Merge branch 'master' into zonemd

2025-12-20 23:00:56 -05:00 · 2021-02-04 16:08:11 +01:00 · 2021-02-04 16:08:11 +01:00 · b7a633fdc0
commit b7a633fdc0
parent dedc1e2340 c365e3ab9a
119 changed files with 12293 additions and 6722 deletions
--- a/Makefile.in
+++ b/Makefile.in
@ -248,6 +248,7 @@ DNSTAP_SOCKET_SRC=dnstap/unbound-dnstap-socket.c
 DNSTAP_SOCKET_OBJ=unbound-dnstap-socket.lo
 DNSTAP_SOCKET_OBJ_LINK=$(DNSTAP_SOCKET_OBJ) $(COMMON_OBJ) \
 $(COMPAT_OBJ) $(SLDNS_OBJ)
 DNSTAP_SOCKET_TESTBIN=@DNSTAP_SOCKET_TESTBIN@
 LIBUNBOUND_SRC=libunbound/context.c libunbound/libunbound.c \
 libunbound/libworker.c
 LIBUNBOUND_OBJ=context.lo libunbound.lo libworker.lo ub_event_pluggable.lo
@ -323,7 +324,7 @@ rsrc_unbound_checkconf.o:	$(srcdir)/winrc/rsrc_unbound_checkconf.rc config.h
 TEST_BIN=asynclook$(EXEEXT) delayer$(EXEEXT) \
 	lock-verify$(EXEEXT) memstats$(EXEEXT) perf$(EXEEXT) \
 	petal$(EXEEXT) pktview$(EXEEXT) streamtcp$(EXEEXT) \
-	unbound-dnstap-socket$(EXEEXT) dohclient$(EXEEXT) \
+	$(DNSTAP_SOCKET_TESTBIN) dohclient$(EXEEXT) \
 	testbound$(EXEEXT) unittest$(EXEEXT)
 tests:	all $(TEST_BIN)
@ -349,10 +350,10 @@ unbound$(EXEEXT):	$(DAEMON_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
 unbound-checkconf$(EXEEXT):	$(CHECKCONF_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
 unbound-control$(EXEEXT):	$(CONTROL_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
 unbound-host$(EXEEXT):	$(HOST_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
@ -370,37 +371,37 @@ anchor-update$(EXEEXT):  $(ANCHORUPD_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(ANCHORUPD_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
 unittest$(EXEEXT):	$(UNITTEST_OBJ_LINK)
-	$(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS)
 testbound$(EXEEXT):	$(TESTBOUND_OBJ_LINK)
-	$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS)
 lock-verify$(EXEEXT):	$(LOCKVERIFY_OBJ_LINK)
-	$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS)
 petal$(EXEEXT):	$(PETAL_OBJ_LINK)
 	$(LINK) -o $@ $(PETAL_OBJ_LINK) $(SSLLIB) $(LIBS)
 pktview$(EXEEXT):	$(PKTVIEW_OBJ_LINK)
-	$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS)
 memstats$(EXEEXT):	$(MEMSTATS_OBJ_LINK)
-	$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
 asynclook$(EXEEXT):	$(ASYNCLOOK_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
 streamtcp$(EXEEXT):	$(STREAMTCP_OBJ_LINK)
-	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
 dohclient$(EXEEXT):	$(DOHCLIENT_OBJ_LINK)
-	$(LINK) -o $@ $(DOHCLIENT_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(DOHCLIENT_OBJ_LINK) $(SSLLIB) $(LIBS)
 perf$(EXEEXT):	$(PERF_OBJ_LINK)
-	$(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS)
 delayer$(EXEEXT):	$(DELAYER_OBJ_LINK)
-	$(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS)
 signit$(EXEEXT):	testcode/signit.c
 	$(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@ -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSLLIB) $(LIBS)
@ -423,12 +424,13 @@ dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto
 	$(PROTOC_C) --c_out=. --proto_path=$(srcdir) $(srcdir)/dnstap/dnstap.proto
 unbound-dnstap-socket$(EXEEXT):	$(DNSTAP_SOCKET_OBJ_LINK)
-	$(LINK) -o $@ $(DNSTAP_SOCKET_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(DNSTAP_SOCKET_OBJ_LINK) $(SSLLIB) $(LIBS)
 dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h
 dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h
 dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h
 unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h $(srcdir)/dnstap/dtstream.h
 dynlibmod.lo dynlibdmod.o: $(srcdir)/dynlibmod/dynlibmod.c config.h $(srcdir)/dynlibmod/dynlibmod.h
 # dnscrypt
 dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
@ -826,13 +828,16 @@ modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/service
 $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/tube.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/ipset/ipset.h $(srcdir)/dynlibmod/dynlibmod.h
+ $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) $(srcdir)/cachedb/cachedb.h \
 $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \
 $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h
 view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
 $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@ -863,7 +868,8 @@ outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c confi
 $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
 $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \
 $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/dnstap/dnstap.h
+ $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h \
 alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
@ -884,7 +890,8 @@ config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/ut
 $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \
 $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/iana_ports.inc
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/edns-subnet/edns-subnet.h \
 $(srcdir)/util/iana_ports.inc
 configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
 $(srcdir)/util/config_file.h util/configparser.h
 configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
@ -913,38 +920,31 @@ authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/service
 $(srcdir)/util/data/msgencode.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
 $(srcdir)/services/cache/dns.h $(srcdir)/services/outside_network.h  \
 $(srcdir)/services/listen_dnsport.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/validator/val_secalgo.h
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_secalgo.h
 fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/outside_network.h  $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outside_network.h  $(srcdir)/services/cache/infra.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/validator/validator.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_neg.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \
- $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound-event.h \
- $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h \
+ $(srcdir)/libunbound/worker.h $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) \
- $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h \
+ $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h \
- $(srcdir)/dynlibmod/dynlibmod.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \
 $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h $(srcdir)/dnstap/dtstream.h
 locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
-mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
+mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h
 $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
 $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
 $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
 module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
@ -957,12 +957,14 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
 $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/listen_dnsport.h
+ $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/listen_dnsport.h \
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
 random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
@ -978,11 +980,11 @@ rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/itera
 $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
-edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/config_file.h \
+edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+  $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/regional.h \
- $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/util/data/packed_rrset.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h
 dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \
 $(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/util/net_help.h
@ -1016,7 +1018,8 @@ tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/u
 $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/ub_event.h
 ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/util/tube.h \
 ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
 $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
@ -1026,7 +1029,8 @@ ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c
 $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
 $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
 $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
 winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
 autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \
 $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@ -1039,7 +1043,8 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
 $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
 $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
+ $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
 val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
 $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h \
@ -1069,11 +1074,13 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
 val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
+ 
- $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
 $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
 val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
@ -1091,15 +1098,17 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
 val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
 $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/sbuffer.h \
 val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
 $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_secalgo.h \
 $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \
 $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
 val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@ -1120,15 +1129,43 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src
 $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
-edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h
+edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
-subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
 subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
 $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
 $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
 $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
 $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
 $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
 $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \
 $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/respip/respip.h $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h \
 $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h
 addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/edns-subnet/addrtree.h
-subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h
+subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \
-cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
-redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h
+ $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
 $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
 $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
 cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/cachedb/redis.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/data/msgencode.h $(srcdir)/services/cache/dns.h \
 $(srcdir)/validator/val_neg.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_secalgo.h \
 $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h \
 $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h
 redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h $(srcdir)/cachedb/redis.h $(srcdir)/cachedb/cachedb.h \
 $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h \
 $(srcdir)/sldns/sbuffer.h
 respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
@ -1143,31 +1180,40 @@ checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/u
 $(srcdir)/testcode/checklocks.h
 dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c  config.h $(srcdir)/sldns/sbuffer.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/locks.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/dnstap/dnstap.h \
- dnstap/dnstap.pb-c.h
+ $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h dnstap/dnstap.pb-c.h
 dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h \
-dynlibmod.lo dynlibmod.o: $(srcdir)/dynlibmod/dynlibmod.c config.h $(srcdir)/dynlibmod/dynlibmod.h \
+dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
 dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \
 $(srcdir)/util/net_help.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
 $(srcdir)/dnscrypt/dnscrypt.h   \
 $(srcdir)/sldns/sbuffer.h \
 ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \
 $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h\
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h \
 $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
 $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \
-dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \
- $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/storage/lookup3.h
+ $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
-ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h \
 $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
 ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
+ $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
 ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h
 unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
 $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@ -1176,7 +1222,8 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
 $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
 $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
-unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
 $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/iterator/iterator.h \
 $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
@ -1184,7 +1231,8 @@ unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/r
 $(srcdir)/sldns/pkthdr.h $(srcdir)/libunbound/unbound.h $(srcdir)/services/cache/infra.h \
 $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/random.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
 $(srcdir)/services/outside_network.h 
 unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
 $(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
@ -1216,8 +1264,14 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
 unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
 $(srcdir)/sldns/parseutil.h
 unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h
 unitzonemd.lo unitzonemd.o: $(srcdir)/testcode/unitzonemd.c config.h $(srcdir)/services/authzone.h
 unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \
 $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
 $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
 $(srcdir)/edns-subnet/edns-subnet.h
 unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
 $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
 $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/data/msgparse.h \
@ -1234,40 +1288,43 @@ acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/ac
 $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
-cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
+cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
 $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
 $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
 $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
 $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
 $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
 $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
 $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
 $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
 $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/wire2str.h \
 $(srcdir)/sldns/str2wire.h
 daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
 $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
   $(srcdir)/daemon/worker.h \
 $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
 $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
 $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
 $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \
 $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
 $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
 $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
 $(srcdir)/sldns/keyraw.h
-remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
+remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/daemon/remote.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/alloc.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
 $(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
 $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@ -1292,19 +1349,21 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
 $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
 $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h
+ $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h \
 $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
 unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
 $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-  $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
+  $(srcdir)/daemon/remote.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/ub_event.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
@ -1312,23 +1371,24 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
 $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
+ $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h \
+ $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/dnstap/dtstream.h
+ $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
 testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
 $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
+ $(srcdir)/daemon/remote.h \
- $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
 $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@ -1347,34 +1407,35 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
 $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
+ $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h \
+ $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/dnstap/dtstream.h
+ $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
 $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
 $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
- $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
-  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+   $(srcdir)/daemon/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \
 $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
 $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
 $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
@ -1392,7 +1453,9 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
 $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
 $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h
+ $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h \
 $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
 replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
@ -1402,13 +1465,14 @@ fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/t
 $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/rbtree.h  $(srcdir)/services/cache/infra.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h \
+  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
 $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
 $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
@ -1443,7 +1507,8 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
 $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
 $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
 $(PYTHONMOD_HEADER) $(srcdir)/edns-subnet/subnet-whitelist.h
 worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
 $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
@ -1464,76 +1529,83 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
 $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
 $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h
+ $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/util/edns.h
 libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
 $(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/libunbound/libworker.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h \
- $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h \
+ $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h $(srcdir)/util/edns.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
 $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/services/cache/rrset.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
 $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h
-libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
+libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h \
- $(srcdir)/dnscrypt/dnscrypt.h   \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+  $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h \
+ $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/storage/lookup3.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \
- $(srcdir)/sldns/str2wire.h
+ $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/str2wire.h
 unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
 asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
 $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h \
 streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
 perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
 $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h
 unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
+ 
 petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
 unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h \
 $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h \
 $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/config_file.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h
+ dnstap/dnstap.pb-c.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h
 pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \
 $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \
 win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
 $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
   $(srcdir)/daemon/worker.h \
@ -1541,8 +1613,8 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
 $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/net_help.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h
 w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
 unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
 $(srcdir)/winrc/w_inst.h
@ -1550,12 +1622,14 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
 $(srcdir)/winrc/w_inst.h
 anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
-keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
+keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
 $(srcdir)/sldns/rrdef.h \
 sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
 wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/keyraw.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/sldns/keyraw.h \
- $(srcdir)/util/log.h
+ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
 $(srcdir)/sldns/sbuffer.h
 parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
@ -1563,9 +1637,11 @@ rrdef.lo rrdef.o: $(srcdir)/sldns/rrdef.c config.h $(srcdir)/sldns/rrdef.h $(src
 str2wire.lo str2wire.o: $(srcdir)/sldns/str2wire.c config.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
 $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h
 dohclient.lo dohclient.o: $(srcdir)/testcode/dohclient.c config.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h \
 ctime_r.lo ctime_r.o: $(srcdir)/compat/ctime_r.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 fake-rfc2553.lo fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h
 gmtime_r.lo gmtime_r.o: $(srcdir)/compat/gmtime_r.c config.h
@ -1580,9 +1656,11 @@ strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
 strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
 getentropy_freebsd.lo getentropy_freebsd.o: $(srcdir)/compat/getentropy_freebsd.c
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
 getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \
 getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
 explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h
--- a/acx_nlnetlabs.m4
+++ b/acx_nlnetlabs.m4
@ -2,7 +2,9 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 35
+# Version 37
 # 2021-01-05 fix defun for aclocal
 # 2021-01-05 autoconf 2.70 autoupdate and fixes, no AC_TRY_COMPILE
 # 2020-08-24 Use EVP_sha256 instead of HMAC_Update (for openssl-3.0.0).
 # 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
 # 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
@ -447,15 +449,12 @@ AC_DEFUN([ACX_CHECK_FORMAT_ATTRIBUTE],
 AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "format" attribute)
 AC_CACHE_VAL(ac_cv_c_format_attribute,
 [ac_cv_c_format_attribute=no
-AC_TRY_COMPILE(
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <stdio.h>
 [#include <stdio.h>
 void f (char *format, ...) __attribute__ ((format (printf, 1, 2)));
 void (*pf) (char *format, ...) __attribute__ ((format (printf, 1, 2)));
-], [
+]], [[
   f ("%s", "str");
-],
+]])],[ac_cv_c_format_attribute="yes"],[ac_cv_c_format_attribute="no"])
 [ac_cv_c_format_attribute="yes"],
 [ac_cv_c_format_attribute="no"])
 ])
 AC_MSG_RESULT($ac_cv_c_format_attribute)
@ -484,14 +483,11 @@ AC_DEFUN([ACX_CHECK_UNUSED_ATTRIBUTE],
 AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "unused" attribute)
 AC_CACHE_VAL(ac_cv_c_unused_attribute,
 [ac_cv_c_unused_attribute=no
-AC_TRY_COMPILE(
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <stdio.h>
 [#include <stdio.h>
 void f (char *u __attribute__((unused)));
-], [
+]], [[
   f ("x");
-],
+]])],[ac_cv_c_unused_attribute="yes"],[ac_cv_c_unused_attribute="no"])
 [ac_cv_c_unused_attribute="yes"],
 [ac_cv_c_unused_attribute="no"])
 ])
 dnl Setup ATTR_UNUSED config.h parts.
@ -548,7 +544,7 @@ dnl as a requirement so that is gets called before LIBTOOL
 dnl because libtools 'AC_REQUIRE' names are right after this one, before
 dnl this function contents.
 AC_REQUIRE([ACX_LIBTOOL_C_PRE])
-AC_PROG_LIBTOOL
+LT_INIT
 ])
 dnl Detect if u_char type is defined, otherwise define it.
@ -677,14 +673,14 @@ AC_DEFUN([ACX_SSL_CHECKS], [
            AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
            LIBS="$LIBS -lcrypto"
            LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
-            AC_TRY_LINK(, [
+            AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
                int EVP_sha256(void);
                (void)EVP_sha256();
-              ], [
+              ]])],[
                AC_MSG_RESULT(yes)
                AC_DEFINE([HAVE_EVP_SHA256], 1,
                          [If you have EVP_sha256])
-              ], [
+              ],[
                AC_MSG_RESULT(no)
                # check if -lwsock32 or -lgdi32 are needed.	
                BAKLIBS="$LIBS"
@ -692,10 +688,10 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 		LIBS="$LIBS -lgdi32 -lws2_32"
 		LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32"
                AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
-                AC_TRY_LINK([], [
+                AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
                    int EVP_sha256(void);
                    (void)EVP_sha256();
-                  ],[
+                  ]])],[
                    AC_DEFINE([HAVE_EVP_SHA256], 1,
                        [If you have EVP_sha256])
                    AC_MSG_RESULT(yes) 
@ -706,10 +702,10 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                    LIBS="$LIBS -ldl"
                    LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
                    AC_MSG_CHECKING([if -lcrypto needs -ldl])
-                    AC_TRY_LINK([], [
+                    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
                        int EVP_sha256(void);
                        (void)EVP_sha256();
-                      ],[
+                      ]])],[
                        AC_DEFINE([HAVE_EVP_SHA256], 1,
                            [If you have EVP_sha256])
                        AC_MSG_RESULT(yes) 
@ -720,10 +716,10 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                        LIBS="$LIBS -ldl -pthread"
                        LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
                        AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
-                        AC_TRY_LINK([], [
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
                            int EVP_sha256(void);
                            (void)EVP_sha256();
-                          ],[
+                          ]])],[
                            AC_DEFINE([HAVE_EVP_SHA256], 1,
                                [If you have EVP_sha256])
                            AC_MSG_RESULT(yes) 
@ -750,8 +746,7 @@ dnl Checks main header files of SSL.
 dnl
 AC_DEFUN([ACX_WITH_SSL],
 [
-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
+AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
                                    [enable SSL (will check /usr/local/ssl
                            /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
        ],[
            withval="yes"
@ -769,8 +764,7 @@ dnl Checks main header files of SSL.
 dnl
 AC_DEFUN([ACX_WITH_SSL_OPTIONAL],
 [
-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
+AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
                                [enable SSL (will check /usr/local/ssl
                                /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
        ],[
            withval="yes"
@ -1062,7 +1056,7 @@ dnl defines MKDIR_HAS_ONE_ARG
 AC_DEFUN([ACX_MKDIR_ONE_ARG],
 [
 AC_MSG_CHECKING([whether mkdir has one arg])
-AC_TRY_COMPILE([
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include <stdio.h>
 #include <unistd.h>
 #ifdef HAVE_WINSOCK2_H
@ -1071,14 +1065,12 @@ AC_TRY_COMPILE([
 #ifdef HAVE_SYS_STAT_H
 #include <sys/stat.h>
 #endif
-], [
+]], [[
 	(void)mkdir("directory");
-],
+]])],[AC_MSG_RESULT(yes)
 AC_MSG_RESULT(yes)
 AC_DEFINE(MKDIR_HAS_ONE_ARG, 1, [Define if mkdir has one argument.])
-,
+],[AC_MSG_RESULT(no)
-AC_MSG_RESULT(no)
+])
 )
 ])dnl end of ACX_MKDIR_ONE_ARG
 dnl Check for ioctlsocket function. works on mingw32 too.
--- a/acx_python.m4
+++ b/acx_python.m4
@ -85,11 +85,11 @@ $ac_distutils_result])
        LIBS="$LIBS $PYTHON_LDFLAGS"
        CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
-        AC_TRY_LINK([
+        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
                #include <Python.h>
-        ],[
+        ]],[[
                Py_Initialize();
-        ],[pythonexists=yes],[pythonexists=no])
+        ]])],[pythonexists=yes],[pythonexists=no])
        AC_MSG_RESULT([$pythonexists])
--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@ -465,6 +465,7 @@ packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
 			data->rr_ttl[i] -= subtract;
 		else	data->rr_ttl[i] = 0;
 	}
 	data->ttl_add = (subtract < data->ttl_add) ? (data->ttl_add - subtract) : 0;
 }
 /* Adjust the TTL of a DNS message and its RRs by 'adjust'.  If 'adjust' is
--- a/config.h.in
+++ b/config.h.in
@ -747,7 +747,8 @@
   your system. */
 #undef PTHREAD_CREATE_JOINABLE
-/* Define as the return type of signal handlers (`int' or `void'). */
+/* Return type of signal handlers, but autoconf 2.70 says 'your code may
   safely assume C89 semantics that RETSIGTYPE is void.' */
 #undef RETSIGTYPE
 /* if REUSEPORT is enabled by default */
--- a/139
+++ b/139
@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.12.1.
+# Generated by GNU Autoconf 2.69 for unbound 1.13.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.12.1'
+PACKAGE_VERSION='1.13.1'
-PACKAGE_STRING='unbound 1.12.1'
+PACKAGE_STRING='unbound 1.13.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
@ -649,6 +649,7 @@ ENABLE_DNSCRYPT
 ENABLE_DNSCRYPT_XCHACHA20
 DNSTAP_OBJ
 DNSTAP_SRC
 DNSTAP_SOCKET_TESTBIN
 DNSTAP_SOCKET_PATH
 opt_dnstap_socket_path
 ENABLE_DNSTAP
@ -1459,7 +1460,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures unbound 1.12.1 to adapt to many kinds of systems.
+\`configure' configures unbound 1.13.1 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1524,7 +1525,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.12.1:";;
+     short | recursive ) echo "Configuration of unbound 1.13.1:";;
   esac
  cat <<\_ACEOF
@ -1752,7 +1753,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-unbound configure 1.12.1
+unbound configure 1.13.1
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@ -2461,7 +2462,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.12.1, which was
+It was created by unbound $as_me 1.13.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@ -2811,13 +2812,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 UNBOUND_VERSION_MAJOR=1
-UNBOUND_VERSION_MINOR=12
+UNBOUND_VERSION_MINOR=13
 UNBOUND_VERSION_MICRO=1
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=11
+LIBUNBOUND_REVISION=12
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@ -2895,7 +2896,8 @@ LIBUNBOUND_AGE=1
 # 1.10.1 had 9:8:1
 # 1.11.0 had 9:9:1
 # 1.12.0 had 9:10:1
-# 1.12.1 had 9:11:1
+# 1.13.0 had 9:11:1
 # 1.13.1 had 9:12:1
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@ -4176,7 +4178,6 @@ $as_echo "$ac_cv_safe_to_define___extensions__" >&6; }
  $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h
 if test "$ac_cv_header_minix_config_h" = "yes"; then
 $as_echo "#define _NETBSD_SOURCE 1" >>confdefs.h
@ -15595,38 +15596,8 @@ $as_echo "#define HAVE_WORKING_FORK 1" >>confdefs.h
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5
 $as_echo_n "checking return type of signal handlers... " >&6; }
 if ${ac_cv_type_signal+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
 #include <signal.h>
 int
 main ()
 {
 return *(signal (0, 0)) (0) == 1;
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
  ac_cv_type_signal=int
 else
  ac_cv_type_signal=void
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_signal" >&5
 $as_echo "$ac_cv_type_signal" >&6; }
 cat >>confdefs.h <<_ACEOF
 #define RETSIGTYPE $ac_cv_type_signal
 _ACEOF
 $as_echo "#define RETSIGTYPE void" >>confdefs.h
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGEFILE_SOURCE value needed for large files" >&5
 $as_echo_n "checking for _LARGEFILE_SOURCE value needed for large files... " >&6; }
@ -17265,9 +17236,68 @@ $as_echo "#define WITH_DYNLIBMODULE 1" >>confdefs.h
  DYNLIBMOD_HEADER='$(srcdir)/dynlibmod/dynlibmod.h'
  if test $on_mingw = "no"; then
-    DYNLIBMOD_EXTRALIBS="-ldl -export-dynamic"
+    # link with -ldl if not already there, for all executables because
    # dlopen call is in the dynlib module.  For unbound executable, also
    # export symbols.
    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
 $as_echo_n "checking for library containing dlopen... " >&6; }
 if ${ac_cv_search_dlopen+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  ac_func_search_save_LIBS=$LIBS
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 /* Override any GCC internal prototype to avoid an error.
   Use char because int might match the return type of a GCC
   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
 char dlopen ();
 int
 main ()
 {
 return dlopen ();
  ;
  return 0;
 }
 _ACEOF
 for ac_lib in '' dl; do
  if test -z "$ac_lib"; then
    ac_res="none required"
  else
-    DYNLIBMOD_EXTRALIBS="-Wl,--export-all-symbols,--out-implib,libunbound.a"
+    ac_res=-l$ac_lib
    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
  fi
  if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_search_dlopen=$ac_res
 fi
 rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext
  if ${ac_cv_search_dlopen+:} false; then :
  break
 fi
 done
 if ${ac_cv_search_dlopen+:} false; then :
 else
  ac_cv_search_dlopen=no
 fi
 rm conftest.$ac_ext
 LIBS=$ac_func_search_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5
 $as_echo "$ac_cv_search_dlopen" >&6; }
 ac_res=$ac_cv_search_dlopen
 if test "$ac_res" != no; then :
  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
 fi
    DYNLIBMOD_EXTRALIBS="-export-dynamic"
  else
    DYNLIBMOD_EXTRALIBS="-Wl,--export-all-symbols,--out-implib,libunbound.dll.a"
  fi
 fi
@ -18287,17 +18317,13 @@ $as_echo_n "checking if libssl needs -lcrypt32... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 /* Override any GCC internal prototype to avoid an error.
   Use char because int might match the return type of a GCC
   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
 char EVP_sha256 ();
 int
 main ()
 {
-return EVP_sha256 ();
+
 	int EVP_sha256(void);
 	(void)EVP_sha256();
  ;
  return 0;
 }
@ -19799,6 +19825,7 @@ if test x_$enable_static_exe = x_yes; then
 			LIBS="$LIBS -lgdi32"
 		fi
 		LIBS="$LIBS -lz"
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
@ -19818,6 +19845,7 @@ if test x_$enable_fully_static = x_yes; then
 			LIBS="$LIBS -lgdi32"
 		fi
 		LIBS="$LIBS -lz"
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
@ -21225,6 +21253,7 @@ _ACEOF
 	DNSTAP_SOCKET_PATH="$hdr_dnstap_socket_path"
 	DNSTAP_SOCKET_TESTBIN='unbound-dnstap-socket$(EXEEXT)'
        DNSTAP_SRC="dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c"
@ -21731,7 +21760,7 @@ _ACEOF
-version=1.12.1
+version=1.13.1
 date=`date +'%b %e, %Y'`
@ -22250,7 +22279,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.12.1, which was
+This file was extended by unbound $as_me 1.13.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@ -22316,7 +22345,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.12.1
+unbound config.status 1.13.1
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
--- a/configure.ac
+++ b/configure.ac
@ -1,6 +1,6 @@
 #                                               -*- Autoconf -*-
 # Process this file with autoconf to produce a configure script.
-AC_PREREQ(2.56)
+AC_PREREQ([2.56])
 sinclude(acx_nlnetlabs.m4)
 sinclude(ax_pthread.m4)
 sinclude(acx_python.m4)
@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[12])
+m4_define([VERSION_MINOR],[13])
 m4_define([VERSION_MICRO],[1])
-AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound)
+AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=11
+LIBUNBOUND_REVISION=12
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@ -96,7 +96,8 @@ LIBUNBOUND_AGE=1
 # 1.10.1 had 9:8:1
 # 1.11.0 had 9:9:1
 # 1.12.0 had 9:10:1
-# 1.12.1 had 9:11:1
+# 1.13.0 had 9:11:1
 # 1.13.1 had 9:12:1
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@ -125,7 +126,7 @@ cmdln="`echo $@ | sed -e 's/\\\\/\\\\\\\\/g' | sed -e 's/"/\\\\"/'g`"
 AC_DEFINE_UNQUOTED(CONFCMDLINE, ["$cmdln"], [Command line arguments used with configure])
 CFLAGS="$CFLAGS"
-AC_AIX
+AC_USE_SYSTEM_EXTENSIONS
 if test "$ac_cv_header_minix_config_h" = "yes"; then
 	AC_DEFINE(_NETBSD_SOURCE,1, [Enable for compile on Minix])
 fi
@ -166,8 +167,7 @@ else
  ub_conf_file="C:\\Program Files\\Unbound\\service.conf"
 fi
 AC_ARG_WITH([conf_file],
-        AC_HELP_STRING([--with-conf-file=path], 
+        AS_HELP_STRING([--with-conf-file=path],[Pathname to the Unbound configuration file]),
 	[Pathname to the Unbound configuration file]),
 	[ub_conf_file="$withval"])
 AC_SUBST(ub_conf_file)
 ACX_ESCAPE_BACKSLASH($ub_conf_file, hdr_config)
@ -177,8 +177,7 @@ AC_SUBST(ub_conf_dir)
 # Determine run, chroot directory and pidfile locations
 AC_ARG_WITH(run-dir, 
-    AC_HELP_STRING([--with-run-dir=path], 
+    AS_HELP_STRING([--with-run-dir=path],[set default directory to chdir to (by default dir part of cfg file)]), 
    [set default directory to chdir to (by default dir part of cfg file)]), 
    UNBOUND_RUN_DIR="$withval", 
 if test $on_mingw = no; then
    UNBOUND_RUN_DIR=`dirname "$ub_conf_file"`
@ -191,8 +190,7 @@ ACX_ESCAPE_BACKSLASH($UNBOUND_RUN_DIR, hdr_run)
 AC_DEFINE_UNQUOTED(RUN_DIR, ["$hdr_run"], [Directory to chdir to])
 AC_ARG_WITH(chroot-dir, 
-    AC_HELP_STRING([--with-chroot-dir=path], 
+    AS_HELP_STRING([--with-chroot-dir=path],[set default directory to chroot to (by default same as run-dir)]), 
    [set default directory to chroot to (by default same as run-dir)]), 
    UNBOUND_CHROOT_DIR="$withval", 
 if test $on_mingw = no; then
    UNBOUND_CHROOT_DIR="$UNBOUND_RUN_DIR"
@ -205,16 +203,14 @@ ACX_ESCAPE_BACKSLASH($UNBOUND_CHROOT_DIR, hdr_chroot)
 AC_DEFINE_UNQUOTED(CHROOT_DIR, ["$hdr_chroot"], [Directory to chroot to])
 AC_ARG_WITH(share-dir,
-    AC_HELP_STRING([--with-share-dir=path],
+    AS_HELP_STRING([--with-share-dir=path],[set default directory with shared data (by default same as share/unbound)]),
    [set default directory with shared data (by default same as share/unbound)]),
    UNBOUND_SHARE_DIR="$withval",
    UNBOUND_SHARE_DIR="$UNBOUND_RUN_DIR")
 AC_SUBST(UNBOUND_SHARE_DIR)
 AC_DEFINE_UNQUOTED(SHARE_DIR, ["$UNBOUND_SHARE_DIR"], [Shared data])
 AC_ARG_WITH(pidfile, 
-    AC_HELP_STRING([--with-pidfile=filename], 
+    AS_HELP_STRING([--with-pidfile=filename],[set default pathname to unbound pidfile (default run-dir/unbound.pid)]), 
    [set default pathname to unbound pidfile (default run-dir/unbound.pid)]), 
    UNBOUND_PIDFILE="$withval", 
 if test $on_mingw = no; then
    UNBOUND_PIDFILE="$UNBOUND_RUN_DIR/unbound.pid"
@ -227,8 +223,7 @@ ACX_ESCAPE_BACKSLASH($UNBOUND_PIDFILE, hdr_pid)
 AC_DEFINE_UNQUOTED(PIDFILE, ["$hdr_pid"], [default pidfile location])
 AC_ARG_WITH(rootkey-file, 
-    AC_HELP_STRING([--with-rootkey-file=filename], 
+    AS_HELP_STRING([--with-rootkey-file=filename],[set default pathname to root key file (default run-dir/root.key). This file is read and written.]), 
    [set default pathname to root key file (default run-dir/root.key). This file is read and written.]), 
    UNBOUND_ROOTKEY_FILE="$withval", 
 if test $on_mingw = no; then
    UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key"
@ -241,8 +236,7 @@ ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTKEY_FILE, hdr_rkey)
 AC_DEFINE_UNQUOTED(ROOT_ANCHOR_FILE, ["$hdr_rkey"], [default rootkey location])
 AC_ARG_WITH(rootcert-file, 
-    AC_HELP_STRING([--with-rootcert-file=filename], 
+    AS_HELP_STRING([--with-rootcert-file=filename],[set default pathname to root update certificate file (default run-dir/icannbundle.pem).  This file need not exist if you are content with the builtin.]), 
    [set default pathname to root update certificate file (default run-dir/icannbundle.pem).  This file need not exist if you are content with the builtin.]), 
    UNBOUND_ROOTCERT_FILE="$withval", 
 if test $on_mingw = no; then
    UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem"
@ -255,8 +249,7 @@ ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTCERT_FILE, hdr_rpem)
 AC_DEFINE_UNQUOTED(ROOT_CERT_FILE, ["$hdr_rpem"], [default rootcert location])
 AC_ARG_WITH(username, 
-    AC_HELP_STRING([--with-username=user], 
+    AS_HELP_STRING([--with-username=user],[set default user that unbound changes to (default user is unbound)]), 
    [set default user that unbound changes to (default user is unbound)]), 
    UNBOUND_USERNAME="$withval", 
    UNBOUND_USERNAME="unbound")
 AC_SUBST(UNBOUND_USERNAME)
@ -268,7 +261,7 @@ AC_DEFINE_UNQUOTED(RSRC_PACKAGE_VERSION, [$wnvs], [version number for resource f
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
-AC_LANG_C
+AC_LANG([C])
 # allow user to override the -g -O2 flags.
 default_cflags=no
 if test "x$CFLAGS" = "x" ; then
@ -281,8 +274,8 @@ ACX_DEPFLAG
 ACX_DETERMINE_EXT_FLAGS_UNBOUND
 # debug mode flags warnings
-AC_ARG_ENABLE(checking, AC_HELP_STRING([--enable-checking], [Enable warnings, asserts, makefile-dependencies]))
+AC_ARG_ENABLE(checking, AS_HELP_STRING([--enable-checking],[Enable warnings, asserts, makefile-dependencies]))
-AC_ARG_ENABLE(debug, AC_HELP_STRING([--enable-debug], [same as enable-checking]))
+AC_ARG_ENABLE(debug, AS_HELP_STRING([--enable-debug],[same as enable-checking]))
 if test "$enable_debug" = "yes"; then debug_enabled="$enable_debug"; 
 else debug_enabled="$enable_checking"; fi
 AC_SUBST(debug_enabled)
@ -316,14 +309,11 @@ AC_DEFUN([CHECK_WEAK_ATTRIBUTE],
 AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "weak" attribute)
 AC_CACHE_VAL(ac_cv_c_weak_attribute,
 [ac_cv_c_weak_attribute=no
-AC_TRY_COMPILE(
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h>
 [ #include <stdio.h>
 __attribute__((weak)) void f(int x) { printf("%d", x); }
-], [
+]], [[
   f(1);
-],
+]])],[ac_cv_c_weak_attribute="yes"],[ac_cv_c_weak_attribute="no"])
 [ac_cv_c_weak_attribute="yes"],
 [ac_cv_c_weak_attribute="no"])
 ])
 AC_MSG_RESULT($ac_cv_c_weak_attribute)
@ -340,14 +330,11 @@ AC_DEFUN([CHECK_NORETURN_ATTRIBUTE],
 AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "noreturn" attribute)
 AC_CACHE_VAL(ac_cv_c_noreturn_attribute,
 [ac_cv_c_noreturn_attribute=no
-AC_TRY_COMPILE(
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h>
 [ #include <stdio.h>
 __attribute__((noreturn)) void f(int x) { printf("%d", x); }
-], [
+]], [[
   f(1);
-],
+]])],[ac_cv_c_noreturn_attribute="yes"],[ac_cv_c_noreturn_attribute="no"])
 [ac_cv_c_noreturn_attribute="yes"],
 [ac_cv_c_noreturn_attribute="no"])
 ])
 AC_MSG_RESULT($ac_cv_c_noreturn_attribute)
@ -385,7 +372,7 @@ EOF
 	fi
 ])
-AC_PROG_LEX
+AC_PROG_LEX([noyywrap])
 if test "$LEX" != "" -a "$LEX" != ":"; then
 ACX_YYLEX_DESTROY
 fi
@ -494,7 +481,7 @@ fi
 # check some functions of the OS before linking libs (while still runnable).
 AC_FUNC_CHOWN
 AC_FUNC_FORK
-AC_TYPE_SIGNAL
+AC_DEFINE(RETSIGTYPE,void,[Return type of signal handlers, but autoconf 2.70 says 'your code may safely assume C89 semantics that RETSIGTYPE is void.'])
 AC_FUNC_FSEEKO
 ACX_SYS_LARGEFILE
 ACX_CHECK_NONBLOCKING_BROKEN
@ -513,14 +500,11 @@ sinclude(systemd.m4)
 # Include systemd.m4 - end
 # set memory allocation checking if requested
-AC_ARG_ENABLE(alloc-checks, AC_HELP_STRING([--enable-alloc-checks],
+AC_ARG_ENABLE(alloc-checks, AS_HELP_STRING([--enable-alloc-checks],[ enable to memory allocation statistics, for debug purposes ]), 
 	[ enable to memory allocation statistics, for debug purposes ]), 
 	, )
-AC_ARG_ENABLE(alloc-lite, AC_HELP_STRING([--enable-alloc-lite],
+AC_ARG_ENABLE(alloc-lite, AS_HELP_STRING([--enable-alloc-lite],[ enable for lightweight alloc assertions, for debug purposes ]), 
 	[ enable for lightweight alloc assertions, for debug purposes ]), 
 	, )
-AC_ARG_ENABLE(alloc-nonregional, AC_HELP_STRING([--enable-alloc-nonregional],
+AC_ARG_ENABLE(alloc-nonregional, AS_HELP_STRING([--enable-alloc-nonregional],[ enable nonregional allocs, slow but exposes regional allocations to other memory purifiers, for debug purposes ]), 
 	[ enable nonregional allocs, slow but exposes regional allocations to other memory purifiers, for debug purposes ]), 
 	, )
 if test x_$enable_alloc_nonregional = x_yes; then
 	AC_DEFINE(UNBOUND_ALLOC_NONREGIONAL, 1, [use malloc not regions, for debug use])
@ -564,8 +548,7 @@ else
 # check this first, so that the pthread lib does not get linked in via
 # libssl or libpython, and thus distorts the tests, and we end up using
 # the non-threadsafe C libraries.
-AC_ARG_WITH(pthreads, AC_HELP_STRING([--with-pthreads], 
+AC_ARG_WITH(pthreads, AS_HELP_STRING([--with-pthreads],[use pthreads library, or --without-pthreads to disable threading support.]), 
 [use pthreads library, or --without-pthreads to disable threading support.]), 
 [ ],[ withval="yes" ])
 ub_have_pthreads=no
 if test x_$withval != x_no; then
@ -612,12 +595,11 @@ int main(void) {return 0;}
 fi
 # check solaris thread library 
-AC_ARG_WITH(solaris-threads, AC_HELP_STRING([--with-solaris-threads], 
+AC_ARG_WITH(solaris-threads, AS_HELP_STRING([--with-solaris-threads],[use solaris native thread library.]), [ ],[ withval="no" ])
 	[use solaris native thread library.]), [ ],[ withval="no" ])
 ub_have_sol_threads=no
 if test x_$withval != x_no; then
 	if test x_$ub_have_pthreads != x_no; then
-	    AC_WARN([Have pthreads already, ignoring --with-solaris-threads])
+	    AC_MSG_WARN([Have pthreads already, ignoring --with-solaris-threads])
 	else
 	AC_SEARCH_LIBS(thr_create, [thread],
 	[
@ -627,7 +609,7 @@ if test x_$withval != x_no; then
 			[CFLAGS="$CFLAGS -D_REENTRANT"])
 		ub_have_sol_threads=yes
 	] , [ 
-		AC_ERROR([no solaris threads found.]) 
+		AC_MSG_ERROR([no solaris threads found.]) 
 	])
 	fi
 fi
@ -635,7 +617,7 @@ fi
 fi # end of non-mingw check of thread libraries
 # Check for SYSLOG_FACILITY
-AC_ARG_WITH(syslog-facility, AC_HELP_STRING([--with-syslog-facility=LOCAL0 - LOCAL7], [ set SYSLOG_FACILITY, default DAEMON ]),
+AC_ARG_WITH(syslog-facility, AS_HELP_STRING([--with-syslog-facility=LOCAL0 - LOCAL7],[ set SYSLOG_FACILITY, default DAEMON ]),
 	[ UNBOUND_SYSLOG_FACILITY="$withval" ], [])
 case "${UNBOUND_SYSLOG_FACILITY}" in
@ -648,8 +630,7 @@ AC_DEFINE_UNQUOTED(UB_SYSLOG_FACILITY,${UNBOUND_SYSLOG_FACILITY},[the SYSLOG_FAC
 # Check for dynamic library module
 AC_ARG_WITH(dynlibmodule,
-   AC_HELP_STRING([--with-dynlibmodule],
+   AS_HELP_STRING([--with-dynlibmodule],[build dynamic library module, or --without-dynlibmodule to disable it. (default=no)]),
   [build dynamic library module, or --without-dynlibmodule to disable it. (default=no)]),
   [], [ withval="no" ])
 if test x_$withval != x_no; then
@ -661,17 +642,20 @@ if test x_$withval != x_no; then
  DYNLIBMOD_HEADER='$(srcdir)/dynlibmod/dynlibmod.h'
  AC_SUBST(DYNLIBMOD_HEADER)
  if test $on_mingw = "no"; then
-    DYNLIBMOD_EXTRALIBS="-ldl -export-dynamic"
+    # link with -ldl if not already there, for all executables because
    # dlopen call is in the dynlib module.  For unbound executable, also
    # export symbols.
    AC_SEARCH_LIBS([dlopen], [dl])
    DYNLIBMOD_EXTRALIBS="-export-dynamic"
  else
-    DYNLIBMOD_EXTRALIBS="-Wl,--export-all-symbols,--out-implib,libunbound.a"
+    DYNLIBMOD_EXTRALIBS="-Wl,--export-all-symbols,--out-implib,libunbound.dll.a"
  fi
  AC_SUBST(DYNLIBMOD_EXTRALIBS)
 fi
 # Check for PyUnbound
 AC_ARG_WITH(pyunbound,
-   AC_HELP_STRING([--with-pyunbound],
+   AS_HELP_STRING([--with-pyunbound],[build PyUnbound, or --without-pyunbound to skip it. (default=no)]),
   [build PyUnbound, or --without-pyunbound to skip it. (default=no)]),
   [], [ withval="no" ])
 ub_test_python=no
@ -683,8 +667,7 @@ fi
 # Check for Python module
 AC_ARG_WITH(pythonmodule,
-   AC_HELP_STRING([--with-pythonmodule],
+   AS_HELP_STRING([--with-pythonmodule],[build Python module, or --without-pythonmodule to disable script engine. (default=no)]),
   [build Python module, or --without-pythonmodule to disable script engine. (default=no)]),
   [], [ withval="no" ])
 ub_with_pythonmod=no
@ -702,7 +685,7 @@ if test x_$ub_test_python != x_no; then
   AC_PYTHON_DEVEL
   if test ! -z "$PYTHON_VERSION"; then
 	if test `$PYTHON -c "print('$PYTHON_VERSION' >= '2.4.0')"` = "False"; then
-		AC_ERROR([Python version >= 2.4.0 is required])
+		AC_MSG_ERROR([Python version >= 2.4.0 is required])
 	fi
      [PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`"]
@ -730,7 +713,7 @@ if test x_$ub_test_python != x_no; then
      # Check for SWIG
      ub_have_swig=no
-      AC_ARG_ENABLE(swig-version-check, AC_HELP_STRING([--disable-swig-version-check], [Disable swig version check to build python modules with older swig even though that is unreliable]))
+      AC_ARG_ENABLE(swig-version-check, AS_HELP_STRING([--disable-swig-version-check],[Disable swig version check to build python modules with older swig even though that is unreliable]))
      if test "$enable_swig_version_check" = "yes"; then
      	AC_PROG_SWIG(2.0.1)
      else
@ -738,7 +721,7 @@ if test x_$ub_test_python != x_no; then
      fi
      AC_MSG_CHECKING(SWIG)
      if test ! -x "$SWIG"; then
-         AC_ERROR([failed to find swig tool, install it, or do not build Python module and PyUnbound])
+         AC_MSG_ERROR([failed to find swig tool, install it, or do not build Python module and PyUnbound])
      else
         AC_DEFINE(HAVE_SWIG, 1, [Define if you have Swig libraries and header files.])
