK
+				log_err("could not recv: %s", sock_strerror(errno));
 				log_err("could not recv: %s", strerror(errno));
 #else
 				log_err("could not recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
 				return;
 			}
 			r = (int)rr;
--- a/daemon/stats.c
+++ b/daemon/stats.c
@ -271,6 +271,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
 	s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
 	s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
 	s->svr.ans_expired += (long long)worker->env.mesh->ans_expired;
 	for(i=0; i<UB_STATS_RCODE_NUM; i++)
 		s->svr.ans_rcode[i] += (long long)worker->env.mesh->ans_rcode[i];
 	for(i=0; i<UB_STATS_RPZ_ACTION_NUM; i++)
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@ -92,7 +92,7 @@
 #include <TargetConditionals.h>
 #endif
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 #undef HAVE_FORK
 #endif
@ -534,6 +534,8 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 			LOGIN_SETALL & ~LOGIN_SETUSER & ~LOGIN_SETGROUP) != 0)
 			log_warn("unable to setusercontext %s: %s",
 				cfg->username, strerror(errno));
 #else
 		(void)pwd;
 #endif /* HAVE_SETUSERCONTEXT */
 	}
 #endif /* HAVE_GETPWNAM */
--- a/daemon/worker.c
+++ b/daemon/worker.c
@ -1219,7 +1219,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
 		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
 			LDNS_RCODE_FORMERR);
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(worker->env.cfg->log_queries) {
@ -1237,7 +1236,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			LDNS_RCODE_REFUSED);
 		if(worker->stats.extended) {
 			worker->stats.qtype[qinfo.qtype]++;
 			server_stats_insrcode(&worker->stats, c->buffer);
 		}
 		goto send_reply;
 	}
@ -1259,7 +1257,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			LDNS_RCODE_FORMERR);
 		if(worker->stats.extended) {
 			worker->stats.qtype[qinfo.qtype]++;
 			server_stats_insrcode(&worker->stats, c->buffer);
 		}
 		goto send_reply;
 	}
@ -1275,7 +1272,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 			sldns_buffer_read_u16_at(c->buffer, 2), &reply_edns);
 		regional_free_all(worker->scratchpad);
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(edns.edns_present) {
@ -1354,7 +1350,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		edns.udp_size = 65535; /* max size for TCP replies */
 	if(qinfo.qclass == LDNS_RR_CLASS_CH && answer_chaos(worker, &qinfo,
 		&edns, repinfo, c->buffer)) {
 		server_stats_insrcode(&worker->stats, c->buffer);
 		regional_free_all(worker->scratchpad);
 		goto send_reply;
 	}
@ -1375,7 +1370,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(worker->env.auth_zones &&
@ -1387,7 +1381,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(worker->env.auth_zones &&
@ -1403,7 +1396,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		if(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer)) &&
 		   acl != acl_deny_non_local && acl != acl_refuse_non_local)
 			LDNS_RA_SET(sldns_buffer_begin(c->buffer));
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
@ -1432,7 +1424,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 			sldns_buffer_read_u16_at(c->buffer, 2), NULL);
 		regional_free_all(worker->scratchpad);
 		server_stats_insrcode(&worker->stats, c->buffer);
 		log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
 			&repinfo->addr, repinfo->addrlen);
 		goto send_reply;
@ -1588,9 +1579,9 @@ send_reply_rc:
 	if(is_expired_answer) {
 		worker->stats.ans_expired++;
 	}
 	server_stats_insrcode(&worker->stats, c->buffer);
 	if(worker->stats.extended) {
 		if(is_secure_answer) worker->stats.ans_secure++;
 		server_stats_insrcode(&worker->stats, repinfo->c->buffer);
 	}
 #ifdef USE_DNSTAP
 	if(worker->dtenv.log_client_response_messages)
--- a/dnstap/dnstap.c
+++ b/dnstap/dnstap.c
@ -134,9 +134,15 @@ dt_create(struct config_file* cfg)
 	if(cfg->dnstap && cfg->dnstap_socket_path && cfg->dnstap_socket_path[0] &&
 		(cfg->dnstap_ip==NULL || cfg->dnstap_ip[0]==0)) {
 		char* p = fname_after_chroot(cfg->dnstap_socket_path, cfg, 1);
 		if(!p) {
 			log_err("malloc failure");
 			return NULL;
 		}
 		verbose(VERB_OPS, "attempting to connect to dnstap socket %s",
-			cfg->dnstap_socket_path);
+			p);
-		check_socket_file(cfg->dnstap_socket_path);
+		check_socket_file(p);
 		free(p);
 	}
 	env = (struct dt_env *) calloc(1, sizeof(struct dt_env));
--- a/dnstap/dnstap_fstrm.c
+++ b/dnstap/dnstap_fstrm.c
@ -92,6 +92,34 @@ void* fstrm_create_control_frame_stop(size_t* len)
 	return control;
 }
 void* fstrm_create_control_frame_ready(char* contenttype, size_t* len)
 {
 	uint32_t* control;
 	size_t n;
 	/* start bidirectional stream:
 	 * 4 bytes 0 escape
 	 * 4 bytes bigendian length of frame
 	 * 4 bytes bigendian type READY
 	 * 4 bytes bigendian frame option content type
 	 * 4 bytes bigendian length of string
 	 * string of content type.
 	 */
 	/* len includes the escape and framelength */
 	n = 4+4+4+4+4+strlen(contenttype);
 	control = malloc(n);
 	if(!control) {
 		return NULL;
 	}
 	control[0] = 0;
 	control[1] = htonl(4+4+4+strlen(contenttype));
 	control[2] = htonl(FSTRM_CONTROL_FRAME_READY);
 	control[3] = htonl(FSTRM_CONTROL_FIELD_TYPE_CONTENT_TYPE);
 	control[4] = htonl(strlen(contenttype));
 	memmove(&control[5], contenttype, strlen(contenttype));
 	*len = n;
 	return control;
 }
 void* fstrm_create_control_frame_accept(char* contenttype, size_t* len)
 {
 	uint32_t* control;
--- a/dnstap/dnstap_fstrm.h
+++ b/dnstap/dnstap_fstrm.h
@ -127,6 +127,21 @@
 */
 void* fstrm_create_control_frame_start(char* contenttype, size_t* len);
 /**
 * This creates an FSTRM control frame of type READY.
 * @param contenttype: a zero delimited string with the content type.
 * 	eg. use the constant DNSTAP_CONTENT_TYPE, which is defined as
 * 	"protobuf:dnstap.Dnstap", for a dnstap frame stream.
 * @param len: if a buffer is returned this is the length of that buffer.
 * @return NULL on malloc failure.  Returns a malloced buffer with the
 * protocol message.  The buffer starts with the 4 bytes of 0 that indicate
 * a control frame.  The buffer should be sent without preceding it with
 * the 'len' variable (like data frames are), but straight the content of the
 * buffer, because the lengths are included in the buffer.  This is so that
 * the zero control indicator can be included before the control frame length.
 */
 void* fstrm_create_control_frame_ready(char* contenttype, size_t* len);
 /**
 * This creates an FSTRM control frame of type STOP.
 * @param len: if a buffer is returned this is the length of that buffer.
--- a/dnstap/dtstream.c
+++ b/dnstap/dtstream.c
@ -48,6 +48,7 @@
 #include "util/ub_event.h"
 #include "util/net_help.h"
 #include "services/outside_network.h"
 #include "sldns/sbuffer.h"
 #ifdef HAVE_SYS_UN_H
 #include <sys/un.h>
 #endif
@ -68,6 +69,9 @@
 /** the msec to wait for reconnect slow, to stop busy spinning on reconnect */
 #define DTIO_RECONNECT_TIMEOUT_SLOW 1000
 /** maximum length of received frame */
 #define DTIO_RECV_FRAME_MAX_LEN 1000
 struct stop_flush_info;
 /** DTIO command channel commands */
 enum {
@ -85,9 +89,13 @@ static int dtio_add_output_event_write(struct dt_io_thread* dtio);
 static void dtio_reconnect_enable(struct dt_io_thread* dtio);
 /** stop from stop_flush event loop */
 static void dtio_stop_flush_exit(struct stop_flush_info* info);
 /** setup a start control message */
 static int dtio_control_start_send(struct dt_io_thread* dtio);
 #ifdef HAVE_SSL
 /** enable briefly waiting for a read event, for SSL negotiation */
 static int dtio_enable_brief_read(struct dt_io_thread* dtio);
 /** enable briefly waiting for a write event, for SSL negotiation */
 static int dtio_enable_brief_write(struct dt_io_thread* dtio);
 #endif
 struct dt_msg_queue*
@ -141,15 +149,14 @@ static void dtio_wakeup(struct dt_io_thread* dtio)
 #ifndef USE_WINSOCK
 			if(errno == EINTR || errno == EAGAIN)
 				continue;
 			log_err("dnstap io wakeup: write: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEINPROGRESS)
 				continue;
 			if(WSAGetLastError() == WSAEWOULDBLOCK)
 				continue;
 			log_err("dnstap io stop: write: %s",
 				wsa_strerror(WSAGetLastError()));
 #endif
 			log_err("dnstap io wakeup: write: %s",
 				sock_strerror(errno));
 			break;
 		}
 		break;
@ -261,6 +268,7 @@ int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
 	} else {
 		dtio->upstream_is_unix = 1;
 	}
 	dtio->is_bidirectional = cfg->dnstap_bidirectional;
 	if(dtio->upstream_is_unix) {
 		if(!cfg->dnstap_socket_path ||
@ -270,7 +278,8 @@ int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
 			return 0;
 		}
 		free(dtio->socket_path);
-		dtio->socket_path = strdup(cfg->dnstap_socket_path);
+		dtio->socket_path = fname_after_chroot(cfg->dnstap_socket_path,
 			cfg, 1);
 		if(!dtio->socket_path) {
 			log_err("dnstap setup: malloc failure");
 			return 0;
@ -551,6 +560,20 @@ static void dtio_cur_msg_free(struct dt_io_thread* dtio)
 	dtio->cur_msg_len_done = 0;
 }
 /** delete the buffer and counters used to read frame */
 static void dtio_read_frame_free(struct dt_frame_read_buf* rb)
 {
 	if(rb->buf) {
 		free(rb->buf);
 		rb->buf = NULL;
 	}
 	rb->buf_count = 0;
 	rb->buf_cap = 0;
 	rb->frame_len = 0;
 	rb->frame_len_done = 0;
 	rb->control_frame = 0;
 }
 /** del the output file descriptor event for listening */
 static void dtio_del_output_event(struct dt_io_thread* dtio)
 {
@ -564,11 +587,7 @@ static void dtio_del_output_event(struct dt_io_thread* dtio)
 /** close dtio socket and set it to -1 */
 static void dtio_close_fd(struct dt_io_thread* dtio)
 {
-#ifndef USE_WINSOCK
+	sock_close(dtio->fd);
 	close(dtio->fd);
 #else
 	closesocket(dtio->fd);
 #endif
 	dtio->fd = -1;
 }
@ -594,6 +613,11 @@ static void dtio_close_output(struct dt_io_thread* dtio)
 	if(dtio->cur_msg) {
 		dtio_cur_msg_free(dtio);
 	}
 	dtio->ready_frame_sent = 0;
 	dtio->accept_frame_received = 0;
 	dtio_read_frame_free(&dtio->read_frame);
 	dtio_reconnect_enable(dtio);
 }
@ -631,13 +655,8 @@ static int dtio_check_nb_connect(struct dt_io_thread* dtio)
 		char* to = dtio->socket_path;
 		if(!to) to = dtio->ip_str;
 		if(!to) to = "";
 #ifndef USE_WINSOCK
 		log_err("dnstap io: failed to connect to \"%s\": %s",
-			to, strerror(error));
+			to, sock_strerror(error));
 #else
 		log_err("dnstap io: failed to connect to \"%s\": %s",
 			to, wsa_strerror(error));
 #endif
 		return -1; /* error, close it */
 	}
@ -714,7 +733,6 @@ static int dtio_write_buf(struct dt_io_thread* dtio, uint8_t* buf,
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return 0;
 		log_err("dnstap io: failed send: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return 0;
@ -724,9 +742,8 @@ static int dtio_write_buf(struct dt_io_thread* dtio, uint8_t* buf,
 				UB_EV_WRITE);
 			return 0;
 		}
 		log_err("dnstap io: failed send: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("dnstap io: failed send: %s", sock_strerror(errno));
 		return -1;
 	}
 	return ret;
@ -750,7 +767,6 @@ static int dtio_write_with_writev(struct dt_io_thread* dtio)
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return 0;
 		log_err("dnstap io: failed writev: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return 0;
@ -760,9 +776,8 @@ static int dtio_write_with_writev(struct dt_io_thread* dtio)
 				UB_EV_WRITE);
 			return 0;
 		}
 		log_err("dnstap io: failed writev: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("dnstap io: failed writev: %s", sock_strerror(errno));
 		/* close the channel */
 		dtio_del_output_event(dtio);
 		dtio_close_output(dtio);
@ -855,6 +870,94 @@ static int dtio_write_more(struct dt_io_thread* dtio)
 	return 1;
 }
 /** Receive bytes from dtio->fd, store in buffer. Returns 0: closed,
 * -1: continue, >0: number of bytes read into buffer */
 static ssize_t receive_bytes(struct dt_io_thread* dtio, void* buf, size_t len) {
 	ssize_t r;
 	r = recv(dtio->fd, (void*)buf, len, 0);
 	if(r == -1) {
 		char* to = dtio->socket_path;
 		if(!to) to = dtio->ip_str;
 		if(!to) to = "";
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return -1; /* try later */
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS) {
 			return -1; /* try later */
 		} else if(WSAGetLastError() == WSAEWOULDBLOCK) {
 			ub_winsock_tcp_wouldblock(
 				(dtio->stop_flush_event?
 				dtio->stop_flush_event:dtio->event),
 				UB_EV_READ);
 			return -1; /* try later */
 		}
 #endif
 		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
 			verbosity < 4)
 			return 0; /* no log retries on low verbosity */
 		log_err("dnstap io: output closed, recv %s: %s", to,
 			strerror(errno));
 		/* and close below */
 		return 0;
 	}
 	if(r == 0) {
 		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
 			verbosity < 4)
 			return 0; /* no log retries on low verbosity */
 		verbose(VERB_DETAIL, "dnstap io: output closed by the other side");
 		/* and close below */
 		return 0;
 	}
 	/* something was received */
 	return r;
 }
 #ifdef HAVE_SSL
 /** Receive bytes over TLS from dtio->fd, store in buffer. Returns 0: closed,
 * -1: continue, >0: number of bytes read into buffer */
 static int ssl_read_bytes(struct dt_io_thread* dtio, void* buf, size_t len)
 {
 	int r;
 	ERR_clear_error();
 	r = SSL_read(dtio->ssl, buf, len);
 	if(r <= 0) {
 		int want = SSL_get_error(dtio->ssl, r);
 		if(want == SSL_ERROR_ZERO_RETURN) {
 			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
 				verbosity < 4)
 				return 0; /* no log retries on low verbosity */
 			verbose(VERB_DETAIL, "dnstap io: output closed by the "
 				"other side");
 			return 0;
 		} else if(want == SSL_ERROR_WANT_READ) {
 			/* continue later */
 			return -1;
 		} else if(want == SSL_ERROR_WANT_WRITE) {
 			(void)dtio_enable_brief_write(dtio);
 			return -1;
 		} else if(want == SSL_ERROR_SYSCALL) {
 #ifdef ECONNRESET
 			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
 				errno == ECONNRESET && verbosity < 4)
 				return 0; /* silence reset by peer */
 #endif
 			if(errno != 0)
 				log_err("SSL_read syscall: %s",
 					strerror(errno));
 			verbose(VERB_DETAIL, "dnstap io: output closed by the "
 				"other side");
 			return 0;
 		}
 		log_crypto_err("could not SSL_read");
 		verbose(VERB_DETAIL, "dnstap io: output closed by the "
 				"other side");
 		return 0;
 	}
 	return r;
 }
 #endif /* HAVE_SSL */
 /** check if the output fd has been closed,
 * it returns false if the stream is closed. */
 static int dtio_check_close(struct dt_io_thread* dtio)
@ -864,44 +967,17 @@ static int dtio_check_close(struct dt_io_thread* dtio)
 	 * packets is okay for the framestream protocol.  And also, the
 	 * read call can return that the stream has been closed by the
 	 * other side. */
 	ssize_t r;
 	uint8_t buf[1024];
 	int r = -1;
 	if(dtio->fd == -1) return 0;
-	while(1) {
+
-		r = recv(dtio->fd, (void*)buf, sizeof(buf), 0);
+	while(r != 0) {
-		if(r == -1) {
+		/* not interested in buffer content, overwrite */
-			char* to = dtio->socket_path;
+		r = receive_bytes(dtio, (void*)buf, sizeof(buf));
-			if(!to) to = dtio->ip_str;
+		if(r == -1)
-			if(!to) to = "";
+			return 1;
 #ifndef USE_WINSOCK
 			if(errno == EINTR || errno == EAGAIN)
 				return 1; /* try later */
 #else
 			if(WSAGetLastError() == WSAEINPROGRESS) {
 				return 1; /* try later */
 			} else if(WSAGetLastError() == WSAEWOULDBLOCK) {
 				ub_winsock_tcp_wouldblock(
 					(dtio->stop_flush_event?
 					dtio->stop_flush_event:dtio->event),
 					UB_EV_READ);
 				return 1; /* try later */
 			}
 #endif
 			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN && verbosity < 4)
 				break; /* no log retries on low verbosity */
 			log_err("dnstap io: output closed, recv %s: %s", to,
 				strerror(errno));
 			/* and close below */
 			break;
 		}
 		if(r == 0) {
 			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN && verbosity < 4)
 				break; /* no log retries on low verbosity */
 			verbose(VERB_DETAIL, "dnstap io: output closed by the other side");
 			/* and close below */
 			break;
 		}
 		/* something was received, ignore it */
 	}
 	/* the other end has been closed */
 	/* close the channel */
@ -910,6 +986,143 @@ static int dtio_check_close(struct dt_io_thread* dtio)
 	return 0;
 }
 /** Read accept frame. Returns -1: continue reading, 0: closed,
 * 1: valid accept received. */
 static int dtio_read_accept_frame(struct dt_io_thread* dtio)
 {
 	int r;
 	size_t read_frame_done;
 	while(dtio->read_frame.frame_len_done < 4) {
 #ifdef HAVE_SSL
 		if(dtio->ssl) {
 			r = ssl_read_bytes(dtio,
 				(uint8_t*)&dtio->read_frame.frame_len+
 				dtio->read_frame.frame_len_done,
 				4-dtio->read_frame.frame_len_done);
 		} else {
 #endif
 			r = receive_bytes(dtio,
 				(uint8_t*)&dtio->read_frame.frame_len+
 				dtio->read_frame.frame_len_done,
 				4-dtio->read_frame.frame_len_done);
 #ifdef HAVE_SSL
 		}
 #endif
 		if(r == -1)
 			return -1; /* continue reading */
 		if(r == 0) {
 			 /* connection closed */
 			goto close_connection;
 		}
 		dtio->read_frame.frame_len_done += r;
 		if(dtio->read_frame.frame_len_done < 4)
 			return -1; /* continue reading */
 		if(dtio->read_frame.frame_len == 0) {
 			dtio->read_frame.frame_len_done = 0;
 			dtio->read_frame.control_frame = 1;
 			continue;
 		}
 		dtio->read_frame.frame_len = ntohl(dtio->read_frame.frame_len);
 		if(dtio->read_frame.frame_len > DTIO_RECV_FRAME_MAX_LEN) {
 			verbose(VERB_OPS, "dnstap: received frame exceeds max "
 				"length of %d bytes, closing connection",
 				DTIO_RECV_FRAME_MAX_LEN);
 			goto close_connection;
 		}
 		dtio->read_frame.buf = calloc(1, dtio->read_frame.frame_len);
 		dtio->read_frame.buf_cap = dtio->read_frame.frame_len;
 		if(!dtio->read_frame.buf) {
 			log_err("dnstap io: out of memory (creating read "
 				"buffer)");
 			goto close_connection;
 		}
 	}
 	if(dtio->read_frame.buf_count < dtio->read_frame.frame_len) {
 #ifdef HAVE_SSL
 		if(dtio->ssl) {
 			r = ssl_read_bytes(dtio, dtio->read_frame.buf+
 				dtio->read_frame.buf_count,
 				dtio->read_frame.buf_cap-
 				dtio->read_frame.buf_count);
 		} else {
 #endif
 			r = receive_bytes(dtio, dtio->read_frame.buf+
 				dtio->read_frame.buf_count,
 				dtio->read_frame.buf_cap-
 				dtio->read_frame.buf_count);
 #ifdef HAVE_SSL
 		}
 #endif
 		if(r == -1)
 			return -1; /* continue reading */
 		if(r == 0) {
 			 /* connection closed */
 			goto close_connection;
 		}
 		dtio->read_frame.buf_count += r;
 		if(dtio->read_frame.buf_count < dtio->read_frame.frame_len)
 			return -1; /* continue reading */
 	}
 	/* Complete frame received, check if this is a valid ACCEPT control
 	 * frame. */
 	if(dtio->read_frame.frame_len < 4) {
 		verbose(VERB_OPS, "dnstap: invalid data received");
 		goto close_connection;
 	}
 	if(sldns_read_uint32(dtio->read_frame.buf) !=
 		FSTRM_CONTROL_FRAME_ACCEPT) {
 		verbose(VERB_ALGO, "dnstap: invalid control type received, "
 			"ignored");
 		dtio->ready_frame_sent = 0;
 		dtio->accept_frame_received = 0;
 		dtio_read_frame_free(&dtio->read_frame);
 		return -1;
 	}
 	read_frame_done = 4; /* control frame type */
 	/* Iterate over control fields, ignore unknown types.
