Merge branch 'master' into framestreams

Fixed bison and flex conflicts by regenerating the files.

.github/FUNDING.yml

@@ -1,12 +1,2 @@
-# These are supported funding model platforms
-
-github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
-patreon: # Replace with a single Patreon username
-open_collective: # Replace with a single Open Collective username
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
-community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
-liberapay: # Replace with a single Liberapay username
-issuehunt: # Replace with a single IssueHunt username
-otechie: # Replace with a single Otechie username
+github: [NLnetLabs]
 custom: ['https://nlnetlabs.nl/funding/']

.travis.yml

@@ -1,7 +1,9 @@
-sudo: false
 language: c
-compiler:
-  - gcc
+sudo: false
+
+git:
+  depth: 5
+
 addons:
   apt:
     packages:
@@ -9,8 +11,89 @@ addons:
     - libevent-dev
     - libexpat-dev
     - clang
+
+jobs:
+  include:
+    - os: linux
+      name: GCC on Linux, Amd64
+      compiler: gcc
+      arch: amd64
+    - os: linux
+      name: Clang on Linux, Amd64
+      compiler: clang
+      arch: amd64
+    - os: osx
+      name: Clang on OS X, Amd64
+      compiler: clang
+      arch: amd64
+    - os: linux
+      name: UBsan, GCC on Linux, Amd64
+      compiler: gcc
+      arch: amd64
+      dist: bionic
+      env: TEST_UBSAN=yes
+    - os: linux
+      name: UBsan, Clang on Linux, Amd64
+      compiler: clang
+      arch: amd64
+      dist: bionic
+      env: TEST_UBSAN=yes
+    - os: linux
+      name: Asan, GCC on Linux, Amd64
+      compiler: gcc
+      arch: amd64
+      dist: bionic
+      env: TEST_ASAN=yes
+    - os: linux
+      name: Asan, Clang on Linux, Amd64
+      compiler: clang
+      arch: amd64
+      dist: bionic
+      env: TEST_ASAN=yes
+    - os: linux
+      name: GCC on Linux, Aarch64
+      compiler: gcc
+      arch: arm64
+      dist: bionic
+    - os: linux
+      name: Clang on Linux, Aarch64
+      compiler: clang
+      arch: arm64
+      dist: bionic
+    - os: linux
+      name: GCC on Linux, PowerPC64
+      compiler: gcc
+      arch: ppc64le
+      dist: bionic
+    - os: linux
+      name: Clang on Linux, PowerPC64
+      compiler: clang
+      arch: ppc64le
+      dist: bionic
+    - os: linux
+      name: GCC on Linux, s390x
+      compiler: gcc
+      arch: s390x
+      dist: bionic
+    - os: linux
+      name: Clang on Linux, s390x
+      compiler: clang
+      arch: s390x
+      dist: bionic
+
 script:
-  - ./configure --enable-debug --disable-flto
-  - make
+  - |
+    if [ "$TEST_UBSAN" = "yes" ]; then
+      export CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover"
+      ./configure
+    elif [ "$TEST_ASAN" = "yes" ]; then
+      export CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address"
+      ./configure
+    elif [ "$TRAVIS_OS_NAME" = "osx" ]; then
+      ./configure --enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl/
+    else
+      ./configure --enable-debug --disable-flto
+    fi
+  - make -j 2
   - make test
   - (cd testdata/clang-analysis.tdir; bash clang-analysis.test)

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.10.0.
+# Generated by GNU Autoconf 2.69 for unbound 1.10.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.10.0'
-PACKAGE_STRING='unbound 1.10.0'
+PACKAGE_VERSION='1.10.1'
+PACKAGE_STRING='unbound 1.10.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1452,7 +1452,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.10.0 to adapt to many kinds of systems.
+\`configure' configures unbound 1.10.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1517,7 +1517,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.10.0:";;
+     short | recursive ) echo "Configuration of unbound 1.10.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1739,7 +1739,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.10.0
+unbound configure 1.10.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2448,7 +2448,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.10.0, which was
+It was created by unbound $as_me 1.10.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2800,11 +2800,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=10
 
