diff --git a/configure b/configure
index 9a96bb232..3e5e562ae 100755
--- a/configure
+++ b/configure
@@ -14745,7 +14745,7 @@ $as_echo "no" >&6; }
 fi
 
 # Checks for header files.
-for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h
+for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@@ -14759,6 +14759,34 @@ fi
 
 done
 
+# net/if.h portability for Darwin see:
+# https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
+for ac_header in net/if.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "net/if.h" "ac_cv_header_net_if_h" "
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+
+"
+if test "x$ac_cv_header_net_if_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_NET_IF_H 1
+_ACEOF
+
+fi
+
+done
+
 
 # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
 for ac_header in TargetConditionals.h
diff --git a/configure.ac b/configure.ac
index 2bd44353d..b4caa37dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -400,7 +400,23 @@ ACX_LIBTOOL_C_ONLY
 PKG_PROG_PKG_CONFIG
 
 # Checks for header files.
-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT])
+# net/if.h portability for Darwin see:
+# https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
+AC_CHECK_HEADERS([net/if.h],,, [
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+])
 
 # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
 AC_CHECK_HEADERS([TargetConditionals.h])
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index c95ab94b3..a4596978d 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -66,7 +66,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
index 998b66dec..e763763f0 100644
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -38,7 +38,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
diff --git a/doc/Changelog b/doc/Changelog
index b7e5928ca..a4c4792ff 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,37 @@
+23 November 2020: Wouter
+	- Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
+	  address families.
+	- Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
+	  failed to list interfaces: getifaddrs: Address family not
+	  supported by protocol.
+
+12 November 2020: Wouter
+	- Fix to connect() to UDP destinations, default turned on,
+	  this lowers vulnerability to ICMP side channels.
+	- Retry for interfaces with unused ports if possible.
+
+10 November 2020: Wouter
+	- Fix #341: fixing a possible memory leak.
+	- Fix memory leak after fix for possible memory leak failure.
+	- Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
+	  undeclared.
+
+27 October 2020: Wouter
+	- In man page note that tls-cert-bundle is read before permission
+	  drop and chroot.
+
+22 October 2020: Wouter
+	- Fix #333: Unbound Segmentation Fault w/ log_info Functions From
+	  Python Mod.
+	- Fix that minimal-responses does not remove addresses from a priming
+	  query response.
+
+21 October 2020: George
+	- Fix #327: net/if.h check fails on some darwin versions; contribution by
+	  Joshua Root.
+	- Fix #320: potential memory corruption due to size miscomputation upton
+	  custom region alloc init.
+
 21 October 2020: Wouter
 	- Merge PR #228 : infra-keep-probing option to probe hosts that are
 	  down.  Add infra-keep-probing: yes option. Hosts that are down are
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 0b73480aa..84805f90f 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -522,7 +522,8 @@ Alternate syntax for \fBtls\-port\fR.
 If null or "", no file is used.  Set it to the certificate bundle file,
 for example "/etc/pki/tls/certs/ca\-bundle.crt".  These certificates are used
 for authenticating connections made to outside peers.  For example auth\-zone
-urls, and also DNS over TLS connections.
+urls, and also DNS over TLS connections.  It is read at start up before
+permission drop and chroot.
 .TP
 .B ssl\-cert\-bundle: \fI<file>
 Alternate syntax for \fBtls\-cert\-bundle\fR.
diff --git a/pythonmod/interface.i b/pythonmod/interface.i
index 71f2bf774..cbee4f714 100644
--- a/pythonmod/interface.i
+++ b/pythonmod/interface.i
@@ -1413,6 +1413,19 @@ struct delegpt* find_delegation(struct module_qstate* qstate, char *nm, size_t n
 /******************************
  * Various debugging functions *
  ******************************/
+
+/* rename the variadic functions because python does the formatting already*/
+%rename (unbound_log_info) log_info;
+%rename (unbound_log_err) log_err;
+%rename (unbound_log_warn) log_warn;
+%rename (unbound_verbose) verbose;
+/* provide functions that take one string as argument, so python can cook
+the string */
+%rename (log_info) pymod_log_info;
+%rename (log_warn) pymod_log_warn;
+%rename (log_err) pymod_log_err;
+%rename (verbose) pymod_verbose;
+
 void verbose(enum verbosity_value level, const char* format, ...);
 void log_info(const char* format, ...);
 void log_err(const char* format, ...);
@@ -1422,6 +1435,19 @@ void log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* r
 void log_query_info(enum verbosity_value v, const char* str, struct query_info* qinf);
 void regional_log_stats(struct regional *r);
 
+/* the one argument string log functions */
+void pymod_log_info(const char* str);
+void pymod_log_err(const char* str);
+void pymod_log_warn(const char* str);
+void pymod_verbose(enum verbosity_value level, const char* str);
+%{
+void pymod_log_info(const char* str) { log_info("%s", str); }
+void pymod_log_err(const char* str) { log_err("%s", str); }
+void pymod_log_warn(const char* str) { log_warn("%s", str); }
+void pymod_verbose(enum verbosity_value level, const char* str) {
+        verbose(level, "%s", str); }
+%}
+
 /***************************************************************************
  * Free allocated memory from marked sources returning corresponding types *
  ***************************************************************************/
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index e506eeb31..10a7aec60 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -43,6 +43,7 @@
 #  include <sys/types.h>
 #endif
 #include <sys/time.h>
+#include <limits.h>
 #ifdef USE_TCP_FASTOPEN
 #include <netinet/tcp.h>
 #endif
@@ -1404,6 +1405,7 @@ static int
 resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addresses, int *ip_addresses_size)
 {
 	struct ifaddrs *ifa;
+	void *tmpbuf;
 	int last_ip_addresses_size = *ip_addresses_size;
 
 	for(ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) {
@@ -1468,10 +1470,12 @@ resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addres
 		}
 		verbose(4, "interface %s has address %s", search_ifa, addr_buf);
 