 	 * Need to be able to read at least 8 bytes (control field type +
 	 * length). */
 	while(read_frame_done+8 < dtio->read_frame.frame_len) {
 		uint32_t type = sldns_read_uint32(dtio->read_frame.buf +
 			read_frame_done);
 		uint32_t len = sldns_read_uint32(dtio->read_frame.buf +
 			read_frame_done + 4);
 		if(type == FSTRM_CONTROL_FIELD_TYPE_CONTENT_TYPE) {
 			if(len == strlen(DNSTAP_CONTENT_TYPE) &&
 				read_frame_done+8+len <=
 				dtio->read_frame.frame_len &&
 				memcmp(dtio->read_frame.buf + read_frame_done +
 					+ 8, DNSTAP_CONTENT_TYPE, len) == 0) {
 				if(!dtio_control_start_send(dtio)) {
 					verbose(VERB_OPS, "dnstap io: out of "
 					 "memory while sending START frame");
 					goto close_connection;
 				}
 				dtio->accept_frame_received = 1;
 				return 1;
 			} else {
 				/* unknow content type */
 				verbose(VERB_ALGO, "dnstap: ACCEPT frame "
 					"contains unknown content type, "
 					"closing connection");
 				goto close_connection;
 			}
 		}
 		/* unknown option, try next */
 		read_frame_done += 8+len;
 	}
 close_connection:
 	dtio_del_output_event(dtio);
 	dtio_reconnect_slow(dtio, DTIO_RECONNECT_TIMEOUT_SLOW);
 	dtio_close_output(dtio);
 	return 0;
 }
 /** add the output file descriptor event for listening, read only */
 static int dtio_add_output_event_read(struct dt_io_thread* dtio)
 {
@ -1002,6 +1215,24 @@ static int dtio_disable_brief_read(struct dt_io_thread* dtio)
 }
 #endif /* HAVE_SSL */
 #ifdef HAVE_SSL
 /** enable the brief write condition */
 static int dtio_enable_brief_write(struct dt_io_thread* dtio)
 {
 	dtio->ssl_brief_write = 1;
 	return dtio_add_output_event_write(dtio);
 }
 #endif /* HAVE_SSL */
 #ifdef HAVE_SSL
 /** disable the brief write condition */
 static int dtio_disable_brief_write(struct dt_io_thread* dtio)
 {
 	dtio->ssl_brief_write = 0;
 	return dtio_add_output_event_read(dtio);
 }
 #endif /* HAVE_SSL */
 #ifdef HAVE_SSL
 /** check peer verification after ssl handshake connection, false if closed*/
 static int dtio_ssl_check_peer(struct dt_io_thread* dtio)
@ -1175,8 +1406,13 @@ void dtio_output_cb(int ATTR_UNUSED(fd), short bits, void* arg)
 	}
 #endif
-	if((bits&UB_EV_READ)) {
+	if((bits&UB_EV_READ || dtio->ssl_brief_write)) {
-		if(!dtio_check_close(dtio))
+		if(dtio->ssl_brief_write)
 			(void)dtio_disable_brief_write(dtio);
 		if(dtio->ready_frame_sent && !dtio->accept_frame_received) {
 			if(dtio_read_accept_frame(dtio) <= 0)
 				return;
 		} else if(!dtio_check_close(dtio))
 			return;
 	}
@ -1208,6 +1444,15 @@ void dtio_output_cb(int ATTR_UNUSED(fd), short bits, void* arg)
 		/* done with the current message */
 		dtio_cur_msg_free(dtio);
 		/* If this is a bidirectional stream the first message will be
 		 * the READY control frame. We can only continue writing after
 		 * receiving an ACCEPT control frame. */
 		if(dtio->is_bidirectional && !dtio->ready_frame_sent) {
 			dtio->ready_frame_sent = 1;
 			(void)dtio_add_output_event_read(dtio);
 			break;
 		}
 	}
 }
@ -1224,15 +1469,13 @@ void dtio_cmd_cb(int fd, short ATTR_UNUSED(bits), void* arg)
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return; /* ignore this */
 		log_err("dnstap io: failed to read: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return;
 		if(WSAGetLastError() == WSAEWOULDBLOCK)
 			return;
 		log_err("dnstap io: failed to read: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("dnstap io: failed to read: %s", sock_strerror(errno));
 		/* and then fall through to quit the thread */
 	} else if(r == 0) {
 		verbose(VERB_ALGO, "dnstap io: cmd channel closed");
@ -1240,6 +1483,13 @@ void dtio_cmd_cb(int fd, short ATTR_UNUSED(bits), void* arg)
 		verbose(VERB_ALGO, "dnstap io: cmd channel cmd quit");
 	} else if(r == 1 && cmd == DTIO_COMMAND_WAKEUP) {
 		verbose(VERB_ALGO, "dnstap io: cmd channel cmd wakeup");
 		if(dtio->is_bidirectional && !dtio->accept_frame_received) {
 			verbose(VERB_ALGO, "dnstap io: cmd wakeup ignored, "
 				"waiting for ACCEPT control frame");
 			return;
 		}
 		/* reregister event */
 		if(!dtio_add_output_event_write(dtio))
 			return;
@ -1561,6 +1811,25 @@ static int dtio_control_start_send(struct dt_io_thread* dtio)
 	return 1;
 }
 /** setup a ready control message */
 static int dtio_control_ready_send(struct dt_io_thread* dtio)
 {
 	log_assert(dtio->cur_msg == NULL && dtio->cur_msg_len == 0);
 	dtio->cur_msg = fstrm_create_control_frame_ready(DNSTAP_CONTENT_TYPE,
 		&dtio->cur_msg_len);
 	if(!dtio->cur_msg) {
 		return 0;
 	}
 	/* setup to send the control message */
 	/* set that the buffer needs to be sent, but the length
 	 * of that buffer is already written, that way the buffer can
 	 * start with 0 length and then the length of the control frame
 	 * in it */
 	dtio->cur_msg_done = 0;
 	dtio->cur_msg_len_done = 4;
 	return 1;
 }
 /** open the output file descriptor for af_local */
 static int dtio_open_output_local(struct dt_io_thread* dtio)
 {
@ -1568,13 +1837,8 @@ static int dtio_open_output_local(struct dt_io_thread* dtio)
 	struct sockaddr_un s;
 	dtio->fd = socket(AF_LOCAL, SOCK_STREAM, 0);
 	if(dtio->fd == -1) {
 #ifndef USE_WINSOCK
 		log_err("dnstap io: failed to create socket: %s",
-			strerror(errno));
+			sock_strerror(errno));
 #else
 		log_err("dnstap io: failed to create socket: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		return 0;
 	}
 	memset(&s, 0, sizeof(s));
@ -1589,13 +1853,13 @@ static int dtio_open_output_local(struct dt_io_thread* dtio)
 	if(connect(dtio->fd, (struct sockaddr*)&s, (socklen_t)sizeof(s))
 		== -1) {
 		char* to = dtio->socket_path;
-#ifndef USE_WINSOCK
+		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
 			verbosity < 4) {
 			dtio_close_fd(dtio);
 			return 0; /* no log retries on low verbosity */
 		}
 		log_err("dnstap io: failed to connect to \"%s\": %s",
-			to, strerror(errno));
+			to, sock_strerror(errno));
 #else
 		log_err("dnstap io: failed to connect to \"%s\": %s",
 			to, wsa_strerror(WSAGetLastError()));
 #endif
 		dtio_close_fd(dtio);
 		return 0;
 	}
@ -1620,18 +1884,18 @@ static int dtio_open_output_tcp(struct dt_io_thread* dtio)
 	}
 	dtio->fd = socket(addr.ss_family, SOCK_STREAM, 0);
 	if(dtio->fd == -1) {
-#ifndef USE_WINSOCK
+		log_err("can't create socket: %s", sock_strerror(errno));
 		log_err("can't create socket: %s", strerror(errno));
 #else
 		log_err("can't create socket: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		return 0;
 	}
 	fd_set_nonblock(dtio->fd);
 	if(connect(dtio->fd, (struct sockaddr*)&addr, addrlen) == -1) {
 		if(errno == EINPROGRESS)
 			return 1; /* wait until connect done*/
 		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
 			verbosity < 4) {
 			dtio_close_fd(dtio);
 			return 0; /* no log retries on low verbosity */
 		}
 #ifndef USE_WINSOCK
 		if(tcp_connect_errno_needs_log(
 			(struct sockaddr *)&addr, addrlen)) {
@ -1693,7 +1957,8 @@ static void dtio_open_output(struct dt_io_thread* dtio)
 	}
 	dtio->check_nb_connect = 1;
-	/* the EV_READ is to catch channel close, write to write packets */
+	/* the EV_READ is to read ACCEPT control messages, and catch channel
 	 * close. EV_WRITE is to write packets */
 	ev = ub_event_new(dtio->event_base, dtio->fd,
 		UB_EV_READ | UB_EV_WRITE | UB_EV_PERSIST, &dtio_output_cb,
 		dtio);
@ -1712,7 +1977,8 @@ static void dtio_open_output(struct dt_io_thread* dtio)
 	dtio->event = ev;
 	/* setup protocol control message to start */
-	if(!dtio_control_start_send(dtio)) {
+	if((!dtio->is_bidirectional && !dtio_control_start_send(dtio)) ||
 		(dtio->is_bidirectional && !dtio_control_ready_send(dtio)) ) {
 		log_err("dnstap io: out of memory");
 		ub_event_free(dtio->event);
 		dtio->event = NULL;
@ -1811,15 +2077,14 @@ void dt_io_thread_stop(struct dt_io_thread* dtio)
 #ifndef USE_WINSOCK
 			if(errno == EINTR || errno == EAGAIN)
 				continue;
 			log_err("dnstap io stop: write: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEINPROGRESS)
 				continue;
 			if(WSAGetLastError() == WSAEWOULDBLOCK)
 				continue;
 			log_err("dnstap io stop: write: %s",
 				wsa_strerror(WSAGetLastError()));
 #endif
 			log_err("dnstap io stop: write: %s",
 				sock_strerror(errno));
 			break;
 		}
 		break;
--- a/dnstap/dtstream.h
+++ b/dnstap/dtstream.h
@ -88,6 +88,27 @@ struct dt_msg_entry {
 	size_t len;
 };
 /**
 * Containing buffer and counter for reading DNSTAP frames.
 */
 struct dt_frame_read_buf {
 	/** Buffer containing frame, except length counter(s). */
 	void* buf;
 	/** Number of bytes written to buffer. */
 	size_t buf_count;
 	/** Capacity of the buffer. */
 	size_t buf_cap;
 	/** Frame length field. Will contain the 2nd length field for control
 	 * frames. */
 	uint32_t frame_len;
 	/** Number of bytes that have been written to the frame_length field. */
 	size_t frame_len_done;
 	/** Set to 1 if this is a control frame, 0 otherwise (ie data frame). */
 	int control_frame;
 };
 /**
 * IO thread that reads from the queues and writes them.
 */
@ -130,6 +151,9 @@ struct dt_io_thread {
 	 * This happens during negotiation, we then do not want to write,
 	 * but wait for a read event. */
 	int ssl_brief_read;
 	/** true if SSL_read is waiting for a write event. Set back to 0 after
 	 * single write event is handled. */
 	int ssl_brief_write;
 	/** the buffer that currently getting written, or NULL if no
 	 * (partial) message written now */
@ -171,6 +195,16 @@ struct dt_io_thread {
 	 * and client certificates can be used for authentication. */
 	int upstream_is_tls;
 	/** Perform bidirectional Frame Streams handshake before sending
 	 * messages. */
 	int is_bidirectional;
 	/** Set if the READY control frame has been sent. */
 	int ready_frame_sent;
 	/** Set if valid ACCEPT frame is received. */
 	int accept_frame_received;
 	/** (partially) read frame */
 	struct dt_frame_read_buf read_frame;
 	/** the file path for unix socket (or NULL) */
 	char* socket_path;
 	/** the ip address and port number (or NULL) */
--- a/dnstap/unbound-dnstap-socket.c
+++ b/dnstap/unbound-dnstap-socket.c
@ -278,57 +278,31 @@ static int make_tcp_accept(char* ip)
 	}
 	if((s = socket(addr.ss_family, SOCK_STREAM, 0)) == -1) {
-#ifndef USE_WINSOCK
+		log_err("can't create socket: %s", sock_strerror(errno));
 		log_err("can't create socket: %s", strerror(errno));
 #else
 		log_err("can't create socket: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		return -1;
 	}
 #ifdef SO_REUSEADDR
 	if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
 		(socklen_t)sizeof(on)) < 0) {
 #ifndef USE_WINSOCK
 		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
-			strerror(errno));
+			sock_strerror(errno));
-		close(s);
+		sock_close(s);
 #else
 		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
 			wsa_strerror(WSAGetLastError()));
 		closesocket(s);
 #endif
 		return -1;
 	}
 #endif /* SO_REUSEADDR */
 	if(bind(s, (struct sockaddr*)&addr, len) != 0) {
-#ifndef USE_WINSOCK
+		log_err_addr("can't bind socket", sock_strerror(errno),
 		log_err_addr("can't bind socket", strerror(errno),
 			&addr, len);
-		close(s);
+		sock_close(s);
 #else
 		log_err_addr("can't bind socket",
 			wsa_strerror(WSAGetLastError()), &addr, len);
 		closesocket(s);
 #endif
 		return -1;
 	}
 	if(!fd_set_nonblock(s)) {
-#ifndef USE_WINSOCK
+		sock_close(s);
 		close(s);
 #else
 		closesocket(s);
 #endif
 		return -1;
 	}
 	if(listen(s, LISTEN_BACKLOG) == -1) {
-#ifndef USE_WINSOCK
+		log_err("can't listen: %s", sock_strerror(errno));
-		log_err("can't listen: %s", strerror(errno));
+		sock_close(s);
 		close(s);
 #else
 		log_err("can't listen: %s", wsa_strerror(WSAGetLastError()));
 		closesocket(s);
 #endif
 		return -1;
 	}
 	return s;
@ -654,7 +628,6 @@ static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf,
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return -1;
 		log_err("could not recv: %s", strerror(errno));
 #else /* USE_WINSOCK */
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return -1;
@ -662,9 +635,8 @@ static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf,
 			ub_winsock_tcp_wouldblock(data->ev, UB_EV_READ);
 			return -1;
 		}
 		log_err("could not recv: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("could not recv: %s", sock_strerror(errno));
 		if(verbosity) log_info("dnstap client stream closed from %s",
 			(data->id?data->id:""));
 		return 0;
@ -770,10 +742,11 @@ void tap_data_free(struct tap_data* data)
 /** reply with ACCEPT control frame to bidirectional client,
 * returns 0 on error */
-static int reply_with_accept(int fd)
+static int reply_with_accept(struct tap_data* data)
 {
 #ifdef USE_DNSTAP
 	/* len includes the escape and framelength */
 	int r;
 	size_t len = 0;
 	void* acceptframe = fstrm_create_control_frame_accept(
 		DNSTAP_CONTENT_TYPE, &len);
@ -782,26 +755,34 @@ static int reply_with_accept(int fd)
 		return 0;
 	}
-	fd_set_block(fd);
+	fd_set_block(data->fd);
-	if(send(fd, acceptframe, len, 0) == -1) {
+	if(data->ssl) {
-#ifndef USE_WINSOCK
+		if((r=SSL_write(data->ssl, acceptframe, len)) <= 0) {
-		log_err("send failed: %s", strerror(errno));
+			if(SSL_get_error(data->ssl, r) == SSL_ERROR_ZERO_RETURN)
-#else
+				log_err("SSL_write, peer closed connection");
-		log_err("send failed: %s", wsa_strerror(WSAGetLastError()));
+			else
-#endif
+				log_err("could not SSL_write");
-		fd_set_nonblock(fd);
+			fd_set_nonblock(data->fd);
-		free(acceptframe);
+			free(acceptframe);
-		return 0;
+			return 0;
 		}
 	} else {
 		if(send(data->fd, acceptframe, len, 0) == -1) {
 			log_err("send failed: %s", sock_strerror(errno));
 			fd_set_nonblock(data->fd);
 			free(acceptframe);
 			return 0;
 		}
 	}
 	if(verbosity) log_info("sent control frame(accept) content-type:(%s)",
 			DNSTAP_CONTENT_TYPE);
-	fd_set_nonblock(fd);
+	fd_set_nonblock(data->fd);
 	free(acceptframe);
 	return 1;
 #else
 	log_err("no dnstap compiled, no reply");
-	(void)fd;
+	(void)data;
 	return 0;
 #endif
 }
@ -820,11 +801,7 @@ static int reply_with_finish(int fd)
 	fd_set_block(fd);
 	if(send(fd, finishframe, len, 0) == -1) {
-#ifndef USE_WINSOCK
+		log_err("send failed: %s", sock_strerror(errno));
 		log_err("send failed: %s", strerror(errno));
 #else
 		log_err("send failed: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		fd_set_nonblock(fd);
 		free(finishframe);
 		return 0;
@ -1033,7 +1010,7 @@ void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg)
 		FSTRM_CONTROL_FRAME_READY) {
 		data->is_bidirectional = 1;
 		if(verbosity) log_info("bidirectional stream");
-		if(!reply_with_accept(fd)) {
+		if(!reply_with_accept(data)) {
 			tap_data_free(data);
 		}
 	} else if(data->len >= 4 && sldns_read_uint32(data->frame) ==
@ -1080,7 +1057,6 @@ void dtio_mainfdcallback(int fd, short ATTR_UNUSED(bits), void* arg)
 #endif /* EPROTO */
 			)
 			return;
 		log_err_addr("accept failed", strerror(errno), &addr, addrlen);
 #else /* USE_WINSOCK */
 		if(WSAGetLastError() == WSAEINPROGRESS ||
 			WSAGetLastError() == WSAECONNRESET)
@ -1089,9 +1065,9 @@ void dtio_mainfdcallback(int fd, short ATTR_UNUSED(bits), void* arg)
 			ub_winsock_tcp_wouldblock(maindata->ev, UB_EV_READ);
 			return;
 		}
 		log_err_addr("accept failed", wsa_strerror(WSAGetLastError()),
 			&addr, addrlen);
 #endif
 		log_err_addr("accept failed", sock_strerror(errno), &addr,
 			addrlen);
 		return;
 	}
 	fd_set_nonblock(s);
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,149 @@
 15 September 2020: George
 	- Introduce test for statistics.
 15 September 2020: Wouter
 	- Spelling fix.
 11 September 2020: Wouter
 	- Remove x file mode on ipset/ipset.c and h files.
 9 September 2020: Wouter
 	- Fix num.expired statistics output.
 31 August 2020: Wouter
 	- Merge PR #293: Add missing prototype.  Also refactor to use the new
 	  shorthand function to clean up the code.
 	- Refactor to use sock_strerr shorthand function.
 	- Fix #296: systemd nss-lookup.target is reached before unbound can
 	  successfully answer queries. Changed contrib/unbound.service.in.
 27 August 2020: Wouter
 	- Similar to NSD PR#113, implement that interface names can be used,
 	  eg. something like interface: eth0 is resolved at server start and
 	  uses the IP addresses for that named interface.
 	- Review fix, doxygen and assign null in case of error free.
 26 August 2020: George
 	- Update documentation in python example code.
 24 August 2020: Wouter
 	- Fix that dnstap reconnects do not spam the log with the repeated
 	  attempts.  Attempts on the timer are only logged on high verbosity,
 	  if they produce a connection failure error.
 	- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
 	- Change configure to use EVP_sha256 instead of HMAC_Update for
 	  openssl-3.0.0.
 20 August 2020: Ralph
 	- Fix stats double count issue (#289).
 13 August 2020: Ralph
 	- Create and init edns tags data for libunbound.
 10 August 2020: Ralph
 	- Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
 	  by Vítězslav Čížek.
 10 August 2020: Wouter
 	- Fix #287: doc typo: "Additionaly".
 	- Rerun autoconf
 6 August 2020: Wouter
 	- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
 	  The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
 	  was advise to stop using it.  The current code base does not contain
 	  DLV code any more.  The use of dlv options displays a warning.
 5 August 2020: Wouter
 	- contrib/aaaa-filter-iterator.patch file renewed diff content to
 	  apply cleanly to the current coderepo for the current code version.
 5 August 2020: Ralph
 	- Merge PR #272: Add EDNS client tag functionality.
 4 August 2020: George
 	- Improve error log message when inserting rpz RR.
 	- Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
 	  definedness, by Felipe Gasper.
 4 August 2020: Wouter
 	- Fix mini_event.h on OpenBSD cannot find fd_set.
 31 July 2020: Wouter
 	- Fix doxygen comment for no ssl for tls session ticket key callback
 	  routine.
 27 July 2020: George
 	- Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
 	  March 2020, by and0x000.
 27 July 2020: Ralph
 	- Merge PR #269, Fix python module len() implementations, by Torbjörn
 	  Lönnemark
 27 July 2020: Wouter
 	- branch now named 1.11.1.  1.11.0rc1 became the 1.11.0 release.
 	- Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
 20 July 2020: Wouter
 	- Fix streamtcp to print packet data to stdout.  This makes the
 	  stdout and stderr not mix together lines, when parsing its output.
 	- Fix contrib/fastrpz.patch to apply cleanly.  It fixes for changes
 	  due to added libdynmod, but it does not compile, it conflicts with
 	  new rpz code.
 	- branch now named 1.11.0 and 1.11.0rc1 tag.
 17 July 2020: Wouter
 	- Fix libnettle compile for session ticket key callback function
 	  changes.
 	- Fix lock dependency cycle in rpz zone config setup.
 17 July 2020: Ralph
 	- Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
 	  Courrèges-Anglas.
 	- Fix PR #234 log_assert sizeof to use union buffer.
 16 July 2020: Wouter
 	- Fix check conf test for referencing installation paths.
 	- Fix unused variable warning for clang analyzer.
 16 July 2020: George
 	- Introduce 'include-toplevel:' configuration option.
 16 July 2020: Ralph
 	- Add bidirectional frame streams support.
 8 July 2020: Wouter
 	- Fix add missing DSA header, for compilation without deprecated
 	  OpenSSL APIs.
 	- Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
 	  3.0.0-alpha4.
 	- Longer keys for the test set, this avoids weak crypto errors.
 7 July 2020: Wouter
 	- Fix #259: Fix unbound-checkconf does not check view existence.
 	  unbound-checkconf checks access-control-view, access-control-tags,
 	  access-control-tag-actions and access-control-tag-datas.
 	- Fix offset of error printout for access-control-tag-datas.
 	- Review fixes for checkconf #259 change.
 6 July 2020: Wouter
 	- run_vm cleanup better and removes trailing slash on single argument.
 29 June 2020: Wouter
 	- Move reply list clean for serve expired mesh callback to after
 	  the reply is sent, so that script callbacks have reply_info.
 	- Also move reply list clean for mesh callbacks to the scrip callback
 	  can see the reply_info.
 	- Fix for mesh accounting if the reply list already empty to begin
 	  with.
 	- Fix for mesh accounting when rpz decides to drop a reply with a
 	  tcp stream waiting for it.