         AC_SUBST(swig, "$SWIG")
@ -793,8 +776,7 @@ AC_SUBST(CONFIG_DATE)
 # libnss
 USE_NSS="no"
-AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+AC_ARG_WITH([nss], AS_HELP_STRING([--with-nss=path],[use libnss instead of openssl, installed at path.]),
 	[use libnss instead of openssl, installed at path.]),
 	[
 	USE_NSS="yes"
 	AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
@ -816,8 +798,7 @@ AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
 # libnettle
 USE_NETTLE="no"
-AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
+AC_ARG_WITH([nettle], AS_HELP_STRING([--with-nettle=path],[use libnettle as crypto library, installed at path.]),
 	[use libnettle as crypto library, installed at path.]),
 	[
 	USE_NETTLE="yes"
 	AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
@ -849,7 +830,10 @@ AC_SUBST(PC_CRYPTO_DEPENDENCY)
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
 AC_MSG_CHECKING([if libssl needs -lcrypt32])
-AC_TRY_LINK_FUNC([EVP_sha256], [
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
 	int EVP_sha256(void);
 	(void)EVP_sha256();
 ]])], [
 	AC_MSG_RESULT([no])
 	LIBS="$BAKLIBS"
 ], [
@ -937,7 +921,7 @@ fi
 AC_SUBST(SSLLIB)
 # libbsd
-AC_ARG_WITH([libbsd], AC_HELP_STRING([--with-libbsd], [Use portable libbsd functions]), [
+AC_ARG_WITH([libbsd], AS_HELP_STRING([--with-libbsd],[Use portable libbsd functions]), [
 	AC_CHECK_HEADERS([bsd/string.h bsd/stdlib.h],,, [AC_INCLUDES_DEFAULT])
 	if test "x$ac_cv_header_bsd_string_h" = xyes -a "x$ac_cv_header_bsd_stdlib_h" = xyes; then
 		for func in strlcpy strlcat arc4random arc4random_uniform reallocarray; do
@ -950,7 +934,7 @@ AC_ARG_WITH([libbsd], AC_HELP_STRING([--with-libbsd], [Use portable libbsd funct
 	fi
 ])
-AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support]))
+AC_ARG_ENABLE(sha1, AS_HELP_STRING([--disable-sha1],[Disable SHA1 RRSIG support, does not disable nsec3 support]))
 case "$enable_sha1" in
 	no)
 	;;
@ -960,7 +944,7 @@ case "$enable_sha1" in
 esac
-AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
+AC_ARG_ENABLE(sha2, AS_HELP_STRING([--disable-sha2],[Disable SHA256 and SHA512 RRSIG support]))
 case "$enable_sha2" in
 	no)
 	;;
@ -969,7 +953,7 @@ case "$enable_sha2" in
 	;;
 esac
-AC_ARG_ENABLE(subnet, AC_HELP_STRING([--enable-subnet], [Enable client subnet]))
+AC_ARG_ENABLE(subnet, AS_HELP_STRING([--enable-subnet],[Enable client subnet]))
 case "$enable_subnet" in
 	yes)
 	AC_DEFINE([CLIENT_SUBNET], [1], [Define this to enable client subnet option.])
@ -1080,7 +1064,7 @@ fi
 AC_MSG_RESULT($ac_cv_c_gost_works)
 ])dnl
-AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
+AC_ARG_ENABLE(gost, AS_HELP_STRING([--disable-gost],[Disable GOST support]))
 use_gost="no"
 if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 case "$enable_gost" in
@ -1098,7 +1082,7 @@ case "$enable_gost" in
 esac
 fi dnl !USE_NSS && !USE_NETTLE
-AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
+AC_ARG_ENABLE(ecdsa, AS_HELP_STRING([--disable-ecdsa],[Disable ECDSA support]))
 use_ecdsa="no"
 case "$enable_ecdsa" in
    no)
@ -1130,7 +1114,7 @@ case "$enable_ecdsa" in
      ;;
 esac
-AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))
+AC_ARG_ENABLE(dsa, AS_HELP_STRING([--disable-dsa],[Disable DSA support]))
 use_dsa="no"
 case "$enable_dsa" in
    yes)
@ -1170,7 +1154,7 @@ AC_INCLUDES_DEFAULT
      ;;
 esac
-AC_ARG_ENABLE(ed25519, AC_HELP_STRING([--disable-ed25519], [Disable ED25519 support]))
+AC_ARG_ENABLE(ed25519, AS_HELP_STRING([--disable-ed25519],[Disable ED25519 support]))
 use_ed25519="no"
 case "$enable_ed25519" in
    no)
@ -1193,7 +1177,7 @@ case "$enable_ed25519" in
      ;;
 esac
-AC_ARG_ENABLE(ed448, AC_HELP_STRING([--disable-ed448], [Disable ED448 support]))
+AC_ARG_ENABLE(ed448, AS_HELP_STRING([--disable-ed448],[Disable ED448 support]))
 use_ed448="no"
 case "$enable_ed448" in
    no)
@ -1213,7 +1197,7 @@ case "$enable_ed448" in
      ;;
 esac
-AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
+AC_ARG_ENABLE(event-api, AS_HELP_STRING([--enable-event-api],[Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
 case "$enable_event_api" in
    yes)
      AC_SUBST(UNBOUND_EVENT_INSTALL, [unbound-event-install])
@ -1223,7 +1207,7 @@ case "$enable_event_api" in
      ;;
 esac
-AC_ARG_ENABLE(tfo-client, AC_HELP_STRING([--enable-tfo-client], [Enable TCP Fast Open for client mode]))
+AC_ARG_ENABLE(tfo-client, AS_HELP_STRING([--enable-tfo-client],[Enable TCP Fast Open for client mode]))
 case "$enable_tfo_client" in
 	yes)
 		case `uname` in
@ -1247,7 +1231,7 @@ case "$enable_tfo_client" in
 		;;
 esac
-AC_ARG_ENABLE(tfo-server, AC_HELP_STRING([--enable-tfo-server], [Enable TCP Fast Open for server mode]))
+AC_ARG_ENABLE(tfo-server, AS_HELP_STRING([--enable-tfo-server],[Enable TCP Fast Open for server mode]))
 case "$enable_tfo_server" in
 	yes)
 	      AC_CHECK_DECL([TCP_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support server mode TFO])], [AC_MSG_ERROR([TCP Fast Open is not available for server mode: please rerun without --enable-tfo-server])], [AC_INCLUDES_DEFAULT
@ -1260,8 +1244,7 @@ case "$enable_tfo_server" in
 esac
 # check for libevent
-AC_ARG_WITH(libevent, AC_HELP_STRING([--with-libevent=pathname],
+AC_ARG_WITH(libevent, AS_HELP_STRING([--with-libevent=pathname],[use libevent (will check /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr  or you can specify an explicit path). Slower, but allows use of large outgoing port ranges.]),
    [use libevent (will check /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr  or you can specify an explicit path). Slower, but allows use of large outgoing port ranges.]),
    [ ],[ with_libevent="no" ])
 if test "x_$with_libevent" != x_no; then
        AC_DEFINE([USE_LIBEVENT], [1], [Define if you enable libevent])
@ -1355,8 +1338,7 @@ else
 fi
 # check for libexpat
-AC_ARG_WITH(libexpat, AC_HELP_STRING([--with-libexpat=path],
+AC_ARG_WITH(libexpat, AS_HELP_STRING([--with-libexpat=path],[specify explicit path for libexpat.]),
    [specify explicit path for libexpat.]),
    [ ],[ withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" ])
 AC_MSG_CHECKING(for libexpat)
 found_libexpat="no"
@ -1373,7 +1355,7 @@ for dir in $withval ; do
            fi
 done
 if test x_$found_libexpat != x_yes; then
-	AC_ERROR([Could not find libexpat, expat.h])
+	AC_MSG_ERROR([Could not find libexpat, expat.h])
 fi
 AC_CHECK_HEADERS([expat.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_DECLS([XML_StopParser], [], [], [AC_INCLUDES_DEFAULT
@ -1381,8 +1363,7 @@ AC_CHECK_DECLS([XML_StopParser], [], [], [AC_INCLUDES_DEFAULT
 ])
 # hiredis (redis C client for cachedb)
-AC_ARG_WITH(libhiredis, AC_HELP_STRING([--with-libhiredis=path],
+AC_ARG_WITH(libhiredis, AS_HELP_STRING([--with-libhiredis=path],[specify explicit path for libhiredis.]),
    [specify explicit path for libhiredis.]),
    [ ],[ withval="no" ])
 found_libhiredis="no"
 if test x_$withval = x_yes -o x_$withval != x_no; then
@ -1405,7 +1386,7 @@ if test x_$withval = x_yes -o x_$withval != x_no; then
            fi
    done
    if test x_$found_libhiredis != x_yes; then
-	AC_ERROR([Could not find libhiredis, hiredis.h])
+	AC_MSG_ERROR([Could not find libhiredis, hiredis.h])
    fi
    AC_CHECK_HEADERS([hiredis/hiredis.h],,, [AC_INCLUDES_DEFAULT])
    AC_CHECK_DECLS([redisConnect], [], [], [AC_INCLUDES_DEFAULT
@ -1414,8 +1395,7 @@ if test x_$withval = x_yes -o x_$withval != x_no; then
 fi
 # nghttp2
-AC_ARG_WITH(libnghttp2, AC_HELP_STRING([--with-libnghttp2=path],
+AC_ARG_WITH(libnghttp2, AS_HELP_STRING([--with-libnghttp2=path],[specify explicit path for libnghttp2.]),
    [specify explicit path for libnghttp2.]),
    [ ],[ withval="no" ])
 found_libnghttp2="no"
 if test x_$withval = x_yes -o x_$withval != x_no; then
@ -1438,7 +1418,7 @@ if test x_$withval = x_yes -o x_$withval != x_no; then
            fi
    done
    if test x_$found_libnghttp2 != x_yes; then
-	AC_ERROR([Could not find libnghttp2, nghttp2.h])
+	AC_MSG_ERROR([Could not find libnghttp2, nghttp2.h])
    fi
    AC_CHECK_HEADERS([nghttp2/nghttp2.h],,, [AC_INCLUDES_DEFAULT])
    AC_CHECK_DECLS([nghttp2_session_server_new], [], [], [AC_INCLUDES_DEFAULT
@ -1449,8 +1429,7 @@ fi
 # set static linking for uninstalled libraries if requested
 AC_SUBST(staticexe)
 staticexe=""
-AC_ARG_ENABLE(static-exe, AC_HELP_STRING([--enable-static-exe],
+AC_ARG_ENABLE(static-exe, AS_HELP_STRING([--enable-static-exe],[ enable to compile executables statically against (event) uninstalled libs, for debug purposes ]),
 	[ enable to compile executables statically against (event) uninstalled libs, for debug purposes ]),
 	, )
 if test x_$enable_static_exe = x_yes; then
 	staticexe="-static"
@ -1463,12 +1442,12 @@ if test x_$enable_static_exe = x_yes; then
 			LIBS="$LIBS -lgdi32"
 		fi
 		LIBS="$LIBS -lz"
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
 # set full static linking if requested
-AC_ARG_ENABLE(fully-static, AC_HELP_STRING([--enable-fully-static],
+AC_ARG_ENABLE(fully-static, AS_HELP_STRING([--enable-fully-static],[ enable to compile fully static ]),
 	[ enable to compile fully static ]),
 	, )
 if test x_$enable_fully_static = x_yes; then
 	staticexe="-all-static"
@ -1480,12 +1459,12 @@ if test x_$enable_fully_static = x_yes; then
 			LIBS="$LIBS -lgdi32"
 		fi
 		LIBS="$LIBS -lz"
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
 # set lock checking if requested
-AC_ARG_ENABLE(lock_checks, AC_HELP_STRING([--enable-lock-checks],
+AC_ARG_ENABLE(lock_checks, AS_HELP_STRING([--enable-lock-checks],[ enable to check lock and unlock calls, for debug purposes ]), 
 	[ enable to check lock and unlock calls, for debug purposes ]), 
 	, )
 if test x_$enable_lock_checks = x_yes; then
 	AC_DEFINE(ENABLE_LOCK_CHECKS, 1, [Define if you want to use debug lock checking (slow).])
@ -1727,7 +1706,7 @@ AC_SUBST(LIBOBJ_WITHOUT_CTIME)
 AC_REPLACE_FUNCS(ctime_r)
 AC_REPLACE_FUNCS(strsep)
-AC_ARG_ENABLE(allsymbols, AC_HELP_STRING([--enable-allsymbols], [export all symbols from libunbound and link binaries to it, smaller install size but libunbound export table is polluted by internal symbols]))
+AC_ARG_ENABLE(allsymbols, AS_HELP_STRING([--enable-allsymbols],[export all symbols from libunbound and link binaries to it, smaller install size but libunbound export table is polluted by internal symbols]))
 case "$enable_allsymbols" in
 	yes)
 	COMMON_OBJ_ALL_SYMBOLS=""
@ -1770,7 +1749,7 @@ dt_DNSTAP([$UNBOUND_RUN_DIR/dnstap.sock],
        AC_DEFINE_UNQUOTED(DNSTAP_SOCKET_PATH,
            ["$hdr_dnstap_socket_path"], [default dnstap socket path])
 	AC_SUBST(DNSTAP_SOCKET_PATH,["$hdr_dnstap_socket_path"])
-
+	AC_SUBST(DNSTAP_SOCKET_TESTBIN,['unbound-dnstap-socket$(EXEEXT)'])
        AC_SUBST([DNSTAP_SRC], ["dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c"])
        AC_SUBST([DNSTAP_OBJ], ["dnstap.lo dnstap.pb-c.lo dnstap_fstrm.lo dtstream.lo"])
    ],
@ -1793,7 +1772,7 @@ dnsc_DNSCRYPT([
 )
 # check for cachedb if requested
-AC_ARG_ENABLE(cachedb, AC_HELP_STRING([--enable-cachedb], [enable cachedb module that can use external cache storage]))
+AC_ARG_ENABLE(cachedb, AS_HELP_STRING([--enable-cachedb],[enable cachedb module that can use external cache storage]))
 # turn on cachedb when hiredis support is enabled.
 if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi
 case "$enable_cachedb" in
@ -1806,7 +1785,7 @@ case "$enable_cachedb" in
 esac
 # check for ipsecmod if requested
-AC_ARG_ENABLE(ipsecmod, AC_HELP_STRING([--enable-ipsecmod], [Enable ipsecmod module that facilitates opportunistic IPsec]))
+AC_ARG_ENABLE(ipsecmod, AS_HELP_STRING([--enable-ipsecmod],[Enable ipsecmod module that facilitates opportunistic IPsec]))
 case "$enable_ipsecmod" in
 	yes)
 		AC_DEFINE([USE_IPSECMOD], [1], [Define to 1 to use ipsecmod support.])
@ -1821,7 +1800,7 @@ case "$enable_ipsecmod" in
 esac
 # check for ipset if requested
-AC_ARG_ENABLE(ipset, AC_HELP_STRING([--enable-ipset], [enable ipset module]))
+AC_ARG_ENABLE(ipset, AS_HELP_STRING([--enable-ipset],[enable ipset module]))
 case "$enable_ipset" in
    yes)
 		AC_DEFINE([USE_IPSET], [1], [Define to 1 to use ipset support])
@ -1831,8 +1810,7 @@ case "$enable_ipset" in
 		AC_SUBST(IPSET_OBJ)
 		# mnl
-		AC_ARG_WITH(libmnl, AC_HELP_STRING([--with-libmnl=path],
+		AC_ARG_WITH(libmnl, AS_HELP_STRING([--with-libmnl=path],[specify explicit path for libmnl.]),
 			[specify explicit path for libmnl.]),
 			[ ],[ withval="yes" ])
 		found_libmnl="no"
 		AC_MSG_CHECKING(for libmnl)
@ -1853,14 +1831,14 @@ case "$enable_ipset" in
 			fi
 		done
 		if test x_$found_libmnl != x_yes; then
-			AC_ERROR([Could not find libmnl, libmnl.h])
+			AC_MSG_ERROR([Could not find libmnl, libmnl.h])
 		fi
 		;;
    no|*)
    	# nothing
 		;;
 esac
-AC_ARG_ENABLE(explicit-port-randomisation, AC_HELP_STRING([--disable-explicit-port-randomisation], [disable explicit source port randomisation and rely on the kernel to provide random source ports]))
+AC_ARG_ENABLE(explicit-port-randomisation, AS_HELP_STRING([--disable-explicit-port-randomisation],[disable explicit source port randomisation and rely on the kernel to provide random source ports]))
 case "$enable_explicit_port_randomisation" in
 	no)
 		AC_DEFINE([DISABLE_EXPLICIT_PORT_RANDOMISATION], [1], [Define this to enable kernel based UDP source port randomization.])
@ -1908,8 +1886,7 @@ AC_SUBST(SOURCEFILE)
 # see if we want to build the library or everything
 ALLTARGET="alltargets"
 INSTALLTARGET="install-all"
-AC_ARG_WITH(libunbound-only, AC_HELP_STRING([--with-libunbound-only],
+AC_ARG_WITH(libunbound-only, AS_HELP_STRING([--with-libunbound-only],[do not build daemon and tool programs]),
 	[do not build daemon and tool programs]),
 	[
 	if test "$withval" = "yes"; then
 		ALLTARGET="lib"
@ -1918,10 +1895,10 @@ AC_ARG_WITH(libunbound-only, AC_HELP_STRING([--with-libunbound-only],
 ])
 if test $ALLTARGET = "alltargets"; then
 	if test $USE_NSS = "yes"; then 
-		AC_ERROR([--with-nss can only be used in combination with --with-libunbound-only.])	
+		AC_MSG_ERROR([--with-nss can only be used in combination with --with-libunbound-only.])	
 	fi
 	if test $USE_NETTLE = "yes"; then
-		AC_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])	
+		AC_MSG_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])	
 	fi
 fi
@ -2198,5 +2175,5 @@ AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO])
 AC_SUBST(date, [`date +'%b %e, %Y'`])
 AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service])
-AC_CONFIG_HEADER([config.h])
+AC_CONFIG_HEADERS([config.h])
 AC_OUTPUT
--- a/contrib/README
+++ b/contrib/README
@ -53,3 +53,5 @@ distribution but may be helpful.
  lookups for downstream clients.
 * drop2rpz: perl script that converts the Spamhaus DROP-List in RPZ-Format,
  contributed by Andreas Schulze.
 * metrics.awk: awk script that can convert unbound-control stats to
  Prometheus metrics format output.
--- a/contrib/metrics.awk
+++ b/contrib/metrics.awk
@ -0,0 +1,180 @@
 # read output of unbound-control stats
 # and output prometheus metrics style output.
 # use these options:
 #	server:		extended-statistics: yes
 #			statistics-cumulative: no
 #			statistics-interval: 0
 #	remote-control: control-enable: yes
 # Can use it like unbound-control stats | awk -f "metrics.awk"
 BEGIN {
 	FS="=";
 }
 # everything like total.num.queries=value is put in val["total.num.queries"]
 /^.*\..*=/ {
 	val[$1]=$2;
 }
 # print the output metrics
 END {
 	print "# HELP unbound_hits_queries Unbound DNS traffic and cache hits"
 	print "# TYPE unbound_hits_queries gauge"
 	print "unbound_hits_queries{type=\"total.num.queries\"} " val["total.num.queries"];
 	for (x=0; x<99; x++) {
 		if(val["thread" $x ".num.queries"] != "") {
 			print "unbound_hits_queries{type=\"thread" $x ".num.queries\"} " val["thread" $x ".num.queries"];
 		}
 	}
 	print "unbound_hits_queries{type=\"total.num.cachehits\"} " val["total.num.cachehits"];
 	print "unbound_hits_queries{type=\"total.num.prefetch\"} " val["total.num.prefetch"];
 	print "unbound_hits_queries{type=\"num.query.tcp\"} " val["num.query.tcp"];
 	print "unbound_hits_queries{type=\"num.query.tcpout\"} " val["num.query.tcpout"];
 	print "unbound_hits_queries{type=\"num.query.tls\"} " val["num.query.tls"];
 	print "unbound_hits_queries{type=\"num.query.tls.resume\"} " val["num.query.tls.resume"];
 	print "unbound_hits_queries{type=\"num.query.ipv6\"} " val["num.query.ipv6"];
 	print "unbound_hits_queries{type=\"unwanted.queries\"} " val["unwanted.queries"];
 	print ""
 	print "# HELP unbound_queue_queries Unbound requestlist size"
 	print "# TYPE unbound_queue_queries gauge"
 	print "unbound_queue_queries{type=\"total.requestlist.avg\"} " val["total.requestlist.avg"];
 	print "unbound_queue_queries{type=\"total.requestlist.max\"} " val["total.requestlist.max"];
 	print "unbound_queue_queries{type=\"total.requestlist.overwritten\"} " val["total.requestlist.overwritten"];
 	print "unbound_queue_queries{type=\"total.requestlist.exceeded\"} " val["total.requestlist.exceeded"];
 	print ""
 	print "# HELP unbound_memory_bytes Unbound memory usage"
 	print "# TYPE unbound_memory_bytes gauge"
 	print "unbound_memory_bytes{type=\"mem.cache.rrset\"} " val["mem.cache.rrset"];
 	print "unbound_memory_bytes{type=\"mem.cache.message\"} " val["mem.cache.message"];
 	print "unbound_memory_bytes{type=\"mem.mod.iterator\"} " val["mem.mod.iterator"];
 	if(val["mem.mod.validator"] != "") {
 		print "unbound_memory_bytes{type=\"mem.mod.validator\"} " val["mem.mod.validator"];
 	}
 	if(val["mem.mod.respip"] != "") {
 		print "unbound_memory_bytes{type=\"mem.mod.respip\"} " val["mem.mod.respip"];
 	}
 	if(val["mem.mod.subnet"] != "") {
 		print "unbound_memory_bytes{type=\"mem.mod.subnet\"} " val["mem.mod.subnet"];
 	}
 	if(val["mem.mod.ipsecmod"] != "") {
 		print "unbound_memory_bytes{type=\"mem.mod.ipsecmod\"} " val["mem.mod.ipsecmod"];
 	}
 	if(val["mem.mod.dynlibmod"] != "") {
 		print "unbound_memory_bytes{type=\"mem.mod.dynlibmod\"} " val["mem.mod.dynlibmod"];
 	}
 	print "unbound_memory_bytes{type=\"msg.cache.count\"} " val["msg.cache.count"];
 	print "unbound_memory_bytes{type=\"rrset.cache.count\"} " val["rrset.cache.count"];
 	print "unbound_memory_bytes{type=\"infra.cache.count\"} " val["infra.cache.count"];
 	print "unbound_memory_bytes{type=\"key.cache.count\"} " val["key.cache.count"];
 	print ""
 	print "# HELP unbound_by_type_queries Unbound DNS queries by type"
 	print "# TYPE unbound_by_type_queries gauge"
 	for(x in val) {
 		if(x ~ /^num.query.type./) {
 			if(val[x] != "") {
 				split(x, a, ".");
 				print "unbound_by_type_queries{type=\"" a[4] "\"} " val[x];
 			}
 		}
 	}
 	print ""
 	print "# HELP unbound_by_class_queries Unbound DNS queries by class"
 	print "# TYPE unbound_by_class_queries gauge"
 	for(x in val) {
 		if(x ~ /^num.query.class./) {
 			if(val[x] != "") {
 				split(x, a, ".");
 				print "unbound_by_class_queries{class=\"" a[4] "\"} " val[x];
 			}
 		}
 	}
 	print ""
 	print "# HELP unbound_by_opcode_queries Unbound DNS queries by opcode"
 	print "# TYPE unbound_by_opcode_queries gauge"
 	for(x in val) {
 		if(x ~ /^num.query.opcode./) {
 			if(val[x] != "") {
 				split(x, a, ".");
 				print "unbound_by_opcode_queries{opcode=\"" a[4] "\"} " val[x];
 			}
 		}
 	}
 	print ""
 	print "# HELP unbound_by_rcode_queries Unbound DNS answers by rcode"
 	print "# TYPE unbound_by_rcode_queries gauge"
 	for(x in val) {
 		if(x ~ /^num.answer.rcode./) {
 			if(val[x] != "") {
 				split(x, a, ".");
 				print "unbound_by_rcode_queries{rcode=\"" a[4] "\"} " val[x];
 			}
 		}
 	}
 	print ""
 	print "# HELP unbound_by_flags_queries Unbound DNS queries by flags"
 	print "# TYPE unbound_by_flags_queries gauge"
 	for(x in val) {
 		if(x ~ /^num.query.flags./) {
 			if(val[x] != "") {
 				split(x, a, ".");
 				print "unbound_by_flags_queries{flag=\"" a[4] "\"} " val[x];
 			}
 		}
 	}
 	if(val["num.query.edns.present"] != "") {
 		print "unbound_by_flags_queries{flag=\"num.query.edns.present\"} " val["num.query.edns.present"];
 	}
 	if(val["num.query.edns.DO"] != "") {
 		print "unbound_by_flags_queries{flag=\"num.query.edns.DO\"} " val["num.query.edns.DO"];
 	}
 	print ""
 	print "# HELP unbound_histogram_seconds Unbound DNS histogram of reply time"
 	print "# TYPE unbound_histogram_seconds gauge"
 	print "unbound_histogram_seconds{bucket=\"000000.000000.to.000000.000001\"} " val["histogram.000000.000000.to.000000.000001"];
 	print "unbound_histogram_seconds{bucket=\"000000.000001.to.000000.000002\"} " val["histogram.000000.000001.to.000000.000002"];
 	print "unbound_histogram_seconds{bucket=\"000000.000002.to.000000.000004\"} " val["histogram.000000.000002.to.000000.000004"];
 	print "unbound_histogram_seconds{bucket=\"000000.000004.to.000000.000008\"} " val["histogram.000000.000004.to.000000.000008"];
 	print "unbound_histogram_seconds{bucket=\"000000.000008.to.000000.000016\"} " val["histogram.000000.000008.to.000000.000016"];
 	print "unbound_histogram_seconds{bucket=\"000000.000016.to.000000.000032\"} " val["histogram.000000.000016.to.000000.000032"];
 	print "unbound_histogram_seconds{bucket=\"000000.000032.to.000000.000064\"} " val["histogram.000000.000032.to.000000.000064"];
 	print "unbound_histogram_seconds{bucket=\"000000.000064.to.000000.000128\"} " val["histogram.000000.000064.to.000000.000128"];
 	print "unbound_histogram_seconds{bucket=\"000000.000128.to.000000.000256\"} " val["histogram.000000.000128.to.000000.000256"];
 	print "unbound_histogram_seconds{bucket=\"000000.000256.to.000000.000512\"} " val["histogram.000000.000256.to.000000.000512"];
 	print "unbound_histogram_seconds{bucket=\"000000.000512.to.000000.001024\"} " val["histogram.000000.000512.to.000000.001024"];
 	print "unbound_histogram_seconds{bucket=\"000000.001024.to.000000.002048\"} " val["histogram.000000.001024.to.000000.002048"];
 	print "unbound_histogram_seconds{bucket=\"000000.002048.to.000000.004096\"} " val["histogram.000000.002048.to.000000.004096"];
 	print "unbound_histogram_seconds{bucket=\"000000.004096.to.000000.008192\"} " val["histogram.000000.004096.to.000000.008192"];
 	print "unbound_histogram_seconds{bucket=\"000000.008192.to.000000.016384\"} " val["histogram.000000.008192.to.000000.016384"];
 	print "unbound_histogram_seconds{bucket=\"000000.016384.to.000000.032768\"} " val["histogram.000000.016384.to.000000.032768"];
 	print "unbound_histogram_seconds{bucket=\"000000.032768.to.000000.065536\"} " val["histogram.000000.032768.to.000000.065536"];
 	print "unbound_histogram_seconds{bucket=\"000000.065536.to.000000.131072\"} " val["histogram.000000.065536.to.000000.131072"];
 	print "unbound_histogram_seconds{bucket=\"000000.131072.to.000000.262144\"} " val["histogram.000000.131072.to.000000.262144"];
 	print "unbound_histogram_seconds{bucket=\"000000.262144.to.000000.524288\"} " val["histogram.000000.262144.to.000000.524288"];
 	print "unbound_histogram_seconds{bucket=\"000000.524288.to.000001.000000\"} " val["histogram.000000.524288.to.000001.000000"];
 	print "unbound_histogram_seconds{bucket=\"000001.000000.to.000002.000000\"} " val["histogram.000001.000000.to.000002.000000"];
 	print "unbound_histogram_seconds{bucket=\"000002.000000.to.000004.000000\"} " val["histogram.000002.000000.to.000004.000000"];
 	print "unbound_histogram_seconds{bucket=\"000004.000000.to.000008.000000\"} " val["histogram.000004.000000.to.000008.000000"];
 	print "unbound_histogram_seconds{bucket=\"000008.000000.to.000016.000000\"} " val["histogram.000008.000000.to.000016.000000"];
 	print "unbound_histogram_seconds{bucket=\"000016.000000.to.000032.000000\"} " val["histogram.000016.000000.to.000032.000000"];
 	print "unbound_histogram_seconds{bucket=\"000032.000000.to.000064.000000\"} " val["histogram.000032.000000.to.000064.000000"];
 	print "unbound_histogram_seconds{bucket=\"000064.000000.to.000128.000000\"} " val["histogram.000064.000000.to.000128.000000"];
 	print "unbound_histogram_seconds{bucket=\"000128.000000.to.000256.000000\"} " val["histogram.000128.000000.to.000256.000000"];
 	print "unbound_histogram_seconds{bucket=\"000256.000000.to.000512.000000\"} " val["histogram.000256.000000.to.000512.000000"];
 	print "unbound_histogram_seconds{bucket=\"000512.000000.to.001024.000000\"} " val["histogram.000512.000000.to.001024.000000"];
 	print "unbound_histogram_seconds{bucket=\"001024.000000.to.002048.000000\"} " val["histogram.001024.000000.to.002048.000000"];
 	print "unbound_histogram_seconds{bucket=\"002048.000000.to.004096.000000\"} " val["histogram.002048.000000.to.004096.000000"];
 	print "unbound_histogram_seconds{bucket=\"004096.000000.to.008192.000000\"} " val["histogram.004096.000000.to.008192.000000"];
 	print "unbound_histogram_seconds{bucket=\"008192.000000.to.016384.000000\"} " val["histogram.008192.000000.to.016384.000000"];
 	print "unbound_histogram_seconds{bucket=\"016384.000000.to.032768.000000\"} " val["histogram.016384.000000.to.032768.000000"];
 	print "unbound_histogram_seconds{bucket=\"032768.000000.to.065536.000000\"} " val["histogram.032768.000000.to.065536.000000"];
 	print "unbound_histogram_seconds{bucket=\"065536.000000.to.131072.000000\"} " val["histogram.065536.000000.to.131072.000000"];
 	print "unbound_histogram_seconds{bucket=\"131072.000000.to.262144.000000\"} " val["histogram.131072.000000.to.262144.000000"];
 	print "unbound_histogram_seconds{bucket=\"262144.000000.to.524288.000000\"} " val["histogram.262144.000000.to.524288.000000"];
 	print ""
 }
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@ -66,7 +66,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@ -38,7 +38,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@ -291,7 +291,7 @@ daemon_init(void)
 		free(daemon);
 		return NULL;
 	}
-	if(!(daemon->env->edns_tags = edns_tags_create())) {
+	if(!(daemon->env->edns_strings = edns_strings_create())) {
 		auth_zones_delete(daemon->env->auth_zones);
 		acl_list_delete(daemon->acl);
 		tcl_list_delete(daemon->tcl);
@ -641,9 +641,9 @@ daemon_fork(struct daemon* daemon)
 		&daemon->use_rpz, daemon->env, &daemon->mods))
 		fatal_exit("auth_zones could not be setup");
-	/* Set-up EDNS tags */
+	/* Set-up EDNS strings */
-	if(!edns_tags_apply_cfg(daemon->env->edns_tags, daemon->cfg))
+	if(!edns_strings_apply_cfg(daemon->env->edns_strings, daemon->cfg))
-		fatal_exit("Could not set up EDNS tags");
+		fatal_exit("Could not set up EDNS strings");
 	/* response-ip-xxx options don't work as expected without the respip
 	 * module.  To avoid run-time operational surprise we reject such
@ -773,7 +773,7 @@ daemon_delete(struct daemon* daemon)
 		rrset_cache_delete(daemon->env->rrset_cache);
 		infra_delete(daemon->env->infra_cache);
 		edns_known_options_delete(daemon->env);
-		edns_tags_delete(daemon->env->edns_tags);
+		edns_strings_delete(daemon->env->edns_strings);
 		auth_zones_delete(daemon->env->auth_zones);
 	}
 	ub_randfree(daemon->rand);
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -2906,6 +2906,57 @@ do_ip_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
 	slabhash_traverse(a.infra->client_ip_rates, 0, ip_rate_list, &a);
 }
 /** do the rpz_enable/disable command */
 static void
 do_rpz_enable_disable(RES* ssl, struct worker* worker, char* arg, int enable) {
    size_t nmlen;
    int nmlabs;
    uint8_t *nm = NULL;
    struct auth_zones *az = worker->env.auth_zones;
    struct auth_zone *z = NULL;
    if (!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
        return;
    if (az) {
        lock_rw_rdlock(&az->lock);
        z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN);
        if (z) {
            lock_rw_wrlock(&z->lock);
        }
        lock_rw_unlock(&az->lock);
    }
    free(nm);
    if (!z) {
        (void) ssl_printf(ssl, "error no auth-zone %s\n", arg);
        return;
    }
    if (!z->rpz) {
        (void) ssl_printf(ssl, "error auth-zone %s not RPZ\n", arg);
        lock_rw_unlock(&z->lock);
        return;
    }
    if (enable) {
        rpz_enable(z->rpz);
    } else {
        rpz_disable(z->rpz);
    }
    lock_rw_unlock(&z->lock);
    send_ok(ssl);
 }
 /** do the rpz_enable command */
 static void
 do_rpz_enable(RES* ssl, struct worker* worker, char* arg)
 {
    do_rpz_enable_disable(ssl, worker, arg, 1);
 }
 /** do the rpz_disable command */
 static void
 do_rpz_disable(RES* ssl, struct worker* worker, char* arg)
 {
    do_rpz_enable_disable(ssl, worker, arg, 0);
 }
 /** tell other processes to execute the command */
 static void
 distribute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd)
@ -3106,6 +3157,10 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd,
 		do_flush_bogus(ssl, worker);
 	} else if(cmdcmp(p, "flush_negative", 14)) {
 		do_flush_negative(ssl, worker);
    } else if(cmdcmp(p, "rpz_enable", 10)) {
        do_rpz_enable(ssl, worker, skipwhite(p+10));
    } else if(cmdcmp(p, "rpz_disable", 11)) {
        do_rpz_disable(ssl, worker, skipwhite(p+11));
 	} else {
 		(void)ssl_printf(ssl, "error unknown command '%s'\n", p);
 	}
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@ -337,22 +337,44 @@ readpid (const char* file)
 /** write pid to file. 
 * @param pidfile: file name of pid file.
 * @param pid: pid to write to file.