-UNBOUND_VERSION_MICRO=0
+UNBOUND_VERSION_MICRO=1
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=7
+LIBUNBOUND_REVISION=8
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2879,6 +2879,7 @@ LIBUNBOUND_AGE=1
 # 1.9.5 had 9:5:1
 # 1.9.6 had 9:6:1
 # 1.10.0 had 9:7:1
+# 1.10.1 had 9:8:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -21532,7 +21533,7 @@ _ACEOF
 
 
 
-version=1.10.0
+version=1.10.1
 
 date=`date +'%b %e, %Y'`
 
@@ -22051,7 +22052,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.10.0, which was
+This file was extended by unbound $as_me 1.10.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22117,7 +22118,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.10.0
+unbound config.status 1.10.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[10])
-m4_define([VERSION_MICRO],[0])
+m4_define([VERSION_MICRO],[1])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=7
+LIBUNBOUND_REVISION=8
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -93,6 +93,7 @@ LIBUNBOUND_AGE=1
 # 1.9.5 had 9:5:1
 # 1.9.6 had 9:6:1
 # 1.10.0 had 9:7:1
+# 1.10.1 had 9:8:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary

contrib/README

@@ -27,7 +27,7 @@ distribution but may be helpful.
   works like the BIND feature (removes AAAA records unless AAAA-only domain).
   Useful for certain 'broken IPv6 default route' scenarios.
   Patch from Stephane Lapie for ASAHI Net.
-* unbound_smf22.tar.gz: Solaris SMF installation/removal scripts.
+* unbound_smf23.tar.gz: Solaris SMF installation/removal scripts.
   Contributed by Yuri Voinov.
 * unbound.socket and unbound.service: systemd files for unbound, install them
   in /usr/lib/systemd/system.  Contributed by Sami Kerola and Pavel Odintsov.

contrib/unbound.service.in

@@ -76,7 +76,7 @@ RestrictSUIDSGID=yes
 ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
 
 # Below rules are needed when chroot is enabled (usually it's enabled by default).
-# If chroot is disabled like chrooot: "" then they may be safely removed.
+# If chroot is disabled like chroot: "" then they may be safely removed.
 TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
 TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
 BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify

daemon/remote.c

@@ -907,7 +907,7 @@ static int
 print_ext(RES* ssl, struct ub_stats_info* s)
 {
 	int i;
-	char nm[16];
+	char nm[32];
 	const sldns_rr_descriptor* desc;
 	const sldns_lookup_table* lt;
 	/* TYPE */

doc/Changelog

@@ -1,9 +1,45 @@
+28 February 2020: Ralph
+	- Merge PR #172: Add IBM s390x arch for testing, by noloader.
+
+28 February 2020: Wouter
+	- Merge PR #173: updated makedist.sh for config.guess and
+	  config.sub and sha256 digest for gpg, by noloader.
+
+27 February 2020: George
+	- Merge PR #171: Add additional compilers and platforms to Travis
+	  testing, by noloader.
+
+27 February 2020: Wouter
+	- Fix #169: Fix warning for daemon/remote.c output may be truncated
+	  from snprintf.
+	- Fix #170: Fix gcc undefined sanitizer signed integer overflow
+	  warning in signature expiry RFC1982 serial number arithmetic.
+	- Fix more undefined sanitizer issues, in respip copy_rrset null
+	  dname, and in the client_info_compare routine for null memcmp.
+
+26 February 2020: Wouter
+	- iana portlist updated.
+
+25 February 2020: Wouter
+	- Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
+	  using ipv4 filters, because the hosts ip6 netblock /64 is not owned
+	  by one operator, and thus reputation is shared.
+
+24 February 2020: George
+	- Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
+
+20 February 2020: Wouter
+	- Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
+	  Unbound from Yuri Voinov.
+	- master branch has 1.10.1 version.
+
 18 February 2020: Wouter
 	- protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
 	  different openssl versions.
 
 17 February 2020: Wouter
-	- changelog point where the tag for 1.10.0rc2 release is.
+	- changelog point where the tag for 1.10.0rc2 release is.  And with
+	  the unbound_smf23 commit added to it, that is the 1.10.0 release.
 