 	- Review fix for number of detached states due to use of variable
 	  after end of loop.
 	- Fix tcp req info drop due to size call into mesh accounting
 	  removal of mesh state during mesh send reply.
 24 June 2020: Wouter
 	- iana portlist updated.
 	- doxygen file comments for dynlibmodule.
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -5,9 +5,13 @@
 #
 # this is a comment.
-#Use this to include other text into the file.
+# Use this anywhere in the file to include other text into this file.
 #include: "otherfile.conf"
 # Use this anywhere in the file to include other text, that explicitly starts a
 # clause, into this file. Text after this directive needs to start a clause.
 #include-toplevel: "otherfile.conf"
 # The server clause sets the main parameters.
 server:
 	# whitespace is not necessary, but looks cleaner.
@ -505,11 +509,6 @@ server:
 	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
 	# root-key-sentinel: yes
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
 	# DLV is going to be decommissioned.  Please do not use it any more.
 	# dlv-anchor-file: "dlv.isc.org.key"
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.
 	# Zone file format, with DS and DNSKEY entries.
@ -585,7 +584,7 @@ server:
 	#
 	# Time in milliseconds before replying to the client with expired data.
 	# This essentially enables the serve-stale behavior as specified in
-	# draft-ietf-dnsop-serve-stale-10 that first tries to resolve before
+	# RFC 8767 that first tries to resolve before
 	# immediately responding with expired data.  0 disables this behavior.
 	# A recommended value is 1800.
 	# serve-expired-client-timeout: 0
@ -623,7 +622,7 @@ server:
 	# more slabs reduce lock contention, but fragment memory usage.
 	# key-cache-slabs: 4
-	# the amount of memory to use for the negative cache (used for DLV).
+	# the amount of memory to use for the negative cache.
 	# plain value in bytes or you can append k, m or G. default is "1Mb".
 	# neg-cache-size: 1m
@ -1064,6 +1063,8 @@ remote-control:
 # upstream log destination, by socket path, TCP or TLS destination.
 # dnstap:
 # 	dnstap-enable: no
 # 	# if set to yes frame streams will be used in bidirectional mode
 # 	dnstap-bidirectional: yes
 # 	dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
 # 	# if "" use the unix socket in dnstap-socket-path, otherwise,
 # 	# set it to "IPaddress[@port]" of the destination.
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -77,6 +77,12 @@ for the included files works, relative pathnames for the included names work
 if the directory where the daemon is started equals its chroot/working
 directory or is specified before the include statement with directory: dir.
 Wildcards can be used to include multiple files, see \fIglob\fR(7).
 .P
 For a more structural include option, the
 .B include\-toplevel:
 directive can be used.  This closes whatever clause is currently active (if any)
 and forces the use of clauses in the included files and right after this
 directive.
 .SS "Server Options"
 These options are part of the
 .B server:
@ -116,7 +122,8 @@ The port number, default 53, on which the server responds to queries.
 Interface to use to connect to the network. This interface is listened to
 for queries from clients, and answers to clients are given from it.
 Can be given multiple times to work on several interfaces. If none are
-given the default is to listen to localhost.
+given the default is to listen to localhost.  If an interface name is used
 instead of an ip address, the list of ip addresses on that interface are used.
 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
 A port number can be specified with @port (without spaces between
 interface and port number), if not specified the default port (from
@ -1034,26 +1041,11 @@ Send RFC8145 key tag query after trust anchor priming. Default is yes.
 .B root\-key\-sentinel: \fI<yes or no>
 Root key trust anchor sentinel. Default is yes.
 .TP
 .B dlv\-anchor\-file: \fI<filename>
 This option was used during early days DNSSEC deployment when no parent-side
 DS record registrations were easily available.  Nowadays, it is best to have
 DS records registered with the parent zone (many top level zones are signed).
 File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
 DNSKEY entries can be used in the file, in the same format as for
 \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
 would be slow. The DLV configured is used as a root trusted DLV, this
 means that it is a lookaside for the root. Default is "", or no dlv anchor
 file. DLV is going to be decommissioned.  Please do not use it any more.
 .TP
 .B dlv\-anchor: \fI<"Resource Record">
 Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
 DLV is going to be decommissioned.  Please do not use it any more.
 .TP
 .B domain\-insecure: \fI<domain name>
 Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
 the domain name.  So a trust anchor above the domain name can not make the
 domain secure with a DS record, such a DS record is then ignored.
-Also keys from DLV are ignored for the domain.  Can be given multiple times
+Can be given multiple times
 to specify multiple domains that are treated as if unsigned.  If you set
 trust anchors for the domain they override this setting (and the domain
 is secured).
@ -1132,7 +1124,7 @@ later on.  Default is "no".
 .B serve\-expired\-ttl: \fI<seconds>
 Limit serving of expired responses to configured seconds after expiration. 0
 disables the limit.  This option only applies when \fBserve\-expired\fR is
-enabled.  A suggested value per draft-ietf-dnsop-serve-stale-10 is between
+enabled.  A suggested value per RFC 8767 is between
 86400 (1 day) and 259200 (3 days).  The default is 0.
 .TP
 .B serve\-expired\-ttl\-reset: \fI<yes or no>
@ -1144,14 +1136,14 @@ expired records will be served as long as there are queries for it.  Default is
 .B serve\-expired\-reply\-ttl: \fI<seconds>
 TTL value to use when replying with expired data.  If
 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
-use 30 as the value (draft-ietf-dnsop-serve-stale-10).  The default is 30.
+use 30 as the value (RFC 8767).  The default is 30.
 .TP
 .B serve\-expired\-client\-timeout: \fI<msec>
 Time in milliseconds before replying to the client with expired data.  This
 essentially enables the serve-stale behavior as specified in
-draft-ietf-dnsop-serve-stale-10 that first tries to resolve before immediately
+RFC 8767 that first tries to resolve before immediately
 responding with expired data.  A recommended value per
-draft-ietf-dnsop-serve-stale-10 is 1800.  Setting this to 0 will disable this
+RFC 8767 is 1800.  Setting this to 0 will disable this
 behavior.  Default is 0.
 .TP
 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
@ -1540,6 +1532,12 @@ servers set. The default for fast\-server\-permil is 0.
 Set the number of servers that should be used for fast server selection. Only
 use the fastest specified number of servers with the fast\-server\-permil
 option, that turns this on or off. The default is to use the fastest 3 servers.
 .TP 5
 .B edns\-client\-tag: \fI<IP netblock> <tag data>
 Include an edns-client-tag option in queries with destination address matching
 the configured IP netblock. This configuration option can be used multiple
 times. The most specific match will be used. The tag data is configured in
 decimal format, from 0 to 65535.
 .SS "Remote Control Options"
 In the
 .B remote\-control:
@ -2134,7 +2132,7 @@ even if some data have expired in terms of DNS TTL or the Redis server has
 cached too much data;
 if necessary the Redis server must be configured to limit the cache size,
 preferably with some kind of least-recently-used eviction policy.
-Additionaly, the \fBredis\-expire\-records\fR option can be used in order to
+Additionally, the \fBredis\-expire\-records\fR option can be used in order to
 set the relative DNS TTL of the message as timeout to the Redis records; keep
 in mind that some additional memory is used per key and that the expire
 information is stored as absolute Unix timestamps in Redis (computer time must
@ -2213,6 +2211,10 @@ If dnstap is enabled.  Default no.  If yes, it connects to the dnstap server
 and if any of the dnstap-log-..-messages options is enabled it sends logs
 for those messages to the server.
 .TP
 .B dnstap-bidirectional: \fI<yes or no>
 Use frame streams in bidirectional mode to transfer DNSTAP messages. Default is
 yes.
 .TP
 .B dnstap-socket-path: \fI<file name>
 Sets the unix socket file name for connecting to the server that is
 listening on that socket.  Default is "@DNSTAP_SOCKET_PATH@".
--- a/ipset/ipset.c
+++ b/ipset/ipset.c
--- a/ipset/ipset.h
+++ b/ipset/ipset.h
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@ -3191,7 +3191,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
 	/* validate the root or stub after priming (if enabled).
 	 * This is the same query as the prime query, but with validation.
 	 * Now that we are primed, the additional queries that validation
-	 * may need can be resolved, such as DLV. */
+	 * may need can be resolved. */
 	if(qstate->env->cfg->harden_referral_path) {
 		struct module_qstate* subq = NULL;
 		log_nametypeclass(VERB_ALGO, "schedule prime validation", 
--- a/libunbound/context.c
+++ b/libunbound/context.c
@ -50,6 +50,7 @@
 #include "services/authzone.h"
 #include "util/data/msgreply.h"
 #include "util/storage/slabhash.h"
 #include "util/edns.h"
 #include "sldns/sbuffer.h"
 int 
@ -79,6 +80,8 @@ context_finalize(struct ub_ctx* ctx)
 		return UB_INITFAIL;
 	if(!auth_zones_apply_cfg(ctx->env->auth_zones, cfg, 1, &is_rpz))
 		return UB_INITFAIL;
 	if(!edns_tags_apply_cfg(ctx->env->edns_tags, cfg))
 		return UB_INITFAIL;
 	if(!slabhash_is_size(ctx->env->msg_cache, cfg->msg_cache_size,
 		cfg->msg_cache_slabs)) {
 		slabhash_delete(ctx->env->msg_cache);
--- a/libunbound/libunbound.c
+++ b/libunbound/libunbound.c
@ -58,6 +58,7 @@
 #include "util/net_help.h"
 #include "util/tube.h"
 #include "util/ub_event.h"
 #include "util/edns.h"
 #include "services/modstack.h"
 #include "services/localzone.h"
 #include "services/cache/infra.h"
@ -153,6 +154,18 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
 		errno = ENOMEM;
 		return NULL;
 	}
 	ctx->env->edns_tags = edns_tags_create();
 	if(!ctx->env->edns_tags) {
 		auth_zones_delete(ctx->env->auth_zones);
 		edns_known_options_delete(ctx->env);
 		config_delete(ctx->env->cfg);
 		free(ctx->env);
 		ub_randfree(ctx->seed_rnd);
 		free(ctx);
 		errno = ENOMEM;
 		return NULL;
 	}
 	ctx->env->alloc = &ctx->superalloc;
 	ctx->env->worker = NULL;
 	ctx->env->need_to_validate = 0;
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@ -78,7 +78,7 @@
 #include <TargetConditionals.h>
 #endif
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 #undef HAVE_FORK
 #endif
--- a/pythonmod/doc/modules/config.rst
+++ b/pythonmod/doc/modules/config.rst
@ -256,14 +256,6 @@ config_file
      Files with trusted DNSKEYs in named.conf format, list.
   .. attribute:: dlv_anchor_file
      DLV anchor file.
   .. attribute:: dlv_anchor_list
      DLV anchor inline.
   .. attribute:: max_ttl
      The number of seconds maximal TTL used for RRsets and messages.
--- a/pythonmod/examples/avahi-resolver.py
+++ b/pythonmod/examples/avahi-resolver.py
@ -59,6 +59,8 @@
 # |   num-threads: 32
 # |   cache-max-negative-ttl: 60
 # |   cache-max-ttl: 60
 # | python:
 # |   python-script: path/to/this/file
 #
 #
 # The plugin can also be run interactively. Provide the name and
--- a/pythonmod/interface.i
+++ b/pythonmod/interface.i
@ -314,16 +314,16 @@ struct packed_rrset_data {
    class RRSetData_RRLen:
        def __init__(self, obj): self.obj = obj
        def __getitem__(self, index): return _unboundmodule._get_data_rr_len(self.obj, index)
-        def __len__(self): return obj.count + obj.rrsig_count
+        def __len__(self): return self.obj.count + self.obj.rrsig_count
    class RRSetData_RRTTL:
        def __init__(self, obj): self.obj = obj
        def __getitem__(self, index): return _unboundmodule._get_data_rr_ttl(self.obj, index)
        def __setitem__(self, index, value): _unboundmodule._set_data_rr_ttl(self.obj, index, value)
-        def __len__(self): return obj.count + obj.rrsig_count
+        def __len__(self): return self.obj.count + self.obj.rrsig_count
    class RRSetData_RRData:
        def __init__(self, obj): self.obj = obj
        def __getitem__(self, index): return _unboundmodule._get_data_rr_data(self.obj, index)
-        def __len__(self): return obj.count + obj.rrsig_count
+        def __len__(self): return self.obj.count + self.obj.rrsig_count
 %}
 %inline %{
@ -404,12 +404,12 @@ struct dns_msg {
    class ReplyInfo_RRSet:
        def __init__(self, obj): self.obj = obj
        def __getitem__(self, index): return _unboundmodule._rrset_rrsets_get(self.obj, index)
-        def __len__(self): return obj.rrset_count
+        def __len__(self): return self.obj.rrset_count
    class ReplyInfo_Ref:
        def __init__(self, obj): self.obj = obj
        def __getitem__(self, index): return _unboundmodule._rrset_ref_get(self.obj, index)
-        def __len__(self): return obj.rrset_count
+        def __len__(self): return self.obj.rrset_count
 %}
 %inline %{
@ -992,8 +992,6 @@ struct config_file {
   struct config_strlist* trust_anchor_file_list;
   struct config_strlist* trust_anchor_list;
   struct config_strlist* trusted_keys_file_list;
   char* dlv_anchor_file;
   struct config_strlist* dlv_anchor_list;
   int max_ttl;
   int32_t val_date_override;
   int bogus_ttl;
--- a/services/authzone.c
+++ b/services/authzone.c
@ -1866,15 +1866,26 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
 	struct auth_xfer* x = NULL;
 	/* create zone */
 	if(c->isrpz) {
 		/* if the rpz lock is needed, grab it before the other
 		 * locks to avoid a lock dependency cycle */
 		lock_rw_wrlock(&az->rpz_lock);
 	}
 	lock_rw_wrlock(&az->lock);
 	if(!(z=auth_zones_find_or_add_zone(az, c->name))) {
 		lock_rw_unlock(&az->lock);
 		if(c->isrpz) {
 			lock_rw_unlock(&az->rpz_lock);
 		}
 		return 0;
 	}
 	if(c->masters || c->urls) {
 		if(!(x=auth_zones_find_or_add_xfer(az, z))) {
 			lock_rw_unlock(&az->lock);
 			lock_rw_unlock(&z->lock);
 			if(c->isrpz) {
 				lock_rw_unlock(&az->rpz_lock);
 			}
 			return 0;
 		}
 	}
@ -1889,6 +1900,9 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
 			lock_basic_unlock(&x->lock);
 		}
 		lock_rw_unlock(&z->lock);
 		if(c->isrpz) {
 			lock_rw_unlock(&az->rpz_lock);
 		}
 		return 0;
 	}
 	z->for_downstream = c->for_downstream;
@ -1900,11 +1914,13 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
 			return 0;
 		}
 		lock_protect(&z->lock, &z->rpz->local_zones, sizeof(*z->rpz));
-		lock_rw_wrlock(&az->rpz_lock);
+		/* the az->rpz_lock is locked above */
 		z->rpz_az_next = az->rpz_first;
 		if(az->rpz_first)
 			az->rpz_first->rpz_az_prev = z;
 		az->rpz_first = z;
 	}
 	if(c->isrpz) {
 		lock_rw_unlock(&az->rpz_lock);
 	}
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@ -890,9 +890,8 @@ dns_cache_lookup(struct module_env* env,
 		lock_rw_unlock(&rrset->entry.lock);
 	}
-	/* construct DS, DNSKEY, DLV messages from rrset cache. */
+	/* construct DS, DNSKEY messages from rrset cache. */
-	if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY ||
+	if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY) &&
 		qtype == LDNS_RR_TYPE_DLV) &&
 		(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen, 
 		qtype, qclass, 0, now, 0))) {
 		/* if the rrset is from the additional section, and the
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@ -71,6 +71,13 @@
 #include <systemd/sd-daemon.h>
 #endif
 #ifdef HAVE_IFADDRS_H
 #include <ifaddrs.h>
 #endif
 #ifdef HAVE_NET_IF_H
 #include <net/if.h>
 #endif
 /** number of queued TCP connections for listen() */
 #define TCP_BACKLOG 256 
@ -234,16 +241,14 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 			*noproto = 1;
 			return -1;
 		}
 		log_err("can't create socket: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEAFNOSUPPORT || 
 			WSAGetLastError() == WSAEPROTONOSUPPORT) {
 			*noproto = 1;
 			return -1;
 		}
 		log_err("can't create socket: %s", 
 			wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("can't create socket: %s", sock_strerror(errno));
 		*noproto = 0;
 		return -1;
 	}
@ -256,9 +261,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 #ifdef SO_REUSEADDR
 		if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on, 
 			(socklen_t)sizeof(on)) < 0) {
 #ifndef USE_WINSOCK
 			log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
-				strerror(errno));
+				sock_strerror(errno));
 #ifndef USE_WINSOCK
 			if(errno != ENOSYS) {
 				close(s);
 				*noproto = 0;
@ -266,8 +271,6 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 				return -1;
 			}
 #else
 			log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
 				wsa_strerror(WSAGetLastError()));
 			closesocket(s);
 			*noproto = 0;
 			*inuse = 0;
@ -359,16 +362,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 		if(setsockopt(s, SOL_SOCKET, SO_RCVBUFFORCE, (void*)&rcv, 
 			(socklen_t)sizeof(rcv)) < 0) {
 			if(errno != EPERM) {
 #    ifndef USE_WINSOCK
 				log_err("setsockopt(..., SO_RCVBUFFORCE, "
-					"...) failed: %s", strerror(errno));
+					"...) failed: %s", sock_strerror(errno));
-				close(s);
+				sock_close(s);
 #    else
 				log_err("setsockopt(..., SO_RCVBUFFORCE, "
 					"...) failed: %s", 
 					wsa_strerror(WSAGetLastError()));
 				closesocket(s);
 #    endif
 				*noproto = 0;
 				*inuse = 0;
 				return -1;
@ -376,16 +372,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 #  endif /* SO_RCVBUFFORCE */
 			if(setsockopt(s, SOL_SOCKET, SO_RCVBUF, (void*)&rcv, 
 				(socklen_t)sizeof(rcv)) < 0) {
 #  ifndef USE_WINSOCK
 				log_err("setsockopt(..., SO_RCVBUF, "
-					"...) failed: %s", strerror(errno));
+					"...) failed: %s", sock_strerror(errno));
-				close(s);
+				sock_close(s);
