Rebase on master

2025-12-20 23:00:56 -05:00 · 2021-01-22 16:44:56 +00:00 · 2021-01-22 16:44:56 +00:00 · c4c849d878
commit c4c849d878
parent f95dce8e34 2a3548e1ef
217 changed files with 16796 additions and 12324 deletions
--- a/.gitignore
+++ b/.gitignore
@ -31,6 +31,7 @@
 /unbound.h
 /asynclook
 /delayer
 /dohclient
 /lock-verify
 /memstats
 /perf
--- a/Makefile.in
+++ b/Makefile.in
@ -231,6 +231,10 @@ STREAMTCP_SRC=testcode/streamtcp.c
 STREAMTCP_OBJ=streamtcp.lo
 STREAMTCP_OBJ_LINK=$(STREAMTCP_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
 $(SLDNS_OBJ)
 DOHCLIENT_SRC=testcode/dohclient.c
 DOHCLIENT_OBJ=dohclient.lo
 DOHCLIENT_OBJ_LINK=$(DOHCLIENT_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
 $(SLDNS_OBJ)
 PERF_SRC=testcode/perf.c
 PERF_OBJ=perf.lo
 PERF_OBJ_LINK=$(PERF_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) $(SLDNS_OBJ)
@ -272,7 +276,8 @@ ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(DAEMON_SRC) \
 	$(ASYNCLOOK_SRC) $(STREAMTCP_SRC) $(PERF_SRC) $(DELAYER_SRC) \
 	$(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) $(DNSTAP_SOCKET_SRC)\
 	$(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC) \
-	$(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC)
+	$(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC) \
 	$(DOHCLIENT_SRC)
 ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
 	$(TESTBOUND_OBJ) $(LOCKVERIFY_OBJ) $(PKTVIEW_OBJ) \
@ -280,7 +285,8 @@ ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
 	$(ASYNCLOOK_OBJ) $(STREAMTCP_OBJ) $(PERF_OBJ) $(DELAYER_OBJ) \
 	$(CONTROL_OBJ) $(UBANCHOR_OBJ) $(PETAL_OBJ) $(DNSTAP_SOCKET_OBJ)\
 	$(COMPAT_OBJ) $(PYUNBOUND_OBJ) \
-	$(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ)
+	$(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ) \
 	$(DOHCLIENT_OBJ)
 COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@
 LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
@ -317,7 +323,7 @@ rsrc_unbound_checkconf.o:	$(srcdir)/winrc/rsrc_unbound_checkconf.rc config.h
 TEST_BIN=asynclook$(EXEEXT) delayer$(EXEEXT) \
 	lock-verify$(EXEEXT) memstats$(EXEEXT) perf$(EXEEXT) \
 	petal$(EXEEXT) pktview$(EXEEXT) streamtcp$(EXEEXT) \
-	unbound-dnstap-socket$(EXEEXT) \
+	unbound-dnstap-socket$(EXEEXT) dohclient$(EXEEXT) \
 	testbound$(EXEEXT) unittest$(EXEEXT)
 tests:	all $(TEST_BIN)
@ -343,10 +349,10 @@ unbound$(EXEEXT):	$(DAEMON_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
 unbound-checkconf$(EXEEXT):	$(CHECKCONF_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
 unbound-control$(EXEEXT):	$(CONTROL_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
 unbound-host$(EXEEXT):	$(HOST_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
@ -364,34 +370,37 @@ anchor-update$(EXEEXT):  $(ANCHORUPD_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(ANCHORUPD_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
 unittest$(EXEEXT):	$(UNITTEST_OBJ_LINK)
-	$(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS)
 testbound$(EXEEXT):	$(TESTBOUND_OBJ_LINK)
-	$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS)
 lock-verify$(EXEEXT):	$(LOCKVERIFY_OBJ_LINK)
-	$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS)
 petal$(EXEEXT):	$(PETAL_OBJ_LINK)
 	$(LINK) -o $@ $(PETAL_OBJ_LINK) $(SSLLIB) $(LIBS)
 pktview$(EXEEXT):	$(PKTVIEW_OBJ_LINK)
-	$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS)
 memstats$(EXEEXT):	$(MEMSTATS_OBJ_LINK)
-	$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
 asynclook$(EXEEXT):	$(ASYNCLOOK_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
 streamtcp$(EXEEXT):	$(STREAMTCP_OBJ_LINK)
-	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
 dohclient$(EXEEXT):	$(DOHCLIENT_OBJ_LINK)
 	$(LINK) -o $@ $(DOHCLIENT_OBJ_LINK) $(SSLLIB) $(LIBS)
 perf$(EXEEXT):	$(PERF_OBJ_LINK)
-	$(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS)
 delayer$(EXEEXT):	$(DELAYER_OBJ_LINK)
-	$(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS)
 signit$(EXEEXT):	testcode/signit.c
 	$(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@ -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSLLIB) $(LIBS)
@ -414,12 +423,13 @@ dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto
 	$(PROTOC_C) --c_out=. --proto_path=$(srcdir) $(srcdir)/dnstap/dnstap.proto
 unbound-dnstap-socket$(EXEEXT):	$(DNSTAP_SOCKET_OBJ_LINK)
-	$(LINK) -o $@ $(DNSTAP_SOCKET_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+	$(LINK) -o $@ $(DNSTAP_SOCKET_OBJ_LINK) $(SSLLIB) $(LIBS)
 dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h
 dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h
 dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h
 unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h $(srcdir)/dnstap/dtstream.h
 dynlibmod.lo dynlibdmod.o: $(srcdir)/dynlibmod/dynlibmod.c config.h $(srcdir)/dynlibmod/dynlibmod.h
 # dnscrypt
 dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
@ -672,7 +682,7 @@ dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_de
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
 $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \
 $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
 infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/services/cache/infra.h \
@ -713,10 +723,11 @@ msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/d
 $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
 $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/respip/respip.h
-packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h \
+packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
 iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterator/iterator.h \
 $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
@ -785,7 +796,7 @@ listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h
 $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
 $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
@ -808,21 +819,24 @@ mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(s
 $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/edns.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/alloc.h \
- $(srcdir)/services/listen_dnsport.h
+ $(srcdir)/util/edns.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/dname.h $(srcdir)/services/listen_dnsport.h
 modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \
 $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/tube.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/ipset/ipset.h $(srcdir)/dynlibmod/dynlibmod.h
+ $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) $(srcdir)/cachedb/cachedb.h \
 $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \
 $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h
 view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
 $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@ -853,7 +867,8 @@ outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c confi
 $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
 $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \
 $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/dnstap/dnstap.h
+ $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h \
 alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
@ -874,7 +889,8 @@ config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/ut
 $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \
 $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/iana_ports.inc
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/edns-subnet/edns-subnet.h \
 $(srcdir)/util/iana_ports.inc
 configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
 $(srcdir)/util/config_file.h util/configparser.h
 configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
@ -903,38 +919,31 @@ authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/service
 $(srcdir)/util/data/msgencode.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
 $(srcdir)/services/cache/dns.h $(srcdir)/services/outside_network.h  \
 $(srcdir)/services/listen_dnsport.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/validator/val_secalgo.h
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_secalgo.h
 fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/outside_network.h  $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outside_network.h  $(srcdir)/services/cache/infra.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/validator/validator.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_neg.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \
- $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound-event.h \
- $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h \
+ $(srcdir)/libunbound/worker.h $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) \
- $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h \
+ $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h \
- $(srcdir)/dynlibmod/dynlibmod.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \
 $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h $(srcdir)/dnstap/dtstream.h
 locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
-mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
+mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h
 $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
 $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
 $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
 module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
@ -947,12 +956,14 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
 $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/listen_dnsport.h
+ $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/listen_dnsport.h \
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
 random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
@ -968,11 +979,11 @@ rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/itera
 $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
-edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/config_file.h \
+edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+  $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/regional.h \
- $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/util/data/packed_rrset.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h
 dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \
 $(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/util/net_help.h
@ -1006,7 +1017,8 @@ tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/u
 $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/ub_event.h
 ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/util/tube.h \
 ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
 $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
@ -1016,7 +1028,8 @@ ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c
 $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
 $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
 $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
 winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
 autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \
 $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@ -1029,7 +1042,8 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
 $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
 $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
+ $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
 val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
 $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h \
@ -1059,11 +1073,13 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
 val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
+ 
- $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
 $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
 val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
@ -1081,15 +1097,17 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
 val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
 $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/sbuffer.h \
 val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
 $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_secalgo.h \
 $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \
 $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
 val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@ -1110,15 +1128,43 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src
 $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
-edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h
+edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
-subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
 subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
 $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
 $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
 $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
 $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
 $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
 $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \
 $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/respip/respip.h $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h \
 $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h
 addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/edns-subnet/addrtree.h
-subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h
+subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \
-cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
-redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h
+ $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
 $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
 $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
 cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/cachedb/redis.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/data/msgencode.h $(srcdir)/services/cache/dns.h \
 $(srcdir)/validator/val_neg.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_secalgo.h \
 $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h \
 $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h
 redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h $(srcdir)/cachedb/redis.h $(srcdir)/cachedb/cachedb.h \
 $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h \
 $(srcdir)/sldns/sbuffer.h
 respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
@ -1133,31 +1179,40 @@ checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/u
 $(srcdir)/testcode/checklocks.h
 dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c  config.h $(srcdir)/sldns/sbuffer.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/locks.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/dnstap/dnstap.h \
- dnstap/dnstap.pb-c.h
+ $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h dnstap/dnstap.pb-c.h
 dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h \
-dynlibmod.lo dynlibmod.o: $(srcdir)/dynlibmod/dynlibmod.c config.h $(srcdir)/dynlibmod/dynlibmod.h \
+dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
 dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \
 $(srcdir)/util/net_help.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
 $(srcdir)/dnscrypt/dnscrypt.h   \
 $(srcdir)/sldns/sbuffer.h \
 ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \
 $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h\
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h \
 $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
 $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \
-dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \
- $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/storage/lookup3.h
+ $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
-ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h \
 $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
 ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
+ $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
 ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h
 unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
 $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@ -1166,7 +1221,8 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
 $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
 $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
-unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
 $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/iterator/iterator.h \
 $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
@ -1174,7 +1230,8 @@ unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/r
 $(srcdir)/sldns/pkthdr.h $(srcdir)/libunbound/unbound.h $(srcdir)/services/cache/infra.h \
 $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/random.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
 $(srcdir)/services/outside_network.h 
 unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
 $(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
@ -1204,8 +1261,15 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
 $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
 unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
-unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h
+ $(srcdir)/sldns/parseutil.h
 unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \
 $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
 $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
 $(srcdir)/edns-subnet/edns-subnet.h
 unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
 $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
 $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/data/msgparse.h \
@ -1222,40 +1286,43 @@ acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/ac
 $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
-cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
+cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
 $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
 $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
 $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
 $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
 $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
 $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
 $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
 $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
 $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
 $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/wire2str.h \
 $(srcdir)/sldns/str2wire.h
 daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
 $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
   $(srcdir)/daemon/worker.h \
 $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
 $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
 $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
 $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \
 $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
 $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
 $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
 $(srcdir)/sldns/keyraw.h
-remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
+remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/daemon/remote.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/alloc.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
 $(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
 $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@ -1280,19 +1347,21 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
 $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
 $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h
+ $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h \
 $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
 unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
 $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-  $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
+  $(srcdir)/daemon/remote.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/ub_event.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
@ -1300,22 +1369,24 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
 $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
+ $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h \
+ $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
 $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
 testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
 $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
+ $(srcdir)/daemon/remote.h \
- $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
 $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@ -1334,33 +1405,35 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
 $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
+ $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h \
+ $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
 $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
 $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
 $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
- $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
-  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+   $(srcdir)/daemon/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \
 $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
 $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
 $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
@ -1378,7 +1451,9 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
 $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
 $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h
+ $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h \
 $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
 replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
@ -1388,13 +1463,14 @@ fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/t
 $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/rbtree.h  $(srcdir)/services/cache/infra.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h \
+  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
 $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
 $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
@ -1429,7 +1505,8 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
 $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
 $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
 $(PYTHONMOD_HEADER) $(srcdir)/edns-subnet/subnet-whitelist.h
 worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
 $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
@ -1450,70 +1527,83 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
 $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
 $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h
+ $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/util/edns.h
 libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
 $(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
 $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/libunbound/libworker.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h \
- $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h \
+ $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h $(srcdir)/util/edns.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
 $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/services/cache/rrset.h \
 $(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
 $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h
-libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
+libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h \
- $(srcdir)/dnscrypt/dnscrypt.h   \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+  $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h \
+ $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/storage/lookup3.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \
- $(srcdir)/sldns/str2wire.h
+ $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/str2wire.h
 unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
 asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
 $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h \
 streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
 $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
 perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
 $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
 $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h
 unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
+ 
 petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
 unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h \
 $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h \
 $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
 dnstap/dnstap.pb-c.h \
 $(srcdir)/util/config_file.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h
 pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
 $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \
 $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \
 win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
 $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
   $(srcdir)/daemon/worker.h \
@ -1521,8 +1611,8 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
 $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
 $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
 $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/net_help.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h
 w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
 unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
 $(srcdir)/winrc/w_inst.h
@ -1530,18 +1620,26 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
 $(srcdir)/winrc/w_inst.h
 anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
-keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
+keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
 $(srcdir)/sldns/rrdef.h \
 sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
 wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
 $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/keyraw.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/sldns/keyraw.h \
- $(srcdir)/util/log.h
+ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
 $(srcdir)/sldns/sbuffer.h
 parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
 rrdef.lo rrdef.o: $(srcdir)/sldns/rrdef.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
 str2wire.lo str2wire.o: $(srcdir)/sldns/str2wire.c config.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
 $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h
 dohclient.lo dohclient.o: $(srcdir)/testcode/dohclient.c config.h $(srcdir)/sldns/wire2str.h \
 $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
 $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
 $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
 $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h \
 ctime_r.lo ctime_r.o: $(srcdir)/compat/ctime_r.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 fake-rfc2553.lo fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h
 gmtime_r.lo gmtime_r.o: $(srcdir)/compat/gmtime_r.c config.h
@ -1556,9 +1654,11 @@ strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
 strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
 getentropy_freebsd.lo getentropy_freebsd.o: $(srcdir)/compat/getentropy_freebsd.c
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
 getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \
 getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
 explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h
--- a/README.md
+++ b/README.md
@ -9,7 +9,7 @@ fast and lean and incorporates modern features based on open standards. If you
 have any feedback, we would love to hear from you. Don’t hesitate to
 [create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new)
 or post a message on the [Unbound mailing list](https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users).
-You can lean more about Unbound by reading our
+You can learn more about Unbound by reading our
 [documentation](https://nlnetlabs.nl/documentation/unbound/).
 ## Compiling
--- a/aclocal.m4
+++ b/aclocal.m4
@ -736,7 +736,6 @@ _LT_CONFIG_SAVE_COMMANDS([
    cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
 # Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 # Provide generalized library-building support services.
@ -1048,8 +1047,8 @@ int forced_loaded() { return 2;}
 _LT_EOF
      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
-      echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
+      echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
-      $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
+      $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
      echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
      $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
      cat > conftest.c << _LT_EOF
@ -1499,7 +1498,7 @@ need_locks=$enable_libtool_lock
 m4_defun([_LT_PROG_AR],
 [AC_CHECK_TOOLS(AR, [ar], false)
 : ${AR=ar}
-: ${AR_FLAGS=cru}
+: ${AR_FLAGS=cr}
 _LT_DECL([], [AR], [1], [The archiver])
 _LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
@ -2873,9 +2872,6 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
  # before this can be enabled.
  hardcode_into_libs=yes
  # Add ABI-specific directories to the system library path.
  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
  # Ideally, we could use ldconfig to report *all* directores which are
  # searched for libraries, however this is still not possible.  Aside from not
  # being certain /sbin/ldconfig is available, command
@ -2884,7 +2880,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
  # appending ld.so.conf contents (and includes) to the search path.
  if test -f /etc/ld.so.conf; then
    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
  fi
  # We used to test for /lib/ld.so.1 and disable shared libraries on
@ -2896,6 +2892,18 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
  dynamic_linker='GNU/Linux ld.so'
  ;;
 netbsdelf*-gnu)
  version_type=linux
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
  shlibpath_var=LD_LIBRARY_PATH
  shlibpath_overrides_runpath=no
  hardcode_into_libs=yes
  dynamic_linker='NetBSD ld.elf_so'
  ;;
 netbsd*)
  version_type=sunos
  need_lib_prefix=no
@ -3555,7 +3563,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
  lt_cv_deplibs_check_method=pass_all
  ;;
-netbsd*)
+netbsd* | netbsdelf*-gnu)
  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
  else
@ -4061,7 +4069,8 @@ _LT_EOF
  if AC_TRY_EVAL(ac_compile); then
    # Now try to grab the symbols.
    nlist=conftest.nm
-    if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then
+    $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD
    if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then
      # Try sorting and uniquifying the output.
      if sort "$nlist" | uniq > "$nlist"T; then
 	mv -f "$nlist"T "$nlist"
@ -4433,7 +4442,7 @@ m4_if([$1], [CXX], [
 	    ;;
 	esac
 	;;
-      netbsd*)
+      netbsd* | netbsdelf*-gnu)
 	;;
      *qnx* | *nto*)
        # QNX uses GNU C++, but need to define -shared option too, otherwise
@ -4701,6 +4710,12 @@ m4_if([$1], [CXX], [
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
        ;;
      # flang / f18. f95 an alias for gfortran or flang on Debian
      flang* | f18* | f95*)
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
 	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
        ;;
      # icc used to be incompatible with GCC.
      # ICC 10 doesn't accept -KPIC any more.
      icc* | ifort*)
@ -4945,6 +4960,9 @@ m4_if([$1], [CXX], [
      ;;
    esac
    ;;
  linux* | k*bsd*-gnu | gnu*)
    _LT_TAGVAR(link_all_deplibs, $1)=no
    ;;
  *)
    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
    ;;
@ -5007,6 +5025,9 @@ dnl Note also adjust exclude_expsyms for C++ above.
  openbsd* | bitrig*)
    with_gnu_ld=no
    ;;
  linux* | k*bsd*-gnu | gnu*)
    _LT_TAGVAR(link_all_deplibs, $1)=no
    ;;
  esac
  _LT_TAGVAR(ld_shlibs, $1)=yes
@ -5261,7 +5282,7 @@ _LT_EOF
      fi
      ;;
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
@ -5782,6 +5803,7 @@ _LT_EOF
 	if test yes = "$lt_cv_irix_exported_symbol"; then
          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
 	fi
 	_LT_TAGVAR(link_all_deplibs, $1)=no
      else
 	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@ -5803,7 +5825,7 @@ _LT_EOF
      esac
      ;;
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
      else
@ -6425,7 +6447,7 @@ if test yes != "$_lt_caught_CXX_error"; then
      # Commands to make compiler produce verbose output that lists
      # what "hidden" libraries, object files and flags are used when
      # linking a shared library.
-      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
    else
      GXX=no
@ -6800,7 +6822,7 @@ if test yes != "$_lt_caught_CXX_error"; then
            # explicitly linking system object files so we need to strip them
            # from the output so that they don't get included in the library
            # dependencies.
-            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
            ;;
          *)
            if test yes = "$GXX"; then
@ -6865,7 +6887,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 	    ;;
          *)
 	    if test yes = "$GXX"; then
@ -7204,7 +7226,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	      # Commands to make compiler produce verbose output that lists
 	      # what "hidden" libraries, object files and flags are used when
 	      # linking a shared library.
-	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 	    else
 	      # FIXME: insert proper C++ library support
@ -7288,7 +7310,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 	      else
 	        # g++ 2.7 appears to require '-G' NOT '-shared' on this
 	        # platform.
@ -7299,7 +7321,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 	      fi
 	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir'
@ -9044,9 +9066,9 @@ m4_ifndef([_LT_PROG_F77],		[AC_DEFUN([_LT_PROG_F77])])
 m4_ifndef([_LT_PROG_FC],		[AC_DEFUN([_LT_PROG_FC])])
 m4_ifndef([_LT_PROG_CXX],		[AC_DEFUN([_LT_PROG_CXX])])
-# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
+dnl pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
-# serial 11 (pkg-config-0.29.1)
+dnl serial 11 (pkg-config-0.29.1)
-
+dnl
 dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
 dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
 dnl
@ -9320,74 +9342,6 @@ AS_VAR_COPY([$1], [pkg_cv_][$1])
 AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR
 dnl PKG_WITH_MODULES(VARIABLE-PREFIX, MODULES,
 dnl   [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND],
 dnl   [DESCRIPTION], [DEFAULT])
 dnl ------------------------------------------
 dnl
 dnl Prepare a "--with-" configure option using the lowercase
 dnl [VARIABLE-PREFIX] name, merging the behaviour of AC_ARG_WITH and
 dnl PKG_CHECK_MODULES in a single macro.
 AC_DEFUN([PKG_WITH_MODULES],
 [
 m4_pushdef([with_arg], m4_tolower([$1]))
 m4_pushdef([description],
           [m4_default([$5], [build with ]with_arg[ support])])
 m4_pushdef([def_arg], [m4_default([$6], [auto])])
 m4_pushdef([def_action_if_found], [AS_TR_SH([with_]with_arg)=yes])
 m4_pushdef([def_action_if_not_found], [AS_TR_SH([with_]with_arg)=no])
 m4_case(def_arg,
            [yes],[m4_pushdef([with_without], [--without-]with_arg)],
            [m4_pushdef([with_without],[--with-]with_arg)])
 AC_ARG_WITH(with_arg,
     AS_HELP_STRING(with_without, description[ @<:@default=]def_arg[@:>@]),,
    [AS_TR_SH([with_]with_arg)=def_arg])
 AS_CASE([$AS_TR_SH([with_]with_arg)],
            [yes],[PKG_CHECK_MODULES([$1],[$2],$3,$4)],
            [auto],[PKG_CHECK_MODULES([$1],[$2],
                                        [m4_n([def_action_if_found]) $3],
                                        [m4_n([def_action_if_not_found]) $4])])
 m4_popdef([with_arg])
 m4_popdef([description])
 m4_popdef([def_arg])
 ])dnl PKG_WITH_MODULES
 dnl PKG_HAVE_WITH_MODULES(VARIABLE-PREFIX, MODULES,
 dnl   [DESCRIPTION], [DEFAULT])
 dnl -----------------------------------------------
 dnl
 dnl Convenience macro to trigger AM_CONDITIONAL after PKG_WITH_MODULES
 dnl check._[VARIABLE-PREFIX] is exported as make variable.
 AC_DEFUN([PKG_HAVE_WITH_MODULES],
 [
 PKG_WITH_MODULES([$1],[$2],,,[$3],[$4])
 AM_CONDITIONAL([HAVE_][$1],
               [test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"])
 ])dnl PKG_HAVE_WITH_MODULES
 dnl PKG_HAVE_DEFINE_WITH_MODULES(VARIABLE-PREFIX, MODULES,
 dnl   [DESCRIPTION], [DEFAULT])
 dnl ------------------------------------------------------
 dnl
 dnl Convenience macro to run AM_CONDITIONAL and AC_DEFINE after
 dnl PKG_WITH_MODULES check. HAVE_[VARIABLE-PREFIX] is exported as make
 dnl and preprocessor variable.
 AC_DEFUN([PKG_HAVE_DEFINE_WITH_MODULES],
 [
 PKG_HAVE_WITH_MODULES([$1],[$2],[$3],[$4])
 AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],
        [AC_DEFINE([HAVE_][$1], 1, [Enable ]m4_tolower([$1])[ support])])
 ])dnl PKG_HAVE_DEFINE_WITH_MODULES
 # AM_CONDITIONAL                                            -*- Autoconf -*-
 # Copyright (C) 1997-2018 Free Software Foundation, Inc.
--- a/acx_nlnetlabs.m4
+++ b/acx_nlnetlabs.m4
@ -2,7 +2,10 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 34
+# Version 37
 # 2021-01-05 fix defun for aclocal
 # 2021-01-05 autoconf 2.70 autoupdate and fixes, no AC_TRY_COMPILE
 # 2020-08-24 Use EVP_sha256 instead of HMAC_Update (for openssl-3.0.0).
 # 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
 # 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
 # 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
@ -446,15 +449,12 @@ AC_DEFUN([ACX_CHECK_FORMAT_ATTRIBUTE],
 AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "format" attribute)
 AC_CACHE_VAL(ac_cv_c_format_attribute,
 [ac_cv_c_format_attribute=no
-AC_TRY_COMPILE(
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <stdio.h>
 [#include <stdio.h>
 void f (char *format, ...) __attribute__ ((format (printf, 1, 2)));
 void (*pf) (char *format, ...) __attribute__ ((format (printf, 1, 2)));
-], [
+]], [[
   f ("%s", "str");
-],
+]])],[ac_cv_c_format_attribute="yes"],[ac_cv_c_format_attribute="no"])
 [ac_cv_c_format_attribute="yes"],
 [ac_cv_c_format_attribute="no"])
 ])
 AC_MSG_RESULT($ac_cv_c_format_attribute)
@ -483,14 +483,11 @@ AC_DEFUN([ACX_CHECK_UNUSED_ATTRIBUTE],
 AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "unused" attribute)
 AC_CACHE_VAL(ac_cv_c_unused_attribute,
 [ac_cv_c_unused_attribute=no
-AC_TRY_COMPILE(
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <stdio.h>
 [#include <stdio.h>
 void f (char *u __attribute__((unused)));
-], [
+]], [[
   f ("x");
-],
+]])],[ac_cv_c_unused_attribute="yes"],[ac_cv_c_unused_attribute="no"])
 [ac_cv_c_unused_attribute="yes"],
 [ac_cv_c_unused_attribute="no"])
 ])
 dnl Setup ATTR_UNUSED config.h parts.
@ -547,7 +544,7 @@ dnl as a requirement so that is gets called before LIBTOOL
 dnl because libtools 'AC_REQUIRE' names are right after this one, before
 dnl this function contents.
 AC_REQUIRE([ACX_LIBTOOL_C_PRE])
-AC_PROG_LIBTOOL
+LT_INIT
 ])
 dnl Detect if u_char type is defined, otherwise define it.
@ -673,17 +670,17 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                ACX_RUNTIME_PATH_ADD([$ssldir/lib])
            fi
-            AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
+            AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
            LIBS="$LIBS -lcrypto"
            LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
-            AC_TRY_LINK(, [
+            AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
-                int HMAC_Update(void);
+                int EVP_sha256(void);
-                (void)HMAC_Update();
+                (void)EVP_sha256();
-              ], [
+              ]])],[
                AC_MSG_RESULT(yes)
-                AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                AC_DEFINE([HAVE_EVP_SHA256], 1,
-                          [If you have HMAC_Update])
+                          [If you have EVP_sha256])
-              ], [
+              ],[
                AC_MSG_RESULT(no)
                # check if -lwsock32 or -lgdi32 are needed.	
                BAKLIBS="$LIBS"
@ -691,12 +688,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 		LIBS="$LIBS -lgdi32 -lws2_32"
 		LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32"
                AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
-                AC_TRY_LINK([], [
+                AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
-                    int HMAC_Update(void);
+                    int EVP_sha256(void);
-                    (void)HMAC_Update();
+                    (void)EVP_sha256();
-                  ],[
+                  ]])],[
-                    AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                    AC_DEFINE([HAVE_EVP_SHA256], 1,
-                        [If you have HMAC_Update])
+                        [If you have EVP_sha256])
                    AC_MSG_RESULT(yes) 
                  ],[
                    AC_MSG_RESULT(no)
@ -705,12 +702,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                    LIBS="$LIBS -ldl"
                    LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
                    AC_MSG_CHECKING([if -lcrypto needs -ldl])
-                    AC_TRY_LINK([], [
+                    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
-                        int HMAC_Update(void);
+                        int EVP_sha256(void);
-                        (void)HMAC_Update();
+                        (void)EVP_sha256();
-                      ],[
+                      ]])],[
-                        AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                        AC_DEFINE([HAVE_EVP_SHA256], 1,
-                            [If you have HMAC_Update])
+                            [If you have EVP_sha256])
                        AC_MSG_RESULT(yes) 
                      ],[
                        AC_MSG_RESULT(no)
@ -719,12 +716,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                        LIBS="$LIBS -ldl -pthread"
                        LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
                        AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
-                        AC_TRY_LINK([], [
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
-                            int HMAC_Update(void);
+                            int EVP_sha256(void);
-                            (void)HMAC_Update();
+                            (void)EVP_sha256();
-                          ],[
+                          ]])],[
-                            AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
+                            AC_DEFINE([HAVE_EVP_SHA256], 1,
-                                [If you have HMAC_Update])
+                                [If you have EVP_sha256])
                            AC_MSG_RESULT(yes) 
                          ],[
                            AC_MSG_RESULT(no)
@ -749,8 +746,7 @@ dnl Checks main header files of SSL.
 dnl
 AC_DEFUN([ACX_WITH_SSL],
 [
-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
+AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
                                    [enable SSL (will check /usr/local/ssl
                            /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
        ],[
            withval="yes"
@ -768,8 +764,7 @@ dnl Checks main header files of SSL.
 dnl
 AC_DEFUN([ACX_WITH_SSL_OPTIONAL],
 [
-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
+AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
                                [enable SSL (will check /usr/local/ssl
                                /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
        ],[
            withval="yes"
@ -1061,7 +1056,7 @@ dnl defines MKDIR_HAS_ONE_ARG
 AC_DEFUN([ACX_MKDIR_ONE_ARG],
 [
 AC_MSG_CHECKING([whether mkdir has one arg])
-AC_TRY_COMPILE([
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include <stdio.h>
 #include <unistd.h>
 #ifdef HAVE_WINSOCK2_H
@ -1070,14 +1065,12 @@ AC_TRY_COMPILE([
 #ifdef HAVE_SYS_STAT_H
 #include <sys/stat.h>
 #endif
-], [
+]], [[
 	(void)mkdir("directory");
-],
+]])],[AC_MSG_RESULT(yes)
 AC_MSG_RESULT(yes)
 AC_DEFINE(MKDIR_HAS_ONE_ARG, 1, [Define if mkdir has one argument.])
-,
+],[AC_MSG_RESULT(no)
-AC_MSG_RESULT(no)
+])
 )
 ])dnl end of ACX_MKDIR_ONE_ARG
 dnl Check for ioctlsocket function. works on mingw32 too.
--- a/acx_python.m4
+++ b/acx_python.m4
@ -85,11 +85,11 @@ $ac_distutils_result])
        LIBS="$LIBS $PYTHON_LDFLAGS"
        CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
-        AC_TRY_LINK([
+        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
                #include <Python.h>
-        ],[
+        ]],[[
                Py_Initialize();
-        ],[pythonexists=yes],[pythonexists=no])
+        ]])],[pythonexists=yes],[pythonexists=no])
        AC_MSG_RESULT([$pythonexists])
--- a/config.h.in
+++ b/config.h.in
@ -113,6 +113,10 @@
   don't. */
 #undef HAVE_DECL_INET_PTON
 /* Define to 1 if you have the declaration of `nghttp2_session_server_new',
   and to 0 if you don't. */
 #undef HAVE_DECL_NGHTTP2_SESSION_SERVER_NEW
 /* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you
   don't. */
 #undef HAVE_DECL_NID_ED25519
@ -221,6 +225,9 @@
 /* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
 #undef HAVE_EVP_ENCRYPTINIT_EX
 /* Define to 1 if you have the `EVP_MAC_CTX_set_params' function. */
 #undef HAVE_EVP_MAC_CTX_SET_PARAMS
 /* Define to 1 if you have the `EVP_MD_CTX_new' function. */
 #undef HAVE_EVP_MD_CTX_NEW
@ -269,6 +276,9 @@
 /* Define to 1 if you have the `getentropy' function. */
 #undef HAVE_GETENTROPY
 /* Define to 1 if you have the `getifaddrs' function. */
 #undef HAVE_GETIFADDRS
 /* Define to 1 if you have the <getopt.h> header file. */
 #undef HAVE_GETOPT_H
@ -296,12 +306,12 @@
 /* Define to 1 if you have the `HMAC_Init_ex' function. */
 #undef HAVE_HMAC_INIT_EX
 /* If you have HMAC_Update */
 #undef HAVE_HMAC_UPDATE
 /* If we have htobe64 */
 #undef HAVE_HTOBE64
 /* Define to 1 if you have the <ifaddrs.h> header file. */
 #undef HAVE_IFADDRS_H
 /* Define to 1 if you have the `inet_aton' function. */
 #undef HAVE_INET_ATON
@ -371,6 +381,15 @@
 /* Define to 1 if you have the <nettle/eddsa.h> header file. */
 #undef HAVE_NETTLE_EDDSA_H
 /* Define to 1 if you have the <net/if.h> header file. */
 #undef HAVE_NET_IF_H
 /* Define this to use nghttp2 client. */
 #undef HAVE_NGHTTP2
 /* Define to 1 if you have the <nghttp2/nghttp2.h> header file. */
 #undef HAVE_NGHTTP2_NGHTTP2_H
 /* Use libnss for crypto */
 #undef HAVE_NSS
@ -497,6 +516,9 @@
 /* Define if you have the SSL libraries installed. */
 #undef HAVE_SSL
 /* Define to 1 if you have the `SSL_CTX_set_alpn_select_cb' function. */
 #undef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
 /* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
 #undef HAVE_SSL_CTX_SET_CIPHERSUITES
@ -573,6 +595,9 @@
 /* Define to 1 if you have the <sys/resource.h> header file. */
 #undef HAVE_SYS_RESOURCE_H
 /* Define to 1 if you have the <sys/select.h> header file. */
 #undef HAVE_SYS_SELECT_H
 /* Define to 1 if you have the <sys/sha2.h> header file. */
 #undef HAVE_SYS_SHA2_H
@ -722,7 +747,8 @@
   your system. */
 #undef PTHREAD_CREATE_JOINABLE
-/* Define as the return type of signal handlers (`int' or `void'). */
+/* Return type of signal handlers, but autoconf 2.70 says 'your code may
   safely assume C89 semantics that RETSIGTYPE is void.' */
 #undef RETSIGTYPE
 /* if REUSEPORT is enabled by default */
@ -1358,6 +1384,8 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 #define UNBOUND_DNS_PORT 53
 /** default port for DNS over TLS traffic. */
 #define UNBOUND_DNS_OVER_TLS_PORT 853
 /** default port for DNS over HTTPS traffic. */
 #define UNBOUND_DNS_OVER_HTTPS_PORT 443
 /** default port for unbound control traffic, registered port with IANA,
    ub-dns-control  8953/tcp    unbound dns nameserver control */
 #define UNBOUND_CONTROL_PORT 8953
--- a/252
+++ b/252
@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.11.1.
+# Generated by GNU Autoconf 2.69 for unbound 1.13.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.11.1'
+PACKAGE_VERSION='1.13.1'
-PACKAGE_STRING='unbound 1.11.1'
+PACKAGE_STRING='unbound 1.13.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
@ -882,6 +882,7 @@ enable_tfo_server
 with_libevent
 with_libexpat
 with_libhiredis
 with_libnghttp2
 enable_static_exe
 enable_fully_static
 enable_lock_checks
@ -1458,7 +1459,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures unbound 1.11.1 to adapt to many kinds of systems.
+\`configure' configures unbound 1.13.1 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1523,7 +1524,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.11.1:";;
+     short | recursive ) echo "Configuration of unbound 1.13.1:";;
   esac
  cat <<\_ACEOF
@ -1642,6 +1643,7 @@ Optional Packages:
                          outgoing port ranges.
  --with-libexpat=path    specify explicit path for libexpat.
  --with-libhiredis=path  specify explicit path for libhiredis.
  --with-libnghttp2=path  specify explicit path for libnghttp2.
  --with-dnstap-socket-path=pathname
                          set default dnstap socket path
  --with-protobuf-c=path  Path where protobuf-c is installed, for dnstap
@ -1750,7 +1752,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-unbound configure 1.11.1
+unbound configure 1.13.1
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@ -2459,7 +2461,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.11.1, which was
+It was created by unbound $as_me 1.13.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@ -2809,13 +2811,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 UNBOUND_VERSION_MAJOR=1
-UNBOUND_VERSION_MINOR=11
+UNBOUND_VERSION_MINOR=13
 UNBOUND_VERSION_MICRO=1
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=10
+LIBUNBOUND_REVISION=12
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@ -2892,7 +2894,9 @@ LIBUNBOUND_AGE=1
 # 1.10.0 had 9:7:1
 # 1.10.1 had 9:8:1
 # 1.11.0 had 9:9:1
-# 1.11.1 had 9:10:1
+# 1.12.0 had 9:10:1
 # 1.13.0 had 9:11:1
 # 1.13.1 had 9:12:1
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@ -4173,7 +4177,6 @@ $as_echo "$ac_cv_safe_to_define___extensions__" >&6; }
  $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h
 if test "$ac_cv_header_minix_config_h" = "yes"; then
 $as_echo "#define _NETBSD_SOURCE 1" >>confdefs.h
@ -8067,7 +8070,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
  lt_cv_deplibs_check_method=pass_all
  ;;
-netbsd*)
+netbsd* | netbsdelf*-gnu)
  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
  else
@ -8429,7 +8432,7 @@ esac
 fi
 : ${AR=ar}
-: ${AR_FLAGS=cru}
+: ${AR_FLAGS=cr}
@ -8972,11 +8975,8 @@ _LT_EOF
  test $ac_status = 0; }; then
    # Now try to grab the symbols.
    nlist=conftest.nm
-    if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5
+    $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&5
-  (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5
+    if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&5 && test -s "$nlist"; then
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; } && test -s "$nlist"; then
      # Try sorting and uniquifying the output.
      if sort "$nlist" | uniq > "$nlist"T; then
 	mv -f "$nlist"T "$nlist"
@ -10195,8 +10195,8 @@ int forced_loaded() { return 2;}
 _LT_EOF
      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5
      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5
-      echo "$AR cru libconftest.a conftest.o" >&5
+      echo "$AR cr libconftest.a conftest.o" >&5
-      $AR cru libconftest.a conftest.o 2>&5
+      $AR cr libconftest.a conftest.o 2>&5
      echo "$RANLIB libconftest.a" >&5
      $RANLIB libconftest.a 2>&5
      cat > conftest.c << _LT_EOF
@ -11056,6 +11056,12 @@ lt_prog_compiler_static=
 	lt_prog_compiler_pic='-KPIC'
 	lt_prog_compiler_static='-static'
        ;;
      # flang / f18. f95 an alias for gfortran or flang on Debian
      flang* | f18* | f95*)
 	lt_prog_compiler_wl='-Wl,'
 	lt_prog_compiler_pic='-fPIC'
 	lt_prog_compiler_static='-static'
        ;;
      # icc used to be incompatible with GCC.
      # ICC 10 doesn't accept -KPIC any more.
      icc* | ifort*)
@ -11532,6 +11538,9 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
  openbsd* | bitrig*)
    with_gnu_ld=no
    ;;
  linux* | k*bsd*-gnu | gnu*)
    link_all_deplibs=no
    ;;
  esac
  ld_shlibs=yes
@ -11786,7 +11795,7 @@ _LT_EOF
      fi
      ;;
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
@ -12456,6 +12465,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
 	if test yes = "$lt_cv_irix_exported_symbol"; then
          archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
 	fi
 	link_all_deplibs=no
      else
 	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
 	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@ -12477,7 +12487,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
      esac
      ;;
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
      else
@ -13572,9 +13582,6 @@ fi
  # before this can be enabled.
  hardcode_into_libs=yes
  # Add ABI-specific directories to the system library path.
  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
  # Ideally, we could use ldconfig to report *all* directores which are
  # searched for libraries, however this is still not possible.  Aside from not
  # being certain /sbin/ldconfig is available, command
@ -13583,7 +13590,7 @@ fi
  # appending ld.so.conf contents (and includes) to the search path.
  if test -f /etc/ld.so.conf; then
    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
  fi
  # We used to test for /lib/ld.so.1 and disable shared libraries on
@ -13595,6 +13602,18 @@ fi
  dynamic_linker='GNU/Linux ld.so'
  ;;
 netbsdelf*-gnu)
  version_type=linux
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
  shlibpath_var=LD_LIBRARY_PATH
  shlibpath_overrides_runpath=no
  hardcode_into_libs=yes
  dynamic_linker='NetBSD ld.elf_so'
  ;;
 netbsd*)
  version_type=sunos
  need_lib_prefix=no
@ -14726,7 +14745,7 @@ $as_echo "no" >&6; }
 fi
 # Checks for header files.
-for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h
+for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h
 do :
  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@ -14740,6 +14759,34 @@ fi
 done
 # net/if.h portability for Darwin see:
 # https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
 for ac_header in net/if.h
 do :
  ac_fn_c_check_header_compile "$LINENO" "net/if.h" "ac_cv_header_net_if_h" "
 #include <stdio.h>
 #ifdef STDC_HEADERS
 # include <stdlib.h>
 # include <stddef.h>
 #else
 # ifdef HAVE_STDLIB_H
 #  include <stdlib.h>
 # endif
 #endif
 #ifdef HAVE_SYS_SOCKET_H
 # include <sys/socket.h>
 #endif
 "
 if test "x$ac_cv_header_net_if_h" = xyes; then :
  cat >>confdefs.h <<_ACEOF
 #define HAVE_NET_IF_H 1
 _ACEOF
 fi
 done
 # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
 for ac_header in TargetConditionals.h
@ -15548,38 +15595,8 @@ $as_echo "#define HAVE_WORKING_FORK 1" >>confdefs.h
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5
 $as_echo_n "checking return type of signal handlers... " >&6; }
 if ${ac_cv_type_signal+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
 #include <signal.h>
 int
 main ()
 {
 return *(signal (0, 0)) (0) == 1;
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
  ac_cv_type_signal=int
 else
  ac_cv_type_signal=void
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_signal" >&5
 $as_echo "$ac_cv_type_signal" >&6; }
 cat >>confdefs.h <<_ACEOF
 #define RETSIGTYPE $ac_cv_type_signal
 _ACEOF
 $as_echo "#define RETSIGTYPE void" >>confdefs.h
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGEFILE_SOURCE value needed for large files" >&5
 $as_echo_n "checking for _LARGEFILE_SOURCE value needed for large files... " >&6; }
@ -17220,7 +17237,7 @@ $as_echo "#define WITH_DYNLIBMODULE 1" >>confdefs.h
  if test $on_mingw = "no"; then
    DYNLIBMOD_EXTRALIBS="-ldl -export-dynamic"
  else
-    DYNLIBMOD_EXTRALIBS="-Wl,--export-all-symbols,--out-implib,libunbound.a"
+    DYNLIBMOD_EXTRALIBS="-Wl,--export-all-symbols,--out-implib,libunbound.dll.a"
  fi
 fi
@ -17943,8 +17960,8 @@ $as_echo "found in $ssldir" >&6; }
            fi
-            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_Update in -lcrypto" >&5
+            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5
-$as_echo_n "checking for HMAC_Update in -lcrypto... " >&6; }
+$as_echo_n "checking for EVP_sha256 in -lcrypto... " >&6; }
            LIBS="$LIBS -lcrypto"
            LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
            cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@ -17954,8 +17971,8 @@ int
 main ()
 {
-                int HMAC_Update(void);
+                int EVP_sha256(void);
-                (void)HMAC_Update();
+                (void)EVP_sha256();
  ;
  return 0;
@ -17966,7 +17983,7 @@ if ac_fn_c_try_link "$LINENO"; then :
                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
 else
@ -17987,8 +18004,8 @@ int
 main ()
 {
-                    int HMAC_Update(void);
+                    int EVP_sha256(void);
-                    (void)HMAC_Update();
+                    (void)EVP_sha256();
  ;
  return 0;
@ -17997,7 +18014,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
                    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@ -18019,8 +18036,8 @@ int
 main ()
 {
-                        int HMAC_Update(void);
+                        int EVP_sha256(void);
-                        (void)HMAC_Update();
+                        (void)EVP_sha256();
  ;
  return 0;
@ -18029,7 +18046,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@ -18051,8 +18068,8 @@ int
 main ()
 {
-                            int HMAC_Update(void);
+                            int EVP_sha256(void);
-                            (void)HMAC_Update();
+                            (void)EVP_sha256();
  ;
  return 0;
@ -18061,7 +18078,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
                            { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@ -18240,17 +18257,13 @@ $as_echo_n "checking if libssl needs -lcrypt32... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 /* Override any GCC internal prototype to avoid an error.
   Use char because int might match the return type of a GCC
   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
 char HMAC_Update ();
 int
 main ()
 {
-return HMAC_Update ();
+
 	int EVP_sha256(void);
 	(void)EVP_sha256();
  ;
  return 0;
 }
@ -18341,7 +18354,7 @@ fi
 done
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -18357,7 +18370,7 @@ done
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb
+for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -19669,6 +19682,70 @@ _ACEOF
 fi
 # nghttp2
 # Check whether --with-libnghttp2 was given.
 if test "${with_libnghttp2+set}" = set; then :
  withval=$with_libnghttp2;
 else
   withval="no"
 fi
 found_libnghttp2="no"
 if test x_$withval = x_yes -o x_$withval != x_no; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnghttp2" >&5
 $as_echo_n "checking for libnghttp2... " >&6; }
   if test x_$withval = x_ -o x_$withval = x_yes; then
            withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
   fi
   for dir in $withval ; do
            if test -f "$dir/include/nghttp2/nghttp2.h"; then
 		found_libnghttp2="yes"
 				if test "$dir" != "/usr"; then
                    CPPFLAGS="$CPPFLAGS -I$dir/include"
 		    LDFLAGS="$LDFLAGS -L$dir/lib"
 		fi
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $dir" >&5
 $as_echo "found in $dir" >&6; }
 $as_echo "#define HAVE_NGHTTP2 1" >>confdefs.h
 		LIBS="$LIBS -lnghttp2"
                break;
            fi
    done
    if test x_$found_libnghttp2 != x_yes; then
 	as_fn_error $? "Could not find libnghttp2, nghttp2.h" "$LINENO" 5
    fi
    for ac_header in nghttp2/nghttp2.h
 do :
  ac_fn_c_check_header_compile "$LINENO" "nghttp2/nghttp2.h" "ac_cv_header_nghttp2_nghttp2_h" "$ac_includes_default
 "
 if test "x$ac_cv_header_nghttp2_nghttp2_h" = xyes; then :
  cat >>confdefs.h <<_ACEOF
 #define HAVE_NGHTTP2_NGHTTP2_H 1
 _ACEOF
 fi
 done
    ac_fn_c_check_decl "$LINENO" "nghttp2_session_server_new" "ac_cv_have_decl_nghttp2_session_server_new" "$ac_includes_default
    #include <nghttp2/nghttp2.h>
 "
 if test "x$ac_cv_have_decl_nghttp2_session_server_new" = xyes; then :
  ac_have_decl=1
 else
  ac_have_decl=0
 fi
 cat >>confdefs.h <<_ACEOF
 #define HAVE_DECL_NGHTTP2_SESSION_SERVER_NEW $ac_have_decl
 _ACEOF
 fi
 # set static linking for uninstalled libraries if requested
 staticexe=""
@ -20224,7 +20301,7 @@ if test "$ac_res" != no; then :
 fi
-for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4
+for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -21620,7 +21697,7 @@ _ACEOF
-version=1.11.1
+version=1.13.1
 date=`date +'%b %e, %Y'`
@ -22139,7 +22216,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.11.1, which was
+This file was extended by unbound $as_me 1.13.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@ -22205,7 +22282,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.11.1
+unbound config.status 1.13.1
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
@ -23198,7 +23275,6 @@ $as_echo "$as_me: executing $ac_file commands" >&6;}
    cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
 # Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 # Provide generalized library-building support services.