 * @return false on failure
 */
-static void
+static int
 writepid (const char* pidfile, pid_t pid)
 {
-	FILE* f;
+	int fd;
 	char pidbuf[32];
 	size_t count = 0;
 	snprintf(pidbuf, sizeof(pidbuf), "%lu\n", (unsigned long)pid);
-	if ((f = fopen(pidfile, "w")) ==  NULL ) {
+	if((fd = open(pidfile, O_WRONLY | O_CREAT | O_TRUNC
 #ifdef O_NOFOLLOW
 		| O_NOFOLLOW
 #endif
 		, 0644)) == -1) {
 		log_err("cannot open pidfile %s: %s", 
 			pidfile, strerror(errno));
-		return;
+		return 0;
 	}
-	if(fprintf(f, "%lu\n", (unsigned long)pid) < 0) {
+	while(count < strlen(pidbuf)) {
-		log_err("cannot write to pidfile %s: %s", 
+		ssize_t r = write(fd, pidbuf+count, strlen(pidbuf)-count);
-			pidfile, strerror(errno));
+		if(r == -1) {
 			if(errno == EAGAIN || errno == EINTR)
 				continue;
 			log_err("cannot write to pidfile %s: %s",
 				pidfile, strerror(errno));
 			close(fd);
 			return 0;
 		} else if(r == 0) {
 			log_err("cannot write any bytes to pidfile %s: "
 				"write returns 0 bytes written", pidfile);
 			close(fd);
 			return 0;
 		}
 		count += r;
 	}
-	fclose(f);
+	close(fd);
 	return 1;
 }
 /**
@ -506,16 +528,17 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 	/* write new pidfile (while still root, so can be outside chroot) */
 #ifdef HAVE_KILL
 	if(cfg->pidfile && cfg->pidfile[0] && need_pidfile) {
-		writepid(daemon->pidfile, getpid());
+		if(writepid(daemon->pidfile, getpid())) {
-		if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
+			if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
-			pidinchroot) {
+				pidinchroot) {
 #  ifdef HAVE_CHOWN
-			if(chown(daemon->pidfile, cfg_uid, cfg_gid) == -1) {
+				if(chown(daemon->pidfile, cfg_uid, cfg_gid) == -1) {
-				verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
+					verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
-					(unsigned)cfg_uid, (unsigned)cfg_gid,
+						(unsigned)cfg_uid, (unsigned)cfg_gid,
-					daemon->pidfile, strerror(errno));
+						daemon->pidfile, strerror(errno));
-			}
+				}
 #  endif /* HAVE_CHOWN */
 			}
 		}
 	}
 #else
--- a/daemon/worker.c
+++ b/daemon/worker.c
@ -513,7 +513,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 			edns->ext_rcode = 0;
 			edns->bits &= EDNS_DO;
 			if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL,
-				msg->rep, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad))
+				msg->rep, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 				worker->env.now_tv))
 					return 0;
 			error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
 				&msg->qinfo, id, flags, edns);
@ -544,7 +545,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 	edns->ext_rcode = 0;
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_cache_call(&worker->env, qinfo, NULL, msg->rep,
-		(int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad))
+		(int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad,
 		worker->env.now_tv))
 			return 0;
 	msg->rep->flags |= BIT_QR|BIT_RA;
 	if(!apply_edns_options(edns, &edns_bak, worker->env.cfg,
@ -553,7 +555,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 		repinfo->c->buffer, 0, 1, worker->scratchpad,
 		udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL,
-			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad))
+			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 			worker->env.now_tv))
 				edns->opt_list = NULL;
 		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
 			&msg->qinfo, id, flags, edns);
@ -576,7 +579,7 @@ apply_respip_action(struct worker* worker, const struct query_info* qinfo,
 	struct comm_reply* repinfo, struct ub_packed_rrset_key** alias_rrset,
 	struct reply_info** encode_repp, struct auth_zones* az)
 {
-	struct respip_action_info actinfo = {0};
+	struct respip_action_info actinfo = {0, 0, 0, 0, NULL, 0, NULL};
 	actinfo.action = respip_none;
 	if(qinfo->qtype != LDNS_RR_TYPE_A &&
@ -684,7 +687,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 		edns->ext_rcode = 0;
 		edns->bits &= EDNS_DO;
 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
-			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad))
+			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 			worker->env.now_tv))
 			goto bail_out;
 		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
 			qinfo, id, flags, edns);
@ -718,7 +722,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 	edns->ext_rcode = 0;
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_cache_call(&worker->env, qinfo, NULL, rep,
-		(int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad))
+		(int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad,
 		worker->env.now_tv))
 		goto bail_out;
 	*alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */
 	if((worker->daemon->use_response_ip || worker->daemon->use_rpz) &&
@ -754,7 +759,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 		repinfo->c->buffer, timenow, 1, worker->scratchpad,
 		udpsize, edns, (int)(edns->bits & EDNS_DO), *is_secure_answer)) {
 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL,
-			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad))
+			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 			worker->env.now_tv))
 				edns->opt_list = NULL;
 		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
 			qinfo, id, flags, edns);
@ -842,7 +848,8 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns,
 	edns->udp_size = EDNS_ADVERTISED_SIZE;
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL,
-		LDNS_RCODE_NOERROR, edns, repinfo, worker->scratchpad))
+		LDNS_RCODE_NOERROR, edns, repinfo, worker->scratchpad,
 		worker->env.now_tv))
 			edns->opt_list = NULL;
 	if(sldns_buffer_capacity(pkt) >=
 		sldns_buffer_limit(pkt)+calc_edns_field_size(edns))
@ -1282,6 +1289,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			edns.udp_size = EDNS_ADVERTISED_SIZE;
 			edns.bits &= EDNS_DO;
 			edns.opt_list = NULL;
 			edns.padding_block_size = 0;
 			verbose(VERB_ALGO, "query with bad edns version.");
 			log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
 			error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,
@ -1807,7 +1815,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
 		&worker_alloc_cleanup, worker,
 		cfg->do_udp || cfg->udp_upstream_without_downstream,
 		worker->daemon->connect_sslctx, cfg->delay_close,
-		cfg->tls_use_sni, dtenv);
+		cfg->tls_use_sni, dtenv, cfg->udp_connect);
 	if(!worker->back) {
 		log_err("could not create outgoing sockets");
 		worker_delete(worker);
--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@ -198,14 +198,17 @@ uitoa(unsigned n, char* s)
 static uint32_t
 extract_ipv4(const uint8_t ipv6[], size_t ipv6_len, const int offset)
 {
-    uint32_t ipv4;
+    uint32_t ipv4 = 0;
    int i, pos;
    log_assert(ipv6_len == 16); (void)ipv6_len;
-    ipv4 = (uint32_t)ipv6[offset/8+0] << (24 + (offset%8))
+    log_assert(offset == 32 || offset == 40 || offset == 48 || offset == 56 ||
-         | (uint32_t)ipv6[offset/8+1] << (16 + (offset%8))
+        offset == 64 || offset == 96);
-         | (uint32_t)ipv6[offset/8+2] << ( 8 + (offset%8))
+    for(i = 0, pos = offset / 8; i < 4; i++, pos++) {
-         | (uint32_t)ipv6[offset/8+3] << ( 0 + (offset%8));
+        if (pos == 8)
-    if (offset/8+4 < 16)
+            pos++;
-        ipv4 |= (uint32_t)ipv6[offset/8+4] >> (8 - offset%8);
+        ipv4 = ipv4 << 8;
        ipv4 |= ipv6[pos];
    }
    return ipv4;
 }
@ -296,18 +299,18 @@ synthesize_aaaa(const uint8_t prefix_addr[], size_t prefix_addr_len,
 	int prefix_net, const uint8_t a[], size_t a_len, uint8_t aaaa[],
 	size_t aaaa_len)
 {
    size_t i;
    int pos;
    log_assert(prefix_addr_len == 16 && a_len == 4 && aaaa_len == 16);
    log_assert(prefix_net == 32 || prefix_net == 40 || prefix_net == 48 ||
        prefix_net == 56 || prefix_net == 64 || prefix_net == 96);
    (void)prefix_addr_len; (void)a_len; (void)aaaa_len;
    memcpy(aaaa, prefix_addr, 16);
-    aaaa[prefix_net/8+0] |= a[0] >> (0+prefix_net%8);
+    for(i = 0, pos = prefix_net / 8; i < a_len; i++, pos++) {
-    aaaa[prefix_net/8+1] |= a[0] << (8-prefix_net%8);
+        if(pos == 8)
-    aaaa[prefix_net/8+1] |= a[1] >> (0+prefix_net%8);
+            aaaa[pos++] = 0;
-    aaaa[prefix_net/8+2] |= a[1] << (8-prefix_net%8);
+        aaaa[pos] = a[i];
-    aaaa[prefix_net/8+2] |= a[2] >> (0+prefix_net%8);
+    }
    aaaa[prefix_net/8+3] |= a[2] << (8-prefix_net%8);
    aaaa[prefix_net/8+3] |= a[3] >> (0+prefix_net%8);
    if (prefix_net/8+4 < 16)  /* <-- my beautiful symmetry is destroyed! */
    aaaa[prefix_net/8+4] |= a[3] << (8-prefix_net%8);
 }
@ -374,8 +377,10 @@ dns64_apply_cfg(struct dns64_env* dns64_env, struct config_file* cfg)
        log_err("dns64_prefix is not IPv6: %s", cfg->dns64_prefix);
        return 0;
    }
-    if (dns64_env->prefix_net < 0 || dns64_env->prefix_net > 96) {
+    if (dns64_env->prefix_net != 32 && dns64_env->prefix_net != 40 &&
-        log_err("dns64-prefix length it not between 0 and 96: %s",
+            dns64_env->prefix_net != 48 && dns64_env->prefix_net != 56 &&
            dns64_env->prefix_net != 64 && dns64_env->prefix_net != 96 ) {
        log_err("dns64-prefix length it not 32, 40, 48, 56, 64 or 96: %s",
                cfg->dns64_prefix);
        return 0;
    }
@ -722,7 +727,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
 		*dd_out = NULL;
 		return; /* integer overflow protection in alloc */
 	}
-	if (!(dd = *dd_out = regional_alloc(region,
+	if (!(dd = *dd_out = regional_alloc_zero(region,
 		  sizeof(struct packed_rrset_data)
 		  + fd->count * (sizeof(size_t) + sizeof(time_t) +
 			     sizeof(uint8_t*) + 2 + 16)))) {
--- a/dnscrypt/dnscrypt.m4
+++ b/dnscrypt/dnscrypt.m4
@ -11,7 +11,7 @@ AC_DEFUN([dnsc_DNSCRYPT],
    [opt_dnscrypt=$enableval], [opt_dnscrypt=no])
  if test "x$opt_dnscrypt" != "xno"; then
-    AC_ARG_WITH([libsodium], AC_HELP_STRING([--with-libsodium=path],
+    AC_ARG_WITH([libsodium], AS_HELP_STRING([--with-libsodium=path],
    	[Path where libsodium is installed, for dnscrypt]), [
 	CFLAGS="$CFLAGS -I$withval/include"
 	LDFLAGS="$LDFLAGS -L$withval/lib"
--- a/dnstap/dnstap.m4
+++ b/dnstap/dnstap.m4
@ -20,7 +20,7 @@ AC_DEFUN([dt_DNSTAP],
    if test -z "$PROTOC_C"; then
      AC_MSG_ERROR([The protoc-c program was not found. Please install protobuf-c!])
    fi
-    AC_ARG_WITH([protobuf-c], AC_HELP_STRING([--with-protobuf-c=path],
+    AC_ARG_WITH([protobuf-c], AS_HELP_STRING([--with-protobuf-c=path],
    	[Path where protobuf-c is installed, for dnstap]), [
 	  # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
 	  if test -f $withval/include/google/protobuf-c/protobuf-c.h; then
--- a/dnstap/unbound-dnstap-socket.c
+++ b/dnstap/unbound-dnstap-socket.c
@ -727,7 +727,7 @@ static ssize_t tap_receive(struct tap_data* data, void* buf, size_t len)
 }
 /** delete the tap structure */
-void tap_data_free(struct tap_data* data)
+static void tap_data_free(struct tap_data* data)
 {
 	ub_event_del(data->ev);
 	ub_event_free(data->ev);
@ -1166,7 +1166,8 @@ int sig_quit = 0;
 /** signal handler for user quit */
 static RETSIGTYPE main_sigh(int sig)
 {
-	verbose(VERB_ALGO, "exit on signal %d\n", sig);
+	if(!sig_quit)
 		fprintf(stderr, "exit on signal %d\n", sig);
 	if(sig_base) {
 		ub_event_base_loopexit(sig_base);
 		sig_base = NULL;
@ -1354,6 +1355,10 @@ int main(int argc, char** argv)
 struct tube;
 struct query_info;
 #include "util/data/packed_rrset.h"
 #include "daemon/worker.h"
 #include "daemon/remote.h"
 #include "util/fptr_wlist.h"
 #include "libunbound/context.h"
 void worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
 	uint8_t* ATTR_UNUSED(buffer), size_t ATTR_UNUSED(len),
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,5 +1,207 @@
 4 February 2021: Wouter
 	- release 1.13.1rc2 tag on branch-1.13.1 with added changes of 2 feb.
 2 February 2021: Wouter
 	- branch-1.13.1 is created, with release-1.13.1rc1 tag.
 	- Fix dynlibmod link on rhel8 for -ldl inclusion.
 	- Fix windows dependency on libssp.dll because of default stack
 	  protector in mingw.
 	- Fix indentation of root anchor for use by windows install script.
 1 February 2021: George
 	- Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
 29 January 2021: Wouter
 	- Fix for doxygen 1.8.20 compatibility.
 28 January 2021: Wouter
 	- Annotate that we ignore the return value of if_indextoname.
 	- Fix to use correct type for label count in rpz routine.
 	- Fix empty clause warning in config_file nsid parse.
 	- Fix to use correct type for label count in ipdnametoaddr rpz routine.
 	- Fix empty clause warning in edns pass for padding.
 	- Fix fwd ancil test post script when not supported.
 26 January 2021: George
 	- Merge PR #408 from fobser: Prevent a few more yacc clashes.
 	- Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
 	  original instead of a decrementing TTL ('serve-original-ttl')
 	- Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
 	  static data.
 	- Ignore cache blacklisting when trying to reply with expired data from
 	  cache (#394).
 26 January 2021: Wouter
 	- Fix compile of unbound-dnstap-socket without dnstap installed.
 22 January 2021: Willem
 	- Padding of queries and responses with DNS over TLS as specified in
 	  RFC7830 and RFC8467.
 22 January 2021: George
 	- Fix TTL of SOA record for negative answers (localzone and
 	  authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
 19 January 2021: Willem
 	- Support for RFC5001: DNS Name Server Identifier (NSID) Option
 	  with the nsid: option in unbound.conf
 18 January 2021: Wouter
 	- Fix #404: DNS query with small edns bufsize fail.
 	- Fix declaration before statement and signed comparison warning in
 	  dns64.
 15 January 2021: Wouter
 	- Merge #402 from fobser: Implement IPv4-Embedded addresses according
 	  to RFC6052.
 14 January 2021: Wouter
 	- Fix for #93: dynlibmodule import library is named libunbound.dll.a.
 13 January 2021: Wouter
 	- Merge #399 from xiangbao227: The lock of lruhash table should
 	  unlocked after markdel entry.
 	- Fix for #93: dynlibmodule link fix for Windows.
 12 January 2021: Wouter
 	- Fix #397: [Feature request] add new type always_null to local-zone
 	  similar to always_nxdomain.
 	- Fix so local zone types always_nodata and always_deny can be used
 	  from the config file.
 8 January 2021: Wouter
 	- Merge PR #391 from fhriley: Add start_time to reply callbacks so
 	  modules can compute the response time.
 	- For #391: use struct timeval* start_time for callback information.
 	- For #391: fix indentation.
 	- For #391: more double casts in python start time calculation.
 	- Add comment documentation.
 	- Fix clang analysis warning.
 6 January 2021: Wouter
 	- Fix #379: zone loading over HTTP appears to have buffer issues.
 	- Merge PR #395 from mptre: add missing null check.
 	- Fix #387: client-subnet-always-forward seems to effectively bypass
 	  any caching?
 5 January 2021: Wouter
 	- Fix #385: autoconf 2.70 impacts unbound build
 	- Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
 	  to unbound-control.
 4 January 2021: Wouter
 	- For #376: Fix that comm point event is not double removed or double
 	  added to event map.
 	- iana portlist updated.
 16 December 2020: George
 	- Fix error cases when udp-connect is set and send() returns an error
 	  (modified patch from Xin Li @delphij).
 11 December 2020: Wouter
 	- Fix #371: unbound-control timeout when Unbound is not running.
 	- Fix to squelch permission denied and other errors from remote host,
 	  they are logged at higher verbosity but not on low verbosity.
 	- Merge PR #335 from fobser: Sprinkle in some static to prevent
 	  missing prototype warnings.
 	- Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
 	  is a GNU extension.
 	- Fix missing prototypes in the code.
 3 December 2020: Wouter
 	- make depend.
 	- iana portlist updated.
 2 December 2020: Wouter
 	- Fix #360: for the additionally reported TCP Fast Open makes TCP
 	  connections fail, in that case we print a hint that this is
 	  happening with the error in the logs.
 	- Fix #356: deadlock when listening tcp.
 	- Fix unbound-dnstap-socket to not use log routine from interrupt
 	  handler and not print so frequently when invoked in sequence.
 	- Fix on windows to ignore connection failure on UDP, unless verbose.
 	- Fix for #283: fix stream reuse and tcp fast open.
 	- Fix update, with write event check with streamreuse and fastopen.
 1 December 2020: Wouter
 	- Fix #358: Squelch udp connect 'no route to host' errors on low
 	  verbosity.
 30 November 2020: Wouter
 	- Fix assertion failure on double callback when iterator loses
 	  interest in query at head of line that then has the tcp stream
 	  not kept for reuse.
 	- tag for the 1.13.0rc4 release.  This also became the 1.13.0
 	  release version on 3 dec 2020 with the streamreuse and fastopen
 	  fix from 2 dec 2020.  The code repo continues for 1.13.1 in
 	  development.
 27 November 2020: Wouter
 	- Fix compile warning for type cast in http2_submit_dns_response.
 	- Fix when use free buffer to initialize rbtree for stream reuse.
 	- Fix compile warnings for windows.
 	- Fix compile warnings in rpz initialization.
 	- Fix contrib/metrics.awk for FreeBSD awk compatibility.
 	- tag for the 1.13.0rc3 release.
 26 November 2020: Wouter
 	- Fix to omit UDP receive errors from log, if verbosity low.
 	  These happen because of udp-connect.
 	- For #352: contrib/metrics.awk for Prometheus style metrics output.
 	- Fix that after failed read, the readagain cannot activate.
 	- Clear readagain upon decommission of pending tcp structure.
 25 November 2020: Wouter
 	- with udp-connect ignore connection refused with UDP timeouts.
 	- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
 	- Better fix for reuse tree comparison for is-tls sockets.  Where
 	  the tree key identity is preserved after cleanup of the TLS state.
 	- Remove debug commands from reuse tests.
 	- Fix memory leak for edns client tag opcode config element.
 	- Attempt fix for libevent state in tcp reuse cases after a packet
 	  is written.
 	- Fix readagain and writeagain callback functions for comm point
 	  cleanup.
 	- tag for the 1.13.0rc2 release.
 24 November 2020: Wouter
 	- Merge PR #283 : Stream reuse.  This implements upstream stream
 	  reuse for performing several queries over the same TCP or TLS
 	  channel.
 	- set version of main branch to 1.13.0 for upcoming release.
 	- iana portlist updated.
 	- Fix one port unit test for udp-connect.
 	- tag for the 1.13.0rc1 release.
 	- Fix crash when TLS connection is closed prematurely, when
 	  reuse tree comparison is not properly identical to insertion.
 	- Fix padding of struct regional for 32bit systems.
 23 November 2020: George
 	- Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
 	  edns-client-string option.
 23 November 2020: Wouter
 	- Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
 	  address families.
 	- Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
 	  failed to list interfaces: getifaddrs: Address family not
 	  supported by protocol.
 	- Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
 	- Option to toggle udp-connect, default is enabled.
 	- Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
 	  with chown of pidfile.
 	- Further fix for it and retvalue 0 fix for it.
 12 November 2020: Wouter
 	- Fix to connect() to UDP destinations, default turned on,
 	  this lowers vulnerability to ICMP side channels.
 	- Retry for interfaces with unused ports if possible.
 10 November 2020: Wouter
 	- Fix #341: fixing a possible memory leak.
 	- Fix memory leak after fix for possible memory leak failure.
 	- Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
 	  undeclared.
 27 October 2020: Wouter
 	- In man page note that tls-cert-bundle is read before permission
--- a/doc/FEATURES
+++ b/doc/FEATURES
@ -39,6 +39,7 @@ RFC 4343: case insensitive handling of domain names.
 RFC 4509: SHA256 DS hash.
 RFC 4592: wildcards.
 RFC 4697: No DNS Resolution Misbehavior.
 RFC 5001: DNS Name Server Identifier (NSID) Option
 RFC 5011: update of trust anchors with timers.
 RFC 5155: NSEC3, NSEC3PARAM types
 RFC 5358: reflectors-are-evil: access control list for recursive
--- a/doc/TODO
+++ b/doc/TODO
@ -14,7 +14,6 @@ o (option) store primed key data in a overlaid keyhints file (sort of like draft
 o windows version, auto update feature, a query to check for the version.
 o command the server with TSIG inband. get-config, clearcache, 
 	get stats, get memstats, get ..., reload, clear one zone from cache
 o NSID rfc 5001 support.
 o timers rfc 5011 support.
 o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator.
 o make timeout backoffs randomized (a couple percent random) to spread traffic.
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -161,6 +161,9 @@ server:
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 	# perform connect for UDP sockets to mitigate ICMP side channel.
 	# udp-connect: yes
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376
@ -374,6 +377,9 @@ server:
 	# the version to report. Leave "" or default to return package version.
 	# version: ""
 	# NSID identity (hex string, or "ascii_somestring"). default disabled.
 	# nsid: "aabbccdd"
 	# the target fetch policy.
 	# series of integers describing the policy per dependency depth.
 	# The number of values in the list determines the maximum dependency
@ -385,7 +391,7 @@ server:
 	# target-fetch-policy: "3 2 1 0 0"
 	# Harden against very small EDNS buffer sizes.
-	# harden-short-bufsize: no
+	# harden-short-bufsize: yes
 	# Harden against unseemly large queries.
 	# harden-large-queries: no
@ -592,6 +598,13 @@ server:
 	# A recommended value is 1800.
 	# serve-expired-client-timeout: 0
 	# Return the original TTL as received from the upstream name server rather
 	# than the decrementing TTL as stored in the cache.  Enabling this feature
 	# does not impact cache expiry, it only changes the TTL unbound embeds in
 	# responses to queries. Note that enabling this feature implicitly disables
 	# enforcement of the configured minimum and maximum TTL.
 	# serve-original-ttl: no
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
 	# val-log-level: 0
@ -704,8 +717,10 @@ server:
 	# o inform acts like transparent, but logs client IP address
 	# o inform_deny drops queries and logs client IP address
 	# o inform_redirect redirects queries and logs client IP address
-	# o always_transparent, always_refuse, always_nxdomain, resolve in
+	# o always_transparent, always_refuse, always_nxdomain, always_nodata,
-	#   that way but ignore local data for that name
+	#   always_deny resolve in that way but ignore local data for
 	#   that name
 	# o always_null returns 0.0.0.0 or ::0 for any name in the zone.
 	# o noview breaks out of that view towards global local-zones.
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
@ -753,6 +768,12 @@ server:
 	# cipher setting for TLSv1.3
 	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
 	# Pad responses to padded queries received over TLS
 	# pad-responses: yes
 	# Padded responses will be padded to the closest multiple of this size.
 	# pad-responses-block-size: 468
 	# Use the SNI extension for TLS connections.  Default is yes.
 	# Changing the value requires a reload.
 	# tls-use-sni: yes
@ -775,6 +796,12 @@ server:
 	# Add system certs to the cert bundle, from the Windows Cert Store
 	# tls-win-cert: no
 	# Pad queries over TLS upstreams
 	# pad-queries: yes
 	# Padded queries will be padded to the closest multiple of this size.
 	# pad-queries-block-size: 128
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
 	# tls-additional-port: portno for each of the port numbers.
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@ -305,6 +305,12 @@ Transfer the auth zone from master.  The auth zone probe sequence is started,
 where the masters are probed to see if they have an updated zone (with the SOA
 serial check).  And then the zone is transferred for a newer zone version.
 .TP
 .B rpz_enable \fIzone\fR
 Enable the RPZ zone if it had previously been disabled.
 .TP
 .B rpz_enable \fIzone\fR
 Disable the RPZ zone.
 .TP
 .B view_list_local_zones \fIview\fR
 \fIlist_local_zones\fR for given view.
 .TP
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -274,6 +274,10 @@ eg. 1500 msec.  When timeouts happen you need extra sockets, it checks
 the ID and remote IP of packets, and unwanted packets are added to the
 unwanted packet counter.
 .TP
 .B udp\-connect: \fI<yes or no>
 Perform connect for UDP sockets that mitigates ICMP side channel leakage.
 Default is yes.
 .TP
 .B unknown\-server\-time\-limit: \fI<msec>
 The wait time in msec for waiting for an unknown server to reply.
 Increase this if you are behind a slow satellite link, to eg. 1128.
@ -560,6 +564,25 @@ and that is the default.
 Set the list of ciphersuites to allow when serving TLS.  This is for newer
 TLS 1.3 connections.  Use "" for defaults, and that is the default.
 .TP
 .B pad\-responses: \fI<yes or no>
 If enabled, TLS serviced queries that contained an EDNS Padding option will
 cause responses padded to the closest multiple of the size specified in
 \fBpad\-responses\-block\-size\fR.
 Default is yes.
 .TP
 .B pad\-responses\-block\-size: \fI<number>
 The block size with which to pad responses serviced over TLS. Only responses
 to padded queries will be padded.
 Default is 468.
 .TP
 .B pad\-queries: \fI<yes or no>
 If enabled, all queries sent over TLS upstreams will be padded to the closest
 multiple of the size specified in \fBpad\-queries\-block\-size\fR.
 Default is yes.
 .TP
 .B pad\-queries\-block\-size: \fI<number>
 The block size with which to pad queries sent over TLS upstreams.
 Default is 128.
 .B tls\-use\-sni: \fI<yes or no>
 Enable or disable sending the SNI extension on TLS connections.
 Default is yes.
@ -815,6 +838,11 @@ If enabled version.server and version.bind queries are refused.
 Set the version to report. If set to "", the default, then the package
 version is returned.
 .TP
 .B nsid:\fR <string>
 Add the specified nsid to the EDNS section of the answer when queried
 with an NSID EDNS enabled packet.  As a sequence of hex characters or
 with ascii_ prefix and then an ascii string.
 .TP
 .B hide\-trustanchor: \fI<yes or no>
 If enabled trustanchor.unbound queries are refused.
 .TP
@ -835,9 +863,8 @@ closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
 rumoured to be closer to that of BIND 8.
 .TP
 .B harden\-short\-bufsize: \fI<yes or no>
-Very small EDNS buffer sizes from queries are ignored. Default is off, since
+Very small EDNS buffer sizes from queries are ignored. Default is on, as
-it is legal protocol wise to send these, and unbound tries to give very
+described in the standard.
 small answers to these queries, where possible.
 .TP
 .B harden\-large\-queries: \fI<yes or no>
 Very large queries are ignored. Default is off, since it is legal protocol
@ -1159,6 +1186,19 @@ responding with expired data.  A recommended value per
 RFC 8767 is 1800.  Setting this to 0 will disable this
 behavior.  Default is 0.
 .TP
 .B serve\-original\-ttl: \fI<yes or no>
 If enabled, unbound will always return the original TTL as received from
 the upstream name server rather than the decrementing TTL as
 stored in the cache.  This feature may be useful if unbound serves as a 
 front-end to a hidden authoritative name server. Enabling this feature does 
 not impact cache expiry, it only changes the TTL unbound embeds in responses to 
 queries. Note that enabling this feature implicitly disables enforcement of
 the configured minimum and maximum TTL, as it is assumed users who enable this 
 feature do not want unbound to change the TTL obtained from an upstream server. 
 Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
 ignored.
 Default is "no".
 .TP
 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
 List of keysize and iteration count values, separated by spaces, surrounded
 by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
@ -1233,7 +1273,7 @@ address space are not validated.  This is usually required whenever
 Configure a local zone. The type determines the answer to give if
 there is no match from local\-data. The types are deny, refuse, static,
 transparent, redirect, nodefault, typetransparent, inform, inform_deny,
-inform_redirect, always_transparent, always_refuse, always_nxdomain, noview,
+inform_redirect, always_transparent, always_refuse, always_nxdomain, always_null, noview,
 and are explained below. After that the default settings are listed. Use
 local\-data: to enter data into the local zone. Answers for local zones
 are authoritative DNS answers. By default the zones are class IN.
@ -1307,6 +1347,17 @@ Like refuse, but ignores local data and refuses the query.
 \h'5'\fIalways_nxdomain\fR
 Like static, but ignores local data and returns nxdomain for the query.
 .TP 10
 \h'5'\fIalways_nodata\fR
 Like static, but ignores local data and returns nodata for the query.
 .TP 10
 \h'5'\fIalways_deny\fR
 Like deny, but ignores local data and drops the query.
 .TP 10
 \h'5'\fIalways_null\fR
 Always returns 0.0.0.0 or ::0 for every name in the zone.  Like redirect
 with zero data for A and AAAA.  Ignores local data in the zone.  Used for
 some block lists.
 .TP 10
 \h'5'\fInoview\fR
 Breaks out of that view and moves towards the global local zones for answer
 to the query.  If the view first is no, it'll resolve normally.  If view first
@ -1552,15 +1603,15 @@ Set the number of servers that should be used for fast server selection. Only
 use the fastest specified number of servers with the fast\-server\-permil
 option, that turns this on or off. The default is to use the fastest 3 servers.
 .TP 5
-.B edns\-client\-tag: \fI<IP netblock> <tag data>
+.B edns\-client\-string: \fI<IP netblock> <string>
-Include an edns-client-tag option in queries with destination address matching
+Include an EDNS0 option containing configured ascii string in queries with
-the configured IP netblock. This configuration option can be used multiple
+destination address matching the configured IP netblock.  This configuration
-times. The most specific match will be used. The tag data is configured in
+option can be used multiple times. The most specific match will be used.
 decimal format, from 0 to 65535.
 .TP 5
-.B edns\-client\-tag\-opcode: \fI<opcode>
+.B edns\-client\-string\-opcode: \fI<opcode>
-EDNS0 option code for the edns-client-tag option, from 0 to 65535. Default is
+EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
-16, as assigned by IANA.
+A value from the `Reserved for Local/Experimental` range (65001-65534) should
 be used.  Default is 65001.
 .SS "Remote Control Options"
 In the
 .B remote\-control:
@ -2048,7 +2099,8 @@ Specify whether the ECS address check (configured using
 query contains an ECS record, or only for queries for which the ECS record is
 generated using the querier address (and therefore did not contain ECS data in
 the client query). If enabled, the address check is skipped when the client
-query contains an ECS record. Default is no.
+query contains an ECS record. And the lookup in the regular cache is skipped.
 Default is no.
 .TP
 .B max\-client\-subnet\-ipv6: \fI<number>\fR
 Specifies the maximum prefix length of the client source address we are willing
--- a/doc/unbound.doxygen
+++ b/doc/unbound.doxygen
@ -1143,7 +1143,7 @@ COMPACT_LATEX          = NO
 # by the printer. Possible values are: a4, a4wide, letter, legal and
 # executive. If left blank a4wide will be used.
-PAPER_TYPE             = a4wide
+#PAPER_TYPE             = a4wide
 # The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
 # packages that should be included in the LaTeX output.
@ -1451,7 +1451,7 @@ EXTERNAL_GROUPS        = YES
 # The PERL_PATH should be the absolute path and name of the perl script
 # interpreter (i.e. the result of `which perl').
-PERL_PATH              = /usr/bin/perl
+#PERL_PATH              = /usr/bin/perl
 #---------------------------------------------------------------------------
 # Configuration options related to the dot tool
@ -1473,7 +1473,7 @@ CLASS_DIAGRAMS         = YES
 # the mscgen tool resides. If left empty the tool is assumed to be found in the
 # default search path.
-MSCGEN_PATH            =
+#MSCGEN_PATH            =
 # If set to YES, the inheritance and collaboration graphs will hide
 # inheritance and usage relations if the target is undocumented
--- a/dynlibmod/dynlibmod.c
+++ b/dynlibmod/dynlibmod.c
@ -5,16 +5,16 @@
 * module actions.
 */
 #include "config.h"
 #include "dynlibmod/dynlibmod.h"
 #include "util/module.h"
 #include "util/config_file.h"
 #include "dynlibmod/dynlibmod.h"
 #if HAVE_WINDOWS_H
 #include <windows.h>
 #define __DYNMOD HMODULE
 #define __DYNSYM FARPROC
 #define __LOADSYM GetProcAddress
-void log_dlerror() {
+static void log_dlerror() {
    DWORD dwLastError = GetLastError();
    LPSTR MessageBuffer;
    DWORD dwBufferLength;
@ -37,11 +37,11 @@ void log_dlerror() {
 }
-HMODULE open_library(const char* fname) {
+static HMODULE open_library(const char* fname) {
    return LoadLibrary(fname);
 }
-void close_library(const char* fname, __DYNMOD handle) {
+static void close_library(const char* fname, __DYNMOD handle) {
 	(void)fname;
 	(void)handle;
 }
@ -50,15 +50,15 @@ void close_library(const char* fname, __DYNMOD handle) {
 #define __DYNMOD void*
 #define __DYNSYM void*
 #define __LOADSYM dlsym
-void log_dlerror() {
+static void log_dlerror() {
    log_err("dynlibmod: %s", dlerror());
 }
-void* open_library(const char* fname) {
+static void* open_library(const char* fname) {
    return dlopen(fname, RTLD_LAZY | RTLD_GLOBAL);
 }
-void close_library(const char* fname, __DYNMOD handle) {
+static void close_library(const char* fname, __DYNMOD handle) {
 	if(!handle) return;
 	if(dlclose(handle) != 0) {
 		log_err("dlclose %s: %s", fname, strerror(errno));
@ -212,10 +212,10 @@ size_t dynlibmod_get_mem(struct module_env* env, int id) {
 int dynlib_inplace_cb_reply_generic(struct query_info* qinfo,
    struct module_qstate* qstate, struct reply_info* rep, int rcode,
    struct edns_data* edns, struct edns_option** opt_list_out,
-    struct comm_reply* repinfo, struct regional* region, int id,
+    struct comm_reply* repinfo, struct regional* region,
-    void* callback) {
+    struct timeval* start_time, int id, void* callback) {
    struct cb_pair* cb_pair = (struct cb_pair*) callback;
-    return ((inplace_cb_reply_func_type*) cb_pair->cb)(qinfo, qstate, rep, rcode, edns, opt_list_out, repinfo, region, id, cb_pair->cb_arg);
+    return ((inplace_cb_reply_func_type*) cb_pair->cb)(qinfo, qstate, rep, rcode, edns, opt_list_out, repinfo, region, start_time, id, cb_pair->cb_arg);
 }
 int dynlib_inplace_cb_query_generic(struct query_info* qinfo, uint16_t flags,
--- a/dynlibmod/dynlibmod.h
+++ b/dynlibmod/dynlibmod.h
@ -70,8 +70,8 @@ size_t dynlibmod_get_mem(struct module_env* env, int id);
 int dynlib_inplace_cb_reply_generic(struct query_info* qinfo,
    struct module_qstate* qstate, struct reply_info* rep, int rcode,
    struct edns_data* edns, struct edns_option** opt_list_out,
-    struct comm_reply* repinfo, struct regional* region, int id,
+    struct comm_reply* repinfo, struct regional* region,
-    void* callback);
+	struct timeval* start_time, int id, void* callback);
 int dynlib_inplace_cb_query_generic(struct query_info* qinfo, uint16_t flags,
    struct module_qstate* qstate, struct sockaddr_storage* addr,
--- a/dynlibmod/examples/helloworld.c
+++ b/dynlibmod/examples/helloworld.c
@ -7,8 +7,10 @@
 * And to build for windows, first make unbound with the --with-dynlibmod
 * switch, then use this command:
 *   x86_64-w64-mingw32-gcc -m64 -I../.. -shared -Wall -Werror -fpic
- *      -o helloworld.dll helloworld.c -L../.. -l:libunbound.a
+ *      -o helloworld.dll helloworld.c -L../.. -l:libunbound.dll.a
- * to cross-compile a 64-bit Windows DLL.
+ * to cross-compile a 64-bit Windows DLL.  The libunbound.dll.a is produced
 * by the compile step that makes unbound.exe and allows the dynlib dll to
 * access definitions in unbound.exe.
 */
 #include "../../config.h"
@ -30,8 +32,8 @@
 int reply_callback(struct query_info* qinfo,
    struct module_qstate* qstate, struct reply_info* rep, int rcode,
    struct edns_data* edns, struct edns_option** opt_list_out,
-    struct comm_reply* repinfo, struct regional* region, int id,
+    struct comm_reply* repinfo, struct regional* region,
-    void* callback);
+    struct timeval* start_time, int id, void* callback);
 /* Init is called when the module is first loaded. It should be used to set up
 * the environment for this module and do any other initialisation required. */
@ -116,8 +118,8 @@ EXPORT size_t get_mem(struct module_env* env, int id) {
 int reply_callback(struct query_info* qinfo,
    struct module_qstate* qstate, struct reply_info* rep, int rcode,
    struct edns_data* edns, struct edns_option** opt_list_out,
-    struct comm_reply* repinfo, struct regional* region, int id,
+    struct comm_reply* repinfo, struct regional* region,
-    void* callback) {
+    struct timeval* start_time, int id, void* callback) {
    log_info("dynlib: hello world from callback");
    struct dynlibmod_env* env = qstate->env->modinfo[id];
    if (env->dyn_env != NULL) {
--- a/libunbound/context.c
+++ b/libunbound/context.c
@ -81,7 +81,7 @@ context_finalize(struct ub_ctx* ctx)
 	if(!auth_zones_apply_cfg(ctx->env->auth_zones, cfg, 1, &is_rpz,
 		ctx->env, &ctx->mods))
 		return UB_INITFAIL;
-	if(!edns_tags_apply_cfg(ctx->env->edns_tags, cfg))
+	if(!edns_strings_apply_cfg(ctx->env->edns_strings, cfg))
 		return UB_INITFAIL;
 	if(!slabhash_is_size(ctx->env->msg_cache, cfg->msg_cache_size,
 		cfg->msg_cache_slabs)) {
--- a/libunbound/libunbound.c
+++ b/libunbound/libunbound.c
@ -154,8 +154,8 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
 		errno = ENOMEM;
 		return NULL;
 	}
-	ctx->env->edns_tags = edns_tags_create();
+	ctx->env->edns_strings = edns_strings_create();
-	if(!ctx->env->edns_tags) {
+	if(!ctx->env->edns_strings) {
 		auth_zones_delete(ctx->env->auth_zones);
 		edns_known_options_delete(ctx->env);
 		config_delete(ctx->env->cfg);
@ -186,7 +186,7 @@ ub_ctx_create(void)
 		config_delete(ctx->env->cfg);
 		modstack_desetup(&ctx->mods, ctx->env);
 		edns_known_options_delete(ctx->env);
-		edns_tags_delete(ctx->env->edns_tags);
+		edns_strings_delete(ctx->env->edns_strings);
 		free(ctx->env);
 		free(ctx);
 		errno = e;
@ -199,7 +199,7 @@ ub_ctx_create(void)
 		config_delete(ctx->env->cfg);
 		modstack_desetup(&ctx->mods, ctx->env);
 		edns_known_options_delete(ctx->env);
-		edns_tags_delete(ctx->env->edns_tags);
+		edns_strings_delete(ctx->env->edns_strings);
 		free(ctx->env);
 		free(ctx);
 		errno = e;
@ -338,7 +338,7 @@ ub_ctx_delete(struct ub_ctx* ctx)
 		infra_delete(ctx->env->infra_cache);
 		config_delete(ctx->env->cfg);
 		edns_known_options_delete(ctx->env);
-		edns_tags_delete(ctx->env->edns_tags);
+		edns_strings_delete(ctx->env->edns_strings);
 		auth_zones_delete(ctx->env->auth_zones);
 		free(ctx->env);
 	}
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@ -73,6 +73,9 @@
 #include "iterator/iter_hints.h"
 #include "sldns/sbuffer.h"
 #include "sldns/str2wire.h"
 #ifdef USE_DNSTAP
 #include "dnstap/dtstream.h"
 #endif
 #ifdef HAVE_TARGETCONDITIONALS_H
 #include <TargetConditionals.h>
@ -238,7 +241,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 		ports, numports, cfg->unwanted_threshold,
 		cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
 		cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
-		cfg->delay_close, cfg->tls_use_sni, NULL);
+		cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect);
 	w->env->outnet = w->back;
 	if(!w->is_bg || w->is_bg_thread) {
 		lock_basic_unlock(&ctx->cfglock);
@ -574,6 +577,7 @@ setup_qinfo_edns(struct libworker* w, struct ctx_query* q,
 	edns->edns_version = 0;
 	edns->bits = EDNS_DO;
 	edns->opt_list = NULL;
 	edns->padding_block_size = 0;
 	if(sldns_buffer_capacity(w->back->udp_buff) < 65535)
 		edns->udp_size = (uint16_t)sldns_buffer_capacity(
 			w->back->udp_buff);
--- a/makedist.sh
+++ b/makedist.sh
@ -412,6 +412,11 @@ if [ "$DOWIN" = "yes" ]; then
    cp ../unbound.exe ../unbound-anchor.exe ../unbound-host.exe ../unbound-control.exe ../unbound-checkconf.exe ../unbound-service-install.exe ../unbound-service-remove.exe ../LICENSE ../winrc/unbound-control-setup.cmd ../winrc/unbound-website.url ../winrc/service.conf ../winrc/README.txt ../contrib/create_unbound_ad_servers.cmd ../contrib/warmup.cmd ../contrib/unbound_cache.cmd .
    mkdir libunbound
    cp ../../unbound_shared/unbound.h ../../unbound_shared/.libs/libunbound*.dll ../../unbound_shared/.libs/libunbound.dll.a ../../unbound_shared/.libs/libunbound.a ../../unbound_shared/.libs/libunbound*.def ../../sslsharedinstall/lib/libcrypto.dll.a ../../sslsharedinstall/lib/libssl.dll.a ../../sslsharedinstall/bin/libcrypto*.dll ../../sslsharedinstall/bin/libssl*.dll ../../wxpinstall/bin/libexpat*.dll ../../wxpinstall/lib/libexpat.dll.a libunbound/.
    if test "$W64" = "no"; then
 	    cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libssp-0.dll libunbound/.
    else
 	    cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libssp-0.dll libunbound/.
    fi
    # zipfile
    zip -r ../$file LICENSE README.txt unbound.exe unbound-anchor.exe unbound-host.exe unbound-control.exe unbound-checkconf.exe unbound-service-install.exe unbound-service-remove.exe unbound-control-setup.cmd example.conf service.conf root.key unbound-website.url create_unbound_ad_servers.cmd warmup.cmd unbound_cache.cmd Changelog libunbound
    info "Testing $file"
--- a/pythonmod/interface.i
+++ b/pythonmod/interface.i
@ -20,6 +20,7 @@
 * called to perform operations on queries.
 */
   #include <sys/types.h>
   #include <time.h>
   #ifdef HAVE_SYS_SOCKET_H
   #include <sys/socket.h>
   #endif
@ -696,6 +697,8 @@ struct edns_data {
 /* ************************************************************************************ *
   Structure module_env
 * ************************************************************************************ */
 %rename(_now) module_env::now;
 %rename(_now_tv) module_env::now_tv;
 struct module_env {
    struct config_file* cfg;
    struct slabhash* msg_cache;
@ -739,6 +742,19 @@ struct module_env {
    size_t edns_known_options_num;
 };
 %inline %{
    PyObject* _module_env_now_get(struct module_env* env) {
        double ts = env->now_tv->tv_sec + env->now_tv->tv_usec / 1e6;
        return PyFloat_FromDouble(ts);
    }
 %}
 %extend module_env {
    %pythoncode %{
        def _now_get(self): return _module_env_now_get(self)
        now = property(_now_get)
    %}
 }
 /* ************************************************************************************ *
   Structure module_qstate
 * ************************************************************************************ */
@ -1525,13 +1541,14 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
    int python_inplace_cb_reply_generic(struct query_info* qinfo,
        struct module_qstate* qstate, struct reply_info* rep, int rcode,
        struct edns_data* edns, struct edns_option** opt_list_out,
-        struct comm_reply* repinfo, struct regional* region, int id,
+        struct comm_reply* repinfo, struct regional* region,
-        void* python_callback)
+        struct timeval* start_time, int id, void* python_callback)
    {
        PyObject *func, *py_edns, *py_qstate, *py_opt_list_out, *py_qinfo;
        PyObject *py_rep, *py_repinfo, *py_region;
        PyObject *py_args, *py_kwargs, *result;
        int res = 0;
        double py_start_time = ((double)start_time->tv_sec) + ((double)start_time->tv_usec) / 1.0e6;
        PyGILState_STATE gstate = PyGILState_Ensure();
        func = (PyObject *) python_callback;
@ -1546,7 +1563,8 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
        py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0);
        py_args = Py_BuildValue("(OOOiOOO)", py_qinfo, py_qstate, py_rep,
            rcode, py_edns, py_opt_list_out, py_region);
-        py_kwargs = Py_BuildValue("{s:O}", "repinfo", py_repinfo);
+        py_kwargs = Py_BuildValue("{s:O,s:d}", "repinfo", py_repinfo, "start_time",
                                  py_start_time);
        result = PyObject_Call(func, py_args, py_kwargs);
        Py_XDECREF(py_edns);
        Py_XDECREF(py_qstate);
--- a/pythonmod/pythonmod.h
+++ b/pythonmod/pythonmod.h
@ -72,8 +72,8 @@ size_t pythonmod_get_mem(struct module_env* env, int id);
 int python_inplace_cb_reply_generic(struct query_info* qinfo,
 	struct module_qstate* qstate, struct reply_info* rep, int rcode,
 	struct edns_data* edns, struct edns_option** opt_list_out,
-	struct comm_reply* repinfo, struct regional* region, int id,
+	struct comm_reply* repinfo, struct regional* region,
-	void* python_callback);
+	struct timeval* start_time, int id, void* python_callback);
 /** Declared here for fptr_wlist access. The definition is in interface.i. */
 int python_inplace_cb_query_generic(
--- a/pythonmod/pythonmod_utils.c
+++ b/pythonmod/pythonmod_utils.c
@ -39,6 +39,7 @@
 * conversions.