 #  else
 				log_err("setsockopt(..., SO_RCVBUF, "
 					"...) failed: %s", 
 					wsa_strerror(WSAGetLastError()));
 				closesocket(s);
 #  endif
 				*noproto = 0;
 				*inuse = 0;
 				return -1;
@ -418,16 +407,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 		if(setsockopt(s, SOL_SOCKET, SO_SNDBUFFORCE, (void*)&snd, 
 			(socklen_t)sizeof(snd)) < 0) {
 			if(errno != EPERM) {
 #    ifndef USE_WINSOCK
 				log_err("setsockopt(..., SO_SNDBUFFORCE, "
-					"...) failed: %s", strerror(errno));
+					"...) failed: %s", sock_strerror(errno));
-				close(s);
+				sock_close(s);
 #    else
 				log_err("setsockopt(..., SO_SNDBUFFORCE, "
 					"...) failed: %s", 
 					wsa_strerror(WSAGetLastError()));
 				closesocket(s);
 #    endif
 				*noproto = 0;
 				*inuse = 0;
 				return -1;
@ -435,16 +417,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 #  endif /* SO_SNDBUFFORCE */
 			if(setsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&snd, 
 				(socklen_t)sizeof(snd)) < 0) {
 #  ifndef USE_WINSOCK
 				log_err("setsockopt(..., SO_SNDBUF, "
-					"...) failed: %s", strerror(errno));
+					"...) failed: %s", sock_strerror(errno));
-				close(s);
+				sock_close(s);
 #  else
 				log_err("setsockopt(..., SO_SNDBUF, "
 					"...) failed: %s", 
 					wsa_strerror(WSAGetLastError()));
 				closesocket(s);
 #  endif
 				*noproto = 0;
 				*inuse = 0;
 				return -1;
@ -474,16 +449,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 			int val=(v6only==2)?0:1;
 			if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, 
 				(void*)&val, (socklen_t)sizeof(val)) < 0) {
 #ifndef USE_WINSOCK
 				log_err("setsockopt(..., IPV6_V6ONLY"
-					", ...) failed: %s", strerror(errno));
+					", ...) failed: %s", sock_strerror(errno));
-				close(s);
+				sock_close(s);
 #else
 				log_err("setsockopt(..., IPV6_V6ONLY"
 					", ...) failed: %s", 
 					wsa_strerror(WSAGetLastError()));
 				closesocket(s);
 #endif
 				*noproto = 0;
 				*inuse = 0;
 				return -1;
@ -501,16 +469,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 		 */
 		if (setsockopt(s, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
 			(void*)&on, (socklen_t)sizeof(on)) < 0) {
 #  ifndef USE_WINSOCK
 			log_err("setsockopt(..., IPV6_USE_MIN_MTU, "
-				"...) failed: %s", strerror(errno));
+				"...) failed: %s", sock_strerror(errno));
-			close(s);
+			sock_close(s);
 #  else
 			log_err("setsockopt(..., IPV6_USE_MIN_MTU, "
 				"...) failed: %s", 
 				wsa_strerror(WSAGetLastError()));
 			closesocket(s);
 #  endif
 			*noproto = 0;
 			*inuse = 0;
 			return -1;
@ -523,15 +484,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 		 */
 		if (setsockopt(s, IPPROTO_IPV6, IPV6_MTU,
 			(void*)&mtu, (socklen_t)sizeof(mtu)) < 0) {
 #  ifndef USE_WINSOCK
 			log_err("setsockopt(..., IPV6_MTU, ...) failed: %s", 
-				strerror(errno));
+				sock_strerror(errno));
-			close(s);
+			sock_close(s);
 #  else
 			log_err("setsockopt(..., IPV6_MTU, ...) failed: %s", 
 				wsa_strerror(WSAGetLastError()));
 			closesocket(s);
 #  endif
 			*noproto = 0;
 			*inuse = 0;
 			return -1;
@ -555,12 +510,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 			if (errno != EINVAL) {
 				log_err("setsockopt(..., IP_MTU_DISCOVER, IP_PMTUDISC_OMIT...) failed: %s",
 					strerror(errno));
-
+				sock_close(s);
 #    ifndef USE_WINSOCK
 				close(s);
 #    else
 				closesocket(s);
 #    endif
 				*noproto = 0;
 				*inuse = 0;
 				return -1;
@ -577,11 +527,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 				&action, (socklen_t)sizeof(action)) < 0) {
 				log_err("setsockopt(..., IP_MTU_DISCOVER, IP_PMTUDISC_DONT...) failed: %s",
 					strerror(errno));
-#    ifndef USE_WINSOCK
+				sock_close(s);
 				close(s);
 #    else
 				closesocket(s);
 #    endif
 				*noproto = 0;
 				*inuse = 0;
 				return -1;
@ -593,11 +539,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 			&off, (socklen_t)sizeof(off)) < 0) {
 			log_err("setsockopt(..., IP_DONTFRAG, ...) failed: %s",
 				strerror(errno));
-#    ifndef USE_WINSOCK
+			sock_close(s);
 			close(s);
 #    else
 			closesocket(s);
 #    endif
 			*noproto = 0;
 			*inuse = 0;
 			return -1;
@ -627,7 +569,6 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 				(struct sockaddr_storage*)addr, addrlen);
 		}
 #endif /* EADDRINUSE */
 		close(s);
 #else /* USE_WINSOCK */
 		if(WSAGetLastError() != WSAEADDRINUSE &&
 			WSAGetLastError() != WSAEADDRNOTAVAIL &&
@ -636,18 +577,14 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 				wsa_strerror(WSAGetLastError()),
 				(struct sockaddr_storage*)addr, addrlen);
 		}
 		closesocket(s);
 #endif /* USE_WINSOCK */
 		sock_close(s);
 		return -1;
 	}
 	if(!fd_set_nonblock(s)) {
 		*noproto = 0;
 		*inuse = 0;
-#ifndef USE_WINSOCK
+		sock_close(s);
 		close(s);
 #else
 		closesocket(s);
 #endif
 		return -1;
 	}
 	return s;
@ -692,16 +629,14 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
 			*noproto = 1;
 			return -1;
 		}
 		log_err("can't create socket: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEAFNOSUPPORT ||
 			WSAGetLastError() == WSAEPROTONOSUPPORT) {
 			*noproto = 1;
 			return -1;
 		}
 		log_err("can't create socket: %s", 
 			wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("can't create socket: %s", sock_strerror(errno));
 		return -1;
 	}
 	if(nodelay) {
@ -724,13 +659,8 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
 #if defined(IPPROTO_TCP) && defined(TCP_MAXSEG)
 		if(setsockopt(s, IPPROTO_TCP, TCP_MAXSEG, (void*)&mss,
 			(socklen_t)sizeof(mss)) < 0) {
 			#ifndef USE_WINSOCK
 			log_err(" setsockopt(.. TCP_MAXSEG ..) failed: %s",
-				strerror(errno));
+				sock_strerror(errno));
 			#else
 			log_err(" setsockopt(.. TCP_MAXSEG ..) failed: %s",
 				wsa_strerror(WSAGetLastError()));
 			#endif
 		} else {
 			verbose(VERB_ALGO,
 				" tcp socket mss set to %d", mss);
@ -747,15 +677,9 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
 #ifdef SO_REUSEADDR
 	if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on, 
 		(socklen_t)sizeof(on)) < 0) {
 #ifndef USE_WINSOCK
 		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
-			strerror(errno));
+			sock_strerror(errno));
-		close(s);
+		sock_close(s);
 #else
 		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
 			wsa_strerror(WSAGetLastError()));
 		closesocket(s);
 #endif
 		return -1;
 	}
 #endif /* SO_REUSEADDR */
@ -790,15 +714,9 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
 	if(addr->ai_family == AF_INET6 && v6only) {
 		if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, 
 			(void*)&on, (socklen_t)sizeof(on)) < 0) {
 #ifndef USE_WINSOCK
 			log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
-				strerror(errno));
+				sock_strerror(errno));
-			close(s);
+			sock_close(s);
 #else
 			log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
 				wsa_strerror(WSAGetLastError()));
 			closesocket(s);
 #endif
 			return -1;
 		}
 	}
@ -845,32 +763,22 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
 				(struct sockaddr_storage*)addr->ai_addr,
 				addr->ai_addrlen);
 		}
 		close(s);
 #else
 		log_err_addr("can't bind socket", 
 			wsa_strerror(WSAGetLastError()),
 			(struct sockaddr_storage*)addr->ai_addr,
 			addr->ai_addrlen);
 		closesocket(s);
 #endif
 		sock_close(s);
 		return -1;
 	}
 	if(!fd_set_nonblock(s)) {
-#ifndef USE_WINSOCK
+		sock_close(s);
 		close(s);
 #else
 		closesocket(s);
 #endif
 		return -1;
 	}
 	if(listen(s, TCP_BACKLOG) == -1) {
-#ifndef USE_WINSOCK
+		log_err("can't listen: %s", sock_strerror(errno));
-		log_err("can't listen: %s", strerror(errno));
+		sock_close(s);
 		close(s);
 #else
 		log_err("can't listen: %s", wsa_strerror(WSAGetLastError()));
 		closesocket(s);
 #endif
 		return -1;
 	}
 #ifdef USE_TCP_FASTOPEN
@ -925,34 +833,6 @@ set_ip_dscp(int socket, int addrfamily, int dscp)
 	return NULL;
 }
 #  ifndef USE_WINSOCK
 char*
 sock_strerror(int errn)
 {
 	return strerror(errn);
 }
 void
 sock_close(int socket)
 {
 	close(socket);
 }
 #  else
 char*
 sock_strerror(int ATTR_UNUSED(errn))
 {
 	return wsa_strerror(WSAGetLastError());
 }
 void
 sock_close(int socket)
 {
 	closesocket(socket);
 }
 #  endif /* USE_WINSOCK */
 int
 create_local_accept_sock(const char *path, int* noproto, int use_systemd)
 {
@ -1013,11 +893,7 @@ create_local_accept_sock(const char *path, int* noproto, int use_systemd)
 	return s;
 err:
-#ifndef USE_WINSOCK
+	sock_close(s);
 	close(s);
 #else
 	closesocket(s);
 #endif
 	return -1;
 #ifdef HAVE_SYSTEMD
@ -1289,20 +1165,12 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 		}
 		/* getting source addr packet info is highly non-portable */
 		if(!set_recvpktinfo(s, hints->ai_family)) {
-#ifndef USE_WINSOCK
+			sock_close(s);
 			close(s);
 #else
 			closesocket(s);
 #endif
 			return 0;
 		}
 		if(!port_insert(list, s,
 		   is_dnscrypt?listen_type_udpancil_dnscrypt:listen_type_udpancil)) {
-#ifndef USE_WINSOCK
+			sock_close(s);
 			close(s);
 #else
 			closesocket(s);
 #endif
 			return 0;
 		}
 	} else if(do_udp) {
@ -1318,11 +1186,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 		}
 		if(!port_insert(list, s,
 		   is_dnscrypt?listen_type_udp_dnscrypt:listen_type_udp)) {
-#ifndef USE_WINSOCK
+			sock_close(s);
 			close(s);
 #else
 			closesocket(s);
 #endif
 			return 0;
 		}
 	}
@ -1350,11 +1214,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 		if(is_ssl)
 			verbose(VERB_ALGO, "setup TCP for SSL service");
 		if(!port_insert(list, s, port_type)) {
-#ifndef USE_WINSOCK
+			sock_close(s);
 			close(s);
 #else
 			closesocket(s);
 #endif
 			return 0;
 		}
 	}
@ -1537,8 +1397,163 @@ listen_delete(struct listen_dnsport* front)
 	}
 }
 #ifdef HAVE_GETIFADDRS
 static int
 resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addresses, int *ip_addresses_size)
 {
 	struct ifaddrs *ifa;
 	int last_ip_addresses_size = *ip_addresses_size;
 	for(ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) {
 		sa_family_t family;
 		const char* atsign;
 #ifdef INET6      /* |   address ip    | % |  ifa name  | @ |  port  | nul */
 		char addr_buf[INET6_ADDRSTRLEN + 1 + IF_NAMESIZE + 1 + 16 + 1];
 #else
 		char addr_buf[INET_ADDRSTRLEN + 1 + 16 + 1];
 #endif
 		if((atsign=strrchr(search_ifa, '@')) != NULL) {
 			if(strlen(ifa->ifa_name) != (size_t)(atsign-search_ifa)
 			   || strncmp(ifa->ifa_name, search_ifa,
 			   atsign-search_ifa) != 0)
 				continue;
 		} else {
 			if(strcmp(ifa->ifa_name, search_ifa) != 0)
 				continue;
 			atsign = "";
 		}
 		if(ifa->ifa_addr == NULL)
 			continue;
 		family = ifa->ifa_addr->sa_family;
 		if(family == AF_INET) {
 			char a4[INET_ADDRSTRLEN + 1];
 			struct sockaddr_in *in4 = (struct sockaddr_in *)
 				ifa->ifa_addr;
 			if(!inet_ntop(family, &in4->sin_addr, a4, sizeof(a4))) {
 				log_err("inet_ntop failed");
 				return 0;
 			}
 			snprintf(addr_buf, sizeof(addr_buf), "%s%s",
 				a4, atsign);
 		}
 #ifdef INET6
 		else if(family == AF_INET6) {
 			struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)
 				ifa->ifa_addr;
 			char a6[INET6_ADDRSTRLEN + 1];
 			char if_index_name[IF_NAMESIZE + 1];
 			if_index_name[0] = 0;
 			if(!inet_ntop(family, &in6->sin6_addr, a6, sizeof(a6))) {
 				log_err("inet_ntop failed");
 				return 0;
 			}
 			if_indextoname(in6->sin6_scope_id,
 				(char *)if_index_name);
 			if (strlen(if_index_name) != 0) {
 				snprintf(addr_buf, sizeof(addr_buf),
 					"%s%%%s%s", a6, if_index_name, atsign);
 			} else {
 				snprintf(addr_buf, sizeof(addr_buf), "%s%s",
 					a6, atsign);
 			}
 		}
 #endif
 		else {
 			continue;
 		}
 		verbose(4, "interface %s has address %s", search_ifa, addr_buf);
 		*ip_addresses = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
 		if(!*ip_addresses) {
 			log_err("realloc failed: out of memory");
 			return 0;
 		}
 		(*ip_addresses)[*ip_addresses_size] = strdup(addr_buf);
 		if(!(*ip_addresses)[*ip_addresses_size]) {
 			log_err("strdup failed: out of memory");
 			return 0;
 		}
 		(*ip_addresses_size)++;
 	}
 	if (*ip_addresses_size == last_ip_addresses_size) {
 		*ip_addresses = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
 		if(!*ip_addresses) {
 			log_err("realloc failed: out of memory");
 			return 0;
 		}
 		(*ip_addresses)[*ip_addresses_size] = strdup(search_ifa);
 		if(!(*ip_addresses)[*ip_addresses_size]) {
 			log_err("strdup failed: out of memory");
 			return 0;
 		}
 		(*ip_addresses_size)++;
 	}
 	return 1;
 }
 #endif /* HAVE_GETIFADDRS */
 int resolve_interface_names(struct config_file* cfg, char*** resif,
 	int* num_resif)
 {
 #ifdef HAVE_GETIFADDRS
 	int i;
 	struct ifaddrs *addrs = NULL;
 	if(cfg->num_ifs == 0) {
 		*resif = NULL;
 		*num_resif = 0;
 		return 1;
 	}
 	if(getifaddrs(&addrs) == -1) {
 		log_err("failed to list interfaces: getifaddrs: %s",
 			strerror(errno));
 		freeifaddrs(addrs);
 		return 0;
 	}
 	for(i=0; i<cfg->num_ifs; i++) {
 		if(!resolve_ifa_name(addrs, cfg->ifs[i], resif, num_resif)) {
 			freeifaddrs(addrs);
 			config_del_strarray(*resif, *num_resif);
 			*resif = NULL;
 			*num_resif = 0;
 			return 0;
 		}
 	}
 	freeifaddrs(addrs);
 	return 1;
 #else
 	int i;
 	if(cfg->num_ifs == 0) {
 		*resif = NULL;
 		*num_resif = 0;
 		return 1;
 	}
 	*num_resif = cfg->num_ifs;
 	*resif = calloc(*num_resif, sizeof(**resif));
 	if(!*resif) {
 		log_err("out of memory");
 		return 0;
 	}
 	for(i=0; i<*num_resif; i++) {
 		(*resif)[i] = strdup(cfg->ifs[i]);
 		if(!((*resif)[i])) {
 			log_err("out of memory");
 			config_del_strarray(*resif, *num_resif);
 			*resif = NULL;
 			*num_resif = 0;
 			return 0;
 		}
 	}
 	return 1;
 #endif /* HAVE_GETIFADDRS */
 }
 struct listen_port* 
-listening_ports_open(struct config_file* cfg, int* reuseport)
+listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
 	int* reuseport)
 {
 	struct listen_port* list = NULL;
 	struct addrinfo hints;
@ -1557,7 +1572,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_flags = AI_PASSIVE;
 	/* no name lookups on our listening ports */
-	if(cfg->num_ifs > 0)
+	if(num_ifs > 0)
 		hints.ai_flags |= AI_NUMERICHOST;
 	hints.ai_family = AF_UNSPEC;
 #ifndef INET6
@ -1567,7 +1582,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 		return NULL;
 	}
 	/* create ip4 and ip6 ports so that return addresses are nice. */
-	if(do_auto || cfg->num_ifs == 0) {
+	if(do_auto || num_ifs == 0) {
 		if(do_ip6) {
 			hints.ai_family = AF_INET6;
 			if(!ports_create_if(do_auto?"::0":"::1", 
@ -1598,12 +1613,12 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				return NULL;
 			}
 		}
-	} else for(i = 0; i<cfg->num_ifs; i++) {
+	} else for(i = 0; i<num_ifs; i++) {
-		if(str_is_ip6(cfg->ifs[i])) {
+		if(str_is_ip6(ifs[i])) {
 			if(!do_ip6)
 				continue;
 			hints.ai_family = AF_INET6;
-			if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, 
+			if(!ports_create_if(ifs[i], 0, cfg->do_udp,
 				do_tcp, &hints, portbuf, &list, 
 				cfg->so_rcvbuf, cfg->so_sndbuf,
 				cfg->ssl_port, cfg->tls_additional_port,
@ -1618,7 +1633,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 			if(!do_ip4)
 				continue;
 			hints.ai_family = AF_INET;
-			if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, 
+			if(!ports_create_if(ifs[i], 0, cfg->do_udp,
 				do_tcp, &hints, portbuf, &list, 
 				cfg->so_rcvbuf, cfg->so_sndbuf,
 				cfg->ssl_port, cfg->tls_additional_port,
@ -1640,11 +1655,7 @@ void listening_ports_free(struct listen_port* list)
 	while(list) {
 		nx = list->next;
 		if(list->fd != -1) {
-#ifndef USE_WINSOCK
+			sock_close(list->fd);
 			close(list->fd);
 #else
 			closesocket(list->fd);
 #endif
 		}
 		free(list);
 		list = nx;
--- a/services/listen_dnsport.h
+++ b/services/listen_dnsport.h
@ -121,19 +121,32 @@ struct listen_port {
 * interfaces for IP4 and/or IP6, for UDP and/or TCP.
 * On the given port number. It creates the sockets.
 * @param cfg: settings on what ports to open.
 * @param ifs: interfaces to open, array of IP addresses, "ip[@port]".
 * @param num_ifs: length of ifs.
 * @param reuseport: set to true if you want reuseport, or NULL to not have it,
 *   set to false on exit if reuseport failed to apply (because of no
 *   kernel support).
 * @return: linked list of ports or NULL on error.
 */
 struct listen_port* listening_ports_open(struct config_file* cfg,
-	int* reuseport);
+	char** ifs, int num_ifs, int* reuseport);
 /**
 * Close and delete the (list of) listening ports.
 */
 void listening_ports_free(struct listen_port* list);
 /**
 * Resolve interface names in config and store result IP addresses
 * @param cfg: config
 * @param resif: string array (malloced array of malloced strings) with
 * 	result.  NULL if cfg has none.
 * @param num_resif: length of resif.  Zero if cfg has zero num_ifs.
 * @return 0 on failure.
 */
 int resolve_interface_names(struct config_file* cfg, char*** resif,
 	int* num_resif);
 /**
 * Create commpoints with for this thread for the shared ports.
 * @param base: the comm_base that provides event functionality.
@ -408,6 +421,5 @@ int http2_submit_dns_response(void* v);
 #endif /* HAVE_NGHTTP2 */
 char* set_ip_dscp(int socket, int addrfamily, int ds);
 char* sock_strerror(int errn);
 #endif /* LISTEN_DNSPORT_H */
--- a/services/mesh.c
+++ b/services/mesh.c
@ -1306,7 +1306,7 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 void mesh_query_done(struct mesh_state* mstate)
 {
-	struct mesh_reply* r, *reply_list = NULL;
+	struct mesh_reply* r;
 	struct mesh_reply* prev = NULL;
 	struct sldns_buffer* prev_buffer = NULL;
 	struct mesh_cb* c;
@ -1330,27 +1330,7 @@ void mesh_query_done(struct mesh_state* mstate)
 			free(err);
 		}
 	}
-	if(mstate->reply_list) {
+	for(r = mstate->reply_list; r; r = r->next) {
 		/* set the reply_list to NULL during the mesh_query_done
 		 * processing, so that calls back into the mesh from
 		 * tcp_req_info (deciding to drop the reply and thus
 		 * unregister the mesh_reply from the mstate) are stopped
 		 * because the list is empty.
 		 * The mstate is then likely not a reply_state, and maybe
 		 * also a detached_state.