--- a/configure.ac
+++ b/configure.ac
@ -1,6 +1,6 @@
 #                                               -*- Autoconf -*-
 # Process this file with autoconf to produce a configure script.
-AC_PREREQ(2.56)
+AC_PREREQ([2.56])
 sinclude(acx_nlnetlabs.m4)
 sinclude(ax_pthread.m4)
 sinclude(acx_python.m4)
@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[11])
+m4_define([VERSION_MINOR],[13])
 m4_define([VERSION_MICRO],[1])
-AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound)
+AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=10
+LIBUNBOUND_REVISION=12
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@ -95,7 +95,9 @@ LIBUNBOUND_AGE=1
 # 1.10.0 had 9:7:1
 # 1.10.1 had 9:8:1
 # 1.11.0 had 9:9:1
-# 1.11.1 had 9:10:1
+# 1.12.0 had 9:10:1
 # 1.13.0 had 9:11:1
 # 1.13.1 had 9:12:1
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@ -124,7 +126,7 @@ cmdln="`echo $@ | sed -e 's/\\\\/\\\\\\\\/g' | sed -e 's/"/\\\\"/'g`"
 AC_DEFINE_UNQUOTED(CONFCMDLINE, ["$cmdln"], [Command line arguments used with configure])
 CFLAGS="$CFLAGS"
-AC_AIX
+AC_USE_SYSTEM_EXTENSIONS
 if test "$ac_cv_header_minix_config_h" = "yes"; then
 	AC_DEFINE(_NETBSD_SOURCE,1, [Enable for compile on Minix])
 fi
@ -165,8 +167,7 @@ else
  ub_conf_file="C:\\Program Files\\Unbound\\service.conf"
 fi
 AC_ARG_WITH([conf_file],
-        AC_HELP_STRING([--with-conf-file=path], 
+        AS_HELP_STRING([--with-conf-file=path],[Pathname to the Unbound configuration file]),
 	[Pathname to the Unbound configuration file]),
 	[ub_conf_file="$withval"])
 AC_SUBST(ub_conf_file)
 ACX_ESCAPE_BACKSLASH($ub_conf_file, hdr_config)
@ -176,8 +177,7 @@ AC_SUBST(ub_conf_dir)
 # Determine run, chroot directory and pidfile locations
 AC_ARG_WITH(run-dir, 
-    AC_HELP_STRING([--with-run-dir=path], 
+    AS_HELP_STRING([--with-run-dir=path],[set default directory to chdir to (by default dir part of cfg file)]), 
    [set default directory to chdir to (by default dir part of cfg file)]), 
    UNBOUND_RUN_DIR="$withval", 
 if test $on_mingw = no; then
    UNBOUND_RUN_DIR=`dirname "$ub_conf_file"`
@ -190,8 +190,7 @@ ACX_ESCAPE_BACKSLASH($UNBOUND_RUN_DIR, hdr_run)
 AC_DEFINE_UNQUOTED(RUN_DIR, ["$hdr_run"], [Directory to chdir to])
 AC_ARG_WITH(chroot-dir, 
-    AC_HELP_STRING([--with-chroot-dir=path], 
+    AS_HELP_STRING([--with-chroot-dir=path],[set default directory to chroot to (by default same as run-dir)]), 
    [set default directory to chroot to (by default same as run-dir)]), 
    UNBOUND_CHROOT_DIR="$withval", 
 if test $on_mingw = no; then
    UNBOUND_CHROOT_DIR="$UNBOUND_RUN_DIR"
@ -204,16 +203,14 @@ ACX_ESCAPE_BACKSLASH($UNBOUND_CHROOT_DIR, hdr_chroot)
 AC_DEFINE_UNQUOTED(CHROOT_DIR, ["$hdr_chroot"], [Directory to chroot to])
 AC_ARG_WITH(share-dir,
-    AC_HELP_STRING([--with-share-dir=path],
+    AS_HELP_STRING([--with-share-dir=path],[set default directory with shared data (by default same as share/unbound)]),
    [set default directory with shared data (by default same as share/unbound)]),
    UNBOUND_SHARE_DIR="$withval",
    UNBOUND_SHARE_DIR="$UNBOUND_RUN_DIR")
 AC_SUBST(UNBOUND_SHARE_DIR)
 AC_DEFINE_UNQUOTED(SHARE_DIR, ["$UNBOUND_SHARE_DIR"], [Shared data])
 AC_ARG_WITH(pidfile, 
-    AC_HELP_STRING([--with-pidfile=filename], 
+    AS_HELP_STRING([--with-pidfile=filename],[set default pathname to unbound pidfile (default run-dir/unbound.pid)]), 
    [set default pathname to unbound pidfile (default run-dir/unbound.pid)]), 
    UNBOUND_PIDFILE="$withval", 
 if test $on_mingw = no; then
    UNBOUND_PIDFILE="$UNBOUND_RUN_DIR/unbound.pid"
@ -226,8 +223,7 @@ ACX_ESCAPE_BACKSLASH($UNBOUND_PIDFILE, hdr_pid)
 AC_DEFINE_UNQUOTED(PIDFILE, ["$hdr_pid"], [default pidfile location])
 AC_ARG_WITH(rootkey-file, 
-    AC_HELP_STRING([--with-rootkey-file=filename], 
+    AS_HELP_STRING([--with-rootkey-file=filename],[set default pathname to root key file (default run-dir/root.key). This file is read and written.]), 
    [set default pathname to root key file (default run-dir/root.key). This file is read and written.]), 
    UNBOUND_ROOTKEY_FILE="$withval", 
 if test $on_mingw = no; then
    UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key"
@ -240,8 +236,7 @@ ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTKEY_FILE, hdr_rkey)
 AC_DEFINE_UNQUOTED(ROOT_ANCHOR_FILE, ["$hdr_rkey"], [default rootkey location])
 AC_ARG_WITH(rootcert-file, 
-    AC_HELP_STRING([--with-rootcert-file=filename], 
+    AS_HELP_STRING([--with-rootcert-file=filename],[set default pathname to root update certificate file (default run-dir/icannbundle.pem).  This file need not exist if you are content with the builtin.]), 
    [set default pathname to root update certificate file (default run-dir/icannbundle.pem).  This file need not exist if you are content with the builtin.]), 
    UNBOUND_ROOTCERT_FILE="$withval", 
 if test $on_mingw = no; then
    UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem"
@ -254,8 +249,7 @@ ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTCERT_FILE, hdr_rpem)
 AC_DEFINE_UNQUOTED(ROOT_CERT_FILE, ["$hdr_rpem"], [default rootcert location])
 AC_ARG_WITH(username, 
-    AC_HELP_STRING([--with-username=user], 
+    AS_HELP_STRING([--with-username=user],[set default user that unbound changes to (default user is unbound)]), 
    [set default user that unbound changes to (default user is unbound)]), 
    UNBOUND_USERNAME="$withval", 
    UNBOUND_USERNAME="unbound")
 AC_SUBST(UNBOUND_USERNAME)
@ -267,7 +261,7 @@ AC_DEFINE_UNQUOTED(RSRC_PACKAGE_VERSION, [$wnvs], [version number for resource f
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
-AC_LANG_C
+AC_LANG([C])
 # allow user to override the -g -O2 flags.
 default_cflags=no
 if test "x$CFLAGS" = "x" ; then
@ -280,8 +274,8 @@ ACX_DEPFLAG
 ACX_DETERMINE_EXT_FLAGS_UNBOUND
 # debug mode flags warnings
-AC_ARG_ENABLE(checking, AC_HELP_STRING([--enable-checking], [Enable warnings, asserts, makefile-dependencies]))
+AC_ARG_ENABLE(checking, AS_HELP_STRING([--enable-checking],[Enable warnings, asserts, makefile-dependencies]))
-AC_ARG_ENABLE(debug, AC_HELP_STRING([--enable-debug], [same as enable-checking]))
+AC_ARG_ENABLE(debug, AS_HELP_STRING([--enable-debug],[same as enable-checking]))
 if test "$enable_debug" = "yes"; then debug_enabled="$enable_debug"; 
 else debug_enabled="$enable_checking"; fi
 AC_SUBST(debug_enabled)
@ -315,14 +309,11 @@ AC_DEFUN([CHECK_WEAK_ATTRIBUTE],
 AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "weak" attribute)
 AC_CACHE_VAL(ac_cv_c_weak_attribute,
 [ac_cv_c_weak_attribute=no
-AC_TRY_COMPILE(
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h>
 [ #include <stdio.h>
 __attribute__((weak)) void f(int x) { printf("%d", x); }
-], [
+]], [[
   f(1);
-],
+]])],[ac_cv_c_weak_attribute="yes"],[ac_cv_c_weak_attribute="no"])
 [ac_cv_c_weak_attribute="yes"],
 [ac_cv_c_weak_attribute="no"])
 ])
 AC_MSG_RESULT($ac_cv_c_weak_attribute)
@ -339,14 +330,11 @@ AC_DEFUN([CHECK_NORETURN_ATTRIBUTE],
 AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "noreturn" attribute)
 AC_CACHE_VAL(ac_cv_c_noreturn_attribute,
 [ac_cv_c_noreturn_attribute=no
-AC_TRY_COMPILE(
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h>
 [ #include <stdio.h>
 __attribute__((noreturn)) void f(int x) { printf("%d", x); }
-], [
+]], [[
   f(1);
-],
+]])],[ac_cv_c_noreturn_attribute="yes"],[ac_cv_c_noreturn_attribute="no"])
 [ac_cv_c_noreturn_attribute="yes"],
 [ac_cv_c_noreturn_attribute="no"])
 ])
 AC_MSG_RESULT($ac_cv_c_noreturn_attribute)
@ -384,7 +372,7 @@ EOF
 	fi
 ])
-AC_PROG_LEX
+AC_PROG_LEX([noyywrap])
 if test "$LEX" != "" -a "$LEX" != ":"; then
 ACX_YYLEX_DESTROY
 fi
@ -399,7 +387,23 @@ ACX_LIBTOOL_C_ONLY
 PKG_PROG_PKG_CONFIG
 # Checks for header files.
-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT])
 # net/if.h portability for Darwin see:
 # https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
 AC_CHECK_HEADERS([net/if.h],,, [
 #include <stdio.h>
 #ifdef STDC_HEADERS
 # include <stdlib.h>
 # include <stddef.h>
 #else
 # ifdef HAVE_STDLIB_H
 #  include <stdlib.h>
 # endif
 #endif
 #ifdef HAVE_SYS_SOCKET_H
 # include <sys/socket.h>
 #endif
 ])
 # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
 AC_CHECK_HEADERS([TargetConditionals.h])
@ -477,7 +481,7 @@ fi
 # check some functions of the OS before linking libs (while still runnable).
 AC_FUNC_CHOWN
 AC_FUNC_FORK
-AC_TYPE_SIGNAL
+AC_DEFINE(RETSIGTYPE,void,[Return type of signal handlers, but autoconf 2.70 says 'your code may safely assume C89 semantics that RETSIGTYPE is void.'])
 AC_FUNC_FSEEKO
 ACX_SYS_LARGEFILE
 ACX_CHECK_NONBLOCKING_BROKEN
@ -496,14 +500,11 @@ sinclude(systemd.m4)
 # Include systemd.m4 - end
 # set memory allocation checking if requested
-AC_ARG_ENABLE(alloc-checks, AC_HELP_STRING([--enable-alloc-checks],
+AC_ARG_ENABLE(alloc-checks, AS_HELP_STRING([--enable-alloc-checks],[ enable to memory allocation statistics, for debug purposes ]), 
 	[ enable to memory allocation statistics, for debug purposes ]), 
 	, )
-AC_ARG_ENABLE(alloc-lite, AC_HELP_STRING([--enable-alloc-lite],
+AC_ARG_ENABLE(alloc-lite, AS_HELP_STRING([--enable-alloc-lite],[ enable for lightweight alloc assertions, for debug purposes ]), 
 	[ enable for lightweight alloc assertions, for debug purposes ]), 
 	, )
-AC_ARG_ENABLE(alloc-nonregional, AC_HELP_STRING([--enable-alloc-nonregional],
+AC_ARG_ENABLE(alloc-nonregional, AS_HELP_STRING([--enable-alloc-nonregional],[ enable nonregional allocs, slow but exposes regional allocations to other memory purifiers, for debug purposes ]), 
 	[ enable nonregional allocs, slow but exposes regional allocations to other memory purifiers, for debug purposes ]), 
 	, )
 if test x_$enable_alloc_nonregional = x_yes; then
 	AC_DEFINE(UNBOUND_ALLOC_NONREGIONAL, 1, [use malloc not regions, for debug use])
@ -547,8 +548,7 @@ else
 # check this first, so that the pthread lib does not get linked in via
 # libssl or libpython, and thus distorts the tests, and we end up using
 # the non-threadsafe C libraries.
-AC_ARG_WITH(pthreads, AC_HELP_STRING([--with-pthreads], 
+AC_ARG_WITH(pthreads, AS_HELP_STRING([--with-pthreads],[use pthreads library, or --without-pthreads to disable threading support.]), 
 [use pthreads library, or --without-pthreads to disable threading support.]), 
 [ ],[ withval="yes" ])
 ub_have_pthreads=no
 if test x_$withval != x_no; then
@ -595,12 +595,11 @@ int main(void) {return 0;}
 fi
 # check solaris thread library 
-AC_ARG_WITH(solaris-threads, AC_HELP_STRING([--with-solaris-threads], 
+AC_ARG_WITH(solaris-threads, AS_HELP_STRING([--with-solaris-threads],[use solaris native thread library.]), [ ],[ withval="no" ])
 	[use solaris native thread library.]), [ ],[ withval="no" ])
 ub_have_sol_threads=no
 if test x_$withval != x_no; then
 	if test x_$ub_have_pthreads != x_no; then
-	    AC_WARN([Have pthreads already, ignoring --with-solaris-threads])
+	    AC_MSG_WARN([Have pthreads already, ignoring --with-solaris-threads])
 	else
 	AC_SEARCH_LIBS(thr_create, [thread],
 	[
@ -610,7 +609,7 @@ if test x_$withval != x_no; then
 			[CFLAGS="$CFLAGS -D_REENTRANT"])
 		ub_have_sol_threads=yes
 	] , [ 
-		AC_ERROR([no solaris threads found.]) 
+		AC_MSG_ERROR([no solaris threads found.]) 
 	])
 	fi
 fi
@ -618,7 +617,7 @@ fi
 fi # end of non-mingw check of thread libraries
 # Check for SYSLOG_FACILITY
-AC_ARG_WITH(syslog-facility, AC_HELP_STRING([--with-syslog-facility=LOCAL0 - LOCAL7], [ set SYSLOG_FACILITY, default DAEMON ]),
+AC_ARG_WITH(syslog-facility, AS_HELP_STRING([--with-syslog-facility=LOCAL0 - LOCAL7],[ set SYSLOG_FACILITY, default DAEMON ]),
 	[ UNBOUND_SYSLOG_FACILITY="$withval" ], [])
 case "${UNBOUND_SYSLOG_FACILITY}" in
@ -631,8 +630,7 @@ AC_DEFINE_UNQUOTED(UB_SYSLOG_FACILITY,${UNBOUND_SYSLOG_FACILITY},[the SYSLOG_FAC
 # Check for dynamic library module
 AC_ARG_WITH(dynlibmodule,
-   AC_HELP_STRING([--with-dynlibmodule],
+   AS_HELP_STRING([--with-dynlibmodule],[build dynamic library module, or --without-dynlibmodule to disable it. (default=no)]),
   [build dynamic library module, or --without-dynlibmodule to disable it. (default=no)]),
   [], [ withval="no" ])
 if test x_$withval != x_no; then
@ -646,15 +644,14 @@ if test x_$withval != x_no; then
  if test $on_mingw = "no"; then
    DYNLIBMOD_EXTRALIBS="-ldl -export-dynamic"
  else
-    DYNLIBMOD_EXTRALIBS="-Wl,--export-all-symbols,--out-implib,libunbound.a"
+    DYNLIBMOD_EXTRALIBS="-Wl,--export-all-symbols,--out-implib,libunbound.dll.a"
  fi
  AC_SUBST(DYNLIBMOD_EXTRALIBS)
 fi
 # Check for PyUnbound
 AC_ARG_WITH(pyunbound,
-   AC_HELP_STRING([--with-pyunbound],
+   AS_HELP_STRING([--with-pyunbound],[build PyUnbound, or --without-pyunbound to skip it. (default=no)]),
   [build PyUnbound, or --without-pyunbound to skip it. (default=no)]),
   [], [ withval="no" ])
 ub_test_python=no
@ -666,8 +663,7 @@ fi
 # Check for Python module
 AC_ARG_WITH(pythonmodule,
-   AC_HELP_STRING([--with-pythonmodule],
+   AS_HELP_STRING([--with-pythonmodule],[build Python module, or --without-pythonmodule to disable script engine. (default=no)]),
   [build Python module, or --without-pythonmodule to disable script engine. (default=no)]),
   [], [ withval="no" ])
 ub_with_pythonmod=no
@ -685,7 +681,7 @@ if test x_$ub_test_python != x_no; then
   AC_PYTHON_DEVEL
   if test ! -z "$PYTHON_VERSION"; then
 	if test `$PYTHON -c "print('$PYTHON_VERSION' >= '2.4.0')"` = "False"; then
-		AC_ERROR([Python version >= 2.4.0 is required])
+		AC_MSG_ERROR([Python version >= 2.4.0 is required])
 	fi
      [PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`"]
@ -713,7 +709,7 @@ if test x_$ub_test_python != x_no; then
      # Check for SWIG
      ub_have_swig=no
-      AC_ARG_ENABLE(swig-version-check, AC_HELP_STRING([--disable-swig-version-check], [Disable swig version check to build python modules with older swig even though that is unreliable]))
+      AC_ARG_ENABLE(swig-version-check, AS_HELP_STRING([--disable-swig-version-check],[Disable swig version check to build python modules with older swig even though that is unreliable]))
      if test "$enable_swig_version_check" = "yes"; then
      	AC_PROG_SWIG(2.0.1)
      else
@ -721,7 +717,7 @@ if test x_$ub_test_python != x_no; then
      fi
      AC_MSG_CHECKING(SWIG)
      if test ! -x "$SWIG"; then
-         AC_ERROR([failed to find swig tool, install it, or do not build Python module and PyUnbound])
+         AC_MSG_ERROR([failed to find swig tool, install it, or do not build Python module and PyUnbound])
      else
         AC_DEFINE(HAVE_SWIG, 1, [Define if you have Swig libraries and header files.])
         AC_SUBST(swig, "$SWIG")
@ -776,8 +772,7 @@ AC_SUBST(CONFIG_DATE)
 # libnss
 USE_NSS="no"
-AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+AC_ARG_WITH([nss], AS_HELP_STRING([--with-nss=path],[use libnss instead of openssl, installed at path.]),
 	[use libnss instead of openssl, installed at path.]),
 	[
 	USE_NSS="yes"
 	AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
@ -799,8 +794,7 @@ AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
 # libnettle
 USE_NETTLE="no"
-AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
+AC_ARG_WITH([nettle], AS_HELP_STRING([--with-nettle=path],[use libnettle as crypto library, installed at path.]),
 	[use libnettle as crypto library, installed at path.]),
 	[
 	USE_NETTLE="yes"
 	AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
@ -832,7 +826,10 @@ AC_SUBST(PC_CRYPTO_DEPENDENCY)
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
 AC_MSG_CHECKING([if libssl needs -lcrypt32])
-AC_TRY_LINK_FUNC([HMAC_Update], [
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
 	int EVP_sha256(void);
 	(void)EVP_sha256();
 ]])], [
 	AC_MSG_RESULT([no])
 	LIBS="$BAKLIBS"
 ], [
@ -852,12 +849,12 @@ else
 	AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params])
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb])
+AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb])
 LIBS="$BAKLIBS"
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
@ -920,7 +917,7 @@ fi
 AC_SUBST(SSLLIB)
 # libbsd
-AC_ARG_WITH([libbsd], AC_HELP_STRING([--with-libbsd], [Use portable libbsd functions]), [
+AC_ARG_WITH([libbsd], AS_HELP_STRING([--with-libbsd],[Use portable libbsd functions]), [
 	AC_CHECK_HEADERS([bsd/string.h bsd/stdlib.h],,, [AC_INCLUDES_DEFAULT])
 	if test "x$ac_cv_header_bsd_string_h" = xyes -a "x$ac_cv_header_bsd_stdlib_h" = xyes; then
 		for func in strlcpy strlcat arc4random arc4random_uniform reallocarray; do
@ -933,7 +930,7 @@ AC_ARG_WITH([libbsd], AC_HELP_STRING([--with-libbsd], [Use portable libbsd funct
 	fi
 ])
-AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support]))
+AC_ARG_ENABLE(sha1, AS_HELP_STRING([--disable-sha1],[Disable SHA1 RRSIG support, does not disable nsec3 support]))
 case "$enable_sha1" in
 	no)
 	;;
@ -943,7 +940,7 @@ case "$enable_sha1" in
 esac
-AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
+AC_ARG_ENABLE(sha2, AS_HELP_STRING([--disable-sha2],[Disable SHA256 and SHA512 RRSIG support]))
 case "$enable_sha2" in
 	no)
 	;;
@ -952,7 +949,7 @@ case "$enable_sha2" in
 	;;
 esac
-AC_ARG_ENABLE(subnet, AC_HELP_STRING([--enable-subnet], [Enable client subnet]))
+AC_ARG_ENABLE(subnet, AS_HELP_STRING([--enable-subnet],[Enable client subnet]))
 case "$enable_subnet" in
 	yes)
 	AC_DEFINE([CLIENT_SUBNET], [1], [Define this to enable client subnet option.])
@ -1063,7 +1060,7 @@ fi
 AC_MSG_RESULT($ac_cv_c_gost_works)
 ])dnl
-AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
+AC_ARG_ENABLE(gost, AS_HELP_STRING([--disable-gost],[Disable GOST support]))
 use_gost="no"
 if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 case "$enable_gost" in
@ -1081,7 +1078,7 @@ case "$enable_gost" in
 esac
 fi dnl !USE_NSS && !USE_NETTLE
-AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
+AC_ARG_ENABLE(ecdsa, AS_HELP_STRING([--disable-ecdsa],[Disable ECDSA support]))
 use_ecdsa="no"
 case "$enable_ecdsa" in
    no)
@ -1113,7 +1110,7 @@ case "$enable_ecdsa" in
      ;;
 esac
-AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))
+AC_ARG_ENABLE(dsa, AS_HELP_STRING([--disable-dsa],[Disable DSA support]))
 use_dsa="no"
 case "$enable_dsa" in
    yes)
@ -1153,7 +1150,7 @@ AC_INCLUDES_DEFAULT
      ;;
 esac
-AC_ARG_ENABLE(ed25519, AC_HELP_STRING([--disable-ed25519], [Disable ED25519 support]))
+AC_ARG_ENABLE(ed25519, AS_HELP_STRING([--disable-ed25519],[Disable ED25519 support]))
 use_ed25519="no"
 case "$enable_ed25519" in
    no)
@ -1176,7 +1173,7 @@ case "$enable_ed25519" in
      ;;
 esac
-AC_ARG_ENABLE(ed448, AC_HELP_STRING([--disable-ed448], [Disable ED448 support]))
+AC_ARG_ENABLE(ed448, AS_HELP_STRING([--disable-ed448],[Disable ED448 support]))
 use_ed448="no"
 case "$enable_ed448" in
    no)
@ -1196,7 +1193,7 @@ case "$enable_ed448" in
      ;;
 esac
-AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
+AC_ARG_ENABLE(event-api, AS_HELP_STRING([--enable-event-api],[Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
 case "$enable_event_api" in
    yes)
      AC_SUBST(UNBOUND_EVENT_INSTALL, [unbound-event-install])
@ -1206,7 +1203,7 @@ case "$enable_event_api" in
      ;;
 esac
-AC_ARG_ENABLE(tfo-client, AC_HELP_STRING([--enable-tfo-client], [Enable TCP Fast Open for client mode]))
+AC_ARG_ENABLE(tfo-client, AS_HELP_STRING([--enable-tfo-client],[Enable TCP Fast Open for client mode]))
 case "$enable_tfo_client" in
 	yes)
 		case `uname` in
@ -1230,7 +1227,7 @@ case "$enable_tfo_client" in
 		;;
 esac
-AC_ARG_ENABLE(tfo-server, AC_HELP_STRING([--enable-tfo-server], [Enable TCP Fast Open for server mode]))
+AC_ARG_ENABLE(tfo-server, AS_HELP_STRING([--enable-tfo-server],[Enable TCP Fast Open for server mode]))
 case "$enable_tfo_server" in
 	yes)
 	      AC_CHECK_DECL([TCP_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support server mode TFO])], [AC_MSG_ERROR([TCP Fast Open is not available for server mode: please rerun without --enable-tfo-server])], [AC_INCLUDES_DEFAULT
@ -1243,8 +1240,7 @@ case "$enable_tfo_server" in
 esac
 # check for libevent
-AC_ARG_WITH(libevent, AC_HELP_STRING([--with-libevent=pathname],
+AC_ARG_WITH(libevent, AS_HELP_STRING([--with-libevent=pathname],[use libevent (will check /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr  or you can specify an explicit path). Slower, but allows use of large outgoing port ranges.]),
    [use libevent (will check /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr  or you can specify an explicit path). Slower, but allows use of large outgoing port ranges.]),
    [ ],[ with_libevent="no" ])
 if test "x_$with_libevent" != x_no; then
        AC_DEFINE([USE_LIBEVENT], [1], [Define if you enable libevent])
@ -1338,8 +1334,7 @@ else
 fi
 # check for libexpat
-AC_ARG_WITH(libexpat, AC_HELP_STRING([--with-libexpat=path],
+AC_ARG_WITH(libexpat, AS_HELP_STRING([--with-libexpat=path],[specify explicit path for libexpat.]),
    [specify explicit path for libexpat.]),
    [ ],[ withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" ])
 AC_MSG_CHECKING(for libexpat)
 found_libexpat="no"
@ -1356,7 +1351,7 @@ for dir in $withval ; do
            fi
 done
 if test x_$found_libexpat != x_yes; then
-	AC_ERROR([Could not find libexpat, expat.h])
+	AC_MSG_ERROR([Could not find libexpat, expat.h])
 fi
 AC_CHECK_HEADERS([expat.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_DECLS([XML_StopParser], [], [], [AC_INCLUDES_DEFAULT
@ -1364,8 +1359,7 @@ AC_CHECK_DECLS([XML_StopParser], [], [], [AC_INCLUDES_DEFAULT
 ])
 # hiredis (redis C client for cachedb)
-AC_ARG_WITH(libhiredis, AC_HELP_STRING([--with-libhiredis=path],
+AC_ARG_WITH(libhiredis, AS_HELP_STRING([--with-libhiredis=path],[specify explicit path for libhiredis.]),
    [specify explicit path for libhiredis.]),
    [ ],[ withval="no" ])
 found_libhiredis="no"
 if test x_$withval = x_yes -o x_$withval != x_no; then
@ -1388,7 +1382,7 @@ if test x_$withval = x_yes -o x_$withval != x_no; then
            fi
    done
    if test x_$found_libhiredis != x_yes; then
-	AC_ERROR([Could not find libhiredis, hiredis.h])
+	AC_MSG_ERROR([Could not find libhiredis, hiredis.h])
    fi
    AC_CHECK_HEADERS([hiredis/hiredis.h],,, [AC_INCLUDES_DEFAULT])
    AC_CHECK_DECLS([redisConnect], [], [], [AC_INCLUDES_DEFAULT
@ -1396,11 +1390,42 @@ if test x_$withval = x_yes -o x_$withval != x_no; then
    ])
 fi
 # nghttp2
 AC_ARG_WITH(libnghttp2, AS_HELP_STRING([--with-libnghttp2=path],[specify explicit path for libnghttp2.]),
    [ ],[ withval="no" ])
 found_libnghttp2="no"
 if test x_$withval = x_yes -o x_$withval != x_no; then
   AC_MSG_CHECKING(for libnghttp2)
   if test x_$withval = x_ -o x_$withval = x_yes; then
            withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
   fi
   for dir in $withval ; do
            if test -f "$dir/include/nghttp2/nghttp2.h"; then
 		found_libnghttp2="yes"
 		dnl assume /usr is in default path.
 		if test "$dir" != "/usr"; then
                    CPPFLAGS="$CPPFLAGS -I$dir/include"
 		    LDFLAGS="$LDFLAGS -L$dir/lib"
 		fi
 		AC_MSG_RESULT(found in $dir)
 		AC_DEFINE([HAVE_NGHTTP2], [1], [Define this to use nghttp2 client.])
 		LIBS="$LIBS -lnghttp2"
                break;
            fi
    done
    if test x_$found_libnghttp2 != x_yes; then
 	AC_MSG_ERROR([Could not find libnghttp2, nghttp2.h])
    fi
    AC_CHECK_HEADERS([nghttp2/nghttp2.h],,, [AC_INCLUDES_DEFAULT])
    AC_CHECK_DECLS([nghttp2_session_server_new], [], [], [AC_INCLUDES_DEFAULT
    #include <nghttp2/nghttp2.h>
    ])
 fi
 # set static linking for uninstalled libraries if requested
 AC_SUBST(staticexe)
 staticexe=""
-AC_ARG_ENABLE(static-exe, AC_HELP_STRING([--enable-static-exe],
+AC_ARG_ENABLE(static-exe, AS_HELP_STRING([--enable-static-exe],[ enable to compile executables statically against (event) uninstalled libs, for debug purposes ]),
 	[ enable to compile executables statically against (event) uninstalled libs, for debug purposes ]),
 	, )
 if test x_$enable_static_exe = x_yes; then
 	staticexe="-static"
@ -1417,8 +1442,7 @@ if test x_$enable_static_exe = x_yes; then
 fi
 # set full static linking if requested
-AC_ARG_ENABLE(fully-static, AC_HELP_STRING([--enable-fully-static],
+AC_ARG_ENABLE(fully-static, AS_HELP_STRING([--enable-fully-static],[ enable to compile fully static ]),
 	[ enable to compile fully static ]),
 	, )
 if test x_$enable_fully_static = x_yes; then
 	staticexe="-all-static"
@ -1434,8 +1458,7 @@ if test x_$enable_fully_static = x_yes; then
 fi
 # set lock checking if requested
-AC_ARG_ENABLE(lock_checks, AC_HELP_STRING([--enable-lock-checks],
+AC_ARG_ENABLE(lock_checks, AS_HELP_STRING([--enable-lock-checks],[ enable to check lock and unlock calls, for debug purposes ]), 
 	[ enable to check lock and unlock calls, for debug purposes ]), 
 	, )
 if test x_$enable_lock_checks = x_yes; then
 	AC_DEFINE(ENABLE_LOCK_CHECKS, 1, [Define if you want to use debug lock checking (slow).])
@ -1552,7 +1575,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
  AC_MSG_RESULT(no))
 AC_SEARCH_LIBS([setusercontext], [util])
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs])
 AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
 AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
@ -1677,7 +1700,7 @@ AC_SUBST(LIBOBJ_WITHOUT_CTIME)
 AC_REPLACE_FUNCS(ctime_r)
 AC_REPLACE_FUNCS(strsep)
-AC_ARG_ENABLE(allsymbols, AC_HELP_STRING([--enable-allsymbols], [export all symbols from libunbound and link binaries to it, smaller install size but libunbound export table is polluted by internal symbols]))
+AC_ARG_ENABLE(allsymbols, AS_HELP_STRING([--enable-allsymbols],[export all symbols from libunbound and link binaries to it, smaller install size but libunbound export table is polluted by internal symbols]))
 case "$enable_allsymbols" in
 	yes)
 	COMMON_OBJ_ALL_SYMBOLS=""
@ -1743,7 +1766,7 @@ dnsc_DNSCRYPT([
 )
 # check for cachedb if requested
-AC_ARG_ENABLE(cachedb, AC_HELP_STRING([--enable-cachedb], [enable cachedb module that can use external cache storage]))
+AC_ARG_ENABLE(cachedb, AS_HELP_STRING([--enable-cachedb],[enable cachedb module that can use external cache storage]))
 # turn on cachedb when hiredis support is enabled.
 if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi
 case "$enable_cachedb" in
@ -1756,7 +1779,7 @@ case "$enable_cachedb" in
 esac
 # check for ipsecmod if requested
-AC_ARG_ENABLE(ipsecmod, AC_HELP_STRING([--enable-ipsecmod], [Enable ipsecmod module that facilitates opportunistic IPsec]))
+AC_ARG_ENABLE(ipsecmod, AS_HELP_STRING([--enable-ipsecmod],[Enable ipsecmod module that facilitates opportunistic IPsec]))
 case "$enable_ipsecmod" in
 	yes)
 		AC_DEFINE([USE_IPSECMOD], [1], [Define to 1 to use ipsecmod support.])
@ -1771,7 +1794,7 @@ case "$enable_ipsecmod" in
 esac
 # check for ipset if requested
-AC_ARG_ENABLE(ipset, AC_HELP_STRING([--enable-ipset], [enable ipset module]))
+AC_ARG_ENABLE(ipset, AS_HELP_STRING([--enable-ipset],[enable ipset module]))
 case "$enable_ipset" in
    yes)
 		AC_DEFINE([USE_IPSET], [1], [Define to 1 to use ipset support])
@ -1781,8 +1804,7 @@ case "$enable_ipset" in
 		AC_SUBST(IPSET_OBJ)
 		# mnl
-		AC_ARG_WITH(libmnl, AC_HELP_STRING([--with-libmnl=path],
+		AC_ARG_WITH(libmnl, AS_HELP_STRING([--with-libmnl=path],[specify explicit path for libmnl.]),
 			[specify explicit path for libmnl.]),
 			[ ],[ withval="yes" ])
 		found_libmnl="no"
 		AC_MSG_CHECKING(for libmnl)
@ -1803,14 +1825,14 @@ case "$enable_ipset" in
 			fi
 		done
 		if test x_$found_libmnl != x_yes; then
-			AC_ERROR([Could not find libmnl, libmnl.h])
+			AC_MSG_ERROR([Could not find libmnl, libmnl.h])
 		fi
 		;;
    no|*)
    	# nothing
 		;;
 esac
-AC_ARG_ENABLE(explicit-port-randomisation, AC_HELP_STRING([--disable-explicit-port-randomisation], [disable explicit source port randomisation and rely on the kernel to provide random source ports]))
+AC_ARG_ENABLE(explicit-port-randomisation, AS_HELP_STRING([--disable-explicit-port-randomisation],[disable explicit source port randomisation and rely on the kernel to provide random source ports]))
 case "$enable_explicit_port_randomisation" in
 	no)
 		AC_DEFINE([DISABLE_EXPLICIT_PORT_RANDOMISATION], [1], [Define this to enable kernel based UDP source port randomization.])
@ -1858,8 +1880,7 @@ AC_SUBST(SOURCEFILE)
 # see if we want to build the library or everything
 ALLTARGET="alltargets"
 INSTALLTARGET="install-all"
-AC_ARG_WITH(libunbound-only, AC_HELP_STRING([--with-libunbound-only],
+AC_ARG_WITH(libunbound-only, AS_HELP_STRING([--with-libunbound-only],[do not build daemon and tool programs]),
 	[do not build daemon and tool programs]),
 	[
 	if test "$withval" = "yes"; then
 		ALLTARGET="lib"
@ -1868,10 +1889,10 @@ AC_ARG_WITH(libunbound-only, AC_HELP_STRING([--with-libunbound-only],
 ])
 if test $ALLTARGET = "alltargets"; then
 	if test $USE_NSS = "yes"; then 
-		AC_ERROR([--with-nss can only be used in combination with --with-libunbound-only.])	
+		AC_MSG_ERROR([--with-nss can only be used in combination with --with-libunbound-only.])	
 	fi
 	if test $USE_NETTLE = "yes"; then
-		AC_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])	
+		AC_MSG_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])	
 	fi
 fi
@ -2132,6 +2153,8 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 #define UNBOUND_DNS_PORT 53
 /** default port for DNS over TLS traffic. */
 #define UNBOUND_DNS_OVER_TLS_PORT 853
 /** default port for DNS over HTTPS traffic. */
 #define UNBOUND_DNS_OVER_HTTPS_PORT 443
 /** default port for unbound control traffic, registered port with IANA,
    ub-dns-control  8953/tcp    unbound dns nameserver control */
 #define UNBOUND_CONTROL_PORT 8953
@ -2146,5 +2169,5 @@ AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO])
 AC_SUBST(date, [`date +'%b %e, %Y'`])
 AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service])
-AC_CONFIG_HEADER([config.h])
+AC_CONFIG_HEADERS([config.h])
 AC_OUTPUT
--- a/contrib/README
+++ b/contrib/README
@ -53,3 +53,5 @@ distribution but may be helpful.
  lookups for downstream clients.
 * drop2rpz: perl script that converts the Spamhaus DROP-List in RPZ-Format,
  contributed by Andreas Schulze.
 * metrics.awk: awk script that can convert unbound-control stats to
  Prometheus metrics format output.
--- a/contrib/aaaa-filter-iterator.patch
+++ b/contrib/aaaa-filter-iterator.patch
@ -1,10 +1,10 @@
-Index: trunk/doc/unbound.conf.5.in
+diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
-===================================================================
+index f426ac5f..147fbfa9 100644
--- trunk/doc/unbound.conf.5.in	(revision 4357)
+--- a/doc/unbound.conf.5.in
-+++ trunk/doc/unbound.conf.5.in	(working copy)
+++ b/doc/unbound.conf.5.in
-@@ -701,6 +701,13 @@
+@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
 this option in enabled. Only use if you know what you are doing.
- This option only has effect when qname-minimisation is enabled. Default is off.
+ This option only has effect when qname-minimisation is enabled. Default is no.
 .TP
 +.B aaaa\-filter: \fI<yes or no>
 +Activate behavior similar to BIND's AAAA-filter.
@ -16,14 +16,15 @@ Index: trunk/doc/unbound.conf.5.in
 .B aggressive\-nsec: \fI<yes or no>
 Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
 and other denials, using information from previous NXDOMAINs answers.
-Index: trunk/iterator/iter_scrub.c
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
-===================================================================
+index aae934dd..55c55de0 100644
--- trunk/iterator/iter_scrub.c	(revision 4357)
+--- a/iterator/iter_scrub.c
-+++ trunk/iterator/iter_scrub.c	(working copy)
+++ b/iterator/iter_scrub.c
-@@ -617,6 +617,32 @@
+@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset,
 	return 0;
 }
- /**
+/**
 + * ASN: Lookup A records from rrset cache.
 + * @param qinfo: the question originally asked.
 + * @param env: module environment with config and cache.
@ -49,11 +50,10 @@ Index: trunk/iterator/iter_scrub.c
 +	return 0;
 +}
 +
-+/**
+ /**
  * Given a response event, remove suspect RRsets from the response.
  * "Suspect" rrsets are potentially poison. Note that this routine expects
-  * the response to be in a "normalized" state -- that is, all "irrelevant"
+@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
@@ -635,6 +661,7 @@
 	struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
 	struct iter_env* ie)
 {
@ -61,7 +61,7 @@ Index: trunk/iterator/iter_scrub.c
 	int del_addi = 0; /* if additional-holding rrsets are deleted, we
 		do not trust the normalized additional-A-AAAA any more */
 	struct rrset_parse* rrset, *prev;
-@@ -670,6 +697,13 @@
+@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
 		rrset = rrset->rrset_all_next;
 	}
@ -75,11 +75,10 @@ Index: trunk/iterator/iter_scrub.c
 	/* At this point, we brutally remove ALL rrsets that aren't 
 	 * children of the originating zone. The idea here is that, 
 	 * as far as we know, the server that we contacted is ONLY 
-@@ -680,6 +714,24 @@
+@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
 	prev = NULL;
 	rrset = msg->rrset_first;
 	while(rrset) {
-+
+ 
 +		/* ASN: For AAAA records only... */
 +		if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) {
 +			/* ASN: If this is not a AAAA query, then remove AAAA
@ -97,14 +96,15 @@ Index: trunk/iterator/iter_scrub.c
 +				LDNS_RR_TYPE_AAAA, qinfo->qclass);
 +		}
 +		/* ASN: End of added code */
- 
+
 		/* remove private addresses */
 		if( (rrset->type == LDNS_RR_TYPE_A || 
-Index: trunk/iterator/iter_utils.c
+ 			rrset->type == LDNS_RR_TYPE_AAAA)) {
-===================================================================
+diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
--- trunk/iterator/iter_utils.c	(revision 4357)
+index 7bc67da6..e10f547a 100644
-+++ trunk/iterator/iter_utils.c	(working copy)
+--- a/iterator/iter_utils.c
-@@ -175,6 +175,7 @@
+++ b/iterator/iter_utils.c
@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 	}
 	iter_env->supports_ipv6 = cfg->do_ip6;
 	iter_env->supports_ipv4 = cfg->do_ip4;
@ -112,11 +112,11 @@ Index: trunk/iterator/iter_utils.c
 	return 1;
 }
-Index: trunk/iterator/iterator.c
+diff --git a/iterator/iterator.c b/iterator/iterator.c
-===================================================================
+index 23b07ea9..ca29b48c 100644
--- trunk/iterator/iterator.c	(revision 4357)
+--- a/iterator/iterator.c
-+++ trunk/iterator/iterator.c	(working copy)
+++ b/iterator/iterator.c
-@@ -1847,6 +1847,53 @@
+@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
 	return 0;
 }
@ -170,7 +170,7 @@ Index: trunk/iterator/iterator.c
 /** 
  * This is the request event state where the request will be sent to one of
-@@ -1894,6 +1941,13 @@
+@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
 	}
@ -184,7 +184,7 @@ Index: trunk/iterator/iterator.c
 	/* Make sure we have a delegation point, otherwise priming failed
 	 * or another failure occurred */
 	if(!iq->dp) {
-@@ -3095,6 +3149,61 @@
+@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
 	return 0;
 }
@ -246,7 +246,7 @@ Index: trunk/iterator/iterator.c
 /*
  * Return priming query results to interested super querystates.
  * 
-@@ -3114,6 +3223,9 @@
+@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
 	else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
 		super->minfo[id])->state == DSNS_FIND_STATE)
 		processDSNSResponse(qstate, id, super);
@ -256,7 +256,7 @@ Index: trunk/iterator/iterator.c
 	else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
 		error_supers(qstate, id, super);
 	else if(qstate->is_priming)
-@@ -3151,6 +3263,9 @@
+@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
 			case INIT_REQUEST_3_STATE:
 				cont = processInitRequest3(qstate, iq, id);
 				break;
@ -266,7 +266,7 @@ Index: trunk/iterator/iterator.c
 			case QUERYTARGETS_STATE:
 				cont = processQueryTargets(qstate, iq, ie, id);
 				break;
-@@ -3460,6 +3575,8 @@
+@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state)
 		return "INIT REQUEST STATE (stage 2)";
 	case INIT_REQUEST_3_STATE:
 		return "INIT REQUEST STATE (stage 3)";
@ -275,7 +275,7 @@ Index: trunk/iterator/iterator.c
 	case QUERYTARGETS_STATE :
 		return "QUERY TARGETS STATE";
 	case PRIME_RESP_STATE :
-@@ -3484,6 +3601,7 @@
+@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s)
 		case INIT_REQUEST_STATE :
 		case INIT_REQUEST_2_STATE :
 		case INIT_REQUEST_3_STATE :
@ -283,11 +283,11 @@ Index: trunk/iterator/iterator.c
 		case QUERYTARGETS_STATE :
 		case COLLECT_CLASS_STATE :
 			return 0;
-Index: trunk/iterator/iterator.h
+diff --git a/iterator/iterator.h b/iterator/iterator.h
-===================================================================
+index 342ac207..731948d1 100644
--- trunk/iterator/iterator.h	(revision 4357)
+--- a/iterator/iterator.h
-+++ trunk/iterator/iterator.h	(working copy)
+++ b/iterator/iterator.h
-@@ -130,6 +130,9 @@
+@@ -135,6 +135,9 @@ struct iter_env {
 	 */
 	int* target_fetch_policy;
@ -297,10 +297,11 @@ Index: trunk/iterator/iterator.h
 	/** lock on ratelimit counter */
 	lock_basic_type queries_ratelimit_lock;
 	/** number of queries that have been ratelimited */
-@@ -182,6 +185,14 @@
+@@ -186,6 +189,14 @@ enum iter_state {
 	 */
 	INIT_REQUEST_3_STATE,
- 	/**
+	/**
 +	 * This state is responsible for intercepting AAAA queries,
 +	 * and launch a A subquery on the same target, to populate the
 +	 * cache with A records, so the AAAA filter scrubbing logic can
@ -308,29 +309,28 @@ Index: trunk/iterator/iterator.h
 +	 */
 +	ASN_FETCH_A_FOR_AAAA_STATE,
 +
-+	/**
+ 	/**
 	 * Each time a delegation point changes for a given query or a 
 	 * query times out and/or wakes up, this state is (re)visited. 
- 	 * This state is responsible for iterating through a list of 
+@@ -375,6 +386,13 @@ struct iter_qstate {
@@ -364,6 +375,13 @@
 	 * be used when creating the state. A higher one will be attempted.
 	 */
 	int refetch_glue;
-+
+ 
 +	/**
 +	 * ASN: This is a flag that, if true, means that this query is
 +	 * for fetching A records to populate cache and determine if we must
 +	 * return AAAA records or not.