 */
 #include "config.h"
 #include "pythonmod/pythonmod_utils.h"
 #include "util/module.h"
 #include "util/netevent.h"
 #include "util/net_help.h"
--- a/pythonmod/pythonmod_utils.h
+++ b/pythonmod/pythonmod_utils.h
@ -43,6 +43,7 @@
 #include "util/module.h"
 struct delegpt_addr;
 struct sldns_buffer;
 /**
 *  Store the reply_info and query_info pair in message cache (qstate->msg_cache)
@ -77,7 +78,7 @@ void invalidateQueryInCache(struct module_qstate* qstate, struct query_info* qin
 * @param pkt: a sldns_buffer which contains sldns_packet data
 * @return 0 on failure, out of memory or parse error.
 */
-int createResponse(struct module_qstate* qstate, sldns_buffer* pkt);
+int createResponse(struct module_qstate* qstate, struct sldns_buffer* pkt);
 /**
 *  Convert reply->addr to string
--- a/respip/respip.c
+++ b/respip/respip.c
@ -523,7 +523,7 @@ copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region)
 			return NULL; /* guard against integer overflow */
 		dsize += data->rr_len[i];
 	}
-	d = regional_alloc(region, dsize);
+	d = regional_alloc_zero(region, dsize);
 	if(!d)
 		return NULL;
 	*d = *data;
@ -914,7 +914,7 @@ respip_rewrite_reply(const struct query_info* qinfo,
 	int ret = 1;
 	struct ub_packed_rrset_key* redirect_rrset = NULL;
 	struct rpz* r;
-	struct auth_zone* a;
+	struct auth_zone* a = NULL;
 	struct ub_packed_rrset_key* data = NULL;
 	int rpz_used = 0;
 	int rpz_log = 0;
@ -1109,7 +1109,7 @@ respip_operate(struct module_qstate* qstate, enum module_ev event, int id,
 			qstate->return_msg && qstate->return_msg->rep) {
 			struct reply_info* new_rep = qstate->return_msg->rep;
 			struct ub_packed_rrset_key* alias_rrset = NULL;
-			struct respip_action_info actinfo = {0};
+			struct respip_action_info actinfo = {0, 0, 0, 0, NULL, 0, NULL};
 			actinfo.action = respip_none;
 			if(!respip_rewrite_reply(&qstate->qinfo,
@ -1170,7 +1170,7 @@ respip_merge_cname(struct reply_info* base_rep,
 	struct ub_packed_rrset_key* alias_rrset = NULL; /* ditto */
 	uint16_t tgt_rcode;
 	size_t i, j;
-	struct respip_action_info actinfo = {0};
+	struct respip_action_info actinfo = {0, 0, 0, 0, NULL, 0, NULL};
 	actinfo.action = respip_none;
 	/* If the query for the CNAME target would result in an unusual rcode,
--- a/services/authzone.c
+++ b/services/authzone.c
@ -2518,7 +2518,8 @@ static int
 az_add_negative_soa(struct auth_zone* z, struct regional* region,
 	struct dns_msg* msg)
 {
-	uint32_t minimum;
+	time_t minimum;
 	size_t i;
 	struct packed_rrset_data* d;
 	struct auth_rrset* soa;
 	struct auth_data* apex = az_find_name(z, z->name, z->namelen);
@ -2535,9 +2536,11 @@ az_add_negative_soa(struct auth_zone* z, struct regional* region,
 	/* last 4 bytes are minimum ttl in network format */
 	if(d->count == 0) return 0;
 	if(d->rr_len[0] < 2+4) return 0;
-	minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4));
+	minimum = (time_t)sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4));
-	d->ttl = (time_t)minimum;
+	minimum = d->ttl<minimum?d->ttl:minimum;
-	d->rr_ttl[0] = (time_t)minimum;
+	d->ttl = minimum;
 	for(i=0; i < d->count + d->rrsig_count; i++)
 		d->rr_ttl[i] = minimum;
 	msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
 	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
 	msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
@ -3473,7 +3476,7 @@ auth_answer_encode(struct query_info* qinfo, struct module_env* env,
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, msg->rep,
-		(int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp)
+		(int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp, env->now_tv)
 		|| !reply_info_answer_encode(qinfo, msg->rep,
 		*(uint16_t*)sldns_buffer_begin(buf),
 		sldns_buffer_read_u16_at(buf, 2),
@ -3497,7 +3500,7 @@ auth_error_encode(struct query_info* qinfo, struct module_env* env,
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL,
-		rcode, edns, repinfo, temp))
+		rcode, edns, repinfo, temp, env->now_tv))
 		edns->opt_list = NULL;
 	error_encode(buf, rcode|BIT_AA, qinfo,
 		*(uint16_t*)sldns_buffer_begin(buf),
@ -5336,6 +5339,7 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
 	edns.edns_version = 0;
 	edns.bits = EDNS_DO;
 	edns.opt_list = NULL;
 	edns.padding_block_size = 0;
 	if(sldns_buffer_capacity(buf) < 65535)
 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
 	else	edns.udp_size = 65535;
@ -6322,7 +6326,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
 	/* send udp packet */
 	if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer,
-		(struct sockaddr*)&addr, addrlen)) {
+		(struct sockaddr*)&addr, addrlen, 0)) {
 		char zname[255+1], as[256];
 		dname_str(xfr->name, zname);
 		addr_to_str(&addr, addrlen, as, sizeof(as));
@ -6524,6 +6528,7 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
 	edns.edns_version = 0;
 	edns.bits = EDNS_DO;
 	edns.opt_list = NULL;
 	edns.padding_block_size = 0;
 	if(sldns_buffer_capacity(buf) < 65535)
 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
 	else	edns.udp_size = 65535;
--- a/services/cache/rrset.c
+++ b/services/cache/rrset.c
@ -45,6 +45,7 @@
 #include "util/config_file.h"
 #include "util/data/packed_rrset.h"
 #include "util/data/msgreply.h"
 #include "util/data/msgparse.h"
 #include "util/regional.h"
 #include "util/alloc.h"
 #include "util/net_help.h"
@ -396,6 +397,7 @@ rrset_update_sec_status(struct rrset_cache* r,
 			cachedata->ttl = updata->ttl + now;
 			for(i=0; i<cachedata->count+cachedata->rrsig_count; i++)
 				cachedata->rr_ttl[i] = updata->rr_ttl[i]+now;
 			cachedata->ttl_add = now;
 		}
 	}
 	lock_rw_unlock(&e->lock);
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@ -43,6 +43,7 @@
 #  include <sys/types.h>
 #endif
 #include <sys/time.h>
 #include <limits.h>
 #ifdef USE_TCP_FASTOPEN
 #include <netinet/tcp.h>
 #endif
@ -530,7 +531,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 				return -1;
 			}
 		}
-#  elif defined(IP_DONTFRAG)
+#  elif defined(IP_DONTFRAG) && !defined(__APPLE__)
 		/* the IP_DONTFRAG option if defined in the 11.0 OSX headers,
 		 * but does not work on that version, so we exclude it */
 		int off = 0;
 		if (setsockopt(s, IPPROTO_IP, IP_DONTFRAG, 
 			&off, (socklen_t)sizeof(off)) < 0) {
@ -1453,7 +1456,7 @@ resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addres
 				log_err("inet_ntop failed");
 				return 0;
 			}
-			if_indextoname(in6->sin6_scope_id,
+			(void)if_indextoname(in6->sin6_scope_id,
 				(char *)if_index_name);
 			if (strlen(if_index_name) != 0) {
 				snprintf(addr_buf, sizeof(addr_buf),
@ -1471,7 +1474,6 @@ resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addres
 		tmpbuf = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
 		if(!tmpbuf) {
 			free(*ip_addresses);
 			log_err("realloc failed: out of memory");
 			return 0;
 		} else {
@ -1488,7 +1490,6 @@ resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addres
 	if (*ip_addresses_size == last_ip_addresses_size) {
 		tmpbuf = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
 		if(!tmpbuf) {
 			free(*ip_addresses);
 			log_err("realloc failed: out of memory");
 			return 0;
 		} else {
@ -1820,12 +1821,12 @@ tcp_req_info_setup_listen(struct tcp_req_info* req)
 		req->cp->tcp_is_reading = 0;
 		comm_point_stop_listening(req->cp);
 		comm_point_start_listening(req->cp, -1,
-			req->cp->tcp_timeout_msec);
+			adjusted_tcp_timeout(req->cp));
 	} else if(rd) {
 		req->cp->tcp_is_reading = 1;
 		comm_point_stop_listening(req->cp);
 		comm_point_start_listening(req->cp, -1,
-			req->cp->tcp_timeout_msec);
+			adjusted_tcp_timeout(req->cp));
 		/* and also read it (from SSL stack buffers), so
 		 * no event read event is expected since the remainder of
 		 * the TLS frame is sitting in the buffers. */
@ -1833,7 +1834,7 @@ tcp_req_info_setup_listen(struct tcp_req_info* req)
 	} else {
 		comm_point_stop_listening(req->cp);
 		comm_point_start_listening(req->cp, -1,
-			req->cp->tcp_timeout_msec);
+			adjusted_tcp_timeout(req->cp));
 		comm_point_listen_for_rw(req->cp, 0, 0);
 	}
 }
@ -1946,7 +1947,7 @@ tcp_req_info_handle_readdone(struct tcp_req_info* req)
 	send_it:
 		c->tcp_is_reading = 0;
 		comm_point_stop_listening(c);
-		comm_point_start_listening(c, -1, c->tcp_timeout_msec);
+		comm_point_start_listening(c, -1, adjusted_tcp_timeout(c));
 		return;
 	}
 	req->in_worker_handle = 0;
@ -2064,7 +2065,7 @@ tcp_req_info_send_reply(struct tcp_req_info* req)
 		/* switch to listen to write events */
 		comm_point_stop_listening(req->cp);
 		comm_point_start_listening(req->cp, -1,
-			req->cp->tcp_timeout_msec);
+			adjusted_tcp_timeout(req->cp));
 		return;
 	}
 	/* queue up the answer behind the others already pending */
@ -2207,7 +2208,7 @@ int http2_submit_dns_response(struct http2_session* h2_session)
 	}
 	rlen = sldns_buffer_remaining(h2_session->c->buffer);
-	snprintf(rlen_str, sizeof(rlen_str), "%u", rlen);
+	snprintf(rlen_str, sizeof(rlen_str), "%u", (unsigned)rlen);
 	lock_basic_lock(&http2_response_buffer_count_lock);
 	if(http2_response_buffer_count + rlen > http2_response_buffer_max) {
@ -2792,7 +2793,7 @@ void http2_req_stream_clear(struct http2_stream* h2_stream)
 	}
 }
-nghttp2_session_callbacks* http2_req_callbacks_create()
+nghttp2_session_callbacks* http2_req_callbacks_create(void)
 {
 	nghttp2_session_callbacks *callbacks;
 	if(nghttp2_session_callbacks_new(&callbacks) == NGHTTP2_ERR_NOMEM) {
--- a/services/listen_dnsport.h
+++ b/services/listen_dnsport.h
@ -404,7 +404,7 @@ size_t http2_get_response_buffer_size(void);
 * Create nghttp2 callbacks to handle HTTP2 requests.
 * @return malloc'ed struct, NULL on failure
 */
-nghttp2_session_callbacks* http2_req_callbacks_create();
+nghttp2_session_callbacks* http2_req_callbacks_create(void);
 /** Free http2 stream buffers and decrease buffer counters */
 void http2_req_stream_clear(struct http2_stream* h2_stream);
--- a/services/localzone.c
+++ b/services/localzone.c
@ -463,6 +463,48 @@ lz_find_create_node(struct local_zone* z, uint8_t* nm, size_t nmlen,
 	return 1;
 }
 /* Mark the SOA record for the zone. This only marks the SOA rrset; the data
 * for the RR is entered later on local_zone_enter_rr() as with the other
 * records. An artifical soa_negative record with a modified TTL (minimum of
 * the TTL and the SOA.MINIMUM) is also created and marked for usage with
 * negative answers and to avoid allocations during those answers. */
 static int
 lz_mark_soa_for_zone(struct local_zone* z, struct ub_packed_rrset_key* soa_rrset,
 	uint8_t* rdata, size_t rdata_len, time_t ttl, const char* rrstr)
 {
 	struct packed_rrset_data* pd = (struct packed_rrset_data*)
 		regional_alloc_zero(z->region, sizeof(*pd));
 	struct ub_packed_rrset_key* rrset_negative = (struct ub_packed_rrset_key*)
 		regional_alloc_zero(z->region, sizeof(*rrset_negative));
 	time_t minimum;
 	if(!rrset_negative||!pd) {
 		log_err("out of memory");
 		return 0;
 	}
 	/* Mark the original SOA record and then continue with the negative one. */
 	z->soa = soa_rrset;
 	rrset_negative->entry.key = rrset_negative;
 	pd->trust = rrset_trust_prim_noglue;
 	pd->security = sec_status_insecure;
 	rrset_negative->entry.data = pd;
 	rrset_negative->rk.dname = soa_rrset->rk.dname;
 	rrset_negative->rk.dname_len = soa_rrset->rk.dname_len;
 	rrset_negative->rk.type = soa_rrset->rk.type;
 	rrset_negative->rk.rrset_class = soa_rrset->rk.rrset_class;
 	if(!rrset_insert_rr(z->region, pd, rdata, rdata_len, ttl, rrstr))
 		return 0;
 	/* last 4 bytes are minimum ttl in network format */
 	if(pd->count == 0 || pd->rr_len[0] < 2+4)
 		return 0;
 	minimum = (time_t)sldns_read_uint32(pd->rr_data[0]+(pd->rr_len[0]-4));
 	minimum = ttl<minimum?ttl:minimum;
 	pd->ttl = minimum;
 	pd->rr_ttl[0] = minimum;
 	z->soa_negative = rrset_negative;
 	return 1;
 }
 int
 local_zone_enter_rr(struct local_zone* z, uint8_t* nm, size_t nmlen,
 	int nmlabs, uint16_t rrtype, uint16_t rrclass, time_t ttl,
@ -502,8 +544,10 @@ local_zone_enter_rr(struct local_zone* z, uint8_t* nm, size_t nmlen,
 		if(query_dname_compare(node->name, z->name) == 0) {
 			if(rrtype == LDNS_RR_TYPE_NSEC)
 			  rrset->rrset->rk.flags = PACKED_RRSET_NSEC_AT_APEX;
-			if(rrtype == LDNS_RR_TYPE_SOA)
+			if(rrtype == LDNS_RR_TYPE_SOA &&
-				z->soa = rrset->rrset;
+				!lz_mark_soa_for_zone(z, rrset->rrset, rdata, rdata_len, ttl,
 					rrstr))
 				return 0;
 		}
 	} 
 	pd = (struct packed_rrset_data*)rrset->rrset->entry.data;
@ -1215,7 +1259,7 @@ local_encode(struct query_info* qinfo, struct module_env* env,
 	edns->ext_rcode = 0;
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, &rep, rcode, edns,
-		repinfo, temp) || !reply_info_answer_encode(qinfo, &rep,
+		repinfo, temp, env->now_tv) || !reply_info_answer_encode(qinfo, &rep,
 		*(uint16_t*)sldns_buffer_begin(buf), sldns_buffer_read_u16_at(buf, 2),
 		buf, 0, 0, temp, udpsize, edns, (int)(edns->bits&EDNS_DO), 0)) {
 		error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo,
@ -1237,7 +1281,7 @@ local_error_encode(struct query_info* qinfo, struct module_env* env,
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL,
-		rcode, edns, repinfo, temp))
+		rcode, edns, repinfo, temp, env->now_tv))
 		edns->opt_list = NULL;
 	error_encode(buf, r, qinfo, *(uint16_t*)sldns_buffer_begin(buf),
 		sldns_buffer_read_u16_at(buf, 2), edns);
@ -1548,9 +1592,9 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 			lz_type == local_zone_inform_redirect ||
 			lz_type == local_zone_always_nodata)?
 			LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN;
-		if(z->soa)
+		if(z->soa && z->soa_negative)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
-				z->soa, 0, rcode);
+				z->soa_negative, 0, rcode);
 		local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode,
 			(rcode|BIT_AA));
 		return 1;
@ -1558,6 +1602,46 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 		|| lz_type == local_zone_always_transparent) {
 		/* no NODATA or NXDOMAINS for this zone type */
 		return 0;
 	} else if(lz_type == local_zone_always_null) {
 		/* 0.0.0.0 or ::0 or noerror/nodata for this zone type,
 		 * used for blocklists. */
 		if(qinfo->qtype == LDNS_RR_TYPE_A ||
 			qinfo->qtype == LDNS_RR_TYPE_AAAA) {
 			struct ub_packed_rrset_key lrr;
 			struct packed_rrset_data d;
 			time_t rr_ttl = 3600;
 			size_t rr_len = 0;
 			uint8_t rr_data[2+16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
 			uint8_t* rr_datas = rr_data;
 			memset(&lrr, 0, sizeof(lrr));
 			memset(&d, 0, sizeof(d));
 			lrr.entry.data = &d;
 			lrr.rk.dname = qinfo->qname;
 			lrr.rk.dname_len = qinfo->qname_len;
 			lrr.rk.type = htons(qinfo->qtype);
 			lrr.rk.rrset_class = htons(qinfo->qclass);
 			if(qinfo->qtype == LDNS_RR_TYPE_A) {
 				rr_len = 4;
 				sldns_write_uint16(rr_data, rr_len);
 				rr_len += 2;
 			} else {
 				rr_len = 16;
 				sldns_write_uint16(rr_data, rr_len);
 				rr_len += 2;
 			}
 			d.ttl = rr_ttl;
 			d.count = 1;
 			d.rr_len = &rr_len;
 			d.rr_data = &rr_datas;
 			d.rr_ttl = &rr_ttl;
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
 				&lrr, 1, LDNS_RCODE_NOERROR);
 		} else {
 			local_error_encode(qinfo, env, edns, repinfo, buf,
 				temp, LDNS_RCODE_NOERROR,
 				(LDNS_RCODE_NOERROR|BIT_AA));
 		}
 		return 1;
 	}
 	/* else lz_type == local_zone_transparent */
@ -1565,9 +1649,9 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 	 * does not, then we should make this noerror/nodata */
 	if(ld && ld->rrsets) {
 		int rcode = LDNS_RCODE_NOERROR;
-		if(z->soa)
+		if(z->soa && z->soa_negative)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
-				z->soa, 0, rcode);
+				z->soa_negative, 0, rcode);
 		local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode,
 			(rcode|BIT_AA));
 		return 1;
@ -1762,6 +1846,7 @@ const char* local_zone_type2str(enum localzone_type t)
 		case local_zone_always_nxdomain: return "always_nxdomain";
 		case local_zone_always_nodata: return "always_nodata";
 		case local_zone_always_deny: return "always_deny";
 		case local_zone_always_null: return "always_null";
 		case local_zone_noview: return "noview";
 		case local_zone_invalid: return "invalid";
 	}
@ -1798,6 +1883,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
 		*t = local_zone_always_nodata;
 	else if(strcmp(type, "always_deny") == 0)
 		*t = local_zone_always_deny;
 	else if(strcmp(type, "always_null") == 0)
 		*t = local_zone_always_null;
 	else if(strcmp(type, "noview") == 0)
 		*t = local_zone_noview;
 	else if(strcmp(type, "nodefault") == 0)
@ -2000,8 +2087,10 @@ void local_zones_del_data(struct local_zones* zones,
 		/* no memory recycling for zone deletions ... */
 		d->rrsets = NULL;
 		/* did we delete the soa record ? */
-		if(query_dname_compare(d->name, z->name) == 0)
+		if(query_dname_compare(d->name, z->name) == 0) {
 			z->soa = NULL;
 			z->soa_negative = NULL;
 		}
 		/* cleanup the empty nonterminals for this name */
 		del_empty_term(z, d, name, len, labs);
--- a/services/localzone.h
+++ b/services/localzone.h
@ -96,6 +96,9 @@ enum localzone_type {
 	local_zone_always_nodata,
 	/** drop query, even when there is local data */
 	local_zone_always_deny,
 	/** answer with 0.0.0.0 or ::0 or noerror/nodata, even when there is
 	 * local data */
 	local_zone_always_null,
 	/** answer not from the view, but global or no-answer */
 	local_zone_noview,
 	/** Invalid type, cannot be used to generate answer */
@ -155,6 +158,10 @@ struct local_zone {
 	rbtree_type data;
 	/** if data contains zone apex SOA data, this is a ptr to it. */
 	struct ub_packed_rrset_key* soa;
 	/** if data contains zone apex SOA data, this is a prt to an
 	 * artificial negative SOA rrset (TTL is the minimum of the TTL and the
 	 * SOA.MINIMUM). */
 	struct ub_packed_rrset_key* soa_negative;
 };
 /**
--- a/services/mesh.c
+++ b/services/mesh.c
@ -498,7 +498,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 		if(!s) {
 			log_err("mesh_state_create: out of memory; SERVFAIL");
 			if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL,
-				LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch))
+				LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
 					edns->opt_list = NULL;
 			error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 				qinfo, qid, qflags, edns);
@ -514,7 +514,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 			if(!s->s.edns_opts_front_in) {
 				log_err("mesh_state_create: out of memory; SERVFAIL");
 				if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL,
-					NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch))
+					NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
 						edns->opt_list = NULL;
 				error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 					qinfo, qid, qflags, edns);
@ -587,7 +587,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 servfail_mem:
 	if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, &s->s,
-		NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch))
+		NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
 			edns->opt_list = NULL;
 	error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 		qinfo, qid, qflags, edns);
@ -1112,10 +1112,12 @@ int mesh_state_attachment(struct mesh_state* super, struct mesh_state* sub)
 * @param rcode: if not 0, error code.
 * @param rep: reply to send (or NULL if rcode is set).
 * @param r: callback entry
 * @param start_time: the time to pass to callback functions, it is 0 or
 * 	a value from one of the packets if the mesh state had packets.
 */
 static void
 mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
-	struct mesh_cb* r)
+	struct mesh_cb* r, struct timeval* start_time)
 {
 	int secure;
 	char* reason = NULL;
@ -1136,11 +1138,11 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 	if(rcode) {
 		if(rcode == LDNS_RCODE_SERVFAIL) {
 			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
-				rep, rcode, &r->edns, NULL, m->s.region))
+				rep, rcode, &r->edns, NULL, m->s.region, start_time))
 					r->edns.opt_list = NULL;
 		} else {
 			if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
-				&r->edns, NULL, m->s.region))
+				&r->edns, NULL, m->s.region, start_time))
 					r->edns.opt_list = NULL;
 		}
 		fptr_ok(fptr_whitelist_mesh_cb(r->cb));
@ -1155,7 +1157,7 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 		r->edns.bits &= EDNS_DO;
 		if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
-			LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region) ||
+			LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region, start_time) ||
 			!reply_info_answer_encode(&m->s.qinfo, rep, r->qid, 
 			r->qflags, r->buf, 0, 1, 
 			m->s.env->scratch, udp_size, &r->edns, 
@ -1256,11 +1258,11 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 		m->s.qinfo.local_alias = r->local_alias;
 		if(rcode == LDNS_RCODE_SERVFAIL) {
 			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
-				rep, rcode, &r->edns, &r->query_reply, m->s.region))
+				rep, rcode, &r->edns, &r->query_reply, m->s.region, &r->start_time))
 					r->edns.opt_list = NULL;
 		} else { 
 			if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
-				&r->edns, &r->query_reply, m->s.region))
+				&r->edns, &r->query_reply, m->s.region, &r->start_time))
 					r->edns.opt_list = NULL;
 		}
 		error_encode(r_buffer, rcode, &m->s.qinfo, r->qid,
@ -1277,7 +1279,7 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 		m->s.qinfo.qname = r->qname;
 		m->s.qinfo.local_alias = r->local_alias;
 		if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
-			LDNS_RCODE_NOERROR, &r->edns, &r->query_reply, m->s.region) ||
+			LDNS_RCODE_NOERROR, &r->edns, &r->query_reply, m->s.region, &r->start_time) ||
 			!apply_edns_options(&r->edns, &edns_bak,
 				m->s.env->cfg, r->query_reply.c,
 				m->s.region) ||
@ -1287,7 +1289,7 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 			secure)) 
 		{
 			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
-			rep, LDNS_RCODE_SERVFAIL, &r->edns, &r->query_reply, m->s.region))
+			rep, LDNS_RCODE_SERVFAIL, &r->edns, &r->query_reply, m->s.region, &r->start_time))
 				r->edns.opt_list = NULL;
 			error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 				&m->s.qinfo, r->qid, r->qflags, &r->edns);
@ -1330,6 +1332,7 @@ void mesh_query_done(struct mesh_state* mstate)
 	struct mesh_cb* c;
 	struct reply_info* rep = (mstate->s.return_msg?
 		mstate->s.return_msg->rep:NULL);
 	struct timeval tv = {0, 0};
 	/* No need for the serve expired timer anymore; we are going to reply. */
 	if(mstate->s.serve_expired_data) {
 		comm_timer_delete(mstate->s.serve_expired_data->timer);
@ -1349,6 +1352,8 @@ void mesh_query_done(struct mesh_state* mstate)
 		}
 	}
 	for(r = mstate->reply_list; r; r = r->next) {
 		tv = r->start_time;
 		/* if a response-ip address block has been stored the
 		 *  information should be logged for each client. */
 		if(mstate->s.respip_action_info &&
@ -1421,7 +1426,7 @@ void mesh_query_done(struct mesh_state* mstate)
 		if(!mstate->reply_list && !mstate->cb_list &&
 			mstate->super_set.count == 0)
 			mstate->s.env->mesh->num_detached_states++;
-		mesh_do_callback(mstate, mstate->s.return_rcode, rep, c);
+		mesh_do_callback(mstate, mstate->s.return_rcode, rep, c, &tv);
 	}
 }
@ -1917,13 +1922,16 @@ mesh_serve_expired_callback(void* arg)
 	struct respip_action_info actinfo;
 	struct query_info* lookup_qinfo = &qstate->qinfo;
 	struct query_info qinfo_tmp;
 	struct timeval tv = {0, 0};
 	int must_validate = (!(qstate->query_flags&BIT_CD)
 		|| qstate->env->cfg->ignore_cd) && qstate->env->need_to_validate;
 	if(!qstate->serve_expired_data) return;
 	verbose(VERB_ALGO, "Serve expired: Trying to reply with expired data");
 	comm_timer_delete(qstate->serve_expired_data->timer);
 	qstate->serve_expired_data->timer = NULL;
-	if(qstate->blacklist || qstate->no_cache_lookup || qstate->is_drop) {
+	/* If is_drop or no_cache_lookup (modules that handle their own cache e.g.,
 	 * subnetmod) ignore stale data from the main cache. */
 	if(qstate->no_cache_lookup || qstate->is_drop) {
 		verbose(VERB_ALGO,
 			"Serve expired: Not allowed to look into cache for stale");
 		return;
@ -1988,6 +1996,8 @@ mesh_serve_expired_callback(void* arg)
 		log_dns_msg("Serve expired lookup", &qstate->qinfo, msg->rep);
 	for(r = mstate->reply_list; r; r = r->next) {
 		tv = r->start_time;
 		/* If address info is returned, it means the action should be an
 		* 'inform' variant and the information should be logged. */
 		if(actinfo.addrinfo) {
@ -2042,6 +2052,6 @@ mesh_serve_expired_callback(void* arg)
 		if(!mstate->reply_list && !mstate->cb_list &&
 			mstate->super_set.count == 0)
 			qstate->env->mesh->num_detached_states++;
-		mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c);
+		mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c, &tv);
 	}
 }
--- a/services/outside_network.c
+++ b/services/outside_network.c
--- a/services/outside_network.h
+++ b/services/outside_network.h
@ -52,6 +52,7 @@ struct ub_randstate;
 struct pending_tcp;
 struct waiting_tcp;
 struct waiting_udp;
 struct reuse_tcp;
 struct infra_cache;
 struct port_comm;
 struct port_if;
@ -106,6 +107,9 @@ struct outside_network {
 	int delayclose;
 	/** timeout for delayclose */
 	struct timeval delay_tv;
 	/** if we perform udp-connect, connect() for UDP socket to mitigate
 	 * ICMP side channel leakage */
 	int udp_connect;
 	/** array of outgoing IP4 interfaces */
 	struct port_if* ip4_ifs;
@ -154,6 +158,21 @@ struct outside_network {
 	size_t num_tcp;
 	/** number of tcp communication points in use. */
 	size_t num_tcp_outgoing;
 	/**
 	 * tree of still-open and waiting tcp connections for reuse.
 	 * can be closed and reopened to get a new tcp connection.
 	 * or reused to the same destination again.  with timeout to close.
 	 * Entries are of type struct reuse_tcp.
 	 * The entries are both active and empty connections.
 	 */
 	rbtree_type tcp_reuse;
 	/** max number of tcp_reuse entries we want to keep open */
 	size_t tcp_reuse_max;
 	/** first and last(oldest) in lru list of reuse connections.
 	 * the oldest can be closed to get a new free pending_tcp if needed
 	 * The list contains empty connections, that wait for timeout or
 	 * a new query that can use the existing connection. */
 	struct reuse_tcp* tcp_reuse_first, *tcp_reuse_last;
 	/** list of tcp comm points that are free for use */
 	struct pending_tcp* tcp_free;
 	/** list of tcp queries waiting for a buffer */
@ -211,6 +230,76 @@ struct port_comm {
 	struct comm_point* cp;
 };
 /**
 * Reuse TCP connection, still open can be used again.
 */
 struct reuse_tcp {
 	/** rbtree node with links in tcp_reuse tree. key is NULL when not
 	 * in tree. Both active and empty connections are in the tree.
 	 * key is a pointer to this structure, the members used to compare
 	 * are the sockaddr and and then is-ssl bool, and then ptr value is
 	 * used in case the same address exists several times in the tree
 	 * when there are multiple connections to the same destination to
 	 * make the rbtree items unique. */
 	rbnode_type node;
 	/** the key for the tcp_reuse tree. address of peer, ip4 or ip6,
 	 * and port number of peer */
 	struct sockaddr_storage addr;
 	/** length of addr */
 	socklen_t addrlen;
 	/** also key for tcp_reuse tree, if ssl is used */
 	int is_ssl;
 	/** lru chain, so that the oldest can be removed to get a new
 	 * connection when all are in (re)use. oldest is last in list.
 	 * The lru only contains empty connections waiting for reuse,
 	 * the ones with active queries are not on the list because they
 	 * do not need to be closed to make space for others.  They already
 	 * service a query so the close for another query does not help
 	 * service a larger number of queries. */
 	struct reuse_tcp* lru_next, *lru_prev;
 	/** true if the reuse_tcp item is on the lru list with empty items */
 	int item_on_lru_list;
 	/** the connection to reuse, the fd is non-1 and is open.
 	 * the addr and port determine where the connection is going,
 	 * and is key to the rbtree.  The SSL ptr determines if it is
 	 * a TLS connection or a plain TCP connection there.  And TLS
 	 * or not is also part of the key to the rbtree.
 	 * There is a timeout and read event on the fd, to close it. */
 	struct pending_tcp* pending;
 	/**
 	 * The more read again value pointed to by the commpoint
 	 * tcp_more_read_again pointer, so that it exists after commpoint
 	 * delete
 	 */
 	int cp_more_read_again;
 	/**
 	 * The more write again value pointed to by the commpoint
 	 * tcp_more_write_again pointer, so that it exists after commpoint
 	 * delete
 	 */
 	int cp_more_write_again;
 	/** rbtree with other queries waiting on the connection, by ID number,
 	 * of type struct waiting_tcp. It is for looking up received
 	 * answers to the structure for callback.  And also to see if ID
 	 * numbers are unused and can be used for a new query.
 	 * The write_wait elements are also in the tree, so that ID numbers
 	 * can be looked up also for them.  They are bool write_wait_queued. */
 	rbtree_type tree_by_id;
 	/** list of queries waiting to be written on the channel,
 	 * if NULL no queries are waiting to be written and the pending->query
 	 * is the query currently serviced.  The first is the next in line.
 	 * They are also in the tree_by_id. Once written, the are removed
 	 * from this list, but stay in the tree. */
 	struct waiting_tcp* write_wait_first, *write_wait_last;
 	/** the outside network it is part of */
 	struct outside_network* outnet;
 };
 /** max number of queries on a reuse connection */
 #define MAX_REUSE_TCP_QUERIES 200
 /** timeout for REUSE entries in milliseconds. */
 #define REUSE_TIMEOUT 60000
 /**
 * A query that has an answer pending for it.
 */
@ -255,12 +344,15 @@ struct pending {
 struct pending_tcp {
 	/** next in list of free tcp comm points, or NULL. */
 	struct pending_tcp* next_free;
 	/** the ID for the query; checked in reply */
 	uint16_t id;
 	/** tcp comm point it was sent on (and reply must come back on). */
 	struct comm_point* c;
 	/** the query being serviced, NULL if the pending_tcp is unused. */
 	struct waiting_tcp* query;
 	/** the pre-allocated reuse tcp structure.  if ->pending is nonNULL
 	 * it is in use and the connection is waiting for reuse.
 	 * It is here for memory pre-allocation, and used to make this
 	 * pending_tcp wait for reuse. */
 	struct reuse_tcp reuse;
 };
 /**
@ -269,12 +361,27 @@ struct pending_tcp {
 struct waiting_tcp {
 	/** 
 	 * next in waiting list.
-	 * if pkt==0, this points to the pending_tcp structure.
+	 * if on_tcp_waiting_list==0, this points to the pending_tcp structure.
 	 */
 	struct waiting_tcp* next_waiting;
 	/** if true the item is on the tcp waiting list and next_waiting
 	 * is used for that.  If false, the next_waiting points to the
 	 * pending_tcp */
 	int on_tcp_waiting_list;
 	/** next and prev in query waiting list for stream connection */
 	struct waiting_tcp* write_wait_prev, *write_wait_next;
 	/** true if the waiting_tcp structure is on the write_wait queue */
 	int write_wait_queued;
 	/** entry in reuse.tree_by_id, if key is NULL, not in tree, otherwise,
 	 * this struct is key and sorted by ID (from waiting_tcp.id). */
 	rbnode_type id_node;
 	/** the ID for the query; checked in reply */
 	uint16_t id;
 	/** timeout event; timer keeps running whether the query is
 	 * waiting for a buffer or the tcp reply is pending */
 	struct comm_timer* timer;
 	/** timeout in msec */
 	int timeout;
 	/** the outside network it is part of */
 	struct outside_network* outnet;
 	/** remote address. */
@ -284,13 +391,14 @@ struct waiting_tcp {
 	/** 
 	 * The query itself, the query packet to send.
 	 * allocated after the waiting_tcp structure.
 	 * set to NULL when the query is serviced and it part of pending_tcp.
 	 * if this is NULL, the next_waiting points to the pending_tcp.
 	 */
 	uint8_t* pkt;
 	/** length of query packet. */
 	size_t pkt_len;
-	/** callback for the timeout, error or reply to the message */
+	/** callback for the timeout, error or reply to the message,
 	 * or NULL if no user is waiting. the entry uses an ID number.
 	 * a query that was written is no longer needed, but the ID number
 	 * and a reply will come back and can be ignored if NULL */
 	comm_point_callback_type* cb;
 	/** callback user argument */
 	void* cb_arg;
@ -298,6 +406,8 @@ struct waiting_tcp {
 	int ssl_upstream;
 	/** ref to the tls_auth_name from the serviced_query */
 	char* tls_auth_name;
 	/** the packet was involved in an error, to stop looping errors */
 	int error_count;
 };
 /**
@ -392,6 +502,8 @@ struct serviced_query {
 	struct service_callback* cblist;
 	/** the UDP or TCP query that is pending, see status which */
 	void* pending;
 	/** block size with which to pad encrypted queries (default: 128) */
 	size_t padding_block_size;
 };
 /**
@ -421,6 +533,7 @@ struct serviced_query {
 * 	msec to wait on timeouted udp sockets.
 * @param tls_use_sni: if SNI is used for TLS connections.
 * @param dtenv: environment to send dnstap events with (if enabled).
 * @param udp_connect: if the udp_connect option is enabled.
 * @return: the new structure (with no pending answers) or NULL on error.
 */
 struct outside_network* outside_network_create(struct comm_base* base,
@ -429,7 +542,8 @@ struct outside_network* outside_network_create(struct comm_base* base,
 	struct ub_randstate* rnd, int use_caps_for_id, int* availports, 
 	int numavailports, size_t unwanted_threshold, int tcp_mss,
 	void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
-	void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv);
+	void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv,
 	int udp_connect);
 /**
 * Delete outside_network structure.