 		 */
 		reply_list = mstate->reply_list;
 		mstate->reply_list = NULL;
 		if(!mstate->reply_list && !mstate->cb_list) {
 			/* was a reply state, not anymore */
 			log_assert(mstate->s.env->mesh->num_reply_states > 0);
 			mstate->s.env->mesh->num_reply_states--;
 		}
 		if(!mstate->reply_list && !mstate->cb_list &&
 			mstate->super_set.count == 0)
 			mstate->s.env->mesh->num_detached_states++;
 	}
 	for(r = reply_list; r; r = r->next) {
 		/* if a response-ip address block has been stored the
 		 *  information should be logged for each client. */
 		if(mstate->s.respip_action_info &&
@ -1374,15 +1354,31 @@ void mesh_query_done(struct mesh_state* mstate)
 		/* if this query is determined to be dropped during the
 		 * mesh processing, this is the point to take that action. */
 		if(mstate->s.is_drop) {
 			/* briefly set the reply_list to NULL, so that the
 			 * tcp req info cleanup routine that calls the mesh
 			 * to deregister the meshstate for it is not done
 			 * because the list is NULL and also accounting is not
 			 * done there, but instead we do that here. */
 			struct mesh_reply* reply_list = mstate->reply_list;
 			mstate->reply_list = NULL;
 			comm_point_drop_reply(&r->query_reply);
 			mstate->reply_list = reply_list;
 		} else {
 			struct sldns_buffer* r_buffer = r->query_reply.c->buffer;
 			struct mesh_reply* rlist = mstate->reply_list;
 			if(r->query_reply.c->tcp_req_info) {
 				r_buffer = r->query_reply.c->tcp_req_info->spool_buffer;
 				prev_buffer = NULL;
 			}
 			/* briefly set the replylist to null in case the
 			 * meshsendreply calls tcpreqinfo sendreply that
 			 * comm_point_drops because of size, and then the
 			 * null stops the mesh state remove and thus
 			 * reply_list modification and accounting */
 			mstate->reply_list = NULL;
 			mesh_send_reply(mstate, mstate->s.return_rcode, rep,
 				r, r_buffer, prev, prev_buffer);
 			mstate->reply_list = rlist;
 			if(r->query_reply.c->tcp_req_info) {
 				tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate);
 				r_buffer = NULL;
@ -1391,6 +1387,17 @@ void mesh_query_done(struct mesh_state* mstate)
 			prev_buffer = r_buffer;
 		}
 	}
 	if(mstate->reply_list) {
 		mstate->reply_list = NULL;
 		if(!mstate->reply_list && !mstate->cb_list) {
 			/* was a reply state, not anymore */
 			log_assert(mstate->s.env->mesh->num_reply_states > 0);
 			mstate->s.env->mesh->num_reply_states--;
 		}
 		if(!mstate->reply_list && !mstate->cb_list &&
 			mstate->super_set.count == 0)
 			mstate->s.env->mesh->num_detached_states++;
 	}
 	mstate->replies_sent = 1;
 	while((c = mstate->cb_list) != NULL) {
 		/* take this cb off the list; so that the list can be
@ -1887,7 +1894,7 @@ mesh_serve_expired_callback(void* arg)
 {
 	struct mesh_state* mstate = (struct mesh_state*) arg;
 	struct module_qstate* qstate = &mstate->s;
-	struct mesh_reply* r;
+	struct mesh_reply* r, *rlist;
 	struct mesh_area* mesh = qstate->env->mesh;
 	struct dns_msg* msg;
 	struct mesh_cb* c;
@ -1970,16 +1977,7 @@ mesh_serve_expired_callback(void* arg)
 	if(verbosity >= VERB_ALGO)
 		log_dns_msg("Serve expired lookup", &qstate->qinfo, msg->rep);
-	r = mstate->reply_list;
+	for(r = mstate->reply_list; r; r = r->next) {
 	mstate->reply_list = NULL;
 	if(!mstate->reply_list && !mstate->cb_list && r) {
 		log_assert(mesh->num_reply_states > 0);
 		mesh->num_reply_states--;
 		if(mstate->super_set.count == 0) {
 			mesh->num_detached_states++;
 		}
 	}
 	for(; r; r = r->next) {
 		/* If address info is returned, it means the action should be an
 		* 'inform' variant and the information should be logged. */
 		if(actinfo.addrinfo) {
@ -2001,8 +1999,15 @@ mesh_serve_expired_callback(void* arg)
 		r_buffer = r->query_reply.c->buffer;
 		if(r->query_reply.c->tcp_req_info)
 			r_buffer = r->query_reply.c->tcp_req_info->spool_buffer;
 		/* briefly set the replylist to null in case the meshsendreply
 		 * calls tcpreqinfo sendreply that comm_point_drops because
 		 * of size, and then the null stops the mesh state remove and
 		 * thus reply_list modification and accounting */
 		rlist = mstate->reply_list;
 		mstate->reply_list = NULL;
 		mesh_send_reply(mstate, LDNS_RCODE_NOERROR, msg->rep,
 			r, r_buffer, prev, prev_buffer);
 		mstate->reply_list = rlist;
 		if(r->query_reply.c->tcp_req_info)
 			tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate);
 		prev = r;
@ -2012,6 +2017,16 @@ mesh_serve_expired_callback(void* arg)
 		mesh->ans_expired++;
 	}
 	if(mstate->reply_list) {
 		mstate->reply_list = NULL;
 		if(!mstate->reply_list && !mstate->cb_list) {
 			log_assert(mesh->num_reply_states > 0);
 			mesh->num_reply_states--;
 			if(mstate->super_set.count == 0) {
 				mesh->num_detached_states++;
 			}
 		}
 	}
 	while((c = mstate->cb_list) != NULL) {
 		/* take this cb off the list; so that the list can be
 		 * changed, eg. by adds from the callback routine */
--- a/services/outside_network.c
+++ b/services/outside_network.c
@ -58,6 +58,7 @@
 #include "util/net_help.h"
 #include "util/random.h"
 #include "util/fptr_wlist.h"
 #include "util/edns.h"
 #include "sldns/sbuffer.h"
 #include "dnstap/dnstap.h"
 #ifdef HAVE_OPENSSL_SSL_H
@ -165,11 +166,7 @@ pick_outgoing_tcp(struct waiting_tcp* w, int s)
 	if(num == 0) {
 		log_err("no TCP outgoing interfaces of family");
 		log_addr(VERB_OPS, "for addr", &w->addr, w->addrlen);
-#ifndef USE_WINSOCK
+		sock_close(s);
 		close(s);
 #else
 		closesocket(s);
 #endif
 		return 0;
 	}
 #ifdef INET6
@ -188,14 +185,8 @@ pick_outgoing_tcp(struct waiting_tcp* w, int s)
 		((struct sockaddr_in6*)&pi->addr)->sin6_port = 0;
 	else	((struct sockaddr_in*)&pi->addr)->sin_port = 0;
 	if(bind(s, (struct sockaddr*)&pi->addr, pi->addrlen) != 0) {
-#ifndef USE_WINSOCK
+		log_err("outgoing tcp: bind: %s", sock_strerror(errno));
-		log_err("outgoing tcp: bind: %s", strerror(errno));
+		sock_close(s);
 		close(s);
 #else
 		log_err("outgoing tcp: bind: %s", 
 			wsa_strerror(WSAGetLastError()));
 		closesocket(s);
 #endif
 		return 0;
 	}
 	log_addr(VERB_ALGO, "tcp bound to src", &pi->addr, pi->addrlen);
@ -225,13 +216,8 @@ outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss,
 		s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
 	}
 	if(s == -1) {
-#ifndef USE_WINSOCK
+		log_err_addr("outgoing tcp: socket", sock_strerror(errno),
 		log_err_addr("outgoing tcp: socket", strerror(errno),
 			addr, addrlen);
 #else
 		log_err_addr("outgoing tcp: socket", 
 			wsa_strerror(WSAGetLastError()), addr, addrlen);
 #endif
 		return -1;
 	}
@ -2111,9 +2097,20 @@ outnet_serviced_query(struct outside_network* outnet,
 {
 	struct serviced_query* sq;
 	struct service_callback* cb;
 	struct edns_tag_addr* client_tag_addr;
 	if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, zonelen,
 		qstate, qstate->region))
 			return NULL;
 	if((client_tag_addr = edns_tag_addr_lookup(&env->edns_tags->client_tags,
 		addr, addrlen))) {
 		uint16_t client_tag = htons(client_tag_addr->tag_data);
 		edns_opt_list_append(&qstate->edns_opts_back_out,
 			LDNS_EDNS_CLIENT_TAG, 2,
 			(uint8_t*)&client_tag, qstate->region);
 	}
 	serviced_gen_query(buff, qinfo->qname, qinfo->qname_len, qinfo->qtype,
 		qinfo->qclass, flags);
 	sq = lookup_serviced(outnet, buff, dnssec, addr, addrlen,
--- a/services/rpz.c
+++ b/services/rpz.c
@ -597,8 +597,18 @@ rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname,
 	uint8_t* policydname;
 	if(!dname_subdomain_c(dname, azname)) {
-		log_err("RPZ: name of record to insert into RPZ is not a "
+		char* dname_str = sldns_wire2str_dname(dname, dnamelen);
-			"subdomain of the configured name of the RPZ zone");
+		char* azname_str = sldns_wire2str_dname(azname, aznamelen);
 		if(dname_str && azname_str) {
 			log_err("RPZ: name of record (%s) to insert into RPZ is not a "
 				"subdomain of the configured name of the RPZ zone (%s)",
 				dname_str, azname_str);
 		} else {
 			log_err("RPZ: name of record to insert into RPZ is not a "
 				"subdomain of the configured name of the RPZ zone");
 		}
 		free(dname_str);
 		free(azname_str);
 		return 0;
 	}
--- a/sldns/rrdef.h
+++ b/sldns/rrdef.h
@ -426,7 +426,8 @@ enum sldns_enum_edns_option
 	LDNS_EDNS_N3U = 7, /* RFC6975 */
 	LDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */
 	LDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
-	LDNS_EDNS_PADDING = 12 /* RFC7830 */
+	LDNS_EDNS_PADDING = 12, /* RFC7830 */
 	LDNS_EDNS_CLIENT_TAG = 16 /* draft-bellis-dnsop-edns-tags-01 */
 };
 typedef enum sldns_enum_edns_option sldns_edns_option;
--- a/smallapp/unbound-checkconf.c
+++ b/smallapp/unbound-checkconf.c
@ -58,6 +58,7 @@
 #include "services/authzone.h"
 #include "respip/respip.h"
 #include "sldns/sbuffer.h"
 #include "sldns/str2wire.h"
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
@ -194,6 +195,94 @@ localzonechecks(struct config_file* cfg)
 	local_zones_delete(zs);
 }
 /** checks for acl and views */
 static void
 acl_view_tag_checks(struct config_file* cfg, struct views* views)
 {
 	int d;
 	struct sockaddr_storage a;
 	socklen_t alen;
 	struct config_str2list* acl;
 	struct config_str3list* s3;
 	struct config_strbytelist* sb;
 	/* acl_view */
 	for(acl=cfg->acl_view; acl; acl = acl->next) {
 		struct view* v;
 		if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
 			&d)) {
 			fatal_exit("cannot parse access-control-view "
 				"address %s %s", acl->str, acl->str2);
 		}
 		v = views_find_view(views, acl->str2, 0);
 		if(!v) {
 			fatal_exit("cannot find view for "
 				"access-control-view: %s %s",
 				acl->str, acl->str2);
 		}
 		lock_rw_unlock(&v->lock);
 	}
 	/* acl_tags */
 	for(sb=cfg->acl_tags; sb; sb = sb->next) {
 		if(!netblockstrtoaddr(sb->str, UNBOUND_DNS_PORT, &a, &alen,
 			&d)) {
 			fatal_exit("cannot parse access-control-tags "
 				"address %s", sb->str);
 		}
 	}
 	/* acl_tag_actions */
 	for(s3=cfg->acl_tag_actions; s3; s3 = s3->next) {
 		enum localzone_type t;
 		if(!netblockstrtoaddr(s3->str, UNBOUND_DNS_PORT, &a, &alen,
 			&d)) {
 			fatal_exit("cannot parse access-control-tag-actions "
 				"address %s %s %s",
 				s3->str, s3->str2, s3->str3);
 		}
 		if(find_tag_id(cfg, s3->str2) == -1) {
 			fatal_exit("cannot parse tag %s (define-tag it), "
 				"for access-control-tag-actions: %s %s %s",
 				s3->str2, s3->str, s3->str2, s3->str3);
 		}
 		if(!local_zone_str2type(s3->str3, &t)) {
 			fatal_exit("cannot parse access control action type %s"
 				" for access-control-tag-actions: %s %s %s",
 				s3->str3, s3->str, s3->str2, s3->str3);
 		}
 	}
 	/* acl_tag_datas */
 	for(s3=cfg->acl_tag_datas; s3; s3 = s3->next) {
 		char buf[65536];
 		uint8_t rr[LDNS_RR_BUF_SIZE];
 		size_t len = sizeof(rr);
 		int res;
 		if(!netblockstrtoaddr(s3->str, UNBOUND_DNS_PORT, &a, &alen,
 			&d)) {
 			fatal_exit("cannot parse access-control-tag-datas address %s %s '%s'",
 				s3->str, s3->str2, s3->str3);
 		}
 		if(find_tag_id(cfg, s3->str2) == -1) {
 			fatal_exit("cannot parse tag %s (define-tag it), "
 				"for access-control-tag-datas: %s %s '%s'",
 				s3->str2, s3->str, s3->str2, s3->str3);
 		}
 		/* '.' is sufficient for validation, and it makes the call to
 		 * sldns_wirerr_get_type() simpler below. */
 		snprintf(buf, sizeof(buf), "%s %s", ".", s3->str3);
 		res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600, NULL,
 			0, NULL, 0);
 		if(res != 0) {
 			fatal_exit("cannot parse rr data [char %d] parse error %s, for access-control-tag-datas: %s %s '%s'",
 				(int)LDNS_WIREPARSE_OFFSET(res)-2,
 				sldns_get_errorstr_parse(res),
 				s3->str, s3->str2, s3->str3);
 		}
 	}
 }
 /** check view and response-ip configuration */
 static void
 view_and_respipchecks(struct config_file* cfg)
@ -211,6 +300,7 @@ view_and_respipchecks(struct config_file* cfg)
 		fatal_exit("Could not setup respip set");
 	if(!respip_views_apply_cfg(views, cfg, &ignored))
 		fatal_exit("Could not setup per-view respip sets");
 	acl_view_tag_checks(cfg, views);
 	views_delete(views);
 	respip_set_delete(respip);
 }
@ -534,8 +624,6 @@ morechecks(struct config_file* cfg)
 		cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
 	check_chroot_filelist_wild("trusted-keys-file",
 		cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
 	check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
 		cfg->chrootdir, cfg);
 #ifdef USE_IPSECMOD
 	if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
 		/* only check hook if enabled */
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@ -596,11 +596,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
 		addrfamily = addr_is_ip6(&addr, addrlen)?PF_INET6:PF_INET;
 	fd = socket(addrfamily, SOCK_STREAM, proto);
 	if(fd == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("socket: %s", sock_strerror(errno));
 		fatal_exit("socket: %s", strerror(errno));
 #else
 		fatal_exit("socket: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	if(connect(fd, (struct sockaddr*)&addr, addrlen) < 0) {
 #ifndef USE_WINSOCK
@ -684,11 +680,7 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
 				/* EOF */
 				return 0;
 			}
-#ifndef USE_WINSOCK
+			fatal_exit("could not recv: %s", sock_strerror(errno));
 			fatal_exit("could not recv: %s", strerror(errno));
 #else
 			fatal_exit("could not recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		}
 		buf[rr] = 0;
 	}
@ -704,11 +696,7 @@ remote_write(SSL* ssl, int fd, const char* buf, size_t len)
 			ssl_err("could not SSL_write");
 	} else {
 		if(send(fd, buf, len, 0) < (ssize_t)len) {
-#ifndef USE_WINSOCK
+			fatal_exit("could not send: %s", sock_strerror(errno));
 			fatal_exit("could not send: %s", strerror(errno));
 #else
 			fatal_exit("could not send: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		}
 	}
 }
@ -827,11 +815,7 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
 	ret = go_cmd(ssl, fd, quiet, argc, argv);
 	if(ssl) SSL_free(ssl);
-#ifndef USE_WINSOCK
+	sock_close(fd);
 	close(fd);
 #else
 	closesocket(fd);
 #endif
 	if(ctx) SSL_CTX_free(ctx);
 	config_delete(cfg);
 	return ret;
@ -889,7 +873,7 @@ int main(int argc, char* argv[])
 	if(argc == 0)
 		usage();
 	if(argc >= 1 && strcmp(argv[0], "start")==0) {
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 		fatal_exit("could not exec unbound: %s",
 			strerror(ENOSYS));
 #else
--- a/testcode/delayer.c
+++ b/testcode/delayer.c
@ -372,11 +372,7 @@ service_send(struct ringbuf* ring, struct timeval* now, sldns_buffer* pkt,
 			sldns_buffer_limit(pkt), 0, 
 			(struct sockaddr*)srv_addr, srv_len);
 		if(sent == -1) {
-#ifndef USE_WINSOCK
+			log_err("sendto: %s", sock_strerror(errno));
 			log_err("sendto: %s", strerror(errno));
 #else
 			log_err("sendto: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		} else if(sent != (ssize_t)sldns_buffer_limit(pkt)) {
 			log_err("sendto: partial send");
 		}
@ -398,13 +394,12 @@ do_proxy(struct proxy* p, int retsock, sldns_buffer* pkt)
 #ifndef USE_WINSOCK
 			if(errno == EAGAIN || errno == EINTR)
 				return;
 			log_err("recv: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEINPROGRESS ||
 				WSAGetLastError() == WSAEWOULDBLOCK)
 				return;
 			log_err("recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
 			log_err("recv: %s", sock_strerror(errno));
 			return;
 		}
 		sldns_buffer_set_limit(pkt, (size_t)r);
@ -414,11 +409,7 @@ do_proxy(struct proxy* p, int retsock, sldns_buffer* pkt)
 		r = sendto(retsock, (void*)sldns_buffer_begin(pkt), (size_t)r, 
 			0, (struct sockaddr*)&p->addr, p->addr_len);
 		if(r == -1) {
-#ifndef USE_WINSOCK
+			log_err("sendto: %s", sock_strerror(errno));
 			log_err("sendto: %s", strerror(errno));
 #else
 			log_err("sendto: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		}
 	}
 }
@ -469,11 +460,7 @@ find_create_proxy(struct sockaddr_storage* from, socklen_t from_len,
 	if(!p) fatal_exit("out of memory");
 	p->s = socket(serv_ip6?AF_INET6:AF_INET, SOCK_DGRAM, 0);
 	if(p->s == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("socket: %s", sock_strerror(errno));
 		fatal_exit("socket: %s", strerror(errno));
 #else
 		fatal_exit("socket: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	fd_set_nonblock(p->s);
 	memmove(&p->addr, from, from_len);
@ -507,14 +494,12 @@ service_recv(int s, struct ringbuf* ring, sldns_buffer* pkt,
 #ifndef USE_WINSOCK
 			if(errno == EAGAIN || errno == EINTR)
 				return;
 			fatal_exit("recvfrom: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEWOULDBLOCK || 
 				WSAGetLastError() == WSAEINPROGRESS)
 				return;
 			fatal_exit("recvfrom: %s", 
 				wsa_strerror(WSAGetLastError()));
 #endif
 			fatal_exit("recvfrom: %s", sock_strerror(errno));
 		}
 		sldns_buffer_set_limit(pkt, (size_t)len);
 		/* find its proxy element */
@ -550,15 +535,9 @@ tcp_proxy_delete(struct tcp_proxy* p)
 		free(s);
 		s = sn;
 	}
-#ifndef USE_WINSOCK
+	sock_close(p->client_s);
 	close(p->client_s);
 	if(p->server_s != -1)
-		close(p->server_s);
+		sock_close(p->server_s);
 #else
 	closesocket(p->client_s);
 	if(p->server_s != -1)
 		closesocket(p->server_s);
 #endif
 	free(p);
 }
@ -577,14 +556,13 @@ service_tcp_listen(int s, fd_set* rorig, int* max, struct tcp_proxy** proxies,
 #ifndef USE_WINSOCK
 		if(errno == EAGAIN || errno == EINTR)
 			return;
 		fatal_exit("accept: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEWOULDBLOCK || 
 			WSAGetLastError() == WSAEINPROGRESS ||
 			WSAGetLastError() == WSAECONNRESET)
 			return;
 		fatal_exit("accept: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		fatal_exit("accept: %s", sock_strerror(errno));
 	}
 	p = (struct tcp_proxy*)calloc(1, sizeof(*p));
 	if(!p) fatal_exit("out of memory");
@ -595,11 +573,7 @@ service_tcp_listen(int s, fd_set* rorig, int* max, struct tcp_proxy** proxies,
 	p->server_s = socket(addr_is_ip6(srv_addr, srv_len)?AF_INET6:AF_INET,
 		SOCK_STREAM, 0);
 	if(p->server_s == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("tcp socket: %s", sock_strerror(errno));
 		fatal_exit("tcp socket: %s", strerror(errno));
 #else
 		fatal_exit("tcp socket: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	fd_set_nonblock(p->client_s);
 	fd_set_nonblock(p->server_s);
@ -607,16 +581,14 @@ service_tcp_listen(int s, fd_set* rorig, int* max, struct tcp_proxy** proxies,
 #ifndef USE_WINSOCK
 		if(errno != EINPROGRESS) {
 			log_err("tcp connect: %s", strerror(errno));
 			close(p->server_s);
 			close(p->client_s);
 #else
 		if(WSAGetLastError() != WSAEWOULDBLOCK &&
 			WSAGetLastError() != WSAEINPROGRESS) {
 			log_err("tcp connect: %s", 
 				wsa_strerror(WSAGetLastError()));
 			closesocket(p->server_s);
 			closesocket(p->client_s);
 #endif
 			sock_close(p->server_s);
 			sock_close(p->client_s);
 			free(p);
 			return;
 		}
@ -650,13 +622,12 @@ tcp_relay_read(int s, struct tcp_send_list** first,
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return 1;
 		log_err("tcp read: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS || 
 			WSAGetLastError() == WSAEWOULDBLOCK)
 			return 1;
 		log_err("tcp read: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("tcp read: %s", sock_strerror(errno));
 		return 0;
 	} else if(r == 0) {
 		/* connection closed */
@ -708,14 +679,12 @@ tcp_relay_write(int s, struct tcp_send_list** first,
 #ifndef USE_WINSOCK
 			if(errno == EAGAIN || errno == EINTR)
 				return 1;
 			log_err("tcp write: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEWOULDBLOCK || 
 				WSAGetLastError() == WSAEINPROGRESS)
 				return 1;
 			log_err("tcp write: %s", 
 				wsa_strerror(WSAGetLastError()));
 #endif
 			log_err("tcp write: %s", sock_strerror(errno));
 			return 0;
 		} else if(r == 0) {
 			/* closed */
@ -769,11 +738,7 @@ service_tcp_relay(struct tcp_proxy** tcp_proxies, struct timeval* now,
 			log_addr(1, "read tcp answer", &p->addr, p->addr_len);
 			if(!tcp_relay_read(p->server_s, &p->answerlist, 
 				&p->answerlast, now, delay, pkt)) {
-#ifndef USE_WINSOCK
+				sock_close(p->server_s);
 				close(p->server_s);
 #else
 				closesocket(p->server_s);
 #endif
 				FD_CLR(FD_SET_T p->server_s, worig);
 				FD_CLR(FD_SET_T p->server_s, rorig);
 				p->server_s = -1;
@ -901,11 +866,7 @@ proxy_list_clear(struct proxy* p)
 			"%u returned\n", i++, from, port, (int)p->numreuse+1,
 			(unsigned)p->numwait, (unsigned)p->numsent, 
 			(unsigned)p->numreturn);
-#ifndef USE_WINSOCK
+		sock_close(p->s);
 		close(p->s);
 #else
 		closesocket(p->s);
 #endif
 		free(p);
 		p = np;
 	}
@ -1034,11 +995,7 @@ service(const char* bind_str, int bindport, const char* serv_str,
 	/* bind UDP port */
 	if((s = socket(str_is_ip6(bind_str)?AF_INET6:AF_INET,
 		SOCK_DGRAM, 0)) == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("socket: %s", sock_strerror(errno));
 		fatal_exit("socket: %s", strerror(errno));
 #else
 		fatal_exit("socket: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	i=0;
 	if(bindport == 0) {
@ -1051,11 +1008,7 @@ service(const char* bind_str, int bindport, const char* serv_str,
 			exit(1);
 		}
 		if(bind(s, (struct sockaddr*)&bind_addr, bind_len) == -1) {
-#ifndef USE_WINSOCK
+			log_err("bind: %s", sock_strerror(errno));
 			log_err("bind: %s", strerror(errno));
 #else
 			log_err("bind: %s", wsa_strerror(WSAGetLastError()));
 #endif
 			if(i--==0)
 				fatal_exit("cannot bind any port");
 			bindport = 1024 + ((int)arc4random())%64000;
@ -1065,39 +1018,22 @@ service(const char* bind_str, int bindport, const char* serv_str,
 	/* and TCP port */
 	if((listen_s = socket(str_is_ip6(bind_str)?AF_INET6:AF_INET,
 		SOCK_STREAM, 0)) == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("tcp socket: %s", sock_strerror(errno));
 		fatal_exit("tcp socket: %s", strerror(errno));
 #else
 		fatal_exit("tcp socket: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 #ifdef SO_REUSEADDR
 	if(1) {
 		int on = 1;
 		if(setsockopt(listen_s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
 			(socklen_t)sizeof(on)) < 0)
 #ifndef USE_WINSOCK
 			fatal_exit("setsockopt(.. SO_REUSEADDR ..) failed: %s",
-				strerror(errno));
+				sock_strerror(errno));
 #else
 			fatal_exit("setsockopt(.. SO_REUSEADDR ..) failed: %s",
 				wsa_strerror(WSAGetLastError()));
 #endif
 	}
 #endif
 	if(bind(listen_s, (struct sockaddr*)&bind_addr, bind_len) == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("tcp bind: %s", sock_strerror(errno));
 		fatal_exit("tcp bind: %s", strerror(errno));
 #else
 		fatal_exit("tcp bind: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	if(listen(listen_s, 5) == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("tcp listen: %s", sock_strerror(errno));
 		fatal_exit("tcp listen: %s", strerror(errno));
 #else
 		fatal_exit("tcp listen: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	fd_set_nonblock(listen_s);
 	printf("listening on port: %d\n", bindport);
@ -1109,13 +1045,8 @@ service(const char* bind_str, int bindport, const char* serv_str,
 	/* cleanup */
 	verbose(1, "cleanup");
-#ifndef USE_WINSOCK
+	sock_close(s);
-	close(s);
+	sock_close(listen_s);
 	close(listen_s);
 #else
 	closesocket(s);
 	closesocket(listen_s);
 #endif
 	sldns_buffer_free(pkt);
 	ring_delete(ring);
 }
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@ -52,6 +52,7 @@
 #include "util/data/msgreply.h"
 #include "util/data/msgencode.h"
 #include "util/data/dname.h"
 #include "util/edns.h"
 #include "util/config_file.h"
 #include "services/listen_dnsport.h"
 #include "services/outside_network.h"
@ -1183,7 +1184,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	socklen_t addrlen, uint8_t* zone, size_t zonelen,
 	struct module_qstate* qstate, comm_point_callback_type* callback,
 	void* callback_arg, sldns_buffer* ATTR_UNUSED(buff),
-	struct module_env* ATTR_UNUSED(env))
+	struct module_env* env)
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)outnet->base;
 	struct fake_pending* pend = (struct fake_pending*)calloc(1,
@ -1212,6 +1213,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	sldns_buffer_flip(pend->buffer);
 	if(1) {
 		struct edns_data edns;
 		struct edns_tag_addr* client_tag_addr;
 		if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen,
 			zone, zonelen, qstate, qstate->region)) {
 			free(pend);
@ -1223,9 +1225,17 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 		edns.edns_version = EDNS_ADVERTISED_VERSION;
 		edns.udp_size = EDNS_ADVERTISED_SIZE;
 		edns.bits = 0;
 		edns.opt_list = qstate->edns_opts_back_out;
 		if(dnssec)
 			edns.bits = EDNS_DO;
 		if((client_tag_addr = edns_tag_addr_lookup(
 			&env->edns_tags->client_tags,
 			addr, addrlen))) {
 			uint16_t client_tag = htons(client_tag_addr->tag_data);
 			edns_opt_list_append(&qstate->edns_opts_back_out,
 				LDNS_EDNS_CLIENT_TAG, 2,
 				(uint8_t*)&client_tag, qstate->region);
 		}
 		edns.opt_list = qstate->edns_opts_back_out;
 		attach_edns_record(pend->buffer, &edns);
 	}
 	memcpy(&pend->addr, addr, addrlen);
@ -1293,7 +1303,14 @@ void outnet_serviced_query_stop(struct serviced_query* sq, void* cb_arg)
 	log_info("double delete of pending serviced query");
 }
 int resolve_interface_names(struct config_file* ATTR_UNUSED(cfg),
 	char*** ATTR_UNUSED(resif), int* ATTR_UNUSED(num_resif))
 {
 	return 1;
 }
 struct listen_port* listening_ports_open(struct config_file* ATTR_UNUSED(cfg),
 	char** ATTR_UNUSED(ifs), int ATTR_UNUSED(num_ifs),
 	int* ATTR_UNUSED(reuseport))
 {
 	return calloc(1, 1);
--- a/testcode/perf.c
+++ b/testcode/perf.c
@ -233,12 +233,7 @@ perfsetup(struct perfinfo* info)
 			addr_is_ip6(&info->dest, info->destlen)?