 +	 */
 +	int fetch_a_for_aaaa;
- 
+
 	/** list of pending queries to authoritative servers. */
 	struct outbound_list outlist;
-Index: trunk/pythonmod/interface.i
+ 
-===================================================================
+diff --git a/pythonmod/interface.i b/pythonmod/interface.i
--- trunk/pythonmod/interface.i	(revision 4357)
+index f08b575d..47f1bb2e 100644
-+++ trunk/pythonmod/interface.i	(working copy)
+--- a/pythonmod/interface.i
-@@ -851,6 +851,7 @@
+++ b/pythonmod/interface.i
@@ -975,6 +975,7 @@ struct config_file {
    int harden_dnssec_stripped;
    int harden_referral_path;
    int use_caps_bits_for_id;
@ -338,11 +338,11 @@ Index: trunk/pythonmod/interface.i
    struct config_strlist* private_address;
    struct config_strlist* private_domain;
    size_t unwanted_threshold;
-Index: trunk/util/config_file.c
+diff --git a/util/config_file.c b/util/config_file.c
-===================================================================
+index 0ab8614a..729fb147 100644
--- trunk/util/config_file.c	(revision 4357)
+--- a/util/config_file.c
-+++ trunk/util/config_file.c	(working copy)
+++ b/util/config_file.c
-@@ -195,6 +195,7 @@
+@@ -218,6 +218,7 @@ config_create(void)
 	cfg->harden_referral_path = 0;
 	cfg->harden_algo_downgrade = 0;
 	cfg->use_caps_bits_for_id = 0;
@ -350,11 +350,11 @@ Index: trunk/util/config_file.c
 	cfg->caps_whitelist = NULL;
 	cfg->private_address = NULL;
 	cfg->private_domain = NULL;
-Index: trunk/util/config_file.h
+diff --git a/util/config_file.h b/util/config_file.h
-===================================================================
+index e61257a3..dabaa7bb 100644
--- trunk/util/config_file.h	(revision 4357)
+--- a/util/config_file.h
-+++ trunk/util/config_file.h	(working copy)
+++ b/util/config_file.h
-@@ -209,6 +209,8 @@
+@@ -260,6 +260,8 @@ struct config_file {
 	int harden_algo_downgrade;
 	/** use 0x20 bits in query as random ID bits */
 	int use_caps_bits_for_id;
@ -363,11 +363,11 @@ Index: trunk/util/config_file.h
 	/** 0x20 whitelist, domains that do not use capsforid */
 	struct config_strlist* caps_whitelist;
 	/** strip away these private addrs from answers, no DNS Rebinding */
-Index: trunk/util/configlexer.lex
+diff --git a/util/configlexer.lex b/util/configlexer.lex
-===================================================================
+index 79a0edca..4eaec678 100644
--- trunk/util/configlexer.lex	(revision 4357)
+--- a/util/configlexer.lex
-+++ trunk/util/configlexer.lex	(working copy)
+++ b/util/configlexer.lex
-@@ -279,6 +279,7 @@
+@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON}	{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) }
 use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
 caps-whitelist{COLON}		{ YDVAR(1, VAR_CAPS_WHITELIST) }
 unwanted-reply-threshold{COLON}	{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
@ -375,11 +375,11 @@ Index: trunk/util/configlexer.lex
 private-address{COLON}		{ YDVAR(1, VAR_PRIVATE_ADDRESS) }
 private-domain{COLON}		{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
 prefetch-key{COLON}		{ YDVAR(1, VAR_PREFETCH_KEY) }
-Index: trunk/util/configparser.y
+diff --git a/util/configparser.y b/util/configparser.y
-===================================================================
+index 1d0e8658..f284dd43 100644
--- trunk/util/configparser.y	(revision 4357)
+--- a/util/configparser.y
-+++ trunk/util/configparser.y	(working copy)
+++ b/util/configparser.y
-@@ -95,6 +95,7 @@
+@@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
 %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
 %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
@ -387,7 +387,7 @@ Index: trunk/util/configparser.y
 %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
 %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
 %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
-@@ -203,6 +204,7 @@
+@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
 	server_harden_referral_path | server_private_address |
 	server_private_domain | server_extended_statistics | 
@ -395,12 +395,10 @@ Index: trunk/util/configparser.y
 	server_local_data_ptr | server_jostle_timeout | 
 	server_unwanted_reply_threshold | server_log_time_ascii | 
 	server_domain_insecure | server_val_sig_skew_min | 
-@@ -1183,6 +1185,15 @@
+@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
 		OUTYY(("P(server_caps_whitelist:%s)\n", $2));
 		if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, $2))
 			yyerror("out of memory");
-+	}
+ 	}
-+	;
+ 	;
 +server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG
 +	{
 +		OUTYY(("P(server_aaaa_filter:%s)\n", $2));
@ -408,6 +406,8 @@ Index: trunk/util/configparser.y
 +			yyerror("expected yes or no.");
 +		else cfg_parser->cfg->aaaa_filter = (strcmp($2, "yes")==0);
 +		free($2);
- 	}
+	}
- 	;
+	;
 server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG
 	{
 		OUTYY(("P(server_private_address:%s)\n", $2));
--- a/contrib/metrics.awk
+++ b/contrib/metrics.awk
@ -0,0 +1,180 @@
 # read output of unbound-control stats
 # and output prometheus metrics style output.
 # use these options:
 #	server:		extended-statistics: yes
 #			statistics-cumulative: no
 #			statistics-interval: 0
 #	remote-control: control-enable: yes
 # Can use it like unbound-control stats | awk -f "metrics.awk"
 BEGIN {
 	FS="=";
 }
 # everything like total.num.queries=value is put in val["total.num.queries"]
 /^.*\..*=/ {
 	val[$1]=$2;
 }
 # print the output metrics
 END {
 	print "# HELP unbound_hits_queries Unbound DNS traffic and cache hits"
 	print "# TYPE unbound_hits_queries gauge"
 	print "unbound_hits_queries{type=\"total.num.queries\"} " val["total.num.queries"];
 	for (x=0; x<99; x++) {
 		if(val["thread" $x ".num.queries"] != "") {
 			print "unbound_hits_queries{type=\"thread" $x ".num.queries\"} " val["thread" $x ".num.queries"];
 		}
 	}
 	print "unbound_hits_queries{type=\"total.num.cachehits\"} " val["total.num.cachehits"];
 	print "unbound_hits_queries{type=\"total.num.prefetch\"} " val["total.num.prefetch"];
 	print "unbound_hits_queries{type=\"num.query.tcp\"} " val["num.query.tcp"];
 	print "unbound_hits_queries{type=\"num.query.tcpout\"} " val["num.query.tcpout"];
 	print "unbound_hits_queries{type=\"num.query.tls\"} " val["num.query.tls"];
 	print "unbound_hits_queries{type=\"num.query.tls.resume\"} " val["num.query.tls.resume"];
 	print "unbound_hits_queries{type=\"num.query.ipv6\"} " val["num.query.ipv6"];
 	print "unbound_hits_queries{type=\"unwanted.queries\"} " val["unwanted.queries"];
 	print ""
 	print "# HELP unbound_queue_queries Unbound requestlist size"
 	print "# TYPE unbound_queue_queries gauge"
 	print "unbound_queue_queries{type=\"total.requestlist.avg\"} " val["total.requestlist.avg"];
 	print "unbound_queue_queries{type=\"total.requestlist.max\"} " val["total.requestlist.max"];
 	print "unbound_queue_queries{type=\"total.requestlist.overwritten\"} " val["total.requestlist.overwritten"];
 	print "unbound_queue_queries{type=\"total.requestlist.exceeded\"} " val["total.requestlist.exceeded"];
 	print ""
 	print "# HELP unbound_memory_bytes Unbound memory usage"
 	print "# TYPE unbound_memory_bytes gauge"
 	print "unbound_memory_bytes{type=\"mem.cache.rrset\"} " val["mem.cache.rrset"];
 	print "unbound_memory_bytes{type=\"mem.cache.message\"} " val["mem.cache.message"];
 	print "unbound_memory_bytes{type=\"mem.mod.iterator\"} " val["mem.mod.iterator"];
 	if(val["mem.mod.validator"] != "") {
 		print "unbound_memory_bytes{type=\"mem.mod.validator\"} " val["mem.mod.validator"];
 	}
 	if(val["mem.mod.respip"] != "") {
 		print "unbound_memory_bytes{type=\"mem.mod.respip\"} " val["mem.mod.respip"];
 	}
 	if(val["mem.mod.subnet"] != "") {
 		print "unbound_memory_bytes{type=\"mem.mod.subnet\"} " val["mem.mod.subnet"];
 	}
 	if(val["mem.mod.ipsecmod"] != "") {
 		print "unbound_memory_bytes{type=\"mem.mod.ipsecmod\"} " val["mem.mod.ipsecmod"];
 	}
 	if(val["mem.mod.dynlibmod"] != "") {
 		print "unbound_memory_bytes{type=\"mem.mod.dynlibmod\"} " val["mem.mod.dynlibmod"];
 	}
 	print "unbound_memory_bytes{type=\"msg.cache.count\"} " val["msg.cache.count"];
 	print "unbound_memory_bytes{type=\"rrset.cache.count\"} " val["rrset.cache.count"];
 	print "unbound_memory_bytes{type=\"infra.cache.count\"} " val["infra.cache.count"];
 	print "unbound_memory_bytes{type=\"key.cache.count\"} " val["key.cache.count"];
 	print ""
 	print "# HELP unbound_by_type_queries Unbound DNS queries by type"
 	print "# TYPE unbound_by_type_queries gauge"
 	for(x in val) {
 		if(x ~ /^num.query.type./) {
 			if(val[x] != "") {
 				split(x, a, ".");
 				print "unbound_by_type_queries{type=\"" a[4] "\"} " val[x];
 			}
 		}
 	}
 	print ""
 	print "# HELP unbound_by_class_queries Unbound DNS queries by class"
 	print "# TYPE unbound_by_class_queries gauge"
 	for(x in val) {
 		if(x ~ /^num.query.class./) {
 			if(val[x] != "") {
 				split(x, a, ".");
 				print "unbound_by_class_queries{class=\"" a[4] "\"} " val[x];
 			}
 		}
 	}
 	print ""
 	print "# HELP unbound_by_opcode_queries Unbound DNS queries by opcode"
 	print "# TYPE unbound_by_opcode_queries gauge"
 	for(x in val) {
 		if(x ~ /^num.query.opcode./) {
 			if(val[x] != "") {
 				split(x, a, ".");
 				print "unbound_by_opcode_queries{opcode=\"" a[4] "\"} " val[x];
 			}
 		}
 	}
 	print ""
 	print "# HELP unbound_by_rcode_queries Unbound DNS answers by rcode"
 	print "# TYPE unbound_by_rcode_queries gauge"
 	for(x in val) {
 		if(x ~ /^num.answer.rcode./) {
 			if(val[x] != "") {
 				split(x, a, ".");
 				print "unbound_by_rcode_queries{rcode=\"" a[4] "\"} " val[x];
 			}
 		}
 	}
 	print ""
 	print "# HELP unbound_by_flags_queries Unbound DNS queries by flags"
 	print "# TYPE unbound_by_flags_queries gauge"
 	for(x in val) {
 		if(x ~ /^num.query.flags./) {
 			if(val[x] != "") {
 				split(x, a, ".");
 				print "unbound_by_flags_queries{flag=\"" a[4] "\"} " val[x];
 			}
 		}
 	}
 	if(val["num.query.edns.present"] != "") {
 		print "unbound_by_flags_queries{flag=\"num.query.edns.present\"} " val["num.query.edns.present"];
 	}
 	if(val["num.query.edns.DO"] != "") {
 		print "unbound_by_flags_queries{flag=\"num.query.edns.DO\"} " val["num.query.edns.DO"];
 	}
 	print ""
 	print "# HELP unbound_histogram_seconds Unbound DNS histogram of reply time"
 	print "# TYPE unbound_histogram_seconds gauge"
 	print "unbound_histogram_seconds{bucket=\"000000.000000.to.000000.000001\"} " val["histogram.000000.000000.to.000000.000001"];
 	print "unbound_histogram_seconds{bucket=\"000000.000001.to.000000.000002\"} " val["histogram.000000.000001.to.000000.000002"];
 	print "unbound_histogram_seconds{bucket=\"000000.000002.to.000000.000004\"} " val["histogram.000000.000002.to.000000.000004"];
 	print "unbound_histogram_seconds{bucket=\"000000.000004.to.000000.000008\"} " val["histogram.000000.000004.to.000000.000008"];
 	print "unbound_histogram_seconds{bucket=\"000000.000008.to.000000.000016\"} " val["histogram.000000.000008.to.000000.000016"];
 	print "unbound_histogram_seconds{bucket=\"000000.000016.to.000000.000032\"} " val["histogram.000000.000016.to.000000.000032"];
 	print "unbound_histogram_seconds{bucket=\"000000.000032.to.000000.000064\"} " val["histogram.000000.000032.to.000000.000064"];
 	print "unbound_histogram_seconds{bucket=\"000000.000064.to.000000.000128\"} " val["histogram.000000.000064.to.000000.000128"];
 	print "unbound_histogram_seconds{bucket=\"000000.000128.to.000000.000256\"} " val["histogram.000000.000128.to.000000.000256"];
 	print "unbound_histogram_seconds{bucket=\"000000.000256.to.000000.000512\"} " val["histogram.000000.000256.to.000000.000512"];
 	print "unbound_histogram_seconds{bucket=\"000000.000512.to.000000.001024\"} " val["histogram.000000.000512.to.000000.001024"];
 	print "unbound_histogram_seconds{bucket=\"000000.001024.to.000000.002048\"} " val["histogram.000000.001024.to.000000.002048"];
 	print "unbound_histogram_seconds{bucket=\"000000.002048.to.000000.004096\"} " val["histogram.000000.002048.to.000000.004096"];
 	print "unbound_histogram_seconds{bucket=\"000000.004096.to.000000.008192\"} " val["histogram.000000.004096.to.000000.008192"];
 	print "unbound_histogram_seconds{bucket=\"000000.008192.to.000000.016384\"} " val["histogram.000000.008192.to.000000.016384"];
 	print "unbound_histogram_seconds{bucket=\"000000.016384.to.000000.032768\"} " val["histogram.000000.016384.to.000000.032768"];
 	print "unbound_histogram_seconds{bucket=\"000000.032768.to.000000.065536\"} " val["histogram.000000.032768.to.000000.065536"];
 	print "unbound_histogram_seconds{bucket=\"000000.065536.to.000000.131072\"} " val["histogram.000000.065536.to.000000.131072"];
 	print "unbound_histogram_seconds{bucket=\"000000.131072.to.000000.262144\"} " val["histogram.000000.131072.to.000000.262144"];
 	print "unbound_histogram_seconds{bucket=\"000000.262144.to.000000.524288\"} " val["histogram.000000.262144.to.000000.524288"];
 	print "unbound_histogram_seconds{bucket=\"000000.524288.to.000001.000000\"} " val["histogram.000000.524288.to.000001.000000"];
 	print "unbound_histogram_seconds{bucket=\"000001.000000.to.000002.000000\"} " val["histogram.000001.000000.to.000002.000000"];
 	print "unbound_histogram_seconds{bucket=\"000002.000000.to.000004.000000\"} " val["histogram.000002.000000.to.000004.000000"];
 	print "unbound_histogram_seconds{bucket=\"000004.000000.to.000008.000000\"} " val["histogram.000004.000000.to.000008.000000"];
 	print "unbound_histogram_seconds{bucket=\"000008.000000.to.000016.000000\"} " val["histogram.000008.000000.to.000016.000000"];
 	print "unbound_histogram_seconds{bucket=\"000016.000000.to.000032.000000\"} " val["histogram.000016.000000.to.000032.000000"];
 	print "unbound_histogram_seconds{bucket=\"000032.000000.to.000064.000000\"} " val["histogram.000032.000000.to.000064.000000"];
 	print "unbound_histogram_seconds{bucket=\"000064.000000.to.000128.000000\"} " val["histogram.000064.000000.to.000128.000000"];
 	print "unbound_histogram_seconds{bucket=\"000128.000000.to.000256.000000\"} " val["histogram.000128.000000.to.000256.000000"];
 	print "unbound_histogram_seconds{bucket=\"000256.000000.to.000512.000000\"} " val["histogram.000256.000000.to.000512.000000"];
 	print "unbound_histogram_seconds{bucket=\"000512.000000.to.001024.000000\"} " val["histogram.000512.000000.to.001024.000000"];
 	print "unbound_histogram_seconds{bucket=\"001024.000000.to.002048.000000\"} " val["histogram.001024.000000.to.002048.000000"];
 	print "unbound_histogram_seconds{bucket=\"002048.000000.to.004096.000000\"} " val["histogram.002048.000000.to.004096.000000"];
 	print "unbound_histogram_seconds{bucket=\"004096.000000.to.008192.000000\"} " val["histogram.004096.000000.to.008192.000000"];
 	print "unbound_histogram_seconds{bucket=\"008192.000000.to.016384.000000\"} " val["histogram.008192.000000.to.016384.000000"];
 	print "unbound_histogram_seconds{bucket=\"016384.000000.to.032768.000000\"} " val["histogram.016384.000000.to.032768.000000"];
 	print "unbound_histogram_seconds{bucket=\"032768.000000.to.065536.000000\"} " val["histogram.032768.000000.to.065536.000000"];
 	print "unbound_histogram_seconds{bucket=\"065536.000000.to.131072.000000\"} " val["histogram.065536.000000.to.131072.000000"];
 	print "unbound_histogram_seconds{bucket=\"131072.000000.to.262144.000000\"} " val["histogram.131072.000000.to.262144.000000"];
 	print "unbound_histogram_seconds{bucket=\"262144.000000.to.524288.000000\"} " val["histogram.262144.000000.to.524288.000000"];
 	print ""
 }
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@ -42,9 +42,9 @@
 [Unit]
 Description=Validating, recursive, and caching DNS resolver
 Documentation=man:unbound(8)
-After=network.target
+After=network-online.target
-Before=network-online.target nss-lookup.target
+Before=nss-lookup.target
-Wants=nss-lookup.target
+Wants=network-online.target nss-lookup.target
 [Install]
 WantedBy=multi-user.target
@ -66,7 +66,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@ -38,7 +38,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@ -77,6 +77,7 @@
 #include "util/storage/lookup3.h"
 #include "util/storage/slabhash.h"
 #include "util/tcp_conn_limit.h"
 #include "util/edns.h"
 #include "services/listen_dnsport.h"
 #include "services/cache/rrset.h"
 #include "services/cache/infra.h"
@ -290,6 +291,15 @@ daemon_init(void)
 		free(daemon);
 		return NULL;
 	}
 	if(!(daemon->env->edns_strings = edns_strings_create())) {
 		auth_zones_delete(daemon->env->auth_zones);
 		acl_list_delete(daemon->acl);
 		tcl_list_delete(daemon->tcl);
 		edns_known_options_delete(daemon->env);
 		free(daemon->env);
 		free(daemon);
 		return NULL;
 	}
 	return daemon;	
 }
@ -298,6 +308,8 @@ daemon_open_shared_ports(struct daemon* daemon)
 {
 	log_assert(daemon);
 	if(daemon->cfg->port != daemon->listening_port) {
 		char** resif = NULL;
 		int num_resif = 0;
 		size_t i;
 		struct listen_port* p0;
 		daemon->reuseport = 0;
@ -308,15 +320,18 @@ daemon_open_shared_ports(struct daemon* daemon)
 			free(daemon->ports);
 			daemon->ports = NULL;
 		}
 		if(!resolve_interface_names(daemon->cfg, &resif, &num_resif))
 			return 0;
 		/* see if we want to reuseport */
 #ifdef SO_REUSEPORT
 		if(daemon->cfg->so_reuseport && daemon->cfg->num_threads > 0)
 			daemon->reuseport = 1;
 #endif
 		/* try to use reuseport */
-		p0 = listening_ports_open(daemon->cfg, &daemon->reuseport);
+		p0 = listening_ports_open(daemon->cfg, resif, num_resif, &daemon->reuseport);
 		if(!p0) {
 			listening_ports_free(p0);
 			config_del_strarray(resif, num_resif);
 			return 0;
 		}
 		if(daemon->reuseport) {
@ -330,6 +345,7 @@ daemon_open_shared_ports(struct daemon* daemon)
 		if(!(daemon->ports = (struct listen_port**)calloc(
 			daemon->num_ports, sizeof(*daemon->ports)))) {
 			listening_ports_free(p0);
 			config_del_strarray(resif, num_resif);
 			return 0;
 		}
 		daemon->ports[0] = p0;
@ -338,16 +354,19 @@ daemon_open_shared_ports(struct daemon* daemon)
 			for(i=1; i<daemon->num_ports; i++) {
 				if(!(daemon->ports[i]=
 					listening_ports_open(daemon->cfg,
 						resif, num_resif,
 						&daemon->reuseport))
 					|| !daemon->reuseport ) {
 					for(i=0; i<daemon->num_ports; i++)
 						listening_ports_free(daemon->ports[i]);
 					free(daemon->ports);
 					daemon->ports = NULL;
 					config_del_strarray(resif, num_resif);
 					return 0;
 				}
 			}
 		}
 		config_del_strarray(resif, num_resif);
 		daemon->listening_port = daemon->cfg->port;
 	}
 	if(!daemon->cfg->remote_control_enable && daemon->rc_port) {
@ -619,6 +638,10 @@ daemon_fork(struct daemon* daemon)
 		&daemon->use_rpz))
 		fatal_exit("auth_zones could not be setup");
 	/* Set-up EDNS strings */
 	if(!edns_strings_apply_cfg(daemon->env->edns_strings, daemon->cfg))
 		fatal_exit("Could not set up EDNS strings");
 	/* setup modules */
 	daemon_setup_modules(daemon);
@ -750,6 +773,7 @@ daemon_delete(struct daemon* daemon)
 		rrset_cache_delete(daemon->env->rrset_cache);
 		infra_delete(daemon->env->infra_cache);
 		edns_known_options_delete(daemon->env);
 		edns_strings_delete(daemon->env->edns_strings);
 		auth_zones_delete(daemon->env->auth_zones);
 	}
 	ub_randfree(daemon->rand);
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -329,7 +329,8 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 		/* open fd */
 		fd = create_tcp_accept_sock(res, 1, &noproto, 0,
-			cfg->ip_transparent, 0, cfg->ip_freebind, cfg->use_systemd, cfg->ip_dscp);
+			cfg->ip_transparent, 0, 0, cfg->ip_freebind,
 			cfg->use_systemd, cfg->ip_dscp);
 		freeaddrinfo(res);
 	}
@ -348,11 +349,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 	/* alloc */
 	n = (struct listen_port*)calloc(1, sizeof(*n));
 	if(!n) {
-#ifndef USE_WINSOCK
+		sock_close(fd);
 		close(fd);
 #else
 		closesocket(fd);
 #endif
 		log_err("out of memory");
 		return 0;
 	}
@ -461,11 +458,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
 	if(rc->active >= rc->max_active) {
 		log_warn("drop incoming remote control: too many connections");
 	close_exit:
-#ifndef USE_WINSOCK
+		sock_close(newfd);
 		close(newfd);
 #else
 		closesocket(newfd);
 #endif
 		return 0;
 	}
@ -574,11 +567,8 @@ ssl_print_text(RES* res, const char* text)
 			if(r == -1) {
 				if(errno == EAGAIN || errno == EINTR)
 					continue;
-#ifndef USE_WINSOCK
+				log_err("could not send: %s",
-				log_err("could not send: %s", strerror(errno));
+					sock_strerror(errno));
 #else
 				log_err("could not send: %s", wsa_strerror(WSAGetLastError()));
 #endif
 				return 0;
 			}
 			at += r;
@ -635,11 +625,8 @@ ssl_read_line(RES* res, char* buf, size_t max)
 					}
 					if(errno == EINTR || errno == EAGAIN)
 						continue;
-#ifndef USE_WINSOCK
+					log_err("could not recv: %s",
-					log_err("could not recv: %s", strerror(errno));
+						sock_strerror(errno));
 #else
 					log_err("could not recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
 					return 0;
 				}
 				break;
@ -862,6 +849,12 @@ print_mem(RES* ssl, struct worker* worker, struct daemon* daemon,
 	if(!print_longnum(ssl, "mem.streamwait"SQ,
 		(size_t)s->svr.mem_stream_wait))
 		return 0;
 	if(!print_longnum(ssl, "mem.http.query_buffer"SQ,
 		(size_t)s->svr.mem_http2_query_buffer))
 		return 0;
 	if(!print_longnum(ssl, "mem.http.response_buffer"SQ,
 		(size_t)s->svr.mem_http2_response_buffer))
 		return 0;
 	return 1;
 }
@ -988,6 +981,8 @@ print_ext(RES* ssl, struct ub_stats_info* s)
 		(unsigned long)s->svr.qtls_resume)) return 0;
 	if(!ssl_printf(ssl, "num.query.ipv6"SQ"%lu\n", 
 		(unsigned long)s->svr.qipv6)) return 0;
 	if(!ssl_printf(ssl, "num.query.https"SQ"%lu\n",
 		(unsigned long)s->svr.qhttps)) return 0;
 	/* flags */
 	if(!ssl_printf(ssl, "num.query.flags.QR"SQ"%lu\n", 
 		(unsigned long)s->svr.qbit_QR)) return 0;
@ -2865,6 +2860,57 @@ do_ip_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
 	slabhash_traverse(a.infra->client_ip_rates, 0, ip_rate_list, &a);
 }
 /** do the rpz_enable/disable command */
 static void
 do_rpz_enable_disable(RES* ssl, struct worker* worker, char* arg, int enable) {
    size_t nmlen;
    int nmlabs;
    uint8_t *nm = NULL;
    struct auth_zones *az = worker->env.auth_zones;
    struct auth_zone *z = NULL;
    if (!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
        return;
    if (az) {
        lock_rw_rdlock(&az->lock);
        z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN);
        if (z) {
            lock_rw_wrlock(&z->lock);
        }
        lock_rw_unlock(&az->lock);
    }
    free(nm);
    if (!z) {
        (void) ssl_printf(ssl, "error no auth-zone %s\n", arg);
        return;
    }
    if (!z->rpz) {
        (void) ssl_printf(ssl, "error auth-zone %s not RPZ\n", arg);
        lock_rw_unlock(&z->lock);
        return;
    }
    if (enable) {
        rpz_enable(z->rpz);
    } else {
        rpz_disable(z->rpz);
    }
    lock_rw_unlock(&z->lock);
    send_ok(ssl);
 }
 /** do the rpz_enable command */
 static void
 do_rpz_enable(RES* ssl, struct worker* worker, char* arg)
 {
    do_rpz_enable_disable(ssl, worker, arg, 1);
 }
 /** do the rpz_disable command */
 static void
 do_rpz_disable(RES* ssl, struct worker* worker, char* arg)
 {
    do_rpz_enable_disable(ssl, worker, arg, 0);
 }
 /** tell other processes to execute the command */
 static void
 distribute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd)
@ -3065,6 +3111,10 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd,
 		do_flush_bogus(ssl, worker);
 	} else if(cmdcmp(p, "flush_negative", 14)) {
 		do_flush_negative(ssl, worker);
    } else if(cmdcmp(p, "rpz_enable", 10)) {
        do_rpz_enable(ssl, worker, skipwhite(p+10));
    } else if(cmdcmp(p, "rpz_disable", 11)) {
        do_rpz_disable(ssl, worker, skipwhite(p+11));
 	} else {
 		(void)ssl_printf(ssl, "error unknown command '%s'\n", p);
 	}
@ -3116,11 +3166,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
 				if(rr == 0) return;
 				if(errno == EINTR || errno == EAGAIN)
 					continue;
-#ifndef USE_WINSOCK
+				log_err("could not recv: %s", sock_strerror(errno));
 				log_err("could not recv: %s", strerror(errno));
 #else
 				log_err("could not recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
 				return;
 			}
 			r = (int)rr;
--- a/daemon/stats.c
+++ b/daemon/stats.c
@ -271,6 +271,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
 	s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
 	s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
 	s->svr.ans_expired += (long long)worker->env.mesh->ans_expired;
 	for(i=0; i<UB_STATS_RCODE_NUM; i++)
 		s->svr.ans_rcode[i] += (long long)worker->env.mesh->ans_rcode[i];
 	for(i=0; i<UB_STATS_RPZ_ACTION_NUM; i++)
@ -335,6 +336,10 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	}
 	s->svr.mem_stream_wait =
 		(long long)tcp_req_info_get_stream_buffer_size();
 	s->svr.mem_http2_query_buffer =
 		(long long)http2_get_query_buffer_size();
 	s->svr.mem_http2_response_buffer =
 		(long long)http2_get_response_buffer_size();
 	/* Set neg cache usage numbers */
 	set_neg_cache_stats(worker, &s->svr, reset);
@ -421,6 +426,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 		total->svr.qtcp_outgoing += a->svr.qtcp_outgoing;
 		total->svr.qtls += a->svr.qtls;
 		total->svr.qtls_resume += a->svr.qtls_resume;
 		total->svr.qhttps += a->svr.qhttps;
 		total->svr.qipv6 += a->svr.qipv6;
 		total->svr.qbit_QR += a->svr.qbit_QR;
 		total->svr.qbit_AA += a->svr.qbit_AA;
@ -484,6 +490,8 @@ void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
 			if(SSL_session_reused(c->ssl)) 
 				stats->qtls_resume++;
 #endif
 			if(c->type == comm_http)
 				stats->qhttps++;
 		}
 	}
 	if(repinfo && addr_is_ip6(&repinfo->addr, repinfo->addrlen))
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@ -92,7 +92,7 @@
 #include <TargetConditionals.h>
 #endif
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 #undef HAVE_FORK
 #endif
@ -337,22 +337,44 @@ readpid (const char* file)
 /** write pid to file. 
 * @param pidfile: file name of pid file.
 * @param pid: pid to write to file.
 * @return false on failure
 */
-static void
+static int
 writepid (const char* pidfile, pid_t pid)
 {
-	FILE* f;
+	int fd;
 	char pidbuf[32];
 	size_t count = 0;
 	snprintf(pidbuf, sizeof(pidbuf), "%lu\n", (unsigned long)pid);
-	if ((f = fopen(pidfile, "w")) ==  NULL ) {
+	if((fd = open(pidfile, O_WRONLY | O_CREAT | O_TRUNC
 #ifdef O_NOFOLLOW
 		| O_NOFOLLOW
 #endif
 		, 0644)) == -1) {
 		log_err("cannot open pidfile %s: %s", 
 			pidfile, strerror(errno));
-		return;
+		return 0;
 	}
-	if(fprintf(f, "%lu\n", (unsigned long)pid) < 0) {
+	while(count < strlen(pidbuf)) {
-		log_err("cannot write to pidfile %s: %s", 
+		ssize_t r = write(fd, pidbuf+count, strlen(pidbuf)-count);
-			pidfile, strerror(errno));
+		if(r == -1) {
 			if(errno == EAGAIN || errno == EINTR)
 				continue;
 			log_err("cannot write to pidfile %s: %s",
 				pidfile, strerror(errno));
 			close(fd);
 			return 0;
 		} else if(r == 0) {
 			log_err("cannot write any bytes to pidfile %s: "
 				"write returns 0 bytes written", pidfile);
 			close(fd);
 			return 0;
 		}
 		count += r;
 	}
-	fclose(f);
+	close(fd);
 	return 1;
 }
 /**
@ -506,16 +528,17 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 	/* write new pidfile (while still root, so can be outside chroot) */
 #ifdef HAVE_KILL
 	if(cfg->pidfile && cfg->pidfile[0] && need_pidfile) {
-		writepid(daemon->pidfile, getpid());
+		if(writepid(daemon->pidfile, getpid())) {
-		if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
+			if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
-			pidinchroot) {
+				pidinchroot) {
 #  ifdef HAVE_CHOWN
-			if(chown(daemon->pidfile, cfg_uid, cfg_gid) == -1) {
+				if(chown(daemon->pidfile, cfg_uid, cfg_gid) == -1) {
-				verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
+					verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
-					(unsigned)cfg_uid, (unsigned)cfg_gid,
+						(unsigned)cfg_uid, (unsigned)cfg_gid,
-					daemon->pidfile, strerror(errno));
+						daemon->pidfile, strerror(errno));
-			}
+				}
 #  endif /* HAVE_CHOWN */
 			}
 		}
 	}
 #else
--- a/daemon/worker.c
+++ b/daemon/worker.c
@ -513,7 +513,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 			edns->ext_rcode = 0;
 			edns->bits &= EDNS_DO;
 			if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL,
-				msg->rep, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad))
+				msg->rep, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 				worker->env.now_tv))
 					return 0;
 			error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
 				&msg->qinfo, id, flags, edns);
@ -544,7 +545,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 	edns->ext_rcode = 0;
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_cache_call(&worker->env, qinfo, NULL, msg->rep,
-		(int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad))
+		(int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad,
 		worker->env.now_tv))
 			return 0;
 	msg->rep->flags |= BIT_QR|BIT_RA;
 	if(!apply_edns_options(edns, &edns_bak, worker->env.cfg,
@ -553,7 +555,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 		repinfo->c->buffer, 0, 1, worker->scratchpad,
 		udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL,
-			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad))
+			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 			worker->env.now_tv))
 				edns->opt_list = NULL;
 		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
 			&msg->qinfo, id, flags, edns);
@ -576,7 +579,7 @@ apply_respip_action(struct worker* worker, const struct query_info* qinfo,
 	struct comm_reply* repinfo, struct ub_packed_rrset_key** alias_rrset,
 	struct reply_info** encode_repp, struct auth_zones* az)
 {
-	struct respip_action_info actinfo = {0};
+	struct respip_action_info actinfo = {0, 0, 0, 0, NULL, 0, NULL};
 	actinfo.action = respip_none;
 	if(qinfo->qtype != LDNS_RR_TYPE_A &&
@ -684,7 +687,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 		edns->ext_rcode = 0;
 		edns->bits &= EDNS_DO;
 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
-			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad))
+			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 			worker->env.now_tv))
 			goto bail_out;
 		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
 			qinfo, id, flags, edns);
@ -718,7 +722,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 	edns->ext_rcode = 0;
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_cache_call(&worker->env, qinfo, NULL, rep,
-		(int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad))
+		(int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad,
 		worker->env.now_tv))
 		goto bail_out;
 	*alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */
 	if((worker->daemon->use_response_ip || worker->daemon->use_rpz) &&
@ -754,7 +759,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 		repinfo->c->buffer, timenow, 1, worker->scratchpad,
 		udpsize, edns, (int)(edns->bits & EDNS_DO), *is_secure_answer)) {
 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL,
-			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad))
+			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 			worker->env.now_tv))
 				edns->opt_list = NULL;
 		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
 			qinfo, id, flags, edns);
@ -842,7 +848,8 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns,
 	edns->udp_size = EDNS_ADVERTISED_SIZE;
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL,
-		LDNS_RCODE_NOERROR, edns, repinfo, worker->scratchpad))
+		LDNS_RCODE_NOERROR, edns, repinfo, worker->scratchpad,
 		worker->env.now_tv))
 			edns->opt_list = NULL;
 	if(sldns_buffer_capacity(pkt) >=
 		sldns_buffer_limit(pkt)+calc_edns_field_size(edns))
@ -1109,7 +1116,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	struct respip_client_info* cinfo = NULL, cinfo_tmp;
 	memset(&qinfo, 0, sizeof(qinfo));
-	if(error != NETEVENT_NOERROR || !repinfo) {
+	if((error != NETEVENT_NOERROR && error != NETEVENT_DONE)|| !repinfo) {
 		/* some bad tcp query DNS formats give these error calls */
 		verbose(VERB_ALGO, "handle request called with err=%d", error);
 		return 0;
@ -1219,7 +1226,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
 		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
 			LDNS_RCODE_FORMERR);
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(worker->env.cfg->log_queries) {
@ -1237,7 +1243,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			LDNS_RCODE_REFUSED);
 		if(worker->stats.extended) {
 			worker->stats.qtype[qinfo.qtype]++;
 			server_stats_insrcode(&worker->stats, c->buffer);
 		}
 		goto send_reply;
 	}
@ -1259,7 +1264,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			LDNS_RCODE_FORMERR);
 		if(worker->stats.extended) {
 			worker->stats.qtype[qinfo.qtype]++;
 			server_stats_insrcode(&worker->stats, c->buffer);
 		}
 		goto send_reply;
 	}
@ -1275,7 +1279,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 			sldns_buffer_read_u16_at(c->buffer, 2), &reply_edns);
 		regional_free_all(worker->scratchpad);
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(edns.edns_present) {
@ -1354,7 +1357,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		edns.udp_size = 65535; /* max size for TCP replies */
 	if(qinfo.qclass == LDNS_RR_CLASS_CH && answer_chaos(worker, &qinfo,
 		&edns, repinfo, c->buffer)) {
 		server_stats_insrcode(&worker->stats, c->buffer);
 		regional_free_all(worker->scratchpad);
 		goto send_reply;
 	}
@ -1375,7 +1377,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(worker->env.auth_zones &&
@ -1387,7 +1388,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(worker->env.auth_zones &&
@ -1403,7 +1403,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		if(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer)) &&
 		   acl != acl_deny_non_local && acl != acl_refuse_non_local)
 			LDNS_RA_SET(sldns_buffer_begin(c->buffer));
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
@ -1432,7 +1431,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 			sldns_buffer_read_u16_at(c->buffer, 2), NULL);
 		regional_free_all(worker->scratchpad);
 		server_stats_insrcode(&worker->stats, c->buffer);
 		log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
 			&repinfo->addr, repinfo->addrlen);
 		goto send_reply;
@ -1588,9 +1586,9 @@ send_reply_rc:
 	if(is_expired_answer) {
 		worker->stats.ans_expired++;
 	}
 	server_stats_insrcode(&worker->stats, c->buffer);
 	if(worker->stats.extended) {
 		if(is_secure_answer) worker->stats.ans_secure++;
 		server_stats_insrcode(&worker->stats, repinfo->c->buffer);
 	}
 #ifdef USE_DNSTAP
 	if(worker->dtenv.log_client_response_messages)
@ -1726,14 +1724,6 @@ worker_create(struct daemon* daemon, int id, int* ports, int n)
 		return NULL;
 	}
 	explicit_bzero(&seed, sizeof(seed));
 #ifdef USE_DNSTAP
 	if(daemon->cfg->dnstap) {
 		log_assert(daemon->dtenv != NULL);
 		memcpy(&worker->dtenv, daemon->dtenv, sizeof(struct dt_env));
 		if(!dt_init(&worker->dtenv))
 			fatal_exit("dt_init failed");
 	}
 #endif
 	return worker;
 }
@ -1792,13 +1782,22 @@ worker_init(struct worker* worker, struct config_file *cfg,
 	} else { /* !do_sigs */
 		worker->comsig = NULL;
 	}
 #ifdef USE_DNSTAP
 	if(cfg->dnstap) {
 		log_assert(worker->daemon->dtenv != NULL);
 		memcpy(&worker->dtenv, worker->daemon->dtenv, sizeof(struct dt_env));
 		if(!dt_init(&worker->dtenv, worker->base))
 			fatal_exit("dt_init failed");
 	}
 #endif
 	worker->front = listen_create(worker->base, ports,
 		cfg->msg_buffer_size, (int)cfg->incoming_num_tcp,
 		cfg->do_tcp_keepalive
 			? cfg->tcp_keepalive_timeout
 			: cfg->tcp_idle_timeout,
-			worker->daemon->tcl,
+		cfg->harden_large_queries, cfg->http_max_streams,
-		worker->daemon->listen_sslctx,
+		cfg->http_endpoint, cfg->http_notls_downstream,
 		worker->daemon->tcl, worker->daemon->listen_sslctx,
 		dtenv, worker_handle_request, worker);
 	if(!worker->front) {
 		log_err("could not create listening sockets");
@ -1815,7 +1814,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
 		&worker_alloc_cleanup, worker,
 		cfg->do_udp || cfg->udp_upstream_without_downstream,
 		worker->daemon->connect_sslctx, cfg->delay_close,
-		cfg->tls_use_sni, dtenv);
+		cfg->tls_use_sni, dtenv, cfg->udp_connect);
 	if(!worker->back) {
 		log_err("could not create outgoing sockets");
 		worker_delete(worker);
--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@ -198,14 +198,17 @@ uitoa(unsigned n, char* s)
 static uint32_t
 extract_ipv4(const uint8_t ipv6[], size_t ipv6_len, const int offset)
 {
-    uint32_t ipv4;
+    uint32_t ipv4 = 0;
    int i, pos;
    log_assert(ipv6_len == 16); (void)ipv6_len;
-    ipv4 = (uint32_t)ipv6[offset/8+0] << (24 + (offset%8))
+    log_assert(offset == 32 || offset == 40 || offset == 48 || offset == 56 ||
-         | (uint32_t)ipv6[offset/8+1] << (16 + (offset%8))
+        offset == 64 || offset == 96);
-         | (uint32_t)ipv6[offset/8+2] << ( 8 + (offset%8))
+    for(i = 0, pos = offset / 8; i < 4; i++, pos++) {
-         | (uint32_t)ipv6[offset/8+3] << ( 0 + (offset%8));
+        if (pos == 8)
-    if (offset/8+4 < 16)
+            pos++;
-        ipv4 |= (uint32_t)ipv6[offset/8+4] >> (8 - offset%8);
+        ipv4 = ipv4 << 8;
        ipv4 |= ipv6[pos];
    }
    return ipv4;
 }
@ -296,18 +299,18 @@ synthesize_aaaa(const uint8_t prefix_addr[], size_t prefix_addr_len,
 	int prefix_net, const uint8_t a[], size_t a_len, uint8_t aaaa[],
 	size_t aaaa_len)
 {
    size_t i;
    int pos;
    log_assert(prefix_addr_len == 16 && a_len == 4 && aaaa_len == 16);
    log_assert(prefix_net == 32 || prefix_net == 40 || prefix_net == 48 ||
        prefix_net == 56 || prefix_net == 64 || prefix_net == 96);
    (void)prefix_addr_len; (void)a_len; (void)aaaa_len;
    memcpy(aaaa, prefix_addr, 16);
-    aaaa[prefix_net/8+0] |= a[0] >> (0+prefix_net%8);
+    for(i = 0, pos = prefix_net / 8; i < a_len; i++, pos++) {
-    aaaa[prefix_net/8+1] |= a[0] << (8-prefix_net%8);
+        if(pos == 8)
-    aaaa[prefix_net/8+1] |= a[1] >> (0+prefix_net%8);
+            aaaa[pos++] = 0;
-    aaaa[prefix_net/8+2] |= a[1] << (8-prefix_net%8);
+        aaaa[pos] = a[i];
-    aaaa[prefix_net/8+2] |= a[2] >> (0+prefix_net%8);
+    }
    aaaa[prefix_net/8+3] |= a[2] << (8-prefix_net%8);
    aaaa[prefix_net/8+3] |= a[3] >> (0+prefix_net%8);
    if (prefix_net/8+4 < 16)  /* <-- my beautiful symmetry is destroyed! */
    aaaa[prefix_net/8+4] |= a[3] << (8-prefix_net%8);
 }
@ -374,8 +377,10 @@ dns64_apply_cfg(struct dns64_env* dns64_env, struct config_file* cfg)
        log_err("dns64_prefix is not IPv6: %s", cfg->dns64_prefix);
        return 0;
    }
-    if (dns64_env->prefix_net < 0 || dns64_env->prefix_net > 96) {
+    if (dns64_env->prefix_net != 32 && dns64_env->prefix_net != 40 &&
-        log_err("dns64-prefix length it not between 0 and 96: %s",
+            dns64_env->prefix_net != 48 && dns64_env->prefix_net != 56 &&
            dns64_env->prefix_net != 64 && dns64_env->prefix_net != 96 ) {
        log_err("dns64-prefix length it not 32, 40, 48, 56, 64 or 96: %s",
                cfg->dns64_prefix);
        return 0;
    }
--- a/dnscrypt/dnscrypt.m4
+++ b/dnscrypt/dnscrypt.m4
@ -11,7 +11,7 @@ AC_DEFUN([dnsc_DNSCRYPT],
    [opt_dnscrypt=$enableval], [opt_dnscrypt=no])
  if test "x$opt_dnscrypt" != "xno"; then
-    AC_ARG_WITH([libsodium], AC_HELP_STRING([--with-libsodium=path],
+    AC_ARG_WITH([libsodium], AS_HELP_STRING([--with-libsodium=path],
    	[Path where libsodium is installed, for dnscrypt]), [
 	CFLAGS="$CFLAGS -I$withval/include"
 	LDFLAGS="$LDFLAGS -L$withval/lib"
--- a/dnstap/dnstap.c
+++ b/dnstap/dnstap.c
@ -134,9 +134,13 @@ dt_create(struct config_file* cfg)
 	if(cfg->dnstap && cfg->dnstap_socket_path && cfg->dnstap_socket_path[0] &&
 		(cfg->dnstap_ip==NULL || cfg->dnstap_ip[0]==0)) {
 		char* p = cfg->dnstap_socket_path;
 		if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(p,
 			cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
 			p += strlen(cfg->chrootdir);
 		verbose(VERB_OPS, "attempting to connect to dnstap socket %s",
-			cfg->dnstap_socket_path);
+			p);
-		check_socket_file(cfg->dnstap_socket_path);
+		check_socket_file(p);
 	}
 	env = (struct dt_env *) calloc(1, sizeof(struct dt_env));
@ -240,9 +244,9 @@ dt_apply_cfg(struct dt_env *env, struct config_file *cfg)
 }
 int
-dt_init(struct dt_env *env)
+dt_init(struct dt_env *env, struct comm_base* base)
 {
-	env->msgqueue = dt_msg_queue_create();
+	env->msgqueue = dt_msg_queue_create(base);
 	if(!env->msgqueue) {
 		log_err("malloc failure");
 		return 0;
--- a/dnstap/dnstap.h
+++ b/dnstap/dnstap.h
@ -101,10 +101,11 @@ dt_apply_cfg(struct dt_env *env, struct config_file *cfg);
 /**
 * Initialize per-worker state in dnstap environment object.
 * @param env: dnstap environment object to initialize, created with dt_create().
 * @param base: event base for wakeup timer.
 * @return: true on success, false on failure.
 */
 int
-dt_init(struct dt_env *env);
+dt_init(struct dt_env *env, struct comm_base* base);
 /**
 * Deletes the per-worker state created by dt_init
--- a/dnstap/dnstap.m4
+++ b/dnstap/dnstap.m4
@ -20,7 +20,7 @@ AC_DEFUN([dt_DNSTAP],
    if test -z "$PROTOC_C"; then
      AC_MSG_ERROR([The protoc-c program was not found. Please install protobuf-c!])
    fi
-    AC_ARG_WITH([protobuf-c], AC_HELP_STRING([--with-protobuf-c=path],
+    AC_ARG_WITH([protobuf-c], AS_HELP_STRING([--with-protobuf-c=path],
    	[Path where protobuf-c is installed, for dnstap]), [
 	  # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
 	  if test -f $withval/include/google/protobuf-c/protobuf-c.h; then
--- a/dnstap/dtstream.c
+++ b/dnstap/dtstream.c
@ -68,6 +68,8 @@
 #define DTIO_RECONNECT_TIMEOUT_MAX 1000
 /** the msec to wait for reconnect slow, to stop busy spinning on reconnect */
 #define DTIO_RECONNECT_TIMEOUT_SLOW 1000
 /** number of messages before wakeup of thread */
 #define DTIO_MSG_FOR_WAKEUP 32
 /** maximum length of received frame */
 #define DTIO_RECV_FRAME_MAX_LEN 1000
@ -99,13 +101,18 @@ static int dtio_enable_brief_write(struct dt_io_thread* dtio);
 #endif
 struct dt_msg_queue*
-dt_msg_queue_create(void)
+dt_msg_queue_create(struct comm_base* base)
 {
 	struct dt_msg_queue* mq = calloc(1, sizeof(*mq));
 	if(!mq) return NULL;
 	mq->maxsize = 1*1024*1024; /* set max size of buffer, per worker,
 		about 1 M should contain 64K messages with some overhead,
 		or a whole bunch smaller ones */
 	mq->wakeup_timer = comm_timer_create(base, mq_wakeup_cb, mq);
 	if(!mq->wakeup_timer) {
 		free(mq);
 		return NULL;
 	}
 	lock_basic_init(&mq->lock);
 	lock_protect(&mq->lock, mq, sizeof(*mq));
 	return mq;
@ -125,6 +132,7 @@ dt_msg_queue_clear(struct dt_msg_queue* mq)
 	mq->first = NULL;
 	mq->last = NULL;
 	mq->cursize = 0;
 	mq->msgcount = 0;
 }
 void
@ -133,6 +141,7 @@ dt_msg_queue_delete(struct dt_msg_queue* mq)
 	if(!mq) return;
 	lock_basic_destroy(&mq->lock);
 	dt_msg_queue_clear(mq);
 	comm_timer_delete(mq->wakeup_timer);
 	free(mq);
 }
@ -149,25 +158,71 @@ static void dtio_wakeup(struct dt_io_thread* dtio)
 #ifndef USE_WINSOCK
 			if(errno == EINTR || errno == EAGAIN)
 				continue;
 			log_err("dnstap io wakeup: write: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEINPROGRESS)
 				continue;
 			if(WSAGetLastError() == WSAEWOULDBLOCK)
 				continue;
 			log_err("dnstap io stop: write: %s",
 				wsa_strerror(WSAGetLastError()));
 #endif
 			log_err("dnstap io wakeup: write: %s",
 				sock_strerror(errno));
 			break;
 		}
 		break;
 	}
 }
 void
 mq_wakeup_cb(void* arg)
 {
 	struct dt_msg_queue* mq = (struct dt_msg_queue*)arg;
 	/* even if the dtio is already active, because perhaps much
 	 * traffic suddenly, we leave the timer running to save on
 	 * managing it, the once a second timer is less work then
 	 * starting and stopping the timer frequently */
 	lock_basic_lock(&mq->dtio->wakeup_timer_lock);
 	mq->dtio->wakeup_timer_enabled = 0;
 	lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
 	dtio_wakeup(mq->dtio);
 }
 /** start timer to wakeup dtio because there is content in the queue */
 static void
 dt_msg_queue_start_timer(struct dt_msg_queue* mq)
 {
 	struct timeval tv;
 	/* Start a timer to process messages to be logged.