@ -546,6 +660,19 @@ size_t outnet_get_mem(struct outside_network* outnet);
 */
 size_t serviced_get_mem(struct serviced_query* sq);
 /** Pick random ID value for a tcp stream, avoids existing IDs. */
 uint16_t reuse_tcp_select_id(struct reuse_tcp* reuse,
 	struct outside_network* outnet);
 /** find element in tree by id */
 struct waiting_tcp* reuse_tcp_by_id_find(struct reuse_tcp* reuse, uint16_t id);
 /** insert element in tree by id */
 void reuse_tree_by_id_insert(struct reuse_tcp* reuse, struct waiting_tcp* w);
 /** delete readwait waiting_tcp elements, deletes the elements in the list */
 void reuse_del_readwait(rbtree_type* tree_by_id);
 /** get TCP file descriptor for address, returns -1 on failure,
 * tcp_mss is 0 or maxseg size to set for TCP packets. */
 int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp);
@ -643,4 +770,10 @@ int pending_cmp(const void* key1, const void* key2);
 /** compare function of serviced query rbtree */
 int serviced_cmp(const void* key1, const void* key2);
 /** compare function of reuse_tcp rbtree in outside_network struct */
 int reuse_cmp(const void* key1, const void* key2);
 /** compare function of reuse_tcp tree_by_id rbtree */
 int reuse_id_cmp(const void* key1, const void* key2);
 #endif /* OUTSIDE_NETWORK_H */
--- a/services/rpz.c
+++ b/services/rpz.c
@ -668,7 +668,8 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass,
 	int only_exact, int wr, int zones_keep_lock)
 {
 	uint8_t* ce;
-	size_t ce_len, ce_labs;
+	size_t ce_len;
 	int ce_labs;
 	uint8_t wc[LDNS_MAX_DOMAINLEN+1];
 	int exact;
 	struct local_zone* z = NULL;
@ -963,8 +964,8 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 	for(a = az->rpz_first; a; a = a->rpz_az_next) {
 		lock_rw_rdlock(&a->lock);
 		r = a->rpz;
-		if(!r->taglist || taglist_intersect(r->taglist, 
+		if(!r->disabled && (!r->taglist || taglist_intersect(r->taglist,
-			r->taglistlen, taglist, taglen)) {
+			r->taglistlen, taglist, taglen))) {
 			z = rpz_find_zone(r, qinfo->qname, qinfo->qname_len,
 				qinfo->qclass, 0, 0, 0);
 			if(z && r->action_override == RPZ_DISABLED_ACTION) {
@ -1044,3 +1045,17 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 	return ret;
 }
 void rpz_enable(struct rpz* r)
 {
    if(!r)
        return;
    r->disabled = 0;
 }
 void rpz_disable(struct rpz* r)
 {
    if(!r)
        return;
    r->disabled = 1;
 }
--- a/services/rpz.h
+++ b/services/rpz.h
@ -99,6 +99,7 @@ struct rpz {
 	int log;
 	char* log_name;
 	struct regional* region;
 	int disabled;
 };
 /**
@ -198,4 +199,16 @@ void rpz_finish_config(struct rpz* r);
 enum respip_action
 rpz_action_to_respip_action(enum rpz_action a);
 /**
 * Enable RPZ
 * @param r: RPZ struct to enable
 */
 void rpz_enable(struct rpz* r);
 /**
 * Disable RPZ
 * @param r: RPZ struct to disable
 */
 void rpz_disable(struct rpz* r);
 #endif /* SERVICES_RPZ_H */
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@ -155,6 +155,36 @@
 char* wsa_strerror(int err);
 #endif
 static const char ICANN_UPDATE_CA[] =
 	/* The ICANN CA fetched at 24 Sep 2010.  Valid to 2028 */
 	"-----BEGIN CERTIFICATE-----\n"
 	"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
 	"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
 	"BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
 	"DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
 	"IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
 	"MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
 	"cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
 	"G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
 	"ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
 	"paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
 	"MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
 	"iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
 	"Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
 	"DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
 	"6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
 	"2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
 	"15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
 	"0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
 	"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
 	"-----END CERTIFICATE-----\n";
 static const char DS_TRUST_ANCHOR[] =
 	/* The anchors must start on a new line with ". IN DS and end with \n"[;]
 	 * because the makedist script greps on the source here */
 	/* anchor 20326 is from 2017 */
 ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
 /** verbosity for this application */
 static int verb = 0;
@ -213,48 +243,21 @@ usage(void)
 static const char*
 get_builtin_cert(void)
 {
-	return
+	return ICANN_UPDATE_CA;
 /* The ICANN CA fetched at 24 Sep 2010.  Valid to 2028 */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
 "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
 "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
 "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
 "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
 "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
 "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
 "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
 "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
 "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
 "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
 "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
 "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
 "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
 "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
 "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
 "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
 "-----END CERTIFICATE-----\n"
 		;
 }
 /** return the built in root DS trust anchor */
 static const char*
 get_builtin_ds(void)
 {
-	return
+	return DS_TRUST_ANCHOR;
 /* The anchors must start on a new line with ". IN DS and end with \n"[;]
 * because the makedist script greps on the source here */
 /* anchor 20326 is from 2017 */
 ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
 }
 /** print hex data */
 static void
-print_data(const char* msg, const char* data, int len)
+print_data(const char* msg, const char* data, size_t len)
 {
-	int i;
+	size_t i;
 	printf("%s: ", msg);
 	for(i=0; i<len; i++) {
 		printf(" %2.2x", (unsigned char)data[i]);
@ -1110,7 +1113,7 @@ read_http_result(SSL* ssl)
 		data = read_data_chunk(ssl, len);
 	}
 	if(!data) return NULL;
-	if(verb >= 4) print_data("read data", data, (int)len);
+	if(verb >= 4) print_data("read data", data, len);
 	m = BIO_new(BIO_s_mem());
 	if(!m) {
 		if(verb) printf("out of memory\n");
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@ -82,6 +82,9 @@ static void usage(void) ATTR_NORETURN;
 static void ssl_err(const char* s) ATTR_NORETURN;
 static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN;
 /** timeout to wait for connection over stream, in msec */
 #define UNBOUND_CONTROL_CONNECT_TIMEOUT 5000
 /** Give unbound-control usage, and exit (1). */
 static void
 usage(void)
@ -164,6 +167,9 @@ usage(void)
 	printf("  view_local_data_remove view name  	remove local-data in view\n");
 	printf("  view_local_datas_remove view 		remove list of local-data from view\n");
 	printf("  					one entry per line read from stdin\n");
 	printf("  rpz_enable zone		Enable the RPZ zone if it had previously\n");
 	printf("  				been disabled\n");
 	printf("  rpz_disable zone		Disable the RPZ zone\n");
 	printf("Version %s\n", PACKAGE_VERSION);
 	printf("BSD licensed, see LICENSE in source package for details.\n");
 	printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
@ -545,6 +551,30 @@ setup_ctx(struct config_file* cfg)
 	return ctx;
 }
 /** check connect error */
 static void
 checkconnecterr(int err, const char* svr, struct sockaddr_storage* addr,
 	socklen_t addrlen, int statuscmd, int useport)
 {
 #ifndef USE_WINSOCK
 	if(!useport) log_err("connect: %s for %s", strerror(err), svr);
 	else log_err_addr("connect", strerror(err), addr, addrlen);
 	if(err == ECONNREFUSED && statuscmd) {
 		printf("unbound is stopped\n");
 		exit(3);
 	}
 #else
 	int wsaerr = err;
 	if(!useport) log_err("connect: %s for %s", wsa_strerror(wsaerr), svr);
 	else log_err_addr("connect", wsa_strerror(wsaerr), addr, addrlen);
 	if(wsaerr == WSAECONNREFUSED && statuscmd) {
 		printf("unbound is stopped\n");
 		exit(3);
 	}
 #endif
 	exit(1);
 }
 /** contact the server with TCP connect */
 static int
 contact_server(const char* svr, struct config_file* cfg, int statuscmd)
@ -598,26 +628,75 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
 	if(fd == -1) {
 		fatal_exit("socket: %s", sock_strerror(errno));
 	}
 	fd_set_nonblock(fd);
 	if(connect(fd, (struct sockaddr*)&addr, addrlen) < 0) {
 #ifndef USE_WINSOCK
-		int err = errno;
+#ifdef EINPROGRESS
-		if(!useport) log_err("connect: %s for %s", strerror(err), svr);
+		if(errno != EINPROGRESS) {
-		else log_err_addr("connect", strerror(err), &addr, addrlen);
+			checkconnecterr(errno, svr, &addr,
-		if(err == ECONNREFUSED && statuscmd) {
+				addrlen, statuscmd, useport);
-			printf("unbound is stopped\n");
+		}
-			exit(3);
+#endif
-		}
+#else
-#else
+		if(WSAGetLastError() != WSAEINPROGRESS &&
-		int wsaerr = WSAGetLastError();
+			WSAGetLastError() != WSAEWOULDBLOCK) {
-		if(!useport) log_err("connect: %s for %s", wsa_strerror(wsaerr), svr);
+			checkconnecterr(WSAGetLastError(), svr, &addr,
-		else log_err_addr("connect", wsa_strerror(wsaerr), &addr, addrlen);
+				addrlen, statuscmd, useport);
 		if(wsaerr == WSAECONNREFUSED && statuscmd) {
 			printf("unbound is stopped\n");
 			exit(3);
 		}
 #endif
 		exit(1);
 	}
 	while(1) {
 		fd_set rset, wset, eset;
 		struct timeval tv;
 		FD_ZERO(&rset);
 		FD_SET(FD_SET_T fd, &rset);
 		FD_ZERO(&wset);
 		FD_SET(FD_SET_T fd, &wset);
 		FD_ZERO(&eset);
 		FD_SET(FD_SET_T fd, &eset);
 		tv.tv_sec = UNBOUND_CONTROL_CONNECT_TIMEOUT/1000;
 		tv.tv_usec= (UNBOUND_CONTROL_CONNECT_TIMEOUT%1000)*1000;
 		if(select(fd+1, &rset, &wset, &eset, &tv) == -1) {
 			fatal_exit("select: %s", sock_strerror(errno));
 		}
 		if(!FD_ISSET(fd, &rset) && !FD_ISSET(fd, &wset) &&
 			!FD_ISSET(fd, &eset)) {
 			fatal_exit("timeout: could not connect to server");
 		} else {
 			/* check nonblocking connect error */
 			int error = 0;
 			socklen_t len = (socklen_t)sizeof(error);
 			if(getsockopt(fd, SOL_SOCKET, SO_ERROR, (void*)&error,
 				&len) < 0) {
 #ifndef USE_WINSOCK
 				error = errno; /* on solaris errno is error */
 #else
 				error = WSAGetLastError();
 #endif
 			}
 			if(error != 0) {
 #ifndef USE_WINSOCK
 #ifdef EINPROGRESS
 				if(error == EINPROGRESS)
 					continue; /* try again later */
 #endif
 #ifdef EWOULDBLOCK
 				if(error == EWOULDBLOCK)
 					continue; /* try again later */
 #endif
 #else
 				if(error == WSAEINPROGRESS)
 					continue; /* try again later */
 				if(error == WSAEWOULDBLOCK)
 					continue; /* try again later */
 #endif
 				checkconnecterr(error, svr, &addr, addrlen,
 					statuscmd, useport);
 			}
 		}
 		break;
 	}
 	fd_set_block(fd);
 	return fd;
 }
--- a/smallapp/worker_cb.c
+++ b/smallapp/worker_cb.c
@ -46,6 +46,9 @@
 #include "util/fptr_wlist.h"
 #include "util/log.h"
 #include "services/mesh.h"
 #ifdef USE_DNSTAP
 #include "dnstap/dtstream.h"
 #endif
 void worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
 	uint8_t* ATTR_UNUSED(buffer), size_t ATTR_UNUSED(len),
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@ -64,6 +64,7 @@
 #include "sldns/sbuffer.h"
 #include "sldns/wire2str.h"
 #include "sldns/str2wire.h"
 #include "daemon/remote.h"
 #include <signal.h>
 struct worker;
 struct daemon_remote;
@ -1045,7 +1046,7 @@ outside_network_create(struct comm_base* base, size_t bufsize,
 	void (*unwanted_action)(void*), void* ATTR_UNUSED(unwanted_param),
 	int ATTR_UNUSED(do_udp), void* ATTR_UNUSED(sslctx),
 	int ATTR_UNUSED(delayclose), int ATTR_UNUSED(tls_use_sni),
-	struct dt_env* ATTR_UNUSED(dtenv))
+	struct dt_env* ATTR_UNUSED(dtenv), int ATTR_UNUSED(udp_connect))
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)base;
 	struct outside_network* outnet =  calloc(1, 
@ -1214,7 +1215,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	sldns_buffer_flip(pend->buffer);
 	if(1) {
 		struct edns_data edns;
-		struct edns_tag_addr* client_tag_addr;
+		struct edns_string_addr* client_string_addr;
 		if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen,
 			zone, zonelen, qstate, qstate->region)) {
 			free(pend);
@ -1228,13 +1229,14 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 		edns.bits = 0;
 		if(dnssec)
 			edns.bits = EDNS_DO;
-		if((client_tag_addr = edns_tag_addr_lookup(
+		edns.padding_block_size = 0;
-			&env->edns_tags->client_tags,
+		if((client_string_addr = edns_string_addr_lookup(
 			&env->edns_strings->client_strings,
 			addr, addrlen))) {
 			uint16_t client_tag = htons(client_tag_addr->tag_data);
 			edns_opt_list_append(&qstate->edns_opts_back_out,
-				env->edns_tags->client_tag_opcode, 2,
+				env->edns_strings->client_string_opcode,
-				(uint8_t*)&client_tag, qstate->region);
+				client_string_addr->string_len,
 				client_string_addr->string, qstate->region);
 		}
 		edns.opt_list = qstate->edns_opts_back_out;
 		attach_edns_record(pend->buffer, &edns);
@ -1511,6 +1513,18 @@ int serviced_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
 	return 0;
 }
 int reuse_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
 {
 	log_assert(0);
 	return 0;
 }
 int reuse_id_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
 {
 	log_assert(0);
 	return 0;
 }
 /* timers in testbound for autotrust. statistics tested in tdir. */
 struct comm_timer* comm_timer_create(struct comm_base* base, 
 	void (*cb)(void*), void* cb_arg)
@ -1753,7 +1767,7 @@ struct comm_point* outnet_comm_point_for_http(struct outside_network* outnet,
 }
 int comm_point_send_udp_msg(struct comm_point *c, sldns_buffer* packet,
-	struct sockaddr* addr, socklen_t addrlen) 
+	struct sockaddr* addr, socklen_t addrlen, int ATTR_UNUSED(is_connected))
 {
 	struct fake_commpoint* fc = (struct fake_commpoint*)c;
 	struct replay_runtime* runtime = fc->runtime;
--- a/testcode/testbound.c
+++ b/testcode/testbound.c
@ -42,16 +42,22 @@
 #ifdef HAVE_TIME_H
 #  include <time.h>
 #endif
 #include <ctype.h>
 #include "testcode/testpkts.h"
 #include "testcode/replay.h"
 #include "testcode/fake_event.h"
 #include "daemon/remote.h"
 #include "libunbound/worker.h"
 #include "util/config_file.h"
 #include "sldns/keyraw.h"
-#include <ctype.h>
+#ifdef UB_ON_WINDOWS
 #include "winrc/win_svc.h"
 #endif
 /** signal that this is a testbound compile */
 #define unbound_testbound 1
 /** renamed main routine */
 int daemon_main(int argc, char* argv[]);
 /** 
 * include the main program from the unbound daemon.
 * rename main to daemon_main to call it
@ -333,7 +339,7 @@ setup_playback(const char* filename, int* pass_argc, char* pass_argv[])
 }
 /** remove config file at exit */
-void remove_configfile(void)
+static void remove_configfile(void)
 {
 	struct config_strlist* p;
 	for(p=cfgfiles; p; p=p->next)
@ -551,22 +557,28 @@ void remote_get_opt_ssl(char* ATTR_UNUSED(str), void* ATTR_UNUSED(arg))
        log_assert(0);
 }
 #ifdef UB_ON_WINDOWS
 void wsvc_command_option(const char* ATTR_UNUSED(wopt), 
 	const char* ATTR_UNUSED(cfgfile), int ATTR_UNUSED(v), 
 	int ATTR_UNUSED(c))
 {
 	log_assert(0);
 }
 #endif
 #ifdef UB_ON_WINDOWS
 void wsvc_setup_worker(struct worker* ATTR_UNUSED(worker))
 {
 	/* do nothing */
 }
 #endif
 #ifdef UB_ON_WINDOWS
 void wsvc_desetup_worker(struct worker* ATTR_UNUSED(worker))
 {
 	/* do nothing */
 }
 #endif
 #ifdef UB_ON_WINDOWS
 void worker_win_stop_cb(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev),
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@ -839,6 +839,52 @@ static void respip_test(void)
 	respip_conf_actions_test();
 }
 #include "services/outside_network.h"
 /** add number of new IDs to the reuse tree, randomly chosen */
 static void tcpid_addmore(struct reuse_tcp* reuse,
 	struct outside_network* outnet, unsigned int addnum)
 {
 	unsigned int i;
 	struct waiting_tcp* w;
 	for(i=0; i<addnum; i++) {
 		uint16_t id = reuse_tcp_select_id(reuse, outnet);
 		unit_assert(!reuse_tcp_by_id_find(reuse, id));
 		w = calloc(1, sizeof(*w));
 		unit_assert(w);
 		w->id = id;
 		w->outnet = outnet;
 		w->next_waiting = (void*)reuse->pending;
 		reuse_tree_by_id_insert(reuse, w);
 	}
 }
 /** fill up the reuse ID tree and test assertions */
 static void tcpid_fillup(struct reuse_tcp* reuse,
 	struct outside_network* outnet)
 {
 	int t, numtest=3;
 	for(t=0; t<numtest; t++) {
 		rbtree_init(&reuse->tree_by_id, reuse_id_cmp);
 		tcpid_addmore(reuse, outnet, 65535);
 		reuse_del_readwait(&reuse->tree_by_id);
 	}
 }
 /** test TCP ID selection */
 static void tcpid_test(void)
 {
 	struct pending_tcp pend;
 	struct outside_network outnet;
 	unit_show_func("services/outside_network.c", "reuse_tcp_select_id");
 	memset(&pend, 0, sizeof(pend));
 	pend.reuse.pending = &pend;
 	memset(&outnet, 0, sizeof(outnet));
 	outnet.rnd = ub_initstate(NULL);
 	rbtree_init(&pend.reuse.tree_by_id, reuse_id_cmp);
 	tcpid_fillup(&pend.reuse, &outnet);
 	ub_randfree(outnet.rnd);
 }
 void unit_show_func(const char* file, const char* func)
 {
 	printf("test %s:%s\n", file, func);
@ -908,6 +954,7 @@ main(int argc, char* argv[])
 	ldns_test();
 	zonemd_test();
 	msgparse_test();
 	tcpid_test();
 #ifdef CLIENT_SUBNET
 	ecs_test();
 #endif /* CLIENT_SUBNET */
--- a/testdata/auth_zonefile_down.rpl
+++ b/testdata/auth_zonefile_down.rpl
@ -1,6 +1,12 @@
 ; config options
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	; Options for signed zone. The zone is partially copied from val_negcache_nxdomain.rpl
 	trust-anchor: "testzone.nlnetlabs.nl.	IN	DS	2926 8 2 6f8512d1e82eecbd684fc4a76f39f8c5b411af385494873bdead663ddb78a88b"
 	val-override-date: "20180213111425"
 	qname-minimisation: "no"
 	trust-anchor-signaling: no
 	aggressive-nsec: yes
 auth-zone:
 	name: "example.com."
@ -41,6 +47,50 @@ ns1	3600	IN	A	1.2.3.4
 ns2	3600	IN	AAAA	::2
 TEMPFILE_END
 auth-zone:
 	name: "soa.high.com."
 	for-downstream: yes
 	for-upstream: no
 	zonefile:
 TEMPFILE_NAME soa.high.com
 TEMPFILE_CONTENTS soa.high.com
 $ORIGIN high.com.
 soa	500	IN	SOA	dns.example.de. hostmaster.dns.example.de. (
 		1379078166 28800 7200 604800 200 )
 	3600	IN	NS	ns1.example.com.
 	3600	IN	NS	ns2.example.com.
 TEMPFILE_END
 auth-zone:
 	name: "soa.low.com."
 	for-downstream: yes
 	for-upstream: no
 	zonefile:
 TEMPFILE_NAME soa.low.com
 TEMPFILE_CONTENTS soa.low.com
 $ORIGIN low.com.
 soa	200	IN	SOA	dns.example.de. hostmaster.dns.example.de. (
 		1379078166 28800 7200 604800 500 )
 	3600	IN	NS	ns1.example.com.
 	3600	IN	NS	ns2.example.com.
 TEMPFILE_END
 auth-zone:
 	name: "testzone.nlnetlabs.nl."
 	for-downstream: yes
 	for-upstream: no
 	zonefile:
 TEMPFILE_NAME testzone.nlnetlabs.nl
 TEMPFILE_CONTENTS testzone.nlnetlabs.nl
 $ORIGIN testzone.nlnetlabs.nl.
 testzone.nlnetlabs.nl.  3600    IN      NSEC    alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY
 testzone.nlnetlabs.nl.  3600    IN      RRSIG   NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0=
 alligator.testzone.nlnetlabs.nl.        3600    IN      NSEC    cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC
 alligator.testzone.nlnetlabs.nl.        3600    IN      RRSIG   NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI=
 testzone.nlnetlabs.nl.  4600    IN      SOA     ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
 testzone.nlnetlabs.nl.  4600    IN      RRSIG   SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0=
 TEMPFILE_END
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
@ -50,7 +100,7 @@ SCENARIO_BEGIN Test authority zone with zonefile for downstream responses
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
+	ADDRESS 193.0.14.129
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@ -182,4 +232,109 @@ SECTION ANSWER
 www.example.com. IN A	1.2.3.4
 ENTRY_END
 ; check SOA TTL to be the minimum of the SOA.minimum and the SOA TTL
 STEP 30 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 nonexistent.soa.high.com. IN A
 ENTRY_END
 STEP 31 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD RA AA NXDOMAIN
 SECTION QUESTION
 nonexistent.soa.high.com IN A
 SECTION AUTHORITY
 soa.high.com. 200 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 200
 ENTRY_END
 ; check that the original SOA is also returned
 STEP 32 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 soa.high.com. IN SOA
 ENTRY_END
 STEP 33 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD RA AA NOERROR
 SECTION QUESTION
 soa.high.com. IN SOA
 SECTION ANSWER
 soa.high.com. 500 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 200
 ENTRY_END
 ; check SOA TTL to be the minimum of the SOA.minimum and the SOA TTL
 STEP 40 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 nonexistent.soa.low.com. IN A
 ENTRY_END
 STEP 41 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD RA AA NXDOMAIN
 SECTION QUESTION
 nonexistent.soa.low.com. IN A
 SECTION AUTHORITY
 soa.low.com. 200 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 500
 ENTRY_END
 ; check that the original SOA is also returned
 STEP 42 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 soa.low.com. IN SOA
 ENTRY_END
 STEP 43 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD RA AA NOERROR
 SECTION QUESTION
 soa.low.com. IN SOA
 SECTION ANSWER
 soa.low.com. 200 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 500
 ENTRY_END
 ; check SOA TTL to be minimum of the SOA.minimum and the SOA TTL for DNSSEC
 STEP 50 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 ant.testzone.nlnetlabs.nl. IN A
 ENTRY_END
 STEP 51 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD DO RA AA NXDOMAIN
 SECTION QUESTION
 ant.testzone.nlnetlabs.nl. IN A
 SECTION AUTHORITY
 testzone.nlnetlabs.nl.  3600    IN      SOA     ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
 testzone.nlnetlabs.nl.  3600    IN      RRSIG   SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0=
 alligator.testzone.nlnetlabs.nl.        3600    IN      NSEC    cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC
 alligator.testzone.nlnetlabs.nl.        3600    IN      RRSIG   NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI=
 testzone.nlnetlabs.nl.  3600    IN      NSEC    alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY
 testzone.nlnetlabs.nl.  3600    IN      RRSIG   NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0=
 ENTRY_END
 ; check that the original SOA is also returned
 STEP 52 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 testzone.nlnetlabs.nl. IN SOA
 ENTRY_END
 STEP 53 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD DO RA AA NOERROR
 SECTION QUESTION
 testzone.nlnetlabs.nl. IN SOA
 SECTION ANSWER
 testzone.nlnetlabs.nl.  4600    IN      SOA     ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
 testzone.nlnetlabs.nl.  4600    IN      RRSIG   SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0=
 ENTRY_END
 SCENARIO_END
--- a/testdata/edns_client_string.rpl
+++ b/testdata/edns_client_string.rpl
@ -1,14 +1,14 @@
 ; config options
 server:
-	edns-client-tag: 10.0.0.0/24 1234
+	edns-client-string: 10.0.0.0/24 "abc d"
-	edns-client-tag: 10.0.0.10/32 5678
+	edns-client-string: 10.0.0.10/32 "123AbC!"
 stub-zone:
-	name: "tag1234."
+	name: "edns-string-abc."
 	stub-addr: 10.0.0.1
 stub-zone:
-	name: "tag5678."
+	name: "edns-string-123."
 	stub-addr: 10.0.0.10
 stub-zone:
@ -17,7 +17,7 @@ stub-zone:
 CONFIG_END
-SCENARIO_BEGIN Test EDNS client tag option
+SCENARIO_BEGIN Test EDNS string tag option
 RANGE_BEGIN 0 1000
 	ADDRESS 10.0.0.1
@ -26,9 +26,9 @@ MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
-tag1234. IN A
+edns-string-abc. IN A
 SECTION ANSWER
-tag1234. IN A 10.20.30.40
+edns-string-abc. IN A 10.20.30.40
 SECTION ADDITIONAL
 ENTRY_END
 RANGE_END
@ -40,9 +40,9 @@ MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
-tag5678. IN A
+edns-string-123. IN A
 SECTION ANSWER
-tag5678. IN A 10.20.30.40
+edns-string-123. IN A 10.20.30.40
 SECTION ADDITIONAL
 ENTRY_END
 RANGE_END
@ -65,19 +65,19 @@ STEP 10 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
-tag1234. IN A
+edns-string-abc. IN A
 ENTRY_END
 STEP 20 CHECK_OUT_QUERY
 ENTRY_BEGIN
 MATCH qname qtype opcode ednsdata
 SECTION QUESTION
-tag1234. IN A
+edns-string-abc. IN A
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
-		00 10           ; Opcode 16
+		fd e9           ; Opcode 65001
-		00 02           ; Length 2
+		00 05           ; Length 5
-		04 d2           ; 1234
+		61 62 63 20 64  ; "abc d"
 	HEX_EDNSDATA_END
 ENTRY_END
@ -86,28 +86,29 @@ ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA NOERROR
 SECTION QUESTION
-tag1234. IN A
+edns-string-abc. IN A
 SECTION ANSWER
-tag1234. IN A 10.20.30.40
+edns-string-abc. IN A 10.20.30.40
 ENTRY_END
 STEP 110 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
-tag5678. IN A
+edns-string-123. IN A
 ENTRY_END
 STEP 120 CHECK_OUT_QUERY
 ENTRY_BEGIN
 MATCH qname qtype opcode ednsdata
 SECTION QUESTION
-tag5678. IN A
+edns-string-123. IN A
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
-		00 10           ; Opcode 16
+		fd e9           ; Opcode 65001
-		00 02           ; Length 2
+		00 07           ; Length 7
-		16 2e           ; 5678
+		31 32 33 41 62  ; "123Ab"
 		43 21		; "C!"
 	HEX_EDNSDATA_END
 ENTRY_END
@ -116,9 +117,9 @@ ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA NOERROR
 SECTION QUESTION
-tag5678. IN A
+edns-string-123. IN A
 SECTION ANSWER
-tag5678. IN A 10.20.30.40
+edns-string-123. IN A 10.20.30.40
 ENTRY_END
 STEP 210 QUERY
--- a/testdata/edns_client_string_opcode.rpl
+++ b/testdata/edns_client_string_opcode.rpl
@ -0,0 +1,153 @@
 ; config options
 server:
 	edns-client-string: 10.0.0.0/24 "abc d"
 	edns-client-string: 10.0.0.10/32 "123AbC!"
 	edns-client-string-opcode: 65432
 stub-zone:
 	name: "edns-string-abc."
 	stub-addr: 10.0.0.1
 stub-zone:
 	name: "edns-string-123."
 	stub-addr: 10.0.0.10
 stub-zone:
 	name: "notag."
 	stub-addr: 10.10.0.1
 CONFIG_END
 SCENARIO_BEGIN Test EDNS string tag option
 RANGE_BEGIN 0 1000
 	ADDRESS 10.0.0.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 edns-string-abc. IN A
 SECTION ANSWER
 edns-string-abc. IN A 10.20.30.40
 SECTION ADDITIONAL
 ENTRY_END
 RANGE_END
 RANGE_BEGIN 0 1000
 	ADDRESS 10.0.0.10
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 edns-string-123. IN A
 SECTION ANSWER
 edns-string-123. IN A 10.20.30.40
 SECTION ADDITIONAL
 ENTRY_END
 RANGE_END
 RANGE_BEGIN 0 1000
 	ADDRESS 10.10.0.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 notag. IN A
 SECTION ANSWER
 notag. IN A 10.20.30.40
 SECTION ADDITIONAL
 ENTRY_END
 RANGE_END
 STEP 10 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 edns-string-abc. IN A
 ENTRY_END
 STEP 20 CHECK_OUT_QUERY
 ENTRY_BEGIN
 MATCH qname qtype opcode ednsdata
 SECTION QUESTION
 edns-string-abc. IN A
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
 		ff 98           ; Opcode 65432
 		00 05           ; Length 5
 		61 62 63 20 64  ; "abc d"
 	HEX_EDNSDATA_END
 ENTRY_END
 STEP 30 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA NOERROR
 SECTION QUESTION
 edns-string-abc. IN A
 SECTION ANSWER
 edns-string-abc. IN A 10.20.30.40
 ENTRY_END
 STEP 110 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 edns-string-123. IN A
 ENTRY_END
 STEP 120 CHECK_OUT_QUERY
 ENTRY_BEGIN
 MATCH qname qtype opcode ednsdata
 SECTION QUESTION
 edns-string-123. IN A
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
 		ff 98           ; Opcode 65432
 		00 07           ; Length 7
 		31 32 33 41 62  ; "123Ab"
 		43 21		; "C!"
 	HEX_EDNSDATA_END
 ENTRY_END
 STEP 130 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA NOERROR
 SECTION QUESTION
 edns-string-123. IN A
 SECTION ANSWER
 edns-string-123. IN A 10.20.30.40
 ENTRY_END
 STEP 210 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 notag. IN A
 ENTRY_END
 STEP 220 CHECK_OUT_QUERY
 ENTRY_BEGIN
 MATCH qname qtype opcode ednsdata
 SECTION QUESTION
 notag. IN A
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
 	HEX_EDNSDATA_END
 ENTRY_END
 STEP 230 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA NOERROR
 SECTION QUESTION
 notag. IN A
 SECTION ANSWER
 notag. IN A 10.20.30.40
 ENTRY_END
 SCENARIO_END
--- a/testdata/fwd_ancil.tdir/fwd_ancil.post
+++ b/testdata/fwd_ancil.tdir/fwd_ancil.post
@ -14,5 +14,9 @@ fi
 kill_pid $FWD_PID
 if fgrep "service stopped" unbound.log; then
 	exit 0
-fi      
+fi
 if fgrep "disable interface-automatic" unbound.log; then
 	echo "skip test"
 	exit 0
 fi
 kill_pid $UNBOUND_PID
--- a/testdata/fwd_oneport.tdir/fwd_oneport.conf
+++ b/testdata/fwd_oneport.tdir/fwd_oneport.conf
@ -13,6 +13,7 @@ server:
 	num-queries-per-thread: 1024
 	use-syslog: no
 	do-not-query-localhost: no
 	udp-connect: no
 forward-zone:
 	name: "."
 	forward-addr: "127.0.0.1@@TOPORT@"
--- a/testdata/localdata.rpl
+++ b/testdata/localdata.rpl
@ -35,6 +35,9 @@ server:
 	local-zone: "redirect.top." redirect
 	local-data: "redirect.top. A 20.30.40.54"
 	; null zone
 	local-zone: "null.top." always_null
 	; create implicit data in the IN domain as well
 	local-data: "a.a.implicit. A 20.30.41.50"
 	local-data: "b.a.implicit. A 20.30.42.50"
@ -85,12 +88,12 @@ local. IN A
 ENTRY_END
 STEP 6 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH all
+MATCH all ttl
 REPLY QR RA AA
 SECTION QUESTION
 local. IN A
 SECTION AUTHORITY
-local. 3600 IN SOA nobody nobody 1 2 3 4 5
+local. 5 IN SOA nobody nobody 1 2 3 4 5
 ENTRY_END
 ; positive SOA
@ -101,7 +104,7 @@ local. IN SOA
 ENTRY_END
 STEP 8 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH all
+MATCH all ttl
 REPLY QR RA AA
 SECTION QUESTION
 local. IN SOA
@ -133,12 +136,12 @@ serv.local. IN MX
 ENTRY_END
 STEP 12 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH all
+MATCH all ttl
 REPLY QR RA AA
 SECTION QUESTION
 serv.local. IN MX
 SECTION AUTHORITY
-local. 3600 IN SOA nobody nobody 1 2 3 4 5
+local. 5 IN SOA nobody nobody 1 2 3 4 5
 ENTRY_END
 ; no such type, empty nonterminal
@ -149,12 +152,12 @@ bla.local. IN MX
 ENTRY_END
 STEP 14 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH all
+MATCH all ttl
 REPLY QR RA AA
 SECTION QUESTION
 bla.local. IN MX
 SECTION AUTHORITY
-local. 3600 IN SOA nobody nobody 1 2 3 4 5
+local. 5 IN SOA nobody nobody 1 2 3 4 5
 ENTRY_END
 ; nxdomain with SOA
@ -165,12 +168,12 @@ doing.local. IN MX
 ENTRY_END
 STEP 16 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH all
+MATCH all ttl
 REPLY QR RA AA NXDOMAIN
 SECTION QUESTION
 doing.local. IN MX
 SECTION AUTHORITY
-local. 3600 IN SOA nobody nobody 1 2 3 4 5
+local. 5 IN SOA nobody nobody 1 2 3 4 5
 ENTRY_END
 ; nxdomain without SOA
@ -355,4 +358,36 @@ SECTION ANSWER
 www.redirect.top. IN A 20.30.40.54
 ENTRY_END
 ; always_null zone
 STEP 60 QUERY
 ENTRY_BEGIN
 SECTION QUESTION
 null.top. IN A
 ENTRY_END
 STEP 61 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RA AA NOERROR
 SECTION QUESTION
 null.top. IN A
 SECTION ANSWER
 null.top. IN A 0.0.0.0
 ENTRY_END
 ; always_null zone AAAA
 STEP 62 QUERY
 ENTRY_BEGIN
 SECTION QUESTION
 foo.null.top. IN AAAA
 ENTRY_END
 STEP 63 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RA AA NOERROR
 SECTION QUESTION
 foo.null.top. IN AAAA
 SECTION ANSWER
 foo.null.top. IN AAAA ::0
 ENTRY_END
 SCENARIO_END
--- a/testdata/nsid_ascii.rpl
+++ b/testdata/nsid_ascii.rpl
@ -0,0 +1,54 @@
 ; config options
 server:
 	nsid: "ascii_hopsa kidee"
 stub-zone:
 	name: "example."
 	stub-addr: 192.0.2.1
 CONFIG_END
 SCENARIO_BEGIN Test EDNS string tag option
 RANGE_BEGIN 0 1000
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example. IN A
 SECTION ANSWER
 example. IN A 198.51.100.1
 SECTION ADDITIONAL
 ENTRY_END
 RANGE_END
 STEP 10 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 example. IN A
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
 		00 03 ; Opcode NSID (3)
 		00 00 ; Length 0
 	HEX_EDNSDATA_END
 ENTRY_END
 STEP 30 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA NOERROR
 SECTION QUESTION
 example. IN A
 SECTION ANSWER
 example. IN A 198.51.100.1
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
 		00 03             ; Opcode NSID (3)
 		00 0b             ; Length 11
 		68 6F 70 73 61 20 ; "hopsa "
 		6B 69 64 65 65    ; "kidee"
 	HEX_EDNSDATA_END
 ENTRY_END
 SCENARIO_END
--- a/testdata/nsid_hex.rpl
+++ b/testdata/nsid_hex.rpl
@ -0,0 +1,54 @@
 ; config options
 server:
 	nsid: "0123456789abcdef"
 stub-zone:
 	name: "example."
 	stub-addr: 192.0.2.1
 CONFIG_END
 SCENARIO_BEGIN Test EDNS string tag option
 RANGE_BEGIN 0 1000
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example. IN A
 SECTION ANSWER
 example. IN A 198.51.100.1
 SECTION ADDITIONAL
 ENTRY_END
 RANGE_END
 STEP 10 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 example. IN A
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
 		00 03 ; Opcode NSID (3)
 		00 00 ; Length 0
 	HEX_EDNSDATA_END
 ENTRY_END
 STEP 30 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA NOERROR
 SECTION QUESTION
 example. IN A
 SECTION ANSWER
 example. IN A 198.51.100.1
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
 		00 03       ; Opcode NSID (3)
 		00 08       ; Length 8
 		01 23 45 67 ;
 		89 ab cd ef ;
 	HEX_EDNSDATA_END
 ENTRY_END
 SCENARIO_END
--- a/testdata/nsid_not_set.rpl
+++ b/testdata/nsid_not_set.rpl
@ -0,0 +1,47 @@
 ; config options
 stub-zone:
 	name: "example."
 	stub-addr: 192.0.2.1
 CONFIG_END
 SCENARIO_BEGIN Test EDNS string tag option
 RANGE_BEGIN 0 1000
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example. IN A
 SECTION ANSWER
 example. IN A 198.51.100.1
 SECTION ADDITIONAL
 ENTRY_END
 RANGE_END
 STEP 10 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 example. IN A
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
 		00 03 ; Opcode NSID (3)
 		00 00 ; Length 0
 	HEX_EDNSDATA_END
 ENTRY_END
 STEP 30 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA NOERROR
 SECTION QUESTION
 example. IN A
 SECTION ANSWER
 example. IN A 198.51.100.1
 SECTION ADDITIONAL
 	HEX_EDNSDATA_BEGIN
 	HEX_EDNSDATA_END
 ENTRY_END
 SCENARIO_END
--- a/testdata/padding.tdir/padding.conf
+++ b/testdata/padding.tdir/padding.conf
@ -0,0 +1,27 @@
 server:
 	interface: 127.0.0.1
 	port: @PORT@
 	use-syslog: no
 	directory: .
 	pidfile: "unbound.pid"
 	chroot: ""
 	username: ""
 	do-not-query-localhost: no
 	tls-cert-bundle: "unbound_server.pem"
 	tls-upstream: yes
 remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: @CONTROL_PORT@
        server-key-file: "unbound_server.key"
        server-cert-file: "unbound_server.pem"
        control-key-file: "unbound_control.key"
        control-cert-file: "unbound_control.pem"
 forward-zone:
 	name: "."
 	forward-addr: "127.0.0.1@@TOPORT@#unbound"
--- a/testdata/padding.tdir/padding.conf2
+++ b/testdata/padding.tdir/padding.conf2
@ -0,0 +1,47 @@
 # this is the upstream server that has pipelining and responds to queries.
 server:
 	verbosity: 1
 	# num-threads: 1
 	interface: 127.0.0.1@@PORT@
 	port: @PORT@
 	use-syslog: no
 	directory: .
 	pidfile: "unbound2.pid"
 	chroot: ""
 	username: ""
 	do-not-query-localhost: no
 	tls-port: @PORT@
 	tls-service-key: "unbound_server.key"
 	tls-service-pem: "unbound_server.pem"
 	tcp-idle-timeout: 10000
 	log-queries: yes
 	log-replies: yes
 	log-identity: "upstream"
 remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        # control-interface: ::1
        control-port: @CONTROL_PORT2@
        server-key-file: "unbound_server.key"
        server-cert-file: "unbound_server.pem"
        control-key-file: "unbound_control.key"
        control-cert-file: "unbound_control.pem"
 forward-zone:
 	name: "."
 	forward-addr: "127.0.0.1@@TOPORT@"
 dnstap:
        dnstap-enable: yes
        dnstap-socket-path: "dnstap.socket"
        dnstap-send-identity: yes
        dnstap-send-version: yes
        #dnstap-identity
        #dnstap-version
        dnstap-log-resolver-query-messages: no
        dnstap-log-resolver-response-messages: no
        dnstap-log-client-query-messages: yes
        dnstap-log-client-response-messages: yes
        dnstap-log-forwarder-query-messages: no
        dnstap-log-forwarder-response-messages: no
--- a/testdata/padding.tdir/padding.dsc
+++ b/testdata/padding.tdir/padding.dsc
@ -0,0 +1,16 @@
 BaseName: padding
 Version: 1.0
 Description: Test EDNS0 padding option (RFC7830 and RFC8467).
 CreationDate: Sun Jan 24 16:41:42 CET 2021
 Maintainer: Willem Toorop
 Category: 
 Component:
 CmdDepends: 
 Depends: 
 Help:
 Pre: padding.pre
 Post: padding.post
 Test: padding.test
 AuxFiles: 
 Passed:
 Failure:
--- a/testdata/padding.tdir/padding.msgsizes
+++ b/testdata/padding.tdir/padding.msgsizes
@ -0,0 +1,20 @@
 ;; MSG SIZE  rcvd: 128
 ;; MSG SIZE  rcvd: 468
 ;; MSG SIZE  rcvd: 128
 ;; MSG SIZE  rcvd: 936
 ;; MSG SIZE  rcvd: 128
 ;; MSG SIZE  rcvd: 60
 ;; MSG SIZE  rcvd: 128
 ;; MSG SIZE  rcvd: 502
 ;; MSG SIZE  rcvd: 44
 ;; MSG SIZE  rcvd: 60
 ;; MSG SIZE  rcvd: 44
 ;; MSG SIZE  rcvd: 502
 ;; MSG SIZE  rcvd: 48
 ;; MSG SIZE  rcvd: 64
 ;; MSG SIZE  rcvd: 48
 ;; MSG SIZE  rcvd: 512
 ;; MSG SIZE  rcvd: 48
 ;; MSG SIZE  rcvd: 512
 ;; MSG SIZE  rcvd: 48
 ;; MSG SIZE  rcvd: 512
--- a/testdata/padding.tdir/padding.post
+++ b/testdata/padding.tdir/padding.post
@ -0,0 +1,23 @@
 # #-- padding.post --#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # source the test var file when it's there
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 #
 # do your teardown here
 . ../common.sh
 PRE="../.."
 if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
 kill_pid $DNSTAP_SOCKET_PID
 kill_pid $FWD_PID
 kill_pid `cat unbound2.pid`
 if test -f unbound2.log; then
 	echo ">>> upstream log"
 	cat unbound2.log
 fi
 #kill_pid $UNBOUND_PID
 kill_pid `cat unbound.pid`
 if test -f unbound.log; then
 	echo ">>> unbound log"
 	cat unbound.log
 fi
--- a/testdata/padding.tdir/padding.pre
+++ b/testdata/padding.tdir/padding.pre
@ -0,0 +1,69 @@
 # #-- padding.pre--#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # use .tpkg.var.test for in test variable passing
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 PRE="../.."
 . ../common.sh
 if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
 get_random_port 5
 UNBOUND_PORT=$RND_PORT
 UPSTREAM_PORT=$(($RND_PORT + 1))
 FWD_PORT=$(($RND_PORT + 2))
 CONTROL_PORT=$(($RND_PORT + 3))
 CONTROL_PORT2=$(($RND_PORT + 4))
 echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
 echo "UPSTREAM_PORT=$UPSTREAM_PORT" >> .tpkg.var.test
 echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
 echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
 echo "CONTROL_PORT2=$CONTROL_PORT2" >> .tpkg.var.test
 # start ldns-testnd
 get_ldns_testns
 $LDNS_TESTNS -p $FWD_PORT padding.testns >fwd.log 2>&1 &
 FWD_PID=$!
 echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
 # start the dnstap log server
 # the -vvvv flag prints protocol and connection information from the
 # unbound-dnstap-socket server.
 # the -l flag prints the DNS info in the DNSTAP packet in multiline output.
 # stderr is the '-vvvv' server logs and errors.
 # stdout is the one-line packet logs (or with -l, multiline).
 $PRE/unbound-dnstap-socket -u dnstap.socket -l -vvvv 2>tap.errlog >tap.log &
 if test $? -ne 0; then
        echo "could not start unbound-dnstap-socket server"
        exit 1
 fi
 DNSTAP_SOCKET_PID=$!
 echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
 # wait for the server to go up and make the dnstap.socket file
 wait_server_up "tap.errlog" "creating unix socket"
 if test ! -S dnstap.socket; then 
        echo "the dnstap.socket file does not exist!"
 fi
 # make config file
 sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$UPSTREAM_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < padding.conf > ub.conf
 # start unbound in the background
 $PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
 #$PRE/unbound -d -c ub.conf 2>&1 | tee unbound.log &
 UNBOUND_PID=$!
 echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
 # make upstream config file
 sed -e 's/@PORT\@/'$UPSTREAM_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT2\@/'$CONTROL_PORT2'/' < padding.conf2 > ub2.conf
 # start upstream unbound in the background
 $PRE/unbound -d -c ub2.conf >unbound2.log 2>&1 &
 #$PRE/unbound -d -c ub2.conf 2>&1 | tee unbound2.log &
 UPSTREAM_PID=$!
 echo "UPSTREAM_PID=$UPSTREAM_PID" >> .tpkg.var.test
 wait_ldns_testns_up fwd.log
 wait_unbound_up unbound.log
 wait_unbound_up unbound2.log
 cat .tpkg.var.test
--- a/testdata/padding.tdir/padding.test
+++ b/testdata/padding.tdir/padding.test
@ -0,0 +1,170 @@
 echo There we go...
 # #-- padding.test --#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # use .tpkg.var.test for in test variable passing
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 PRE="../.."