 17 February 2020: Ralph
 	- Add respip to supported module-config options in unbound-checkconf.

doc/example.conf.in

@@ -70,6 +70,9 @@ server:
 	# Set this to yes to prefer ipv6 upstream servers over ipv4.
 	# prefer-ip6: no
 
+	# Prefer ipv4 upstream servers, even if ipv6 is available.
+	# prefer-ip4: no
+
 	# number of ports to allocate per thread, determines the size of the
 	# port range that can be open simultaneously.  About double the
 	# num-queries-per-thread, or, use as many as the OS will allow you.

doc/unbound.conf.5.in

@@ -381,6 +381,13 @@ IPv6 to the internet nameservers.  With this option you can disable the
 ipv6 transport for sending DNS traffic, it does not impact the contents of
 the DNS traffic, which may have ip4 and ip6 addresses in it.
 .TP
+.B prefer\-ip4: \fI<yes or no>
+If enabled, prefer IPv4 transport for sending DNS queries to internet
+nameservers. Default is no.  Useful if the IPv6 netblock the server has,
+the entire /64 of that is not owned by one operator and the reputation of
+the netblock /64 is an issue, using IPv4 then uses the IPv4 filters that
+the upstream servers have.
+.TP
 .B prefer\-ip6: \fI<yes or no>
 If enabled, prefer IPv6 transport for sending DNS queries to internet
 nameservers. Default is no.

iterator/iter_utils.c

@@ -484,6 +484,63 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 			got_num = num4ok;
 			*selected_rtt = num4_lowrtt;
 		}
+	} else if (env->cfg->prefer_ip4) {
+		int got_num4 = 0;
+		int low_rtt4 = 0;
+		int i;
+		int attempt = -1; /* filter to make sure addresses have
+		  less attempts on them than the first, to force round
+		  robin when all the IPv4 addresses fail */
+		int num6ok = 0; /* number ip6 at low attempt count */
+		int num6_lowrtt = 0;
+		prev = NULL;
+		a = dp->result_list;
+		for(i = 0; i < got_num; i++) {
+			swap_to_front = 0;
+			if(a->addr.ss_family != AF_INET && attempt == -1) {
+				/* if we only have ip6 at low attempt count,
+				 * then ip4 is failing, and we need to
+				 * select one of the remaining IPv6 addrs */
+				attempt = a->attempts;
+				num6ok++;
+				num6_lowrtt = a->sel_rtt;
+			} else if(a->addr.ss_family != AF_INET && attempt == a->attempts) {
+				num6ok++;
+				if(num6_lowrtt == 0 || a->sel_rtt < num6_lowrtt) {
+					num6_lowrtt = a->sel_rtt;
+				}
+			}
+			if(a->addr.ss_family == AF_INET) {
+				if(attempt == -1) {
+					attempt = a->attempts;
+				} else if(a->attempts > attempt) {
+					break;
+				}
+				got_num4++;
+				swap_to_front = 1;
+				if(low_rtt4 == 0 || a->sel_rtt < low_rtt4) {
+					low_rtt4 = a->sel_rtt;
+				}
+			}
+			/* swap to front if IPv4, or move to next result */
+			if(swap_to_front && prev) {
+				n = a->next_result;
+				prev->next_result = n;
+				a->next_result = dp->result_list;
+				dp->result_list = a;
+				a = n;
+			} else {
+				prev = a;
+				a = a->next_result;
+			}
+		}
+		if(got_num4 > 0) {
+			got_num = got_num4;
+			*selected_rtt = low_rtt4;
+		} else if(num6ok > 0) {
+			got_num = num6ok;
+			*selected_rtt = num6_lowrtt;
+		}
 	}
 	return got_num;
 }

makedist.sh

@@ -464,6 +464,20 @@ rm -rf .git || error_cleanup "Failed to remove .git tracking information"
 info "Adding libtool utils (libtoolize)."
 libtoolize -c --install || libtoolize -c || error_cleanup "Libtoolize failed."
 