 			AF_INET6:AF_INET, SOCK_DGRAM, 0);
 		if(info->io[i].fd == -1) {
-#ifndef USE_WINSOCK
+			fatal_exit("socket: %s", sock_strerror(errno));
 			fatal_exit("socket: %s", strerror(errno));
 #else
 			fatal_exit("socket: %s", 
 				wsa_strerror(WSAGetLastError()));
 #endif
 		}
 		if(info->io[i].fd > info->maxfd)
 			info->maxfd = info->io[i].fd;
@ -260,11 +255,7 @@ perffree(struct perfinfo* info)
 	if(!info) return;
 	if(info->io) {
 		for(i=0; i<info->io_num; i++) {
-#ifndef USE_WINSOCK
+			sock_close(info->io[i].fd);
 			close(info->io[i].fd);
 #else
 			closesocket(info->io[i].fd);
 #endif
 		}
 		free(info->io);
 	}
@ -285,11 +276,7 @@ perfsend(struct perfinfo* info, size_t n, struct timeval* now)
 	/*log_hex("send", info->qlist_data[info->qlist_idx],
 		info->qlist_len[info->qlist_idx]);*/
 	if(r == -1) {
-#ifndef USE_WINSOCK
+		log_err("sendto: %s", sock_strerror(errno));
 		log_err("sendto: %s", strerror(errno));
 #else
 		log_err("sendto: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	} else if(r != (ssize_t)info->qlist_len[info->qlist_idx]) {
 		log_err("partial sendto");
 	}
@ -309,11 +296,7 @@ perfreply(struct perfinfo* info, size_t n, struct timeval* now)
 	r = recv(info->io[n].fd, (void*)sldns_buffer_begin(info->buf),
 		sldns_buffer_capacity(info->buf), 0);
 	if(r == -1) {
-#ifndef USE_WINSOCK
+		log_err("recv: %s", sock_strerror(errno));
 		log_err("recv: %s", strerror(errno));
 #else
 		log_err("recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	} else {
 		info->by_rcode[LDNS_RCODE_WIRE(sldns_buffer_begin(
 			info->buf))]++;
--- a/testcode/run_vm.sh
+++ b/testcode/run_vm.sh
@ -26,12 +26,17 @@ cd testdata
 TPKG=../testcode/mini_tdir.sh
 #RUNLIST=`(ls -1d *.tdir|grep -v '^0[016]')`
 RUNLIST=`(ls -1d *.tdir)`
-if test "$#" = "1"; then RUNLIST="$1"; fi
+if test "$#" = "1"; then
 	RUNLIST="$1";
 	if echo "$RUNLIST" | grep '/$' >/dev/null; then
 		RUNLIST=`echo "$RUNLIST" | sed -e 's?/$??'`
 	fi
 fi
 # fix up tdir that was edited on keyboard interrupt.
 cleanup() {
 	echo cleanup
-	if test -f "$t.bak"; then mv "$t.bak" "$t"; fi
+	if test -f "$t.bak"; then rm -fr "${t}"; mv "$t.bak" "$t"; fi
 	exit 0
 }
 trap cleanup INT
--- a/testcode/streamtcp.c
+++ b/testcode/streamtcp.c
@ -200,6 +200,7 @@ write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id,
 static void
 recv_one(int fd, int udp, SSL* ssl, sldns_buffer* buf)
 {
 	size_t i;
 	char* pktstr;
 	uint16_t len;
 	if(!udp) {
@ -270,7 +271,13 @@ recv_one(int fd, int udp, SSL* ssl, sldns_buffer* buf)
 		len = (size_t)l;
 	}
 	printf("\nnext received packet\n");
-	log_buf(0, "data", buf);
+	printf("data[%d] ", (int)sldns_buffer_limit(buf));
 	for(i=0; i<sldns_buffer_limit(buf); i++) {
 		const char* hex = "0123456789ABCDEF";
 		printf("%c%c", hex[(sldns_buffer_read_u8_at(buf, i)&0xf0)>>4],
                        hex[sldns_buffer_read_u8_at(buf, i)&0x0f]);
 	}
 	printf("\n");
 	pktstr = sldns_wire2str_pkt(sldns_buffer_begin(buf), len);
 	printf("%s", pktstr);
@ -381,11 +388,7 @@ send_em(const char* svr, int udp, int usessl, int noanswer, int onarrival,
 		SSL_free(ssl);
 		SSL_CTX_free(ctx);
 	}
-#ifndef USE_WINSOCK
+	sock_close(fd);
 	close(fd);
 #else
 	closesocket(fd);
 #endif
 	sldns_buffer_free(buf);
 	printf("orderly exit\n");
 }
--- a/testdata/04-checkconf.tdir/bad.badfwd
+++ b/testdata/04-checkconf.tdir/bad.badfwd
@ -2,6 +2,7 @@ server:
 	# to make sure the check doesn't fail on username or chrootdir.
 	username: ""	
 	chroot: ""
 	directory: ""
 forward-zone:
 	name: "example.com"
--- a/testdata/04-checkconf.tdir/bad.include-toplevel.1
+++ b/testdata/04-checkconf.tdir/bad.include-toplevel.1
@ -0,0 +1,3 @@
 include-toplevel: include.withoutclauses.*
 server:
    identity: "top 1"
--- a/testdata/04-checkconf.tdir/bad.include-toplevel.2
+++ b/testdata/04-checkconf.tdir/bad.include-toplevel.2
@ -0,0 +1,5 @@
 include-toplevel: include.withclauses.*
 server:
    identity: "top 1"
    include: include.withoutclauses.*
    include-toplevel: include.withoutclauses.*
--- a/testdata/04-checkconf.tdir/bad.include-toplevel.3
+++ b/testdata/04-checkconf.tdir/bad.include-toplevel.3
@ -0,0 +1,6 @@
 include-toplevel: include.withclauses.*
 server:
    identity: "top 1"
    include: include.withoutclauses.*
    include-toplevel: include.withclauses.*
 include: include.withoutclauses.*
--- a/testdata/04-checkconf.tdir/bad.include-toplevel.4
+++ b/testdata/04-checkconf.tdir/bad.include-toplevel.4
@ -0,0 +1,7 @@
 include-toplevel: include.withclauses.*
 server:
    identity: "top 1"
    include: include.withoutclauses.*
    include-toplevel: include.withclauses.*
 include: include.withclauses.*
 include-toplevel: include.withoutclauses.*
--- a/testdata/04-checkconf.tdir/bad.include-toplevel.5
+++ b/testdata/04-checkconf.tdir/bad.include-toplevel.5
@ -0,0 +1,8 @@
 include-toplevel: include.withclauses.*
 server:
    identity: "top 1"
    include: include.withoutclauses.*
    include-toplevel: include.withsomeclauses.*
 include: include.withclauses.*
 include-toplevel: include.withclauses.*
 server: identity: "top 2"
--- a/testdata/04-checkconf.tdir/bad.include-toplevel.6
+++ b/testdata/04-checkconf.tdir/bad.include-toplevel.6
@ -0,0 +1,10 @@
 include-toplevel: include.withclauses.*
 include-toplevel: include.withclauses.*
 server:
    identity: "top 1"
    include: include.withoutclauses.*
    include-toplevel: include.withclauses.*
 include: include.withclauses.*
 include-toplevel: include.withclauses.*
 server: identity: "top 2"
 include-toplevel: include.includetop.withoutclauses.*
--- a/testdata/04-checkconf.tdir/bad.include-toplevel.7
+++ b/testdata/04-checkconf.tdir/bad.include-toplevel.7
@ -0,0 +1,11 @@
 include-toplevel: include.withclauses.*
 include-toplevel: include.withclauses.*
 server:
    identity: "top 1"
    include: include.withoutclauses.*
    include-toplevel: include.withclauses.*
 include: include.withclauses.*
 include-toplevel: include.withclauses.*
 server: identity: "top 2"
 include-toplevel: include.includetop.withclauses.*
 include-toplevel: include.include.withoutclauses.*
--- a/testdata/04-checkconf.tdir/bad.user
+++ b/testdata/04-checkconf.tdir/bad.user
@ -1,2 +1,4 @@
 server:
 	username: blabla_noexist_user
 	chroot: ""
 	directory: ""
--- a/testdata/04-checkconf.tdir/good.include-toplevel
+++ b/testdata/04-checkconf.tdir/good.include-toplevel
@ -0,0 +1,16 @@
 include-toplevel: include.withclauses.*
 include-toplevel: include.withclauses.*
 server:
    identity: "top 1"
    include: include.withoutclauses.*
    include-toplevel: include.withclauses.*
 include: include.withclauses.*
 include-toplevel: include.withclauses.*
 server: identity: "top 2"
 include-toplevel: include.includetop.withclauses.*
 include-toplevel: include.include.withclauses.*
 include-toplevel: include.include.withclauses.*
 server:
 	chroot: ""
 	directory: ""
 	username: ""
--- a/testdata/04-checkconf.tdir/include.include.withclauses.1
+++ b/testdata/04-checkconf.tdir/include.include.withclauses.1
@ -0,0 +1 @@
 include: include.withclauses.*
--- a/testdata/04-checkconf.tdir/include.include.withclauses.2
+++ b/testdata/04-checkconf.tdir/include.include.withclauses.2
@ -0,0 +1 @@
 include: include.withclauses.*
--- a/testdata/04-checkconf.tdir/include.include.withclauses.3
+++ b/testdata/04-checkconf.tdir/include.include.withclauses.3
@ -0,0 +1 @@
 include: include.withclauses.*
--- a/testdata/04-checkconf.tdir/include.include.withoutclauses.1
+++ b/testdata/04-checkconf.tdir/include.include.withoutclauses.1
@ -0,0 +1 @@
 include: include.withoutclauses.*
--- a/testdata/04-checkconf.tdir/include.include.withoutclauses.2
+++ b/testdata/04-checkconf.tdir/include.include.withoutclauses.2
@ -0,0 +1 @@
 include: include.withoutclauses.*
--- a/testdata/04-checkconf.tdir/include.include.withoutclauses.3
+++ b/testdata/04-checkconf.tdir/include.include.withoutclauses.3
@ -0,0 +1 @@
 include: include.withoutclauses.*
--- a/testdata/04-checkconf.tdir/include.includetop.withclauses.1
+++ b/testdata/04-checkconf.tdir/include.includetop.withclauses.1
@ -0,0 +1 @@
 include-toplevel: include.withclauses.*
--- a/testdata/04-checkconf.tdir/include.includetop.withclauses.2
+++ b/testdata/04-checkconf.tdir/include.includetop.withclauses.2
@ -0,0 +1 @@
 include-toplevel: include.withclauses.*
--- a/testdata/04-checkconf.tdir/include.includetop.withclauses.3
+++ b/testdata/04-checkconf.tdir/include.includetop.withclauses.3
@ -0,0 +1 @@
 include-toplevel: include.withclauses.*
--- a/testdata/04-checkconf.tdir/include.includetop.withoutclauses.1
+++ b/testdata/04-checkconf.tdir/include.includetop.withoutclauses.1
@ -0,0 +1 @@
 include-toplevel: include.withoutclauses.*
--- a/testdata/04-checkconf.tdir/include.includetop.withoutclauses.2
+++ b/testdata/04-checkconf.tdir/include.includetop.withoutclauses.2
@ -0,0 +1 @@
 include-toplevel: include.withoutclauses.*
--- a/testdata/04-checkconf.tdir/include.includetop.withoutclauses.3
+++ b/testdata/04-checkconf.tdir/include.includetop.withoutclauses.3
@ -0,0 +1 @@
 include-toplevel: include.withoutclauses.*
--- a/testdata/04-checkconf.tdir/include.withclauses.1
+++ b/testdata/04-checkconf.tdir/include.withclauses.1
@ -0,0 +1 @@
 server: identity: "withclauses1"
--- a/testdata/04-checkconf.tdir/include.withclauses.2
+++ b/testdata/04-checkconf.tdir/include.withclauses.2
@ -0,0 +1 @@
 server: identity: "withclauses2"
--- a/testdata/04-checkconf.tdir/include.withclauses.3
+++ b/testdata/04-checkconf.tdir/include.withclauses.3
@ -0,0 +1 @@
 server: identity: "withclauses3"
--- a/testdata/04-checkconf.tdir/include.withoutclauses.1
+++ b/testdata/04-checkconf.tdir/include.withoutclauses.1
@ -0,0 +1 @@
 identity: "withoutclauses1"
--- a/testdata/04-checkconf.tdir/include.withoutclauses.2
+++ b/testdata/04-checkconf.tdir/include.withoutclauses.2
@ -0,0 +1 @@
 identity: "withoutclauses2"
--- a/testdata/04-checkconf.tdir/include.withoutclauses.3
+++ b/testdata/04-checkconf.tdir/include.withoutclauses.3
@ -0,0 +1 @@
 identity: "withoutclauses3"
--- a/testdata/04-checkconf.tdir/include.withsomeclauses.1
+++ b/testdata/04-checkconf.tdir/include.withsomeclauses.1
@ -0,0 +1 @@
 server: identity: "withsomeclauses1"
--- a/testdata/04-checkconf.tdir/include.withsomeclauses.2
+++ b/testdata/04-checkconf.tdir/include.withsomeclauses.2
@ -0,0 +1 @@
 identity: "withsomeclauses2"
--- a/testdata/04-checkconf.tdir/include.withsomeclauses.3
+++ b/testdata/04-checkconf.tdir/include.withsomeclauses.3
@ -0,0 +1 @@
 identity: "withsomeclauses3"
--- a/testdata/09-unbound-control.tdir/bad_control.key
+++ b/testdata/09-unbound-control.tdir/bad_control.key
@ -1,15 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDti51Z6qASvAjPFFhLLlq8BwtsnmfqMPMn57dKAghb4OifeL4G
+MIIG5AIBAAKCAYEAt/3PPZGM7eSdCnEQ04f6Y+Xnmp105gtxqoHxHfyGFG8ljNSd
-SLOE02/hKDkdkOvaUG2UqDNh2OoPTuJk4A+mG2LJoziFhHKlIebo9v2YiFWOBVtO
+T1hKBjrg1BRVszTg+Td5V+Y4vAHW25Etvuvg0DQBNDKtrMTTbTZKQbT6A7Xgyp42
-DWc3tXPT1IlSEN0xnAGelMmeLcPeCPe+A5IDlIHzF/+YiDgS38S9dL17owIDAQAB
+Oj8EyXFWs8BNx/joI1sAMUiCjPKpKAI5bIHV18It4n28MXWTVX5mfwcj82XPTQlO
-AoGAG3w/DatfMCu/nS5OdQx9BSqPgNbnUSqux9xA0fhgPTlN0T3oRtPcqa7JUDUW
+6OhTXtA45idPLFKkCp4H879EIfIo1sfk+OTLjoSNLXFN3BoI9CIT6WZKrY0pAieL
-PryI/a62ry+zGkw98N2AxolCZg3N7Z3vuRx2FMcKKNwpTzDmcZW7TmMk5FPof6gE
+jdotSlirx/UpwpojAp6IVxzjZ2PHnJZbBwHxVPYnysMogcKQ9CyL1jBT2phWVe2J
-PnYl/ff0w+kxqA+L2EexH3Xi6ApLSZcjyzKWj+dL2AuT9gkCQQD3dPitwITxgCAD
+YJFwwGgziJH5CJEGVgWkctEtguKubzSCIf9RuX6j/n32ZRtAechm2Oi2WwxGr9tF
-IaHw23e3FRkM/hw1Gp8bt6nbuxitVxxpO96q1EQ+fCy/mf0bMEJDp3xzMEIfP3r4
+uzLXgYsu/MQ+AhzcFP1MEGlyCkyL2fxgDry34Rq7RVQQL9PolhBYk2orYTlsjCVR
-GmNbaxa1AkEA9b8LeBLbQ2cm2+UMeUgygBsRirdUQ786auqH38Jbvi/j6S9sDl2x
+kGzXvpFIF8OPDEEsXz2TTM2nkiCla1GqsGXL3xuPFjGD+CEMI5jB7U+j1uL2+xb/
-q1vRtikEBZJWfkhsOzrzwFDKe1bI/EEn9wJAAzOwRA9JqRZPU7sLrWIpmmTbfh+L
+gVUMAxvpNHADcW1/AgMBAAECggGAFEXF8N25rniTCRR+KyB/aURqqXGR8MrwAj6B
-neRKSsGFoSI6n4ORCouLxgoZF/XjXldPvxpQwS9ZnOPy9xSLMsqknno0QQJAeDtA
+B7HMQDIi7Ap9LsHmnhscrKF08+Luqub+2r2GIMj/GIA9jxzET4x7WXoAAtpJBW6G
-IT8Yh6GwIWWu9KeeDY8wxe1sDLlCm4yjbZZpzGMh3rSU6XJtuqjxsW3fydoO9zn3
+7gh3x7LhitG13eMVrvBrAjE9ILx/L24Wblez8r3F/5+HHjqMClLd5We/NZ/j1Pax
-ugLdvvnIFxAexUwbgQJBANyM13xcObfUJOj9rjlGCh0CDh/04ONl8SH8HBnM8guA
+amup/WaJWc6dwDHhBcBhlJJeOd79LiJNdADuC+N3tnqd8wKanyBhwdELKCZCOEwM
-RJI5S6vBHweVRopEZcF1sQm6wMf3ej/sGkyyNvJxRkY=
+75mSvt6f1xnuWXnhpaBxhP2xVTzQUNz1jxA2j/ybDbnBdhjLn9QlBY604t8nwRz8
 dwCV6NRFbj85C1Fkw3FSzLSKzkzLGxYBvLpq6vjXiUHuY17bVDskCrgHOx/q0SXb
 ivPdmJWhThfPUMRgSTQXXvWpQfEdBP9FDXLFPN6yI9Xocxa4oaalNaK+xIJyXt9w
 ZkLb+ZB8+m4JqvgdrQiO0yEXM498aCdRfVnZV/e+GdbB90FW9SFf4/guca/I4SPD
 sFpA96LOyxkX4h5AQxyeoDDriKopAoHBAOEQXDMIXxp9gmkZNRo/mW7RvnmUyDic
 eCwCbcsLGjay/hKpyOTelXSF7bxdi6GuO5N9UWBQX2FK+//T/uT1kHjmUYTeLa47
 iSDJG73TT6ZSwI0D8Ak+4GEneS3xjldpPW1oFZt/kwuji6yfUFw6orsPa/l5Uf7/
 MCOzoFObtvDZKgd0BkBrQhlIG+u6jicrGfrVkCDX/ONqoQXr3a21b4nl52/r+ezj
 N2kKSQOTll5pUQ00+M0SPDwytFJbhbkTpQKBwQDRSCzHPTGVW5R+8BPQY2mRRyjp
 Pr1BmJXG05f2wjXeGhafWJ91RCwP7mOBbJDA15w3KoY9N64Rk6Mv5q0Ywwna7+Ea
 pTXCfzeuoC+sLL6llCA4kbpJsvrLAeCYyvMuiPjgXfDo2S8qMqAnZ+ZKD16OjBzE
 W6H2OI7Zmwjy7+C683Ac2kX+lIvbBeOu9oVtaSw/5nudScUi4njDz89Ha3g3j1AI
 98crCLQdjTO94d5k4Mx4FFVdbxPwSa5iZcHWo1MCgcAnHI25PKIyW09Xbk8BIb5L
 ON3uCQIGfIKRu1ZTK7nBebeXjLPhuiCk4EVhL6x9S2cFCYkjwLPil4JVggTQyy/x
 Iq1V9rpfhe8dqHVOtrMnx0e4+c8z/B5II/D2H/1JiXtoUOc4X6IxKpmyRPlVHcd7
 1IFCGGg8dSJrgeLBxNS05DhelTYk6b7R3+siOwhLHD1mjsh+PKqw5q3W9pdOgbJB
 d5eRpqOHHDFb6rKnkXVXMNwp/GOkV5/qIjGeAlOpxxUCgcEAlXLFB0Jbthy/3iXz
 AEz9hhEa1fVHkSA1VNalHkFx1jkrDn9q34LfNEE4LaQpeox9sadcVTr9wu97CSnh
 Ul11HDNQvIZd7ZaLXNhnMryBKByvJbZrIVX+YhnlGTdUkVae4xoyfxUY6TldxMYd
 XaW8EG9d25rT/dBFsn9T1KgYA2j0FqaIdVP+y1lZTggdIBSK1NbyT0/uxwqS0sID
 cyz7nDFrJfxK7iA4/yFmYaJ5/e/KE7Xxf9dilaUIMpwX3/6hAoHBAIYjfpbPfK21
 AwHgZiopxOODsjbMuO/f4VCaMhkt8bm7LRmbsNl/Sk9paTNKf20fttKLi2cSUIn8
 sP8iuwdrUNNhVd4cfsh+ncF4GitRs3WrZXEz8AB7m8frpzNr2pYcqVTPL8yl9i8t
 ix0XEoVwMWgFroWaN/G+ujEoPZUgXI9z5DuArkNOiLgbpcqVJ8e/+SWTeKILIkWT
 ZrFABevmFIaXSZLjI9Avk7cTqEKOVeZy9gag9lmbtVAzFFitdR4aWA==
 -----END RSA PRIVATE KEY-----
--- a/testdata/09-unbound-control.tdir/bad_control.pem
+++ b/testdata/09-unbound-control.tdir/bad_control.pem
@ -1,11 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIBozCCAQwCCQDd5/rocjG5vDANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+MIIDszCCAhsCFEm6EpzKglG+V66IyIlx6Q2y3y8nMA0GCSqGSIb3DQEBCwUAMBIx
-bmJvdW5kMB4XDTA4MDkyNjEyMjQ0NFoXDTI4MDYxMzEyMjQ0NFowGjEYMBYGA1UE
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMzA3WhcNNDAwMzI1MTMzMzA3
-AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDt
+WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
-i51Z6qASvAjPFFhLLlq8BwtsnmfqMPMn57dKAghb4OifeL4GSLOE02/hKDkdkOva
+A4IBjwAwggGKAoIBgQC3/c89kYzt5J0KcRDTh/pj5eeanXTmC3GqgfEd/IYUbyWM
-UG2UqDNh2OoPTuJk4A+mG2LJoziFhHKlIebo9v2YiFWOBVtODWc3tXPT1IlSEN0x
+1J1PWEoGOuDUFFWzNOD5N3lX5ji8AdbbkS2+6+DQNAE0Mq2sxNNtNkpBtPoDteDK
-nAGelMmeLcPeCPe+A5IDlIHzF/+YiDgS38S9dL17owIDAQABMA0GCSqGSIb3DQEB
+njY6PwTJcVazwE3H+OgjWwAxSIKM8qkoAjlsgdXXwi3ifbwxdZNVfmZ/ByPzZc9N
-BQUAA4GBAHpvcKqY48X9WsqogV16L+zT7iXhZ4tySA9EBk1a+0gud/iDPKSBi7mK
+CU7o6FNe0DjmJ08sUqQKngfzv0Qh8ijWx+T45MuOhI0tcU3cGgj0IhPpZkqtjSkC
-4rzphVfb4S207dVmTG+1WNpa6l3pTGML6XLElxqIu/kr7w4cF0rKvZxWPsBRqYjH
+J4uN2i1KWKvH9SnCmiMCnohXHONnY8ecllsHAfFU9ifKwyiBwpD0LIvWMFPamFZV
-5HrK8CrQ0+YvUHXiu7IaACLGvKXY4Tqa3HQyvEtzLWJ4HhOrGx8F
+7YlgkXDAaDOIkfkIkQZWBaRy0S2C4q5vNIIh/1G5fqP+ffZlG0B5yGbY6LZbDEav
 20W7MteBiy78xD4CHNwU/UwQaXIKTIvZ/GAOvLfhGrtFVBAv0+iWEFiTaithOWyM
 JVGQbNe+kUgXw48MQSxfPZNMzaeSIKVrUaqwZcvfG48WMYP4IQwjmMHtT6PW4vb7
 Fv+BVQwDG+k0cANxbX8CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEATI+xHWEiq3SK
 9Dw2FBiD7GPaaPAh/u5h+QxaLS9G5a6Djh6F9RT3To+gRVeiaAaIPg53asGM5TGR
 ojv9nI8cIvi3dL6VKhHSdomldFjfQYmF/uSKEYsHaggceGE/GsG8J8g79HXGRp2y
 m5hkACKFh5ZcSHeJBplv7agDbBZ6w5qQaY6QsnYLrAK7B3Jo1Xx+JEKzmgnp4TwV
 Ni4wezgLiG+buJ5lXEYr2Rm7HR/cxLRN7CFrpUoavFUvqLKNpXO8MJFx+BkO5/JT
 pgv0O/ll9aT+kuegUpf9kcUzhpsw1N4W/JzZOyJAdxrrQ88aNZm+7d433wDBt/WF
 BCV4d5wEASxfQALEQa+/1FebIsDfQyBAOHdTAVkupZ00oeNerKe+mHFmNjj04vn8
 LwGgVuADCBJVCDhEqHLEXUqiGeSHJhAJO9pjma7r7H81OtAs/xVC8j8hqe8wLBKg
 XNjWQ9QmNXt9VVQCMomro9lmoDozr9k1vsGtUsT3yQEAABQYwIjp
 -----END CERTIFICATE-----
--- a/testdata/09-unbound-control.tdir/bad_server.key
+++ b/testdata/09-unbound-control.tdir/bad_server.key
@ -1,15 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQC9hurNHBtB7QFEuPJOnCylUWUF2/US3v9yQQQXnstuXMQXRaq1
+MIIG4wIBAAKCAYEAr7FId+AlZUWP6MK9xfV0hJ9ooJdcL0sm9yZsWY4UYOlqcTGE
-1uviLmwaGurV9tngX59HITsBT74NQrtFKfEDLViLrm2arAM9Ozsn4tnv30HXPRDj
+Rah/XvQmsOaKcMg8Wof24LAvo2vmariBYZoS61AAi6MeHHrPh8M2ZDMZQgW4nZC8
-UOc1M05Q7UzjaSrOv+TkPEqyhtUyaP1DYo0bcmbxtSkYc2ZEWCwhPklUwQIDAQAB
+A0biro93nMLU1VxgycSVmj29p18IdNzsYWxC7t+/6AWQSlwD+9YFOYrVWQYxEcSZ
-AoGATjzZxN4ramWaNnJapJTX4U7eczK/0pB3xwSL2exVcjOdRzYdKH+WVIJxYb1m
+7gZqoh08mDsNRjnVs7nagPAbk/B9jj9zhvgp+0d5h25Ms7Td22t7DfsGlL8Ei3ew
-3/jNLFCNAeH356yxeevoPr73nG75YJ9I1ZWQWTnS3SDK6JD1+3pmAD0bQWFoitpf
+FwaqjThhhVHEVwARBLYGb2ZsZS5EMJv2W/V0k6yQZ+rV07+i0oZQ0cGxOuUy9TNO
-FoSH9H4X5gFB5vCZ99YVoYH1UXWPcgvUHwxz0voImt6lCKECQQD4YQ4A3M0+Ki8v
+7HfiI4ri2x26Wm0YH1qgK5miUIAkbL2E/iWVxMfQOdEAZuOmUpUFOFpm/XHL1/pC
-Hl+5FKULnS0UtBkweCvkF/X1zZRjjYr6hLnqldFkkgTBKWe17pUXX0nwRMbP1YZX
+yiqOb98jjLE93UoNPZdsjrbjfQ/WPkap+vtigVZJJPet6F9x4S5XvrhXkV2JWIYM
-i+vDq5JNAkEAw1eYsmC0nVAMawo57N6LYavGv/n5u1cvpTpKDtn4cXH0Uqq13Kyu
+vhnrs9NpveCOe1lcxNVSsIAtMxsZKi2dIq+mRhfm9/UGoOmj8UxIQUepJJv1IHcd
-2FUTzan2NhCEK78UzbWaeewBJmxYda1+RQJAdShKk6uTAEyjnwUjv8h2JWlJN2fQ
+ASWkTAMmUSyF7z7DAgMBAAECggGAKwY+GeURI1C6oiR2drDaPNQQuir2zzoXK7UE
-LeWxRlDrCruiz+aW9J4gl/99GoQpy/c83TshhjnDRZsbcDNWv/rXBZ/rTQJAFQva
+GZY6lVTz1Q5sNubBck5V30JFqsLOTNk48uMSd3Gn9oCCZpVlhqyLxaZHbHACvFto
-CtX6f7yBKgM3DHtJvyM3zbVMH9Ab9QxbsE/xwZ9KeKGl6Hm+eNZpxM3cFiUfaGs0
+yXbd+5YNFMDp2d+VCWxmvUPU/P7nUOHMRP5ToFYcawni9SSe64Jtq3MZV6xa6WQK
-/ZjkZOB1m0MvILaplQJAXC3PJ/E+87banGZRJl5qtS6/HoX5lH9TPkL8Essy7ANO
+2YGPJ4Llp1U+4NQ/br28JgdoA8eL9rxPrv2ds0fUZ25Qa0AAf+GL+Edhjyx+nAoh
-2BT2OTQawD1A+VKIrQHXs085Of8tQUfrfHHt7s3Kqg==
+E1Zi0TBJ+6FuxOTEBVtGPnC8pRWFrYDfiMX4y8qkbbanAQCNgLn0PC0JdKpFAtk/
 hnpGsZ4/oh0D3ogi6o5Xnn9Gl5+1uqqaEs/n6A4kojcJ/Z0uO7zJultSUDeggbA9
 VoTQucFY1Cqj68d56Rf3kS5FGgAOx7Q6LVCIH7C9+bfs7N6z/2zl6sF72ey88kpK
 ZxsPjGUw2OHnwdrkfZHVMjiNUgrEH+KYe8EVmoBxoafGvxcs9mppqeczP3zbf5WX
 8LBLQcIqNaSWAsuKQbJTNsbKEIT5AoHBANcs1QPluTGTY3BXvGMwjl3dDyf1h10u
 iaGi1tDB60YtF++RnwOl40Zi1Gu8GqmmzY9j32EG5moRO6IhuZ2U+lZcK/AiwY00
 +4hnzc0hBInFlq3lLRa6zVj4rEeQJxuKXykJGLQyKtSqtppcAo7hWE08ZZ6DlnvP