-		*ip_addresses = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
-		if(!*ip_addresses) {
+		tmpbuf = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
+		if(!tmpbuf) {
 			log_err("realloc failed: out of memory");
 			return 0;
+		} else {
+			*ip_addresses = tmpbuf;
 		}
 		(*ip_addresses)[*ip_addresses_size] = strdup(addr_buf);
 		if(!(*ip_addresses)[*ip_addresses_size]) {
@@ -1482,10 +1486,12 @@ resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addres
 	}
 
 	if (*ip_addresses_size == last_ip_addresses_size) {
-		*ip_addresses = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
-		if(!*ip_addresses) {
+		tmpbuf = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
+		if(!tmpbuf) {
 			log_err("realloc failed: out of memory");
 			return 0;
+		} else {
+			*ip_addresses = tmpbuf;
 		}
 		(*ip_addresses)[*ip_addresses_size] = strdup(search_ifa);
 		if(!(*ip_addresses)[*ip_addresses_size]) {
diff --git a/services/outside_network.c b/services/outside_network.c
index d0dac9087..7e1f91088 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -1742,13 +1742,26 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
 		my_if = ub_random_max(outnet->rnd, num_if);
 		pif = &ifs[my_if];
 #ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION
-		my_port = ub_random_max(outnet->rnd, pif->avail_total);
-		if(my_port < pif->inuse) {
-			/* port already open */
-			pend->pc = pif->out[my_port];
-			verbose(VERB_ALGO, "using UDP if=%d port=%d", 
-				my_if, pend->pc->number);
-			break;
+		if(1) {
+			/* if we connect() we cannot reuse fds for a port */
+			if(pif->inuse >= pif->avail_total) {
+				tries++;
+				if(tries < MAX_PORT_RETRY)
+					continue;
+				log_err("failed to find an open port, drop msg");
+				return 0;
+			}
+			my_port = pif->inuse + ub_random_max(outnet->rnd,
+				pif->avail_total - pif->inuse);
+		} else  {
+			my_port = ub_random_max(outnet->rnd, pif->avail_total);
+			if(my_port < pif->inuse) {
+				/* port already open */
+				pend->pc = pif->out[my_port];
+				verbose(VERB_ALGO, "using UDP if=%d port=%d",
+					my_if, pend->pc->number);
+				break;
+			}
 		}
 		/* try to open new port, if fails, loop to try again */
 		log_assert(pif->inuse < pif->maxout);
@@ -1765,6 +1778,17 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
 		if(fd != -1) {
 			verbose(VERB_ALGO, "opened UDP if=%d port=%d", 
 				my_if, portno);
+			if(1) {
+				/* connect() to the destination */
+				if(connect(fd, (struct sockaddr*)&pend->addr,
+					pend->addrlen) < 0) {
+					log_err_addr("udp connect failed",
+						strerror(errno), &pend->addr,
+						pend->addrlen);
+					sock_close(fd);
+					return 0;
+				}
+			}
 			/* grab fd */
 			pend->pc = outnet->unused_fds;
 			outnet->unused_fds = pend->pc->next;
diff --git a/testdata/dnstap.tdir/dnstap.pre b/testdata/dnstap.tdir/dnstap.pre
index 95216949c..6561d77e9 100644
--- a/testdata/dnstap.tdir/dnstap.pre
+++ b/testdata/dnstap.tdir/dnstap.pre
@@ -45,7 +45,7 @@ fi
 # make config file
 sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < dnstap.conf > ub.conf
 # start unbound in the background
-$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+$PRE/unbound -d -c ub.conf -vvvv >unbound.log 2>&1 &
 UNBOUND_PID=$!
 echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
 
diff --git a/util/data/msgencode.c b/util/data/msgencode.c
index be69f628a..1746cfbb8 100644
--- a/util/data/msgencode.c
+++ b/util/data/msgencode.c
@@ -624,6 +624,9 @@ positive_answer(struct reply_info* rep, uint16_t qtype) {
 
 	for(i=0;i<rep->an_numrrsets; i++) {
 		if(ntohs(rep->rrsets[i]->rk.type) == qtype) {
+			/* for priming queries, type NS, include addresses */
+			if(qtype == LDNS_RR_TYPE_NS)
+				return 0;
 			/* in case it is a wildcard with DNSSEC, there will
 			 * be NSEC/NSEC3 records in the authority section
 			 * that we cannot remove */
diff --git a/util/regional.c b/util/regional.c
index 01a042b61..bd67ecf50 100644
--- a/util/regional.c
+++ b/util/regional.c
@@ -89,8 +89,9 @@ regional_init(struct regional* r)
 static struct regional*
 regional_create_custom_large_object(size_t size, size_t large_object_size)
 {
-	struct regional* r = (struct regional*)malloc(size);
+	struct regional* r;
 	size = ALIGN_UP(size, ALIGNMENT);
+	r = (struct regional*)malloc(size);
 	log_assert(sizeof(struct regional) <= size);
 	if(!r) return NULL;
 	r->first_size = size;