diff --git a/doc/Changelog b/doc/Changelog index 446bc6f5f..7e92f5d8a 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,15 @@ +7 April 2020: Wouter + - Merge PR #214 from gearnode: unbound-control-setup recreate + certificates. With the -r option the certificates are created + again, without it, only the files that do not exist are created. + +6 April 2020: Ralph + - Keep track of number of timeouts. Use this counter to determine if + capsforid fallback should be started. + +6 April 2020: George + - More documentation for redis-expire-records option. + 1 April 2020: George - Merge PR #206: Redis TTL, by Talkabout. diff --git a/doc/example.conf.in b/doc/example.conf.in index 7374a564a..ff68db014 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1025,10 +1025,12 @@ remote-control: # redis-server-port: 6379 # # timeout (in ms) for communication with the redis server # redis-timeout: 100 +# # set timeout on redis records based on DNS response TTL +# redis-expire-records: no # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset needs run unbound as root user. +# Note: To enable ipset unbound needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 10b779137..12c2b20f6 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -2096,6 +2096,11 @@ even if some data have expired in terms of DNS TTL or the Redis server has cached too much data; if necessary the Redis server must be configured to limit the cache size, preferably with some kind of least-recently-used eviction policy. +Additionaly, the \fBredis\-expire\-records\fR option can be used in order to +set the relative DNS TTL of the message as timeout to the Redis records; keep +in mind that some additional memory is used per key and that the expire +information is stored as absolute Unix timestamps in Redis (computer time must +be stable). This backend uses synchronous communication with the Redis server based on the assumption that the communication is stable and sufficiently fast. diff --git a/iterator/iterator.c b/iterator/iterator.c index 1e0113a87..eea2f2fb2 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c @@ -159,7 +159,7 @@ iter_new(struct module_qstate* qstate, int id) iq->qchase = qstate->qinfo; outbound_list_init(&iq->outlist); iq->minimise_count = 0; - iq->minimise_timeout_count = 0; + iq->timeout_count = 0; if (qstate->env->cfg->qname_minimisation) iq->minimisation_state = INIT_MINIMISE_STATE; else @@ -2190,7 +2190,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, iq->qinfo_out.qname = iq->qchase.qname; iq->qinfo_out.qname_len = iq->qchase.qname_len; iq->minimise_count++; - iq->minimise_timeout_count = 0; + iq->timeout_count = 0; iter_dec_attempts(iq->dp, 1); @@ -2249,7 +2249,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, } } if(iq->minimisation_state == SKIP_MINIMISE_STATE) { - if(iq->minimise_timeout_count < MAX_MINIMISE_TIMEOUT_COUNT) + if(iq->timeout_count < MAX_MINIMISE_TIMEOUT_COUNT) /* Do not increment qname, continue incrementing next * iteration */ iq->minimisation_state = MINIMISE_STATE; 
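Review bot: The reset `iq->timeout_count = 0;` in the @@ -2190 hunk, which runs when QNAME minimisation advances a label, now also wipes the count that process_response compares against `3` to decide on capsforid fallback; nothing in these hunks says whether clearing the fallback history at every minimisation step is intended. The same counter is compared against `MAX_MINIMISE_TIMEOUT_COUNT` in the @@ -2249 hunk and against a bare literal in process_response, so the fallback threshold deserves a named constant next to the existing MAX_MINIMISE_TIMEOUT_COUNT definition rather than a magic number. A comment at the reset, such as `/* new minimised qname: start counting unanswered queries afresh */`, would make the two uses of the counter easier to follow. processQueryTargets starts and ends outside these hunks, as does iter_new in the @@ -159 hunk.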
@@ -2586,14 +2586,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, if(iq->response == NULL) { /* Don't increment qname when QNAME minimisation is enabled */ if(qstate->env->cfg->qname_minimisation) { - iq->minimise_timeout_count++; iq->minimisation_state = SKIP_MINIMISE_STATE; } + iq->timeout_count++; iq->chase_to_rd = 0; iq->dnssec_lame_query = 0; verbose(VERB_ALGO, "query response was timeout"); return next_state(iq, QUERYTARGETS_STATE); } + iq->timeout_count = 0; type = response_type_from_server( (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), iq->response, &iq->qinfo_out, iq->dp); @@ -3599,7 +3600,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, iq->response = NULL; iq->state = QUERY_RESP_STATE; if(event == module_event_noreply || event == module_event_error) { - if(event == module_event_noreply && iq->sent_count >= 3 && + if(event == module_event_noreply && iq->timeout_count >= 3 && qstate->env->cfg->use_caps_bits_for_id && !iq->caps_fallback && !is_caps_whitelisted(ie, iq)) { /* start fallback */ diff --git a/iterator/iterator.h b/iterator/iterator.h index a2f1b5705..26ff39559 100644 --- a/iterator/iterator.h +++ b/iterator/iterator.h @@ -388,8 +388,9 @@ struct iter_qstate { /** * Count number of time-outs. Used to prevent resolving failures when - * the QNAME minimisation QTYPE is blocked. */ - int minimise_timeout_count; + * the QNAME minimisation QTYPE is blocked. Used to determine if + * capsforid fallback should be started.*/ + int timeout_count; /** True if the current response is from auth_zone */ int auth_zone_response; diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in index f4024b435..d901ad6cf 100644 --- a/smallapp/unbound-control-setup.sh.in +++ b/smallapp/unbound-control-setup.sh.in 
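Review bot: The new `iq->timeout_count++;` fires whenever `iq->response == NULL`, and the @@ -3600 hunk shows process_response setting `iq->response = NULL;` for both `module_event_noreply` and `module_event_error` before handing the event on, so if error events reach processQueryResponse the way timeouts do (the code after that hunk is not visible), the counter includes errors although the fallback check itself is gated on `module_event_noreply`. If that is acceptable, the name and the comment should say so, e.g. `/* consecutive queries without a usable reply (timeouts and errors); cleared below on any response */` above the increment; otherwise the increment needs to be restricted to the timeout case. The reset `iq->timeout_count = 0;` after the timeout branch also clears the count on lame or otherwise unusable responses, which should be stated alongside. processQueryResponse starts and ends outside the hunk.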
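Review bot: `iq->timeout_count >= 3` is evaluated here before the increment for the current event, which happens later in processQueryResponse (@@ -2586 hunk) if the flow from this branch still reaches it as it did for the removed `sent_count` check, so the fallback starts on the fourth consecutive unanswered query rather than the third; the old condition counted every query sent, not only unanswered ones, so the trigger point has moved in two ways the commit does not describe. If three consecutive timeouts are the intent, either adjust the comparison or document the off-by-one in a comment, e.g. `/* timeout_count is incremented after this check; fallback starts on the next timeout after three */`. The literal `3` should also become a named constant alongside MAX_MINIMISE_TIMEOUT_COUNT now that the counter serves two thresholds. process_response starts and ends outside the hunk.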
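Review bot: The updated doc comment on `int timeout_count;` lists the two consumers but not when the counter is reset, which is exactly what a reader of either consumer needs: it is cleared on any response in processQueryResponse and when QNAME minimisation advances a label in processQueryTargets (both in the iterator.c hunks of this commit). I would rewrite it to state that it counts consecutive queries without a reply, name both reset points, and then give the two uses; the current text also ends with `started.*/` and wants a space before `*/` to match the surrounding comments. struct iter_qstate starts and ends outside the hunk.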
@@ -5,22 +5,22 @@ # Copyright (c) 2008, NLnet Labs. All rights reserved. # # This software is open source. -# +# # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: -# +# # Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. -# +# # Redistributions in binary form must reproduce the above copyright notice, # this list of conditions and the following disclaimer in the documentation # and/or other materials provided with the distribution. -# +# # Neither the name of the NLNET LABS nor the names of its contributors may # be used to endorse or promote products derived from this software without # specific prior written permission. -# +# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 
@@ -57,87 +57,144 @@ SVR_BASE=unbound_server # base name for unbound-control keys CTL_BASE=unbound_control +# flag to recreate generated certificates +RECREATE=0 + # we want -rw-r----- access (say you run this as root: grp=yes (server), all=no). umask 0027 # end of options -# functions: -error ( ) { - echo "$0 fatal error: $1" - exit 1 +set -eu + +cleanup() { + echo "removing artifacts" + + rm -rf \ + server.cnf \ + client.cnf \ + "${SVR_BASE}_trust.pem" \ + "${CTL_BASE}_trust.pem" \ + "${SVR_BASE}_trust.srl" } -# check arguments: -while test $# -ne 0; do - case $1 in - -d) - if test $# -eq 1; then error "need argument for -d"; fi - DESTDIR="$2" - shift - ;; - *) - echo "unbound-control-setup.sh - setup SSL keys for unbound-control" - echo " -d dir use directory to store keys and certificates." - echo " default: $DESTDIR" - echo "please run this command using the same user id that the " - echo "unbound daemon uses, it needs read privileges." - exit 1 - ;; - esac - shift +fatal() { + printf "fatal error: $*\n" >/dev/stderr + exit 1 +} + +usage() { + cat < used directory to store keys and certificates (default: $DESTDIR) +-h show help notice +-r recreate certificates +EOF +} + +OPTIND=1 +while getopts 'd:hr' arg; do + case "$arg" in + d) DESTDIR="$OPTARG" ;; + h) usage; exit 0 ;; + r) RECREATE=1 ;; + ?) fatal "'$arg' unknown option" ;; + esac done +shift $((OPTIND - 1)) + -# go!: echo "setup in directory $DESTDIR" -cd "$DESTDIR" || error "could not cd to $DESTDIR" +cd "$DESTDIR" -# create certificate keys; do not recreate if they already exist. 
-if test -f $SVR_BASE.key; then - echo "$SVR_BASE.key exists" -else - echo "generating $SVR_BASE.key" - openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa" -fi -if test -f $CTL_BASE.key; then - echo "$CTL_BASE.key exists" -else - echo "generating $CTL_BASE.key" - openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa" +trap cleanup SIGINT + +# === +# Generate server certificate +# === + +# generate private key; do no recreate it if they already exist. +if [ ! -f "$SVR_BASE.key" ]; then + openssl genrsa -out "$SVR_BASE.key" "$BITS" fi -# create self-signed cert for server -echo "[req]" > request.cfg -echo "default_bits=$BITS" >> request.cfg -echo "default_md=$HASH" >> request.cfg -echo "prompt=no" >> request.cfg -echo "distinguished_name=req_distinguished_name" >> request.cfg -echo "" >> request.cfg -echo "[req_distinguished_name]" >> request.cfg -echo "commonName=$SERVERNAME" >> request.cfg +cat >server.cnf < request.cfg -echo "default_bits=$BITS" >> request.cfg -echo "default_md=$HASH" >> request.cfg -echo "prompt=no" >> request.cfg -echo "distinguished_name=req_distinguished_name" >> request.cfg -echo "" >> request.cfg -echo "[req_distinguished_name]" >> request.cfg -echo "commonName=$CLIENTNAME" >> request.cfg + [ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate" +fi -test -f request.cfg || error "could not create request.cfg" +# === +# Generate client certificate +# === + +# generate private key; do no recreate it if they already exist. +if [ ! -f "$CTL_BASE.key" ]; then + openssl genrsa -out "$CTL_BASE.key" "$BITS" +fi + +cat >client.cnf <