 	 * If we woke up the dtio thread for every message, the wakeup
 	 * messages take up too much processing power.  If the queue
 	 * fills up the wakeup happens immediately.  The timer wakes it up
 	 * if there are infrequent messages to log. */
 	/* we cannot start a timer in dtio thread, because it is a different
 	 * thread and its event base is in use by the other thread, it would
 	 * give race conditions if we tried to modify its event base,
 	 * and locks would wait until it woke up, and this is what we do. */
 	/* do not start the timer if a timer already exists, perhaps
 	 * in another worker.  So this variable is protected by a lock in
 	 * dtio */
 	lock_basic_lock(&mq->dtio->wakeup_timer_lock);
 	if(mq->dtio->wakeup_timer_enabled) {
 		lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
 		return;
 	}
 	mq->dtio->wakeup_timer_enabled = 1; /* we are going to start one */
 	lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
 	/* start the timer, in mq, in the event base of our worker */
 	tv.tv_sec = 1;
 	tv.tv_usec = 0;
 	comm_timer_set(mq->wakeup_timer, &tv);
 }
 void
 dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
 {
-	int wakeup = 0;
+	int wakeupnow = 0, wakeupstarttimer = 0;
 	struct dt_msg_entry* entry;
 	/* check conditions */
@ -198,9 +253,15 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
 	/* aqcuire lock */
 	lock_basic_lock(&mq->lock);
-	/* list was empty, wakeup dtio */
+	/* if list was empty, start timer for (eventual) wakeup */
 	if(mq->first == NULL)
-		wakeup = 1;
+		wakeupstarttimer = 1;
 	/* if list contains more than wakeupnum elements, wakeup now,
 	 * or if list is (going to be) almost full */
 	if(mq->msgcount == DTIO_MSG_FOR_WAKEUP ||
 		(mq->cursize < mq->maxsize * 9 / 10 &&
 		mq->cursize+len >= mq->maxsize * 9 / 10))
 		wakeupnow = 1;
 	/* see if it is going to fit */
 	if(mq->cursize + len > mq->maxsize) {
 		/* buffer full, or congested. */
@ -211,6 +272,7 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
 		return;
 	}
 	mq->cursize += len;
 	mq->msgcount ++;
 	/* append to list */
 	if(mq->last) {
 		mq->last->next = entry;
@ -221,13 +283,19 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
 	/* release lock */
 	lock_basic_unlock(&mq->lock);
-	if(wakeup)
+	if(wakeupnow) {
 		dtio_wakeup(mq->dtio);
 	} else if(wakeupstarttimer) {
 		dt_msg_queue_start_timer(mq);
 	}
 }
 struct dt_io_thread* dt_io_thread_create(void)
 {
 	struct dt_io_thread* dtio = calloc(1, sizeof(*dtio));
 	lock_basic_init(&dtio->wakeup_timer_lock);
 	lock_protect(&dtio->wakeup_timer_lock, &dtio->wakeup_timer_enabled,
 		sizeof(dtio->wakeup_timer_enabled));
 	return dtio;
 }
@ -235,6 +303,7 @@ void dt_io_thread_delete(struct dt_io_thread* dtio)
 {
 	struct dt_io_list_item* item, *nextitem;
 	if(!dtio) return;
 	lock_basic_destroy(&dtio->wakeup_timer_lock);
 	item=dtio->io_list;
 	while(item) {
 		nextitem = item->next;
@ -272,14 +341,19 @@ int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
 	dtio->is_bidirectional = cfg->dnstap_bidirectional;
 	if(dtio->upstream_is_unix) {
 		char* nm;
 		if(!cfg->dnstap_socket_path ||
 			cfg->dnstap_socket_path[0]==0) {
 			log_err("dnstap setup: no dnstap-socket-path for "
 				"socket connect");
 			return 0;
 		}
 		nm = cfg->dnstap_socket_path;
 		if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
 			cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
 			nm += strlen(cfg->chrootdir);
 		free(dtio->socket_path);
-		dtio->socket_path = strdup(cfg->dnstap_socket_path);
+		dtio->socket_path = strdup(nm);
 		if(!dtio->socket_path) {
 			log_err("dnstap setup: malloc failure");
 			return 0;
@ -416,6 +490,7 @@ static int dt_msg_queue_pop(struct dt_msg_queue* mq, void** buf,
 		mq->first = entry->next;
 		if(!entry->next) mq->last = NULL;
 		mq->cursize -= entry->len;
 		mq->msgcount --;
 		lock_basic_unlock(&mq->lock);
 		*buf = entry->buf;
@ -587,11 +662,7 @@ static void dtio_del_output_event(struct dt_io_thread* dtio)
 /** close dtio socket and set it to -1 */
 static void dtio_close_fd(struct dt_io_thread* dtio)
 {
-#ifndef USE_WINSOCK
+	sock_close(dtio->fd);
 	close(dtio->fd);
 #else
 	closesocket(dtio->fd);
 #endif
 	dtio->fd = -1;
 }
@ -659,13 +730,8 @@ static int dtio_check_nb_connect(struct dt_io_thread* dtio)
 		char* to = dtio->socket_path;
 		if(!to) to = dtio->ip_str;
 		if(!to) to = "";
 #ifndef USE_WINSOCK
 		log_err("dnstap io: failed to connect to \"%s\": %s",
-			to, strerror(error));
+			to, sock_strerror(error));
 #else
 		log_err("dnstap io: failed to connect to \"%s\": %s",
 			to, wsa_strerror(error));
 #endif
 		return -1; /* error, close it */
 	}
@ -742,7 +808,6 @@ static int dtio_write_buf(struct dt_io_thread* dtio, uint8_t* buf,
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return 0;
 		log_err("dnstap io: failed send: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return 0;
@ -752,9 +817,8 @@ static int dtio_write_buf(struct dt_io_thread* dtio, uint8_t* buf,
 				UB_EV_WRITE);
 			return 0;
 		}
 		log_err("dnstap io: failed send: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("dnstap io: failed send: %s", sock_strerror(errno));
 		return -1;
 	}
 	return ret;
@ -778,7 +842,6 @@ static int dtio_write_with_writev(struct dt_io_thread* dtio)
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return 0;
 		log_err("dnstap io: failed writev: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return 0;
@ -788,9 +851,8 @@ static int dtio_write_with_writev(struct dt_io_thread* dtio)
 				UB_EV_WRITE);
 			return 0;
 		}
 		log_err("dnstap io: failed writev: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("dnstap io: failed writev: %s", sock_strerror(errno));
 		/* close the channel */
 		dtio_del_output_event(dtio);
 		dtio_close_output(dtio);
@ -1115,6 +1177,8 @@ static int dtio_read_accept_frame(struct dt_io_thread* dtio)
 					goto close_connection;
 				}
 				dtio->accept_frame_received = 1;
 				if(!dtio_add_output_event_write(dtio))
 					goto close_connection;
 				return 1;
 			} else {
 				/* unknow content type */
@ -1482,15 +1546,13 @@ void dtio_cmd_cb(int fd, short ATTR_UNUSED(bits), void* arg)
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return; /* ignore this */
 		log_err("dnstap io: failed to read: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return;
 		if(WSAGetLastError() == WSAEWOULDBLOCK)
 			return;
 		log_err("dnstap io: failed to read: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("dnstap io: failed to read: %s", sock_strerror(errno));
 		/* and then fall through to quit the thread */
 	} else if(r == 0) {
 		verbose(VERB_ALGO, "dnstap io: cmd channel closed");
@ -1852,13 +1914,8 @@ static int dtio_open_output_local(struct dt_io_thread* dtio)
 	struct sockaddr_un s;
 	dtio->fd = socket(AF_LOCAL, SOCK_STREAM, 0);
 	if(dtio->fd == -1) {
 #ifndef USE_WINSOCK
 		log_err("dnstap io: failed to create socket: %s",
-			strerror(errno));
+			sock_strerror(errno));
 #else
 		log_err("dnstap io: failed to create socket: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		return 0;
 	}
 	memset(&s, 0, sizeof(s));
@ -1873,13 +1930,13 @@ static int dtio_open_output_local(struct dt_io_thread* dtio)
 	if(connect(dtio->fd, (struct sockaddr*)&s, (socklen_t)sizeof(s))
 		== -1) {
 		char* to = dtio->socket_path;
-#ifndef USE_WINSOCK
+		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
 			verbosity < 4) {
 			dtio_close_fd(dtio);
 			return 0; /* no log retries on low verbosity */
 		}
 		log_err("dnstap io: failed to connect to \"%s\": %s",
-			to, strerror(errno));
+			to, sock_strerror(errno));
 #else
 		log_err("dnstap io: failed to connect to \"%s\": %s",
 			to, wsa_strerror(WSAGetLastError()));
 #endif
 		dtio_close_fd(dtio);
 		return 0;
 	}
@ -1904,18 +1961,18 @@ static int dtio_open_output_tcp(struct dt_io_thread* dtio)
 	}
 	dtio->fd = socket(addr.ss_family, SOCK_STREAM, 0);
 	if(dtio->fd == -1) {
-#ifndef USE_WINSOCK
+		log_err("can't create socket: %s", sock_strerror(errno));
 		log_err("can't create socket: %s", strerror(errno));
 #else
 		log_err("can't create socket: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		return 0;
 	}
 	fd_set_nonblock(dtio->fd);
 	if(connect(dtio->fd, (struct sockaddr*)&addr, addrlen) == -1) {
 		if(errno == EINPROGRESS)
 			return 1; /* wait until connect done*/
 		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
 			verbosity < 4) {
 			dtio_close_fd(dtio);
 			return 0; /* no log retries on low verbosity */
 		}
 #ifndef USE_WINSOCK
 		if(tcp_connect_errno_needs_log(
 			(struct sockaddr *)&addr, addrlen)) {
@ -2097,15 +2154,14 @@ void dt_io_thread_stop(struct dt_io_thread* dtio)
 #ifndef USE_WINSOCK
 			if(errno == EINTR || errno == EAGAIN)
 				continue;
 			log_err("dnstap io stop: write: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEINPROGRESS)
 				continue;
 			if(WSAGetLastError() == WSAEWOULDBLOCK)
 				continue;
 			log_err("dnstap io stop: write: %s",
 				wsa_strerror(WSAGetLastError()));
 #endif
 			log_err("dnstap io stop: write: %s",
 				sock_strerror(errno));
 			break;
 		}
 		break;
--- a/dnstap/dtstream.h
+++ b/dnstap/dtstream.h
@ -49,6 +49,7 @@ struct dt_msg_entry;
 struct dt_io_list_item;
 struct dt_io_thread;
 struct config_file;
 struct comm_base;
 /**
 * A message buffer with dnstap messages queued up.  It is per-worker.
@ -68,11 +69,15 @@ struct dt_msg_queue {
 	/** current size of the buffer, in bytes.  data bytes of messages.
 	 * If a new message make it more than maxsize, the buffer is full */
 	size_t cursize;
 	/** number of messages in the queue */
 	int msgcount;
 	/** list of messages.  The messages are added to the back and taken
 	 * out from the front. */
 	struct dt_msg_entry* first, *last;
 	/** reference to the io thread to wakeup */
 	struct dt_io_thread* dtio;
 	/** the wakeup timer for dtio, on worker event base */
 	struct comm_timer* wakeup_timer;
 };
 /**
@ -166,6 +171,10 @@ struct dt_io_thread {
 	 * for the current message length that precedes the frame */
 	size_t cur_msg_len_done;
 	/** lock on wakeup_timer_enabled */
 	lock_basic_type wakeup_timer_lock;
 	/** if wakeup timer is enabled in some thread */
 	int wakeup_timer_enabled;
 	/** command pipe that stops the pipe if closed.  Used to quit
 	 * the program. [0] is read, [1] is written to. */
 	int commandpipe[2];
@ -233,9 +242,10 @@ struct dt_io_list_item {
 /**
 * Create new (empty) worker message queue. Limit set to default on max.
 * @param base: event base for wakeup timer.
 * @return NULL on malloc failure or a new queue (not locked).
 */
-struct dt_msg_queue* dt_msg_queue_create(void);
+struct dt_msg_queue* dt_msg_queue_create(struct comm_base* base);
 /**
 * Delete a worker message queue.  It has to be unlinked from access,
@ -258,6 +268,9 @@ void dt_msg_queue_delete(struct dt_msg_queue* mq);
 */
 void dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len);
 /** timer callback to wakeup dtio thread to process messages */
 void mq_wakeup_cb(void* arg);
 /**
 * Create IO thread.
 * @return new io thread object. not yet started. or NULL malloc failure.
--- a/dnstap/unbound-dnstap-socket.c
+++ b/dnstap/unbound-dnstap-socket.c
@ -278,57 +278,31 @@ static int make_tcp_accept(char* ip)
 	}
 	if((s = socket(addr.ss_family, SOCK_STREAM, 0)) == -1) {
-#ifndef USE_WINSOCK
+		log_err("can't create socket: %s", sock_strerror(errno));
 		log_err("can't create socket: %s", strerror(errno));
 #else
 		log_err("can't create socket: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		return -1;
 	}
 #ifdef SO_REUSEADDR
 	if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
 		(socklen_t)sizeof(on)) < 0) {
 #ifndef USE_WINSOCK
 		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
-			strerror(errno));
+			sock_strerror(errno));
-		close(s);
+		sock_close(s);
 #else
 		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
 			wsa_strerror(WSAGetLastError()));
 		closesocket(s);
 #endif
 		return -1;
 	}
 #endif /* SO_REUSEADDR */
 	if(bind(s, (struct sockaddr*)&addr, len) != 0) {
-#ifndef USE_WINSOCK
+		log_err_addr("can't bind socket", sock_strerror(errno),
 		log_err_addr("can't bind socket", strerror(errno),
 			&addr, len);
-		close(s);
+		sock_close(s);
 #else
 		log_err_addr("can't bind socket",
 			wsa_strerror(WSAGetLastError()), &addr, len);
 		closesocket(s);
 #endif
 		return -1;
 	}
 	if(!fd_set_nonblock(s)) {
-#ifndef USE_WINSOCK
+		sock_close(s);
 		close(s);
 #else
 		closesocket(s);
 #endif
 		return -1;
 	}
 	if(listen(s, LISTEN_BACKLOG) == -1) {
-#ifndef USE_WINSOCK
+		log_err("can't listen: %s", sock_strerror(errno));
-		log_err("can't listen: %s", strerror(errno));
+		sock_close(s);
 		close(s);
 #else
 		log_err("can't listen: %s", wsa_strerror(WSAGetLastError()));
 		closesocket(s);
 #endif
 		return -1;
 	}
 	return s;
@ -654,7 +628,6 @@ static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf,
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return -1;
 		log_err("could not recv: %s", strerror(errno));
 #else /* USE_WINSOCK */
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return -1;
@ -662,9 +635,8 @@ static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf,
 			ub_winsock_tcp_wouldblock(data->ev, UB_EV_READ);
 			return -1;
 		}
 		log_err("could not recv: %s",
 			wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("could not recv: %s", sock_strerror(errno));
 		if(verbosity) log_info("dnstap client stream closed from %s",
 			(data->id?data->id:""));
 		return 0;
@ -755,7 +727,7 @@ static ssize_t tap_receive(struct tap_data* data, void* buf, size_t len)
 }
 /** delete the tap structure */
-void tap_data_free(struct tap_data* data)
+static void tap_data_free(struct tap_data* data)
 {
 	ub_event_del(data->ev);
 	ub_event_free(data->ev);
@ -796,12 +768,7 @@ static int reply_with_accept(struct tap_data* data)
 		}
 	} else {
 		if(send(data->fd, acceptframe, len, 0) == -1) {
-#ifndef USE_WINSOCK
+			log_err("send failed: %s", sock_strerror(errno));
 			log_err("send failed: %s", strerror(errno));
 #else
 			log_err("send failed: %s",
 				wsa_strerror(WSAGetLastError()));
 #endif
 			fd_set_nonblock(data->fd);
 			free(acceptframe);
 			return 0;
@ -834,11 +801,7 @@ static int reply_with_finish(int fd)
 	fd_set_block(fd);
 	if(send(fd, finishframe, len, 0) == -1) {
-#ifndef USE_WINSOCK
+		log_err("send failed: %s", sock_strerror(errno));
 		log_err("send failed: %s", strerror(errno));
 #else
 		log_err("send failed: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		fd_set_nonblock(fd);
 		free(finishframe);
 		return 0;
@ -1094,7 +1057,6 @@ void dtio_mainfdcallback(int fd, short ATTR_UNUSED(bits), void* arg)
 #endif /* EPROTO */
 			)
 			return;
 		log_err_addr("accept failed", strerror(errno), &addr, addrlen);
 #else /* USE_WINSOCK */
 		if(WSAGetLastError() == WSAEINPROGRESS ||
 			WSAGetLastError() == WSAECONNRESET)
@ -1103,9 +1065,9 @@ void dtio_mainfdcallback(int fd, short ATTR_UNUSED(bits), void* arg)
 			ub_winsock_tcp_wouldblock(maindata->ev, UB_EV_READ);
 			return;
 		}
 		log_err_addr("accept failed", wsa_strerror(WSAGetLastError()),
 			&addr, addrlen);
 #endif
 		log_err_addr("accept failed", sock_strerror(errno), &addr,
 			addrlen);
 		return;
 	}
 	fd_set_nonblock(s);
@ -1204,9 +1166,12 @@ int sig_quit = 0;
 /** signal handler for user quit */
 static RETSIGTYPE main_sigh(int sig)
 {
-	verbose(VERB_ALGO, "exit on signal %d\n", sig);
+	if(!sig_quit)
-	if(sig_base)
+		fprintf(stderr, "exit on signal %d\n", sig);
 	if(sig_base) {
 		ub_event_base_loopexit(sig_base);
 		sig_base = NULL;
 	}
 	sig_quit = 1;
 }
@ -1247,9 +1212,9 @@ setup_and_run(struct config_strlist_head* local_list,
 	if(verbosity) log_info("start of service");
 	ub_event_base_dispatch(base);
 	sig_base = NULL;
 	if(verbosity) log_info("end of service");
 	sig_base = NULL;
 	tap_socket_list_delete(maindata->acceptlist);
 	ub_event_base_free(base);
 	free(maindata);
@ -1390,6 +1355,10 @@ int main(int argc, char** argv)
 struct tube;
 struct query_info;
 #include "util/data/packed_rrset.h"
 #include "daemon/worker.h"
 #include "daemon/remote.h"
 #include "util/fptr_wlist.h"
 #include "libunbound/context.h"
 void worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
 	uint8_t* ATTR_UNUSED(buffer), size_t ATTR_UNUSED(len),
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,376 @@
 22 January 2021: George
 	- Fix TTL of SOA record for negative answers (localzone and
 	  authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
 19 January 2021: Willem
 	- Support for RFC5001: DNS Name Server Identifier (NSID) Option
 	  with the nsid: option in unbound.conf
 18 January 2021: Wouter
 	- Fix #404: DNS query with small edns bufsize fail.
 	- Fix declaration before statement and signed comparison warning in
 	  dns64.
 15 January 2021: Wouter
 	- Merge #402 from fobser: Implement IPv4-Embedded addresses according
 	  to RFC6052.
 14 January 2021: Wouter
 	- Fix for #93: dynlibmodule import library is named libunbound.dll.a.
 13 January 2021: Wouter
 	- Merge #399 from xiangbao227: The lock of lruhash table should
 	  unlocked after markdel entry.
 	- Fix for #93: dynlibmodule link fix for Windows.
 12 January 2021: Wouter
 	- Fix #397: [Feature request] add new type always_null to local-zone
 	  similar to always_nxdomain.
 	- Fix so local zone types always_nodata and always_deny can be used
 	  from the config file.
 8 January 2021: Wouter
 	- Merge PR #391 from fhriley: Add start_time to reply callbacks so
 	  modules can compute the response time.
 	- For #391: use struct timeval* start_time for callback information.
 	- For #391: fix indentation.
 	- For #391: more double casts in python start time calculation.
 	- Add comment documentation.
 	- Fix clang analysis warning.
 6 January 2021: Wouter
 	- Fix #379: zone loading over HTTP appears to have buffer issues.
 	- Merge PR #395 from mptre: add missing null check.
 	- Fix #387: client-subnet-always-forward seems to effectively bypass
 	  any caching?
 5 January 2021: Wouter
 	- Fix #385: autoconf 2.70 impacts unbound build
 	- Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
 	  to unbound-control.
 4 January 2021: Wouter
 	- For #376: Fix that comm point event is not double removed or double
 	  added to event map.
 	- iana portlist updated.
 16 December 2020: George
 	- Fix error cases when udp-connect is set and send() returns an error
 	  (modified patch from Xin Li @delphij).
 11 December 2020: Wouter
 	- Fix #371: unbound-control timeout when Unbound is not running.
 	- Fix to squelch permission denied and other errors from remote host,
 	  they are logged at higher verbosity but not on low verbosity.
 	- Merge PR #335 from fobser: Sprinkle in some static to prevent
 	  missing prototype warnings.
 	- Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
 	  is a GNU extension.
 	- Fix missing prototypes in the code.
 3 December 2020: Wouter
 	- make depend.
 	- iana portlist updated.
 2 December 2020: Wouter
 	- Fix #360: for the additionally reported TCP Fast Open makes TCP
 	  connections fail, in that case we print a hint that this is
 	  happening with the error in the logs.
 	- Fix #356: deadlock when listening tcp.
 	- Fix unbound-dnstap-socket to not use log routine from interrupt
 	  handler and not print so frequently when invoked in sequence.
 	- Fix on windows to ignore connection failure on UDP, unless verbose.
 	- Fix for #283: fix stream reuse and tcp fast open.
 	- Fix update, with write event check with streamreuse and fastopen.
 1 December 2020: Wouter
 	- Fix #358: Squelch udp connect 'no route to host' errors on low
 	  verbosity.
 30 November 2020: Wouter
 	- Fix assertion failure on double callback when iterator loses
 	  interest in query at head of line that then has the tcp stream
 	  not kept for reuse.
 	- tag for the 1.13.0rc4 release.  This also became the 1.13.0
 	  release version on 3 dec 2020 with the streamreuse and fastopen
 	  fix from 2 dec 2020.  The code repo continues for 1.13.1 in
 	  development.
 27 November 2020: Wouter
 	- Fix compile warning for type cast in http2_submit_dns_response.
 	- Fix when use free buffer to initialize rbtree for stream reuse.
 	- Fix compile warnings for windows.
 	- Fix compile warnings in rpz initialization.
 	- Fix contrib/metrics.awk for FreeBSD awk compatibility.
 	- tag for the 1.13.0rc3 release.
 26 November 2020: Wouter
 	- Fix to omit UDP receive errors from log, if verbosity low.
 	  These happen because of udp-connect.
 	- For #352: contrib/metrics.awk for Prometheus style metrics output.
 	- Fix that after failed read, the readagain cannot activate.
 	- Clear readagain upon decommission of pending tcp structure.
 25 November 2020: Wouter
 	- with udp-connect ignore connection refused with UDP timeouts.
 	- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
 	- Better fix for reuse tree comparison for is-tls sockets.  Where
 	  the tree key identity is preserved after cleanup of the TLS state.
 	- Remove debug commands from reuse tests.
 	- Fix memory leak for edns client tag opcode config element.
 	- Attempt fix for libevent state in tcp reuse cases after a packet
 	  is written.
 	- Fix readagain and writeagain callback functions for comm point
 	  cleanup.
 	- tag for the 1.13.0rc2 release.
 24 November 2020: Wouter
 	- Merge PR #283 : Stream reuse.  This implements upstream stream
 	  reuse for performing several queries over the same TCP or TLS
 	  channel.
 	- set version of main branch to 1.13.0 for upcoming release.
 	- iana portlist updated.
 	- Fix one port unit test for udp-connect.
 	- tag for the 1.13.0rc1 release.
 	- Fix crash when TLS connection is closed prematurely, when
 	  reuse tree comparison is not properly identical to insertion.
 	- Fix padding of struct regional for 32bit systems.
 23 November 2020: George
 	- Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
 	  edns-client-string option.
 23 November 2020: Wouter
 	- Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
 	  address families.
 	- Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
 	  failed to list interfaces: getifaddrs: Address family not
 	  supported by protocol.
 	- Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
 	- Option to toggle udp-connect, default is enabled.
 	- Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
 	  with chown of pidfile.
 	- Further fix for it and retvalue 0 fix for it.
 12 November 2020: Wouter
 	- Fix to connect() to UDP destinations, default turned on,
 	  this lowers vulnerability to ICMP side channels.
 	- Retry for interfaces with unused ports if possible.
 10 November 2020: Wouter
 	- Fix #341: fixing a possible memory leak.
 	- Fix memory leak after fix for possible memory leak failure.
 	- Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
 	  undeclared.
 27 October 2020: Wouter
 	- In man page note that tls-cert-bundle is read before permission
 	  drop and chroot.
 22 October 2020: Wouter
 	- Fix #333: Unbound Segmentation Fault w/ log_info Functions From
 	  Python Mod.
 	- Fix that minimal-responses does not remove addresses from a priming
 	  query response.
 21 October 2020: George
 	- Fix #327: net/if.h check fails on some darwin versions; contribution by
 	  Joshua Root.
 	- Fix #320: potential memory corruption due to size miscomputation upton
 	  custom region alloc init.
 21 October 2020: Wouter
 	- Merge PR #228 : infra-keep-probing option to probe hosts that are
 	  down.  Add infra-keep-probing: yes option. Hosts that are down are
 	  probed more frequently.
 	  With the option turned on, it probes about every 120 seconds,
 	  eventually after exponential backoff, and that keeps that way. If
 	  traffic keeps up for the domain. It probes with one at a time, eg.
 	  one query is allowed to probe, other queries within that 120 second
 	  interval are turned away.
 19 October 2020: George
 	- Merge PR #324 from James Renken: Add modern X.509v3 extensions to
 	  unbound-control TLS certificates.
 	- Fix for PR #324 to attach the x509v3 extensions to the client
 	  certificate.
 19 October 2020: Ralph
 	- local-zone regional allocations outside of chunk
 19 October 2020: Wouter
 	- Fix that http settings have colon in set_option, for
 	  http-endpoint, http-max-streams, http-query-buffer-size,
 	  http-response-buffer-size, and http-nodelay.
 	- Fix memory leak of https port string when reading config.
 	- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
 	  This adds the option http-notls-downstream: yesno to change that,
 	  and the dohclient test code has the -n option.
 	- Fix python documentation warning on functions.rst inplace_cb_reply.
 	- Fix dnstap test to wait for log timer to see if queries are logged.
 	- Log ip address when http session recv fails, eg. due to tls fail.
 	- Fix to set the tcp handler event toggle flag back to default when
 	  the handler structure is reused.
 	- Clean the fix for out of order TCP processing limits on number
 	  of queries.  It was tested to work.
 16 October 2020: Wouter
 	- Fix that the out of order TCP processing does not limit the
 	  number of outstanding queries over a connection.
 15 October 2020: George
 	- Fix that if there are reply callbacks for the given rcode, those
 	  are called per reply and a new message created if that was modified
 	  by the call.
 	- Pass the comm_reply information to the inplace_cb_reply* functions
 	  during the mesh state and update the documentation on that.
 15 October 2020: Wouter
 	- Merge PR #326 from netblue30: DoH: implement content-length
 	  header field
 	- DoH content length, simplify code, remove declaration after
 	  statement and fix cast warning.
 14 October 2020: Wouter
 	- Fix for python reply callback to see mesh state reply_list member,
 	  it only removes it briefly for the commpoint call so that it does
 	  not drop it and attempt to modify the reply list during reply.
 	- Fix that if there are on reply callbacks, those are called per
 	  reply and a new message created if that was modified by the call.
 	- Free up auth zone parse region after use for lookup of host
 13 October 2020: Wouter
 	- Fix #323: unbound testsuite fails on mock build in systemd-nspawn
 	  if systemd support is build.
 9 October 2020: Wouter
 	- Fix dnstap socket and the chroot not applied properly to the dnstap
 	  socket path.
 	- Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
 8 October 2020: Wouter
 	- Tag for 1.12.0 release.
 	- Current repo is version 1.12.1 in development.
 	- Fix #319: potential memory leak on config failure, in rpz config.
 1 October 2020: Wouter
 	- Current repo is version 1.12.0 for release.  Tag for 1.12.0rc1.
 30 September 2020: Wouter
 	- Fix doh tests when not compiled in.
 	- Add dohclient test executable to gitignore.
 	- Fix stream_ssl, ssl_req_order and ssl_req_timeout tests for
 	  alloc check debug output.
 	- Easier kill of unbound-dnstap-socket tool in test.
 	- Fix memory leak of edns tags at libunbound context delete.
 	- Fix double loopexit for unbound-dnstap-socket after sigterm.
 29 September 2020: Ralph
 	- DNS Flag Day 2020: change edns-buffer-size default to 1232.
 28 September 2020: Wouter
 	- Fix unit test for dnstap changes, so that it waits for the timer.
 23 September 2020: Wouter
 	- Fix #305: dnstap logging significantly affects unbound performance
 	  (regression in 1.11).
 	- Fix #305: only wake up thread when threshold reached.
 	- Fix to ifdef fptr wlist item for dnstap.
 23 September 2020: Ralph
 	- Fix edns-client-tags get_option typo
 	- Add edns-client-tag-opcode option
 	- Use inclusive language in configuration
 21 September 2020: Ralph
 	- Fix #304: dnstap logging not recovering after dnstap process restarts
 21 September 2020: Wouter
 	- Merge PR #311 by luismerino: Dynlibmod leak.
 	- Error message is logged for dynlibmod malloc failures.
 	- iana portlist updated.
 18 September 2020: Wouter
 	- Fix that prefer-ip4 and prefer-ip6 can be get and set with
 	  unbound-control, with libunbound and the unbound-checkconf option
 	  output function.
 	- iana portlist updated.
 15 September 2020: George
 	- Introduce test for statistics.
 15 September 2020: Wouter
 	- Spelling fix.
 11 September 2020: Wouter
 	- Remove x file mode on ipset/ipset.c and h files.
 9 September 2020: Wouter
 	- Fix num.expired statistics output.
 31 August 2020: Wouter
 	- Merge PR #293: Add missing prototype.  Also refactor to use the new
 	  shorthand function to clean up the code.
 	- Refactor to use sock_strerr shorthand function.
 	- Fix #296: systemd nss-lookup.target is reached before unbound can
 	  successfully answer queries. Changed contrib/unbound.service.in.
 27 August 2020: Wouter
 	- Similar to NSD PR#113, implement that interface names can be used,
 	  eg. something like interface: eth0 is resolved at server start and
 	  uses the IP addresses for that named interface.
 	- Review fix, doxygen and assign null in case of error free.
 26 August 2020: George
 	- Update documentation in python example code.
 24 August 2020: Wouter
 	- Fix that dnstap reconnects do not spam the log with the repeated
 	  attempts.  Attempts on the timer are only logged on high verbosity,
 	  if they produce a connection failure error.
 	- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
 	- Change configure to use EVP_sha256 instead of HMAC_Update for
 	  openssl-3.0.0.
 20 August 2020: Ralph
 	- Fix stats double count issue (#289).
 13 August 2020: Ralph
 	- Create and init edns tags data for libunbound.
 10 August 2020: Ralph
 	- Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
 	  by Vítězslav Čížek.
 10 August 2020: Wouter
 	- Fix #287: doc typo: "Additionaly".
 	- Rerun autoconf
 6 August 2020: Wouter
 	- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
 	  The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
 	  was advise to stop using it.  The current code base does not contain
 	  DLV code any more.  The use of dlv options displays a warning.
 5 August 2020: Wouter
 	- contrib/aaaa-filter-iterator.patch file renewed diff content to
 	  apply cleanly to the current coderepo for the current code version.
 5 August 2020: Ralph
 	- Merge PR #272: Add EDNS client tag functionality.
 4 August 2020: George
 	- Improve error log message when inserting rpz RR.
 	- Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
 	  definedness, by Felipe Gasper.
 4 August 2020: Wouter
 	- Fix mini_event.h on OpenBSD cannot find fd_set.
 31 July 2020: Wouter
 	- Fix doxygen comment for no ssl for tls session ticket key callback
 	  routine.
 27 July 2020: George
 	- Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
 	  March 2020, by and0x000.
--- a/doc/FEATURES
+++ b/doc/FEATURES
@ -39,6 +39,7 @@ RFC 4343: case insensitive handling of domain names.
 RFC 4509: SHA256 DS hash.
 RFC 4592: wildcards.
 RFC 4697: No DNS Resolution Misbehavior.
 RFC 5001: DNS Name Server Identifier (NSID) Option
 RFC 5011: update of trust anchors with timers.
 RFC 5155: NSEC3, NSEC3PARAM types
 RFC 5358: reflectors-are-evil: access control list for recursive
--- a/doc/TODO
+++ b/doc/TODO
@ -14,7 +14,6 @@ o (option) store primed key data in a overlaid keyhints file (sort of like draft
 o windows version, auto update feature, a query to check for the version.
 o command the server with TSIG inband. get-config, clearcache, 
 	get stats, get memstats, get ..., reload, clear one zone from cache
 o NSID rfc 5001 support.
 o timers rfc 5011 support.
 o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator.
 o make timeout backoffs randomized (a couple percent random) to spread traffic.
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -129,8 +129,8 @@ server:
 	# ip-dscp: 0
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
-	# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+	# is set with msg-buffer-size).
-	# edns-buffer-size: 4096
+	# edns-buffer-size: 1232
 	# Maximum UDP response size (not applied to TCP response).
 	# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
@ -161,6 +161,9 @@ server:
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 	# perform connect for UDP sockets to mitigate ICMP side channel.
 	# udp-connect: yes
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376
@ -192,6 +195,9 @@ server:
 	# minimum wait time for responses, increase if uplink is long. In msec.
 	# infra-cache-min-rtt: 50
 	# enable to make server probe down hosts more frequently.
 	# infra-keep-probing: no
 	# the number of slabs to use for the Infrastructure cache.
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
@ -371,6 +377,9 @@ server:
 	# the version to report. Leave "" or default to return package version.
 	# version: ""
 	# NSID identity (hex string, or "ascii_somestring"). default disabled.
 	# nsid: "aabbccdd"
 	# the target fetch policy.
 	# series of integers describing the policy per dependency depth.
 	# The number of values in the list determines the maximum dependency
@ -382,7 +391,7 @@ server:
 	# target-fetch-policy: "3 2 1 0 0"
 	# Harden against very small EDNS buffer sizes.
-	# harden-short-bufsize: no
+	# harden-short-bufsize: yes
 	# Harden against unseemly large queries.
 	# harden-large-queries: no
@ -431,8 +440,8 @@ server:
 	# Domains (and domains in them) without support for dns-0x20 and
 	# the fallback fails because they keep sending different answers.
-	# caps-whitelist: "licdn.com"
+	# caps-exempt: "licdn.com"
-	# caps-whitelist: "senderbase.org"
+	# caps-exempt: "senderbase.org"
 	# Enforce privacy of these addresses. Strips them away from answers.
 	# It may cause DNSSEC validation to additionally mark it as bogus.
@ -509,11 +518,6 @@ server:
 	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
 	# root-key-sentinel: yes
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
 	# DLV is going to be decommissioned.  Please do not use it any more.
 	# dlv-anchor-file: "dlv.isc.org.key"
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.
 	# Zone file format, with DS and DNSKEY entries.
@ -627,7 +631,7 @@ server:
 	# more slabs reduce lock contention, but fragment memory usage.
 	# key-cache-slabs: 4
-	# the amount of memory to use for the negative cache (used for DLV).
+	# the amount of memory to use for the negative cache.
 	# plain value in bytes or you can append k, m or G. default is "1Mb".
 	# neg-cache-size: 1m
@ -703,8 +707,10 @@ server:
 	# o inform acts like transparent, but logs client IP address
 	# o inform_deny drops queries and logs client IP address
 	# o inform_redirect redirects queries and logs client IP address
-	# o always_transparent, always_refuse, always_nxdomain, resolve in
+	# o always_transparent, always_refuse, always_nxdomain, always_nodata,
-	#   that way but ignore local data for that name
+	#   always_deny resolve in that way but ignore local data for
 	#   that name
 	# o always_null returns 0.0.0.0 or ::0 for any name in the zone.
 	# o noview breaks out of that view towards global local-zones.
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
@ -738,12 +744,14 @@ server:
 	# add a netblock specific override to a localzone, with zone type
 	# local-zone-override: "example.com" 192.0.2.0/24 refuse
-	# service clients over TLS (on the TCP sockets), with plain DNS inside
+	# service clients over TLS (on the TCP sockets) with plain DNS inside
-	# the TLS stream.  Give the certificate to use and private key.
+	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
 	# Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
 	# tls-service-key: "path/to/privatekeyfile.key"
 	# tls-service-pem: "path/to/publiccertfile.pem"
 	# tls-port: 853
 	# https-port: 443
 	# cipher setting for TLSv1.2
 	# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
@ -775,6 +783,25 @@ server:
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
 	# tls-additional-port: portno for each of the port numbers.
 	# HTTP endpoint to provide DNS-over-HTTPS service on.
 	# http-endpoint: "/dns-query"
 	# HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use.
 	# http-max-streams: 100
 	# Maximum number of bytes used for all HTTP/2 query buffers.
 	# http-query-buffer-size: 4m
 	# Maximum number of bytes used for all HTTP/2 response buffers.
 	# http-response-buffer-size: 4m
 	# Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
 	# service.
 	# http-nodelay: yes
 	# Disable TLS for DNS-over-HTTP downstream service.
 	# http-notls-downstream: no
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96
@ -848,9 +875,9 @@ server:
 	# ipsecmod-ignore-bogus: no
 	#
 	# Domains for which ipsecmod will be triggered. If not defined (default)
-	# all domains are treated as being whitelisted.
+	# all domains are treated as being allowed.
-	# ipsecmod-whitelist: "example.com"
+	# ipsecmod-allow: "example.com"
-	# ipsecmod-whitelist: "nlnetlabs.nl"
+	# ipsecmod-allow: "nlnetlabs.nl"
 # Python config section. To enable:
@ -948,27 +975,27 @@ remote-control:
 # upstream (which saves a lookup to the upstream).  The first example
 # has a copy of the root for local usage.  The second serves example.org
 # authoritatively.  zonefile: reads from file (and writes to it if you also
-# download it), master: fetches with AXFR and IXFR, or url to zonefile.
+# download it), primary: fetches with AXFR and IXFR, or url to zonefile.
-# With allow-notify: you can give additional (apart from masters) sources of
+# With allow-notify: you can give additional (apart from primaries) sources of
 # notifies.
 # auth-zone:
 #	name: "."
-#	master: 199.9.14.201         # b.root-servers.net
+#	primary: 199.9.14.201         # b.root-servers.net
-#	master: 192.33.4.12          # c.root-servers.net
+#	primary: 192.33.4.12          # c.root-servers.net
-#	master: 199.7.91.13          # d.root-servers.net
+#	primary: 199.7.91.13          # d.root-servers.net
-#	master: 192.5.5.241          # f.root-servers.net
+#	primary: 192.5.5.241          # f.root-servers.net
-#	master: 192.112.36.4         # g.root-servers.net
+#	primary: 192.112.36.4         # g.root-servers.net
-#	master: 193.0.14.129         # k.root-servers.net
+#	primary: 193.0.14.129         # k.root-servers.net
-#	master: 192.0.47.132         # xfr.cjr.dns.icann.org
+#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
-#	master: 192.0.32.132         # xfr.lax.dns.icann.org
+#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-#	master: 2001:500:200::b      # b.root-servers.net
+#	primary: 2001:500:200::b      # b.root-servers.net
-#	master: 2001:500:2::c        # c.root-servers.net
+#	primary: 2001:500:2::c        # c.root-servers.net
-#	master: 2001:500:2d::d       # d.root-servers.net
+#	primary: 2001:500:2d::d       # d.root-servers.net
-#	master: 2001:500:2f::f       # f.root-servers.net
+#	primary: 2001:500:2f::f       # f.root-servers.net
-#	master: 2001:500:12::d0d     # g.root-servers.net
+#	primary: 2001:500:12::d0d     # g.root-servers.net
-#	master: 2001:7fd::1          # k.root-servers.net
+#	primary: 2001:7fd::1          # k.root-servers.net
-#	master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+#	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-#	master: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+#	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
 #	fallback-enabled: yes
 #	for-downstream: no
 #	for-upstream: yes
@ -1088,7 +1115,7 @@ remote-control:
 # rpz:
 #     name: "rpz.example.com"
 #     zonefile: "rpz.example.com"
-#     master: 192.0.2.0
+#     primary: 192.0.2.0
 #     allow-notify: 192.0.2.0/32
 #     url: http://www.example.com/rpz.example.org.zone
 #     rpz-action-override: cname
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@ -305,6 +305,12 @@ Transfer the auth zone from master.  The auth zone probe sequence is started,
 where the masters are probed to see if they have an updated zone (with the SOA
 serial check).  And then the zone is transferred for a newer zone version.
 .TP
 .B rpz_enable \fIzone\fR
 Enable the RPZ zone if it had previously been disabled.
 .TP
 .B rpz_enable \fIzone\fR
 Disable the RPZ zone.
 .TP
 .B view_list_local_zones \fIview\fR
 \fIlist_local_zones\fR for given view.
 .TP
@ -506,6 +512,14 @@ negative cache.
 Memory in bytes in used by the TCP and TLS stream wait buffers.  These are
 answers waiting to be written back to the clients.
 .TP
 .I mem.http.query_buffer
 Memory in bytes used by the HTTP/2 query buffers. Containing (partial) DNS
 queries waiting for request stream completion.
 .TP
 .I mem.http.response_buffer
 Memory in bytes used by the HTTP/2 response buffers. Containing DNS responses
 waiting to be written back to the clients.
 .TP
 .I histogram.<sec>.<usec>.to.<sec>.<usec>
 Shows a histogram, summed over all threads. Every element counts the
 recursive queries whose reply time fit between the lower and upper bound.
@ -545,6 +559,11 @@ These are also counted in num.query.tcp, because TLS uses TCP.
 Number of TLS session resumptions, these are queries over TLS towards
 the unbound server where the client negotiated a TLS session resumption key.
 .TP
 .I num.query.https
 Number of queries that were made using HTTPS towards the unbound server.
 These are also counted in num.query.tcp and num.query.tls, because HTTPS
 uses TLS and TCP.
 .TP
 .I num.query.ipv6
 Number of queries that were made using IPv6 towards the unbound server.
 .TP
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -122,7 +122,8 @@ The port number, default 53, on which the server responds to queries.
 Interface to use to connect to the network. This interface is listened to
 for queries from clients, and answers to clients are given from it.
 Can be given multiple times to work on several interfaces. If none are
-given the default is to listen to localhost.
+given the default is to listen to localhost.  If an interface name is used
 instead of an ip address, the list of ip addresses on that interface are used.
 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
 A port number can be specified with @port (without spaces between
 interface and port number), if not specified the default port (from
@ -206,12 +207,11 @@ accepted. For larger installations increasing this value is a good idea.
 Number of bytes size to advertise as the EDNS reassembly buffer size.
 This is the value put into datagrams over UDP towards peers.  The actual
 buffer size is determined by msg\-buffer\-size (both for TCP and UDP).  Do
-not set higher than that value.  Default is 4096 which is RFC recommended.
+not set higher than that value.  Default is 1232 which is the DNS Flag Day 2020
-If you have fragmentation reassembly problems, usually seen as timeouts,
+recommendation. Setting to 512 bypasses even the most stringent path MTU
-then a value of 1472 can fix it.  Setting to 512 bypasses even the most
+problems, but is seen as extreme, since the amount of TCP fallback generated is
-stringent path MTU problems, but is seen as extreme, since the amount
+excessive (probably also for this resolver, consider tuning the outgoing tcp
-of TCP fallback generated is excessive (probably also for this resolver,
+number).
 consider tuning the outgoing tcp number).
 .TP
 .B max\-udp\-size: \fI<number>
 Maximum UDP response size (not applied to TCP response).  65536 disables the
@ -274,6 +274,10 @@ eg. 1500 msec.  When timeouts happen you need extra sockets, it checks
 the ID and remote IP of packets, and unwanted packets are added to the
 unwanted packet counter.
 .TP
 .B udp\-connect: \fI<yes or no>
 Perform connect for UDP sockets that mitigates ICMP side channel leakage.
 Default is yes.
 .TP
 .B unknown\-server\-time\-limit: \fI<msec>
 The wait time in msec for waiting for an unknown server to reply.
 Increase this if you are behind a slow satellite link, to eg. 1128.
@ -382,6 +386,12 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure
 cache. Default is 50 milliseconds. Increase this value if using forwarders
 needing more time to do recursive name resolution.
 .TP
 .B infra\-keep\-probing: \fI<yes or no>
 If enabled the server keeps probing hosts that are down, in the one probe
 at a time regime.  Default is no.  Hosts that are down, eg. they did
 not respond during the one probe at a time period, are marked as down and
 it may take \fBinfra\-host\-ttl\fR time to get probed again.
 .TP
 .B define\-tag: \fI<"list of tags">
 Define the tags that can be used with local\-zone and access\-control.
 Enclose the list between quotes ("") and put spaces between tags.
@ -484,15 +494,16 @@ Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config
 file the last is used.
 .TP
 .B tls\-service\-key: \fI<file>
-If enabled, the server provides TLS service on the TCP ports marked
+If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
-implicitly or explicitly for TLS service with tls\-port.  The file must
+TCP ports marked implicitly or explicitly for these services with tls\-port or
-contain the private key for the TLS session, the public certificate is in
+https\-port. The file must contain the private key for the TLS session, the
-the tls\-service\-pem file and it must also be specified if tls\-service\-key
+public certificate is in the tls\-service\-pem file and it must also be
-is specified.  The default is "", turned off.  Enabling or disabling
+specified if tls\-service\-key is specified.  The default is "", turned off.
-this service requires a restart (a reload is not enough), because the
+Enabling or disabling this service requires a restart (a reload is not enough),
-key is read while root permissions are held and before chroot (if any).
+because the key is read while root permissions are held and before chroot (if any).
-The ports enabled implicitly or explicitly via \fBtls\-port:\fR do not provide
+The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
-normal DNS TCP service.
+\fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
 compiled with libnghttp2 in order to provide DNS-over-HTTPS.
 .TP
 .B ssl\-service\-key: \fI<file>
 Alternate syntax for \fBtls\-service\-key\fR.
@ -515,7 +526,8 @@ Alternate syntax for \fBtls\-port\fR.
 If null or "", no file is used.  Set it to the certificate bundle file,
 for example "/etc/pki/tls/certs/ca\-bundle.crt".  These certificates are used
 for authenticating connections made to outside peers.  For example auth\-zone
-urls, and also DNS over TLS connections.
+urls, and also DNS over TLS connections.  It is read at start up before
 permission drop and chroot.
 .TP
 .B ssl\-cert\-bundle: \fI<file>
 Alternate syntax for \fBtls\-cert\-bundle\fR.
@ -557,6 +569,39 @@ Enable or disable sending the SNI extension on TLS connections.
 Default is yes.
 Changing the value requires a reload.
 .TP
 .B https\-port: \fI<number>
 The port number on which to provide DNS-over-HTTPS service, default 443, only
 interfaces configured with that port number as @number get the HTTPS service.
 .TP
 .B http\-endpoint: \fI<endpoint string>
 The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
 .TP
 .B http\-max\-streams: \fI<number of streams>
 Number used in the SETTINGS_MAX_CONCURRENT_STREAMS parameter in the HTTP/2
 SETTINGS frame for DNS-over-HTTPS connections. Default 100.
 .TP
 .B http\-query\-buffer\-size: \fI<size in bytes>
 Maximum number of bytes used for all HTTP/2 query buffers combined. These
 buffers contain (partial) DNS queries waiting for request stream completion.
 An RST_STREAM frame will be send to streams exceeding this limit. Default is 4
 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
 megabytes or gigabytes (1024*1024 bytes in a megabyte).
 .TP
 .B http\-response\-buffer\-size: \fI<size in bytes>
 Maximum number of bytes used for all HTTP/2 response buffers combined. These
 buffers contain DNS responses waiting to be written back to the clients.
 An RST_STREAM frame will be send to streams exceeding this limit. Default is 4
 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
 megabytes or gigabytes (1024*1024 bytes in a megabyte).
 .TP
 .B http\-nodelay: \fI<yes or no>
 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
 Ignored if the option is not available. Default is yes.
 .TP
 .B http\-notls\-downstream: \fI<yes or no>
 Disable use of TLS for the downstream DNS-over-HTTP connections.  Useful for
 local back end servers.  Default is no.
 .TP
 .B use\-systemd: \fI<yes or no>
 Enable or disable systemd socket activation.
 Default is no.
@ -774,6 +819,11 @@ If enabled version.server and version.bind queries are refused.
 Set the version to report. If set to "", the default, then the package
 version is returned.
 .TP
 .B nsid:\fR <string>
 Add the specified nsid to the EDNS section of the answer when queried
 with an NSID EDNS enabled packet.  As a sequence of hex characters or
 with ascii_ prefix and then an ascii string.
 .TP
 .B hide\-trustanchor: \fI<yes or no>
 If enabled trustanchor.unbound queries are refused.
 .TP
@ -794,9 +844,8 @@ closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
 rumoured to be closer to that of BIND 8.
 .TP
 .B harden\-short\-bufsize: \fI<yes or no>
-Very small EDNS buffer sizes from queries are ignored. Default is off, since
+Very small EDNS buffer sizes from queries are ignored. Default is on, as
-it is legal protocol wise to send these, and unbound tries to give very
+described in the standard.
 small answers to these queries, where possible.
 .TP
 .B harden\-large\-queries: \fI<yes or no>
 Very large queries are ignored. Default is off, since it is legal protocol
@ -853,12 +902,15 @@ authority servers and checks if the reply still has the correct casing.
 Disabled by default.
 This feature is an experimental implementation of draft dns\-0x20.
 .TP
-.B caps\-whitelist: \fI<domain>
+.B caps\-exempt: \fI<domain>
-Whitelist the domain so that it does not receive caps\-for\-id perturbed
+Exempt the domain so that it does not receive caps\-for\-id perturbed
 queries.  For domains that do not support 0x20 and also fail with fallback
 because they keep sending different answers, like some load balancers.
 Can be given multiple times, for different domains.
 .TP
 .B caps\-whitelist: \fI<yes or no>
 Alternate syntax for \fBcaps\-exempt\fR.