 . ../common.sh
 if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
 echo "> query www.example.com. A"
 dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
 echo "> check answer"
 if grep "10.20.30.40" outfile; then
        echo "OK"
 else
        echo "> cat logfiles"
        cat tap.log
        cat tap.errlog
        cat fwd.log
 	cat unbound2.log 
        cat unbound.log
        echo "Not OK"
        exit 1
 fi
 echo "> wait for log to happen on timer"
 sleep 3
 echo "> check tap.log for dnstap info"
 # see if it logged the information in tap.log
 # wait for a moment for filesystem to catch up.
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
 if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
 else
        echo "information not in tap.log"
        echo "failed"
        echo "> cat logfiles"
        cat tap.log
        cat tap.errlog
        cat fwd.log
        cat unbound.log
        echo "Not OK"
        exit 1
 fi
 echo "> query txt.example.com. TXT"
 dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
 echo "> check answer"
 if grep "Lorem ipsum" outfile; then
        echo "OK"
 else
        echo "> cat logfiles"
        cat tap.log
        cat tap.errlog
        cat fwd.log
 	cat unbound2.log 
        cat unbound.log
        echo "Not OK"
        exit 1
 fi
 echo "> check tap.log for dnstap info"
 # see if it logged the information in tap.log
 # wait for a moment for filesystem to catch up.
 if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 10; fi
 if grep "txt.example.com" tap.log; then echo "yes it is in tap.log";
 else
        echo "information not in tap.log"
        echo "failed"
        echo "> cat logfiles"
        cat tap.log
        cat tap.errlog
        cat fwd.log
        cat unbound.log
        echo "Not OK"
        exit 1
 fi
 echo "> flush cache entries."
 $PRE/unbound-control -c ub.conf flush_type www.example.com A
 $PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
 echo "> disable padding of responses."
 $PRE/unbound-control -c ub2.conf set_option pad-responses: no
 echo "> query www.example.com. A"
 dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
 echo "> query txt.example.com. TXT"
 dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
 echo "> flush cache entries."
 $PRE/unbound-control -c ub.conf flush_type www.example.com A
 $PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
 echo "> enable padding of responses."
 $PRE/unbound-control -c ub2.conf set_option pad-responses: yes
 echo "> set pad responses block size to 64"
 $PRE/unbound-control -c ub2.conf set_option pad-responses-block-size: 64
 echo "> disable padding of queries."
 $PRE/unbound-control -c ub.conf set_option pad-queries: no
 echo "> query www.example.com. A"
 dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
 echo "> query txt.example.com. TXT"
 dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
 echo "> flush cache entries."
 $PRE/unbound-control -c ub.conf flush_type www.example.com A
 $PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
 echo "> enable padding of queries."
 $PRE/unbound-control -c ub.conf set_option pad-queries: yes
 echo "> set pad queries block size to 48"
 $PRE/unbound-control -c ub.conf set_option pad-queries-block-size: 48
 echo "> query www.example.com. A"
 dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
 echo "> query txt.example.com. TXT"
 dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
 echo "> flush cache entries."
 $PRE/unbound-control -c ub.conf flush_type www.example.com A
 $PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
 echo "> set pad responses block size to 512"
 $PRE/unbound-control -c ub2.conf set_option pad-responses-block-size: 512
 echo "> query www.example.com. A"
 dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
 echo "> query fin.example.com. TXT"
 dig @127.0.0.1 -p $UNBOUND_PORT fin.example.com. TXT | tee outfile
 echo "> check tap.log for dnstap info"
 # see if it logged the information in tap.log
 # wait for a moment for filesystem to catch up.
 if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "fini" tap.log >/dev/null; then :; else sleep 10; fi
 if grep "fini" tap.log; then echo "yes it is in tap.log";
 else
        echo "information not in tap.log"
        echo "failed"
        echo "> cat logfiles"
        cat tap.log
        cat tap.errlog
        cat fwd.log
        cat unbound.log
        echo "Not OK"
        exit 1
 fi
 grep '^;; MSG SIZE  rcvd: ' tap.log > message.sizes
 if diff message.sizes padding.msgsizes
 then
 	echo "OK - Message sizes matched expected sizes"
 	exit 0
 else
        echo "unexpected message sizes"
        echo "failed"
        echo "> cat logfiles"
        cat tap.log
        cat tap.errlog
        cat fwd.log
        cat unbound.log
        echo "Not OK"
        exit 1
 fi
--- a/testdata/padding.tdir/padding.testns
+++ b/testdata/padding.tdir/padding.testns
@ -0,0 +1,34 @@
 ; nameserver test file
 $ORIGIN example.com.
 $TTL 3600
 ENTRY_BEGIN
 MATCH opcode qtype qname
 REPLY QR AA NOERROR
 ADJUST copy_id
 SECTION QUESTION
 www	IN	A
 SECTION ANSWER
 www	IN	A	10.20.30.40
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 REPLY QR AA NOERROR
 ADJUST copy_id
 SECTION QUESTION
 txt	IN	TXT
 SECTION ANSWER
 txt	IN	TXT	"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." "Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." "Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur." "Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum."
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 REPLY QR AA NOERROR
 ADJUST copy_id
 SECTION QUESTION
 fin	IN	TXT
 SECTION ANSWER
 fin	IN	TXT	"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." "Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." "Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur." "Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." "fini"
 ENTRY_END
--- a/testdata/padding.tdir/unbound_control.key
+++ b/testdata/padding.tdir/unbound_control.key
@ -0,0 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
 MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
 1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
 F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
 ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
 vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
 IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
 cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
 lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
 15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
 LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
 Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
 YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
 whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
 lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
 tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
 U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
 Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
 Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
 ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
 1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
 b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
 ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
 TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
 tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
 aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
 A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
 LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
 R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
 7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
 7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
 jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
 BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
 kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
 qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
 VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
 MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
 C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
 -----END RSA PRIVATE KEY-----
--- a/testdata/padding.tdir/unbound_control.pem
+++ b/testdata/padding.tdir/unbound_control.pem
@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
 EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
 WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
 A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
 OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
 1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
 NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
 A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
 Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
 TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
 nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
 +i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
 4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
 hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
 9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
 ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
 pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
 72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
 muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
 uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
 -----END CERTIFICATE-----
--- a/testdata/padding.tdir/unbound_server.key
+++ b/testdata/padding.tdir/unbound_server.key
@ -0,0 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
 MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
 0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
 GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
 uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
 WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
 FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
 q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
 A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
 7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
 XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
 iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
 2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
 MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
 WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
 O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
 IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
 qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
 dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
 bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
 YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
 7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
 gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
 5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
 ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
 oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
 s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
 zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
 ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
 oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
 BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
 mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
 kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
 7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
 RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
 jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
 O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
 MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
 -----END RSA PRIVATE KEY-----
--- a/testdata/padding.tdir/unbound_server.pem
+++ b/testdata/padding.tdir/unbound_server.pem
@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
 EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
 WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
 igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
 a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
 4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
 aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
 TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
 uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
 +nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
 XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
 dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
 84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
 JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
 fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
 XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
 qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
 sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
 yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
 CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
 -----END CERTIFICATE-----
--- a/testdata/serve_original_ttl.rpl
+++ b/testdata/serve_original_ttl.rpl
@ -0,0 +1,136 @@
 ; config options
 server:
 	access-control: 127.0.0.1 allow_snoop
 	module-config: "validator iterator"
 	qname-minimisation: "no"
 	minimal-responses: no
 	serve-original-ttl: yes
 	cache-max-ttl: 1000
 	cache-min-ttl: 20
 	serve-expired: yes
 	serve-expired-reply-ttl: 123
 stub-zone:
 	name: "example.com"
 	stub-addr: 1.2.3.4
 CONFIG_END
 SCENARIO_BEGIN Test serve-original-ttl
 ; Scenario overview:
 ; - query for example.com. IN A
 ; - check that we get an answer for example.com. IN A with the correct TTL
 ; - query again after a couple seconds and check that we get the original TTL
 ; (next steps are combination with serve-expired)
 ; - query again after the TTL expired
 ; - check that we get the expired cached answer with the original TTL
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 	ENTRY_BEGIN
 		MATCH opcode qtype qname
 		ADJUST copy_id
 		REPLY QR NOERROR
 		SECTION QUESTION
 			example.com. IN NS
 		SECTION ANSWER
 			example.com. IN NS ns.example.com.
 		SECTION ADDITIONAL
 			ns.example.com. IN A 1.2.3.4
 	ENTRY_END
 	ENTRY_BEGIN
 		MATCH opcode qtype qname
 		ADJUST copy_id
 		REPLY QR NOERROR
 		SECTION QUESTION
 			example.com. IN A
 		SECTION ANSWER
 			example.com. 10 IN A 5.6.7.8
 		SECTION AUTHORITY
 			example.com. IN NS ns.example.com.
 		SECTION ADDITIONAL
 			ns.example.com. IN A 1.2.3.4
 	ENTRY_END
 RANGE_END
 ; Query with RD flag
 STEP 1 QUERY
 ENTRY_BEGIN
 	REPLY RD
 	SECTION QUESTION
 		example.com. IN A
 ENTRY_END
 ; Check that we got the correct answer (should be cached)
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 	MATCH all ttl
 	REPLY QR RD RA NOERROR
 	SECTION QUESTION
 		example.com. IN A
 	SECTION ANSWER
 		example.com. 10 IN A 5.6.7.8
 	SECTION AUTHORITY
 		example.com. IN NS ns.example.com.
 	SECTION ADDITIONAL
 		ns.example.com. IN A 1.2.3.4
 ENTRY_END
 ; Wait a couple of seconds (< 10)
 STEP 11 TIME_PASSES ELAPSE 5
 ; Query again
 STEP 20 QUERY
 ENTRY_BEGIN
 	REPLY
 	SECTION QUESTION
 		example.com. IN A
 ENTRY_END
 ; Check that we got the cached answer with the original TTL
 ; (Passively checks that minimum and maximum TTLs are ignored)
 STEP 30 CHECK_ANSWER
 ENTRY_BEGIN
 	MATCH all ttl
 	REPLY QR RA NOERROR
 	SECTION QUESTION
 		example.com. IN A
 	SECTION ANSWER
 		example.com.  10 A 5.6.7.8
 	SECTION AUTHORITY
 		example.com. 3600 NS ns.example.com.
 	SECTION ADDITIONAL
 		ns.example.com. 3600 A 1.2.3.4
 ENTRY_END
 ; Wait for the TTL to expire
 STEP 31 TIME_PASSES ELAPSE 3601
 ; Query again
 STEP 40 QUERY
 ENTRY_BEGIN
 	REPLY
 	SECTION QUESTION
 		example.com. IN A
 ENTRY_END
 ; Check that we got a stale answer with the original TTL
 STEP 50 CHECK_ANSWER
 ENTRY_BEGIN
 	MATCH all ttl
 	REPLY QR RA NOERROR
 	SECTION QUESTION
 		example.com. IN A
 	SECTION ANSWER
 		example.com.  10 A 5.6.7.8
 	SECTION AUTHORITY
 		example.com. NS ns.example.com.
 	SECTION ADDITIONAL
 		ns.example.com. A 1.2.3.4
 ENTRY_END
 ; Give time for the pending query to get answered
 STEP 51 TRAFFIC
 SCENARIO_END
--- a/testdata/tcp_reuse.tdir/tcp_reuse.conf
+++ b/testdata/tcp_reuse.tdir/tcp_reuse.conf
@ -0,0 +1,17 @@
 server:
 	verbosity: 5
 	# num-threads: 1
 	interface: 127.0.0.1
 	port: @PORT@
 	use-syslog: no
 	directory: .
 	pidfile: "unbound.pid"
 	chroot: ""
 	username: ""
 	do-not-query-localhost: no
 	tcp-upstream: yes
 forward-zone:
 	name: "."
 	forward-addr: "127.0.0.1@@TOPORT@"
--- a/testdata/tcp_reuse.tdir/tcp_reuse.conf2
+++ b/testdata/tcp_reuse.tdir/tcp_reuse.conf2
@ -0,0 +1,39 @@
 # this is the upstream server that has pipelining and responds to queries.
 server:
 	verbosity: 1
 	# num-threads: 1
 	interface: 127.0.0.1
 	port: @PORT@
 	use-syslog: no
 	directory: .
 	pidfile: "unbound2.pid"
 	chroot: ""
 	username: ""
 	do-not-query-localhost: no
 	tcp-idle-timeout: 10000
 	log-queries: yes
 	log-replies: yes
 	log-identity: "upstream"
 	local-zone: "." refuse
 	local-zone: "example.com" static
 	local-data: "www.example.com  A 10.20.30.40"
 	local-data: "www1.example.com  A 10.20.30.41"
 	local-data: "www2.example.com  A 10.20.30.42"
 	local-data: "www3.example.com  A 10.20.30.43"
 	local-data: "www4.example.com  A 10.20.30.44"
 	local-data: "www5.example.com  A 10.20.30.45"
 	local-data: "www6.example.com  A 10.20.30.46"
 	local-data: "www7.example.com  A 10.20.30.47"
 	local-zone: "drop.net" deny
 	local-zone: "refuse.net" refuse
 	local-zone: "more.net" redirect
 	local-data: "more.net A 10.20.30.40"
 # if queries escape, send them to localhost
 forward-zone:
 	name: "."
 	forward-addr: "127.0.0.1@@TOPORT@"
--- a/testdata/tcp_reuse.tdir/tcp_reuse.dsc
+++ b/testdata/tcp_reuse.tdir/tcp_reuse.dsc
@ -0,0 +1,16 @@
 BaseName: tcp_reuse
 Version: 1.0
 Description: Test tcp stream reuse.
 CreationDate: Wed Jun 03 09:37:00 CET 2020
 Maintainer: Wouter Wijngaards
 Category: 
 Component:
 CmdDepends: 
 Depends: 
 Help:
 Pre: tcp_reuse.pre
 Post: tcp_reuse.post
 Test: tcp_reuse.test
 AuxFiles: 
 Passed:
 Failure:
--- a/testdata/tcp_reuse.tdir/tcp_reuse.post
+++ b/testdata/tcp_reuse.tdir/tcp_reuse.post
@ -0,0 +1,19 @@
 # #-- tcp_reuse.post --#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # source the test var file when it's there
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 #
 # do your teardown here
 . ../common.sh
 kill_pid `cat unbound2.pid`
 if test -f unbound2.log; then
 	echo ">>> upstream log"
 	cat unbound2.log
 fi
 #kill_pid $UNBOUND_PID
 kill_pid `cat unbound.pid`
 if test -f unbound.log; then
 	echo ">>> unbound log"
 	cat unbound.log
 fi
--- a/testdata/tcp_reuse.tdir/tcp_reuse.pre
+++ b/testdata/tcp_reuse.tdir/tcp_reuse.pre
@ -0,0 +1,34 @@
 # #-- tcp_reuse.pre--#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # use .tpkg.var.test for in test variable passing
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 PRE="../.."
 . ../common.sh
 get_random_port 2
 UNBOUND_PORT=$RND_PORT
 UPSTREAM_PORT=$(($RND_PORT + 1))
 echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
 echo "UPSTREAM_PORT=$UPSTREAM_PORT" >> .tpkg.var.test
 # make config file
 sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$UPSTREAM_PORT'/' < tcp_reuse.conf > ub.conf
 # start unbound in the background
 #$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
 $PRE/unbound -d -c ub.conf 2>&1 | tee unbound.log &
 UNBOUND_PID=$!
 echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
 wait_unbound_up unbound.log
 # make upstream config file
 sed -e 's/@PORT\@/'$UPSTREAM_PORT'/' -e 's/@TOPORT\@/'$UPSTREAM_PORT'/' < tcp_reuse.conf2 > ub2.conf
 # start upstream unbound in the background
 #$PRE/unbound -d -c ub2.conf >unbound2.log 2>&1 &
 $PRE/unbound -d -c ub2.conf 2>&1 | tee unbound2.log &
 UPSTREAM_PID=$!
 echo "UPSTREAM_PID=$UPSTREAM_PID" >> .tpkg.var.test
 wait_unbound_up unbound2.log
 cat .tpkg.var.test
--- a/testdata/tcp_reuse.tdir/tcp_reuse.test
+++ b/testdata/tcp_reuse.tdir/tcp_reuse.test
@ -0,0 +1,309 @@
 # #-- tcp_reuse.test --#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # use .tpkg.var.test for in test variable passing
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 PRE="../.."
 . ../common.sh
 get_make
 (cd $PRE; $MAKE streamtcp)
 echo "> query www1.example.com."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN >outfile 2>&1
 cat outfile
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log 
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 if grep "www1.example.com" outfile | grep "10.20.30.41"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www1.example.com"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log 
 	cat unbound.log
 	echo "result contents not OK, for www1.example.com"
 	exit 1
 fi
 echo "OK"
 echo ""
 # this should be reused on the same tcp stream:
 echo "> query www2.example.com."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www2.example.com. A IN >outfile 2>&1
 cat outfile
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log 
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 if grep "www2.example.com" outfile | grep "10.20.30.42"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www2.example.com"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log 
 	cat unbound.log
 	echo "result contents not OK, for www2.example.com"
 	exit 1
 fi
 echo "> query refuse.net."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT refuse.net. A IN >outfile 2>&1
 cat outfile
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 if grep "rcode: SERVFAIL" outfile; then
 	echo "content OK"
 else
 	echo "result contents not OK, for refuse.net"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for refuse.net"
 	exit 1
 fi
 echo "> query www3.example.com."
 echo "> query www4.example.com."
 echo "> query www5.example.com."
 echo "> query www6.example.com."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www3.example.com. A IN >outfile3 2>&1 &
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www4.example.com. A IN >outfile4 2>&1 &
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www5.example.com. A IN >outfile5 2>&1 &
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www6.example.com. A IN >outfile6 2>&1 &
 wait
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile3
 	cat outfile4
 	cat outfile5
 	cat outfile6
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 if grep "www3.example.com" outfile3 | grep "10.20.30.43"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www3.example.com"
 	echo "> cat logfiles"
 	cat outfile3
 	cat outfile4
 	cat outfile5
 	cat outfile6
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for www3.example.com"
 	exit 1
 fi
 if grep "www4.example.com" outfile4 | grep "10.20.30.44"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www4.example.com"
 	echo "> cat logfiles"
 	cat outfile3
 	cat outfile4
 	cat outfile5
 	cat outfile6
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for www4.example.com"
 	exit 1
 fi
 if grep "www5.example.com" outfile5 | grep "10.20.30.45"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www5.example.com"
 	echo "> cat logfiles"
 	cat outfile3
 	cat outfile4
 	cat outfile5
 	cat outfile6
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for www5.example.com"
 	exit 1
 fi
 if grep "www6.example.com" outfile6 | grep "10.20.30.46"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www6.example.com"
 	echo "> cat logfiles"
 	cat outfile3
 	cat outfile4
 	cat outfile5
 	cat outfile6
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for www6.example.com"
 	exit 1
 fi
 echo "> query a1.more.net a2.more.net a3.more.net a4.more.net a5.more.net"
 $PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT a1.more.net A IN a2.more.net A IN a3.more.net A IN a4.more.net A IN a5.more.net A IN >outfile 2>&1
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 cat outfile
 for x in a1.more.net a2.more.net a3.more.net a4.more.net a5.more.net; do
 	if grep "$x" outfile | grep "10.20.30.40"; then
 		echo "content OK for $x"
 	else
 		echo "result contents not OK, for $x"
 		echo "> cat logfiles"
 		cat outfile
 		cat unbound2.log
 		cat unbound.log
 		echo "result contents not OK, for $x"
 		exit 1
 	fi
 done
 # make the server timeout to drop the upstream connection
 echo "> sleep 15"
 sleep 15
 # see if we are still up.
 echo "> query a7.more.net"
 $PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT a7.more.net A IN >outfile 2>&1
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 cat outfile
 for x in a7.more.net; do
 	if grep "$x" outfile | grep "10.20.30.40"; then
 		echo "content OK for $x"
 	else
 		echo "result contents not OK, for $x"
 		echo "> cat logfiles"
 		cat outfile
 		cat unbound2.log
 		cat unbound.log
 		echo "result contents not OK, for $x"
 		exit 1
 	fi
 done
 # dropconn.drop.net make the server drop the connection.
 echo "> query a11.more.net a12.more.net dropconn.drop.net a14.more.net a15.more.net"
 $PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT a11.more.net A IN a12.more.net A IN dropconn.drop.net A IN a14.more.net A IN a15.more.net A IN >outfile 2>&1
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 cat outfile
 # cannot really check outfile, because it may or may not have answers depending
 # on how fast the other server responds or the drop happens, but there are
 # a bunch of connection drops, whilst resolving the other queries.
 echo "> query drop.net."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT drop.net. A IN >outfile 2>&1
 cat outfile
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 if grep "rcode: SERVFAIL" outfile; then
 	echo "content OK"
 else
 	echo "result contents not OK, for drop.net"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for drop.net"
 	exit 1
 fi
 # timeouts at the end. (so that the server is not marked as failed for
 # the other tests).
 echo "> query q1.drop.net."
 echo "> query q2.drop.net."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT q1.drop.net. A IN >outfile1 2>&1 &
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT q2.drop.net. A IN >outfile2 2>&1 &
 wait
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile1
 	cat outfile2
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 cat outfile1
 cat outfile2
 if grep "rcode: SERVFAIL" outfile1; then
 	echo "content OK"
 else
 	echo "result contents not OK, for q1.drop.net"
 	echo "> cat logfiles"
 	cat outfile1
 	cat outfile2
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for q1.drop.net"
 	exit 1
 fi
 if grep "rcode: SERVFAIL" outfile2; then
 	echo "content OK"
 else
 	echo "result contents not OK, for q2.drop.net"
 	echo "> cat logfiles"
 	cat outfile1
 	cat outfile2
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for q2.drop.net"
 	exit 1
 fi
 echo "OK"
 exit 0
--- a/testdata/tls_reuse.tdir/tls_reuse.conf
+++ b/testdata/tls_reuse.tdir/tls_reuse.conf
@ -0,0 +1,18 @@
 server:
 	verbosity: 5
 	# num-threads: 1
 	interface: 127.0.0.1
 	port: @PORT@
 	use-syslog: no
 	directory: .
 	pidfile: "unbound.pid"
 	chroot: ""
 	username: ""
 	do-not-query-localhost: no
 	tls-cert-bundle: "unbound_server.pem"
 	tls-upstream: yes
 forward-zone:
 	name: "."
 	forward-addr: "127.0.0.1@@TOPORT@#unbound"
--- a/testdata/tls_reuse.tdir/tls_reuse.conf2
+++ b/testdata/tls_reuse.tdir/tls_reuse.conf2
@ -0,0 +1,43 @@
 # this is the upstream server that has pipelining and responds to queries.
 server:
 	verbosity: 1
 	# num-threads: 1
 	interface: 127.0.0.1@@PORT@
 	port: @PORT@
 	use-syslog: no
 	directory: .
 	pidfile: "unbound2.pid"
 	chroot: ""
 	username: ""
 	do-not-query-localhost: no
 	tls-port: @PORT@
 	tls-service-key: "unbound_server.key"
 	tls-service-pem: "unbound_server.pem"
 	tcp-idle-timeout: 10000
 	log-queries: yes
 	log-replies: yes
 	log-identity: "upstream"
 	local-zone: "." refuse
 	local-zone: "example.com" static
 	local-data: "www.example.com  A 10.20.30.40"
 	local-data: "www1.example.com  A 10.20.30.41"
 	local-data: "www2.example.com  A 10.20.30.42"
 	local-data: "www3.example.com  A 10.20.30.43"
 	local-data: "www4.example.com  A 10.20.30.44"
 	local-data: "www5.example.com  A 10.20.30.45"
 	local-data: "www6.example.com  A 10.20.30.46"
 	local-data: "www7.example.com  A 10.20.30.47"
 	local-zone: "drop.net" deny
 	local-zone: "refuse.net" refuse
 	local-zone: "more.net" redirect
 	local-data: "more.net A 10.20.30.40"
 # if queries escape, send them to localhost
 forward-zone:
 	name: "."
 	forward-tls-upstream: yes
 	forward-addr: "127.0.0.1@@TOPORT@"
--- a/testdata/tls_reuse.tdir/tls_reuse.dsc
+++ b/testdata/tls_reuse.tdir/tls_reuse.dsc
@ -0,0 +1,16 @@
 BaseName: tls_reuse
 Version: 1.0
 Description: Test tls stream reuse.
 CreationDate: Wed Jun 30 16:37:00 CET 2020
 Maintainer: Wouter Wijngaards
 Category: 
 Component:
 CmdDepends: 
 Depends: 
 Help:
 Pre: tls_reuse.pre
 Post: tls_reuse.post
 Test: tls_reuse.test
 AuxFiles: 
 Passed:
 Failure:
--- a/testdata/tls_reuse.tdir/tls_reuse.post
+++ b/testdata/tls_reuse.tdir/tls_reuse.post
@ -0,0 +1,19 @@
 # #-- tls_reuse.post --#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # source the test var file when it's there
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 #
 # do your teardown here
 . ../common.sh
 kill_pid `cat unbound2.pid`
 if test -f unbound2.log; then
 	echo ">>> upstream log"
 	cat unbound2.log
 fi
 #kill_pid $UNBOUND_PID
 kill_pid `cat unbound.pid`
 if test -f unbound.log; then
 	echo ">>> unbound log"
 	cat unbound.log
 fi
--- a/testdata/tls_reuse.tdir/tls_reuse.pre
+++ b/testdata/tls_reuse.tdir/tls_reuse.pre
@ -0,0 +1,34 @@
 # #-- tls_reuse.pre--#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # use .tpkg.var.test for in test variable passing
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 PRE="../.."
 . ../common.sh
 get_random_port 2
 UNBOUND_PORT=$RND_PORT
 UPSTREAM_PORT=$(($RND_PORT + 1))
 echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
 echo "UPSTREAM_PORT=$UPSTREAM_PORT" >> .tpkg.var.test
 # make config file
 sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$UPSTREAM_PORT'/' < tls_reuse.conf > ub.conf
 # start unbound in the background
 #$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
 $PRE/unbound -d -c ub.conf 2>&1 | tee unbound.log &
 UNBOUND_PID=$!
 echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
 wait_unbound_up unbound.log
 # make upstream config file
 sed -e 's/@PORT\@/'$UPSTREAM_PORT'/' -e 's/@TOPORT\@/'$UPSTREAM_PORT'/' < tls_reuse.conf2 > ub2.conf
 # start upstream unbound in the background
 #$PRE/unbound -d -c ub2.conf >unbound2.log 2>&1 &
 $PRE/unbound -d -c ub2.conf 2>&1 | tee unbound2.log &
 UPSTREAM_PID=$!
 echo "UPSTREAM_PID=$UPSTREAM_PID" >> .tpkg.var.test
 wait_unbound_up unbound2.log
 cat .tpkg.var.test
--- a/testdata/tls_reuse.tdir/tls_reuse.test
+++ b/testdata/tls_reuse.tdir/tls_reuse.test
@ -0,0 +1,308 @@
 # #-- tls_reuse.test --#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # use .tpkg.var.test for in test variable passing
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 PRE="../.."
 . ../common.sh
 get_make
 (cd $PRE; $MAKE streamtcp)
 echo "> query www1.example.com."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN >outfile 2>&1
 cat outfile
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log 
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 if grep "www1.example.com" outfile | grep "10.20.30.41"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www1.example.com"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log 
 	cat unbound.log
 	echo "result contents not OK, for www1.example.com"
 	exit 1
 fi
 echo "OK"
 echo ""
 # this should be reused on the same tcp stream:
 echo "> query www2.example.com."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www2.example.com. A IN >outfile 2>&1
 cat outfile
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log 
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 if grep "www2.example.com" outfile | grep "10.20.30.42"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www2.example.com"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log 
 	cat unbound.log
 	echo "result contents not OK, for www2.example.com"
 	exit 1
 fi
 echo "> query refuse.net."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT refuse.net. A IN >outfile 2>&1
 cat outfile
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 if grep "rcode: SERVFAIL" outfile; then
 	echo "content OK"
 else
 	echo "result contents not OK, for refuse.net"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for refuse.net"
 	exit 1
 fi
 echo "> query www3.example.com."
 echo "> query www4.example.com."
 echo "> query www5.example.com."
 echo "> query www6.example.com."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www3.example.com. A IN >outfile3 2>&1 &
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www4.example.com. A IN >outfile4 2>&1 &
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www5.example.com. A IN >outfile5 2>&1 &
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www6.example.com. A IN >outfile6 2>&1 &
 wait
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile3
 	cat outfile4
 	cat outfile5
 	cat outfile6
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 if grep "www3.example.com" outfile3 | grep "10.20.30.43"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www3.example.com"
 	echo "> cat logfiles"
 	cat outfile3
 	cat outfile4
 	cat outfile5
 	cat outfile6
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for www3.example.com"
 	exit 1
 fi
 if grep "www4.example.com" outfile4 | grep "10.20.30.44"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www4.example.com"
 	echo "> cat logfiles"
 	cat outfile3
 	cat outfile4
 	cat outfile5
 	cat outfile6
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for www4.example.com"
 	exit 1
 fi
 if grep "www5.example.com" outfile5 | grep "10.20.30.45"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www5.example.com"
 	echo "> cat logfiles"
 	cat outfile3
 	cat outfile4
 	cat outfile5
 	cat outfile6
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for www5.example.com"
 	exit 1
 fi
 if grep "www6.example.com" outfile6 | grep "10.20.30.46"; then
 	echo "content OK"
 else
 	echo "result contents not OK, for www6.example.com"
 	echo "> cat logfiles"
 	cat outfile3
 	cat outfile4
 	cat outfile5
 	cat outfile6
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for www6.example.com"
 	exit 1
 fi
 echo "> query a1.more.net a2.more.net a3.more.net a4.more.net a5.more.net"
 $PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT a1.more.net A IN a2.more.net A IN a3.more.net A IN a4.more.net A IN a5.more.net A IN >outfile 2>&1
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 cat outfile
 for x in a1.more.net a2.more.net a3.more.net a4.more.net a5.more.net; do
 	if grep "$x" outfile | grep "10.20.30.40"; then
 		echo "content OK for $x"
 	else
 		echo "result contents not OK, for $x"
 		echo "> cat logfiles"
 		cat outfile
 		cat unbound2.log
 		cat unbound.log
 		echo "result contents not OK, for $x"
 		exit 1
 	fi
 done
 # make the server timeout to drop the upstream connection
 echo "> sleep 15"
 sleep 15
 # see if we are still up.
 echo "> query a7.more.net"
 $PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT a7.more.net A IN >outfile 2>&1
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 cat outfile
 for x in a7.more.net; do
 	if grep "$x" outfile | grep "10.20.30.40"; then
 		echo "content OK for $x"
 	else
 		echo "result contents not OK, for $x"
 		echo "> cat logfiles"
 		cat outfile
 		cat unbound2.log
 		cat unbound.log
 		echo "result contents not OK, for $x"
 		exit 1
 	fi
 done
 # dropconn.drop.net make the server drop the connection.
 echo "> query a11.more.net a12.more.net dropconn.drop.net a14.more.net a15.more.net"
 $PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT a11.more.net A IN a12.more.net A IN dropconn.drop.net A IN a14.more.net A IN a15.more.net A IN >outfile 2>&1
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 cat outfile
 # cannot really check outfile, because it may or may not have answers depending
 # on how fast the other server responds or the drop happens, but there are
 # a bunch of connection drops, whilst resolving the other queries.
 echo "> query drop.net."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT drop.net. A IN >outfile 2>&1
 cat outfile
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 if grep "rcode: SERVFAIL" outfile; then
 	echo "content OK"
 else
 	echo "result contents not OK, for drop.net"
 	echo "> cat logfiles"
 	cat outfile
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for drop.net"
 	exit 1
 fi
 # timeouts at the end. (so that the server is not marked as failed for
 # the other tests).
 echo "> query q1.drop.net."
 echo "> query q2.drop.net."
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT q1.drop.net. A IN >outfile1 2>&1 &
 $PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT q2.drop.net. A IN >outfile2 2>&1 &
 wait
 if test "$?" -ne 0; then
 	echo "exit status not OK"
 	echo "> cat logfiles"
 	cat outfile1
 	cat outfile2
 	cat unbound2.log
 	cat unbound.log
 	echo "Not OK"
 	exit 1
 fi
 cat outfile1
 cat outfile2
 if grep "rcode: SERVFAIL" outfile1; then
 	echo "content OK"
 else
 	echo "result contents not OK, for q1.drop.net"
 	echo "> cat logfiles"
 	cat outfile1
 	cat outfile2
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for q1.drop.net"
 	exit 1
 fi
 if grep "rcode: SERVFAIL" outfile2; then
 	echo "content OK"
 else
 	echo "result contents not OK, for q2.drop.net"
 	echo "> cat logfiles"
 	cat outfile1
 	cat outfile2
 	cat unbound2.log
 	cat unbound.log
 	echo "result contents not OK, for q2.drop.net"
 	exit 1
 fi
 echo "OK"
 exit 0
--- a/testdata/tls_reuse.tdir/unbound_control.key
+++ b/testdata/tls_reuse.tdir/unbound_control.key
@ -0,0 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
 MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
 1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
 F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
 ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
 vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
 IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
 cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
 lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
 15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
 LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
 Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
 YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
 whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
 lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
 tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
 U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
 Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
 Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
 ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
 1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
 b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
 ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
 TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
 tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
 aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
 A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
 LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
 R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
 7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
 7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
 jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
 BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
 kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
 qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
 VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
 MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
 C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
 -----END RSA PRIVATE KEY-----
--- a/testdata/tls_reuse.tdir/unbound_control.pem
+++ b/testdata/tls_reuse.tdir/unbound_control.pem
@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
 EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
 WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
 A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
 OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
 1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
 NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
 A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
 Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
 TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
 nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
 +i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
 4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
 hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
 9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
 ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
 pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
 72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
 muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
 uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
 -----END CERTIFICATE-----
--- a/testdata/tls_reuse.tdir/unbound_server.key
+++ b/testdata/tls_reuse.tdir/unbound_server.key
@ -0,0 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
 MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
 0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
 GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
 uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
 WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
 FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
 q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
 A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
 7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
 XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
 iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
 2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
 MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
 WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
 O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
 IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
 qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
 dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
 bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
 YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
 7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
 gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
 5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
 ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
 oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
 s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
 zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
 ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
 oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
 BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
 mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
 kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
 7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
 RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
 jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
 O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
 MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
 -----END RSA PRIVATE KEY-----
--- a/testdata/tls_reuse.tdir/unbound_server.pem
+++ b/testdata/tls_reuse.tdir/unbound_server.pem
@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
 EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
 WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
 igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
 a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
 4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
 aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
 TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
 uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
 +nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
 XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
 dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
 84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
 JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
 fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
 XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
 qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
 sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
 yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
 CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
 -----END CERTIFICATE-----
--- a/util/config_file.c
+++ b/util/config_file.c
@ -172,6 +172,7 @@ config_create(void)
 	cfg->infra_cache_min_rtt = 50;
 	cfg->infra_keep_probing = 0;
 	cfg->delay_close = 0;
 	cfg->udp_connect = 1;
 	if(!(cfg->outgoing_avail_ports = (int*)calloc(65536, sizeof(int))))
 		goto error_exit;
 	init_outgoing_availports(cfg->outgoing_avail_ports, 65536);
@ -219,7 +220,7 @@ config_create(void)
 	cfg->views = NULL;
 	cfg->acls = NULL;
 	cfg->tcp_connection_limits = NULL;
-	cfg->harden_short_bufsize = 0;
+	cfg->harden_short_bufsize = 1;
 	cfg->harden_large_queries = 0;
 	cfg->harden_glue = 1;
 	cfg->harden_dnssec_stripped = 1;
@ -236,6 +237,9 @@ config_create(void)
 	cfg->hide_trustanchor = 0;
 	cfg->identity = NULL;
 	cfg->version = NULL;
 	cfg->nsid_cfg_str = NULL;
 	cfg->nsid = NULL;
 	cfg->nsid_len = 0;
 	cfg->auto_trust_anchor_file_list = NULL;
 	cfg->trust_anchor_file_list = NULL;
 	cfg->trust_anchor_list = NULL;
@ -257,6 +261,7 @@ config_create(void)
 	cfg->serve_expired_ttl_reset = 0;
 	cfg->serve_expired_reply_ttl = 30;
 	cfg->serve_expired_client_timeout = 0;
 	cfg->serve_original_ttl = 0;
 	cfg->zonemd_permissive_mode = 0;
 	cfg->add_holddown = 30*24*3600;
 	cfg->del_holddown = 30*24*3600;
@ -323,8 +328,8 @@ config_create(void)
 	cfg->qname_minimisation_strict = 0;
 	cfg->shm_enable = 0;
 	cfg->shm_key = 11777;
-	cfg->edns_client_tags = NULL;
+	cfg->edns_client_strings = NULL;
-	cfg->edns_client_tag_opcode = LDNS_EDNS_CLIENT_TAG;
+	cfg->edns_client_string_opcode = 65001;
 	cfg->dnscrypt = 0;
 	cfg->dnscrypt_port = 0;
 	cfg->dnscrypt_provider = NULL;
@ -335,6 +340,10 @@ config_create(void)
 	cfg->dnscrypt_shared_secret_cache_slabs = 4;
 	cfg->dnscrypt_nonce_cache_size = 4*1024*1024;
 	cfg->dnscrypt_nonce_cache_slabs = 4;
 	cfg->pad_responses = 1;
 	cfg->pad_responses_block_size = 468; /* from RFC8467 */
 	cfg->pad_queries = 1;
 	cfg->pad_queries_block_size = 128; /* from RFC8467 */
 #ifdef USE_IPSECMOD
 	cfg->ipsecmod_enabled = 1;
 	cfg->ipsecmod_ignore_bogus = 0;
@ -388,6 +397,7 @@ struct config_file* config_create_forlib(void)
 	cfg->val_log_level = 2; /* to fill why_bogus with */
 	cfg->val_log_squelch = 1;
 	cfg->minimal_responses = 0;
 	cfg->harden_short_bufsize = 1;
 	return cfg;
 }
@ -570,6 +580,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_POW2("infra-cache-slabs:", infra_cache_slabs)
 	else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts)
 	else S_NUMBER_OR_ZERO("delay-close:", delay_close)
 	else S_YNO("udp-connect:", udp_connect)
 	else S_STR("chroot:", chrootdir)
 	else S_STR("username:", username)
 	else S_STR("directory:", directory)
@ -579,6 +590,20 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_YNO("hide-trustanchor:", hide_trustanchor)
 	else S_STR("identity:", identity)
 	else S_STR("version:", version)
 	else if(strcmp(opt, "nsid:") == 0) {
 		free(cfg->nsid_cfg_str);
 		if (!(cfg->nsid_cfg_str = strdup(val)))
 			return 0;
 		/* Empty string is just validly unsetting nsid */
 		if (*val == 0) {
 			free(cfg->nsid);
 			cfg->nsid = NULL;
 			cfg->nsid_len = 0;
 			return 1;
 		}
 		cfg->nsid = cfg_parse_nsid(val, &cfg->nsid_len);
 		return cfg->nsid != NULL;
 	}
 	else S_STRLIST("root-hints:", root_hints)
 	else S_STR("target-fetch-policy:", target_fetch_policy)
 	else S_YNO("harden-glue:", harden_glue)
@ -623,6 +648,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else if(strcmp(opt, "serve-expired-reply-ttl:") == 0)
 	{ IS_NUMBER_OR_ZERO; cfg->serve_expired_reply_ttl = atoi(val); SERVE_EXPIRED_REPLY_TTL=(time_t)cfg->serve_expired_reply_ttl;}
 	else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout)
 	else S_YNO("serve-original-ttl:", serve_original_ttl)
 	else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
 	else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode)
 	else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
@ -719,6 +745,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil)
 	else S_YNO("qname-minimisation:", qname_minimisation)
 	else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
 	else S_YNO("pad-responses:", pad_responses)
 	else S_SIZET_NONZERO("pad-responses-block-size:", pad_responses_block_size)
 	else S_YNO("pad-queries:", pad_queries)
 	else S_SIZET_NONZERO("pad-queries-block-size:", pad_queries_block_size)
 #ifdef USE_IPSECMOD
 	else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
 	else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
@ -966,6 +996,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "infra-keep-probing", infra_keep_probing)
 	else O_MEM(opt, "infra-cache-numhosts", infra_cache_numhosts)
 	else O_UNS(opt, "delay-close", delay_close)
 	else O_YNO(opt, "udp-connect", udp_connect)
 	else O_YNO(opt, "do-ip4", do_ip4)
 	else O_YNO(opt, "do-ip6", do_ip6)
 	else O_YNO(opt, "do-udp", do_udp)
@ -1014,6 +1045,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "hide-trustanchor", hide_trustanchor)
 	else O_STR(opt, "identity", identity)
 	else O_STR(opt, "version", version)
 	else O_STR(opt, "nsid", nsid_cfg_str)
 	else O_STR(opt, "target-fetch-policy", target_fetch_policy)
 	else O_YNO(opt, "harden-short-bufsize", harden_short_bufsize)
 	else O_YNO(opt, "harden-large-queries", harden_large_queries)
@ -1038,6 +1070,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "serve-expired-ttl-reset", serve_expired_ttl_reset)
 	else O_DEC(opt, "serve-expired-reply-ttl", serve_expired_reply_ttl)
 	else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout)
 	else O_YNO(opt, "serve-original-ttl", serve_original_ttl)
 	else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
 	else O_YNO(opt, "zonemd-permissive-mode", zonemd_permissive_mode)
 	else O_UNS(opt, "add-holddown", add_holddown)
@ -1158,7 +1191,11 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
 	else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
 	else O_LS2(opt, "access-control-view", acl_view)
-	else O_LS2(opt, "edns-client-tags", edns_client_tags)
+	else O_YNO(opt, "pad-responses", pad_responses)
 	else O_DEC(opt, "pad-responses-block-size", pad_responses_block_size)
 	else O_YNO(opt, "pad-queries", pad_queries)
 	else O_DEC(opt, "pad-queries-block-size", pad_queries_block_size)
 	else O_LS2(opt, "edns-client-strings", edns_client_strings)
 #ifdef USE_IPSECMOD
 	else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
 	else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
@ -1482,6 +1519,8 @@ config_delete(struct config_file* cfg)
 #endif
 	free(cfg->identity);
 	free(cfg->version);
 	free(cfg->nsid_cfg_str);
 	free(cfg->nsid);
 	free(cfg->module_conf);
 	free(cfg->outgoing_avail_ports);
 	config_delstrlist(cfg->caps_whitelist);
@ -1527,7 +1566,7 @@ config_delete(struct config_file* cfg)
 	config_deldblstrlist(cfg->ratelimit_below_domain);
 	config_delstrlist(cfg->python_script);
 	config_delstrlist(cfg->dynlib_file);
-	config_deldblstrlist(cfg->edns_client_tags);
+	config_deldblstrlist(cfg->edns_client_strings);
 #ifdef USE_IPSECMOD
 	free(cfg->ipsecmod_hook);
 	config_delstrlist(cfg->ipsecmod_whitelist);
@ -2020,6 +2059,38 @@ uint8_t* config_parse_taglist(struct config_file* cfg, char* str,
 	return taglist;
 }
 uint8_t* cfg_parse_nsid(const char* str, uint16_t* nsid_len)
 {
 	uint8_t* nsid = NULL;
 	if (strncasecmp(str, "ascii_", 6) == 0) {
 		if ((nsid = (uint8_t *)strdup(str + 6)))
 			*nsid_len = strlen(str + 6);
 	} else if (strlen(str) % 2) {
 		; /* hex string has even number of characters */
 	}
 	else if (*str && (nsid = calloc(1, strlen(str) / 2))) {
 		const char *ch;
 		uint8_t *dp;
 		for ( ch = str, dp = nsid
 		    ; isxdigit(ch[0]) && isxdigit(ch[1])
 		    ; ch += 2, dp++) {
 			*dp  = (uint8_t)sldns_hexdigit_to_int(ch[0]) * 16;
 			*dp += (uint8_t)sldns_hexdigit_to_int(ch[1]);
 		}
 		if (*ch) {
 			free(nsid);
 			nsid = NULL;
 		} else
 			*nsid_len = strlen(str) / 2;
 	}
 	return nsid;
 }
 char* config_taglist2str(struct config_file* cfg, uint8_t* taglist,
        size_t taglen)
 {
@ -2062,6 +2133,7 @@ config_apply(struct config_file* config)
 	SERVE_EXPIRED = config->serve_expired;
 	SERVE_EXPIRED_TTL = (time_t)config->serve_expired_ttl;
 	SERVE_EXPIRED_REPLY_TTL = (time_t)config->serve_expired_reply_ttl;
 	SERVE_ORIGINAL_TTL = config->serve_original_ttl;
 	MAX_NEG_TTL = (time_t)config->max_negative_ttl;
 	RTT_MIN_TIMEOUT = config->infra_cache_min_rtt;
 	EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;
--- a/util/config_file.h
+++ b/util/config_file.h
@ -185,6 +185,8 @@ struct config_file {
 	int infra_keep_probing;
 	/** delay close of udp-timeouted ports, if 0 no delayclose. in msec */
 	int delay_close;
 	/** udp_connect enable uses UDP connect to mitigate ICMP side channel */
 	int udp_connect;
 	/** the target fetch policy for the iterator */
 	char* target_fetch_policy;
@ -336,6 +338,10 @@ struct config_file {
 	char* identity;
 	/** version, package version returned if "". */
 	char* version;
 	/** nsid */
 	char *nsid_cfg_str;
 	uint8_t *nsid;
 	uint16_t nsid_len;
 	/** the module configuration string */
 	char* module_conf;
@ -386,6 +392,8 @@ struct config_file {
 	/** serve expired entries only after trying to update the entries and this
 	 *  timeout (in milliseconds) is reached */
 	int serve_expired_client_timeout;
 	/** serve original TTLs rather than decrementing ones */
 	int serve_original_ttl;
 	/** nsec3 maximum iterations per key size, string */
 	char* val_nsec3_key_iterations;
 	/** if zonemd failures are permitted, only logged */
@ -568,10 +576,10 @@ struct config_file {
 	/** SHM data - key for the shm */
 	int shm_key;
-	/** list of EDNS client tag entries, linked list */
+	/** list of EDNS client string entries, linked list */
-	struct config_str2list* edns_client_tags;
+	struct config_str2list* edns_client_strings;
-	/** EDNS opcode to use for EDNS client tags */
+	/** EDNS opcode to use for EDNS client strings */
-	uint16_t edns_client_tag_opcode;
+	uint16_t edns_client_string_opcode;
 	/** DNSCrypt */
 	/** true to enable dnscrypt */
@ -596,6 +604,17 @@ struct config_file {
 	size_t dnscrypt_nonce_cache_size;
 	/** number of slabs for dnscrypt nonces cache */
 	size_t dnscrypt_nonce_cache_slabs;
 	/** EDNS padding according to RFC7830 and RFC8467 */
 	/** true to enable padding of responses (default: on) */
 	int pad_responses;
 	/** block size with which to pad encrypted responses (default: 468) */
 	size_t pad_responses_block_size;
 	/** true to enable padding of queries (default: on) */
 	int pad_queries;
 	/** block size with which to pad encrypted queries (default: 128) */
 	size_t pad_queries_block_size;
 	/** IPsec module */
 #ifdef USE_IPSECMOD
 	/** false to bypass the IPsec module */
@ -1072,6 +1091,16 @@ int cfg_count_numbers(const char* str);
 */
 int cfg_parse_memsize(const char* str, size_t* res);
 /**
 * Parse nsid from string into binary nsid. nsid is either a hexidecimal
 * string or an ascii string prepended with ascii_ in which case the
 * characters after ascii_ are simply copied.