+# https://www.gnu.org/software/gettext/manual/html_node/config_002eguess.html
+info "Updating config.guess and config.sub"
+wget -O config.guess 'https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD'
+wget -O config.sub 'https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD'
+chmod a+x config.guess config.sub
+
+# Remove quarantine bit on Apple platforms
+if [ `uname -s | grep -i -c darwin` -ne 0 ]; then
+    if [ -n `command -v xattr` ]; then
+        xattr -d com.apple.quarantine config.guess
+        xattr -d com.apple.quarantine config.sub
+    fi
+fi
+
 info "Building configure script (autoreconf)."
 autoreconf || error_cleanup "Autoconf failed."
 
@@ -542,9 +556,8 @@ cleanup
 
 storehash unbound-$version.tar.gz
 echo "create unbound-$version.tar.gz.asc with:"
-echo "  gpg --armor --detach-sign unbound-$version.tar.gz"
-echo "  gpg --armor --detach-sign unbound-$version.zip"
-echo "  gpg --armor --detach-sign unbound_setup_$version.exe"
+echo "  gpg --armor --detach-sign --digest-algo SHA256 unbound-$version.tar.gz"
+echo "  gpg --armor --detach-sign --digest-algo SHA256 unbound-$version.zip"
+echo "  gpg --armor --detach-sign --digest-algo SHA256 unbound_setup_$version.exe"
 
 info "Unbound distribution created successfully."
-

respip/respip.c

@@ -502,10 +502,16 @@ copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region)
 	ck->entry.hash = key->entry.hash;
 	ck->entry.key = ck;
 	ck->rk = key->rk;
-	ck->rk.dname = regional_alloc_init(region, key->rk.dname,
-		key->rk.dname_len);
-	if(!ck->rk.dname)
-		return NULL;
+	if(key->rk.dname) {
+		ck->rk.dname = regional_alloc_init(region, key->rk.dname,
+			key->rk.dname_len);
+		if(!ck->rk.dname)
+			return NULL;
+		ck->rk.dname_len = key->rk.dname_len;
+	} else {
+		ck->rk.dname = NULL;
+		ck->rk.dname_len = 0;
+	}
 
 	if((unsigned)data->count >= 0xffff00U)
 		return NULL; /* guard against integer overflow in dsize */

services/mesh.c

@@ -159,16 +159,28 @@ client_info_compare(const struct respip_client_info* ci_a,
 		return 1;
 	if(ci_a->taglen != ci_b->taglen)
 		return (ci_a->taglen < ci_b->taglen) ? -1 : 1;
-	cmp = memcmp(ci_a->taglist, ci_b->taglist, ci_a->taglen);
-	if(cmp != 0)
-		return cmp;
+	if(ci_a->taglist && !ci_b->taglist)
+		return -1;
+	if(!ci_a->taglist && ci_b->taglist)
+		return 1;
+	if(ci_a->taglist && ci_b->taglist) {
+		cmp = memcmp(ci_a->taglist, ci_b->taglist, ci_a->taglen);
+		if(cmp != 0)
+			return cmp;
+	}
 	if(ci_a->tag_actions_size != ci_b->tag_actions_size)
 		return (ci_a->tag_actions_size < ci_b->tag_actions_size) ?
 			-1 : 1;
-	cmp = memcmp(ci_a->tag_actions, ci_b->tag_actions,
-		ci_a->tag_actions_size);
-	if(cmp != 0)
-		return cmp;
+	if(ci_a->tag_actions && !ci_b->tag_actions)
+		return -1;
+	if(!ci_a->tag_actions && ci_b->tag_actions)
+		return 1;
+	if(ci_a->tag_actions && ci_b->tag_actions) {
+		cmp = memcmp(ci_a->tag_actions, ci_b->tag_actions,
+			ci_a->tag_actions_size);
+		if(cmp != 0)
+			return cmp;
+	}
 	if(ci_a->tag_datas != ci_b->tag_datas)
 		return ci_a->tag_datas < ci_b->tag_datas ? -1 : 1;
 	if(ci_a->view != ci_b->view)