 .TP
 .B qname\-minimisation: \fI<yes or no>
 Send minimum amount of information to upstream servers to enhance privacy.
 Only send minimum required labels of the QNAME and set QTYPE to A when
@ -1010,26 +1062,11 @@ Send RFC8145 key tag query after trust anchor priming. Default is yes.
 .B root\-key\-sentinel: \fI<yes or no>
 Root key trust anchor sentinel. Default is yes.
 .TP
 .B dlv\-anchor\-file: \fI<filename>
 This option was used during early days DNSSEC deployment when no parent-side
 DS record registrations were easily available.  Nowadays, it is best to have
 DS records registered with the parent zone (many top level zones are signed).
 File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
 DNSKEY entries can be used in the file, in the same format as for
 \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
 would be slow. The DLV configured is used as a root trusted DLV, this
 means that it is a lookaside for the root. Default is "", or no dlv anchor
 file. DLV is going to be decommissioned.  Please do not use it any more.
 .TP
 .B dlv\-anchor: \fI<"Resource Record">
 Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
 DLV is going to be decommissioned.  Please do not use it any more.
 .TP
 .B domain\-insecure: \fI<domain name>
 Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
 the domain name.  So a trust anchor above the domain name can not make the
 domain secure with a DS record, such a DS record is then ignored.
-Also keys from DLV are ignored for the domain.  Can be given multiple times
+Can be given multiple times
 to specify multiple domains that are treated as if unsigned.  If you set
 trust anchors for the domain they override this setting (and the domain
 is secured).
@ -1211,7 +1248,7 @@ address space are not validated.  This is usually required whenever
 Configure a local zone. The type determines the answer to give if
 there is no match from local\-data. The types are deny, refuse, static,
 transparent, redirect, nodefault, typetransparent, inform, inform_deny,
-inform_redirect, always_transparent, always_refuse, always_nxdomain, noview,
+inform_redirect, always_transparent, always_refuse, always_nxdomain, always_null, noview,
 and are explained below. After that the default settings are listed. Use
 local\-data: to enter data into the local zone. Answers for local zones
 are authoritative DNS answers. By default the zones are class IN.
@ -1285,6 +1322,17 @@ Like refuse, but ignores local data and refuses the query.
 \h'5'\fIalways_nxdomain\fR
 Like static, but ignores local data and returns nxdomain for the query.
 .TP 10
 \h'5'\fIalways_nodata\fR
 Like static, but ignores local data and returns nodata for the query.
 .TP 10
 \h'5'\fIalways_deny\fR
 Like deny, but ignores local data and drops the query.
 .TP 10
 \h'5'\fIalways_null\fR
 Always returns 0.0.0.0 or ::0 for every name in the zone.  Like redirect
 with zero data for A and AAAA.  Ignores local data in the zone.  Used for
 some block lists.
 .TP 10
 \h'5'\fInoview\fR
 Breaks out of that view and moves towards the global local zones for answer
 to the query.  If the view first is no, it'll resolve normally.  If view first
@ -1529,6 +1577,16 @@ servers set. The default for fast\-server\-permil is 0.
 Set the number of servers that should be used for fast server selection. Only
 use the fastest specified number of servers with the fast\-server\-permil
 option, that turns this on or off. The default is to use the fastest 3 servers.
 .TP 5
 .B edns\-client\-string: \fI<IP netblock> <string>
 Include an EDNS0 option containing configured ascii string in queries with
 destination address matching the configured IP netblock.  This configuration
 option can be used multiple times. The most specific match will be used.
 .TP 5
 .B edns\-client\-string\-opcode: \fI<opcode>
 EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
 A value from the `Reserved for Local/Experimental` range (65001-65534) should
 be used.  Default is 65001.
 .SS "Remote Control Options"
 In the
 .B remote\-control:
@ -1731,16 +1789,16 @@ uses the SOA timer values and performs SOA UDP queries to detect zone changes.
 If the update fetch fails, the timers in the SOA record are used to time
 another fetch attempt.  Until the SOA expiry timer is reached.  Then the
 zone is expired.  When a zone is expired, queries are SERVFAIL, and
-any new serial number is accepted from the master (even if older), and if
+any new serial number is accepted from the primary (even if older), and if
 fallback is enabled, the fallback activates to fetch from the upstream instead
 of the SERVFAIL.
 .TP
 .B name: \fI<zone name>
 Name of the authority zone.
 .TP
-.B master: \fI<IP address or host name>
+.B primary: \fI<IP address or host name>
 Where to download a copy of the zone from, with AXFR and IXFR.  Multiple
-masters can be specified.  They are all tried if one fails.
+primaries can be specified.  They are all tried if one fails.
 With the "ip#name" notation a AXFR over TLS can be used.
 If you point it at another Unbound instance, it would not work because
 that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download
@ -1749,27 +1807,31 @@ If you specify the hostname, you cannot use the domain from the zonefile,
 because it may not have that when retrieving that data, instead use a plain
 IP address to avoid a circular dependency on retrieving that IP address.
 .TP
 .B master: \fI<IP address or host name>
 Alternate syntax for \fBprimary\fR.
 .TP
 .B url: \fI<url to zonefile>
 Where to download a zonefile for the zone.  With http or https.  An example
 for the url is "http://www.example.com/example.org.zone".  Multiple url
 statements can be given, they are tried in turn.  If only urls are given
 the SOA refresh timer is used to wait for making new downloads.  If also
-masters are listed, the masters are first probed with UDP SOA queries to
+primaries are listed, the primaries are first probed with UDP SOA queries to
 see if the SOA serial number has changed, reducing the number of downloads.
-If none of the urls work, the masters are tried with IXFR and AXFR.
+If none of the urls work, the primaries are tried with IXFR and AXFR.
 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
 to authenticate the connection.
 If you specify a hostname in the URL, you cannot use the domain from the
 zonefile, because it may not have that when retrieving that data, instead
 use a plain IP address to avoid a circular dependency on retrieving that IP
-address.  Avoid dependencies on name lookups by using a notation like "http://192.0.2.1/unbound-master/example.com.zone", with an explicit IP address.
+address.  Avoid dependencies on name lookups by using a notation like
 "http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
 .TP
 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
 With allow\-notify you can specify additional sources of notifies.
 When notified, the server attempts to first probe and then zone transfer.
-If the notify is from a master, it first attempts that master.  Otherwise
+If the notify is from a primary, it first attempts that primary.  Otherwise
-other masters are attempted.  If there are no masters, but only urls, the
+other primaries are attempted.  If there are no primaries, but only urls, the
-file is downloaded when notified.  The masters from master: statements are
+file is downloaded when notified.  The primaries from primary: statements are
 allowed notify by default.
 .TP
 .B fallback\-enabled: \fI<yes or no>
@ -1797,7 +1859,7 @@ downstream clients, and use the zone data as a local copy to speed up lookups.
 .B zonefile: \fI<filename>
 The filename where the zone is stored.  If not given then no zonefile is used.
 If the file does not exist or is empty, unbound will attempt to fetch zone
-data (eg. from the master servers).
+data (eg. from the primary servers).
 .SS "View Options"
 .LP
 There may be multiple
@ -1964,14 +2026,16 @@ The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
 validator iterator" directive and be compiled into the daemon to be
 enabled.  These settings go in the \fBserver:\fR section.
 .LP
-If the destination address is whitelisted with Unbound will add the EDNS0
+If the destination address is allowed in the configuration Unbound will add the
-option to the query containing the relevant part of the client's address. When
+EDNS0 option to the query containing the relevant part of the client's address.
-an answer contains the ECS option the response and the option are placed in a
+When an answer contains the ECS option the response and the option are placed in
-specialized cache. If the authority indicated no support, the response is
+a specialized cache. If the authority indicated no support, the response is
 stored in the regular cache.
 .LP
 Additionally, when a client includes the option in its queries, Unbound will
-forward the option to the authority if present in the whitelist, or
+forward the option when sending the query to addresses that are explicitly
 allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
 always be forwarded, regardless the allowed addresses, if
 \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
 the regular cache is skipped.
 .LP
@ -1992,12 +2056,13 @@ given multiple times. Zones not listed will not receive edns-subnet information,
 unless hosted by authority specified in \fBsend\-client\-subnet\fR.
 .TP
 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
-Specify whether the ECS whitelist check (configured using
+Specify whether the ECS address check (configured using
 \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
 query contains an ECS record, or only for queries for which the ECS record is
 generated using the querier address (and therefore did not contain ECS data in
-the client query). If enabled, the whitelist check is skipped when the client
+the client query). If enabled, the address check is skipped when the client
-query contains an ECS record. Default is no.
+query contains an ECS record. And the lookup in the regular cache is skipped.
 Default is no.
 .TP
 .B max\-client\-subnet\-ipv6: \fI<number>\fR
 Specifies the maximum prefix length of the client source address we are willing
@ -2086,10 +2151,13 @@ to yes, the hook will be called and the A/AAAA answer will be returned to the
 client.  If set to no, the hook will not be called and the answer to the
 A/AAAA query will be SERVFAIL.  Mainly used for testing.  Defaults to no.
 .TP
-.B ipsecmod\-whitelist: \fI<domain>\fR
+.B ipsecmod\-allow: \fI<domain>\fR
-Whitelist the domain so that the module logic will be executed.  Can
+Allow the ipsecmod functionality for the domain so that the module logic will be
-be given multiple times, for different domains.  If the option is not
+executed.  Can be given multiple times, for different domains.  If the option is
-specified, all domains are treated as being whitelisted (default).
+not specified, all domains are treated as being allowed (default).
 .TP
 .B ipsecmod\-whitelist: \fI<yes or no>
 Alternate syntax for \fBipsecmod\-allow\fR.
 .SS "Cache DB Module Options"
 .LP
 The Cache DB module must be configured in the \fBmodule\-config:\fR
@ -2123,7 +2191,7 @@ even if some data have expired in terms of DNS TTL or the Redis server has
 cached too much data;
 if necessary the Redis server must be configured to limit the cache size,
 preferably with some kind of least-recently-used eviction policy.
-Additionaly, the \fBredis\-expire\-records\fR option can be used in order to
+Additionally, the \fBredis\-expire\-records\fR option can be used in order to
 set the relative DNS TTL of the message as timeout to the Redis records; keep
 in mind that some additional memory is used per key and that the expire
 information is stored as absolute Unix timestamps in Redis (computer time must
@ -2286,33 +2354,36 @@ are applied after
 .B name: \fI<zone name>
 Name of the authority zone.
 .TP
-.B master: \fI<IP address or host name>
+.B primary: \fI<IP address or host name>
 Where to download a copy of the zone from, with AXFR and IXFR.  Multiple
-masters can be specified.  They are all tried if one fails.
+primaries can be specified.  They are all tried if one fails.
 .TP
 .B master: \fI<IP address or host name>
 Alternate syntax for \fBprimary\fR.
 .TP
 .B url: \fI<url to zonefile>
 Where to download a zonefile for the zone.  With http or https.  An example
 for the url is "http://www.example.com/example.org.zone".  Multiple url
 statements can be given, they are tried in turn.  If only urls are given
 the SOA refresh timer is used to wait for making new downloads.  If also
-masters are listed, the masters are first probed with UDP SOA queries to
+primaries are listed, the primaries are first probed with UDP SOA queries to
 see if the SOA serial number has changed, reducing the number of downloads.
-If none of the urls work, the masters are tried with IXFR and AXFR.
+If none of the urls work, the primaries are tried with IXFR and AXFR.
 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
 to authenticate the connection.
 .TP
 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
 With allow\-notify you can specify additional sources of notifies.
 When notified, the server attempts to first probe and then zone transfer.
-If the notify is from a master, it first attempts that master.  Otherwise
+If the notify is from a primary, it first attempts that primary.  Otherwise
-other masters are attempted.  If there are no masters, but only urls, the
+other primaries are attempted.  If there are no primaries, but only urls, the
-file is downloaded when notified.  The masters from master: statements are
+file is downloaded when notified.  The primaries from primary: statements are
 allowed notify by default.
 .TP
 .B zonefile: \fI<filename>
 The filename where the zone is stored.  If not given then no zonefile is used.
 If the file does not exist or is empty, unbound will attempt to fetch zone
-data (eg. from the master servers).
+data (eg. from the primary servers).
 .TP
 .B rpz\-action\-override: \fI<action>
 Always use this RPZ action for matching triggers from this zone. Possible action
--- a/dynlibmod/dynlibmod.c
+++ b/dynlibmod/dynlibmod.c
@ -5,16 +5,16 @@
 * module actions.
 */
 #include "config.h"
 #include "dynlibmod/dynlibmod.h"
 #include "util/module.h"
 #include "util/config_file.h"
 #include "dynlibmod/dynlibmod.h"
 #if HAVE_WINDOWS_H
 #include <windows.h>
 #define __DYNMOD HMODULE
 #define __DYNSYM FARPROC
 #define __LOADSYM GetProcAddress
-void log_dlerror() {
+static void log_dlerror() {
    DWORD dwLastError = GetLastError();
    LPSTR MessageBuffer;
    DWORD dwBufferLength;
@ -37,11 +37,11 @@ void log_dlerror() {
 }
-HMODULE open_library(const char* fname) {
+static HMODULE open_library(const char* fname) {
    return LoadLibrary(fname);
 }
-void close_library(const char* fname, __DYNMOD handle) {
+static void close_library(const char* fname, __DYNMOD handle) {
 	(void)fname;
 	(void)handle;
 }
@ -50,15 +50,15 @@ void close_library(const char* fname, __DYNMOD handle) {
 #define __DYNMOD void*
 #define __DYNSYM void*
 #define __LOADSYM dlsym
-void log_dlerror() {
+static void log_dlerror() {
    log_err("dynlibmod: %s", dlerror());
 }
-void* open_library(const char* fname) {
+static void* open_library(const char* fname) {
    return dlopen(fname, RTLD_LAZY | RTLD_GLOBAL);
 }
-void close_library(const char* fname, __DYNMOD handle) {
+static void close_library(const char* fname, __DYNMOD handle) {
 	if(!handle) return;
 	if(dlclose(handle) != 0) {
 		log_err("dlclose %s: %s", fname, strerror(errno));
@ -212,10 +212,10 @@ size_t dynlibmod_get_mem(struct module_env* env, int id) {
 int dynlib_inplace_cb_reply_generic(struct query_info* qinfo,
    struct module_qstate* qstate, struct reply_info* rep, int rcode,
    struct edns_data* edns, struct edns_option** opt_list_out,
-    struct comm_reply* repinfo, struct regional* region, int id,
+    struct comm_reply* repinfo, struct regional* region,
-    void* callback) {
+    struct timeval* start_time, int id, void* callback) {
    struct cb_pair* cb_pair = (struct cb_pair*) callback;
-    return ((inplace_cb_reply_func_type*) cb_pair->cb)(qinfo, qstate, rep, rcode, edns, opt_list_out, repinfo, region, id, cb_pair->cb_arg);
+    return ((inplace_cb_reply_func_type*) cb_pair->cb)(qinfo, qstate, rep, rcode, edns, opt_list_out, repinfo, region, start_time, id, cb_pair->cb_arg);
 }
 int dynlib_inplace_cb_query_generic(struct query_info* qinfo, uint16_t flags,
@ -242,6 +242,10 @@ int
 inplace_cb_register_wrapped(void* cb, enum inplace_cb_list_type type, void* cbarg,
    struct module_env* env, int id) {
    struct cb_pair* cb_pair = malloc(sizeof(struct cb_pair));
    if(cb_pair == NULL) {
 	log_err("dynlibmod[%d]: malloc failure", id);
        return 0;
    }
    cb_pair->cb = cb;
    cb_pair->cb_arg = cbarg;
    if(type >= inplace_cb_reply && type <= inplace_cb_reply_servfail) {
@ -253,6 +257,7 @@ inplace_cb_register_wrapped(void* cb, enum inplace_cb_list_type type, void* cbar
    } else if(type == inplace_cb_edns_back_parsed) {
        return inplace_cb_register(&dynlib_inplace_cb_edns_back_parsed, type, (void*) cb_pair, env, id);
    } else {
        free(cb_pair);
        return 0;
    }
 }
--- a/dynlibmod/dynlibmod.h
+++ b/dynlibmod/dynlibmod.h
@ -70,8 +70,8 @@ size_t dynlibmod_get_mem(struct module_env* env, int id);
 int dynlib_inplace_cb_reply_generic(struct query_info* qinfo,
    struct module_qstate* qstate, struct reply_info* rep, int rcode,
    struct edns_data* edns, struct edns_option** opt_list_out,
-    struct comm_reply* repinfo, struct regional* region, int id,
+    struct comm_reply* repinfo, struct regional* region,
-    void* callback);
+	struct timeval* start_time, int id, void* callback);
 int dynlib_inplace_cb_query_generic(struct query_info* qinfo, uint16_t flags,
    struct module_qstate* qstate, struct sockaddr_storage* addr,
--- a/dynlibmod/examples/helloworld.c
+++ b/dynlibmod/examples/helloworld.c
@ -7,8 +7,10 @@
 * And to build for windows, first make unbound with the --with-dynlibmod
 * switch, then use this command:
 *   x86_64-w64-mingw32-gcc -m64 -I../.. -shared -Wall -Werror -fpic
- *      -o helloworld.dll helloworld.c -L../.. -l:libunbound.a
+ *      -o helloworld.dll helloworld.c -L../.. -l:libunbound.dll.a
- * to cross-compile a 64-bit Windows DLL.
+ * to cross-compile a 64-bit Windows DLL.  The libunbound.dll.a is produced
 * by the compile step that makes unbound.exe and allows the dynlib dll to
 * access definitions in unbound.exe.
 */
 #include "../../config.h"
@ -30,8 +32,8 @@
 int reply_callback(struct query_info* qinfo,
    struct module_qstate* qstate, struct reply_info* rep, int rcode,
    struct edns_data* edns, struct edns_option** opt_list_out,
-    struct comm_reply* repinfo, struct regional* region, int id,
+    struct comm_reply* repinfo, struct regional* region,
-    void* callback);
+    struct timeval* start_time, int id, void* callback);
 /* Init is called when the module is first loaded. It should be used to set up
 * the environment for this module and do any other initialisation required. */
@ -116,8 +118,8 @@ EXPORT size_t get_mem(struct module_env* env, int id) {
 int reply_callback(struct query_info* qinfo,
    struct module_qstate* qstate, struct reply_info* rep, int rcode,
    struct edns_data* edns, struct edns_option** opt_list_out,
-    struct comm_reply* repinfo, struct regional* region, int id,
+    struct comm_reply* repinfo, struct regional* region,
-    void* callback) {
+    struct timeval* start_time, int id, void* callback) {
    log_info("dynlib: hello world from callback");
    struct dynlibmod_env* env = qstate->env->modinfo[id];
    if (env->dyn_env != NULL) {
--- a/ipset/ipset.c
+++ b/ipset/ipset.c
--- a/ipset/ipset.h
+++ b/ipset/ipset.h
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@ -3191,7 +3191,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
 	/* validate the root or stub after priming (if enabled).
 	 * This is the same query as the prime query, but with validation.
 	 * Now that we are primed, the additional queries that validation
-	 * may need can be resolved, such as DLV. */
+	 * may need can be resolved. */
 	if(qstate->env->cfg->harden_referral_path) {
 		struct module_qstate* subq = NULL;
 		log_nametypeclass(VERB_ALGO, "schedule prime validation", 
--- a/libunbound/context.c
+++ b/libunbound/context.c
@ -50,6 +50,7 @@
 #include "services/authzone.h"
 #include "util/data/msgreply.h"
 #include "util/storage/slabhash.h"
 #include "util/edns.h"
 #include "sldns/sbuffer.h"
 int 
@ -79,6 +80,8 @@ context_finalize(struct ub_ctx* ctx)
 		return UB_INITFAIL;
 	if(!auth_zones_apply_cfg(ctx->env->auth_zones, cfg, 1, &is_rpz))
 		return UB_INITFAIL;
 	if(!edns_strings_apply_cfg(ctx->env->edns_strings, cfg))
 		return UB_INITFAIL;
 	if(!slabhash_is_size(ctx->env->msg_cache, cfg->msg_cache_size,
 		cfg->msg_cache_slabs)) {
 		slabhash_delete(ctx->env->msg_cache);
--- a/libunbound/libunbound.c
+++ b/libunbound/libunbound.c
@ -58,6 +58,7 @@
 #include "util/net_help.h"
 #include "util/tube.h"
 #include "util/ub_event.h"
 #include "util/edns.h"
 #include "services/modstack.h"
 #include "services/localzone.h"
 #include "services/cache/infra.h"
@ -153,6 +154,18 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
 		errno = ENOMEM;
 		return NULL;
 	}
 	ctx->env->edns_strings = edns_strings_create();
 	if(!ctx->env->edns_strings) {
 		auth_zones_delete(ctx->env->auth_zones);
 		edns_known_options_delete(ctx->env);
 		config_delete(ctx->env->cfg);
 		free(ctx->env);
 		ub_randfree(ctx->seed_rnd);
 		free(ctx);
 		errno = ENOMEM;
 		return NULL;
 	}
 	ctx->env->alloc = &ctx->superalloc;
 	ctx->env->worker = NULL;
 	ctx->env->need_to_validate = 0;
@ -173,6 +186,7 @@ ub_ctx_create(void)
 		config_delete(ctx->env->cfg);
 		modstack_desetup(&ctx->mods, ctx->env);
 		edns_known_options_delete(ctx->env);
 		edns_strings_delete(ctx->env->edns_strings);
 		free(ctx->env);
 		free(ctx);
 		errno = e;
@ -185,6 +199,7 @@ ub_ctx_create(void)
 		config_delete(ctx->env->cfg);
 		modstack_desetup(&ctx->mods, ctx->env);
 		edns_known_options_delete(ctx->env);
 		edns_strings_delete(ctx->env->edns_strings);
 		free(ctx->env);
 		free(ctx);
 		errno = e;
@ -323,6 +338,7 @@ ub_ctx_delete(struct ub_ctx* ctx)
 		infra_delete(ctx->env->infra_cache);
 		config_delete(ctx->env->cfg);
 		edns_known_options_delete(ctx->env);
 		edns_strings_delete(ctx->env->edns_strings);
 		auth_zones_delete(ctx->env->auth_zones);
 		free(ctx->env);
 	}
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@ -73,12 +73,15 @@
 #include "iterator/iter_hints.h"
 #include "sldns/sbuffer.h"
 #include "sldns/str2wire.h"
 #ifdef USE_DNSTAP
 #include "dnstap/dtstream.h"
 #endif
 #ifdef HAVE_TARGETCONDITIONALS_H
 #include <TargetConditionals.h>
 #endif
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 #undef HAVE_FORK
 #endif
@ -238,7 +241,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 		ports, numports, cfg->unwanted_threshold,
 		cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
 		cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
-		cfg->delay_close, cfg->tls_use_sni, NULL);
+		cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect);
 	w->env->outnet = w->back;
 	if(!w->is_bg || w->is_bg_thread) {
 		lock_basic_unlock(&ctx->cfglock);
--- a/libunbound/unbound.h
+++ b/libunbound/unbound.h
@ -697,6 +697,8 @@ struct ub_server_stats {
 	long long qtcp_outgoing;
 	/** number of queries over (DNS over) TLS */
 	long long qtls;
 	/** number of queries over (DNS over) HTTPS */
 	long long qhttps;
 	/** number of queries over IPv6 */
 	long long qipv6;
 	/** number of queries with QR bit */
@ -787,6 +789,10 @@ struct ub_server_stats {
 	long long num_query_subnet_cache;
 	/** number of bytes in the stream wait buffers */
 	long long mem_stream_wait;
 	/** number of bytes in the HTTP2 query buffers */
 	long long mem_http2_query_buffer;
 	/** number of bytes in the HTTP2 response buffers */
 	long long mem_http2_response_buffer;
 	/** number of TLS connection resume */
 	long long qtls_resume;
 	/** RPZ action stats */
--- a/pythonmod/doc/examples/example6.rst
+++ b/pythonmod/doc/examples/example6.rst
@ -60,7 +60,6 @@ The callback function's prototype is the following:
        :param **kwargs: Dictionary that may contain parameters added in a future
                         release. Current parameters:
            ``repinfo``: Reply information for a communication point (comm_reply).
                         It is None when the callback happens in the mesh states.
        :return: True on success, False on failure.
@ -105,8 +104,6 @@ The callback function's prototype is the following:
        :param **kwargs: Dictionary that may contain parameters added in a future
                         release. Current parameters:
            ``repinfo``: Reply information for a communication point (comm_reply).
                         It is None when the callback happens in the mesh
                         states(modules).
        :return: True on success, False on failure.
@ -154,8 +151,6 @@ The callback function's prototype is the following:
        :param **kwargs: Dictionary that may contain parameters added in a future
                         release. Current parameters:
            ``repinfo``: Reply information for a communication point (comm_reply).
                         It is None when the callback happens in the mesh
                         states(modules).
        :return: True on success, False on failure.
@ -201,8 +196,6 @@ The callback function's prototype is the following:
        :param **kwargs: Dictionary that may contain parameters added in a future
                         release. Current parameters:
            ``repinfo``: Reply information for a communication point (comm_reply).
                         It is None when the callback happens in the mesh
                         states(modules).
        :return: True on success, False on failure.
--- a/pythonmod/doc/modules/config.rst
+++ b/pythonmod/doc/modules/config.rst
@ -256,14 +256,6 @@ config_file
      Files with trusted DNSKEYs in named.conf format, list.
   .. attribute:: dlv_anchor_file
      DLV anchor file.
   .. attribute:: dlv_anchor_list
      DLV anchor inline.
   .. attribute:: max_ttl
      The number of seconds maximal TTL used for RRsets and messages.
--- a/pythonmod/doc/modules/functions.rst
+++ b/pythonmod/doc/modules/functions.rst
@ -89,7 +89,7 @@ EDNS options
 Inplace callbacks
 -----------------
-.. function:: inplace_cb_reply(qinfo, qstate, rep, rcode, edns, opt_list_out, region)
+.. function:: inplace_cb_reply(qinfo, qstate, rep, rcode, edns, opt_list_out, region, \*\*kwargs)
    Function prototype for callback functions used in
    `register_inplace_cb_reply`_, `register_inplace_cb_reply_cache`_,
@ -102,6 +102,9 @@ Inplace callbacks
    :param edns: :class:`edns_data`
    :param opt_list_out: :class:`edns_option`. EDNS option list to append options to.
    :param region: :class:`regional`
    :param \*\*kwargs: Dictionary that may contain parameters added in a future
        release. Current parameters:
        ``repinfo``: :class:`comm_reply`. Reply information for a communication point.
 .. function:: inplace_cb_query(qinfo, flags, qstate, addr, zone, region)
--- a/pythonmod/examples/avahi-resolver.py
+++ b/pythonmod/examples/avahi-resolver.py
@ -59,6 +59,8 @@
 # |   num-threads: 32
 # |   cache-max-negative-ttl: 60
 # |   cache-max-ttl: 60
 # | python:
 # |   python-script: path/to/this/file
 #
 #
 # The plugin can also be run interactively. Provide the name and
--- a/pythonmod/examples/inplace_callbacks.py
+++ b/pythonmod/examples/inplace_callbacks.py
@ -43,7 +43,7 @@
 #       This query returns SERVFAIL as the txt record of bogus.nlnetlabs.nl is
 #       intentionally bogus. The reply will contain an empty EDNS option
 #       with option code 65003.
-#       Unbound will also log the source address(es) of the client(s) that made
+#       Unbound will also log the source address of the client that made
 #       the request.
 #       (unbound needs to be validating for this example to work)
@ -91,8 +91,6 @@ def inplace_reply_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
    :param **kwargs: Dictionary that may contain parameters added in a future
                     release. Current parameters:
        ``repinfo``: Reply information for a communication point (comm_reply).
                     It is None when the callback happens in the mesh
                     states(modules).
    :return: True on success, False on failure.
@ -121,8 +119,6 @@ def inplace_cache_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
    :param **kwargs: Dictionary that may contain parameters added in a future
                     release. Current parameters:
        ``repinfo``: Reply information for a communication point (comm_reply).
                     It is None when the callback happens in the mesh
                     states(modules).
    :return: True on success, False on failure.
@ -173,8 +169,6 @@ def inplace_local_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
    :param **kwargs: Dictionary that may contain parameters added in a future
                     release. Current parameters:
        ``repinfo``: Reply information for a communication point (comm_reply).
                     It is None when the callback happens in the mesh
                     states(modules).
    :return: True on success, False on failure.
@ -205,13 +199,11 @@ def inplace_servfail_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
    :param **kwargs: Dictionary that may contain parameters added in a future
                     release. Current parameters:
        ``repinfo``: Reply information for a communication point (comm_reply).
                     It is None when the callback happens in the mesh
                     states(modules).
    :return: True on success, False on failure.
    For demonstration purposes we want to reply with an empty EDNS code '65003'
-    and log the IP address(es) of the client(s).
+    and log the IP address of the client.
    """
    log_info("python: called back while servfail.")
@ -219,30 +211,14 @@ def inplace_servfail_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
    b = bytearray.fromhex("")
    edns_opt_list_append(opt_list_out, 65003, b, region)
-    # Log the client(s) IP address(es)
+    # Log the client's IP address
    comm_reply = kwargs['repinfo']
    if comm_reply:
        # If it is not None this callback was called before the query reached
        # the mesh states(modules). There is only one client associated with
        # this query.
        addr = comm_reply.addr
        port = comm_reply.port
        addr_family = comm_reply.family
        log_info("python: Client IP: {}({}), port: {}"
                 "".format(addr, addr_family, port))
    else:
        # If it is not None this callback was called while the query is in the
        # mesh states(modules). In this case they may be multiple clients
        # waiting for this query.
        # The following code is the same as with the resip.py example.
        rl = qstate.mesh_info.reply_list
        while (rl):
            if rl.query_reply:
                q = rl.query_reply
                log_info("python: Client IP: {}({}), port: {}"
                         "".format(q.addr, q.family, q.port))
            rl = rl.next
    return True
--- a/pythonmod/interface.i
+++ b/pythonmod/interface.i
@ -20,6 +20,7 @@
 * called to perform operations on queries.
 */
   #include <sys/types.h>
   #include <time.h>
   #ifdef HAVE_SYS_SOCKET_H
   #include <sys/socket.h>
   #endif
@ -696,6 +697,8 @@ struct edns_data {
 /* ************************************************************************************ *
   Structure module_env
 * ************************************************************************************ */
 %rename(_now) module_env::now;
 %rename(_now_tv) module_env::now_tv;
 struct module_env {
    struct config_file* cfg;
    struct slabhash* msg_cache;
@ -739,6 +742,19 @@ struct module_env {
    size_t edns_known_options_num;
 };
 %inline %{
    PyObject* _module_env_now_get(struct module_env* env) {
        double ts = env->now_tv->tv_sec + env->now_tv->tv_usec / 1e6;
        return PyFloat_FromDouble(ts);
    }
 %}
 %extend module_env {
    %pythoncode %{
        def _now_get(self): return _module_env_now_get(self)
        now = property(_now_get)
    %}
 }
 /* ************************************************************************************ *
   Structure module_qstate
 * ************************************************************************************ */
@ -992,8 +1008,6 @@ struct config_file {
   struct config_strlist* trust_anchor_file_list;
   struct config_strlist* trust_anchor_list;
   struct config_strlist* trusted_keys_file_list;
   char* dlv_anchor_file;
   struct config_strlist* dlv_anchor_list;
   int max_ttl;
   int32_t val_date_override;
   int bogus_ttl;
@ -1415,6 +1429,19 @@ struct delegpt* find_delegation(struct module_qstate* qstate, char *nm, size_t n
 /******************************
 * Various debugging functions *
 ******************************/
 /* rename the variadic functions because python does the formatting already*/
 %rename (unbound_log_info) log_info;
 %rename (unbound_log_err) log_err;
 %rename (unbound_log_warn) log_warn;
 %rename (unbound_verbose) verbose;
 /* provide functions that take one string as argument, so python can cook
 the string */
 %rename (log_info) pymod_log_info;
 %rename (log_warn) pymod_log_warn;
 %rename (log_err) pymod_log_err;
 %rename (verbose) pymod_verbose;
 void verbose(enum verbosity_value level, const char* format, ...);
 void log_info(const char* format, ...);
 void log_err(const char* format, ...);
@ -1424,6 +1451,19 @@ void log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* r
 void log_query_info(enum verbosity_value v, const char* str, struct query_info* qinf);
 void regional_log_stats(struct regional *r);
 /* the one argument string log functions */
 void pymod_log_info(const char* str);
 void pymod_log_err(const char* str);
 void pymod_log_warn(const char* str);
 void pymod_verbose(enum verbosity_value level, const char* str);
 %{
 void pymod_log_info(const char* str) { log_info("%s", str); }
 void pymod_log_err(const char* str) { log_err("%s", str); }
 void pymod_log_warn(const char* str) { log_warn("%s", str); }
 void pymod_verbose(enum verbosity_value level, const char* str) {
        verbose(level, "%s", str); }
 %}
 /***************************************************************************
 * Free allocated memory from marked sources returning corresponding types *
 ***************************************************************************/
@ -1501,13 +1541,14 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
    int python_inplace_cb_reply_generic(struct query_info* qinfo,
        struct module_qstate* qstate, struct reply_info* rep, int rcode,
        struct edns_data* edns, struct edns_option** opt_list_out,
-        struct comm_reply* repinfo, struct regional* region, int id,
+        struct comm_reply* repinfo, struct regional* region,
-        void* python_callback)
+        struct timeval* start_time, int id, void* python_callback)
    {
        PyObject *func, *py_edns, *py_qstate, *py_opt_list_out, *py_qinfo;
        PyObject *py_rep, *py_repinfo, *py_region;
        PyObject *py_args, *py_kwargs, *result;
        int res = 0;
        double py_start_time = ((double)start_time->tv_sec) + ((double)start_time->tv_usec) / 1.0e6;
        PyGILState_STATE gstate = PyGILState_Ensure();
        func = (PyObject *) python_callback;
@ -1522,7 +1563,8 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
        py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0);
        py_args = Py_BuildValue("(OOOiOOO)", py_qinfo, py_qstate, py_rep,
            rcode, py_edns, py_opt_list_out, py_region);
-        py_kwargs = Py_BuildValue("{s:O}", "repinfo", py_repinfo);
+        py_kwargs = Py_BuildValue("{s:O,s:d}", "repinfo", py_repinfo, "start_time",
                                  py_start_time);
        result = PyObject_Call(func, py_args, py_kwargs);
        Py_XDECREF(py_edns);
        Py_XDECREF(py_qstate);
--- a/pythonmod/pythonmod.h
+++ b/pythonmod/pythonmod.h
@ -72,8 +72,8 @@ size_t pythonmod_get_mem(struct module_env* env, int id);
 int python_inplace_cb_reply_generic(struct query_info* qinfo,
 	struct module_qstate* qstate, struct reply_info* rep, int rcode,
 	struct edns_data* edns, struct edns_option** opt_list_out,
-	struct comm_reply* repinfo, struct regional* region, int id,
+	struct comm_reply* repinfo, struct regional* region,
-	void* python_callback);
+	struct timeval* start_time, int id, void* python_callback);
 /** Declared here for fptr_wlist access. The definition is in interface.i. */
 int python_inplace_cb_query_generic(
--- a/pythonmod/pythonmod_utils.c
+++ b/pythonmod/pythonmod_utils.c
@ -39,6 +39,7 @@
 * conversions.
 */
 #include "config.h"
 #include "pythonmod/pythonmod_utils.h"
 #include "util/module.h"
 #include "util/netevent.h"
 #include "util/net_help.h"
--- a/pythonmod/pythonmod_utils.h
+++ b/pythonmod/pythonmod_utils.h
@ -43,6 +43,7 @@
 #include "util/module.h"
 struct delegpt_addr;
 struct sldns_buffer;
 /**
 *  Store the reply_info and query_info pair in message cache (qstate->msg_cache)
@ -77,7 +78,7 @@ void invalidateQueryInCache(struct module_qstate* qstate, struct query_info* qin
 * @param pkt: a sldns_buffer which contains sldns_packet data
 * @return 0 on failure, out of memory or parse error.
 */
-int createResponse(struct module_qstate* qstate, sldns_buffer* pkt);
+int createResponse(struct module_qstate* qstate, struct sldns_buffer* pkt);
 /**
 *  Convert reply->addr to string
--- a/respip/respip.c
+++ b/respip/respip.c
@ -914,7 +914,7 @@ respip_rewrite_reply(const struct query_info* qinfo,
 	int ret = 1;
 	struct ub_packed_rrset_key* redirect_rrset = NULL;
 	struct rpz* r;
-	struct auth_zone* a;
+	struct auth_zone* a = NULL;
 	struct ub_packed_rrset_key* data = NULL;
 	int rpz_used = 0;
 	int rpz_log = 0;
@ -1109,7 +1109,7 @@ respip_operate(struct module_qstate* qstate, enum module_ev event, int id,
 			qstate->return_msg && qstate->return_msg->rep) {
 			struct reply_info* new_rep = qstate->return_msg->rep;
 			struct ub_packed_rrset_key* alias_rrset = NULL;
-			struct respip_action_info actinfo = {0};
+			struct respip_action_info actinfo = {0, 0, 0, 0, NULL, 0, NULL};
 			actinfo.action = respip_none;
 			if(!respip_rewrite_reply(&qstate->qinfo,
@ -1170,7 +1170,7 @@ respip_merge_cname(struct reply_info* base_rep,
 	struct ub_packed_rrset_key* alias_rrset = NULL; /* ditto */
 	uint16_t tgt_rcode;
 	size_t i, j;
-	struct respip_action_info actinfo = {0};
+	struct respip_action_info actinfo = {0, 0, 0, 0, NULL, 0, NULL};
 	actinfo.action = respip_none;
 	/* If the query for the CNAME target would result in an unusual rcode,
--- a/services/authzone.c
+++ b/services/authzone.c
@ -2331,7 +2331,8 @@ static int
 az_add_negative_soa(struct auth_zone* z, struct regional* region,
 	struct dns_msg* msg)
 {
-	uint32_t minimum;
+	time_t minimum;
 	size_t i;
 	struct packed_rrset_data* d;
 	struct auth_rrset* soa;
 	struct auth_data* apex = az_find_name(z, z->name, z->namelen);
@ -2348,9 +2349,11 @@ az_add_negative_soa(struct auth_zone* z, struct regional* region,
 	/* last 4 bytes are minimum ttl in network format */
 	if(d->count == 0) return 0;
 	if(d->rr_len[0] < 2+4) return 0;
-	minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4));
+	minimum = (time_t)sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4));
-	d->ttl = (time_t)minimum;
+	minimum = d->ttl<minimum?d->ttl:minimum;
-	d->rr_ttl[0] = (time_t)minimum;
+	d->ttl = minimum;
 	for(i=0; i < d->count + d->rrsig_count; i++)
 		d->rr_ttl[i] = minimum;
 	msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
 	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
 	msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
@ -3286,7 +3289,7 @@ auth_answer_encode(struct query_info* qinfo, struct module_env* env,
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, msg->rep,
-		(int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp)
+		(int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp, env->now_tv)
 		|| !reply_info_answer_encode(qinfo, msg->rep,
 		*(uint16_t*)sldns_buffer_begin(buf),
 		sldns_buffer_read_u16_at(buf, 2),
@ -3310,7 +3313,7 @@ auth_error_encode(struct query_info* qinfo, struct module_env* env,
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL,
-		rcode, edns, repinfo, temp))
+		rcode, edns, repinfo, temp, env->now_tv))
 		edns->opt_list = NULL;
 	error_encode(buf, rcode|BIT_AA, qinfo,
 		*(uint16_t*)sldns_buffer_begin(buf),
@ -5387,6 +5390,7 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 				verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has no answer", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
 			}
 		}
 		regional_free_all(temp);
 	} else {
 		if(verbosity >= VERB_ALGO) {
 			char zname[255+1];
@ -6092,7 +6096,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
 	/* send udp packet */
 	if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer,
-		(struct sockaddr*)&addr, addrlen)) {
+		(struct sockaddr*)&addr, addrlen, 0)) {
 		char zname[255+1], as[256];
 		dname_str(xfr->name, zname);
 		addr_to_str(&addr, addrlen, as, sizeof(as));
@ -6444,6 +6448,7 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 				verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has no address", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
 			}
 		}
 		regional_free_all(temp);
 	} else {
 		if(verbosity >= VERB_ALGO) {
 			char zname[255+1];
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@ -890,9 +890,8 @@ dns_cache_lookup(struct module_env* env,
 		lock_rw_unlock(&rrset->entry.lock);
 	}
-	/* construct DS, DNSKEY, DLV messages from rrset cache. */
+	/* construct DS, DNSKEY messages from rrset cache. */
-	if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY ||
+	if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY) &&
 		qtype == LDNS_RR_TYPE_DLV) &&
 		(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen, 
 		qtype, qclass, 0, now, 0))) {
 		/* if the rrset is from the additional section, and the
--- a/services/cache/infra.c
+++ b/services/cache/infra.c
@ -244,6 +244,7 @@ infra_create(struct config_file* cfg)
 		return NULL;
 	}
 	infra->host_ttl = cfg->host_ttl;
 	infra->infra_keep_probing = cfg->infra_keep_probing;
 	infra_dp_ratelimit = cfg->ratelimit;
 	infra->domain_rates = slabhash_create(cfg->ratelimit_slabs,
 		INFRA_HOST_STARTSIZE, cfg->ratelimit_size,
@ -297,6 +298,7 @@ infra_adjust(struct infra_cache* infra, struct config_file* cfg)
 	if(!infra)
 		return infra_create(cfg);
 	infra->host_ttl = cfg->host_ttl;
 	infra->infra_keep_probing = cfg->infra_keep_probing;
 	infra_dp_ratelimit = cfg->ratelimit;
 	infra_ip_ratelimit = cfg->ip_ratelimit;
 	maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+
@ -445,6 +447,7 @@ infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
 	if(e && ((struct infra_data*)e->data)->ttl < timenow) {
 		/* it expired, try to reuse existing entry */
 		int old = ((struct infra_data*)e->data)->rtt.rto;
 		time_t tprobe = ((struct infra_data*)e->data)->probedelay;
 		uint8_t tA = ((struct infra_data*)e->data)->timeout_A;
 		uint8_t tAAAA = ((struct infra_data*)e->data)->timeout_AAAA;
 		uint8_t tother = ((struct infra_data*)e->data)->timeout_other;
@ -460,6 +463,7 @@ infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
 			if(old >= USEFUL_SERVER_TOP_TIMEOUT) {
 				((struct infra_data*)e->data)->rtt.rto
 					= USEFUL_SERVER_TOP_TIMEOUT;
 				((struct infra_data*)e->data)->probedelay = tprobe;
 				((struct infra_data*)e->data)->timeout_A = tA;
 				((struct infra_data*)e->data)->timeout_AAAA = tAAAA;
 				((struct infra_data*)e->data)->timeout_other = tother;
@ -482,7 +486,8 @@ infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
 	*edns_vs = data->edns_version;
 	*edns_lame_known = data->edns_lame_known;
 	*to = rtt_timeout(&data->rtt);
-	if(*to >= PROBE_MAXRTO && rtt_notimeout(&data->rtt)*4 <= *to) {
+	if(*to >= PROBE_MAXRTO && (infra->infra_keep_probing ||
 		rtt_notimeout(&data->rtt)*4 <= *to)) {
 		/* delay other queries, this is the probe query */
 		if(!wr) {
 			lock_rw_unlock(&e->lock);
@ -566,18 +571,27 @@ infra_rtt_update(struct infra_cache* infra, struct sockaddr_storage* addr,
 	struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
 		nm, nmlen, 1);
 	struct infra_data* data;
-	int needtoinsert = 0;
+	int needtoinsert = 0, expired = 0;
 	int rto = 1;
 	time_t oldprobedelay = 0;
 	if(!e) {
 		if(!(e = new_entry(infra, addr, addrlen, nm, nmlen, timenow)))
 			return 0;
 		needtoinsert = 1;
 	} else if(((struct infra_data*)e->data)->ttl < timenow) {
 		oldprobedelay = ((struct infra_data*)e->data)->probedelay;
 		data_entry_init(infra, e, timenow);
 		expired = 1;
 	}
 	/* have an entry, update the rtt */
 	data = (struct infra_data*)e->data;
 	if(roundtrip == -1) {
 		if(needtoinsert || expired) {
 			/* timeout on entry that has expired before the timer
 			 * keep old timeout from the function caller */
 			data->rtt.rto = orig_rtt;
 			data->probedelay = oldprobedelay;
 		}
 		rtt_lost(&data->rtt, orig_rtt);
 		if(qtype == LDNS_RR_TYPE_A) {
 			if(data->timeout_A < TIMEOUT_COUNT_MAX)
@ -681,7 +695,12 @@ infra_get_lame_rtt(struct infra_cache* infra,
 		return 0;
 	host = (struct infra_data*)e->data;
 	*rtt = rtt_unclamped(&host->rtt);
-	if(host->rtt.rto >= PROBE_MAXRTO && timenow < host->probedelay
+	if(host->rtt.rto >= PROBE_MAXRTO && timenow >= host->probedelay
 		&& infra->infra_keep_probing) {
 		/* single probe, keep probing */
 		if(*rtt >= USEFUL_SERVER_TOP_TIMEOUT)
 			*rtt = USEFUL_SERVER_TOP_TIMEOUT-1000;
 	} else if(host->rtt.rto >= PROBE_MAXRTO && timenow < host->probedelay
 		&& rtt_notimeout(&host->rtt)*4 <= host->rtt.rto) {
 		/* single probe for this domain, and we are not probing */
 		/* unless the query type allows a probe to happen */
@ -704,7 +723,8 @@ infra_get_lame_rtt(struct infra_cache* infra,
 		/* see if this can be a re-probe of an unresponsive server */
 		/* minus 1000 because that is outside of the RTTBAND, so
 		 * blacklisted servers stay blacklisted if this is chosen */
-		if(host->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) {
+		if(host->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT ||
 			infra->infra_keep_probing) {
 			lock_rw_unlock(&e->lock);
 			*rtt = USEFUL_SERVER_TOP_TIMEOUT-1000;
 			*lame = 0;
--- a/services/cache/infra.h
+++ b/services/cache/infra.h
@ -114,6 +114,8 @@ struct infra_cache {
 	struct slabhash* hosts;
 	/** TTL value for host information, in seconds */
 	int host_ttl;
 	/** the hosts that are down are kept probed for recovery */
 	int infra_keep_probing;
 	/** hash table with query rates per name: rate_key, rate_data */
 	struct slabhash* domain_rates;
 	/** ratelimit settings for domains, struct domain_limit_data */
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
--- a/services/listen_dnsport.h
+++ b/services/listen_dnsport.h
@ -43,6 +43,9 @@
 #define LISTEN_DNSPORT_H
 #include "util/netevent.h"
 #ifdef HAVE_NGHTTP2_NGHTTP2_H
 #include <nghttp2/nghttp2.h>
 #endif
 struct listen_list;
 struct config_file;
 struct addrinfo;
@ -94,8 +97,9 @@ enum listen_type {
 	/** tcp type + dnscrypt */
 	listen_type_tcp_dnscrypt,
 	/** udp ipv6 (v4mapped) for use with ancillary data + dnscrypt*/
-	listen_type_udpancil_dnscrypt
+	listen_type_udpancil_dnscrypt,
-
+	/** HTTP(2) over TLS over TCP */
 	listen_type_http
 };
 /**
@ -117,19 +121,32 @@ struct listen_port {
 * interfaces for IP4 and/or IP6, for UDP and/or TCP.
 * On the given port number. It creates the sockets.
 * @param cfg: settings on what ports to open.
 * @param ifs: interfaces to open, array of IP addresses, "ip[@port]".
 * @param num_ifs: length of ifs.
 * @param reuseport: set to true if you want reuseport, or NULL to not have it,
 *   set to false on exit if reuseport failed to apply (because of no
 *   kernel support).
 * @return: linked list of ports or NULL on error.
 */
 struct listen_port* listening_ports_open(struct config_file* cfg,
-	int* reuseport);
+	char** ifs, int num_ifs, int* reuseport);
 /**
 * Close and delete the (list of) listening ports.
 */
 void listening_ports_free(struct listen_port* list);
 /**
 * Resolve interface names in config and store result IP addresses
 * @param cfg: config
 * @param resif: string array (malloced array of malloced strings) with
 * 	result.  NULL if cfg has none.