 * @param str: the string to parse.
 * @param nsid_len: returns length of nsid in bytes.
 * @return malloced bytes or NULL on parse error or malloc failure.
 */
 uint8_t* cfg_parse_nsid(const char* str, uint16_t* nsid_len);
 /**
 * Add a tag name to the config.  It is added at the end with a new ID value.
 * @param cfg: the config structure.
--- a/util/configlexer.c
+++ b/util/configlexer.c
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@ -301,6 +301,7 @@ infra-keep-probing{COLON}	{ YDVAR(1, VAR_INFRA_KEEP_PROBING) }
 num-queries-per-thread{COLON}	{ YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) }
 jostle-timeout{COLON}		{ YDVAR(1, VAR_JOSTLE_TIMEOUT) }
 delay-close{COLON}		{ YDVAR(1, VAR_DELAY_CLOSE) }
 udp-connect{COLON}		{ YDVAR(1, VAR_UDP_CONNECT) }
 target-fetch-policy{COLON}	{ YDVAR(1, VAR_TARGET_FETCH_POLICY) }
 harden-short-bufsize{COLON}	{ YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) }
 harden-large-queries{COLON}	{ YDVAR(1, VAR_HARDEN_LARGE_QUERIES) }
@ -391,6 +392,7 @@ serve-expired-ttl{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) }
 serve-expired-ttl-reset{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
 serve-expired-reply-ttl{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_REPLY_TTL) }
 serve-expired-client-timeout{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_CLIENT_TIMEOUT) }
 serve-original-ttl{COLON}	{ YDVAR(1, VAR_SERVE_ORIGINAL_TTL) }
 fake-dsa{COLON}			{ YDVAR(1, VAR_FAKE_DSA) }
 fake-sha1{COLON}		{ YDVAR(1, VAR_FAKE_SHA1) }
 val-log-level{COLON}		{ YDVAR(1, VAR_VAL_LOG_LEVEL) }
@ -511,6 +513,10 @@ dnscrypt-shared-secret-cache-slabs{COLON}	{
 		YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
 dnscrypt-nonce-cache-size{COLON}	{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) }
 dnscrypt-nonce-cache-slabs{COLON}	{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) }
 pad-responses{COLON}		{ YDVAR(1, VAR_PAD_RESPONSES) }
 pad-responses-block-size{COLON}	{ YDVAR(1, VAR_PAD_RESPONSES_BLOCK_SIZE) }
 pad-queries{COLON}		{ YDVAR(1, VAR_PAD_QUERIES) }
 pad-queries-block-size{COLON}	{ YDVAR(1, VAR_PAD_QUERIES_BLOCK_SIZE) }
 ipsecmod-enabled{COLON}		{ YDVAR(1, VAR_IPSECMOD_ENABLED) }
 ipsecmod-ignore-bogus{COLON}	{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
 ipsecmod-hook{COLON}		{ YDVAR(1, VAR_IPSECMOD_HOOK) }
@ -530,8 +536,9 @@ name-v4{COLON}			{ YDVAR(1, VAR_IPSET_NAME_V4) }
 name-v6{COLON}			{ YDVAR(1, VAR_IPSET_NAME_V6) }
 udp-upstream-without-downstream{COLON} { YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) }
 tcp-connection-limit{COLON}	{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
-edns-client-tag{COLON}		{ YDVAR(2, VAR_EDNS_CLIENT_TAG) }
+edns-client-string{COLON}	{ YDVAR(2, VAR_EDNS_CLIENT_STRING) }
-edns-client-tag-opcode{COLON}	{ YDVAR(1, VAR_EDNS_CLIENT_TAG_OPCODE) }
+edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) }
 nsid{COLON}			{ YDVAR(1, VAR_NSID ) }
 <INITIAL,val>{NEWLINE}		{ LEXOUT(("NL\n")); cfg_parser->line++; }
 	/* Quoted strings. Strip leading and ending quotes */
--- a/util/configparser.c
+++ b/util/configparser.c
--- a/util/configparser.h
+++ b/util/configparser.h
@ -1,8 +1,8 @@
-/* A Bison parser, made by GNU Bison 3.4.1.  */
+/* A Bison parser, made by GNU Bison 3.6.4.  */
 /* Bison interface for Yacc-like parsers in C
-   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
+   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2020 Free Software Foundation,
   Inc.
   This program is free software: you can redistribute it and/or modify
@ -31,8 +31,9 @@
   This special exception was added by the Free Software Foundation in
   version 2.2 of Bison.  */
-/* Undocumented macros, especially those whose name start with YY_,
+/* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual,
-   are private implementation details.  Do not rely on them.  */
+   especially those whose name start with YY_ or yy_.  They are
   private implementation details that can be changed or removed.  */
 #ifndef YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
 # define YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
@ -44,315 +45,330 @@
 extern int yydebug;
 #endif
-/* Token type.  */
+/* Token kinds.  */
 #ifndef YYTOKENTYPE
 # define YYTOKENTYPE
  enum yytokentype
  {
-    SPACE = 258,
+    YYEMPTY = -2,
-    LETTER = 259,
+    YYEOF = 0,                     /* "end of file"  */
-    NEWLINE = 260,
+    YYerror = 256,                 /* error  */
-    COMMENT = 261,
+    YYUNDEF = 257,                 /* "invalid token"  */
-    COLON = 262,
+    SPACE = 258,                   /* SPACE  */
-    ANY = 263,
+    LETTER = 259,                  /* LETTER  */
-    ZONESTR = 264,
+    NEWLINE = 260,                 /* NEWLINE  */
-    STRING_ARG = 265,
+    COMMENT = 261,                 /* COMMENT  */
-    VAR_FORCE_TOPLEVEL = 266,
+    COLON = 262,                   /* COLON  */
-    VAR_SERVER = 267,
+    ANY = 263,                     /* ANY  */
-    VAR_VERBOSITY = 268,
+    ZONESTR = 264,                 /* ZONESTR  */
-    VAR_NUM_THREADS = 269,
+    STRING_ARG = 265,              /* STRING_ARG  */
-    VAR_PORT = 270,
+    VAR_FORCE_TOPLEVEL = 266,      /* VAR_FORCE_TOPLEVEL  */
-    VAR_OUTGOING_RANGE = 271,
+    VAR_SERVER = 267,              /* VAR_SERVER  */
-    VAR_INTERFACE = 272,
+    VAR_VERBOSITY = 268,           /* VAR_VERBOSITY  */
-    VAR_PREFER_IP4 = 273,
+    VAR_NUM_THREADS = 269,         /* VAR_NUM_THREADS  */
-    VAR_DO_IP4 = 274,
+    VAR_PORT = 270,                /* VAR_PORT  */
-    VAR_DO_IP6 = 275,
+    VAR_OUTGOING_RANGE = 271,      /* VAR_OUTGOING_RANGE  */
-    VAR_PREFER_IP6 = 276,
+    VAR_INTERFACE = 272,           /* VAR_INTERFACE  */
-    VAR_DO_UDP = 277,
+    VAR_PREFER_IP4 = 273,          /* VAR_PREFER_IP4  */
-    VAR_DO_TCP = 278,
+    VAR_DO_IP4 = 274,              /* VAR_DO_IP4  */
-    VAR_TCP_MSS = 279,
+    VAR_DO_IP6 = 275,              /* VAR_DO_IP6  */
-    VAR_OUTGOING_TCP_MSS = 280,
+    VAR_PREFER_IP6 = 276,          /* VAR_PREFER_IP6  */
-    VAR_TCP_IDLE_TIMEOUT = 281,
+    VAR_DO_UDP = 277,              /* VAR_DO_UDP  */
-    VAR_EDNS_TCP_KEEPALIVE = 282,
+    VAR_DO_TCP = 278,              /* VAR_DO_TCP  */
-    VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 283,
+    VAR_TCP_MSS = 279,             /* VAR_TCP_MSS  */
-    VAR_CHROOT = 284,
+    VAR_OUTGOING_TCP_MSS = 280,    /* VAR_OUTGOING_TCP_MSS  */
-    VAR_USERNAME = 285,
+    VAR_TCP_IDLE_TIMEOUT = 281,    /* VAR_TCP_IDLE_TIMEOUT  */
-    VAR_DIRECTORY = 286,
+    VAR_EDNS_TCP_KEEPALIVE = 282,  /* VAR_EDNS_TCP_KEEPALIVE  */
-    VAR_LOGFILE = 287,
+    VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 283, /* VAR_EDNS_TCP_KEEPALIVE_TIMEOUT  */
-    VAR_PIDFILE = 288,
+    VAR_CHROOT = 284,              /* VAR_CHROOT  */
-    VAR_MSG_CACHE_SIZE = 289,
+    VAR_USERNAME = 285,            /* VAR_USERNAME  */
-    VAR_MSG_CACHE_SLABS = 290,
+    VAR_DIRECTORY = 286,           /* VAR_DIRECTORY  */
-    VAR_NUM_QUERIES_PER_THREAD = 291,
+    VAR_LOGFILE = 287,             /* VAR_LOGFILE  */
-    VAR_RRSET_CACHE_SIZE = 292,
+    VAR_PIDFILE = 288,             /* VAR_PIDFILE  */
-    VAR_RRSET_CACHE_SLABS = 293,
+    VAR_MSG_CACHE_SIZE = 289,      /* VAR_MSG_CACHE_SIZE  */
-    VAR_OUTGOING_NUM_TCP = 294,
+    VAR_MSG_CACHE_SLABS = 290,     /* VAR_MSG_CACHE_SLABS  */
-    VAR_INFRA_HOST_TTL = 295,
+    VAR_NUM_QUERIES_PER_THREAD = 291, /* VAR_NUM_QUERIES_PER_THREAD  */
-    VAR_INFRA_LAME_TTL = 296,
+    VAR_RRSET_CACHE_SIZE = 292,    /* VAR_RRSET_CACHE_SIZE  */
-    VAR_INFRA_CACHE_SLABS = 297,
+    VAR_RRSET_CACHE_SLABS = 293,   /* VAR_RRSET_CACHE_SLABS  */
-    VAR_INFRA_CACHE_NUMHOSTS = 298,
+    VAR_OUTGOING_NUM_TCP = 294,    /* VAR_OUTGOING_NUM_TCP  */
-    VAR_INFRA_CACHE_LAME_SIZE = 299,
+    VAR_INFRA_HOST_TTL = 295,      /* VAR_INFRA_HOST_TTL  */
-    VAR_NAME = 300,
+    VAR_INFRA_LAME_TTL = 296,      /* VAR_INFRA_LAME_TTL  */
-    VAR_STUB_ZONE = 301,
+    VAR_INFRA_CACHE_SLABS = 297,   /* VAR_INFRA_CACHE_SLABS  */
-    VAR_STUB_HOST = 302,
+    VAR_INFRA_CACHE_NUMHOSTS = 298, /* VAR_INFRA_CACHE_NUMHOSTS  */
-    VAR_STUB_ADDR = 303,
+    VAR_INFRA_CACHE_LAME_SIZE = 299, /* VAR_INFRA_CACHE_LAME_SIZE  */
-    VAR_TARGET_FETCH_POLICY = 304,
+    VAR_NAME = 300,                /* VAR_NAME  */
-    VAR_HARDEN_SHORT_BUFSIZE = 305,
+    VAR_STUB_ZONE = 301,           /* VAR_STUB_ZONE  */
-    VAR_HARDEN_LARGE_QUERIES = 306,
+    VAR_STUB_HOST = 302,           /* VAR_STUB_HOST  */
-    VAR_FORWARD_ZONE = 307,
+    VAR_STUB_ADDR = 303,           /* VAR_STUB_ADDR  */
-    VAR_FORWARD_HOST = 308,
+    VAR_TARGET_FETCH_POLICY = 304, /* VAR_TARGET_FETCH_POLICY  */
-    VAR_FORWARD_ADDR = 309,
+    VAR_HARDEN_SHORT_BUFSIZE = 305, /* VAR_HARDEN_SHORT_BUFSIZE  */
-    VAR_DO_NOT_QUERY_ADDRESS = 310,
+    VAR_HARDEN_LARGE_QUERIES = 306, /* VAR_HARDEN_LARGE_QUERIES  */
-    VAR_HIDE_IDENTITY = 311,
+    VAR_FORWARD_ZONE = 307,        /* VAR_FORWARD_ZONE  */
-    VAR_HIDE_VERSION = 312,
+    VAR_FORWARD_HOST = 308,        /* VAR_FORWARD_HOST  */
-    VAR_IDENTITY = 313,
+    VAR_FORWARD_ADDR = 309,        /* VAR_FORWARD_ADDR  */
-    VAR_VERSION = 314,
+    VAR_DO_NOT_QUERY_ADDRESS = 310, /* VAR_DO_NOT_QUERY_ADDRESS  */
-    VAR_HARDEN_GLUE = 315,
+    VAR_HIDE_IDENTITY = 311,       /* VAR_HIDE_IDENTITY  */
-    VAR_MODULE_CONF = 316,
+    VAR_HIDE_VERSION = 312,        /* VAR_HIDE_VERSION  */
-    VAR_TRUST_ANCHOR_FILE = 317,
+    VAR_IDENTITY = 313,            /* VAR_IDENTITY  */
-    VAR_TRUST_ANCHOR = 318,
+    VAR_VERSION = 314,             /* VAR_VERSION  */
-    VAR_VAL_OVERRIDE_DATE = 319,
+    VAR_HARDEN_GLUE = 315,         /* VAR_HARDEN_GLUE  */
-    VAR_BOGUS_TTL = 320,
+    VAR_MODULE_CONF = 316,         /* VAR_MODULE_CONF  */
-    VAR_VAL_CLEAN_ADDITIONAL = 321,
+    VAR_TRUST_ANCHOR_FILE = 317,   /* VAR_TRUST_ANCHOR_FILE  */
-    VAR_VAL_PERMISSIVE_MODE = 322,
+    VAR_TRUST_ANCHOR = 318,        /* VAR_TRUST_ANCHOR  */
-    VAR_INCOMING_NUM_TCP = 323,
+    VAR_VAL_OVERRIDE_DATE = 319,   /* VAR_VAL_OVERRIDE_DATE  */
-    VAR_MSG_BUFFER_SIZE = 324,
+    VAR_BOGUS_TTL = 320,           /* VAR_BOGUS_TTL  */
-    VAR_KEY_CACHE_SIZE = 325,
+    VAR_VAL_CLEAN_ADDITIONAL = 321, /* VAR_VAL_CLEAN_ADDITIONAL  */
-    VAR_KEY_CACHE_SLABS = 326,
+    VAR_VAL_PERMISSIVE_MODE = 322, /* VAR_VAL_PERMISSIVE_MODE  */
-    VAR_TRUSTED_KEYS_FILE = 327,
+    VAR_INCOMING_NUM_TCP = 323,    /* VAR_INCOMING_NUM_TCP  */
-    VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 328,
+    VAR_MSG_BUFFER_SIZE = 324,     /* VAR_MSG_BUFFER_SIZE  */
-    VAR_USE_SYSLOG = 329,
+    VAR_KEY_CACHE_SIZE = 325,      /* VAR_KEY_CACHE_SIZE  */
-    VAR_OUTGOING_INTERFACE = 330,
+    VAR_KEY_CACHE_SLABS = 326,     /* VAR_KEY_CACHE_SLABS  */
-    VAR_ROOT_HINTS = 331,
+    VAR_TRUSTED_KEYS_FILE = 327,   /* VAR_TRUSTED_KEYS_FILE  */
-    VAR_DO_NOT_QUERY_LOCALHOST = 332,
+    VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 328, /* VAR_VAL_NSEC3_KEYSIZE_ITERATIONS  */
-    VAR_CACHE_MAX_TTL = 333,
+    VAR_USE_SYSLOG = 329,          /* VAR_USE_SYSLOG  */
-    VAR_HARDEN_DNSSEC_STRIPPED = 334,
+    VAR_OUTGOING_INTERFACE = 330,  /* VAR_OUTGOING_INTERFACE  */
-    VAR_ACCESS_CONTROL = 335,
+    VAR_ROOT_HINTS = 331,          /* VAR_ROOT_HINTS  */
-    VAR_LOCAL_ZONE = 336,
+    VAR_DO_NOT_QUERY_LOCALHOST = 332, /* VAR_DO_NOT_QUERY_LOCALHOST  */
-    VAR_LOCAL_DATA = 337,
+    VAR_CACHE_MAX_TTL = 333,       /* VAR_CACHE_MAX_TTL  */
-    VAR_INTERFACE_AUTOMATIC = 338,
+    VAR_HARDEN_DNSSEC_STRIPPED = 334, /* VAR_HARDEN_DNSSEC_STRIPPED  */
-    VAR_STATISTICS_INTERVAL = 339,
+    VAR_ACCESS_CONTROL = 335,      /* VAR_ACCESS_CONTROL  */
-    VAR_DO_DAEMONIZE = 340,
+    VAR_LOCAL_ZONE = 336,          /* VAR_LOCAL_ZONE  */
-    VAR_USE_CAPS_FOR_ID = 341,
+    VAR_LOCAL_DATA = 337,          /* VAR_LOCAL_DATA  */
-    VAR_STATISTICS_CUMULATIVE = 342,
+    VAR_INTERFACE_AUTOMATIC = 338, /* VAR_INTERFACE_AUTOMATIC  */
-    VAR_OUTGOING_PORT_PERMIT = 343,
+    VAR_STATISTICS_INTERVAL = 339, /* VAR_STATISTICS_INTERVAL  */
-    VAR_OUTGOING_PORT_AVOID = 344,
+    VAR_DO_DAEMONIZE = 340,        /* VAR_DO_DAEMONIZE  */
-    VAR_DLV_ANCHOR_FILE = 345,
+    VAR_USE_CAPS_FOR_ID = 341,     /* VAR_USE_CAPS_FOR_ID  */
-    VAR_DLV_ANCHOR = 346,
+    VAR_STATISTICS_CUMULATIVE = 342, /* VAR_STATISTICS_CUMULATIVE  */
-    VAR_NEG_CACHE_SIZE = 347,
+    VAR_OUTGOING_PORT_PERMIT = 343, /* VAR_OUTGOING_PORT_PERMIT  */
-    VAR_HARDEN_REFERRAL_PATH = 348,
+    VAR_OUTGOING_PORT_AVOID = 344, /* VAR_OUTGOING_PORT_AVOID  */
-    VAR_PRIVATE_ADDRESS = 349,
+    VAR_DLV_ANCHOR_FILE = 345,     /* VAR_DLV_ANCHOR_FILE  */
-    VAR_PRIVATE_DOMAIN = 350,
+    VAR_DLV_ANCHOR = 346,          /* VAR_DLV_ANCHOR  */
-    VAR_REMOTE_CONTROL = 351,
+    VAR_NEG_CACHE_SIZE = 347,      /* VAR_NEG_CACHE_SIZE  */
-    VAR_CONTROL_ENABLE = 352,
+    VAR_HARDEN_REFERRAL_PATH = 348, /* VAR_HARDEN_REFERRAL_PATH  */
-    VAR_CONTROL_INTERFACE = 353,
+    VAR_PRIVATE_ADDRESS = 349,     /* VAR_PRIVATE_ADDRESS  */
-    VAR_CONTROL_PORT = 354,
+    VAR_PRIVATE_DOMAIN = 350,      /* VAR_PRIVATE_DOMAIN  */
-    VAR_SERVER_KEY_FILE = 355,
+    VAR_REMOTE_CONTROL = 351,      /* VAR_REMOTE_CONTROL  */
-    VAR_SERVER_CERT_FILE = 356,
+    VAR_CONTROL_ENABLE = 352,      /* VAR_CONTROL_ENABLE  */
-    VAR_CONTROL_KEY_FILE = 357,
+    VAR_CONTROL_INTERFACE = 353,   /* VAR_CONTROL_INTERFACE  */
-    VAR_CONTROL_CERT_FILE = 358,
+    VAR_CONTROL_PORT = 354,        /* VAR_CONTROL_PORT  */
-    VAR_CONTROL_USE_CERT = 359,
+    VAR_SERVER_KEY_FILE = 355,     /* VAR_SERVER_KEY_FILE  */
-    VAR_EXTENDED_STATISTICS = 360,
+    VAR_SERVER_CERT_FILE = 356,    /* VAR_SERVER_CERT_FILE  */
-    VAR_LOCAL_DATA_PTR = 361,
+    VAR_CONTROL_KEY_FILE = 357,    /* VAR_CONTROL_KEY_FILE  */
-    VAR_JOSTLE_TIMEOUT = 362,
+    VAR_CONTROL_CERT_FILE = 358,   /* VAR_CONTROL_CERT_FILE  */
-    VAR_STUB_PRIME = 363,
+    VAR_CONTROL_USE_CERT = 359,    /* VAR_CONTROL_USE_CERT  */
-    VAR_UNWANTED_REPLY_THRESHOLD = 364,
+    VAR_EXTENDED_STATISTICS = 360, /* VAR_EXTENDED_STATISTICS  */
-    VAR_LOG_TIME_ASCII = 365,
+    VAR_LOCAL_DATA_PTR = 361,      /* VAR_LOCAL_DATA_PTR  */
-    VAR_DOMAIN_INSECURE = 366,
+    VAR_JOSTLE_TIMEOUT = 362,      /* VAR_JOSTLE_TIMEOUT  */
-    VAR_PYTHON = 367,
+    VAR_STUB_PRIME = 363,          /* VAR_STUB_PRIME  */
-    VAR_PYTHON_SCRIPT = 368,
+    VAR_UNWANTED_REPLY_THRESHOLD = 364, /* VAR_UNWANTED_REPLY_THRESHOLD  */
-    VAR_VAL_SIG_SKEW_MIN = 369,
+    VAR_LOG_TIME_ASCII = 365,      /* VAR_LOG_TIME_ASCII  */
-    VAR_VAL_SIG_SKEW_MAX = 370,
+    VAR_DOMAIN_INSECURE = 366,     /* VAR_DOMAIN_INSECURE  */
-    VAR_CACHE_MIN_TTL = 371,
+    VAR_PYTHON = 367,              /* VAR_PYTHON  */
-    VAR_VAL_LOG_LEVEL = 372,
+    VAR_PYTHON_SCRIPT = 368,       /* VAR_PYTHON_SCRIPT  */
-    VAR_AUTO_TRUST_ANCHOR_FILE = 373,
+    VAR_VAL_SIG_SKEW_MIN = 369,    /* VAR_VAL_SIG_SKEW_MIN  */
-    VAR_KEEP_MISSING = 374,
+    VAR_VAL_SIG_SKEW_MAX = 370,    /* VAR_VAL_SIG_SKEW_MAX  */
-    VAR_ADD_HOLDDOWN = 375,
+    VAR_CACHE_MIN_TTL = 371,       /* VAR_CACHE_MIN_TTL  */
-    VAR_DEL_HOLDDOWN = 376,
+    VAR_VAL_LOG_LEVEL = 372,       /* VAR_VAL_LOG_LEVEL  */
-    VAR_SO_RCVBUF = 377,
+    VAR_AUTO_TRUST_ANCHOR_FILE = 373, /* VAR_AUTO_TRUST_ANCHOR_FILE  */
-    VAR_EDNS_BUFFER_SIZE = 378,
+    VAR_KEEP_MISSING = 374,        /* VAR_KEEP_MISSING  */
-    VAR_PREFETCH = 379,
+    VAR_ADD_HOLDDOWN = 375,        /* VAR_ADD_HOLDDOWN  */
-    VAR_PREFETCH_KEY = 380,
+    VAR_DEL_HOLDDOWN = 376,        /* VAR_DEL_HOLDDOWN  */
-    VAR_SO_SNDBUF = 381,
+    VAR_SO_RCVBUF = 377,           /* VAR_SO_RCVBUF  */
-    VAR_SO_REUSEPORT = 382,
+    VAR_EDNS_BUFFER_SIZE = 378,    /* VAR_EDNS_BUFFER_SIZE  */
-    VAR_HARDEN_BELOW_NXDOMAIN = 383,
+    VAR_PREFETCH = 379,            /* VAR_PREFETCH  */
-    VAR_IGNORE_CD_FLAG = 384,
+    VAR_PREFETCH_KEY = 380,        /* VAR_PREFETCH_KEY  */
-    VAR_LOG_QUERIES = 385,
+    VAR_SO_SNDBUF = 381,           /* VAR_SO_SNDBUF  */
-    VAR_LOG_REPLIES = 386,
+    VAR_SO_REUSEPORT = 382,        /* VAR_SO_REUSEPORT  */
-    VAR_LOG_LOCAL_ACTIONS = 387,
+    VAR_HARDEN_BELOW_NXDOMAIN = 383, /* VAR_HARDEN_BELOW_NXDOMAIN  */
-    VAR_TCP_UPSTREAM = 388,
+    VAR_IGNORE_CD_FLAG = 384,      /* VAR_IGNORE_CD_FLAG  */
-    VAR_SSL_UPSTREAM = 389,
+    VAR_LOG_QUERIES = 385,         /* VAR_LOG_QUERIES  */
-    VAR_SSL_SERVICE_KEY = 390,
+    VAR_LOG_REPLIES = 386,         /* VAR_LOG_REPLIES  */
-    VAR_SSL_SERVICE_PEM = 391,
+    VAR_LOG_LOCAL_ACTIONS = 387,   /* VAR_LOG_LOCAL_ACTIONS  */
-    VAR_SSL_PORT = 392,
+    VAR_TCP_UPSTREAM = 388,        /* VAR_TCP_UPSTREAM  */
-    VAR_FORWARD_FIRST = 393,
+    VAR_SSL_UPSTREAM = 389,        /* VAR_SSL_UPSTREAM  */
-    VAR_STUB_SSL_UPSTREAM = 394,
+    VAR_SSL_SERVICE_KEY = 390,     /* VAR_SSL_SERVICE_KEY  */
-    VAR_FORWARD_SSL_UPSTREAM = 395,
+    VAR_SSL_SERVICE_PEM = 391,     /* VAR_SSL_SERVICE_PEM  */
-    VAR_TLS_CERT_BUNDLE = 396,
+    VAR_SSL_PORT = 392,            /* VAR_SSL_PORT  */
-    VAR_HTTPS_PORT = 397,
+    VAR_FORWARD_FIRST = 393,       /* VAR_FORWARD_FIRST  */
-    VAR_HTTP_ENDPOINT = 398,
+    VAR_STUB_SSL_UPSTREAM = 394,   /* VAR_STUB_SSL_UPSTREAM  */
-    VAR_HTTP_MAX_STREAMS = 399,
+    VAR_FORWARD_SSL_UPSTREAM = 395, /* VAR_FORWARD_SSL_UPSTREAM  */
-    VAR_HTTP_QUERY_BUFFER_SIZE = 400,
+    VAR_TLS_CERT_BUNDLE = 396,     /* VAR_TLS_CERT_BUNDLE  */
-    VAR_HTTP_RESPONSE_BUFFER_SIZE = 401,
+    VAR_HTTPS_PORT = 397,          /* VAR_HTTPS_PORT  */
-    VAR_HTTP_NODELAY = 402,
+    VAR_HTTP_ENDPOINT = 398,       /* VAR_HTTP_ENDPOINT  */
-    VAR_HTTP_NOTLS_DOWNSTREAM = 403,
+    VAR_HTTP_MAX_STREAMS = 399,    /* VAR_HTTP_MAX_STREAMS  */
-    VAR_STUB_FIRST = 404,
+    VAR_HTTP_QUERY_BUFFER_SIZE = 400, /* VAR_HTTP_QUERY_BUFFER_SIZE  */
-    VAR_MINIMAL_RESPONSES = 405,
+    VAR_HTTP_RESPONSE_BUFFER_SIZE = 401, /* VAR_HTTP_RESPONSE_BUFFER_SIZE  */
-    VAR_RRSET_ROUNDROBIN = 406,
+    VAR_HTTP_NODELAY = 402,        /* VAR_HTTP_NODELAY  */
-    VAR_MAX_UDP_SIZE = 407,
+    VAR_HTTP_NOTLS_DOWNSTREAM = 403, /* VAR_HTTP_NOTLS_DOWNSTREAM  */
-    VAR_DELAY_CLOSE = 408,
+    VAR_STUB_FIRST = 404,          /* VAR_STUB_FIRST  */
-    VAR_UNBLOCK_LAN_ZONES = 409,
+    VAR_MINIMAL_RESPONSES = 405,   /* VAR_MINIMAL_RESPONSES  */
-    VAR_INSECURE_LAN_ZONES = 410,
+    VAR_RRSET_ROUNDROBIN = 406,    /* VAR_RRSET_ROUNDROBIN  */
-    VAR_INFRA_CACHE_MIN_RTT = 411,
+    VAR_MAX_UDP_SIZE = 407,        /* VAR_MAX_UDP_SIZE  */
-    VAR_INFRA_KEEP_PROBING = 412,
+    VAR_DELAY_CLOSE = 408,         /* VAR_DELAY_CLOSE  */
-    VAR_DNS64_PREFIX = 413,
+    VAR_UDP_CONNECT = 409,         /* VAR_UDP_CONNECT  */
-    VAR_DNS64_SYNTHALL = 414,
+    VAR_UNBLOCK_LAN_ZONES = 410,   /* VAR_UNBLOCK_LAN_ZONES  */
-    VAR_DNS64_IGNORE_AAAA = 415,
+    VAR_INSECURE_LAN_ZONES = 411,  /* VAR_INSECURE_LAN_ZONES  */
-    VAR_DNSTAP = 416,
+    VAR_INFRA_CACHE_MIN_RTT = 412, /* VAR_INFRA_CACHE_MIN_RTT  */
-    VAR_DNSTAP_ENABLE = 417,
+    VAR_INFRA_KEEP_PROBING = 413,  /* VAR_INFRA_KEEP_PROBING  */
-    VAR_DNSTAP_SOCKET_PATH = 418,
+    VAR_DNS64_PREFIX = 414,        /* VAR_DNS64_PREFIX  */
-    VAR_DNSTAP_IP = 419,
+    VAR_DNS64_SYNTHALL = 415,      /* VAR_DNS64_SYNTHALL  */
-    VAR_DNSTAP_TLS = 420,
+    VAR_DNS64_IGNORE_AAAA = 416,   /* VAR_DNS64_IGNORE_AAAA  */
-    VAR_DNSTAP_TLS_SERVER_NAME = 421,
+    VAR_DNSTAP = 417,              /* VAR_DNSTAP  */
-    VAR_DNSTAP_TLS_CERT_BUNDLE = 422,
+    VAR_DNSTAP_ENABLE = 418,       /* VAR_DNSTAP_ENABLE  */
-    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 423,
+    VAR_DNSTAP_SOCKET_PATH = 419,  /* VAR_DNSTAP_SOCKET_PATH  */
-    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 424,
+    VAR_DNSTAP_IP = 420,           /* VAR_DNSTAP_IP  */
-    VAR_DNSTAP_SEND_IDENTITY = 425,
+    VAR_DNSTAP_TLS = 421,          /* VAR_DNSTAP_TLS  */
-    VAR_DNSTAP_SEND_VERSION = 426,
+    VAR_DNSTAP_TLS_SERVER_NAME = 422, /* VAR_DNSTAP_TLS_SERVER_NAME  */
-    VAR_DNSTAP_BIDIRECTIONAL = 427,
+    VAR_DNSTAP_TLS_CERT_BUNDLE = 423, /* VAR_DNSTAP_TLS_CERT_BUNDLE  */
-    VAR_DNSTAP_IDENTITY = 428,
+    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 424, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE  */
-    VAR_DNSTAP_VERSION = 429,
+    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 425, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE  */
-    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 430,
+    VAR_DNSTAP_SEND_IDENTITY = 426, /* VAR_DNSTAP_SEND_IDENTITY  */
-    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 431,
+    VAR_DNSTAP_SEND_VERSION = 427, /* VAR_DNSTAP_SEND_VERSION  */
-    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 432,
+    VAR_DNSTAP_BIDIRECTIONAL = 428, /* VAR_DNSTAP_BIDIRECTIONAL  */
-    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 433,
+    VAR_DNSTAP_IDENTITY = 429,     /* VAR_DNSTAP_IDENTITY  */
-    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 434,
+    VAR_DNSTAP_VERSION = 430,      /* VAR_DNSTAP_VERSION  */
-    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 435,
+    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 431, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES  */
-    VAR_RESPONSE_IP_TAG = 436,
+    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 432, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES  */
-    VAR_RESPONSE_IP = 437,
+    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 433, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES  */
-    VAR_RESPONSE_IP_DATA = 438,
+    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 434, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES  */
-    VAR_HARDEN_ALGO_DOWNGRADE = 439,
+    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 435, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES  */
-    VAR_IP_TRANSPARENT = 440,
+    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES  */
-    VAR_IP_DSCP = 441,
+    VAR_RESPONSE_IP_TAG = 437,     /* VAR_RESPONSE_IP_TAG  */
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 442,
+    VAR_RESPONSE_IP = 438,         /* VAR_RESPONSE_IP  */
-    VAR_IP_RATELIMIT = 443,
+    VAR_RESPONSE_IP_DATA = 439,    /* VAR_RESPONSE_IP_DATA  */
-    VAR_IP_RATELIMIT_SLABS = 444,
+    VAR_HARDEN_ALGO_DOWNGRADE = 440, /* VAR_HARDEN_ALGO_DOWNGRADE  */
-    VAR_IP_RATELIMIT_SIZE = 445,
+    VAR_IP_TRANSPARENT = 441,      /* VAR_IP_TRANSPARENT  */
-    VAR_RATELIMIT = 446,
+    VAR_IP_DSCP = 442,             /* VAR_IP_DSCP  */
-    VAR_RATELIMIT_SLABS = 447,
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 443, /* VAR_DISABLE_DNSSEC_LAME_CHECK  */
-    VAR_RATELIMIT_SIZE = 448,
+    VAR_IP_RATELIMIT = 444,        /* VAR_IP_RATELIMIT  */
-    VAR_RATELIMIT_FOR_DOMAIN = 449,
+    VAR_IP_RATELIMIT_SLABS = 445,  /* VAR_IP_RATELIMIT_SLABS  */
-    VAR_RATELIMIT_BELOW_DOMAIN = 450,
+    VAR_IP_RATELIMIT_SIZE = 446,   /* VAR_IP_RATELIMIT_SIZE  */
-    VAR_IP_RATELIMIT_FACTOR = 451,
+    VAR_RATELIMIT = 447,           /* VAR_RATELIMIT  */
-    VAR_RATELIMIT_FACTOR = 452,
+    VAR_RATELIMIT_SLABS = 448,     /* VAR_RATELIMIT_SLABS  */
-    VAR_SEND_CLIENT_SUBNET = 453,
+    VAR_RATELIMIT_SIZE = 449,      /* VAR_RATELIMIT_SIZE  */
-    VAR_CLIENT_SUBNET_ZONE = 454,
+    VAR_RATELIMIT_FOR_DOMAIN = 450, /* VAR_RATELIMIT_FOR_DOMAIN  */
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 455,
+    VAR_RATELIMIT_BELOW_DOMAIN = 451, /* VAR_RATELIMIT_BELOW_DOMAIN  */
-    VAR_CLIENT_SUBNET_OPCODE = 456,
+    VAR_IP_RATELIMIT_FACTOR = 452, /* VAR_IP_RATELIMIT_FACTOR  */
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 457,
+    VAR_RATELIMIT_FACTOR = 453,    /* VAR_RATELIMIT_FACTOR  */
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 458,
+    VAR_SEND_CLIENT_SUBNET = 454,  /* VAR_SEND_CLIENT_SUBNET  */
-    VAR_MIN_CLIENT_SUBNET_IPV4 = 459,
+    VAR_CLIENT_SUBNET_ZONE = 455,  /* VAR_CLIENT_SUBNET_ZONE  */
-    VAR_MIN_CLIENT_SUBNET_IPV6 = 460,
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 456, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD  */
-    VAR_MAX_ECS_TREE_SIZE_IPV4 = 461,
+    VAR_CLIENT_SUBNET_OPCODE = 457, /* VAR_CLIENT_SUBNET_OPCODE  */
-    VAR_MAX_ECS_TREE_SIZE_IPV6 = 462,
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 458, /* VAR_MAX_CLIENT_SUBNET_IPV4  */
-    VAR_CAPS_WHITELIST = 463,
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 459, /* VAR_MAX_CLIENT_SUBNET_IPV6  */
-    VAR_CACHE_MAX_NEGATIVE_TTL = 464,
+    VAR_MIN_CLIENT_SUBNET_IPV4 = 460, /* VAR_MIN_CLIENT_SUBNET_IPV4  */
-    VAR_PERMIT_SMALL_HOLDDOWN = 465,
+    VAR_MIN_CLIENT_SUBNET_IPV6 = 461, /* VAR_MIN_CLIENT_SUBNET_IPV6  */
-    VAR_QNAME_MINIMISATION = 466,
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 462, /* VAR_MAX_ECS_TREE_SIZE_IPV4  */
-    VAR_QNAME_MINIMISATION_STRICT = 467,
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 463, /* VAR_MAX_ECS_TREE_SIZE_IPV6  */
-    VAR_IP_FREEBIND = 468,
+    VAR_CAPS_WHITELIST = 464,      /* VAR_CAPS_WHITELIST  */
-    VAR_DEFINE_TAG = 469,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 465, /* VAR_CACHE_MAX_NEGATIVE_TTL  */
-    VAR_LOCAL_ZONE_TAG = 470,
+    VAR_PERMIT_SMALL_HOLDDOWN = 466, /* VAR_PERMIT_SMALL_HOLDDOWN  */
-    VAR_ACCESS_CONTROL_TAG = 471,
+    VAR_QNAME_MINIMISATION = 467,  /* VAR_QNAME_MINIMISATION  */
-    VAR_LOCAL_ZONE_OVERRIDE = 472,
+    VAR_QNAME_MINIMISATION_STRICT = 468, /* VAR_QNAME_MINIMISATION_STRICT  */
-    VAR_ACCESS_CONTROL_TAG_ACTION = 473,
+    VAR_IP_FREEBIND = 469,         /* VAR_IP_FREEBIND  */
-    VAR_ACCESS_CONTROL_TAG_DATA = 474,
+    VAR_DEFINE_TAG = 470,          /* VAR_DEFINE_TAG  */
-    VAR_VIEW = 475,
+    VAR_LOCAL_ZONE_TAG = 471,      /* VAR_LOCAL_ZONE_TAG  */
-    VAR_ACCESS_CONTROL_VIEW = 476,
+    VAR_ACCESS_CONTROL_TAG = 472,  /* VAR_ACCESS_CONTROL_TAG  */
-    VAR_VIEW_FIRST = 477,
+    VAR_LOCAL_ZONE_OVERRIDE = 473, /* VAR_LOCAL_ZONE_OVERRIDE  */
-    VAR_SERVE_EXPIRED = 478,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 474, /* VAR_ACCESS_CONTROL_TAG_ACTION  */
-    VAR_SERVE_EXPIRED_TTL = 479,
+    VAR_ACCESS_CONTROL_TAG_DATA = 475, /* VAR_ACCESS_CONTROL_TAG_DATA  */
-    VAR_SERVE_EXPIRED_TTL_RESET = 480,
+    VAR_VIEW = 476,                /* VAR_VIEW  */
-    VAR_SERVE_EXPIRED_REPLY_TTL = 481,
+    VAR_ACCESS_CONTROL_VIEW = 477, /* VAR_ACCESS_CONTROL_VIEW  */
-    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 482,
+    VAR_VIEW_FIRST = 478,          /* VAR_VIEW_FIRST  */
-    VAR_FAKE_DSA = 483,
+    VAR_SERVE_EXPIRED = 479,       /* VAR_SERVE_EXPIRED  */
-    VAR_FAKE_SHA1 = 484,
+    VAR_SERVE_EXPIRED_TTL = 480,   /* VAR_SERVE_EXPIRED_TTL  */
-    VAR_LOG_IDENTITY = 485,
+    VAR_SERVE_EXPIRED_TTL_RESET = 481, /* VAR_SERVE_EXPIRED_TTL_RESET  */
-    VAR_HIDE_TRUSTANCHOR = 486,
+    VAR_SERVE_EXPIRED_REPLY_TTL = 482, /* VAR_SERVE_EXPIRED_REPLY_TTL  */
-    VAR_TRUST_ANCHOR_SIGNALING = 487,
+    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 483, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT  */
-    VAR_AGGRESSIVE_NSEC = 488,
+    VAR_SERVE_ORIGINAL_TTL = 484,  /* VAR_SERVE_ORIGINAL_TTL  */
-    VAR_USE_SYSTEMD = 489,
+    VAR_FAKE_DSA = 485,            /* VAR_FAKE_DSA  */
-    VAR_SHM_ENABLE = 490,
+    VAR_FAKE_SHA1 = 486,           /* VAR_FAKE_SHA1  */
-    VAR_SHM_KEY = 491,
+    VAR_LOG_IDENTITY = 487,        /* VAR_LOG_IDENTITY  */
-    VAR_ROOT_KEY_SENTINEL = 492,
+    VAR_HIDE_TRUSTANCHOR = 488,    /* VAR_HIDE_TRUSTANCHOR  */
-    VAR_DNSCRYPT = 493,
+    VAR_TRUST_ANCHOR_SIGNALING = 489, /* VAR_TRUST_ANCHOR_SIGNALING  */
-    VAR_DNSCRYPT_ENABLE = 494,
+    VAR_AGGRESSIVE_NSEC = 490,     /* VAR_AGGRESSIVE_NSEC  */
-    VAR_DNSCRYPT_PORT = 495,
+    VAR_USE_SYSTEMD = 491,         /* VAR_USE_SYSTEMD  */
-    VAR_DNSCRYPT_PROVIDER = 496,
+    VAR_SHM_ENABLE = 492,          /* VAR_SHM_ENABLE  */
-    VAR_DNSCRYPT_SECRET_KEY = 497,
+    VAR_SHM_KEY = 493,             /* VAR_SHM_KEY  */