 4o4R9ii6gCZcajhr5Bh9FxZOHv+5gMRzOVWmMF0JSjnVToCi0UUY6b3roRdH/U+M
 3EOVCOUT1WE7cGuZffkcQ3jQEsC9zRHFFwKBwQDRBsKIfm0FMjP2Z0aQDpHO5wR6
 Vcjw2kmVukTPqlYPcDGaYbUVuQJIR7+ffd8xk0YbIeOfO/bXGngLAjKSGz20JIIW
 E/B5RkVycwjD/WeD5NMvKc3NaiT3aiXmnwz1YUzxDHByAtskAKsoXE/GIsyVCbV2
 vDaBn3MCywTvcC9RR4KYeTepKMvd4N8KLgP9n/+hKd1ElsBVnPJUyYabmaOC1tpx
 DUyWu3dbhKBKcfEcyt1+YT1bPrfRnG9oxyRStzUCgcA8R9sFVH4lXV0mQ+4K+7dm
 pF9yml5pxHfaSHxVz33SEx/5hZo+s2KQfW91HyV5EbnUye3yiLRUUq+aJEiT1QCs
 4PWOOK5wmL8+35XQOcfDsQ8deG7BR2Pv4PqiscfC92jhXiMFmGhXW9v8Mnqk/Ix4
 VstBNSwbU4nssyt7DYSJOqqnU9J66dBl90zH53gjkQQm8n/qEIgy24c6kmJ+MRSK
 mFBw7UIR3yx14nKzenL04moEOuQHvdtJJUGbrZCdwdECgcBCra9cr0fDwpIE5kkC
 J0OoBtXM2JSzEE8s7jCJNkMhxZ5tKwIDHfN2bzzXeeW7AMn6WcMsxoolcBIfIOJU
 7U+vqX294Tpy1VHOApgnPSzKTDJ59xHplxSXwEq62L3fgNx0gI1WMUcKoxP2Wgww
 nmU4ndI/QCb7Dow3td+rKdROT0t/rBtvYM43x0YfDzLCs0luddZZzOUp6lj7ZxYD
 iO06DaO9MIrgAok+rn4bgWFy19v0NrzF4KnuucJoYC5cHIkCgcEAzG+0oppa1L+e
 Tw+511VtO070XJ0Kx4DNKjP2F5nFSqTkDAyEEiLoIArO5dYGG5nHy3lXSoj+wvOe
 1+3KTZPeFA7ZByceehFXrULT4GbHwbsimzLWBXAF2Dgzb2OZYMnKuFR/tjlW0+vP
 OP86cEkQXNJm4SsxxeFjJAcxxif305OzgL8oqndOsohopB+XCbKUP231HBMGJ4MR
 EljQHXm63wWWiBUmrX0ZYzWkX5KiAbDlfhvde80fKsDOUrzZfoBw
 -----END RSA PRIVATE KEY-----
--- a/testdata/09-unbound-control.tdir/bad_server.pem
+++ b/testdata/09-unbound-control.tdir/bad_server.pem
@ -1,11 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIBmzCCAQQCCQCDugnhq8B6LzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+MIIDqzCCAhMCFFzmVNbhjiApmjK3VeO/j9TBp8yOMA0GCSqGSIb3DQEBCwUAMBIx
-bmJvdW5kMB4XDTA4MDkyNjEyMjQ0M1oXDTI4MDYxMzEyMjQ0M1owEjEQMA4GA1UE
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMzA3WhcNNDAwMzI1MTMzMzA3
-AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvYbqzRwbQe0B
+WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
-RLjyTpwspVFlBdv1Et7/ckEEF57LblzEF0Wqtdbr4i5sGhrq1fbZ4F+fRyE7AU++
+igKCAYEAr7FId+AlZUWP6MK9xfV0hJ9ooJdcL0sm9yZsWY4UYOlqcTGERah/XvQm
-DUK7RSnxAy1Yi65tmqwDPTs7J+LZ799B1z0Q41DnNTNOUO1M42kqzr/k5DxKsobV
+sOaKcMg8Wof24LAvo2vmariBYZoS61AAi6MeHHrPh8M2ZDMZQgW4nZC8A0biro93
-Mmj9Q2KNG3Jm8bUpGHNmRFgsIT5JVMECAwEAATANBgkqhkiG9w0BAQUFAAOBgQCy
+nMLU1VxgycSVmj29p18IdNzsYWxC7t+/6AWQSlwD+9YFOYrVWQYxEcSZ7gZqoh08
-zGMW35/9xXoEWsuLFWUOaEKVq5DXuXtXbcMpDW6k2ELoraa305vh7Zwhj5JSqfcm
+mDsNRjnVs7nagPAbk/B9jj9zhvgp+0d5h25Ms7Td22t7DfsGlL8Ei3ewFwaqjThh
-O0xyqIzXvz/cYdyOTgEkdMDZ/EvQsxKTwvj6eA4614yB1r3Ju5eZd4Gpo6BHhSpu
+hVHEVwARBLYGb2ZsZS5EMJv2W/V0k6yQZ+rV07+i0oZQ0cGxOuUy9TNO7HfiI4ri
-oqsrr0duJ+JOANTyaBplIxM1sjHbR4FGtmrFknBYBQ==
+2x26Wm0YH1qgK5miUIAkbL2E/iWVxMfQOdEAZuOmUpUFOFpm/XHL1/pCyiqOb98j
 jLE93UoNPZdsjrbjfQ/WPkap+vtigVZJJPet6F9x4S5XvrhXkV2JWIYMvhnrs9Np
 veCOe1lcxNVSsIAtMxsZKi2dIq+mRhfm9/UGoOmj8UxIQUepJJv1IHcdASWkTAMm
 USyF7z7DAgMBAAEwDQYJKoZIhvcNAQELBQADggGBAG+IhOsdEiaVCOB8PBRGJQ8F
 /kyeQOtE7pPPkH57qYwAW9cxdSoiIxrvase30IGLWmOzjiAc/igf1qz/bVpwFXQr
 XohzyeQJ2znlGzUbo67c8rocvWxHzvZwFuQEysJp/E9ft5kiWwoU/xVpoK5p9sxW
 zRTTdpA24x6rqvk1ZFzwWGSg0yhjOYfwvwg3kGCbwe3GzAk1J65E+uJPFoLySbNL
 p3eUDA2rUKDjVobJOEhtV8k/l+hB0kKwiz/A2sbMT/OoByWMNFKSkmDbNi5m5gJH
 FHsZsucbL6ppLy7fmOiPlx6xejbiTR3uAn0aQImdHA5kyfAXLKhTkyYdjWHiHqdQ
 XMxi0Ci7/HO9mRupbcjRZEPs//ozMxjOAg4VNasDLdnDI4EKrClqYPjsfoXXXiZf
 YTPH9QypxJFGmGEH865BNacEjDBeag8ck1ZTiK/GlrAJMqfV5/60GWBGRQVV/Tvd
 WXWY2x0gVp2fxtxF8JCvHKAcfUg2+LrUS7fbMx2Niw==
 -----END CERTIFICATE-----
--- a/testdata/09-unbound-control.tdir/unbound_control.key
+++ b/testdata/09-unbound-control.tdir/unbound_control.key
@ -1,15 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
-rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
-ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
-AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
-WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
-DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
-4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
-Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
-p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
-P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
-aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
-YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
-DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
 lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
 tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
 U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
 Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
 Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
 ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
 1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
 b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
 ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
 TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
 tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
 aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
 A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
 LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
 R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
 7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
 7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
 jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
 BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
 kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
 qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
 VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
 MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
 C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
 -----END RSA PRIVATE KEY-----
--- a/testdata/09-unbound-control.tdir/unbound_control.pem
+++ b/testdata/09-unbound-control.tdir/unbound_control.pem
@ -1,11 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
-bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
-AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
-6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
-qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
-J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
-BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
-9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
-iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
 TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
 nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
 +i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
 4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
 hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
 9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
 ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
 pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
 72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
 muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
 uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
 -----END CERTIFICATE-----
--- a/testdata/09-unbound-control.tdir/unbound_server.key
+++ b/testdata/09-unbound-control.tdir/unbound_server.key
@ -1,15 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
-3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
-RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
-AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
-6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
-sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
-XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
-fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
-CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
-0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
-oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
-In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
-LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
 WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
 O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
 IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
 qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
 dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
 bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
 YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
 7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
 gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
 5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
 ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
 oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
 s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
 zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
 ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
 oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
 BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
 mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
 kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
 7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
 RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
 jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
 O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
 MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
 -----END RSA PRIVATE KEY-----
--- a/testdata/09-unbound-control.tdir/unbound_server.pem
+++ b/testdata/09-unbound-control.tdir/unbound_server.pem
@ -1,11 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
-bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
-AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
-y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
-/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
-g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
-9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
-l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
-Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
 +nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
 XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
 dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
 84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
 JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
 fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
 XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
 qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
 sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
 yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
 CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
 -----END CERTIFICATE-----
--- a/testdata/10-unbound-anchor.tdir/keys/test_cert.pem
+++ b/testdata/10-unbound-anchor.tdir/keys/test_cert.pem
@ -1,15 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIICWTCCAYKgAwIBAgIJAN5YIkuCvJf5MA0GCSqGSIb3DQEBBQUAMCYxDjAMBgNV
+MIICZDCCAY2gAwIBAgIURC8vM7SbxPTMmosTyBzLlqxgsUAwDQYJKoZIhvcNAQEF
-BAMTBXBldGFsMRQwEgYJKoZIhvcNAQkBFgVwZXRhbDAeFw0xMzAxMTcxMTUyNDVa
+BQAwJjEOMAwGA1UEAwwFcGV0YWwxFDASBgkqhkiG9w0BCQEWBXBldGFsMB4XDTIw
-Fw0zMjEwMDQxMTUyNDVaMCYxDjAMBgNVBAMTBXBldGFsMRQwEgYJKoZIhvcNAQkB
+MDcwODE0MDk0MloXDTQwMDMyNTE0MDk0MlowJjEOMAwGA1UEAwwFcGV0YWwxFDAS
-FgVwZXRhbDCB3zANBgkqhkiG9w0BAQEFAAOBzQAwgckCgcEAuPBoYZiFOuk2SnN0
+BgkqhkiG9w0BCQEWBXBldGFsMIHfMA0GCSqGSIb3DQEBAQUAA4HNADCByQKBwQC4
-IsheC+W7JvAJcv8tksyz/hgAnqStDnDrQ4trF607aCQ7xjj2fSAqpiMvLv0P3Ctu
+8GhhmIU66TZKc3QiyF4L5bsm8Aly/y2SzLP+GACepK0OcOtDi2sXrTtoJDvGOPZ9
-rcTRHmRXApS3GBf1PjWqoxMK8JBxCIHN4PKpyq4czOtSPH6AFlU+3KsRRwymLgpT
+ICqmIy8u/Q/cK26txNEeZFcClLcYF/U+NaqjEwrwkHEIgc3g8qnKrhzM61I8foAW
-SE15NYv/2M6Z3/cL1SkOdVvVDrZv1gO4OCAxwrgI6HMsjQtwe16mGsBQzrHTCOGV
+VT7cqxFHDKYuClNITXk1i//Yzpnf9wvVKQ51W9UOtm/WA7g4IDHCuAjocyyNC3B7
-u4QtISEUDrwZL272PFsZrEpHXd9LtSpqCEoOMujr54pKxBEJAgMBAAGjDzANMAsG
+XqYawFDOsdMI4ZW7hC0hIRQOvBkvbvY8WxmsSkdd30u1KmoISg4y6OvnikrEEQkC
-A1UdDwQEAwIChDANBgkqhkiG9w0BAQUFAAOBwQCaA3ys5hDPMNV1oXIxH6u2KfAX
+AwEAAaMPMA0wCwYDVR0PBAQDAgKEMA0GCSqGSIb3DQEBBQUAA4HBAHX0rIirg2Rt
-C9tYJId/SR0x8whsZuNaSEZAgImdM5dnyWdjey8Pio772E9/F2aUBGFkdadZx4My
+rp7BnR3riq81b0cWm4Y/UUdGmLtbPTJLuZogfLZhb9hf+185ub/8ZbuwuUFaiUY
-d7hBfEi/NECEKs86k9g0ijbin41NKtnajb6GwyNQ9vDx7Z5FS8BZ3CD0BZIdCQUE
+zEcAjaOlPjBeRbNku1xnAVhlgtCIsCOyI37Ey+65OuJxL+0Rpwsyfh0WuR8SdBE5
-gKuDSWBROQU3tqrjdk2QTwGQkj2mgzT871Jn1MwZw0mczPjS1y469Ejym8wi3uCd
+OdJ2DuH2yRkTd2JEsNi+DZVIEeaKwXtLGUvsqYWu0GrnXORwGsezfiLM4uAJW+tp
-EboDOoGBCpmUQbxBv6JI75cUCdmNNEwjQjZ0XQw=
+VA95CKpfS98l1MJIHtlcpffAjfRVZAJnGcXv+P/DtefC8aNukoiqvA==
 -----END CERTIFICATE-----
--- a/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup
@ -46,7 +46,7 @@ CLIENTNAME=unbound-anchor
 DAYS=7200
 # size of keys in bits
-BITS=1536
+BITS=3072
 # hash algorithm
 HASH=sha1
--- a/testdata/10-unbound-anchor.tdir/keys/unbound_control.key
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound_control.key
@ -1,21 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIDfAIBAAKBwQC2p0MTVVEfvOpaWlI6rLKGxaHfw/4JUxXCwDHRkkyB0hkISRMx
+MIIG4gIBAAKCAYEAzDESJ2lpIno7KpSrYBeBshT8H5dbtNF9rVBONsCmwSSqclLR
-8imB+io0aY2Uck9zl0BTgPaKtFeA0+lukZk75keOuATPFZwbCGs+6Tx5AoN4+NzI
+ixZ62OKrUKMVCEpZ0zj4yZOu3DGTfL9V9pEk3dCD8mFmylidYeLh5GHGMcDVWOzD
-aVay5AuO8E1u6AVdmcAqByP+R92yz5f3T93/cSsYzqPZ6Y1wO9sabtrkGTYwnfMg
+VPsnQ9y43KWYeURpGy4QSCxYDb5rrPysleSZwuN5D4lbs/AKdpubAHj6z37Zbrs2
-nSttyvlBIhRDWbEO+rWL2CCi0JtrnpiK8sa2ysQCq9Y6ZiGjT9PEWIZwkxQ6y5TI
+GjofHp6TaD6ck7jyRXDtqShrnsVXq9U1CadYDOPiE4aZ1TvusRzhhjmDm8GQXalr
-WVtyitoknpDheZcCAwEAAQKBwAgeXSPh2e5ANmZ3t0n2XSUSacSJcKQ3djMm2dAH
+tIBJ5j5EcmRamFhONGLshfj5ECZrKo9L17kOd8PyRMaXNfvl2tpx1qtMxmp7FDpb
-4bCvhv9QSDMjIWcumGul+W4Muq1XnrtXcx3tMCqAwNJyVE5OSQX19fjCbCLjd+je
+oGGIzP7F7hyaWMI/zAzkTMAtjGkAJWqHgTbSfvlVul23RLvovM3fD/ZiugBuTWY/
-8xop23AoF6As1nazHjRnR/nTBD7QNx2xbaW8RNbaGpTe2G2lpdbg9myRpyqiB8Pk
+CRpmN7CQFFV6iFyLGjRp8vV7BojUIQX7is8QTxSqW12SsElMXOuUmcCnuIaoGF4n
-73x/AQcPqm4SHBJS+kU/Q9k9yZRHGQ/PhYlvAmY0SCndew28Pcs+IdCI32k7e/aP
+AoG6vNLFECtSdLTjQ0uXawIp7dOww4zS8j1/dZzXsVF4G4V7GjeWD8eX7n+HNWoc
-SCEQvVqKeIiSJ0Zj8RSk8Pz1cQJhANtNsvcEa2V8NxI9yL2zwvBXwoBuU+d9Pszt
+3ojjuYzbWfWvLIQbAgMBAAECggGANUTD8KYuOEFc+BHK14mqWxPgZjltQjG4sKMX
-Ooqc/kmvU0FV06HgiIPtTSoHLI7Zh9h5Xn4DFGmtS8WeGhwSVCN1iwcW9F2ldgAw
+lG8T0aVIFgUHB1r492XCvYmd7gi/gDwHo0a0wlromA2uVmGtFXTVR0EjuLv/as7u
-LXcoXjEK21KXYFNAYeo07vul/Ly/yQJhANU3lM8hAqq7FB4R5zgUCcp08FOVA8tl
+kU70jnw47DbwClZu+uQ1EdLdgR1Ysi+FLd7rpcI8gudz+rKlblM7fNMfqkR/5ktX
-kEK1JoAdfp6Wv4M2xGJ6tmKcf92r0F8zBDV6oZX/dtPwFzWhBZUi+zaA8PcEqbwt
+13q4K7Ny89FBHvx0q99Ao1xaKquAAJ+iUJPr54KiCYDYkkkmzk4Q53kg3qEA9xGK
-CJtmM5ycoX6kkkIfXtAVNZiTIYHn01beXwJgQBFA+V03KtzREeku3gzIJILe9bpF
+wCJ29AY+LEELiQ5CuR8baiBGBiJa5QegeThbQox0jBlezNWAMOg1seCchpbZ4tHm
-lNlIIYIkmh4nQ8uOnQW/4AjCmRgYdPDHmav/PcSnUFUB/6V6/26i3hSUtA9A4H9a
+zuM+IRjZ9GRgkxNctQu8nx3Z6QcClpNFW2WfdThI4nzjqvE9C2nQBR+i/a+v0D90
-QIl4IbHxdmA6tEUhsc07fNbQRCXWs3nYjiPRAmEAjDe4MhsYYOUUzs2hTFzJL46F
+bX3LbCcPBE5Hr6sdI+pSQ0C3eFOuGZaCdfRxVs6ymWti3STdlMtTgaEOsCswmU0e
-ucHGtA0/uM7e2eQLsAmdOpJaxhTDOsiGwmXKa8DmJLFX8IgHQkujR850GGbf5DEZ
+DasWVYbezyPHImb34r0/q1ux4BZkxon1AqjLLYOCF5LQ91v868jdwOIITGL3gviN
-xqkXYrwO6/tjN7w97EYYNUniFV/NVmBz6bVmY7trAmAvvg7MoBlb/o6nwoCQqnUM
+/TYW0ObbJ3Szav860B9vlGUtG86JAoHBAPNcY2LLCVMWkzrsmkyLL8+MmF1dChsF
-QyjIy9A0t8+KHNMFSQwUldG+HIwiU4/7y2zCqBYJg8NOjrdj/3+73A24rP8wRp15
+/rVt8QIiiStZkV2q3f3F522kVVvH3dYwh6MyzBNPFBAAXHmaY2IjczL3gKWEz0OA
-zqQCS7mLLWmYx7pWE1ZHN8eY3xGoHmr7LzlB+dzYG+w=
+YlKv5+KoEBlRtonJIHSs6GCjdnl6EJ9NyF8NHq/tgpab326Dpb7RyXzMv2EZV5uY
 kp3WVqJZONa1xEHYud9SOA7TA3X/7td7bC49b07n0SidH2N93ZZMd+oApjsHx97q
 9J1BxCbaJdPX7mK15pPPWD7vPZqsxyeSjQKBwQDWy+hH1jrr26UUAdIq6SgQxPXh
 Y2+epVbHGD0UK51Io0rAg0m3Nlaxr28EPc/MLfjwzwPs6cHdM1j1FMqwGCYiO8mw
 CV+XqPVDc6Xqzklf+awMqhn71j+M4Y4Dr6K71fXQ9ek5X+9I47I6iuVLOOegLm29
 qSlg/x1fOkQUKnJNQw6aEJmPj7mi6q693E+oa6hzVO160AGe4tAJoidaR7ifwKU1
 ySOhXtugs2I2P7lc07UtkIwftiYS69d1CRE2G0cCgcA41hj4F8dDuoAEQQIAYnl2
 FbX4CCS2Dv5fzR9+iiZTE4YZxDA4dqIIP1sYJmOvBIKJIPH8iHl9CziNxfr0Dqd2
 /crz3UKy1ycffKnBi9LGtwjUwT5tQXy8JTEkSdfb/MSRPnUuTWA0YI8cNm7dVA2k
 sgT4XnzRgB6t8kMlg4T80FLXthAjEga5n5qtUmqrtM2dNwfp+8YjoB6Wk+zOj2lq
 I2CvZK/PZjxfBd8T29r90O6B603As6o+eI2AtF2G5nkCgcAuhHBkhleyVpoUkCRk
 2KOtpgod6rv0npgBfBVWNe/VGFALCyO+wszZpEWlpIFJFbew5xRRjXpHnmQoh30x
 z7kKdupB7nW+UX/0QKpxBIXNfDOvdnM0H/0ZVIu97p6OkVKwE2GT5Fvc7DrgBM6N
 kOBQx11K0sS8VeOViPfPajXg16Hk6a1n8tdgGfUH9xtlPRN5Dq5zh3KiZzpoq65c
 FeY86qqc0FegDfwAfHjLiNdq7ApzuLcv8vGh7WN23CTXE+cCgcAhhnUawfKcOvwh
 3+Tt+vX6dBU7x+JVUiaI27zirE4dbKAsNN8MY7hT5pEwYYArtS9szWqmce3VT8dN
 t5kJdn0ZLh4tnZcWd8z+xTXjgxgKeSqoUqPjOd9V8f4ceiPeLGnDV/6xPiVdCrHi
 /R/fLidzApQKg7kGDyB1IX0gW+9mT24/zD+M52TjRdmYL6E7/1nZlNlr2JWfIdb+
 RLg/+EujuZo36hR59XQVEnvuhZFQ+MQeHC82yP4gjG0ADpLQ3cY=
 -----END RSA PRIVATE KEY-----
--- a/testdata/10-unbound-anchor.tdir/keys/unbound_control.pem
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound_control.pem
@ -1,14 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIICNjCCAV8CCQCbt2WrJa/ewzANBgkqhkiG9w0BAQUFADAmMQ4wDAYDVQQDEwVw
+MIIDBTCCAi4CFG36qDt2k02biKtMYGtLy9khnP+eMA0GCSqGSIb3DQEBBQUAMCYx
-ZXRhbDEUMBIGCSqGSIb3DQEJARYFcGV0YWwwHhcNMTMwMTE3MTE1MjQ1WhcNMzIx
+DjAMBgNVBAMMBXBldGFsMRQwEgYJKoZIhvcNAQkBFgVwZXRhbDAeFw0yMDA3MDgx
-MDA0MTE1MjQ1WjAZMRcwFQYDVQQDEw51bmJvdW5kLWFuY2hvcjCB3zANBgkqhkiG
+NDA5NDJaFw00MDAzMjUxNDA5NDJaMBkxFzAVBgNVBAMMDnVuYm91bmQtYW5jaG9y
-9w0BAQEFAAOBzQAwgckCgcEAtqdDE1VRH7zqWlpSOqyyhsWh38P+CVMVwsAx0ZJM
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAzDESJ2lpIno7KpSrYBeB
-gdIZCEkTMfIpgfoqNGmNlHJPc5dAU4D2irRXgNPpbpGZO+ZHjrgEzxWcGwhrPuk8
+shT8H5dbtNF9rVBONsCmwSSqclLRixZ62OKrUKMVCEpZ0zj4yZOu3DGTfL9V9pEk
-eQKDePjcyGlWsuQLjvBNbugFXZnAKgcj/kfdss+X90/d/3ErGM6j2emNcDvbGm7a
+3dCD8mFmylidYeLh5GHGMcDVWOzDVPsnQ9y43KWYeURpGy4QSCxYDb5rrPysleSZ
-5Bk2MJ3zIJ0rbcr5QSIUQ1mxDvq1i9ggotCba56YivLGtsrEAqvWOmYho0/TxFiG
+wuN5D4lbs/AKdpubAHj6z37Zbrs2GjofHp6TaD6ck7jyRXDtqShrnsVXq9U1CadY
-cJMUOsuUyFlbcoraJJ6Q4XmXAgMBAAEwDQYJKoZIhvcNAQEFBQADgcEAhc3wYcbD
+DOPiE4aZ1TvusRzhhjmDm8GQXalrtIBJ5j5EcmRamFhONGLshfj5ECZrKo9L17kO
-Uu9Osbu3bhbxLCkhedq/3weEO8RDU3AyB8diioAikagIOb99UeVE3WIds+JIPD6J
+d8PyRMaXNfvl2tpx1qtMxmp7FDpboGGIzP7F7hyaWMI/zAzkTMAtjGkAJWqHgTbS
-mK5UvS+lPR8SEOMRd0H91bEEp1Zn+gHAS/Z7k/x9t38Xk1N0jOnElc6n4vl42KLO
+fvlVul23RLvovM3fD/ZiugBuTWY/CRpmN7CQFFV6iFyLGjRp8vV7BojUIQX7is8Q
-z2laJWcte7YXjzFjaNxP9fsGgEx1vRxcjtpXQWSY+oj+RVm5kRs5WKX5MCyD/p+y
+TxSqW12SsElMXOuUmcCnuIaoGF4nAoG6vNLFECtSdLTjQ0uXawIp7dOww4zS8j1/
-Xitg7/a0ITKbW1GpVwaX6nPaeoze68m3qmy64l080XCna3igbhi3h2ay
+dZzXsVF4G4V7GjeWD8eX7n+HNWoc3ojjuYzbWfWvLIQbAgMBAAEwDQYJKoZIhvcN
 AQEFBQADgcEAPz9Iw956A8piiC5y3hJXAEJ0JYdNrpsgdj7n6iAXRU2EY+juzcKU
 D+zcNEcebQJJxayr4eEMfUOUO1wH5uPkWBhKOC/qm6T6i/+/xNsksOeHm12G4/vH
 VYPXTxMS+K+mz5HLmLcR0kuQMnCK22FFQj86fhr2vHBGHqINR6MxwvLCES37FWvr
 qVZSseK6/6IwRgsjN101JUpaSnM88cMDpuUcqQrAbSSBRKDvjYMkcYcYuvchab26
 G0jEU4KgxaOs
 -----END CERTIFICATE-----