 * @param num_resif: length of resif.  Zero if cfg has zero num_ifs.
 * @return 0 on failure.
 */
 int resolve_interface_names(struct config_file* cfg, char*** resif,
 	int* num_resif);
 /**
 * Create commpoints with for this thread for the shared ports.
 * @param base: the comm_base that provides event functionality.
@ -139,6 +156,10 @@ void listening_ports_free(struct listen_port* list);
 * @param tcp_accept_count: max number of simultaneous TCP connections 
 * 	from clients.
 * @param tcp_idle_timeout: idle timeout for TCP connections in msec.
 * @param harden_large_queries: whether query size should be limited.
 * @param http_max_streams: maximum number of HTTP/2 streams per connection.
 * @param http_endpoint: HTTP endpoint to service queries on
 * @param http_notls: no TLS for http downstream
 * @param tcp_conn_limit: TCP connection limit info.
 * @param sslctx: nonNULL if ssl context.
 * @param dtenv: nonNULL if dnstap enabled.
@ -147,11 +168,13 @@ void listening_ports_free(struct listen_port* list);
 * @param cb_arg: user data argument for callback function.
 * @return: the malloced listening structure, ready for use. NULL on error.
 */
-struct listen_dnsport* listen_create(struct comm_base* base,
+struct listen_dnsport*
-	struct listen_port* ports, size_t bufsize,
+listen_create(struct comm_base* base, struct listen_port* ports,
-	int tcp_accept_count, int tcp_idle_timeout,
+	size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
-	struct tcl_list* tcp_conn_limit, void* sslctx,
+	int harden_large_queries, uint32_t http_max_streams,
-	struct dt_env *dtenv, comm_point_callback_type* cb, void* cb_arg);
+	char* http_endpoint, int http_notls, struct tcl_list* tcp_conn_limit,
 	void* sslctx, struct dt_env* dtenv, comm_point_callback_type* cb,
 	void *cb_arg);
 /**
 * delete the listening structure
@ -221,13 +244,15 @@ int create_udp_sock(int family, int socktype, struct sockaddr* addr,
 * 	listening UDP port.  Set to false on return if it failed to do so.
 * @param transparent: set IP_TRANSPARENT socket option.
 * @param mss: maximum segment size of the socket. if zero, leaves the default. 
 * @param nodelay: if true set TCP_NODELAY and TCP_QUICKACK socket options.
 * @param freebind: set IP_FREEBIND socket option.
 * @param use_systemd: if true, fetch sockets from systemd.
 * @param dscp: DSCP to use.
 * @return: the socket. -1 on error.
 */
 int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
-	int* reuseport, int transparent, int mss, int freebind, int use_systemd, int dscp);
+	int* reuseport, int transparent, int mss, int nodelay, int freebind,
 	int use_systemd, int dscp);
 /**
 * Create and bind local listening socket
@ -369,7 +394,34 @@ int tcp_req_info_handle_read_close(struct tcp_req_info* req);
 /** get the size of currently used tcp stream wait buffers (in bytes) */
 size_t tcp_req_info_get_stream_buffer_size(void);
 /** get the size of currently used HTTP2 query buffers (in bytes) */
 size_t http2_get_query_buffer_size(void);
 /** get the size of currently used HTTP2 response buffers (in bytes) */
 size_t http2_get_response_buffer_size(void);
 #ifdef HAVE_NGHTTP2
 /** 
 * Create nghttp2 callbacks to handle HTTP2 requests.
 * @return malloc'ed struct, NULL on failure
 */
 nghttp2_session_callbacks* http2_req_callbacks_create(void);
 /** Free http2 stream buffers and decrease buffer counters */
 void http2_req_stream_clear(struct http2_stream* h2_stream);
 /**
 * DNS response ready to be submitted to nghttp2, to be prepared for sending
 * out. Response is stored in c->buffer. Copy to rbuffer because the c->buffer
 * might be used before this will be send out.
 * @param h2_session: http2 session, containing c->buffer which contains answer
 * @param h2_stream: http2 stream, containing buffer to store answer in
 * @return 0 on error, 1 otherwise
 */
 int http2_submit_dns_response(struct http2_session* h2_session);
 #else
 int http2_submit_dns_response(void* v);
 #endif /* HAVE_NGHTTP2 */
 char* set_ip_dscp(int socket, int addrfamily, int ds);
 char* sock_strerror(int errn);
 #endif /* LISTEN_DNSPORT_H */
--- a/services/localzone.c
+++ b/services/localzone.c
@ -157,7 +157,7 @@ local_zone_create(uint8_t* nm, size_t len, int labs,
 	z->namelen = len;
 	z->namelabs = labs;
 	lock_rw_init(&z->lock);
-	z->region = regional_create_custom(sizeof(struct regional));
+	z->region = regional_create_nochunk(sizeof(struct regional));
 	if(!z->region) {
 		free(z);
 		return NULL;
@ -463,6 +463,48 @@ lz_find_create_node(struct local_zone* z, uint8_t* nm, size_t nmlen,
 	return 1;
 }
 /* Mark the SOA record for the zone. This only marks the SOA rrset; the data
 * for the RR is entered later on local_zone_enter_rr() as with the other
 * records. An artifical soa_negative record with a modified TTL (minimum of
 * the TTL and the SOA.MINIMUM) is also created and marked for usage with
 * negative answers and to avoid allocations during those answers. */
 static int
 lz_mark_soa_for_zone(struct local_zone* z, struct ub_packed_rrset_key* soa_rrset,
 	uint8_t* rdata, size_t rdata_len, time_t ttl, const char* rrstr)
 {
 	struct packed_rrset_data* pd = (struct packed_rrset_data*)
 		regional_alloc_zero(z->region, sizeof(*pd));
 	struct ub_packed_rrset_key* rrset_negative = (struct ub_packed_rrset_key*)
 		regional_alloc_zero(z->region, sizeof(*rrset_negative));
 	time_t minimum;
 	if(!rrset_negative||!pd) {
 		log_err("out of memory");
 		return 0;
 	}
 	/* Mark the original SOA record and then continue with the negative one. */
 	z->soa = soa_rrset;
 	rrset_negative->entry.key = rrset_negative;
 	pd->trust = rrset_trust_prim_noglue;
 	pd->security = sec_status_insecure;
 	rrset_negative->entry.data = pd;
 	rrset_negative->rk.dname = soa_rrset->rk.dname;
 	rrset_negative->rk.dname_len = soa_rrset->rk.dname_len;
 	rrset_negative->rk.type = soa_rrset->rk.type;
 	rrset_negative->rk.rrset_class = soa_rrset->rk.rrset_class;
 	if(!rrset_insert_rr(z->region, pd, rdata, rdata_len, ttl, rrstr))
 		return 0;
 	/* last 4 bytes are minimum ttl in network format */
 	if(pd->count == 0 || pd->rr_len[0] < 2+4)
 		return 0;
 	minimum = (time_t)sldns_read_uint32(pd->rr_data[0]+(pd->rr_len[0]-4));
 	minimum = ttl<minimum?ttl:minimum;
 	pd->ttl = minimum;
 	pd->rr_ttl[0] = minimum;
 	z->soa_negative = rrset_negative;
 	return 1;
 }
 int
 local_zone_enter_rr(struct local_zone* z, uint8_t* nm, size_t nmlen,
 	int nmlabs, uint16_t rrtype, uint16_t rrclass, time_t ttl,
@ -502,8 +544,10 @@ local_zone_enter_rr(struct local_zone* z, uint8_t* nm, size_t nmlen,
 		if(query_dname_compare(node->name, z->name) == 0) {
 			if(rrtype == LDNS_RR_TYPE_NSEC)
 			  rrset->rrset->rk.flags = PACKED_RRSET_NSEC_AT_APEX;
-			if(rrtype == LDNS_RR_TYPE_SOA)
+			if(rrtype == LDNS_RR_TYPE_SOA &&
-				z->soa = rrset->rrset;
+				!lz_mark_soa_for_zone(z, rrset->rrset, rdata, rdata_len, ttl,
 					rrstr))
 				return 0;
 		}
 	} 
 	pd = (struct packed_rrset_data*)rrset->rrset->entry.data;
@ -1215,7 +1259,7 @@ local_encode(struct query_info* qinfo, struct module_env* env,
 	edns->ext_rcode = 0;
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, &rep, rcode, edns,
-		repinfo, temp) || !reply_info_answer_encode(qinfo, &rep,
+		repinfo, temp, env->now_tv) || !reply_info_answer_encode(qinfo, &rep,
 		*(uint16_t*)sldns_buffer_begin(buf), sldns_buffer_read_u16_at(buf, 2),
 		buf, 0, 0, temp, udpsize, edns, (int)(edns->bits&EDNS_DO), 0)) {
 		error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo,
@ -1237,7 +1281,7 @@ local_error_encode(struct query_info* qinfo, struct module_env* env,
 	edns->bits &= EDNS_DO;
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL,
-		rcode, edns, repinfo, temp))
+		rcode, edns, repinfo, temp, env->now_tv))
 		edns->opt_list = NULL;
 	error_encode(buf, r, qinfo, *(uint16_t*)sldns_buffer_begin(buf),
 		sldns_buffer_read_u16_at(buf, 2), edns);
@ -1548,9 +1592,9 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 			lz_type == local_zone_inform_redirect ||
 			lz_type == local_zone_always_nodata)?
 			LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN;
-		if(z->soa)
+		if(z->soa && z->soa_negative)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
-				z->soa, 0, rcode);
+				z->soa_negative, 0, rcode);
 		local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode,
 			(rcode|BIT_AA));
 		return 1;
@ -1558,6 +1602,46 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 		|| lz_type == local_zone_always_transparent) {
 		/* no NODATA or NXDOMAINS for this zone type */
 		return 0;
 	} else if(lz_type == local_zone_always_null) {
 		/* 0.0.0.0 or ::0 or noerror/nodata for this zone type,
 		 * used for blocklists. */
 		if(qinfo->qtype == LDNS_RR_TYPE_A ||
 			qinfo->qtype == LDNS_RR_TYPE_AAAA) {
 			struct ub_packed_rrset_key lrr;
 			struct packed_rrset_data d;
 			time_t rr_ttl = 3600;
 			size_t rr_len = 0;
 			uint8_t rr_data[2+16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
 			uint8_t* rr_datas = rr_data;
 			memset(&lrr, 0, sizeof(lrr));
 			memset(&d, 0, sizeof(d));
 			lrr.entry.data = &d;
 			lrr.rk.dname = qinfo->qname;
 			lrr.rk.dname_len = qinfo->qname_len;
 			lrr.rk.type = htons(qinfo->qtype);
 			lrr.rk.rrset_class = htons(qinfo->qclass);
 			if(qinfo->qtype == LDNS_RR_TYPE_A) {
 				rr_len = 4;
 				sldns_write_uint16(rr_data, rr_len);
 				rr_len += 2;
 			} else {
 				rr_len = 16;
 				sldns_write_uint16(rr_data, rr_len);
 				rr_len += 2;
 			}
 			d.ttl = rr_ttl;
 			d.count = 1;
 			d.rr_len = &rr_len;
 			d.rr_data = &rr_datas;
 			d.rr_ttl = &rr_ttl;
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
 				&lrr, 1, LDNS_RCODE_NOERROR);
 		} else {
 			local_error_encode(qinfo, env, edns, repinfo, buf,
 				temp, LDNS_RCODE_NOERROR,
 				(LDNS_RCODE_NOERROR|BIT_AA));
 		}
 		return 1;
 	}
 	/* else lz_type == local_zone_transparent */
@ -1565,9 +1649,9 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 	 * does not, then we should make this noerror/nodata */
 	if(ld && ld->rrsets) {
 		int rcode = LDNS_RCODE_NOERROR;
-		if(z->soa)
+		if(z->soa && z->soa_negative)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
-				z->soa, 0, rcode);
+				z->soa_negative, 0, rcode);
 		local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode,
 			(rcode|BIT_AA));
 		return 1;
@ -1762,6 +1846,7 @@ const char* local_zone_type2str(enum localzone_type t)
 		case local_zone_always_nxdomain: return "always_nxdomain";
 		case local_zone_always_nodata: return "always_nodata";
 		case local_zone_always_deny: return "always_deny";
 		case local_zone_always_null: return "always_null";
 		case local_zone_noview: return "noview";
 		case local_zone_invalid: return "invalid";
 	}
@ -1798,6 +1883,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
 		*t = local_zone_always_nodata;
 	else if(strcmp(type, "always_deny") == 0)
 		*t = local_zone_always_deny;
 	else if(strcmp(type, "always_null") == 0)
 		*t = local_zone_always_null;
 	else if(strcmp(type, "noview") == 0)
 		*t = local_zone_noview;
 	else if(strcmp(type, "nodefault") == 0)
@ -2000,8 +2087,10 @@ void local_zones_del_data(struct local_zones* zones,
 		/* no memory recycling for zone deletions ... */
 		d->rrsets = NULL;
 		/* did we delete the soa record ? */
-		if(query_dname_compare(d->name, z->name) == 0)
+		if(query_dname_compare(d->name, z->name) == 0) {
 			z->soa = NULL;
 			z->soa_negative = NULL;
 		}
 		/* cleanup the empty nonterminals for this name */
 		del_empty_term(z, d, name, len, labs);
--- a/services/localzone.h
+++ b/services/localzone.h
@ -96,6 +96,9 @@ enum localzone_type {
 	local_zone_always_nodata,
 	/** drop query, even when there is local data */
 	local_zone_always_deny,
 	/** answer with 0.0.0.0 or ::0 or noerror/nodata, even when there is
 	 * local data */
 	local_zone_always_null,
 	/** answer not from the view, but global or no-answer */
 	local_zone_noview,
 	/** Invalid type, cannot be used to generate answer */
@ -155,6 +158,10 @@ struct local_zone {
 	rbtree_type data;
 	/** if data contains zone apex SOA data, this is a ptr to it. */
 	struct ub_packed_rrset_key* soa;
 	/** if data contains zone apex SOA data, this is a prt to an
 	 * artificial negative SOA rrset (TTL is the minimum of the TTL and the
 	 * SOA.MINIMUM). */
 	struct ub_packed_rrset_key* soa_negative;
 };
 /**
--- a/services/mesh.c
+++ b/services/mesh.c
@ -498,7 +498,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 		if(!s) {
 			log_err("mesh_state_create: out of memory; SERVFAIL");
 			if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL,
-				LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch))
+				LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
 					edns->opt_list = NULL;
 			error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 				qinfo, qid, qflags, edns);
@ -514,7 +514,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 			if(!s->s.edns_opts_front_in) {
 				log_err("mesh_state_create: out of memory; SERVFAIL");
 				if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL,
-					NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch))
+					NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
 						edns->opt_list = NULL;
 				error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 					qinfo, qid, qflags, edns);
@ -551,6 +551,9 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 			goto servfail_mem;
 		}
 	}
 	if(rep->c->use_h2) {
 		http2_stream_add_meshstate(rep->c->h2_stream, mesh, s);
 	}
 	/* add serve expired timer if required and not already there */
 	if(timeout && !mesh_serve_expired_init(s, timeout)) {
 		log_err("mesh_new_client: out of memory initializing serve expired");
@ -584,7 +587,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 servfail_mem:
 	if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, &s->s,
-		NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch))
+		NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
 			edns->opt_list = NULL;
 	error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 		qinfo, qid, qflags, edns);
@ -1109,10 +1112,12 @@ int mesh_state_attachment(struct mesh_state* super, struct mesh_state* sub)
 * @param rcode: if not 0, error code.
 * @param rep: reply to send (or NULL if rcode is set).
 * @param r: callback entry
 * @param start_time: the time to pass to callback functions, it is 0 or
 * 	a value from one of the packets if the mesh state had packets.
 */
 static void
 mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
-	struct mesh_cb* r)
+	struct mesh_cb* r, struct timeval* start_time)
 {
 	int secure;
 	char* reason = NULL;
@ -1133,11 +1138,11 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 	if(rcode) {
 		if(rcode == LDNS_RCODE_SERVFAIL) {
 			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
-				rep, rcode, &r->edns, NULL, m->s.region))
+				rep, rcode, &r->edns, NULL, m->s.region, start_time))
 					r->edns.opt_list = NULL;
 		} else {
 			if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
-				&r->edns, NULL, m->s.region))
+				&r->edns, NULL, m->s.region, start_time))
 					r->edns.opt_list = NULL;
 		}
 		fptr_ok(fptr_whitelist_mesh_cb(r->cb));
@ -1152,7 +1157,7 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 		r->edns.bits &= EDNS_DO;
 		if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
-			LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region) ||
+			LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region, start_time) ||
 			!reply_info_answer_encode(&m->s.qinfo, rep, r->qid, 
 			r->qflags, r->buf, 0, 1, 
 			m->s.env->scratch, udp_size, &r->edns, 
@ -1193,6 +1198,12 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	/* Copy the client's EDNS for later restore, to make sure the edns
 	 * compare is with the correct edns options. */
 	struct edns_data edns_bak = r->edns;
 	/* briefly set the replylist to null in case the
 	 * meshsendreply calls tcpreqinfo sendreply that
 	 * comm_point_drops because of size, and then the
 	 * null stops the mesh state remove and thus
 	 * reply_list modification and accounting */
 	struct mesh_reply* rlist = m->reply_list;
 	/* examine security status */
 	if(m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
 		m->s.env->cfg->ignore_cd) && rep && 
@ -1207,16 +1218,29 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	else	secure = 0;
 	if(!rep && rcode == LDNS_RCODE_NOERROR)
 		rcode = LDNS_RCODE_SERVFAIL;
 	if(r->query_reply.c->use_h2) {
 		r->query_reply.c->h2_stream = r->h2_stream;
 		/* Mesh reply won't exist for long anymore. Make it impossible
 		 * for HTTP/2 stream to refer to mesh state, in case
 		 * connection gets cleanup before HTTP/2 stream close. */
 		r->h2_stream->mesh_state = NULL;
 	}
 	/* send the reply */
-	/* We don't reuse the encoded answer if either the previous or current
+	/* We don't reuse the encoded answer if:
-	 * response has a local alias.  We could compare the alias records
+	 * - either the previous or current response has a local alias.  We could
-	 * and still reuse the previous answer if they are the same, but that
+	 *   compare the alias records and still reuse the previous answer if they
-	 * would be complicated and error prone for the relatively minor case.
+	 *   are the same, but that would be complicated and error prone for the
-	 * So we err on the side of safety. */
+	 *   relatively minor case. So we err on the side of safety.
-	if(prev && prev_buffer && prev->qflags == r->qflags && 
+	 * - there are registered callback functions for the given rcode, as these
 	 *   need to be called for each reply. */
 	if(((rcode != LDNS_RCODE_SERVFAIL &&
 			!m->s.env->inplace_cb_lists[inplace_cb_reply]) ||
 		(rcode == LDNS_RCODE_SERVFAIL &&
 			!m->s.env->inplace_cb_lists[inplace_cb_reply_servfail])) &&
 		prev && prev_buffer && prev->qflags == r->qflags &&
 		!prev->local_alias && !r->local_alias &&
-		prev->edns.edns_present == r->edns.edns_present && 
+		prev->edns.edns_present == r->edns.edns_present &&
-		prev->edns.bits == r->edns.bits && 
+		prev->edns.bits == r->edns.bits &&
 		prev->edns.udp_size == r->edns.udp_size &&
 		edns_opt_list_compare(prev->edns.opt_list, r->edns.opt_list)
 		== 0) {
@ -1226,22 +1250,26 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 		sldns_buffer_write_at(r_buffer, 0, &r->qid, sizeof(uint16_t));
 		sldns_buffer_write_at(r_buffer, 12, r->qname,
 			m->s.qinfo.qname_len);
 		m->reply_list = NULL;
 		comm_point_send_reply(&r->query_reply);
 		m->reply_list = rlist;
 	} else if(rcode) {
 		m->s.qinfo.qname = r->qname;
 		m->s.qinfo.local_alias = r->local_alias;
 		if(rcode == LDNS_RCODE_SERVFAIL) {
 			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
-				rep, rcode, &r->edns, NULL, m->s.region))
+				rep, rcode, &r->edns, &r->query_reply, m->s.region, &r->start_time))
 					r->edns.opt_list = NULL;
 		} else { 
 			if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
-				&r->edns, NULL, m->s.region))
+				&r->edns, &r->query_reply, m->s.region, &r->start_time))
 					r->edns.opt_list = NULL;
 		}
 		error_encode(r_buffer, rcode, &m->s.qinfo, r->qid,
 			r->qflags, &r->edns);
 		m->reply_list = NULL;
 		comm_point_send_reply(&r->query_reply);
 		m->reply_list = rlist;
 	} else {
 		size_t udp_size = r->edns.udp_size;
 		r->edns.edns_version = EDNS_ADVERTISED_VERSION;
@ -1251,7 +1279,7 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 		m->s.qinfo.qname = r->qname;
 		m->s.qinfo.local_alias = r->local_alias;
 		if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
-			LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region) ||
+			LDNS_RCODE_NOERROR, &r->edns, &r->query_reply, m->s.region, &r->start_time) ||
 			!apply_edns_options(&r->edns, &edns_bak,
 				m->s.env->cfg, r->query_reply.c,
 				m->s.region) ||
@ -1261,13 +1289,15 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 			secure)) 
 		{
 			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
-			rep, LDNS_RCODE_SERVFAIL, &r->edns, NULL, m->s.region))
+			rep, LDNS_RCODE_SERVFAIL, &r->edns, &r->query_reply, m->s.region, &r->start_time))
 				r->edns.opt_list = NULL;
 			error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 				&m->s.qinfo, r->qid, r->qflags, &r->edns);
 		}
 		r->edns = edns_bak;
 		m->reply_list = NULL;
 		comm_point_send_reply(&r->query_reply);
 		m->reply_list = rlist;
 	}
 	/* account */
 	log_assert(m->s.env->mesh->num_reply_addrs > 0);
@ -1302,6 +1332,7 @@ void mesh_query_done(struct mesh_state* mstate)
 	struct mesh_cb* c;
 	struct reply_info* rep = (mstate->s.return_msg?
 		mstate->s.return_msg->rep:NULL);
 	struct timeval tv = {0, 0};
 	/* No need for the serve expired timer anymore; we are going to reply. */
 	if(mstate->s.serve_expired_data) {
 		comm_timer_delete(mstate->s.serve_expired_data->timer);
@ -1321,6 +1352,8 @@ void mesh_query_done(struct mesh_state* mstate)
 		}
 	}
 	for(r = mstate->reply_list; r; r = r->next) {
 		tv = r->start_time;
 		/* if a response-ip address block has been stored the
 		 *  information should be logged for each client. */
 		if(mstate->s.respip_action_info &&
@ -1355,20 +1388,12 @@ void mesh_query_done(struct mesh_state* mstate)
 			mstate->reply_list = reply_list;
 		} else {
 			struct sldns_buffer* r_buffer = r->query_reply.c->buffer;
 			struct mesh_reply* rlist = mstate->reply_list;
 			if(r->query_reply.c->tcp_req_info) {
 				r_buffer = r->query_reply.c->tcp_req_info->spool_buffer;
 				prev_buffer = NULL;
 			}
 			/* briefly set the replylist to null in case the
 			 * meshsendreply calls tcpreqinfo sendreply that
 			 * comm_point_drops because of size, and then the
 			 * null stops the mesh state remove and thus
 			 * reply_list modification and accounting */
 			mstate->reply_list = NULL;
 			mesh_send_reply(mstate, mstate->s.return_rcode, rep,
 				r, r_buffer, prev, prev_buffer);
 			mstate->reply_list = rlist;
 			if(r->query_reply.c->tcp_req_info) {
 				tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate);
 				r_buffer = NULL;
@ -1401,7 +1426,7 @@ void mesh_query_done(struct mesh_state* mstate)
 		if(!mstate->reply_list && !mstate->cb_list &&
 			mstate->super_set.count == 0)
 			mstate->s.env->mesh->num_detached_states++;
-		mesh_do_callback(mstate, mstate->s.return_rcode, rep, c);
+		mesh_do_callback(mstate, mstate->s.return_rcode, rep, c, &tv);
 	}
 }
@ -1495,6 +1520,8 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
 		s->s.qinfo.qname_len);
 	if(!r->qname)
 		return 0;
 	if(rep->c->use_h2)
 		r->h2_stream = rep->c->h2_stream;
 	/* Data related to local alias stored in 'qinfo' (if any) is ephemeral
 	 * and can be different for different original queries (even if the
@ -1882,7 +1909,7 @@ mesh_serve_expired_callback(void* arg)
 {
 	struct mesh_state* mstate = (struct mesh_state*) arg;
 	struct module_qstate* qstate = &mstate->s;
-	struct mesh_reply* r, *rlist;
+	struct mesh_reply* r;
 	struct mesh_area* mesh = qstate->env->mesh;
 	struct dns_msg* msg;
 	struct mesh_cb* c;
@ -1895,6 +1922,7 @@ mesh_serve_expired_callback(void* arg)
 	struct respip_action_info actinfo;
 	struct query_info* lookup_qinfo = &qstate->qinfo;
 	struct query_info qinfo_tmp;
 	struct timeval tv = {0, 0};
 	int must_validate = (!(qstate->query_flags&BIT_CD)
 		|| qstate->env->cfg->ignore_cd) && qstate->env->need_to_validate;
 	if(!qstate->serve_expired_data) return;
@ -1966,6 +1994,8 @@ mesh_serve_expired_callback(void* arg)
 		log_dns_msg("Serve expired lookup", &qstate->qinfo, msg->rep);
 	for(r = mstate->reply_list; r; r = r->next) {
 		tv = r->start_time;
 		/* If address info is returned, it means the action should be an
 		* 'inform' variant and the information should be logged. */
 		if(actinfo.addrinfo) {
@ -1987,15 +2017,8 @@ mesh_serve_expired_callback(void* arg)
 		r_buffer = r->query_reply.c->buffer;
 		if(r->query_reply.c->tcp_req_info)
 			r_buffer = r->query_reply.c->tcp_req_info->spool_buffer;
 		/* briefly set the replylist to null in case the meshsendreply
 		 * calls tcpreqinfo sendreply that comm_point_drops because
 		 * of size, and then the null stops the mesh state remove and
 		 * thus reply_list modification and accounting */
 		rlist = mstate->reply_list;
 		mstate->reply_list = NULL;
 		mesh_send_reply(mstate, LDNS_RCODE_NOERROR, msg->rep,
 			r, r_buffer, prev, prev_buffer);
 		mstate->reply_list = rlist;
 		if(r->query_reply.c->tcp_req_info)
 			tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate);
 		prev = r;
@ -2027,6 +2050,6 @@ mesh_serve_expired_callback(void* arg)
 		if(!mstate->reply_list && !mstate->cb_list &&
 			mstate->super_set.count == 0)
 			qstate->env->mesh->num_detached_states++;
-		mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c);
+		mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c, &tv);
 	}
 }
--- a/services/mesh.h
+++ b/services/mesh.h
@ -230,6 +230,8 @@ struct mesh_reply {
 	uint8_t* qname;
 	/** same as that in query_info. */
 	struct local_rrset* local_alias;
 	/** send query to this http2 stream, if set */
 	struct http2_stream* h2_stream;
 };
 /** 
--- a/services/outside_network.c
+++ b/services/outside_network.c
--- a/services/outside_network.h
+++ b/services/outside_network.h
@ -52,6 +52,7 @@ struct ub_randstate;
 struct pending_tcp;
 struct waiting_tcp;
 struct waiting_udp;
 struct reuse_tcp;
 struct infra_cache;
 struct port_comm;
 struct port_if;
@ -106,6 +107,9 @@ struct outside_network {
 	int delayclose;
 	/** timeout for delayclose */
 	struct timeval delay_tv;
 	/** if we perform udp-connect, connect() for UDP socket to mitigate
 	 * ICMP side channel leakage */
 	int udp_connect;
 	/** array of outgoing IP4 interfaces */
 	struct port_if* ip4_ifs;
@ -154,6 +158,21 @@ struct outside_network {
 	size_t num_tcp;
 	/** number of tcp communication points in use. */
 	size_t num_tcp_outgoing;
 	/**
 	 * tree of still-open and waiting tcp connections for reuse.
 	 * can be closed and reopened to get a new tcp connection.
 	 * or reused to the same destination again.  with timeout to close.
 	 * Entries are of type struct reuse_tcp.
 	 * The entries are both active and empty connections.
 	 */
 	rbtree_type tcp_reuse;
 	/** max number of tcp_reuse entries we want to keep open */
 	size_t tcp_reuse_max;
 	/** first and last(oldest) in lru list of reuse connections.
 	 * the oldest can be closed to get a new free pending_tcp if needed
 	 * The list contains empty connections, that wait for timeout or
 	 * a new query that can use the existing connection. */
 	struct reuse_tcp* tcp_reuse_first, *tcp_reuse_last;
 	/** list of tcp comm points that are free for use */
 	struct pending_tcp* tcp_free;
 	/** list of tcp queries waiting for a buffer */
@ -211,6 +230,76 @@ struct port_comm {
 	struct comm_point* cp;
 };
 /**
 * Reuse TCP connection, still open can be used again.
 */
 struct reuse_tcp {
 	/** rbtree node with links in tcp_reuse tree. key is NULL when not
 	 * in tree. Both active and empty connections are in the tree.
 	 * key is a pointer to this structure, the members used to compare
 	 * are the sockaddr and and then is-ssl bool, and then ptr value is
 	 * used in case the same address exists several times in the tree
 	 * when there are multiple connections to the same destination to
 	 * make the rbtree items unique. */
 	rbnode_type node;
 	/** the key for the tcp_reuse tree. address of peer, ip4 or ip6,
 	 * and port number of peer */
 	struct sockaddr_storage addr;
 	/** length of addr */
 	socklen_t addrlen;
 	/** also key for tcp_reuse tree, if ssl is used */
 	int is_ssl;
 	/** lru chain, so that the oldest can be removed to get a new
 	 * connection when all are in (re)use. oldest is last in list.
 	 * The lru only contains empty connections waiting for reuse,
 	 * the ones with active queries are not on the list because they
 	 * do not need to be closed to make space for others.  They already
 	 * service a query so the close for another query does not help
 	 * service a larger number of queries. */
 	struct reuse_tcp* lru_next, *lru_prev;
 	/** true if the reuse_tcp item is on the lru list with empty items */
 	int item_on_lru_list;
 	/** the connection to reuse, the fd is non-1 and is open.
 	 * the addr and port determine where the connection is going,
 	 * and is key to the rbtree.  The SSL ptr determines if it is
 	 * a TLS connection or a plain TCP connection there.  And TLS
 	 * or not is also part of the key to the rbtree.
 	 * There is a timeout and read event on the fd, to close it. */
 	struct pending_tcp* pending;
 	/**
 	 * The more read again value pointed to by the commpoint
 	 * tcp_more_read_again pointer, so that it exists after commpoint
 	 * delete
 	 */
 	int cp_more_read_again;
 	/**
 	 * The more write again value pointed to by the commpoint
 	 * tcp_more_write_again pointer, so that it exists after commpoint
 	 * delete
 	 */
 	int cp_more_write_again;
 	/** rbtree with other queries waiting on the connection, by ID number,
 	 * of type struct waiting_tcp. It is for looking up received
 	 * answers to the structure for callback.  And also to see if ID
 	 * numbers are unused and can be used for a new query.
 	 * The write_wait elements are also in the tree, so that ID numbers
 	 * can be looked up also for them.  They are bool write_wait_queued. */
 	rbtree_type tree_by_id;
 	/** list of queries waiting to be written on the channel,
 	 * if NULL no queries are waiting to be written and the pending->query
 	 * is the query currently serviced.  The first is the next in line.
 	 * They are also in the tree_by_id. Once written, the are removed
 	 * from this list, but stay in the tree. */
 	struct waiting_tcp* write_wait_first, *write_wait_last;
 	/** the outside network it is part of */
 	struct outside_network* outnet;
 };
 /** max number of queries on a reuse connection */
 #define MAX_REUSE_TCP_QUERIES 200
 /** timeout for REUSE entries in milliseconds. */
 #define REUSE_TIMEOUT 60000
 /**
 * A query that has an answer pending for it.
 */
@ -255,12 +344,15 @@ struct pending {
 struct pending_tcp {
 	/** next in list of free tcp comm points, or NULL. */
 	struct pending_tcp* next_free;
 	/** the ID for the query; checked in reply */
 	uint16_t id;
 	/** tcp comm point it was sent on (and reply must come back on). */
 	struct comm_point* c;
 	/** the query being serviced, NULL if the pending_tcp is unused. */
 	struct waiting_tcp* query;
 	/** the pre-allocated reuse tcp structure.  if ->pending is nonNULL
 	 * it is in use and the connection is waiting for reuse.
 	 * It is here for memory pre-allocation, and used to make this
 	 * pending_tcp wait for reuse. */
 	struct reuse_tcp reuse;
 };
 /**
@ -269,12 +361,27 @@ struct pending_tcp {
 struct waiting_tcp {
 	/** 
 	 * next in waiting list.
-	 * if pkt==0, this points to the pending_tcp structure.
+	 * if on_tcp_waiting_list==0, this points to the pending_tcp structure.
 	 */
 	struct waiting_tcp* next_waiting;
 	/** if true the item is on the tcp waiting list and next_waiting
 	 * is used for that.  If false, the next_waiting points to the
 	 * pending_tcp */
 	int on_tcp_waiting_list;
 	/** next and prev in query waiting list for stream connection */
 	struct waiting_tcp* write_wait_prev, *write_wait_next;
 	/** true if the waiting_tcp structure is on the write_wait queue */
 	int write_wait_queued;
 	/** entry in reuse.tree_by_id, if key is NULL, not in tree, otherwise,
 	 * this struct is key and sorted by ID (from waiting_tcp.id). */
 	rbnode_type id_node;
 	/** the ID for the query; checked in reply */
 	uint16_t id;
 	/** timeout event; timer keeps running whether the query is
 	 * waiting for a buffer or the tcp reply is pending */
 	struct comm_timer* timer;
 	/** timeout in msec */
 	int timeout;
 	/** the outside network it is part of */
 	struct outside_network* outnet;
 	/** remote address. */
@ -284,13 +391,14 @@ struct waiting_tcp {
 	/** 
 	 * The query itself, the query packet to send.
 	 * allocated after the waiting_tcp structure.
 	 * set to NULL when the query is serviced and it part of pending_tcp.
 	 * if this is NULL, the next_waiting points to the pending_tcp.
 	 */
 	uint8_t* pkt;
 	/** length of query packet. */
 	size_t pkt_len;
-	/** callback for the timeout, error or reply to the message */
+	/** callback for the timeout, error or reply to the message,
 	 * or NULL if no user is waiting. the entry uses an ID number.
 	 * a query that was written is no longer needed, but the ID number
 	 * and a reply will come back and can be ignored if NULL */
 	comm_point_callback_type* cb;
 	/** callback user argument */
 	void* cb_arg;
@ -298,6 +406,8 @@ struct waiting_tcp {
 	int ssl_upstream;
 	/** ref to the tls_auth_name from the serviced_query */
 	char* tls_auth_name;
 	/** the packet was involved in an error, to stop looping errors */
 	int error_count;
 };
 /**
@ -421,6 +531,7 @@ struct serviced_query {
 * 	msec to wait on timeouted udp sockets.
 * @param tls_use_sni: if SNI is used for TLS connections.
 * @param dtenv: environment to send dnstap events with (if enabled).
 * @param udp_connect: if the udp_connect option is enabled.
 * @return: the new structure (with no pending answers) or NULL on error.
 */
 struct outside_network* outside_network_create(struct comm_base* base,
@ -429,7 +540,8 @@ struct outside_network* outside_network_create(struct comm_base* base,
 	struct ub_randstate* rnd, int use_caps_for_id, int* availports, 
 	int numavailports, size_t unwanted_threshold, int tcp_mss,
 	void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
-	void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv);
+	void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv,
 	int udp_connect);
 /**
 * Delete outside_network structure.
@ -546,6 +658,19 @@ size_t outnet_get_mem(struct outside_network* outnet);
 */
 size_t serviced_get_mem(struct serviced_query* sq);
 /** Pick random ID value for a tcp stream, avoids existing IDs. */
 uint16_t reuse_tcp_select_id(struct reuse_tcp* reuse,
 	struct outside_network* outnet);
 /** find element in tree by id */
 struct waiting_tcp* reuse_tcp_by_id_find(struct reuse_tcp* reuse, uint16_t id);
 /** insert element in tree by id */
 void reuse_tree_by_id_insert(struct reuse_tcp* reuse, struct waiting_tcp* w);
 /** delete readwait waiting_tcp elements, deletes the elements in the list */
 void reuse_del_readwait(rbtree_type* tree_by_id);
 /** get TCP file descriptor for address, returns -1 on failure,
 * tcp_mss is 0 or maxseg size to set for TCP packets. */
 int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp);
@ -643,4 +768,10 @@ int pending_cmp(const void* key1, const void* key2);
 /** compare function of serviced query rbtree */
 int serviced_cmp(const void* key1, const void* key2);
 /** compare function of reuse_tcp rbtree in outside_network struct */
 int reuse_cmp(const void* key1, const void* key2);
 /** compare function of reuse_tcp tree_by_id rbtree */
 int reuse_id_cmp(const void* key1, const void* key2);
 #endif /* OUTSIDE_NETWORK_H */
--- a/services/rpz.c
+++ b/services/rpz.c
@ -440,6 +440,8 @@ err:
 			respip_set_delete(r->respip_set);
 		if(r->taglist)
 			free(r->taglist);
 		if(r->region)
 			regional_destroy(r->region);
 		free(r);
 	}
 	return NULL;
@ -597,8 +599,18 @@ rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname,
 	uint8_t* policydname;
 	if(!dname_subdomain_c(dname, azname)) {
-		log_err("RPZ: name of record to insert into RPZ is not a "
+		char* dname_str = sldns_wire2str_dname(dname, dnamelen);
-			"subdomain of the configured name of the RPZ zone");
+		char* azname_str = sldns_wire2str_dname(azname, aznamelen);
 		if(dname_str && azname_str) {
 			log_err("RPZ: name of record (%s) to insert into RPZ is not a "
 				"subdomain of the configured name of the RPZ zone (%s)",
 				dname_str, azname_str);
 		} else {
 			log_err("RPZ: name of record to insert into RPZ is not a "
 				"subdomain of the configured name of the RPZ zone");
 		}
 		free(dname_str);
 		free(azname_str);
 		return 0;
 	}
@ -951,8 +963,8 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 	for(a = az->rpz_first; a; a = a->rpz_az_next) {
 		lock_rw_rdlock(&a->lock);
 		r = a->rpz;
-		if(!r->taglist || taglist_intersect(r->taglist, 
+		if(!r->disabled && (!r->taglist || taglist_intersect(r->taglist,
-			r->taglistlen, taglist, taglen)) {
+			r->taglistlen, taglist, taglen))) {
 			z = rpz_find_zone(r, qinfo->qname, qinfo->qname_len,
 				qinfo->qclass, 0, 0, 0);
 			if(z && r->action_override == RPZ_DISABLED_ACTION) {
@ -1032,3 +1044,17 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 	return ret;
 }
 void rpz_enable(struct rpz* r)
 {
    if(!r)
        return;
    r->disabled = 0;
 }
 void rpz_disable(struct rpz* r)
 {
    if(!r)
        return;
    r->disabled = 1;
 }
--- a/services/rpz.h
+++ b/services/rpz.h
@ -99,6 +99,7 @@ struct rpz {
 	int log;
 	char* log_name;
 	struct regional* region;
 	int disabled;
 };
 /**
@ -198,4 +199,16 @@ void rpz_finish_config(struct rpz* r);
 enum respip_action
 rpz_action_to_respip_action(enum rpz_action a);
 /**
 * Enable RPZ
 * @param r: RPZ struct to enable
 */
 void rpz_enable(struct rpz* r);
 /**
 * Disable RPZ
 * @param r: RPZ struct to disable
 */
 void rpz_disable(struct rpz* r);
 #endif /* SERVICES_RPZ_H */
--- a/sldns/parseutil.c
+++ b/sldns/parseutil.c
@ -619,13 +619,18 @@ size_t sldns_b64_ntop_calculate_size(size_t srcsize)
 *
 * This routine does not insert spaces or linebreaks after 76 characters.