-    VAR_DNSCRYPT_PROVIDER_CERT = 498,
+    VAR_ROOT_KEY_SENTINEL = 494,   /* VAR_ROOT_KEY_SENTINEL  */
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 499,
+    VAR_DNSCRYPT = 495,            /* VAR_DNSCRYPT  */
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 500,
+    VAR_DNSCRYPT_ENABLE = 496,     /* VAR_DNSCRYPT_ENABLE  */
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 501,
+    VAR_DNSCRYPT_PORT = 497,       /* VAR_DNSCRYPT_PORT  */
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 502,
+    VAR_DNSCRYPT_PROVIDER = 498,   /* VAR_DNSCRYPT_PROVIDER  */
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 503,
+    VAR_DNSCRYPT_SECRET_KEY = 499, /* VAR_DNSCRYPT_SECRET_KEY  */
-    VAR_IPSECMOD_ENABLED = 504,
+    VAR_DNSCRYPT_PROVIDER_CERT = 500, /* VAR_DNSCRYPT_PROVIDER_CERT  */
-    VAR_IPSECMOD_HOOK = 505,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 501, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED  */
-    VAR_IPSECMOD_IGNORE_BOGUS = 506,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 502, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE  */
-    VAR_IPSECMOD_MAX_TTL = 507,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 503, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS  */
-    VAR_IPSECMOD_WHITELIST = 508,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 504, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE  */
-    VAR_IPSECMOD_STRICT = 509,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 505, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS  */
-    VAR_CACHEDB = 510,
+    VAR_PAD_RESPONSES = 506,       /* VAR_PAD_RESPONSES  */
-    VAR_CACHEDB_BACKEND = 511,
+    VAR_PAD_RESPONSES_BLOCK_SIZE = 507, /* VAR_PAD_RESPONSES_BLOCK_SIZE  */
-    VAR_CACHEDB_SECRETSEED = 512,
+    VAR_PAD_QUERIES = 508,         /* VAR_PAD_QUERIES  */
-    VAR_CACHEDB_REDISHOST = 513,
+    VAR_PAD_QUERIES_BLOCK_SIZE = 509, /* VAR_PAD_QUERIES_BLOCK_SIZE  */
-    VAR_CACHEDB_REDISPORT = 514,
+    VAR_IPSECMOD_ENABLED = 510,    /* VAR_IPSECMOD_ENABLED  */
-    VAR_CACHEDB_REDISTIMEOUT = 515,
+    VAR_IPSECMOD_HOOK = 511,       /* VAR_IPSECMOD_HOOK  */
-    VAR_CACHEDB_REDISEXPIRERECORDS = 516,
+    VAR_IPSECMOD_IGNORE_BOGUS = 512, /* VAR_IPSECMOD_IGNORE_BOGUS  */
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 517,
+    VAR_IPSECMOD_MAX_TTL = 513,    /* VAR_IPSECMOD_MAX_TTL  */
-    VAR_FOR_UPSTREAM = 518,
+    VAR_IPSECMOD_WHITELIST = 514,  /* VAR_IPSECMOD_WHITELIST  */
-    VAR_AUTH_ZONE = 519,
+    VAR_IPSECMOD_STRICT = 515,     /* VAR_IPSECMOD_STRICT  */
-    VAR_ZONEFILE = 520,
+    VAR_CACHEDB = 516,             /* VAR_CACHEDB  */
-    VAR_MASTER = 521,
+    VAR_CACHEDB_BACKEND = 517,     /* VAR_CACHEDB_BACKEND  */
-    VAR_URL = 522,
+    VAR_CACHEDB_SECRETSEED = 518,  /* VAR_CACHEDB_SECRETSEED  */
-    VAR_FOR_DOWNSTREAM = 523,
+    VAR_CACHEDB_REDISHOST = 519,   /* VAR_CACHEDB_REDISHOST  */
-    VAR_FALLBACK_ENABLED = 524,
+    VAR_CACHEDB_REDISPORT = 520,   /* VAR_CACHEDB_REDISPORT  */
-    VAR_TLS_ADDITIONAL_PORT = 525,
+    VAR_CACHEDB_REDISTIMEOUT = 521, /* VAR_CACHEDB_REDISTIMEOUT  */
-    VAR_LOW_RTT = 526,
+    VAR_CACHEDB_REDISEXPIRERECORDS = 522, /* VAR_CACHEDB_REDISEXPIRERECORDS  */
-    VAR_LOW_RTT_PERMIL = 527,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 523, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM  */
-    VAR_FAST_SERVER_PERMIL = 528,
+    VAR_FOR_UPSTREAM = 524,        /* VAR_FOR_UPSTREAM  */
-    VAR_FAST_SERVER_NUM = 529,
+    VAR_AUTH_ZONE = 525,           /* VAR_AUTH_ZONE  */
-    VAR_ALLOW_NOTIFY = 530,
+    VAR_ZONEFILE = 526,            /* VAR_ZONEFILE  */
-    VAR_TLS_WIN_CERT = 531,
+    VAR_MASTER = 527,              /* VAR_MASTER  */
-    VAR_TCP_CONNECTION_LIMIT = 532,
+    VAR_URL = 528,                 /* VAR_URL  */
-    VAR_FORWARD_NO_CACHE = 533,
+    VAR_FOR_DOWNSTREAM = 529,      /* VAR_FOR_DOWNSTREAM  */
-    VAR_STUB_NO_CACHE = 534,
+    VAR_FALLBACK_ENABLED = 530,    /* VAR_FALLBACK_ENABLED  */
-    VAR_LOG_SERVFAIL = 535,
+    VAR_TLS_ADDITIONAL_PORT = 531, /* VAR_TLS_ADDITIONAL_PORT  */
-    VAR_DENY_ANY = 536,
+    VAR_LOW_RTT = 532,             /* VAR_LOW_RTT  */
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 537,
+    VAR_LOW_RTT_PERMIL = 533,      /* VAR_LOW_RTT_PERMIL  */
-    VAR_LOG_TAG_QUERYREPLY = 538,
+    VAR_FAST_SERVER_PERMIL = 534,  /* VAR_FAST_SERVER_PERMIL  */
-    VAR_STREAM_WAIT_SIZE = 539,
+    VAR_FAST_SERVER_NUM = 535,     /* VAR_FAST_SERVER_NUM  */
-    VAR_TLS_CIPHERS = 540,
+    VAR_ALLOW_NOTIFY = 536,        /* VAR_ALLOW_NOTIFY  */
-    VAR_TLS_CIPHERSUITES = 541,
+    VAR_TLS_WIN_CERT = 537,        /* VAR_TLS_WIN_CERT  */
-    VAR_TLS_USE_SNI = 542,
+    VAR_TCP_CONNECTION_LIMIT = 538, /* VAR_TCP_CONNECTION_LIMIT  */
-    VAR_IPSET = 543,
+    VAR_FORWARD_NO_CACHE = 539,    /* VAR_FORWARD_NO_CACHE  */
-    VAR_IPSET_NAME_V4 = 544,
+    VAR_STUB_NO_CACHE = 540,       /* VAR_STUB_NO_CACHE  */
-    VAR_IPSET_NAME_V6 = 545,
+    VAR_LOG_SERVFAIL = 541,        /* VAR_LOG_SERVFAIL  */
-    VAR_TLS_SESSION_TICKET_KEYS = 546,
+    VAR_DENY_ANY = 542,            /* VAR_DENY_ANY  */
-    VAR_RPZ = 547,
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 543, /* VAR_UNKNOWN_SERVER_TIME_LIMIT  */
-    VAR_TAGS = 548,
+    VAR_LOG_TAG_QUERYREPLY = 544,  /* VAR_LOG_TAG_QUERYREPLY  */
-    VAR_RPZ_ACTION_OVERRIDE = 549,
+    VAR_STREAM_WAIT_SIZE = 545,    /* VAR_STREAM_WAIT_SIZE  */
-    VAR_RPZ_CNAME_OVERRIDE = 550,
+    VAR_TLS_CIPHERS = 546,         /* VAR_TLS_CIPHERS  */
-    VAR_RPZ_LOG = 551,
+    VAR_TLS_CIPHERSUITES = 547,    /* VAR_TLS_CIPHERSUITES  */
-    VAR_RPZ_LOG_NAME = 552,
+    VAR_TLS_USE_SNI = 548,         /* VAR_TLS_USE_SNI  */
-    VAR_DYNLIB = 553,
+    VAR_IPSET = 549,               /* VAR_IPSET  */
-    VAR_DYNLIB_FILE = 554,
+    VAR_IPSET_NAME_V4 = 550,       /* VAR_IPSET_NAME_V4  */
-    VAR_EDNS_CLIENT_TAG = 555,
+    VAR_IPSET_NAME_V6 = 551,       /* VAR_IPSET_NAME_V6  */
-    VAR_EDNS_CLIENT_TAG_OPCODE = 556,
+    VAR_TLS_SESSION_TICKET_KEYS = 552, /* VAR_TLS_SESSION_TICKET_KEYS  */
-    VAR_ZONEMD_PERMISSIVE_MODE = 557,
+    VAR_RPZ = 553,                 /* VAR_RPZ  */
-    VAR_ZONEMD_REJECT_ABSENCE = 558
+    VAR_TAGS = 554,                /* VAR_TAGS  */
    VAR_RPZ_ACTION_OVERRIDE = 555, /* VAR_RPZ_ACTION_OVERRIDE  */
    VAR_RPZ_CNAME_OVERRIDE = 556,  /* VAR_RPZ_CNAME_OVERRIDE  */
    VAR_RPZ_LOG = 557,             /* VAR_RPZ_LOG  */
    VAR_RPZ_LOG_NAME = 558,        /* VAR_RPZ_LOG_NAME  */
    VAR_DYNLIB = 559,              /* VAR_DYNLIB  */
    VAR_DYNLIB_FILE = 560,         /* VAR_DYNLIB_FILE  */
    VAR_EDNS_CLIENT_STRING = 561,  /* VAR_EDNS_CLIENT_STRING  */
    VAR_EDNS_CLIENT_STRING_OPCODE = 562, /* VAR_EDNS_CLIENT_STRING_OPCODE  */
    VAR_NSID = 563,                /* VAR_NSID  */
    VAR_ZONEMD_PERMISSIVE_MODE = 564, /* VAR_ZONEMD_PERMISSIVE_MODE  */
    VAR_ZONEMD_REJECT_ABSENCE = 565 /* VAR_ZONEMD_REJECT_ABSENCE  */
  };
  typedef enum yytokentype yytoken_kind_t;
 #endif
-/* Tokens.  */
+/* Token kinds.  */
 #define YYEOF 0
 #define YYerror 256
 #define YYUNDEF 257
 #define SPACE 258
 #define LETTER 259
 #define NEWLINE 260
@ -504,156 +520,163 @@ extern int yydebug;
 #define VAR_RRSET_ROUNDROBIN 406
 #define VAR_MAX_UDP_SIZE 407
 #define VAR_DELAY_CLOSE 408
-#define VAR_UNBLOCK_LAN_ZONES 409
+#define VAR_UDP_CONNECT 409
-#define VAR_INSECURE_LAN_ZONES 410
+#define VAR_UNBLOCK_LAN_ZONES 410
-#define VAR_INFRA_CACHE_MIN_RTT 411
+#define VAR_INSECURE_LAN_ZONES 411
-#define VAR_INFRA_KEEP_PROBING 412
+#define VAR_INFRA_CACHE_MIN_RTT 412
-#define VAR_DNS64_PREFIX 413
+#define VAR_INFRA_KEEP_PROBING 413
-#define VAR_DNS64_SYNTHALL 414
+#define VAR_DNS64_PREFIX 414
-#define VAR_DNS64_IGNORE_AAAA 415
+#define VAR_DNS64_SYNTHALL 415
-#define VAR_DNSTAP 416
+#define VAR_DNS64_IGNORE_AAAA 416
-#define VAR_DNSTAP_ENABLE 417
+#define VAR_DNSTAP 417
-#define VAR_DNSTAP_SOCKET_PATH 418
+#define VAR_DNSTAP_ENABLE 418
-#define VAR_DNSTAP_IP 419
+#define VAR_DNSTAP_SOCKET_PATH 419
-#define VAR_DNSTAP_TLS 420
+#define VAR_DNSTAP_IP 420
-#define VAR_DNSTAP_TLS_SERVER_NAME 421
+#define VAR_DNSTAP_TLS 421
-#define VAR_DNSTAP_TLS_CERT_BUNDLE 422
+#define VAR_DNSTAP_TLS_SERVER_NAME 422
-#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 423
+#define VAR_DNSTAP_TLS_CERT_BUNDLE 423
-#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 424
+#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 424
-#define VAR_DNSTAP_SEND_IDENTITY 425
+#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 425
-#define VAR_DNSTAP_SEND_VERSION 426
+#define VAR_DNSTAP_SEND_IDENTITY 426
-#define VAR_DNSTAP_BIDIRECTIONAL 427
+#define VAR_DNSTAP_SEND_VERSION 427
-#define VAR_DNSTAP_IDENTITY 428
+#define VAR_DNSTAP_BIDIRECTIONAL 428
-#define VAR_DNSTAP_VERSION 429
+#define VAR_DNSTAP_IDENTITY 429
-#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 430
+#define VAR_DNSTAP_VERSION 430
-#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 431
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 431
-#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 432
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 432
-#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 433
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 433
-#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 434
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 434
-#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 435
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 435
-#define VAR_RESPONSE_IP_TAG 436
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 436
-#define VAR_RESPONSE_IP 437
+#define VAR_RESPONSE_IP_TAG 437
-#define VAR_RESPONSE_IP_DATA 438
+#define VAR_RESPONSE_IP 438
-#define VAR_HARDEN_ALGO_DOWNGRADE 439
+#define VAR_RESPONSE_IP_DATA 439
-#define VAR_IP_TRANSPARENT 440
+#define VAR_HARDEN_ALGO_DOWNGRADE 440
-#define VAR_IP_DSCP 441
+#define VAR_IP_TRANSPARENT 441
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 442
+#define VAR_IP_DSCP 442
-#define VAR_IP_RATELIMIT 443
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 443
-#define VAR_IP_RATELIMIT_SLABS 444
+#define VAR_IP_RATELIMIT 444
-#define VAR_IP_RATELIMIT_SIZE 445
+#define VAR_IP_RATELIMIT_SLABS 445
-#define VAR_RATELIMIT 446
+#define VAR_IP_RATELIMIT_SIZE 446
-#define VAR_RATELIMIT_SLABS 447
+#define VAR_RATELIMIT 447
-#define VAR_RATELIMIT_SIZE 448
+#define VAR_RATELIMIT_SLABS 448
-#define VAR_RATELIMIT_FOR_DOMAIN 449
+#define VAR_RATELIMIT_SIZE 449
-#define VAR_RATELIMIT_BELOW_DOMAIN 450
+#define VAR_RATELIMIT_FOR_DOMAIN 450
-#define VAR_IP_RATELIMIT_FACTOR 451
+#define VAR_RATELIMIT_BELOW_DOMAIN 451
-#define VAR_RATELIMIT_FACTOR 452
+#define VAR_IP_RATELIMIT_FACTOR 452
-#define VAR_SEND_CLIENT_SUBNET 453
+#define VAR_RATELIMIT_FACTOR 453
-#define VAR_CLIENT_SUBNET_ZONE 454
+#define VAR_SEND_CLIENT_SUBNET 454
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 455
+#define VAR_CLIENT_SUBNET_ZONE 455
-#define VAR_CLIENT_SUBNET_OPCODE 456
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 456
-#define VAR_MAX_CLIENT_SUBNET_IPV4 457
+#define VAR_CLIENT_SUBNET_OPCODE 457
-#define VAR_MAX_CLIENT_SUBNET_IPV6 458
+#define VAR_MAX_CLIENT_SUBNET_IPV4 458
-#define VAR_MIN_CLIENT_SUBNET_IPV4 459
+#define VAR_MAX_CLIENT_SUBNET_IPV6 459
-#define VAR_MIN_CLIENT_SUBNET_IPV6 460
+#define VAR_MIN_CLIENT_SUBNET_IPV4 460
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 461
+#define VAR_MIN_CLIENT_SUBNET_IPV6 461
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 462
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 462
-#define VAR_CAPS_WHITELIST 463
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 463
-#define VAR_CACHE_MAX_NEGATIVE_TTL 464
+#define VAR_CAPS_WHITELIST 464
-#define VAR_PERMIT_SMALL_HOLDDOWN 465
+#define VAR_CACHE_MAX_NEGATIVE_TTL 465
-#define VAR_QNAME_MINIMISATION 466
+#define VAR_PERMIT_SMALL_HOLDDOWN 466
-#define VAR_QNAME_MINIMISATION_STRICT 467
+#define VAR_QNAME_MINIMISATION 467
-#define VAR_IP_FREEBIND 468
+#define VAR_QNAME_MINIMISATION_STRICT 468
-#define VAR_DEFINE_TAG 469
+#define VAR_IP_FREEBIND 469
-#define VAR_LOCAL_ZONE_TAG 470
+#define VAR_DEFINE_TAG 470
-#define VAR_ACCESS_CONTROL_TAG 471
+#define VAR_LOCAL_ZONE_TAG 471
-#define VAR_LOCAL_ZONE_OVERRIDE 472
+#define VAR_ACCESS_CONTROL_TAG 472
-#define VAR_ACCESS_CONTROL_TAG_ACTION 473
+#define VAR_LOCAL_ZONE_OVERRIDE 473
-#define VAR_ACCESS_CONTROL_TAG_DATA 474
+#define VAR_ACCESS_CONTROL_TAG_ACTION 474
-#define VAR_VIEW 475
+#define VAR_ACCESS_CONTROL_TAG_DATA 475
-#define VAR_ACCESS_CONTROL_VIEW 476
+#define VAR_VIEW 476
-#define VAR_VIEW_FIRST 477
+#define VAR_ACCESS_CONTROL_VIEW 477
-#define VAR_SERVE_EXPIRED 478
+#define VAR_VIEW_FIRST 478
-#define VAR_SERVE_EXPIRED_TTL 479
+#define VAR_SERVE_EXPIRED 479
-#define VAR_SERVE_EXPIRED_TTL_RESET 480
+#define VAR_SERVE_EXPIRED_TTL 480
-#define VAR_SERVE_EXPIRED_REPLY_TTL 481
+#define VAR_SERVE_EXPIRED_TTL_RESET 481
-#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 482
+#define VAR_SERVE_EXPIRED_REPLY_TTL 482
-#define VAR_FAKE_DSA 483
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 483
-#define VAR_FAKE_SHA1 484
+#define VAR_SERVE_ORIGINAL_TTL 484
-#define VAR_LOG_IDENTITY 485
+#define VAR_FAKE_DSA 485
-#define VAR_HIDE_TRUSTANCHOR 486
+#define VAR_FAKE_SHA1 486
-#define VAR_TRUST_ANCHOR_SIGNALING 487
+#define VAR_LOG_IDENTITY 487
-#define VAR_AGGRESSIVE_NSEC 488
+#define VAR_HIDE_TRUSTANCHOR 488
-#define VAR_USE_SYSTEMD 489
+#define VAR_TRUST_ANCHOR_SIGNALING 489
-#define VAR_SHM_ENABLE 490
+#define VAR_AGGRESSIVE_NSEC 490
-#define VAR_SHM_KEY 491
+#define VAR_USE_SYSTEMD 491
-#define VAR_ROOT_KEY_SENTINEL 492
+#define VAR_SHM_ENABLE 492
-#define VAR_DNSCRYPT 493
+#define VAR_SHM_KEY 493
-#define VAR_DNSCRYPT_ENABLE 494
+#define VAR_ROOT_KEY_SENTINEL 494
-#define VAR_DNSCRYPT_PORT 495
+#define VAR_DNSCRYPT 495
-#define VAR_DNSCRYPT_PROVIDER 496
+#define VAR_DNSCRYPT_ENABLE 496
-#define VAR_DNSCRYPT_SECRET_KEY 497
+#define VAR_DNSCRYPT_PORT 497
-#define VAR_DNSCRYPT_PROVIDER_CERT 498
+#define VAR_DNSCRYPT_PROVIDER 498
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 499
+#define VAR_DNSCRYPT_SECRET_KEY 499
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 500
+#define VAR_DNSCRYPT_PROVIDER_CERT 500
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 501
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 501
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 502
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 502
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 503
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 503
-#define VAR_IPSECMOD_ENABLED 504
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 504
-#define VAR_IPSECMOD_HOOK 505
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 505
-#define VAR_IPSECMOD_IGNORE_BOGUS 506
+#define VAR_PAD_RESPONSES 506
-#define VAR_IPSECMOD_MAX_TTL 507
+#define VAR_PAD_RESPONSES_BLOCK_SIZE 507
-#define VAR_IPSECMOD_WHITELIST 508
+#define VAR_PAD_QUERIES 508
-#define VAR_IPSECMOD_STRICT 509
+#define VAR_PAD_QUERIES_BLOCK_SIZE 509
-#define VAR_CACHEDB 510
+#define VAR_IPSECMOD_ENABLED 510
-#define VAR_CACHEDB_BACKEND 511
+#define VAR_IPSECMOD_HOOK 511
-#define VAR_CACHEDB_SECRETSEED 512
+#define VAR_IPSECMOD_IGNORE_BOGUS 512
-#define VAR_CACHEDB_REDISHOST 513
+#define VAR_IPSECMOD_MAX_TTL 513
-#define VAR_CACHEDB_REDISPORT 514
+#define VAR_IPSECMOD_WHITELIST 514
-#define VAR_CACHEDB_REDISTIMEOUT 515
+#define VAR_IPSECMOD_STRICT 515
-#define VAR_CACHEDB_REDISEXPIRERECORDS 516
+#define VAR_CACHEDB 516
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 517
+#define VAR_CACHEDB_BACKEND 517
-#define VAR_FOR_UPSTREAM 518
+#define VAR_CACHEDB_SECRETSEED 518
-#define VAR_AUTH_ZONE 519
+#define VAR_CACHEDB_REDISHOST 519
-#define VAR_ZONEFILE 520
+#define VAR_CACHEDB_REDISPORT 520
-#define VAR_MASTER 521
+#define VAR_CACHEDB_REDISTIMEOUT 521
-#define VAR_URL 522
+#define VAR_CACHEDB_REDISEXPIRERECORDS 522
-#define VAR_FOR_DOWNSTREAM 523
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 523
-#define VAR_FALLBACK_ENABLED 524
+#define VAR_FOR_UPSTREAM 524
-#define VAR_TLS_ADDITIONAL_PORT 525
+#define VAR_AUTH_ZONE 525
-#define VAR_LOW_RTT 526
+#define VAR_ZONEFILE 526
-#define VAR_LOW_RTT_PERMIL 527
+#define VAR_MASTER 527
-#define VAR_FAST_SERVER_PERMIL 528
+#define VAR_URL 528
-#define VAR_FAST_SERVER_NUM 529
+#define VAR_FOR_DOWNSTREAM 529
-#define VAR_ALLOW_NOTIFY 530
+#define VAR_FALLBACK_ENABLED 530
-#define VAR_TLS_WIN_CERT 531
+#define VAR_TLS_ADDITIONAL_PORT 531
-#define VAR_TCP_CONNECTION_LIMIT 532
+#define VAR_LOW_RTT 532
-#define VAR_FORWARD_NO_CACHE 533
+#define VAR_LOW_RTT_PERMIL 533
-#define VAR_STUB_NO_CACHE 534
+#define VAR_FAST_SERVER_PERMIL 534
-#define VAR_LOG_SERVFAIL 535
+#define VAR_FAST_SERVER_NUM 535
-#define VAR_DENY_ANY 536
+#define VAR_ALLOW_NOTIFY 536
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 537
+#define VAR_TLS_WIN_CERT 537
-#define VAR_LOG_TAG_QUERYREPLY 538
+#define VAR_TCP_CONNECTION_LIMIT 538
-#define VAR_STREAM_WAIT_SIZE 539
+#define VAR_FORWARD_NO_CACHE 539
-#define VAR_TLS_CIPHERS 540
+#define VAR_STUB_NO_CACHE 540
-#define VAR_TLS_CIPHERSUITES 541
+#define VAR_LOG_SERVFAIL 541
-#define VAR_TLS_USE_SNI 542
+#define VAR_DENY_ANY 542
-#define VAR_IPSET 543
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 543
-#define VAR_IPSET_NAME_V4 544
+#define VAR_LOG_TAG_QUERYREPLY 544
-#define VAR_IPSET_NAME_V6 545
+#define VAR_STREAM_WAIT_SIZE 545
-#define VAR_TLS_SESSION_TICKET_KEYS 546
+#define VAR_TLS_CIPHERS 546
-#define VAR_RPZ 547
+#define VAR_TLS_CIPHERSUITES 547
-#define VAR_TAGS 548
+#define VAR_TLS_USE_SNI 548
-#define VAR_RPZ_ACTION_OVERRIDE 549
+#define VAR_IPSET 549
-#define VAR_RPZ_CNAME_OVERRIDE 550
+#define VAR_IPSET_NAME_V4 550
-#define VAR_RPZ_LOG 551
+#define VAR_IPSET_NAME_V6 551
-#define VAR_RPZ_LOG_NAME 552
+#define VAR_TLS_SESSION_TICKET_KEYS 552
-#define VAR_DYNLIB 553
+#define VAR_RPZ 553
-#define VAR_DYNLIB_FILE 554
+#define VAR_TAGS 554
-#define VAR_EDNS_CLIENT_TAG 555
+#define VAR_RPZ_ACTION_OVERRIDE 555
-#define VAR_EDNS_CLIENT_TAG_OPCODE 556
+#define VAR_RPZ_CNAME_OVERRIDE 556
-#define VAR_ZONEMD_PERMISSIVE_MODE 557
+#define VAR_RPZ_LOG 557
-#define VAR_ZONEMD_REJECT_ABSENCE 558
+#define VAR_RPZ_LOG_NAME 558
 #define VAR_DYNLIB 559
 #define VAR_DYNLIB_FILE 560
 #define VAR_EDNS_CLIENT_STRING 561
 #define VAR_EDNS_CLIENT_STRING_OPCODE 562
 #define VAR_NSID 563
 #define VAR_ZONEMD_PERMISSIVE_MODE 564
 #define VAR_ZONEMD_REJECT_ABSENCE 565
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -663,7 +686,7 @@ union YYSTYPE
 	char*	str;
-#line 667 "util/configparser.h"
+#line 690 "util/configparser.h"
 };
 typedef union YYSTYPE YYSTYPE;
--- a/util/configparser.y
+++ b/util/configparser.y
@ -116,7 +116,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
 %token VAR_HTTP_NODELAY VAR_HTTP_NOTLS_DOWNSTREAM
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
-%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
+%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UDP_CONNECT
 %token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
 %token VAR_INFRA_CACHE_MIN_RTT VAR_INFRA_KEEP_PROBING
 %token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL VAR_DNS64_IGNORE_AAAA
@ -151,7 +151,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
 %token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_SERVE_EXPIRED_TTL
 %token VAR_SERVE_EXPIRED_TTL_RESET VAR_SERVE_EXPIRED_REPLY_TTL
-%token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_FAKE_DSA
+%token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_SERVE_ORIGINAL_TTL VAR_FAKE_DSA
 %token VAR_FAKE_SHA1 VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR
 %token VAR_TRUST_ANCHOR_SIGNALING VAR_AGGRESSIVE_NSEC VAR_USE_SYSTEMD
 %token VAR_SHM_ENABLE VAR_SHM_KEY VAR_ROOT_KEY_SENTINEL
@ -162,6 +162,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
 %token VAR_DNSCRYPT_NONCE_CACHE_SIZE
 %token VAR_DNSCRYPT_NONCE_CACHE_SLABS
 %token VAR_PAD_RESPONSES VAR_PAD_RESPONSES_BLOCK_SIZE
 %token VAR_PAD_QUERIES VAR_PAD_QUERIES_BLOCK_SIZE
 %token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
 %token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
 %token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
@ -178,7 +180,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
 %token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE
 %token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
-%token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_TAG VAR_EDNS_CLIENT_TAG_OPCODE
+%token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING
 %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID
 %token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_REJECT_ABSENCE
 %%
@ -252,7 +255,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_http_query_buffer_size | server_http_response_buffer_size |
 	server_http_nodelay | server_http_notls_downstream |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
-	server_so_reuseport | server_delay_close |
+	server_so_reuseport | server_delay_close | server_udp_connect |
 	server_unblock_lan_zones | server_insecure_lan_zones |
 	server_dns64_prefix | server_dns64_synthall | server_dns64_ignore_aaaa |
 	server_infra_cache_min_rtt | server_harden_algo_downgrade |
@ -274,10 +277,14 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_disable_dnssec_lame_check | server_access_control_tag |
 	server_local_zone_override | server_access_control_tag_action |
 	server_access_control_tag_data | server_access_control_view |
-	server_qname_minimisation_strict | server_serve_expired |
+	server_qname_minimisation_strict |
 	server_pad_responses | server_pad_responses_block_size |
 	server_pad_queries | server_pad_queries_block_size |
 	server_serve_expired |
 	server_serve_expired_ttl | server_serve_expired_ttl_reset |
 	server_serve_expired_reply_ttl | server_serve_expired_client_timeout |
-	server_fake_dsa | server_log_identity | server_use_systemd |
+	server_serve_original_ttl | server_fake_dsa | 
 	server_log_identity | server_use_systemd |
 	server_response_ip_tag | server_response_ip | server_response_ip_data |
 	server_shm_enable | server_shm_key | server_fake_sha1 |
 	server_hide_trustanchor | server_trust_anchor_signaling |
@ -292,8 +299,9 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_unknown_server_time_limit | server_log_tag_queryreply |
 	server_stream_wait_size | server_tls_ciphers |
 	server_tls_ciphersuites | server_tls_session_ticket_keys |
-	server_tls_use_sni | server_edns_client_tag |
+	server_tls_use_sni | server_edns_client_string |
-	server_edns_client_tag_opcode | server_zonemd_permissive_mode
+	server_edns_client_string_opcode | server_nsid |
 	server_zonemd_permissive_mode
 	;
 stubstart: VAR_STUB_ZONE
 	{
@ -1305,6 +1313,22 @@ server_version: VAR_VERSION STRING_ARG
 		cfg_parser->cfg->version = $2;
 	}
 	;
 server_nsid: VAR_NSID STRING_ARG
 	{
 		OUTYY(("P(server_nsid:%s)\n", $2));
 		free(cfg_parser->cfg->nsid_cfg_str);
 		cfg_parser->cfg->nsid_cfg_str = $2;
 		free(cfg_parser->cfg->nsid);
 		cfg_parser->cfg->nsid = NULL;
 		cfg_parser->cfg->nsid_len = 0;
 		if (*$2 == 0)
 			; /* pass; empty string is not setting nsid */
 		else if (!(cfg_parser->cfg->nsid = cfg_parse_nsid(
 					$2, &cfg_parser->cfg->nsid_len)))
 			yyerror("the NSID must be either a hex string or an "
 			    "ascii character string prepended with ascii_.");
 	}
 	;
 server_so_rcvbuf: VAR_SO_RCVBUF STRING_ARG
 	{
 		OUTYY(("P(server_so_rcvbuf:%s)\n", $2));
@ -1445,6 +1469,15 @@ server_delay_close: VAR_DELAY_CLOSE STRING_ARG
 		free($2);
 	}
 	;
 server_udp_connect: VAR_UDP_CONNECT STRING_ARG
 	{
 		OUTYY(("P(server_udp_connect:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
 		else cfg_parser->cfg->udp_connect = (strcmp($2, "yes")==0);
 		free($2);
 	}
 	;
 server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG
 	{
 		OUTYY(("P(server_unblock_lan_zones:%s)\n", $2));
@ -1905,6 +1938,15 @@ server_serve_expired_client_timeout: VAR_SERVE_EXPIRED_CLIENT_TIMEOUT STRING_ARG
 		free($2);
 	}
 	;
 server_serve_original_ttl: VAR_SERVE_ORIGINAL_TTL STRING_ARG
 	{
 		OUTYY(("P(server_serve_original_ttl:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
 		else cfg_parser->cfg->serve_original_ttl = (strcmp($2, "yes")==0);
 		free($2);
 	}
 	;
 server_fake_dsa: VAR_FAKE_DSA STRING_ARG
 	{
 		OUTYY(("P(server_fake_dsa:%s)\n", $2));
@ -2031,6 +2073,9 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
 		   && strcmp($3, "always_transparent")!=0
 		   && strcmp($3, "always_refuse")!=0
 		   && strcmp($3, "always_nxdomain")!=0
 		   && strcmp($3, "always_nodata")!=0
 		   && strcmp($3, "always_deny")!=0
 		   && strcmp($3, "always_null")!=0
 		   && strcmp($3, "noview")!=0
 		   && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0
 		   && strcmp($3, "inform_redirect") != 0
@ -2039,8 +2084,9 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
 				"refuse, redirect, transparent, "
 				"typetransparent, inform, inform_deny, "
 				"inform_redirect, always_transparent, "
-				"always_refuse, always_nxdomain, noview "
+				"always_refuse, always_nxdomain, "
-				", nodefault or ipset");
+				"always_nodata, always_deny, always_null, "
 				"noview, nodefault or ipset");
 			free($2);
 			free($3);
 		} else if(strcmp($3, "nodefault")==0) {
@ -2417,6 +2463,44 @@ server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG
 		free($2);
 	}
 	;
 server_pad_responses: VAR_PAD_RESPONSES STRING_ARG
 	{
 		OUTYY(("P(server_pad_responses:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
 		else cfg_parser->cfg->pad_responses = 
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
 	;
 server_pad_responses_block_size: VAR_PAD_RESPONSES_BLOCK_SIZE STRING_ARG
 	{
 		OUTYY(("P(server_pad_responses_block_size:%s)\n", $2));
 		if(atoi($2) == 0)
 			yyerror("number expected");
 		else cfg_parser->cfg->pad_responses_block_size = atoi($2);
 		free($2);
 	}
 	;
 server_pad_queries: VAR_PAD_QUERIES STRING_ARG
 	{
 		OUTYY(("P(server_pad_queries:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
 		else cfg_parser->cfg->pad_queries = 
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
 	;
 server_pad_queries_block_size: VAR_PAD_QUERIES_BLOCK_SIZE STRING_ARG
 	{
 		OUTYY(("P(server_pad_queries_block_size:%s)\n", $2));
 		if(atoi($2) == 0)
 			yyerror("number expected");
 		else cfg_parser->cfg->pad_queries_block_size = atoi($2);
 		free($2);
 	}
 	;
 server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG
 	{
 	#ifdef USE_IPSECMOD
@ -2495,29 +2579,24 @@ server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG
 	#endif
 	}
 	;
-server_edns_client_tag: VAR_EDNS_CLIENT_TAG STRING_ARG STRING_ARG
+server_edns_client_string: VAR_EDNS_CLIENT_STRING STRING_ARG STRING_ARG
 	{
-		int tag_data;
+		OUTYY(("P(server_edns_client_string:%s %s)\n", $2, $3));
 		OUTYY(("P(server_edns_client_tag:%s %s)\n", $2, $3));
 		tag_data = atoi($3);
 		if(tag_data > 65535 || tag_data < 0 ||
 			(tag_data == 0 && (strlen($3) != 1 || $3[0] != '0')))
 			yyerror("edns-client-tag data invalid, needs to be a "
 				"number from 0 to 65535");
 		if(!cfg_str2list_insert(
-			&cfg_parser->cfg->edns_client_tags, $2, $3))
+			&cfg_parser->cfg->edns_client_strings, $2, $3))
 			fatal_exit("out of memory adding "
-				"edns-client-tag");
+				"edns-client-string");
 	}
 	;
-server_edns_client_tag_opcode: VAR_EDNS_CLIENT_TAG_OPCODE STRING_ARG
+server_edns_client_string_opcode: VAR_EDNS_CLIENT_STRING_OPCODE STRING_ARG
 	{
-		OUTYY(("P(edns_client_tag_opcode:%s)\n", $2));
+		OUTYY(("P(edns_client_string_opcode:%s)\n", $2));
 		if(atoi($2) == 0 && strcmp($2, "0") != 0)
 			yyerror("option code expected");
 		else if(atoi($2) > 65535 || atoi($2) < 0)
 			yyerror("option code must be in interval [0, 65535]");
-		else cfg_parser->cfg->edns_client_tag_opcode = atoi($2);
+		else cfg_parser->cfg->edns_client_string_opcode = atoi($2);
 		free($2);
 	}
 	;
--- a/Show more
+++ b/Show more