smallapp/unbound-checkconf.c

@@ -481,6 +481,8 @@ morechecks(struct config_file* cfg)
 		fatal_exit("num_threads value weird");
 	if(!cfg->do_ip4 && !cfg->do_ip6)
 		fatal_exit("ip4 and ip6 are both disabled, pointless");
+	if(!cfg->do_ip4 && cfg->prefer_ip4)
+		fatal_exit("cannot prefer and disable ip4, pointless");
 	if(!cfg->do_ip6 && cfg->prefer_ip6)
 		fatal_exit("cannot prefer and disable ip6, pointless");
 	if(!cfg->do_udp && !cfg->do_tcp)

util/config_file.h

@@ -85,6 +85,8 @@ struct config_file {
 	int do_ip4;
 	/** do ip6 query support. */
 	int do_ip6;
+	/** prefer ip4 upstream queries. */
+	int prefer_ip4;
 	/** prefer ip6 upstream queries. */
 	int prefer_ip6;
 	/** do udp query support. */

util/configlexer.lex

@@ -220,6 +220,7 @@ outgoing-num-tcp{COLON}		{ YDVAR(1, VAR_OUTGOING_NUM_TCP) }
 incoming-num-tcp{COLON}		{ YDVAR(1, VAR_INCOMING_NUM_TCP) }
 do-ip4{COLON}			{ YDVAR(1, VAR_DO_IP4) }
 do-ip6{COLON}			{ YDVAR(1, VAR_DO_IP6) }
+prefer-ip4{COLON}		{ YDVAR(1, VAR_PREFER_IP4) }
 prefer-ip6{COLON}		{ YDVAR(1, VAR_PREFER_IP6) }
 do-udp{COLON}			{ YDVAR(1, VAR_DO_UDP) }
 do-tcp{COLON}			{ YDVAR(1, VAR_DO_TCP) }

util/configparser.y

@@ -70,7 +70,7 @@ extern struct config_parser_state* cfg_parser;
 %token SPACE LETTER NEWLINE COMMENT COLON ANY ZONESTR
 %token <str> STRING_ARG
 %token VAR_SERVER VAR_VERBOSITY VAR_NUM_THREADS VAR_PORT
-%token VAR_OUTGOING_RANGE VAR_INTERFACE
+%token VAR_OUTGOING_RANGE VAR_INTERFACE VAR_PREFER_IP4
 %token VAR_DO_IP4 VAR_DO_IP6 VAR_PREFER_IP6 VAR_DO_UDP VAR_DO_TCP
 %token VAR_TCP_MSS VAR_OUTGOING_TCP_MSS VAR_TCP_IDLE_TIMEOUT
 %token VAR_EDNS_TCP_KEEPALIVE VAR_EDNS_TCP_KEEPALIVE_TIMEOUT
@@ -193,7 +193,7 @@ contents_server: contents_server content_server
 	| ;
 content_server: server_num_threads | server_verbosity | server_port |
 	server_outgoing_range | server_do_ip4 |
-	server_do_ip6 | server_prefer_ip6 |
+	server_do_ip6 | server_prefer_ip4 | server_prefer_ip6 |
 	server_do_udp | server_do_tcp |
 	server_tcp_mss | server_outgoing_tcp_mss | server_tcp_idle_timeout |
 	server_tcp_keepalive | server_tcp_keepalive_timeout |
@@ -782,6 +782,15 @@ server_do_tcp: VAR_DO_TCP STRING_ARG
 		free($2);
 	}
 	;
+server_prefer_ip4: VAR_PREFER_IP4 STRING_ARG
+	{
+		OUTYY(("P(server_prefer_ip4:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->prefer_ip4 = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_prefer_ip6: VAR_PREFER_IP6 STRING_ARG
 	{
 		OUTYY(("P(server_prefer_ip6:%s)\n", $2));

util/iana_ports.inc

@@ -4539,6 +4539,7 @@
 6850,
 6868,
 6888,
+6924,
 6935,
 6936,
 6946,

validator/val_sigcrypt.c

@@ -1343,7 +1343,7 @@ adjust_ttl(struct val_env* ve, uint32_t unow,
 	if(ve->date_override) {
 		now = ve->date_override;
 	} else	now = (int32_t)unow;
-	expittl = expi - now;
+	expittl = (int32_t)((uint32_t)expi - (uint32_t)now);
 
 	/* so now:
 	 * d->ttl: rrset ttl read from message or cache. May be reduced