 */
-int sldns_b64_ntop(uint8_t const *src, size_t srclength,
+static int sldns_b64_ntop_base(uint8_t const *src, size_t srclength,
-	char *target, size_t targsize)
+	char *target, size_t targsize, int base64url, int padding)
 {
-	const char* b64 =
+	char* b64;
 	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 	const char pad64 = '=';
 	size_t i = 0, o = 0;
 	if(base64url)
 		b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123"
 			"456789-_";
 	else
 		b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123"
 			"456789+/";
 	if(targsize < sldns_b64_ntop_calculate_size(srclength))
 		return -1;
 	/* whole chunks: xxxxxxyy yyyyzzzz zzwwwwww */
@ -645,18 +650,26 @@ int sldns_b64_ntop(uint8_t const *src, size_t srclength,
 		target[o] = b64[src[i] >> 2];
 		target[o+1] = b64[ ((src[i]&0x03)<<4) | (src[i+1]>>4) ];
 		target[o+2] = b64[ ((src[i+1]&0x0f)<<2) ];
-		target[o+3] = pad64;
+		if(padding) {
-		/* i += 2; */
+			target[o+3] = pad64;
-		o += 4;
+			/* i += 2; */
 			o += 4;
 		} else {
 			o += 3;
 		}
 		break;
 	case 1:
 		/* one at end, converted into A B = = */
 		target[o] = b64[src[i] >> 2];
 		target[o+1] = b64[ ((src[i]&0x03)<<4) ];
-		target[o+2] = pad64;
+		if(padding) {
-		target[o+3] = pad64;
+			target[o+2] = pad64;
-		/* i += 1; */
+			target[o+3] = pad64;
-		o += 4;
+			/* i += 1; */
 			o += 4;
 		} else {
 			o += 2;
 		}
 		break;
 	case 0:
 	default:
@ -669,19 +682,36 @@ int sldns_b64_ntop(uint8_t const *src, size_t srclength,
 	return (int)o;
 }
 int sldns_b64_ntop(uint8_t const *src, size_t srclength, char *target,
 	size_t targsize)
 {
 	return sldns_b64_ntop_base(src, srclength, target, targsize,
 		0 /* no base64url */, 1 /* padding */);
 }
 int sldns_b64url_ntop(uint8_t const *src, size_t srclength, char *target,
 	size_t targsize)
 {
 	return sldns_b64_ntop_base(src, srclength, target, targsize,
 		1 /* base64url */, 0 /* no padding */);
 }
 size_t sldns_b64_pton_calculate_size(size_t srcsize)
 {
 	return (((((srcsize + 3) / 4) * 3)) + 1);
 }
-int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
+/* padding not required if srcsize is set */
 static int sldns_b64_pton_base(char const *src, size_t srcsize, uint8_t *target,
 	size_t targsize, int base64url)
 {
 	const uint8_t pad64 = 64; /* is 64th in the b64 array */
 	const char* s = src;
 	uint8_t in[4];
 	size_t o = 0, incount = 0;
 	int check_padding = (srcsize) ? 0 : 1;
-	while(*s) {
+	while(*s && (check_padding || srcsize)) {
 		/* skip any character that is not base64 */
 		/* conceptually we do:
 		const char* b64 =      pad'=' is appended to array
@ -690,30 +720,43 @@ int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
 		and use d-b64;
 		*/
 		char d = *s++;
 		srcsize--;
 		if(d <= 'Z' && d >= 'A')
 			d -= 'A';
 		else if(d <= 'z' && d >= 'a')
 			d = d - 'a' + 26;
 		else if(d <= '9' && d >= '0')
 			d = d - '0' + 52;
-		else if(d == '+')
+		else if(!base64url && d == '+')
 			d = 62;
-		else if(d == '/')
+		else if(base64url && d == '-')
 			d = 62;
 		else if(!base64url && d == '/')
 			d = 63;
-		else if(d == '=')
+		else if(base64url && d == '_')
 			d = 63;
 		else if(d == '=') {
 			if(!check_padding)
 				continue;
 			d = 64;
-		else	continue;
+		} else	continue;
 		in[incount++] = (uint8_t)d;
-		if(incount != 4)
+		/* work on block of 4, unless padding is not used and there are
 		 * less than 4 chars left */
 		if(incount != 4 && (check_padding || srcsize))
 			continue;
 		assert(!check_padding || incount==4);
 		/* process whole block of 4 characters into 3 output bytes */
-		if(in[3] == pad64 && in[2] == pad64) { /* A B = = */
+		if((incount == 2 ||
 			(incount == 4 && in[3] == pad64 && in[2] == pad64))) { /* A B = = */
 			if(o+1 > targsize)
 				return -1;
 			target[o] = (in[0]<<2) | ((in[1]&0x30)>>4);
 			o += 1;
 			break; /* we are done */
-		} else if(in[3] == pad64) { /* A B C = */
+		} else if(incount == 3 ||
 			(incount == 4 && in[3] == pad64)) { /* A B C = */
 			if(o+2 > targsize)
 				return -1;
 			target[o] = (in[0]<<2) | ((in[1]&0x30)>>4);
@ -721,7 +764,7 @@ int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
 			o += 2;
 			break; /* we are done */
 		} else {
-			if(o+3 > targsize)
+			if(incount != 4 || o+3 > targsize)
 				return -1;
 			/* write xxxxxxyy yyyyzzzz zzwwwwww */
 			target[o] = (in[0]<<2) | ((in[1]&0x30)>>4);
@ -733,3 +776,17 @@ int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
 	}
 	return (int)o;
 }
 int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
 {
 	return sldns_b64_pton_base(src, 0, target, targsize, 0);
 }
 int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
 	size_t targsize)
 {
 	if(!srcsize) {
 		return 0;
 	}
 	return sldns_b64_pton_base(src, srcsize, target, targsize, 1);
 }
--- a/sldns/parseutil.h
+++ b/sldns/parseutil.h
@ -92,13 +92,16 @@ size_t sldns_b64_ntop_calculate_size(size_t srcsize);
 int sldns_b64_ntop(uint8_t const *src, size_t srclength,
 	char *target, size_t targsize);
 int sldns_b64url_ntop(uint8_t const *src, size_t srclength, char *target,
 	size_t targsize);
 /**
 * calculates the size needed to store the result of sldns_b64_pton
 */
 size_t sldns_b64_pton_calculate_size(size_t srcsize);
 int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize);
 int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
 	size_t targsize);
 /**
 * calculates the size needed to store the result of b32_ntop
--- a/sldns/rrdef.h
+++ b/sldns/rrdef.h
@ -426,7 +426,8 @@ enum sldns_enum_edns_option
 	LDNS_EDNS_N3U = 7, /* RFC6975 */
 	LDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */
 	LDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
-	LDNS_EDNS_PADDING = 12 /* RFC7830 */
+	LDNS_EDNS_PADDING = 12, /* RFC7830 */
 	LDNS_EDNS_CLIENT_TAG = 16 /* draft-bellis-dnsop-edns-tags-01 */
 };
 typedef enum sldns_enum_edns_option sldns_edns_option;
--- a/smallapp/unbound-checkconf.c
+++ b/smallapp/unbound-checkconf.c
@ -624,8 +624,6 @@ morechecks(struct config_file* cfg)
 		cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
 	check_chroot_filelist_wild("trusted-keys-file",
 		cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
 	check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
 		cfg->chrootdir, cfg);
 #ifdef USE_IPSECMOD
 	if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
 		/* only check hook if enabled */
--- a/smallapp/unbound-control-setup.sh.in
+++ b/smallapp/unbound-control-setup.sh.in
@ -120,12 +120,19 @@ if [ ! -f "$SVR_BASE.key" ]; then
 fi
 cat >server.cnf <<EOF
 [req]
 default_bits=$BITS
 default_md=$HASH
 prompt=no
 distinguished_name=req_distinguished_name
 x509_extensions=v3_ca
 [req_distinguished_name]
 commonName=$SERVERNAME
 [v3_ca]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints=critical,CA:TRUE,pathlen:0
 subjectAltName=DNS:$SERVERNAME
 EOF
 [ -f server.cnf ] || fatal "cannot create openssl configuration"
@ -156,8 +163,12 @@ default_bits=$BITS
 default_md=$HASH
 prompt=no
 distinguished_name=req_distinguished_name
 req_extensions=v3_req
 [req_distinguished_name]
 commonName=$CLIENTNAME
 [v3_req]
 basicConstraints=critical,CA:FALSE
 subjectAltName=DNS:$CLIENTNAME
 EOF
 [ -f client.cnf ] || fatal "cannot create openssl configuration"
@ -179,6 +190,8 @@ if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then
                  -CAkey "$SVR_BASE.key" \
                  -CAcreateserial \
                  -$HASH \
                  -extfile client.cnf \
                  -extensions v3_req \
                  -out "$CTL_BASE.pem"
    [ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate"
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@ -82,6 +82,9 @@ static void usage(void) ATTR_NORETURN;
 static void ssl_err(const char* s) ATTR_NORETURN;
 static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN;
 /** timeout to wait for connection over stream, in msec */
 #define UNBOUND_CONTROL_CONNECT_TIMEOUT 5000
 /** Give unbound-control usage, and exit (1). */
 static void
 usage(void)
@ -164,6 +167,9 @@ usage(void)
 	printf("  view_local_data_remove view name  	remove local-data in view\n");
 	printf("  view_local_datas_remove view 		remove list of local-data from view\n");
 	printf("  					one entry per line read from stdin\n");
 	printf("  rpz_enable zone		Enable the RPZ zone if it had previously\n");
 	printf("  				been disabled\n");
 	printf("  rpz_disable zone		Disable the RPZ zone\n");
 	printf("Version %s\n", PACKAGE_VERSION);
 	printf("BSD licensed, see LICENSE in source package for details.\n");
 	printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
@ -278,6 +284,8 @@ static void print_mem(struct ub_shm_stat_info* shm_stat,
 		shm_stat->mem.dnscrypt_nonce);
 #endif
 	PR_LL("mem.streamwait", s->svr.mem_stream_wait);
 	PR_LL("mem.http.query_buffer", s->svr.mem_http2_query_buffer);
 	PR_LL("mem.http.response_buffer", s->svr.mem_http2_response_buffer);
 }
 /** print histogram */
@ -342,6 +350,7 @@ static void print_extended(struct ub_stats_info* s)
 	PR_UL("num.query.tls", s->svr.qtls);
 	PR_UL("num.query.tls_resume", s->svr.qtls_resume);
 	PR_UL("num.query.ipv6", s->svr.qipv6);
 	PR_UL("num.query.https", s->svr.qhttps);
 	/* flags */
 	PR_UL("num.query.flags.QR", s->svr.qbit_QR);
@ -542,6 +551,30 @@ setup_ctx(struct config_file* cfg)
 	return ctx;
 }
 /** check connect error */
 static void
 checkconnecterr(int err, const char* svr, struct sockaddr_storage* addr,
 	socklen_t addrlen, int statuscmd, int useport)
 {
 #ifndef USE_WINSOCK
 	if(!useport) log_err("connect: %s for %s", strerror(err), svr);
 	else log_err_addr("connect", strerror(err), addr, addrlen);
 	if(err == ECONNREFUSED && statuscmd) {
 		printf("unbound is stopped\n");
 		exit(3);
 	}
 #else
 	int wsaerr = err;
 	if(!useport) log_err("connect: %s for %s", wsa_strerror(wsaerr), svr);
 	else log_err_addr("connect", wsa_strerror(wsaerr), addr, addrlen);
 	if(wsaerr == WSAECONNREFUSED && statuscmd) {
 		printf("unbound is stopped\n");
 		exit(3);
 	}
 #endif
 	exit(1);
 }
 /** contact the server with TCP connect */
 static int
 contact_server(const char* svr, struct config_file* cfg, int statuscmd)
@ -593,32 +626,77 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
 		addrfamily = addr_is_ip6(&addr, addrlen)?PF_INET6:PF_INET;
 	fd = socket(addrfamily, SOCK_STREAM, proto);
 	if(fd == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("socket: %s", sock_strerror(errno));
 		fatal_exit("socket: %s", strerror(errno));
 #else
 		fatal_exit("socket: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	fd_set_nonblock(fd);
 	if(connect(fd, (struct sockaddr*)&addr, addrlen) < 0) {
 #ifndef USE_WINSOCK
-		int err = errno;
+#ifdef EINPROGRESS
-		if(!useport) log_err("connect: %s for %s", strerror(err), svr);
+		if(errno != EINPROGRESS) {
-		else log_err_addr("connect", strerror(err), &addr, addrlen);
+			checkconnecterr(errno, svr, &addr,
-		if(err == ECONNREFUSED && statuscmd) {
+				addrlen, statuscmd, useport);
-			printf("unbound is stopped\n");
+		}
-			exit(3);
+#endif
-		}
+#else
-#else
+		if(WSAGetLastError() != WSAEINPROGRESS &&
-		int wsaerr = WSAGetLastError();
+			WSAGetLastError() != WSAEWOULDBLOCK) {
-		if(!useport) log_err("connect: %s for %s", wsa_strerror(wsaerr), svr);
+			checkconnecterr(WSAGetLastError(), svr, &addr,
-		else log_err_addr("connect", wsa_strerror(wsaerr), &addr, addrlen);
+				addrlen, statuscmd, useport);
 		if(wsaerr == WSAECONNREFUSED && statuscmd) {
 			printf("unbound is stopped\n");
 			exit(3);
 		}
 #endif
 		exit(1);
 	}
 	while(1) {
 		fd_set rset, wset, eset;
 		struct timeval tv;
 		FD_ZERO(&rset);
 		FD_SET(FD_SET_T fd, &rset);
 		FD_ZERO(&wset);
 		FD_SET(FD_SET_T fd, &wset);
 		FD_ZERO(&eset);
 		FD_SET(FD_SET_T fd, &eset);
 		tv.tv_sec = UNBOUND_CONTROL_CONNECT_TIMEOUT/1000;
 		tv.tv_usec= (UNBOUND_CONTROL_CONNECT_TIMEOUT%1000)*1000;
 		if(select(fd+1, &rset, &wset, &eset, &tv) == -1) {
 			fatal_exit("select: %s", sock_strerror(errno));
 		}
 		if(!FD_ISSET(fd, &rset) && !FD_ISSET(fd, &wset) &&
 			!FD_ISSET(fd, &eset)) {
 			fatal_exit("timeout: could not connect to server");
 		} else {
 			/* check nonblocking connect error */
 			int error = 0;
 			socklen_t len = (socklen_t)sizeof(error);
 			if(getsockopt(fd, SOL_SOCKET, SO_ERROR, (void*)&error,
 				&len) < 0) {
 #ifndef USE_WINSOCK
 				error = errno; /* on solaris errno is error */
 #else
 				error = WSAGetLastError();
 #endif
 			}
 			if(error != 0) {
 #ifndef USE_WINSOCK
 #ifdef EINPROGRESS
 				if(error == EINPROGRESS)
 					continue; /* try again later */
 #endif
 #ifdef EWOULDBLOCK
 				if(error == EWOULDBLOCK)
 					continue; /* try again later */
 #endif
 #else
 				if(error == WSAEINPROGRESS)
 					continue; /* try again later */
 				if(error == WSAEWOULDBLOCK)
 					continue; /* try again later */
 #endif
 				checkconnecterr(error, svr, &addr, addrlen,
 					statuscmd, useport);
 			}
 		}
 		break;
 	}
 	fd_set_block(fd);
 	return fd;
 }
@ -681,11 +759,7 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
 				/* EOF */
 				return 0;
 			}
-#ifndef USE_WINSOCK
+			fatal_exit("could not recv: %s", sock_strerror(errno));
 			fatal_exit("could not recv: %s", strerror(errno));
 #else
 			fatal_exit("could not recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		}
 		buf[rr] = 0;
 	}
@ -701,11 +775,7 @@ remote_write(SSL* ssl, int fd, const char* buf, size_t len)
 			ssl_err("could not SSL_write");
 	} else {
 		if(send(fd, buf, len, 0) < (ssize_t)len) {
-#ifndef USE_WINSOCK
+			fatal_exit("could not send: %s", sock_strerror(errno));
 			fatal_exit("could not send: %s", strerror(errno));
 #else
 			fatal_exit("could not send: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		}
 	}
 }
@ -824,11 +894,7 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
 	ret = go_cmd(ssl, fd, quiet, argc, argv);
 	if(ssl) SSL_free(ssl);
-#ifndef USE_WINSOCK
+	sock_close(fd);
 	close(fd);
 #else
 	closesocket(fd);
 #endif
 	if(ctx) SSL_CTX_free(ctx);
 	config_delete(cfg);
 	return ret;
@ -886,7 +952,7 @@ int main(int argc, char* argv[])
 	if(argc == 0)
 		usage();
 	if(argc >= 1 && strcmp(argv[0], "start")==0) {
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 		fatal_exit("could not exec unbound: %s",
 			strerror(ENOSYS));
 #else
--- a/smallapp/worker_cb.c
+++ b/smallapp/worker_cb.c
@ -46,6 +46,9 @@
 #include "util/fptr_wlist.h"
 #include "util/log.h"
 #include "services/mesh.h"
 #ifdef USE_DNSTAP
 #include "dnstap/dtstream.h"
 #endif
 void worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
 	uint8_t* ATTR_UNUSED(buffer), size_t ATTR_UNUSED(len),
--- a/testcode/delayer.c
+++ b/testcode/delayer.c
@ -372,11 +372,7 @@ service_send(struct ringbuf* ring, struct timeval* now, sldns_buffer* pkt,
 			sldns_buffer_limit(pkt), 0, 
 			(struct sockaddr*)srv_addr, srv_len);
 		if(sent == -1) {
-#ifndef USE_WINSOCK
+			log_err("sendto: %s", sock_strerror(errno));
 			log_err("sendto: %s", strerror(errno));
 #else
 			log_err("sendto: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		} else if(sent != (ssize_t)sldns_buffer_limit(pkt)) {
 			log_err("sendto: partial send");
 		}
@ -398,13 +394,12 @@ do_proxy(struct proxy* p, int retsock, sldns_buffer* pkt)
 #ifndef USE_WINSOCK
 			if(errno == EAGAIN || errno == EINTR)
 				return;
 			log_err("recv: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEINPROGRESS ||
 				WSAGetLastError() == WSAEWOULDBLOCK)
 				return;
 			log_err("recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
 			log_err("recv: %s", sock_strerror(errno));
 			return;
 		}
 		sldns_buffer_set_limit(pkt, (size_t)r);
@ -414,11 +409,7 @@ do_proxy(struct proxy* p, int retsock, sldns_buffer* pkt)
 		r = sendto(retsock, (void*)sldns_buffer_begin(pkt), (size_t)r, 
 			0, (struct sockaddr*)&p->addr, p->addr_len);
 		if(r == -1) {
-#ifndef USE_WINSOCK
+			log_err("sendto: %s", sock_strerror(errno));
 			log_err("sendto: %s", strerror(errno));
 #else
 			log_err("sendto: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		}
 	}
 }
@ -469,11 +460,7 @@ find_create_proxy(struct sockaddr_storage* from, socklen_t from_len,
 	if(!p) fatal_exit("out of memory");
 	p->s = socket(serv_ip6?AF_INET6:AF_INET, SOCK_DGRAM, 0);
 	if(p->s == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("socket: %s", sock_strerror(errno));
 		fatal_exit("socket: %s", strerror(errno));
 #else
 		fatal_exit("socket: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	fd_set_nonblock(p->s);
 	memmove(&p->addr, from, from_len);
@ -507,14 +494,12 @@ service_recv(int s, struct ringbuf* ring, sldns_buffer* pkt,
 #ifndef USE_WINSOCK
 			if(errno == EAGAIN || errno == EINTR)
 				return;
 			fatal_exit("recvfrom: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEWOULDBLOCK || 
 				WSAGetLastError() == WSAEINPROGRESS)
 				return;
 			fatal_exit("recvfrom: %s", 
 				wsa_strerror(WSAGetLastError()));
 #endif
 			fatal_exit("recvfrom: %s", sock_strerror(errno));
 		}
 		sldns_buffer_set_limit(pkt, (size_t)len);
 		/* find its proxy element */
@ -550,15 +535,9 @@ tcp_proxy_delete(struct tcp_proxy* p)
 		free(s);
 		s = sn;
 	}
-#ifndef USE_WINSOCK
+	sock_close(p->client_s);
 	close(p->client_s);
 	if(p->server_s != -1)
-		close(p->server_s);
+		sock_close(p->server_s);
 #else
 	closesocket(p->client_s);
 	if(p->server_s != -1)
 		closesocket(p->server_s);
 #endif
 	free(p);
 }
@ -577,14 +556,13 @@ service_tcp_listen(int s, fd_set* rorig, int* max, struct tcp_proxy** proxies,
 #ifndef USE_WINSOCK
 		if(errno == EAGAIN || errno == EINTR)
 			return;
 		fatal_exit("accept: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEWOULDBLOCK || 
 			WSAGetLastError() == WSAEINPROGRESS ||
 			WSAGetLastError() == WSAECONNRESET)
 			return;
 		fatal_exit("accept: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		fatal_exit("accept: %s", sock_strerror(errno));
 	}
 	p = (struct tcp_proxy*)calloc(1, sizeof(*p));
 	if(!p) fatal_exit("out of memory");
@ -595,11 +573,7 @@ service_tcp_listen(int s, fd_set* rorig, int* max, struct tcp_proxy** proxies,
 	p->server_s = socket(addr_is_ip6(srv_addr, srv_len)?AF_INET6:AF_INET,
 		SOCK_STREAM, 0);
 	if(p->server_s == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("tcp socket: %s", sock_strerror(errno));
 		fatal_exit("tcp socket: %s", strerror(errno));
 #else
 		fatal_exit("tcp socket: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	fd_set_nonblock(p->client_s);
 	fd_set_nonblock(p->server_s);
@ -607,16 +581,14 @@ service_tcp_listen(int s, fd_set* rorig, int* max, struct tcp_proxy** proxies,
 #ifndef USE_WINSOCK
 		if(errno != EINPROGRESS) {
 			log_err("tcp connect: %s", strerror(errno));
 			close(p->server_s);
 			close(p->client_s);
 #else
 		if(WSAGetLastError() != WSAEWOULDBLOCK &&
 			WSAGetLastError() != WSAEINPROGRESS) {
 			log_err("tcp connect: %s", 
 				wsa_strerror(WSAGetLastError()));
 			closesocket(p->server_s);
 			closesocket(p->client_s);
 #endif
 			sock_close(p->server_s);
 			sock_close(p->client_s);
 			free(p);
 			return;
 		}
@ -650,13 +622,12 @@ tcp_relay_read(int s, struct tcp_send_list** first,
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return 1;
 		log_err("tcp read: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS || 
 			WSAGetLastError() == WSAEWOULDBLOCK)
 			return 1;
 		log_err("tcp read: %s", wsa_strerror(WSAGetLastError()));
 #endif
 		log_err("tcp read: %s", sock_strerror(errno));
 		return 0;
 	} else if(r == 0) {
 		/* connection closed */
@ -708,14 +679,12 @@ tcp_relay_write(int s, struct tcp_send_list** first,
 #ifndef USE_WINSOCK
 			if(errno == EAGAIN || errno == EINTR)
 				return 1;
 			log_err("tcp write: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEWOULDBLOCK || 
 				WSAGetLastError() == WSAEINPROGRESS)
 				return 1;
 			log_err("tcp write: %s", 
 				wsa_strerror(WSAGetLastError()));
 #endif
 			log_err("tcp write: %s", sock_strerror(errno));
 			return 0;
 		} else if(r == 0) {
 			/* closed */
@ -769,11 +738,7 @@ service_tcp_relay(struct tcp_proxy** tcp_proxies, struct timeval* now,
 			log_addr(1, "read tcp answer", &p->addr, p->addr_len);
 			if(!tcp_relay_read(p->server_s, &p->answerlist, 
 				&p->answerlast, now, delay, pkt)) {
-#ifndef USE_WINSOCK
+				sock_close(p->server_s);
 				close(p->server_s);
 #else
 				closesocket(p->server_s);
 #endif
 				FD_CLR(FD_SET_T p->server_s, worig);
 				FD_CLR(FD_SET_T p->server_s, rorig);
 				p->server_s = -1;
@ -901,11 +866,7 @@ proxy_list_clear(struct proxy* p)
 			"%u returned\n", i++, from, port, (int)p->numreuse+1,
 			(unsigned)p->numwait, (unsigned)p->numsent, 
 			(unsigned)p->numreturn);
-#ifndef USE_WINSOCK
+		sock_close(p->s);
 		close(p->s);
 #else
 		closesocket(p->s);
 #endif
 		free(p);
 		p = np;
 	}
@ -1034,11 +995,7 @@ service(const char* bind_str, int bindport, const char* serv_str,
 	/* bind UDP port */
 	if((s = socket(str_is_ip6(bind_str)?AF_INET6:AF_INET,
 		SOCK_DGRAM, 0)) == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("socket: %s", sock_strerror(errno));
 		fatal_exit("socket: %s", strerror(errno));
 #else
 		fatal_exit("socket: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	i=0;
 	if(bindport == 0) {
@ -1051,11 +1008,7 @@ service(const char* bind_str, int bindport, const char* serv_str,
 			exit(1);
 		}
 		if(bind(s, (struct sockaddr*)&bind_addr, bind_len) == -1) {
-#ifndef USE_WINSOCK
+			log_err("bind: %s", sock_strerror(errno));
 			log_err("bind: %s", strerror(errno));
 #else
 			log_err("bind: %s", wsa_strerror(WSAGetLastError()));
 #endif
 			if(i--==0)
 				fatal_exit("cannot bind any port");
 			bindport = 1024 + ((int)arc4random())%64000;
@ -1065,39 +1018,22 @@ service(const char* bind_str, int bindport, const char* serv_str,
 	/* and TCP port */
 	if((listen_s = socket(str_is_ip6(bind_str)?AF_INET6:AF_INET,
 		SOCK_STREAM, 0)) == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("tcp socket: %s", sock_strerror(errno));
 		fatal_exit("tcp socket: %s", strerror(errno));
 #else
 		fatal_exit("tcp socket: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 #ifdef SO_REUSEADDR
 	if(1) {
 		int on = 1;
 		if(setsockopt(listen_s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
 			(socklen_t)sizeof(on)) < 0)
 #ifndef USE_WINSOCK
 			fatal_exit("setsockopt(.. SO_REUSEADDR ..) failed: %s",
-				strerror(errno));
+				sock_strerror(errno));
 #else
 			fatal_exit("setsockopt(.. SO_REUSEADDR ..) failed: %s",
 				wsa_strerror(WSAGetLastError()));
 #endif
 	}
 #endif
 	if(bind(listen_s, (struct sockaddr*)&bind_addr, bind_len) == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("tcp bind: %s", sock_strerror(errno));
 		fatal_exit("tcp bind: %s", strerror(errno));
 #else
 		fatal_exit("tcp bind: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	if(listen(listen_s, 5) == -1) {
-#ifndef USE_WINSOCK
+		fatal_exit("tcp listen: %s", sock_strerror(errno));
 		fatal_exit("tcp listen: %s", strerror(errno));
 #else
 		fatal_exit("tcp listen: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	}
 	fd_set_nonblock(listen_s);
 	printf("listening on port: %d\n", bindport);
@ -1109,13 +1045,8 @@ service(const char* bind_str, int bindport, const char* serv_str,
 	/* cleanup */
 	verbose(1, "cleanup");
-#ifndef USE_WINSOCK
+	sock_close(s);
-	close(s);
+	sock_close(listen_s);
 	close(listen_s);
 #else
 	closesocket(s);
 	closesocket(listen_s);
 #endif
 	sldns_buffer_free(pkt);
 	ring_delete(ring);
 }
--- a/testcode/do-tests.sh
+++ b/testcode/do-tests.sh
@ -29,6 +29,9 @@ else
 	HAVE_MINGW=no
 fi
 # stop tests from notifying systemd, if that is compiled in.
 export -n NOTIFY_SOCKET
 cd testdata;
 sh ../testcode/mini_tdir.sh clean
 rm -f .perfstats.txt
--- a/testcode/dohclient.c
+++ b/testcode/dohclient.c
@ -0,0 +1,638 @@
 /*
 * testcode/dohclient.c - debug program. Perform multiple DNS queries using DoH.
 *
 * Copyright (c) 2020, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * 
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 * 
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 /** 
 * \file
 *
 * Simple DNS-over-HTTPS client. For testing and debugging purposes.
 * No authentication of TLS cert.
 */
 #include "config.h"
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
 #include "sldns/wire2str.h"
 #include "sldns/sbuffer.h"
 #include "sldns/str2wire.h"
 #include "sldns/parseutil.h"
 #include "util/data/msgencode.h"
 #include "util/data/msgreply.h"
 #include "util/data/msgparse.h"
 #include "util/net_help.h"
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #ifdef HAVE_NGHTTP2
 #include <nghttp2/nghttp2.h>
 struct http2_session {
 	nghttp2_session* session;
 	SSL* ssl;
 	int fd;
 	int query_count;
 	/* Use POST :method if 1 */
 	int post;
 	int block_select;
 	const char* authority;
 	const char* endpoint;
 	const char* content_type;
 };
 struct http2_stream {
 	int32_t stream_id;
 	int res_status;
 	struct sldns_buffer* buf;
 	char* path;
 };
 static void usage(char* argv[])
 {
 	printf("usage: %s [options] name type class ...\n", argv[0]);
 	printf("	sends the name-type-class queries over "
 			"DNS-over-HTTPS.\n");
 	printf("-s server	IP address to send the queries to, "
 			"default: 127.0.0.1\n");
 	printf("-p		Port to connect to, default: %d\n",
 		UNBOUND_DNS_OVER_HTTPS_PORT);
 	printf("-P		Use POST method instead of default GET\n");
 	printf("-e		HTTP endpoint, default: /dns-query\n");
 	printf("-c		Content-type in request, default: "
 		"application/dns-message\n");
 	printf("-n		no-tls, TLS is disabled\n");
 	printf("-h 		This help text\n");
 	exit(1);
 }
 /** open TCP socket to svr */
 static int
 open_svr(const char* svr, int port)
 {
 	struct sockaddr_storage addr;
 	socklen_t addrlen;
 	int fd = -1;
 	int r;
 	if(!ipstrtoaddr(svr, port, &addr, &addrlen)) {
 		printf("fatal: bad server specs '%s'\n", svr);
 		exit(1);
 	}
 	fd = socket(addr_is_ip6(&addr, addrlen)?PF_INET6:PF_INET,
 		SOCK_STREAM, 0);
 	if(fd == -1) {
 		perror("socket() error");
 		exit(1);
 	}
 	r = connect(fd, (struct sockaddr*)&addr, addrlen);
 	if(r < 0 && r != EINPROGRESS) {
 		perror("connect() error");
 		exit(1);
 	}
 	return fd;
 }
 static ssize_t http2_submit_request_read_cb(
 	nghttp2_session* ATTR_UNUSED(session),
 	int32_t ATTR_UNUSED(stream_id), uint8_t* buf, size_t length,
 	uint32_t* data_flags, nghttp2_data_source* source,
 	void* ATTR_UNUSED(cb_arg))
 {
 	if(length > sldns_buffer_remaining(source->ptr))
 		length = sldns_buffer_remaining(source->ptr);
 	memcpy(buf, sldns_buffer_current(source->ptr), length);
 	sldns_buffer_skip(source->ptr, length);
 	if(sldns_buffer_remaining(source->ptr) == 0) {
 		*data_flags |= NGHTTP2_DATA_FLAG_EOF;
 	}
 	return length;
 }
 static void
 submit_query(struct http2_session* h2_session, struct sldns_buffer* buf)
 {
 	int32_t stream_id;
 	struct http2_stream* h2_stream;
 	nghttp2_nv headers[5];
 	char* qb64;
 	size_t qb64_size;
 	size_t qb64_expected_size;
 	size_t i;
 	nghttp2_data_provider data_prd;
 	h2_stream = calloc(1,  sizeof(*h2_stream));
 	if(!h2_stream)
 		fatal_exit("could not malloc http2 stream");
 	h2_stream->buf = buf;
 	if(h2_session->post) {
 		data_prd.source.ptr = buf;
 		data_prd.read_callback = http2_submit_request_read_cb;
 		h2_stream->path = (char*)h2_session->endpoint;
 	} else {
 		qb64_expected_size = sldns_b64_ntop_calculate_size(
 				sldns_buffer_remaining(buf));
 		qb64 = malloc(qb64_expected_size);
 		if(!qb64) fatal_exit("out of memory");
 		qb64_size = sldns_b64url_ntop(sldns_buffer_begin(buf),
 			sldns_buffer_remaining(buf), qb64, qb64_expected_size);
 		h2_stream->path = malloc(strlen(
 			h2_session->endpoint)+strlen("?dns=")+qb64_size+1);
 		if(!h2_stream->path) fatal_exit("out of memory");
 		snprintf(h2_stream->path, strlen(h2_session->endpoint)+
 			strlen("?dns=")+qb64_size+1, "%s?dns=%s",
 			h2_session->endpoint, qb64);
 		free(qb64);
 	}
 	headers[0].name = (uint8_t*)":method";
 	if(h2_session->post)
 		headers[0].value = (uint8_t*)"POST";
 	else
 		headers[0].value = (uint8_t*)"GET";
 	headers[1].name = (uint8_t*)":path";
 	headers[1].value = (uint8_t*)h2_stream->path;
 	headers[2].name = (uint8_t*)":scheme";
 	if(h2_session->ssl)
 		headers[2].value = (uint8_t*)"https";
 	else
 		headers[2].value = (uint8_t*)"http";
 	headers[3].name = (uint8_t*)":authority";
 	headers[3].value = (uint8_t*)h2_session->authority;
 	headers[4].name = (uint8_t*)"content-type";
 	headers[4].value = (uint8_t*)h2_session->content_type;
 	printf("Request headers\n");
 	for(i=0; i<sizeof(headers)/sizeof(headers[0]); i++) {
 		headers[i].namelen = strlen((char*)headers[i].name);
 		headers[i].valuelen = strlen((char*)headers[i].value);
 		headers[i].flags = NGHTTP2_NV_FLAG_NONE;
 		printf("%s: %s\n", headers[i].name, headers[i].value);
 	}
 	stream_id = nghttp2_submit_request(h2_session->session, NULL, headers,
 		sizeof(headers)/sizeof(headers[0]),
 		(h2_session->post) ? &data_prd : NULL, h2_stream);
 	if(stream_id < 0) {
 		printf("Failed to submit nghttp2 request");
 		exit(1);
 	}
 	h2_session->query_count++;
 	h2_stream->stream_id = stream_id;
 }
 static sldns_buffer*
 make_query(char* qname, char* qtype, char* qclass)
 {
 	struct query_info qinfo;
 	struct edns_data edns;
 	sldns_buffer* buf = sldns_buffer_new(65553);
 	if(!buf) fatal_exit("out of memory");
 	qinfo.qname = sldns_str2wire_dname(qname, &qinfo.qname_len);
 	if(!qinfo.qname) {
 		printf("cannot parse query name: '%s'\n", qname);
 		exit(1);
 	}
 	qinfo.qtype = sldns_get_rr_type_by_name(qtype);
 	qinfo.qclass = sldns_get_rr_class_by_name(qclass);
 	qinfo.local_alias = NULL;
 	qinfo_query_encode(buf, &qinfo); /* flips buffer */
 	free(qinfo.qname);
 	sldns_buffer_write_u16_at(buf, 0, 0x0000);
 	sldns_buffer_write_u16_at(buf, 2, BIT_RD);
 	memset(&edns, 0, sizeof(edns));
 	edns.edns_present = 1;
 	edns.bits = EDNS_DO;
 	edns.udp_size = 4096;
 	if(sldns_buffer_capacity(buf) >=
 		sldns_buffer_limit(buf)+calc_edns_field_size(&edns))
 		attach_edns_record(buf, &edns);
 	return buf;
 }
 static ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session),
 	uint8_t* buf, size_t len, int ATTR_UNUSED(flags), void* cb_arg)
 {
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
 	int r;
 	ssize_t ret;
 	struct timeval tv, *waittv;
 	fd_set rfd;
 	ERR_clear_error();
 	memset(&tv, 0, sizeof(tv));
 	if(h2_session->block_select && h2_session->query_count <= 0) {
 		return NGHTTP2_ERR_WOULDBLOCK;
 	}
 	if(h2_session->block_select)
 		waittv = NULL;
 	else
 		waittv = &tv;
 	memset(&rfd, 0, sizeof(rfd));
 	FD_ZERO(&rfd);
 	FD_SET(h2_session->fd, &rfd);
 	r = select(h2_session->fd+1, &rfd, NULL, NULL, waittv);
 	if(r <= 0) {
 		return NGHTTP2_ERR_WOULDBLOCK;
 	}
 	if(h2_session->ssl) {
 		r = SSL_read(h2_session->ssl, buf, len);
 		if(r <= 0) {
 			int want = SSL_get_error(h2_session->ssl, r);
 			if(want == SSL_ERROR_ZERO_RETURN) {
 				return NGHTTP2_ERR_EOF;
 			}
 			log_crypto_err("could not SSL_read");
 			return NGHTTP2_ERR_EOF;
 		}
 		return r;
 	}
 	ret = read(h2_session->fd, buf, len);
 	if(ret == 0) {
 		return NGHTTP2_ERR_EOF;
 	} else if(ret < 0) {
 		log_err("could not http2 read: %s", strerror(errno));
 		return NGHTTP2_ERR_EOF;
 	}
 	return ret;
 }
 static ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session),
 	const uint8_t* buf, size_t len, int ATTR_UNUSED(flags), void* cb_arg)
 {
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
 	ssize_t ret;
 	if(h2_session->ssl) {
 		int r;
 		ERR_clear_error();
 		r = SSL_write(h2_session->ssl, buf, len);
 		if(r <= 0) {
 			int want = SSL_get_error(h2_session->ssl, r);
 			if(want == SSL_ERROR_ZERO_RETURN) {
 				return NGHTTP2_ERR_CALLBACK_FAILURE;
 			}
 			log_crypto_err("could not SSL_write");
 			return NGHTTP2_ERR_CALLBACK_FAILURE;
 		}
 		return r;
 	}
 	ret = write(h2_session->fd, buf, len);
 	if(ret == 0) {
 		return NGHTTP2_ERR_CALLBACK_FAILURE;
 	} else if(ret < 0) {
 		log_err("could not http2 write: %s", strerror(errno));
 		return NGHTTP2_ERR_CALLBACK_FAILURE;
 	}
 	return ret;
 }
 static int http2_stream_close_cb(nghttp2_session* ATTR_UNUSED(session),
 	int32_t ATTR_UNUSED(stream_id),
 	nghttp2_error_code ATTR_UNUSED(error_code), void *cb_arg)
 {
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
 	struct http2_stream* h2_stream;
 	if(!(h2_stream = nghttp2_session_get_stream_user_data(
 		h2_session->session, stream_id))) {
 		return 0;
 	}
 	h2_session->query_count--;
 	sldns_buffer_free(h2_stream->buf);
 	if(!h2_session->post)
 		free(h2_stream->path);
 	free(h2_stream);
 	h2_stream = NULL;
 	return 0;
 }
 static int http2_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
 	uint8_t ATTR_UNUSED(flags), int32_t stream_id, const uint8_t* data,
 	size_t len, void* cb_arg)
 {
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
 	struct http2_stream* h2_stream;
 	if(!(h2_stream = nghttp2_session_get_stream_user_data(
 		h2_session->session, stream_id))) {
 		return 0;
 	}
 	if(sldns_buffer_remaining(h2_stream->buf) < len) {
 		log_err("received data chunck does not fit into buffer");
 		return NGHTTP2_ERR_CALLBACK_FAILURE;
 	}
 	sldns_buffer_write(h2_stream->buf, data, len);
 	return 0;
 }
 static int http2_frame_recv_cb(nghttp2_session *session,
 	const nghttp2_frame *frame, void* ATTR_UNUSED(cb_arg))
 {
 	struct http2_stream* h2_stream;
 	if(!(h2_stream = nghttp2_session_get_stream_user_data(
 		session, frame->hd.stream_id)))
 		return 0;
 	if(frame->hd.type == NGHTTP2_HEADERS &&
 		frame->headers.cat == NGHTTP2_HCAT_RESPONSE) {
 		sldns_buffer_clear(h2_stream->buf);
 	}
 	if(((frame->hd.type != NGHTTP2_DATA &&
 		frame->hd.type != NGHTTP2_HEADERS) ||
 		frame->hd.flags & NGHTTP2_FLAG_END_STREAM) &&
 			h2_stream->res_status == 200) {
 			char* pktstr;
 			sldns_buffer_flip(h2_stream->buf);
 			pktstr = sldns_wire2str_pkt(
 				sldns_buffer_begin(h2_stream->buf),
 				sldns_buffer_limit(h2_stream->buf));
 			printf("%s\n", pktstr);
 			free(pktstr);
 			return 0;
 	}
 	return 0;
 }
 static int http2_header_cb(nghttp2_session* ATTR_UNUSED(session),
 	const nghttp2_frame* frame, const uint8_t* name, size_t namelen,
 	const uint8_t* value, size_t ATTR_UNUSED(valuelen),
 	uint8_t ATTR_UNUSED(flags), void* cb_arg)
 {
 	struct http2_stream* h2_stream;
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
 	printf("%s %s\n", name, value);
 	if(namelen == 7 && memcmp(":status", name, namelen) == 0) {
 		if(!(h2_stream = nghttp2_session_get_stream_user_data(
 			h2_session->session, frame->hd.stream_id))) {
 			return 0;
 		}
 		h2_stream->res_status = atoi((char*)value);
 	}
 	return 0;
 }
 static struct http2_session*
 http2_session_create()
 {
 	struct http2_session* h2_session = calloc(1,
 		sizeof(struct http2_session));
 	nghttp2_session_callbacks* callbacks;
 	if(!h2_session)
 		fatal_exit("out of memory");
 	if(nghttp2_session_callbacks_new(&callbacks) == NGHTTP2_ERR_NOMEM) {
 		log_err("failed to initialize nghttp2 callback");
 		return NULL;
 	}
 	nghttp2_session_callbacks_set_recv_callback(callbacks, http2_recv_cb);
 	nghttp2_session_callbacks_set_send_callback(callbacks, http2_send_cb);
 	nghttp2_session_callbacks_set_on_stream_close_callback(callbacks,
 		http2_stream_close_cb);
 	nghttp2_session_callbacks_set_on_data_chunk_recv_callback(callbacks,
 		http2_data_chunk_recv_cb);
 	nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks,
 		http2_frame_recv_cb);
 	nghttp2_session_callbacks_set_on_header_callback(callbacks,
 		http2_header_cb);
 	nghttp2_session_client_new(&h2_session->session, callbacks, h2_session);
 	nghttp2_session_callbacks_del(callbacks);
 	return h2_session;
 }
 static void
 http2_session_delete(struct http2_session* h2_session)
 {
 	nghttp2_session_del(h2_session->session);
 	free(h2_session);
 }
 static void
 http2_submit_setting(struct http2_session* h2_session)
 {
 	int ret;
 	nghttp2_settings_entry settings[1] = {
 		{NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS,
 		 100}};
 	ret = nghttp2_submit_settings(h2_session->session, NGHTTP2_FLAG_NONE,
 		settings, 1);
 	if(ret) {
 		printf("http2: submit_settings failed, "
 			"error: %s\n", nghttp2_strerror(ret));
 		exit(1);
 	}
 }
 static void
 http2_write(struct http2_session* h2_session)
 {
 	if(nghttp2_session_want_write(h2_session->session)) {
 		if(nghttp2_session_send(h2_session->session)) {
 			printf("nghttp2 session send failed\n");
 			exit(1);
 		}
 	}
 }
 static void
 http2_read(struct http2_session* h2_session)
 {
 	if(nghttp2_session_want_read(h2_session->session)) {
 		if(nghttp2_session_recv(h2_session->session)) {
 			printf("nghttp2 session mem_recv failed\n");
 			exit(1);
 		}
 	}
 }
 static void
 run(struct http2_session* h2_session, int port, int no_tls, int count, char** q)
 {
 	int i;
 	SSL_CTX* ctx = NULL;
 	SSL* ssl = NULL;
 	int fd;
 	struct sldns_buffer* buf = NULL;
 	fd = open_svr(h2_session->authority, port);
 	h2_session->fd = fd;
 	if(!no_tls) {
 		ctx = connect_sslctx_create(NULL, NULL, NULL, 0);
 		if(!ctx) fatal_exit("cannot create ssl ctx");
 		SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3);
 		ssl = outgoing_ssl_fd(ctx, fd);
 		if(!ssl) {
 			printf("cannot create ssl\n");
 			exit(1);
 		}
 		h2_session->ssl = ssl;
 		while(1) {
 			int r;
 			ERR_clear_error();
 			if( (r=SSL_do_handshake(ssl)) == 1)
 				break;
 			r = SSL_get_error(ssl, r);
 			if(r != SSL_ERROR_WANT_READ &&
 				r != SSL_ERROR_WANT_WRITE) {
 				log_crypto_err("could not ssl_handshake");
 				exit(1);
 			}
 		}
 	}
 	http2_submit_setting(h2_session);
 	http2_write(h2_session);
 	http2_read(h2_session); /* Read setting from remote peer */
 	h2_session->block_select = 1;
 	/* hande query */
 	for(i=0; i<count; i+=3) {
 		buf = make_query(q[i], q[i+1], q[i+2]);
 		submit_query(h2_session, buf);
 	}
 	http2_write(h2_session);
 	while(h2_session->query_count) {
 		http2_read(h2_session);
 		http2_write(h2_session);
 	}
 	/* shutdown */
 	http2_session_delete(h2_session);
 	if(ssl) {
 		SSL_shutdown(ssl);
 		SSL_free(ssl);
 	}
 	if(ctx) {
 		SSL_CTX_free(ctx);
 	}
 	close(fd);
 }
 /** getopt global, in case header files fail to declare it. */
 extern int optind;
 /** getopt global, in case header files fail to declare it. */
 extern char* optarg;
 int main(int argc, char** argv)
 {
 	int c;
 	int port = UNBOUND_DNS_OVER_HTTPS_PORT, no_tls = 0;
 	struct http2_session* h2_session;
 #ifdef USE_WINSOCK
 	WSADATA wsa_data;
 	if(WSAStartup(MAKEWORD(2,2), &wsa_data) != 0) {
 		printf("WSAStartup failed\n");
 		return 1;
 	}
 #endif
 	log_init(0, 0, 0);
 	checklock_start();
 	h2_session = http2_session_create();
 	if(!h2_session) fatal_exit("out of memory");
 	if(argc == 1) {
 		usage(argv);
 	}
 	h2_session->authority = "127.0.0.1";
 	h2_session->post = 0;
 	h2_session->endpoint = "/dns-query";
 	h2_session->content_type = "application/dns-message";
 	while((c=getopt(argc, argv, "c:e:hns:p:P")) != -1) {
 		switch(c) {
 			case 'c':
 				h2_session->content_type = optarg;
 				break;
 			case 'e':
 				h2_session->endpoint = optarg;
 				break;
 			case 'n':
 				no_tls = 1;
 				break;
 			case 'p':
 				if(atoi(optarg)==0 && strcmp(optarg,"0")!=0) {
 					printf("error parsing port, "
 					    "number expected: %s\n", optarg);
 					return 1;
 				}
 				port = atoi(optarg);
 				break;
 			case 'P':
 				h2_session->post = 1;
 				break;
 			case 's':
 				h2_session->authority = optarg;
 				break;
 			case 'h':
 			case '?':
 			default:
 				usage(argv);
 		}
 	}
 	argc -= optind;
 	argv += optind;
 	if(argc%3!=0) {
 		printf("Invalid input. Specify qname, qtype, and qclass.\n");
 		return 1;
 	}
 	run(h2_session, port, no_tls, argc, argv);
 	checklock_stop();
 #ifdef USE_WINSOCK
 	WSACleanup();
 #endif
 	return 0;
 }
 #else
 int main(int ATTR_UNUSED(argc), char** ATTR_UNUSED(argv))
 {
 	printf("Compiled without nghttp2, cannot run test.\n");
 	return 1;
 }
 #endif /*  HAVE_NGHTTP2 */
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@ -52,6 +52,7 @@
 #include "util/data/msgreply.h"
 #include "util/data/msgencode.h"
 #include "util/data/dname.h"
 #include "util/edns.h"
 #include "util/config_file.h"
 #include "services/listen_dnsport.h"
 #include "services/outside_network.h"
@ -63,6 +64,7 @@
 #include "sldns/sbuffer.h"
 #include "sldns/wire2str.h"
 #include "sldns/str2wire.h"
 #include "daemon/remote.h"
 #include <signal.h>
 struct worker;
 struct daemon_remote;
@ -868,9 +870,13 @@ struct listen_dnsport*
 listen_create(struct comm_base* base, struct listen_port* ATTR_UNUSED(ports),
 	size_t bufsize, int ATTR_UNUSED(tcp_accept_count),
 	int ATTR_UNUSED(tcp_idle_timeout),
 	int ATTR_UNUSED(harden_large_queries),
 	uint32_t ATTR_UNUSED(http_max_streams),
 	char* ATTR_UNUSED(http_endpoint),
 	int ATTR_UNUSED(http_notls),
 	struct tcl_list* ATTR_UNUSED(tcp_conn_limit),
 	void* ATTR_UNUSED(sslctx), struct dt_env* ATTR_UNUSED(dtenv),
-	comm_point_callback_type* cb, void* cb_arg)
+	comm_point_callback_type* cb, void *cb_arg)
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)base;
 	struct listen_dnsport* l= calloc(1, sizeof(struct listen_dnsport));
@ -1040,7 +1046,7 @@ outside_network_create(struct comm_base* base, size_t bufsize,
 	void (*unwanted_action)(void*), void* ATTR_UNUSED(unwanted_param),
 	int ATTR_UNUSED(do_udp), void* ATTR_UNUSED(sslctx),
 	int ATTR_UNUSED(delayclose), int ATTR_UNUSED(tls_use_sni),
-	struct dt_env* ATTR_UNUSED(dtenv))
+	struct dt_env* ATTR_UNUSED(dtenv), int ATTR_UNUSED(udp_connect))
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)base;
 	struct outside_network* outnet =  calloc(1, 
@ -1180,7 +1186,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	socklen_t addrlen, uint8_t* zone, size_t zonelen,
 	struct module_qstate* qstate, comm_point_callback_type* callback,
 	void* callback_arg, sldns_buffer* ATTR_UNUSED(buff),
-	struct module_env* ATTR_UNUSED(env))
+	struct module_env* env)
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)outnet->base;
 	struct fake_pending* pend = (struct fake_pending*)calloc(1,
@ -1209,6 +1215,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	sldns_buffer_flip(pend->buffer);
 	if(1) {
 		struct edns_data edns;
 		struct edns_string_addr* client_string_addr;
 		if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen,
 			zone, zonelen, qstate, qstate->region)) {
 			free(pend);
@ -1220,9 +1227,17 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 		edns.edns_version = EDNS_ADVERTISED_VERSION;
 		edns.udp_size = EDNS_ADVERTISED_SIZE;
 		edns.bits = 0;
 		edns.opt_list = qstate->edns_opts_back_out;
 		if(dnssec)
 			edns.bits = EDNS_DO;
 		if((client_string_addr = edns_string_addr_lookup(
 			&env->edns_strings->client_strings,
 			addr, addrlen))) {
 			edns_opt_list_append(&qstate->edns_opts_back_out,
 				env->edns_strings->client_string_opcode,
 				client_string_addr->string_len,
 				client_string_addr->string, qstate->region);
 		}
 		edns.opt_list = qstate->edns_opts_back_out;
 		attach_edns_record(pend->buffer, &edns);
 	}
 	memcpy(&pend->addr, addr, addrlen);
@ -1290,7 +1305,14 @@ void outnet_serviced_query_stop(struct serviced_query* sq, void* cb_arg)
 	log_info("double delete of pending serviced query");
 }
 int resolve_interface_names(struct config_file* ATTR_UNUSED(cfg),
 	char*** ATTR_UNUSED(resif), int* ATTR_UNUSED(num_resif))
 {
 	return 1;
 }
 struct listen_port* listening_ports_open(struct config_file* ATTR_UNUSED(cfg),
 	char** ATTR_UNUSED(ifs), int ATTR_UNUSED(num_ifs),
 	int* ATTR_UNUSED(reuseport))
 {
 	return calloc(1, 1);
@ -1490,6 +1512,18 @@ int serviced_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
 	return 0;
 }
 int reuse_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
 {
 	log_assert(0);
 	return 0;
 }
 int reuse_id_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
 {
 	log_assert(0);
 	return 0;
 }
 /* timers in testbound for autotrust. statistics tested in tdir. */
 struct comm_timer* comm_timer_create(struct comm_base* base, 
 	void (*cb)(void*), void* cb_arg)
@ -1732,7 +1766,7 @@ struct comm_point* outnet_comm_point_for_http(struct outside_network* outnet,
 }
 int comm_point_send_udp_msg(struct comm_point *c, sldns_buffer* packet,
-	struct sockaddr* addr, socklen_t addrlen) 
+	struct sockaddr* addr, socklen_t addrlen, int ATTR_UNUSED(is_connected))
 {
 	struct fake_commpoint* fc = (struct fake_commpoint*)c;
 	struct replay_runtime* runtime = fc->runtime;
@ -1825,4 +1859,21 @@ tcp_req_info_get_stream_buffer_size(void)
 	return 0;
 }
 size_t
 http2_get_query_buffer_size(void)
 {
 	return 0;
 }
 size_t
 http2_get_response_buffer_size(void)
 {
 	return 0;
 }
 void http2_stream_add_meshstate(struct http2_stream* ATTR_UNUSED(h2_stream),
 	struct mesh_area* ATTR_UNUSED(mesh), struct mesh_state* ATTR_UNUSED(m))
 {
 }
 /*********** End of Dummy routines ***********/
--- a/testcode/perf.c
+++ b/testcode/perf.c
@ -233,12 +233,7 @@ perfsetup(struct perfinfo* info)
 			addr_is_ip6(&info->dest, info->destlen)?
 			AF_INET6:AF_INET, SOCK_DGRAM, 0);
 		if(info->io[i].fd == -1) {
-#ifndef USE_WINSOCK
+			fatal_exit("socket: %s", sock_strerror(errno));
 			fatal_exit("socket: %s", strerror(errno));
 #else
 			fatal_exit("socket: %s", 
 				wsa_strerror(WSAGetLastError()));
 #endif
 		}
 		if(info->io[i].fd > info->maxfd)
 			info->maxfd = info->io[i].fd;
@ -260,11 +255,7 @@ perffree(struct perfinfo* info)
 	if(!info) return;
 	if(info->io) {
 		for(i=0; i<info->io_num; i++) {
-#ifndef USE_WINSOCK
+			sock_close(info->io[i].fd);
 			close(info->io[i].fd);
 #else
 			closesocket(info->io[i].fd);
 #endif
 		}
 		free(info->io);
 	}
@ -285,11 +276,7 @@ perfsend(struct perfinfo* info, size_t n, struct timeval* now)
 	/*log_hex("send", info->qlist_data[info->qlist_idx],
 		info->qlist_len[info->qlist_idx]);*/
 	if(r == -1) {
-#ifndef USE_WINSOCK
+		log_err("sendto: %s", sock_strerror(errno));
 		log_err("sendto: %s", strerror(errno));
 #else
 		log_err("sendto: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	} else if(r != (ssize_t)info->qlist_len[info->qlist_idx]) {
 		log_err("partial sendto");
 	}
@ -309,11 +296,7 @@ perfreply(struct perfinfo* info, size_t n, struct timeval* now)
 	r = recv(info->io[n].fd, (void*)sldns_buffer_begin(info->buf),
 		sldns_buffer_capacity(info->buf), 0);
 	if(r == -1) {
-#ifndef USE_WINSOCK
+		log_err("recv: %s", sock_strerror(errno));
 		log_err("recv: %s", strerror(errno));
 #else
 		log_err("recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
 	} else {
 		info->by_rcode[LDNS_RCODE_WIRE(sldns_buffer_begin(
 			info->buf))]++;
--- a/testcode/run_vm.sh
+++ b/testcode/run_vm.sh
@ -40,6 +40,8 @@ cleanup() {
 	exit 0
 }
 trap cleanup INT
 # stop tests from notifying systemd, if that is compiled in.
 export -n NOTIFY_SOCKET
 for t in $RUNLIST
 do
--- a/testcode/streamtcp.c
+++ b/testcode/streamtcp.c
@ -388,11 +388,7 @@ send_em(const char* svr, int udp, int usessl, int noanswer, int onarrival,
 		SSL_free(ssl);
 		SSL_CTX_free(ctx);
 	}
-#ifndef USE_WINSOCK
+	sock_close(fd);
 	close(fd);
 #else
 	closesocket(fd);
 #endif
 	sldns_buffer_free(buf);
 	printf("orderly exit\n");
 }
--- a/testcode/testbound.c
+++ b/testcode/testbound.c
@ -42,16 +42,22 @@
 #ifdef HAVE_TIME_H
 #  include <time.h>
 #endif
 #include <ctype.h>
 #include "testcode/testpkts.h"
 #include "testcode/replay.h"
 #include "testcode/fake_event.h"
 #include "daemon/remote.h"
 #include "libunbound/worker.h"
 #include "util/config_file.h"
 #include "sldns/keyraw.h"
-#include <ctype.h>
+#ifdef UB_ON_WINDOWS
 #include "winrc/win_svc.h"
 #endif
 /** signal that this is a testbound compile */
 #define unbound_testbound 1
 /** renamed main routine */
 int daemon_main(int argc, char* argv[]);
 /** 
 * include the main program from the unbound daemon.