--- a/testdata/10-unbound-anchor.tdir/keys/unbound_server.key
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound_server.key
@ -1,21 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIDfQIBAAKBwQC1xQ/Kca6zszZbcCtdOTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJ
+MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
-RuN+Rm304SonpwghfP2/ULZNnuDgpG03/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1
+0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
-QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ867K029ypjOQtAJ85qdO3mERy7TGtdUcu
+GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
-O6hLeVet419YeQ2F8cfNxn63d7bOzNGLPW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeU
+uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
-J/i4YDWexFYSL+ECAwEAAQKBwCLXXQl+9O+5AEhSnd1Go1Jh0pSA7eBJOuXQcebG
+WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
-Rb7ykp+6C4G2NtDziwwPRNdI6wQQQ0sym18RfyVQHydGr78/nbiIbB3HCn5e92Mh
+FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
-mefzW6ow9Kvm2txLzGKA1lvoyRbNm81jnG/eygi3u7Nqd5PNv+4dHj2RkTlmxOeh
+q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
-qnDMVP5md8uZPv6lYNnrnIzvLCR5vnPNdVwn89AqzI85IcDZdy0R9ZX4NBbsDgAU
+A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
-6ig6uXuRXvSGiyJ/OUXSrnogaQJhAOjvkHUhVZQkPOxO90TNH4j0GdKKtbSWxIdz
+7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
-lKfuJeBAEqs0TL+C6vbS81Xw3W1alyDdUBk3rJMOBqW6Ryq5HNL+j5H+Jfsh7fvc
+XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
-Yle+5wHGci0P9zCFZCrY8It7n9XFIwJhAMfEi6oJa2G8waPJ1bQhxka82Tf9pnKM
+iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
-XCn/1BBOFjVIx5F842cpA+zp5a62GENTGYPQTTRBB/2/ZwnW5aIkrlg54AtmbqBZ
+2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
-Oh+2kJdJQD/tfoVmc5soUE2ScTHadK5RKwJhAN4w9kjkXS+MSZjX0kIMsBIBVkhh
+MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
-C+aREjJqa9ir7/Ey7RvmLXdYuCxtGLRXp7/R8+rjcK49Tx6O+IRJZe042mfhbq3C
+WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
-EhS1Tr86f4xXix9EXlDhs9bSxrOgcAN9Dv/opQJhAK7eBcPaav0rVfYh/8emqQHS
+O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
-3fJ9Pu6WnzbEksWTFS2ff9KDGCx9YspIFJ5TF/oXDAaumGZdZrlgirm6O1kr8tGY
+IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
-F97i04PZl1+bWAaWQH+1TUNI43m2WFUPE7coG2tb8QJgcddDg9VlXliZqgcETZfJ
+qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
-kJmYETxrcSn3ao6v116N8yxhEgUgjkmsCTiFgx36iDVnXwK6PIt+sIu8MC7eYNa3
+dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
-berrv/M21K0LRn20IWRxvUobG070weHCAgkko7fTWgr2
+bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
 YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
 7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
 gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
 5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
 ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
 oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
 s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
 zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
 ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
 oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
 BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
 mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
 kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
 7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
 RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
 jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
 O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
 MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
 -----END RSA PRIVATE KEY-----
--- a/testdata/10-unbound-anchor.tdir/keys/unbound_server.pem
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound_server.pem
@ -1,14 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIICFzCCAUACCQDO660L5y5LGDANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQDEwVw
+MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
-ZXRhbDAeFw0xMDA5MzAxMzQzMDFaFw0zMDA2MTcxMzQzMDFaMBAxDjAMBgNVBAMT
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
-BXBldGFsMIHfMA0GCSqGSIb3DQEBAQUAA4HNADCByQKBwQC1xQ/Kca6zszZbcCtd
+WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
-OTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJRuN+Rm304SonpwghfP2/ULZNnuDgpG03
+igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
-/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ8
+a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
-67K029ypjOQtAJ85qdO3mERy7TGtdUcuO6hLeVet419YeQ2F8cfNxn63d7bOzNGL
+4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
-PW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeUJ/i4YDWexFYSL+ECAwEAATANBgkqhkiG
+aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
-9w0BAQUFAAOBwQBBkX9KDP2RXbg+xPmdJ4P6CwvA5x1LZwC++ydVx4NlvT0pWicD
+TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
-ZUnXjcWAJlkeOuUBAqFG7WHTrXpUUAjmdqFVq2yFjteUYBdrFz0RDB2jM9feeKYO
+uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
-mTgxdZyT9a6humxCxt5VfgT02axLjm/2AqCyFPMbf4PASoJDln01AEuZLZ8Xl2gV
+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
-bYHMnHTGoD1Hu6FNEzRgkMC6XT8X3YjHvzQhpc/qL5wEfEsinQGdX4twsuWbf8xd
+XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
-q7miNnkO8vd0maw=
+dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
 84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
 JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
 fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
 XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
 qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
 sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
 yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
 CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
 -----END CERTIFICATE-----
--- a/testdata/ctrl_itr.tdir/unbound_control.key
+++ b/testdata/ctrl_itr.tdir/unbound_control.key
@ -1,15 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
-rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
-ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
-AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
-WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
-DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
-4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
-Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
-p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
-P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
-aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
-YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
-DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
 lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
 tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
 U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
 Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
 Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
 ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
 1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
 b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
 ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
 TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
 tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
 aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
 A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
 LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
 R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
 7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
 7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
 jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
 BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
 kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
 qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
 VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
 MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
 C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
 -----END RSA PRIVATE KEY-----
--- a/testdata/ctrl_itr.tdir/unbound_control.pem
+++ b/testdata/ctrl_itr.tdir/unbound_control.pem
@ -1,11 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
-bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
-AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
-6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
-qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
-J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
-BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
-9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
-iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
 TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
 nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
 +i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
 4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
 hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
 9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
 ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
 pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
 72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
 muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
 uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
 -----END CERTIFICATE-----
--- a/testdata/ctrl_itr.tdir/unbound_server.key
+++ b/testdata/ctrl_itr.tdir/unbound_server.key
@ -1,15 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
-3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
-RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
-AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
-6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
-sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
-XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
-fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
-CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
-0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
-oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
-In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
-LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
 WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
 O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
 IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
 qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
 dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
 bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
 YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
 7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
 gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
 5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
 ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
 oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
 s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
 zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
 ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
 oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
 BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
 mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
 kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
 7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
 RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
 jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
 O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
 MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
 -----END RSA PRIVATE KEY-----
--- a/testdata/ctrl_itr.tdir/unbound_server.pem
+++ b/testdata/ctrl_itr.tdir/unbound_server.pem
@ -1,11 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
-bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
-AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
-y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
-/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
-g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
-9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
-l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
-Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
 +nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
 XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
 dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
 84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
 JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
 fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
 XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
 qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
 sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
 yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
 CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
 -----END CERTIFICATE-----
--- a/testdata/ctrl_pipe.tdir/unbound_control.key
+++ b/testdata/ctrl_pipe.tdir/unbound_control.key
@ -1,15 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
-rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
-ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
-AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
-WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
-DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
-4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
-Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
-p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
-P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
-aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
-YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
-DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
 lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
 tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
 U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
 Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
 Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
 ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
 1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
 b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
 ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
 TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
 tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
 aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
 A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
 LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
 R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
 7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
 7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
 jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
 BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
 kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
 qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
 VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
 MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
 C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
 -----END RSA PRIVATE KEY-----
--- a/testdata/ctrl_pipe.tdir/unbound_control.pem
+++ b/testdata/ctrl_pipe.tdir/unbound_control.pem
@ -1,11 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
-bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
-AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
-6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
-qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
-J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
-BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
-9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
-iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
 TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
 nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
 +i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
 4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
 hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
 9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
 ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
 pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
 72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
 muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
 uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
 -----END CERTIFICATE-----
--- a/testdata/ctrl_pipe.tdir/unbound_server.key
+++ b/testdata/ctrl_pipe.tdir/unbound_server.key
@ -1,15 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
-3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
-RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
-AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
-6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
-sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
-XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
-fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
-CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
-0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
-oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
-In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
-LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
 WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
 O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
 IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
 qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
 dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
 bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
 YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
 7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
 gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
 5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
 ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
 oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
 s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
 zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
 ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
 oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
 BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
 mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
 kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
 7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
 RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
 jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
 O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
 MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
 -----END RSA PRIVATE KEY-----
--- a/Show more
+++ b/Show more