 * rename main to daemon_main to call it
@ -333,7 +339,7 @@ setup_playback(const char* filename, int* pass_argc, char* pass_argv[])
 }
 /** remove config file at exit */
-void remove_configfile(void)
+static void remove_configfile(void)
 {
 	struct config_strlist* p;
 	for(p=cfgfiles; p; p=p->next)
@ -362,6 +368,10 @@ main(int argc, char* argv[])
 	/* we do not want the test to depend on the timezone */
 	(void)putenv("TZ=UTC");
 	memset(pass_argv, 0, sizeof(pass_argv));
 #ifdef HAVE_SYSTEMD
 	/* we do not want the test to use systemd daemon startup notification*/
 	(void)unsetenv("NOTIFY_SOCKET");
 #endif /* HAVE_SYSTEMD */
 	log_init(NULL, 0, NULL);
 	/* determine commandline options for the daemon */
@ -547,22 +557,28 @@ void remote_get_opt_ssl(char* ATTR_UNUSED(str), void* ATTR_UNUSED(arg))
        log_assert(0);
 }
 #ifdef UB_ON_WINDOWS
 void wsvc_command_option(const char* ATTR_UNUSED(wopt), 
 	const char* ATTR_UNUSED(cfgfile), int ATTR_UNUSED(v), 
 	int ATTR_UNUSED(c))
 {
 	log_assert(0);
 }
 #endif
 #ifdef UB_ON_WINDOWS
 void wsvc_setup_worker(struct worker* ATTR_UNUSED(worker))
 {
 	/* do nothing */
 }
 #endif
 #ifdef UB_ON_WINDOWS
 void wsvc_desetup_worker(struct worker* ATTR_UNUSED(worker))
 {
 	/* do nothing */
 }
 #endif
 #ifdef UB_ON_WINDOWS
 void worker_win_stop_cb(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev),
--- a/testcode/testpkts.c
+++ b/testcode/testpkts.c
@ -501,7 +501,7 @@ add_edns(uint8_t* pktbuf, size_t pktsize, int do_flag, uint8_t *ednsdata,
 {
 	uint8_t edns[] = {0x00, /* root label */
 		0x00, LDNS_RR_TYPE_OPT, /* type */
-		0x10, 0x00, /* class is UDPSIZE 4096 */
+		0x04, 0xD0, /* class is UDPSIZE 1232 */
 		0x00, /* TTL[0] is ext rcode */
 		0x00, /* TTL[1] is edns version */
 		(uint8_t)(do_flag?0x80:0x00), 0x00, /* TTL[2-3] is edns flags, DO */
--- a/testcode/unitldns.c
+++ b/testcode/unitldns.c
@ -44,6 +44,7 @@
 #include "sldns/sbuffer.h"
 #include "sldns/str2wire.h"
 #include "sldns/wire2str.h"
 #include "sldns/parseutil.h"
 /** verbose this unit test */
 static int vbmp = 0; 
@ -220,9 +221,60 @@ rr_tests(void)
 		SRCDIRSTR "/testdata/test_ldnsrr.c5");
 }
 /** test various base64 decoding options */
 static void
 b64_test(void)
 {
 	/* "normal" b64 alphabet, with padding */
 	char* p1 = "aGVsbG8="; /* "hello" */
 	char* p2 = "aGVsbG8+"; /* "hello>" */
 	char* p3 = "aGVsbG8/IQ=="; /* "hello?!" */
 	char* p4 = "aGVsbG8"; /* "hel" + extra garbage */
 	/* base64 url, without padding */
 	char* u1 = "aGVsbG8"; /* "hello" */
 	char* u2 = "aGVsbG8-"; /* "hello>" */
 	char* u3 = "aGVsbG8_IQ"; /* "hello?!" */
 	char* u4 = "aaaaa"; /* garbage */
 	char target[128];
 	size_t tarsize = 128;
 	int result;
 	memset(target, 0, sizeof(target));
 	result = sldns_b64_pton(p1, (uint8_t*)target, tarsize);
 	unit_assert(result == strlen("hello") && strcmp(target, "hello") == 0);
 	memset(target, 0, sizeof(target));
 	result = sldns_b64_pton(p2, (uint8_t*)target, tarsize);
 	unit_assert(result == strlen("hello>") && strcmp(target, "hello>") == 0);
 	memset(target, 0, sizeof(target));
 	result = sldns_b64_pton(p3, (uint8_t*)target, tarsize);
 	unit_assert(result == strlen("hello?!") && strcmp(target, "hello?!") == 0);
 	memset(target, 0, sizeof(target));
 	result = sldns_b64_pton(p4, (uint8_t*)target, tarsize);
 	/* when padding is used everything that is not a block of 4 will be
 	 * ignored */
 	unit_assert(result == strlen("hel") && strcmp(target, "hel") == 0);
 	memset(target, 0, sizeof(target));
 	result = sldns_b64url_pton(u1, strlen(u1), (uint8_t*)target, tarsize);
 	unit_assert(result == strlen("hello") && strcmp(target, "hello") == 0);
 	memset(target, 0, sizeof(target));
 	result = sldns_b64url_pton(u2, strlen(u2), (uint8_t*)target, tarsize);
 	unit_assert(result == strlen("hello>") && strcmp(target, "hello>") == 0);
 	memset(target, 0, sizeof(target));
 	result = sldns_b64url_pton(u3, strlen(u3), (uint8_t*)target, tarsize);
 	unit_assert(result == strlen("hello+/") && strcmp(target, "hello?!") == 0);
 	/* one item in block of four is not allowed */
 	memset(target, 0, sizeof(target));
 	result = sldns_b64url_pton(u4, strlen(u4), (uint8_t*)target, tarsize);
 	unit_assert(result == -1);
 }
 void
 ldns_test(void)
 {
 	unit_show_feature("sldns");
 	rr_tests();
 	b64_test();
 }
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@ -839,6 +839,52 @@ static void respip_test(void)
 	respip_conf_actions_test();
 }
 #include "services/outside_network.h"
 /** add number of new IDs to the reuse tree, randomly chosen */
 static void tcpid_addmore(struct reuse_tcp* reuse,
 	struct outside_network* outnet, unsigned int addnum)
 {
 	unsigned int i;
 	struct waiting_tcp* w;
 	for(i=0; i<addnum; i++) {
 		uint16_t id = reuse_tcp_select_id(reuse, outnet);
 		unit_assert(!reuse_tcp_by_id_find(reuse, id));
 		w = calloc(1, sizeof(*w));
 		unit_assert(w);
 		w->id = id;
 		w->outnet = outnet;
 		w->next_waiting = (void*)reuse->pending;
 		reuse_tree_by_id_insert(reuse, w);
 	}
 }
 /** fill up the reuse ID tree and test assertions */
 static void tcpid_fillup(struct reuse_tcp* reuse,
 	struct outside_network* outnet)
 {
 	int t, numtest=3;
 	for(t=0; t<numtest; t++) {
 		rbtree_init(&reuse->tree_by_id, reuse_id_cmp);
 		tcpid_addmore(reuse, outnet, 65535);
 		reuse_del_readwait(&reuse->tree_by_id);
 	}
 }
 /** test TCP ID selection */
 static void tcpid_test(void)
 {
 	struct pending_tcp pend;
 	struct outside_network outnet;
 	unit_show_func("services/outside_network.c", "reuse_tcp_select_id");
 	memset(&pend, 0, sizeof(pend));
 	pend.reuse.pending = &pend;
 	memset(&outnet, 0, sizeof(outnet));
 	outnet.rnd = ub_initstate(NULL);
 	rbtree_init(&pend.reuse.tree_by_id, reuse_id_cmp);
 	tcpid_fillup(&pend.reuse, &outnet);
 	ub_randfree(outnet.rnd);
 }
 void unit_show_func(const char* file, const char* func)
 {
 	printf("test %s:%s\n", file, func);
@ -907,6 +953,7 @@ main(int argc, char* argv[])
 	infra_test();
 	ldns_test();
 	msgparse_test();
 	tcpid_test();
 #ifdef CLIENT_SUBNET
 	ecs_test();
 #endif /* CLIENT_SUBNET */
--- a/testdata/auth_zonefile_down.rpl
+++ b/testdata/auth_zonefile_down.rpl
@ -1,6 +1,12 @@
 ; config options
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	; Options for signed zone. The zone is partially copied from val_negcache_nxdomain.rpl
 	trust-anchor: "testzone.nlnetlabs.nl.	IN	DS	2926 8 2 6f8512d1e82eecbd684fc4a76f39f8c5b411af385494873bdead663ddb78a88b"
 	val-override-date: "20180213111425"
 	qname-minimisation: "no"
 	trust-anchor-signaling: no
 	aggressive-nsec: yes
 auth-zone:
 	name: "example.com."
@ -41,6 +47,50 @@ ns1	3600	IN	A	1.2.3.4
 ns2	3600	IN	AAAA	::2
 TEMPFILE_END
 auth-zone:
 	name: "soa.high.com."
 	for-downstream: yes
 	for-upstream: no
 	zonefile:
 TEMPFILE_NAME soa.high.com
 TEMPFILE_CONTENTS soa.high.com
 $ORIGIN high.com.
 soa	500	IN	SOA	dns.example.de. hostmaster.dns.example.de. (
 		1379078166 28800 7200 604800 200 )
 	3600	IN	NS	ns1.example.com.
 	3600	IN	NS	ns2.example.com.
 TEMPFILE_END
 auth-zone:
 	name: "soa.low.com."
 	for-downstream: yes
 	for-upstream: no
 	zonefile:
 TEMPFILE_NAME soa.low.com
 TEMPFILE_CONTENTS soa.low.com
 $ORIGIN low.com.
 soa	200	IN	SOA	dns.example.de. hostmaster.dns.example.de. (
 		1379078166 28800 7200 604800 500 )
 	3600	IN	NS	ns1.example.com.
 	3600	IN	NS	ns2.example.com.
 TEMPFILE_END
 auth-zone:
 	name: "testzone.nlnetlabs.nl."
 	for-downstream: yes
 	for-upstream: no
 	zonefile:
 TEMPFILE_NAME testzone.nlnetlabs.nl
 TEMPFILE_CONTENTS testzone.nlnetlabs.nl
 $ORIGIN testzone.nlnetlabs.nl.
 testzone.nlnetlabs.nl.  3600    IN      NSEC    alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY
 testzone.nlnetlabs.nl.  3600    IN      RRSIG   NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0=
 alligator.testzone.nlnetlabs.nl.        3600    IN      NSEC    cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC
 alligator.testzone.nlnetlabs.nl.        3600    IN      RRSIG   NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI=
 testzone.nlnetlabs.nl.  4600    IN      SOA     ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
 testzone.nlnetlabs.nl.  4600    IN      RRSIG   SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0=
 TEMPFILE_END
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
@ -50,7 +100,7 @@ SCENARIO_BEGIN Test authority zone with zonefile for downstream responses
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
+	ADDRESS 193.0.14.129
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@ -182,4 +232,109 @@ SECTION ANSWER
 www.example.com. IN A	1.2.3.4
 ENTRY_END
 ; check SOA TTL to be the minimum of the SOA.minimum and the SOA TTL
 STEP 30 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 nonexistent.soa.high.com. IN A
 ENTRY_END
 STEP 31 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD RA AA NXDOMAIN
 SECTION QUESTION
 nonexistent.soa.high.com IN A
 SECTION AUTHORITY
 soa.high.com. 200 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 200
 ENTRY_END
 ; check that the original SOA is also returned
 STEP 32 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 soa.high.com. IN SOA
 ENTRY_END
 STEP 33 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD RA AA NOERROR
 SECTION QUESTION
 soa.high.com. IN SOA
 SECTION ANSWER
 soa.high.com. 500 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 200
 ENTRY_END
 ; check SOA TTL to be the minimum of the SOA.minimum and the SOA TTL
 STEP 40 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 nonexistent.soa.low.com. IN A
 ENTRY_END
 STEP 41 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD RA AA NXDOMAIN
 SECTION QUESTION
 nonexistent.soa.low.com. IN A
 SECTION AUTHORITY
 soa.low.com. 200 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 500
 ENTRY_END
 ; check that the original SOA is also returned
 STEP 42 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 soa.low.com. IN SOA
 ENTRY_END
 STEP 43 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD RA AA NOERROR
 SECTION QUESTION
 soa.low.com. IN SOA
 SECTION ANSWER
 soa.low.com. 200 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 500
 ENTRY_END
 ; check SOA TTL to be minimum of the SOA.minimum and the SOA TTL for DNSSEC
 STEP 50 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 ant.testzone.nlnetlabs.nl. IN A
 ENTRY_END
 STEP 51 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD DO RA AA NXDOMAIN
 SECTION QUESTION
 ant.testzone.nlnetlabs.nl. IN A
 SECTION AUTHORITY
 testzone.nlnetlabs.nl.  3600    IN      SOA     ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
 testzone.nlnetlabs.nl.  3600    IN      RRSIG   SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0=
 alligator.testzone.nlnetlabs.nl.        3600    IN      NSEC    cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC
 alligator.testzone.nlnetlabs.nl.        3600    IN      RRSIG   NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI=
 testzone.nlnetlabs.nl.  3600    IN      NSEC    alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY
 testzone.nlnetlabs.nl.  3600    IN      RRSIG   NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0=
 ENTRY_END
 ; check that the original SOA is also returned
 STEP 52 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 testzone.nlnetlabs.nl. IN SOA
 ENTRY_END
 STEP 53 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all ttl
 REPLY QR RD DO RA AA NOERROR
 SECTION QUESTION
 testzone.nlnetlabs.nl. IN SOA
 SECTION ANSWER
 testzone.nlnetlabs.nl.  4600    IN      SOA     ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
 testzone.nlnetlabs.nl.  4600    IN      RRSIG   SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0=
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_anchor.rpl
+++ b/testdata/dlv_anchor.rpl
@ -1,279 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with DLV anchor
 ; positive response for DLV.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; DLV query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net.example.com. IN DLV
 SECTION ANSWER
 example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; www.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_ask_higher.rpl
+++ b/testdata/dlv_ask_higher.rpl
@ -1,354 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with DLV where it needs to ask higher up in dlv.
 ; at first negative DLV response, it needs to ask higher.
 ; the SOA record in that negative response has a big span (if interpreted as NSEC)
 ; then a positive response for DLV.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; failed DLV query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NXDOMAIN
 SECTION QUESTION
 sub.example.net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.net.example.com IN NSEC not.example.com. RRSIG NSEC DLV
 example.net.example.com.	3600	IN	RRSIG	NSEC 3 4 3600 20070926134150 20070829134150 2854 example.com. AKz/e6KOw8gCx6wnpIatBwKb0WOPBTWmNNMg91XR/wlJQ9Z2+qICPmA= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 SECTION ADDITIONAL
 ENTRY_END
 ; DLV query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net.example.com. IN DLV
 SECTION ANSWER
 example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; www.sub.example.net query
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.net. IN A
 SECTION ANSWER
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	DS	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
 sub.example.net.	3600	IN	RRSIG	DS 5 3 3600 20070926134150 20070829134150 30899 example.net. nM5HAlRsrLurc5mUNKwCye5X6LSH53pLgSeyni4wb6Jd2J48ZRWwrVvy7IpyvI75+Wlu3aGOjv/kEyVaizChRQ== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ENTRY_END
 RANGE_END
 ; ns.sub.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.6
 ; DS
 ; sub.example.net.	3600	IN	DS	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.net. IN DNSKEY
 SECTION ANSWER
 sub.example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 sub.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. PATh0K1jz9QeN02C79noX9gwK+Nr5VznWPQwygm/pYDsOb0z3EsaiOrzyoreegDKgoNn3kN0CywS+usCWM6hrw== ;{id = 30899}
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.net. IN NS
 SECTION ANSWER
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 ; www.sub.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.sub.example.net. IN A
 SECTION ANSWER
 www.sub.example.net.	3600	IN	A	10.20.30.40
 www.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. Q+88AIM3K8q6S0bHeFVT742EepZFxOxgtaL1V68DEkP4NePKzL4zttWQD3uI/5ALw/fIrC7G43Eo+epWn2ZGCA== ;{id = 30899}
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.sub.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.sub.example.net. IN A
 SECTION ANSWER
 www.sub.example.net.	3600	IN	A	10.20.30.40
 www.sub.example.net.    3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. Q+88AIM3K8q6S0bHeFVT742EepZFxOxgtaL1V68DEkP4NePKzL4zttWQD3uI/5ALw/fIrC7G43Eo+epWn2ZGCA== ;{id = 30899}
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.        3600    IN      RRSIG   NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.     3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_below_ta.rpl
+++ b/testdata/dlv_below_ta.rpl
@ -1,355 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	trust-anchor: "example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator, use DLV for nonDSed zone below trustanchor.
 ; DLV example.com.
 ; trust anchor at example.net but no secure delegation to
 ; sub.example.net  signed with DLV but not by parent.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; DLV query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.net.example.com. IN DLV
 SECTION ANSWER
 sub.example.net.example.com.	3600	IN	DLV	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
 sub.example.net.example.com.	3600	IN	RRSIG	DLV 3 5 3600 20070926135752 20070829135752 2854 example.com. AAdhy87nuDEaxmc+k9pJHYnhKiEYL++OLPxzOdwEQOtsHi7jeD3lRDU= ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC sub.example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. ALITtZY03PDWnuAeEL/5VwMIXY3iC2y7Qkeq5DgAHmPbNyWiOmJNEKg= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC sub.example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. ALITtZY03PDWnuAeEL/5VwMIXY3iC2y7Qkeq5DgAHmPbNyWiOmJNEKg= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; no DS to sub.example.net, securely insecure.
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id 
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.net. IN DS
 SECTION ANSWER
 SECTION AUTHORITY
 example.net. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.net.	3600	IN	RRSIG	SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. ELVULZHTRc0Qk06rSBRnB/T6sm1+AbAtdEJHN6PCsz2Z3s3E5A8NH7Krz0VzRaYIEUStnbAtuE3oP8XHWHBnyQ== ;{id = 30899}
 sub.example.net.	IN NSEC tut.example.net. NS NSEC
 sub.example.net.	3600	IN	RRSIG	NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. eNJ2OPjMhGKvg70aYT9l9Uo1lJsqmDqVRMlHibv6t+CNjljytI9Vwbao17oV0cjIksmESAewReb73x9fmVIgEQ== ;{id = 30899}
 SECTION ADDITIONAL
 ENTRY_END
 ; delegation to sub.example.net, securely insecure.
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.net. IN NS
 SECTION ANSWER
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	IN NSEC tut.example.net. NS NSEC
 sub.example.net.	3600	IN	RRSIG	NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. eNJ2OPjMhGKvg70aYT9l9Uo1lJsqmDqVRMlHibv6t+CNjljytI9Vwbao17oV0cjIksmESAewReb73x9fmVIgEQ== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ENTRY_END
 RANGE_END
 ; ns.sub.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.6
 ; DS is
 ; sub.example.net.	3600	IN	DS	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
 ; DNSKEY query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 sub.example.net. IN DNSKEY
 SECTION ANSWER
 sub.example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 sub.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. PATh0K1jz9QeN02C79noX9gwK+Nr5VznWPQwygm/pYDsOb0z3EsaiOrzyoreegDKgoNn3kN0CywS+usCWM6hrw== ;{id = 30899}
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 sub.example.net. IN NS
 SECTION ANSWER
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 ; www.sub.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 www.sub.example.net. IN A
 SECTION ANSWER
 www.sub.example.net. IN A 10.20.30.40
 www.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. Q+88AIM3K8q6S0bHeFVT742EepZFxOxgtaL1V68DEkP4NePKzL4zttWQD3uI/5ALw/fIrC7G43Eo+epWn2ZGCA== ;{id = 30899}
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.sub.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.sub.example.net. IN A
 SECTION ANSWER
 www.sub.example.net. IN A 10.20.30.40
 www.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. Q+88AIM3K8q6S0bHeFVT742EepZFxOxgtaL1V68DEkP4NePKzL4zttWQD3uI/5ALw/fIrC7G43Eo+epWn2ZGCA== ;{id = 30899}
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_delegation.rpl
+++ b/testdata/dlv_delegation.rpl
@ -1,335 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with delegation in DLV repository
 ; positive response for DLV.
 ; but the DLV repository has a (secure) delegation inside it.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; referral to the net.example.com DLV server
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 net.example.com. NS ns.net.example.com.
 net.example.com.	3600	IN	DS	2854 3 1 24d80cd822bc4083cf491b7f055890345a77dd9b ; xenat-myfat-memir-sabym-fefig-nakol-zucyh-megef-gakel-lolyn-ruxox
 net.example.com.	3600	IN	RRSIG	DS 3 3 3600 20070926134150 20070829134150 2854 example.com. AA0APyTN12wzj1XmDEZe+wrPE1hkLAINKT8cT9zGup7zX3O8R4Ki2N8= ;{id = 2854}
 SECTION ADDITIONAL
 ns.net.example.com. A 1.2.3.6
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AJEvfI+tX6Y1OF0h1CNHERJjXaaTsmLWTMLgXk4UYJl8JjAikCpsf9Q= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.net.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.6
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN NS
 SECTION ANSWER
 net.example.com. NS ns.net.example.com.
 net.example.com.	3600	IN	RRSIG	NS 3 3 3600 20070926134150 20070829134150 2854 net.example.com. AHjTvB20SzZVV9P3LXJ6lVzFWCoDk7T71VHllOwmom3a/EutlUpsgNM= ;{id = 2854}
 SECTION ADDITIONAL
 ns.net.example.com. A 1.2.3.6
 ns.net.example.com.	3600	IN	RRSIG	A 3 4 3600 20070926134150 20070829134150 2854 net.example.com. AE2wjNCJayCBi6e8QAGwgujdMC2LbVWQVbQCuQx+grjoQJXQxxpFB5I= ;{id = 2854}
 ENTRY_END
 ; DNSKEY query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DNSKEY
 SECTION ANSWER
 net.example.com.        3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 net.example.com.	3600	IN	RRSIG	DNSKEY 3 3 3600 20070926134150 20070829134150 2854 net.example.com. ADgKDV1Yi2iFOXFUN1XkvBU7KW/rdtGcOEdc9VMIxfIKDo5h24E5fqs= ;{id = 2854}
 SECTION AUTHORITY
 net.example.com. NS ns.net.example.com.
 net.example.com.	3600	IN	RRSIG	NS 3 3 3600 20070926134150 20070829134150 2854 net.example.com. AHjTvB20SzZVV9P3LXJ6lVzFWCoDk7T71VHllOwmom3a/EutlUpsgNM= ;{id = 2854}
 SECTION ADDITIONAL
 ns.net.example.com. A 1.2.3.6
 ns.net.example.com.	3600	IN	RRSIG	A 3 4 3600 20070926134150 20070829134150 2854 net.example.com. AE2wjNCJayCBi6e8QAGwgujdMC2LbVWQVbQCuQx+grjoQJXQxxpFB5I= ;{id = 2854}
 ENTRY_END
 ; DLV apex
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 net.example.com. SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 net.example.com.	3600	IN	RRSIG	SOA 3 3 3600 20070926134150 20070829134150 2854 net.example.com. AKAjedAeGWRHaqhDhNhbTvVUQMgCspiD4GNC7dMVbEZSd87AFcqwg1Y= ;{id = 2854}
 net.example.com. NSEC example.net.example.com. SOA NS DNSKEY RRSIG NSEC
 net.example.com.	3600	IN	RRSIG	NSEC 3 3 3600 20070926134150 20070829134150 2854 net.example.com. AAHqj3xDqng7ZuNFn89sTjTo2qfuXTv0yR6v8mZ1+L5mCsOwjpGXrJw= ;{id = 2854}
 SECTION ADDITIONAL
 ENTRY_END
 ; DLV of interest
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net.example.com. IN DLV
 SECTION ANSWER
 example.net.example.com.        3600    IN      DLV     30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 net.example.com. AIZmoTbAlXYwLknm84i7sbglbHr1Iq7t0yyTENO/MsPj7K/mvEQAI/g= ;{id = 2854}
 SECTION AUTHORITY
 net.example.com. NS ns.net.example.com.
 net.example.com.	3600	IN	RRSIG	NS 3 3 3600 20070926134150 20070829134150 2854 net.example.com. AHjTvB20SzZVV9P3LXJ6lVzFWCoDk7T71VHllOwmom3a/EutlUpsgNM= ;{id = 2854}
 SECTION ADDITIONAL
 ns.net.example.com. A 1.2.3.6
 ns.net.example.com.	3600	IN	RRSIG	A 3 4 3600 20070926134150 20070829134150 2854 net.example.com. AE2wjNCJayCBi6e8QAGwgujdMC2LbVWQVbQCuQx+grjoQJXQxxpFB5I= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; www.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_ds_lookup.rpl
+++ b/testdata/dlv_ds_lookup.rpl
@ -1,281 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with DLV anchor for a DS lookup.
 ; positive response for DLV.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DS
 SECTION AUTHORITY
 net.			900	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1251367385 1800 900 604800 86400
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; DLV query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net.example.com. IN DLV
 SECTION ANSWER
 example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; www.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 example.net. IN DS
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO NOERROR
 SECTION QUESTION
 example.net. IN DS
 SECTION AUTHORITY
 net.			900	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1251367385 1800 900 604800 86400
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_insecure.rpl
+++ b/testdata/dlv_insecure.rpl
@ -1,254 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	harden-referral-path: no
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with insecure zone with no DLV 
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; DLV query
 ; could be picked out of the negative cache due to NS queries in between.
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 www.example.net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ENTRY_END
 ; www.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_insecure_negcache.rpl
+++ b/testdata/dlv_insecure_negcache.rpl
@ -1,311 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	harden-referral-path: no
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with insecure zone, no DLV from negative cache
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 300
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; DLV query
 ; could be picked out of the negative cache due to NS queries in between.
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 www.example.net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 zoink.name.example.com IN NSEC zazz.net.example.com. RRSIG NSEC DLV
 zoink.name.example.com. 3600    IN      RRSIG   NSEC 3 4 3600 20070926134150 20070829134150 2854 example.com. AHipxvshRHglCEN4nZCT4m/4RIj8TrCOE2AsqEoH9e+6OYSo+yuNzzo= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 zoink.name.example.com IN NSEC zazz.net.example.com. RRSIG NSEC DLV
 zoink.name.example.com. 3600    IN      RRSIG   NSEC 3 4 3600 20070926134150 20070829134150 2854 example.com. AHipxvshRHglCEN4nZCT4m/4RIj8TrCOE2AsqEoH9e+6OYSo+yuNzzo= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC frump.aqua.example.com. SOA NS RRSIG NSEC DNSKEY
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AAscY9DfNm3Uy8f8Q4WX6AzR0flHYNSr3fKfgQ0Xc20fzj1lGP9ebfk= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 300
 	ADDRESS 1.2.3.5
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ENTRY_END
 ; www.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	10	IN	A	10.20.30.40
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	10	IN	A	10.20.30.40
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ENTRY_END
 STEP 150 TIME_PASSES ELAPSE 30
 ; no more DLV authority reachable
 STEP 200 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
 STEP 210 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	10	IN	A	10.20.30.40
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ENTRY_END
 STEP 220 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 net. IN NS
 ENTRY_END
 STEP 230 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_keyretry.rpl
+++ b/testdata/dlv_keyretry.rpl
@ -1,287 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with DLV anchor and subsequently key retries
 ; positive response for DLV.  But the DNSKEY for the target fails validation.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; DLV query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net.example.com. IN DLV
 SECTION ANSWER
 example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 ; expired signature
 example.net.	3600	IN	RRSIG	DNSKEY 5 2 3600 20050926134150 20050829134150 30899 example.net. ydM0/eWMqFn4RxMTbscdSLU7bJNoPuzjCa0eI7HSV/r/54slSGvkl0fmwqrROl1tpc0YMV6kAzgB1T5lJbvdsA== ;{id = 30899}
 ; good signature:
 ;example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; AAAA for nameserver (for dnssec retry) query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION AUTHORITY
 example.net. IN SOA . . 2007091300 28800 7200 604800 3600
 example.net.	3600	IN	RRSIG	SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. MrpP4svNpbN/YKhuYRlNbvNg0yVxn4ywW1tyEFA9v6F7BR6k1pP8iPfN5XV+XWPAmbss9h3fwKq8zNs4F/SPkg== ;{id = 30899}
 ns.example.net. IN NSEC ppp.example.net. A RRSIG NSEC
 ns.example.net.	3600	IN	RRSIG	NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. freWP6rXWsU5iyRE2gIM9rICuBxCYlQSW01GkLPez5czqtEL0hHN8vtjTlfoNxjJjiZj3vAavZDIQGgOOOMIsA== ;{id = 30899}
 ENTRY_END
 ; www.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO SERVFAIL
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_negnx.rpl
+++ b/testdata/dlv_negnx.rpl
@ -1,405 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with DLV anchor for negcache nxdomain proof
 ; put a DLV in the negcache.
 ; then test ask-higher with that in the cache.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; DLV query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net.example.com. IN DLV
 SECTION ANSWER
 example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; under example.net in DLV
 ENTRY_BEGIN
 MATCH opcode qtype subdomain
 ADJUST copy_id copy_query
 REPLY QR NXDOMAIN
 SECTION QUESTION
 example.net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.net.example.com.	3600	IN 	NSEC fru.net.example.com. RRSIG NSEC DLV
 example.net.example.com.	3600	IN	RRSIG	NSEC 3 4 3600 20070926134150 20070829134150 2854 example.com. AI6NNKt4dGcAdCrW73GYwyoqelsdj1dd8mBNPpHRQIL0yp7yYFZ7kXU= ;{id = 2854}
 example.com. IN SOA . . 1 2 3 4 5
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AIkRPbv+kZaiG61pH/wQy8fX2UqQS5YRwHaxe4yjEUXk59fgO71Db3s= ;{id = 2854}
 SECTION ADDITIONAL
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 ; have it flushed out of the cache quickly.
 example.net.    0    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 example.net.    0    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; www.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; subzone
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 sub1.example.net. IN A
 SECTION ANSWER
 SECTION AUTHORITY
 sub1.example.net.	3600	IN	DS	30899 5 1 8916603e54c6f7edcfd885602e3b7b8dc475ba5c ; xodec-komif-vehis-kotav-tefot-mecyk-biryf-rivym-ticol-huvyh-saxox
 sub1.example.net.	3600	IN	RRSIG	DS 5 3 3600 20070926134150 20070829134150 30899 example.net. A3vVrEY3+oIUqdbAa3tkKaU3o47eBD01hVXfAEAue1M+Uci2PA5YyiulLzStyiP75XUXkvubLQ2+ltKMTtfdag== ;{id = 30899}
 sub1.example.net. IN NS ns.sub1.example.net.
 SECTION ADDITIONAL
 ns.sub1.example.net. IN A 1.2.3.10
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 sub2.example.net. IN A
 SECTION ANSWER
 SECTION AUTHORITY
 sub2.example.net.	3600	IN	DS	30899 5 1 627f7a51f1545133fec3ecbd19b85b92b15679c9 ; ximil-zovah-casuh-gygef-fyzas-farir-tikir-mukon-disih-kavus-nyxex
 sub2.example.net.	3600	IN	RRSIG	DS 5 3 3600 20070926134150 20070829134150 30899 example.net. azMXKt4VPHj2hk5MDU6h8E/HOtNnHnIVS6Le3BV43wtJcHG5wlCxOksOZBOpXMkpbWLvbCJOOMPOnh31nlbjgg== ;{id = 30899}
 sub2.example.net. IN NS ns.sub2.example.net.
 SECTION ADDITIONAL
 ns.sub2.example.net. IN A 1.2.3.12
 ENTRY_END
 RANGE_END
 ; sub1.example.net.
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.10
 ; DNSKEY query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 sub1.example.net. IN DNSKEY
 SECTION ANSWER
 sub1.example.net.       3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 sub1.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub1.example.net. E200eTdRnkL7/fk54i1nXEE9a/rC2GxZfVkWMU044tpwV6d4XRxVhlFBzY4FytbRFFBUDhz7L3B0qC6BXJM8rg== ;{id = 30899}
 ENTRY_END
 ; www query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.sub1.example.net. IN A
 SECTION ANSWER
 www.sub1.example.net. IN A 192.168.1.1
 www.sub1.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub1.example.net. JKxcjPjc/TsQmUmCYHLQa3cBk1c+SbDPtVml69nDWC167NNWG8OLjLrLtUBVCfbTzCmqOWXq2qhrGPxjO65GCQ== ;{id = 30899}
 ENTRY_END
 RANGE_END
 ; sub2.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.12
 ; DNSKEY query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 sub2.example.net. IN DNSKEY
 SECTION ANSWER
 sub2.example.net.       3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 sub2.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub2.example.net. VcNaPuz9Mmjj5ofZqOa4FsixBomFJTjd/9wxhZOVdxf1LsNR5L++8k09gQvnjtCvqSPfNer/uv0xl+9sRr8Wmw== ;{id = 30899}
 ENTRY_END
 ; www query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.sub2.example.net. IN A
 SECTION ANSWER
 www.sub2.example.net. IN A 192.168.1.12
 www.sub2.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub2.example.net. PsWY6+5/0+hsTOhNak/jdSeG44hvHgX5az1Q5XY/YkIchsflH9rmvP1EruFhflNhRR+22M7POiljYOoD5ylQXQ== ;{id = 30899}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.sub1.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.sub1.example.net. IN A
 SECTION ANSWER
 www.sub1.example.net. IN A 192.168.1.1
 www.sub1.example.net.   3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub1.example.net. JKxcjPjc/TsQmUmCYHLQa3cBk1c+SbDPtVml69nDWC167NNWG8OLjLrLtUBVCfbTzCmqOWXq2qhrGPxjO65GCQ== ;{id = 30899}
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
 ; have example.net DNSKEY time out
 STEP 14 TIME_PASSES ELAPSE 1.0
 STEP 20 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.sub2.example.net. IN A
 ENTRY_END
 STEP 30 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.sub2.example.net. IN A
 SECTION ANSWER
 www.sub2.example.net. IN A 192.168.1.12
 www.sub2.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub2.example.net. PsWY6+5/0+hsTOhNak/jdSeG44hvHgX5az1Q5XY/YkIchsflH9rmvP1EruFhflNhRR+22M7POiljYOoD5ylQXQ== ;{id = 30899}
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_optout.rpl
+++ b/testdata/dlv_optout.rpl
@ -1,440 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	trust-anchor: "example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator, DLV to zone below optout, check negative cache.
 ; DLV example.com.
 ; trust anchor at example.net but no secure delegation to
 ; sub.example.net  signed with DLV but not by parent.
 ; parent uses optout NSEC3.
 ; then a signed delegation to down.sub.example.net.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; DLV query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.net.example.com. IN DLV
 SECTION ANSWER
 sub.example.net.example.com.	3600	IN	DLV	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
 sub.example.net.example.com.	3600	IN	RRSIG	DLV 3 5 3600 20070926135752 20070829135752 2854 example.com. AAdhy87nuDEaxmc+k9pJHYnhKiEYL++OLPxzOdwEQOtsHi7jeD3lRDU= ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 down.sub.example.net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 sub.example.net.example.com. IN NSEC zzz.example.net.example.com. RRSIG NSEC DLV
 sub.example.net.example.com.	3600	IN	RRSIG	NSEC 3 5 3600 20070926134150 20070829134150 2854 example.com. AG/M+H/lex1CMTIuO+JpdmTjCzt7XBsLtRLPDfYTykhxnnECzZwkMnQ= ;{id = 2854}
 SECTION ADDITIONAL
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC sub.example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. ALITtZY03PDWnuAeEL/5VwMIXY3iC2y7Qkeq5DgAHmPbNyWiOmJNEKg= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC sub.example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. ALITtZY03PDWnuAeEL/5VwMIXY3iC2y7Qkeq5DgAHmPbNyWiOmJNEKg= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; no DS to sub.example.net, optout NSEC3.
 ; NSEC3PARAM 1 1 31 DE15C001
 ; example.net. 		-> hk4jq0lg6q3bt992urc88dqten1k2be8.
 ; sub.example.net. 	-> ecs17hqd0kf7dk9g1cjvevj25pginrf2.
 ; *.example.net. 	-> 1tgbedpeeuubbsejh2dqvso62f8n4dk1.
 ; down.sub.example.net. -> 9j1r8re9b1238vd907tilclgat1i0fre.
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id 
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.net. IN DS
 SECTION ANSWER
 SECTION AUTHORITY
 example.net. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.net.	3600	IN	RRSIG	SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. ELVULZHTRc0Qk06rSBRnB/T6sm1+AbAtdEJHN6PCsz2Z3s3E5A8NH7Krz0VzRaYIEUStnbAtuE3oP8XHWHBnyQ== ;{id = 30899}
 ; CE is example.net
 hk4jq0lg6q3bt992urc88dqten1k2be8.example.net. IN NSEC3 1 1 31 DE15C001 hl4jq0lg6q3bt992urc88dqten1k2be8 NS SOA NAPTR RRSIG DNSKEY NSEC3PARAM
 hk4jq0lg6q3bt992urc88dqten1k2be8.example.net.	3600	IN	RRSIG	NSEC3 5 3 3600 20070926134150 20070829134150 30899 example.net. n1dQKbRoB+X4K003RAhdUp6ZUP5dCiwQi+apGfLII8wmCUmw/cKiz7/Ijhs/+88hZwq/7yhlZM0D/yqAUKUiAA== ;{id = 30899}
 ; NC covers sub.example.net
 ebs17hqd0kf7dk9g1cjvevj25pginrf2.example.net. IN NSEC3 1 1 31 de15c001 efs17hqd0kf7dk9g1cjvevj25pginrf2 A RRSIG
 ebs17hqd0kf7dk9g1cjvevj25pginrf2.example.net.	3600	IN	RRSIG	NSEC3 5 3 3600 20070926134150 20070829134150 30899 example.net. oSVB7Dyp7/yaOlT8AFwBJZdqwRRSQ8XFzCpu1AP51JPIuhCg5byepdvY6UC3xXc7YVO6h74tpxFCGqLpRXwDoQ== ;{id = 30899}
 SECTION ADDITIONAL
 ENTRY_END
 ; delegation to sub.example.net, optout NSEC3.
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.net. IN NS
 SECTION ANSWER
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 hk4jq0lg6q3bt992urc88dqten1k2be8.example.net. IN NSEC3 1 1 31 DE15C001 hl4jq0lg6q3bt992urc88dqten1k2be8 NS SOA NAPTR RRSIG DNSKEY NSEC3PARAM
 hk4jq0lg6q3bt992urc88dqten1k2be8.example.net.	3600	IN	RRSIG	NSEC3 5 3 3600 20070926134150 20070829134150 30899 example.net. n1dQKbRoB+X4K003RAhdUp6ZUP5dCiwQi+apGfLII8wmCUmw/cKiz7/Ijhs/+88hZwq/7yhlZM0D/yqAUKUiAA== ;{id = 30899}
 ebs17hqd0kf7dk9g1cjvevj25pginrf2.example.net. IN NSEC3 1 1 31 de15c001 efs17hqd0kf7dk9g1cjvevj25pginrf2 A RRSIG
 ebs17hqd0kf7dk9g1cjvevj25pginrf2.example.net.	3600	IN	RRSIG	NSEC3 5 3 3600 20070926134150 20070829134150 30899 example.net. oSVB7Dyp7/yaOlT8AFwBJZdqwRRSQ8XFzCpu1AP51JPIuhCg5byepdvY6UC3xXc7YVO6h74tpxFCGqLpRXwDoQ== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ENTRY_END
 RANGE_END
 ; ns.sub.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.6
 ; DS is
 ; sub.example.net.	3600	IN	DS	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
 ; DNSKEY query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 sub.example.net. IN DNSKEY
 SECTION ANSWER
 sub.example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 sub.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. PATh0K1jz9QeN02C79noX9gwK+Nr5VznWPQwygm/pYDsOb0z3EsaiOrzyoreegDKgoNn3kN0CywS+usCWM6hrw== ;{id = 30899}
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 sub.example.net. IN NS
 SECTION ANSWER
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 ; www.sub.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 www.sub.example.net. IN A
 SECTION ANSWER
 www.sub.example.net. IN A 10.20.30.40
 www.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. Q+88AIM3K8q6S0bHeFVT742EepZFxOxgtaL1V68DEkP4NePKzL4zttWQD3uI/5ALw/fIrC7G43Eo+epWn2ZGCA== ;{id = 30899}
 SECTION AUTHORITY
 sub.example.net.    IN NS   ns.sub.example.net.
 sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.sub.example.net.         IN      A       1.2.3.6
 ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
 ENTRY_END
 ; DS for down.sub.example.net
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 down.sub.example.net. IN DS
 SECTION ANSWER
 down.sub.example.net.   3600    IN      DS      60946 5 1 c636304ab7cdb6272215aceac95a8d312ac7a4f6 
 down.sub.example.net.	3600	IN	RRSIG	DS 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AMc8J534UF2+0PtPSNBw6RzN4Q5gXfnBXiUfpuT/MR1YtOE/5AP/0dTgvqvKRiFZx3NjOPeZmRnaabxkw0Qzrw== ;{id = 30899}
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
 ; delegation to down.sub.example.net
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 down.sub.example.net. IN NS
 SECTION ANSWER
 SECTION AUTHORITY
 down.sub.example.net. IN NS ns.down.sub.example.net.
 ; the DS record is not given (like it was parent and child hosted on the same
 ; server)
 ;down.sub.example.net.   3600    IN      DS      60946 5 1 c636304ab7cdb6272215aceac95a8d312ac7a4f6 
 ;down.sub.example.net.	3600	IN	RRSIG	DS 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AMc8J534UF2+0PtPSNBw6RzN4Q5gXfnBXiUfpuT/MR1YtOE/5AP/0dTgvqvKRiFZx3NjOPeZmRnaabxkw0Qzrw== ;{id = 30899}
 SECTION ADDITIONAL
 ns.down.sub.example.net. IN A 1.2.3.7
 ENTRY_END
 RANGE_END
 ; ns.down.sub.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.7
 ; DNSKEY query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 down.sub.example.net. IN DNSKEY
 SECTION ANSWER
 down.sub.example.net.	3600	IN	DNSKEY	257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b}
 down.sub.example.net.	3600	IN	RRSIG	DNSKEY 5 4 3600 20070926134150 20070829134150 60946 down.sub.example.net. lK5HNva/IPw0CS9BfBd16fqm5y9bgCSwGsBLBAA1d5SCcKep6AVrv6NFuXl12d1G3MdQ4ruHi6eDDO5dhtkfrw== ;{id = 60946}
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
 ; www.down.sub.example.net.
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 www.down.sub.example.net. IN A
 SECTION ANSWER
 www.down.sub.example.net. IN A 10.20.30.44
 www.down.sub.example.net.	3600	IN	RRSIG	A 5 5 3600 20070926134150 20070829134150 60946 down.sub.example.net. Hg5WF/xW8PRth2rl1mZcYK8/pgGpM73e/fD+mH/XElEKgL9zq0ou8psA0I6OvMLGBN6RQeknQHRAy3D2/5k/Wg== ;{id = 60946}
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.down.sub.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.down.sub.example.net. IN A
 SECTION ANSWER
 www.down.sub.example.net. IN A 10.20.30.44
 www.down.sub.example.net.	3600	IN	RRSIG	A 5 5 3600 20070926134150 20070829134150 60946 down.sub.example.net. Hg5WF/xW8PRth2rl1mZcYK8/pgGpM73e/fD+mH/XElEKgL9zq0ou8psA0I6OvMLGBN6RQeknQHRAy3D2/5k/Wg== ;{id = 60946}
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_remove.rpl
+++ b/testdata/dlv_remove.rpl
@ -1,198 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	fake-sha1: yes
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with DLV anchor but DLV domain is down
 ; so DLV has been decommissioned.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode
 ADJUST copy_id copy_query
 REPLY QR SERVFAIL
 SECTION QUESTION
 example.com. IN NS
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; www.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO SERVFAIL
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_remove_empty.rpl
+++ b/testdata/dlv_remove_empty.rpl
@ -1,272 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	fake-sha1: yes
 	minimal-responses: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with DLV and DLV repository is empty.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; DLV query, everything is NXDOMAIN
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR AA NXDOMAIN
 SECTION QUESTION
 example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com.	3600	IN	NSEC	example.com. NS SOA RRSIG NSEC DNSKEY 
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AH++lP1qhsBw6zO1g3JVPZeQIpDhL9xT8V9xdgjXvCjIGQ1BUUlfQkA=
 SECTION ADDITIONAL
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; www.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_remove_nodel.rpl
+++ b/testdata/dlv_remove_nodel.rpl
@ -1,276 +0,0 @@
 ; config options
 ; The island of trust is at example.com (the DLV repository)
 server:
 	dlv-anchor: "dlv.example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	fake-sha1: yes
 	minimal-responses: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with DLV and DLV is removed and not delegated
 ; so the response is that the dlv domain itself does not exist, but it's
 ; parent domain does exist (securely).
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN A
 SECTION AUTHORITY
 net.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net. IN NS
 SECTION ANSWER
 net.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.		IN 	A	1.2.3.5
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; DLV query, everything is NXDOMAIN
 ; thus, no delegation to the dlv repository in dlv.example.com
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR AA NXDOMAIN
 SECTION QUESTION
 example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com.	3600	IN	NSEC	example.com. NS SOA RRSIG NSEC DNSKEY 
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AH++lP1qhsBw6zO1g3JVPZeQIpDhL9xT8V9xdgjXvCjIGQ1BUUlfQkA=
 SECTION ADDITIONAL
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 net.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NXDOMAIN
 SECTION QUESTION
 com.example.com. IN DLV
 SECTION ANSWER
 SECTION AUTHORITY
 example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
 example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
 example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
 ENTRY_END
 RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ; DS RR is
 ; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
 ; DNSKEY prime query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN DNSKEY
 SECTION ANSWER
 example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
 example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; NS query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.net. IN NS
 SECTION ANSWER
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 ; www.example.net query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO NOERROR
 SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 www.example.net.	3600	IN	A	10.20.30.40
 www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
 SECTION AUTHORITY
 example.net.    IN NS   ns.example.net.
 example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 SECTION ADDITIONAL
 ns.example.net.         IN      A       1.2.3.5
 ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
 ENTRY_END
 SCENARIO_END
--- a/testdata/dlv_remove_pos.rpl
+++ b/testdata/dlv_remove_pos.rpl
@ -1,167 +0,0 @@
 ; config options
 ; The island of trust is at example.com
 server:
 	dlv-anchor: "dlv.example.net.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 SCENARIO_BEGIN Test validator with DLV removed for positive anchored response
 ; So the destination has a valid DNSSEC chain of trust to the root,
 ; but the configured dlv anchor fails.
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 . IN NS
 SECTION ANSWER
 . IN NS	K.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION AUTHORITY
 com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 ; this covers dlv.example.net and thus makes it servfail (unusable).
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR SERVFAIL
 SECTION QUESTION
 net. IN NS
 ENTRY_END
 RANGE_END
 ; a.gtld-servers.net.
 RANGE_BEGIN 0 100
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 com. IN NS
 SECTION ANSWER
 com.    IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com.    IN NS   ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 example.com. IN DNSKEY
 SECTION ANSWER
 example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
 example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 ; response to query of interest
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
 www.example.com. IN A	10.20.30.40
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
 www.example.com. IN A	10.20.30.40
 www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
 ENTRY_END
 SCENARIO_END
--- a/Show more
+++ b/Show more