diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 000000000..35d7ee94f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,41 @@
+---
+name: Bug report
+about: Create a report to help us improve Unbound
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To reproduce**
+Steps to reproduce the behavior:
+1.
+2.
+3.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**System:**
+ - Unbound version:
+ - OS:
+ - `unbound -V` output:
+
+**Additional information**
+Add any other information that you may have gathered about the issue here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 000000000..e9ca08b7a
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,31 @@
+---
+name: Feature request
+about: Suggest an idea for Unbound
+title: "[FR]"
+labels: ''
+assignees: ''
+
+---
+
+
+
+**Current behavior**
+Is there a current behavior that the feature relates to?
+If yes, would you wish the current behavior to change?
+
+**Describe the desired feature**
+A clear and concise description of what the feature should be.
+
+**Potential use-case**
+Describe how you see this feature being useful to other Unbound users.
diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml
new file mode 100644
index 000000000..fbbdd8018
--- /dev/null
+++ b/.github/workflows/analysis_ports.yml
@@ -0,0 +1,346 @@
+name: Analysis and Ports
+
+on:
+ workflow_dispatch:
+ inputs:
+ start:
+ description: 'Start analysis and port workflow'
+ default: 'yes'
+ required: true
+
+jobs:
+ build:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ include:
+ - name: GCC on Linux
+ os: ubuntu-latest
+ config: "--enable-debug --disable-flto"
+ make_test: "yes"
+ - name: Clang-analyzer
+ os: ubuntu-latest
+ config: "CC=clang --enable-debug --disable-flto --disable-static"
+ make_test: "yes"
+ clang_analysis: "yes"
+ - name: libevent
+ os: ubuntu-latest
+ install_libevent: "yes"
+ config: "CC=clang --enable-debug --disable-flto --with-libevent --disable-static"
+ make_test: "yes"
+ clang_analysis: "yes"
+ - name: OS X
+ os: macos-latest
+ install_expat: "yes"
+ config: "--enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat"
+ make_test: "yes"
+ - name: Clang on OS X
+ os: macos-latest
+ install_expat: "yes"
+ config: "CC=clang --enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat --disable-static"
+ make_test: "yes"
+ clang_analysis: "yes"
+ - name: ubsan (gcc undefined behaviour sanitizer)
+ os: ubuntu-latest
+ config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover=all" --disable-flto --disable-static'
+ make_test: "yes"
+ - name: asan (gcc address sanitizer)
+ os: ubuntu-latest
+ config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static'
+ make_test: "yes"
+ - name: Apple iPhone on iOS, armv7
+ os: macos-latest
+ AUTOTOOLS_HOST: armv7-apple-ios
+ OPENSSL_HOST: ios-cross
+ IOS_SDK: iPhoneOS
+ IOS_CPU: armv7s
+ test_ios: "yes"
+ config: "no"
+ make: "no"
+ - name: Apple iPhone on iOS, arm64
+ os: macos-latest
+ AUTOTOOLS_HOST: aarch64-apple-ios
+ OPENSSL_HOST: ios64-cross
+ IOS_SDK: iPhoneOS
+ IOS_CPU: arm64
+ test_ios: "yes"
+ config: "no"
+ make: "no"
+ - name: Apple TV on iOS, arm64
+ os: macos-latest
+ AUTOTOOLS_HOST: aarch64-apple-ios
+ OPENSSL_HOST: ios64-cross
+ IOS_SDK: AppleTVOS
+ IOS_CPU: arm64
+ test_ios: "yes"
+ config: "no"
+ make: "no"
+ - name: Apple Watch on iOS, armv7
+ os: macos-latest
+ AUTOTOOLS_HOST: armv7-apple-ios
+ OPENSSL_HOST: ios-cross
+ IOS_SDK: WatchOS
+ IOS_CPU: armv7k
+ test_ios: "yes"
+ config: "no"
+ make: "no"
+ - name: iPhoneSimulator on OS X, i386
+ os: macos-latest
+ AUTOTOOLS_HOST: i386-apple-ios
+ OPENSSL_HOST: iphoneos-cross
+ IOS_SDK: iPhoneSimulator
+ IOS_CPU: i386
+ test_ios: "yes"
+ config: "no"
+ make: "no"
+ - name: iPhoneSimulator on OS X, x86_64
+ os: macos-latest
+ AUTOTOOLS_HOST: x86_64-apple-ios
+ OPENSSL_HOST: iphoneos-cross
+ IOS_SDK: iPhoneSimulator
+ IOS_CPU: x86_64
+ test_ios: "yes"
+ config: "no"
+ make: "no"
+ - name: AppleTVSimulator on OS X, x86_64
+ os: macos-latest
+ AUTOTOOLS_HOST: x86_64-apple-ios
+ OPENSSL_HOST: iphoneos-cross
+ IOS_SDK: AppleTVSimulator
+ IOS_CPU: x86_64
+ test_ios: "yes"
+ config: "no"
+ make: "no"
+ - name: WatchSimulator on OS X, i386
+ os: macos-latest
+ AUTOTOOLS_HOST: i386-apple-ios
+ OPENSSL_HOST: iphoneos-cross
+ IOS_SDK: WatchSimulator
+ IOS_CPU: i386
+ test_ios: "yes"
+ config: "no"
+ make: "no"
+ - name: Android armv7a
+ os: ubuntu-latest
+ AUTOTOOLS_HOST: armv7a-linux-androidabi
+ OPENSSL_HOST: android-arm
+ ANDROID_CPU: armv7a
+ ANDROID_API: 23
+ test_android: "yes"
+ config: "no"
+ make: "no"
+ - name: Android aarch64
+ os: ubuntu-latest
+ AUTOTOOLS_HOST: aarch64-linux-android
+ OPENSSL_HOST: android-arm64
+ ANDROID_CPU: aarch64
+ ANDROID_API: 23
+ test_android: "yes"
+ config: "no"
+ make: "no"
+ - name: Android x86
+ os: ubuntu-latest
+ AUTOTOOLS_HOST: i686-linux-android
+ OPENSSL_HOST: android-x86
+ ANDROID_CPU: x86
+ ANDROID_API: 23
+ test_android: "yes"
+ config: "no"
+ make: "no"
+ - name: Android x86_64
+ os: ubuntu-latest
+ AUTOTOOLS_HOST: x86_64-linux-android
+ OPENSSL_HOST: android-x86_64
+ ANDROID_CPU: x86_64
+ ANDROID_API: 23
+ test_android: "yes"
+ config: "no"
+ make: "no"
+ - name: Windows
+ os: windows-latest
+ test_windows: "yes"
+ config: "no"
+ make: "no"
+
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: false
+ - name: test_windows
+ if: ${{ matrix.test_windows == 'yes' }}
+ shell: bash
+ run: |
+ export unboundpath=`pwd`
+ echo unboundpath=${unboundpath}
+ cd ..
+ export prepath=`pwd`
+ echo prepath=${prepath}
+ #echo "curl cpanm"
+ #curl -L -k -s -S -o cpanm https://cpanmin.us/
+ #echo "perl cpanm Pod::Usage"
+ #perl cpanm Pod::Usage
+ mkdir openssl
+ echo "curl openssl"
+ curl -L -k -s -S -o openssl-1.1.1j.tar.gz https://www.openssl.org/source/openssl-1.1.1j.tar.gz
+ tar xzf openssl-1.1.1j.tar.gz
+ cd openssl-1.1.1j
+ # remove pod::Usage because we do not need -help or -man output
+ # from the Configure script
+ echo "Fixup ./Configure by removing use Pod::Usage require"
+ sed -e 's/use Pod::Usage//' < Configure > Configure.fix
+ echo "./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix=\""$prepath/openssl\"""
+ ./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix="$prepath/openssl"
+ # make the libs only, build faster
+ echo "make build_libs"
+ #make
+ make build_libs
+ mv Makefile Makefile.orig
+ # fixup \\ in the installtop to /.
+ echo "fixup INSTALLTOP"
+ sed -e 's?^INSTALLTOP=.*$?INSTALLTOP='"$prepath"'/openssl?' < Makefile.orig > Makefile
+ # install the includes and libs only, build faster
+ echo "make install_dev"
+ #make install_sw
+ make install_dev
+ cd ..
+ mkdir expat
+ echo "curl expat"
+ curl -L -k -s -S -o expat-2.2.10.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_10/expat-2.2.10.tar.gz
+ tar xzf expat-2.2.10.tar.gz
+ cd expat-2.2.10
+ echo "./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix=\"$prepath/expat\" --exec-prefix=\"$prepath/expat\" --bindir=\"$prepath/expat/bin\" --includedir=\"$prepath/expat/include\" --mandir=\"$prepath/expat/man\" --libdir=\"$prepath/expat/lib\""
+ ./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix="$prepath/expat" --exec-prefix="$prepath/expat" --bindir="$prepath/expat/bin" --includedir="$prepath/expat/include" --mandir="$prepath/expat/man" --libdir="$prepath/expat/lib"
+ # fixup SHELL is treated specially, but SHELZZ is not by make.
+ echo "Fixup Makefiles by renaming SHELL to SHELLZZ"
+ mv Makefile Makefile.orig
+ sed -e 's/SHELL/SHELLZZ/g' < Makefile.orig > Makefile
+ mv lib/Makefile lib/Makefile.orig
+ sed -e 's/SHELL/SHELLZZ/g' < lib/Makefile.orig > lib/Makefile
+ mv doc/Makefile doc/Makefile.orig
+ sed -e 's/SHELL/SHELLZZ/g' < doc/Makefile.orig > doc/Makefile
+ mv examples/Makefile examples/Makefile.orig
+ sed -e 's/SHELL/SHELLZZ/g' < examples/Makefile.orig > examples/Makefile
+ mv tests/Makefile tests/Makefile.orig
+ sed -e 's/SHELL/SHELLZZ/g' < tests/Makefile.orig > tests/Makefile
+ mv xmlwf/Makefile xmlwf/Makefile.orig
+ sed -e 's/SHELL/SHELLZZ/g' < xmlwf/Makefile.orig > xmlwf/Makefile
+ echo "make"
+ make
+ echo "make install"
+ make install
+ cd ..
+ echo "unbound"
+ cd unbound
+ echo "./configure --enable-debug --enable-static-exe --disable-flto \"--with-ssl=$prepath/openssl\" --with-libexpat=\"$prepath/expat\" --disable-shared"
+ ./configure --enable-debug --enable-static-exe --disable-flto "--with-ssl=$prepath/openssl" --with-libexpat="$prepath/expat" --disable-shared
+ make
+ # specific test output
+ #make testbound.exe; ./testbound.exe -s
+ #make testbound; ./testbound.exe -p testdata/acl.rpl -o -vvvv
+ make test
+ - name: test_android
+ if: ${{ matrix.test_android == 'yes' }}
+ env:
+ AUTOTOOLS_HOST: ${{ matrix.AUTOTOOLS_HOST }}
+ OPENSSL_HOST: ${{ matrix.OPENSSL_HOST }}
+ ANDROID_API: ${{ matrix.ANDROID_API }}
+ ANDROID_CPU: ${{ matrix.ANDROID_CPU }}
+ run: |
+ #(already installed) ./contrib/android/install_tools.sh
+ export ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU"
+ echo ANDROID_PREFIX=${ANDROID_PREFIX}
+ export ANDROID_SDK_ROOT="$HOME/android-sdk"
+ echo ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}
+ export ANDROID_NDK_ROOT="$HOME/android-ndk"
+ echo ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}
+ export AUTOTOOLS_BUILD="$(./config.guess)"
+ echo AUTOTOOLS_BUILD=${AUTOTOOLS_BUILD}
+ export PKG_CONFIG_PATH="$ANDROID_PREFIX/lib/pkgconfig"
+ echo PKG_CONFIG_PATH=${PKG_CONFIG_PATH}
+ export CONFIG_OPTS="--build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST --prefix=$ANDROID_PREFIX --with-ssl=$ANDROID_PREFIX --disable-gost --with-libexpat=$ANDROID_PREFIX"
+ echo CONFIG_OPTS=${CONFIG_OPTS}
+ echo "::group::install_ndk"
+ echo "./contrib/android/install_ndk.sh"
+ ./contrib/android/install_ndk.sh
+ echo "::endgroup::"
+ echo "::group::setenv_android.sh"
+ echo "./contrib/android/setenv_android.sh"
+ source ./contrib/android/setenv_android.sh
+ echo "::endgroup::"
+ echo "::group::install_openssl"
+ echo "./contrib/android/install_openssl.sh"
+ ./contrib/android/install_openssl.sh
+ echo "::endgroup::"
+ echo "::group::install_expat"
+ echo "./contrib/android/install_expat.sh"
+ ./contrib/android/install_expat.sh
+ echo "::endgroup::"
+ echo "::group::configure"
+ echo "./configure ${CONFIG_OPTS}"
+ ./configure ${CONFIG_OPTS}
+ echo "::endgroup::"
+ echo "::group::make"
+ # make is here to preserve environment variables
+ make
+ echo "::endgroup::"
+ echo "::group::make install"
+ make install
+ echo "::endgroup::"
+ - name: test ios
+ if: ${{ matrix.test_ios == 'yes' }}
+ env:
+ AUTOTOOLS_HOST: ${{ matrix.AUTOTOOLS_HOST }}
+ OPENSSL_HOST: ${{ matrix.OPENSSL_HOST }}
+ IOS_SDK: ${{ matrix.IOS_SDK }}
+ IOS_CPU: ${{ matrix.IOS_CPU }}
+ run: |
+ #(already installed) ./contrib/ios/install_tools.sh
+ export AUTOTOOLS_BUILD="$(./config.guess)"
+ echo AUTOTOOLS_BUILD=${AUTOTOOLS_BUILD}
+ export IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU"
+ echo IOS_PREFIX=${IOS_PREFIX}
+ export PKG_CONFIG_PATH="$IOS_PREFIX/lib/pkgconfig"
+ echo PKG_CONFIG_PATH=${PKG_CONFIG_PATH}
+ export CONFIG_OPTS="--build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST --prefix=$IOS_PREFIX --with-ssl=$IOS_PREFIX --disable-gost --with-libexpat=$IOS_PREFIX"
+ echo CONFIG_OPTS=${CONFIG_OPTS}
+ echo "::group::setenv_ios.sh"
+ echo "./contrib/ios/setenv_ios.sh"
+ source ./contrib/ios/setenv_ios.sh
+ echo "::endgroup::"
+ echo "::group::install_openssl"
+ echo "./contrib/ios/install_openssl.sh"
+ ./contrib/ios/install_openssl.sh
+ echo "::endgroup::"
+ echo "::group::install_expat"
+ echo "./contrib/ios/install_expat.sh"
+ ./contrib/ios/install_expat.sh
+ echo "::endgroup::"
+ echo "::group::configure"
+ echo "./configure ${CONFIG_OPTS}"
+ ./configure ${CONFIG_OPTS}
+ echo "::endgroup::"
+ echo "::group::make"
+ # make is here to preserve environment variables
+ make
+ echo "::endgroup::"
+ echo "::group::make install"
+ make install
+ echo "::endgroup::"
+ - name: install libevent
+ if: ${{ matrix.install_libevent == 'yes' }}
+ run: sudo apt-get install libevent-dev
+ - name: install expat
+ if: ${{ matrix.install_expat == 'yes' }}
+ run: brew install expat
+ - name: configure
+ if: ${{ matrix.config != 'no' }}
+ run: ./configure ${{
matrix.config }} + - name: make + if: ${{ matrix.make != 'no' }} + run: make + - name: make test + if: ${{ matrix.make_test == 'yes' }} + run: make test + - name: clang-analysis + if: ${{ matrix.clang_analysis == 'yes' }} + run: (cd testdata/clang-analysis.tdir; bash clang-analysis.test) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 000000000..73d68fbf3 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,21 @@ +name: ci + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + - name: configure + run: ./configure --enable-debug + - name: make + run: make + - name: make test + run: make test diff --git a/.gitignore b/.gitignore index d0c69f81d..6c3cfb91d 100644 --- a/.gitignore +++ b/.gitignore @@ -37,6 +37,7 @@ /perf /petal /pktview +/readzone /streamtcp /unbound-dnstap-socket /testbound diff --git a/Makefile.in b/Makefile.in index 8d5c7ee83..7d9974e00 100644 --- a/Makefile.in +++ b/Makefile.in @@ -61,6 +61,7 @@ PYTHON_CPPFLAGS=-I. @PYTHON_CPPFLAGS@ CFLAGS=-DSRCDIR=$(srcdir) @CFLAGS@ LDFLAGS=@LDFLAGS@ LIBS=@LIBS@ +PYTHON_LIBS=@PYTHON_LIBS@ LIBOBJS=@LIBOBJS@ # filter out ctime_r from compat obj. LIBOBJ_WITHOUT_CTIME=@LIBOBJ_WITHOUT_CTIME@ @@ -85,6 +86,8 @@ LINTFLAGS+=@NETBSD_LINTFLAGS@ LINTFLAGS+="-Dsigset_t=long" # FreeBSD LINTFLAGS+="-D__uint16_t=uint16_t" "-DEVP_PKEY_ASN1_METHOD=int" "-D_RuneLocale=int" "-D__va_list=va_list" "-D__uint32_t=uint32_t" "-D_Alignof(x)=x" "-D__aligned(x)=" "-D__requires_exclusive(x)=" "-D__requires_unlocked(x)=" "-D__locks_exclusive(x)=" "-D__trylocks_exclusive(x)=" "-D__unlocks(x)=" "-D__locks_shared(x)=" "-D__trylocks_shared(x)=" +# GCC Docker +LINTFLAGS+=@GCC_DOCKER_LINTFLAGS@ INSTALL=$(SHELL) $(srcdir)/install-sh 
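Review bot: In the `test_windows` step both downloads use `curl -L -k`, which turns off TLS certificate verification, and the OpenSSL and expat tarballs are then unpacked, configured and built with no integrity check. Drop `-k` and verify each archive against a digest pinned in the workflow before `tar xzf`, e.g. `echo "<expected-sha256>  openssl-1.1.1j.tar.gz" | sha256sum -c -` (placeholder digest, to be taken from the upstream release). Whether the scripts under `contrib/android/` and `contrib/ios/` fetch their sources the same way cannot be seen from this hunk and is worth checking.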
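Review bot: No `permissions:` block is set in `ci.yml`, so the `build` job runs `./configure`, `make` and `make test` on pull-request code with whatever default GITHUB_TOKEN scope the repository has. Adding a top-level `permissions:` with `contents: read` would keep the token read-only; the same applies to `analysis_ports.yml`. Both workflows also reference `actions/checkout@v2` by a mutable tag, and pinning it to a full commit SHA (`actions/checkout@<commit-sha>`) would fix the exact action code that runs.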
@@ -175,10 +178,12 @@ UNITTEST_SRC=testcode/unitanchor.c testcode/unitdname.c \ testcode/unitlruhash.c testcode/unitmain.c testcode/unitmsgparse.c \ testcode/unitneg.c testcode/unitregional.c testcode/unitslabhash.c \ testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c \ -testcode/unitecs.c testcode/unitauth.c testcode/unitzonemd.c +testcode/unitecs.c testcode/unitauth.c testcode/unitzonemd.c \ +testcode/unittcpreuse.c UNITTEST_OBJ=unitanchor.lo unitdname.lo unitlruhash.lo unitmain.lo \ unitmsgparse.lo unitneg.lo unitregional.lo unitslabhash.lo unitverify.lo \ -readhex.lo testpkts.lo unitldns.lo unitecs.lo unitauth.lo unitzonemd.lo +readhex.lo testpkts.lo unitldns.lo unitecs.lo unitauth.lo unitzonemd.lo \ +unittcpreuse.lo UNITTEST_OBJ_LINK=$(UNITTEST_OBJ) worker_cb.lo $(COMMON_OBJ) $(SLDNS_OBJ) \ $(COMPAT_OBJ) DAEMON_SRC=daemon/acl_list.c daemon/cachedump.c daemon/daemon.c \ @@ -244,6 +249,9 @@ DELAYER_SRC=testcode/delayer.c DELAYER_OBJ=delayer.lo DELAYER_OBJ_LINK=$(DELAYER_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \ $(SLDNS_OBJ) +READZONE_SRC=testcode/readzone.c +READZONE_OBJ=readzone.lo +READZONE_OBJ_LINK=$(READZONE_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) $(SLDNS_OBJ) IPSET_SRC=@IPSET_SRC@ IPSET_OBJ=@IPSET_OBJ@ DNSTAP_SOCKET_SRC=dnstap/unbound-dnstap-socket.c @@ -280,7 +288,7 @@ ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(DAEMON_SRC) \ $(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) $(DNSTAP_SOCKET_SRC)\ $(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC) \ $(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC) \ - $(DOHCLIENT_SRC) + $(DOHCLIENT_SRC) $(READZONE_SRC) ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \ $(TESTBOUND_OBJ) $(LOCKVERIFY_OBJ) $(PKTVIEW_OBJ) \ 
@@ -289,7 +297,7 @@ ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \ $(CONTROL_OBJ) $(UBANCHOR_OBJ) $(PETAL_OBJ) $(DNSTAP_SOCKET_OBJ)\ $(COMPAT_OBJ) $(PYUNBOUND_OBJ) \ $(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ) \ - $(DOHCLIENT_OBJ) + $(DOHCLIENT_OBJ) $(READZONE_OBJ) COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@ LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) @@ -327,7 +335,7 @@ TEST_BIN=asynclook$(EXEEXT) delayer$(EXEEXT) \ lock-verify$(EXEEXT) memstats$(EXEEXT) perf$(EXEEXT) \ petal$(EXEEXT) pktview$(EXEEXT) streamtcp$(EXEEXT) \ $(DNSTAP_SOCKET_TESTBIN) dohclient$(EXEEXT) \ - testbound$(EXEEXT) unittest$(EXEEXT) + testbound$(EXEEXT) unittest$(EXEEXT) readzone$(EXEEXT) tests: all $(TEST_BIN) check: test @@ -405,6 +413,9 @@ perf$(EXEEXT): $(PERF_OBJ_LINK) delayer$(EXEEXT): $(DELAYER_OBJ_LINK) $(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS) +readzone$(EXEEXT): $(READZONE_OBJ_LINK) + $(LINK) -o $@ $(READZONE_OBJ_LINK) $(SSLLIB) $(LIBS) + signit$(EXEEXT): testcode/signit.c $(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@ -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSLLIB) $(LIBS) @@ -468,7 +479,7 @@ libunbound/python/libunbound_wrap.c: $(srcdir)/libunbound/python/libunbound.i un # Pyunbound python unbound wrapper _unbound.la: libunbound_wrap.lo libunbound.la - $(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) libunbound.la $(LIBS) + $(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) -L. -L.libs libunbound.la $(PYTHON_LIBS) util/config_file.c: util/configparser.h util/configlexer.c: $(srcdir)/util/configlexer.lex util/configparser.h 
@@ -572,6 +583,8 @@ install-lib: lib $(UNBOUND_EVENT_INSTALL) echo ".so man3/libunbound.3" > $(DESTDIR)$(mandir)/man3/$$mpage.3 ; \ done $(LIBTOOL) --mode=install cp unbound.h $(DESTDIR)$(includedir)/unbound.h + $(INSTALL) -m 755 -d $(DESTDIR)$(libdir)/pkgconfig + $(INSTALL) -m 644 contrib/libunbound.pc $(DESTDIR)$(libdir)/pkgconfig $(LIBTOOL) --mode=install cp libunbound.la $(DESTDIR)$(libdir) $(LIBTOOL) --mode=finish $(DESTDIR)$(libdir) @@ -581,8 +594,6 @@ install-all: all $(PYTHONMOD_INSTALL) $(PYUNBOUND_INSTALL) $(UNBOUND_EVENT_INSTA $(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man8 $(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man5 $(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man1 - $(INSTALL) -m 755 -d $(DESTDIR)$(libdir)/pkgconfig - $(INSTALL) -m 644 contrib/libunbound.pc $(DESTDIR)$(libdir)/pkgconfig $(LIBTOOL) --mode=install cp -f unbound$(EXEEXT) $(DESTDIR)$(sbindir)/unbound$(EXEEXT) $(LIBTOOL) --mode=install cp -f unbound-checkconf$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-checkconf$(EXEEXT) $(LIBTOOL) --mode=install cp -f unbound-control$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-control$(EXEEXT) 
@@ -701,7 +712,8 @@ infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrde rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h dname.lo dname.o: $(srcdir)/util/data/dname.c config.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \ @@ -790,7 +802,8 @@ iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/i $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outside_network.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \ $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ 
@@ -837,11 +850,7 @@ modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/service $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ - $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) $(srcdir)/cachedb/cachedb.h \ - $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \ - $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h + $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ 
@@ -872,8 +881,7 @@ outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c confi $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h \ - + $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ @@ -894,8 +902,7 @@ config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/ut $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/edns-subnet/edns-subnet.h \ - $(srcdir)/util/iana_ports.inc + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/iana_ports.inc configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \ $(srcdir)/util/config_file.h util/configparser.h configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \ 
@@ -924,8 +931,9 @@ authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/service $(srcdir)/util/data/msgencode.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ $(srcdir)/services/cache/dns.h $(srcdir)/services/outside_network.h \ $(srcdir)/services/listen_dnsport.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \ - $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_secalgo.h + $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h $(srcdir)/validator/val_nsec3.h \ + $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/val_sigcrypt.h \ + $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ @@ -934,7 +942,7 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/outside_network.h $(srcdir)/services/cache/infra.h \ $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \ 
@@ -942,13 +950,18 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \ $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \ $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound-event.h \ - $(srcdir)/libunbound/worker.h $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) \ - $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \ - $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h $(srcdir)/dnstap/dtstream.h + $(srcdir)/libunbound/worker.h locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h -mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h +mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h module.lo module.o: 
$(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h @@ -961,14 +974,12 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/services/listen_dnsport.h \ - + $(srcdir)/dnstap/dnstap.h $(srcdir)/services/listen_dnsport.h net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \ - $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \ - + $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ 
@@ -1022,8 +1033,7 @@ tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/u $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/ub_event.h ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/tube.h \ - + $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \ $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \ @@ -1033,8 +1043,7 @@ ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ 
@@ -1047,8 +1056,7 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \ - + $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h \ 
@@ -1078,13 +1086,11 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/ val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ - -val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \ - $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ - $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h +val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \ $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \ 
@@ -1102,17 +1108,15 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \ $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/sldns/sbuffer.h \ - + $(srcdir)/sldns/sbuffer.h val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_secalgo.h \ $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \ - + $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h \ + $(srcdir)/sldns/wire2str.h val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ 
@@ -1133,43 +1137,13 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \ $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h -edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \ - $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h -subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \ - $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \ - $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ - $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ - $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/respip/respip.h $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h \ - $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h +edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h +subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c 
config.h $(srcdir)/util/log.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/edns-subnet/addrtree.h -subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \ - $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ - $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h -cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/cachedb/redis.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/data/msgencode.h $(srcdir)/services/cache/dns.h \ - $(srcdir)/validator/val_neg.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_secalgo.h \ - $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h -redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h $(srcdir)/cachedb/redis.h $(srcdir)/cachedb/cachedb.h \ - $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h \ - $(srcdir)/sldns/sbuffer.h 
+subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ 
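Review bot: The new rules for `edns-subnet`, `subnetmod` and `subnet-whitelist` in this hunk list only the `.c` file and `config.h`, and the `cachedb` and `redis` rules are dropped, so a change to any header those sources include no longer rebuilds their objects. In an incremental build that can leave an object compiled against an older struct layout linked into the resolver, which is a memory-safety hazard rather than just a build nuisance. This looks like `make depend` output from a tree configured without these modules (inferred from the diff, not shown on the page); if so, regenerate with them enabled so that lines such as `edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h` are kept. The same applies to the `ipsecmod`, `dnstap` and `ipset` rules in the next hunk, to `unitecs` further down, and to the `subnetmod.h` prerequisites removed from `stats`.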
@@ -1182,42 +1156,8 @@ respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localz $(srcdir)/util/regional.h checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/testcode/checklocks.h -dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/dnstap/dnstap.h \ - $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h dnstap/dnstap.pb-c.h -dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h \ - -dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h -dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \ - $(srcdir)/util/net_help.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/sldns/sbuffer.h \ - -ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \ - $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h 
$(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h -ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \ - $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h \ - $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h -ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h +ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h +ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h 
@@ -1226,8 +1166,7 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h -unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ +unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ 
@@ -1268,14 +1207,7 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \ $(srcdir)/sldns/parseutil.h -unitzonemd.lo unitzonemd.o: $(srcdir)/testcode/unitzonemd.c config.h $(srcdir)/services/authzone.h -unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \ - $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \ - $(srcdir)/edns-subnet/edns-subnet.h +unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \ 
@@ -1286,49 +1218,58 @@ unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/service $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/sldns/wire2str.h +unitzonemd.lo unitzonemd.o: $(srcdir)/testcode/unitzonemd.c config.h $(srcdir)/util/log.h \ + $(srcdir)/testcode/unitmain.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/authzone.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h \ + $(srcdir)/validator/val_anchor.h +unittcpreuse.lo unittcpreuse.o: $(srcdir)/testcode/unittcpreuse.c config.h $(srcdir)/services/outside_network.h \ +$(srcdir)/util/random.h acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \ $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h 
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h -cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \ - $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ - $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ - $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/wire2str.h \ - $(srcdir)/sldns/str2wire.h -daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \ - $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ - $(srcdir)/daemon/worker.h \ - $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ - 
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/keyraw.h -remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \ - $(srcdir)/daemon/remote.h \ - $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ +cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \ + $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ + $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \ + $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h 
$(srcdir)/iterator/iter_utils.h \ + $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \ + $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h $(srcdir)/services/outside_network.h +daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ + $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \ + $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \ + $(srcdir)/util/edns.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h \ + $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h \ + $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h +remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \ + $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/alloc.h \ + 
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \ + $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ $(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \ $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ 
@@ -1353,21 +1294,19 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h \ - $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ - + $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \ $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ - $(srcdir)/daemon/remote.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h + $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/util/netevent.h 
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/ub_event.h worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ 
@@ -1375,32 +1314,32 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ - $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \ - $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ - $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \ - $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \ - $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \ - $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h + $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + 
$(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \ + $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \ + $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \ + $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \ + $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \ $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \ - $(srcdir)/daemon/remote.h \ - $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \ - $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ + $(srcdir)/daemon/remote.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h \ + $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h 
$(srcdir)/services/cache/rrset.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h + $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \ $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h 
@@ -1411,39 +1350,38 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ - $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \ - $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ - $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \ - $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \ - $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \ - $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h + $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + 
$(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \ + $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \ + $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \ + $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \ + $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \ $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h -daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \ - $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ - $(srcdir)/daemon/worker.h \ - $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ - 
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/keyraw.h +daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ + $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \ + $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \ + $(srcdir)/util/edns.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h \ + $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h \ + $(srcdir)/util/random.h $(srcdir)/util/tube.h 
$(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ @@ -1457,9 +1395,7 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h \ - $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ - + $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \ 
@@ -1476,7 +1412,7 @@ fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/t $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h + $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/daemon/remote.h lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ @@ -1511,8 +1447,7 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \ - $(PYTHONMOD_HEADER) $(srcdir)/edns-subnet/subnet-whitelist.h + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ 
@@ -1546,70 +1481,72 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h -libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \ - $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \ - $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/storage/lookup3.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/str2wire.h +libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h 
\ + $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ + $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \ + $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \ + $(srcdir)/sldns/str2wire.h unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \ - + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h \ - + $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ 
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \ - + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h -unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \ - $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h +unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \ 
+ $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h \ + $(srcdir)/services/listen_dnsport.h unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \ - -petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \ - + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h +petal.lo petal.o: $(srcdir)/testcode/petal.c config.h unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h \ $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h \ $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \ - dnstap/dnstap.pb-c.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h -pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h 
$(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \ - $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \ - $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \ - + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h \ + $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/daemon/remote.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \ + $(srcdir)/libunbound/unbound-event.h +pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h \ + $(srcdir)/pythonmod/pythonmod_utils.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/net_help.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/util/regional.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h 
$(srcdir)/winrc/w_inst.h \ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/daemon/worker.h \ @@ -1617,8 +1554,8 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h + $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \ + $(srcdir)/util/net_help.h w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \ $(srcdir)/winrc/w_inst.h 
@@ -1626,14 +1563,12 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv $(srcdir)/winrc/w_inst.h anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h -keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/sldns/rrdef.h \ - +keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/keyraw.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h + $(srcdir)/sldns/keyraw.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \ $(srcdir)/sldns/sbuffer.h parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h 
@@ -1644,8 +1579,8 @@ dohclient.lo dohclient.o: $(srcdir)/testcode/dohclient.c config.h $(srcdir)/sldn $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h \ - + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h +readzone.lo readzone.o: $(srcdir)/testcode/readzone.c ctime_r.lo ctime_r.o: $(srcdir)/compat/ctime_r.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h fake-rfc2553.lo fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h gmtime_r.lo gmtime_r.o: $(srcdir)/compat/gmtime_r.c config.h @@ -1660,11 +1595,9 @@ strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h getentropy_freebsd.lo getentropy_freebsd.o: $(srcdir)/compat/getentropy_freebsd.c -getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \ - +getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c -getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \ - +getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h diff --git a/README-Travis.md b/README-Travis.md index 3ce22cc20..ca6445612 100644 --- a/README-Travis.md +++ b/README-Travis.md 
@@ -241,7 +241,7 @@ If you are working from a developer machine you probably already have the necess The fourth step builds OpenSSL and Expat. OpenSSL and Expat are built for iOS using the scripts `contrib/ios/install_openssl.sh` and `contrib/ios/install_expat.sh`. The scripts download, configure and install the latest release version of the libraries. The libraries are configured with `--prefix="$IOS_PREFIX"` so the headers are placed in `$IOS_PREFIX/include` directory, and the libraries are placed in the `$IOS_PREFIX/lib` directory. -`IOS_PREFIX` is the value `$HOME/$IOS_SDK-$IOS_CPU`. The scheme handles both iOS SDKs and cpu architectures so the pair recieves a unique installation directory. The libraries will be installed in `$HOME/iPhoneOS-armv7s`, `$HOME/iPhoneOS-arm64`, `$HOME/iPhoneSimulator-i386`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported. +`IOS_PREFIX` is the value `$HOME/$IOS_SDK-$IOS_CPU`. The scheme handles both iOS SDKs and cpu architectures so the pair receives a unique installation directory. The libraries will be installed in `$HOME/iPhoneOS-armv7s`, `$HOME/iPhoneOS-arm64`, `$HOME/iPhoneSimulator-i386`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported. `PKG_CONFIG_PATH` is an important variable. It is the userland equivalent to sysroot, and allows Autotools to find non-system headers and libraries for an architecture. Typical `PKG_CONFIG_PATH` are `$HOME/iPhoneOS-armv7s/lib/pkgconfig` and `$HOME/iPhoneOS-arm64/lib/pkgconfig`. diff --git a/README.md b/README.md index c8877d1e9..d1bbcf2b7 100644 --- a/README.md +++ b/README.md 
@@ -11,7 +11,7 @@ have any feedback, we would love to hear from you. Don’t hesitate to [create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new) or post a message on the [Unbound mailing list](https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users). You can learn more about Unbound by reading our -[documentation](https://nlnetlabs.nl/documentation/unbound/). +[documentation](https://unbound.docs.nlnetlabs.nl/). ## Compiling @@ -33,7 +33,7 @@ support. All of Unbound's configuration options are described in the man pages, which will be installed and are available on the Unbound -[documentation page](https://nlnetlabs.nl/documentation/unbound/). +[documentation page](https://unbound.docs.nlnetlabs.nl/). An example configuration file is located in [doc/example.conf](https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in). diff --git a/aclocal.m4 b/aclocal.m4 index 2fedf028c..bf3c57e2f 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.16.1 -*- Autoconf -*- +# generated automatically by aclocal 1.16.2 -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -736,6 +736,7 @@ _LT_CONFIG_SAVE_COMMANDS([ cat <<_LT_EOF >> "$cfgfile" #! $SHELL # Generated automatically by $as_me ($PACKAGE) $VERSION +# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: # NOTE: Changes made to this file will be lost: look at ltmain.sh. # Provide generalized library-building support services. 
@@ -1047,8 +1048,8 @@ int forced_loaded() { return 2;} _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD - echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD - $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD + echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD + $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD cat > conftest.c << _LT_EOF @@ -1498,7 +1499,7 @@ need_locks=$enable_libtool_lock m4_defun([_LT_PROG_AR], [AC_CHECK_TOOLS(AR, [ar], false) : ${AR=ar} -: ${AR_FLAGS=cr} +: ${AR_FLAGS=cru} _LT_DECL([], [AR], [1], [The archiver]) _LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive]) @@ -2872,6 +2873,9 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) # before this can be enabled. hardcode_into_libs=yes + # Add ABI-specific directories to the system library path. + sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" + # Ideally, we could use ldconfig to report *all* directores which are # searched for libraries, however this is still not possible. Aside from not # being certain /sbin/ldconfig is available, command @@ -2880,7 +2884,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) # appending ld.so.conf contents (and includes) to the search path. if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on 
@@ -2892,18 +2896,6 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) dynamic_linker='GNU/Linux ld.so' ;; -netbsdelf*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='NetBSD ld.elf_so' - ;; - netbsd*) version_type=sunos need_lib_prefix=no @@ -3563,7 +3555,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) lt_cv_deplibs_check_method=pass_all ;; -netbsd* | netbsdelf*-gnu) +netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' else @@ -4069,8 +4061,7 @@ _LT_EOF if AC_TRY_EVAL(ac_compile); then # Now try to grab the symbols. nlist=conftest.nm - $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD - if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then + if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" @@ -4442,7 +4433,7 @@ m4_if([$1], [CXX], [ ;; esac ;; - netbsd* | netbsdelf*-gnu) + netbsd*) ;; *qnx* | *nto*) # QNX uses GNU C++, but need to define -shared option too, otherwise 
@@ -4710,12 +4701,6 @@ m4_if([$1], [CXX], [ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; - # flang / f18. f95 an alias for gfortran or flang on Debian - flang* | f18* | f95*) - _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' - _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' - _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' - ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) @@ -4960,9 +4945,6 @@ m4_if([$1], [CXX], [ ;; esac ;; - linux* | k*bsd*-gnu | gnu*) - _LT_TAGVAR(link_all_deplibs, $1)=no - ;; *) _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' ;; @@ -5025,9 +5007,6 @@ dnl Note also adjust exclude_expsyms for C++ above. openbsd* | bitrig*) with_gnu_ld=no ;; - linux* | k*bsd*-gnu | gnu*) - _LT_TAGVAR(link_all_deplibs, $1)=no - ;; esac _LT_TAGVAR(ld_shlibs, $1)=yes @@ -5282,7 +5261,7 @@ _LT_EOF fi ;; - netbsd* | netbsdelf*-gnu) + netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= 
@@ -5803,7 +5782,6 @@ _LT_EOF if test yes = "$lt_cv_irix_exported_symbol"; then _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib' fi - _LT_TAGVAR(link_all_deplibs, $1)=no else _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib' @@ -5825,7 +5803,7 @@ _LT_EOF esac ;; - netbsd* | netbsdelf*-gnu) + netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else @@ -6447,7 +6425,7 @@ if test yes != "$_lt_caught_CXX_error"; then # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' else GXX=no 
@@ -6822,7 +6800,7 @@ if test yes != "$_lt_caught_CXX_error"; then # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. - output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test yes = "$GXX"; then @@ -6887,7 +6865,7 @@ if test yes != "$_lt_caught_CXX_error"; then # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. - output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test yes = "$GXX"; then @@ -7226,7 +7204,7 @@ if test yes != "$_lt_caught_CXX_error"; then # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' else # FIXME: insert proper C++ library support 
@@ -7310,7 +7288,7 @@ if test yes != "$_lt_caught_CXX_error"; then # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' else # g++ 2.7 appears to require '-G' NOT '-shared' on this # platform. @@ -7321,7 +7299,7 @@ if test yes != "$_lt_caught_CXX_error"; then # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' + output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' fi _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir' @@ -9066,9 +9044,9 @@ m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])]) m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])]) m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])]) -dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -dnl serial 11 (pkg-config-0.29.1) -dnl +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# serial 11 (pkg-config-0.29.1) + dnl Copyright © 2004 Scott James Remnant . dnl Copyright © 2012-2015 Dan Nicholson dnl 
@@ -9342,9 +9320,77 @@ AS_VAR_COPY([$1], [pkg_cv_][$1]) AS_VAR_IF([$1], [""], [$5], [$4])dnl ])dnl PKG_CHECK_VAR +dnl PKG_WITH_MODULES(VARIABLE-PREFIX, MODULES, +dnl [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND], +dnl [DESCRIPTION], [DEFAULT]) +dnl ------------------------------------------ +dnl +dnl Prepare a "--with-" configure option using the lowercase +dnl [VARIABLE-PREFIX] name, merging the behaviour of AC_ARG_WITH and +dnl PKG_CHECK_MODULES in a single macro. +AC_DEFUN([PKG_WITH_MODULES], +[ +m4_pushdef([with_arg], m4_tolower([$1])) + +m4_pushdef([description], + [m4_default([$5], [build with ]with_arg[ support])]) + +m4_pushdef([def_arg], [m4_default([$6], [auto])]) +m4_pushdef([def_action_if_found], [AS_TR_SH([with_]with_arg)=yes]) +m4_pushdef([def_action_if_not_found], [AS_TR_SH([with_]with_arg)=no]) + +m4_case(def_arg, + [yes],[m4_pushdef([with_without], [--without-]with_arg)], + [m4_pushdef([with_without],[--with-]with_arg)]) + +AC_ARG_WITH(with_arg, + AS_HELP_STRING(with_without, description[ @<:@default=]def_arg[@:>@]),, + [AS_TR_SH([with_]with_arg)=def_arg]) + +AS_CASE([$AS_TR_SH([with_]with_arg)], + [yes],[PKG_CHECK_MODULES([$1],[$2],$3,$4)], + [auto],[PKG_CHECK_MODULES([$1],[$2], + [m4_n([def_action_if_found]) $3], + [m4_n([def_action_if_not_found]) $4])]) + +m4_popdef([with_arg]) +m4_popdef([description]) +m4_popdef([def_arg]) + +])dnl PKG_WITH_MODULES + +dnl PKG_HAVE_WITH_MODULES(VARIABLE-PREFIX, MODULES, +dnl [DESCRIPTION], [DEFAULT]) +dnl ----------------------------------------------- +dnl +dnl Convenience macro to trigger AM_CONDITIONAL after PKG_WITH_MODULES +dnl check._[VARIABLE-PREFIX] is exported as make variable. 
+AC_DEFUN([PKG_HAVE_WITH_MODULES], +[ +PKG_WITH_MODULES([$1],[$2],,,[$3],[$4]) + +AM_CONDITIONAL([HAVE_][$1], + [test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"]) +])dnl PKG_HAVE_WITH_MODULES + +dnl PKG_HAVE_DEFINE_WITH_MODULES(VARIABLE-PREFIX, MODULES, +dnl [DESCRIPTION], [DEFAULT]) +dnl ------------------------------------------------------ +dnl +dnl Convenience macro to run AM_CONDITIONAL and AC_DEFINE after +dnl PKG_WITH_MODULES check. HAVE_[VARIABLE-PREFIX] is exported as make +dnl and preprocessor variable. +AC_DEFUN([PKG_HAVE_DEFINE_WITH_MODULES], +[ +PKG_HAVE_WITH_MODULES([$1],[$2],[$3],[$4]) + +AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"], + [AC_DEFINE([HAVE_][$1], 1, [Enable ]m4_tolower([$1])[ support])]) +])dnl PKG_HAVE_DEFINE_WITH_MODULES + # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997-2018 Free Software Foundation, Inc. +# Copyright (C) 1997-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -9375,7 +9421,7 @@ AC_CONFIG_COMMANDS_PRE( Usually this means the macro was only invoked conditionally.]]) fi])]) -# Copyright (C) 2006-2018 Free Software Foundation, Inc. +# Copyright (C) 2006-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff --git a/acx_nlnetlabs.m4 b/acx_nlnetlabs.m4 index dd8d8c329..1574f97bf 100644 --- a/acx_nlnetlabs.m4 +++ b/acx_nlnetlabs.m4 
@@ -2,7 +2,14 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 38 +# Version 43 +# 2021-08-17 fix sed script in ssldir split handling. +# 2021-08-17 fix for openssl to detect split version, with ssldir_include +# and ssldir_lib output directories. +# 2021-07-30 fix for openssl use of lib64 directory. +# 2021-06-14 fix nonblocking test to use host instead of target for mingw test. +# 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for +# 64bit compatibility. # 2021-03-24 fix ACX_FUNC_DEPRECATED to use CPPFLAGS and CFLAGS. # 2021-01-05 fix defun for aclocal # 2021-01-05 autoconf 2.70 autoupdate and fixes, no AC_TRY_COMPILE @@ -643,6 +650,30 @@ AC_DEFUN([ACX_SSL_CHECKS], [ withval=$1 if test x_$withval != x_no; then AC_MSG_CHECKING(for SSL) + if test -n "$withval"; then + dnl look for openssl install with different version, eg. + dnl in /usr/include/openssl11/openssl/ssl.h + dnl and /usr/lib64/openssl11/libssl.so + dnl with the --with-ssl=/usr/include/openssl11 + if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then + ssldir="$withval" + found_ssl="yes" + withval="" + ssldir_include="$ssldir" + dnl find the libdir + ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + AC_MSG_ERROR([Could not find openssl lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or "/usr/include/openssl11"]) + fi + fi + fi + fi if test x_$withval = x_ -o x_$withval = x_yes; then withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr" fi 
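Review bot: In the split-version branch added to ACX_SSL_CHECKS, `withval=""` is set after a successful detection, but the unchanged context directly below then replaces an empty `withval` with the default directory list. If the directory loop that follows (it starts outside this hunk; its body is visible in the next one) runs over that list, `ssldir` is reassigned per directory, so the location given with `--with-ssl` can be replaced by a system OpenSSL, or the later `"$ssldir" != "/usr"` test can suppress the `-I`/`-L` flags. Wrapping the fallback and the loop in `if test x_$found_ssl != x_yes; then` would keep the explicit choice. Separately, `sed -e 's/include/lib/'` rewrites the first `include` anywhere in the path and `$ssldir` is unquoted, so at least `echo "$ssldir"` and a comment stating the expected path shape would help.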
@@ -650,12 +681,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [ ssldir="$dir" if test -f "$dir/include/openssl/ssl.h"; then found_ssl="yes" - AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.]) - dnl assume /usr/include is already in the include-path. - if test "$ssldir" != "/usr"; then - CPPFLAGS="$CPPFLAGS -I$ssldir/include" - LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include" - fi + ssldir_include="$ssldir/include" + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then + ssldir_lib="$ssldir/lib64" + else + ssldir_lib="$ssldir/lib" + fi break; fi done @@ -663,13 +694,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [ AC_MSG_ERROR(Cannot find the SSL libraries in $withval) else AC_MSG_RESULT(found in $ssldir) + AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.]) HAVE_SSL=yes - dnl assume /usr is already in the lib and dynlib paths. - if test "$ssldir" != "/usr" -a "$ssldir" != ""; then - LDFLAGS="$LDFLAGS -L$ssldir/lib" - LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" - ACX_RUNTIME_PATH_ADD([$ssldir/lib]) - fi + dnl assume /usr is already in the include, lib and dynlib paths. + if test "$ssldir" != "/usr"; then + CPPFLAGS="$CPPFLAGS -I$ssldir_include" + LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include" + LDFLAGS="$LDFLAGS -L$ssldir_lib" + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib" + ACX_RUNTIME_PATH_ADD([$ssldir_lib]) + fi AC_MSG_CHECKING([for EVP_sha256 in -lcrypto]) LIBS="$LIBS -lcrypto" @@ -748,7 +782,7 @@ dnl AC_DEFUN([ACX_WITH_SSL], [ AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl - /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[ + /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[ ],[ withval="yes" ]) 
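Review bot: The `lib`/`lib64` choice in the first hunk only looks at which directories exist, so a prefix that has both `$ssldir/lib` and `$ssldir/lib64` always gets `-L$ssldir/lib`, even when libssl is installed in `lib64`. Headers are then taken from `$ssldir_include` while `-lssl` may resolve from a different, default location, which is a header/library mismatch that is hard to spot at build time. Testing for the library file, as the split-version branch earlier in this macro does with `test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"`, would tie the two together. The enclosing loop and macro start outside these hunks.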
@@ -766,7 +800,7 @@ dnl AC_DEFUN([ACX_WITH_SSL_OPTIONAL], [ AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl - /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[ + /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[ ],[ withval="yes" ]) @@ -915,7 +949,7 @@ dnl a nonblocking socket do not work, a new call to select is necessary. AC_DEFUN([ACX_CHECK_NONBLOCKING_BROKEN], [ AC_MSG_CHECKING([if nonblocking sockets work]) -if echo $target | grep mingw32 >/dev/null; then +if echo $host | grep mingw >/dev/null; then AC_MSG_RESULT([no (windows)]) AC_DEFINE([NONBLOCKING_IS_BROKEN], 1, [Define if the network stack does not fully support nonblocking io (causes lower performance).]) else diff --git a/acx_python.m4 b/acx_python.m4 index 767db5b65..16c0c6fd9 100644 --- a/acx_python.m4 +++ b/acx_python.m4 
@@ -18,27 +18,45 @@ AC_DEFUN([AC_PYTHON_DEVEL],[ print(sys.version.split()[[0]])"` fi - # - # Check if you have distutils, else fail - # - AC_MSG_CHECKING([for the distutils Python package]) - if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then + # Check if you have sysconfig + AC_MSG_CHECKING([for the sysconfig Python module]) + if ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`; then AC_MSG_RESULT([yes]) - else + sysconfig_module="sysconfig" + # if yes, use sysconfig, because distutils is deprecated. + else AC_MSG_RESULT([no]) - AC_MSG_ERROR([cannot import Python module "distutils". -Please check your Python installation. The error was: -$ac_distutils_result]) - PYTHON_VERSION="" - fi + # if no, try to use distutils + + # + # Check if you have distutils, else fail + # + AC_MSG_CHECKING([for the distutils Python package]) + if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + AC_MSG_ERROR([cannot import Python module "distutils". + Please check your Python installation. The error was: + $ac_distutils_result]) + PYTHON_VERSION="" + fi + + sysconfig_module="distutils.sysconfig" + fi # # Check for Python include path # AC_MSG_CHECKING([for Python include path]) if test -z "$PYTHON_CPPFLAGS"; then - python_path=`$PYTHON -c "import distutils.sysconfig; \ - print(distutils.sysconfig.get_python_inc());"` + if test "$sysconfig_module" = "sysconfig"; then + python_path=`$PYTHON -c 'import sysconfig; \ + print(sysconfig.get_path("include"));'` + else + python_path=`$PYTHON -c "import distutils.sysconfig; \ + print(distutils.sysconfig.get_python_inc());"` + fi if test -n "${python_path}"; then python_path="-I$python_path" fi 
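Review bot: `ac_sysconfig_result` captures the output of the failed `import sysconfig` but is never reported, so when both imports fail the error names only distutils and the first failure is lost. Adding it to the message, for example `sysconfig import error was: $ac_sysconfig_result`, would make a broken interpreter easier to diagnose. The `PYTHON_VERSION=""` line after `AC_MSG_ERROR` is carried over into the new branch although it is never reached and could be dropped. AC_PYTHON_DEVEL starts outside the hunk.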
@@ -52,14 +70,14 @@ $ac_distutils_result]) # AC_MSG_CHECKING([for Python library path]) if test -z "$PYTHON_LDFLAGS"; then - PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \ + PYTHON_LDFLAGS=`$PYTHON -c "from $sysconfig_module import *; \ print('-L'+get_config_var('LIBDIR')+' -L'+get_config_var('LIBDEST')+' '+get_config_var('BLDLIBRARY'));"` fi AC_MSG_RESULT([$PYTHON_LDFLAGS]) AC_SUBST([PYTHON_LDFLAGS]) if test -z "$PYTHON_LIBDIR"; then - PYTHON_LIBDIR=`$PYTHON -c "from distutils.sysconfig import *; \ + PYTHON_LIBDIR=`$PYTHON -c "from $sysconfig_module import *; \ print(get_config_var('LIBDIR'));"` fi @@ -68,8 +86,13 @@ $ac_distutils_result]) # AC_MSG_CHECKING([for Python site-packages path]) if test -z "$PYTHON_SITE_PKG"; then - PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \ - print(distutils.sysconfig.get_python_lib(1,0));"` + if test "$sysconfig_module" = "sysconfig"; then + PYTHON_SITE_PKG=`$PYTHON -c 'import sysconfig; \ + print(sysconfig.get_path("platlib"));'` + else + PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \ + print(distutils.sysconfig.get_python_lib(1,0));"` + fi fi AC_MSG_RESULT([$PYTHON_SITE_PKG]) AC_SUBST([PYTHON_SITE_PKG]) diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c index e948a6b0d..725bc6ce8 100644 --- a/cachedb/cachedb.c +++ b/cachedb/cachedb.c @@ -519,7 +519,7 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf) sldns_buffer_set_limit(buf, lim); return 0; } - if(parse_extract_edns(prs, &edns, qstate->env->scratch) != + if(parse_extract_edns_from_response_msg(prs, &edns, qstate->env->scratch) != LDNS_RCODE_NOERROR) { sldns_buffer_set_limit(buf, lim); return 0; 
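Review bot: In the site-packages hunk, `sysconfig.get_path("platlib")` is not guaranteed to return the same directory as `distutils.sysconfig.get_python_lib(1,0)`. It follows the interpreter's default install scheme, which some distributions patch, so `PYTHON_SITE_PKG` may move for builds that previously used the distutils path. A comment above the new branch would document this, e.g. `# platlib follows the default install scheme and may differ from the distutils result; set PYTHON_SITE_PKG to override`.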
@@ -617,12 +617,18 @@ cachedb_extcache_store(struct module_qstate* qstate, struct cachedb_env* ie) static int cachedb_intcache_lookup(struct module_qstate* qstate) { + uint8_t* dpname=NULL; + size_t dpnamelen=0; struct dns_msg* msg; + if(iter_stub_fwd_no_cache(qstate, &qstate->qinfo, + &dpname, &dpnamelen)) + return 0; /* no cache for these queries */ msg = dns_cache_lookup(qstate->env, qstate->qinfo.qname, qstate->qinfo.qname_len, qstate->qinfo.qtype, qstate->qinfo.qclass, qstate->query_flags, qstate->region, qstate->env->scratch, - 1 /* no partial messages with only a CNAME */ + 1, /* no partial messages with only a CNAME */ + dpname, dpnamelen ); if(!msg && qstate->env->neg_cache && iter_qname_indicates_dnssec(qstate->env, &qstate->qinfo)) { diff --git a/compat/ctime_r.c b/compat/ctime_r.c index 87c2609a8..9f2bf15bc 100644 --- a/compat/ctime_r.c +++ b/compat/ctime_r.c @@ -38,5 +38,5 @@ char *ctime_r(const time_t *timep, char *buf) strcpy(buf, result); } lock_basic_unlock(&ctime_lock); - return result; + return buf; } diff --git a/config.h.in b/config.h.in index 103ad9f00..a080dde0d 100644 --- a/config.h.in +++ b/config.h.in @@ -28,6 +28,9 @@ /* Whether daemon is deprecated */ #undef DEPRECATED_DAEMON +/* Deprecate RSA 1024 bit length, makes that an unsupported key */ +#undef DEPRECATE_RSA_1024 + /* Define this to enable kernel based UDP source port randomization. */ #undef DISABLE_EXPLICIT_PORT_RANDOMISATION @@ -69,6 +72,9 @@ /* If we have be64toh */ #undef HAVE_BE64TOH +/* Define to 1 if you have the `BIO_set_callback_ex' function. */ +#undef HAVE_BIO_SET_CALLBACK_EX + /* Define to 1 if you have the header file. */ #undef HAVE_BSD_STDLIB_H @@ -312,6 +318,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_IFADDRS_H +/* Define to 1 if you have the `if_nametoindex' function. */ +#undef HAVE_IF_NAMETOINDEX + /* Define to 1 if you have the `inet_aton' function. */ #undef HAVE_INET_ATON 
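Review bot: The new early `return 0` in cachedb_intcache_lookup looks the same to the caller as an ordinary cache miss, and nothing in the hunk documents that. A function comment would help, such as `/* returns 0 without consulting the cache when the stub or forward zone for this query is configured no-cache */`, plus a word on who owns `dpname` after `iter_stub_fwd_no_cache` fills it in. Whether the external-cache lookup and store paths apply the same no-cache check is not visible here and is worth confirming. The function body continues past the end of the hunk.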
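Review bot: With `return buf;` ctime_r reports success even when nothing was copied. The closing brace before the unlock suggests the `strcpy` is conditional, and if `ctime()` returned NULL the caller now receives a non-NULL pointer to a buffer this function never wrote. `return result ? buf : NULL;` keeps the fix, since the pointer to the shared static buffer still does not leave the lock, while preserving the failure signal. The start of ctime_r is outside the hunk, so the exact condition should be checked there.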
@@ -372,6 +381,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_TCP_H +/* Define to 1 if you have the header file. */ +#undef HAVE_NETIOAPI_H + /* Use libnettle for crypto */ #undef HAVE_NETTLE @@ -426,6 +438,9 @@ /* Define to 1 if you have the `OPENSSL_init_ssl' function. */ #undef HAVE_OPENSSL_INIT_SSL +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_PARAM_BUILD_H + /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_RAND_H @@ -435,6 +450,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_SSL_H +/* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */ +#undef HAVE_OSSL_PARAM_BLD_NEW + /* Define if you have POSIX threads libraries and header files. */ #undef HAVE_PTHREAD @@ -516,6 +534,9 @@ /* Define if you have the SSL libraries installed. */ #undef HAVE_SSL +/* Define to 1 if you have the `SSL_CTX_set_alpn_protos' function. */ +#undef HAVE_SSL_CTX_SET_ALPN_PROTOS + /* Define to 1 if you have the `SSL_CTX_set_alpn_select_cb' function. */ #undef HAVE_SSL_CTX_SET_ALPN_SELECT_CB @@ -529,9 +550,15 @@ function. */ #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB +/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */ +#undef HAVE_SSL_GET0_ALPN_SELECTED + /* Define to 1 if you have the `SSL_get0_peername' function. */ #undef HAVE_SSL_GET0_PEERNAME +/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */ +#undef HAVE_SSL_GET1_PEER_CERTIFICATE + /* Define to 1 if you have the `SSL_set1_host' function. */ #undef HAVE_SSL_SET1_HOST 
@@ -847,6 +874,14 @@ /* Define if you enable libevent */ #undef USE_LIBEVENT +/* Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a + default outgoing port range. This is only for the libunbound on Linux and + does not affect unbound resolving daemon itself. This may severely limit + the number of available outgoing ports and thus decrease randomness. Define + this only when the target system restricts (e.g. some of SELinux enabled + distributions) the use of non-ephemeral ports. */ +#undef USE_LINUX_IP_LOCAL_PORT_RANGE + /* Define if you want to use internal select based events */ #undef USE_MINI_EVENT @@ -936,6 +971,10 @@ /* Define to 1 if you need to in order for `stat' and other things to work. */ #undef _POSIX_SOURCE +/* defined to use gcc ansi snprintf and sscanf that understands %lld when + compiled for windows. */ +#undef __USE_MINGW_ANSI_STDIO + /* Define to empty if `const' does not conform to ANSI C. */ #undef const @@ -1115,7 +1154,7 @@ #include #endif -#ifndef USE_WINSOCK +#if !defined(USE_WINSOCK) || !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN) || defined(__USE_MINGW_ANSI_STDIO) #define ARG_LL "%ll" #else #define ARG_LL "%I64" diff --git a/configure b/configure index 6099122b1..ac79c9a81 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.13.2. +# Generated by GNU Autoconf 2.69 for unbound 1.15.1. # # Report bugs to . # @@ -591,8 +591,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.13.2' -PACKAGE_STRING='unbound 1.13.2' +PACKAGE_VERSION='1.15.1' +PACKAGE_STRING='unbound 1.15.1' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -682,6 +682,7 @@ SSLLIB HAVE_SSL PC_CRYPTO_DEPENDENCY CONFIG_DATE +GCC_DOCKER_LINTFLAGS NETBSD_LINTFLAGS PYUNBOUND_UNINSTALL PYUNBOUND_INSTALL 
@@ -697,6 +698,7 @@ swig SWIG_LIB SWIG PC_PY_DEPENDENCY +PYTHON_LIBS PY_MAJOR_VERSION PYTHON_SITE_PKG PYTHON_LDFLAGS @@ -811,6 +813,7 @@ infodir docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -877,6 +880,7 @@ enable_subnet enable_gost enable_ecdsa enable_dsa +with_deprecate_rsa_1024 enable_ed25519 enable_ed448 enable_event_api @@ -900,6 +904,7 @@ enable_ipsecmod enable_ipset with_libmnl enable_explicit_port_randomisation +enable_linux_ip_local_port_range with_libunbound_only ' ac_precious_vars='build_alias @@ -960,6 +965,7 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1212,6 +1218,15 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1349,7 +1364,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. 
@@ -1462,7 +1477,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.13.2 to adapt to many kinds of systems. +\`configure' configures unbound 1.15.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1502,6 +1517,7 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -1527,7 +1543,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.13.2:";; + short | recursive ) echo "Configuration of unbound 1.15.1:";; esac cat <<\_ACEOF @@ -1592,6 +1608,16 @@ Optional Features: --disable-explicit-port-randomisation disable explicit source port randomisation and rely on the kernel to provide random source ports + --enable-linux-ip-local-port-range + Define this to enable use of + /proc/sys/net/ipv4/ip_local_port_range as a default + outgoing port range. This is only for the libunbound + on Linux and does not affect unbound resolving + daemon itself. This may severely limit the number of + available outgoing ports and thus decrease + randomness. Define this only when the target system + restricts (e.g. some of SELinux enabled + distributions) the use of non-ephemeral ports. Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] 
@@ -1637,8 +1663,12 @@ Optional Packages: --with-nettle=path use libnettle as crypto library, installed at path. --with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw - /usr) + /usr or specify like /usr/include/openssl11) --with-libbsd Use portable libbsd functions + --with-deprecate-rsa-1024 + Deprecate RSA 1024 bit length, makes that an + unsupported key, for use when OpenSSL FIPS refuses + 1024 bit verification --with-libevent=pathname use libevent (will check /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr or you can specify @@ -1755,7 +1785,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.13.2 +unbound configure 1.15.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2464,7 +2494,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.13.2, which was +It was created by unbound $as_me 1.15.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2814,13 +2844,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu UNBOUND_VERSION_MAJOR=1 -UNBOUND_VERSION_MINOR=13 +UNBOUND_VERSION_MINOR=15 -UNBOUND_VERSION_MICRO=2 +UNBOUND_VERSION_MICRO=1 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=13 +LIBUNBOUND_REVISION=16 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2901,6 +2931,9 @@ LIBUNBOUND_AGE=1 # 1.13.0 had 9:11:1 # 1.13.1 had 9:12:1 # 1.13.2 had 9:13:1 +# 1.14.0 had 9:14:1 +# 1.15.0 had 9:15:1 +# 1.15.1 had 9:16:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary 
@@ -4199,9 +4232,9 @@ case "$exec_prefix" in esac # are we on MinGW? -if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes" +if uname -s 2>&1 | grep MINGW >/dev/null; then on_mingw="yes" else - if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes" + if echo $host | grep mingw >/dev/null; then on_mingw="yes" else on_mingw="no"; fi fi @@ -8074,7 +8107,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) lt_cv_deplibs_check_method=pass_all ;; -netbsd* | netbsdelf*-gnu) +netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' else @@ -8436,7 +8469,7 @@ esac fi : ${AR=ar} -: ${AR_FLAGS=cr} +: ${AR_FLAGS=cru} @@ -8979,8 +9012,11 @@ _LT_EOF test $ac_status = 0; }; then # Now try to grab the symbols. nlist=conftest.nm - $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&5 - if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&5 && test -s "$nlist"; then + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5 + (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" @@ -10199,8 +10235,8 @@ int forced_loaded() { return 2;} _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5 $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5 - echo "$AR cr libconftest.a conftest.o" >&5 - $AR cr libconftest.a conftest.o 2>&5 + echo "$AR cru libconftest.a conftest.o" >&5 + $AR cru libconftest.a conftest.o 2>&5 echo "$RANLIB libconftest.a" >&5 $RANLIB libconftest.a 2>&5 cat > conftest.c << _LT_EOF 
@@ -11060,12 +11096,6 @@ lt_prog_compiler_static= lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-static' ;; - # flang / f18. f95 an alias for gfortran or flang on Debian - flang* | f18* | f95*) - lt_prog_compiler_wl='-Wl,' - lt_prog_compiler_pic='-fPIC' - lt_prog_compiler_static='-static' - ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) @@ -11542,9 +11572,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie openbsd* | bitrig*) with_gnu_ld=no ;; - linux* | k*bsd*-gnu | gnu*) - link_all_deplibs=no - ;; esac ld_shlibs=yes @@ -11799,7 +11826,7 @@ _LT_EOF fi ;; - netbsd* | netbsdelf*-gnu) + netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= @@ -12469,7 +12496,6 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; } if test yes = "$lt_cv_irix_exported_symbol"; then archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib' fi - link_all_deplibs=no else archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib' @@ -12491,7 +12517,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; } esac ;; - netbsd* | netbsdelf*-gnu) + netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else 
@@ -13586,6 +13612,9 @@ fi # before this can be enabled. hardcode_into_libs=yes + # Add ABI-specific directories to the system library path. + sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" + # Ideally, we could use ldconfig to report *all* directores which are # searched for libraries, however this is still not possible. Aside from not # being certain /sbin/ldconfig is available, command @@ -13594,7 +13623,7 @@ fi # appending ld.so.conf contents (and includes) to the search path. if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on @@ -13606,18 +13635,6 @@ fi dynamic_linker='GNU/Linux ld.so' ;; -netbsdelf*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='NetBSD ld.elf_so' - ;; - netbsd*) version_type=sunos need_lib_prefix=no @@ -14627,6 +14644,8 @@ CC=$lt_save_CC +# pkg-config is only needed for these options, do not require it otherwise +if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then 
@@ -14747,6 +14766,7 @@ $as_echo "no" >&6; } PKG_CONFIG="" fi fi +fi # Checks for header files. for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h @@ -14806,6 +14826,51 @@ fi done +for ac_header in netioapi.h +do : + ac_fn_c_check_header_compile "$LINENO" "netioapi.h" "ac_cv_header_netioapi_h" "$ac_includes_default +#if HAVE_SYS_PARAM_H +#include +#endif + +#ifdef HAVE_SYS_SOCKET_H +#include +#endif + +#ifdef HAVE_SYS_UIO_H +#include +#endif + +#ifdef HAVE_NETINET_IN_H +#include +#endif + +#ifdef HAVE_NETINET_TCP_H +#include +#endif + +#ifdef HAVE_ARPA_INET_H +#include +#endif + +#ifdef HAVE_WINSOCK2_H +#include +#endif + +#ifdef HAVE_WS2TCPIP_H +#include +#endif + +" +if test "x$ac_cv_header_netioapi_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_NETIOAPI_H 1 +_ACEOF + +fi + +done + # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. @@ -15319,7 +15384,7 @@ if test "$ac_res" != no; then : fi -# check wether strptime also works +# check whether strptime also works # check some functions of the OS before linking libs (while still runnable). for ac_header in unistd.h @@ -15938,7 +16003,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking if nonblocking sockets work" >&5 $as_echo_n "checking if nonblocking sockets work... " >&6; } -if echo $target | grep mingw32 >/dev/null; then +if echo $host | grep mingw >/dev/null; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no (windows)" >&5 $as_echo "no (windows)" >&6; } 
@@ -16206,7 +16271,10 @@ done # check if we can use SO_REUSEPORT -if echo "$host" | $GREP -i -e linux -e dragonfly >/dev/null; then +reuseport_default=0 +if echo "$host" | $GREP -i -e linux >/dev/null; then reuseport_default=1; fi +if echo "$host" | $GREP -i -e dragonfly >/dev/null; then reuseport_default=1; fi +if test "$reuseport_default" = 1; then $as_echo "#define REUSEPORT_DEFAULT 1" >>confdefs.h 
@@ -17400,22 +17468,38 @@ fi print(sys.version.split()[0])"` fi - # - # Check if you have distutils, else fail - # - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the distutils Python package" >&5 -$as_echo_n "checking for the distutils Python package... " >&6; } - if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then + # Check if you have sysconfig + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the sysconfig Python module" >&5 +$as_echo_n "checking for the sysconfig Python module... " >&6; } + if ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } - else + sysconfig_module="sysconfig" + # if yes, use sysconfig, because distutils is deprecated. + else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - as_fn_error $? "cannot import Python module \"distutils\". -Please check your Python installation. The error was: -$ac_distutils_result" "$LINENO" 5 - PYTHON_VERSION="" - fi + # if no, try to use distutils + + # + # Check if you have distutils, else fail + # + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the distutils Python package" >&5 +$as_echo_n "checking for the distutils Python package... " >&6; } + if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "cannot import Python module \"distutils\". + Please check your Python installation. The error was: + $ac_distutils_result" "$LINENO" 5 + PYTHON_VERSION="" + fi + + sysconfig_module="distutils.sysconfig" + fi # # Check for Python include path 
@@ -17423,8 +17507,13 @@ $ac_distutils_result" "$LINENO" 5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python include path" >&5 $as_echo_n "checking for Python include path... " >&6; } if test -z "$PYTHON_CPPFLAGS"; then - python_path=`$PYTHON -c "import distutils.sysconfig; \ - print(distutils.sysconfig.get_python_inc());"` + if test "$sysconfig_module" = "sysconfig"; then + python_path=`$PYTHON -c 'import sysconfig; \ + print(sysconfig.get_path("include"));'` + else + python_path=`$PYTHON -c "import distutils.sysconfig; \ + print(distutils.sysconfig.get_python_inc());"` + fi if test -n "${python_path}"; then python_path="-I$python_path" fi @@ -17440,7 +17529,7 @@ $as_echo "$PYTHON_CPPFLAGS" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python library path" >&5 $as_echo_n "checking for Python library path... " >&6; } if test -z "$PYTHON_LDFLAGS"; then - PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \ + PYTHON_LDFLAGS=`$PYTHON -c "from $sysconfig_module import *; \ print('-L'+get_config_var('LIBDIR')+' -L'+get_config_var('LIBDEST')+' '+get_config_var('BLDLIBRARY'));"` fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_LDFLAGS" >&5 @@ -17448,7 +17537,7 @@ $as_echo "$PYTHON_LDFLAGS" >&6; } if test -z "$PYTHON_LIBDIR"; then - PYTHON_LIBDIR=`$PYTHON -c "from distutils.sysconfig import *; \ + PYTHON_LIBDIR=`$PYTHON -c "from $sysconfig_module import *; \ print(get_config_var('LIBDIR'));"` fi 
@@ -17458,8 +17547,13 @@ $as_echo "$PYTHON_LDFLAGS" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python site-packages path" >&5 $as_echo_n "checking for Python site-packages path... " >&6; } if test -z "$PYTHON_SITE_PKG"; then - PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \ - print(distutils.sysconfig.get_python_lib(1,0));"` + if test "$sysconfig_module" = "sysconfig"; then + PYTHON_SITE_PKG=`$PYTHON -c 'import sysconfig; \ + print(sysconfig.get_path("platlib"));'` + else + PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \ + print(distutils.sysconfig.get_python_lib(1,0));"` + fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_SITE_PKG" >&5 $as_echo "$PYTHON_SITE_PKG" >&6; } @@ -17547,11 +17641,15 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu $as_echo "#define HAVE_PYTHON 1" >>confdefs.h - if test -n "$LIBS"; then - LIBS="$PYTHON_LDFLAGS $LIBS" - else - LIBS="$PYTHON_LDFLAGS" + if test x_$ub_with_pythonmod != x_no; then + if test -n "$LIBS"; then + LIBS="$PYTHON_LDFLAGS $LIBS" + else + LIBS="$PYTHON_LDFLAGS" + fi fi + PYTHON_LIBS="$PYTHON_LDFLAGS" + if test -n "$CPPFLAGS"; then CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS" else @@ -17880,6 +17978,12 @@ fi if test "`uname`" = "NetBSD"; then NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_' +fi + +if test "`uname`" = "Linux"; then + # splint cannot parse modern c99 header files + GCC_DOCKER_LINTFLAGS='-syntax' + fi CONFIG_DATE=`date +%Y%m%d` 
@@ -17987,6 +18091,25 @@ fi if test x_$withval != x_no; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL" >&5 $as_echo_n "checking for SSL... " >&6; } + if test -n "$withval"; then + if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then + ssldir="$withval" + found_ssl="yes" + withval="" + ssldir_include="$ssldir" + ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + as_fn_error $? "Could not find openssl lib file, $ssldir_lib/libssl.so,a, pass like \"/usr/local\" or \"/usr/include/openssl11\"" "$LINENO" 5 + fi + fi + fi + fi if test x_$withval = x_ -o x_$withval = x_yes; then withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr" fi @@ -17994,15 +18117,12 @@ $as_echo_n "checking for SSL... " >&6; } ssldir="$dir" if test -f "$dir/include/openssl/ssl.h"; then found_ssl="yes" - -cat >>confdefs.h <<_ACEOF -#define HAVE_SSL /**/ -_ACEOF - - if test "$ssldir" != "/usr"; then - CPPFLAGS="$CPPFLAGS -I$ssldir/include" - LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include" - fi + ssldir_include="$ssldir/include" + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then + ssldir_lib="$ssldir/lib64" + else + ssldir_lib="$ssldir/lib" + fi break; fi done 
@@ -18011,18 +18131,25 @@ _ACEOF else { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $ssldir" >&5 $as_echo "found in $ssldir" >&6; } + +cat >>confdefs.h <<_ACEOF +#define HAVE_SSL /**/ +_ACEOF + HAVE_SSL=yes - if test "$ssldir" != "/usr" -a "$ssldir" != ""; then - LDFLAGS="$LDFLAGS -L$ssldir/lib" - LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" + if test "$ssldir" != "/usr"; then + CPPFLAGS="$CPPFLAGS -I$ssldir_include" + LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include" + LDFLAGS="$LDFLAGS -L$ssldir_lib" + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib" if test "x$enable_rpath" = xyes; then - if echo "$ssldir/lib" | grep "^/" >/dev/null; then - RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib" + if echo "$ssldir_lib" | grep "^/" >/dev/null; then + RUNTIME_PATH="$RUNTIME_PATH -R$ssldir_lib" fi fi - fi + fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5 $as_echo_n "checking for EVP_sha256 in -lcrypto... " >&6; } @@ -18310,7 +18437,7 @@ rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext SSLLIB="-lssl" -PC_CRYPTO_DEPENDENCY="libcrypto libssl" +PC_CRYPTO_DEPENDENCY="" # check if -lcrypt32 is needed because CAPIENG needs that. (on windows) @@ -18351,7 +18478,7 @@ rm -f core conftest.err conftest.$ac_objext \ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5 $as_echo_n "checking for LibreSSL... " >&6; } -if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then +if grep VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } 
@@ -18404,7 +18531,7 @@ else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi -for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h +for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default @@ -18418,7 +18545,7 @@ fi done -for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params +for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" 
@@ -18434,7 +18561,7 @@ done # these check_funcs need -lssl BAKLIBS="$LIBS" LIBS="-lssl $LIBS" -for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb +for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -18740,7 +18867,7 @@ $as_echo "#define CLIENT_SUBNET 1" >>confdefs.h ;; esac -# check wether gost also works +# check whether gost also works # Check whether --enable-gost was given. if test "${enable_gost+set}" = set; then : @@ -18773,7 +18900,7 @@ $as_echo_n "checking if GOST works... " >&6; } if test c${cross_compiling} = cno; then BAKCFLAGS="$CFLAGS" if test -n "$ssldir"; then - CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib" + CFLAGS="$CFLAGS -Wl,-rpath,$ssldir_lib" fi if test "$cross_compiling" = yes; then : { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 
@@ -18956,8 +19083,8 @@ fi # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency) { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5 $as_echo_n "checking if openssl supports SHA2 and ECDSA with EVP... " >&6; } - if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then - if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then + if grep OPENSSL_VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then + if grep OPENSSL_VERSION_NUMBER $ssldir_include/openssl/opensslv.h | grep 0x0 >/dev/null; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } @@ -19051,6 +19178,18 @@ _ACEOF ;; esac + +# Check whether --with-deprecate-rsa-1024 was given. +if test "${with_deprecate_rsa_1024+set}" = set; then : + withval=$with_deprecate_rsa_1024; +fi + +if test "$with_deprecate_rsa_1024" = "yes"; then + +$as_echo "#define DEPRECATE_RSA_1024 1" >>confdefs.h + +fi + # Check whether --enable-ed25519 was given. if test "${enable_ed25519+set}" = set; then : enableval=$enable_ed25519; @@ -19177,8 +19316,8 @@ fi case "$enable_tfo_client" in yes) - case `uname` in - Linux) ac_fn_c_check_decl "$LINENO" "MSG_FASTOPEN" "ac_cv_have_decl_MSG_FASTOPEN" "$ac_includes_default + case "$host_os" in + linux*) ac_fn_c_check_decl "$LINENO" "MSG_FASTOPEN" "ac_cv_have_decl_MSG_FASTOPEN" "$ac_includes_default #include " @@ -19194,8 +19333,8 @@ cat >>confdefs.h <<_ACEOF #define USE_MSG_FASTOPEN 1 _ACEOF - ;; - Darwin) ac_fn_c_check_decl "$LINENO" "CONNECT_RESUME_ON_READ_WRITE" "ac_cv_have_decl_CONNECT_RESUME_ON_READ_WRITE" "$ac_includes_default + ;; + darwin*) ac_fn_c_check_decl "$LINENO" "CONNECT_RESUME_ON_READ_WRITE" "ac_cv_have_decl_CONNECT_RESUME_ON_READ_WRITE" "$ac_includes_default #include " 
@@ -19211,9 +19350,9 @@ cat >>confdefs.h <<_ACEOF #define USE_OSX_MSG_FASTOPEN 1 _ACEOF - ;; + ;; esac - ;; + ;; no|*) ;; esac @@ -20081,6 +20220,9 @@ fi WIN_CHECKCONF_OBJ_LINK="rsrc_unbound_checkconf.o" + +$as_echo "#define __USE_MINGW_ANSI_STDIO 1" >>confdefs.h + fi if test $ac_cv_func_getaddrinfo = no; then case " $LIBOBJS " in @@ -20368,7 +20510,7 @@ if test "$ac_res" != no; then : fi -for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs +for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -20428,7 +20570,7 @@ done # check if setreuid en setregid fail, on MacOSX10.4(darwin8). -if echo $target_os | grep darwin8 > /dev/null; then +if echo $host_os | grep darwin8 > /dev/null; then $as_echo "#define DARWIN_BROKEN_SETREUID 1" >>confdefs.h @@ -21065,7 +21207,7 @@ case "$enable_allsymbols" in yes) COMMON_OBJ_ALL_SYMBOLS="" UBSYMS="" - EXTRALINK="-L. -L.libs -lunbound" + EXTRALINK="libunbound.la" $as_echo "#define EXPORT_ALL_SYMBOLS 1" >>confdefs.h 
@@ -21613,6 +21755,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h ;; esac +if echo "$host" | $GREP -i -e linux >/dev/null; then + # Check whether --enable-linux-ip-local-port-range was given. +if test "${enable_linux_ip_local_port_range+set}" = set; then : + enableval=$enable_linux_ip_local_port_range; +fi + + case "$enable_linux_ip_local_port_range" in + yes) + +$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h + + ;; + no|*) + ;; + esac +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5 $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; } @@ -21769,7 +21928,7 @@ _ACEOF -version=1.13.2 +version=1.15.1 date=`date +'%b %e, %Y'` @@ -22288,7 +22447,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.13.2, which was +This file was extended by unbound $as_me 1.15.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -22354,7 +22513,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.13.2 +unbound config.status 1.15.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -23347,6 +23506,7 @@ $as_echo "$as_me: executing $ac_file commands" >&6;} cat <<_LT_EOF >> "$cfgfile" #! $SHELL # Generated automatically by $as_me ($PACKAGE) $VERSION +# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: # NOTE: Changes made to this file will be lost: look at ltmain.sh. # Provide generalized library-building support services. diff --git a/configure.ac b/configure.ac index 43286e2b9..ca0c6154f 100644 --- a/configure.ac +++ b/configure.ac 
@@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) -m4_define([VERSION_MINOR],[13]) -m4_define([VERSION_MICRO],[2]) +m4_define([VERSION_MINOR],[15]) +m4_define([VERSION_MICRO],[1]) AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound]) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=13 +LIBUNBOUND_REVISION=16 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -99,6 +99,9 @@ LIBUNBOUND_AGE=1 # 1.13.0 had 9:11:1 # 1.13.1 had 9:12:1 # 1.13.2 had 9:13:1 +# 1.14.0 had 9:14:1 +# 1.15.0 had 9:15:1 +# 1.15.1 had 9:16:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -147,9 +150,9 @@ case "$exec_prefix" in esac # are we on MinGW? -if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes" +if uname -s 2>&1 | grep MINGW >/dev/null; then on_mingw="yes" else - if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes" + if echo $host | grep mingw >/dev/null; then on_mingw="yes" else on_mingw="no"; fi fi 
@@ -385,7 +388,10 @@ AC_CHECK_PROG(doxygen, doxygen, doxygen) AC_CHECK_TOOL(STRIP, strip) ACX_LIBTOOL_C_ONLY +# pkg-config is only needed for these options, do not require it otherwise +if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then PKG_PROG_PKG_CONFIG +fi # Checks for header files. AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT]) @@ -408,6 +414,39 @@ AC_CHECK_HEADERS([net/if.h],,, [ # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH AC_CHECK_HEADERS([TargetConditionals.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([netioapi.h],,, [AC_INCLUDES_DEFAULT +#if HAVE_SYS_PARAM_H +#include +#endif + +#ifdef HAVE_SYS_SOCKET_H +#include +#endif + +#ifdef HAVE_SYS_UIO_H +#include +#endif + +#ifdef HAVE_NETINET_IN_H +#include +#endif + +#ifdef HAVE_NETINET_TCP_H +#include +#endif + +#ifdef HAVE_ARPA_INET_H +#include +#endif + +#ifdef HAVE_WINSOCK2_H +#include +#endif + +#ifdef HAVE_WS2TCPIP_H +#include +#endif +]) # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. @@ -454,7 +493,7 @@ AC_SUBST(RUNTIME_PATH) AC_SEARCH_LIBS([inet_pton], [nsl]) AC_SEARCH_LIBS([socket], [socket]) -# check wether strptime also works +# check whether strptime also works AC_DEFUN([AC_CHECK_STRPTIME_WORKS], [AC_REQUIRE([AC_PROG_CC]) AC_MSG_CHECKING(whether strptime works) 
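Review bot: The guard added around `PKG_PROG_PKG_CONFIG` in the first hunk runs the macro only when one of the three variables is exactly `yes`, so an option given with any other value leaves `PKG_CONFIG` undetected for whatever later check relies on it. The hunk does not show how these options are declared, so the variable names and accepted values should be confirmed against the matching `AC_ARG_ENABLE`/`AC_ARG_WITH` lines. The condition also chains tests with `-o`, which the Autoconf manual advises against as non-portable; `if test "$enable_systemd" = "yes" || test "$with_pyunbound" = "yes" || test "$with_pythonmod" = "yes"; then` is the portable spelling. The same guard appears in the generated configure and would follow from regenerating it.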
@@ -490,7 +529,10 @@ ACX_MKDIR_ONE_ARG AC_CHECK_FUNCS([strptime],[AC_CHECK_STRPTIME_WORKS],[AC_LIBOBJ([strptime])]) # check if we can use SO_REUSEPORT -if echo "$host" | $GREP -i -e linux -e dragonfly >/dev/null; then +reuseport_default=0 +if echo "$host" | $GREP -i -e linux >/dev/null; then reuseport_default=1; fi +if echo "$host" | $GREP -i -e dragonfly >/dev/null; then reuseport_default=1; fi +if test "$reuseport_default" = 1; then AC_DEFINE(REUSEPORT_DEFAULT, 1, [if REUSEPORT is enabled by default]) else AC_DEFINE(REUSEPORT_DEFAULT, 0, [if REUSEPORT is enabled by default]) @@ -693,11 +735,15 @@ if test x_$ub_test_python != x_no; then AC_SUBST(PY_MAJOR_VERSION) # Have Python AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header files.]) - if test -n "$LIBS"; then - LIBS="$PYTHON_LDFLAGS $LIBS" - else - LIBS="$PYTHON_LDFLAGS" + if test x_$ub_with_pythonmod != x_no; then + if test -n "$LIBS"; then + LIBS="$PYTHON_LDFLAGS $LIBS" + else + LIBS="$PYTHON_LDFLAGS" + fi fi + PYTHON_LIBS="$PYTHON_LDFLAGS" + AC_SUBST(PYTHON_LIBS) if test -n "$CPPFLAGS"; then CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS" else @@ -770,6 +816,12 @@ if test "`uname`" = "NetBSD"; then NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_' AC_SUBST(NETBSD_LINTFLAGS) fi + +if test "`uname`" = "Linux"; then + # splint cannot parse modern c99 header files + GCC_DOCKER_LINTFLAGS='-syntax' + AC_SUBST(GCC_DOCKER_LINTFLAGS) +fi CONFIG_DATE=`date +%Y%m%d` AC_SUBST(CONFIG_DATE) @@ -824,7 +876,7 @@ ACX_WITH_SSL ACX_LIB_SSL SSLLIB="-lssl" -PC_CRYPTO_DEPENDENCY="libcrypto libssl" +PC_CRYPTO_DEPENDENCY="" AC_SUBST(PC_CRYPTO_DEPENDENCY) # check if -lcrypt32 is needed because CAPIENG needs that. (on windows) 
@@ -844,7 +896,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ ]) AC_MSG_CHECKING([for LibreSSL]) -if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then +if grep VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then AC_MSG_RESULT([yes]) AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL]) # libressl provides these compat functions, but they may also be 
@@ -853,13 +905,13 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/ else AC_MSG_RESULT([no]) fi -AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params]) +AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex]) # these check_funcs need -lssl BAKLIBS="$LIBS" LIBS="-lssl $LIBS" -AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb]) +AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate]) LIBS="$BAKLIBS" AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ 
@@ -967,14 +1019,14 @@ case "$enable_subnet" in ;; esac -# check wether gost also works +# check whether gost also works AC_DEFUN([AC_CHECK_GOST_WORKS], [AC_REQUIRE([AC_PROG_CC]) AC_MSG_CHECKING([if GOST works]) if test c${cross_compiling} = cno; then BAKCFLAGS="$CFLAGS" if test -n "$ssldir"; then - CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib" + CFLAGS="$CFLAGS -Wl,-rpath,$ssldir_lib" fi AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include @@ -1097,8 +1149,8 @@ case "$enable_ecdsa" in ]) # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency) AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP]) - if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then - if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then + if grep OPENSSL_VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then + if grep OPENSSL_VERSION_NUMBER $ssldir_include/openssl/opensslv.h | grep 0x0 >/dev/null; then AC_MSG_RESULT([no]) AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl]) else @@ -1155,6 +1207,11 @@ AC_INCLUDES_DEFAULT ;; esac +AC_ARG_WITH(deprecate-rsa-1024, AS_HELP_STRING([--with-deprecate-rsa-1024],[Deprecate RSA 1024 bit length, makes that an unsupported key, for use when OpenSSL FIPS refuses 1024 bit verification])) +if test "$with_deprecate_rsa_1024" = "yes"; then + AC_DEFINE([DEPRECATE_RSA_1024], [1], [Deprecate RSA 1024 bit length, makes that an unsupported key]) +fi + AC_ARG_ENABLE(ed25519, AS_HELP_STRING([--disable-ed25519],[Disable ED25519 support])) use_ed25519="no" case "$enable_ed25519" in 
@@ -1211,23 +1268,23 @@ esac AC_ARG_ENABLE(tfo-client, AS_HELP_STRING([--enable-tfo-client],[Enable TCP Fast Open for client mode])) case "$enable_tfo_client" in yes) - case `uname` in - Linux) AC_CHECK_DECL([MSG_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])], - [AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])], - [AC_INCLUDES_DEFAULT + case "$host_os" in + linux*) AC_CHECK_DECL([MSG_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])], + [AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])], + [AC_INCLUDES_DEFAULT #include ]) - AC_DEFINE_UNQUOTED([USE_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.]) - ;; - Darwin) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])], - [AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])], - [AC_INCLUDES_DEFAULT + AC_DEFINE_UNQUOTED([USE_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.]) + ;; + darwin*) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])], + [AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])], + [AC_INCLUDES_DEFAULT #include ]) - AC_DEFINE_UNQUOTED([USE_OSX_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.]) - ;; + AC_DEFINE_UNQUOTED([USE_OSX_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.]) + ;; esac - ;; + ;; no|*) ;; esac 
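Review bot: The inner `case "$host_os"` still has no default branch, so `--enable-tfo-client` on a host that matches neither `linux*` nor `darwin*` is accepted silently and defines neither `USE_MSG_FASTOPEN` nor `USE_OSX_MSG_FASTOPEN`. Switching from `uname` to `$host_os` makes cross builds pick the right branch, but a packager on another platform still gets no hint that the option did nothing. Adding `*) AC_MSG_WARN([--enable-tfo-client is not supported on $host_os and is ignored]) ;;` before the inner `esac` would make that visible; `AC_MSG_ERROR` would match the two existing branches more closely but would break builds that pass the flag today.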
@@ -1497,6 +1554,7 @@ if test "$USE_WINSOCK" = 1; then AC_SUBST(WIN_CONTROL_OBJ_LINK) WIN_CHECKCONF_OBJ_LINK="rsrc_unbound_checkconf.o" AC_SUBST(WIN_CHECKCONF_OBJ_LINK) + AC_DEFINE(__USE_MINGW_ANSI_STDIO, 1, [defined to use gcc ansi snprintf and sscanf that understands %lld when compiled for windows.]) fi if test $ac_cv_func_getaddrinfo = no; then AC_LIBOBJ([fake-rfc2553]) @@ -1583,12 +1641,12 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([ AC_MSG_RESULT(no)) AC_SEARCH_LIBS([setusercontext], [util]) -AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs]) +AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex]) AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])]) AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])]) # check if setreuid en setregid fail, on MacOSX10.4(darwin8). -if echo $target_os | grep darwin8 > /dev/null; then +if echo $host_os | grep darwin8 > /dev/null; then AC_DEFINE(DARWIN_BROKEN_SETREUID, 1, [Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work]) fi AC_CHECK_DECLS([inet_pton,inet_ntop], [], [], [ 
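Review bot: `__USE_MINGW_ANSI_STDIO` is emitted with `AC_DEFINE`, so it reaches the compiler through config.h and only selects the ANSI stdio functions in translation units that include config.h before any system header. The later `ARG_LL` hunk switches the format to `"%ll"` whenever this macro is defined, so a file that pulls in `<stdio.h>` first would pair `%lld` with the non-ANSI printf/scanf family and misparse 64-bit values. I cannot see from the hunk whether every source file includes config.h first, so the description is the place to record the requirement, for example ending it with `Must be seen before any system header is included.` Passing it on the command line instead, `CPPFLAGS="$CPPFLAGS -D__USE_MINGW_ANSI_STDIO=1"`, would remove the ordering dependency.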
@@ -1851,6 +1909,17 @@ case "$enable_explicit_port_randomisation" in ;; esac +if echo "$host" | $GREP -i -e linux >/dev/null; then + AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.])) + case "$enable_linux_ip_local_port_range" in + yes) + AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.]) + ;; + no|*) + ;; + esac +fi + AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) # on openBSD, the implicit rule make $< work. @@ -1993,7 +2062,7 @@ dnl includes #include #endif -#ifndef USE_WINSOCK +#if !defined(USE_WINSOCK) || !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN) || defined(__USE_MINGW_ANSI_STDIO) #define ARG_LL "%ll" #else #define ARG_LL "%I64" diff --git a/contrib/Dockerfile.tests b/contrib/Dockerfile.tests new file mode 100644 index 000000000..417daccb2 --- /dev/null +++ b/contrib/Dockerfile.tests 
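Review bot: The new `--enable-linux-ip-local-port-range` option is declared with `AC_HELP_STRING`, which Autoconf marks obsolete, while the other options visible in this diff (`--with-deprecate-rsa-1024`, `--enable-tfo-client`) use `AS_HELP_STRING`; `AC_ARG_ENABLE(linux-ip-local-port-range, AS_HELP_STRING([--enable-linux-ip-local-port-range], [...]))` keeps the file consistent. The long description, including the warning that the option narrows the outgoing port range and reduces randomness, is pasted verbatim into both the help string and the `AC_DEFINE`, so the two copies can drift apart. Source-port randomness is one of the resolver's defences against spoofed answers, so the help text should also state that the option is off unless given, which the `no|*)` branch implements.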
@@ -0,0 +1,11 @@
+FROM gcc:latest
+WORKDIR /usr/src/unbound
+RUN apt-get update
+# install semantic parser & lexical analyzer
+RUN apt-get install -y bison flex
+# install packages used in tests
+RUN apt-get install -y ldnsutils dnsutils xxd splint doxygen netcat
+# accept short rsa keys, which are used in tests
+RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf
+
+CMD ["/bin/bash"]
diff --git a/contrib/aaaa-filter-iterator.patch b/contrib/aaaa-filter-iterator.patch
index f51de2a40..551313372 100644
--- a/contrib/aaaa-filter-iterator.patch
+++ b/contrib/aaaa-filter-iterator.patch
@@ -1,8 +1,8 @@ diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in -index f426ac5f..147fbfa9 100644 +index 5a75e319..c6c6dbe2 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in -@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when +@@ -970,6 +970,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing. This option only has effect when qname-minimisation is enabled. Default is no. .TP @@ -17,10 +17,10 @@ index f426ac5f..147fbfa9 100644 Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAINs answers. diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c -index aae934dd..55c55de0 100644 +index f093c1bf..e55a2246 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c -@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset, +@@ -679,6 +679,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt, return 0; }
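Review bot: The `sed` step in contrib/Dockerfile.tests rewrites `SECLEVEL=2` to `SECLEVEL=1` in `/usr/lib/ssl/openssl.cnf`, which lowers the OpenSSL security level for every program in the image, and only the file name marks that as test-only. The comment above it should say so, for example `# test image only: lowers the system-wide OpenSSL security level so the short RSA test keys are accepted; do not reuse as a runtime base`. `FROM gcc:latest` is unpinned, so the toolchain and the layout of openssl.cnf that the `sed` depends on can change between builds, and `sed -i` exits 0 even when nothing matched. Pinning the base to a fixed tag or digest and following the edit with `RUN grep -q 'SECLEVEL=1' /usr/lib/ssl/openssl.cnf` would turn silent drift into a failed build.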
@@ -53,7 +53,7 @@ index aae934dd..55c55de0 100644 /** * Given a response event, remove suspect RRsets from the response. * "Suspect" rrsets are potentially poison. Note that this routine expects -@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -698,6 +724,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, struct query_info* qinfo, uint8_t* zonename, struct module_env* env, struct iter_env* ie) { @@ -61,7 +61,7 @@ index aae934dd..55c55de0 100644 int del_addi = 0; /* if additional-holding rrsets are deleted, we do not trust the normalized additional-A-AAAA any more */ struct rrset_parse* rrset, *prev; -@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -733,6 +760,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, rrset = rrset->rrset_all_next; } @@ -75,7 +75,7 @@ index aae934dd..55c55de0 100644 /* At this point, we brutally remove ALL rrsets that aren't * children of the originating zone. The idea here is that, * as far as we know, the server that we contacted is ONLY -@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -744,6 +778,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, rrset = msg->rrset_first; while(rrset) { @@ -101,22 +101,22 @@ index aae934dd..55c55de0 100644 if( (rrset->type == LDNS_RR_TYPE_A || rrset->type == LDNS_RR_TYPE_AAAA)) { diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c -index 7bc67da6..e10f547a 100644 +index 2482a1f4..bd5ba243 100644 --- a/iterator/iter_utils.c +++ b/iterator/iter_utils.c -@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) - } +@@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) iter_env->supports_ipv6 = cfg->do_ip6; iter_env->supports_ipv4 = cfg->do_ip4; + iter_env->outbound_msg_retry = cfg->outbound_msg_retry; + iter_env->aaaa_filter = cfg->aaaa_filter; return 1; } 
diff --git a/iterator/iterator.c b/iterator/iterator.c -index 23b07ea9..ca29b48c 100644 +index 54006940..768fe202 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c -@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id) +@@ -2155,6 +2155,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id) return 0; } @@ -170,7 +170,7 @@ index 23b07ea9..ca29b48c 100644 /** * This is the request event state where the request will be sent to one of -@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -2216,6 +2263,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } @@ -184,7 +184,7 @@ index 23b07ea9..ca29b48c 100644 /* Make sure we have a delegation point, otherwise priming failed * or another failure occurred */ if(!iq->dp) { -@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -3648,6 +3702,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } @@ -246,7 +246,7 @@ index 23b07ea9..ca29b48c 100644 /* * Return priming query results to interested super querystates. * -@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id, +@@ -3667,6 +3776,9 @@ iter_inform_super(struct module_qstate* qstate, int id, else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*) super->minfo[id])->state == DSNS_FIND_STATE) processDSNSResponse(qstate, id, super); @@ -256,7 +256,7 @@ index 23b07ea9..ca29b48c 100644 else if(qstate->return_rcode != LDNS_RCODE_NOERROR) error_supers(qstate, id, super); else if(qstate->is_priming) -@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -3704,6 +3816,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, case INIT_REQUEST_3_STATE: cont = processInitRequest3(qstate, iq, id); break; 
@@ -266,7 +266,7 @@ index 23b07ea9..ca29b48c 100644 case QUERYTARGETS_STATE: cont = processQueryTargets(qstate, iq, ie, id); break; -@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state) +@@ -4040,6 +4155,8 @@ iter_state_to_string(enum iter_state state) return "INIT REQUEST STATE (stage 2)"; case INIT_REQUEST_3_STATE: return "INIT REQUEST STATE (stage 3)"; @@ -275,7 +275,7 @@ index 23b07ea9..ca29b48c 100644 case QUERYTARGETS_STATE : return "QUERY TARGETS STATE"; case PRIME_RESP_STATE : -@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s) +@@ -4064,6 +4181,7 @@ iter_state_is_responsestate(enum iter_state s) case INIT_REQUEST_STATE : case INIT_REQUEST_2_STATE : case INIT_REQUEST_3_STATE : @@ -284,10 +284,10 @@ index 23b07ea9..ca29b48c 100644 case COLLECT_CLASS_STATE : return 0; diff --git a/iterator/iterator.h b/iterator/iterator.h -index 342ac207..731948d1 100644 +index 8b840528..a61c4195 100644 --- a/iterator/iterator.h +++ b/iterator/iterator.h -@@ -135,6 +135,9 @@ struct iter_env { +@@ -133,6 +133,9 @@ struct iter_env { */ int* target_fetch_policy; @@ -297,7 +297,7 @@ index 342ac207..731948d1 100644 /** lock on ratelimit counter */ lock_basic_type queries_ratelimit_lock; /** number of queries that have been ratelimited */ -@@ -186,6 +189,14 @@ enum iter_state { +@@ -187,6 +190,14 @@ enum iter_state { */ INIT_REQUEST_3_STATE, @@ -312,7 +312,7 @@ index 342ac207..731948d1 100644 /** * Each time a delegation point changes for a given query or a * query times out and/or wakes up, this state is (re)visited. -@@ -375,6 +386,13 @@ struct iter_qstate { +@@ -376,6 +387,13 @@ struct iter_qstate { */ int refetch_glue; @@ -327,10 +327,10 @@ index 342ac207..731948d1 100644 struct outbound_list outlist; diff --git a/pythonmod/interface.i b/pythonmod/interface.i -index f08b575d..47f1bb2e 100644 +index 1ca8686a..d91b19ec 100644 --- a/pythonmod/interface.i 
+++ b/pythonmod/interface.i -@@ -975,6 +975,7 @@ struct config_file { +@@ -995,6 +995,7 @@ struct config_file { int harden_dnssec_stripped; int harden_referral_path; int use_caps_bits_for_id; @@ -339,10 +339,10 @@ index f08b575d..47f1bb2e 100644 struct config_strlist* private_domain; size_t unwanted_threshold; diff --git a/util/config_file.c b/util/config_file.c -index 0ab8614a..729fb147 100644 +index 969d664b..8d94b008 100644 --- a/util/config_file.c +++ b/util/config_file.c -@@ -218,6 +218,7 @@ config_create(void) +@@ -231,6 +231,7 @@ config_create(void) cfg->harden_referral_path = 0; cfg->harden_algo_downgrade = 0; cfg->use_caps_bits_for_id = 0; @@ -351,10 +351,10 @@ index 0ab8614a..729fb147 100644 cfg->private_address = NULL; cfg->private_domain = NULL; diff --git a/util/config_file.h b/util/config_file.h -index e61257a3..dabaa7bb 100644 +index c7c9a0a4..e3aa15b0 100644 --- a/util/config_file.h +++ b/util/config_file.h -@@ -260,6 +260,8 @@ struct config_file { +@@ -285,6 +285,8 @@ struct config_file { int harden_algo_downgrade; /** use 0x20 bits in query as random ID bits */ int use_caps_bits_for_id; @@ -364,38 +364,38 @@ index e61257a3..dabaa7bb 100644 struct config_strlist* caps_whitelist; /** strip away these private addrs from answers, no DNS Rebinding */ diff --git a/util/configlexer.lex b/util/configlexer.lex -index 79a0edca..4eaec678 100644 +index 34a0e5dd..c890be2a 100644 --- a/util/configlexer.lex 
+++ b/util/configlexer.lex -@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON} { YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) } - use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } +@@ -317,6 +317,7 @@ use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } + caps-exempt{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } +aaaa-filter{COLON} { YDVAR(1, VAR_AAAA_FILTER) } private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) } private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) } prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) } diff --git a/util/configparser.y b/util/configparser.y -index 1d0e8658..f284dd43 100644 +index d4f965f9..8cc237c6 100644 --- a/util/configparser.y +++ b/util/configparser.y 
@@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser; - %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT + %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS +%token VAR_AAAA_FILTER %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE -@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port | +@@ -247,6 +248,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size | server_harden_referral_path | server_private_address | - server_private_domain | server_extended_statistics | + server_private_domain | server_extended_statistics | + server_aaaa_filter | - server_local_data_ptr | server_jostle_timeout | - server_unwanted_reply_threshold | server_log_time_ascii | - server_domain_insecure | server_val_sig_skew_min | -@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG + server_local_data_ptr | server_jostle_timeout | + server_unwanted_reply_threshold | server_log_time_ascii | + server_domain_insecure | server_val_sig_skew_min | +@@ -1754,6 +1756,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG yyerror("out of memory"); } ; diff --git a/contrib/drop2rpz b/contrib/drop2rpz index 01602f651..6ac9b492e 100644 --- a/contrib/drop2rpz +++ b/contrib/drop2rpz @@ -4,7 +4,7 @@ # # unbound.conf: # rpz: -# name: "spamhaus-drop.rpz.local." +# name: "drop.spamhaus.org.rpz.local." # zonefile: "/path/tp/spamhaus-drop.rpz.local" # rpz-log: yes # rpz-log-name: "spamhaus-drop" diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index a4596978d..ada5fac9c 100644 --- a/contrib/unbound.service.in 
+++ b/contrib/unbound.service.in @@ -60,8 +60,13 @@ NoNewPrivileges=true PrivateDevices=true PrivateTmp=true ProtectHome=true +ProtectClock=true ProtectControlGroups=true +ProtectKernelLogs=true ProtectKernelModules=true +# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility. +ProtectKernelTunables=false +ProtectProc=invisible ProtectSystem=strict RuntimeDirectory=unbound ConfigurationDirectory=unbound diff --git a/contrib/unbound.spec b/contrib/unbound.spec index 6ddc5f18d..17be4ccd0 100644 --- a/contrib/unbound.spec +++ b/contrib/unbound.spec @@ -1,15 +1,14 @@ Summary: Validating, recursive, and caching DNS resolver Name: unbound -Version: 1.4.18 +Version: 1.13.1 Release: 1%{?dist} License: BSD Url: http://www.nlnetlabs.nl/unbound/ -Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz +Source: http://www.nlnetlabs.nl/downloads/unbound/%{name}-%{version}.tar.gz #Source1: unbound.init Group: System Environment/Daemons -Requires: ldns BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: flex, openssl-devel, expat-devel, ldns-devel +BuildRequires: flex, openssl-devel, expat-devel %description Unbound is a validating, recursive, and caching DNS resolver. @@ -42,7 +41,7 @@ install -d 0700 %{buildroot}%{_localstatedir}/%{name} install -d 0755 %{buildroot}%{_initrddir} install -m 0755 contrib/unbound.init %{buildroot}%{_initrddir}/unbound # add symbolic link from /etc/unbound.conf -> /var/unbound/unbound.conf -ln -s %{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf +ln -s ../%{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf # remove static library from install (fedora packaging guidelines) rm -f %{buildroot}%{_libdir}/libunbound.a %{buildroot}%{_libdir}/libunbound.la 
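Review bot: The new `Source:` line in contrib/unbound.spec still fetches the release tarball over plain HTTP, so anyone on the network path can alter what gets built. Nothing in the visible hunks verifies a checksum or signature; the rest of the spec is not shown. I would switch the scheme while the URL is being touched anyway: `Source: https://www.nlnetlabs.nl/downloads/unbound/%{name}-%{version}.tar.gz`. The `Url:` context line has the same scheme.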
@@ -55,11 +54,12 @@ rm -rf ${RPM_BUILD_ROOT} %attr(0755,root,root) %{_initrddir}/%{name} %attr(0700,%{name},%{name}) %dir %{_localstatedir}/%{name} %attr(0644,%{name},%{name}) %config(noreplace) %{_localstatedir}/%{name}/unbound.conf -%attr(0644,%{name},%{name}) %config(noreplace) %{_sysconfdir}/unbound.conf +%config(noreplace) %{_sysconfdir}/unbound.conf %{_sbindir}/* %{_mandir}/*/* %{_includedir}/* %{_libdir}/libunbound* +%{_libdir}/pkgconfig/libunbound* %pre getent group unbound >/dev/null || groupadd -r unbound @@ -89,7 +89,13 @@ if [ "$1" -ge "1" ]; then fi %changelog -* Thu Jul 13 2011 Wouter Wijngaards - 1.4.8 +* Thu Jun 10 2021 Wouter Wijngaards - 1.13.1 +- ldns and ldns-devel no longer required. Fixed date. Version to 1.13.1. +- Removed symlink attr mode, made unbound.conf symlink relative. +- Added pkgconfig/libunbound.pc to the packaged files. +- fixed download url to nlnetlabs.nl download. + +* Wed Jul 13 2011 Wouter Wijngaards - 1.4.8 - ldns required and ldns-devel required for build, no more ldns-builtin. * Thu Mar 17 2011 Wouter Wijngaards - 1.4.8 diff --git a/contrib/unbound_munin_ b/contrib/unbound_munin_ index defca291c..503752758 100755 --- a/contrib/unbound_munin_ +++ b/contrib/unbound_munin_ @@ -14,7 +14,6 @@ # Run the command unbound-control-setup to generate the key files. # # Environment variables for this script -# statefile - where to put temporary statefile. # unbound_conf - where the unbound.conf file is located. # unbound_control - where to find unbound-control executable. # spoof_warn - what level to warn about spoofing @@ -24,7 +23,6 @@ # with: # [unbound*] # user root -# env.statefile /usr/local/var/munin/plugin-state/unbound-state # env.unbound_conf /usr/local/etc/unbound/unbound.conf # env.unbound_control /usr/local/sbin/unbound-control # env.spoof_warn 1000 
@@ -66,7 +64,6 @@ System with unbound daemon. [unbound*] user root - env.statefile /usr/local/var/munin/plugin-state/unbound-state env.unbound_conf /usr/local/etc/unbound/unbound.conf env.unbound_control /usr/local/sbin/unbound-control env.spoof_warn 1000 @@ -98,7 +95,8 @@ BSD =cut -state=${statefile:-/usr/local/var/munin/plugin-state/unbound-state} +state="${MUNIN_PLUGSTATE}/unbound.state" +seentags="${MUNIN_PLUGSTATE}/unbound-seentags.state" conf=${unbound_conf:-/usr/local/etc/unbound/unbound.conf} ctrl=${unbound_control:-/usr/local/sbin/unbound-control} warn=${spoof_warn:-1000} @@ -121,12 +119,24 @@ get_value ( ) { fi } +# Update list of seen query types etc to seentags file. This is run while +# holding the lock, after the state file is updated. +update_seentags() { + tmplist="$(cat ${seentags} 2> /dev/null) +num.query.type.A +num.query.class.IN +num.query.opcode.QUERY +num.answer.rcode.NOERROR +" + (echo "${tmplist}"; grep ^num ${state} | sed -e 's/=.*//') | sort -u > ${seentags} +} + # download the state from the unbound server. get_state ( ) { # obtain lock for fetching the state # because there is a race condition in fetching and writing to file - # see if the lock is stale, if so, take it + # see if the lock is stale, if so, take it if test -f $lock ; then pid="`cat $lock 2>&1`" kill -0 "$pid" >/dev/null 2>&1 @@ -168,6 +178,7 @@ get_state ( ) { rm -f $lock exit 1 fi + update_seentags rm -f $lock } @@ -232,7 +243,7 @@ if test "$1" = "config" ; then echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / \${graph_period}" echo "graph_scale no" - echo "graph_category DNS" + echo "graph_category dns" for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state | sed -e 's/=.*//'`; do exist_config $x "queries handled by `basename $x .num.queries`" 
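Review bot: `state` and `seentags` are now built from `${MUNIN_PLUGSTATE}` with no fallback, and the plugin documentation above tells users to run it as `user root`. If the variable is unset (for example when the script is run by hand), both paths resolve to the filesystem root and the script writes `/unbound.state` and `/unbound-seentags.state` as root. I would fail early before the two assignments with `: "${MUNIN_PLUGSTATE:?MUNIN_PLUGSTATE is not set}"`. In the `update_seentags` hunk the expansions `${seentags}` and `${state}` are unquoted; quoting them (`"${seentags}"`, `"${state}"`) keeps a state directory containing spaces from splitting the arguments.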
@@ -256,7 +267,7 @@ if test "$1" = "config" ; then echo "graph_args --base 1000 -l 0" echo "graph_vlabel number of queries" echo "graph_scale no" - echo "graph_category DNS" + echo "graph_category dns" p_config "total.requestlist.avg" "Average size of queue on insert" "GAUGE" p_config "total.requestlist.max" "Max size of queue (in 5 min)" "GAUGE" p_config "total.requestlist.overwritten" "Number of queries replaced by new ones" "GAUGE" @@ -267,7 +278,7 @@ if test "$1" = "config" ; then echo "graph_title Unbound memory usage" echo "graph_args --base 1024 -l 0" echo "graph_vlabel memory used in bytes" - echo "graph_category DNS" + echo "graph_category dns" p_config "mem.cache.rrset" "RRset cache memory" "GAUGE" p_config "mem.cache.message" "Message cache memory" "GAUGE" p_config "mem.mod.iterator" "Iterator module memory" "GAUGE" @@ -283,9 +294,8 @@ if test "$1" = "config" ; then echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / \${graph_period}" echo "graph_scale no" - echo "graph_category DNS" - for x in `grep "^num.query.type" $state`; do - nm=`echo $x | sed -e 's/=.*$//'` + echo "graph_category dns" + for nm in `grep "^num.query.type" $seentags`; do tp=`echo $nm | sed -e s/num.query.type.//` p_config "$nm" "$tp" "ABSOLUTE" done @@ -296,9 +306,8 @@ if test "$1" = "config" ; then echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / \${graph_period}" echo "graph_scale no" - echo "graph_category DNS" - for x in `grep "^num.query.class" $state`; do - nm=`echo $x | sed -e 's/=.*$//'` + echo "graph_category dns" + for nm in `grep "^num.query.class" $seentags`; do tp=`echo $nm | sed -e s/num.query.class.//` p_config "$nm" "$tp" "ABSOLUTE" done 
@@ -309,9 +318,8 @@ if test "$1" = "config" ; then echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / \${graph_period}" echo "graph_scale no" - echo "graph_category DNS" - for x in `grep "^num.query.opcode" $state`; do - nm=`echo $x | sed -e 's/=.*$//'` + echo "graph_category dns" + for nm in `grep "^num.query.opcode" $seentags`; do tp=`echo $nm | sed -e s/num.query.opcode.//` p_config "$nm" "$tp" "ABSOLUTE" done @@ -322,9 +330,8 @@ if test "$1" = "config" ; then echo "graph_args --base 1000 -l 0" echo "graph_vlabel answer packets / \${graph_period}" echo "graph_scale no" - echo "graph_category DNS" - for x in `grep "^num.answer.rcode" $state`; do - nm=`echo $x | sed -e 's/=.*$//'` + echo "graph_category dns" + for nm in `grep "^num.answer.rcode" $seentags`; do tp=`echo $nm | sed -e s/num.answer.rcode.//` p_config "$nm" "$tp" "ABSOLUTE" done @@ -338,7 +345,7 @@ if test "$1" = "config" ; then echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / \${graph_period}" echo "graph_scale no" - echo "graph_category DNS" + echo "graph_category dns" p_config "num.query.flags.QR" "QR (query reply) flag" "ABSOLUTE" p_config "num.query.flags.AA" "AA (auth answer) flag" "ABSOLUTE" p_config "num.query.flags.TC" "TC (truncated) flag" "ABSOLUTE" @@ -356,7 +363,7 @@ if test "$1" = "config" ; then echo "graph_args --base 1000 -l 0" echo "graph_vlabel queries / \${graph_period}" echo "graph_scale no" - echo "graph_category DNS" + echo "graph_category dns" echo hcache.label "cache hits" echo hcache.min 0 echo hcache.type ABSOLUTE 
@@ -467,27 +474,23 @@ memory) done ;; by_type) - for x in `grep "^num.query.type" $state`; do - nm=`echo $x | sed -e 's/=.*$//'` - print_value_line $nm $x + for nm in `grep "^num.query.type" $seentags`; do + print_value $nm done ;; by_class) - for x in `grep "^num.query.class" $state`; do - nm=`echo $x | sed -e 's/=.*$//'` - print_value_line $nm $x + for nm in `grep "^num.query.class" $seentags`; do + print_value $nm done ;; by_opcode) - for x in `grep "^num.query.opcode" $state`; do - nm=`echo $x | sed -e 's/=.*$//'` - print_value_line $nm $x + for nm in `grep "^num.query.opcode" $seentags`; do + print_value $nm done ;; by_rcode) - for x in `grep "^num.answer.rcode" $state`; do - nm=`echo $x | sed -e 's/=.*$//'` - print_value_line $nm $x + for nm in `grep "^num.answer.rcode" $seentags`; do + print_value $nm done print_value "num.answer.secure" print_value "num.answer.bogus" diff --git a/daemon/acl_list.c b/daemon/acl_list.c index 84324575e..aecb3e0c6 100644 --- a/daemon/acl_list.c +++ b/daemon/acl_list.c 
@@ -487,3 +487,38 @@ acl_list_get_mem(struct acl_list* acl) if(!acl) return 0; return sizeof(*acl) + regional_get_mem(acl->region); } + +const char* acl_access_to_str(enum acl_access acl) +{ + switch(acl) { + case acl_deny: return "deny"; + case acl_refuse: return "refuse"; + case acl_deny_non_local: return "deny_non_local"; + case acl_refuse_non_local: return "refuse_non_local"; + case acl_allow: return "allow"; + case acl_allow_snoop: return "allow_snoop"; + case acl_allow_setrd: return "allow_setrd"; + default: break; + } + return "unknown"; +} + +void +log_acl_action(const char* action, struct sockaddr_storage* addr, + socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr) +{ + char a[128], n[128]; + uint16_t port; + addr_to_str(addr, addrlen, a, sizeof(a)); + port = ntohs(((struct sockaddr_in*)addr)->sin_port); + if(acladdr) { + addr_to_str(&acladdr->node.addr, acladdr->node.addrlen, + n, sizeof(n)); + verbose(VERB_ALGO, "%s query from %s port %d because of " + "%s/%d %s", action, a, (int)port, n, acladdr->node.net, + acl_access_to_str(acl)); + } else { + verbose(VERB_ALGO, "%s query from %s port %d", action, a, + (int)port); + } +} diff --git a/daemon/acl_list.h b/daemon/acl_list.h index 3a3b94bc5..c09e832a1 100644 --- a/daemon/acl_list.h +++ b/daemon/acl_list.h @@ -154,4 +154,15 @@ acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr, */ size_t acl_list_get_mem(struct acl_list* acl); +/* + * Get string for acl access specification + * @param acl: access type value + * @return string + */ +const char* acl_access_to_str(enum acl_access acl); + +/* log acl and addr for action */ +void log_acl_action(const char* action, struct sockaddr_storage* addr, + socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr); + #endif /* DAEMON_ACL_LIST_H */ diff --git a/daemon/cachedump.c b/daemon/cachedump.c index b1ce53b59..b929f909b 100644 --- a/daemon/cachedump.c +++ b/daemon/cachedump.c 
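Review bot: In `log_acl_action` the port is read with `ntohs(((struct sockaddr_in*)addr)->sin_port)` whatever the address family of the `sockaddr_storage` is. That presumably relies on `sin_port` and `sin6_port` sitting at the same offset, which holds on common platforms but is not stated anywhere in the hunk. I would add a short comment above the cast, for example `/* sin_port and sin6_port share the same offset, so this also reads the IPv6 port */`, or branch on `addr->ss_family`. The doc comment could also note that the output is emitted only at `VERB_ALGO`, so denied queries are not visible at default verbosity.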
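Review bot: The prototype for `log_acl_action` in acl_list.h carries only the one-line `/* log acl and addr for action */`, and both new comments open with `/*` where the context line above uses the `/**` doc-comment form. The implementation accepts `acladdr == NULL` and then logs only the address and port; callers need to know that from the header. I would document each parameter, for example `@param acladdr: the matching acl entry, or NULL to log only the source address and port`, and state that `action` is a caller-supplied word printed at the start of the line.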
@@ -47,10 +47,12 @@ #include "services/cache/rrset.h" #include "services/cache/dns.h" #include "services/cache/infra.h" +#include "services/outside_network.h" #include "util/data/msgreply.h" #include "util/regional.h" #include "util/net_help.h" #include "util/data/dname.h" +#include "util/config_file.h" #include "iterator/iterator.h" #include "iterator/iter_delegpt.h" #include "iterator/iter_utils.h" @@ -854,7 +856,9 @@ int print_deleg_lookup(RES* ssl, struct worker* worker, uint8_t* nm, "cache; goes to configured roots\n"); } /* go up? */ - if(iter_dp_is_useless(&qinfo, BIT_RD, dp)) { + if(iter_dp_is_useless(&qinfo, BIT_RD, dp, + (worker->env.cfg->do_ip4 && worker->back->num_ip4 != 0), + (worker->env.cfg->do_ip6 && worker->back->num_ip6 != 0))) { print_dp_main(ssl, dp, msg); print_dp_details(ssl, worker, dp); if(!ssl_printf(ssl, "cache delegation was " diff --git a/daemon/daemon.c b/daemon/daemon.c index 6d6667883..0e3923b4e 100644 --- a/daemon/daemon.c +++ b/daemon/daemon.c @@ -210,7 +210,6 @@ daemon_init(void) } #endif /* USE_WINSOCK */ signal_handling_record(); - checklock_start(); #ifdef HAVE_SSL # ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS ERR_load_crypto_strings(); @@ -280,6 +279,7 @@ daemon_init(void) free(daemon); return NULL; } + listen_setup_locks(); if(gettimeofday(&daemon->time_boot, NULL) < 0) log_err("gettimeofday: %s", strerror(errno)); daemon->time_last_stat = daemon->time_boot; @@ -781,6 +781,7 @@ daemon_delete(struct daemon* daemon) alloc_clear(&daemon->superalloc); acl_list_delete(daemon->acl); tcl_list_delete(daemon->tcl); + listen_desetup_locks(); free(daemon->chroot); free(daemon->pidfile); free(daemon->env); diff --git a/daemon/remote.c b/daemon/remote.c index 7e432fe52..675ef4397 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -130,7 +130,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d) { #ifndef S_SPLINT_S size_t leftover; - if(d == 0) { + if(d <= 0) { avg->tv_sec = 0; avg->tv_usec = 0; return; 
@@ -139,7 +139,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d) avg->tv_usec = sum->tv_usec / d; /* handle fraction from seconds divide */ leftover = sum->tv_sec - avg->tv_sec*d; - avg->tv_usec += (leftover*1000000)/d; + if(leftover <= 0) + leftover = 0; + avg->tv_usec += (((long long)leftover)*((long long)1000000))/d; + if(avg->tv_sec < 0) + avg->tv_sec = 0; + if(avg->tv_usec < 0) + avg->tv_usec = 0; #endif } @@ -294,6 +300,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, */ if(fd != -1) { #ifdef HAVE_CHOWN + chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)); if (cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1) { if(chown(ip, cfg_uid, cfg_gid) == -1) @@ -301,7 +308,6 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, (unsigned)cfg_uid, (unsigned)cfg_gid, ip, strerror(errno)); } - chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)); #else (void)cfg; #endif @@ -807,7 +813,7 @@ print_mem(RES* ssl, struct worker* worker, struct daemon* daemon, iter = mod_get_mem(&worker->env, "iterator"); respip = mod_get_mem(&worker->env, "respip"); #ifdef CLIENT_SUBNET - subnet = mod_get_mem(&worker->env, "subnet"); + subnet = mod_get_mem(&worker->env, "subnetcache"); #endif /* CLIENT_SUBNET */ #ifdef USE_IPSECMOD ipsecmod = mod_get_mem(&worker->env, "ipsecmod"); 
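Review bot: The added clamp `if(leftover <= 0) leftover = 0;` in `timeval_divide` cannot catch a negative remainder, because `leftover` is declared `size_t` in the previous hunk and the subtraction has already wrapped to a large unsigned value. The later `(long long)leftover` cast then depends on the width of `size_t`: it converts back to a negative number where `size_t` is 64 bits, and stays a large positive number where it is 32 bits. That can push `tv_usec` far out of range before the final clamps run. Computing the remainder in a signed type makes the check effective: `long long leftover = (long long)sum->tv_sec - (long long)avg->tv_sec*d;` followed by `if(leftover < 0) leftover = 0;`. The declaration sits outside this hunk, so it has to change with it.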
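Review bot: The relocated `chmod(ip, ...)` in `add_open` still ignores its return value, while the `chown` right after it logs on failure. If `chmod` fails, the control socket keeps whatever mode the umask gave it and nothing is reported. For a socket that accepts remote-control commands I would check the call: `if(chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)) == -1) log_err("cannot chmod control socket %s: %s", ip, strerror(errno));`. The same applies to the following hunk, which removes the old call site. A brief comment on why `chmod` must now precede `chown` would also help.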
@@ -1298,10 +1304,35 @@ do_zones_remove(RES* ssl, struct local_zones* zones) (void)ssl_printf(ssl, "removed %d zones\n", num); } +/** check syntax of newly added RR */ +static int +check_RR_syntax(RES* ssl, char* str, int line) +{ + uint8_t rr[LDNS_RR_BUF_SIZE]; + size_t len = sizeof(rr), dname_len = 0; + int s = sldns_str2wire_rr_buf(str, rr, &len, &dname_len, 3600, + NULL, 0, NULL, 0); + if(s != 0) { + char linestr[32]; + if(line == 0) + linestr[0]=0; + else snprintf(linestr, sizeof(linestr), "line %d ", line); + if(!ssl_printf(ssl, "error parsing local-data at %sposition %d '%s': %s\n", + linestr, LDNS_WIREPARSE_OFFSET(s), str, + sldns_get_errorstr_parse(s))) + return 0; + return 0; + } + return 1; +} + /** Add new RR data */ static int -perform_data_add(RES* ssl, struct local_zones* zones, char* arg) +perform_data_add(RES* ssl, struct local_zones* zones, char* arg, int line) { + if(!check_RR_syntax(ssl, arg, line)) { + return 0; + } if(!local_zones_add_RR(zones, arg)) { ssl_printf(ssl,"error in syntax or out of memory, %s\n", arg); return 0; @@ -1313,7 +1344,7 @@ perform_data_add(RES* ssl, struct local_zones* zones, char* arg) static void do_data_add(RES* ssl, struct local_zones* zones, char* arg) { - if(!perform_data_add(ssl, zones, arg)) + if(!perform_data_add(ssl, zones, arg, 0)) return; send_ok(ssl); } @@ -1323,15 +1354,12 @@ static void do_datas_add(RES* ssl, struct local_zones* zones) { char buf[2048]; - int num = 0; + int num = 0, line = 0; while(ssl_read_line(ssl, buf, sizeof(buf))) { if(buf[0] == 0x04 && buf[1] == 0) break; /* end of transmission */ - if(!perform_data_add(ssl, zones, buf)) { - if(!ssl_printf(ssl, "error for input line: %s\n", buf)) - return; - } - else + line++; + if(perform_data_add(ssl, zones, buf, line)) num++; } (void)ssl_printf(ssl, "added %d datas\n", num); 
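Review bot: In `check_RR_syntax` the error branch reads `if(!ssl_printf(...)) return 0; return 0;`, so the test on the `ssl_printf` result has no effect. Elsewhere in this file a deliberately ignored write is spelled `(void)ssl_printf(...)`. Using that form followed by a single `return 0;` states the intent and removes the dead branch. The one-line doc comment could also say that the function returns 1 when the string parses and 0 after reporting the parse error to the client, and that `line == 0` suppresses the line prefix.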
@@ -1987,7 +2015,7 @@ print_root_fwds(RES* ssl, struct iter_forwards* fwds, uint8_t* root) /** parse args into delegpt */ static struct delegpt* -parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names) +parse_delegpt(RES* ssl, char* args, uint8_t* nm) { /* parse args and add in */ char* p = args; @@ -2009,40 +2037,35 @@ parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names) } /* parse address */ if(!authextstrtoaddr(todo, &addr, &addrlen, &auth_name)) { - if(allow_names) { - uint8_t* n = NULL; - size_t ln; - int lb; - if(!parse_arg_name(ssl, todo, &n, &ln, &lb)) { - (void)ssl_printf(ssl, "error cannot " - "parse IP address or name " - "'%s'\n", todo); - delegpt_free_mlc(dp); - return NULL; - } - if(!delegpt_add_ns_mlc(dp, n, 0)) { - (void)ssl_printf(ssl, "error out of memory\n"); - free(n); - delegpt_free_mlc(dp); - return NULL; - } - free(n); - - } else { + uint8_t* dname= NULL; + int port; + dname = authextstrtodname(todo, &port, &auth_name); + if(!dname) { (void)ssl_printf(ssl, "error cannot parse" - " IP address '%s'\n", todo); + " '%s'\n", todo); + delegpt_free_mlc(dp); + return NULL; + } +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + if(auth_name) + log_err("no name verification functionality in " + "ssl library, ignored name for %s", todo); +#endif + if(!delegpt_add_ns_mlc(dp, dname, 0, auth_name, port)) { + (void)ssl_printf(ssl, "error out of memory\n"); + free(dname); delegpt_free_mlc(dp); return NULL; } } else { #if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) if(auth_name) - log_err("no name verification functionality in " + log_err("no name verification functionality in " "ssl library, ignored name for %s", todo); #endif /* add address */ if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, - auth_name)) { + auth_name, -1)) { (void)ssl_printf(ssl, "error out of memory\n"); delegpt_free_mlc(dp); return NULL; 
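Review bot: In the new name branch of `parse_delegpt`, `dname` from `authextstrtodname` is freed only when `delegpt_add_ns_mlc` fails. The removed code called `free(n);` after a successful add, which suggests `delegpt_add_ns_mlc` copies the name rather than taking ownership (its body is not visible here, so please confirm). If that is still the case, every successfully parsed name entry leaks its buffer. Adding `free(dname);` after the `if(!delegpt_add_ns_mlc(dp, dname, 0, auth_name, port)) { ... }` block restores the old behaviour.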
@@ -2075,7 +2098,7 @@ do_forward(RES* ssl, struct worker* worker, char* args) forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root); } else { struct delegpt* dp; - if(!(dp = parse_delegpt(ssl, args, root, 0))) + if(!(dp = parse_delegpt(ssl, args, root))) return; if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) { (void)ssl_printf(ssl, "error out of memory\n"); @@ -2121,7 +2144,7 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp, /* parse dp */ if(dp) { - if(!(*dp = parse_delegpt(ssl, args, *nm, 1))) { + if(!(*dp = parse_delegpt(ssl, args, *nm))) { free(*nm); return 0; } @@ -2837,6 +2860,8 @@ struct ratelimit_list_arg { int all; /** current time */ time_t now; + /** if backoff is enabled */ + int backoff; }; #define ip_ratelimit_list_arg ratelimit_list_arg @@ -2850,7 +2875,7 @@ rate_list(struct lruhash_entry* e, void* arg) struct rate_data* d = (struct rate_data*)e->data; char buf[257]; int lim = infra_find_ratelimit(a->infra, k->name, k->namelen); - int max = infra_rate_max(d, a->now); + int max = infra_rate_max(d, a->now, a->backoff); if(a->all == 0) { if(max < lim) return; @@ -2868,7 +2893,7 @@ ip_rate_list(struct lruhash_entry* e, void* arg) struct ip_rate_key* k = (struct ip_rate_key*)e->key; struct ip_rate_data* d = (struct ip_rate_data*)e->data; int lim = infra_ip_ratelimit; - int max = infra_rate_max(d, a->now); + int max = infra_rate_max(d, a->now, a->backoff); if(a->all == 0) { if(max < lim) return; @@ -2886,6 +2911,7 @@ do_ratelimit_list(RES* ssl, struct worker* worker, char* arg) a.infra = worker->env.infra_cache; a.now = *worker->env.now; a.ssl = ssl; + a.backoff = worker->env.cfg->ratelimit_backoff; arg = skipwhite(arg); if(strcmp(arg, "+a") == 0) a.all = 1; @@ -2904,6 +2930,7 @@ do_ip_ratelimit_list(RES* ssl, struct worker* worker, char* arg) a.infra = worker->env.infra_cache; a.now = *worker->env.now; a.ssl = ssl; + a.backoff = worker->env.cfg->ip_ratelimit_backoff; arg = skipwhite(arg); if(strcmp(arg, "+a") == 0) a.all = 1; 
@@ -3310,7 +3337,11 @@ int remote_control_callback(struct comm_point* c, void* arg, int err, if (!rc->use_cert) { verbose(VERB_ALGO, "unauthenticated remote control connection"); } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) { +#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE + X509* x = SSL_get1_peer_certificate(s->ssl); +#else X509* x = SSL_get_peer_certificate(s->ssl); +#endif if(!x) { verbose(VERB_DETAIL, "remote control connection " "provided no client certificate"); diff --git a/daemon/stats.c b/daemon/stats.c index 8720a52d6..d08f18dbb 100644 --- a/daemon/stats.c +++ b/daemon/stats.c @@ -137,7 +137,7 @@ static void set_subnet_stats(struct worker* worker, struct ub_server_stats* svr, int reset) { - int m = modstack_find(&worker->env.mesh->mods, "subnet"); + int m = modstack_find(&worker->env.mesh->mods, "subnetcache"); struct subnet_env* sne; if(m == -1) return; diff --git a/daemon/unbound.c b/daemon/unbound.c index b2bb526c0..457a08032 100644 --- a/daemon/unbound.c +++ b/daemon/unbound.c @@ -212,15 +212,17 @@ checkrlimits(struct config_file* cfg) } #endif +#ifdef RLIMIT_AS if(getrlimit(RLIMIT_AS, &rlim) == 0) { if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY && rlim.rlim_cur < (rlim_t)memsize_expect) { log_warn("the ulimit(max memory size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect); } } +#endif if(getrlimit(RLIMIT_DATA, &rlim) == 0) { if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY && - rlim.rlim_cur < memsize_expect) { + rlim.rlim_cur < (rlim_t)memsize_expect) { log_warn("the ulimit(data seg size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect); } } @@ -779,6 +781,7 @@ main(int argc, char* argv[]) int cmdline_cfg = 0; #endif + checklock_start(); log_init(NULL, 0, NULL); log_ident_default = strrchr(argv[0],'/')?strrchr(argv[0],'/')+1:argv[0]; log_ident_set_default(log_ident_default); 
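Review bot: Both warnings in checkrlimits still print the values with `%u` and `(unsigned)` casts, so where `rlim_t` is wider than `unsigned`, a limit or expected size of 4 GiB or more is reported with its upper bits dropped. The comparison now casts `memsize_expect` to `rlim_t` on both branches, so only the message is affected. Consider `%llu` with `(unsigned long long)rlim.rlim_cur, (unsigned long long)memsize_expect` in both `log_warn` calls, assuming the project's log formatter accepts `%llu`. The function starts and ends outside the hunk.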
diff --git a/daemon/worker.c b/daemon/worker.c index ffe7ff2d4..7209bc4cd 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -146,7 +146,7 @@ worker_mem_report(struct worker* ATTR_UNUSED(worker), (&worker->env, i); #ifdef CLIENT_SUBNET else if(strcmp(worker->env.mesh->mods.mod[i]->name, - "subnet")==0) + "subnetcache")==0) subnet += (*worker->env.mesh->mods.mod[i]->get_mem) (&worker->env, i); #endif /* CLIENT_SUBNET */ @@ -205,7 +205,7 @@ worker_mem_report(struct worker* ATTR_UNUSED(worker), (&worker->env, i); #ifdef CLIENT_SUBNET else if(strcmp(worker->env.mesh->mods.mod[i]->name, - "subnet")==0) + "subnetcache")==0) subnet += (*worker->env.mesh->mods.mod[i]->get_mem) (&worker->env, i); #endif /* CLIENT_SUBNET */ @@ -236,38 +236,6 @@ worker_send_cmd(struct worker* worker, enum worker_commands cmd) } } -int -worker_handle_reply(struct comm_point* c, void* arg, int error, - struct comm_reply* reply_info) -{ - struct module_qstate* q = (struct module_qstate*)arg; - struct worker* worker = q->env->worker; - struct outbound_entry e; - e.qstate = q; - e.qsent = NULL; - - if(error != 0) { - mesh_report_reply(worker->env.mesh, &e, reply_info, error); - worker_mem_report(worker, NULL); - return 0; - } - /* sanity check. */ - if(!LDNS_QR_WIRE(sldns_buffer_begin(c->buffer)) - || LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) != - LDNS_PACKET_QUERY - || LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) > 1) { - /* error becomes timeout for the module as if this reply - * never arrived. */ - mesh_report_reply(worker->env.mesh, &e, reply_info, - NETEVENT_TIMEOUT); - worker_mem_report(worker, NULL); - return 0; - } - mesh_report_reply(worker->env.mesh, &e, reply_info, NETEVENT_NOERROR); - worker_mem_report(worker, NULL); - return 0; -} - int worker_handle_service_reply(struct comm_point* c, void* arg, int error, struct comm_reply* reply_info) 
@@ -481,7 +449,6 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo, * Then check if it needs validation, if so, this routine fails, * so that iterator can prime and validator can verify rrsets. */ - struct edns_data edns_bak; uint16_t udpsize = edns->udp_size; int secure = 0; time_t timenow = *worker->env.now; @@ -540,7 +507,6 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo, } } /* return this delegation from the cache */ - edns_bak = *edns; edns->edns_version = EDNS_ADVERTISED_VERSION; edns->udp_size = EDNS_ADVERTISED_SIZE; edns->ext_rcode = 0; @@ -550,15 +516,13 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo, worker->env.now_tv)) return 0; msg->rep->flags |= BIT_QR|BIT_RA; - if(!apply_edns_options(edns, &edns_bak, worker->env.cfg, - repinfo->c, worker->scratchpad) || - !reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags, + if(!reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags, repinfo->c->buffer, 0, 1, worker->scratchpad, udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) { if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad, worker->env.now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, &msg->qinfo, id, flags, edns); } @@ -589,7 +553,7 @@ apply_respip_action(struct worker* worker, const struct query_info* qinfo, return 1; if(!respip_rewrite_reply(qinfo, cinfo, rep, encode_repp, &actinfo, - alias_rrset, 0, worker->scratchpad, az)) + alias_rrset, 0, worker->scratchpad, az, NULL)) return 0; /* xxx_deny actions mean dropping the reply, unless the original reply 
@@ -636,7 +600,6 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo, struct reply_info* rep, uint16_t id, uint16_t flags, struct comm_reply* repinfo, struct edns_data* edns) { - struct edns_data edns_bak; time_t timenow = *worker->env.now; uint16_t udpsize = edns->udp_size; struct reply_info* encode_rep = rep; @@ -717,7 +680,6 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo, } } else *is_secure_answer = 0; - edns_bak = *edns; edns->edns_version = EDNS_ADVERTISED_VERSION; edns->udp_size = EDNS_ADVERTISED_SIZE; edns->ext_rcode = 0; @@ -754,15 +716,13 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo, if(!*partial_repp) goto bail_out; } - } else if(!apply_edns_options(edns, &edns_bak, worker->env.cfg, - repinfo->c, worker->scratchpad) || - !reply_info_answer_encode(qinfo, encode_rep, id, flags, + } else if(!reply_info_answer_encode(qinfo, encode_rep, id, flags, repinfo->c->buffer, timenow, 1, worker->scratchpad, udpsize, edns, (int)(edns->bits & EDNS_DO), *is_secure_answer)) { if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad, worker->env.now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, qinfo, id, flags, edns); } @@ -782,7 +742,8 @@ bail_out: /** Reply to client and perform prefetch to keep cache up to date. */ static void reply_and_prefetch(struct worker* worker, struct query_info* qinfo, - uint16_t flags, struct comm_reply* repinfo, time_t leeway, int noreply) + uint16_t flags, struct comm_reply* repinfo, time_t leeway, int noreply, + int rpz_passthru) { /* first send answer to client to keep its latency * as small as a cachereply */ 
@@ -801,7 +762,7 @@ reply_and_prefetch(struct worker* worker, struct query_info* qinfo, * the cache and go to the network for the data). */ /* this (potentially) runs the mesh for the new query */ mesh_new_prefetch(worker->env.mesh, qinfo, flags, leeway + - PREFETCH_EXPIRY_ADD); + PREFETCH_EXPIRY_ADD, rpz_passthru); } /** @@ -821,6 +782,14 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns, int i; unsigned int rd = LDNS_RD_WIRE(sldns_buffer_begin(pkt)); unsigned int cd = LDNS_CD_WIRE(sldns_buffer_begin(pkt)); + size_t udpsize = edns->udp_size; + edns->edns_version = EDNS_ADVERTISED_VERSION; + edns->udp_size = EDNS_ADVERTISED_SIZE; + edns->bits &= EDNS_DO; + if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL, + LDNS_RCODE_NOERROR, edns, repinfo, worker->scratchpad, + worker->env.now_tv)) + edns->opt_list_inplace_cb_out = NULL; sldns_buffer_clear(pkt); sldns_buffer_skip(pkt, (ssize_t)sizeof(uint16_t)); /* skip id */ sldns_buffer_write_u16(pkt, (uint16_t)(BIT_QR|BIT_RA)); @@ -836,6 +805,12 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns, for(i=0; i255) len=255; /* cap size of TXT record */ + if(sldns_buffer_position(pkt)+2+2+2+4+2+1+len+ + calc_edns_field_size(edns) > udpsize) { + sldns_buffer_write_u16_at(pkt, 6, i); /* ANCOUNT */ + LDNS_TC_SET(sldns_buffer_begin(pkt)); + break; + } sldns_buffer_write_u16(pkt, 0xc00c); /* compr ptr to query */ sldns_buffer_write_u16(pkt, LDNS_RR_TYPE_TXT); sldns_buffer_write_u16(pkt, LDNS_RR_CLASS_CH); 
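Review bot: The size check added in the TXT loop of chaos_replystr writes the fixed per-record overhead as `2+2+2+4+2+1` with no explanation, which makes it hard to verify against the buffer writes that follow. A comment above the `if`, such as `/* name ptr(2) + type(2) + class(2) + ttl(4) + rdlength(2) + txt length octet(1) */`, would tie each term to one write. The limit is the client's `edns->udp_size`, saved before it is overwritten with `EDNS_ADVERTISED_SIZE`. The caller sets the value it holds for queries without EDNS or over TCP, and that is not visible here, so it is worth confirming. The function continues outside the hunk.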
@@ -845,13 +820,6 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns, sldns_buffer_write(pkt, str[i], len); } sldns_buffer_flip(pkt); - edns->edns_version = EDNS_ADVERTISED_VERSION; - edns->udp_size = EDNS_ADVERTISED_SIZE; - edns->bits &= EDNS_DO; - if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL, - LDNS_RCODE_NOERROR, edns, repinfo, worker->scratchpad, - worker->env.now_tv)) - edns->opt_list = NULL; if(sldns_buffer_capacity(pkt) >= sldns_buffer_limit(pkt)+calc_edns_field_size(edns)) attach_edns_record(pkt, edns); @@ -1036,7 +1004,6 @@ answer_notify(struct worker* w, struct query_info* qinfo, edns->udp_size = EDNS_ADVERTISED_SIZE; edns->ext_rcode = 0; edns->bits &= EDNS_DO; - edns->opt_list = NULL; error_encode(pkt, rcode, qinfo, *(uint16_t*)(void *)sldns_buffer_begin(pkt), sldns_buffer_read_u16_at(pkt, 2), edns); @@ -1046,17 +1013,25 @@ answer_notify(struct worker* w, struct query_info* qinfo, static int deny_refuse(struct comm_point* c, enum acl_access acl, enum acl_access deny, enum acl_access refuse, - struct worker* worker, struct comm_reply* repinfo) + struct worker* worker, struct comm_reply* repinfo, + struct acl_addr* acladdr) { if(acl == deny) { + if(verbosity >= VERB_ALGO) { + log_acl_action("dropped", &repinfo->addr, + repinfo->addrlen, acl, acladdr); + log_buf(VERB_ALGO, "dropped", c->buffer); + } comm_point_drop_reply(repinfo); if(worker->stats.extended) worker->stats.unwanted_queries++; return 0; } else if(acl == refuse) { - log_addr(VERB_ALGO, "refused query from", - &repinfo->addr, repinfo->addrlen); - log_buf(VERB_ALGO, "refuse", c->buffer); + if(verbosity >= VERB_ALGO) { + log_acl_action("refused", &repinfo->addr, + repinfo->addrlen, acl, acladdr); + log_buf(VERB_ALGO, "refuse", c->buffer); + } if(worker->stats.extended) worker->stats.unwanted_queries++; if(worker_check_request(c->buffer, worker) == -1) { 
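Review bot: deny_refuse now passes `acladdr` to `log_acl_action` on both the drop and refuse paths, and nothing in the hunk checks that pointer first. In worker_handle_request it comes straight from `acl_addr_lookup`, and `acl_get_control(acladdr)` is applied to it with no null test. A client that matches no access-control entry may therefore reach this logging call with a null `acladdr` once verbosity is at `VERB_ALGO`. This is inferred, since neither helper is shown. If `log_acl_action` does not already handle that case, guard the call or state the contract on the parameter, for example `/* acladdr may be NULL when no acl entry matched */`.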
@@ -1079,16 +1054,20 @@ deny_refuse(struct comm_point* c, enum acl_access acl, static int deny_refuse_all(struct comm_point* c, enum acl_access acl, - struct worker* worker, struct comm_reply* repinfo) + struct worker* worker, struct comm_reply* repinfo, + struct acl_addr* acladdr) { - return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo); + return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo, + acladdr); } static int deny_refuse_non_local(struct comm_point* c, enum acl_access acl, - struct worker* worker, struct comm_reply* repinfo) + struct worker* worker, struct comm_reply* repinfo, + struct acl_addr* acladdr) { - return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, worker, repinfo); + return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, + worker, repinfo, acladdr); } int @@ -1107,6 +1086,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, int need_drop = 0; int is_expired_answer = 0; int is_secure_answer = 0; + int rpz_passthru = 0; /* We might have to chase a CNAME chain internally, in which case * we'll have up to two replies and combine them to build a complete * answer. These variables control this case. */ @@ -1179,7 +1159,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr, repinfo->addrlen); acl = acl_get_control(acladdr); - if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1) + if((ret=deny_refuse_all(c, acl, worker, repinfo, acladdr)) != -1) { if(ret == 1) goto send_reply; 
@@ -1201,7 +1181,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error, /* check if this query should be dropped based on source ip rate limiting */ if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo, - *worker->env.now, c->buffer)) { + *worker->env.now, + worker->env.cfg->ip_ratelimit_backoff, c->buffer)) { /* See if we are passed through with slip factor */ if(worker->env.cfg->ip_ratelimit_factor != 0 && ub_random_max(worker->env.rnd, @@ -1273,7 +1254,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error, } goto send_reply; } - if((ret=parse_edns_from_pkt(c->buffer, &edns, worker->scratchpad)) != 0) { + if((ret=parse_edns_from_query_pkt(c->buffer, &edns, worker->env.cfg, c, + worker->scratchpad)) != 0) { struct edns_data reply_edns; verbose(VERB_ALGO, "worker parse edns: formerror."); log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); @@ -1288,13 +1270,14 @@ worker_handle_request(struct comm_point* c, void* arg, int error, goto send_reply; } if(edns.edns_present) { - struct edns_option* edns_opt; if(edns.edns_version != 0) { edns.ext_rcode = (uint8_t)(EDNS_RCODE_BADVERS>>4); edns.edns_version = EDNS_ADVERTISED_VERSION; edns.udp_size = EDNS_ADVERTISED_SIZE; edns.bits &= EDNS_DO; - edns.opt_list = NULL; + edns.opt_list_in = NULL; + edns.opt_list_out = NULL; + edns.opt_list_inplace_cb_out = NULL; edns.padding_block_size = 0; verbose(VERB_ALGO, "query with bad edns version."); log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); 
@@ -1314,26 +1297,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error, log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); edns.udp_size = NORMAL_UDP_SIZE; } - if(c->type != comm_udp) { - edns_opt = edns_opt_list_find(edns.opt_list, LDNS_EDNS_KEEPALIVE); - if(edns_opt && edns_opt->opt_len > 0) { - edns.ext_rcode = 0; - edns.edns_version = EDNS_ADVERTISED_VERSION; - edns.udp_size = EDNS_ADVERTISED_SIZE; - edns.bits &= EDNS_DO; - edns.opt_list = NULL; - verbose(VERB_ALGO, "query with bad edns keepalive."); - log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); - error_encode(c->buffer, LDNS_RCODE_FORMERR, &qinfo, - *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), - sldns_buffer_read_u16_at(c->buffer, 2), NULL); - if(sldns_buffer_capacity(c->buffer) >= - sldns_buffer_limit(c->buffer)+calc_edns_field_size(&edns)) - attach_edns_record(c->buffer, &edns); - regional_free_all(worker->scratchpad); - goto send_reply; - } - } } if(edns.udp_size > worker->daemon->cfg->max_udp_size && c->type == comm_udp) { @@ -1387,9 +1350,10 @@ worker_handle_request(struct comm_point* c, void* arg, int error, goto send_reply; } if(worker->env.auth_zones && - rpz_apply_qname_trigger(worker->env.auth_zones, + rpz_callback_from_worker_request(worker->env.auth_zones, &worker->env, &qinfo, &edns, c->buffer, worker->scratchpad, - repinfo, acladdr->taglist, acladdr->taglen, &worker->stats)) { + repinfo, acladdr->taglist, acladdr->taglen, &worker->stats, + &rpz_passthru)) { regional_free_all(worker->scratchpad); if(sldns_buffer_limit(c->buffer) == 0) { comm_point_drop_reply(repinfo); 
@@ -1415,7 +1379,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, /* We've looked in our local zones. If the answer isn't there, we * might need to bail out based on ACLs now. */ - if((ret=deny_refuse_non_local(c, acl, worker, repinfo)) != -1) + if((ret=deny_refuse_non_local(c, acl, worker, repinfo, acladdr)) != -1) { regional_free_all(worker->scratchpad); if(ret == 1) @@ -1485,7 +1449,7 @@ lookup_cache: * this is a two-pass operation, and lookup_qinfo is different for * each pass. We should still pass the original qinfo to * answer_from_cache(), however, since it's used to build the reply. */ - if(!edns_bypass_cache_stage(edns.opt_list, &worker->env)) { + if(!edns_bypass_cache_stage(edns.opt_list_in, &worker->env)) { is_expired_answer = 0; is_secure_answer = 0; h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2)); @@ -1515,7 +1479,8 @@ lookup_cache: reply_and_prefetch(worker, lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2), repinfo, leeway, - (partial_rep || need_drop)); + (partial_rep || need_drop), + rpz_passthru); if(!partial_rep) { rc = 0; regional_free_all(worker->scratchpad); @@ -1578,7 +1543,8 @@ lookup_cache: /* grab a work request structure for this new request */ mesh_new_client(worker->env.mesh, &qinfo, cinfo, sldns_buffer_read_u16_at(c->buffer, 2), - &edns, repinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer)); + &edns, repinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), + rpz_passthru); regional_free_all(worker->scratchpad); worker_mem_report(worker, NULL); return 0; @@ -1642,6 +1608,9 @@ worker_sighandler(int sig, void* arg) case SIGHUP: comm_base_exit(worker->base); break; +#endif +#ifdef SIGBREAK + case SIGBREAK: #endif case SIGINT: worker->need_to_exit = 1; 
@@ -1760,6 +1729,9 @@ worker_init(struct worker* worker, struct config_file *cfg, if(do_sigs) { #ifdef SIGHUP ub_thread_sig_unblock(SIGHUP); +#endif +#ifdef SIGBREAK + ub_thread_sig_unblock(SIGBREAK); #endif ub_thread_sig_unblock(SIGINT); #ifdef SIGQUIT @@ -1777,6 +1749,9 @@ worker_init(struct worker* worker, struct config_file *cfg, || !comm_signal_bind(worker->comsig, SIGQUIT) #endif || !comm_signal_bind(worker->comsig, SIGTERM) +#ifdef SIGBREAK + || !comm_signal_bind(worker->comsig, SIGBREAK) +#endif || !comm_signal_bind(worker->comsig, SIGINT)) { log_err("could not create signal handlers"); worker_delete(worker); @@ -1826,7 +1801,9 @@ worker_init(struct worker* worker, struct config_file *cfg, &worker_alloc_cleanup, worker, cfg->do_udp || cfg->udp_upstream_without_downstream, worker->daemon->connect_sslctx, cfg->delay_close, - cfg->tls_use_sni, dtenv, cfg->udp_connect); + cfg->tls_use_sni, dtenv, cfg->udp_connect, + cfg->max_reuse_tcp_queries, cfg->tcp_reuse_timeout, + cfg->tcp_auth_query_timeout); if(!worker->back) { log_err("could not create outgoing sockets"); worker_delete(worker); @@ -1880,6 +1857,11 @@ worker_init(struct worker* worker, struct config_file *cfg, return 0; } worker->env.mesh = mesh_create(&worker->daemon->mods, &worker->env); + if(!worker->env.mesh) { + log_err("malloc failure"); + worker_delete(worker); + return 0; + } /* Pass on daemon variables that we would need in the mesh area */ worker->env.mesh->use_response_ip = worker->daemon->use_response_ip; worker->env.mesh->use_rpz = worker->daemon->use_rpz; 
@@ -1890,6 +1872,11 @@ worker_init(struct worker* worker, struct config_file *cfg, worker->env.kill_sub = &mesh_state_delete; worker->env.detect_cycle = &mesh_detect_cycle; worker->env.scratch_buffer = sldns_buffer_new(cfg->msg_buffer_size); + if(!worker->env.scratch_buffer) { + log_err("malloc failure"); + worker_delete(worker); + return 0; + } if(!(worker->env.fwds = forwards_create()) || !forwards_apply_cfg(worker->env.fwds, cfg)) { log_err("Could not set forward zones"); @@ -1944,10 +1931,6 @@ worker_init(struct worker* worker, struct config_file *cfg, } } #endif /* USE_DNSTAP */ - if(!worker->env.mesh || !worker->env.scratch_buffer) { - worker_delete(worker); - return 0; - } worker_mem_report(worker, NULL); /* if statistics enabled start timer */ if(worker->env.cfg->stat_interval > 0) { @@ -2011,9 +1994,10 @@ worker_delete(struct worker* worker) struct outbound_entry* worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, - int want_dnssec, int nocaps, struct sockaddr_storage* addr, - socklen_t addrlen, uint8_t* zone, size_t zonelen, int ssl_upstream, - char* tls_auth_name, struct module_qstate* q) + int want_dnssec, int nocaps, int check_ratelimit, + struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, + size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, + struct module_qstate* q, int* was_ratelimited) { struct worker* worker = q->env->worker; struct outbound_entry* e = (struct outbound_entry*)regional_alloc( 
@@ -2022,9 +2006,10 @@ worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, return NULL; e->qstate = q; e->qsent = outnet_serviced_query(worker->back, qinfo, flags, dnssec, - want_dnssec, nocaps, q->env->cfg->tcp_upstream, + want_dnssec, nocaps, check_ratelimit, tcp_upstream, ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q, - worker_handle_service_reply, e, worker->back->udp_buff, q->env); + worker_handle_service_reply, e, worker->back->udp_buff, q->env, + was_ratelimited); if(!e->qsent) { return NULL; } @@ -2068,18 +2053,11 @@ struct outbound_entry* libworker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps), + int ATTR_UNUSED(check_ratelimit), struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), - uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), + uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), - struct module_qstate* ATTR_UNUSED(q)) -{ - log_assert(0); - return 0; -} - -int libworker_handle_reply(struct comm_point* ATTR_UNUSED(c), - void* ATTR_UNUSED(arg), int ATTR_UNUSED(error), - struct comm_reply* ATTR_UNUSED(reply_info)) + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; diff --git a/dns64/dns64.c b/dns64/dns64.c index c79bc9c65..d01b436e1 100644 --- a/dns64/dns64.c +++ b/dns64/dns64.c 
@@ -685,8 +685,12 @@ dns64_operate(struct module_qstate* qstate, enum module_ev event, int id, switch(event) { case module_event_new: /* Tag this query as being new and fall through. */ - iq = (struct dns64_qstate*)regional_alloc( - qstate->region, sizeof(*iq)); + if (!(iq = (struct dns64_qstate*)regional_alloc( + qstate->region, sizeof(*iq)))) { + log_err("out of memory"); + qstate->ext_state[id] = module_error; + return; + } qstate->minfo[id] = iq; iq->state = DNS64_NEW_QUERY; iq->started_no_cache_store = qstate->no_cache_store; @@ -913,8 +917,9 @@ dns64_adjust_ptr(struct module_qstate* qstate, struct module_qstate* super) sizeof(struct dns_msg)))) return; super->return_msg->qinfo = super->qinfo; - super->return_msg->rep = reply_info_copy(qstate->return_msg->rep, NULL, - super->region); + if (!(super->return_msg->rep = reply_info_copy(qstate->return_msg->rep, + NULL, super->region))) + return; /* * Adjust the domain name of the answer RR set so that it matches the diff --git a/dnscrypt/dnscrypt.c b/dnscrypt/dnscrypt.c index 9b324ae69..4902447fd 100644 --- a/dnscrypt/dnscrypt.c +++ b/dnscrypt/dnscrypt.c @@ -435,7 +435,7 @@ dnscrypt_hrtime(void) /** * Add the server nonce part to once. - * The nonce is made half of client nonce and the seconf half of the server + * The nonce is made half of client nonce and the second half of the server * nonce, both of them of size crypto_box_HALF_NONCEBYTES. * \param[in] nonce: a uint8_t* of size crypto_box_NONCEBYTES */ 
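Review bot: In dns64_adjust_ptr the new early `return` on a failed `reply_info_copy` leaves `super->return_msg` allocated with `qinfo` set and `rep` equal to NULL. The hunk stops this function from going on to use the null `rep`. Later code that tests only `super->return_msg` and then reads `->rep` would still fault, though whether such code exists is not visible here. If callers treat a null `return_msg` as failure, `super->return_msg = NULL; return;` on this path gives them a single state to check. The function starts and ends outside the hunk.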
@@ -674,7 +674,7 @@ dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer) /** * Insert local-zone and local-data into configuration. * In order to be able to serve certs over TXT, we can reuse the local-zone and - * local-data config option. The zone and qname are infered from the + * local-data config option. The zone and qname are inferred from the * provider_name and the content of the TXT record from the certificate content. * returns the number of certificate TXT record that were loaded. * < 0 in case of error. diff --git a/dnscrypt/dnscrypt.h b/dnscrypt/dnscrypt.h index 666f54e62..b0da9b732 100644 --- a/dnscrypt/dnscrypt.h +++ b/dnscrypt/dnscrypt.h @@ -114,7 +114,7 @@ void dnsc_delete(struct dnsc_env *env); /** * handle a crypted dnscrypt request. - * Determine wether or not a query is coming over the dnscrypt listener and + * Determine whether or not a query is coming over the dnscrypt listener and * attempt to uncurve it or detect if it is a certificate query. * return 0 in case of failure. */ @@ -122,7 +122,7 @@ int dnsc_handle_curved_request(struct dnsc_env* dnscenv, struct comm_reply* repinfo); /** * handle an unencrypted dnscrypt request. - * Determine wether or not a query is going over the dnscrypt channel and + * Determine whether or not a query is going over the dnscrypt channel and * attempt to curve it unless it was not crypted like when it is a * certificate query. * \return 0 in case of failure. diff --git a/dnstap/dnstap.c b/dnstap/dnstap.c index 6577a019a..5c0cde1d5 100644 --- a/dnstap/dnstap.c +++ b/dnstap/dnstap.c 
@@ -507,19 +507,19 @@ dt_msg_send_outside_query(struct dt_env *env, void dt_msg_send_outside_response(struct dt_env *env, - struct sockaddr_storage *rsock, - struct sockaddr_storage *qsock, - enum comm_point_type cptype, - uint8_t *zone, size_t zone_len, - uint8_t *qbuf, size_t qbuf_len, - const struct timeval *qtime, - const struct timeval *rtime, - sldns_buffer *rmsg) + struct sockaddr_storage *rsock, + struct sockaddr_storage *qsock, + enum comm_point_type cptype, + uint8_t *zone, size_t zone_len, + uint8_t *qbuf, size_t qbuf_len, + const struct timeval *qtime, + const struct timeval *rtime, + sldns_buffer *rmsg) { struct dt_msg dm; uint16_t qflags; - log_assert(qbuf_len >= sizeof(qflags)); + (void)qbuf_len; log_assert(qbuf_len >= sizeof(qflags)); memcpy(&qflags, qbuf, sizeof(qflags)); qflags = ntohs(qflags); diff --git a/dnstap/dtstream.c b/dnstap/dtstream.c index f1ace3c34..a1dd9703e 100644 --- a/dnstap/dtstream.c +++ b/dnstap/dtstream.c @@ -188,9 +188,9 @@ mq_wakeup_cb(void* arg) /** start timer to wakeup dtio because there is content in the queue */ static void -dt_msg_queue_start_timer(struct dt_msg_queue* mq) +dt_msg_queue_start_timer(struct dt_msg_queue* mq, int wakeupnow) { - struct timeval tv; + struct timeval tv = {0}; /* Start a timer to process messages to be logged. * If we woke up the dtio thread for every message, the wakeup * messages take up too much processing power. If the queue 
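Review bot: The only length check before `memcpy(&qflags, qbuf, sizeof(qflags))` in dt_msg_send_outside_response is `log_assert(qbuf_len >= sizeof(qflags))`, and the added `(void)qbuf_len;` suggests the assertion compiles to nothing in some builds. In those builds a `qbuf` shorter than `sizeof(qflags)` would be read past its end. A runtime guard ahead of the copy, such as `if(qbuf_len < sizeof(qflags)) return;`, keeps the bound enforced regardless of build flags. The function body continues outside the hunk.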
@@ -204,19 +204,26 @@ dt_msg_queue_start_timer(struct dt_msg_queue* mq) /* do not start the timer if a timer already exists, perhaps * in another worker. So this variable is protected by a lock in - * dtio */ + * dtio. */ + + /* If we need to wakeupnow, 0 the timer to force the callback. */ lock_basic_lock(&mq->dtio->wakeup_timer_lock); if(mq->dtio->wakeup_timer_enabled) { + if(wakeupnow) { + comm_timer_set(mq->wakeup_timer, &tv); + } lock_basic_unlock(&mq->dtio->wakeup_timer_lock); return; } mq->dtio->wakeup_timer_enabled = 1; /* we are going to start one */ - lock_basic_unlock(&mq->dtio->wakeup_timer_lock); /* start the timer, in mq, in the event base of our worker */ - tv.tv_sec = 1; - tv.tv_usec = 0; + if(!wakeupnow) { + tv.tv_sec = 1; + tv.tv_usec = 0; + } comm_timer_set(mq->wakeup_timer, &tv); + lock_basic_unlock(&mq->dtio->wakeup_timer_lock); } void @@ -251,7 +258,7 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len) entry->buf = buf; entry->len = len; - /* aqcuire lock */ + /* acquire lock */ lock_basic_lock(&mq->lock); /* if list was empty, start timer for (eventual) wakeup */ if(mq->first == NULL) @@ -283,10 +290,8 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len) /* release lock */ lock_basic_unlock(&mq->lock); - if(wakeupnow) { - dtio_wakeup(mq->dtio); - } else if(wakeupstarttimer) { - dt_msg_queue_start_timer(mq); + if(wakeupnow || wakeupstarttimer) { + dt_msg_queue_start_timer(mq, wakeupnow); } } @@ -930,7 +935,7 @@ static int dtio_write_more_of_data(struct dt_io_thread* dtio) return 1; } -/** write more of the current messsage. false if incomplete, true if +/** write more of the current message. false if incomplete, true if * the message is done */ static int dtio_write_more(struct dt_io_thread* dtio) { 
@@ -1181,7 +1186,7 @@ static int dtio_read_accept_frame(struct dt_io_thread* dtio) goto close_connection; return 1; } else { - /* unknow content type */ + /* unknown content type */ verbose(VERB_ALGO, "dnstap: ACCEPT frame " "contains unknown content type, " "closing connection"); diff --git a/dnstap/unbound-dnstap-socket.c b/dnstap/unbound-dnstap-socket.c index 8e28be4e8..63292fbca 100644 --- a/dnstap/unbound-dnstap-socket.c +++ b/dnstap/unbound-dnstap-socket.c @@ -1012,6 +1012,7 @@ void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg) if(verbosity) log_info("bidirectional stream"); if(!reply_with_accept(data)) { tap_data_free(data); + return; } } else if(data->len >= 4 && sldns_read_uint32(data->frame) == FSTRM_CONTROL_FRAME_STOP && data->is_bidirectional) { @@ -1166,8 +1167,13 @@ int sig_quit = 0; /** signal handler for user quit */ static RETSIGTYPE main_sigh(int sig) { - if(!sig_quit) - fprintf(stderr, "exit on signal %d\n", sig); + if(!sig_quit) { + char str[] = "exit on signal \n"; + str[15] = '0' + (sig/10)%10; + str[16] = '0' + sig%10; + /* simple cast to void will not silence Wunused-result */ + (void)!write(STDERR_FILENO, str, strlen(str)); + } if(sig_base) { ub_event_base_loopexit(sig_base); sig_base = NULL; @@ -1258,9 +1264,9 @@ int main(int argc, char** argv) memset(&tls_list, 0, sizeof(tls_list)); /* lock debug start (if any) */ + checklock_start(); log_ident_set("unbound-dnstap-socket"); log_init(0, 0, 0); - checklock_start(); #ifdef SIGPIPE if(signal(SIGPIPE, SIG_IGN) == SIG_ERR) { @@ -1375,14 +1381,6 @@ int worker_handle_request(struct comm_point* ATTR_UNUSED(c), return 0; } -int worker_handle_reply(struct comm_point* ATTR_UNUSED(c), - void* ATTR_UNUSED(arg), int ATTR_UNUSED(error), - struct comm_reply* ATTR_UNUSED(reply_info)) -{ - log_assert(0); - return 0; -} - int worker_handle_service_reply(struct comm_point* ATTR_UNUSED(c), void* ATTR_UNUSED(arg), int ATTR_UNUSED(error), struct comm_reply* ATTR_UNUSED(reply_info)) 
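Review bot: In main_sigh the digits are written to the fixed offsets `str[15]` and `str[16]`, which is correct only if the literal has exactly two padding characters between "exit on signal " and the newline. Whitespace is collapsed on this page, so the padding cannot be checked here. If the literal is ever edited, the newline or the terminator gets overwritten and `strlen(str)` reads past the array. Deriving the positions from the array size, `str[sizeof(str)-4]` and `str[sizeof(str)-3]`, and writing `sizeof(str)-1` bytes removes that coupling. Signal numbers of 100 or more would also lose their leading digit.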
@@ -1415,10 +1413,12 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg)) struct outbound_entry* worker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), - size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream), - char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q)) + size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), + int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; @@ -1447,18 +1447,12 @@ worker_alloc_cleanup(void* ATTR_UNUSED(arg)) struct outbound_entry* libworker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), - size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream), - char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q)) -{ - log_assert(0); - return 0; -} - -int libworker_handle_reply(struct comm_point* ATTR_UNUSED(c), - void* ATTR_UNUSED(arg), int ATTR_UNUSED(error), - struct comm_reply* ATTR_UNUSED(reply_info)) + size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), + int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; diff --git a/doc/Changelog b/doc/Changelog index 66e6f9a48..1fdae1fde 100644 --- a/doc/Changelog 
+++ b/doc/Changelog 
@@ -1,3 +1,640 @@
+8 April 2022: Wouter
+ - Fix zonemd check to allow unsupported algorithms to load.
+ If there are only unsupported algorithms, or unsupported schemes,
+ and no failed or successful other ZONEMD records, or malformed
+ or bad ZONEMD records, the unsupported records allow the zone load.
+ - Fix zonemd unsupported algo check.
+ - Fix zonemd unsupported algo check reason to not copy to next record,
+ and check for success for debug printout.
+ - Fix zonemd unsupported algo check to print unsupported reason before
+ zeroing it.
+ - Fix zonemd unsupported algo check to set reason to NULL before the
+ check routine, but after malformed checks, to get the correct NULL
+ output when the digest matches.
+
+25 March 2022: Wouter
+ - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
+
+23 March 2022: Wouter
+ - Fix #651: [FR] Better logging for refused queries.
+
+18 March 2022: George
+ - Merge PR #648 from eaglegai: fix -q doesn't work when use with
+ 'unbound-control stats_shm'.
+
+17 March 2022: Wouter
+ - Fix to describe auth-zone and other configuration at the local-zone
+ configuration option, to allow for more broadly view of the options.
+
+16 March 2022: Wouter
+ - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
+
+9 March 2022: Wouter
+ - Merge #644: Make `install-lib` make target install the pkg-config
+ file.
+
+7 March 2022: Wouter
+ - Fix configure for python to use sysutils, because distutils is
+ deprecated. It uses sysutils when available, distutils otherwise.
+
+3 March 2022: Wouter
+ - Fix #637: Integer Overflow in sldns_str2period function.
+ - Fix for #637: fix integer overflow checks in sldns_str2period.
+
+2 March 2022: George
+ - Merge PR #632 from scottrw93: Match cnames in ipset.
+ - Various fixes for #632: variable initialisation, convert the qinfo
+ to str once, accept trailing dot in the local-zone ipset option.
+
+2 March 2022: Wouter
+ - Fix compile warnings for printf ll format on mingw compile.
+
+1 March 2022: Wouter
+ - Fix pythonmod for change in iter_dp_is_useless function prototype.
+
+28 February 2022: George
+ - Fix #630: Unify the RPZ log messages.
+ - Merge #623 from rex4539: Fix typos.
+
+28 February 2022: Wouter
+ - Fix #633: Document unix domain socket support for unbound-control.
+ - Fix for #633: updated fix with new text.
+ - Fix edns client subnet to add the option based on the option list,
+ so that it is not state dependent, after the state fix of #605 for
+ double EDNS options.
+ - Fix for edns client subnet option add fix in removal code, from review.
+
+25 February 2022: Wouter
+ - Fix to detect that no IPv6 support means that IPv6 addresses are
+ useless for delegation point lookups.
+ - update Makefile dependencies.
+ - Fix check interface existence for support detection in remote lookup.
+
+18 February 2022: Wouter
+ - Fix that address not available is squelched from the logs for
+ udp connect failures. It is visible on verbosity 4 and more.
+ - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
+ ERR_GET_REASON.
+
+16 February 2022: Wouter
+ - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
+
+15 February 2022: Wouter
+ - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
+
+11 February 2022: Wouter
+ - Fix #624: Unable to stop Unbound in Windows console (does not
+ respond to CTRL+C command).
+ - Fix #618: enabling interface-automatic disables DNS-over-TLS.
+ Adds the option to list interface-automatic-ports.
+ - Remove debug info from #618 fix.
+
+7 February 2022: Wouter
+ - Fix that TCP interface does not use TLS when TLS is also configured.
+
+4 February 2022: Wouter
+ - Fix #412: cache invalidation issue with CNAME+A.
+
+3 February 2022: Wouter
+ - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+ - Tag for 1.15.0rc1 created. That became 1.15.0 on 10 feb 2022.
+ The repository continues with version 1.15.1.
+
+2 February 2022: George
+ - Merge PR #532 from Shchelk: Fix: buffer overflow bug.
+ - Merge PR #616: Update ratelimit logic. It also introduces
+ ratelimit-backoff and ip-ratelimit-backoff configuration options.
+ - Change aggressive-nsec default to yes.
+ - Merge PR #617: Update stub/forward-host notation to accept port and
+ tls-auth-name.
+ - Update stream_ssl.tdir test to also use the new forward-host
+ notation.
+
+2 February 2022: Wouter
+ - Update version number in repo to 1.15.0 for upcoming release,
+ since it changes the aggressive-nsec default and the ratelimit change.
+ - Fix header comment for doxygen for authextstrtoaddr.
+ - please clang analyzer for loop in test code.
+ - Fix docker splint test to use more portable uname.
+ - Update contrib/aaaa-filter-iterator.patch with diff for current
+ software version.
+
+1 February 2022: George
+ - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
+ internals.
+
+31 January 2022: George
+ - Fix review comment for use-after-free when failing to send UDP out.
+
+31 January 2022: Wouter
+ - iana portlist update.
+
+29 January 2022: George
+ - Fix tls-* and ssl-* documented alternate syntax to also be available
+ through remote-control and unbound-checkconf.
+ - Better cleanup on failed DoT/DoH listening socket creation.
+
+26 January 2022: George
+ - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
+ document.
+
+26 January 2022: Wouter
+ - Test for NSID in SERVFAIL response due to DNSSEC bogus.
+
+25 January 2022: George
+ - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
+ serviced_udp_callback.
+ - Merge PR #612: TCP race condition.
+
+25 January 2022: Wouter
+ - Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
+
+19 January 2022: George
+ - For dnstap, do not wakeupnow right there. Instead zero the timer to
+ force the wakeup callback asap.
+
+14 January 2022: George
+ - Merge PR #605:
+ - Fix EDNS to upstream where the same option could be attached
+ more than once.
+ - Add a region to serviced_query for allocations.
+
+14 January 2022: Wouter
+ - Add rpz: for-downstream: yesno option, where the RPZ zone is
+ authoritatively answered for, so the RPZ zone contents can be
+ checked with DNS queries directed at the RPZ zone.
+ - For #602: Allow the module-config "subnetcache validator cachedb
+ iterator".
+
+11 January 2022: George
+ - Fix prematurely terminated TCP queries when a reply has the same ID.
+
+7 January 2022: Wouter
+ - Merge #600 from pemensik: Change file mode before changing file
+ owner.
+
+5 January 2022: Wouter
+ - Fix for #596: fix that rpz return message is returned and not just
+ the rcode from the iterator return path. This fixes signal unset RA
+ after a CNAME.
+ - Fix unit tests for rpz now that the AA flag returns successfully from
+ the iterator loop.
+ - Fix for #596: add unit test for nsdname trigger and signal unset RA.
+ - Fix for #596: add unit test for nsip trigger and signal unset RA.
+ - Fix #598: Fix unbound-checkconf fatal error: module conf
+ 'respip dns64 validator iterator' is not known to work.
+ - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
+ triggered operation.
+
+4 January 2022: Wouter
+ - Fix #596: unset the RA bit when a query is blocked by an unbound
+ RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
+ signal that a domain is externally blocked to clients when it
+ is blocked with NXDOMAIN by unsetting RA.
+ - Fix to add test for rpz-signal-nxdomain-ra.
+ - Fix #596: only unset RA when NXDOMAIN is signalled.
+ - Fix that RPZ does not set RD flag on replies, it should be copied
+ from the query.
+
+22 December 2021: George
+ - contrib/aaaa-filter-iterator.patch file renewed diff content to
+ apply cleanly to the current coderepo for the current code version.
+
+20 December 2021: George
+ - Fix #591: Unbound-anchor manpage links to non-existent license file.
+
+13 December 2021: George
+ - Add missing configure flags for optional features in the
+ documentation.
+ - Fix Unbound capitalization in the documentation.
+
+13 December 2021: Wouter
+ - Fix to pick up other class local zone information before unlock.
+
+10 December 2021: George
+ - Allow local-data for classes other than IN to inherit a configured
+ local-zone's type if possible, instead of defaulting to type
+ transparent as per the implicit rule.
+
+10 December 2021: Wouter
+ - Add code similar to fix for ldns for tab between strings, for
+ consistency, the test case was not broken.
+
+6 December 2021: Wouter
+ - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
+ warnings in rpz.
+ - Fix validator debug output about DS support, print correct algorithm.
+
+3 December 2021: Wouter
+ - Fix compile warning for if_nametoindex on windows 64bit.
+
+1 December 2021: Wouter
+ - configure is set to 1.14.0, and release branch.
+ This was released as version 1.14.0 on 9 Dec 2021, with the doxygen
+ fix below included. The main branch continues as 1.14.1.
+ - Fix doc/unbound.doxygen to remove obsolete tag warning.
+
+1 December 2021: George
+ - Merge PR #511 from yan12125: Reduce unnecessary linking.
+ - Merge PR #493 from Jaap: Fix generation of libunbound.pc.
+ - Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
+ link-local addresses.
+ - Merge PR #562 from Willem: Reset keepalive per new tcp session.
+ - Merge PR #522 from sibeream: memory management violations fixed.
+ - Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
+ - Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
+ - Fix #574: Review fixes for size allocation.
+
+30 November 2021: Wouter
+ - Fix to remove git tracking and ci information from release tarballs.
+ - iana portlist update.
+
+29 November 2021: Wouter
+ - Merge PR #570 from rex4539: Fix typos.
+ - Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
+ - Fix to make python module opt_list use opt_list_in.
+ - Fix #574: unbound-checkconf reports fatal error if interface names
+ are used as value for interfaces:
+ - Fix #574: Review fixes for it.
+ - Fix #576: [FR] UB_* error codes in unbound.h
+ - Fix #574: Review fix for spelling.
+
+15 November 2021: Tom
+ - Improve EDNS option handling, now also works for synthesised
+ responses such as local-data and server.id CH TXT responses.
+
+5 November 2021: George
+ - Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
+ reclaimed more than once during callbacks.
+ - Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
+
+5 November 2021: Wouter
+ - Fix that forward-zone name is documented as the full name of the
+ zone. It is not relative but a fully qualified domain name.
+ - Fix analyzer review failure in rpz action override code to not
+ crash on unlocking the local zone lock.
+ - Fix to remove unused code from rpz resolve client and action
+ function.
+ - Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
+
+2 November 2021: Wouter
+ - Fix #552: Unbound assumes index.html exists on RPZ host.
+
+11 October 2021: Wouter
+ - Fix chaos replies to have truncation for short message lengths,
+ or long reply strings.
+ - Fix to protect custom regional create against small values.
+
+4 October 2021: Wouter
+ - Fix to add example.conf note for outbound-msg-retry.
+
+27 September 2021: Wouter
+ - Implement RFC8375: Special-Use Domain 'home.arpa.'.
+
+21 September 2021: Wouter
+ - For crosscompile on windows, detect 64bit stackprotector library.
+ - Fix crosscompile shell syntax.
+ - Fix crosscompile windows to use libssp when it exists.
+ - For the windows compile script disable gost.
+ - Fix that on windows, use BIO_set_callback_ex instead of deprecated
+ BIO_set_callback.
+ - Fix crosscompile script for the shared build flags.
+
+20 September 2021: Wouter
+ - Fix crosscompile on windows to work with openssl 3.0.0 the
+ link with ws2_32 needs -l:libssp.a for __strcpy_chk.
+ Also copy results from lib64 directory if needed.
+
+10 September 2021: Wouter
+ - Fix initialisation errors reported by gcc sanitizer.
+ - Fix lock debug code for gcc sanitizer reports.
+ - Fix more initialisation errors reported by gcc sanitizer.
+
+8 September 2021: Wouter
+ - Merged #41 from Moritz Schneider: made outbound-msg-retry
+ configurable.
+ - Small fixes for #41: changelog, conflicts resolved,
+ processQueryResponse takes an iterator env argument like other
+ functions in the iterator, no colon in string for set_option,
+ and some whitespace style, to make it similar to the rest.
+ - Fix for #41: change outbound retry to int to fix signed comparison
+ warnings.
+ - Fix root_anchor test to check with new icannbundle date.
+
+3 September 2021: Wouter
+ - Fix #538: Fix subnetcache statistics.
+
+1 September 2021: Wouter
+ - Fix tcp fastopen failure when disabled, try normal connect instead.
+
+27 August 2021: Wouter
+ - Fix #533: Negative responses get cached even when setting
+ cache-max-negative-ttl: 1
+
+25 August 2021: Wouter
+ - Merge #401: RPZ triggers. This add additional RPZ triggers,
+ unbound supports a full set of rpz triggers, and this now
+ includes nsdname, nsip and clientip triggers. Also actions
+ are fully supported, and this now includes the tcp-only action.
+ - Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
+ to insert into RPZ.
+ - Fix the stream wait stream_wait_count_lock and http2 buffer locks
+ setup and desetup from race condition.
+ - Fix RPZ locks. Do not unlock zones lock if requested and rpz find
+ zone does not find the zone. Readlock the clientip that is found
+ for ipbased triggers. Unlock the nsdname zone lock when done.
+ Unlock zone and ip in rpz nsip and nsdname callback. Unlock
+ authzone and localzone if clientip found in rpz worker call.
+ - Fix compile warning in libunbound for listen desetup routine.
+ - Fix asynclook unit test for setup of lockchecks before log.
+
+20 August 2021: Wouter
+ - Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
+ undefined.
+ - Fix #531: Fix: passed to proc after free.
+
+17 August 2021: Wouter
+ - Fix that --with-ssl can use "/usr/include/openssl11" to pass the
+ location of a different openssl version.
+ - Fix #527: not sending quad9 cert to syslog (and may be more).
+ - Fix sed script in ssldir split handling.
+
+16 August 2021: George
+ - Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
+ static.
+
+16 August 2021: Wouter
+ - Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
+
+13 August 2021: Wouter
+ - Support using system-wide crypto policies.
+ - Fix for #431: Squelch permission denied errors for udp connect,
+ and udp send, they are visible at higher verbosity settings.
+ - Fix zonemd verification of key that is not in DNS but in the zone
+ and needs a chain of trust.
+ - zonemd, fix order of bogus printout string manipulation.
+
+12 August 2021: George
+ - Merge PR #514, from ziollek: Docker environment for run tests.
+ - For #514: generate configure.
+
+12 August 2021: Wouter
+ - And 1.13.2rc1 became the 1.13.2 with the fix for the python module
+ build. The current code repository continues with version 1.13.3.
+ - Add test tool readzone to .gitignore.
+ - Merge #521: Update mini_event.c.
+ - Merge #523: fix: free() call more than once with the same pointer.
+ - Merge #519: Support for selective enabling tcp-upstream for
+ stub/forward zones.
+ - For #519: note stub-tcp-upstream and forward-tcp-upstream in
+ the example configuration file.
+ - For #519: yacc and lex. And fix python bindings, and test program
+ unbound-dnstap-socket.
+ - For #519: fix comments for doxygen.
+ - Fix to print error from unbound-anchor for writing to the key
+ file, also when not verbose.
+
+5 August 2021: Wouter
+ - Tag for 1.13.2rc1 release.
+ - Fix #520: Unbound 1.13.2rc1 fails to build python module.
+
+4 August 2021: George
+ - Merge PR #415 from sibeream: Use
+ /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing
+ ports. (New --enable-linux-ip-local-port-range configuration option)
+ - Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
+ allows longer CNAME chains in Unbound.
+
+4 August 2021: Wouter
+ - In unit test use openssl set security level to allow keys in test.
+ - Fix static analysis warnings about localzone locks that are unused.
+ - Fix missing locks in zonemd unit test.
+ - Fix readzone compile under debug config.
+ - Fix out of sourcedir run of zonemd unit tests.
+ - Fix libnettle zonemd unit test.
+ - Fix unit test zonemd_reload for use in run_vm.
+
+3 August 2021: George
+ - Listen to read or write events after the SSL handshake.
+ Sticky events on windows would stick on read when write was needed.
+
+3 August 2021: Wouter
+ - Merge PR #517 from dyunwei: #420 breaks the mesh reply list
+ function that need to reuse the dns answer.
+ - Annotate assertion into error printout; we think it may be an
+ error, but the situation looks harmless.
+ - Fix sign comparison warning on FreeBSD.
+
+2 August 2021: Wouter
+ - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
+ keyraw functions to produce EVP_PKEY results.
+ - Move RSA and DSA to use OpenSSL 3.0.0 API.
+ - Move ECDSA functions to use OpenSSL 3.0.0 API.
+ - iana portlist update.
+ - Fix verbose printout failure in tcp reuse unit test.
+
+30 July 2021: Wouter
+ - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
+ build unbound.
+ - For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
+ SSL_get_peer_certificate.
+ - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
+
+26 July 2021: George
+ - Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
+ introduces a couple of fixes for the stream reuse functionality
+ that could result in broken internal structures.
+
+26 July 2021: Wouter
+ - Merge #512: unbound.service.in: upgrade hardening to latest
+ standards.
+ - Fix readzone unknown type print for memory resize.
+
+21 July 2021: Wouter
+ - Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
+ line after a comment.
+
+16 July 2021: George
+ - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
+
+16 July 2021: Wouter
+ - Merge #510 from ndptech: Don't call a function which hasn't been
+ defined.
+ - Fix for #510: in depth, use ifdefs for windows api event calls.
+ - Fix spelling in doc/unbound.doxygen comment.
+ - Fix spelling in localzone.h comment.
+ - Fix unbound-control local_data and local_datas to print detailed
+ syntax errors.
+ - review fix to remove duplicate error printout.
+ - Insert header into testcode/readzone.c, it was missing.
+ - Fix from lint for ignored return value.
+ - Fix for older parsers for function call in serve expired get cached.
+
+6 July 2021: Wouter
+ - iana portlist update.
+
+5 July 2021: George
+ - Fix compiler warnings for #491.
+ - Fix clang-analysis warnings for testcode/readzone.c.
+
+4 July 2021: George
+ - Fix Wunused-result compile warnings.
+
+2 July 2021: Tom
+ - Merge PR #491: Add SVCB and HTTPS types and handling according to
+ draft-ietf-dnsop-svcb-https.
+
+2 July 2021: Wouter
+ - Fix #506: Python Module Seems to Leak Memory if it Experiences an
+ Unhandled Exception.
+
+25 June 2021: Wouter
+ - Fix up permissions on rpl data file in tests.
+ - Fix testbound newline treatment in moment_read and tempfile write.
+ - Fix configure grep for reuseport default for failure.
+ - Fix compat ctime_r return value
+ - Fix configure does not require pkg-config if not needed.
+ - Fix unit test in the ctime_r calls for autotrust and in testbound.
+ - Fix auth zone download on windows to unlink before rename.
+
+24 June 2021: Wouter
+ - Add analyzer and port compile github workflow.
+
+23 June 2021: Wouter
+ - Fix #503: DNS over HTTPS response truncated.
+ - Fix warnings reported by the gcc analyzer.
+
+21 June 2021: George
+ - Fix #495: Documentation or implementation of "verbosity" option.
+
+18 June 2021: Wouter
+ - Fix a number of warnings reported by the gcc analyzer.
+
+15 June 2021: George
+ - Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
+
+14 June 2021: Wouter
+ - Fix configure nonblocking test and onmingw test to use host.
+
+10 June 2021: Wouter
+ - Fix #500: SPEC file in version 1.13.1 references version 1.4;
+ unable to build RPM from source.
+ - Fix contrib/unbound.spec, fixed url and comment.
+
+9 June 2021: George
+ - Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
+ - Generated lexer and parser for #486; updated example.conf.
+ - Fix #413 (based on patch by k-ronny): unbound: does not compile
+ on macOS 11.1-x86_64 host.
+ - Use host_os instead of target_os in configure for Darwin8 build.
+
+8 June 2021: George
+ - Fix unused variable warning when compiling with --enable-dnstap.
+
+7 June 2021: George
+ - Merge #448 from shoeper: Update unbound-control.8.in, fix
+ rpz_disable typo.
+ - Fix #425: Document auth-zone supports communication with DNS
+ primary on nondefault port.
+
+1 June 2021: George
+ - Fix test for zonemd-check option.
+
+27 May 2021: Wouter
+ - Merge #496 from banburybill: Use build system endianness if
+ available, otherwise try to work it out.
+ - zonemd-check: yesno option, default no, enables the processing
+ of ZONEMD records for that zone.
+
+25 May 2021: Wouter
+ - Move the NSEC3 max iterations count in line with the 150 value
+ used by BIND, Knot and PowerDNS. This sets the default value
+ for it in the configuration to 150 for all key sizes.
+ - Fix #492: module-config respip missing in unbound.conf.5.in man
+ page. Merges #494 from he32.
+ - For #492: Fix font highlighting for the man page on emacs.
+
+21 May 2021: Wouter
+ - Test code has -q option for quiet output.
+
+19 May 2021: George
+ - Fix for #411, #439, #469: Reset the DNS message ID when moving queries
+ between TCP streams.
+ - Refactor for uniform way to produce random DNS message IDs.
+
+17 May 2021: Wouter
+ - Fix #489: Compile using MSYS2 MinGW 64-bit.
+
+12 May 2021: Wouter
+ - Fix that auth-zone zonefiles use last TTL if no TTL is specified.
+
+10 May 2021: Wouter
+ - Merge PR #487: ifdef RLIMIT_AS in recently added check.
+
+7 May 2021: Wouter
+ - Fix #485: Unbound occasionally reports broken stats.
+ - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
+ - Remove case fallthrough from deprecate-rsa-1024 code.
+
+4 May 2021: George
+ - Fix for #367: only attempt to get the interface for queries that are no
+ longer on the tcp_waiting_list.
+ - Add more logging for out-of-memory cases.
+
+4 May 2021: Wouter
+ - Merge #478: Allow configuration of TCP timeout while waiting for
+ response.
+ - Fix to squelch tcp socket bind failures when the interface is gone.
+ - Rerun flex and bison.
+
+3 May 2021: Wouter
+ - Fix #481: Fix comment in configuration file.
+
+29 April 2021: Wouter
+ - Add that log-servfail prints an IP address and more information
+ about one of the last failures for that query.
+
+28 April 2021: George
+ - Fix compiler warning for signed/unsigned comparison for
+ max_reuse_tcp_queries.
+
+28 April 2021: Wouter
+ - Fix #474: always_null and others inside view.
+
+26 April 2021: Wouter
+ - Merge #470 from edevil: Allow configuration of persistent TCP
+ connections.
+
+22 April 2021: Wouter
+ - Merge #466 from FGasper: Support OpenSSLs that lack
+ SSL_get0_alpn_selected.
+ - Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
+ - Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
+ OpenSSL 1.0.1.
+ - Fix that testcode dohclient has OpenSSL initialisation calls.
+ +13 April 2021: George + - Fix documentation comment for files previously residing in checkconf/. + - Remove unused functions worker_handle_reply and libworker_handle_reply. + +13 April 2021: Wouter + - Fix that nxdomain synthesis does not happen above the stub or + forward definition. + +12 April 2021: George + - Fix (increase) verbosity level for iterator error log in + processQueryTargets(). + +12 April 2021: Wouter + - Fix permission denied sendto log, squelch the log messages + unless high verbosity is set. + +9 April 2021: Wouter + - rebuild configure to set EXTRALINK to libunbound.la for #460. + +7 April 2021: Wouter + - Fix for #411: Depth protect for crash on deleted element timeout. + 1 April 2021: Wouter - Merge #460 from orbea: build: Link with the libtool archive. - Fix to stop IPv6 PMTU discovery. diff --git a/doc/README.tests b/doc/README.tests index 5385e2b22..376f01717 100644 --- a/doc/README.tests +++ b/doc/README.tests @@ -15,6 +15,14 @@ You need to have the following programs installed and in your PATH. * xxd and nc (optional) - for (malformed) packet transmission. The optional programs are detected and can be omitted. +You can also use prepared Dockerfile to run tests inside docker based on latest gcc image: +* build container: docker build -t unbound-tester -f contrib/Dockerfile.tests . +* run container: docker run -it --mount type=bind,source="$(pwd)",target=/usr/src/unbound --rm unbound-tester +* configure environment: ./configure +* run test: make test +* run long tests: make longtest +It is worth to mention that you need to enable [ipv6 in your docker daemon configuration](https://docs.docker.com/config/daemon/ipv6/) because some tests need ipv6 network stack. + testdata/ contains the data for tests. testcode/ contains scripts and c code for the tests. diff --git a/doc/example.conf.in b/doc/example.conf.in index 82b652f8a..146ace827 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in 
@@ -55,6 +55,10 @@ server: # Socket options are not supported on all platforms. experimental. # interface-automatic: no + # instead of the default port, open additional ports separated by + # spaces when interface-automatic is enabled, by listing them here. + # interface-automatic-ports: "" + # port to answer queries from # port: 53 @@ -82,13 +86,13 @@ server: # num-queries-per-thread, or, use as many as the OS will allow you. # outgoing-range: 4096 - # permit unbound to use this port number or port range for + # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # outgoing-port-permit: 32768 - # deny unbound the use this of port number or port range for + # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. - # Use this to make sure unbound does not grab a UDP port that some + # Use this to make sure Unbound does not grab a UDP port that some # other server on this computer needs. The default is to avoid # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options @@ -164,6 +168,9 @@ server: # perform connect for UDP sockets to mitigate ICMP side channel. # udp-connect: yes + # The number of retries when a non-positive response is received. + # outbound-msg-retry: 5 + # msec for waiting for an unknown server to reply. Increase if you # are behind a slow satellite link, to eg. 1128. # unknown-server-time-limit: 376 @@ -251,7 +258,7 @@ server: # use-systemd: no # Detach from the terminal, run in background, "yes" or "no". - # Set the value to "no" when unbound runs as systemd service. + # Set the value to "no" when Unbound runs as systemd service. # do-daemonize: yes # control which clients are allowed to make (recursive) queries 
@@ -304,7 +311,7 @@ server: # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/urandom (for entropy). + # Additionally, Unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. @@ -371,6 +378,9 @@ server: # enable to not answer trustanchor.unbound queries. # hide-trustanchor: no + # enable to not set the User-Agent HTTP header. + # hide-http-user-agent: no + # the identity to report. Leave "" or default to return hostname. # identity: "" @@ -380,6 +390,10 @@ server: # NSID identity (hex string, or "ascii_somestring"). default disabled. # nsid: "aabbccdd" + # User-Agent HTTP header to use. Leave "" or default to use package name + # and version. + # http-user-agent: "" + # the target fetch policy. # series of integers describing the policy per dependency depth. # The number of values in the list determines the maximum dependency @@ -432,7 +446,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. - # aggressive-nsec: no + # aggressive-nsec: yes # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. @@ -507,7 +521,8 @@ server: # Use several entries, one per domain name, to track multiple zones. # # If you want to perform DNSSEC validation, run unbound-anchor before - # you start unbound (i.e. in the system boot scripts). And enable: + # you start Unbound (i.e. in the system boot scripts). + # And then enable the auto-trust-anchor-file config item. # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" 
@@ -556,6 +571,10 @@ server: # val-sig-skew-min: 3600 # val-sig-skew-max: 86400 + # The maximum number the validator should restart validation with + # another authority in case of failed validation. + # val-max-restart: 5 + # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data @@ -570,7 +589,7 @@ server: # val-permissive-mode: no # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of unbound are legacy servers (w2008) + # Enable it if the only clients of Unbound are legacy servers (w2008) # that set CD but cannot validate themselves. # ignore-cd-flag: no @@ -600,7 +619,7 @@ server: # Return the original TTL as received from the upstream name server rather # than the decrementing TTL as stored in the cache. Enabling this feature - # does not impact cache expiry, it only changes the TTL unbound embeds in + # does not impact cache expiry, it only changes the TTL Unbound embeds in # responses to queries. Note that enabling this feature implicitly disables # enforcement of the configured minimum and maximum TTL. # serve-original-ttl: no @@ -613,7 +632,7 @@ server: # keysize. Keep this table very short, as linear search is done. # A message with an NSEC3 with larger count is marked insecure. # List in ascending order the keysize and count values. - # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" + # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" # if enabled, ZONEMD verification failures do not block the zone. # zonemd-permissive-mode: no 
@@ -654,6 +673,7 @@ server: # local-zone: "localhost." nodefault # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "home.arpa." nodefault # local-zone: "onion." nodefault # local-zone: "test." nodefault # local-zone: "invalid." nodefault @@ -693,9 +713,9 @@ server: # Add example.com into ipset # local-zone: "example.com" ipset - # If unbound is running service for the local host then it is useful + # If Unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this unbound is a dns server + # long list of local-zones above. If this Unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no @@ -844,6 +864,10 @@ server: # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ratelimit-backoff: no + # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 @@ -864,6 +888,10 @@ server: # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ip-ratelimit-backoff: no + # Limit the number of connections simultaneous from a netblock # tcp-connection-limit: 192.0.2.0/24 12 
@@ -873,7 +901,7 @@ server: # the number of servers that will be used in the fast server selection. # fast-server-num: 3 - # Specific options for ipsecmod. unbound needs to be configured with + # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. # # Enable or disable ipsecmod (it still needs to be defined in @@ -885,7 +913,7 @@ server: # listed in module-config (above). # ipsecmod-hook: "./my_executable" # - # When enabled unbound will reply with SERVFAIL if the return value of + # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no # @@ -901,6 +929,13 @@ server: # ipsecmod-allow: "example.com" # ipsecmod-allow: "nlnetlabs.nl" + # Timeout for REUSE entries in milliseconds. + # tcp-reuse-timeout: 60000 + # Max number of queries on a reuse connection. + # max-reuse-tcp-queries: 200 + # Timeout in milliseconds for TCP queries to auth servers. + # tcp-auth-query-timeout: 3000 + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. @@ -943,10 +978,10 @@ remote-control: # For local sockets this option is ignored, and TLS is not used. # control-use-cert: "yes" - # unbound server key file. + # Unbound server key file. # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" - # unbound server certificate file. + # Unbound server certificate file. # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" # unbound-control key file. @@ -968,6 +1003,7 @@ remote-control: # stub-addr: 192.0.2.68 # stub-prime: no # stub-first: no +# stub-tcp-upstream: no # stub-tls-upstream: no # stub-no-cache: no # stub-zone: @@ -985,6 +1021,7 @@ remote-control: # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no +# forward-tcp-upstream: no # forward-tls-upstream: no # forward-no-cache: no # forward-zone: 
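Review bot: The comment `# Timeout for REUSE entries in milliseconds.` added above `tcp-reuse-timeout` (third hunk on this line) never says what a REUSE entry is, so an operator reading the sample config cannot tell what the value controls. The man page text added elsewhere in this diff describes the same option as the period Unbound keeps persistent TCP connections to authority servers open. The sample comment could use that wording, for example `# Period in milliseconds to keep persistent TCP connections to authority servers open.`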
@@ -1025,6 +1062,7 @@ remote-control: # name: "example.org" # for-downstream: yes # for-upstream: yes +# zonemd-check: no # zonemd-reject-absence: no # zonefile: "example.org.zone" @@ -1046,8 +1084,9 @@ remote-control: # local-zone: "example.com" refuse # DNSCrypt +# To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to # listen on `dnscrypt-port` with the follo0wing snippet: @@ -1066,7 +1105,9 @@ remote-control: # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert # CacheDB -# Enable external backend DB as auxiliary cache. Specify the backend name +# External backend DB as auxiliary cache. +# To enable, use --enable-cachedb to configure before compiling. +# Specify the backend name # (default is "testframe", which has no use other than for debugging and # testing) and backend-specific options. The 'cachedb' module must be # included in module-config, just before the iterator module. @@ -1076,6 +1117,7 @@ remote-control: # secret-seed: "default" # # # For "redis" backend: +# # (to enable, use --with-libhiredis to configure before compiling) # # redis server's IP address or host name # redis-server-host: 127.0.0.1 # # redis server's TCP port @@ -1087,7 +1129,9 @@ remote-control: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset unbound needs to run as root user. +# To enable: +# o use --enable-ipset to configure before compiling; +# o Unbound then needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" 
@@ -1095,9 +1139,10 @@ remote-control: # name-v6: "list-v6" # -# Dnstap logging support, if compiled in. To enable, set the dnstap-enable -# to yes and also some of dnstap-log-..-messages to yes. And select an -# upstream log destination, by socket path, TCP or TLS destination. +# Dnstap logging support, if compiled in by using --enable-dnstap to configure. +# To enable, set the dnstap-enable to yes and also some of +# dnstap-log-..-messages to yes. And select an upstream log destination, by +# socket path, TCP or TLS destination. # dnstap: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode @@ -1110,7 +1155,7 @@ remote-control: # dnstap-tls: yes # # name for authenticating the upstream server. or "" disabled. # dnstap-tls-server-name: "" -# # if "", it uses the cert bundle from the main unbound config. +# # if "", it uses the cert bundle from the main Unbound config. # dnstap-tls-cert-bundle: "" # # key file for client authentication, or "" disabled. # dnstap-tls-client-key-file: "" @@ -1130,10 +1175,11 @@ remote-control: # dnstap-log-forwarder-response-messages: no # Response Policy Zones -# RPZ policies. Applied in order of configuration. QNAME and Response IP -# Address trigger are the only supported triggers. Supported actions are: -# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from -# file, using zone transfer, or using HTTP. The respip module needs to be added +# RPZ policies. Applied in order of configuration. QNAME, Response IP +# Address, nsdname, nsip and clientip triggers are supported. Supported +# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only +# and drop. Policies can be loaded from a file, or using zone +# transfer, or using HTTP. The respip module needs to be added # to the module-config, e.g.: module-config: "respip validator iterator". # rpz: # name: "rpz.example.com" 
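Review bot: The rewritten RPZ comment in the last hunk on this line names the drop action twice: the new text reads "PASSTHRU, DROP, Local Data, tcp-only and drop". The trailing "and drop" looks like a leftover from the edit and could make a reader think there are two distinct actions. The two affected lines could become `# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data and tcp-only.` followed by `# Policies can be loaded from a file, or using zone`. The `num.rpz.action` list in the unbound-control man page hunk of this diff names drop only once, which supports a single entry.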
@@ -1145,4 +1191,6 @@ remote-control: # rpz-cname-override: www.example.org # rpz-log: yes # rpz-log-name: "example policy" +# rpz-signal-nxdomain-ra: no +# for-downstream: no # tags: "example" diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index b0d8302c4..31c4e9113 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -41,7 +41,7 @@ update certificate files. .P It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results (RFC7958), +It performs a https fetch of root-anchors.xml and checks the results (RFC7958), if all checks are successful, it updates the root anchor file. Otherwise the root anchor file is unchanged. It performs RFC5011 tracking if the DNSSEC information available via the DNS makes that possible. @@ -159,7 +159,7 @@ Or something more suitable for your operational environment. The root keys and update certificate included in this tool are provided for convenience and under the terms of our license (see the LICENSE file in the source distribution or -http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or +https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or not suitable to your purpose. .P By running "unbound\-anchor \-l" the keys and certificate that are @@ -185,5 +185,5 @@ Source for the root key information. .I https://data.iana.org/root\-anchors/root\-anchors.p7s Signature on the root key information. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in index f38049a03..98f1bf808 100644 --- a/doc/unbound-checkconf.8.in +++ b/doc/unbound-checkconf.8.in 
@@ -9,7 +9,7 @@ .\" .SH "NAME" unbound\-checkconf -\- Check unbound configuration file for errors. +\- Check Unbound configuration file for errors. .SH "SYNOPSIS" .B unbound\-checkconf .RB [ \-h ] @@ -21,8 +21,8 @@ unbound\-checkconf .B Unbound\-checkconf checks the configuration file for the \fIunbound\fR(8) -DNS resolver for syntax and other errors. -The config file syntax is described in +DNS resolver for syntax and other errors. +The config file syntax is described in \fIunbound.conf\fR(5). .P The available options are: @@ -34,19 +34,19 @@ Show the version and commandline option help. Print full pathname, with chroot applied to it. Use with the \-o option. .TP .B \-o\fI option -If given, after checking the config file the value of this option is +If given, after checking the config file the value of this option is printed to stdout. For "" (disabled) options an empty line is printed. .TP .I cfgfile -The config file to read with settings for unbound. It is checked. +The config file to read with settings for Unbound. It is checked. If omitted, the config file at the default location is checked. .SH "EXIT CODE" -The unbound\-checkconf program exits with status code 1 on error, +The unbound\-checkconf program exits with status code 1 on error, 0 for a correct config file. .SH "FILES" .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 20325abf2..2f3910463 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in 
@@ -14,15 +14,15 @@ .SH "SYNOPSIS" .B unbound\-control .RB [ \-hq ] -.RB [ \-c +.RB [ \-c .IR cfgfile ] -.RB [ \-s +.RB [ \-s .IR server ] .IR command .SH "DESCRIPTION" .B Unbound\-control performs remote administration on the \fIunbound\fR(8) DNS server. -It reads the configuration file, contacts the unbound server over SSL +It reads the configuration file, contacts the Unbound server over SSL sends the command and displays the result. .P The available options are: @@ -44,8 +44,8 @@ quiet, if the option is given it does not print anything if it works ok. There are several commands that the server understands. .TP .B start -Start the server. Simply execs \fIunbound\fR(8). The unbound executable -is searched for in the \fBPATH\fR set in the environment. It is started +Start the server. Simply execs \fIunbound\fR(8). The Unbound executable +is searched for in the \fBPATH\fR set in the environment. It is started with the config file specified using \fI\-c\fR or the default config file. .TP .B stop @@ -65,8 +65,8 @@ daemon release the file it is logging to. If you are using syslog it will attempt to close and open the syslog (which may not work if chrooted). .TP .B stats -Print statistics. Resets the internal counters to zero, this can be -controlled using the \fBstatistics\-cumulative\fR config statement. +Print statistics. Resets the internal counters to zero, this can be +controlled using the \fBstatistics\-cumulative\fR config statement. Statistics are printed with one [name]: [value] per line. .TP .B stats_noreset @@ -74,7 +74,7 @@ Peek at statistics. Prints them like the \fBstats\fR command does, but does not reset the internal counters to zero. .TP .B status -Display server status. Exit code 3 if not running (the connection to the +Display server status. Exit code 3 if not running (the connection to the port is refused), 1 on error, 0 if running. .TP .B local_zone \fIname\fR \fItype 
@@ -88,15 +88,14 @@ it. If the zone does not exist, the command succeeds. .B local_data \fIRR data... Add new local data, the given resource record. Like \fBlocal\-data\fR config statement, except for when no covering zone exists. In that case -this remote control command creates a transparent zone with the same -name as this record. This command is not good at returning detailed syntax -errors. +this remote control command creates a transparent zone with the same +name as this record. .TP .B local_data_remove \fIname Remove all RR data from local name. If the name already has no items, nothing happens. Often results in NXDOMAIN for the name (in a static zone), -but if the name has become an empty nonterminal (there is still data in -domain names below the removed name), NOERROR nodata answers are the +but if the name has become an empty nonterminal (there is still data in +domain names below the removed name), NOERROR nodata answers are the result for that name. .TP .B local_zones 
@@ -126,22 +125,22 @@ in old or wrong data returned to clients. Loading data into the cache in this way is supported in order to aid with debugging. .TP .B lookup \fIname -Print to stdout the name servers that would be used to look up the +Print to stdout the name servers that would be used to look up the name specified. .TP .B flush \fIname Remove the name from the cache. Removes the types A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR. -Because that is fast to do. Other record types can be removed using -.B flush_type -or +Because that is fast to do. Other record types can be removed using +.B flush_type +or .B flush_zone\fR. .TP .B flush_type \fIname\fR \fItype Remove the name, type information from the cache. .TP .B flush_zone \fIname -Remove all information at or below the name from the cache. +Remove all information at or below the name from the cache. The rrsets and key entries are removed so that new lookups will be performed. This needs to walk and inspect the entire cache, and is a slow operation. The entries are set to expired in the implementation of this command (so, @@ -188,7 +187,7 @@ therefore not flushed. The option must end with a ':' and whitespace must be between the option and the value. Some values may not have an effect if set this way, the new values are not written to the config file, not all options are supported. This is different from the set_option call -in libunbound, where all values work because unbound has not been initialized. +in libunbound, where all values work because Unbound has not been initialized. .IP The values that work are: statistics\-interval, statistics\-cumulative, do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries, 
@@ -228,36 +227,36 @@ List the local data RRs in use. The resource records are printed. .TP .B insecure_add \fIzone Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf. -Adds to the running unbound without affecting the cache contents (which may +Adds to the running Unbound without affecting the cache contents (which may still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file. .TP .B insecure_remove \fIzone Removes domain\-insecure for the given zone. .TP .B forward_add \fR[\fI+i\fR] \fIzone addr ... -Add a new forward zone to running unbound. With +i option also adds a +Add a new forward zone to running Unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have a DNSSEC root trust anchor configured for other names). The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config in unbound.conf. .TP .B forward_remove \fR[\fI+i\fR] \fIzone -Remove a forward zone from running unbound. The +i also removes a +Remove a forward zone from running Unbound. The +i also removes a \fIdomain\-insecure\fR for the zone. .TP .B stub_add \fR[\fI+ip\fR] \fIzone addr ... -Add a new stub zone to running unbound. With +i option also adds a +Add a new stub zone to running Unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime, without it it is set to notprime. The addr can be IP4, IP6 or nameserver names, like the \fIstub-zone\fR config in unbound.conf. .TP .B stub_remove \fR[\fI+i\fR] \fIzone -Remove a stub zone from running unbound. The +i also removes a +Remove a stub zone from running Unbound. The +i also removes a \fIdomain\-insecure\fR for the zone. .TP .B forward \fR[\fIoff\fR | \fIaddr ...\fR ] Setup forwarding mode. 
Configures if the server should ask other upstream -nameservers, should go to the internet root nameservers itself, or show +nameservers, should go to the internet root nameservers itself, or show the current config. You could pass the nameservers after a DHCP update. .IP Without arguments the current list of addresses used to forward all queries @@ -297,7 +296,7 @@ status, indicating if the zone is expired and current serial number. Reload the auth zone from zonefile. The zonefile is read in overwriting the current contents of the zone in memory. This changes the auth zone contents itself, not the cache contents. Such cache contents exists if -you set unbound to validate with for-upstream yes and that can be cleared +you set Unbound to validate with for-upstream yes and that can be cleared with \fBflush_zone\fR \fIzone\fR. .TP .B auth_zone_transfer \fIzone\fR @@ -308,7 +307,7 @@ serial check). And then the zone is transferred for a newer zone version. .B rpz_enable \fIzone\fR Enable the RPZ zone if it had previously been disabled. .TP -.B rpz_enable \fIzone\fR +.B rpz_disable \fIzone\fR Disable the RPZ zone. .TP .B view_list_local_zones \fIview\fR @@ -337,7 +336,7 @@ Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas. .SH "EXIT CODE" The unbound\-control program exits with status code 1 on error, 0 on success. .SH "SET UP" -The setup requires a self\-signed certificate and private keys for both +The setup requires a self\-signed certificate and private keys for both the server and client. The script \fIunbound\-control\-setup\fR generates these in the default run directory, or with \-d in another directory. If you change the access control permissions on the key files you can decide 
@@ -351,7 +350,7 @@ If you have not configured a username in unbound.conf, the keys need read permission for the user credentials under which the daemon is started. The script preserves private keys present in the directory. -After running the script as root, turn on \fBcontrol\-enable\fR in +After running the script as root, turn on \fBcontrol\-enable\fR in \fIunbound.conf\fR. .SH "STATISTIC COUNTERS" The \fIstats\fR command shows a number of statistic counters. @@ -418,8 +417,8 @@ Average time it took to answer queries that needed recursive processing. Note th .TP .I threadX.recursion.time.median The median of the time it took to answer queries that needed recursive -processing. The median means that 50% of the user queries were answered in -less than this time. Because of big outliers (usually queries to non +processing. The median means that 50% of the user queries were answered in +less than this time. Because of big outliers (usually queries to non responsive servers), the average can be bigger than the median. This median has been calculated by interpolation from a histogram. .TP 
@@ -545,32 +544,32 @@ The total number of queries over all threads with query opcode QUERY. Also printed for other opcodes, UPDATE, ... .TP .I num.query.tcp -Number of queries that were made using TCP towards the unbound server. +Number of queries that were made using TCP towards the Unbound server. .TP .I num.query.tcpout -Number of queries that the unbound server made using TCP outgoing towards +Number of queries that the Unbound server made using TCP outgoing towards other servers. .TP .I num.query.tls -Number of queries that were made using TLS towards the unbound server. +Number of queries that were made using TLS towards the Unbound server. These are also counted in num.query.tcp, because TLS uses TCP. .TP .I num.query.tls.resume Number of TLS session resumptions, these are queries over TLS towards -the unbound server where the client negotiated a TLS session resumption key. +the Unbound server where the client negotiated a TLS session resumption key. .TP .I num.query.https -Number of queries that were made using HTTPS towards the unbound server. +Number of queries that were made using HTTPS towards the Unbound server. These are also counted in num.query.tcp and num.query.tls, because HTTPS uses TLS and TCP. .TP .I num.query.ipv6 -Number of queries that were made using IPv6 towards the unbound server. +Number of queries that were made using IPv6 towards the Unbound server. .TP .I num.query.flags.RD The number of queries that had the RD flag set in the header. Also printed for flags QR, AA, TC, RA, Z, AD, CD. -Note that queries with flags QR, AA or TC may have been rejected +Note that queries with flags QR, AA or TC may have been rejected because of that. .TP .I num.query.edns.present 
@@ -604,7 +603,7 @@ These queries are also included in the num.answer.rcode.NOERROR number. Common for AAAA lookups when an A record exists, and no AAAA. .TP .I num.answer.secure -Number of answers that were secure. The answer validated correctly. +Number of answers that were secure. The answer validated correctly. The AD bit might have been set in some of these answers, where the client signalled (with DO or AD bit in the query) that they were ready to accept the AD bit in the answer. @@ -645,7 +644,7 @@ per delegation point, and their validation status. .I dnscrypt_shared_secret.cache.count The number of items in the shared secret cache. These are precomputed shared secrets for a given client public key/server secret key pair. Shared secrets -are CPU intensive and this cache allows unbound to avoid recomputing the +are CPU intensive and this cache allows Unbound to avoid recomputing the shared secret when multiple dnscrypt queries are sent from the same client. .TP .I dnscrypt_nonce.cache.count @@ -685,16 +684,16 @@ specific cache, after getting processed by the edns client subnet module. .TP .I num.rpz.action. Number of queries answered using configured RPZ policy, per RPZ action type. -Possible actions are: nxdomain, nodata, passthru, drop, local_data, disabled, -and cname_override. +Possible actions are: nxdomain, nodata, passthru, drop, tcp\-only, local\-data, +disabled, and cname\-override. .SH "FILES" .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .TP .I @UNBOUND_RUN_DIR@ directory with private keys (unbound_server.key and unbound_control.key) and self\-signed certificates (unbound_server.pem and unbound_control.pem). .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in index 1bddf2fd0..31902b422 100644 --- a/doc/unbound-host.1.in +++ b/doc/unbound-host.1.in 
@@ -15,7 +15,7 @@ .RB [ \-C .IR configfile ] .RB [ \-vdhr46D ] -.RB [ \-c +.RB [ \-c .IR class ] .RB [ \-t .IR type ] @@ -28,12 +28,12 @@ .I hostname .SH "DESCRIPTION" .B Unbound\-host -uses the unbound validating resolver to query for the hostname and display -results. With the \fB\-v\fR option it displays validation +uses the Unbound validating resolver to query for the hostname and display +results. With the \fB\-v\fR option it displays validation status: secure, insecure, bogus (security failure). .P By default it reads no configuration file whatsoever. It attempts to reach -the internet root servers. With \fB\-C\fR an unbound config file and with +the internet root servers. With \fB\-C\fR an Unbound config file and with \fB\-r\fR resolv.conf can be read. .P The available options are: @@ -73,7 +73,7 @@ For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546 .TP .B \-D Enables DNSSEC validation. Reads the root anchor from the default configured -root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR. +root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR. .TP .B \-f \fIkeyfile Reads keys from a file. Every line has a DS or DNSKEY record, in the format @@ -110,9 +110,9 @@ $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325 .P $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153 .SH "EXIT CODE" -The unbound\-host program exits with status code 1 on error, +The unbound\-host program exits with status code 1 on error, 0 on no error. The data may not be available on exit code 0, exit code 1 means the lookup encountered a fatal error. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/doc/unbound.8.in b/doc/unbound.8.in index 6e28ea783..936326912 100644 --- a/doc/unbound.8.in +++ b/doc/unbound.8.in 
@@ -57,7 +57,7 @@ The available options are: Show the version number and commandline option help, and exit. .TP .B \-c\fI cfgfile -Set the config file with settings for unbound to read instead of reading the +Set the config file with settings for Unbound to read instead of reading the file at the default location, @ub_conf_file@. The syntax is described in \fIunbound.conf\fR(5). .TP @@ -70,7 +70,7 @@ or to syslog, but the log messages are printed to stderr all the time. .TP .B \-p Don't use a pidfile. This argument should only be used by supervision -systems which can ensure that only one instance of unbound will run +systems which can ensure that only one instance of Unbound will run concurrently. .TP .B \-v diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 6fe9f6203..3397d706a 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -89,11 +89,11 @@ These options are part of the clause. .TP .B verbosity: \fI -The verbosity number, level 0 means no verbosity, only errors. Level 1 -gives operational information. Level 2 gives detailed operational -information. Level 3 gives query level information, output per query. -Level 4 gives algorithm level information. Level 5 logs client -identification for cache misses. Default is level 1. +The verbosity number, level 0 means no verbosity, only errors. Level 1 +gives operational information. Level 2 gives detailed operational +information including short information per query. Level 3 gives query level +information, output per query. Level 4 gives algorithm level information. +Level 5 logs client identification for cache misses. Default is level 1. The verbosity can also be increased from the commandline, see \fIunbound\fR(8). .TP .B statistics\-interval: \fI 
@@ -104,7 +104,7 @@ requestlist statistics are printed for every interval (but can be 0). This is because the median calculation requires data to be present. .TP .B statistics\-cumulative: \fI -If enabled, statistics are cumulative since starting unbound, without clearing +If enabled, statistics are cumulative since starting Unbound, without clearing the statistics counters after logging the statistics. Default is no. .TP .B extended\-statistics: \fI @@ -136,10 +136,19 @@ Same as interface: (for ease of compatibility with nsd.conf). Listen on all addresses on all (current and future) interfaces, detect the source interface on UDP queries and copy them to replies. This is a lot like ip\-transparent, but this option services all interfaces whilst with -ip\-transparent you can select which (future) interfaces unbound provides +ip\-transparent you can select which (future) interfaces Unbound provides service on. This feature is experimental, and needs support in your OS for particular socket options. Default value is no. .TP +.B interface\-automatic\-ports: \fI +List the port numbers that interface-automatic listens on. If empty, the +default port is listened on. The port numbers are separated by spaces in the +string. Default is "". +.IP +This can be used to have interface automatic to deal with the interface, +and listen on the normal port number, by including it in the list, and +also https or dns over tls port numbers by putting them in the list as well. +.TP .B outgoing\-interface: \fI Interface to use to connect to the network. This interface is used to send queries to authoritative servers and receive their replies. Can be given 
@@ -154,7 +163,7 @@ sent via a random outgoing interface to counter spoofing. If an IPv6 netblock is specified instead of an individual IPv6 address, outgoing UDP queries will use a randomised source address taken from the netblock to counter spoofing. Requires the IPv6 netblock to be routed to the -host running unbound, and requires OS support for unprivileged non-local binds +host running Unbound, and requires OS support for unprivileged non-local binds (currently only supported on Linux). Several netblocks may be specified with multiple .B outgoing\-interface: @@ -174,7 +183,7 @@ numbers need extra resources from the operating system. For performance a very large value is best, use libevent to make this possible. .TP .B outgoing\-port\-permit: \fI -Permit unbound to open this port or range of ports for use to send queries. +Permit Unbound to open this port or range of ports for use to send queries. A larger number of permitted outgoing ports increases resilience against spoofing attempts. Make sure these ports are not needed by other daemons. By default only ports above 1024 that have not been assigned by IANA are used. @@ -187,8 +196,8 @@ processing starts with the non IANA allocated ports above 1024 in the set of allowed ports. .TP .B outgoing\-port\-avoid: \fI -Do not permit unbound to open this port or range of ports for use to send -queries. Use this to make sure unbound does not grab a port that another +Do not permit Unbound to open this port or range of ports for use to send +queries. Use this to make sure Unbound does not grab a port that another daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. 
@@ -289,7 +298,7 @@ If not 0, then set the SO_RCVBUF socket option to get more buffer space on UDP port 53 incoming queries. So that short spikes on busy servers do not drop packets (see counter in netstat \-su). Default is 0 (use system value). Otherwise, the number of bytes to ask for, try -"4m" on a busy server. The OS caps it at a maximum, on linux unbound +"4m" on a busy server. The OS caps it at a maximum, on linux Unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. On OpenBSD change header and recompile kernel. On Solaris ndd \-set @@ -302,7 +311,7 @@ in answer traffic, otherwise 'send: resource temporarily unavailable' can get logged, the buffer overrun is also visible by netstat \-su. Default is 0 (use system value). Specify the number of bytes to ask for, try "4m" on a very busy server. The OS caps it at a maximum, on -linux unbound needs root permission to bypass the limit, or the admin +linux Unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar to so\-rcvbuf. .TP 
@@ -319,18 +328,18 @@ At extreme load it could be better to turn it off to distribute the queries evenly, reported for Linux systems (4.4.x). .TP .B ip\-transparent: \fI -If yes, then use IP_TRANSPARENT socket option on sockets where unbound +If yes, then use IP_TRANSPARENT socket option on sockets where Unbound is listening for incoming traffic. Default no. Allows you to bind to non\-local interfaces. For example for non\-existent IP addresses that are going to exist later on, with host failover configuration. This is a lot like interface\-automatic, but that one services all interfaces -and with this option you can select which (future) interfaces unbound -provides service on. This option needs unbound to be started with root +and with this option you can select which (future) interfaces Unbound +provides service on. This option needs Unbound to be started with root permissions on some systems. The option uses IP_BINDANY on FreeBSD systems and SO_BINDANY on OpenBSD systems. .TP .B ip\-freebind: \fI -If yes, then use IP_FREEBIND socket option on sockets where unbound +If yes, then use IP_FREEBIND socket option on sockets where Unbound is listening to incoming traffic. Default no. Allows you to bind to IP addresses that are nonlocal or do not exist, like when the network interface or IP address is down. Exists only on Linux, where the similar 
@@ -451,6 +460,19 @@ total number configured, and finally to 0 if the number of free buffers falls below 20% of the total number configured. A minimum timeout of 200 milliseconds is observed regardless of the option value used. .TP +.B tcp-reuse-timeout: \fI\fR +The period Unbound will keep TCP persistent connections open to +authority servers. This option defaults to 60000 milliseconds. +.TP +.B max-reuse-tcp-queries: \fI\fR +The maximum number of queries that can be sent on a persistent TCP +connection. +This option defaults to 200 queries. +.TP +.B tcp-auth-query-timeout: \fI\fR +Timeout in milliseconds for TCP queries to auth servers. +This option defaults to 3000 milliseconds. +.TP .B edns-tcp-keepalive: \fI\fR Enable or disable EDNS TCP Keepalive. Default is no. .TP @@ -472,7 +494,9 @@ advertised timeout. .TP .B tcp\-upstream: \fI Enable or disable whether the upstream queries use TCP only for transport. -Default is no. Useful in tunneling scenarios. +Default is no. Useful in tunneling scenarios. If set to no you can specify +TCP transport only for selected forward or stub zones using forward-tcp-upstream +or stub-tcp-upstream respectively. .TP .B udp\-upstream\-without\-downstream: \fI Enable udp upstream even if do-udp is no. Default is no, and this does not @@ -545,7 +569,7 @@ service. Can list multiple, each on a new statement. .TP .B tls-session-ticket-keys: \fI If not "", lists files with 80 bytes of random contents that are used to -perform TLS session resumption for clients using the unbound server. +perform TLS session resumption for clients using the Unbound server. These files contain the secret key for the TLS session tickets. First key use to encrypt and decrypt TLS session tickets. Other keys use to decrypt only. With this you can roll over to new keys, 
@@ -627,8 +651,8 @@ Enable or disable systemd socket activation. Default is no. .TP .B do\-daemonize: \fI -Enable or disable whether the unbound server forks into the background as -a daemon. Set the value to \fIno\fR when unbound runs as systemd service. +Enable or disable whether the Unbound server forks into the background as +a daemon. Set the value to \fIno\fR when Unbound runs as systemd service. Default is yes. .TP .B tcp\-connection\-limit: \fI @@ -655,7 +679,7 @@ what almost all clients need). Nonrecursive queries are refused. .IP The \fIallow\fR action does allow nonrecursive queries to access the local\-data that is configured. The reason is that this does not involve -the unbound server recursive lookup algorithm, and static data is served +the Unbound server recursive lookup algorithm, and static data is served in the reply. This supports normal operations where nonrecursive queries are made for the authoritative data. For nonrecursive queries any replies from the dynamic cache are refused. @@ -727,7 +751,7 @@ to chroot and dropping permissions. This allows the pidfile to be Unbound is not able to remove the pidfile after termination when it is located outside of the chroot directory. .IP -Additionally, unbound may need to access /dev/urandom (for entropy) +Additionally, Unbound may need to access /dev/urandom (for entropy) from inside the chroot. .IP If given a chroot is done to the given directory. By default chroot is @@ -761,7 +785,7 @@ The logfile is reopened (for append) when the config file is reread, on SIGHUP. .TP .B use\-syslog: \fI -Sets unbound to send log messages to the syslogd, using +Sets Unbound to send log messages to the syslogd, using \fIsyslog\fR(3). The log facility LOG_DAEMON is used, with identity "unbound". The logfile setting is overridden when use\-syslog is turned on. 
@@ -771,7 +795,7 @@ The default is to log to syslog. If "" is given (default), then the name of the executable, usually "unbound" is used to report to the log. Enter a string to override it with that, which is useful on systems that run more than one instance of -unbound, with different configurations, so that the logs can be easily +Unbound, with different configurations, so that the logs can be easily distinguished against. .TP .B log\-time\-ascii: \fI @@ -839,6 +863,17 @@ If enabled version.server and version.bind queries are refused. Set the version to report. If set to "", the default, then the package version is returned. .TP +.B hide\-http\-user\-agent: \fI +If enabled the HTTP header User-Agent is not set. Use with caution as some +webserver configurations may reject HTTP requests lacking this header. +If needed, it is better to explicitly set the +.B http\-user\-agent +below. +.TP +.B http\-user\-agent: \fI +Set the HTTP User-Agent header for outgoing HTTP requests. If set to "", +the default, then the package name and version are used. +.TP .B nsid:\fR Add the specified nsid to the EDNS section of the answer when queried with an NSID EDNS enabled packet. As a sequence of hex characters or @@ -848,12 +883,12 @@ with ascii_ prefix and then an ascii string. If enabled trustanchor.unbound queries are refused. .TP .B target\-fetch\-policy: \fI<"list of numbers"> -Set the target fetch policy used by unbound to determine if it should fetch +Set the target fetch policy used by Unbound to determine if it should fetch nameserver target addresses opportunistically. The policy is described per dependency depth. .IP The number of values determines the maximum dependency depth -that unbound will pursue in answering a query. +that Unbound will pursue in answering a query. A value of \-1 means to fetch all targets opportunistically for that dependency depth. A value of 0 means to fetch on demand only. A positive value fetches that many targets opportunistically. 
@@ -947,7 +982,7 @@ This option only has effect when qname-minimisation is enabled. Default is no. .B aggressive\-nsec: \fI Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAINs answers. -Default is no. It helps to reduce the query rate towards targets that get +Default is yes. It helps to reduce the query rate towards targets that get a very high nonexistent name lookup rate. .TP .B private\-address: \fI @@ -1004,7 +1039,7 @@ a little more CPU. Also if the cache is set to 0, it is no use. Default is no. .TP .B deny\-any: \fI If yes, deny queries of type ANY with an empty response. Default is no. -If disabled, unbound responds with a short list of resource records if some +If disabled, Unbound responds with a short list of resource records if some can be found in the cache and makes the upstream type ANY query if there are none. .TP @@ -1013,7 +1048,7 @@ If yes, Unbound rotates RRSet order in response (the random number is taken from the query ID, for speed and thread safety). Default is yes. .TP .B minimal-responses: \fI -If yes, Unbound doesn't insert authority/additional sections into response +If yes, Unbound does not insert authority/additional sections into response messages when those sections are not required. This reduces response size significantly, and may avoid TCP fallback for some responses. This may cause a slight speedup. The default is yes, even though the DNS 
@@ -1031,15 +1066,24 @@ of this setting, if a trust anchor is loaded. .TP .B module\-config: \fI<"module names"> Module configuration, a list of module names separated by spaces, surround -the string with quotes (""). The modules can be validator, iterator. -Setting this to "iterator" will result in a non\-validating server. -Setting this to "validator iterator" will turn on DNSSEC validation. -The ordering of the modules is important. -You must also set trust\-anchors for validation to be useful. -The default is "validator iterator". When the server is built with -EDNS client subnet support the default is "subnetcache validator iterator". +the string with quotes (""). The modules can be \fIrespip\fR, +\fIvalidator\fR, or \fIiterator\fR (and possibly more, see below). +Setting this to just "\fIiterator\fR" will result in a non\-validating +server. +Setting this to "\fIvalidator iterator\fR" will turn on DNSSEC validation. +The ordering of the modules is significant, the order decides the +order of processing. +You must also set \fItrust\-anchors\fR for validation to be useful. +Adding \fIrespip\fR to the front will cause RPZ processing to be done on +all queries. +The default is "\fIvalidator iterator\fR". +.IP +When the server is built with +EDNS client subnet support the default is "\fIsubnetcache validator +iterator\fR". Most modules that need to be listed here have to be listed at the beginning -of the line. The cachedb module has to be listed just before the iterator. +of the line. The subnetcachedb module has to be listed just before +the iterator. The python module can be listed in different places, it then processes the output of the module it is just before. The dynlib module can be listed pretty much anywhere, it is only a very thin wrapper that allows dynamic libraries to 
@@ -1055,7 +1099,7 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes. The probes are run several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, -so the unbound user must have write permission. Write permission to the file, +so the Unbound user must have write permission. Write permission to the file, but also to the directory it is in (to create a temporary file, which is necessary to deal with filesystem full events), it must also be inside the chroot (if that is used). @@ -1118,6 +1162,10 @@ min and max very low disables the clock skew allowances. Setting both min and max very high makes the validator check the signature timestamps less strictly. .TP +.B val\-max\-restart: \fI +The maximum number the validator should restart validation with +another authority in case of failed validation. Default is 5. +.TP .B val\-bogus\-ttl: \fI The time to live for bogus data. This is data that has failed validation; due to invalid signatures or other checks. The TTL from that data cannot be @@ -1137,7 +1185,7 @@ the verbosity setting. Default is 0, off. At 1, for every user query that fails a line is printed to the logs. This way you can monitor what happens with validation. Use a diagnosis tool, such as dig or drill, to find out why validation is failing for these queries. At 2, not only -the query that failed is printed but also the reason why unbound thought +the query that failed is printed but also the reason why Unbound thought it was wrong and which server sent the faulty data. .TP .B val\-permissive\-mode: \fI 
@@ -1149,15 +1197,15 @@ is set in replies. Also logging is performed as for full validation. The default value is "no". .TP .B ignore\-cd\-flag: \fI -Instruct unbound to ignore the CD flag from clients and refuse to +Instruct Unbound to ignore the CD flag from clients and refuse to return bogus answers to them. Thus, the CD (Checking Disabled) flag does not disable checking any more. This is useful if legacy (w2008) servers that set the CD flag but cannot validate DNSSEC themselves are -the clients, and then unbound provides them with DNSSEC protection. +the clients, and then Unbound provides them with DNSSEC protection. The default value is "no". .TP .B serve\-expired: \fI -If enabled, unbound attempts to serve old responses from cache with a +If enabled, Unbound attempts to serve old responses from cache with a TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the actual resolution to finish. The actual resolution answer ends up in the cache later on. Default is "no". 
@@ -1188,21 +1236,21 @@ RFC 8767 is 1800. Setting this to 0 will disable this behavior. Default is 0. .TP .B serve\-original\-ttl: \fI -If enabled, unbound will always return the original TTL as received from +If enabled, Unbound will always return the original TTL as received from the upstream name server rather than the decrementing TTL as -stored in the cache. This feature may be useful if unbound serves as a -front-end to a hidden authoritative name server. Enabling this feature does -not impact cache expiry, it only changes the TTL unbound embeds in responses to +stored in the cache. This feature may be useful if Unbound serves as a +front-end to a hidden authoritative name server. Enabling this feature does +not impact cache expiry, it only changes the TTL Unbound embeds in responses to queries. Note that enabling this feature implicitly disables enforcement of -the configured minimum and maximum TTL, as it is assumed users who enable this -feature do not want unbound to change the TTL obtained from an upstream server. +the configured minimum and maximum TTL, as it is assumed users who enable this +feature do not want Unbound to change the TTL obtained from an upstream server. Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are ignored. Default is "no". .TP .B val\-nsec3\-keysize\-iterations: \fI<"list of values"> List of keysize and iteration count values, separated by spaces, surrounded -by quotes. Default is "1024 150 2048 500 4096 2500". This determines the +by quotes. Default is "1024 150 2048 150 4096 150". This determines the maximum allowed NSEC3 iteration count before a message is simply marked insecure instead of performing the many hashing iterations. The list must be in ascending order and have at least one entry. If you set it to 
@@ -1256,11 +1304,11 @@ or gigabytes (1024*1024 bytes in a megabyte). .TP .B unblock\-lan\-zones: \fI Default is disabled. If enabled, then for private address space, -the reverse lookups are no longer filtered. This allows unbound when +the reverse lookups are no longer filtered. This allows Unbound when running as dns service on a host where it provides service for that host, to put out all of the queries for the 'lan' upstream. When enabled, only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured -with default local zones. Disable the option when unbound is running +with default local zones. Disable the option when Unbound is running as a (DHCP-) DNS network resolver for a group of machines, where such lookups should be filtered (RFC compliance), this also stops potential data leakage about the local network to the upstream DNS servers. 
@@ -1281,7 +1329,17 @@ are authoritative DNS answers. By default the zones are class IN. .IP If you need more complicated authoritative data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for -it as detailed in the stub zone section below. +it as detailed in the stub zone section below. A stub\-zone can be used to +have unbound send queries to another server, an authoritative server, to +fetch the information. With a forward\-zone, unbound sends queries to a server +that is a recursive server to fetch the information. With an auth\-zone a +zone can be loaded from file and used, it can be used like a local\-zone +for users downstream, or the auth\-zone information can be used to fetch +information from when resolving like it is an upstream server. The +forward\-zone and auth\-zone options are described in their sections below. +If you want to perform filtering of the information that the users can fetch, +the local\-zone and local\-data statements allow for this, but also the +rpz functionality can be used, described in the RPZ section. .TP 10 \h'5'\fIdeny\fR Do not send an answer, drop the query. @@ -1364,7 +1422,7 @@ Breaks out of that view and moves towards the global local zones for answer to the query. If the view first is no, it'll resolve normally. If view first is enabled, it'll break perform that step and check the global answers. For when the view has view specific overrides but some zone has to be -answered from global local zone contents. +answered from global local zone contents. .TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types 
@@ -1373,13 +1431,13 @@ has no other effect than turning off default contents for the given zone. Use \fInodefault\fR if you use exactly that zone, if you want to use a subzone, use \fItransparent\fR. .P -The default zones are localhost, reverse 127.0.0.1 and ::1, the onion, test, -invalid and the AS112 zones. The AS112 zones are reverse DNS zones for -private use and reserved IP addresses for which the servers on the internet -cannot provide correct answers. They are configured by default to give -nxdomain (no reverse information) answers. The defaults can be turned off -by specifying your own local\-zone of that name, or using the 'nodefault' -type. Below is a list of the default zone contents. +The default zones are localhost, reverse 127.0.0.1 and ::1, the home.arpa, +the onion, test, invalid and the AS112 zones. The AS112 zones are reverse +DNS zones for private use and reserved IP addresses for which the servers +on the internet cannot provide correct answers. They are configured by +default to give nxdomain (no reverse information) answers. The defaults +can be turned off by specifying your own local\-zone of that name, or +using the 'nodefault' type. Below is a list of the default zone contents. .TP 10 \h'5'\fIlocalhost\fR The IP4 and IP6 localhost information is given. NS and SOA records are provided @@ -1420,6 +1478,15 @@ local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. PTR localhost." .fi .TP 10 +\h'5'\fIhome.arpa (RFC 8375)\fR +Default content: +.nf +local\-zone: "home.arpa." static +local\-data: "home.arpa. 10800 IN NS localhost." +local\-data: "home.arpa. 10800 IN + SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" +.fi +.TP 10 \h'5'\fIonion (RFC 7686)\fR Default content: .nf 
@@ -1514,6 +1581,82 @@ Use this localzone type, regardless the type configured for the local-zone (both tagged and untagged) and regardless the type configured using access\-control\-tag\-action. .TP 5 +.B response\-ip: \fI +This requires use of the "respip" module. +.IP +If the IP address in an AAAA or A RR in the answer section of a +response matches the specified IP netblock, the specified action will +apply. +\fI\fR has generally the same semantics as that for +\fIaccess-control-tag-action\fR, but there are some exceptions. +.IP +Actions for \fIresponse-ip\fR are different from those for +\fIlocal-zone\fR in that in case of the former there is no point of +such conditions as "the query matches it but there is no local data". +Because of this difference, the semantics of \fIresponse-ip\fR actions +are modified or simplified as follows: The \fIstatic, refuse, +transparent, typetransparent,\fR and \fInodefault\fR actions are +invalid for \fIresponse-ip\fR. +Using any of these will cause the configuration to be rejected as +faulty. The \fIdeny\fR action is non-conditional, i.e. it always +results in dropping the corresponding query. +The resolution result before applying the deny action is still cached +and can be used for other queries. +.TP 5 +.B response-ip-data: \fI <"resource record string"> +This requires use of the "respip" module. +.IP +This specifies the action data for \fIresponse-ip\fR with action being +to redirect as specified by "\fIresource record string\fR". "Resource +record string" is similar to that of \fIaccess-control-tag-action\fR, +but it must be of either AAAA, A or CNAME types. +If the IP-netblock is an IPv6/IPV4 prefix, the record +must be AAAA/A respectively, unless it is a CNAME (which can be used +for both versions of IP netblocks). If it is CNAME there must not be +more than one \fIresponse-ip-data\fR for the same IP-netblock. 
+Also, CNAME and other types of records must not coexist for the same +IP-netblock, following the normal rules for CNAME records. +The textual domain name for the CNAME does not have to be explicitly +terminated with a dot ("."); the root name is assumed to be the origin +for the name. +.TP 5 +.B response-ip-tag: \fI <"list of tags"> +This requires use of the "respip" module. +.IP +Assign tags to response IP-netblocks. If the IP address in an AAAA or +A RR in the answer section of a response matches the specified +IP-netblock, the specified tags are assigned to the IP address. +Then, if an \fIaccess-control-tag\fR is defined for the client and it +includes one of the tags for the response IP, the corresponding +\fIaccess-control-tag-action\fR will apply. +Tag matching rule is the same as that for \fIaccess-control-tag\fR and +\fIlocal-zones\fR. +Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for +an IP-netblock even if no \fIresponse-ip\fR is defined for that +netblock. +If multiple \fIresponse-ip-tag\fR options are specified for the same +IP-netblock in different statements, all but the first will be +ignored. +However, this will not be flagged as a configuration error, but the +result is probably not what was intended. +.IP +Actions specified in an +\fIaccess-control-tag-action\fR that has a matching tag with +\fIresponse-ip-tag\fR can be those that are "invalid" for +\fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs +can be shared with local zones. +For these actions, if they behave differently depending on whether +local data exists or not in case of local zones, the behavior for +\fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead +of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type +specific, and non-existence of data does not indicate anything about +the existence or non-existence of the qname itself. 
+For example, if the matching tag action is \fIstatic\fR but there is +no data for the corresponding \fIresponse-ip\fR configuration, then +the result will be NOERROR/NODATA. +The only case where NXDOMAIN is returned is when an +\fIalways_nxdomain\fR action applies. +.TP 5 .B ratelimit: \fI Enable ratelimiting of queries sent to nameserver for performing recursion. If 0, the default, it is disabled. This option is experimental at this time. @@ -1523,8 +1666,9 @@ query names, but not spoofed reflection floods. Cached responses are not ratelimited by this setting. The zone of the query is determined by examining the nameservers for it, the zone name is used to keep track of the rate. For example, 1000 may be a suitable value to stop the server from being -overloaded with random names, and keeps unbound from sending traffic to the -nameservers for those zones. +overloaded with random names, and keeps Unbound from sending traffic to the +nameservers for those zones. Configured forwarders are excluded from +ratelimiting. .TP 5 .B ratelimit\-size: \fI Give the size of the data structure in which the current ongoing rates are 
@@ -1546,6 +1690,15 @@ This can make ordinary queries complete (if repeatedly queried for), and enter the cache, whilst also mitigating the traffic flow by the factor given. .TP 5 +.B ratelimit\-backoff: \fI +If enabled, the ratelimit is treated as a hard failure instead of the default +maximum allowed constant rate. When the limit is reached, traffic is +ratelimited and demand continues to be kept track of for a 2 second rate +window. No traffic is allowed, except for ratelimit\-factor, until demand +decreases below the configured ratelimit for a 2 second rate window. Useful to +set ratelimit to a suspicious rate to aggressively limit unusually high +traffic. Default is off. +.TP 5 .B ratelimit\-for\-domain: \fI Override the global ratelimit for an exact match domain name with the listed number. You can give this for any number of names. For example, for @@ -1562,7 +1715,7 @@ to use different settings for a top\-level\-domain and subdomains. A value of 0 will disable ratelimiting for domain names that end in this name. .TP 5 .B ip\-ratelimit: \fI -Enable global ratelimiting of queries accepted per ip address. +Enable global ratelimiting of queries accepted per IP address. If 0, the default, it is disabled. This option is experimental at this time. The ratelimit is in queries per second that are allowed. More queries are completely dropped and will not receive a reply, SERVFAIL or otherwise. 
@@ -1589,6 +1742,20 @@ This can make ordinary queries complete (if repeatedly queried for), and enter the cache, whilst also mitigating the traffic flow by the factor given. .TP 5 +.B ip\-ratelimit\-backoff: \fI +If enabled, the ratelimit is treated as a hard failure instead of the default +maximum allowed constant rate. When the limit is reached, traffic is +ratelimited and demand continues to be kept track of for a 2 second rate +window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand +decreases below the configured ratelimit for a 2 second rate window. Useful to +set ip\-ratelimit to a suspicious rate to aggressively limit unusually high +traffic. Default is off. +.TP 5 +.B outbound\-msg\-retry: \fI +The number of retries Unbound will do in case of a non positive response is +received. If a forward nameserver is used, this is the number of retries per +forward nameserver in case of throwaway response. +.TP 5 .B fast\-server\-permil: \fI Specify how many times out of 1000 to pick from the set of fastest servers. 0 turns the feature off. A value of 900 would pick from the fastest @@ -1623,7 +1790,7 @@ In the .B remote\-control: clause are the declarations for the remote control facility. If this is enabled, the \fIunbound\-control\fR(8) utility can be used to send -commands to the running unbound server. The server uses these clauses +commands to the running Unbound server. The server uses these clauses to setup TLSv1 security for the connection. The \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR section for options. To setup the correct self\-signed certificates use the 
@@ -1641,9 +1808,9 @@ Use 0.0.0.0 and ::0 to listen to all interfaces. If you change this and permissions have been dropped, you must restart the server for the change to take effect. .IP -If you set it to an absolute path, a local socket is used. The local socket +If you set it to an absolute path, a unix domain socket is used. This socket does not use the certificates and keys, so those files need not be present. -To restrict access, unbound sets permissions on the file to the user and +To restrict access, Unbound sets permissions on the file to the user and group that is configured, the access bits are set to allow the group members to access the control socket file. Put users that need to access the socket in the that group. To restrict access further, create a directory to put @@ -1663,12 +1830,12 @@ and the value of this option is ignored. .B server\-key\-file: \fI Path to the server private key, by default unbound_server.key. This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, but not by \fIunbound\-control\fR. +This file is used by the Unbound server, but not by \fIunbound\-control\fR. .TP 5 .B server\-cert\-file: \fI Path to the server self signed certificate, by default unbound_server.pem. This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, and also by \fIunbound\-control\fR. +This file is used by the Unbound server, and also by \fIunbound\-control\fR. .TP 5 .B control\-key\-file: \fI Path to the control client private key, by default unbound_control.key. 
@@ -1686,24 +1853,24 @@ There may be multiple .B stub\-zone: clauses. Each with a name: and zero or more hostnames or IP addresses. For the stub zone this list of nameservers is used. Class IN is assumed. -The servers should be authority servers, not recursors; unbound performs +The servers should be authority servers, not recursors; Unbound performs the recursive processing itself for stub zones. .P The stub zone can be used to configure authoritative data to be used by the resolver that cannot be accessed using the public internet servers. This is useful for company\-local data or private zones. Setup an authoritative server on a different host (or different port). Enter a config -entry for unbound with +entry for Unbound with .B stub\-addr: . -The unbound resolver can then access the data, without referring to the +The Unbound resolver can then access the data, without referring to the public internet for it. .P This setup allows DNSSEC signed zones to be served by that authoritative server, in which case a trusted key entry with the public key -can be put in config, so that unbound can validate the data and set the AD +can be put in config, so that Unbound can validate the data and set the AD bit on replies for the private zone (authoritative servers do not set the -AD bit). This setup makes unbound capable of answering queries for the +AD bit). This setup makes Unbound capable of answering queries for the private zone, and can even set the AD bit ('authentic'), but the AA ('authoritative') bit is not set on these replies. .P 
@@ -1711,20 +1878,26 @@ Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally served zone. The insecure clause stops DNSSEC from invalidating the zone. The local zone nodefault (or \fItransparent\fR) clause makes the -(reverse\-) zone bypass unbound's filtering of RFC1918 zones. +(reverse\-) zone bypass Unbound's filtering of RFC1918 zones. .TP .B name: \fI -Name of the stub zone. +Name of the stub zone. This is the full domain name of the zone. .TP .B stub\-host: \fI Name of stub zone nameserver. Is itself resolved before it is used. +To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B stub\-addr: \fI IP address of stub zone nameserver. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. -If tls is enabled, then you can append a '#' and a name, then it'll check -the tls authentication certificates with that name. If you combine -the '@' and '#', the '@' comes first. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B stub\-prime: \fI This option is by default no. If enabled it performs NS set priming, 
@@ -1745,6 +1918,10 @@ Default is no. .B stub\-ssl\-upstream: \fI Alternate syntax for \fBstub\-tls\-upstream\fR. .TP +.B stub\-tcp\-upstream: \fI +If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream. +Default is no. +.TP .B stub\-no\-cache: \fI Default is no. If enabled, data inside the stub is not cached. This is useful when you want immediate changes to be visible. @@ -1756,10 +1933,10 @@ clauses. Each with a \fBname:\fR and zero or more hostnames or IP addresses. For the forward zone this list of nameservers is used to forward the queries to. The servers listed as \fBforward\-host:\fR and \fBforward\-addr:\fR have to handle further recursion for the query. Thus, -those servers are not authority servers, but are (just like unbound is) -recursive servers too; unbound does not perform recursion itself for the +those servers are not authority servers, but are (just like Unbound is) +recursive servers too; Unbound does not perform recursion itself for the forward zone, it lets the remote server do it. Class IN is assumed. -CNAMEs are chased by unbound itself, asking the remote server for every +CNAMEs are chased by Unbound itself, asking the remote server for every name in the indirection chain, to protect the local cache from illegal indirect referenced items. A forward\-zone entry with name "." and a forward\-addr target will 
@@ -1767,17 +1944,23 @@ forward all queries to that other server (unless it can answer from the cache). .TP .B name: \fI -Name of the forward zone. +Name of the forward zone. This is the full domain name of the zone. .TP .B forward\-host: \fI Name of server to forward to. Is itself resolved before it is used. +To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B forward\-addr: \fI IP address of server to forward to. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. -If tls is enabled, then you can append a '#' and a name, then it'll check -the tls authentication certificates with that name. If you combine -the '@' and '#', the '@' comes first. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .IP At high verbosity it logs the TLS certificate, with TLS enabled. If you leave out the '#' and auth name from the forward\-addr, any @@ -1785,7 +1968,7 @@ name is accepted. The cert must also match a CA from the tls\-cert\-bundle. .TP .B forward\-first: \fI If a forwarded query is met with a SERVFAIL error, and this option is -enabled, unbound will fall back to normal recursive resolution for this +enabled, Unbound will fall back to normal recursive resolution for this query as if no query forwarding had been specified. The default is "no". .TP .B forward\-tls\-upstream: \fI 
@@ -1797,6 +1980,10 @@ load CA certs, otherwise the connections cannot be authenticated. .B forward\-ssl\-upstream: \fI Alternate syntax for \fBforward\-tls\-upstream\fR. .TP +.B forward\-tcp\-upstream: \fI +If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream. +Default is no. +.TP .B forward\-no\-cache: \fI Default is no. If enabled, data inside the forward is not cached. This is useful when you want immediate changes to be visible. @@ -1807,7 +1994,7 @@ have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone The authority zone with the name closest to the name looked up is used. Authority zones are processed after \fBlocal\-zones\fR and before cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner -make unbound respond like an authority server. Authority zones are also +make Unbound respond like an authority server. Authority zones are also processed after cache, just before going to the network to fetch information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used in this manner provide a local copy of an authority server that speeds up @@ -1830,7 +2017,9 @@ Name of the authority zone. .B primary: \fI Where to download a copy of the zone from, with AXFR and IXFR. Multiple primaries can be specified. They are all tried if one fails. -With the "ip#name" notation a AXFR over TLS can be used. +To use a nondefault port for DNS communication append '@' with the port number. +You can append a '#' and a name, then AXFR over TLS can be used and the tls authentication certificates will be checked with that name. If you combine +the '@' and '#', the '@' comes first. If you point it at another Unbound instance, it would not work because that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download the zonefile as a text file from a webserver that would work. 
@@ -1866,27 +2055,33 @@ file is downloaded when notified. The primaries from primary: statements are allowed notify by default. .TP .B fallback\-enabled: \fI -Default no. If enabled, unbound falls back to querying the internet as +Default no. If enabled, Unbound falls back to querying the internet as a resolver for this zone when lookups fail. For example for DNSSEC validation failures. .TP .B for\-downstream: \fI -Default yes. If enabled, unbound serves authority responses to -downstream clients for this zone. This option makes unbound behave, for +Default yes. If enabled, Unbound serves authority responses to +downstream clients for this zone. This option makes Unbound behave, for the queries with names in this zone, like one of the authority servers for -that zone. Turn it off if you want unbound to provide recursion for the +that zone. Turn it off if you want Unbound to provide recursion for the zone but have a local copy of zone data. If for\-downstream is no and -for\-upstream is yes, then unbound will DNSSEC validate the contents of the +for\-upstream is yes, then Unbound will DNSSEC validate the contents of the zone before serving the zone contents to clients and store validation results in the cache. .TP .B for\-upstream: \fI -Default yes. If enabled, unbound fetches data from this data collection +Default yes. If enabled, Unbound fetches data from this data collection for answering recursion queries. Instead of sending queries over the internet to the authority servers for this zone, it'll fetch the data directly from -the zone data. Turn it on when you want unbound to provide recursion for +the zone data. Turn it on when you want Unbound to provide recursion for downstream clients, and use the zone data as a local copy to speed up lookups. .TP +.B zonemd\-check: \fI +Enable this option to check ZONEMD records in the zone. Default is disabled. +The ZONEMD record is a checksum over the zone data. 
This includes glue in +the zone and data from the zone file, and excludes comments from the zone file. +When there is a DNSSEC chain of trust, DNSSEC signatures are checked too. +.TP .B zonemd\-reject\-absence: \fI Enable this option to reject the absence of the ZONEMD record. Without it, when zonemd is not there it is not checked. It is useful to enable for a @@ -1902,14 +2097,14 @@ a ZONEMD is always a failure, also for nonDNSSEC signed zones. .TP .B zonefile: \fI The filename where the zone is stored. If not given then no zonefile is used. -If the file does not exist or is empty, unbound will attempt to fetch zone +If the file does not exist or is empty, Unbound will attempt to fetch zone data (eg. from the primary servers). .SS "View Options" .LP There may be multiple .B view: clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and -\fBlocal\-data\fR elements. Views can also contain view\-first, +\fBlocal\-data\fR elements. Views can also contain view\-first, response\-ip, response\-ip\-data and local\-data\-ptr elements. View can be mapped to requests by specifying the view name in an \fBaccess\-control\-view\fR element. Options from matching @@ -2002,9 +2197,9 @@ underneath the name given. The .B dnscrypt: clause gives the settings of the dnscrypt channel. While those options are -available, they are only meaningful if unbound was compiled with +available, they are only meaningful if Unbound was compiled with \fB\-\-enable\-dnscrypt\fR. -Currently certificate and secret/public keys cannot be generated by unbound. +Currently certificate and secret/public keys cannot be generated by Unbound. You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\ dnscrypt-wrapper/blob/master/README.md#usage .TP 
@@ -2123,7 +2318,7 @@ of 0 is always accepted. Default is 0. .TP .B min\-client\-subnet\-ipv4: \fI\fR Specifies the minimum prefix length of the IPv4 source mask we are willing to -accept in queries. Shorter source masks result in REFUSED answers. Source mask +accept in queries. Shorter source masks result in REFUSED answers. Source mask of 0 is always accepted. Default is 0. .TP .B max\-ecs\-tree\-size\-ipv4: \fI\fR @@ -2136,12 +2331,13 @@ This number applies for each qname/qclass/qtype tuple. Defaults to 100. .SS "Opportunistic IPsec Support Module Options" .LP The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod -validator iterator" directive and be compiled into the daemon to be -enabled. These settings go in the \fBserver:\fR section. +validator iterator" directive and be compiled into Unbound by using +\fB\-\-enable\-ipsecmod\fR to be enabled. +These settings go in the \fBserver:\fR section. .LP -When unbound receives an A/AAAA query that is not in the cache and finds a +When Unbound receives an A/AAAA query that is not in the cache and finds a valid answer, it will withhold returning the answer and instead will generate -an IPSECKEY subquery for the same domain name. If an answer was found, unbound +an IPSECKEY subquery for the same domain name. If an answer was found, Unbound will call an external hook passing the following arguments: .TP 10 \h'5'\fIQNAME\fR 
@@ -2170,19 +2366,19 @@ relevant for opportunistic IPsec. .B ipsecmod-enabled: \fI\fR Specifies whether the IPsec module is enabled or not. The IPsec module still needs to be defined in the \fBmodule\-config:\fR directive. This option -facilitates turning on/off the module without restarting/reloading unbound. +facilitates turning on/off the module without restarting/reloading Unbound. Defaults to yes. .TP .B ipsecmod\-hook: \fI\fR -Specifies the external hook that unbound will call with \fIsystem\fR(3). The +Specifies the external hook that Unbound will call with \fIsystem\fR(3). The file can be specified as an absolute/relative path. The file needs the proper -permissions to be able to be executed by the same user that runs unbound. It +permissions to be able to be executed by the same user that runs Unbound. It must be present when the IPsec module is defined in the \fBmodule\-config:\fR directive. .TP .B ipsecmod-strict: \fI\fR -If enabled unbound requires the external hook to return a success value of 0. -Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also +If enabled Unbound requires the external hook to return a success value of 0. +Failing to do so Unbound will reply with SERVFAIL. The A/AAAA answer will also not be cached. Defaults to no. .TP .B ipsecmod\-max-ttl: \fI\fR @@ -2190,7 +2386,7 @@ Time to live maximum for A/AAAA cached records after calling the external hook. Defaults to 3600. .TP .B ipsecmod-ignore-bogus: \fI\fR -Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set +Specifies the behaviour of Unbound when the IPSECKEY answer is bogus. If set to yes, the hook will be called and the A/AAAA answer will be returned to the client. If set to no, the hook will not be called and the answer to the A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no. 
@@ -2217,7 +2413,7 @@ If Unbound cannot even find an answer in the backend, it resolves the query as usual, and stores the answer in the backend. .P This module interacts with the \fBserve\-expired\-*\fR options and will reply -with expired data if unbound is configured for that. Currently the use +with expired data if Unbound is configured for that. Currently the use of \fBserve\-expired\-client\-timeout:\fR and \fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from the external cache as these will result in a reply with 0 TTL without trying to @@ -2275,7 +2471,7 @@ This option defaults to "default". .P The following .B cachedb -otions are specific to the redis backend. +options are specific to the redis backend. .TP .B redis-server-host: \fI\fR The IP (either v6 or v4) address or domain name of the Redis server. 
@@ -2296,16 +2492,17 @@ re-establish a new connection later. This option defaults to 100 milliseconds. .TP .B redis-expire-records: \fI -If Redis record expiration is enabled. If yes, unbound sets timeout for Redis +If Redis record expiration is enabled. If yes, Unbound sets timeout for Redis records so that Redis can evict keys that have expired automatically. If -unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0, +Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0, this option is internally reverted to "no". Redis SETEX support is required for this option (Redis >= 2.0.0). This option defaults to no. .SS DNSTAP Logging Options -DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section. +DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled +in the \fBdnstap:\fR section. This starts an extra thread (when compiled with threading) that writes -the log information to the destination. If unbound is compiled without +the log information to the destination. If Unbound is compiled without threading it does not spawn a thread, but connects per-process to the destination. .TP 
@@ -2363,19 +2560,19 @@ Default is "". .TP .B dnstap-log-resolver-query-messages: \fI Enable to log resolver query messages. Default is no. -These are messages from unbound to upstream servers. +These are messages from Unbound to upstream servers. .TP .B dnstap-log-resolver-response-messages: \fI Enable to log resolver response messages. Default is no. -These are replies from upstream servers to unbound. +These are replies from upstream servers to Unbound. .TP .B dnstap-log-client-query-messages: \fI Enable to log client query messages. Default is no. -These are client queries to unbound. +These are client queries to Unbound. .TP .B dnstap-log-client-response-messages: \fI Enable to log client response messages. Default is no. -These are responses from unbound to clients. +These are responses from Unbound to clients. .TP .B dnstap-log-forwarder-query-messages: \fI Enable to log forwarder query messages. Default is no. 
@@ -2390,10 +2587,49 @@ with a different name. RPZ clauses are applied in order of configuration. The \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.: \fBmodule-config: "respip validator iterator"\fR. .P -Only the QNAME and Response IP Address triggers are supported. The supported RPZ -actions are: NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. RPZ QNAME triggers -are applied after -\fBlocal-zones\fR and before \fBauth-zones\fR. +QNAME, Response IP Address, nsdname, nsip and clientip triggers are supported. +Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only +and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and +before \fBauth\-zones\fR. +.P +The rpz zone is formatted with a SOA start record as usual. The items in +the zone are entries, that specify what to act on (the trigger) and what to +do (the action). The trigger to act on is recorded in the name, the action +to do is recorded as the resource record. The names all end in the zone +name, so you could type the trigger names without a trailing dot in the +zonefile. +.P +An example RPZ record, that answers example.com with NXDOMAIN +.nf + example.com CNAME . +.fi +.P +The triggers are encoded in the name on the left +.nf + name query name + netblock.rpz-client-ip client IP address + netblock.rpz-ip response IP address in the answer + name.rpz-nsdname nameserver name + netblock.rpz-nsip nameserver IP address +.fi +The netblock is written as .. +For IPv6 use 'zz' for '::'. Specify individual addresses with scope length +of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and +32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32. +.P +The actions are specified with the record on the right +.nf + CNAME . nxdomain reply + CNAME *. nodata reply + CNAME rpz-passthru. do nothing, allow to continue + CNAME rpz-drop. the query is dropped + CNAME rpz-tcp-only. 
answer over TCP + A 192.0.2.1 answer with this IP address +.fi +Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to +answer queries with that content. +.P +The RPZ zones can be configured in the config file with these settings in the \fBrpz:\fR block. .TP .B name: \fI Name of the authority zone. @@ -2401,6 +2637,15 @@ Name of the authority zone. .B primary: \fI Where to download a copy of the zone from, with AXFR and IXFR. Multiple primaries can be specified. They are all tried if one fails. +To use a nondefault port for DNS communication append '@' with the port number. +You can append a '#' and a name, then AXFR over TLS can be used and the tls authentication certificates will be checked with that name. If you combine +the '@' and '#', the '@' comes first. +If you point it at another Unbound instance, it would not work because +that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download +the zonefile as a text file from a webserver that would work. +If you specify the hostname, you cannot use the domain from the zonefile, +because it may not have that when retrieving that data, instead use a plain +IP address to avoid a circular dependency on retrieving that IP address. .TP .B master: \fI Alternate syntax for \fBprimary\fR. @@ -2426,7 +2671,7 @@ allowed notify by default. .TP .B zonefile: \fI The filename where the zone is stored. If not given then no zonefile is used. -If the file does not exist or is empty, unbound will attempt to fetch zone +If the file does not exist or is empty, Unbound will attempt to fetch zone data (eg. from the primary servers). .TP .B rpz\-action\-override: \fI 
@@ -2443,6 +2688,17 @@ Log all applied RPZ actions for this RPZ zone. Default is no. .B rpz\-log\-name: \fI Specify a string to be part of the log line, for easy referencing. .TP +.B rpz\-signal\-nxdomain\-ra: \fI +Signal when a query is blocked by the RPZ with NXDOMAIN with an unset RA flag. +This allows certain clients, like dnsmasq, to infer that the domain is +externally blocked. Default is no. +.TP +.B for\-downstream: \fI +If enabled the zone is authoritatively answered for and queries for the RPZ +zone information are answered to downstream clients. This is useful for +monitoring scripts, that can then access the SOA information to check if +the rpz information is up to date. Default is no. +.TP .B tags: \fI Limit the policies from this RPZ clause to clients with a matching tag. Tags need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses @@ -2483,7 +2739,7 @@ server: .SH "FILES" .TP .I @UNBOUND_RUN_DIR@ -default unbound working directory. +default Unbound working directory. .TP .I @UNBOUND_CHROOT_DIR@ default @@ -2491,13 +2747,13 @@ default location. .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .TP .I @UNBOUND_PIDFILE@ -default unbound pidfile with process ID of the running daemon. +default Unbound pidfile with process ID of the running daemon. .TP .I unbound.log -unbound log file. default is to log to +Unbound log file. default is to log to \fIsyslog\fR(3). .SH "SEE ALSO" \fIunbound\fR(8), diff --git a/doc/unbound.doxygen b/doc/unbound.doxygen index 4c32d8943..7222dbc27 100644 --- a/doc/unbound.doxygen +++ b/doc/unbound.doxygen 
@@ -279,10 +279,10 @@ TYPEDEF_HIDES_STRUCT = NO # For small to medium size projects (<1000 input files) the default value is # probably good enough. For larger projects a too small cache size can cause # doxygen to be busy swapping symbols to and from disk most of the time -# causing a significant performance penality. +# causing a significant performance penalty. # If the system has enough physical memory increasing the cache will improve the # performance by keeping more symbols in memory. Note that the value works on -# a logarithmic scale so increasing the size by one will rougly double the +# a logarithmic scale so increasing the size by one will roughly double the # memory usage. The cache size is given by this formula: # 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0, # corresponding to a cache size of 2^16 = 65536 symbols @@ -779,7 +779,7 @@ ALPHABETICAL_INDEX = YES # the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns # in which this list will be split (can be a number in the range [1..20]) -COLS_IN_ALPHA_INDEX = 5 +#COLS_IN_ALPHA_INDEX = 5 # In case all classes in a project start with a common prefix, all # classes will be put under the same header in the alphabetical index. @@ -1076,7 +1076,7 @@ TREEVIEW_WIDTH = 250 FORMULA_FONTSIZE = 10 -# Use the FORMULA_TRANPARENT tag to determine whether or not the images +# Use the FORMULA_TRANSPARENT tag to determine whether or not the images # generated for formulas are transparent PNGs. Transparent PNGs are # not supported properly for IE 6.0, but are supported on all modern browsers. # Note that when changing this option you need to delete any form_*.png files diff --git a/edns-subnet/edns-subnet.h b/edns-subnet/edns-subnet.h index 4b306080a..6ab541de9 100644 --- a/edns-subnet/edns-subnet.h +++ b/edns-subnet/edns-subnet.h 
@@ -59,7 +59,7 @@ struct ecs_data { /** * copy the first n BITS from src to dst iff both src and dst - * are large enough, return 0 on succes + * are large enough, return 0 on success */ int copy_clear(uint8_t* dst, size_t dstlen, uint8_t* src, size_t srclen, size_t n); diff --git a/edns-subnet/subnetmod.c b/edns-subnet/subnetmod.c index 6c8589aba..fcea71c31 100644 --- a/edns-subnet/subnetmod.c +++ b/edns-subnet/subnetmod.c @@ -150,7 +150,7 @@ int ecs_whitelist_check(struct query_info* qinfo, /* Cache by default, might be disabled after parsing EDNS option * received from nameserver. */ - if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo)) { + if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo, NULL, NULL)) { qstate->no_cache_store = 0; } @@ -162,17 +162,21 @@ int ecs_whitelist_check(struct query_info* qinfo, /* Address on whitelist or client query contains ECS option, we * want to sent out ECS. Only add option if it is not already * set. */ - if(!(sq->subnet_sent)) { + if(!edns_opt_list_find(qstate->edns_opts_back_out, + qstate->env->cfg->client_subnet_opcode)) { ecs_opt_list_append(&sq->ecs_server_out, &qstate->edns_opts_back_out, qstate); - sq->subnet_sent = 1; } + sq->subnet_sent = 1; } - else if(sq->subnet_sent) { + else { /* Outgoing ECS option is set, but we don't want to sent it to * this address, remove option. */ - edns_opt_list_remove(&qstate->edns_opts_back_out, - qstate->env->cfg->client_subnet_opcode); + if(edns_opt_list_find(qstate->edns_opts_back_out, + qstate->env->cfg->client_subnet_opcode)) { + edns_opt_list_remove(&qstate->edns_opts_back_out, + qstate->env->cfg->client_subnet_opcode); + } sq->subnet_sent = 0; } return 1; 
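Review bot: The comment kept above the new `else` branch in ecs_whitelist_check ("Outgoing ECS option is set, but we don't want to sent it to this address") no longer describes the code, because the branch now runs for every address that should not receive ECS and removes the option only when edns_opt_list_find locates it. This branch is what keeps client subnet data away from servers that are not meant to get it, so I would state that intent directly, e.g. `/* Not sending ECS to this address: drop the option if an earlier pass added it. */`. In the first branch `sq->subnet_sent = 1` is now set whether or not the append ran; if ecs_opt_list_append can fail (its definition is not in this hunk), the flag and the outgoing option list can disagree, which deserves a check or at least a comment. The function body starts outside the hunk.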
@@ -497,7 +501,7 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq) if (!s_in->subnet_validdata) { /* The authority indicated no support for edns subnet. As a * consequence the answer ended up in the regular cache. It - * is still usefull to put it in the edns subnet cache for + * is still useful to put it in the edns subnet cache for * when a client explicitly asks for subnet specific answer. */ verbose(VERB_QUERY, "subnetcache: Authority indicates no support"); if(!sq->started_no_cache_store) { diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c index e443e882b..577f7112e 100644 --- a/ipsecmod/ipsecmod.c +++ b/ipsecmod/ipsecmod.c @@ -37,7 +37,7 @@ * \file * * This file contains a module that facilitates opportunistic IPsec. It does so - * by also quering for the IPSECKEY for A/AAAA queries and calling a + * by also querying for the IPSECKEY for A/AAAA queries and calling a * configurable hook (eg. signaling an IKE daemon) before replying. */ @@ -419,6 +419,7 @@ ipsecmod_handle_query(struct module_qstate* qstate, if(!qstate->env->cfg->ipsecmod_ignore_bogus && rrset_data->security == sec_status_bogus) { log_err("ipsecmod: bogus IPSECKEY"); + errinf(qstate, "ipsecmod: bogus IPSECKEY"); ipsecmod_error(qstate, id); return; } @@ -426,6 +427,7 @@ ipsecmod_handle_query(struct module_qstate* qstate, if(!call_hook(qstate, iq, ie) && qstate->env->cfg->ipsecmod_strict) { log_err("ipsecmod: ipsecmod-hook failed"); + errinf(qstate, "ipsecmod: ipsecmod-hook failed"); ipsecmod_error(qstate, id); return; } @@ -497,6 +499,7 @@ ipsecmod_handle_response(struct module_qstate* qstate, qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY, qstate->qinfo.qclass, 0)) { log_err("ipsecmod: could not generate subquery."); + errinf(qstate, "ipsecmod: could not generate subquery."); ipsecmod_error(qstate, id); } return; 
@@ -520,6 +523,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id, if((event == module_event_new || event == module_event_pass) && iq == NULL) { if(!ipsecmod_new(qstate, id)) { + errinf(qstate, "ipsecmod: could not ipsecmod_new"); ipsecmod_error(qstate, id); return; } @@ -542,6 +546,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id, } if(event == module_event_error) { verbose(VERB_ALGO, "got called with event error, giving up"); + errinf(qstate, "ipsecmod: got called with event error"); ipsecmod_error(qstate, id); return; } @@ -552,6 +557,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id, } log_err("ipsecmod: bad event %s", strmodulevent(event)); + errinf(qstate, "ipsecmod: operate got bad event"); ipsecmod_error(qstate, id); return; } diff --git a/ipsecmod/ipsecmod.h b/ipsecmod/ipsecmod.h index e00816d4b..272f473c2 100644 --- a/ipsecmod/ipsecmod.h +++ b/ipsecmod/ipsecmod.h @@ -37,7 +37,7 @@ * \file * * This file contains a module that facilitates opportunistic IPsec. It does so - * by also quering for the IPSECKEY for A/AAAA queries and calling a + * by also querying for the IPSECKEY for A/AAAA queries and calling a * configurable hook (eg. signaling an IKE daemon) before replying. */ diff --git a/ipset/ipset.c b/ipset/ipset.c index f6e2c4a9d..c61ebc205 100644 --- a/ipset/ipset.c +++ b/ipset/ipset.c @@ -138,10 +138,10 @@ ipset_add_rrset_data(struct ipset_env *ie, struct mnl_socket *mnl, static int ipset_check_zones_for_rrset(struct module_env *env, struct ipset_env *ie, struct mnl_socket *mnl, struct ub_packed_rrset_key *rrset, - const char *setname, int af) + const char *qname, const int qlen, const char *setname, int af) { static char dname[BUFF_LEN]; - const char *s; + const char *ds, *qs; int dlen, plen; struct config_strlist *p; 
@@ -152,70 +152,73 @@ ipset_check_zones_for_rrset(struct module_env *env, struct ipset_env *ie, log_err("bad domain name"); return -1; } - if (dname[dlen - 1] == '.') { - dlen--; - } for (p = env->cfg->local_zones_ipset; p; p = p->next) { + ds = NULL; + qs = NULL; plen = strlen(p->str); if (dlen >= plen) { - s = dname + (dlen - plen); - - if (strncasecmp(p->str, s, plen) == 0) { - d = (struct packed_rrset_data*)rrset->entry.data; - ipset_add_rrset_data(ie, mnl, d, setname, - af, dname); - break; - } + ds = dname + (dlen - plen); + } + if (qlen >= plen) { + qs = qname + (qlen - plen); + } + if ((ds && strncasecmp(p->str, ds, plen) == 0) + || (qs && strncasecmp(p->str, qs, plen) == 0)) { + d = (struct packed_rrset_data*)rrset->entry.data; + ipset_add_rrset_data(ie, mnl, d, setname, + af, dname); + break; } } return 0; } -static int ipset_update(struct module_env *env, struct dns_msg *return_msg, struct ipset_env *ie) { +static int ipset_update(struct module_env *env, struct dns_msg *return_msg, + struct query_info qinfo, struct ipset_env *ie) +{ struct mnl_socket *mnl; - size_t i; - const char *setname; - struct ub_packed_rrset_key *rrset; - int af; - + static char qname[BUFF_LEN]; + int qlen; mnl = (struct mnl_socket *)ie->mnl; if (!mnl) { - // retry to create mnl socket + /* retry to create mnl socket */ mnl = open_mnl_socket(); if (!mnl) { return -1; } - ie->mnl = mnl; } - for (i = 0; i < return_msg->rep->rrset_count; ++i) { + qlen = sldns_wire2str_dname_buf(qinfo.qname, qinfo.qname_len, + qname, BUFF_LEN); + if(qlen == 0) { + log_err("bad domain name"); + return -1; + } + + for(i = 0; i < return_msg->rep->rrset_count; i++) { setname = NULL; - rrset = return_msg->rep->rrsets[i]; - - if (rrset->rk.type == htons(LDNS_RR_TYPE_A)) { + if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_A && + ie->v4_enabled == 1) { af = AF_INET; - if ((ie->v4_enabled == 1)) { - setname = ie->name_v4; - } - } else { + setname = ie->name_v4; + } else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_AAAA 
&& + ie->v6_enabled == 1) { af = AF_INET6; - if ((ie->v6_enabled == 1)) { - setname = ie->name_v6; - } + setname = ie->name_v6; } if (setname) { if(ipset_check_zones_for_rrset(env, ie, mnl, rrset, - setname, af) == -1) + qname, qlen, setname, af) == -1) return -1; } } @@ -311,7 +314,7 @@ void ipset_operate(struct module_qstate *qstate, enum module_ev event, int id, if (iq && (event == module_event_moddone)) { if (qstate->return_msg && qstate->return_msg->rep) { - ipset_update(qstate->env, qstate->return_msg, ie); + ipset_update(qstate->env, qstate->return_msg, qstate->qinfo, ie); } qstate->ext_state[id] = module_finished; return; diff --git a/iterator/iter_delegpt.c b/iterator/iter_delegpt.c index 9a672b0af..80148e810 100644 --- a/iterator/iter_delegpt.c +++ b/iterator/iter_delegpt.c @@ -73,8 +73,10 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region) copy->bogus = dp->bogus; copy->has_parent_side_NS = dp->has_parent_side_NS; copy->ssl_upstream = dp->ssl_upstream; + copy->tcp_upstream = dp->tcp_upstream; for(ns = dp->nslist; ns; ns = ns->next) { - if(!delegpt_add_ns(copy, region, ns->name, ns->lame)) + if(!delegpt_add_ns(copy, region, ns->name, ns->lame, + ns->tls_auth_name, ns->port)) return NULL; copy->nslist->resolved = ns->resolved; copy->nslist->got4 = ns->got4; @@ -83,8 +85,8 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region) copy->nslist->done_pside6 = ns->done_pside6; } for(a = dp->target_list; a; a = a->next_target) { - if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen, - a->bogus, a->lame, a->tls_auth_name, NULL)) + if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen, + a->bogus, a->lame, a->tls_auth_name, -1, NULL)) return NULL; } return copy; 
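Review bot: The suffix test in ipset_check_zones_for_rrset compares raw characters rather than labels: `ds = dname + (dlen - plen)` followed by `strncasecmp(p->str, ds, plen)` accepts any name whose text merely ends with the configured zone, so a zone string `example.com.` (constructed example) also matches `notexample.com.`, and the new `qs` test has the same gap. Addresses of unrelated domains then end up in the set, which matters when the set drives firewall rules. Take the suffix only on an exact match or after a dot, e.g. `if (dlen == plen || (dlen > plen && dname[dlen - plen - 1] == '.'))`, with the equivalent condition for `qlen`/`qname`. The hunk also removes the trailing-dot strip on `dname`, so entries in `local_zones_ipset` presumably need a trailing dot to match at all; a comment saying where that is guaranteed would help. `static char qname[BUFF_LEN]` in ipset_update is shared across threads and would be safer as an automatic buffer if this module can run on more than one worker.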
@@ -101,7 +103,7 @@ delegpt_set_name(struct delegpt* dp, struct regional* region, uint8_t* name) int delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name, - uint8_t lame) + uint8_t lame, char* tls_auth_name, int port) { struct delegpt_ns* ns; size_t len; @@ -125,6 +127,14 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name, ns->lame = lame; ns->done_pside4 = 0; ns->done_pside6 = 0; + ns->port = port; + if(tls_auth_name) { + ns->tls_auth_name = regional_strdup(region, tls_auth_name); + if(!ns->tls_auth_name) + return 0; + } else { + ns->tls_auth_name = NULL; + } return ns->name != 0; } @@ -158,9 +168,9 @@ delegpt_find_addr(struct delegpt* dp, struct sockaddr_storage* addr, return NULL; } -int -delegpt_add_target(struct delegpt* dp, struct regional* region, - uint8_t* name, size_t namelen, struct sockaddr_storage* addr, +int +delegpt_add_target(struct delegpt* dp, struct regional* region, + uint8_t* name, size_t namelen, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions) { struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen); 
@@ -176,17 +186,22 @@ delegpt_add_target(struct delegpt* dp, struct regional* region, if(ns->got4 && ns->got6) ns->resolved = 1; } - return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL, - additions); + log_assert(ns->port>0); + return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, + ns->tls_auth_name, ns->port, additions); } -int -delegpt_add_addr(struct delegpt* dp, struct regional* region, - struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, - uint8_t lame, char* tls_auth_name, int* additions) +int +delegpt_add_addr(struct delegpt* dp, struct regional* region, + struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, + uint8_t lame, char* tls_auth_name, int port, int* additions) { struct delegpt_addr* a; log_assert(!dp->dp_type_mlc); + if(port != -1) { + log_assert(port>0); + sockaddr_store_port(addr, addrlen, port); + } /* check for duplicates */ if((a = delegpt_find_addr(dp, addr, addrlen))) { if(bogus) @@ -411,7 +426,8 @@ delegpt_rrset_add_ns(struct delegpt* dp, struct regional* region, (size_t)sldns_read_uint16(nsdata->rr_data[i])) continue; /* bad format */ /* add rdata of NS (= wirefmt dname), skip rdatalen bytes */ - if(!delegpt_add_ns(dp, region, nsdata->rr_data[i]+2, lame)) + if(!delegpt_add_ns(dp, region, nsdata->rr_data[i]+2, lame, + NULL, UNBOUND_DNS_PORT)) return 0; } return 1; @@ -428,7 +444,6 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region, log_assert(!dp->dp_type_mlc); memset(&sa, 0, len); sa.sin_family = AF_INET; - sa.sin_port = (in_port_t)htons(UNBOUND_DNS_PORT); for(i=0; icount; i++) { if(d->rr_len[i] != 2 + INET_SIZE) continue; @@ -452,7 +467,6 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region, log_assert(!dp->dp_type_mlc); memset(&sa, 0, len); sa.sin6_family = AF_INET6; - sa.sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT); for(i=0; icount; i++) { if(d->rr_len[i] != 2 + INET6_SIZE) /* rdatalen + len of IP6 */ continue; 
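Review bot: The port written by sockaddr_store_port in delegpt_add_addr is validated only by `log_assert(port>0)`, and delegpt_add_target relies on `log_assert(ns->port>0)` in the same way; if log_assert is compiled out of non-debug builds, as assert macros usually are, a zero or out-of-range port from an upstream configuration is stored without complaint. The later hunks in delegpt_add_rrset_A and delegpt_add_rrset_AAAA drop the `sin_port`/`sin6_port` default, so the port of every resolved target now depends entirely on `ns->port`. A runtime guard before the store, such as `if(port != -1 && (port <= 0 || port > 65535)) return 0;`, would make the failure explicit, and the same applies to delegpt_add_addr_mlc. The `-1` sentinel should be documented at the parameter, e.g. `@param port: port to store in addr, or -1 to leave the port in addr unchanged.` Both function bodies continue outside the hunk.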
@@ -554,6 +568,7 @@ void delegpt_free_mlc(struct delegpt* dp) while(n) { nn = n->next; free(n->name); + free(n->tls_auth_name); free(n); n = nn; } @@ -576,7 +591,8 @@ int delegpt_set_name_mlc(struct delegpt* dp, uint8_t* name) return (dp->name != NULL); } -int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame) +int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame, + char* tls_auth_name, int port) { struct delegpt_ns* ns; size_t len; @@ -603,14 +619,30 @@ int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame) ns->lame = (uint8_t)lame; ns->done_pside4 = 0; ns->done_pside6 = 0; + ns->port = port; + if(tls_auth_name) { + ns->tls_auth_name = strdup(tls_auth_name); + if(!ns->tls_auth_name) { + free(ns->name); + free(ns); + return 0; + } + } else { + ns->tls_auth_name = NULL; + } return 1; } int delegpt_add_addr_mlc(struct delegpt* dp, struct sockaddr_storage* addr, - socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name) + socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name, + int port) { struct delegpt_addr* a; log_assert(dp->dp_type_mlc); + if(port != -1) { + log_assert(port>0); + sockaddr_store_port(addr, addrlen, port); + } /* check for duplicates */ if((a = delegpt_find_addr(dp, addr, addrlen))) { if(bogus) @@ -663,7 +695,9 @@ int delegpt_add_target_mlc(struct delegpt* dp, uint8_t* name, size_t namelen, if(ns->got4 && ns->got6) ns->resolved = 1; } - return delegpt_add_addr_mlc(dp, addr, addrlen, bogus, lame, NULL); + log_assert(ns->port>0); + return delegpt_add_addr_mlc(dp, addr, addrlen, bogus, lame, + ns->tls_auth_name, ns->port); } size_t delegpt_get_mem(struct delegpt* dp) diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h index 138eb6e1b..998b98cd8 100644 --- a/iterator/iter_delegpt.h +++ b/iterator/iter_delegpt.h 
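Review bot: In delegpt_add_ns_mlc the new strdup failure path calls `free(ns->name); free(ns);`, which is only safe if `ns` has not yet been linked into `dp->nslist`; the linking happens above this hunk and is not visible here. If the node is already on the list at that point, the list is left pointing at freed memory and a later walk such as delegpt_free_mlc would touch it again. Either duplicate `tls_auth_name` before the node is linked, or unlink it first with `dp->nslist = ns->next;` (valid only when the node was pushed at the head) before freeing.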
@@ -83,6 +83,8 @@ struct delegpt { uint8_t dp_type_mlc; /** use SSL for upstream query */ uint8_t ssl_upstream; + /** use TCP for upstream query */ + uint8_t tcp_upstream; /** delegpt from authoritative zone that is locally hosted */ uint8_t auth_dp; /*** no cache */ @@ -124,6 +126,11 @@ struct delegpt_ns { * Also enabled if a parent-side cache entry exists, or a parent-side * negative-cache entry exists. */ uint8_t done_pside6; + /** the TLS authentication name, (if not NULL) to use. */ + char* tls_auth_name; + /** the port to use; it should mostly be the default 53 but configured + * upstreams can provide nondefault ports. */ + int port; }; /** @@ -189,10 +196,12 @@ int delegpt_set_name(struct delegpt* dp, struct regional* regional, * @param regional: where to allocate the info. * @param name: domain name in wire format. * @param lame: name is lame, disprefer it. + * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: port to use for resolved addresses. * @return false on error. */ -int delegpt_add_ns(struct delegpt* dp, struct regional* regional, - uint8_t* name, uint8_t lame); +int delegpt_add_ns(struct delegpt* dp, struct regional* regional, + uint8_t* name, uint8_t lame, char* tls_auth_name, int port); /** * Add NS rrset; calls add_ns repeatedly. 
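Review bot: The new `@param port` text on delegpt_add_ns (and on delegpt_add_ns_mlc further down in this header) does not state the accepted range, while delegpt_add_target asserts `ns->port>0` and only delegpt_add_addr documents -1 as "take the port from addr". I would write it as `@param port: port to use for resolved addresses, must be > 0 (-1 is not accepted here).` It is also worth saying that `tls_auth_name` is copied, e.g. `@param tls_auth_name: TLS authentication name (or NULL); copied, caller keeps ownership.`, since the implementations duplicate it with regional_strdup and strdup.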
@@ -269,12 +278,14 @@ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional, * @param bogus: if address is bogus. * @param lame: if address is lame. * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: the port to use; if -1 the port is taken from addr. * @param additions: will be set to 1 if a new address is added * @return false on error. */ -int delegpt_add_addr(struct delegpt* dp, struct regional* regional, +int delegpt_add_addr(struct delegpt* dp, struct regional* regional, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t bogus, uint8_t lame, char* tls_auth_name, int* additions); + uint8_t bogus, uint8_t lame, char* tls_auth_name, int port, + int* additions); /** * Find NS record in name list of delegation point. 
@@ -402,22 +413,27 @@ int delegpt_set_name_mlc(struct delegpt* dp, uint8_t* name); * @param dp: must have been created with delegpt_create_mlc. * @param name: the name to add. * @param lame: the name is lame, disprefer. + * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: port to use for resolved addresses. * @return false on error. */ -int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame); +int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame, + char* tls_auth_name, int port); /** * add an address to a malloced delegation point. - * @param dp: must have been created with delegpt_create_mlc. + * @param dp: must have been created with delegpt_create_mlc. * @param addr: the address. * @param addrlen: the length of addr. * @param bogus: if address is bogus. * @param lame: if address is lame. * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: the port to use; if -1 the port is taken from addr. * @return false on error. */ int delegpt_add_addr_mlc(struct delegpt* dp, struct sockaddr_storage* addr, - socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name); + socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name, + int port); /** * Add target address to the delegation point. diff --git a/iterator/iter_fwd.c b/iterator/iter_fwd.c index ea3d70e07..151372912 100644 --- a/iterator/iter_fwd.c +++ b/iterator/iter_fwd.c 
@@ -200,21 +200,27 @@ read_fwds_name(struct config_stub* s) } /** set fwd host names */ -static int +static int read_fwds_host(struct config_stub* s, struct delegpt* dp) { struct config_strlist* p; uint8_t* dname; - size_t dname_len; + char* tls_auth_name; + int port; for(p = s->hosts; p; p = p->next) { log_assert(p->str); - dname = sldns_str2wire_dname(p->str, &dname_len); + dname = authextstrtodname(p->str, &port, &tls_auth_name); if(!dname) { log_err("cannot parse forward %s server name: '%s'", s->name, p->str); return 0; } - if(!delegpt_add_ns_mlc(dp, dname, 0)) { +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + if(tls_auth_name) + log_err("no name verification functionality in " + "ssl library, ignored name for %s", p->str); +#endif + if(!delegpt_add_ns_mlc(dp, dname, 0, tls_auth_name, port)) { free(dname); log_err("out of memory"); return 0; @@ -245,7 +251,7 @@ read_fwds_addr(struct config_stub* s, struct delegpt* dp) "ssl library, ignored name for %s", p->str); #endif if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, - tls_auth_name)) { + tls_auth_name, -1)) { log_err("out of memory"); return 0; } @@ -276,6 +282,8 @@ read_forwards(struct iter_forwards* fwd, struct config_file* cfg) dp->no_cache = s->no_cache; /* use SSL for queries to this forwarder */ dp->ssl_upstream = (uint8_t)s->ssl_upstream; + /* use TCP for queries to this forwarder */ + dp->tcp_upstream = (uint8_t)s->tcp_upstream; verbose(VERB_QUERY, "Forward zone server list:"); delegpt_log(VERB_QUERY, dp); if(!forwards_insert(fwd, LDNS_RR_CLASS_IN, dp)) diff --git a/iterator/iter_hints.c b/iterator/iter_hints.c index 60e518122..9b1a200bb 100644 --- a/iterator/iter_hints.c +++ b/iterator/iter_hints.c 
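Review bot: When the SSL library has no name verification support, read_fwds_host logs that the name is ignored but still adds the forwarder and returns success, so an entry configured with an authentication name is used without the certificate name check the operator asked for. That is a fail-open whose only signal is one log line at startup. Consider failing the configuration load in that `#if` branch, `if(tls_auth_name) { log_err(...); free(dname); return 0; }`, or at least wording the message to say that upstream name authentication is disabled. read_stubs_host in iter_hints.c adds the same block, and the context lines show read_fwds_addr already behaving this way.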
@@ -99,7 +99,7 @@ ah(struct delegpt* dp, const char* sv, const char* ip) log_err("could not parse %s", sv); return 0; } - if(!delegpt_add_ns_mlc(dp, dname, 0) || + if(!delegpt_add_ns_mlc(dp, dname, 0, NULL, UNBOUND_DNS_PORT) || !extstrtoaddr(ip, &addr, &addrlen) || !delegpt_add_target_mlc(dp, dname, dname_len, &addr, addrlen, 0, 0)) { @@ -213,21 +213,27 @@ read_stubs_name(struct config_stub* s) } /** set stub host names */ -static int +static int read_stubs_host(struct config_stub* s, struct delegpt* dp) { struct config_strlist* p; - size_t dname_len; uint8_t* dname; + char* tls_auth_name; + int port; for(p = s->hosts; p; p = p->next) { log_assert(p->str); - dname = sldns_str2wire_dname(p->str, &dname_len); + dname = authextstrtodname(p->str, &port, &tls_auth_name); if(!dname) { log_err("cannot parse stub %s nameserver name: '%s'", s->name, p->str); return 0; } - if(!delegpt_add_ns_mlc(dp, dname, 0)) { +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + if(tls_auth_name) + log_err("no name verification functionality in " + "ssl library, ignored name for %s", p->str); +#endif + if(!delegpt_add_ns_mlc(dp, dname, 0, tls_auth_name, port)) { free(dname); log_err("out of memory"); return 0; @@ -258,7 +264,7 @@ read_stubs_addr(struct config_stub* s, struct delegpt* dp) "ssl library, ignored name for %s", p->str); #endif if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, - auth_name)) { + auth_name, -1)) { log_err("out of memory"); return 0; } @@ -287,6 +293,8 @@ read_stubs(struct iter_hints* hints, struct config_file* cfg) dp->no_cache = s->no_cache; /* ssl_upstream */ dp->ssl_upstream = (uint8_t)s->ssl_upstream; + /* tcp_upstream */ + dp->tcp_upstream = (uint8_t)s->tcp_upstream; delegpt_log(VERB_QUERY, dp); if(!hints_insert(hints, LDNS_RR_CLASS_IN, dp, !s->isprime)) return 0; 
@@ -336,7 +344,7 @@ read_root_hints(struct iter_hints* hints, char* fname) if(sldns_wirerr_get_type(rr, rr_len, dname_len) == LDNS_RR_TYPE_NS) { if(!delegpt_add_ns_mlc(dp, sldns_wirerr_get_rdata(rr, - rr_len, dname_len), 0)) { + rr_len, dname_len), 0, NULL, UNBOUND_DNS_PORT)) { log_err("out of memory reading root hints"); goto stop_read; } @@ -395,10 +403,10 @@ read_root_hints(struct iter_hints* hints, char* fname) delegpt_free_mlc(dp); return 1; } + delegpt_log(VERB_QUERY, dp); if(!hints_insert(hints, c, dp, 0)) { return 0; } - delegpt_log(VERB_QUERY, dp); return 1; stop_read: diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c index 637acf736..5c811c6d3 100644 --- a/iterator/iter_utils.c +++ b/iterator/iter_utils.c @@ -4,22 +4,22 @@ * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. - * + * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR @@ -37,7 +37,7 @@ * \file * * This file contains functions to assist the iterator module. - * Configuration options. Forward zones. + * Configuration options. Forward zones. */ #include "config.h" #include "iterator/iter_utils.h" 
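Review bot: Moving `delegpt_log(VERB_QUERY, dp);` ahead of `hints_insert` in read_root_hints comes with no comment saying why the order matters, so it is easy to move back later. Presumably hints_insert takes over `dp` (and may free it on failure), which would make logging afterwards a use of memory the caller no longer owns; that function is not shown here, so please confirm. A one-line comment such as `/* log before insert: hints_insert takes over dp */` above the call would record the constraint. read_stubs already logs before inserting.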
@@ -141,7 +141,7 @@ caps_white_apply_cfg(rbtree_type* ntree, struct config_file* cfg) return 1; } -int +int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) { int i; @@ -151,7 +151,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) for(i=0; imax_dependency_depth+1; i++) verbose(VERB_QUERY, "target fetch policy for level %d is %d", i, iter_env->target_fetch_policy[i]); - + if(!iter_env->donotq) iter_env->donotq = donotq_create(); if(!iter_env->donotq || !donotq_apply_cfg(iter_env->donotq, cfg)) { @@ -176,8 +176,8 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) } iter_env->supports_ipv6 = cfg->do_ip6; iter_env->supports_ipv4 = cfg->do_ip4; - iter_env->max_query_restarts = cfg->max_query_restarts; + iter_env->outbound_msg_retry = cfg->outbound_msg_retry; return 1; } @@ -215,7 +215,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) * dnsseclame servers get penalty * USEFUL_SERVER_TOP_TIMEOUT*3 .. * recursion lame servers get penalty - * UNKNOWN_SERVER_NICENESS + * UNKNOWN_SERVER_NICENESS * If no information is known about the server, this is * returned. 376 msec or so. * +BLACKLIST_PENALTY (of USEFUL_TOP_TIMEOUT*4) for dnssec failed IPs. @@ -224,11 +224,11 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) * is turned off (so we do not discard the reply). * When a final value is chosen that is recursionlame; RD bit is set on query. * Because of the numbers this means recursionlame also have dnssec lameness - * checking turned off. + * checking turned off. */ static int iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env, - uint8_t* name, size_t namelen, uint16_t qtype, time_t now, + uint8_t* name, size_t namelen, uint16_t qtype, time_t now, struct delegpt_addr* a) { int rtt, lame, reclame, dnsseclame; 
@@ -246,8 +246,8 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env, return -1; /* there is no ip4 available */ } /* check lameness - need zone , class info */ - if(infra_get_lame_rtt(env->infra_cache, &a->addr, a->addrlen, - name, namelen, qtype, &lame, &dnsseclame, &reclame, + if(infra_get_lame_rtt(env->infra_cache, &a->addr, a->addrlen, + name, namelen, qtype, &lame, &dnsseclame, &reclame, &rtt, now)) { log_addr(VERB_ALGO, "servselect", &a->addr, a->addrlen); verbose(VERB_ALGO, " rtt=%d%s%s%s%s", rtt, @@ -285,7 +285,7 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env, /** lookup RTT information, and also store fastest rtt (if any) */ static int iter_fill_rtt(struct iter_env* iter_env, struct module_env* env, - uint8_t* name, size_t namelen, uint16_t qtype, time_t now, + uint8_t* name, size_t namelen, uint16_t qtype, time_t now, struct delegpt* dp, int* best_rtt, struct sock_list* blacklist, size_t* num_suitable_results) { @@ -296,7 +296,7 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env, if(dp->bogus) return 0; /* NS bogus, all bogus, nothing found */ for(a=dp->result_list; a; a = a->next_result) { - a->sel_rtt = iter_filter_unsuitable(iter_env, env, + a->sel_rtt = iter_filter_unsuitable(iter_env, env, name, namelen, qtype, now, a); if(a->sel_rtt != -1) { if(sock_list_find(blacklist, &a->addr, a->addrlen)) @@ -332,7 +332,7 @@ nth_rtt(struct delegpt_addr* result_list, size_t num_results, size_t n) int rtt_band; size_t i; int* rtt_list, *rtt_index; - + if(num_results < 1 || n >= num_results) { return -1; } 
@@ -364,8 +364,8 @@ nth_rtt(struct delegpt_addr* result_list, size_t num_results, size_t n) * returns number of best targets (or 0, no suitable targets) */ static int iter_filter_order(struct iter_env* iter_env, struct module_env* env, - uint8_t* name, size_t namelen, uint16_t qtype, time_t now, - struct delegpt* dp, int* selected_rtt, int open_target, + uint8_t* name, size_t namelen, uint16_t qtype, time_t now, + struct delegpt* dp, int* selected_rtt, int open_target, struct sock_list* blacklist, time_t prefetch) { int got_num = 0, low_rtt = 0, swap_to_front, rtt_band = RTT_BAND, nth; @@ -373,9 +373,9 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env, struct delegpt_addr* a, *n, *prev=NULL; /* fillup sel_rtt and find best rtt in the bunch */ - got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp, + got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp, &low_rtt, blacklist, &num_results); - if(got_num == 0) + if(got_num == 0) return 0; if(low_rtt >= USEFUL_SERVER_TOP_TIMEOUT && (delegpt_count_missing_targets(dp) > 0 || open_target > 0)) { @@ -443,6 +443,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env, prev = NULL; a = dp->result_list; for(i = 0; i < got_num; i++) { + if(!a) break; /* robustness */ swap_to_front = 0; if(a->addr.ss_family != AF_INET6 && attempt == -1) { /* if we only have ip4 at low attempt count, @@ -500,6 +501,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env, prev = NULL; a = dp->result_list; for(i = 0; i < got_num; i++) { + if(!a) break; /* robustness */ swap_to_front = 0; if(a->addr.ss_family != AF_INET && attempt == -1) { /* if we only have ip6 at low attempt count, 
@@ -549,9 +551,9 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env, return got_num; } -struct delegpt_addr* -iter_server_selection(struct iter_env* iter_env, - struct module_env* env, struct delegpt* dp, +struct delegpt_addr* +iter_server_selection(struct iter_env* iter_env, + struct module_env* env, struct delegpt* dp, uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_lame, int* chase_to_rd, int open_target, struct sock_list* blacklist, time_t prefetch) @@ -593,7 +595,7 @@ iter_server_selection(struct iter_env* iter_env, if(num == 1) { a = dp->result_list; - if(++a->attempts < OUTBOUND_MSG_RETRY) + if(++a->attempts < iter_env->outbound_msg_retry) return a; dp->result_list = a->next_result; return a; @@ -603,7 +605,7 @@ iter_server_selection(struct iter_env* iter_env, log_assert(num > 1); /* grab secure random number, to pick unexpected server. * also we need it to be threadsafe. */ - sel = ub_random_max(env->rnd, num); + sel = ub_random_max(env->rnd, num); a = dp->result_list; prev = NULL; while(sel > 0 && a) { @@ -613,7 +615,7 @@ iter_server_selection(struct iter_env* iter_env, } if(!a) /* robustness */ return NULL; - if(++a->attempts < OUTBOUND_MSG_RETRY) + if(++a->attempts < iter_env->outbound_msg_retry) return a; /* remove it from the delegation point result list */ if(prev) @@ -622,8 +624,8 @@ iter_server_selection(struct iter_env* iter_env, return a; } -struct dns_msg* -dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg, +struct dns_msg* +dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg, struct regional* region) { struct dns_msg* m = (struct dns_msg*)regional_alloc(region, @@ -638,7 +640,7 @@ dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg, return m; } -struct dns_msg* +struct dns_msg* dns_copy_msg(struct dns_msg* from, struct regional* region) { struct dns_msg* m = (struct dns_msg*)regional_alloc(region, 
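Review bot: The retry limit in iter_server_selection now comes from `iter_env->outbound_msg_retry`, copied straight from `cfg->outbound_msg_retry` in iter_apply_cfg, and nothing visible in this diff bounds it. A zero or negative value makes `++a->attempts < iter_env->outbound_msg_retry` false on the first try, so every address leaves the result list after one query, while a very large value lets one unresponsive upstream be retried many times per client query. If the config parser does not already enforce a range, I would check it where it is copied, for example `if(cfg->outbound_msg_retry < 1) { log_err("outbound-msg-retry must be positive"); return 0; }`. iter_dec_attempts and iter_merge_retry_counts receive the same value as a parameter.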
@@ -654,7 +656,7 @@ dns_copy_msg(struct dns_msg* from, struct regional* region) return m; } -void +void iter_dns_store(struct module_env* env, struct query_info* msgqinf, struct reply_info* msgrep, int is_referral, time_t leeway, int pside, struct regional* region, uint16_t flags) @@ -664,7 +666,7 @@ iter_dns_store(struct module_env* env, struct query_info* msgqinf, log_err("out of memory: cannot store data in cache"); } -int +int iter_ns_probability(struct ub_randstate* rnd, int n, int m) { int sel; @@ -672,7 +674,7 @@ iter_ns_probability(struct ub_randstate* rnd, int n, int m) return 1; /* we do not need secure random numbers here, but * we do need it to be threadsafe, so we use this */ - sel = ub_random_max(rnd, m); + sel = ub_random_max(rnd, m); return (sel < n); } @@ -689,12 +691,12 @@ causes_cycle(struct module_qstate* qstate, uint8_t* name, size_t namelen, qinf.local_alias = NULL; fptr_ok(fptr_whitelist_modenv_detect_cycle( qstate->env->detect_cycle)); - return (*qstate->env->detect_cycle)(qstate, &qinf, + return (*qstate->env->detect_cycle)(qstate, &qinf, (uint16_t)(BIT_RD|BIT_CD), qstate->is_priming, qstate->is_valrec); } -void +void iter_mark_cycle_targets(struct module_qstate* qstate, struct delegpt* dp) { struct delegpt_ns* ns; 
@@ -702,21 +704,21 @@ iter_mark_cycle_targets(struct module_qstate* qstate, struct delegpt* dp) if(ns->resolved) continue; /* see if this ns as target causes dependency cycle */ - if(causes_cycle(qstate, ns->name, ns->namelen, + if(causes_cycle(qstate, ns->name, ns->namelen, LDNS_RR_TYPE_AAAA, qstate->qinfo.qclass) || - causes_cycle(qstate, ns->name, ns->namelen, + causes_cycle(qstate, ns->name, ns->namelen, LDNS_RR_TYPE_A, qstate->qinfo.qclass)) { log_nametypeclass(VERB_QUERY, "skipping target due " "to dependency cycle (harden-glue: no may " - "fix some of the cycles)", - ns->name, LDNS_RR_TYPE_A, + "fix some of the cycles)", + ns->name, LDNS_RR_TYPE_A, qstate->qinfo.qclass); ns->resolved = 1; } } } -void +void iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp) { struct delegpt_ns* ns; @@ -724,14 +726,14 @@ iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp) if(ns->done_pside4 && ns->done_pside6) continue; /* see if this ns as target causes dependency cycle */ - if(causes_cycle(qstate, ns->name, ns->namelen, + if(causes_cycle(qstate, ns->name, ns->namelen, LDNS_RR_TYPE_A, qstate->qinfo.qclass)) { log_nametypeclass(VERB_QUERY, "skipping target due " "to dependency cycle", ns->name, LDNS_RR_TYPE_A, qstate->qinfo.qclass); ns->done_pside4 = 1; } - if(causes_cycle(qstate, ns->name, ns->namelen, + if(causes_cycle(qstate, ns->name, ns->namelen, LDNS_RR_TYPE_AAAA, qstate->qinfo.qclass)) { log_nametypeclass(VERB_QUERY, "skipping target due " "to dependency cycle", ns->name, @@ -741,11 +743,12 @@ iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp) } } -int -iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, - struct delegpt* dp) +int +iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, + struct delegpt* dp, int supports_ipv4, int supports_ipv6) { struct delegpt_ns* ns; + struct delegpt_addr* a; /* check: * o RD qflag is on. * o no addresses are provided. 
@@ -758,17 +761,28 @@ iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, */ if(!(qflags&BIT_RD)) return 0; - /* either available or unused targets */ - if(dp->usable_list || dp->result_list) - return 0; - + /* either available or unused targets, + * if they exist, the dp is not useless. */ + for(a = dp->usable_list; a; a = a->next_usable) { + if(!addr_is_ip6(&a->addr, a->addrlen) && supports_ipv4) + return 0; + else if(addr_is_ip6(&a->addr, a->addrlen) && supports_ipv6) + return 0; + } + for(a = dp->result_list; a; a = a->next_result) { + if(!addr_is_ip6(&a->addr, a->addrlen) && supports_ipv4) + return 0; + else if(addr_is_ip6(&a->addr, a->addrlen) && supports_ipv6) + return 0; + } + /* see if query is for one of the nameservers, which is glue */ - if( (qinfo->qtype == LDNS_RR_TYPE_A || - qinfo->qtype == LDNS_RR_TYPE_AAAA) && + if( ((qinfo->qtype == LDNS_RR_TYPE_A && supports_ipv4) || + (qinfo->qtype == LDNS_RR_TYPE_AAAA && supports_ipv6)) && dname_subdomain_c(qinfo->qname, dp->name) && delegpt_find_ns(dp, qinfo->qname, qinfo->qname_len)) return 1; - + for(ns = dp->nslist; ns; ns = ns->next) { if(ns->resolved) /* skip failed targets */ continue; @@ -786,7 +800,7 @@ iter_qname_indicates_dnssec(struct module_env* env, struct query_info *qinfo) return 0; /* a trust anchor exists above the name? */ if((a=anchors_lookup(env->anchors, qinfo->qname, qinfo->qname_len, - qinfo->qclass))) { + qinfo->qclass))) { if(a->numDS == 0 && a->numDNSKEY == 0) { /* insecure trust point */ lock_basic_unlock(&a->lock); @@ -799,7 +813,7 @@ iter_qname_indicates_dnssec(struct module_env* env, struct query_info *qinfo) return 0; } -int +int iter_indicates_dnssec(struct module_env* env, struct delegpt* dp, struct dns_msg* msg, uint16_t dclass) { @@ -843,7 +857,7 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp, return 0; } -int +int iter_msg_has_dnssec(struct dns_msg* msg) { size_t i; 
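Review bot: The two new loops in iter_dp_is_useless repeat the same address-family test line for line and call `addr_is_ip6` twice per address, which makes the rule harder to read and easy to change in one loop but not the other. A small static helper that answers whether an address's family is enabled would let both loops read as a single condition with the same result. The function body starts and ends outside this hunk.

```c
/** true if the address family of a is enabled for outgoing queries */
static int
addr_family_supported(struct delegpt_addr* a, int supports_ipv4,
	int supports_ipv6)
{
	if(addr_is_ip6(&a->addr, a->addrlen))
		return supports_ipv6;
	return supports_ipv4;
}

	/* ... unchanged: RD flag check in iter_dp_is_useless ... */
	for(a = dp->usable_list; a; a = a->next_usable) {
		if(addr_family_supported(a, supports_ipv4, supports_ipv6))
			return 0;
	}
	for(a = dp->result_list; a; a = a->next_result) {
		if(addr_family_supported(a, supports_ipv4, supports_ipv6))
			return 0;
	}
	/* ... unchanged: glue query check and nslist walk ... */
```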
@@ -876,7 +890,7 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp, * and referral to example.com. NS ... , then origin zone * is .com. For a referral to sub.example.com. NS ... then * we do not know, since example.com. may be in between. */ - for(i=0; irep->an_numrrsets+msg->rep->ns_numrrsets; + for(i=0; irep->an_numrrsets+msg->rep->ns_numrrsets; i++) { struct ub_packed_rrset_key* s = msg->rep->rrsets[i]; if(ntohs(s->rk.type) == LDNS_RR_TYPE_NS && @@ -891,7 +905,7 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp, return 0; } log_assert(type==RESPONSE_TYPE_ANSWER || type==RESPONSE_TYPE_CNAME); - /* not a referral, and not lame delegation (upwards), so, + /* not a referral, and not lame delegation (upwards), so, * any NS rrset must be from the zone itself */ if(reply_find_rrset_section_an(msg->rep, dp->name, dp->namelen, LDNS_RR_TYPE_NS, dclass) || @@ -907,7 +921,7 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp, } /** - * check equality of two rrsets + * check equality of two rrsets * @param k1: rrset * @param k2: rrset * @return true if equal @@ -936,7 +950,7 @@ rrset_equal(struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2) for(i=0; irr_len[i] != d2->rr_len[i] || /* no ttl check: d1->rr_ttl[i] != d2->rr_ttl[i] ||*/ - memcmp(d1->rr_data[i], d2->rr_data[i], + memcmp(d1->rr_data[i], d2->rr_data[i], d1->rr_len[i]) != 0) return 0; } @@ -967,7 +981,7 @@ rrset_canonical_sort_cmp(const void* x, const void* y) return 0; } -int +int reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region) { size_t i; @@ -1025,7 +1039,7 @@ reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region) return 1; } -void +void caps_strip_reply(struct reply_info* rep) { size_t i; 
@@ -1067,8 +1081,8 @@ int caps_failed_rcode(struct reply_info* rep) FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN); } -void -iter_store_parentside_rrset(struct module_env* env, +void +iter_store_parentside_rrset(struct module_env* env, struct ub_packed_rrset_key* rrset) { struct rrset_ref ref; @@ -1108,12 +1122,12 @@ iter_store_parentside_NS(struct module_env* env, struct reply_info* rep) } } -void iter_store_parentside_neg(struct module_env* env, +void iter_store_parentside_neg(struct module_env* env, struct query_info* qinfo, struct reply_info* rep) { /* TTL: NS from referral in iq->deleg_msg, * or first RR from iq->response, - * or servfail5secs if !iq->response */ + * or servfail5secs if !iq->response */ time_t ttl = NORR_TTL; struct ub_packed_rrset_key* neg; struct packed_rrset_data* newd; @@ -1134,7 +1148,7 @@ void iter_store_parentside_neg(struct module_env* env, neg->rk.type = htons(qinfo->qtype); neg->rk.rrset_class = htons(qinfo->qclass); neg->rk.flags = 0; - neg->rk.dname = regional_alloc_init(env->scratch, qinfo->qname, + neg->rk.dname = regional_alloc_init(env->scratch, qinfo->qname, qinfo->qname_len); if(!neg->rk.dname) { log_err("out of memory in store_parentside_neg"); @@ -1142,7 +1156,7 @@ void iter_store_parentside_neg(struct module_env* env, } neg->rk.dname_len = qinfo->qname_len; neg->entry.hash = rrset_key_hash(&neg->rk); - newd = (struct packed_rrset_data*)regional_alloc_zero(env->scratch, + newd = (struct packed_rrset_data*)regional_alloc_zero(env->scratch, sizeof(struct packed_rrset_data) + sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t)); if(!newd) { 
@@ -1167,13 +1181,13 @@ void iter_store_parentside_neg(struct module_env* env, iter_store_parentside_rrset(env, neg); } -int +int iter_lookup_parent_NS_from_cache(struct module_env* env, struct delegpt* dp, struct regional* region, struct query_info* qinfo) { struct ub_packed_rrset_key* akey; - akey = rrset_cache_lookup(env->rrset_cache, dp->name, - dp->namelen, LDNS_RR_TYPE_NS, qinfo->qclass, + akey = rrset_cache_lookup(env->rrset_cache, dp->name, + dp->namelen, LDNS_RR_TYPE_NS, qinfo->qclass, PACKED_RRSET_PARENT_SIDE, *env->now, 0); if(akey) { log_rrset_key(VERB_ALGO, "found parent-side NS in cache", akey); @@ -1196,8 +1210,8 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env, size_t num = delegpt_count_targets(dp); for(ns = dp->nslist; ns; ns = ns->next) { /* get cached parentside A */ - akey = rrset_cache_lookup(env->rrset_cache, ns->name, - ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass, + akey = rrset_cache_lookup(env->rrset_cache, ns->name, + ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass, PACKED_RRSET_PARENT_SIDE, *env->now, 0); if(akey) { log_rrset_key(VERB_ALGO, "found parent-side", akey); @@ -1208,8 +1222,8 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env, lock_rw_unlock(&akey->entry.lock); } /* get cached parentside AAAA */ - akey = rrset_cache_lookup(env->rrset_cache, ns->name, - ns->namelen, LDNS_RR_TYPE_AAAA, qinfo->qclass, + akey = rrset_cache_lookup(env->rrset_cache, ns->name, + ns->namelen, LDNS_RR_TYPE_AAAA, qinfo->qclass, PACKED_RRSET_PARENT_SIDE, *env->now, 0); if(akey) { log_rrset_key(VERB_ALGO, "found parent-side", akey); @@ -1224,8 +1238,8 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env, return delegpt_count_targets(dp) != num; } -int -iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd, +int +iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd, uint16_t* c) { uint16_t c1 = *c, c2 = *c; 
@@ -1247,7 +1261,7 @@ void iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z) { /* Only the DS record for the delegation itself is expected. - * We allow DS for everything between the bailiwick and the + * We allow DS for everything between the bailiwick and the * zonecut, thus DS records must be at or above the zonecut. * And the DS records must be below the server authority zone. * The answer section is already scrubbed. */ @@ -1261,7 +1275,7 @@ iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z) s->rk.dname, ntohs(s->rk.type), ntohs(s->rk.rrset_class)); memmove(msg->rep->rrsets+i, msg->rep->rrsets+i+1, - sizeof(struct ub_packed_rrset_key*) * + sizeof(struct ub_packed_rrset_key*) * (msg->rep->rrset_count-i-1)); msg->rep->ns_numrrsets--; msg->rep->rrset_count--; @@ -1285,11 +1299,11 @@ iter_scrub_nxdomain(struct dns_msg* msg) msg->rep->an_numrrsets = 0; } -void iter_dec_attempts(struct delegpt* dp, int d) +void iter_dec_attempts(struct delegpt* dp, int d, int outbound_msg_retry) { struct delegpt_addr* a; for(a=dp->target_list; a; a = a->next_target) { - if(a->attempts >= OUTBOUND_MSG_RETRY) { + if(a->attempts >= outbound_msg_retry) { /* add back to result list */ a->next_result = dp->result_list; dp->result_list = a; @@ -1300,7 +1314,8 @@ void iter_dec_attempts(struct delegpt* dp, int d) } } -void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old) +void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old, + int outbound_msg_retry) { struct delegpt_addr* a, *o, *prev; for(a=dp->target_list; a; a = a->next_target) { @@ -1314,7 +1329,7 @@ void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old) prev = NULL; a = dp->usable_list; while(a) { - if(a->attempts >= OUTBOUND_MSG_RETRY) { + if(a->attempts >= outbound_msg_retry) { log_addr(VERB_ALGO, "remove from usable list dp", &a->addr, a->addrlen); /* remove from result list */ 
@@ -1394,7 +1409,8 @@ int iter_dp_cangodown(struct query_info* qinfo, struct delegpt* dp) } int -iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf) +iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf, + uint8_t** retdpname, size_t* retdpnamelen) { struct iter_hints_stub *stub; struct delegpt *dp; @@ -1423,6 +1439,10 @@ iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf) dname_str(stub->dp->name, dpname); verbose(VERB_ALGO, "stub for %s %s has no_cache", qname, dpname); } + if(retdpname) { + *retdpname = stub->dp->name; + *retdpnamelen = stub->dp->namelen; + } return (stub->dp->no_cache); } @@ -1435,8 +1455,16 @@ iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf) dname_str(dp->name, dpname); verbose(VERB_ALGO, "forward for %s %s has no_cache", qname, dpname); } + if(retdpname) { + *retdpname = dp->name; + *retdpnamelen = dp->namelen; + } return (dp->no_cache); } + if(retdpname) { + *retdpname = NULL; + *retdpnamelen = 0; + } return 0; } diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h index 7be79cf4a..c0e518157 100644 --- a/iterator/iter_utils.h +++ b/iterator/iter_utils.h @@ -175,10 +175,14 @@ void iter_mark_pside_cycle_targets(struct module_qstate* qstate, * @param qinfo: query name and type * @param qflags: query flags with RD flag * @param dp: delegpt to check. + * @param supports_ipv4: if we support ipv4 for lookups to the target. + * if not, then the IPv4 addresses are useless. + * @param supports_ipv6: if we support ipv6 for lookups to the target. + * if not, then the IPv6 addresses are useless. * @return true if dp is useless. */ int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, - struct delegpt* dp); + struct delegpt* dp, int supports_ipv4, int supports_ipv6); /** * See if qname has DNSSEC needs. This is true if there is a trust anchor above 
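Review bot: iter_stub_fwd_no_cache writes `*retdpnamelen` whenever `retdpname` is non-NULL without checking `retdpnamelen` itself, and the header comment only says that `retdpname` may be NULL. Either guard the length separately, `if(retdpnamelen) *retdpnamelen = dp->namelen;`, or state in the header that both must be passed together. The value handed back is `stub->dp->name` or `dp->name` itself rather than a copy, so the doc should also say that the caller must not free it and that it is only valid while that stub or forward entry exists. The function starts above the first of these hunks.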
@@ -347,16 +351,19 @@ void iter_scrub_nxdomain(struct dns_msg* msg); * Remove query attempts from all available ips. For 0x20. * @param dp: delegpt. * @param d: decrease. + * @param outbound_msg_retry: number of retries of outgoing queries */ -void iter_dec_attempts(struct delegpt* dp, int d); +void iter_dec_attempts(struct delegpt* dp, int d, int outbound_msg_retry); /** * Add retry counts from older delegpt to newer delegpt. * Does not waste time on timeout'd (or other failing) addresses. * @param dp: new delegationpoint. * @param old: old delegationpoint. + * @param outbound_msg_retry: number of retries of outgoing queries */ -void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old); +void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old, + int outbound_msg_retry); /** * See if a DS response (type ANSWER) is too low: a nodata answer with @@ -382,10 +389,15 @@ int iter_dp_cangodown(struct query_info* qinfo, struct delegpt* dp); * Lookup if no_cache is set in stub or fwd. * @param qstate: query state with env with hints and fwds. * @param qinf: query name to lookup for. + * @param retdpname: returns NULL or the deepest enclosing name of fwd or stub. + * This is the name under which the closest lookup is going to happen. + * Used for NXDOMAIN checks, above that it is an nxdomain from a + * different server and zone. You can pass NULL to not get it. + * @param retdpnamelen: returns the length of the dpname. * @return true if no_cache is set in stub or fwd. */ int iter_stub_fwd_no_cache(struct module_qstate *qstate, - struct query_info *qinf); + struct query_info *qinf, uint8_t** retdpname, size_t* retdpnamelen); /** * Set support for IP4 and IP6 depending on outgoing interfaces diff --git a/iterator/iterator.c b/iterator/iterator.c index 5163857fa..6f38a14fc 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c 
@@ -585,6 +585,60 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq, return 1; } +/** add response specific error information for log servfail */ +static void +errinf_reply(struct module_qstate* qstate, struct iter_qstate* iq) +{ + if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) + return; + if((qstate->reply && qstate->reply->addrlen != 0) || + (iq->fail_reply && iq->fail_reply->addrlen != 0)) { + char from[256], frm[512]; + if(qstate->reply && qstate->reply->addrlen != 0) + addr_to_str(&qstate->reply->addr, qstate->reply->addrlen, + from, sizeof(from)); + else + addr_to_str(&iq->fail_reply->addr, iq->fail_reply->addrlen, + from, sizeof(from)); + snprintf(frm, sizeof(frm), "from %s", from); + errinf(qstate, frm); + } + if(iq->scrub_failures || iq->parse_failures) { + if(iq->scrub_failures) + errinf(qstate, "upstream response failed scrub"); + if(iq->parse_failures) + errinf(qstate, "could not parse upstream response"); + } else if(iq->response == NULL && iq->timeout_count != 0) { + errinf(qstate, "upstream server timeout"); + } else if(iq->response == NULL) { + errinf(qstate, "no server to query"); + if(iq->dp) { + if(iq->dp->target_list == NULL) + errinf(qstate, "no addresses for nameservers"); + else errinf(qstate, "nameserver addresses not usable"); + if(iq->dp->nslist == NULL) + errinf(qstate, "have no nameserver names"); + if(iq->dp->bogus) + errinf(qstate, "NS record was dnssec bogus"); + } + } + if(iq->response && iq->response->rep) { + if(FLAGS_GET_RCODE(iq->response->rep->flags) != 0) { + char rcode[256], rc[32]; + (void)sldns_wire2str_rcode_buf( + FLAGS_GET_RCODE(iq->response->rep->flags), + rc, sizeof(rc)); + snprintf(rcode, sizeof(rcode), "got %s", rc); + errinf(qstate, rcode); + } else { + /* rcode NOERROR */ + if(iq->response->rep->an_numrrsets == 0) { + errinf(qstate, "nodata answer"); + } + } + } +} + /** see if last resort is possible - does config allow queries to parent */ static int 
can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen, @@ -1228,8 +1282,8 @@ static int processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, struct iter_env* ie, int id) { - uint8_t* delname; - size_t delnamelen; + uint8_t* delname, *dpname=NULL; + size_t delnamelen, dpnamelen=0; struct dns_msg* msg = NULL; log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo); @@ -1283,7 +1337,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, /* This either results in a query restart (CNAME cache response), a * terminating response (ANSWER), or a cache miss (null). */ - if (iter_stub_fwd_no_cache(qstate, &iq->qchase)) { + if (iter_stub_fwd_no_cache(qstate, &iq->qchase, &dpname, &dpnamelen)) { /* Asked to not query cache. */ verbose(VERB_ALGO, "no-cache set, going to the network"); qstate->no_cache_lookup = 1; @@ -1298,7 +1352,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, msg = dns_cache_lookup(qstate->env, iq->qchase.qname, iq->qchase.qname_len, iq->qchase.qtype, iq->qchase.qclass, qstate->query_flags, - qstate->region, qstate->env->scratch, 0); + qstate->region, qstate->env->scratch, 0, dpname, + dpnamelen); if(!msg && qstate->env->neg_cache && iter_qname_indicates_dnssec(qstate->env, &iq->qchase)) { /* lookup in negative cache; may result in 
@@ -1478,36 +1533,6 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, if(!iq->ratelimit_ok && qstate->prefetch_leeway) iq->ratelimit_ok = 1; /* allow prefetches, this keeps otherwise valid data in the cache */ - if(!iq->ratelimit_ok && infra_ratelimit_exceeded( - qstate->env->infra_cache, iq->dp->name, - iq->dp->namelen, *qstate->env->now)) { - /* and increment the rate, so that the rate for time - * now will also exceed the rate, keeping cache fresh */ - (void)infra_ratelimit_inc(qstate->env->infra_cache, - iq->dp->name, iq->dp->namelen, - *qstate->env->now, &qstate->qinfo, - qstate->reply); - /* see if we are passed through with slip factor */ - if(qstate->env->cfg->ratelimit_factor != 0 && - ub_random_max(qstate->env->rnd, - qstate->env->cfg->ratelimit_factor) == 1) { - iq->ratelimit_ok = 1; - log_nametypeclass(VERB_ALGO, "ratelimit allowed through for " - "delegation point", iq->dp->name, - LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); - } else { - lock_basic_lock(&ie->queries_ratelimit_lock); - ie->num_queries_ratelimited++; - lock_basic_unlock(&ie->queries_ratelimit_lock); - log_nametypeclass(VERB_ALGO, "ratelimit exceeded with " - "delegation point", iq->dp->name, - LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); - qstate->was_ratelimited = 1; - errinf(qstate, "query was ratelimited"); - errinf_dname(qstate, "for zone", iq->dp->name); - return error_response(qstate, id, LDNS_RCODE_SERVFAIL); - } - } /* see if this dp not useless. * It is useless if: @@ -1522,7 +1547,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, * same server reply) if useless-checked. */ if(iter_dp_is_useless(&qstate->qinfo, qstate->query_flags, - iq->dp)) { + iq->dp, ie->supports_ipv4, ie->supports_ipv6)) { struct delegpt* retdp = NULL; if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen, iq->qchase.qclass, &retdp)) { if(retdp) { 
@@ -1921,6 +1946,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq, * of a response. */ errinf(qstate, "all the configured stub or forward servers failed,"); errinf_dname(qstate, "at zone", iq->dp->name); + errinf_reply(qstate, iq); verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL"); return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL); } @@ -1932,12 +1958,13 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq, iq->chase_flags &= ~BIT_RD; /* go to authorities */ for(ns = p->nslist; ns; ns=ns->next) { (void)delegpt_add_ns(iq->dp, qstate->region, - ns->name, ns->lame); + ns->name, ns->lame, ns->tls_auth_name, + ns->port); } for(a = p->target_list; a; a=a->next_target) { (void)delegpt_add_addr(iq->dp, qstate->region, &a->addr, a->addrlen, a->bogus, - a->lame, a->tls_auth_name, NULL); + a->lame, a->tls_auth_name, -1, NULL); } } iq->dp->has_parent_side_NS = 1; @@ -2067,6 +2094,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq, errinf(qstate, "all servers for this domain failed,"); errinf_dname(qstate, "at zone", iq->dp->name); + errinf_reply(qstate, iq); verbose(VERB_QUERY, "out of query targets -- returning SERVFAIL"); /* fail -- no more targets, no more hope of targets, no hope * of a response. */ @@ -2154,9 +2182,11 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, int auth_fallback = 0; uint8_t* qout_orig = NULL; size_t qout_orig_len = 0; + int sq_check_ratelimit = 1; + int sq_was_ratelimited = 0; - /* NOTE: a request will encounter this state for each target it - * needs to send a query to. That is, at least one per referral, + /* NOTE: a request will encounter this state for each target it + * needs to send a query to. That is, at least one per referral, * more if some targets timeout or return throwaway answers. */ log_query_info(VERB_QUERY, "processQueryTargets:", &qstate->qinfo); 
@@ -2241,7 +2271,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, iq->minimise_count++; iq->timeout_count = 0; - iter_dec_attempts(iq->dp, 1); + iter_dec_attempts(iq->dp, 1, ie->outbound_msg_retry); /* Limit number of iterations for QNAMEs with more * than MAX_MINIMISE_COUNT labels. Send first MINIMISE_ONE_LAB @@ -2288,7 +2318,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, iq->qinfo_out.qname, iq->qinfo_out.qname_len, iq->qinfo_out.qtype, iq->qinfo_out.qclass, qstate->query_flags, qstate->region, - qstate->env->scratch, 0); + qstate->env->scratch, 0, iq->dp->name, + iq->dp->namelen); if(msg && FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NOERROR) /* no need to send query if it is already @@ -2442,7 +2473,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, (int)iq->caps_server+1, (int)naddr*3); iq->response = iq->caps_response; iq->caps_fallback = 0; - iter_dec_attempts(iq->dp, 3); /* space for fallback */ + iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry); /* space for fallback */ iq->num_current_queries++; /* RespState decrements it*/ iq->referral_count++; /* make sure we don't loop */ iq->sent_count = 0; 
@@ -2471,6 +2502,23 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, /* Add the current set of unused targets to our queue. */ delegpt_add_unused_targets(iq->dp); + if(qstate->env->auth_zones) { + /* apply rpz triggers at query time */ + struct dns_msg* forged_response = rpz_callback_from_iterator_module(qstate, iq); + if(forged_response != NULL) { + qstate->ext_state[id] = module_finished; + qstate->return_rcode = LDNS_RCODE_NOERROR; + qstate->return_msg = forged_response; + iq->response = forged_response; + next_state(iq, FINISHED_STATE); + if(!iter_prepend(iq, qstate->return_msg, qstate->region)) { + log_err("rpz: prepend rrsets: out of memory"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + return 0; + } + } + /* Select the next usable target, filtering out unsuitable targets. */ target = iter_server_selection(ie, qstate->env, iq->dp, iq->dp->name, iq->dp->namelen, iq->qchase.qtype, @@ -2530,7 +2578,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, (int)iq->caps_server+1); iq->response = iq->caps_response; iq->caps_fallback = 0; - iter_dec_attempts(iq->dp, 3); /* space for fallback */ + iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry); /* space for fallback */ iq->num_current_queries++; /* RespState decrements it*/ iq->referral_count++; /* make sure we don't loop */ iq->sent_count = 0; 
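Review bot: The RPZ block added to `processQueryTargets` returns the forged message without resetting its question section, whereas the post-CNAME RPZ block added to `processQueryResponse` later in this diff does `qstate->return_msg->qinfo = qstate->qinfo;` before returning. If `iq->qchase` can differ from `qstate->qinfo` at this point (after an earlier restart, which the `iter_prepend` call suggests is possible), the two paths would answer with different question names; I would add the same assignment here or comment why it is not needed. In both blocks `ext_state`, `return_msg`, `iq->response` and the FINISHED state are set before the `iter_prepend` result is checked, so the out-of-memory path relies on `error_response` overwriting them; doing the prepend first would make that path easier to reason about.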
@@ -2571,22 +2619,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } - /* if not forwarding, check ratelimits per delegationpoint name */ - if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) { - if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name, - iq->dp->namelen, *qstate->env->now, &qstate->qinfo, - qstate->reply)) { - lock_basic_lock(&ie->queries_ratelimit_lock); - ie->num_queries_ratelimited++; - lock_basic_unlock(&ie->queries_ratelimit_lock); - verbose(VERB_ALGO, "query exceeded ratelimits"); - qstate->was_ratelimited = 1; - errinf_dname(qstate, "exceeded ratelimit for zone", - iq->dp->name); - return error_response(qstate, id, LDNS_RCODE_SERVFAIL); - } - } - + /* Do not check ratelimit for forwarding queries or if we already got a + * pass. */ + sq_check_ratelimit = (!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok); /* We have a valid target. */ if(verbosity >= VERB_QUERY) { log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out); 
@@ -2598,24 +2633,32 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, } fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query)); outq = (*qstate->env->send_query)(&iq->qinfo_out, - iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), + iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), /* unset CD if to forwarder(RD set) and not dnssec retry * (blacklist nonempty) and no trust-anchors are configured * above the qname or on the first attempt when dnssec is on */ EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&& !qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env, - &iq->qinfo_out)||target->attempts==1)?0:BIT_CD), + &iq->qinfo_out)||target->attempts==1)?0:BIT_CD), iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted( - ie, iq), &target->addr, target->addrlen, + ie, iq), sq_check_ratelimit, &target->addr, target->addrlen, iq->dp->name, iq->dp->namelen, + (iq->dp->tcp_upstream || qstate->env->cfg->tcp_upstream), (iq->dp->ssl_upstream || qstate->env->cfg->ssl_upstream), - target->tls_auth_name, qstate); + target->tls_auth_name, qstate, &sq_was_ratelimited); if(!outq) { - log_addr(VERB_DETAIL, "error sending query to auth server", + if(sq_was_ratelimited) { + lock_basic_lock(&ie->queries_ratelimit_lock); + ie->num_queries_ratelimited++; + lock_basic_unlock(&ie->queries_ratelimit_lock); + verbose(VERB_ALGO, "query exceeded ratelimits"); + qstate->was_ratelimited = 1; + errinf_dname(qstate, "exceeded ratelimit for zone", + iq->dp->name); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + log_addr(VERB_QUERY, "error sending query to auth server", &target->addr, target->addrlen); - if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) - infra_ratelimit_dec(qstate->env->infra_cache, iq->dp->name, - iq->dp->namelen, *qstate->env->now); if(qstate->env->cfg->qname_minimisation) iq->minimisation_state = SKIP_MINIMISE_STATE; return next_state(iq, QUERYTARGETS_STATE); 
@@ -2649,6 +2692,7 @@ find_NS(struct reply_info* rep, size_t from, size_t to) * * @param qstate: query state. * @param iq: iterator query state. + * @param ie: iterator shared global environment. * @param id: module id. * @return true if the event requires more immediate processing, false if * not. This is generally only true when forwarding the request to @@ -2656,10 +2700,11 @@ find_NS(struct reply_info* rep, size_t from, size_t to) */ static int processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, - int id) + struct iter_env* ie, int id) { int dnsseclame = 0; enum response_type type; + iq->num_current_queries--; if(!inplace_cb_query_response_call(qstate->env, qstate, iq->response)) @@ -2787,7 +2832,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, } if(!qstate->no_cache_store) iter_dns_store(qstate->env, &iq->response->qinfo, - iq->response->rep, 0, qstate->prefetch_leeway, + iq->response->rep, + iq->qchase.qtype != iq->response->qinfo.qtype, + qstate->prefetch_leeway, iq->dp&&iq->dp->has_parent_side_NS, qstate->region, qstate->query_flags); /* close down outstanding requests to be discarded */ @@ -2857,14 +2904,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, * delegation point, and back to the QUERYTARGETS_STATE. */ verbose(VERB_DETAIL, "query response was REFERRAL"); - if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) { - /* we have a referral, no ratelimit, we can send - * our queries to the given name */ - infra_ratelimit_dec(qstate->env->infra_cache, - iq->dp->name, iq->dp->namelen, - *qstate->env->now); - } - /* if hardened, only store referral if we asked for it */ if(!qstate->no_cache_store && (!qstate->env->cfg->harden_referral_path || 
@@ -2925,7 +2964,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, } if(iq->store_parent_NS && query_dname_compare(iq->dp->name, iq->store_parent_NS->name) == 0) - iter_merge_retry_counts(iq->dp, iq->store_parent_NS); + iter_merge_retry_counts(iq->dp, iq->store_parent_NS, + ie->outbound_msg_retry); delegpt_log(VERB_ALGO, iq->dp); /* Count this as a referral. */ iq->referral_count++; @@ -2957,6 +2997,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, qstate->env->detach_subs)); (*qstate->env->detach_subs)(qstate); iq->num_target_queries = 0; + iq->response = NULL; + iq->fail_reply = NULL; verbose(VERB_ALGO, "cleared outbound list for next round"); return next_state(iq, QUERYTARGETS_STATE); } else if(type == RESPONSE_TYPE_CNAME) { 
@@ -3001,6 +3043,39 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, /* set the current request's qname to the new value. */ iq->qchase.qname = sname; iq->qchase.qname_len = snamelen; + if(qstate->env->auth_zones) { + /* apply rpz qname triggers after cname */ + struct dns_msg* forged_response = + rpz_callback_from_iterator_cname(qstate, iq); + while(forged_response && reply_find_rrset_section_an( + forged_response->rep, iq->qchase.qname, + iq->qchase.qname_len, LDNS_RR_TYPE_CNAME, + iq->qchase.qclass)) { + /* another cname to follow */ + if(!handle_cname_response(qstate, iq, forged_response, + &sname, &snamelen)) { + errinf(qstate, "malloc failure, CNAME info"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + iq->qchase.qname = sname; + iq->qchase.qname_len = snamelen; + forged_response = + rpz_callback_from_iterator_cname(qstate, iq); + } + if(forged_response != NULL) { + qstate->ext_state[id] = module_finished; + qstate->return_rcode = LDNS_RCODE_NOERROR; + qstate->return_msg = forged_response; + iq->response = forged_response; + next_state(iq, FINISHED_STATE); + if(!iter_prepend(iq, qstate->return_msg, qstate->region)) { + log_err("rpz: after cname, prepend rrsets: out of memory"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + qstate->return_msg->qinfo = qstate->qinfo; + return 0; + } + } /* Clear the query state, since this is a query restart. */ iq->deleg_msg = NULL; iq->dp = NULL; @@ -3128,7 +3203,7 @@ prime_supers(struct module_qstate* qstate, int id, struct module_qstate* forq) /* Convert our response to a delegation point */ dp = delegpt_from_message(qstate->return_msg, forq->region); if(!dp) { - /* if there is no convertable delegation point, then + /* if there is no convertible delegation point, then * the ANSWER type was (presumably) a negative answer. */ verbose(VERB_ALGO, "prime response was not a positive " "ANSWER; failing"); 
@@ -3270,21 +3345,22 @@ processTargetResponse(struct module_qstate* qstate, int id, log_err("out of memory adding pside glue"); } - /* This response is relevant to the current query, so we - * add (attempt to add, anyway) this target(s) and reactivate - * the original event. - * NOTE: we could only look for the AnswerRRset if the + /* This response is relevant to the current query, so we + * add (attempt to add, anyway) this target(s) and reactivate + * the original event. + * NOTE: we could only look for the AnswerRRset if the * response type was ANSWER. */ rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep); if(rrset) { int additions = 0; /* if CNAMEs have been followed - add new NS to delegpt. */ /* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */ - if(!delegpt_find_ns(foriq->dp, rrset->rk.dname, + if(!delegpt_find_ns(foriq->dp, rrset->rk.dname, rrset->rk.dname_len)) { /* if dpns->lame then set newcname ns lame too */ - if(!delegpt_add_ns(foriq->dp, forq->region, - rrset->rk.dname, dpns->lame)) + if(!delegpt_add_ns(foriq->dp, forq->region, + rrset->rk.dname, dpns->lame, dpns->tls_auth_name, + dpns->port)) log_err("out of memory adding cnamed-ns"); } /* if dpns->lame then set the address(es) lame too */ @@ -3634,7 +3710,7 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, cont = processQueryTargets(qstate, iq, ie, id); break; case QUERY_RESP_STATE: - cont = processQueryResponse(qstate, iq, id); + cont = processQueryResponse(qstate, iq, ie, id); break; case PRIME_RESP_STATE: cont = processPrimeResponse(qstate, id); @@ -3704,7 +3780,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, iq->num_current_queries--; /* need fresh attempts for the 0x20 fallback, if * that was the cause for the failure */ - iter_dec_attempts(iq->dp, 3); + iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry); verbose(VERB_DETAIL, "Capsforid: timeouts, starting fallback"); goto handle_it; } 
@@ -3720,6 +3796,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, } /* parse message */ + iq->fail_reply = qstate->reply; prs = (struct msg_parse*)regional_alloc(qstate->env->scratch, sizeof(struct msg_parse)); if(!prs) { @@ -3733,16 +3810,19 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, sldns_buffer_set_position(pkt, 0); if(parse_packet(pkt, prs, qstate->env->scratch) != LDNS_RCODE_NOERROR) { verbose(VERB_ALGO, "parse error on reply packet"); + iq->parse_failures++; goto handle_it; } /* edns is not examined, but removed from message to help cache */ - if(parse_extract_edns(prs, &edns, qstate->env->scratch) != - LDNS_RCODE_NOERROR) + if(parse_extract_edns_from_response_msg(prs, &edns, qstate->env->scratch) != + LDNS_RCODE_NOERROR) { + iq->parse_failures++; goto handle_it; + } /* Copy the edns options we may got from the back end */ - if(edns.opt_list) { - qstate->edns_opts_back_in = edns_opt_copy_region(edns.opt_list, + if(edns.opt_list_in) { + qstate->edns_opts_back_in = edns_opt_copy_region(edns.opt_list_in, qstate->region); if(!qstate->edns_opts_back_in) { log_err("out of memory on incoming message"); @@ -3772,6 +3852,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, iq->num_current_queries--; verbose(VERB_DETAIL, "Capsforid: scrub failed, starting fallback with no response"); } + iq->scrub_failures++; goto handle_it; } diff --git a/iterator/iterator.h b/iterator/iterator.h index d3ca716fc..57d06ef8a 100644 --- a/iterator/iterator.h +++ b/iterator/iterator.h @@ -61,7 +61,7 @@ struct rbtree_type; * its subqueries */ #define MAX_TARGET_NX 5 /** max number of query restarts. Determines max number of CNAME chain. */ -#define MAX_RESTART_COUNT 8 +#define MAX_RESTART_COUNT 11 /** max number of referrals. Makes sure resolver does not run away */ #define MAX_REFERRAL_COUNT 130 /** max number of queries-sent-out. Make sure large NS set does not loop */ 
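Review bot: `iq->fail_reply = qstate->reply;` in `process_response` stores a borrowed pointer in the per-query iterator state, and `errinf_reply` dereferences it later from `processLastResort`, possibly after further events have been processed for this query. Nothing in the diff shows that the `comm_reply` object outlives the event that delivered it, and the only reset visible is the `iq->fail_reply = NULL` on the referral path. Copying the address and its length into `iq` removes the lifetime question; `errinf_reply` would then test the stored length instead of the pointer. The field names in the sketch below are placeholders, and `process_response` continues outside the hunk.

```c
	/* parse message */
	/* keep a copy of the sender address instead of the comm_reply pointer;
	 * fail_addr/fail_addrlen are placeholder names for new iter_qstate fields */
	if(qstate->reply && qstate->reply->addrlen != 0 &&
		(size_t)qstate->reply->addrlen <= sizeof(iq->fail_addr)) {
		memcpy(&iq->fail_addr, &qstate->reply->addr,
			(size_t)qstate->reply->addrlen);
		iq->fail_addrlen = qstate->reply->addrlen;
	} else {
		iq->fail_addrlen = 0;
	}
	/* … unchanged: regional_alloc of prs, parse_packet … */
```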
@@ -80,7 +80,7 @@ struct rbtree_type; /** * number of labels from QNAME that are always send individually when using * QNAME minimisation, even when the number of labels of the QNAME is bigger - * tham MAX_MINIMISE_COUNT */ + * than MAX_MINIMISE_COUNT */ #define MINIMISE_ONE_LAB 4 #define MINIMISE_MULTIPLE_LABS (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB) /** at what query-sent-count to stop target fetch policy */ @@ -94,8 +94,6 @@ extern int UNKNOWN_SERVER_NICENESS; * Equals RTT_MAX_TIMEOUT */ #define USEFUL_SERVER_TOP_TIMEOUT 120000 -/** number of retries on outgoing queries */ -#define OUTBOUND_MSG_RETRY 5 /** RTT band, within this amount from the best, servers are chosen randomly. * Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a * fast server, this causes server exploration as a side benefit. msec. */ @@ -142,6 +140,8 @@ struct iter_env { /** max number of query restarts to limit length of CNAME chain */ size_t max_query_restarts; + /** number of retries on outgoing queries */ + int outbound_msg_retry; }; /** @@ -381,7 +381,7 @@ struct iter_qstate { /** list of pending queries to authoritative servers. */ struct outbound_list outlist; - /** QNAME minimisation state, RFC7816 */ + /** QNAME minimisation state, RFC9156 */ enum minimisation_state minimisation_state; /** State for capsfail: QNAME minimisation state for comparisons. */ @@ -409,6 +409,12 @@ struct iter_qstate { int auth_zone_response; /** True if the auth_zones should not be consulted for the query */ int auth_zone_avoid; + /** true if there have been scrubbing failures of reply packets */ + int scrub_failures; + /** true if there have been parse failures of reply packets */ + int parse_failures; + /** a failure printout address for last received answer */ + struct comm_reply* fail_reply; }; /** diff --git a/libunbound/context.c b/libunbound/context.c index 267366ae5..c8d911f13 100644 --- a/libunbound/context.c +++ b/libunbound/context.c 
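Review bot: The comments on the new `scrub_failures` and `parse_failures` members of `struct iter_qstate` describe them as booleans ("true if there have been ..."), but `process_response` increments them with `++`, so they are counters. I would document them as such, e.g. `/** number of reply packets that failed scrubbing */` and `/** number of reply packets that failed to parse */`. The `fail_reply` comment should also say who owns the pointed-to `comm_reply` and how long the pointer stays valid, since the struct only borrows it.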
@@ -48,6 +48,7 @@ #include "services/cache/rrset.h" #include "services/cache/infra.h" #include "services/authzone.h" +#include "services/listen_dnsport.h" #include "util/data/msgreply.h" #include "util/storage/slabhash.h" #include "util/edns.h" @@ -69,9 +70,11 @@ context_finalize(struct ub_ctx* ctx) } else { log_init(cfg->logfile, cfg->use_syslog, NULL); } + cfg_apply_local_port_policy(cfg, 65536); config_apply(cfg); if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env)) return UB_INITFAIL; + listen_setup_locks(); log_edns_known_options(VERB_ALGO, ctx->env); ctx->local_zones = local_zones_create(); if(!ctx->local_zones) diff --git a/libunbound/context.h b/libunbound/context.h index 78f8731e2..c0c86fb52 100644 --- a/libunbound/context.h +++ b/libunbound/context.h @@ -176,35 +176,6 @@ struct ctx_query { struct ub_result* res; }; -/** - * The error constants - */ -enum ub_ctx_err { - /** no error */ - UB_NOERROR = 0, - /** socket operation. Set to -1, so that if an error from _fd() is - * passed (-1) it gives a socket error. */ - UB_SOCKET = -1, - /** alloc failure */ - UB_NOMEM = -2, - /** syntax error */ - UB_SYNTAX = -3, - /** DNS service failed */ - UB_SERVFAIL = -4, - /** fork() failed */ - UB_FORKFAIL = -5, - /** cfg change after finalize() */ - UB_AFTERFINAL = -6, - /** initialization failed (bad settings) */ - UB_INITFAIL = -7, - /** error in pipe communication with async bg worker */ - UB_PIPE = -8, - /** error reading from file (resolv.conf) */ - UB_READFILE = -9, - /** error async_id does not exist or result already been delivered */ - UB_NOID = -10 -}; - /** * Command codes for libunbound pipe. * diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c index c9e24ba8d..038b7b927 100644 --- a/libunbound/libunbound.c +++ b/libunbound/libunbound.c 
@@ -64,6 +64,7 @@ #include "services/cache/infra.h" #include "services/cache/rrset.h" #include "services/authzone.h" +#include "services/listen_dnsport.h" #include "sldns/sbuffer.h" #ifdef HAVE_PTHREAD #include @@ -185,6 +186,7 @@ ub_ctx_create(void) ub_randfree(ctx->seed_rnd); config_delete(ctx->env->cfg); modstack_desetup(&ctx->mods, ctx->env); + listen_desetup_locks(); edns_known_options_delete(ctx->env); edns_strings_delete(ctx->env->edns_strings); free(ctx->env); @@ -198,6 +200,7 @@ ub_ctx_create(void) ub_randfree(ctx->seed_rnd); config_delete(ctx->env->cfg); modstack_desetup(&ctx->mods, ctx->env); + listen_desetup_locks(); edns_known_options_delete(ctx->env); edns_strings_delete(ctx->env->edns_strings); free(ctx->env); @@ -344,6 +347,7 @@ ub_ctx_delete(struct ub_ctx* ctx) } ub_randfree(ctx->seed_rnd); alloc_clear(&ctx->superalloc); + listen_desetup_locks(); traverse_postorder(&ctx->queries, delq, NULL); if(ctx_logfile_overridden) { log_file(NULL); diff --git a/libunbound/libworker.c b/libunbound/libworker.c index 7f46df386..11bf5f9db 100644 --- a/libunbound/libworker.c +++ b/libunbound/libworker.c @@ -241,7 +241,9 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb) ports, numports, cfg->unwanted_threshold, cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w, cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx, - cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect); + cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect, + cfg->max_reuse_tcp_queries, cfg->tcp_reuse_timeout, + cfg->tcp_auth_query_timeout); w->env->outnet = w->back; if(!w->is_bg || w->is_bg_thread) { lock_basic_unlock(&ctx->cfglock); 
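Review bot: `listen_desetup_locks()` is added to both error paths of `ub_ctx_create` and to `ub_ctx_delete`, while the only `listen_setup_locks()` call visible in this diff is in `context_finalize`, so teardown can run for a context that never ran setup. With two contexts in one process, deleting the first would also tear down lock state the second may still be using. Whether the two helpers are idempotent or reference-counted is not visible here; if they are, a short comment at these call sites saying so would help, and if they are not, the setup and teardown calls need to be paired per process rather than per context.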
@@ -454,8 +456,15 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer, if(rep->rrset_count != 0) res->ttl = (int)rep->ttl; res->data = (char**)calloc(1, sizeof(char*)); + if(!res->data) + return 0; /* out of memory */ res->len = (int*)calloc(1, sizeof(int)); - return (res->data && res->len); + if(!res->len) { + free(res->data); + res->data = NULL; + return 0; /* out of memory */ + } + return 1; } data = (struct packed_rrset_data*)answer->entry.data; if(query_dname_compare(rq->qname, answer->rk.dname) != 0) { @@ -463,15 +472,30 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer, return 0; /* out of memory */ } else res->canonname = NULL; res->data = (char**)calloc(data->count+1, sizeof(char*)); - res->len = (int*)calloc(data->count+1, sizeof(int)); - if(!res->data || !res->len) + if(!res->data) return 0; /* out of memory */ + res->len = (int*)calloc(data->count+1, sizeof(int)); + if(!res->len) { + free(res->data); + res->data = NULL; + return 0; /* out of memory */ + } for(i=0; icount; i++) { /* remove rdlength from rdata */ res->len[i] = (int)(data->rr_len[i] - 2); res->data[i] = memdup(data->rr_data[i]+2, (size_t)res->len[i]); - if(!res->data[i]) + if(!res->data[i]) { + size_t j; + for(j=0; jdata[j]); + res->data[j] = NULL; + } + free(res->data); + res->data = NULL; + free(res->len); + res->len = NULL; return 0; /* out of memory */ + } } /* ttl for positive answers, from CNAME and answer RRs */ if(data->count != 0) { @@ -576,7 +600,9 @@ setup_qinfo_edns(struct libworker* w, struct ctx_query* q, edns->ext_rcode = 0; edns->edns_version = 0; edns->bits = EDNS_DO; - edns->opt_list = NULL; + edns->opt_list_in = NULL; + edns->opt_list_out = NULL; + edns->opt_list_inplace_cb_out = NULL; edns->padding_block_size = 0; if(sldns_buffer_capacity(w->back->udp_buff) < 65535) edns->udp_size = (uint16_t)sldns_buffer_capacity( 
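Review bot: The new out-of-memory paths in `fill_res` free and clear `res->data` and `res->len`, but leave `res->canonname` as it is, even though the context just above the second hunk suggests it may have been allocated on that path. If the caller always releases the whole `ub_result` after a zero return, this is harmless, but then the partial frees here are only defensive and a one-line comment stating that ownership rule would make the intent clear. If the caller does not, `canonname` should be freed and set to NULL alongside the other two. The same three-step cleanup is now written out in several places; a single `goto`-style exit label would keep them from drifting apart.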
@@ -624,7 +650,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q) } /* process new query */ if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, - w->back->udp_buff, qid, libworker_fg_done_cb, q)) { + w->back->udp_buff, qid, libworker_fg_done_cb, q, 0)) { free(qinfo.qname); return UB_NOMEM; } @@ -704,7 +730,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q, if(async_id) *async_id = q->querynum; if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, - w->back->udp_buff, qid, libworker_event_done_cb, q)) { + w->back->udp_buff, qid, libworker_event_done_cb, q, 0)) { free(qinfo.qname); return UB_NOMEM; } @@ -841,7 +867,7 @@ handle_newq(struct libworker* w, uint8_t* buf, uint32_t len) q->w = w; /* process new query */ if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, - w->back->udp_buff, qid, libworker_bg_done_cb, q)) { + w->back->udp_buff, qid, libworker_bg_done_cb, q, 0)) { add_bg_result(w, q, NULL, UB_NOMEM, NULL, 0); } free(qinfo.qname); @@ -856,9 +882,10 @@ void libworker_alloc_cleanup(void* arg) struct outbound_entry* libworker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q) + size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, + struct module_qstate* q, int* was_ratelimited) { struct libworker* w = (struct libworker*)q->env->worker; struct outbound_entry* e = (struct outbound_entry*)regional_alloc( 
@@ -867,44 +894,16 @@ struct outbound_entry* libworker_send_query(struct query_info* qinfo, return NULL; e->qstate = q; e->qsent = outnet_serviced_query(w->back, qinfo, flags, dnssec, - want_dnssec, nocaps, q->env->cfg->tcp_upstream, ssl_upstream, + want_dnssec, nocaps, check_ratelimit, tcp_upstream, ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q, - libworker_handle_service_reply, e, w->back->udp_buff, q->env); + libworker_handle_service_reply, e, w->back->udp_buff, q->env, + was_ratelimited); if(!e->qsent) { return NULL; } return e; } -int -libworker_handle_reply(struct comm_point* c, void* arg, int error, - struct comm_reply* reply_info) -{ - struct module_qstate* q = (struct module_qstate*)arg; - struct libworker* lw = (struct libworker*)q->env->worker; - struct outbound_entry e; - e.qstate = q; - e.qsent = NULL; - - if(error != 0) { - mesh_report_reply(lw->env->mesh, &e, reply_info, error); - return 0; - } - /* sanity check. */ - if(!LDNS_QR_WIRE(sldns_buffer_begin(c->buffer)) - || LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) != - LDNS_PACKET_QUERY - || LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) > 1) { - /* error becomes timeout for the module as if this reply - * never arrived. */ - mesh_report_reply(lw->env->mesh, &e, reply_info, - NETEVENT_TIMEOUT); - return 0; - } - mesh_report_reply(lw->env->mesh, &e, reply_info, NETEVENT_NOERROR); - return 0; -} - int libworker_handle_service_reply(struct comm_point* c, void* arg, int error, struct comm_reply* reply_info) @@ -947,14 +946,6 @@ int worker_handle_request(struct comm_point* ATTR_UNUSED(c), return 0; } -int worker_handle_reply(struct comm_point* ATTR_UNUSED(c), - void* ATTR_UNUSED(arg), int ATTR_UNUSED(error), - struct comm_reply* ATTR_UNUSED(reply_info)) -{ - log_assert(0); - return 0; -} - int worker_handle_service_reply(struct comm_point* ATTR_UNUSED(c), void* ATTR_UNUSED(arg), int ATTR_UNUSED(error), struct comm_reply* ATTR_UNUSED(reply_info)) 
@@ -987,10 +978,11 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg)) struct outbound_entry* worker_send_query(struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps), + int ATTR_UNUSED(check_ratelimit), struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), - uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), + uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), - struct module_qstate* ATTR_UNUSED(q)) + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; diff --git a/libunbound/python/doc/examples/example4.rst b/libunbound/python/doc/examples/example4.rst index 3b43eb85f..a95be52fb 100644 --- a/libunbound/python/doc/examples/example4.rst +++ b/libunbound/python/doc/examples/example4.rst @@ -31,6 +31,6 @@ Source code else: print "Result is insecure" -More detailed informations can be seen in libUnbound DNSSEC tutorial `here`_. +More detailed information can be seen in libUnbound DNSSEC tutorial `here`_. .. _here: http://www.unbound.net/documentation/libunbound-tutorial-6.html diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i index ab244a6fb..c9549bf90 100644 --- a/libunbound/python/libunbound.i +++ b/libunbound/python/libunbound.i @@ -363,7 +363,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104'] ctx.debuglevel(3) ctx.debugout(fw) - Another option is to print the debug informations to stderr output + Another option is to print the debug information to stderr output :: @@ -936,6 +936,8 @@ int _ub_resolve_async(struct ub_ctx* ctx, char* name, int rrtype, int rrclass, v int r; struct cb_data* id; id = (struct cb_data*) malloc(sizeof(struct cb_data)); + if(!id) + return -2; /* UB_NOMEM */ id->data = mydata; id->func = pyfunc; 
diff --git a/libunbound/unbound-event.h b/libunbound/unbound-event.h index 4d694b8b4..a5d5c038b 100644 --- a/libunbound/unbound-event.h +++ b/libunbound/unbound-event.h @@ -41,7 +41,7 @@ * * Use ub_ctx_create_event_ub_base() to create an unbound context that uses * the user provided event base API. Then, use the ub_resolve_event call - * to add DNS resolve queries to the context. Those then run whith the + * to add DNS resolve queries to the context. Those then run with the * provided event_base, and when they are done you get a function callback. * * This method does not fork another process or create a thread, the effort diff --git a/libunbound/unbound.h b/libunbound/unbound.h index 945c17a8f..ee8558759 100644 --- a/libunbound/unbound.h +++ b/libunbound/unbound.h @@ -224,7 +224,7 @@ struct ub_result { * It is called with * void* my_arg: your pointer to a (struct of) data of your choice, * or NULL. - * int err: if 0 all is OK, otherwise an error occured and no results + * int err: if 0 all is OK, otherwise an error occurred and no results * are forthcoming. * struct result: pointer to more detailed result structure. * This structure is allocated on the heap and needs to be 
@@ -232,6 +232,35 @@ struct ub_result { */ typedef void (*ub_callback_type)(void*, int, struct ub_result*); +/** + * The error constants + */ +enum ub_ctx_err { + /** no error */ + UB_NOERROR = 0, + /** socket operation. Set to -1, so that if an error from _fd() is + * passed (-1) it gives a socket error. */ + UB_SOCKET = -1, + /** alloc failure */ + UB_NOMEM = -2, + /** syntax error */ + UB_SYNTAX = -3, + /** DNS service failed */ + UB_SERVFAIL = -4, + /** fork() failed */ + UB_FORKFAIL = -5, + /** cfg change after finalize() */ + UB_AFTERFINAL = -6, + /** initialization failed (bad settings) */ + UB_INITFAIL = -7, + /** error in pipe communication with async bg worker */ + UB_PIPE = -8, + /** error reading from file (resolv.conf) */ + UB_READFILE = -9, + /** error async_id does not exist or result already been delivered */ + UB_NOID = -10 +}; + /** * Create a resolving and validation context. * The information from /etc/resolv.conf and /etc/hosts is not utilised by @@ -563,6 +592,7 @@ void ub_resolve_free(struct ub_result* result); /** * Convert error value to a human readable string. * @param err: error code from one of the libunbound functions. + * The error codes are from the type enum ub_ctx_err. * @return pointer to constant text string, zero terminated. */ const char* ub_strerror(int err); diff --git a/libunbound/worker.h b/libunbound/worker.h index fe1d51878..0fa5bfa99 100644 --- a/libunbound/worker.h +++ b/libunbound/worker.h 
@@ -58,26 +58,27 @@ struct query_info; * @param dnssec: if set, EDNS record will have DO bit set. * @param want_dnssec: signatures needed. * @param nocaps: ignore capsforid(if in config), do not perturb qname. + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param addr: where to. * @param addrlen: length of addr. * @param zone: delegation point name. * @param zonelen: length of zone name wireformat dname. + * @param tcp_upstream: use TCP for upstream queries. * @param ssl_upstream: use SSL for upstream queries. * @param tls_auth_name: if ssl_upstream, use this name with TLS * authentication. - * @param q: wich query state to reactivate upon return. + * @param q: which query state to reactivate upon return. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return: false on failure (memory or socket related). no query was * sent. */ struct outbound_entry* libworker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q); - -/** process incoming replies from the network */ -int libworker_handle_reply(struct comm_point* c, void* arg, int error, - struct comm_reply* reply_info); + size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, + struct module_qstate* q, int* was_ratelimited); /** process incoming serviced query replies from the network */ int libworker_handle_service_reply(struct comm_point* c, void* arg, int error, 
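Review bot: The `@return` text for libworker_send_query still reads "false on failure (memory or socket related)", but the new `was_ratelimited` out-parameter implies a further outcome that callers have to tell apart. The comment should state what is returned when the ratelimit check rejects the query and whether `was_ratelimited` may be NULL, for example `@return: NULL on failure (memory or socket related) or when ratelimited, in which case *was_ratelimited is set. no query was sent.` That wording assumes outnet_serviced_query behaves this way, which is not visible in this diff. The worker_send_query comment in the next hunk of worker.h carries the same text and needs the same update.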
@@ -113,22 +114,27 @@ void worker_sighandler(int sig, void* arg); * @param dnssec: if set, EDNS record will have DO bit set. * @param want_dnssec: signatures needed. * @param nocaps: ignore capsforid(if in config), do not perturb qname. + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param addr: where to. * @param addrlen: length of addr. * @param zone: wireformat dname of the zone. * @param zonelen: length of zone name. + * @param tcp_upstream: use TCP for upstream queries. * @param ssl_upstream: use SSL for upstream queries. * @param tls_auth_name: if ssl_upstream, use this name with TLS * authentication. - * @param q: wich query state to reactivate upon return. + * @param q: which query state to reactivate upon return. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return: false on failure (memory or socket related). no query was * sent. */ struct outbound_entry* worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q); + size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, + struct module_qstate* q, int* was_ratelimited); /** * process control messages from the main thread. Frees the control @@ -146,10 +152,6 @@ void worker_handle_control_cmd(struct tube* tube, uint8_t* msg, size_t len, int worker_handle_request(struct comm_point* c, void* arg, int error, struct comm_reply* repinfo); -/** process incoming replies from the network */ -int worker_handle_reply(struct comm_point* c, void* arg, int error, - struct comm_reply* reply_info); - /** process incoming serviced query replies from the network */ int worker_handle_service_reply(struct comm_point* c, void* arg, int error, struct comm_reply* reply_info); 
diff --git a/makedist.sh b/makedist.sh index 6b7e0a83d..4234a0672 100755 --- a/makedist.sh +++ b/makedist.sh @@ -271,8 +271,18 @@ if [ "$DOWIN" = "yes" ]; then else sslflags="no-asm -DOPENSSL_NO_CAPIENG mingw" fi + if test -f /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libssp-0.dll; then + # stack protector lib needs to link in to make + # -lws2_32 work in openssl link stage + SSPLIB="-l:libssp.a" + else + # disable SSPLIB if no such file + SSPLIB="" + fi info "winssl: Configure no-shared $sslflags" - CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslinstall" no-shared $sslflags || error_cleanup "OpenSSL Configure failed" + set -x # echo the configure command + __CNF_LDLIBS=$SSPLIB CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslinstall" no-shared $sslflags || error_cleanup "OpenSSL Configure failed" + set +x info "winssl: make" make $MINJ || error_cleanup "OpenSSL crosscompile failed" # only install sw not docs, which take a long time. @@ -285,7 +295,9 @@ if [ "$DOWIN" = "yes" ]; then sslsharedinstall="`pwd`/sslsharedinstall" cd openssl_shared info "winssl: Configure shared $sslflags" - CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslsharedinstall" shared $sslflags || error_cleanup "OpenSSL Configure failed" + set -x # echo the configure command + __CNF_LDLIBS=$SSPLIB CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslsharedinstall" shared $sslflags || error_cleanup "OpenSSL Configure failed" + set +x info "winssl: make" make $MINJ || error_cleanup "OpenSSL crosscompile failed" info "winssl: make install_sw" 
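Review bot: The libssp probe added before the static OpenSSL Configure tests a fixed `/usr/x86_64-w64-mingw32/...` path, while the compiler on the following line is `${warch}-w64-mingw32-gcc`, so a build for the other architecture is decided by the 64-bit sysroot. Deriving the path from the same variable keeps the two in step: `if test -f /usr/${warch}-w64-mingw32/sys-root/mingw/bin/libssp-0.dll; then`. The later packaging hunk (`@@ -415,12 +427,19 @@`) drops the `W64` test and copies the x86_64 `libssp-0.dll` into `libunbound/` whenever the file exists. If `warch` is i686 for 32-bit builds, that ships a 64-bit DLL in the 32-bit zip, so the same substitution or the old `W64` guard is worth keeping there.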
@@ -317,7 +329,7 @@ if [ "$DOWIN" = "yes" ]; then info "git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound" git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound || error_cleanup "git clone failed" cd unbound || error_cleanup "Unbound not exported correctly from git" - rm -rf .git || error_cleanup "Failed to remove .git tracking information" + rm -rf .git .travis.yml .gitattributes .github .gitignore || error_cleanup "Failed to remove .git tracking and ci information" # on a re-configure the cache may no longer be valid... if test -f mingw32-config.cache; then rm mingw32-config.cache; fi @@ -364,12 +376,12 @@ if [ "$DOWIN" = "yes" ]; then fi if test "$W64" = "no"; then # Disable stack-protector for 32-bit windows builds. - echo "$configure"' --enable-debug --enable-static-exe --disable-flto '"$* $cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector' - $configure --enable-debug --enable-static-exe --disable-flto $* $cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'\ + echo "$configure"' --enable-debug --enable-static-exe --disable-flto --disable-gost '"$* $cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector' + $configure --enable-debug --enable-static-exe --disable-flto --disable-gost $* $cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'\ || error_cleanup "Could not configure" else - echo "$configure"' --enable-debug --enable-static-exe --disable-flto '"$* $cross_flag" - $configure --enable-debug --enable-static-exe --disable-flto $* $cross_flag \ + echo "$configure"' --enable-debug --enable-static-exe --disable-flto --disable-gost '"$* $cross_flag" + $configure --enable-debug --enable-static-exe --disable-flto --disable-gost $* $cross_flag \ || error_cleanup "Could not configure" fi info "Calling make" 
@@ -381,12 +393,12 @@ if [ "$DOWIN" = "yes" ]; then cd ../unbound_shared if test "$W64" = "no"; then # Disable stack-protector for 32-bit windows builds. - echo "$configure"' --enable-debug --disable-flto '"$* $shared_cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector' - $configure --enable-debug --disable-flto $* $shared_cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'\ + echo "$configure"' --enable-debug --disable-flto --disable-gost '"$* $shared_cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector' + $configure --enable-debug --disable-flto --disable-gost $* $shared_cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'\ || error_cleanup "Could not configure" else - echo "$configure"' --enable-debug --disable-flto '"$* $shared_cross_flag" - $configure --enable-debug --disable-flto $* $shared_cross_flag \ + echo "$configure"' --enable-debug --disable-flto --disable-gost '"$* $shared_cross_flag" + $configure --enable-debug --disable-flto --disable-gost $* $shared_cross_flag \ || error_cleanup "Could not configure" fi info "Calling make for DLL" 
@@ -415,12 +427,19 @@ if [ "$DOWIN" = "yes" ]; then cp ../doc/example.conf ../doc/Changelog . cp ../unbound.exe ../unbound-anchor.exe ../unbound-host.exe ../unbound-control.exe ../unbound-checkconf.exe ../unbound-service-install.exe ../unbound-service-remove.exe ../LICENSE ../winrc/unbound-control-setup.cmd ../winrc/unbound-website.url ../winrc/service.conf ../winrc/README.txt ../contrib/create_unbound_ad_servers.cmd ../contrib/warmup.cmd ../contrib/unbound_cache.cmd . mkdir libunbound - cp ../../unbound_shared/unbound.h ../../unbound_shared/.libs/libunbound*.dll ../../unbound_shared/.libs/libunbound.dll.a ../../unbound_shared/.libs/libunbound.a ../../unbound_shared/.libs/libunbound*.def ../../sslsharedinstall/lib/libcrypto.dll.a ../../sslsharedinstall/lib/libssl.dll.a ../../sslsharedinstall/bin/libcrypto*.dll ../../sslsharedinstall/bin/libssl*.dll ../../wxpinstall/bin/libexpat*.dll ../../wxpinstall/lib/libexpat.dll.a libunbound/. - if test "$W64" = "no"; then - # Disable stack-protector for 32-bit windows builds. - # cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libssp-0.dll libunbound/. - : + # test to see if lib or lib64 (for openssl 3.0.0) needs to be used + if test -f ../../sslsharedinstall/lib/libcrypto.dll.a; then + cp ../../sslsharedinstall/lib/libcrypto.dll.a libunbound/. else + cp ../../sslsharedinstall/lib64/libcrypto.dll.a libunbound/. + fi + if test -f ../../sslsharedinstall/lib/libssl.dll.a; then + cp ../../sslsharedinstall/lib/libssl.dll.a libunbound/. + else + cp ../../sslsharedinstall/lib64/libssl.dll.a libunbound/. + fi + cp ../../unbound_shared/unbound.h ../../unbound_shared/.libs/libunbound*.dll ../../unbound_shared/.libs/libunbound.dll.a ../../unbound_shared/.libs/libunbound.a ../../unbound_shared/.libs/libunbound*.def ../../sslsharedinstall/bin/libcrypto*.dll ../../sslsharedinstall/bin/libssl*.dll ../../wxpinstall/bin/libexpat*.dll ../../wxpinstall/lib/libexpat.dll.a libunbound/. 
+ if test -f /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libssp-0.dll; then cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libssp-0.dll libunbound/. fi # zipfile @@ -470,7 +489,7 @@ info "git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound" git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound || error_cleanup "git clone failed" cd unbound || error_cleanup "Unbound not exported correctly from git" -rm -rf .git || error_cleanup "Failed to remove .git tracking information" +rm -rf .git .travis.yml .gitattributes .github .gitignore || error_cleanup "Failed to remove .git tracking and ci information" info "Adding libtool utils (libtoolize)." libtoolize -c --install || libtoolize -c || error_cleanup "Libtoolize failed." diff --git a/pythonmod/doc/examples/example5.rst b/pythonmod/doc/examples/example5.rst index 938d8941b..8b9d145d1 100644 --- a/pythonmod/doc/examples/example5.rst +++ b/pythonmod/doc/examples/example5.rst @@ -90,7 +90,7 @@ We can also remove an EDNS option code from an EDNS option list. log_info("python: Option code {} was not found in the " "list.".format(code)) -.. note:: All occurences of the EDNS option code will be removed from the list: +.. note:: All occurrences of the EDNS option code will be removed from the list: Controlling other modules' cache behavior diff --git a/pythonmod/doc/modules/struct.rst b/pythonmod/doc/modules/struct.rst index de7c084e9..310cf5524 100644 --- a/pythonmod/doc/modules/struct.rst +++ b/pythonmod/doc/modules/struct.rst @@ -12,7 +12,7 @@ module_qstate .. attribute:: qinfo - (:class:`query_info`) Informations about query being answered. Name, RR type, RR class. + (:class:`query_info`) Information about query being answered. Name, RR type, RR class. .. attribute:: query_flags @@ -256,7 +256,7 @@ dns_msg .. attribute:: qinfo - (:class:`query_info`) Informations about query. + (:class:`query_info`) Information about query. .. attribute:: rep 
@@ -440,7 +440,7 @@ DNSMessage .. method:: set_return_msg(self, qstate) - This method fills qstate return message according to the given informations. + This method fills qstate return message according to the given information. It takes lists of RRs in each section of answer, created necessary RRsets in wire format and store the result in :attr:`qstate.return_msg`. Returns 1 if OK. diff --git a/pythonmod/doc/usecase.rst b/pythonmod/doc/usecase.rst index 5845061b0..27985e039 100644 --- a/pythonmod/doc/usecase.rst +++ b/pythonmod/doc/usecase.rst @@ -21,7 +21,7 @@ almost every mail server supports DNS based blacklisting. DNS based Wake-On-Lan --------------------- -Controled by secured queries secured with private key. +Controlled by secured queries secured with private key. Dynamic translation service --------------------------- diff --git a/pythonmod/examples/edns.py b/pythonmod/examples/edns.py index ca1bb8da7..ddcccc51c 100644 --- a/pythonmod/examples/edns.py +++ b/pythonmod/examples/edns.py @@ -55,7 +55,7 @@ # Return True on success, False on failure. # # edns_opt_list_remove(edns_opt_list, code): -# Remove all occurences of the given EDNS option code from the +# Remove all occurrences of the given EDNS option code from the # edns_opt_list. # Return True when at least one EDNS option was removed, False otherwise. # diff --git a/pythonmod/interface.i b/pythonmod/interface.i index 5dae04aa4..2fac5f884 100644 --- a/pythonmod/interface.i +++ b/pythonmod/interface.i @@ -678,11 +678,14 @@ struct edns_data { uint8_t edns_version; uint16_t bits; uint16_t udp_size; - struct edns_option* opt_list; + struct edns_option* opt_list_in; + struct edns_option* opt_list_out; + struct edns_option* opt_list_inplace_cb_out; + uint16_t padding_block_size; }; %inline %{ struct edns_option** _edns_data_opt_list_get(struct edns_data* edns) { - return &edns->opt_list; + return &edns->opt_list_in; } %} %extend edns_data { 
@@ -709,9 +712,10 @@ struct module_env { /* --- services --- */ struct outbound_entry* (*send_query)(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t* zone, size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q); + uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, + char* tls_auth_name, struct module_qstate* q, int* was_ratelimited); void (*detach_subs)(struct module_qstate* qstate); int (*attach_sub)(struct module_qstate* qstate, struct query_info* qinfo, uint16_t qflags, int prime, @@ -1341,7 +1345,7 @@ int set_return_msg(struct module_qstate* qstate, %pythoncode %{ class DNSMessage: def __init__(self, rr_name, rr_type, rr_class = RR_CLASS_IN, query_flags = 0, default_ttl = 0): - """Query flags is a combination of PKT_xx contants""" + """Query flags is a combination of PKT_xx constants""" self.rr_name = rr_name self.rr_type = rr_type self.rr_class = rr_class @@ -1373,7 +1377,7 @@ struct delegpt* dns_cache_find_delegation(struct module_env* env, uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, struct regional* region, struct dns_msg** msg, uint32_t timenow); int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, - struct delegpt* dp); + struct delegpt* dp, int supports_ipv4, int supports_ipv6); struct iter_hints_stub* hints_lookup_stub(struct iter_hints* hints, uint8_t* qname, uint16_t qclass, struct delegpt* dp); @@ -1403,7 +1407,8 @@ struct delegpt* find_delegation(struct module_qstate* qstate, char *nm, size_t n dp = dns_cache_find_delegation(qstate->env, (uint8_t*)nm, nmlen, qinfo.qtype, qinfo.qclass, region, &msg, timenow); if(!dp) return NULL; - if(iter_dp_is_useless(&qinfo, BIT_RD, dp)) { + if(iter_dp_is_useless(&qinfo, BIT_RD, dp, + qstate->env->cfg->do_ip4, qstate->env->cfg->do_ip6)) { if (dname_is_root((uint8_t*)nm)) return NULL; nm = (char*)dp->name; 
@@ -1546,7 +1551,7 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len, { PyObject *func, *py_edns, *py_qstate, *py_opt_list_out, *py_qinfo; PyObject *py_rep, *py_repinfo, *py_region; - PyObject *py_args, *py_kwargs, *result; + PyObject *py_args = NULL, *py_kwargs = NULL, *result = NULL; int res = 0; double py_start_time = ((double)start_time->tv_sec) + ((double)start_time->tv_usec) / 1.0e6; @@ -1561,11 +1566,20 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len, py_rep = SWIG_NewPointerObj((void*) rep, SWIGTYPE_p_reply_info, 0); py_repinfo = SWIG_NewPointerObj((void*) repinfo, SWIGTYPE_p_comm_reply, 0); py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0); - py_args = Py_BuildValue("(OOOiOOO)", py_qinfo, py_qstate, py_rep, - rcode, py_edns, py_opt_list_out, py_region); - py_kwargs = Py_BuildValue("{s:O,s:d}", "repinfo", py_repinfo, "start_time", - py_start_time); - result = PyObject_Call(func, py_args, py_kwargs); + if(py_qinfo && py_qstate && py_rep && py_edns && py_opt_list_out + && py_region && py_repinfo) { + py_args = Py_BuildValue("(OOOiOOO)", py_qinfo, py_qstate, py_rep, + rcode, py_edns, py_opt_list_out, py_region); + py_kwargs = Py_BuildValue("{s:O,s:d}", "repinfo", py_repinfo, "start_time", + py_start_time); + if(py_args && py_kwargs) { + result = PyObject_Call(func, py_args, py_kwargs); + } else { + log_err("pythonmod: malloc failure in python_inplace_cb_reply_generic"); + } + } else { + log_err("pythonmod: malloc failure in python_inplace_cb_reply_generic"); + } Py_XDECREF(py_edns); Py_XDECREF(py_qstate); Py_XDECREF(py_opt_list_out); @@ -1624,6 +1638,7 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len, { int res = 0; PyObject *func = python_callback; + PyObject *py_args = NULL, *py_kwargs = NULL, *result = NULL; PyGILState_STATE gstate = PyGILState_Ensure(); 
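Review bot: In python_inplace_cb_reply_generic the two new failure branches call `log_err(...)` but leave the Python error indicator set, since a NULL from `Py_BuildValue` or the pointer wrappers comes with a pending exception. Unless code after the hunk clears it, that exception stays on the thread state after the GIL is released and can surface in an unrelated later call. Adding `PyErr_Clear();` after each `log_err("pythonmod: malloc failure in python_inplace_cb_reply_generic");` keeps the failure contained. The two branches could also be merged so the message is written once. python_inplace_cb_query_generic in the `@@ -1632,12 +1647,19 @@` hunk has the same pattern.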
@@ -1632,12 +1647,19 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len, PyObject *py_addr = SWIG_NewPointerObj((void *) addr, SWIGTYPE_p_sockaddr_storage, 0); PyObject *py_zone = PyBytes_FromStringAndSize((const char *)zone, zonelen); PyObject *py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0); - - PyObject *py_args = Py_BuildValue("(OiOOOO)", py_qinfo, flags, py_qstate, py_addr, py_zone, py_region); - PyObject *py_kwargs = Py_BuildValue("{}"); - PyObject *result = PyObject_Call(func, py_args, py_kwargs); - if (result) { - res = PyInt_AsLong(result); + if(py_qinfo && py_qstate && py_addr && py_zone && py_region) { + py_args = Py_BuildValue("(OiOOOO)", py_qinfo, flags, py_qstate, py_addr, py_zone, py_region); + py_kwargs = Py_BuildValue("{}"); + if(py_args && py_kwargs) { + result = PyObject_Call(func, py_args, py_kwargs); + if (result) { + res = PyInt_AsLong(result); + } + } else { + log_err("pythonmod: malloc failure in python_inplace_cb_query_generic"); + } + } else { + log_err("pythonmod: malloc failure in python_inplace_cb_query_generic"); } Py_XDECREF(py_qinfo); diff --git a/pythonmod/pythonmod.c b/pythonmod/pythonmod.c index 6e60d02fe..4bea54e6a 100644 --- a/pythonmod/pythonmod.c +++ b/pythonmod/pythonmod.c @@ -245,6 +245,11 @@ cleanup: /* clear the exception, by not restoring it */ /* Restore the exception state */ /* PyErr_Restore(exc_typ, exc_val, exc_tb); */ + /* when using PyErr_Restore there is no need to Py_XDECREF for + * these 3 pointers. */ + Py_XDECREF(exc_typ); + Py_XDECREF(exc_val); + Py_XDECREF(exc_tb); } int pythonmod_init(struct module_env* env, int id) 
@@ -561,9 +566,19 @@ void pythonmod_operate(struct module_qstate* qstate, enum module_ev event, { /* create qstate */ pq = qstate->minfo[id] = malloc(sizeof(struct pythonmod_qstate)); + if(!pq) { + log_err("pythonmod_operate: malloc failure for qstate"); + PyGILState_Release(gil); + return; + } /* Initialize per query data */ pq->data = PyDict_New(); + if(!pq->data) { + log_err("pythonmod_operate: malloc failure for query data dict"); + PyGILState_Release(gil); + return; + } } /* Call operate */ diff --git a/pythonmod/pythonmod_utils.c b/pythonmod/pythonmod_utils.c index 21a16bbe8..34a20ba76 100644 --- a/pythonmod/pythonmod_utils.c +++ b/pythonmod/pythonmod_utils.c @@ -132,7 +132,7 @@ int createResponse(struct module_qstate* qstate, sldns_buffer* pkt) return 0; } /* edns is not examined, but removed from message to help cache */ - if(parse_extract_edns(prs, &edns, qstate->env->scratch) != + if(parse_extract_edns_from_response_msg(prs, &edns, qstate->env->scratch) != LDNS_RCODE_NOERROR) return 0; diff --git a/respip/respip.c b/respip/respip.c index 8fe82cdee..deff66317 100644 --- a/respip/respip.c +++ b/respip/respip.c @@ -25,6 +25,7 @@ #include "respip/respip.h" #include "services/view.h" #include "sldns/rrdef.h" +#include "util/data/dname.h" /** Subset of resp_addr.node, used for inform-variant logging */ @@ -129,7 +130,7 @@ respip_sockaddr_delete(struct respip_set* set, struct resp_addr* node) struct resp_addr* prev; prev = (struct resp_addr*)rbtree_previous((struct rbnode_type*)node); lock_rw_destroy(&node->lock); - rbtree_delete(&set->ip_tree, node); + (void)rbtree_delete(&set->ip_tree, node); /* no free'ing, all allocated in region */ if(!prev) addr_tree_init_parents((rbtree_type*)set); 
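Review bot: Both new early returns in pythonmod_operate leave the query in an undefined module state, and the second one also leaves `qstate->minfo[id]` pointing at a `pythonmod_qstate` whose `data` is NULL. The guard that decides whether to allocate is above the hunk, but if it tests `pq == NULL`, a later call would skip initialisation and use the NULL dict. For the `PyDict_New` failure I would add `free(pq); qstate->minfo[id] = NULL;` before releasing the GIL. For both paths I would add `qstate->ext_state[id] = module_error;` so the mesh sees the failure instead of a stale state. Whether the clear path tolerates `pq->data == NULL` is not visible here and should be checked.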
@@ -483,8 +484,8 @@ respip_views_apply_cfg(struct views* vs, struct config_file* cfg, * This function returns the copied rrset key on success, and NULL on memory * allocation failure. */ -static struct ub_packed_rrset_key* -copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region) +struct ub_packed_rrset_key* +respip_copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region) { struct ub_packed_rrset_key* ck = regional_alloc(region, sizeof(struct ub_packed_rrset_key)); @@ -602,7 +603,7 @@ rdata2sockaddr(const struct packed_rrset_data* rd, uint16_t rtype, size_t i, */ static struct resp_addr* respip_addr_lookup(const struct reply_info *rep, struct respip_set* rs, - size_t* rrset_id) + size_t* rrset_id, size_t* rr_id) { size_t i; struct resp_addr* ra; @@ -625,6 +626,7 @@ respip_addr_lookup(const struct reply_info *rep, struct respip_set* rs, &ss, addrlen); if(ra) { *rrset_id = i; + *rr_id = j; lock_rw_rdlock(&ra->lock); lock_rw_unlock(&rs->lock); return ra; 
@@ -635,43 +637,6 @@ respip_addr_lookup(const struct reply_info *rep, struct respip_set* rs, return NULL; } -/* - * Create a new reply_info based on 'rep'. The new info is based on - * the passed 'rep', but ignores any rrsets except for the first 'an_numrrsets' - * RRsets in the answer section. These answer rrsets are copied to the - * new info, up to 'copy_rrsets' rrsets (which must not be larger than - * 'an_numrrsets'). If an_numrrsets > copy_rrsets, the remaining rrsets array - * entries will be kept empty so the caller can fill them later. When rrsets - * are copied, they are shallow copied. The caller must ensure that the - * copied rrsets are valid throughout its lifetime and must provide appropriate - * mutex if it can be shared by multiple threads. - */ -static struct reply_info * -make_new_reply_info(const struct reply_info* rep, struct regional* region, - size_t an_numrrsets, size_t copy_rrsets) -{ - struct reply_info* new_rep; - size_t i; - - /* create a base struct. we specify 'insecure' security status as - * the modified response won't be DNSSEC-valid. In our faked response - * the authority and additional sections will be empty (except possible - * EDNS0 OPT RR in the additional section appended on sending it out), - * so the total number of RRsets is an_numrrsets. */ - new_rep = construct_reply_info_base(region, rep->flags, - rep->qdcount, rep->ttl, rep->prefetch_ttl, - rep->serve_expired_ttl, an_numrrsets, 0, 0, an_numrrsets, - sec_status_insecure); - if(!new_rep) - return NULL; - if(!reply_info_alloc_rrset_keys(new_rep, NULL, region)) - return NULL; - for(i=0; irrsets[i] = rep->rrsets[i]; - - return new_rep; -} - /** * See if response-ip or tag data should override the original answer rrset * (which is rep->rrsets[rrset_id]) and if so override it. @@ -730,7 +695,7 @@ respip_data_answer(enum respip_action action, "response-ip redirect with tag data [%d] %s", tag, (tagrk.dname = rep->rrsets[rrset_id]->rk.dname; 
@@ -807,7 +772,6 @@ respip_nodata_answer(uint16_t qtype, enum respip_action action, * is explicitly specified. */ int rcode = (action == respip_always_nxdomain)? LDNS_RCODE_NXDOMAIN:LDNS_RCODE_NOERROR; - /* We should empty the answer section except for any preceding * CNAMEs (in that case rrset_id > 0). Type-ANY case is * special as noted in respip_data_answer(). */ @@ -869,8 +833,11 @@ static int respip_use_rpz(struct resp_addr* raddr, struct rpz* r, enum respip_action* action, struct ub_packed_rrset_key** data, int* rpz_log, char** log_name, - int* rpz_cname_override, struct regional* region, int* is_rpz) + int* rpz_cname_override, struct regional* region, int* is_rpz, + int* rpz_passthru) { + if(rpz_passthru && *rpz_passthru) + return 0; if(r->action_override == RPZ_DISABLED_ACTION) { *is_rpz = 0; return 1; @@ -884,6 +851,9 @@ respip_use_rpz(struct resp_addr* raddr, struct rpz* r, *data = r->cname_override; *rpz_cname_override = 1; } + if(*action == respip_always_transparent /* RPZ_PASSTHRU_ACTION */ + && rpz_passthru) + *rpz_passthru = 1; *rpz_log = r->log; if(r->log_name) if(!(*log_name = regional_strdup(region, r->log_name))) @@ -897,7 +867,7 @@ respip_rewrite_reply(const struct query_info* qinfo, const struct respip_client_info* cinfo, const struct reply_info* rep, struct reply_info** new_repp, struct respip_action_info* actinfo, struct ub_packed_rrset_key** alias_rrset, int search_only, - struct regional* region, struct auth_zones* az) + struct regional* region, struct auth_zones* az, int* rpz_passthru) { const uint8_t* ctaglist; size_t ctaglen; @@ -907,7 +877,7 @@ respip_rewrite_reply(const struct query_info* qinfo, size_t tag_datas_size; struct view* view = NULL; struct respip_set* ipset = NULL; - size_t rrset_id = 0; + size_t rrset_id = 0, rr_id = 0; enum respip_action action = respip_none; int tag = -1; struct resp_addr* raddr = NULL; 
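Review bot: The new guard at the top of respip_use_rpz, `if(rpz_passthru && *rpz_passthru) return 0;`, returns the value that the call site in respip_rewrite_reply treats as allocation failure (`log_err("out of memory")`, then `return 0`, which respip_operate turns into `goto servfail`). The loop condition added in respip_rewrite_reply already skips the RPZ walk when passthru is set, so the guard looks unreachable today. If it is ever reached, a passthru would become a SERVFAIL with a misleading log line. Mirroring the disabled-action branch reads more safely: `if(rpz_passthru && *rpz_passthru) { *is_rpz = 0; return 1; }`. The function comment should also document the `rpz_passthru` parameter and that it may be NULL.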
@@ -948,7 +918,7 @@ respip_rewrite_reply(const struct query_info* qinfo, lock_rw_rdlock(&view->lock); if(view->respip_set) { if((raddr = respip_addr_lookup(rep, - view->respip_set, &rrset_id))) { + view->respip_set, &rrset_id, &rr_id))) { /** for per-view respip directives the action * can only be direct (i.e. not tag-based) */ action = raddr->action; @@ -962,7 +932,7 @@ respip_rewrite_reply(const struct query_info* qinfo, } } if(!raddr && (raddr = respip_addr_lookup(rep, ipset, - &rrset_id))) { + &rrset_id, &rr_id))) { action = (enum respip_action)local_data_find_tag_action( raddr->taglist, raddr->taglen, ctaglist, ctaglen, tag_actions, tag_actions_size, @@ -970,16 +940,16 @@ respip_rewrite_reply(const struct query_info* qinfo, ipset->tagname, ipset->num_tags); } lock_rw_rdlock(&az->rpz_lock); - for(a = az->rpz_first; a && !raddr; a = a->rpz_az_next) { + for(a = az->rpz_first; a && !raddr && !(rpz_passthru && *rpz_passthru); a = a->rpz_az_next) { lock_rw_rdlock(&a->lock); r = a->rpz; if(!r->taglist || taglist_intersect(r->taglist, r->taglistlen, ctaglist, ctaglen)) { if((raddr = respip_addr_lookup(rep, - r->respip_set, &rrset_id))) { + r->respip_set, &rrset_id, &rr_id))) { if(!respip_use_rpz(raddr, r, &action, &data, &rpz_log, &log_name, &rpz_cname_override, - region, &rpz_used)) { + region, &rpz_used, rpz_passthru)) { log_err("out of memory"); lock_rw_unlock(&raddr->lock); lock_rw_unlock(&a->lock); 
@@ -987,6 +957,21 @@ respip_rewrite_reply(const struct query_info* qinfo, return 0; } if(rpz_used) { + if(verbosity >= VERB_ALGO) { + struct sockaddr_storage ss; + socklen_t ss_len = 0; + char nm[256], ip[256]; + char qn[255+1]; + if(!rdata2sockaddr(rep->rrsets[rrset_id]->entry.data, ntohs(rep->rrsets[rrset_id]->rk.type), rr_id, &ss, &ss_len)) + snprintf(ip, sizeof(ip), "invalidRRdata"); + else + addr_to_str(&ss, ss_len, ip, sizeof(ip)); + dname_str(qinfo->qname, qn); + addr_to_str(&raddr->node.addr, + raddr->node.addrlen, + nm, sizeof(nm)); + verbose(VERB_ALGO, "respip: rpz: response-ip trigger %s/%d on %s %s with action %s", nm, raddr->node.net, qn, ip, rpz_action_to_string(respip_action_to_rpz_action(action))); + } /* break to make sure 'a' stays pointed * to used auth_zone, and keeps lock */ break; @@ -1115,7 +1100,8 @@ respip_operate(struct module_qstate* qstate, enum module_ev event, int id, if(!respip_rewrite_reply(&qstate->qinfo, qstate->client_info, qstate->return_msg->rep, &new_rep, &actinfo, &alias_rrset, 0, - qstate->region, qstate->env->auth_zones)) { + qstate->region, qstate->env->auth_zones, + &qstate->rpz_passthru)) { goto servfail; } if(actinfo.action != respip_none) { @@ -1190,7 +1176,7 @@ respip_merge_cname(struct reply_info* base_rep, /* see if the target reply would be subject to a response-ip action. */ if(!respip_rewrite_reply(qinfo, cinfo, tgt_rep, &tmp_rep, &actinfo, - &alias_rrset, 1, region, az)) + &alias_rrset, 1, region, az, NULL)) return 0; if(actinfo.action != respip_none) { log_info("CNAME target of redirect response-ip action would " @@ -1209,7 +1195,7 @@ respip_merge_cname(struct reply_info* base_rep, if(!new_rep) return 0; for(i=0,j=base_rep->an_numrrsets; ian_numrrsets; i++,j++) { - new_rep->rrsets[j] = copy_rrset(tgt_rep->rrsets[i], region); + new_rep->rrsets[j] = respip_copy_rrset(tgt_rep->rrsets[i], region); if(!new_rep->rrsets[j]) return 0; } 
@@ -1322,7 +1308,7 @@ respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname, respip, sizeof(respip)); if(respip_actinfo->rpz_log) { txtlen += snprintf(txt+txtlen, sizeof(txt)-txtlen, "%s", - "RPZ applied "); + "rpz: applied "); if(respip_actinfo->rpz_cname_override) actionstr = rpz_action_to_string( RPZ_CNAME_OVERRIDE_ACTION); diff --git a/respip/respip.h b/respip/respip.h index bbd471421..988a72263 100644 --- a/respip/respip.h +++ b/respip/respip.h @@ -176,6 +176,8 @@ int respip_merge_cname(struct reply_info* base_rep, * will be set (or intact) accordingly but the modified reply won't be built. * @param az: auth zones containing RPZ information. * @param region: allocator to build *new_repp. + * @param rpz_passthru: keeps track of query state can have passthru that + * stops further rpz processing. Or NULL for cached answer processing. * @return 1 on success, 0 on error. */ int respip_rewrite_reply(const struct query_info* qinfo, @@ -183,7 +185,8 @@ int respip_rewrite_reply(const struct query_info* qinfo, const struct reply_info *rep, struct reply_info** new_repp, struct respip_action_info* actinfo, struct ub_packed_rrset_key** alias_rrset, - int search_only, struct regional* region, struct auth_zones* az); + int search_only, struct regional* region, struct auth_zones* az, + int* rpz_passthru); /** * Get the response-ip function block. @@ -294,4 +297,7 @@ respip_enter_rr(struct regional* region, struct resp_addr* raddr, */ void respip_sockaddr_delete(struct respip_set* set, struct resp_addr* node); + +struct ub_packed_rrset_key* +respip_copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region); #endif /* RESPIP_RESPIP_H */ diff --git a/services/authzone.c b/services/authzone.c index 196fe6693..d3e93a62a 100644 --- a/services/authzone.c +++ b/services/authzone.c 
@@ -84,7 +84,7 @@ #define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */ /* auth transfer timeout for TCP connections, in msec */ #define AUTH_TRANSFER_TIMEOUT 10000 /* msec */ -/* auth transfer max backoff for failed tranfers and probes */ +/* auth transfer max backoff for failed transfers and probes */ #define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */ /* auth http port number */ #define AUTH_HTTP_PORT 80 @@ -243,7 +243,7 @@ msg_add_rrset_an(struct auth_zone* z, struct regional* region, return 1; } -/** add rrset to authority section (no additonal section rrsets yet) */ +/** add rrset to authority section (no additional section rrsets yet) */ static int msg_add_rrset_ns(struct auth_zone* z, struct regional* region, struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) @@ -1755,6 +1755,8 @@ zonemd_offline_verify(struct auth_zone* z, struct module_env* env_for_val, { struct module_env env; time_t now = 0; + if(!z->zonemd_check) + return; env = *env_for_val; env.scratch_buffer = sldns_buffer_new(env.cfg->msg_buffer_size); if(!env.scratch_buffer) { @@ -1880,6 +1882,8 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z, struct regional* region = NULL; struct sldns_buffer* buf = NULL; uint32_t soa_serial = 0; + char* unsupported_reason = NULL; + int only_unsupported = 1; region = env->scratch; regional_free_all(region); buf = env->scratch_buffer; @@ -1909,6 +1913,7 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z, &hashalgo, &hash, &hashlen)) { /* malformed RR */ *reason = "ZONEMD rdata malformed"; + only_unsupported = 0; continue; } /* check for duplicates */ 
@@ -1918,25 +1923,51 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z, * is not allowed. */ *reason = "ZONEMD RRSet contains more than one RR " "with the same scheme and hash algorithm"; + only_unsupported = 0; continue; } regional_free_all(region); if(serial != soa_serial) { *reason = "ZONEMD serial is wrong"; + only_unsupported = 0; continue; } + *reason = NULL; if(auth_zone_generate_zonemd_check(z, scheme, hashalgo, hash, hashlen, region, buf, reason)) { /* success */ + if(*reason) { + if(!unsupported_reason) + unsupported_reason = *reason; + /* continue to check for valid ZONEMD */ + if(verbosity >= VERB_ALGO) { + char zstr[255+1]; + dname_str(z->name, zstr); + verbose(VERB_ALGO, "auth-zone %s ZONEMD %d %d is unsupported: %s", zstr, (int)scheme, (int)hashalgo, *reason); + } + *reason = NULL; + continue; + } if(verbosity >= VERB_ALGO) { char zstr[255+1]; dname_str(z->name, zstr); - verbose(VERB_ALGO, "auth-zone %s ZONEMD hash is correct", zstr); + if(!*reason) + verbose(VERB_ALGO, "auth-zone %s ZONEMD hash is correct", zstr); } return 1; } + only_unsupported = 0; /* try next one */ } + /* have we seen no failures but only unsupported algo, + * and one unsupported algorithm, or more. */ + if(only_unsupported && unsupported_reason) { + /* only unsupported algorithms, with valid serial, not + * malformed. Did not see supported algorithms, failed or + * successful ones. */ + *reason = unsupported_reason; + return 1; + } /* fail, we may have reason */ if(!*reason) *reason = "no ZONEMD records found"; 
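Review bot: The new `only_unsupported && unsupported_reason` exit returns 1 although no digest was compared, so a ZONEMD RRset holding only unknown scheme or hash-algorithm records now counts as verified; the `return 1` paths added to `auth_zone_generate_zonemd_check` in a later hunk are the other half of this. An operator who sets `zonemd_reject_absence` to insist on an integrity check may not expect that outcome, and whether that option should also reject this case is not visible here. The result is reported only at `VERB_ALGO`, so it is easy to miss in normal logs. I would document it at the return, e.g. `/* accepted without digest comparison: only unsupported ZONEMD schemes/algorithms present */`, and consider logging it at a lower verbosity. Separately, the `if(!*reason)` guard before the "hash is correct" message is always true after the preceding `continue`.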
@@ -1948,6 +1979,17 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z, return 0; } +/** find the apex SOA RRset, if it exists */ +struct auth_rrset* auth_zone_get_soa_rrset(struct auth_zone* z) +{ + struct auth_data* apex; + struct auth_rrset* soa; + apex = az_find_name(z, z->name, z->namelen); + if(!apex) return NULL; + soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); + return soa; +} + /** find serial number of zone or false if none */ int auth_zone_get_serial(struct auth_zone* z, uint32_t* serial) @@ -2096,6 +2138,7 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c) z->for_downstream = c->for_downstream; z->for_upstream = c->for_upstream; z->fallback_enabled = c->fallback_enabled; + z->zonemd_check = c->zonemd_check; z->zonemd_reject_absence = c->zonemd_reject_absence; if(c->isrpz && !z->rpz){ if(!(z->rpz = rpz_create(c))){ @@ -3504,7 +3547,7 @@ auth_error_encode(struct query_info* qinfo, struct module_env* env, if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL, rcode, edns, repinfo, temp, env->now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(buf, rcode|BIT_AA, qinfo, *(uint16_t*)sldns_buffer_begin(buf), sldns_buffer_read_u16_at(buf, 2), edns); @@ -4442,7 +4485,7 @@ chunkline_get_line_collated(struct auth_chunk** chunk, size_t* chunk_pos, return 1; } -/** process $ORIGIN for http */ +/** process $ORIGIN for http, 0 nothing, 1 done, 2 error */ static int http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate) { 
@@ -4453,13 +4496,16 @@ http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate) pstate->origin_len = sizeof(pstate->origin); s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8), pstate->origin, &pstate->origin_len); - if(s) pstate->origin_len = 0; + if(s) { + pstate->origin_len = 0; + return 2; + } return 1; } return 0; } -/** process $TTL for http */ +/** process $TTL for http, 0 nothing, 1 done, 2 error */ static int http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate) { @@ -4467,8 +4513,12 @@ http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate) if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line[4])) { const char* end = NULL; + int overflow = 0; pstate->default_ttl = sldns_str2period( - sldns_strip_ws(line+5), &end); + sldns_strip_ws(line+5), &end, &overflow); + if(overflow) { + return 2; + } return 1; } return 0; @@ -4479,15 +4529,20 @@ static int chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos, sldns_buffer* buf, struct sldns_file_parse_state* pstate) { + int ret; while(chunkline_get_line_collated(chunk, chunk_pos, buf)) { if(chunkline_is_comment_line_or_empty(buf)) { /* a comment, go to next line */ continue; } - if(http_parse_origin(buf, pstate)) { + if((ret=http_parse_origin(buf, pstate))!=0) { + if(ret == 2) + return 0; continue; /* $ORIGIN has been handled */ } - if(http_parse_ttl(buf, pstate)) { + if((ret=http_parse_ttl(buf, pstate))!=0) { + if(ret == 2) + return 0; continue; /* $TTL has been handled */ } return 1; @@ -4993,6 +5048,7 @@ apply_http(struct auth_xfer* xfr, struct auth_zone* z, struct sldns_file_parse_state pstate; struct auth_chunk* chunk; size_t chunk_pos; + int ret; memset(&pstate, 0, sizeof(pstate)); pstate.default_ttl = 3600; if(xfr->namelen < sizeof(pstate.origin)) { 
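Review bot: `http_parse_ttl` now rejects an overflowing period but still never reads `end`, so a `$TTL` line with trailing junk after the number appears to be accepted with whatever `sldns_str2period` parsed up to that point. Since this text comes from a downloaded zone file, unparsed characters could be treated as the same error, e.g. `if(overflow || (end && *end && !isspace((unsigned char)*end))) return 2;`, adjusted if the collated line can still carry a trailing comment. This assumes `sldns_str2period` leaves `end` at the first unconsumed character, which is not shown here. The 0/1/2 return codes shared with `http_parse_origin` would also read better as named constants.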
@@ -5049,10 +5105,24 @@ apply_http(struct auth_xfer* xfr, struct auth_zone* z, continue; } /* parse line and add RR */ - if(http_parse_origin(scratch_buffer, &pstate)) { + if((ret=http_parse_origin(scratch_buffer, &pstate))!=0) { + if(ret == 2) { + verbose(VERB_ALGO, "error parsing ORIGIN on line [%s:%d] %s", + xfr->task_transfer->master->file, + pstate.lineno, + sldns_buffer_begin(scratch_buffer)); + return 0; + } continue; /* $ORIGIN has been handled */ } - if(http_parse_ttl(scratch_buffer, &pstate)) { + if((ret=http_parse_ttl(scratch_buffer, &pstate))!=0) { + if(ret == 2) { + verbose(VERB_ALGO, "error parsing TTL on line [%s:%d] %s", + xfr->task_transfer->master->file, + pstate.lineno, + sldns_buffer_begin(scratch_buffer)); + return 0; + } continue; /* $TTL has been handled */ } if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) { @@ -5149,6 +5219,9 @@ xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env) lock_rw_unlock(&z->lock); return; } +#ifdef UB_ON_WINDOWS + (void)unlink(zfilename); /* windows does not replace file with rename() */ +#endif if(rename(tmpfile, zfilename) < 0) { log_err("could not rename(%s, %s): %s", tmpfile, zfilename, strerror(errno)); @@ -5341,7 +5414,9 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env) edns.ext_rcode = 0; edns.edns_version = 0; edns.bits = EDNS_DO; - edns.opt_list = NULL; + edns.opt_list_in = NULL; + edns.opt_list_out = NULL; + edns.opt_list_inplace_cb_out = NULL; edns.padding_block_size = 0; if(sldns_buffer_capacity(buf) < 65535) edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 
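Review bot: Under `UB_ON_WINDOWS` the zone file is now unlinked before `rename(tmpfile, zfilename)`, so if the rename fails, or the process stops between the two calls, neither the old nor the new zone file is left at `zfilename`. The `unlink` result is discarded too, so a failure there only surfaces as the later rename error. A replace-in-one-call API avoids the gap, e.g. `MoveFileExA(tmpfile, zfilename, MOVEFILE_REPLACE_EXISTING)` under the same `#ifdef`. If the unlink stays, the `log_err` on the rename failure should say that the previous file has already been removed. `xfr_write_after_update` starts and ends outside the hunk.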
@@ -5351,7 +5426,7 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env) * called straight away */ lock_basic_unlock(&xfr->lock); if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, - &auth_xfer_transfer_lookup_callback, xfr)) { + &auth_xfer_transfer_lookup_callback, xfr, 0)) { lock_basic_lock(&xfr->lock); log_err("out of memory lookup up master %s", master->host); return 0; @@ -5420,7 +5495,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env) xfr->task_transfer->cp = outnet_comm_point_for_http( env->outnet, auth_xfer_transfer_http_callback, xfr, &addr, addrlen, -1, master->ssl, master->host, - master->file); + master->file, env->cfg); if(!xfr->task_transfer->cp) { char zname[255+1], as[256]; dname_str(xfr->name, zname); @@ -5442,7 +5517,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env) /* perform AXFR/IXFR */ /* set the packet to be written */ /* create new ID */ - xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff); + xfr->task_transfer->id = GET_RANDOM_ID(env->rnd); xfr_create_ixfr_packet(xfr, env->scratch_buffer, xfr->task_transfer->id, master); @@ -6292,7 +6367,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, /* create new ID for new probes, but not on timeout retries, * this means we'll accept replies to previous retries to same ip */ if(timeout == AUTH_PROBE_TIMEOUT) - xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff); + xfr->task_probe->id = GET_RANDOM_ID(env->rnd); xfr_create_soa_probe_packet(xfr, env->scratch_buffer, xfr->task_probe->id); /* we need to remove the cp if we have a different ip4/ip6 type now */ 
@@ -6474,7 +6549,7 @@ auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err, comm_point_delete(xfr->task_probe->cp); xfr->task_probe->cp = NULL; - /* if the result was not a successfull probe, we need + /* if the result was not a successful probe, we need * to send the next one */ xfr_probe_nextmaster(xfr); xfr_probe_send_or_end(xfr, env); @@ -6530,7 +6605,9 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env) edns.ext_rcode = 0; edns.edns_version = 0; edns.bits = EDNS_DO; - edns.opt_list = NULL; + edns.opt_list_in = NULL; + edns.opt_list_out = NULL; + edns.opt_list_inplace_cb_out = NULL; edns.padding_block_size = 0; if(sldns_buffer_capacity(buf) < 65535) edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); @@ -6540,7 +6617,7 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env) * called straight away */ lock_basic_unlock(&xfr->lock); if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, - &auth_xfer_probe_lookup_callback, xfr)) { + &auth_xfer_probe_lookup_callback, xfr, 0)) { lock_basic_lock(&xfr->lock); log_err("out of memory lookup up master %s", master->host); return 0; @@ -7143,7 +7220,7 @@ parse_url(char* url, char** host, char** file, int* port, int* ssl) while(p && *p == '/') p++; if(!p || p[0] == 0) - *file = strdup("index.html"); + *file = strdup("/"); else *file = strdup(p); if(!*file) { log_err("malloc failure"); @@ -7165,12 +7242,14 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c, if(with_http) for(p = c->urls; p; p = p->next) { m = auth_master_new(&list); + if(!m) return 0; m->http = 1; if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl)) return 0; } for(p = c->masters; p; p = p->next) { m = auth_master_new(&list); + if(!m) return 0; m->ixfr = 1; /* this flag is not configurable */ m->host = strdup(p->str); if(!m->host) { 
@@ -7180,6 +7259,7 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c, } for(p = c->allow_notify; p; p = p->next) { m = auth_master_new(&list); + if(!m) return 0; m->allow_notify = 1; m->host = strdup(p->str); if(!m->host) { @@ -7608,13 +7688,16 @@ int auth_zone_generate_zonemd_check(struct auth_zone* z, int scheme, { uint8_t gen[512]; size_t genlen = 0; + *reason = NULL; if(!zonemd_hashalgo_supported(hashalgo)) { + /* allow it */ *reason = "unsupported algorithm"; - return 0; + return 1; } if(!zonemd_scheme_supported(scheme)) { + /* allow it */ *reason = "unsupported scheme"; - return 0; + return 1; } if(hashlen < 12) { /* the ZONEMD draft requires digests to fail if too small */ @@ -7674,7 +7757,7 @@ static void auth_zone_log(uint8_t* name, enum verbosity_value level, static int zonemd_dnssec_verify_rrset(struct auth_zone* z, struct module_env* env, struct module_stack* mods, struct ub_packed_rrset_key* dnskey, struct auth_data* node, - struct auth_rrset* rrset, char** why_bogus) + struct auth_rrset* rrset, char** why_bogus, uint8_t* sigalg) { struct ub_packed_rrset_key pk; enum sec_status sec; @@ -7702,7 +7785,7 @@ static int zonemd_dnssec_verify_rrset(struct auth_zone* z, auth_zone_log(z->name, VERB_ALGO, "zonemd: verify %s RRset with DNSKEY", typestr); } - sec = dnskeyset_verify_rrset(env, ve, &pk, dnskey, NULL, why_bogus, + sec = dnskeyset_verify_rrset(env, ve, &pk, dnskey, sigalg, why_bogus, LDNS_SECTION_ANSWER, NULL); if(sec == sec_status_secure) { return 1; @@ -7746,7 +7829,7 @@ static int nsec3_of_param_has_type(struct auth_rrset* nsec3, int algo, static int zonemd_check_dnssec_absence(struct auth_zone* z, struct module_env* env, struct module_stack* mods, struct ub_packed_rrset_key* dnskey, struct auth_data* apex, - char** reason, char** why_bogus) + char** reason, char** why_bogus, uint8_t* sigalg) { struct auth_rrset* nsec = NULL; if(!apex) { 
@@ -7758,7 +7841,7 @@ static int zonemd_check_dnssec_absence(struct auth_zone* z, struct ub_packed_rrset_key pk; /* dnssec verify the NSEC */ if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex, - nsec, why_bogus)) { + nsec, why_bogus, sigalg)) { *reason = "DNSSEC verify failed for NSEC RRset"; return 0; } @@ -7801,7 +7884,7 @@ static int zonemd_check_dnssec_absence(struct auth_zone* z, } /* dnssec verify the NSEC3 */ if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, match, - nsec3, why_bogus)) { + nsec3, why_bogus, sigalg)) { *reason = "DNSSEC verify failed for NSEC3 RRset"; return 0; } @@ -7822,7 +7905,8 @@ static int zonemd_check_dnssec_absence(struct auth_zone* z, static int zonemd_check_dnssec_soazonemd(struct auth_zone* z, struct module_env* env, struct module_stack* mods, struct ub_packed_rrset_key* dnskey, struct auth_data* apex, - struct auth_rrset* zonemd_rrset, char** reason, char** why_bogus) + struct auth_rrset* zonemd_rrset, char** reason, char** why_bogus, + uint8_t* sigalg) { struct auth_rrset* soa; if(!apex) { @@ -7835,12 +7919,12 @@ static int zonemd_check_dnssec_soazonemd(struct auth_zone* z, return 0; } if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex, soa, - why_bogus)) { + why_bogus, sigalg)) { *reason = "DNSSEC verify failed for SOA RRset"; return 0; } if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex, - zonemd_rrset, why_bogus)) { + zonemd_rrset, why_bogus, sigalg)) { *reason = "DNSSEC verify failed for ZONEMD RRset"; return 0; } 
@@ -7899,12 +7983,14 @@ static void auth_zone_zonemd_fail(struct auth_zone* z, struct module_env* env, * @param is_insecure: if true, the dnskey is not used, the zone is insecure. * And dnssec is not used. It is DNSSEC secure insecure or not under * a trust anchor. + * @param sigalg: if nonNULL provide algorithm downgrade protection. + * Otherwise one algorithm is enough. Must have space of ALGO_NEEDS_MAX+1. * @param result: if not NULL result reason copied here. */ static void auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env, struct module_stack* mods, struct ub_packed_rrset_key* dnskey, - int is_insecure, char** result) + int is_insecure, char** result, uint8_t* sigalg) { char* reason = NULL, *why_bogus = NULL; struct auth_data* apex = NULL; @@ -7934,7 +8020,7 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env, } else if(!zonemd_rrset && dnskey && !is_insecure) { /* fetch, DNSSEC verify, and check NSEC/NSEC3 */ if(!zonemd_check_dnssec_absence(z, env, mods, dnskey, apex, - &reason, &why_bogus)) { + &reason, &why_bogus, sigalg)) { auth_zone_zonemd_fail(z, env, reason, why_bogus, result); return; } @@ -7942,7 +8028,7 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env, } else if(zonemd_rrset && dnskey && !is_insecure) { /* check DNSSEC verify of SOA and ZONEMD */ if(!zonemd_check_dnssec_soazonemd(z, env, mods, dnskey, apex, - zonemd_rrset, &reason, &why_bogus)) { + zonemd_rrset, &reason, &why_bogus, sigalg)) { auth_zone_zonemd_fail(z, env, reason, why_bogus, result); return; } 
@@ -7976,9 +8062,13 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env, } /* success! log the success */ - auth_zone_log(z->name, VERB_ALGO, "ZONEMD verification successful"); + if(reason) + auth_zone_log(z->name, VERB_ALGO, "ZONEMD %s", reason); + else auth_zone_log(z->name, VERB_ALGO, "ZONEMD verification successful"); if(result) { - *result = strdup("ZONEMD verification successful"); + if(reason) + *result = strdup(reason); + else *result = strdup("ZONEMD verification successful"); if(!*result) log_err("out of memory"); } } 
@@ -8056,15 +8146,78 @@ zonemd_get_dnskey_from_anchor(struct auth_zone* z, struct module_env* env, return NULL; } +/** verify the DNSKEY from the zone with looked up DS record */ +static struct ub_packed_rrset_key* +auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z, + struct module_env* env, struct module_stack* mods, + struct ub_packed_rrset_key* ds, int* is_insecure, char** why_bogus, + struct ub_packed_rrset_key* keystorage, uint8_t* sigalg) +{ + struct auth_data* apex; + struct auth_rrset* dnskey_rrset; + enum sec_status sec; + struct val_env* ve; + int m; + + /* fetch DNSKEY from zone data */ + apex = az_find_name(z, z->name, z->namelen); + if(!apex) { + *why_bogus = "in verifywithDS, zone has no apex"; + return NULL; + } + dnskey_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_DNSKEY); + if(!dnskey_rrset || dnskey_rrset->data->count==0) { + *why_bogus = "in verifywithDS, zone has no DNSKEY"; + return NULL; + } + + m = modstack_find(mods, "validator"); + if(m == -1) { + *why_bogus = "in verifywithDS, have no validator module"; + return NULL; + } + ve = (struct val_env*)env->modinfo[m]; + + memset(keystorage, 0, sizeof(*keystorage)); + keystorage->entry.key = keystorage; + keystorage->entry.data = dnskey_rrset->data; + keystorage->rk.dname = apex->name; + keystorage->rk.dname_len = apex->namelen; + keystorage->rk.type = htons(LDNS_RR_TYPE_DNSKEY); + keystorage->rk.rrset_class = htons(z->dclass); + auth_zone_log(z->name, VERB_QUERY, "zonemd: verify zone DNSKEY with DS"); + sec = val_verify_DNSKEY_with_DS(env, ve, keystorage, ds, sigalg, + why_bogus, NULL); + regional_free_all(env->scratch); + if(sec == sec_status_secure) { + /* success */ + return keystorage; + } else if(sec == sec_status_insecure) { + /* insecure */ + *is_insecure = 1; + } else { + /* bogus */ + *is_insecure = 0; + if(*why_bogus == NULL) + *why_bogus = "verify failed"; + auth_zone_log(z->name, VERB_ALGO, + "zonemd: verify DNSKEY RRset with DS failed: %s", + *why_bogus); + } + return NULL; +} + 
/** callback for ZONEMD lookup of DNSKEY */ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf, enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited)) { struct auth_zone* z = (struct auth_zone*)arg; struct module_env* env; - char* reason = NULL; - struct ub_packed_rrset_key* dnskey = NULL; - int is_insecure = 0; + char* reason = NULL, *ds_bogus = NULL, *typestr="DNSKEY"; + struct ub_packed_rrset_key* dnskey = NULL, *ds = NULL; + int is_insecure = 0, downprot; + struct ub_packed_rrset_key keystorage; + uint8_t sigalg[ALGO_NEEDS_MAX+1]; lock_rw_wrlock(&z->lock); env = z->zonemd_callback_env; @@ -8075,16 +8228,22 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf, lock_rw_unlock(&z->lock); return; /* stop on quit */ } + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS) + typestr = "DS"; + downprot = env->cfg->harden_algo_downgrade; /* process result */ if(sec == sec_status_bogus) { reason = why_bogus; - if(!reason) - reason = "lookup of DNSKEY was bogus"; + if(!reason) { + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY) + reason = "lookup of DNSKEY was bogus"; + else reason = "lookup of DS was bogus"; + } auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was bogus: %s", reason); + "zonemd lookup of %s was bogus: %s", typestr, reason); } else if(rcode == LDNS_RCODE_NOERROR) { - uint16_t wanted_qtype = LDNS_RR_TYPE_DNSKEY; + uint16_t wanted_qtype = z->zonemd_callback_qtype; struct regional* temp = env->scratch; struct query_info rq; struct reply_info* rep; 
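Review bot: `auth_zone_verify_zonemd_key_with_ds` returns `keystorage` filled with pointers into the zone (`apex->name`, `dnskey_rrset->data`), but its one-line comment does not say that the result is only usable while the zone lock is held and `keystorage` is in scope. The three outcomes are also left implicit: key returned, NULL with `*is_insecure` set, and NULL with `*why_bogus` set. I would expand the comment into a `@param`/`@return` block in the style used for `auth_zone_verify_zonemd_with_key`, stating those lifetimes and outcomes and that `sigalg` may be NULL. Note also that `regional_free_all(env->scratch)` runs before `*why_bogus` is logged, which is only safe as long as that string is never allocated in the scratch region.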
@@ -8097,25 +8256,29 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf, struct ub_packed_rrset_key* answer = reply_find_answer_rrset(&rq, rep); if(answer && sec == sec_status_secure) { - dnskey = answer; + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY) + dnskey = answer; + else ds = answer; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was secure"); + "zonemd lookup of %s was secure", typestr); } else if(sec == sec_status_secure && !answer) { is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY has no content, but is secure, treat as insecure"); + "zonemd lookup of %s has no content, but is secure, treat as insecure", typestr); } else if(sec == sec_status_insecure) { is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was insecure"); + "zonemd lookup of %s was insecure", typestr); } else if(sec == sec_status_indeterminate) { is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was indeterminate, treat as insecure"); + "zonemd lookup of %s was indeterminate, treat as insecure", typestr); } else { auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY has nodata"); - reason = "lookup of DNSKEY has nodata"; + "zonemd lookup of %s has nodata", typestr); + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY) + reason = "lookup of DNSKEY has nodata"; + else reason = "lookup of DS has nodata"; } } else if(rep && rq.qtype == wanted_qtype && query_dname_compare(z->name, rq.qname) == 0 && 
@@ -8128,40 +8291,52 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf, * trust, as insecure. */ is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was secure NXDOMAIN, treat as insecure"); + "zonemd lookup of %s was secure NXDOMAIN, treat as insecure", typestr); } else if(rep && rq.qtype == wanted_qtype && query_dname_compare(z->name, rq.qname) == 0 && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN && sec == sec_status_insecure) { is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was insecure NXDOMAIN, treat as insecure"); + "zonemd lookup of %s was insecure NXDOMAIN, treat as insecure", typestr); } else if(rep && rq.qtype == wanted_qtype && query_dname_compare(z->name, rq.qname) == 0 && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN && sec == sec_status_indeterminate) { is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was indeterminate NXDOMAIN, treat as insecure"); + "zonemd lookup of %s was indeterminate NXDOMAIN, treat as insecure", typestr); } else { auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY has no answer"); - reason = "lookup of DNSKEY has no answer"; + "zonemd lookup of %s has no answer", typestr); + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY) + reason = "lookup of DNSKEY has no answer"; + else reason = "lookup of DS has no answer"; } } else { auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY failed"); - reason = "lookup of DNSKEY failed"; + "zonemd lookup of %s failed", typestr); + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY) + reason = "lookup of DNSKEY failed"; + else reason = "lookup of DS failed"; + } + + if(!reason && !is_insecure && !dnskey && ds) { + dnskey = auth_zone_verify_zonemd_key_with_ds(z, env, + &env->mesh->mods, ds, &is_insecure, &ds_bogus, + &keystorage, downprot?sigalg:NULL); + if(!dnskey && !is_insecure && !reason) + reason = "DNSKEY verify with DS failed"; } if(reason) 
{ - auth_zone_zonemd_fail(z, env, reason, NULL, NULL); + auth_zone_zonemd_fail(z, env, reason, ds_bogus, NULL); lock_rw_unlock(&z->lock); return; } auth_zone_verify_zonemd_with_key(z, env, &env->mesh->mods, dnskey, - is_insecure, NULL); + is_insecure, NULL, downprot?sigalg:NULL); regional_free_all(env->scratch); lock_rw_unlock(&z->lock); } @@ -8174,14 +8349,21 @@ zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env) uint16_t qflags = BIT_RD; struct edns_data edns; sldns_buffer* buf = env->scratch_buffer; + int fetch_ds = 0; + if(!z->fallback_enabled) { + /* we cannot actually get the DNSKEY, because it is in the + * zone we have ourselves, and it is not served yet + * (possibly), so fetch type DS */ + fetch_ds = 1; + } if(z->zonemd_callback_env) { /* another worker is already working on the callback * for the DNSKEY lookup for ZONEMD verification. * We do not also have to do ZONEMD verification, let that * worker do it */ auth_zone_log(z->name, VERB_ALGO, - "zonemd needs lookup of DNSKEY and that already worked on by another worker"); + "zonemd needs lookup of %s and that already is worked on by another worker", (fetch_ds?"DS":"DNSKEY")); return 1; } 
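Review bot: `sigalg` reaches `auth_zone_verify_zonemd_with_key` unwritten when the lookup was for DNSKEY. It is declared without an initializer earlier in the callback, and the only visible writer is the `auth_zone_verify_zonemd_key_with_ds` call, which runs only when `ds` is set. With `harden_algo_downgrade` enabled the verifier would then receive indeterminate stack bytes as its algorithm list, assuming `dnskeyset_verify_rrset` reads the array on entry (not shown). Passing the array only when it was filled, `(downprot && ds)?sigalg:NULL`, or populating it from the looked-up DNSKEY set, would close this. The callback body starts and ends outside this hunk.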
@@ -8190,21 +8372,26 @@ zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env) qinfo.qname_len = z->namelen; qinfo.qname = z->name; qinfo.qclass = z->dclass; - qinfo.qtype = LDNS_RR_TYPE_DNSKEY; + if(fetch_ds) + qinfo.qtype = LDNS_RR_TYPE_DS; + else qinfo.qtype = LDNS_RR_TYPE_DNSKEY; qinfo.local_alias = NULL; if(verbosity >= VERB_ALGO) { char buf1[512]; char buf2[LDNS_MAX_DOMAINLEN+1]; dname_str(z->name, buf2); - snprintf(buf1, sizeof(buf1), "auth zone %s: lookup DNSKEY " - "for zonemd verification", buf2); + snprintf(buf1, sizeof(buf1), "auth zone %s: lookup %s " + "for zonemd verification", buf2, + (fetch_ds?"DS":"DNSKEY")); log_query_info(VERB_ALGO, buf1, &qinfo); } edns.edns_present = 1; edns.ext_rcode = 0; edns.edns_version = 0; edns.bits = EDNS_DO; - edns.opt_list = NULL; + edns.opt_list_in = NULL; + edns.opt_list_out = NULL; + edns.opt_list_inplace_cb_out = NULL; if(sldns_buffer_capacity(buf) < 65535) edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); else edns.udp_size = 65535; @@ -8212,12 +8399,14 @@ zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env) /* store the worker-specific module env for the callback. * We can then reference this when the callback executes */ z->zonemd_callback_env = env; + z->zonemd_callback_qtype = qinfo.qtype; /* the callback can be called straight away */ lock_rw_unlock(&z->lock); if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, - &auth_zonemd_dnskey_lookup_callback, z)) { + &auth_zonemd_dnskey_lookup_callback, z, 0)) { lock_rw_wrlock(&z->lock); - log_err("out of memory lookup up dnskey for zonemd"); + log_err("out of memory lookup of %s for zonemd", + (fetch_ds?"DS":"DNSKEY")); return 0; } lock_rw_wrlock(&z->lock); 
@@ -8234,6 +8423,10 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env, int is_insecure = 0; /* verify the ZONEMD if present. * If not present check if absence is allowed by DNSSEC */ + if(!z->zonemd_check) + return; + if(z->data.count == 0) + return; /* no data */ /* if zone is under a trustanchor */ /* is it equal to trustanchor - get dnskey's verified */ @@ -8287,7 +8480,7 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env, } auth_zone_verify_zonemd_with_key(z, env, mods, dnskey, is_insecure, - result); + result, NULL); regional_free_all(env->scratch); } @@ -8302,6 +8495,10 @@ void auth_zones_pickup_zonemd_verify(struct auth_zones* az, lock_rw_rdlock(&az->lock); RBTREE_FOR(z, struct auth_zone*, &az->ztree) { lock_rw_wrlock(&z->lock); + if(!z->zonemd_check) { + lock_rw_unlock(&z->lock); + continue; + } key.dclass = z->dclass; key.namelabs = z->namelabs; if(z->namelen > sizeof(savezname)) { diff --git a/services/authzone.h b/services/authzone.h index 4810017a3..07614ed82 100644 --- a/services/authzone.h +++ b/services/authzone.h @@ -132,6 +132,8 @@ struct auth_zone { /** for upstream: this zone answers queries that unbound intends to * send upstream. */ int for_upstream; + /** check ZONEMD records */ + int zonemd_check; /** reject absence of ZONEMD records */ int zonemd_reject_absence; /** RPZ zones */ @@ -141,6 +143,8 @@ struct auth_zone { * worker has already picked up the zonemd verification task and * this worker does not have to do it as well. */ struct module_env* zonemd_callback_env; + /** for the zonemd callback, the type of data looked up */ + uint16_t zonemd_callback_qtype; /** zone has been deleted */ int zone_deleted; /** deletelist pointer, unused normally except during delete */ 
@@ -632,6 +636,9 @@ int auth_zones_startprobesequence(struct auth_zones* az, /** read auth zone from zonefile. caller must lock zone. false on failure */ int auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg); +/** find the apex SOA RRset, if it exists. NULL if no SOA RRset. */ +struct auth_rrset* auth_zone_get_soa_rrset(struct auth_zone* z); + /** find serial number of zone or false if none (no SOA record) */ int auth_zone_get_serial(struct auth_zone* z, uint32_t* serial); @@ -740,6 +747,9 @@ int zonemd_scheme_supported(int scheme); * @param region: temp region for allocs during canonicalisation. * @param buf: temp buffer during canonicalisation. * @param reason: string returned with failure reason. + * If the hash cannot be checked, but it is allowed, for unknown + * algorithms, the routine returns success, and the reason is nonNULL, + * with the allowance reason. * @return false on failure. */ int auth_zone_generate_zonemd_check(struct auth_zone* z, int scheme, diff --git a/services/cache/dns.c b/services/cache/dns.c index f3149b614..5b64fe475 100644 --- a/services/cache/dns.c +++ b/services/cache/dns.c @@ -801,7 +801,7 @@ struct dns_msg* dns_cache_lookup(struct module_env* env, uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, uint16_t flags, struct regional* region, struct regional* scratch, - int no_partial) + int no_partial, uint8_t* dpname, size_t dpnamelen) { struct lruhash_entry* e; struct query_info k; @@ -923,6 +923,9 @@ dns_cache_lookup(struct module_env* env, * the same. We search upwards for NXDOMAINs. */ if(env->cfg->harden_below_nxdomain) { while(!dname_is_root(k.qname)) { + if(dpname && dpnamelen + && !dname_subdomain_c(k.qname, dpname)) + break; /* no synth nxdomain above the stub */ dname_remove_label(&k.qname, &k.qname_len); h = query_info_hash(&k, flags); e = slabhash_lookup(env->msg_cache, h, &k, 0); diff --git a/services/cache/dns.h b/services/cache/dns.h index f1b77fb36..bece83702 100644 
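Review bot: In the harden_below_nxdomain loop of dns_cache_lookup the new stub check runs before `dname_remove_label`, so it tests the name from the previous round rather than the name that is about to be looked up. When k.qname equals dpname the check passes (assuming dname_subdomain_c treats equal names as subdomains, which is not visible here), the label is stripped, and the message cache is queried for the parent of the stub. If `/* no synth nxdomain above the stub */` is meant to exclude that lookup, strip first and then test: `dname_remove_label(&k.qname, &k.qname_len);` followed by `if(dpname && dpnamelen && !dname_subdomain_c(k.qname, dpname)) break;`. The loop body continues past the end of the hunk.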
--- a/services/cache/dns.h +++ b/services/cache/dns.h @@ -164,6 +164,8 @@ struct dns_msg* tomsg(struct module_env* env, struct query_info* q, * @param scratch: where to allocate temporary data. * @param no_partial: if true, only complete messages and not a partial * one (with only the start of the CNAME chain and not the rest). + * @param dpname: if not NULL, do not return NXDOMAIN above this name. + * @param dpnamelen: length of dpname. * @return new response message (alloced in region, rrsets do not have IDs). * or NULL on error or if not found in cache. * TTLs are made relative to the current time. @@ -171,7 +173,7 @@ struct dns_msg* tomsg(struct module_env* env, struct query_info* q, struct dns_msg* dns_cache_lookup(struct module_env* env, uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, uint16_t flags, struct regional* region, struct regional* scratch, - int no_partial); + int no_partial, uint8_t* dpname, size_t dpnamelen); /** * find and add A and AAAA records for missing nameservers in delegpt diff --git a/services/cache/infra.c b/services/cache/infra.c index 2d16bcd6e..252e1e288 100644 --- a/services/cache/infra.c +++ b/services/cache/infra.c @@ -236,6 +236,9 @@ infra_create(struct config_file* cfg) sizeof(struct infra_cache)); size_t maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+ sizeof(struct infra_data)+INFRA_BYTES_NAME); + if(!infra) { + return NULL; + } infra->hosts = slabhash_create(cfg->infra_cache_slabs, INFRA_HOST_STARTSIZE, maxmem, &infra_sizefunc, &infra_compfunc, &infra_delkeyfunc, &infra_deldatafunc, NULL); 
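Review bot: The new `@param dpname` text in dns.h says the limit applies "if not NULL", but the check added to dns_cache_lookup in dns.c is `dpname && dpnamelen`, so a zero length also switches it off. I would state that in the header: `@param dpname: if not NULL and dpnamelen is not 0, do not return NXDOMAIN above this name.` The doc also does not say whether dpname is in wire format like qname; a word on that would help callers.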
@@ -895,8 +898,9 @@ static void infra_ip_create_ratedata(struct infra_cache* infra, slabhash_insert(infra->client_ip_rates, h, &k->entry, d, NULL); } -/** find the second and return its rate counter, if none, remove oldest */ -static int* infra_rate_find_second(void* data, time_t t) +/** Find the second and return its rate counter. If none and should_add, remove + * oldest to accommodate. Else return none. */ +static int* infra_rate_find_second_or_none(void* data, time_t t, int should_add) { struct rate_data* d = (struct rate_data*)data; int i, oldest; @@ -904,6 +908,7 @@ static int* infra_rate_find_second(void* data, time_t t) if(d->timestamp[i] == t) return &(d->qps[i]); } + if(!should_add) return NULL; /* remove oldest timestamp, and insert it at t with 0 qps */ oldest = 0; for(i=0; iqps[oldest]); } -int infra_rate_max(void* data, time_t now) +/** find the second and return its rate counter, if none, remove oldest to + * accommodate */ +static int* infra_rate_give_second(void* data, time_t t) +{ + return infra_rate_find_second_or_none(data, t, 1); +} + +/** find the second and return its rate counter only if it exists. Caller + * should check for NULL return value */ +static int* infra_rate_get_second(void* data, time_t t) +{ + return infra_rate_find_second_or_none(data, t, 0); +} + +int infra_rate_max(void* data, time_t now, int backoff) { struct rate_data* d = (struct rate_data*)data; int i, max = 0; for(i=0; itimestamp[i] <= RATE_WINDOW) { - if(d->qps[i] > max) + if(backoff) { + if(now-d->timestamp[i] <= RATE_WINDOW && + d->qps[i] > max) { max = d->qps[i]; + } + } else { + if(now == d->timestamp[i]) { + return d->qps[i]; + } } } return max; } int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow, struct query_info* qinfo, + size_t namelen, time_t timenow, int backoff, struct query_info* qinfo, struct comm_reply* replylist) { int lim, max; 
@@ -946,13 +971,13 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, /* find or insert ratedata */ entry = infra_find_ratedata(infra, name, namelen, 1); if(entry) { - int premax = infra_rate_max(entry->data, timenow); - int* cur = infra_rate_find_second(entry->data, timenow); + int premax = infra_rate_max(entry->data, timenow, backoff); + int* cur = infra_rate_give_second(entry->data, timenow); (*cur)++; - max = infra_rate_max(entry->data, timenow); + max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); - if(premax < lim && max >= lim) { + if(premax <= lim && max > lim) { char buf[257], qnm[257], ts[12], cs[12], ip[128]; dname_str(name, buf); dname_str(qinfo->qname, qnm); @@ -967,12 +992,12 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts); } } - return (max < lim); + return (max <= lim); } /* create */ infra_create_ratedata(infra, name, namelen, timenow); - return (1 < lim); + return (1 <= lim); } void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name, @@ -984,14 +1009,19 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name, return; /* not enabled */ entry = infra_find_ratedata(infra, name, namelen, 1); if(!entry) return; /* not cached */ - cur = infra_rate_find_second(entry->data, timenow); + cur = infra_rate_get_second(entry->data, timenow); + if(cur == NULL) { + /* our timenow is not available anymore; nothing to decrease */ + lock_rw_unlock(&entry->lock); + return; + } if((*cur) > 0) (*cur)--; lock_rw_unlock(&entry->lock); } int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow) + size_t namelen, time_t timenow, int backoff) { struct lruhash_entry* entry; int lim, max; 
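Review bot: infra_ratelimit_inc now treats the limit as inclusive (`premax <= lim && max > lim` for the log line, `return (max <= lim);`, `return (1 <= lim);`), but the sibling checks keep the old exclusive comparison. In the following hunks infra_ratelimit_exceeded still ends with the unchanged `return (max >= lim);` and infra_ip_ratelimit_inc still tests `premax < infra_ip_ratelimit && max >= infra_ip_ratelimit`. A zone sitting exactly at its limit is therefore accepted by the increment but reported as exceeded, and the per-zone and per-IP limits differ by one query. I would align them with `return (max > lim);` and `if(premax <= infra_ip_ratelimit && max > infra_ip_ratelimit) {`; the return statement of infra_ip_ratelimit_inc lies outside the hunk and needs the same look.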
@@ -1007,7 +1037,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, entry = infra_find_ratedata(infra, name, namelen, 0); if(!entry) return 0; /* not cached */ - max = infra_rate_max(entry->data, timenow); + max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); return (max >= lim); @@ -1024,7 +1054,8 @@ infra_get_mem(struct infra_cache* infra) } int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer) + struct comm_reply* repinfo, time_t timenow, int backoff, + struct sldns_buffer* buffer) { int max; struct lruhash_entry* entry; @@ -1036,10 +1067,10 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, /* find or insert ratedata */ entry = infra_find_ip_ratedata(infra, repinfo, 1); if(entry) { - int premax = infra_rate_max(entry->data, timenow); - int* cur = infra_rate_find_second(entry->data, timenow); + int premax = infra_rate_max(entry->data, timenow, backoff); + int* cur = infra_rate_give_second(entry->data, timenow); (*cur)++; - max = infra_rate_max(entry->data, timenow); + max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) { diff --git a/services/cache/infra.h b/services/cache/infra.h index 14f97c4c6..6a2371aca 100644 --- a/services/cache/infra.h +++ b/services/cache/infra.h @@ -368,6 +368,7 @@ long long infra_get_host_rto(struct infra_cache* infra, * @param name: zone name * @param namelen: zone name length * @param timenow: what time it is now. + * @param backoff: if backoff is enabled. * @param qinfo: for logging, query name. * @param replylist: for logging, querier's address (if any). * @return 1 if it could be incremented. 0 if the increment overshot the 
@@ -375,7 +376,7 @@ long long infra_get_host_rto(struct infra_cache* infra, * Failures like alloc failures are not returned (probably as 1). */ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow, struct query_info* qinfo, + size_t namelen, time_t timenow, int backoff, struct query_info* qinfo, struct comm_reply* replylist); /** @@ -398,13 +399,15 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name, * @param name: zone name * @param namelen: zone name length * @param timenow: what time it is now. + * @param backoff: if backoff is enabled. * @return true if exceeded. */ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow); + size_t namelen, time_t timenow, int backoff); -/** find the maximum rate stored, not too old. 0 if no information. */ -int infra_rate_max(void* data, time_t now); +/** find the maximum rate stored. 0 if no information. + * When backoff is enabled look for the maximum in the whole RATE_WINDOW. */ +int infra_rate_max(void* data, time_t now, int backoff); /** find the ratelimit in qps for a domain. 0 if no limit for domain. */ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name, @@ -415,11 +418,12 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name, * @param infra: infra cache * @param repinfo: information about client * @param timenow: what time it is now. + * @param backoff: if backoff is enabled. * @param buffer: with query for logging. * @return 1 if it could be incremented. 0 if the increment overshot the * ratelimit and the query should be dropped. */ int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow, + struct comm_reply* repinfo, time_t timenow, int backoff, struct sldns_buffer* buffer); /** diff --git a/services/cache/rrset.h b/services/cache/rrset.h index 35a0d732b..7c36d4032 100644 --- a/services/cache/rrset.h +++ b/services/cache/rrset.h 
@@ -120,7 +120,7 @@ void rrset_cache_touch(struct rrset_cache* r, struct ub_packed_rrset_key* key, * the new rrset. The reference may be changed if the cached rrset is * superior. * Before calling the rrset is presumed newly allocated and changeable. - * Afer calling you do not hold a lock, and the rrset is inserted in + * After calling you do not hold a lock, and the rrset is inserted in * the hashtable so you need a lock to change it. * @param alloc: how to allocate (and deallocate) the special rrset key. * @param timenow: current time (to see if ttl in cache is expired). @@ -143,7 +143,7 @@ int rrset_cache_update(struct rrset_cache* r, struct rrset_ref* ref, * @param rrset: which rrset to cache as wildcard. This rrset is left * untouched. * @param ce: the closest encloser, will be uses to generate the wildcard dname. - * @param ce_len: the closest encloser lenght. + * @param ce_len: the closest encloser length. * @param alloc: how to allocate (and deallocate) the special rrset key. * @param timenow: current time (to see if ttl in cache is expired). */ diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c index ca40fac5c..afe4cb71d 100644 --- a/services/listen_dnsport.c +++ b/services/listen_dnsport.c @@ -47,6 +47,7 @@ #ifdef USE_TCP_FASTOPEN #include #endif +#include #include "services/listen_dnsport.h" #include "services/outside_network.h" #include "util/netevent.h" @@ -869,9 +870,14 @@ set_ip_dscp(int socket, int addrfamily, int dscp) ds = dscp << 2; switch(addrfamily) { case AF_INET6: - if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, (void*)&ds, sizeof(ds)) < 0) + #ifdef IPV6_TCLASS + if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, (void*)&ds, + sizeof(ds)) < 0) return sock_strerror(errno); break; + #else + return "IPV6_TCLASS not defined on this system"; + #endif default: if(setsockopt(socket, IPPROTO_IP, IP_TOS, (void*)&ds, sizeof(ds)) < 0) return sock_strerror(errno); 
@@ -1306,6 +1312,38 @@ listen_cp_insert(struct comm_point* c, struct listen_dnsport* front) return 1; } +void listen_setup_locks(void) +{ + if(!stream_wait_lock_inited) { + lock_basic_init(&stream_wait_count_lock); + stream_wait_lock_inited = 1; + } + if(!http2_query_buffer_lock_inited) { + lock_basic_init(&http2_query_buffer_count_lock); + http2_query_buffer_lock_inited = 1; + } + if(!http2_response_buffer_lock_inited) { + lock_basic_init(&http2_response_buffer_count_lock); + http2_response_buffer_lock_inited = 1; + } +} + +void listen_desetup_locks(void) +{ + if(stream_wait_lock_inited) { + stream_wait_lock_inited = 0; + lock_basic_destroy(&stream_wait_count_lock); + } + if(http2_query_buffer_lock_inited) { + http2_query_buffer_lock_inited = 0; + lock_basic_destroy(&http2_query_buffer_count_lock); + } + if(http2_response_buffer_lock_inited) { + http2_response_buffer_lock_inited = 0; + lock_basic_destroy(&http2_response_buffer_count_lock); + } +} + struct listen_dnsport* listen_create(struct comm_base* base, struct listen_port* ports, size_t bufsize, int tcp_accept_count, int tcp_idle_timeout, 
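Review bot: listen_setup_locks and listen_desetup_locks test and set the `*_lock_inited` flags without any synchronisation, so they are only safe when called from one thread, before the first listener is created and after the last one is deleted. Neither the definitions nor the one-line comments in listen_dnsport.h say so, and the call sites are not part of this section. I would put the contract in the header comments: `/** setup the locks for the listen ports; call once from the main thread before listen_create */` and `/** destroy the locks for the listen ports; call once after all listen_delete calls have finished */`.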
@@ -1327,57 +1365,44 @@ listen_create(struct comm_base* base, struct listen_port* ports, free(front); return NULL; } - if(!stream_wait_lock_inited) { - lock_basic_init(&stream_wait_count_lock); - stream_wait_lock_inited = 1; - } - if(!http2_query_buffer_lock_inited) { - lock_basic_init(&http2_query_buffer_count_lock); - http2_query_buffer_lock_inited = 1; - } - if(!http2_response_buffer_lock_inited) { - lock_basic_init(&http2_response_buffer_count_lock); - http2_response_buffer_lock_inited = 1; - } /* create comm points as needed */ while(ports) { struct comm_point* cp = NULL; if(ports->ftype == listen_type_udp || - ports->ftype == listen_type_udp_dnscrypt) - cp = comm_point_create_udp(base, ports->fd, + ports->ftype == listen_type_udp_dnscrypt) { + cp = comm_point_create_udp(base, ports->fd, front->udp_buff, cb, cb_arg, ports->socket); - else if(ports->ftype == listen_type_tcp || - ports->ftype == listen_type_tcp_dnscrypt) - cp = comm_point_create_tcp(base, ports->fd, + } else if(ports->ftype == listen_type_tcp || + ports->ftype == listen_type_tcp_dnscrypt) { + cp = comm_point_create_tcp(base, ports->fd, tcp_accept_count, tcp_idle_timeout, harden_large_queries, 0, NULL, tcp_conn_limit, bufsize, front->udp_buff, ports->ftype, cb, cb_arg, ports->socket); - else if(ports->ftype == listen_type_ssl || + } else if(ports->ftype == listen_type_ssl || ports->ftype == listen_type_http) { - cp = comm_point_create_tcp(base, ports->fd, + cp = comm_point_create_tcp(base, ports->fd, tcp_accept_count, tcp_idle_timeout, harden_large_queries, http_max_streams, http_endpoint, tcp_conn_limit, bufsize, front->udp_buff, ports->ftype, cb, cb_arg, ports->socket); - if(http_notls && ports->ftype == listen_type_http) - cp->ssl = NULL; - else - cp->ssl = sslctx; if(ports->ftype == listen_type_http) { if(!sslctx && !http_notls) { - log_warn("HTTPS port configured, but no TLS " - "tls-service-key or tls-service-pem " - "set"); + log_warn("HTTPS port configured, but " + "no TLS tls-service-key 
or " + "tls-service-pem set"); } #ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB - if(!http_notls) - log_warn("Unbound is not compiled with an " - "OpenSSL version supporting ALPN " - " (OpenSSL >= 1.0.2). This is required " - "to use DNS-over-HTTPS"); + if(!http_notls) { + log_warn("Unbound is not compiled " + "with an OpenSSL version " + "supporting ALPN " + "(OpenSSL >= 1.0.2). This " + "is required to use " + "DNS-over-HTTPS"); + } #endif #ifndef HAVE_NGHTTP2_NGHTTP2_H log_warn("Unbound is not compiled with " @@ -1386,14 +1411,25 @@ listen_create(struct comm_base* base, struct listen_port* ports, #endif } } else if(ports->ftype == listen_type_udpancil || - ports->ftype == listen_type_udpancil_dnscrypt) - cp = comm_point_create_udp_ancil(base, ports->fd, + ports->ftype == listen_type_udpancil_dnscrypt) { + cp = comm_point_create_udp_ancil(base, ports->fd, front->udp_buff, cb, cb_arg, ports->socket); + } if(!cp) { - log_err("can't create commpoint"); + log_err("can't create commpoint"); listen_delete(front); return NULL; } + if((http_notls && ports->ftype == listen_type_http) || + (ports->ftype == listen_type_tcp) || + (ports->ftype == listen_type_udp) || + (ports->ftype == listen_type_udpancil) || + (ports->ftype == listen_type_tcp_dnscrypt) || + (ports->ftype == listen_type_udp_dnscrypt) || + (ports->ftype == listen_type_udpancil_dnscrypt)) + cp->ssl = NULL; + else + cp->ssl = sslctx; cp->dtenv = dtenv; cp->do_not_close = 1; #ifdef USE_DNSCRYPT 
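Review bot: The new `cp->ssl` assignment in listen_create lists every plain port type to get NULL, and everything else gets `sslctx`, including a listen_type_ssl port when `sslctx` itself is NULL. Only the listen_type_http case logs a warning for a missing context (previous hunk), so a TLS port without a context would end up with the same `cp->ssl = NULL` as a plain TCP port and say nothing about it. Whether that configuration is rejected before listen_create is called is not visible here. If it is, I would add `/* listen_type_ssl without sslctx is refused when the ports are opened */` above the else branch, and if it is not, the port should be refused or at least logged here. Moving the assignment after the `if(!cp)` test is good, since the old code dereferenced cp before the check.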
@@ -1454,18 +1490,6 @@ listen_delete(struct listen_dnsport* front) #endif sldns_buffer_free(front->udp_buff); free(front); - if(stream_wait_lock_inited) { - stream_wait_lock_inited = 0; - lock_basic_destroy(&stream_wait_count_lock); - } - if(http2_query_buffer_lock_inited) { - http2_query_buffer_lock_inited = 0; - lock_basic_destroy(&http2_query_buffer_count_lock); - } - if(http2_response_buffer_lock_inited) { - http2_response_buffer_lock_inited = 0; - lock_basic_destroy(&http2_response_buffer_count_lock); - } } #ifdef HAVE_GETIFADDRS 
@@ -1693,6 +1717,63 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, } /* create ip4 and ip6 ports so that return addresses are nice. */ if(do_auto || num_ifs == 0) { + if(do_auto && cfg->if_automatic_ports && + cfg->if_automatic_ports[0]!=0) { + char* now = cfg->if_automatic_ports; + while(now && *now) { + char* after; + int extraport; + while(isspace((unsigned char)*now)) + now++; + if(!*now) + break; + after = now; + extraport = (int)strtol(now, &after, 10); + if(extraport < 0 || extraport > 65535) { + log_err("interface-automatic-ports port number out of range, at position %d of '%s'", (int)(now-cfg->if_automatic_ports)+1, cfg->if_automatic_ports); + listening_ports_free(list); + return NULL; + } + if(extraport == 0 && now == after) { + log_err("interface-automatic-ports could not be parsed, at position %d of '%s'", (int)(now-cfg->if_automatic_ports)+1, cfg->if_automatic_ports); + listening_ports_free(list); + return NULL; + } + now = after; + snprintf(portbuf, sizeof(portbuf), "%d", extraport); + if(do_ip6) { + hints.ai_family = AF_INET6; + if(!ports_create_if("::0", + do_auto, cfg->do_udp, do_tcp, + &hints, portbuf, &list, + cfg->so_rcvbuf, cfg->so_sndbuf, + cfg->ssl_port, cfg->tls_additional_port, + cfg->https_port, reuseport, cfg->ip_transparent, + cfg->tcp_mss, cfg->ip_freebind, + cfg->http_nodelay, cfg->use_systemd, + cfg->dnscrypt_port, cfg->ip_dscp)) { + listening_ports_free(list); + return NULL; + } + } + if(do_ip4) { + hints.ai_family = AF_INET; + if(!ports_create_if("0.0.0.0", + do_auto, cfg->do_udp, do_tcp, + &hints, portbuf, &list, + cfg->so_rcvbuf, cfg->so_sndbuf, + cfg->ssl_port, cfg->tls_additional_port, + cfg->https_port, reuseport, cfg->ip_transparent, + cfg->tcp_mss, cfg->ip_freebind, + cfg->http_nodelay, cfg->use_systemd, + cfg->dnscrypt_port, cfg->ip_dscp)) { + listening_ports_free(list); + return NULL; + } + } + } + return list; + } if(do_ip6) { hints.ai_family = AF_INET6; if(!ports_create_if(do_auto?"::0":"::1", 
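Review bot: `extraport = (int)strtol(now, &after, 10);` narrows the long to int before the range test in the interface-automatic-ports loop. On platforms where long is wider than int a large value can come out of the cast as a number inside 0..65535 and pass the check. Keep the value as long until it has been validated: `long extraport;`, `extraport = strtol(now, &after, 10);` and `snprintf(portbuf, sizeof(portbuf), "%d", (int)extraport);`. The range test also accepts 0, which is probably not a port anyone intends to list, so `extraport < 1` may be the better lower bound. The two error messages are well over the line length used elsewhere in the function and could be wrapped.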
@@ -2477,6 +2558,10 @@ static int http2_query_read_done(struct http2_session* h2_session, "buffer already assigned to stream"); return -1; } + + /* the c->buffer might be used by mesh_send_reply and no be cleard + * need to be cleared before use */ + sldns_buffer_clear(h2_session->c->buffer); if(sldns_buffer_remaining(h2_session->c->buffer) < sldns_buffer_remaining(h2_stream->qbuffer)) { /* qbuffer will be free'd in frame close cb */ @@ -2606,7 +2691,7 @@ static int http2_req_begin_headers_cb(nghttp2_session* session, int ret; if(frame->hd.type != NGHTTP2_HEADERS || frame->headers.cat != NGHTTP2_HCAT_REQUEST) { - /* only interrested in request headers */ + /* only interested in request headers */ return 0; } if(!(h2_stream = http2_stream_create(frame->hd.stream_id))) { 
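Review bot: The comment added in http2_query_read_done is hard to read ("might be used by mesh_send_reply and no be cleard need to be cleared before use"), yet it explains the call that makes the following `sldns_buffer_remaining` comparison meaningful. I would reword it to `/* c->buffer may have been used by mesh_send_reply and not cleared since; clear it before checking the space left */`. The function starts and ends outside this hunk.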
@@ -2678,18 +2763,45 @@ static int http2_buffer_uri_query(struct http2_session* h2_session, return 0; } - if(!(b64len = sldns_b64url_pton( - (char const *)start, length, - sldns_buffer_current(h2_stream->qbuffer), - expectb64len)) || b64len < 0) { - lock_basic_lock(&http2_query_buffer_count_lock); - http2_query_buffer_count -= expectb64len; - lock_basic_unlock(&http2_query_buffer_count_lock); - sldns_buffer_free(h2_stream->qbuffer); - h2_stream->qbuffer = NULL; - /* return without error, method can be an - * unknown POST */ - return 1; + if(sldns_b64_contains_nonurl((char const*)start, length)) { + char buf[65536+4]; + verbose(VERB_ALGO, "HTTP2 stream contains wrong b64 encoding"); + /* copy to the scratch buffer temporarily to terminate the + * string with a zero */ + if(length+1 > sizeof(buf)) { + /* too long */ + lock_basic_lock(&http2_query_buffer_count_lock); + http2_query_buffer_count -= expectb64len; + lock_basic_unlock(&http2_query_buffer_count_lock); + sldns_buffer_free(h2_stream->qbuffer); + h2_stream->qbuffer = NULL; + return 1; + } + memmove(buf, start, length); + buf[length] = 0; + if(!(b64len = sldns_b64_pton(buf, sldns_buffer_current( + h2_stream->qbuffer), expectb64len)) || b64len < 0) { + lock_basic_lock(&http2_query_buffer_count_lock); + http2_query_buffer_count -= expectb64len; + lock_basic_unlock(&http2_query_buffer_count_lock); + sldns_buffer_free(h2_stream->qbuffer); + h2_stream->qbuffer = NULL; + return 1; + } + } else { + if(!(b64len = sldns_b64url_pton( + (char const *)start, length, + sldns_buffer_current(h2_stream->qbuffer), + expectb64len)) || b64len < 0) { + lock_basic_lock(&http2_query_buffer_count_lock); + http2_query_buffer_count -= expectb64len; + lock_basic_unlock(&http2_query_buffer_count_lock); + sldns_buffer_free(h2_stream->qbuffer); + h2_stream->qbuffer = NULL; + /* return without error, method can be an + * unknown POST */ + return 1; + } } sldns_buffer_skip(h2_stream->qbuffer, (size_t)b64len); return 1; 
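Review bot: The release sequence for the stream's query buffer (decrement http2_query_buffer_count under its lock, free qbuffer, set it to NULL) now appears three times in http2_buffer_uri_query, so any later change to the accounting has to be repeated in each copy or the counter drifts. A small static helper keeps it in one place; expectb64len is declared outside the hunk, so the parameter type below is a guess. Separately, `char buf[65536+4]` puts about 64 KiB on the stack for every request whose query value is not base64url, only to add a terminating zero. A comment on why that fits the worker stack, or a reused heap buffer, would help. The function starts before this hunk.
```c
/** give back the reserved query buffer space and drop the stream's qbuffer */
static void
http2_stream_release_qbuffer(struct http2_stream* h2_stream, size_t reserved)
{
	lock_basic_lock(&http2_query_buffer_count_lock);
	http2_query_buffer_count -= reserved;
	lock_basic_unlock(&http2_query_buffer_count_lock);
	sldns_buffer_free(h2_stream->qbuffer);
	h2_stream->qbuffer = NULL;
}

/* … unchanged: start of http2_buffer_uri_query, sldns_b64_contains_nonurl test … */
		if(length+1 > sizeof(buf)) {
			/* too long */
			http2_stream_release_qbuffer(h2_stream, expectb64len);
			return 1;
		}
/* … the two decode-failure branches call the helper the same way … */
```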
@@ -2707,7 +2819,7 @@ static int http2_req_header_cb(nghttp2_session* session, * the HEADER */ if(frame->hd.type != NGHTTP2_HEADERS || frame->headers.cat != NGHTTP2_HCAT_REQUEST) { - /* only interrested in request headers */ + /* only interested in request headers */ return 0; } if(!(h2_stream = nghttp2_session_get_stream_user_data(session, @@ -2803,7 +2915,7 @@ static int http2_req_header_cb(nghttp2_session* session, h2_stream->query_too_large = 1; return 0; } - /* guaranteed to only contian digits and be null terminated */ + /* guaranteed to only contain digits and be null terminated */ h2_stream->content_length = atoi((const char*)value); if(h2_stream->content_length > h2_session->c->http2_stream_max_qbuffer_size) { @@ -2843,7 +2955,7 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session), /* setting this to msg-buffer-size can result in a lot * of memory consuption. Most queries should fit in a * single DATA frame, and most POST queries will - * containt content-length which does not impose this + * contain content-length which does not impose this * limit. */ qlen = len; } diff --git a/services/listen_dnsport.h b/services/listen_dnsport.h index 1e51be9bf..0e63236bc 100644 --- a/services/listen_dnsport.h +++ b/services/listen_dnsport.h @@ -199,6 +199,11 @@ listen_create(struct comm_base* base, struct listen_port* ports, */ void listen_delete(struct listen_dnsport* listen); +/** setup the locks for the listen ports */ +void listen_setup_locks(void); +/** desetup the locks for the listen ports */ +void listen_desetup_locks(void); + /** * delete listen_list of commpoints. Calls commpointdelete() on items. * This may close the fds or not depending on flags. diff --git a/services/localzone.c b/services/localzone.c index fd2ff2bb6..3e3a71aea 100644 --- a/services/localzone.c +++ b/services/localzone.c 
@@ -56,6 +56,44 @@ * with 16 bytes for an A record, a 64K packet has about 4000 max */ #define LOCALZONE_RRSET_COUNT_MAX 4096 +/** print all RRsets in local zone */ +static void +local_zone_out(struct local_zone* z) +{ + struct local_data* d; + struct local_rrset* p; + RBTREE_FOR(d, struct local_data*, &z->data) { + for(p = d->rrsets; p; p = p->next) { + log_nametypeclass(NO_VERBOSE, "rrset", d->name, + ntohs(p->rrset->rk.type), + ntohs(p->rrset->rk.rrset_class)); + } + } +} + +static void +local_zone_print(struct local_zone* z) +{ + char buf[64]; + lock_rw_rdlock(&z->lock); + snprintf(buf, sizeof(buf), "%s zone", + local_zone_type2str(z->type)); + log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass); + local_zone_out(z); + lock_rw_unlock(&z->lock); +} + +void local_zones_print(struct local_zones* zones) +{ + struct local_zone* z; + lock_rw_rdlock(&zones->lock); + log_info("number of auth zones %u", (unsigned)zones->ztree.count); + RBTREE_FOR(z, struct local_zone*, &zones->ztree) { + local_zone_print(z); + } + lock_rw_unlock(&zones->lock); +} + struct local_zones* local_zones_create(void) { @@ -465,7 +503,7 @@ lz_find_create_node(struct local_zone* z, uint8_t* nm, size_t nmlen, /* Mark the SOA record for the zone. This only marks the SOA rrset; the data * for the RR is entered later on local_zone_enter_rr() as with the other - * records. An artifical soa_negative record with a modified TTL (minimum of + * records. An artificial soa_negative record with a modified TTL (minimum of * the TTL and the SOA.MINIMUM) is also created and marked for usage with * negative answers and to avoid allocations during those answers. */ static int 
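Review bot: local_zones_print logs `"number of auth zones %u"` although it prints the count of `zones->ztree`, which holds local zones. The text is carried over unchanged from the old location, and moving the function is a good moment to correct it to `log_info("number of local zones %u", (unsigned)zones->ztree.count);`, unless a test matches the old wording. The new helper local_zone_print has no doc comment while its neighbour local_zone_out does; `/** print one local zone: type, name and class, then its RRsets */` would match the file's style.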
@@ -745,9 +783,15 @@ static int lz_enter_zones(struct local_zones* zones, struct config_file* cfg) { struct config_str2list* p; +#ifndef THREADS_DISABLED struct local_zone* z; +#endif for(p = cfg->local_zones; p; p = p->next) { - if(!(z=lz_enter_zone(zones, p->str, p->str2, + if(!( +#ifndef THREADS_DISABLED + z= +#endif + lz_enter_zone(zones, p->str, p->str2, LDNS_RR_CLASS_IN))) return 0; lock_rw_unlock(&z->lock); @@ -892,6 +936,11 @@ int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg } lock_rw_unlock(&z->lock); } + /* home.arpa. zone (RFC 8375) */ + if(!add_empty_default(zones, cfg, "home.arpa.")) { + log_err("out of memory adding default zone"); + return 0; + } /* onion. zone (RFC 7686) */ if(!add_empty_default(zones, cfg, "onion.")) { log_err("out of memory adding default zone"); @@ -999,6 +1048,38 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg) lock_rw_rdlock(&zones->lock); if(!local_zones_lookup(zones, rr_name, len, labs, rr_class, rr_type)) { + /* Check if there is a zone that this could go + * under but for different class; created zones are + * always for LDNS_RR_CLASS_IN. Create the zone with + * a different class but the same configured + * local_zone_type. */ + struct local_zone* z = local_zones_lookup(zones, + rr_name, len, labs, LDNS_RR_CLASS_IN, rr_type); + if(z) { + uint8_t* name = memdup(z->name, z->namelen); + size_t znamelen = z->namelen; + int znamelabs = z->namelabs; + enum localzone_type ztype = z->type; + lock_rw_unlock(&zones->lock); + if(!name) { + log_err("out of memory"); + free(rr_name); + return 0; + } + if(!( +#ifndef THREADS_DISABLED + z = +#endif + lz_enter_zone_dname(zones, name, + znamelen, znamelabs, + ztype, rr_class))) { + free(rr_name); + return 0; + } + lock_rw_unlock(&z->lock); + free(rr_name); + continue; + } if(!have_name) { dclass = rr_class; nm = rr_name; 
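Review bot: Splicing `#ifndef THREADS_DISABLED` / `z=` / `#endif` into the middle of the `if(!( … ))` expression in lz_enter_zones makes the condition hard to read and easy to break on the next edit. The same construct is repeated in the two lz_setup_implicit hunks. It also relies on `lock_rw_unlock(&z->lock)` expanding to nothing when threads are disabled, which is presumably the case but is defined elsewhere. I would keep the declaration and the assignment unconditional and silence the unused-variable warning once, with `(void)z;` after the unlock, or at least add `/* z is only needed for the unlock, which is compiled out without threads */`.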
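Review bot: In the new lz_setup_implicit block the copy made with `memdup(z->name, z->namelen)` is handed to lz_enter_zone_dname, and the failure path frees only `rr_name`. That is correct only if lz_enter_zone_dname takes ownership of `name` on failure as well as on success, which is not visible in this hunk; otherwise the copy leaks. Once confirmed, a comment at the call would settle it for the next reader: `/* lz_enter_zone_dname owns name from here on, also when it fails */`. The block also reads `z->name`, `z->namelen`, `z->namelabs` and `z->type` while holding only `zones->lock`, which deserves a note that this runs during configuration setup, if that is the assumption.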
@@ -1027,7 +1108,9 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg) } if(have_name) { uint8_t* n2; +#ifndef THREADS_DISABLED struct local_zone* z; +#endif /* allocate zone of smallest shared topdomain to contain em */ n2 = nm; dname_remove_labels(&n2, &nmlen, nmlabs - match); @@ -1039,7 +1122,11 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg) } log_nametypeclass(VERB_ALGO, "implicit transparent local-zone", n2, 0, dclass); - if(!(z=lz_enter_zone_dname(zones, n2, nmlen, match, + if(!( +#ifndef THREADS_DISABLED + z= +#endif + lz_enter_zone_dname(zones, n2, nmlen, match, local_zone_transparent, dclass))) { return 0; } @@ -1203,38 +1290,6 @@ local_zones_find_le(struct local_zones* zones, return (struct local_zone*)node; } -/** print all RRsets in local zone */ -static void -local_zone_out(struct local_zone* z) -{ - struct local_data* d; - struct local_rrset* p; - RBTREE_FOR(d, struct local_data*, &z->data) { - for(p = d->rrsets; p; p = p->next) { - log_nametypeclass(NO_VERBOSE, "rrset", d->name, - ntohs(p->rrset->rk.type), - ntohs(p->rrset->rk.rrset_class)); - } - } -} - -void local_zones_print(struct local_zones* zones) -{ - struct local_zone* z; - lock_rw_rdlock(&zones->lock); - log_info("number of auth zones %u", (unsigned)zones->ztree.count); - RBTREE_FOR(z, struct local_zone*, &zones->ztree) { - char buf[64]; - lock_rw_rdlock(&z->lock); - snprintf(buf, sizeof(buf), "%s zone", - local_zone_type2str(z->type)); - log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass); - local_zone_out(z); - lock_rw_unlock(&z->lock); - } - lock_rw_unlock(&zones->lock); -} - /** encode answer consisting of 1 rrset */ static int local_encode(struct query_info* qinfo, struct module_env* env, 
@@ -1282,7 +1337,7 @@ local_error_encode(struct query_info* qinfo, struct module_env* env, if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL, rcode, edns, repinfo, temp, env->now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(buf, r, qinfo, *(uint16_t*)sldns_buffer_begin(buf), sldns_buffer_read_u16_at(buf, 2), edns); } @@ -1509,7 +1564,7 @@ local_data_answer(struct local_zone* z, struct module_env* env, /* write qname */ memmove(d->rr_data[0] + sizeof(uint16_t), qinfo->qname, qinfo->qname_len - 1); - /* write cname target wilcard wildcard label */ + /* write cname target wildcard label */ memmove(d->rr_data[0] + sizeof(uint16_t) + qinfo->qname_len - 1, ctarget + 2, ctargetlen - 2); @@ -1558,6 +1613,15 @@ local_zone_does_not_cover(struct local_zone* z, struct query_info* qinfo, return (lr == NULL); } +static inline int +local_zone_is_udp_query(struct comm_reply* repinfo) { + return repinfo != NULL + ? (repinfo->c != NULL + ? repinfo->c->type == comm_udp + : 0) + : 0; +} + int local_zones_zone_answer(struct local_zone* z, struct module_env* env, struct query_info* qinfo, struct edns_data* edns, @@ -1580,7 +1644,9 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env, lz_type == local_zone_redirect || lz_type == local_zone_inform_redirect || lz_type == local_zone_always_nxdomain || - lz_type == local_zone_always_nodata) { + lz_type == local_zone_always_nodata || + (lz_type == local_zone_truncate + && local_zone_is_udp_query(repinfo))) { /* for static, reply nodata or nxdomain * for redirect, reply nodata */ /* no additional section processing, 
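Review bot: local_zone_is_udp_query spells a plain conjunction as two nested conditional expressions and has no doc comment, unlike the other static helpers in the file. `return repinfo != NULL && repinfo->c != NULL && repinfo->c->type == comm_udp;` says the same thing in one line. I would add `/** true if the query arrived over UDP; false if repinfo or its comm point is absent */` above it, since the false-on-missing-repinfo case decides whether the truncate zone type applies.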
@@ -1590,9 +1656,11 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env, */ int rcode = (ld || lz_type == local_zone_redirect || lz_type == local_zone_inform_redirect || - lz_type == local_zone_always_nodata)? + lz_type == local_zone_always_nodata || + lz_type == local_zone_truncate)? LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN; - if(z->soa && z->soa_negative) + rcode = (lz_type == local_zone_truncate ? (rcode|BIT_TC) : rcode); + if(z != NULL && z->soa && z->soa_negative) return local_encode(qinfo, env, edns, repinfo, buf, temp, z->soa_negative, 0, rcode); local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode, @@ -1649,7 +1717,7 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env, * does not, then we should make this noerror/nodata */ if(ld && ld->rrsets) { int rcode = LDNS_RCODE_NOERROR; - if(z->soa && z->soa_negative) + if(z != NULL && z->soa && z->soa_negative) return local_encode(qinfo, env, edns, repinfo, buf, temp, z->soa_negative, 0, rcode); local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode, @@ -1848,6 +1916,7 @@ const char* local_zone_type2str(enum localzone_type t) case local_zone_always_deny: return "always_deny"; case local_zone_always_null: return "always_null"; case local_zone_noview: return "noview"; + case local_zone_truncate: return "truncate"; case local_zone_invalid: return "invalid"; } return "badtyped"; @@ -1887,6 +1956,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t) *t = local_zone_always_null; else if(strcmp(type, "noview") == 0) *t = local_zone_noview; + else if(strcmp(type, "truncate") == 0) + *t = local_zone_truncate; else if(strcmp(type, "nodefault") == 0) *t = local_zone_nodefault; else return 0; diff --git a/services/localzone.h b/services/localzone.h index 3da5c8754..19534f750 100644 --- a/services/localzone.h +++ b/services/localzone.h 
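Review bot: After `rcode = (lz_type == local_zone_truncate ? (rcode|BIT_TC) : rcode);` the variable named rcode carries a header flag, and it is then passed as the rcode argument to local_encode and local_error_encode. This sets TC only if both callees OR the value into the flags word instead of masking it to the rcode bits, and that is decided outside this hunk. Once that has been checked, I would record it at the assignment, for example `/* BIT_TC rides along in rcode; the encode helpers OR it into the header flags */`, or carry the flag in a separate variable. The enclosing function starts and ends outside the hunk.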
@@ -101,6 +101,8 @@ enum localzone_type { local_zone_always_null, /** answer not from the view, but global or no-answer */ local_zone_noview, + /** truncate the response; client should retry via tcp */ + local_zone_truncate, /** Invalid type, cannot be used to generate answer */ local_zone_invalid }; @@ -158,7 +160,7 @@ struct local_zone { rbtree_type data; /** if data contains zone apex SOA data, this is a ptr to it. */ struct ub_packed_rrset_key* soa; - /** if data contains zone apex SOA data, this is a prt to an + /** if data contains zone apex SOA data, this is a ptr to an * artificial negative SOA rrset (TTL is the minimum of the TTL and the * SOA.MINIMUM). */ struct ub_packed_rrset_key* soa_negative; @@ -255,7 +257,7 @@ void local_zone_delete(struct local_zone* z); * @param dclass: class to lookup. * @param dtype: type to lookup, if type DS a zone higher is used for zonecuts. * @param taglist: taglist to lookup. - * @param taglen: lenth of taglist. + * @param taglen: length of taglist. * @param ignoretags: lookup zone by name and class, regardless the * local-zone's tags. * @return closest local_zone or NULL if no covering zone is found. @@ -563,6 +565,8 @@ enum respip_action { respip_always_nodata = local_zone_always_nodata, /** answer with nodata response */ respip_always_deny = local_zone_always_deny, + /** RPZ: truncate answer in order to force switch to tcp */ + respip_truncate = local_zone_truncate, /* The rest of the values are only possible as * access-control-tag-action */ diff --git a/services/mesh.c b/services/mesh.c index 88b3d15d0..4b022d47f 100644 --- a/services/mesh.c +++ b/services/mesh.c @@ -99,7 +99,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d) { #ifndef S_SPLINT_S size_t leftover; - if(d == 0) { + if(d <= 0) { avg->tv_sec = 0; avg->tv_usec = 0; return; 
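Review bot: Both values tested against zero in `timeval_divide` are `size_t`, so neither new check can ever see a negative number: `if(d <= 0)` in the `@@ -99,7 +99,7 @@` hunk is equivalent to the old `d == 0`, and `if(leftover <= 0) leftover = 0;` in the following `@@ -108,7 +108,13 @@` hunk only rewrites zero to zero. If the subtraction `sum->tv_sec - avg->tv_sec*d` comes out negative, it wraps to a very large unsigned value before the clamp runs, and the `(long long)` cast then feeds that value into `tv_usec`. Declaring the temporary signed, `long long leftover;`, and testing `if(leftover < 0) leftover = 0;` would make the clamp effective. The later `tv_sec`/`tv_usec` clamps can stay as they are.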
@@ -108,7 +108,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d) avg->tv_usec = sum->tv_usec / d; /* handle fraction from seconds divide */ leftover = sum->tv_sec - avg->tv_sec*d; - avg->tv_usec += (leftover*1000000)/d; + if(leftover <= 0) + leftover = 0; + avg->tv_usec += (((long long)leftover)*((long long)1000000))/d; + if(avg->tv_sec < 0) + avg->tv_sec = 0; + if(avg->tv_usec < 0) + avg->tv_usec = 0; #endif } @@ -433,7 +439,7 @@ mesh_serve_expired_init(struct mesh_state* mstate, int timeout) mstate->s.serve_expired_data->get_cached_answer = mstate->s.serve_expired_data->get_cached_answer? mstate->s.serve_expired_data->get_cached_answer: - mesh_serve_expired_lookup; + &mesh_serve_expired_lookup; /* In case this timer already popped, start it again */ if(!mstate->s.serve_expired_data->timer) { @@ -452,10 +458,11 @@ mesh_serve_expired_init(struct mesh_state* mstate, int timeout) void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo, struct respip_client_info* cinfo, uint16_t qflags, - struct edns_data* edns, struct comm_reply* rep, uint16_t qid) + struct edns_data* edns, struct comm_reply* rep, uint16_t qid, + int rpz_passthru) { struct mesh_state* s = NULL; - int unique = unique_mesh_state(edns->opt_list, mesh->env); + int unique = unique_mesh_state(edns->opt_list_in, mesh->env); int was_detached = 0; int was_noreply = 0; int added = 0; @@ -499,7 +506,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo, log_err("mesh_state_create: out of memory; SERVFAIL"); if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(r_buffer, LDNS_RCODE_SERVFAIL, qinfo, qid, qflags, edns); comm_point_send_reply(rep); 
@@ -507,15 +514,16 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo, } if(unique) mesh_state_make_unique(s); + s->s.rpz_passthru = rpz_passthru; /* copy the edns options we got from the front */ - if(edns->opt_list) { - s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list, + if(edns->opt_list_in) { + s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list_in, s->s.region); if(!s->s.edns_opts_front_in) { log_err("mesh_state_create: out of memory; SERVFAIL"); if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(r_buffer, LDNS_RCODE_SERVFAIL, qinfo, qid, qflags, edns); comm_point_send_reply(rep); @@ -588,7 +596,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo, servfail_mem: if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, &s->s, NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(r_buffer, LDNS_RCODE_SERVFAIL, qinfo, qid, qflags, edns); comm_point_send_reply(rep); @@ -600,10 +608,10 @@ servfail_mem: int mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo, uint16_t qflags, struct edns_data* edns, sldns_buffer* buf, - uint16_t qid, mesh_cb_func_type cb, void* cb_arg) + uint16_t qid, mesh_cb_func_type cb, void* cb_arg, int rpz_passthru) { struct mesh_state* s = NULL; - int unique = unique_mesh_state(edns->opt_list, mesh->env); + int unique = unique_mesh_state(edns->opt_list_in, mesh->env); int timeout = mesh->env->cfg->serve_expired? mesh->env->cfg->serve_expired_client_timeout:0; int was_detached = 0; 
@@ -626,8 +634,9 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo, } if(unique) mesh_state_make_unique(s); - if(edns->opt_list) { - s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list, + s->s.rpz_passthru = rpz_passthru; + if(edns->opt_list_in) { + s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list_in, s->s.region); if(!s->s.edns_opts_front_in) { return 0; @@ -680,7 +689,8 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo, * 0 (false), in which case the new state is only made runnable so it * will not be run recursively on top of the current state. */ static void mesh_schedule_prefetch(struct mesh_area* mesh, - struct query_info* qinfo, uint16_t qflags, time_t leeway, int run) + struct query_info* qinfo, uint16_t qflags, time_t leeway, int run, + int rpz_passthru) { struct mesh_state* s = mesh_area_find(mesh, NULL, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0); @@ -735,6 +745,7 @@ static void mesh_schedule_prefetch(struct mesh_area* mesh, s->list_select = mesh_jostle_list; } } + s->s.rpz_passthru = rpz_passthru; if(!run) { #ifdef UNBOUND_DEBUG @@ -751,9 +762,9 @@ static void mesh_schedule_prefetch(struct mesh_area* mesh, } void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo, - uint16_t qflags, time_t leeway) + uint16_t qflags, time_t leeway, int rpz_passthru) { - mesh_schedule_prefetch(mesh, qinfo, qflags, leeway, 1); + mesh_schedule_prefetch(mesh, qinfo, qflags, leeway, 1, rpz_passthru); } void mesh_report_reply(struct mesh_area* mesh, struct outbound_entry* e, 
@@ -1139,11 +1150,11 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep, if(rcode == LDNS_RCODE_SERVFAIL) { if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode, &r->edns, NULL, m->s.region, start_time)) - r->edns.opt_list = NULL; + r->edns.opt_list_inplace_cb_out = NULL; } else { if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode, &r->edns, NULL, m->s.region, start_time)) - r->edns.opt_list = NULL; + r->edns.opt_list_inplace_cb_out = NULL; } fptr_ok(fptr_whitelist_mesh_cb(r->cb)); (*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL, @@ -1177,6 +1188,22 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep, m->s.env->mesh->num_reply_addrs--; } +static inline int +mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m) +{ + struct respip_action_info const* respip_info = m->s.respip_action_info; + return respip_info == NULL + ? 0 + : (respip_info->rpz_used + && !respip_info->rpz_disabled + && respip_info->action == respip_truncate); +} + +static inline int +mesh_is_udp(struct mesh_reply const* r) { + return r->query_reply.c->type == comm_udp; +} + /** * Send reply to mesh reply entry * @param m: mesh state to send it for. 
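Review bot: `mesh_is_udp` in the `@@ -1177,6 +1188,22 @@` hunk dereferences `r->query_reply.c` unconditionally, whereas the equivalent helper this commit adds to services/localzone.c (`local_zone_is_udp_query`) checks both the reply info and its comm point for NULL first. If a mesh reply can never have a NULL comm point, say so in a doc comment, e.g. `/** true if the reply goes out over UDP; r->query_reply.c must be non-NULL */`. Otherwise add the guard: `return r->query_reply.c != NULL && r->query_reply.c->type == comm_udp;`. `mesh_is_rpz_respip_tcponly_action` would also benefit from a one-line `/** ... */` stating that it is true only when RPZ was used, is not disabled, and selected the truncate action.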
@@ -1195,15 +1222,17 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep, struct timeval end_time; struct timeval duration; int secure; - /* Copy the client's EDNS for later restore, to make sure the edns - * compare is with the correct edns options. */ - struct edns_data edns_bak = r->edns; /* briefly set the replylist to null in case the * meshsendreply calls tcpreqinfo sendreply that * comm_point_drops because of size, and then the * null stops the mesh state remove and thus * reply_list modification and accounting */ struct mesh_reply* rlist = m->reply_list; + + /* rpz: apply actions */ + rcode = mesh_is_udp(r) && mesh_is_rpz_respip_tcponly_action(m) + ? (rcode|BIT_TC) : rcode; + /* examine security status */ if(m->s.env->need_to_validate && (!(r->qflags&BIT_CD) || m->s.env->cfg->ignore_cd) && rep && @@ -1242,8 +1271,9 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep, prev->edns.edns_present == r->edns.edns_present && prev->edns.bits == r->edns.bits && prev->edns.udp_size == r->edns.udp_size && - edns_opt_list_compare(prev->edns.opt_list, r->edns.opt_list) - == 0) { + edns_opt_list_compare(prev->edns.opt_list_out, r->edns.opt_list_out) == 0 && + edns_opt_list_compare(prev->edns.opt_list_inplace_cb_out, r->edns.opt_list_inplace_cb_out) == 0 + ) { /* if the previous reply is identical to this one, fix ID */ if(prev_buffer != r_buffer) sldns_buffer_copy(r_buffer, prev_buffer); 
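Review bot: ORing `BIT_TC` into `rcode` at the top of `mesh_send_reply` (`@@ -1195,15 +1222,17 @@` hunk) changes what the later equality tests on `rcode` see. The `@@ -1259,11 +1289,11 @@` hunk shows `if(rcode == LDNS_RCODE_SERVFAIL)` choosing between `inplace_cb_reply_servfail_call` and `inplace_cb_reply_call`. Unless `rcode` is reassigned in lines not shown, a SERVFAIL for a UDP client under the truncate action would take the non-servfail branch, and the callback would receive a value with the flag bit in it. Comparing on the masked value, `if(FLAGS_GET_RCODE(rcode) == LDNS_RCODE_SERVFAIL)`, or keeping the TC decision in its own local until `error_encode`, avoids that. The function body continues outside this hunk, so other uses of `rcode` should be checked as well.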
@@ -1259,11 +1289,11 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep, if(rcode == LDNS_RCODE_SERVFAIL) { if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode, &r->edns, &r->query_reply, m->s.region, &r->start_time)) - r->edns.opt_list = NULL; + r->edns.opt_list_inplace_cb_out = NULL; } else { if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode, &r->edns, &r->query_reply, m->s.region, &r->start_time)) - r->edns.opt_list = NULL; + r->edns.opt_list_inplace_cb_out = NULL; } error_encode(r_buffer, rcode, &m->s.qinfo, r->qid, r->qflags, &r->edns); @@ -1280,9 +1310,6 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep, m->s.qinfo.local_alias = r->local_alias; if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, LDNS_RCODE_NOERROR, &r->edns, &r->query_reply, m->s.region, &r->start_time) || - !apply_edns_options(&r->edns, &edns_bak, - m->s.env->cfg, r->query_reply.c, - m->s.region) || !reply_info_answer_encode(&m->s.qinfo, rep, r->qid, r->qflags, r_buffer, 0, 1, m->s.env->scratch, udp_size, &r->edns, (int)(r->edns.bits & EDNS_DO), @@ -1290,11 +1317,10 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep, { if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s, rep, LDNS_RCODE_SERVFAIL, &r->edns, &r->query_reply, m->s.region, &r->start_time)) - r->edns.opt_list = NULL; + r->edns.opt_list_inplace_cb_out = NULL; error_encode(r_buffer, LDNS_RCODE_SERVFAIL, &m->s.qinfo, r->qid, r->qflags, &r->edns); } - r->edns = edns_bak; m->reply_list = NULL; comm_point_send_reply(&r->query_reply); m->reply_list = rlist; 
@@ -1340,7 +1366,7 @@ void mesh_query_done(struct mesh_state* mstate) } if(mstate->s.return_rcode == LDNS_RCODE_SERVFAIL || (rep && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_SERVFAIL)) { - /* we are SERVFAILing; check for expired asnwer here */ + /* we are SERVFAILing; check for expired answer here */ mesh_serve_expired_callback(mstate); if((mstate->reply_list || mstate->cb_list) && mstate->s.env->cfg->log_servfail @@ -1482,12 +1508,15 @@ int mesh_state_add_cb(struct mesh_state* s, struct edns_data* edns, r->cb = cb; r->cb_arg = cb_arg; r->edns = *edns; - if(edns->opt_list) { - r->edns.opt_list = edns_opt_copy_region(edns->opt_list, - s->s.region); - if(!r->edns.opt_list) - return 0; - } + if(edns->opt_list_in && !(r->edns.opt_list_in = + edns_opt_copy_region(edns->opt_list_in, s->s.region))) + return 0; + if(edns->opt_list_out && !(r->edns.opt_list_out = + edns_opt_copy_region(edns->opt_list_out, s->s.region))) + return 0; + if(edns->opt_list_inplace_cb_out && !(r->edns.opt_list_inplace_cb_out = + edns_opt_copy_region(edns->opt_list_inplace_cb_out, s->s.region))) + return 0; r->qid = qid; r->qflags = qflags; r->next = s->cb_list; @@ -1506,12 +1535,15 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns, return 0; r->query_reply = *rep; r->edns = *edns; - if(edns->opt_list) { - r->edns.opt_list = edns_opt_copy_region(edns->opt_list, - s->s.region); - if(!r->edns.opt_list) - return 0; - } + if(edns->opt_list_in && !(r->edns.opt_list_in = + edns_opt_copy_region(edns->opt_list_in, s->s.region))) + return 0; + if(edns->opt_list_out && !(r->edns.opt_list_out = + edns_opt_copy_region(edns->opt_list_out, s->s.region))) + return 0; + if(edns->opt_list_inplace_cb_out && !(r->edns.opt_list_inplace_cb_out = + edns_opt_copy_region(edns->opt_list_inplace_cb_out, s->s.region))) + return 0; r->qid = qid; r->qflags = qflags; r->start_time = *s->s.env->now_tv; 
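Review bot: The three option-list copies in `mesh_state_add_cb` (`@@ -1482,12 +1508,15 @@` hunk) fold the assignment into the condition, `if(edns->opt_list_in && !(r->edns.opt_list_in = edns_opt_copy_region(...)))`, and the same three statements are repeated in `mesh_state_add_reply` in the next hunk. That leaves six places to keep in step whenever a list is added to `struct edns_data`. A small static helper that deep-copies the three lists into the region and returns 0 on allocation failure, called from both functions, would keep the copy logic in one place and let each assignment stand on its own line. Both function bodies start outside their hunks.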
@@ -1557,7 +1589,7 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns, return 0; /* the rrset is not packed, like in the cache, but it is - * individualy allocated with an allocator from localzone. */ + * individually allocated with an allocator from localzone. */ d = regional_alloc_zero(s->s.region, sizeof(*d)); if(!d) return 0; @@ -1666,6 +1698,7 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate, if(mstate->s.curmod == 0) { struct query_info* qinfo = NULL; uint16_t qflags; + int rpz_p = 0; mesh_query_done(mstate); mesh_walk_supers(mesh, mstate); @@ -1674,13 +1707,15 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate, * from an external DNS server, we'll need to schedule * a prefetch after removing the current state, so * we need to make a copy of the query info here. */ - if(mstate->s.need_refetch) + if(mstate->s.need_refetch) { mesh_copy_qinfo(mstate, &qinfo, &qflags); + rpz_p = mstate->s.rpz_passthru; + } mesh_state_delete(&mstate->s); if(qinfo) { mesh_schedule_prefetch(mesh, qinfo, qflags, - 0, 1); + 0, 1, rpz_p); } return 0; } @@ -1890,7 +1925,7 @@ apply_respip_action(struct module_qstate* qstate, return 1; if(!respip_rewrite_reply(qinfo, cinfo, rep, encode_repp, actinfo, - alias_rrset, 0, qstate->region, az)) + alias_rrset, 0, qstate->region, az, NULL)) return 0; /* xxx_deny actions mean dropping the reply, unless the original reply @@ -1940,7 +1975,7 @@ mesh_serve_expired_callback(void* arg) while(1) { fptr_ok(fptr_whitelist_serve_expired_lookup( qstate->serve_expired_data->get_cached_answer)); - msg = qstate->serve_expired_data->get_cached_answer(qstate, + msg = (*qstate->serve_expired_data->get_cached_answer)(qstate, lookup_qinfo); if(!msg) return; diff --git a/services/mesh.h b/services/mesh.h index d0a4b5fb3..526e679fe 100644 --- a/services/mesh.h +++ b/services/mesh.h 
@@ -296,10 +296,13 @@ void mesh_delete(struct mesh_area* mesh); * @param edns: edns data from client query. * @param rep: where to reply to. * @param qid: query id to reply with. + * @param rpz_passthru: if true, the rpz passthru was previously found and + * further rpz processing is stopped. */ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo, struct respip_client_info* cinfo, uint16_t qflags, - struct edns_data* edns, struct comm_reply* rep, uint16_t qid); + struct edns_data* edns, struct comm_reply* rep, uint16_t qid, + int rpz_passthru); /** * New query with callback. Create new query state if needed, and @@ -314,11 +317,13 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo, * @param qid: query id to reply with. * @param cb: callback function. * @param cb_arg: callback user arg. + * @param rpz_passthru: if true, the rpz passthru was previously found and + * further rpz processing is stopped. * @return 0 on error. */ int mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo, uint16_t qflags, struct edns_data* edns, struct sldns_buffer* buf, - uint16_t qid, mesh_cb_func_type cb, void* cb_arg); + uint16_t qid, mesh_cb_func_type cb, void* cb_arg, int rpz_passthru); /** * New prefetch message. Create new query state if needed. @@ -328,9 +333,11 @@ int mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo, * @param qinfo: query from client. * @param qflags: flags from client query. * @param leeway: TTL leeway what to expire earlier for this update. + * @param rpz_passthru: if true, the rpz passthru was previously found and + * further rpz processing is stopped. */ void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo, - uint16_t qflags, time_t leeway); + uint16_t qflags, time_t leeway, int rpz_passthru); /** * Handle new event from the wire. A serviced query has returned. diff --git a/services/outbound_list.h b/services/outbound_list.h index ad59e42d1..73c137d50 100644 
--- a/services/outbound_list.h +++ b/services/outbound_list.h @@ -79,7 +79,7 @@ void outbound_list_init(struct outbound_list* list); * Clear the user owner outbound list structure. * Deletes serviced queries. * @param list: the list structure. It is cleared, but the list struct itself - * is callers responsability to delete. + * is callers responsibility to delete. */ void outbound_list_clear(struct outbound_list* list); diff --git a/services/outside_network.c b/services/outside_network.c index 9769b7602..4578bf8fc 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -90,10 +90,20 @@ static int randomize_and_send_udp(struct pending* pend, sldns_buffer* packet, static void waiting_list_remove(struct outside_network* outnet, struct waiting_tcp* w); -/** remove reused element from tree and lru list */ -static void reuse_tcp_remove_tree_list(struct outside_network* outnet, +/** select a DNS ID for a TCP stream */ +static uint16_t tcp_select_id(struct outside_network* outnet, struct reuse_tcp* reuse); +/** Perform serviced query UDP sending operation */ +static int serviced_udp_send(struct serviced_query* sq, sldns_buffer* buff); + +/** Send serviced query over TCP return false on initial failure */ +static int serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff); + +/** call the callbacks for a serviced query */ +static void serviced_callbacks(struct serviced_query* sq, int error, + struct comm_point* c, struct comm_reply* rep); + int pending_cmp(const void* key1, const void* key2) { 
@@ -238,7 +248,14 @@ pick_outgoing_tcp(struct pending_tcp* pend, struct waiting_tcp* w, int s) ((struct sockaddr_in6*)&pi->addr)->sin6_port = 0; else ((struct sockaddr_in*)&pi->addr)->sin_port = 0; if(bind(s, (struct sockaddr*)&pi->addr, pi->addrlen) != 0) { - log_err("outgoing tcp: bind: %s", sock_strerror(errno)); +#ifndef USE_WINSOCK +#ifdef EADDRNOTAVAIL + if(!(verbosity < 4 && errno == EADDRNOTAVAIL)) +#endif +#else /* USE_WINSOCK */ + if(!(verbosity < 4 && WSAGetLastError() == WSAEADDRNOTAVAIL)) +#endif + log_err("outgoing tcp: bind: %s", sock_strerror(errno)); sock_close(s); return 0; } @@ -340,6 +357,8 @@ log_reuse_tcp(enum verbosity_value v, const char* msg, struct reuse_tcp* reuse) uint16_t port; char addrbuf[128]; if(verbosity < v) return; + if(!reuse || !reuse->pending || !reuse->pending->c) + return; addr_to_str(&reuse->addr, reuse->addrlen, addrbuf, sizeof(addrbuf)); port = ntohs(((struct sockaddr_in*)&reuse->addr)->sin_port); verbose(v, "%s %s#%u fd %d", msg, addrbuf, (unsigned)port, @@ -359,6 +378,8 @@ static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse) w->write_wait_next->write_wait_prev = NULL; else reuse->write_wait_last = NULL; w->write_wait_queued = 0; + w->write_wait_next = NULL; + w->write_wait_prev = NULL; return w; } @@ -366,6 +387,8 @@ static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse) static void reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w) { + log_assert(w); + log_assert(w->write_wait_queued); if(!w) return; if(!w->write_wait_queued) 
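Review bot: In the `pick_outgoing_tcp` hunk (`@@ -238,7 +248,14 @@`) the new `if(...)` lines sit inside the `#ifndef USE_WINSOCK`/`#ifdef EADDRNOTAVAIL` branches, while the un-braced `log_err(...)` they govern comes after the final `#endif`. Which statement is conditional therefore depends on the preprocessor configuration, and a later edit can easily break it. Computing the decision into a local first and then writing one braced statement, `if(log_bind_failure) { log_err("outgoing tcp: bind: %s", sock_strerror(errno)); }`, keeps the control flow visible. The literal `4` would read better as the named `enum verbosity_value` constant it stands for. A short comment should also say that address-not-available bind failures are deliberately hidden below that level, since an operator diagnosing failed outgoing TCP will otherwise find nothing in the log.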
@@ -373,10 +396,16 @@ static void reuse_write_wait_remove(struct reuse_tcp* reuse, if(w->write_wait_prev) w->write_wait_prev->write_wait_next = w->write_wait_next; else reuse->write_wait_first = w->write_wait_next; + log_assert(!w->write_wait_prev || + w->write_wait_prev->write_wait_next != w->write_wait_prev); if(w->write_wait_next) w->write_wait_next->write_wait_prev = w->write_wait_prev; else reuse->write_wait_last = w->write_wait_prev; + log_assert(!w->write_wait_next + || w->write_wait_next->write_wait_prev != w->write_wait_next); w->write_wait_queued = 0; + w->write_wait_next = NULL; + w->write_wait_prev = NULL; } /** push the element after the last on the writewait list */ @@ -387,6 +416,8 @@ static void reuse_write_wait_push_back(struct reuse_tcp* reuse, log_assert(!w->write_wait_queued); if(reuse->write_wait_last) { reuse->write_wait_last->write_wait_next = w; + log_assert(reuse->write_wait_last->write_wait_next != + reuse->write_wait_last); w->write_wait_prev = reuse->write_wait_last; } else { reuse->write_wait_first = w; @@ -399,9 +430,18 @@ static void reuse_write_wait_push_back(struct reuse_tcp* reuse, void reuse_tree_by_id_insert(struct reuse_tcp* reuse, struct waiting_tcp* w) { +#ifdef UNBOUND_DEBUG + rbnode_type* added; +#endif log_assert(w->id_node.key == NULL); w->id_node.key = w; +#ifdef UNBOUND_DEBUG + added = +#else + (void) +#endif rbtree_insert(&reuse->tree_by_id, &w->id_node); + log_assert(added); /* should have been added */ } /** find element in tree by id */ 
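Review bot: In `reuse_tree_by_id_insert` (`@@ -399,9 +430,18 @@` hunk) the result of `rbtree_insert` is only examined under `UNBOUND_DEBUG`. In other builds it is cast to `void`, so a failed insert leaves `w->id_node.key` set while `w` is not in `tree_by_id`. Since this tree appears to track the outstanding queries on a shared TCP stream by ID, a miss here deserves a log line in every build, in the style `reuse_tcp_insert` already uses: `if(!rbtree_insert(&reuse->tree_by_id, &w->id_node)) log_err("internal error: reuse_tree_by_id_insert: id already in tree");`. That also removes the `#ifdef` split around a single call. `reuse_tree_by_id_delete` in a later hunk uses the same debug-only pattern for `rbtree_delete`.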
@@ -427,34 +467,45 @@ tree_by_id_get_id(rbnode_type* node) } /** insert into reuse tcp tree and LRU, false on failure (duplicate) */ -static int +int reuse_tcp_insert(struct outside_network* outnet, struct pending_tcp* pend_tcp) { log_reuse_tcp(VERB_CLIENT, "reuse_tcp_insert", &pend_tcp->reuse); if(pend_tcp->reuse.item_on_lru_list) { if(!pend_tcp->reuse.node.key) - log_err("internal error: reuse_tcp_insert: on lru list without key"); + log_err("internal error: reuse_tcp_insert: " + "in lru list without key"); return 1; } pend_tcp->reuse.node.key = &pend_tcp->reuse; pend_tcp->reuse.pending = pend_tcp; if(!rbtree_insert(&outnet->tcp_reuse, &pend_tcp->reuse.node)) { - /* this is a duplicate connection, close this one */ - verbose(VERB_CLIENT, "reuse_tcp_insert: duplicate connection"); - pend_tcp->reuse.node.key = NULL; - return 0; + /* We are not in the LRU list but we are already in the + * tcp_reuse tree, strange. + * Continue to add ourselves to the LRU list. */ + log_err("internal error: reuse_tcp_insert: in lru list but " + "not in the tree"); } /* insert into LRU, first is newest */ pend_tcp->reuse.lru_prev = NULL; if(outnet->tcp_reuse_first) { pend_tcp->reuse.lru_next = outnet->tcp_reuse_first; + log_assert(pend_tcp->reuse.lru_next != &pend_tcp->reuse); outnet->tcp_reuse_first->lru_prev = &pend_tcp->reuse; + log_assert(outnet->tcp_reuse_first->lru_prev != + outnet->tcp_reuse_first); } else { pend_tcp->reuse.lru_next = NULL; outnet->tcp_reuse_last = &pend_tcp->reuse; } outnet->tcp_reuse_first = &pend_tcp->reuse; pend_tcp->reuse.item_on_lru_list = 1; + log_assert((!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) || + (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); + log_assert(outnet->tcp_reuse_first != outnet->tcp_reuse_first->lru_next && + outnet->tcp_reuse_first != outnet->tcp_reuse_first->lru_prev); + log_assert(outnet->tcp_reuse_last != outnet->tcp_reuse_last->lru_next && + outnet->tcp_reuse_last != outnet->tcp_reuse_last->lru_prev); return 1; } 
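Review bot: In `reuse_tcp_insert` the new branch for a failed `rbtree_insert` logs "in lru list but not in the tree", which is the opposite of what the comment directly above it describes ("not in the LRU list but we are already in the tcp_reuse tree"). It is also the opposite of the state the code is in at that point, since the `item_on_lru_list` case returned earlier. The message should match the comment, e.g. `log_err("internal error: reuse_tcp_insert: in the tree but not in lru list");`. With the `return 0` removed, every path shown in this hunk returns 1, so the header comment "false on failure (duplicate)" is stale and should be updated now that the function is no longer `static`.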
@@ -514,7 +565,7 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr, while(result && result != RBTREE_NULL && reuse_cmp_addrportssl(result->key, &key_p.reuse) == 0) { if(((struct reuse_tcp*)result)->tree_by_id.count < - MAX_REUSE_TCP_QUERIES) { + outnet->max_reuse_tcp_queries) { /* same address, port, ssl-yes-or-no, and has * space for another query */ return (struct reuse_tcp*)result; 
@@ -692,28 +743,65 @@ outnet_tcp_take_into_use(struct waiting_tcp* w) /** Touch the lru of a reuse_tcp element, it is in use. * This moves it to the front of the list, where it is not likely to * be closed. Items at the back of the list are closed to make space. */ -static void +void reuse_tcp_lru_touch(struct outside_network* outnet, struct reuse_tcp* reuse) { if(!reuse->item_on_lru_list) { log_err("internal error: we need to touch the lru_list but item not in list"); return; /* not on the list, no lru to modify */ } + log_assert(reuse->lru_prev || + (!reuse->lru_prev && outnet->tcp_reuse_first == reuse)); if(!reuse->lru_prev) return; /* already first in the list */ /* remove at current position */ /* since it is not first, there is a previous element */ reuse->lru_prev->lru_next = reuse->lru_next; + log_assert(reuse->lru_prev->lru_next != reuse->lru_prev); if(reuse->lru_next) reuse->lru_next->lru_prev = reuse->lru_prev; else outnet->tcp_reuse_last = reuse->lru_prev; + log_assert(!reuse->lru_next || reuse->lru_next->lru_prev != reuse->lru_next); + log_assert(outnet->tcp_reuse_last != outnet->tcp_reuse_last->lru_next && + outnet->tcp_reuse_last != outnet->tcp_reuse_last->lru_prev); /* insert at the front */ reuse->lru_prev = NULL; reuse->lru_next = outnet->tcp_reuse_first; + if(outnet->tcp_reuse_first) { + outnet->tcp_reuse_first->lru_prev = reuse; + } + log_assert(reuse->lru_next != reuse); /* since it is not first, it is not the only element and * lru_next is thus not NULL and thus reuse is now not the last in * the list, so outnet->tcp_reuse_last does not need to be modified */ outnet->tcp_reuse_first = reuse; + log_assert(outnet->tcp_reuse_first != outnet->tcp_reuse_first->lru_next && + outnet->tcp_reuse_first != outnet->tcp_reuse_first->lru_prev); + log_assert((!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) || + (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); +} + +/** Snip the last reuse_tcp element off of the LRU list */ +struct reuse_tcp* 
+reuse_tcp_lru_snip(struct outside_network* outnet) +{ + struct reuse_tcp* reuse = outnet->tcp_reuse_last; + if(!reuse) return NULL; + /* snip off of LRU */ + log_assert(reuse->lru_next == NULL); + if(reuse->lru_prev) { + outnet->tcp_reuse_last = reuse->lru_prev; + reuse->lru_prev->lru_next = NULL; + } else { + outnet->tcp_reuse_last = NULL; + outnet->tcp_reuse_first = NULL; + } + log_assert((!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) || + (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); + reuse->item_on_lru_list = 0; + reuse->lru_next = NULL; + reuse->lru_prev = NULL; + return reuse; } /** call callback on waiting_tcp, if not NULL */ 
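Review bot: The doc comment on the new `reuse_tcp_lru_snip` says only that it snips the last element off the LRU list, but the body leaves `reuse->node.key` and `reuse->pending` untouched, so removal from the `tcp_reuse` tree is evidently left to the caller. Since the function is exported, that contract should be written down, e.g. `/** Snip the last reuse_tcp element off of the LRU list. Only the LRU links and item_on_lru_list are cleared; the caller handles the tcp_reuse tree. Returns NULL if the list is empty. */`. In `reuse_tcp_lru_touch`, `log_assert(reuse->lru_prev || (!reuse->lru_prev && outnet->tcp_reuse_first == reuse));` can be shortened to `log_assert(reuse->lru_prev || outnet->tcp_reuse_first == reuse);`.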
@@ -721,30 +809,84 @@ static void waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error, struct comm_reply* reply_info) { - if(w->cb) { + if(w && w->cb) { fptr_ok(fptr_whitelist_pending_tcp(w->cb)); (void)(*w->cb)(c, w->cb_arg, error, reply_info); } } +/** add waiting_tcp element to the outnet tcp waiting list */ +static void +outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w) +{ + struct timeval tv; + log_assert(!w->on_tcp_waiting_list); + if(w->on_tcp_waiting_list) + return; + w->next_waiting = NULL; + if(outnet->tcp_wait_last) + outnet->tcp_wait_last->next_waiting = w; + else outnet->tcp_wait_first = w; + outnet->tcp_wait_last = w; + w->on_tcp_waiting_list = 1; +#ifndef S_SPLINT_S + tv.tv_sec = w->timeout/1000; + tv.tv_usec = (w->timeout%1000)*1000; +#endif + comm_timer_set(w->timer, &tv); +} + +/** add waiting_tcp element as first to the outnet tcp waiting list */ +static void +outnet_add_tcp_waiting_first(struct outside_network* outnet, + struct waiting_tcp* w, int reset_timer) +{ + struct timeval tv; + log_assert(!w->on_tcp_waiting_list); + if(w->on_tcp_waiting_list) + return; + w->next_waiting = outnet->tcp_wait_first; + log_assert(w->next_waiting != w); + if(!outnet->tcp_wait_last) + outnet->tcp_wait_last = w; + outnet->tcp_wait_first = w; + w->on_tcp_waiting_list = 1; + if(reset_timer) { +#ifndef S_SPLINT_S + tv.tv_sec = w->timeout/1000; + tv.tv_usec = (w->timeout%1000)*1000; +#endif + comm_timer_set(w->timer, &tv); + } + log_assert( + (!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) || + (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); +} + /** see if buffers can be used to service TCP queries */ static void use_free_buffer(struct outside_network* outnet) { struct waiting_tcp* w; - while(outnet->tcp_free && outnet->tcp_wait_first - && !outnet->want_to_quit) { + while(outnet->tcp_wait_first && !outnet->want_to_quit) { #ifdef USE_DNSTAP struct pending_tcp* pend_tcp = NULL; #endif struct reuse_tcp* 
reuse = NULL; w = outnet->tcp_wait_first; + log_assert(w->on_tcp_waiting_list); outnet->tcp_wait_first = w->next_waiting; if(outnet->tcp_wait_last == w) outnet->tcp_wait_last = NULL; + log_assert( + (!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) || + (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); w->on_tcp_waiting_list = 0; reuse = reuse_tcp_find(outnet, &w->addr, w->addrlen, w->ssl_upstream); + /* re-select an ID when moving to a new TCP buffer */ + w->id = tcp_select_id(outnet, reuse); + LDNS_ID_SET(w->pkt, w->id); if(reuse) { log_reuse_tcp(VERB_CLIENT, "use free buffer for waiting tcp: " "found reuse", reuse); @@ -767,7 +909,7 @@ use_free_buffer(struct outside_network* outnet) reuse->pending->c->fd, reuse->pending, w); } - } else { + } else if(outnet->tcp_free) { struct pending_tcp* pend = w->outnet->tcp_free; rbtree_init(&pend->reuse.tree_by_id, reuse_id_cmp); pend->reuse.pending = pend; @@ -784,11 +926,15 @@ use_free_buffer(struct outside_network* outnet) #ifdef USE_DNSTAP pend_tcp = pend; #endif + } else { + /* no reuse and no free buffer, put back at the start */ + outnet_add_tcp_waiting_first(outnet, w, 0); + break; } #ifdef USE_DNSTAP if(outnet->dtenv && pend_tcp && w && w->sq && - (outnet->dtenv->log_resolver_query_messages || - outnet->dtenv->log_forwarder_query_messages)) { + (outnet->dtenv->log_resolver_query_messages || + outnet->dtenv->log_forwarder_query_messages)) { sldns_buffer tmp; sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len); dt_msg_send_outside_query(outnet->dtenv, &w->sq->addr, 
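Review bot: The closing assertion of the new `outnet_add_tcp_waiting_first` checks `outnet->tcp_reuse_first`/`tcp_reuse_last`, but the function only modifies the waiting list (`tcp_wait_first`/`tcp_wait_last`). The assertion added to `use_free_buffer` right after popping from the waiting list does the same. This looks like the LRU invariant copied over from the reuse functions. The invariant these two places can actually break is `log_assert((!outnet->tcp_wait_first && !outnet->tcp_wait_last) || (outnet->tcp_wait_first && outnet->tcp_wait_last));`. As written, a corrupted waiting list would pass both checks in a debug build.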
@@ -799,32 +945,21 @@ use_free_buffer(struct outside_network* outnet) } } -/** add waiting_tcp element to the outnet tcp waiting list */ -static void -outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w) -{ - struct timeval tv; - if(w->on_tcp_waiting_list) - return; - w->next_waiting = NULL; - if(outnet->tcp_wait_last) - outnet->tcp_wait_last->next_waiting = w; - else outnet->tcp_wait_first = w; - outnet->tcp_wait_last = w; - w->on_tcp_waiting_list = 1; -#ifndef S_SPLINT_S - tv.tv_sec = w->timeout/1000; - tv.tv_usec = (w->timeout%1000)*1000; -#endif - comm_timer_set(w->timer, &tv); -} - /** delete element from tree by id */ static void reuse_tree_by_id_delete(struct reuse_tcp* reuse, struct waiting_tcp* w) { +#ifdef UNBOUND_DEBUG + rbnode_type* rem; +#endif log_assert(w->id_node.key != NULL); +#ifdef UNBOUND_DEBUG + rem = +#else + (void) +#endif rbtree_delete(&reuse->tree_by_id, w); + log_assert(rem); /* should have been there */ w->id_node.key = NULL; } @@ -883,7 +1018,7 @@ reuse_move_writewait_away(struct outside_network* outnet, } /** remove reused element from tree and lru list */ -static void +void reuse_tcp_remove_tree_list(struct outside_network* outnet, struct reuse_tcp* reuse) { 
@@ -909,21 +1044,38 @@ reuse_tcp_remove_tree_list(struct outside_network* outnet, * and thus have a pending pointer to the struct */ log_assert(reuse->lru_prev->pending); reuse->lru_prev->lru_next = reuse->lru_next; + log_assert(reuse->lru_prev->lru_next != reuse->lru_prev); } else { log_assert(!reuse->lru_next || reuse->lru_next->pending); outnet->tcp_reuse_first = reuse->lru_next; + log_assert(!outnet->tcp_reuse_first || + (outnet->tcp_reuse_first != + outnet->tcp_reuse_first->lru_next && + outnet->tcp_reuse_first != + outnet->tcp_reuse_first->lru_prev)); } if(reuse->lru_next) { /* assert that members of the lru list are waiting * and thus have a pending pointer to the struct */ log_assert(reuse->lru_next->pending); reuse->lru_next->lru_prev = reuse->lru_prev; + log_assert(reuse->lru_next->lru_prev != reuse->lru_next); } else { log_assert(!reuse->lru_prev || reuse->lru_prev->pending); outnet->tcp_reuse_last = reuse->lru_prev; + log_assert(!outnet->tcp_reuse_last || + (outnet->tcp_reuse_last != + outnet->tcp_reuse_last->lru_next && + outnet->tcp_reuse_last != + outnet->tcp_reuse_last->lru_prev)); } + log_assert((!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) || + (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); reuse->item_on_lru_list = 0; + reuse->lru_next = NULL; + reuse->lru_prev = NULL; } + reuse->pending = NULL; } /** helper function that deletes an element from the tree of readwait 
@@ -950,8 +1102,12 @@ decommission_pending_tcp(struct outside_network* outnet, struct pending_tcp* pend) { verbose(VERB_CLIENT, "decommission_pending_tcp"); - pend->next_free = outnet->tcp_free; - outnet->tcp_free = pend; + /* A certain code path can lead here twice for the same pending_tcp + * creating a loop in the free pending_tcp list. */ + if(outnet->tcp_free != pend) { + pend->next_free = outnet->tcp_free; + outnet->tcp_free = pend; + } if(pend->reuse.node.key) { /* needs unlink from the reuse tree to get deleted */ reuse_tcp_remove_tree_list(outnet, &pend->reuse); @@ -991,6 +1147,22 @@ static void reuse_cb_readwait_for_failure(rbtree_type* tree_by_id, int err) } } +/** mark the entry for being in the cb_and_decommission stage */ +static void mark_for_cb_and_decommission(rbnode_type* node, + void* ATTR_UNUSED(arg)) +{ + struct waiting_tcp* w = (struct waiting_tcp*)node->key; + /* Mark the waiting_tcp to signal later code (serviced_delete) that + * this item is part of the backed up tree_by_id and will be deleted + * later. */ + w->in_cb_and_decommission = 1; + /* Mark the serviced_query for deletion so that later code through + * callbacks (iter_clear .. outnet_serviced_query_stop) won't + * prematurely delete it. */ + if(w->cb) + ((struct serviced_query*)w->cb_arg)->to_be_deleted = 1; +} + /** perform callbacks for failure and also decommission pending tcp. * the callbacks remove references in sq->pending to the waiting_tcp * members of the tree_by_id in the pending tcp. The pending_tcp is 
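Review bot: The new `if(outnet->tcp_free != pend)` guard in decommission_pending_tcp only recognises a repeated call while `pend` is still the head of the free list. If another pending_tcp is pushed between the two calls, the second call relinks `pend` and the free list gets the loop that the comment describes. If the double path can interleave with other decommissions, a per-entry marker tested here would cover it. At minimum the comment should state the limit, e.g. `/* Only detects a repeat while pend is still the list head. */`. The function body continues past the end of this hunk.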
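Review bot: In mark_for_cb_and_decommission the cast `(struct serviced_query*)w->cb_arg` is applied whenever `w->cb` is set, with no check that the callback is the serviced one. A waiting_tcp registered with a different callback argument would get `to_be_deleted` written into an unrelated object. The calls to pending_tcp_query visible in this diff all pass `serviced_tcp_callback, sq`, so it looks safe today, but the assumption is undocumented. I would add `log_assert(!w->cb || w->cb == serviced_tcp_callback);` if the prototype is in scope at this point, or a comment such as `/* cb_arg of a waiting_tcp is always its serviced_query */`.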
@@ -1006,28 +1178,31 @@ static void reuse_cb_and_decommission(struct outside_network* outnet, pend->reuse.write_wait_first = NULL; pend->reuse.write_wait_last = NULL; decommission_pending_tcp(outnet, pend); + if(store.root != NULL && store.root != RBTREE_NULL) { + traverse_postorder(&store, &mark_for_cb_and_decommission, NULL); + } reuse_cb_readwait_for_failure(&store, error); reuse_del_readwait(&store); } /** set timeout on tcp fd and setup read event to catch incoming dns msgs */ static void -reuse_tcp_setup_timeout(struct pending_tcp* pend_tcp) +reuse_tcp_setup_timeout(struct pending_tcp* pend_tcp, int tcp_reuse_timeout) { log_reuse_tcp(VERB_CLIENT, "reuse_tcp_setup_timeout", &pend_tcp->reuse); - comm_point_start_listening(pend_tcp->c, -1, REUSE_TIMEOUT); + comm_point_start_listening(pend_tcp->c, -1, tcp_reuse_timeout); } /** set timeout on tcp fd and setup read event to catch incoming dns msgs */ static void -reuse_tcp_setup_read_and_timeout(struct pending_tcp* pend_tcp) +reuse_tcp_setup_read_and_timeout(struct pending_tcp* pend_tcp, int tcp_reuse_timeout) { log_reuse_tcp(VERB_CLIENT, "reuse_tcp_setup_readtimeout", &pend_tcp->reuse); sldns_buffer_clear(pend_tcp->c->buffer); pend_tcp->c->tcp_is_reading = 1; pend_tcp->c->tcp_byte_count = 0; comm_point_stop_listening(pend_tcp->c); - comm_point_start_listening(pend_tcp->c, -1, REUSE_TIMEOUT); + comm_point_start_listening(pend_tcp->c, -1, tcp_reuse_timeout); } int @@ -1037,6 +1212,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error, struct pending_tcp* pend = (struct pending_tcp*)arg; struct outside_network* outnet = pend->reuse.outnet; struct waiting_tcp* w = NULL; + log_assert(pend->reuse.item_on_lru_list && pend->reuse.node.key); verbose(VERB_ALGO, "outnettcp cb"); if(error == NETEVENT_TIMEOUT) { if(pend->c->tcp_write_and_read) { 
@@ -1083,7 +1259,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error, pend->reuse.cp_more_write_again = 0; pend->c->tcp_is_reading = 1; comm_point_stop_listening(pend->c); - reuse_tcp_setup_timeout(pend); + reuse_tcp_setup_timeout(pend, outnet->tcp_reuse_timeout); } return 0; } else if(error != NETEVENT_NOERROR) { @@ -1102,6 +1278,12 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error, c->buffer)); /* find the query the reply is for */ w = reuse_tcp_by_id_find(&pend->reuse, id); + /* Make sure that the reply we got is at least for a + * sent query with the same ID; the waiting_tcp that + * gets a reply is assumed to not be waiting to be + * sent. */ + if(w && (w->on_tcp_waiting_list || w->write_wait_queued)) + w = NULL; } } if(error == NETEVENT_NOERROR && !w) { @@ -1119,6 +1301,8 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error, } } if(w) { + log_assert(!w->on_tcp_waiting_list); + log_assert(!w->write_wait_queued); reuse_tree_by_id_delete(&pend->reuse, w); verbose(VERB_CLIENT, "outnet tcp callback query err %d buflen %d", error, (int)sldns_buffer_limit(c->buffer)); @@ -1136,7 +1320,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error, * and there could be more bytes to read on the input */ if(pend->reuse.tree_by_id.count != 0) pend->reuse.cp_more_read_again = 1; - reuse_tcp_setup_read_and_timeout(pend); + reuse_tcp_setup_read_and_timeout(pend, outnet->tcp_reuse_timeout); return 0; } verbose(VERB_CLIENT, "outnet_tcp_cb reuse after cb: decommission it"); @@ -1178,7 +1362,7 @@ outnet_send_wait_udp(struct outside_network* outnet) { struct pending* pend; /* process waiting queries */ - while(outnet->udp_wait_first && outnet->unused_fds + while(outnet->udp_wait_first && outnet->unused_fds && !outnet->want_to_quit) { pend = outnet->udp_wait_first; outnet->udp_wait_first = pend->next_waiting; 
@@ -1187,8 +1371,10 @@ outnet_send_wait_udp(struct outside_network* outnet) sldns_buffer_write(outnet->udp_buff, pend->pkt, pend->pkt_len); sldns_buffer_flip(outnet->udp_buff); free(pend->pkt); /* freeing now makes get_mem correct */ - pend->pkt = NULL; + pend->pkt = NULL; pend->pkt_len = 0; + log_assert(!pend->sq->busy); + pend->sq->busy = 1; if(!randomize_and_send_udp(pend, outnet->udp_buff, pend->timeout)) { /* callback error on pending */ @@ -1198,6 +1384,8 @@ outnet_send_wait_udp(struct outside_network* outnet) NETEVENT_CLOSED, NULL); } pending_delete(outnet, pend); + } else { + pend->sq->busy = 0; } } } @@ -1308,7 +1496,6 @@ calc_num46(char** ifs, int num_ifs, int do_ip4, int do_ip6, (*num_ip4)++; } } - } void @@ -1404,7 +1591,8 @@ outside_network_create(struct comm_base *base, size_t bufsize, int numavailports, size_t unwanted_threshold, int tcp_mss, void (*unwanted_action)(void*), void* unwanted_param, int do_udp, void* sslctx, int delayclose, int tls_use_sni, struct dt_env* dtenv, - int udp_connect) + int udp_connect, int max_reuse_tcp_queries, int tcp_reuse_timeout, + int tcp_auth_query_timeout) { struct outside_network* outnet = (struct outside_network*) calloc(1, sizeof(struct outside_network)); @@ -1416,6 +1604,9 @@ outside_network_create(struct comm_base *base, size_t bufsize, comm_base_timept(base, &outnet->now_secs, &outnet->now_tv); outnet->base = base; outnet->num_tcp = num_tcp; + outnet->max_reuse_tcp_queries = max_reuse_tcp_queries; + outnet->tcp_reuse_timeout= tcp_reuse_timeout; + outnet->tcp_auth_query_timeout = tcp_auth_query_timeout; outnet->num_tcp_outgoing = 0; outnet->infra = infra; outnet->rnd = rnd; 
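Review bot: `pend->sq->busy` is set before randomize_and_send_udp() and cleared only in the new `else` branch, so the failure branch leaves the flag at 1, and nothing here says that is deliberate. The same shape appears in pending_udp_query (hunk at -2026), which returns NULL with `sq->busy` still set, whereas serviced_tcp_initiate and serviced_tcp_send clear it unconditionally. Since outnet_serviced_query_stop now refuses to delete a busy entry, a comment on the failure branch would help, for example `/* busy stays set: the error callback path deletes the serviced_query */` (presumably that is the intent; please confirm). outnet_send_wait_udp starts before this hunk.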
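Review bot: `outnet->max_reuse_tcp_queries = max_reuse_tcp_queries;` stores an `int` parameter into a field that the header hunk declares as `size_t`, so a negative value silently becomes a very large per-connection query limit. The two timeout values are likewise stored without a range check. Unless the configuration parser (not visible here) already rejects such values, I would clamp at this point, e.g. `outnet->max_reuse_tcp_queries = max_reuse_tcp_queries < 0 ? 0 : (size_t)max_reuse_tcp_queries;`. The struct field comments should also say what a timeout of 0 or less means once it reaches comm_point_start_listening(). The parameter list itself is in the preceding hunk at -1404.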
@@ -1558,16 +1749,9 @@ static void serviced_node_del(rbnode_type* node, void* ATTR_UNUSED(arg)) { struct serviced_query* sq = (struct serviced_query*)node; - struct service_callback* p = sq->cblist, *np; - free(sq->qbuf); - free(sq->zone); - free(sq->tls_auth_name); - edns_opt_list_free(sq->opt_list); - while(p) { - np = p->next; - free(p); - p = np; - } + alloc_reg_release(sq->alloc, sq->region); + if(sq->timer) + comm_timer_delete(sq->timer); free(sq); } @@ -1644,22 +1828,19 @@ outside_network_delete(struct outside_network* outnet) size_t i; for(i=0; inum_tcp; i++) if(outnet->tcp_conns[i]) { - if(outnet->tcp_conns[i]->query && - !outnet->tcp_conns[i]->query-> - on_tcp_waiting_list) { + struct pending_tcp* pend; + pend = outnet->tcp_conns[i]; + if(pend->reuse.item_on_lru_list) { /* delete waiting_tcp elements that * the tcp conn is working on */ - struct pending_tcp* pend = - (struct pending_tcp*)outnet-> - tcp_conns[i]->query-> - next_waiting; decommission_pending_tcp(outnet, pend); } comm_point_delete(outnet->tcp_conns[i]->c); - waiting_tcp_delete(outnet->tcp_conns[i]->query); free(outnet->tcp_conns[i]); + outnet->tcp_conns[i] = NULL; } free(outnet->tcp_conns); + outnet->tcp_conns = NULL; } if(outnet->tcp_wait_first) { struct waiting_tcp* p = outnet->tcp_wait_first, *np; 
@@ -1777,18 +1958,18 @@ select_id(struct outside_network* outnet, struct pending* pend, sldns_buffer* packet) { int id_tries = 0; - pend->id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff; + pend->id = GET_RANDOM_ID(outnet->rnd); LDNS_ID_SET(sldns_buffer_begin(packet), pend->id); /* insert in tree */ pend->node.key = pend; while(!rbtree_insert(outnet->pending, &pend->node)) { /* change ID to avoid collision */ - pend->id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff; + pend->id = GET_RANDOM_ID(outnet->rnd); LDNS_ID_SET(sldns_buffer_begin(packet), pend->id); id_tries++; if(id_tries == MAX_ID_RETRY) { - pend->id=99999; /* non existant ID */ + pend->id=99999; /* non existent ID */ log_err("failed to generate unique ID, drop msg"); return 0; } @@ -1813,8 +1994,12 @@ static int udp_connect_needs_log(int err) # endif # ifdef ENETDOWN case ENETDOWN: +# endif +# ifdef EADDRNOTAVAIL + case EADDRNOTAVAIL: # endif case EPERM: + case EACCES: if(verbosity >= VERB_ALGO) return 1; return 0; @@ -2026,10 +2211,13 @@ pending_udp_query(struct serviced_query* sq, struct sldns_buffer* packet, sq->outnet->udp_wait_last = pend; return pend; } + log_assert(!sq->busy); + sq->busy = 1; if(!randomize_and_send_udp(pend, packet, timeout)) { pending_delete(sq->outnet, pend); return NULL; } + sq->busy = 0; return pend; } 
@@ -2057,24 +2245,20 @@ outnet_tcptimer(void* arg) static void reuse_tcp_close_oldest(struct outside_network* outnet) { - struct pending_tcp* pend; + struct reuse_tcp* reuse; verbose(VERB_CLIENT, "reuse_tcp_close_oldest"); - if(!outnet->tcp_reuse_last) return; - pend = outnet->tcp_reuse_last->pending; - - /* snip off of LRU */ - log_assert(pend->reuse.lru_next == NULL); - if(pend->reuse.lru_prev) { - outnet->tcp_reuse_last = pend->reuse.lru_prev; - pend->reuse.lru_prev->lru_next = NULL; - } else { - outnet->tcp_reuse_last = NULL; - outnet->tcp_reuse_first = NULL; - } - pend->reuse.item_on_lru_list = 0; - + reuse = reuse_tcp_lru_snip(outnet); + if(!reuse) return; /* free up */ - reuse_cb_and_decommission(outnet, pend, NETEVENT_CLOSED); + reuse_cb_and_decommission(outnet, reuse->pending, NETEVENT_CLOSED); +} + +static uint16_t +tcp_select_id(struct outside_network* outnet, struct reuse_tcp* reuse) +{ + if(reuse) + return reuse_tcp_select_id(reuse, outnet); + return GET_RANDOM_ID(outnet->rnd); } /** find spare ID value for reuse tcp stream. That is random and also does @@ -2090,20 +2274,20 @@ reuse_tcp_select_id(struct reuse_tcp* reuse, struct outside_network* outnet) /* make really sure the tree is not empty */ if(reuse->tree_by_id.count == 0) { - id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff; + id = GET_RANDOM_ID(outnet->rnd); return id; } /* try to find random empty spots by picking them */ for(i = 0; irnd)>>8) & 0xffff; + id = GET_RANDOM_ID(outnet->rnd); if(!reuse_tcp_by_id_find(reuse, id)) { return id; } } /* equally pick a random unused element from the tree that is - * not in use. Pick a the n-th index of an ununused number, + * not in use. Pick a the n-th index of an unused number, * then loop over the empty spaces in the tree and find it */ log_assert(reuse->tree_by_id.count < 0xffff); select = ub_random_max(outnet->rnd, 0xffff - reuse->tree_by_id.count); 
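Review bot: The new static helper tcp_select_id has no doc comment, unlike the functions around it in this file. Suggested: `/** pick the ID for a TCP query: an unused one on the reuse stream when reuse is given, otherwise a random one */`. It also calls reuse_tcp_select_id, whose definition follows it in the file, so a prototype has to be in scope above this point; that is not visible in the hunk.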
@@ -2172,6 +2356,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet, reuse_tcp_lru_touch(sq->outnet, reuse); } + log_assert(!reuse || (reuse && pend)); /* if !pend but we have reuse streams, close a reuse stream * to be able to open a new one to this target, no use waiting * to reuse a file descriptor while another query needs to use @@ -2179,6 +2364,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet, if(!pend) { reuse_tcp_close_oldest(sq->outnet); pend = sq->outnet->tcp_free; + log_assert(!reuse || (pend == reuse->pending)); } /* allocate space to store query */ @@ -2194,9 +2380,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet, w->pkt = (uint8_t*)w + sizeof(struct waiting_tcp); w->pkt_len = sldns_buffer_limit(packet); memmove(w->pkt, sldns_buffer_begin(packet), w->pkt_len); - if(reuse) - w->id = reuse_tcp_select_id(reuse, sq->outnet); - else w->id = ((unsigned)ub_random(sq->outnet->rnd)>>8) & 0xffff; + w->id = tcp_select_id(sq->outnet, reuse); LDNS_ID_SET(w->pkt, w->id); memcpy(&w->addr, &sq->addr, sq->addrlen); w->addrlen = sq->addrlen; @@ -2216,9 +2400,11 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet, #ifdef USE_DNSTAP w->sq = NULL; #endif + w->in_cb_and_decommission = 0; if(pend) { /* we have a buffer available right now */ if(reuse) { + log_assert(reuse == &pend->reuse); /* reuse existing fd, write query and continue */ /* store query in tree by id */ verbose(VERB_CLIENT, "pending_tcp_query: reuse, store"); 
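Review bot: `log_assert(!reuse || (reuse && pend));` is a roundabout spelling of `log_assert(!reuse || pend);`. The second assert, added in the next hunk (-2179) inside `if(!pend)`, can then never fail: if the first one holds, `reuse` is NULL whenever that branch is entered. If the intent is that no reuse stream was selected on this path, `log_assert(!reuse);` says it directly. Both checks vanish in builds where log_assert compiles to nothing, so the later `if(reuse)` branch still depends on the invariant without enforcing it. pending_tcp_query starts before and ends after these hunks.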
@@ -2311,30 +2497,62 @@ lookup_serviced(struct outside_network* outnet, sldns_buffer* buff, int dnssec, return (struct serviced_query*)rbtree_search(outnet->serviced, &key); } +void +serviced_timer_cb(void* arg) +{ + struct serviced_query* sq = (struct serviced_query*)arg; + struct outside_network* outnet = sq->outnet; + verbose(VERB_ALGO, "serviced send timer"); + /* By the time this cb is called, if we don't have any registered + * callbacks for this serviced_query anymore; do not send. */ + if(!sq->cblist) + goto delete; + /* perform first network action */ + if(outnet->do_udp && !(sq->tcp_upstream || sq->ssl_upstream)) { + if(!serviced_udp_send(sq, outnet->udp_buff)) + goto delete; + } else { + if(!serviced_tcp_send(sq, outnet->udp_buff)) + goto delete; + } + /* Maybe by this time we don't have callbacks attached anymore. Don't + * proactively try to delete; let it run and maybe another callback + * will get attached by the time we get an answer. */ + return; +delete: + serviced_callbacks(sq, NETEVENT_CLOSED, NULL, NULL); +} + /** Create new serviced entry */ static struct serviced_query* serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, int want_dnssec, int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, size_t zonelen, int qtype, struct edns_option* opt_list, - size_t pad_queries_block_size) + size_t pad_queries_block_size, struct alloc_cache* alloc, + struct regional* region) { struct serviced_query* sq = (struct serviced_query*)malloc(sizeof(*sq)); + struct timeval t; #ifdef UNBOUND_DEBUG rbnode_type* ins; #endif if(!sq) return NULL; sq->node.key = sq; - sq->qbuf = memdup(sldns_buffer_begin(buff), sldns_buffer_limit(buff)); + sq->alloc = alloc; + sq->region = region; + sq->qbuf = regional_alloc_init(region, sldns_buffer_begin(buff), + sldns_buffer_limit(buff)); if(!sq->qbuf) { + alloc_reg_release(alloc, region); free(sq); return NULL; } 
sq->qbuflen = sldns_buffer_limit(buff); - sq->zone = memdup(zone, zonelen); + sq->zone = regional_alloc_init(region, zone, zonelen); if(!sq->zone) { - free(sq->qbuf); + alloc_reg_release(alloc, region); free(sq); return NULL; } @@ -2346,10 +2564,9 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, sq->tcp_upstream = tcp_upstream; sq->ssl_upstream = ssl_upstream; if(tls_auth_name) { - sq->tls_auth_name = strdup(tls_auth_name); + sq->tls_auth_name = regional_strdup(region, tls_auth_name); if(!sq->tls_auth_name) { - free(sq->zone); - free(sq->qbuf); + alloc_reg_release(alloc, region); free(sq); return NULL; } @@ -2358,17 +2575,16 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, } memcpy(&sq->addr, addr, addrlen); sq->addrlen = addrlen; - sq->opt_list = NULL; - if(opt_list) { - sq->opt_list = edns_opt_copy_alloc(opt_list); - if(!sq->opt_list) { - free(sq->tls_auth_name); - free(sq->zone); - free(sq->qbuf); - free(sq); - return NULL; - } + sq->opt_list = opt_list; + sq->busy = 0; + sq->timer = comm_timer_create(outnet->base, serviced_timer_cb, sq); + if(!sq->timer) { + alloc_reg_release(alloc, region); + free(sq); + return NULL; } + memset(&t, 0, sizeof(t)); + comm_timer_set(sq->timer, &t); sq->outnet = outnet; sq->cblist = NULL; sq->pending = NULL; @@ -2377,7 +2593,7 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, sq->to_be_deleted = 0; sq->padding_block_size = pad_queries_block_size; #ifdef UNBOUND_DEBUG - ins = + ins = #else (void) #endif @@ -2405,6 +2621,9 @@ waiting_list_remove(struct outside_network* outnet, struct waiting_tcp* w) prev = p; p = p->next_waiting; } + /* waiting_list_remove is currently called only with items that are + * already in the waiting list. */ + log_assert(0); } /** reuse tcp stream, remove serviced query from stream, 
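Review bot: serviced_create now calls `alloc_reg_release(alloc, region)` on its qbuf and zone failure paths (and on the tls_auth_name and timer paths in the following hunks), but the caller in outnet_serviced_query also calls `alloc_reg_release(env->alloc, region)` when serviced_create returns NULL, so the region is released twice on those paths. The very first failure, `if(!sq) return NULL;`, does not release it, which is presumably why the caller's release was added. Pick one owner: for example make that first check `if(!sq) { alloc_reg_release(alloc, region); return NULL; }` and drop the release from the caller's `if(!sq)` branch. Depending on how alloc_reg_release recycles regions this is either a double free or a region handed out twice, reachable under memory pressure.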
@@ -2443,7 +2662,7 @@ reuse_tcp_remove_serviced_keep(struct waiting_tcp* w, if(!reuse_tcp_insert(sq->outnet, pend_tcp)) { return 0; } - reuse_tcp_setup_timeout(pend_tcp); + reuse_tcp_setup_timeout(pend_tcp, sq->outnet->tcp_reuse_timeout); return 1; } return 0; @@ -2472,29 +2691,38 @@ serviced_delete(struct serviced_query* sq) struct waiting_tcp* w = (struct waiting_tcp*) sq->pending; verbose(VERB_CLIENT, "serviced_delete: TCP"); + log_assert(!(w->write_wait_queued && w->on_tcp_waiting_list)); /* if on stream-write-waiting list then * remove from waiting list and waiting_tcp_delete */ if(w->write_wait_queued) { struct pending_tcp* pend = (struct pending_tcp*)w->next_waiting; verbose(VERB_CLIENT, "serviced_delete: writewait"); - reuse_tree_by_id_delete(&pend->reuse, w); + if(!w->in_cb_and_decommission) + reuse_tree_by_id_delete(&pend->reuse, w); reuse_write_wait_remove(&pend->reuse, w); - waiting_tcp_delete(w); + if(!w->in_cb_and_decommission) + waiting_tcp_delete(w); } else if(!w->on_tcp_waiting_list) { struct pending_tcp* pend = (struct pending_tcp*)w->next_waiting; verbose(VERB_CLIENT, "serviced_delete: tcpreusekeep"); + /* w needs to stay on tree_by_id to not assign + * the same ID; remove the callback since its + * serviced_query will be gone. */ + w->cb = NULL; if(!reuse_tcp_remove_serviced_keep(w, sq)) { - reuse_cb_and_decommission(sq->outnet, - pend, NETEVENT_CLOSED); + if(!w->in_cb_and_decommission) + reuse_cb_and_decommission(sq->outnet, + pend, NETEVENT_CLOSED); use_free_buffer(sq->outnet); } sq->pending = NULL; } else { verbose(VERB_CLIENT, "serviced_delete: tcpwait"); waiting_list_remove(sq->outnet, w); - waiting_tcp_delete(w); + if(!w->in_cb_and_decommission) + waiting_tcp_delete(w); } } } 
@@ -2561,7 +2789,9 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns) edns.edns_present = 1; edns.ext_rcode = 0; edns.edns_version = EDNS_ADVERTISED_VERSION; - edns.opt_list = sq->opt_list; + edns.opt_list_in = NULL; + edns.opt_list_out = sq->opt_list; + edns.opt_list_inplace_cb_out = NULL; if(sq->status == serviced_query_UDP_EDNS_FRAG) { if(addr_is_ip6(&sq->addr, sq->addrlen)) { if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE) @@ -2584,8 +2814,8 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns) padding_option.opt_code = LDNS_EDNS_PADDING; padding_option.opt_len = 0; padding_option.opt_data = NULL; - padding_option.next = edns.opt_list; - edns.opt_list = &padding_option; + padding_option.next = edns.opt_list_out; + edns.opt_list_out = &padding_option; edns.padding_block_size = sq->padding_block_size; } attach_edns_record(buff, &edns); @@ -2742,7 +2972,8 @@ serviced_callbacks(struct serviced_query* sq, int error, struct comm_point* c, * use secondary buffer to store the query. * This is a data copy, but faster than packet to server */ backlen = sldns_buffer_limit(c->buffer); - backup_p = memdup(sldns_buffer_begin(c->buffer), backlen); + backup_p = regional_alloc_init(sq->region, + sldns_buffer_begin(c->buffer), backlen); if(!backup_p) { log_err("malloc failure in serviced query callbacks"); error = NETEVENT_CLOSED; @@ -2760,10 +2991,8 @@ serviced_callbacks(struct serviced_query* sq, int error, struct comm_point* c, } fptr_ok(fptr_whitelist_serviced_query(p->cb)); (void)(*p->cb)(c, p->cb_arg, error, rep); - free(p); } if(backup_p) { - free(backup_p); sq->outnet->svcd_overhead = 0; } verbose(VERB_ALGO, "svcd callbacks end"); 
@@ -2779,8 +3008,12 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error, struct comm_reply r2; #ifdef USE_DNSTAP struct waiting_tcp* w = (struct waiting_tcp*)sq->pending; - struct pending_tcp* pend_tcp = (struct pending_tcp*)w->next_waiting; - struct port_if* pi = pend_tcp->pi; + struct pending_tcp* pend_tcp = NULL; + struct port_if* pi = NULL; + if(w && !w->on_tcp_waiting_list && w->next_waiting) { + pend_tcp = (struct pending_tcp*)w->next_waiting; + pi = pend_tcp->pi; + } #endif sq->pending = NULL; /* removed after this callback */ if(error != NETEVENT_NOERROR) @@ -2793,7 +3026,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error, /* * sending src (local service)/dst (upstream) addresses over DNSTAP */ - if(error==NETEVENT_NOERROR && sq->outnet->dtenv && + if(error==NETEVENT_NOERROR && pi && sq->outnet->dtenv && (sq->outnet->dtenv->log_resolver_response_messages || sq->outnet->dtenv->log_forwarder_response_messages)) { log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen); @@ -2873,8 +3106,11 @@ serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff) sq->status==serviced_query_TCP_EDNS?"EDNS":""); serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS); sq->last_sent_time = *sq->outnet->now_tv; - sq->pending = pending_tcp_query(sq, buff, TCP_AUTH_QUERY_TIMEOUT, + log_assert(!sq->busy); + sq->busy = 1; + sq->pending = pending_tcp_query(sq, buff, sq->outnet->tcp_auth_query_timeout, serviced_tcp_callback, sq); + sq->busy = 0; if(!sq->pending) { /* delete from tree so that a retry by above layer does not * clash with this entry */ 
@@ -2901,13 +3137,16 @@ serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff) sq->last_sent_time = *sq->outnet->now_tv; if(sq->tcp_upstream || sq->ssl_upstream) { timeout = rtt; - if(rtt >= UNKNOWN_SERVER_NICENESS && rtt < TCP_AUTH_QUERY_TIMEOUT) - timeout = TCP_AUTH_QUERY_TIMEOUT; + if(rtt >= UNKNOWN_SERVER_NICENESS && rtt < sq->outnet->tcp_auth_query_timeout) + timeout = sq->outnet->tcp_auth_query_timeout; } else { - timeout = TCP_AUTH_QUERY_TIMEOUT; + timeout = sq->outnet->tcp_auth_query_timeout; } + log_assert(!sq->busy); + sq->busy = 1; sq->pending = pending_tcp_query(sq, buff, timeout, serviced_tcp_callback, sq); + sq->busy = 0; return sq->pending != NULL; } @@ -2958,7 +3197,6 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error, struct timeval now = *sq->outnet->now_tv; #ifdef USE_DNSTAP struct pending* p = (struct pending*)sq->pending; - struct port_if* pi = p->pc->pif; #endif sq->pending = NULL; /* removed after callback */ 
@@ -3000,14 +3238,16 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error, /* * sending src (local service)/dst (upstream) addresses over DNSTAP */ - if(error == NETEVENT_NOERROR && outnet->dtenv && - (outnet->dtenv->log_resolver_response_messages || - outnet->dtenv->log_forwarder_response_messages)) { + if(error == NETEVENT_NOERROR && outnet->dtenv && p->pc && + (outnet->dtenv->log_resolver_response_messages || + outnet->dtenv->log_forwarder_response_messages)) { log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen); - log_addr(VERB_ALGO, "to local addr", &pi->addr, pi->addrlen); - dt_msg_send_outside_response(outnet->dtenv, &sq->addr, &pi->addr, c->type, - sq->zone, sq->zonelen, sq->qbuf, sq->qbuflen, - &sq->last_sent_time, sq->outnet->now_tv, c->buffer); + log_addr(VERB_ALGO, "to local addr", &p->pc->pif->addr, + p->pc->pif->addrlen); + dt_msg_send_outside_response(outnet->dtenv, &sq->addr, + &p->pc->pif->addr, c->type, sq->zone, sq->zonelen, + sq->qbuf, sq->qbuflen, &sq->last_sent_time, + sq->outnet->now_tv, c->buffer); } #endif if( (sq->status == serviced_query_UDP_EDNS 
@@ -3097,64 +3337,117 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error, struct serviced_query* outnet_serviced_query(struct outside_network* outnet, struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, struct module_qstate* qstate, - comm_point_callback_type* callback, void* callback_arg, sldns_buffer* buff, - struct module_env* env) + int nocaps, int check_ratelimit, int tcp_upstream, int ssl_upstream, + char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen, + uint8_t* zone, size_t zonelen, struct module_qstate* qstate, + comm_point_callback_type* callback, void* callback_arg, + sldns_buffer* buff, struct module_env* env, int* was_ratelimited) { struct serviced_query* sq; struct service_callback* cb; struct edns_string_addr* client_string_addr; + struct regional* region; + struct edns_option* backed_up_opt_list = qstate->edns_opts_back_out; + struct edns_option* per_upstream_opt_list = NULL; + time_t timenow = 0; - if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, zonelen, - qstate, qstate->region)) + /* If we have an already populated EDNS option list make a copy since + * we may now add upstream specific EDNS options. */ + /* Use a region that could be attached to a serviced_query, if it needs + * to be created. If an existing one is found then this region will be + * destroyed here. 
*/ + region = alloc_reg_obtain(env->alloc); + if(!region) return NULL; + if(qstate->edns_opts_back_out) { + per_upstream_opt_list = edns_opt_copy_region( + qstate->edns_opts_back_out, region); + if(!per_upstream_opt_list) { + alloc_reg_release(env->alloc, region); return NULL; + } + qstate->edns_opts_back_out = per_upstream_opt_list; + } + + if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, + zonelen, qstate, region)) { + alloc_reg_release(env->alloc, region); + return NULL; + } + /* Restore the option list; we can explicitly use the copied one from + * now on. */ + per_upstream_opt_list = qstate->edns_opts_back_out; + qstate->edns_opts_back_out = backed_up_opt_list; if((client_string_addr = edns_string_addr_lookup( &env->edns_strings->client_strings, addr, addrlen))) { - edns_opt_list_append(&qstate->edns_opts_back_out, + edns_opt_list_append(&per_upstream_opt_list, env->edns_strings->client_string_opcode, client_string_addr->string_len, - client_string_addr->string, qstate->region); + client_string_addr->string, region); } serviced_gen_query(buff, qinfo->qname, qinfo->qname_len, qinfo->qtype, qinfo->qclass, flags); sq = lookup_serviced(outnet, buff, dnssec, addr, addrlen, - qstate->edns_opts_back_out); - /* duplicate entries are included in the callback list, because - * there is a counterpart registration by our caller that needs to - * be doubly-removed (with callbacks perhaps). */ - if(!(cb = (struct service_callback*)malloc(sizeof(*cb)))) - return NULL; + per_upstream_opt_list); if(!sq) { + /* Check ratelimit only for new serviced_query */ + if(check_ratelimit) { + timenow = *env->now; + if(!infra_ratelimit_inc(env->infra_cache, zone, + zonelen, timenow, env->cfg->ratelimit_backoff, + &qstate->qinfo, qstate->reply)) { + /* Can we pass through with slip factor? 
*/ + if(env->cfg->ratelimit_factor == 0 || + ub_random_max(env->rnd, + env->cfg->ratelimit_factor) != 1) { + *was_ratelimited = 1; + alloc_reg_release(env->alloc, region); + return NULL; + } + log_nametypeclass(VERB_ALGO, + "ratelimit allowed through for " + "delegation point", zone, + LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); + } + } /* make new serviced query entry */ sq = serviced_create(outnet, buff, dnssec, want_dnssec, nocaps, tcp_upstream, ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, (int)qinfo->qtype, - qstate->edns_opts_back_out, + per_upstream_opt_list, ( ssl_upstream && env->cfg->pad_queries - ? env->cfg->pad_queries_block_size : 0 )); + ? env->cfg->pad_queries_block_size : 0 ), + env->alloc, region); if(!sq) { - free(cb); + if(check_ratelimit) { + infra_ratelimit_dec(env->infra_cache, + zone, zonelen, timenow); + } + alloc_reg_release(env->alloc, region); return NULL; } - /* perform first network action */ - if(outnet->do_udp && !(tcp_upstream || ssl_upstream)) { - if(!serviced_udp_send(sq, buff)) { - (void)rbtree_delete(outnet->serviced, sq); - serviced_node_del(&sq->node, NULL); - free(cb); - return NULL; - } - } else { - if(!serviced_tcp_send(sq, buff)) { - (void)rbtree_delete(outnet->serviced, sq); - serviced_node_del(&sq->node, NULL); - free(cb); - return NULL; + if(!(cb = (struct service_callback*)regional_alloc( + sq->region, sizeof(*cb)))) { + if(check_ratelimit) { + infra_ratelimit_dec(env->infra_cache, + zone, zonelen, timenow); } + (void)rbtree_delete(outnet->serviced, sq); + serviced_node_del(&sq->node, NULL); + return NULL; + } + /* No network action at this point; it will be invoked with the + * serviced_query timer instead to run outside of the mesh. */ + } else { + /* We don't need this region anymore. */ + alloc_reg_release(env->alloc, region); + /* duplicate entries are included in the callback list, because + * there is a counterpart registration by our caller that needs + * to be doubly-removed (with callbacks perhaps). 
*/ + if(!(cb = (struct service_callback*)regional_alloc( + sq->region, sizeof(*cb)))) { + return NULL; } } /* add callback to list of callbacks */ @@ -3174,7 +3467,6 @@ callback_list_remove(struct serviced_query* sq, void* cb_arg) if((*pp)->cb_arg == cb_arg) { struct service_callback* del = *pp; *pp = del->next; - free(del); return; } pp = &(*pp)->next; @@ -3183,13 +3475,13 @@ callback_list_remove(struct serviced_query* sq, void* cb_arg) void outnet_serviced_query_stop(struct serviced_query* sq, void* cb_arg) { - if(!sq) + if(!sq) return; callback_list_remove(sq, cb_arg); /* if callbacks() routine scheduled deletion, let it do that */ - if(!sq->cblist && !sq->to_be_deleted) { + if(!sq->cblist && !sq->busy && !sq->to_be_deleted) { (void)rbtree_delete(sq->outnet->serviced, sq); - serviced_delete(sq); + serviced_delete(sq); } } 
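Review bot: When `inplace_cb_query_call()` fails, outnet_serviced_query releases `region` and returns while `qstate->edns_opts_back_out` can still point at `per_upstream_opt_list`, which was allocated in that region. The restore to `backed_up_opt_list` only happens on the success path. If the qstate is used again after this error return, it would read released memory. Restore first, by putting `qstate->edns_opts_back_out = backed_up_opt_list;` before `alloc_reg_release(env->alloc, region);` in that branch. Separately, `*was_ratelimited` is only written on the ratelimited path, so the function comment should say that the caller must initialise it.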
@@ -3388,15 +3680,28 @@ outnet_comm_point_for_tcp(struct outside_network* outnet, return cp; } +/** setup the User-Agent HTTP header based on http-user-agent configuration */ +static void +setup_http_user_agent(sldns_buffer* buf, struct config_file* cfg) +{ + if(cfg->hide_http_user_agent) return; + if(cfg->http_user_agent==NULL || cfg->http_user_agent[0] == 0) { + sldns_buffer_printf(buf, "User-Agent: %s/%s\r\n", PACKAGE_NAME, + PACKAGE_VERSION); + } else { + sldns_buffer_printf(buf, "User-Agent: %s\r\n", cfg->http_user_agent); + } +} + /** setup http request headers in buffer for sending query to destination */ static int -setup_http_request(sldns_buffer* buf, char* host, char* path) +setup_http_request(sldns_buffer* buf, char* host, char* path, + struct config_file* cfg) { sldns_buffer_clear(buf); sldns_buffer_printf(buf, "GET /%s HTTP/1.1\r\n", path); sldns_buffer_printf(buf, "Host: %s\r\n", host); - sldns_buffer_printf(buf, "User-Agent: unbound/%s\r\n", - PACKAGE_VERSION); + setup_http_user_agent(buf, cfg); /* We do not really do multiple queries per connection, * but this header setting is also not needed. * sldns_buffer_printf(buf, "Connection: close\r\n") */ @@ -3412,7 +3717,7 @@ struct comm_point* outnet_comm_point_for_http(struct outside_network* outnet, comm_point_callback_type* cb, void* cb_arg, struct sockaddr_storage* to_addr, socklen_t to_addrlen, int timeout, - int ssl, char* host, char* path) + int ssl, char* host, char* path, struct config_file* cfg) { /* cp calls cb with err=NETEVENT_DONE when transfer is done */ struct comm_point* cp; @@ -3448,7 +3753,7 @@ outnet_comm_point_for_http(struct outside_network* outnet, comm_point_start_listening(cp, fd, timeout); /* setup http request in cp->buffer */ - if(!setup_http_request(cp->buffer, host, path)) { + if(!setup_http_request(cp->buffer, host, path, cfg)) { log_err("error setting up http request"); comm_point_delete(cp); return NULL; 
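Review bot: `setup_http_user_agent` copies `cfg->http_user_agent` into the request with `"User-Agent: %s\r\n"` without checking it for CR or LF, so a configured value that contains a line break would add extra header lines to every outgoing HTTP request. The string comes from configuration rather than from the network, so this is a hardening point. The cleanest fix is to reject such a value where the option is parsed; failing that, guard the else branch here with `if(strpbrk(cfg->http_user_agent, "\r\n")) return;`. The result of `sldns_buffer_printf` is also ignored in the new helper, and whether a long configured string can exceed the buffer is not visible in this hunk.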
diff --git a/services/outside_network.h b/services/outside_network.h index 233588d40..4c5b96f83 100644 --- a/services/outside_network.h +++ b/services/outside_network.h @@ -43,7 +43,9 @@ #ifndef OUTSIDE_NETWORK_H #define OUTSIDE_NETWORK_H +#include "util/alloc.h" #include "util/rbtree.h" +#include "util/regional.h" #include "util/netevent.h" #include "dnstap/dnstap_config.h" struct pending; @@ -63,6 +65,7 @@ struct edns_option; struct module_env; struct module_qstate; struct query_info; +struct config_file; /** * Send queries to outside servers and wait for answers from servers. @@ -158,6 +161,12 @@ struct outside_network { size_t num_tcp; /** number of tcp communication points in use. */ size_t num_tcp_outgoing; + /** max number of queries on a reuse connection */ + size_t max_reuse_tcp_queries; + /** timeout for REUSE entries in milliseconds. */ + int tcp_reuse_timeout; + /** timeout in milliseconds for TCP queries to auth servers. */ + int tcp_auth_query_timeout; /** * tree of still-open and waiting tcp connections for reuse. * can be closed and reopened to get a new tcp connection. @@ -295,11 +304,6 @@ struct reuse_tcp { struct outside_network* outnet; }; -/** max number of queries on a reuse connection */ -#define MAX_REUSE_TCP_QUERIES 200 -/** timeout for REUSE entries in milliseconds. */ -#define REUSE_TIMEOUT 60000 - /** * A query that has an answer pending for it. */ @@ -410,6 +414,8 @@ struct waiting_tcp { char* tls_auth_name; /** the packet was involved in an error, to stop looping errors */ int error_count; + /** if true, the item is at the cb_and_decommission stage */ + int in_cb_and_decommission; #ifdef USE_DNSTAP /** serviced query pointer for dnstap to get logging info, if nonNULL*/ struct serviced_query* sq; 
@@ -510,6 +516,15 @@ struct serviced_query { void* pending; /** block size with which to pad encrypted queries (default: 128) */ size_t padding_block_size; + /** region for this serviced query. Will be cleared when this + * serviced_query will be deleted */ + struct regional* region; + /** allocation service for the region */ + struct alloc_cache* alloc; + /** flash timer to start the net I/O as a separate event */ + struct comm_timer* timer; + /** true if serviced_query is currently doing net I/O and may block */ + int busy; }; /** @@ -540,6 +555,9 @@ struct serviced_query { * @param tls_use_sni: if SNI is used for TLS connections. * @param dtenv: environment to send dnstap events with (if enabled). * @param udp_connect: if the udp_connect option is enabled. + * @param max_reuse_tcp_queries: max number of queries on a reuse connection. + * @param tcp_reuse_timeout: timeout for REUSE entries in milliseconds. + * @param tcp_auth_query_timeout: timeout in milliseconds for TCP queries to auth servers. * @return: the new structure (with no pending answers) or NULL on error. */ struct outside_network* outside_network_create(struct comm_base* base, @@ -549,7 +567,8 @@ struct outside_network* outside_network_create(struct comm_base* base, int numavailports, size_t unwanted_threshold, int tcp_mss, void (*unwanted_action)(void*), void* unwanted_param, int do_udp, void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv, - int udp_connect); + int udp_connect, int max_reuse_tcp_queries, int tcp_reuse_timeout, + int tcp_auth_query_timeout); /** * Delete outside_network structure. 
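Review bot: `outside_network_create` now takes `int max_reuse_tcp_queries`, while the field it is documented to fill is declared `size_t max_reuse_tcp_queries` in `struct outside_network` earlier in this header. A negative configured value would convert to a very large count and in effect remove the per-connection query limit. The assignment itself is in outside_network.c and not visible here, so this should be confirmed there. Either declare the parameter as `size_t max_reuse_tcp_queries` or reject values below 1 before the call.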
@@ -613,6 +632,7 @@ void pending_delete(struct outside_network* outnet, struct pending* p); * @param want_dnssec: signatures are needed, without EDNS the answer is * likely to be useless. * @param nocaps: ignore use_caps_for_id and use unperturbed qname. + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param tcp_upstream: use TCP for upstream queries. * @param ssl_upstream: use SSL for upstream queries. * @param tls_auth_name: when ssl_upstream is true, use this name to check @@ -629,16 +649,18 @@ void pending_delete(struct outside_network* outnet, struct pending* p); * @param callback_arg: user argument to callback function. * @param buff: scratch buffer to create query contents in. Empty on exit. * @param env: the module environment. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return 0 on error, or pointer to serviced query that is used to answer * this serviced query may be shared with other callbacks as well. */ struct serviced_query* outnet_serviced_query(struct outside_network* outnet, struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, struct module_qstate* qstate, + int nocaps, int check_ratelimit, int tcp_upstream, int ssl_upstream, + char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen, + uint8_t* zone, size_t zonelen, struct module_qstate* qstate, comm_point_callback_type* callback, void* callback_arg, - struct sldns_buffer* buff, struct module_env* env); + struct sldns_buffer* buff, struct module_env* env, int* was_ratelimited); /** * Remove service query callback. 
@@ -676,12 +698,28 @@ struct waiting_tcp* reuse_tcp_by_id_find(struct reuse_tcp* reuse, uint16_t id); /** insert element in tree by id */ void reuse_tree_by_id_insert(struct reuse_tcp* reuse, struct waiting_tcp* w); +/** insert element in tcp_reuse tree and LRU list */ +int reuse_tcp_insert(struct outside_network* outnet, + struct pending_tcp* pend_tcp); + +/** touch the LRU of the element */ +void reuse_tcp_lru_touch(struct outside_network* outnet, + struct reuse_tcp* reuse); + +/** remove element from tree and LRU list */ +void reuse_tcp_remove_tree_list(struct outside_network* outnet, + struct reuse_tcp* reuse); + +/** snip the last reuse_tcp element off of the LRU list if any */ +struct reuse_tcp* reuse_tcp_lru_snip(struct outside_network* outnet); + /** delete readwait waiting_tcp elements, deletes the elements in the list */ void reuse_del_readwait(rbtree_type* tree_by_id); /** get TCP file descriptor for address, returns -1 on failure, * tcp_mss is 0 or maxseg size to set for TCP packets. */ -int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp); +int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, + int tcp_mss, int dscp); /** * Create udp commpoint suitable for sending packets to the destination. 
@@ -735,12 +773,13 @@ struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet, * @param ssl: set to true for https. * @param host: hostname to use for the destination. part of http request. * @param path: pathname to lookup, eg. name of the file on the destination. + * @param cfg: running configuration for User-Agent setup. * @return http_out commpoint, or NULL. */ struct comm_point* outnet_comm_point_for_http(struct outside_network* outnet, comm_point_callback_type* cb, void* cb_arg, struct sockaddr_storage* to_addr, socklen_t to_addrlen, int timeout, - int ssl, char* host, char* path); + int ssl, char* host, char* path, struct config_file* cfg); /** connect tcp connection to addr, 0 on failure */ int outnet_tcp_connect(int s, struct sockaddr_storage* addr, socklen_t addrlen); @@ -762,6 +801,9 @@ void pending_udp_timer_delay_cb(void *arg); /** callback for outgoing TCP timer event */ void outnet_tcptimer(void* arg); +/** callback to send serviced queries */ +void serviced_timer_cb(void *arg); + /** callback for serviced query UDP answers */ int serviced_udp_callback(struct comm_point* c, void* arg, int error, struct comm_reply* rep); diff --git a/services/rpz.c b/services/rpz.c index 3a1ec00d7..e2642033c 100644 --- a/services/rpz.c +++ b/services/rpz.c 
@@ -50,45 +50,50 @@ #include "util/data/dname.h" #include "util/locks.h" #include "util/regional.h" +#include "util/data/msgencode.h" +#include "services/cache/dns.h" +#include "iterator/iterator.h" +#include "iterator/iter_delegpt.h" +#include "daemon/worker.h" + +typedef struct resp_addr rpz_aclnode_type; + +struct matched_delegation_point { + uint8_t* dname; + size_t dname_len; +}; /** string for RPZ action enum */ const char* rpz_action_to_string(enum rpz_action a) { switch(a) { - case RPZ_NXDOMAIN_ACTION: return "nxdomain"; - case RPZ_NODATA_ACTION: return "nodata"; - case RPZ_PASSTHRU_ACTION: return "passthru"; - case RPZ_DROP_ACTION: return "drop"; - case RPZ_TCP_ONLY_ACTION: return "tcp_only"; - case RPZ_INVALID_ACTION: return "invalid"; - case RPZ_LOCAL_DATA_ACTION: return "local_data"; - case RPZ_DISABLED_ACTION: return "disabled"; - case RPZ_CNAME_OVERRIDE_ACTION: return "cname_override"; - case RPZ_NO_OVERRIDE_ACTION: return "no_override"; + case RPZ_NXDOMAIN_ACTION: return "rpz-nxdomain"; + case RPZ_NODATA_ACTION: return "rpz-nodata"; + case RPZ_PASSTHRU_ACTION: return "rpz-passthru"; + case RPZ_DROP_ACTION: return "rpz-drop"; + case RPZ_TCP_ONLY_ACTION: return "rpz-tcp-only"; + case RPZ_INVALID_ACTION: return "rpz-invalid"; + case RPZ_LOCAL_DATA_ACTION: return "rpz-local-data"; + case RPZ_DISABLED_ACTION: return "rpz-disabled"; + case RPZ_CNAME_OVERRIDE_ACTION: return "rpz-cname-override"; + case RPZ_NO_OVERRIDE_ACTION: return "rpz-no-override"; + default: return "rpz-unknown-action"; } - return "unknown"; } /** RPZ action enum for config string */ static enum rpz_action rpz_config_to_action(char* a) { - if(strcmp(a, "nxdomain") == 0) - return RPZ_NXDOMAIN_ACTION; - else if(strcmp(a, "nodata") == 0) - return RPZ_NODATA_ACTION; - else if(strcmp(a, "passthru") == 0) - return RPZ_PASSTHRU_ACTION; - else if(strcmp(a, "drop") == 0) - return RPZ_DROP_ACTION; - else if(strcmp(a, "tcp_only") == 0) - return RPZ_TCP_ONLY_ACTION; - else if(strcmp(a, "cname") == 
0) - return RPZ_CNAME_OVERRIDE_ACTION; - else if(strcmp(a, "disabled") == 0) - return RPZ_DISABLED_ACTION; - return RPZ_INVALID_ACTION; + if(strcmp(a, "nxdomain") == 0) return RPZ_NXDOMAIN_ACTION; + else if(strcmp(a, "nodata") == 0) return RPZ_NODATA_ACTION; + else if(strcmp(a, "passthru") == 0) return RPZ_PASSTHRU_ACTION; + else if(strcmp(a, "drop") == 0) return RPZ_DROP_ACTION; + else if(strcmp(a, "tcp_only") == 0) return RPZ_TCP_ONLY_ACTION; + else if(strcmp(a, "cname") == 0) return RPZ_CNAME_OVERRIDE_ACTION; + else if(strcmp(a, "disabled") == 0) return RPZ_DISABLED_ACTION; + else return RPZ_INVALID_ACTION; } /** string for RPZ trigger enum */ @@ -96,14 +101,14 @@ static const char* rpz_trigger_to_string(enum rpz_trigger r) { switch(r) { - case RPZ_QNAME_TRIGGER: return "qname"; - case RPZ_CLIENT_IP_TRIGGER: return "client_ip"; - case RPZ_RESPONSE_IP_TRIGGER: return "response_ip"; - case RPZ_NSDNAME_TRIGGER: return "nsdname"; - case RPZ_NSIP_TRIGGER: return "nsip"; - case RPZ_INVALID_TRIGGER: return "invalid"; + case RPZ_QNAME_TRIGGER: return "rpz-qname"; + case RPZ_CLIENT_IP_TRIGGER: return "rpz-client-ip"; + case RPZ_RESPONSE_IP_TRIGGER: return "rpz-response-ip"; + case RPZ_NSDNAME_TRIGGER: return "rpz-nsdname"; + case RPZ_NSIP_TRIGGER: return "rpz-nsip"; + case RPZ_INVALID_TRIGGER: return "rpz-invalid"; + default: return "rpz-unknown-trigger"; } - return "unknown"; } /** 
@@ -137,6 +142,31 @@ get_tld_label(uint8_t* dname, size_t maxdnamelen) return prevlab; } +/** + * The RR types that are to be ignored. + * DNSSEC RRs at the apex, and SOA and NS are ignored. + */ +static int +rpz_type_ignored(uint16_t rr_type) +{ + switch(rr_type) { + case LDNS_RR_TYPE_SOA: + case LDNS_RR_TYPE_NS: + case LDNS_RR_TYPE_DNAME: + /* all DNSSEC-related RRs must be ignored */ + case LDNS_RR_TYPE_DNSKEY: + case LDNS_RR_TYPE_DS: + case LDNS_RR_TYPE_RRSIG: + case LDNS_RR_TYPE_NSEC: + case LDNS_RR_TYPE_NSEC3: + case LDNS_RR_TYPE_NSEC3PARAM: + return 1; + default: + break; + } + return 0; +} + /** * Classify RPZ action for RR type/rdata * @param rr_type: the RR type @@ -208,15 +238,15 @@ static enum localzone_type rpz_action_to_localzone_type(enum rpz_action a) { switch(a) { - case RPZ_NXDOMAIN_ACTION: return local_zone_always_nxdomain; - case RPZ_NODATA_ACTION: return local_zone_always_nodata; - case RPZ_DROP_ACTION: return local_zone_always_deny; - case RPZ_PASSTHRU_ACTION: return local_zone_always_transparent; + case RPZ_NXDOMAIN_ACTION: return local_zone_always_nxdomain; + case RPZ_NODATA_ACTION: return local_zone_always_nodata; + case RPZ_DROP_ACTION: return local_zone_always_deny; + case RPZ_PASSTHRU_ACTION: return local_zone_always_transparent; case RPZ_LOCAL_DATA_ACTION: /* fallthrough */ case RPZ_CNAME_OVERRIDE_ACTION: return local_zone_redirect; - case RPZ_INVALID_ACTION: /* fallthrough */ - case RPZ_TCP_ONLY_ACTION: /* fallthrough */ - default: return local_zone_invalid; + case RPZ_TCP_ONLY_ACTION: return local_zone_truncate; + case RPZ_INVALID_ACTION: /* fallthrough */ + default: return local_zone_invalid; } } 
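Review bot: The comment on `rpz_type_ignored` says DNSSEC RRs "at the apex" are ignored, but the function only receives `rr_type`, so these types are skipped at every owner name, and `LDNS_RR_TYPE_DNAME` is in the list without being mentioned. The caller in `rpz_insert_rr` returns before looking at the name, which matches the code rather than the comment. I would reword it to `/** Return 1 for RR types that are never RPZ policy data: SOA, NS, DNAME and the DNSSEC types, at any owner name. */`.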
@@ -224,15 +254,15 @@ enum respip_action rpz_action_to_respip_action(enum rpz_action a) { switch(a) { - case RPZ_NXDOMAIN_ACTION: return respip_always_nxdomain; - case RPZ_NODATA_ACTION: return respip_always_nodata; - case RPZ_DROP_ACTION: return respip_always_deny; - case RPZ_PASSTHRU_ACTION: return respip_always_transparent; - case RPZ_LOCAL_DATA_ACTION: /* fallthrough */ + case RPZ_NXDOMAIN_ACTION: return respip_always_nxdomain; + case RPZ_NODATA_ACTION: return respip_always_nodata; + case RPZ_DROP_ACTION: return respip_always_deny; + case RPZ_PASSTHRU_ACTION: return respip_always_transparent; + case RPZ_LOCAL_DATA_ACTION: /* fallthrough */ case RPZ_CNAME_OVERRIDE_ACTION: return respip_redirect; - case RPZ_INVALID_ACTION: /* fallthrough */ - case RPZ_TCP_ONLY_ACTION: /* fallthrough */ - default: return respip_invalid; + case RPZ_TCP_ONLY_ACTION: return respip_truncate; + case RPZ_INVALID_ACTION: /* fallthrough */ + default: return respip_invalid; } } @@ -240,14 +270,14 @@ static enum rpz_action localzone_type_to_rpz_action(enum localzone_type lzt) { switch(lzt) { - case local_zone_always_nxdomain: return RPZ_NXDOMAIN_ACTION; - case local_zone_always_nodata: return RPZ_NODATA_ACTION; - case local_zone_always_deny: return RPZ_DROP_ACTION; - case local_zone_always_transparent: return RPZ_PASSTHRU_ACTION; - case local_zone_redirect: return RPZ_LOCAL_DATA_ACTION; - case local_zone_invalid: - default: - return RPZ_INVALID_ACTION; + case local_zone_always_nxdomain: return RPZ_NXDOMAIN_ACTION; + case local_zone_always_nodata: return RPZ_NODATA_ACTION; + case local_zone_always_deny: return RPZ_DROP_ACTION; + case local_zone_always_transparent: return RPZ_PASSTHRU_ACTION; + case local_zone_redirect: return RPZ_LOCAL_DATA_ACTION; + case local_zone_truncate: return RPZ_TCP_ONLY_ACTION; + case local_zone_invalid: /* fallthrough */ + default: return RPZ_INVALID_ACTION; } } 
@@ -255,14 +285,14 @@ enum rpz_action respip_action_to_rpz_action(enum respip_action a) { switch(a) { - case respip_always_nxdomain: return RPZ_NXDOMAIN_ACTION; - case respip_always_nodata: return RPZ_NODATA_ACTION; - case respip_always_deny: return RPZ_DROP_ACTION; - case respip_always_transparent: return RPZ_PASSTHRU_ACTION; - case respip_redirect: return RPZ_LOCAL_DATA_ACTION; - case respip_invalid: - default: - return RPZ_INVALID_ACTION; + case respip_always_nxdomain: return RPZ_NXDOMAIN_ACTION; + case respip_always_nodata: return RPZ_NODATA_ACTION; + case respip_always_deny: return RPZ_DROP_ACTION; + case respip_always_transparent: return RPZ_PASSTHRU_ACTION; + case respip_redirect: return RPZ_LOCAL_DATA_ACTION; + case respip_truncate: return RPZ_TCP_ONLY_ACTION; + case respip_invalid: /* fallthrough */ + default: return RPZ_INVALID_ACTION; } } 
@@ -298,12 +328,55 @@ rpz_dname_to_trigger(uint8_t* dname, size_t dname_len) return RPZ_QNAME_TRIGGER; } -void rpz_delete(struct rpz* r) +static inline struct clientip_synthesized_rrset* +rpz_clientip_synthesized_set_create(void) +{ + struct clientip_synthesized_rrset* set = calloc(1, sizeof(*set)); + if(set == NULL) { + return NULL; + } + set->region = regional_create(); + if(set->region == NULL) { + free(set); + return NULL; + } + addr_tree_init(&set->entries); + lock_rw_init(&set->lock); + return set; +} + +static void +rpz_clientip_synthesized_rr_delete(rbnode_type* n, void* ATTR_UNUSED(arg)) +{ + struct clientip_synthesized_rr* r = (struct clientip_synthesized_rr*)n->key; + lock_rw_destroy(&r->lock); +#ifdef THREADS_DISABLED + (void)r; +#endif +} + +static inline void +rpz_clientip_synthesized_set_delete(struct clientip_synthesized_rrset* set) +{ + if(set == NULL) { + return; + } + lock_rw_destroy(&set->lock); + traverse_postorder(&set->entries, rpz_clientip_synthesized_rr_delete, NULL); + regional_destroy(set->region); + free(set); +} + +void +rpz_delete(struct rpz* r) { if(!r) return; local_zones_delete(r->local_zones); + local_zones_delete(r->nsdname_zones); respip_set_delete(r->respip_set); + rpz_clientip_synthesized_set_delete(r->client_set); + rpz_clientip_synthesized_set_delete(r->ns_set); regional_destroy(r->region); free(r->taglist); free(r->log_name); 
@@ -315,13 +388,31 @@ rpz_clear(struct rpz* r) { /* must hold write lock on auth_zone */ local_zones_delete(r->local_zones); + r->local_zones = NULL; + local_zones_delete(r->nsdname_zones); + r->nsdname_zones = NULL; respip_set_delete(r->respip_set); + r->respip_set = NULL; + rpz_clientip_synthesized_set_delete(r->client_set); + r->client_set = NULL; + rpz_clientip_synthesized_set_delete(r->ns_set); + r->ns_set = NULL; if(!(r->local_zones = local_zones_create())){ return 0; } + r->nsdname_zones = local_zones_create(); + if(r->nsdname_zones == NULL) { + return 0; + } if(!(r->respip_set = respip_set_create())) { return 0; } + if(!(r->client_set = rpz_clientip_synthesized_set_create())) { + return 0; + } + if(!(r->ns_set = rpz_clientip_synthesized_set_create())) { + return 0; + } return 1; } @@ -331,6 +422,14 @@ rpz_finish_config(struct rpz* r) lock_rw_wrlock(&r->respip_set->lock); addr_tree_init_parents(&r->respip_set->ip_tree); lock_rw_unlock(&r->respip_set->lock); + + lock_rw_wrlock(&r->client_set->lock); + addr_tree_init_parents(&r->client_set->entries); + lock_rw_unlock(&r->client_set->lock); + + lock_rw_wrlock(&r->ns_set->lock); + addr_tree_init_parents(&r->ns_set->entries); + lock_rw_unlock(&r->ns_set->lock); } /** new rrset containing CNAME override, does not yet contain a dname */ @@ -394,9 +493,26 @@ rpz_create(struct config_auth* p) if(!(r->local_zones = local_zones_create())){ goto err; } + + r->nsdname_zones = local_zones_create(); + if(r->local_zones == NULL){ + goto err; + } + if(!(r->respip_set = respip_set_create())) { goto err; } + + r->client_set = rpz_clientip_synthesized_set_create(); + if(r->client_set == NULL) { + goto err; + } + + r->ns_set = rpz_clientip_synthesized_set_create(); + if(r->ns_set == NULL) { + goto err; + } + r->taglistlen = p->rpz_taglistlen; r->taglist = memdup(p->rpz_taglist, r->taglistlen); if(p->rpz_action_override) { 
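Review bot: The NULL check added after `r->nsdname_zones = local_zones_create();` in `rpz_create` tests `r->local_zones` a second time, so a failed allocation of the nsdname zones goes undetected and `r->nsdname_zones` stays NULL. Other code in this commit uses the pointer without a check, for example `rpz_insert_nsdname_trigger` hands `r->nsdname_zones` to `rpz_insert_local_zones_trigger`, which takes `lz->lock` straight away. The condition should read `if(r->nsdname_zones == NULL){`. `rpz_create` starts and ends outside this hunk.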
@@ -410,13 +526,13 @@ rpz_create(struct config_auth* p) size_t nmlen = sizeof(nm); if(!p->rpz_cname) { - log_err("RPZ override with cname action found, but no " + log_err("rpz: override with cname action found, but no " "rpz-cname-override configured"); goto err; } if(sldns_str2wire_dname_buf(p->rpz_cname, nm, &nmlen) != 0) { - log_err("cannot parse RPZ cname override: %s", + log_err("rpz: cannot parse cname override: %s", p->rpz_cname); goto err; } @@ -426,6 +542,7 @@ rpz_create(struct config_auth* p) } } r->log = p->rpz_log; + r->signal_nxdomain_ra = p->rpz_signal_nxdomain_ra; if(p->rpz_log_name) { if(!(r->log_name = strdup(p->rpz_log_name))) { log_err("malloc failure on RPZ log_name strdup"); @@ -437,8 +554,14 @@ err: if(r) { if(r->local_zones) local_zones_delete(r->local_zones); + if(r->nsdname_zones) + local_zones_delete(r->nsdname_zones); if(r->respip_set) respip_set_delete(r->respip_set); + if(r->client_set != NULL) + rpz_clientip_synthesized_set_delete(r->client_set); + if(r->ns_set != NULL) + rpz_clientip_synthesized_set_delete(r->ns_set); if(r->taglist) free(r->taglist); if(r->region) 
@@ -467,19 +590,17 @@ strip_dname_origin(uint8_t* dname, size_t dnamelen, size_t originlen, return newdnamelen + 1; /* + 1 for root label */ } -/** Insert RR into RPZ's local-zone */ static void -rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, - enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, - uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) +rpz_insert_local_zones_trigger(struct local_zones* lz, uint8_t* dname, + size_t dnamelen, enum rpz_action a, uint16_t rrtype, uint16_t rrclass, + uint32_t ttl, uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) { struct local_zone* z; enum localzone_type tp = local_zone_always_transparent; int dnamelabs = dname_count_labels(dname); - char* rrstr; int newzone = 0; - if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION) { + if(a == RPZ_INVALID_ACTION) { char str[255+1]; if(rrtype == LDNS_RR_TYPE_SOA || rrtype == LDNS_RR_TYPE_NS || rrtype == LDNS_RR_TYPE_DNAME || 
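Review bot: This hunk drops the `/** Insert RR into RPZ's local-zone */` comment and leaves the renamed `rpz_insert_local_zones_trigger` undocumented, although it now serves both the qname and the nsdname zone sets and has an ownership rule for `dname`. Judging by the following hunk, `dname` is freed on the skip and error paths and kept by the zone when a new zone is created. A comment such as `/** Insert RR into the given local-zones set; takes ownership of dname (freed here or kept by the new zone). */` would make that contract visible to callers. The function body continues outside this hunk.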
@@ -493,62 +614,366 @@ rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, return; /* no need to log these types as unsupported */ } dname_str(dname, str); - verbose(VERB_ALGO, "RPZ: qname trigger, %s skipping unsupported action: %s", + verbose(VERB_ALGO, "rpz: qname trigger, %s skipping unsupported action: %s", str, rpz_action_to_string(a)); free(dname); return; } - lock_rw_wrlock(&r->local_zones->lock); + lock_rw_wrlock(&lz->lock); /* exact match */ - z = local_zones_find(r->local_zones, dname, dnamelen, dnamelabs, - LDNS_RR_CLASS_IN); - if(z && a != RPZ_LOCAL_DATA_ACTION) { - rrstr = sldns_wire2str_rr(rr, rr_len); - if(!rrstr) { - log_err("malloc error while inserting RPZ qname " - "trigger"); + z = local_zones_find(lz, dname, dnamelen, dnamelabs, LDNS_RR_CLASS_IN); + if(z != NULL && a != RPZ_LOCAL_DATA_ACTION) { + char* rrstr = sldns_wire2str_rr(rr, rr_len); + if(rrstr == NULL) { + log_err("malloc error while inserting rpz nsdname trigger"); free(dname); - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&lz->lock); return; } - verbose(VERB_ALGO, "RPZ: skipping duplicate record: '%s'", - rrstr); + if(rrstr[0]) + rrstr[strlen(rrstr)-1]=0; /* remove newline */ + verbose(VERB_ALGO, "rpz: skipping duplicate record: '%s'", rrstr); free(rrstr); free(dname); - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&lz->lock); return; } - if(!z) { + if(z == NULL) { tp = rpz_action_to_localzone_type(a); - if(!(z = local_zones_add_zone(r->local_zones, dname, dnamelen, - dnamelabs, rrclass, tp))) { - log_warn("RPZ create failed"); - lock_rw_unlock(&r->local_zones->lock); + z = local_zones_add_zone(lz, dname, dnamelen, + dnamelabs, rrclass, tp); + if(z == NULL) { + log_warn("rpz: create failed"); + lock_rw_unlock(&lz->lock); /* dname will be free'd in failed local_zone_create() */ return; } newzone = 1; } if(a == RPZ_LOCAL_DATA_ACTION) { - rrstr = sldns_wire2str_rr(rr, rr_len); - if(!rrstr) { - log_err("malloc error while inserting RPZ qname " 
- "trigger"); + char* rrstr = sldns_wire2str_rr(rr, rr_len); + if(rrstr == NULL) { + log_err("malloc error while inserting rpz nsdname trigger"); free(dname); - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&lz->lock); return; } lock_rw_wrlock(&z->lock); - local_zone_enter_rr(z, dname, dnamelen, dnamelabs, - rrtype, rrclass, ttl, rdata, rdata_len, rrstr); + local_zone_enter_rr(z, dname, dnamelen, dnamelabs, rrtype, + rrclass, ttl, rdata, rdata_len, rrstr); lock_rw_unlock(&z->lock); free(rrstr); } - if(!newzone) + if(!newzone) { free(dname); - lock_rw_unlock(&r->local_zones->lock); - return; + } + lock_rw_unlock(&lz->lock); +} + +static void +rpz_log_dname(char const* msg, uint8_t* dname, size_t dname_len) +{ + char buf[LDNS_MAX_DOMAINLEN+1]; + (void)dname_len; + dname_str(dname, buf); + verbose(VERB_ALGO, "rpz: %s: <%s>", msg, buf); +} + +static void +rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, + enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, + uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) +{ + if(a == RPZ_INVALID_ACTION) { + verbose(VERB_ALGO, "rpz: skipping invalid action"); + free(dname); + return; + } + + rpz_insert_local_zones_trigger(r->local_zones, dname, dnamelen, a, rrtype, + rrclass, ttl, rdata, rdata_len, rr, rr_len); +} + +static int +rpz_strip_nsdname_suffix(uint8_t* dname, size_t maxdnamelen, + uint8_t** stripdname, size_t* stripdnamelen) +{ + uint8_t* tldstart = get_tld_label(dname, maxdnamelen); + uint8_t swap; + if(tldstart == NULL) { + if(dname == NULL) { + *stripdname = NULL; + *stripdnamelen = 0; + return 0; + } + *stripdname = memdup(dname, maxdnamelen); + if(!*stripdname) { + *stripdnamelen = 0; + log_err("malloc failure for rpz strip suffix"); + return 0; + } + *stripdnamelen = maxdnamelen; + return 1; + } + /* shorten the domain name briefly, + * then we allocate a new name with the correct length */ + swap = *tldstart; + *tldstart = 0; + 
(void)dname_count_size_labels(dname, stripdnamelen); + *stripdname = memdup(dname, *stripdnamelen); + *tldstart = swap; + if(!*stripdname) { + *stripdnamelen = 0; + log_err("malloc failure for rpz strip suffix"); + return 0; + } + return 1; +} + +static void +rpz_insert_nsdname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, + enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, + uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) +{ + uint8_t* dname_stripped = NULL; + size_t dnamelen_stripped = 0; + + rpz_strip_nsdname_suffix(dname, dnamelen, &dname_stripped, + &dnamelen_stripped); + if(a == RPZ_INVALID_ACTION) { + verbose(VERB_ALGO, "rpz: skipping invalid action"); + free(dname_stripped); + return; + } + + /* dname_stripped is consumed or freed by the insert routine */ + rpz_insert_local_zones_trigger(r->nsdname_zones, dname_stripped, + dnamelen_stripped, a, rrtype, rrclass, ttl, rdata, rdata_len, + rr, rr_len); +} + +static int +rpz_insert_ipaddr_based_trigger(struct respip_set* set, struct sockaddr_storage* addr, + socklen_t addrlen, int net, enum rpz_action a, uint16_t rrtype, + uint16_t rrclass, uint32_t ttl, uint8_t* rdata, size_t rdata_len, + uint8_t* rr, size_t rr_len) +{ + struct resp_addr* node; + char* rrstr; + enum respip_action respa = rpz_action_to_respip_action(a); + + lock_rw_wrlock(&set->lock); + rrstr = sldns_wire2str_rr(rr, rr_len); + if(rrstr == NULL) { + log_err("malloc error while inserting rpz ipaddr based trigger"); + lock_rw_unlock(&set->lock); + return 0; + } + + node = respip_sockaddr_find_or_create(set, addr, addrlen, net, 1, rrstr); + if(node == NULL) { + lock_rw_unlock(&set->lock); + free(rrstr); + return 0; + } + + lock_rw_wrlock(&node->lock); + lock_rw_unlock(&set->lock); + + node->action = respa; + + if(a == RPZ_LOCAL_DATA_ACTION) { + respip_enter_rr(set->region, node, rrtype, + rrclass, ttl, rdata, rdata_len, rrstr, ""); + } + + lock_rw_unlock(&node->lock); + free(rrstr); + return 1; +} + +static 
inline struct clientip_synthesized_rr* +rpz_clientip_ensure_entry(struct clientip_synthesized_rrset* set, + struct sockaddr_storage* addr, socklen_t addrlen, int net) +{ + int insert_ok; + struct clientip_synthesized_rr* node = + (struct clientip_synthesized_rr*)addr_tree_find(&set->entries, + addr, addrlen, net); + + if(node != NULL) { return node; } + + /* node does not yet exist => allocate one */ + node = regional_alloc_zero(set->region, sizeof(*node)); + if(node == NULL) { + log_err("out of memory"); + return NULL; + } + + lock_rw_init(&node->lock); + node->action = RPZ_INVALID_ACTION; + insert_ok = addr_tree_insert(&set->entries, &node->node, + addr, addrlen, net); + if (!insert_ok) { + log_warn("rpz: unexpected: unable to insert clientip address node"); + /* we can not free the just allocated node. + * theoretically a memleak */ + return NULL; + } + + return node; +} + +static void +rpz_report_rrset_error(const char* msg, uint8_t* rr, size_t rr_len) { + char* rrstr = sldns_wire2str_rr(rr, rr_len); + if(rrstr == NULL) { + log_err("malloc error while inserting rpz clientip based record"); + return; + } + log_err("rpz: unexpected: unable to insert %s: %s", msg, rrstr); + free(rrstr); +} + +/* from localzone.c; difference is we don't have a dname */ +static struct local_rrset* +rpz_clientip_new_rrset(struct regional* region, + struct clientip_synthesized_rr* raddr, uint16_t rrtype, uint16_t rrclass) +{ + struct packed_rrset_data* pd; + struct local_rrset* rrset = (struct local_rrset*) + regional_alloc_zero(region, sizeof(*rrset)); + if(rrset == NULL) { + log_err("out of memory"); + return NULL; + } + rrset->next = raddr->data; + raddr->data = rrset; + rrset->rrset = (struct ub_packed_rrset_key*) + regional_alloc_zero(region, sizeof(*rrset->rrset)); + if(rrset->rrset == NULL) { + log_err("out of memory"); + return NULL; + } + rrset->rrset->entry.key = rrset->rrset; + pd = (struct packed_rrset_data*)regional_alloc_zero(region, sizeof(*pd)); + if(pd == NULL) { + 
log_err("out of memory"); + return NULL; + } + pd->trust = rrset_trust_prim_noglue; + pd->security = sec_status_insecure; + rrset->rrset->entry.data = pd; + rrset->rrset->rk.type = htons(rrtype); + rrset->rrset->rk.rrset_class = htons(rrclass); + rrset->rrset->rk.dname = regional_alloc_zero(region, 1); + if(rrset->rrset->rk.dname == NULL) { + log_err("out of memory"); + return NULL; + } + rrset->rrset->rk.dname_len = 1; + return rrset; +} + +static int +rpz_clientip_enter_rr(struct regional* region, struct clientip_synthesized_rr* raddr, + uint16_t rrtype, uint16_t rrclass, time_t ttl, uint8_t* rdata, + size_t rdata_len) +{ + struct local_rrset* rrset; + if (rrtype == LDNS_RR_TYPE_CNAME && raddr->data != NULL) { + log_err("CNAME response-ip data can not co-exist with other " + "client-ip data"); + return 0; + } + + rrset = rpz_clientip_new_rrset(region, raddr, rrtype, rrclass); + if(raddr->data == NULL) { + return 0; + } + + return rrset_insert_rr(region, rrset->rrset->entry.data, rdata, rdata_len, ttl, ""); +} + +static int +rpz_clientip_insert_trigger_rr(struct clientip_synthesized_rrset* set, struct sockaddr_storage* addr, + socklen_t addrlen, int net, enum rpz_action a, uint16_t rrtype, + uint16_t rrclass, uint32_t ttl, uint8_t* rdata, size_t rdata_len, + uint8_t* rr, size_t rr_len) +{ + struct clientip_synthesized_rr* node; + + lock_rw_wrlock(&set->lock); + + node = rpz_clientip_ensure_entry(set, addr, addrlen, net); + if(node == NULL) { + lock_rw_unlock(&set->lock); + rpz_report_rrset_error("client ip address", rr, rr_len); + return 0; + } + + lock_rw_wrlock(&node->lock); + lock_rw_unlock(&set->lock); + + node->action = a; + if(a == RPZ_LOCAL_DATA_ACTION) { + if(!rpz_clientip_enter_rr(set->region, node, rrtype, + rrclass, ttl, rdata, rdata_len)) { + verbose(VERB_ALGO, "rpz: unable to insert clientip rr"); + lock_rw_unlock(&node->lock); + return 0; + } + + } + + lock_rw_unlock(&node->lock); + + return 1; +} + +static int +rpz_insert_clientip_trigger(struct 
rpz* r, uint8_t* dname, size_t dnamelen, + enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, + uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) +{ + struct sockaddr_storage addr; + socklen_t addrlen; + int net, af; + + if(a == RPZ_INVALID_ACTION) { + return 0; + } + + if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af)) { + verbose(VERB_ALGO, "rpz: unable to parse client ip"); + return 0; + } + + return rpz_clientip_insert_trigger_rr(r->client_set, &addr, addrlen, net, + a, rrtype, rrclass, ttl, rdata, rdata_len, rr, rr_len); +} + +static int +rpz_insert_nsip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, + enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, + uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) +{ + struct sockaddr_storage addr; + socklen_t addrlen; + int net, af; + + if(a == RPZ_INVALID_ACTION) { + return 0; + } + + if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af)) { + verbose(VERB_ALGO, "rpz: unable to parse ns ip"); + return 0; + } + + return rpz_clientip_insert_trigger_rr(r->ns_set, &addr, addrlen, net, + a, rrtype, rrclass, ttl, rdata, rdata_len, rr, rr_len); } /** Insert RR into RPZ's respip_set */ 
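Review bot: `rpz_clientip_enter_rr` tests `raddr->data == NULL` after calling `rpz_clientip_new_rrset`, but that helper links the new rrset into `raddr->data` before its later allocations and returns NULL when any of them fails. In that case, or when `raddr->data` already held an earlier rrset, the test passes and `rrset->rrset->entry.data` dereferences a NULL pointer; the check should be `if(rrset == NULL) {`. In the same hunk `rpz_insert_nsdname_trigger` ignores the result of `rpz_strip_nsdname_suffix`, so after an allocation failure a NULL `dname_stripped` reaches `dname_count_labels` in `rpz_insert_local_zones_trigger`. Returning early with `if(!rpz_strip_nsdname_suffix(dname, dnamelen, &dname_stripped, &dnamelen_stripped)) return;` avoids that.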
@@ -557,50 +982,30 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) { - struct resp_addr* node; struct sockaddr_storage addr; socklen_t addrlen; int net, af; - char* rrstr; - enum respip_action respa = rpz_action_to_respip_action(a); - if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION || - respa == respip_invalid) { + if(a == RPZ_INVALID_ACTION) { + return 0; + } + + if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af)) { + verbose(VERB_ALGO, "rpz: unable to parse response ip"); + return 0; + } + + if(a == RPZ_INVALID_ACTION || + rpz_action_to_respip_action(a) == respip_invalid) { char str[255+1]; dname_str(dname, str); - verbose(VERB_ALGO, "RPZ: respip trigger, %s skipping unsupported action: %s", + verbose(VERB_ALGO, "rpz: respip trigger, %s skipping unsupported action: %s", str, rpz_action_to_string(a)); return 0; } - if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af)) - return 0; - - lock_rw_wrlock(&r->respip_set->lock); - rrstr = sldns_wire2str_rr(rr, rr_len); - if(!rrstr) { - log_err("malloc error while inserting RPZ respip trigger"); - lock_rw_unlock(&r->respip_set->lock); - return 0; - } - if(!(node=respip_sockaddr_find_or_create(r->respip_set, &addr, addrlen, - net, 1, rrstr))) { - lock_rw_unlock(&r->respip_set->lock); - free(rrstr); - return 0; - } - - lock_rw_wrlock(&node->lock); - lock_rw_unlock(&r->respip_set->lock); - node->action = respa; - - if(a == RPZ_LOCAL_DATA_ACTION) { - respip_enter_rr(r->respip_set->region, node, rrtype, - rrclass, ttl, rdata, rdata_len, rrstr, ""); - } - lock_rw_unlock(&node->lock); - free(rrstr); - return 1; + return rpz_insert_ipaddr_based_trigger(r->respip_set, &addr, addrlen, net, + a, rrtype, rrclass, ttl, rdata, rdata_len, rr, rr_len); } int 
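Review bot: The `a == RPZ_INVALID_ACTION ||` operand in the second guard of rpz_insert_response_ip_trigger is dead, because the new first check already returns 0 for that action, so an invalid action is now dropped without the "skipping unsupported action" log line. Either remove the early `if(a == RPZ_INVALID_ACTION) { return 0; }` or reduce the later test to `if(rpz_action_to_respip_action(a) == respip_invalid) {`. The removed code also rejected `RPZ_TCP_ONLY_ACTION` explicitly; whether rpz_action_to_respip_action() still yields respip_invalid for it is not visible here and is worth confirming, since otherwise a tcp-only rule reaches rpz_insert_ipaddr_based_trigger().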
@@ -614,15 +1019,19 @@ rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname, enum rpz_action a; uint8_t* policydname; + if(rpz_type_ignored(rr_type)) { + /* this rpz action is not valid, eg. this is the SOA or NS RR */ + return 1; + } if(!dname_subdomain_c(dname, azname)) { char* dname_str = sldns_wire2str_dname(dname, dnamelen); char* azname_str = sldns_wire2str_dname(azname, aznamelen); if(dname_str && azname_str) { - log_err("RPZ: name of record (%s) to insert into RPZ is not a " + log_err("rpz: name of record (%s) to insert into RPZ is not a " "subdomain of the configured name of the RPZ zone (%s)", dname_str, azname_str); } else { - log_err("RPZ: name of record to insert into RPZ is not a " + log_err("rpz: name of record to insert into RPZ is not a " "subdomain of the configured name of the RPZ zone"); } free(dname_str); 
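Review bot: The comment on the new `rpz_type_ignored(rr_type)` check talks about an invalid action, but the condition tests the RR type; something like `/* this RR type carries no RPZ policy, eg. the SOA or NS RR; skip it */` matches the code. Because the check returns 1 before `dname_subdomain_c(dname, azname)`, records of an ignored type are never checked for being inside the configured zone; if that is intended, the comment should say so. rpz_insert_rr starts and ends outside this hunk.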
@@ -645,23 +1054,37 @@ rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname, t = rpz_dname_to_trigger(policydname, policydnamelen); if(t == RPZ_INVALID_TRIGGER) { free(policydname); - verbose(VERB_ALGO, "RPZ: skipping invalid trigger"); + verbose(VERB_ALGO, "rpz: skipping invalid trigger"); return 1; } if(t == RPZ_QNAME_TRIGGER) { + /* policydname will be consumed, no free */ rpz_insert_qname_trigger(r, policydname, policydnamelen, a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, rr_len); - } - else if(t == RPZ_RESPONSE_IP_TRIGGER) { + } else if(t == RPZ_RESPONSE_IP_TRIGGER) { rpz_insert_response_ip_trigger(r, policydname, policydnamelen, a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, rr_len); free(policydname); - } - else { + } else if(t == RPZ_CLIENT_IP_TRIGGER) { + rpz_insert_clientip_trigger(r, policydname, policydnamelen, + a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, + rr_len); free(policydname); - verbose(VERB_ALGO, "RPZ: skipping unsupported trigger: %s", + } else if(t == RPZ_NSIP_TRIGGER) { + rpz_insert_nsip_trigger(r, policydname, policydnamelen, + a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, + rr_len); + free(policydname); + } else if(t == RPZ_NSDNAME_TRIGGER) { + rpz_insert_nsdname_trigger(r, policydname, policydnamelen, + a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, + rr_len); + free(policydname); + } else { + free(policydname); + verbose(VERB_ALGO, "rpz: skipping unsupported trigger: %s", rpz_trigger_to_string(t)); } return 1; 
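Review bot: The new client-ip, nsip and nsdname branches discard the result of their insert call and rpz_insert_rr still returns 1, so a rule that fails to parse or to allocate is reported to the caller as loaded. rpz_insert_clientip_trigger() and rpz_insert_nsip_trigger() return 0 on failure with only a VERB_ALGO message (the return type of rpz_insert_nsdname_trigger() is not visible here), which leaves an operator unaware that part of the policy is not being enforced. Consider keeping the result and reporting it at error level in each branch, e.g. `if(!rpz_insert_clientip_trigger(...)) log_err("rpz: client-ip trigger not inserted");`. The existing response-ip branch follows the same pattern, and the function body starts outside this hunk.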
@@ -669,18 +1092,18 @@ rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname, /** * Find RPZ local-zone by qname. - * @param r: rpz containing local-zone tree + * @param zones: local-zone tree * @param qname: qname * @param qname_len: length of qname * @param qclass: qclass - * @param only_exact: if 1 only excact (non wildcard) matches are returned + * @param only_exact: if 1 only exact (non wildcard) matches are returned * @param wr: get write lock for local-zone if 1, read lock if 0 * @param zones_keep_lock: if set do not release the r->local_zones lock, this * makes the caller of this function responsible for releasing the lock. * @return: NULL or local-zone holding rd or wr lock */ static struct local_zone* -rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass, +rpz_find_zone(struct local_zones* zones, uint8_t* qname, size_t qname_len, uint16_t qclass, int only_exact, int wr, int zones_keep_lock) { uint8_t* ce; @@ -689,16 +1112,19 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass, uint8_t wc[LDNS_MAX_DOMAINLEN+1]; int exact; struct local_zone* z = NULL; + if(wr) { - lock_rw_wrlock(&r->local_zones->lock); + lock_rw_wrlock(&zones->lock); } else { - lock_rw_rdlock(&r->local_zones->lock); + lock_rw_rdlock(&zones->lock); } - z = local_zones_find_le(r->local_zones, qname, qname_len, + z = local_zones_find_le(zones, qname, qname_len, dname_count_labels(qname), LDNS_RR_CLASS_IN, &exact); if(!z || (only_exact && !exact)) { - lock_rw_unlock(&r->local_zones->lock); + if(!zones_keep_lock) { + lock_rw_unlock(&zones->lock); + } return NULL; } if(wr) { @@ -707,7 +1133,7 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass, lock_rw_rdlock(&z->lock); } if(!zones_keep_lock) { - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&zones->lock); } if(exact) 
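Review bot: With the new `if(!zones_keep_lock)` guard on the first not-found path, rpz_find_zone returns NULL while still holding `zones->lock` when zones_keep_lock is set, whereas the removed line unlocked unconditionally. The other NULL returns of this function (the `!ce`, `ce_len+2 > sizeof(wc)` and wildcard `!z || !exact` paths in the following hunks) all release that lock, and the visible caller rpz_remove_qname_trigger returns on `!z` right after its verbose() call without unlocking, so a remove for a name that is not present would appear to leave the write lock held. Restoring the unconditional `lock_rw_unlock(&zones->lock);` before `return NULL;` keeps the rule that a NULL return holds no lock. The doc comment could state that rule and no longer mention `r->local_zones`, e.g. `@param zones_keep_lock: if set, zones->lock stays held on a non-NULL return and the caller must release it`.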
@@ -721,7 +1147,7 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass, if(!ce /* should not happen */) { lock_rw_unlock(&z->lock); if(zones_keep_lock) { - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&zones->lock); } return NULL; } @@ -729,7 +1155,7 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass, if(ce_len+2 > sizeof(wc)) { lock_rw_unlock(&z->lock); if(zones_keep_lock) { - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&zones->lock); } return NULL; } @@ -740,15 +1166,15 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass, if(!zones_keep_lock) { if(wr) { - lock_rw_wrlock(&r->local_zones->lock); + lock_rw_wrlock(&zones->lock); } else { - lock_rw_rdlock(&r->local_zones->lock); + lock_rw_rdlock(&zones->lock); } } - z = local_zones_find_le(r->local_zones, wc, + z = local_zones_find_le(zones, wc, ce_len+2, ce_labs+1, qclass, &exact); if(!z || !exact) { - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&zones->lock); return NULL; } if(wr) { @@ -757,7 +1183,7 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass, lock_rw_rdlock(&z->lock); } if(!zones_keep_lock) { - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&zones->lock); } return z; } @@ -766,7 +1192,7 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass, * Remove RR from RPZ's local-data * @param z: local-zone for RPZ, holding write lock * @param policydname: dname of RR to remove - * @param policydnamelen: lenth of policydname + * @param policydnamelen: length of policydname * @param rr_type: RR type of RR to remove * @param rdata: rdata of RR to remove * @param rdatalen: length of rdata 
@@ -852,10 +1278,10 @@ rpz_remove_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, { struct local_zone* z; int delete_zone = 1; - z = rpz_find_zone(r, dname, dnamelen, rr_class, + z = rpz_find_zone(r->local_zones, dname, dnamelen, rr_class, 1 /* only exact */, 1 /* wr lock */, 1 /* keep lock*/); if(!z) { - verbose(VERB_ALGO, "RPZ: cannot remove RR from IXFR, " + verbose(VERB_ALGO, "rpz: cannot remove RR from IXFR, " "RPZ domain not found"); return; } @@ -891,7 +1317,7 @@ rpz_remove_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, lock_rw_wrlock(&r->respip_set->lock); if(!(node = (struct resp_addr*)addr_tree_find( &r->respip_set->ip_tree, &addr, addrlen, net))) { - verbose(VERB_ALGO, "RPZ: cannot remove RR from IXFR, " + verbose(VERB_ALGO, "rpz: cannot remove RR from IXFR, " "RPZ domain not found"); lock_rw_unlock(&r->respip_set->lock); return; 
@@ -944,118 +1370,1030 @@ rpz_remove_rr(struct rpz* r, size_t aznamelen, uint8_t* dname, size_t dnamelen, /** print log information for an applied RPZ policy. Based on local-zone's * lz_inform_print(). + * The repinfo contains the reply address. If it is NULL, the module + * state is used to report the first IP address (if any). + * The dname is used, for the applied rpz, if NULL, addrnode is used. */ static void -log_rpz_apply(uint8_t* dname, enum rpz_action a, struct query_info* qinfo, - struct comm_reply* repinfo, char* log_name) +log_rpz_apply(char* trigger, uint8_t* dname, struct addr_tree_node* addrnode, + enum rpz_action a, struct query_info* qinfo, + struct comm_reply* repinfo, struct module_qstate* ms, char* log_name) { - char ip[128], txt[512]; + char ip[128], txt[512], portstr[32]; char dnamestr[LDNS_MAX_DOMAINLEN+1]; - uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port); - dname_str(dname, dnamestr); - addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip)); - if(log_name) - snprintf(txt, sizeof(txt), "RPZ applied [%s] %s %s %s@%u", - log_name, dnamestr, rpz_action_to_string(a), ip, - (unsigned)port); - else - snprintf(txt, sizeof(txt), "RPZ applied %s %s %s@%u", - dnamestr, rpz_action_to_string(a), ip, (unsigned)port); + uint16_t port = 0; + if(dname) { + dname_str(dname, dnamestr); + } else if(addrnode) { + char addrbuf[128]; + addr_to_str(&addrnode->addr, addrnode->addrlen, addrbuf, sizeof(addrbuf)); + snprintf(dnamestr, sizeof(dnamestr), "%s/%d", addrbuf, addrnode->net); + } else { + dnamestr[0]=0; + } + if(repinfo) { + addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip)); + port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port); + } else if(ms && ms->mesh_info && ms->mesh_info->reply_list) { + addr_to_str(&ms->mesh_info->reply_list->query_reply.addr, ms->mesh_info->reply_list->query_reply.addrlen, ip, sizeof(ip)); + port = ntohs(((struct sockaddr_in*)&ms->mesh_info->reply_list->query_reply.addr)->sin_port); 
+ } else { + ip[0]=0; + port = 0; + } + snprintf(portstr, sizeof(portstr), "@%u", (unsigned)port); + snprintf(txt, sizeof(txt), "rpz: applied %s%s%s%s%s%s %s %s%s", + (log_name?"[":""), (log_name?log_name:""), (log_name?"] ":""), + (strcmp(trigger,"qname")==0?"":trigger), + (strcmp(trigger,"qname")==0?"":" "), + dnamestr, rpz_action_to_string(a), + (ip[0]?ip:""), (ip[0]?portstr:"")); log_nametypeclass(0, txt, qinfo->qname, qinfo->qtype, qinfo->qclass); } -int -rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env, - struct query_info* qinfo, struct edns_data* edns, sldns_buffer* buf, - struct regional* temp, struct comm_reply* repinfo, - uint8_t* taglist, size_t taglen, struct ub_server_stats* stats) +static struct clientip_synthesized_rr* +rpz_ipbased_trigger_lookup(struct clientip_synthesized_rrset* set, + struct sockaddr_storage* addr, socklen_t addrlen, char* triggername) { + struct clientip_synthesized_rr* raddr = NULL; + enum rpz_action action = RPZ_INVALID_ACTION; + + lock_rw_rdlock(&set->lock); + + raddr = (struct clientip_synthesized_rr*)addr_tree_lookup(&set->entries, + addr, addrlen); + if(raddr != NULL) { + lock_rw_rdlock(&raddr->lock); + action = raddr->action; + if(verbosity >= VERB_ALGO) { + char ip[256], net[256]; + addr_to_str(addr, addrlen, ip, sizeof(ip)); + addr_to_str(&raddr->node.addr, raddr->node.addrlen, + net, sizeof(net)); + verbose(VERB_ALGO, "rpz: trigger %s %s/%d on %s action=%s", + triggername, net, raddr->node.net, ip, rpz_action_to_string(action)); + } + } + lock_rw_unlock(&set->lock); + + return raddr; +} + +static inline +struct clientip_synthesized_rr* +rpz_resolve_client_action_and_zone(struct auth_zones* az, struct query_info* qinfo, + struct comm_reply* repinfo, uint8_t* taglist, size_t taglen, + struct ub_server_stats* stats, + /* output parameters */ + struct local_zone** z_out, struct auth_zone** a_out, struct rpz** r_out) +{ + struct clientip_synthesized_rr* node = NULL; + struct auth_zone* a = NULL; struct 
rpz* r = NULL; - struct auth_zone* a; - int ret; - enum localzone_type lzt; struct local_zone* z = NULL; - struct local_data* ld = NULL; + lock_rw_rdlock(&az->rpz_lock); + for(a = az->rpz_first; a; a = a->rpz_az_next) { lock_rw_rdlock(&a->lock); r = a->rpz; - if(!r->disabled && (!r->taglist || taglist_intersect(r->taglist, - r->taglistlen, taglist, taglen))) { - z = rpz_find_zone(r, qinfo->qname, qinfo->qname_len, - qinfo->qclass, 0, 0, 0); - if(z && r->action_override == RPZ_DISABLED_ACTION) { - if(r->log) - log_rpz_apply(z->name, - r->action_override, - qinfo, repinfo, r->log_name); - /* TODO only register stats when stats_extended? - * */ - stats->rpz_action[r->action_override]++; + if(r->disabled) { + lock_rw_unlock(&a->lock); + continue; + } + if(r->taglist && !taglist_intersect(r->taglist, + r->taglistlen, taglist, taglen)) { + lock_rw_unlock(&a->lock); + continue; + } + z = rpz_find_zone(r->local_zones, qinfo->qname, qinfo->qname_len, + qinfo->qclass, 0, 0, 0); + node = rpz_ipbased_trigger_lookup(r->client_set, &repinfo->addr, repinfo->addrlen, "clientip"); + if((z || node) && r->action_override == RPZ_DISABLED_ACTION) { + if(r->log) + log_rpz_apply((node?"clientip":"qname"), + (z?z->name:NULL), + (node?&node->node:NULL), + r->action_override, + qinfo, repinfo, NULL, r->log_name); + stats->rpz_action[r->action_override]++; + if(z != NULL) { lock_rw_unlock(&z->lock); z = NULL; } - if(z) - break; + if(node != NULL) { + lock_rw_unlock(&node->lock); + node = NULL; + } } - lock_rw_unlock(&a->lock); /* not found in this auth_zone */ + if(z || node) { + break; + } + /* not found in this auth_zone */ + lock_rw_unlock(&a->lock); } + lock_rw_unlock(&az->rpz_lock); - if(!z) - return 0; /* not holding auth_zone.lock anymore */ - log_assert(r); - if(r->action_override == RPZ_NO_OVERRIDE_ACTION) - lzt = z->type; - else - lzt = rpz_action_to_localzone_type(r->action_override); + *r_out = r; + *a_out = a; + *z_out = z; + return node; +} + +static inline int 
+rpz_is_udp_query(struct comm_reply* repinfo) { + return repinfo != NULL + ? (repinfo->c != NULL + ? repinfo->c->type == comm_udp + : 0) + : 0; +} + +/** encode answer consisting of 1 rrset */ +static int +rpz_local_encode(struct module_env* env, struct query_info* qinfo, + struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, + struct regional* temp, struct ub_packed_rrset_key* rrset, int ansec, + int rcode, struct ub_packed_rrset_key* soa_rrset) +{ + struct reply_info rep; + uint16_t udpsize; + struct ub_packed_rrset_key* rrsetlist[3]; + + memset(&rep, 0, sizeof(rep)); + rep.flags = (uint16_t)((BIT_QR | BIT_AA | BIT_RA) | rcode); + rep.qdcount = 1; + rep.rrset_count = ansec; + rep.rrsets = rrsetlist; + if(ansec > 0) { + rep.an_numrrsets = 1; + rep.rrsets[0] = rrset; + rep.ttl = ((struct packed_rrset_data*)rrset->entry.data)->rr_ttl[0]; + } + if(soa_rrset != NULL) { + rep.ar_numrrsets = 1; + rep.rrsets[rep.rrset_count] = soa_rrset; + rep.rrset_count ++; + if(rep.ttl < ((struct packed_rrset_data*)soa_rrset->entry.data)->rr_ttl[0]) { + rep.ttl = ((struct packed_rrset_data*)soa_rrset->entry.data)->rr_ttl[0]; + } + } + + udpsize = edns->udp_size; + edns->edns_version = EDNS_ADVERTISED_VERSION; + edns->udp_size = EDNS_ADVERTISED_SIZE; + edns->ext_rcode = 0; + edns->bits &= EDNS_DO; + if(!inplace_cb_reply_local_call(env, qinfo, NULL, &rep, rcode, edns, + repinfo, temp, env->now_tv) || + !reply_info_answer_encode(qinfo, &rep, + *(uint16_t*)sldns_buffer_begin(buf), sldns_buffer_read_u16_at(buf, 2), + buf, 0, 0, temp, udpsize, edns, (int)(edns->bits&EDNS_DO), 0)) { + error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo, + *(uint16_t*)sldns_buffer_begin(buf), + sldns_buffer_read_u16_at(buf, 2), edns); + } + + return 1; +} + +static struct local_rrset* +rpz_find_synthesized_rrset(int qtype, struct clientip_synthesized_rr* data) { + struct local_rrset* cursor = data->data; + while( cursor != NULL) { + struct packed_rrset_key* packed_rrset = 
&cursor->rrset->rk; + if(htons(qtype) == packed_rrset->type) { + return cursor; + } + cursor = cursor->next; + } + return NULL; +} + +/** allocate SOA record ubrrsetkey in region */ +static struct ub_packed_rrset_key* +make_soa_ubrrset(struct auth_zone* auth_zone, struct auth_rrset* soa, + struct regional* temp) +{ + struct ub_packed_rrset_key csoa; + if(!soa) + return NULL; + memset(&csoa, 0, sizeof(csoa)); + csoa.entry.key = &csoa; + csoa.rk.rrset_class = htons(LDNS_RR_CLASS_IN); + csoa.rk.type = htons(LDNS_RR_TYPE_SOA); + csoa.rk.flags |= PACKED_RRSET_FIXEDTTL + | PACKED_RRSET_RPZ; + csoa.rk.dname = auth_zone->name; + csoa.rk.dname_len = auth_zone->namelen; + csoa.entry.hash = rrset_key_hash(&csoa.rk); + csoa.entry.data = soa->data; + return respip_copy_rrset(&csoa, temp); +} + +static void +rpz_apply_clientip_localdata_action(struct clientip_synthesized_rr* raddr, + struct module_env* env, struct query_info* qinfo, + struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, + struct regional* temp, struct auth_zone* auth_zone) +{ + struct local_rrset* rrset; + enum rpz_action action = RPZ_INVALID_ACTION; + struct ub_packed_rrset_key* rp = NULL; + struct ub_packed_rrset_key* rsoa = NULL; + int rcode = LDNS_RCODE_NOERROR|BIT_AA; + int rrset_count = 1; + + /* prepare synthesized answer for client */ + action = raddr->action; + if(action == RPZ_LOCAL_DATA_ACTION && raddr->data == NULL ) { + verbose(VERB_ALGO, "rpz: bug: local-data action but no local data"); + return; + } + + /* check query type / rr type */ + rrset = rpz_find_synthesized_rrset(qinfo->qtype, raddr); + if(rrset == NULL) { + verbose(VERB_ALGO, "rpz: unable to find local-data for query"); + rrset_count = 0; + goto nodata; + } + + rp = respip_copy_rrset(rrset->rrset, temp); + if(!rp) { + verbose(VERB_ALGO, "rpz: local data action: out of memory"); + return; + } + + rp->rk.flags |= PACKED_RRSET_FIXEDTTL | PACKED_RRSET_RPZ; + rp->rk.dname = qinfo->qname; + rp->rk.dname_len = 
qinfo->qname_len; + rp->entry.hash = rrset_key_hash(&rp->rk); +nodata: + if(auth_zone) { + struct auth_rrset* soa = NULL; + soa = auth_zone_get_soa_rrset(auth_zone); + if(soa) { + rsoa = make_soa_ubrrset(auth_zone, soa, temp); + if(!rsoa) { + verbose(VERB_ALGO, "rpz: local data action soa: out of memory"); + return; + } + } + } + + rpz_local_encode(env, qinfo, edns, repinfo, buf, temp, rp, + rrset_count, rcode, rsoa); +} + +/** add additional section SOA record to the reply. + * Since this gets fed into the normal iterator answer creation, it + * gets minimal-responses applied to it, that can remove the additional SOA + * again. */ +static int +rpz_add_soa(struct reply_info* rep, struct module_qstate* ms, + struct auth_zone* az) +{ + struct auth_rrset* soa = NULL; + struct ub_packed_rrset_key* rsoa = NULL; + struct ub_packed_rrset_key** prevrrsets; + if(!az) return 1; + soa = auth_zone_get_soa_rrset(az); + if(!soa) return 1; + if(!rep) return 0; + rsoa = make_soa_ubrrset(az, soa, ms->region); + if(!rsoa) return 0; + prevrrsets = rep->rrsets; + rep->rrsets = regional_alloc_zero(ms->region, + sizeof(*rep->rrsets)*(rep->rrset_count+1)); + if(!rep->rrsets) + return 0; + if(prevrrsets && rep->rrset_count > 0) + memcpy(rep->rrsets, prevrrsets, rep->rrset_count*sizeof(*rep->rrsets)); + rep->rrset_count++; + rep->ar_numrrsets++; + rep->rrsets[rep->rrset_count-1] = rsoa; + return 1; +} + +static inline struct dns_msg* +rpz_dns_msg_new(struct regional* region) +{ + struct dns_msg* msg = + (struct dns_msg*)regional_alloc(region, + sizeof(struct dns_msg)); + if(msg == NULL) { return NULL; } + memset(msg, 0, sizeof(struct dns_msg)); + + return msg; +} + +static inline struct dns_msg* +rpz_synthesize_nodata(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms, + struct query_info* qinfo, struct auth_zone* az) +{ + struct dns_msg* msg = rpz_dns_msg_new(ms->region); + if(msg == NULL) { return msg; } + msg->qinfo = *qinfo; + msg->rep = construct_reply_info_base(ms->region, + 
LDNS_RCODE_NOERROR | BIT_QR | BIT_AA | BIT_RA, + 1, /* qd */ + 0, /* ttl */ + 0, /* prettl */ + 0, /* expttl */ + 0, /* an */ + 0, /* ns */ + 0, /* ar */ + 0, /* total */ + sec_status_insecure); + if(msg->rep) + msg->rep->authoritative = 1; + if(!rpz_add_soa(msg->rep, ms, az)) + return NULL; + return msg; +} + +static inline struct dns_msg* +rpz_synthesize_nxdomain(struct rpz* r, struct module_qstate* ms, + struct query_info* qinfo, struct auth_zone* az) +{ + struct dns_msg* msg = rpz_dns_msg_new(ms->region); + uint16_t flags; + if(msg == NULL) { return msg; } + msg->qinfo = *qinfo; + flags = LDNS_RCODE_NXDOMAIN | BIT_QR | BIT_AA | BIT_RA; + if(r->signal_nxdomain_ra) + flags &= ~BIT_RA; + msg->rep = construct_reply_info_base(ms->region, + flags, + 1, /* qd */ + 0, /* ttl */ + 0, /* prettl */ + 0, /* expttl */ + 0, /* an */ + 0, /* ns */ + 0, /* ar */ + 0, /* total */ + sec_status_insecure); + if(msg->rep) + msg->rep->authoritative = 1; + if(!rpz_add_soa(msg->rep, ms, az)) + return NULL; + return msg; +} + +static inline struct dns_msg* +rpz_synthesize_localdata_from_rrset(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms, + struct query_info* qi, struct local_rrset* rrset, struct auth_zone* az) +{ + struct dns_msg* msg = NULL; + struct reply_info* new_reply_info; + struct ub_packed_rrset_key* rp; + + + msg = rpz_dns_msg_new(ms->region); + if(msg == NULL) { return NULL; } + + new_reply_info = construct_reply_info_base(ms->region, + LDNS_RCODE_NOERROR | BIT_QR | BIT_AA | BIT_RA, + 1, /* qd */ + 0, /* ttl */ + 0, /* prettl */ + 0, /* expttl */ + 1, /* an */ + 0, /* ns */ + 0, /* ar */ + 1, /* total */ + sec_status_insecure); + if(new_reply_info == NULL) { + log_err("out of memory"); + return NULL; + } + new_reply_info->authoritative = 1; + rp = respip_copy_rrset(rrset->rrset, ms->region); + if(rp == NULL) { + log_err("out of memory"); + return NULL; + } + rp->rk.dname = qi->qname; + rp->rk.dname_len = qi->qname_len; + /* this rrset is from the rpz data, or 
synthesized. + * It is not actually from the network, so we flag it with this + * flags as a fake RRset. If later the cache is used to look up + * rrsets, then the fake ones are not returned (if you look without + * the flag). For like CNAME lookups from the iterator or A, AAAA + * lookups for nameserver targets, it would use the without flag + * actual data. So that the actual network data and fake data + * are kept track of separately. */ + rp->rk.flags |= PACKED_RRSET_RPZ; + new_reply_info->rrsets[0] = rp; + msg->rep = new_reply_info; + if(!rpz_add_soa(msg->rep, ms, az)) + return NULL; + return msg; +} + +static inline struct dns_msg* +rpz_synthesize_nsip_localdata(struct rpz* r, struct module_qstate* ms, + struct clientip_synthesized_rr* data, struct auth_zone* az) +{ + struct query_info* qi = &ms->qinfo; + struct local_rrset* rrset; + + rrset = rpz_find_synthesized_rrset(qi->qtype, data); + if(rrset == NULL) { + verbose(VERB_ALGO, "rpz: nsip: no matching local data found"); + return NULL; + } + + return rpz_synthesize_localdata_from_rrset(r, ms, &ms->qinfo, rrset, az); +} + +/* copy'n'paste from localzone.c */ +static struct local_rrset* +local_data_find_type(struct local_data* data, uint16_t type, int alias_ok) +{ + struct local_rrset* p; + type = htons(type); + for(p = data->rrsets; p; p = p->next) { + if(p->rrset->rk.type == type) + return p; + if(alias_ok && p->rrset->rk.type == htons(LDNS_RR_TYPE_CNAME)) + return p; + } + return NULL; +} + +/* based on localzone.c:local_data_answer() */ +static inline struct dns_msg* +rpz_synthesize_nsdname_localdata(struct rpz* r, struct module_qstate* ms, + struct local_zone* z, struct matched_delegation_point const* match, + struct auth_zone* az) +{ + struct local_data key; + struct local_data* ld; + struct local_rrset* rrset; + + if(match->dname == NULL) { return NULL; } + + key.node.key = &key; + key.name = match->dname; + key.namelen = match->dname_len; + key.namelabs = dname_count_labels(match->dname); + + 
rpz_log_dname("nsdname local data", key.name, key.namelen); + + ld = (struct local_data*)rbtree_search(&z->data, &key.node); + if(ld == NULL) { + verbose(VERB_ALGO, "rpz: nsdname: impossible: qname not found"); + return NULL; + } + + rrset = local_data_find_type(ld, ms->qinfo.qtype, 1); + if(rrset == NULL) { + verbose(VERB_ALGO, "rpz: nsdname: no matching local data found"); + return NULL; + } + + return rpz_synthesize_localdata_from_rrset(r, ms, &ms->qinfo, rrset, az); +} + +/* like local_data_answer for qname triggers after a cname */ +static struct dns_msg* +rpz_synthesize_qname_localdata_msg(struct rpz* r, struct module_qstate* ms, + struct query_info* qinfo, struct local_zone* z, struct auth_zone* az) +{ + struct local_data key; + struct local_data* ld; + struct local_rrset* rrset; + key.node.key = &key; + key.name = qinfo->qname; + key.namelen = qinfo->qname_len; + key.namelabs = dname_count_labels(qinfo->qname); + ld = (struct local_data*)rbtree_search(&z->data, &key.node); + if(ld == NULL) { + verbose(VERB_ALGO, "rpz: qname after cname: name not found"); + return NULL; + } + rrset = local_data_find_type(ld, qinfo->qtype, 1); + if(rrset == NULL) { + verbose(VERB_ALGO, "rpz: qname after cname: type not found"); + return NULL; + } + return rpz_synthesize_localdata_from_rrset(r, ms, qinfo, rrset, az); +} + +static int +rpz_synthesize_qname_localdata(struct module_env* env, struct rpz* r, + struct local_zone* z, enum localzone_type lzt, struct query_info* qinfo, + struct edns_data* edns, sldns_buffer* buf, struct regional* temp, + struct comm_reply* repinfo, struct ub_server_stats* stats) +{ + struct local_data* ld = NULL; + int ret = 0; if(r->action_override == RPZ_CNAME_OVERRIDE_ACTION) { - qinfo->local_alias = - regional_alloc_zero(temp, sizeof(struct local_rrset)); - if(!qinfo->local_alias) { - lock_rw_unlock(&z->lock); - lock_rw_unlock(&a->lock); + qinfo->local_alias = regional_alloc_zero(temp, sizeof(struct local_rrset)); + if(qinfo->local_alias == NULL) { 
return 0; /* out of memory */ } - qinfo->local_alias->rrset = - regional_alloc_init(temp, r->cname_override, - sizeof(*r->cname_override)); - if(!qinfo->local_alias->rrset) { - lock_rw_unlock(&z->lock); - lock_rw_unlock(&a->lock); + qinfo->local_alias->rrset = regional_alloc_init(temp, r->cname_override, + sizeof(*r->cname_override)); + if(qinfo->local_alias->rrset == NULL) { return 0; /* out of memory */ } qinfo->local_alias->rrset->rk.dname = qinfo->qname; qinfo->local_alias->rrset->rk.dname_len = qinfo->qname_len; - if(r->log) - log_rpz_apply(z->name, RPZ_CNAME_OVERRIDE_ACTION, - qinfo, repinfo, r->log_name); + if(r->log) { + log_rpz_apply("qname", z->name, NULL, RPZ_CNAME_OVERRIDE_ACTION, + qinfo, repinfo, NULL, r->log_name); + } stats->rpz_action[RPZ_CNAME_OVERRIDE_ACTION]++; - lock_rw_unlock(&z->lock); - lock_rw_unlock(&a->lock); return 0; } if(lzt == local_zone_redirect && local_data_answer(z, env, qinfo, edns, repinfo, buf, temp, dname_count_labels(qinfo->qname), &ld, lzt, -1, NULL, 0, NULL, 0)) { - if(r->log) - log_rpz_apply(z->name, + if(r->log) { + log_rpz_apply("qname", z->name, NULL, localzone_type_to_rpz_action(lzt), qinfo, - repinfo, r->log_name); + repinfo, NULL, r->log_name); + } stats->rpz_action[localzone_type_to_rpz_action(lzt)]++; - lock_rw_unlock(&z->lock); - lock_rw_unlock(&a->lock); return !qinfo->local_alias; } ret = local_zones_zone_answer(z, env, qinfo, edns, repinfo, buf, temp, 0 /* no local data used */, lzt); - if(r->log) - log_rpz_apply(z->name, localzone_type_to_rpz_action(lzt), - qinfo, repinfo, r->log_name); + if(r->signal_nxdomain_ra && LDNS_RCODE_WIRE(sldns_buffer_begin(buf)) + == LDNS_RCODE_NXDOMAIN) + LDNS_RA_CLR(sldns_buffer_begin(buf)); + if(r->log) { + log_rpz_apply("qname", z->name, NULL, localzone_type_to_rpz_action(lzt), + qinfo, repinfo, NULL, r->log_name); + } stats->rpz_action[localzone_type_to_rpz_action(lzt)]++; + return ret; +} + +static struct clientip_synthesized_rr* 
+rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz, struct iter_qstate* is) +{ + struct delegpt_addr* cursor; + struct clientip_synthesized_rr* action = NULL; + if(is->dp == NULL) { return NULL; } + for(cursor = is->dp->target_list; + cursor != NULL; + cursor = cursor->next_target) { + if(cursor->bogus) { continue; } + action = rpz_ipbased_trigger_lookup(rpz->ns_set, &cursor->addr, + cursor->addrlen, "nsip"); + if(action != NULL) { return action; } + } + return NULL; +} + +static struct dns_msg* +rpz_apply_nsip_trigger(struct module_qstate* ms, struct rpz* r, + struct clientip_synthesized_rr* raddr, struct auth_zone* az) +{ + enum rpz_action action = raddr->action; + struct dns_msg* ret = NULL; + + if(r->action_override != RPZ_NO_OVERRIDE_ACTION) { + verbose(VERB_ALGO, "rpz: using override action=%s (replaces=%s)", + rpz_action_to_string(r->action_override), rpz_action_to_string(action)); + action = r->action_override; + } + + if(action == RPZ_LOCAL_DATA_ACTION && raddr->data == NULL) { + verbose(VERB_ALGO, "rpz: bug: nsip local data action but no local data"); + ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); + goto done; + } + + switch(action) { + case RPZ_NXDOMAIN_ACTION: + ret = rpz_synthesize_nxdomain(r, ms, &ms->qinfo, az); + break; + case RPZ_NODATA_ACTION: + ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); + break; + case RPZ_TCP_ONLY_ACTION: + /* basically a passthru here but the tcp-only will be + * honored before the query gets sent. 
*/ + ms->respip_action_info->action = respip_truncate; + ret = NULL; + break; + case RPZ_DROP_ACTION: + ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); + ms->is_drop = 1; + break; + case RPZ_LOCAL_DATA_ACTION: + ret = rpz_synthesize_nsip_localdata(r, ms, raddr, az); + if(ret == NULL) { ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); } + break; + case RPZ_PASSTHRU_ACTION: + ret = NULL; + ms->rpz_passthru = 1; + break; + default: + verbose(VERB_ALGO, "rpz: nsip: bug: unhandled or invalid action: '%s'", + rpz_action_to_string(action)); + ret = NULL; + } + +done: + if(r->log) + log_rpz_apply("nsip", NULL, &raddr->node, + action, &ms->qinfo, NULL, ms, r->log_name); + if(ms->env->worker) + ms->env->worker->stats.rpz_action[action]++; + lock_rw_unlock(&raddr->lock); + return ret; +} + +static struct dns_msg* +rpz_apply_nsdname_trigger(struct module_qstate* ms, struct rpz* r, + struct local_zone* z, struct matched_delegation_point const* match, + struct auth_zone* az) +{ + struct dns_msg* ret = NULL; + enum rpz_action action = localzone_type_to_rpz_action(z->type); + + if(r->action_override != RPZ_NO_OVERRIDE_ACTION) { + verbose(VERB_ALGO, "rpz: using override action=%s (replaces=%s)", + rpz_action_to_string(r->action_override), rpz_action_to_string(action)); + action = r->action_override; + } + + switch(action) { + case RPZ_NXDOMAIN_ACTION: + ret = rpz_synthesize_nxdomain(r, ms, &ms->qinfo, az); + break; + case RPZ_NODATA_ACTION: + ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); + break; + case RPZ_TCP_ONLY_ACTION: + /* basically a passthru here but the tcp-only will be + * honored before the query gets sent. 
*/ + ms->respip_action_info->action = respip_truncate; + ret = NULL; + break; + case RPZ_DROP_ACTION: + ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); + ms->is_drop = 1; + break; + case RPZ_LOCAL_DATA_ACTION: + ret = rpz_synthesize_nsdname_localdata(r, ms, z, match, az); + if(ret == NULL) { ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); } + break; + case RPZ_PASSTHRU_ACTION: + ret = NULL; + ms->rpz_passthru = 1; + break; + default: + verbose(VERB_ALGO, "rpz: nsip: bug: unhandled or invalid action: '%s'", + rpz_action_to_string(action)); + ret = NULL; + } + + if(r->log) + log_rpz_apply("nsdname", match->dname, NULL, + action, &ms->qinfo, NULL, ms, r->log_name); + if(ms->env->worker) + ms->env->worker->stats.rpz_action[action]++; + lock_rw_unlock(&z->lock); + return ret; +} + +static struct local_zone* +rpz_delegation_point_zone_lookup(struct delegpt* dp, struct local_zones* zones, + uint16_t qclass, + /* output parameter */ + struct matched_delegation_point* match) +{ + struct delegpt_ns* nameserver; + struct local_zone* z = NULL; + + /* the rpz specs match the nameserver names (NS records), not the + * name of the delegation point itself, to the nsdname triggers */ + for(nameserver = dp->nslist; + nameserver != NULL; + nameserver = nameserver->next) { + z = rpz_find_zone(zones, nameserver->name, nameserver->namelen, + qclass, 0, 0, 0); + if(z != NULL) { + match->dname = nameserver->name; + match->dname_len = nameserver->namelen; + if(verbosity >= VERB_ALGO) { + char nm[255+1], zn[255+1]; + dname_str(match->dname, nm); + dname_str(z->name, zn); + if(strcmp(nm, zn) != 0) + verbose(VERB_ALGO, "rpz: trigger nsdname %s on %s action=%s", + zn, nm, rpz_action_to_string(localzone_type_to_rpz_action(z->type))); + else + verbose(VERB_ALGO, "rpz: trigger nsdname %s action=%s", + nm, rpz_action_to_string(localzone_type_to_rpz_action(z->type))); + } + break; + } + } + + return z; +} + +struct dns_msg* +rpz_callback_from_iterator_module(struct module_qstate* ms, struct 
iter_qstate* is) +{ + struct auth_zones* az; + struct auth_zone* a; + struct clientip_synthesized_rr* raddr = NULL; + struct rpz* r = NULL; + struct local_zone* z = NULL; + struct matched_delegation_point match = {0}; + + if(ms->rpz_passthru) { + verbose(VERB_ALGO, "query is rpz_passthru, no further processing"); + return NULL; + } + + if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; } + + az = ms->env->auth_zones; + + verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d", az->rpz_first != NULL); + + lock_rw_rdlock(&az->rpz_lock); + + /* precedence of RPZ works, loosely, like this: + * CNAMEs in order of the CNAME chain. rpzs in the order they are + * configured. In an RPZ: first client-IP addr, then QNAME, then + * response IP, then NSDNAME, then NSIP. Longest match first. Smallest + * one from a set. */ + /* we use the precedence rules for the topics and triggers that + * are pertinent at this stage of the resolve processing */ + for(a = az->rpz_first; a != NULL; a = a->rpz_az_next) { + lock_rw_rdlock(&a->lock); + r = a->rpz; + if(r->disabled) { + lock_rw_unlock(&a->lock); + continue; + } + + /* the nsdname has precedence over the nsip triggers */ + z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones, + ms->qinfo.qclass, &match); + if(z != NULL) { + lock_rw_unlock(&a->lock); + break; + } + + raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is); + if(raddr != NULL) { + lock_rw_unlock(&a->lock); + break; + } + lock_rw_unlock(&a->lock); + } + + lock_rw_unlock(&az->rpz_lock); + + if(raddr == NULL && z == NULL) { return NULL; } + else if(raddr != NULL) { + if(z) { + lock_rw_unlock(&z->lock); + } + return rpz_apply_nsip_trigger(ms, r, raddr, a); + } else if(z != NULL) { + if(raddr) { + lock_rw_unlock(&raddr->lock); + } + return rpz_apply_nsdname_trigger(ms, r, z, &match, a); + } else { return NULL; } +} + +struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms, + struct iter_qstate* is) +{ + struct auth_zones* 
az; + struct auth_zone* a = NULL; + struct rpz* r = NULL; + struct local_zone* z = NULL; + enum localzone_type lzt; + struct dns_msg* ret = NULL; + + if(ms->rpz_passthru) { + verbose(VERB_ALGO, "query is rpz_passthru, no further processing"); + return NULL; + } + + if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; } + az = ms->env->auth_zones; + + lock_rw_rdlock(&az->rpz_lock); + + for(a = az->rpz_first; a; a = a->rpz_az_next) { + lock_rw_rdlock(&a->lock); + r = a->rpz; + if(r->disabled) { + lock_rw_unlock(&a->lock); + continue; + } + z = rpz_find_zone(r->local_zones, is->qchase.qname, + is->qchase.qname_len, is->qchase.qclass, 0, 0, 0); + if(z && r->action_override == RPZ_DISABLED_ACTION) { + if(r->log) + log_rpz_apply("qname", z->name, NULL, + r->action_override, + &ms->qinfo, NULL, ms, r->log_name); + if(ms->env->worker) + ms->env->worker->stats.rpz_action[r->action_override]++; + lock_rw_unlock(&z->lock); + z = NULL; + } + if(z) { + break; + } + /* not found in this auth_zone */ + lock_rw_unlock(&a->lock); + } + lock_rw_unlock(&az->rpz_lock); + + if(z == NULL) + return NULL; + if(r->action_override == RPZ_NO_OVERRIDE_ACTION) { + lzt = z->type; + } else { + lzt = rpz_action_to_localzone_type(r->action_override); + } + + if(verbosity >= VERB_ALGO) { + char nm[255+1], zn[255+1]; + dname_str(is->qchase.qname, nm); + dname_str(z->name, zn); + if(strcmp(zn, nm) != 0) + verbose(VERB_ALGO, "rpz: qname trigger after cname %s on %s, with action=%s", + zn, nm, rpz_action_to_string(localzone_type_to_rpz_action(lzt))); + else + verbose(VERB_ALGO, "rpz: qname trigger after cname %s, with action=%s", + nm, rpz_action_to_string(localzone_type_to_rpz_action(lzt))); + } + switch(localzone_type_to_rpz_action(lzt)) { + case RPZ_NXDOMAIN_ACTION: + ret = rpz_synthesize_nxdomain(r, ms, &is->qchase, a); + break; + case RPZ_NODATA_ACTION: + ret = rpz_synthesize_nodata(r, ms, &is->qchase, a); + break; + case RPZ_TCP_ONLY_ACTION: + /* basically a passthru here but the 
tcp-only will be + * honored before the query gets sent. */ + ms->respip_action_info->action = respip_truncate; + ret = NULL; + break; + case RPZ_DROP_ACTION: + ret = rpz_synthesize_nodata(r, ms, &is->qchase, a); + ms->is_drop = 1; + break; + case RPZ_LOCAL_DATA_ACTION: + ret = rpz_synthesize_qname_localdata_msg(r, ms, &is->qchase, z, a); + if(ret == NULL) { ret = rpz_synthesize_nodata(r, ms, &is->qchase, a); } + break; + case RPZ_PASSTHRU_ACTION: + ret = NULL; + ms->rpz_passthru = 1; + break; + default: + verbose(VERB_ALGO, "rpz: qname trigger after cname: bug: unhandled or invalid action: '%s'", + rpz_action_to_string(localzone_type_to_rpz_action(lzt))); + ret = NULL; + } + lock_rw_unlock(&z->lock); + lock_rw_unlock(&a->lock); + return ret; +} + +static int +rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env, + struct query_info* qinfo, struct edns_data* edns, struct comm_reply* repinfo, + uint8_t* taglist, size_t taglen, struct ub_server_stats* stats, + sldns_buffer* buf, struct regional* temp, + /* output parameters */ + struct local_zone** z_out, struct auth_zone** a_out, struct rpz** r_out, + int* passthru) +{ + int ret = 0; + enum rpz_action client_action; + struct clientip_synthesized_rr* node = rpz_resolve_client_action_and_zone( + az, qinfo, repinfo, taglist, taglen, stats, z_out, a_out, r_out); + + client_action = ((node == NULL) ? 
RPZ_INVALID_ACTION : node->action); + if(client_action == RPZ_PASSTHRU_ACTION) { + *passthru = 1; + } + if(*z_out == NULL || (client_action != RPZ_INVALID_ACTION && + client_action != RPZ_PASSTHRU_ACTION)) { + if(client_action == RPZ_PASSTHRU_ACTION + || client_action == RPZ_INVALID_ACTION + || (client_action == RPZ_TCP_ONLY_ACTION + && !rpz_is_udp_query(repinfo))) { + ret = 0; + goto done; + } + stats->rpz_action[client_action]++; + if(client_action == RPZ_LOCAL_DATA_ACTION) { + rpz_apply_clientip_localdata_action(node, env, qinfo, + edns, repinfo, buf, temp, *a_out); + } else { + if(*r_out && (*r_out)->log) + log_rpz_apply( + (node?"clientip":"qname"), + ((*z_out)?(*z_out)->name:NULL), + (node?&node->node:NULL), + client_action, qinfo, repinfo, NULL, + (*r_out)->log_name); + local_zones_zone_answer(*z_out /*likely NULL, no zone*/, env, qinfo, edns, + repinfo, buf, temp, 0 /* no local data used */, + rpz_action_to_localzone_type(client_action)); + if(*r_out && (*r_out)->signal_nxdomain_ra && + LDNS_RCODE_WIRE(sldns_buffer_begin(buf)) + == LDNS_RCODE_NXDOMAIN) + LDNS_RA_CLR(sldns_buffer_begin(buf)); + } + ret = 1; + goto done; + } + ret = -1; +done: + if(node != NULL) { + lock_rw_unlock(&node->lock); + } + return ret; +} + +int +rpz_callback_from_worker_request(struct auth_zones* az, struct module_env* env, + struct query_info* qinfo, struct edns_data* edns, sldns_buffer* buf, + struct regional* temp, struct comm_reply* repinfo, uint8_t* taglist, + size_t taglen, struct ub_server_stats* stats, int* passthru) +{ + struct rpz* r = NULL; + struct auth_zone* a = NULL; + struct local_zone* z = NULL; + int ret; + enum localzone_type lzt; + + int clientip_trigger = rpz_apply_maybe_clientip_trigger(az, env, qinfo, + edns, repinfo, taglist, taglen, stats, buf, temp, &z, &a, &r, + passthru); + if(clientip_trigger >= 0) { + if(a) { + lock_rw_unlock(&a->lock); + } + if(z) { + lock_rw_unlock(&z->lock); + } + return clientip_trigger; + } + + if(z == NULL) { + if(a) { + 
lock_rw_unlock(&a->lock); + } + return 0; + } + + log_assert(r); + + if(r->action_override == RPZ_NO_OVERRIDE_ACTION) { + lzt = z->type; + } else { + lzt = rpz_action_to_localzone_type(r->action_override); + } + if(r->action_override == RPZ_PASSTHRU_ACTION || + lzt == local_zone_always_transparent /* RPZ_PASSTHRU_ACTION */) { + *passthru = 1; + } + + if(verbosity >= VERB_ALGO) { + char nm[255+1], zn[255+1]; + dname_str(qinfo->qname, nm); + dname_str(z->name, zn); + if(strcmp(zn, nm) != 0) + verbose(VERB_ALGO, "rpz: qname trigger %s on %s with action=%s", + zn, nm, rpz_action_to_string(localzone_type_to_rpz_action(lzt))); + else + verbose(VERB_ALGO, "rpz: qname trigger %s with action=%s", + nm, rpz_action_to_string(localzone_type_to_rpz_action(lzt))); + } + + ret = rpz_synthesize_qname_localdata(env, r, z, lzt, qinfo, edns, buf, temp, + repinfo, stats); + lock_rw_unlock(&z->lock); lock_rw_unlock(&a->lock); diff --git a/services/rpz.h b/services/rpz.h index d5996a6cf..53781197a 100644 --- a/services/rpz.h +++ b/services/rpz.h @@ -50,6 +50,7 @@ #include "sldns/sbuffer.h" #include "daemon/stats.h" #include "respip/respip.h" +struct iter_qstate; /** * RPZ triggers, only the QNAME trigger is currently supported in Unbound. 
@@ -83,6 +84,27 @@ enum rpz_action { RPZ_CNAME_OVERRIDE_ACTION, /* RPZ CNAME action override*/ }; +struct clientip_synthesized_rrset{ + struct regional* region; + struct rbtree_type entries; + lock_rw_type lock; /* lock on the respip tree */ +}; + +struct clientip_synthesized_rr { + /** node in address tree */ + struct addr_tree_node node; + /** lock on the node item */ + lock_rw_type lock; + /** tag bitlist */ + uint8_t* taglist; + /** length of the taglist (in bytes) */ + size_t taglen; + /** action for this address span */ + enum rpz_action action; + /** "local data" for this node */ + struct local_rrset* data; +}; + /** * RPZ containing policies. Pointed to from corresponding auth-zone. Part of a * linked list to keep configuration order. Iterating or changing the linked @@ -92,12 +114,17 @@ enum rpz_action { struct rpz { struct local_zones* local_zones; struct respip_set* respip_set; + struct clientip_synthesized_rrset* client_set; + struct clientip_synthesized_rrset* ns_set; + struct local_zones* nsdname_zones; uint8_t* taglist; size_t taglistlen; enum rpz_action action_override; struct ub_packed_rrset_key* cname_override; int log; char* log_name; + /** signal NXDOMAIN blocked with unset RA flag */ + int signal_nxdomain_ra; struct regional* region; int disabled; }; 
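Review bot: The new `struct clientip_synthesized_rrset` has no doc comment on the struct itself or on `region` and `entries`, and its `lock` comment says "respip tree" although the next hunk uses the type for `client_set` and `ns_set` in `struct rpz`. A wording such as `/** lock on the address tree in entries */` would match that use. The three new `struct rpz` members would each benefit from a one-line `/** ... */` saying which trigger the set serves (presumably client-IP, NSIP and NSDNAME, going by the names).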
@@ -147,14 +174,39 @@ void rpz_remove_rr(struct rpz* r, size_t aznamelen, uint8_t* dname, * @param temp: scratchpad * @param repinfo: reply info * @param taglist: taglist to lookup. - * @param taglen: lenth of taglist. + * @param taglen: length of taglist. * @param stats: worker stats struct + * @param passthru: returns if the query can passthru further rpz processing. * @return: 1 if client answer is ready, 0 to continue resolving */ -int rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env, +int rpz_callback_from_worker_request(struct auth_zones* az, struct module_env* env, struct query_info* qinfo, struct edns_data* edns, sldns_buffer* buf, struct regional* temp, struct comm_reply* repinfo, - uint8_t* taglist, size_t taglen, struct ub_server_stats* stats); + uint8_t* taglist, size_t taglen, struct ub_server_stats* stats, + int* passthru); + +/** + * Callback to process when the iterator module is about to send queries. + * Checks for nsip and nsdname triggers. + * @param qstate: the query state. + * @param iq: iterator module query state. + * @return NULL if nothing is done. Or a new message with the contents from + * the rpz, based on the delegation point. It is allocated in the + * qstate region. + */ +struct dns_msg* rpz_callback_from_iterator_module(struct module_qstate* qstate, + struct iter_qstate* iq); + +/** + * Callback to process when the iterator module has followed a cname. + * There can be a qname trigger for the new query name. + * @param qstate: the query state. + * @param iq: iterator module query state. + * @return NULL if nothing is done. Or a new message with the contents from + * the rpz, based on the iq.qchase. It is allocated in the qstate region. + */ +struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* qstate, + struct iter_qstate* iq); /** * Delete RPZ 
@@ -186,7 +238,7 @@ enum rpz_action respip_action_to_rpz_action(enum respip_action a); /** - * Prepare RPZ after procesing feed content. + * Prepare RPZ after processing feed content. * @param r: RPZ to use */ void rpz_finish_config(struct rpz* r); diff --git a/sldns/keyraw.c b/sldns/keyraw.c index 2ec225bc5..befe1f722 100644 --- a/sldns/keyraw.c +++ b/sldns/keyraw.c @@ -26,11 +26,15 @@ #ifdef HAVE_OPENSSL_BN_H #include #endif -#ifdef HAVE_OPENSSL_RSA_H -#include -#endif -#ifdef HAVE_OPENSSL_DSA_H -#include +#ifdef HAVE_OPENSSL_PARAM_BUILD_H +# include +#else +# ifdef HAVE_OPENSSL_RSA_H +# include +# endif +# ifdef HAVE_OPENSSL_DSA_H +# include +# endif #endif #endif /* HAVE_SSL */ 
@@ -191,48 +195,63 @@ void sldns_key_EVP_unload_gost(void) } #endif /* USE_GOST */ -DSA * -sldns_key_buf2dsa_raw(unsigned char* key, size_t len) +/* Retrieve params as BIGNUM from raw buffer */ +static int +sldns_key_dsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** p, + BIGNUM** q, BIGNUM** g, BIGNUM** y) { uint8_t T; uint16_t length; uint16_t offset; - DSA *dsa; - BIGNUM *Q; BIGNUM *P; - BIGNUM *G; BIGNUM *Y; if(len == 0) - return NULL; + return 0; T = (uint8_t)key[0]; length = (64 + T * 8); offset = 1; if (T > 8) { - return NULL; + return 0; } if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length) - return NULL; + return 0; - Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL); + *q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL); offset += SHA_DIGEST_LENGTH; - P = BN_bin2bn(key+offset, (int)length, NULL); + *p = BN_bin2bn(key+offset, (int)length, NULL); offset += length; - G = BN_bin2bn(key+offset, (int)length, NULL); + *g = BN_bin2bn(key+offset, (int)length, NULL); offset += length; - Y = BN_bin2bn(key+offset, (int)length, NULL); + *y = BN_bin2bn(key+offset, (int)length, NULL); - /* create the key and set its properties */ - if(!Q || !P || !G || !Y || !(dsa = DSA_new())) { - BN_free(Q); - BN_free(P); - BN_free(G); - BN_free(Y); + if(!*q || !*p || !*g || !*y) { + BN_free(*q); + BN_free(*p); + BN_free(*g); + BN_free(*y); + return 0; + } + return 1; +} + +#ifndef HAVE_OSSL_PARAM_BLD_NEW +DSA * +sldns_key_buf2dsa_raw(unsigned char* key, size_t len) +{ + DSA *dsa; + BIGNUM *Q=NULL, *P=NULL, *G=NULL, *Y=NULL; + if(!sldns_key_dsa_buf_bignum(key, len, &P, &Q, &G, &Y)) { return NULL; } -#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) + /* create the key and set its properties */ + if(!(dsa = DSA_new())) { + return NULL; + } +#if OPENSSL_VERSION_NUMBER < 0x10100000 || \ + (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f) #ifndef S_SPLINT_S dsa->p = P; dsa->q = Q; 
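Review bot: `sldns_key_buf2dsa_raw` leaks the four BIGNUMs when `DSA_new()` fails: once `sldns_key_dsa_buf_bignum` has succeeded, the `if(!(dsa = DSA_new())) { return NULL; }` branch returns without freeing P, Q, G and Y, which the removed code did free on that path. The branch should call `BN_free(P); BN_free(Q); BN_free(G); BN_free(Y);` before returning. The helper also leaves the caller's pointers aimed at freed BIGNUMs on its own failure path; the visible callers return at once, but resetting them to NULL there would keep a later caller from double-freeing. The rest of `sldns_key_buf2dsa_raw` lies outside this hunk.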
@@ -261,22 +280,111 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len) return dsa; } +#endif /* HAVE_OSSL_PARAM_BLD_NEW */ -RSA * -sldns_key_buf2rsa_raw(unsigned char* key, size_t len) +EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len) +{ +#ifdef HAVE_OSSL_PARAM_BLD_NEW + EVP_PKEY* evp_key = NULL; + EVP_PKEY_CTX* ctx; + BIGNUM *p=NULL, *q=NULL, *g=NULL, *y=NULL; + OSSL_PARAM_BLD* param_bld; + OSSL_PARAM* params = NULL; + if(!sldns_key_dsa_buf_bignum(key, len, &p, &q, &g, &y)) { + return NULL; + } + + param_bld = OSSL_PARAM_BLD_new(); + if(!param_bld) { + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(y); + return NULL; + } + if(!OSSL_PARAM_BLD_push_BN(param_bld, "p", p) || + !OSSL_PARAM_BLD_push_BN(param_bld, "g", g) || + !OSSL_PARAM_BLD_push_BN(param_bld, "q", q) || + !OSSL_PARAM_BLD_push_BN(param_bld, "pub", y)) { + OSSL_PARAM_BLD_free(param_bld); + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(y); + return NULL; + } + params = OSSL_PARAM_BLD_to_param(param_bld); + OSSL_PARAM_BLD_free(param_bld); + + ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL); + if(!ctx) { + OSSL_PARAM_free(params); + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(y); + return NULL; + } + if(EVP_PKEY_fromdata_init(ctx) <= 0) { + EVP_PKEY_CTX_free(ctx); + OSSL_PARAM_free(params); + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(y); + return NULL; + } + if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) { + EVP_PKEY_CTX_free(ctx); + OSSL_PARAM_free(params); + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(y); + return NULL; + } + + EVP_PKEY_CTX_free(ctx); + OSSL_PARAM_free(params); + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(y); + return evp_key; +#else + DSA* dsa; + EVP_PKEY* evp_key = EVP_PKEY_new(); + if(!evp_key) { + return NULL; + } + dsa = sldns_key_buf2dsa_raw(key, len); + if(!dsa) { + EVP_PKEY_free(evp_key); + return NULL; + } + if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) { + DSA_free(dsa); + EVP_PKEY_free(evp_key); + 
return NULL; + } + return evp_key; +#endif +} + +/* Retrieve params as BIGNUM from raw buffer, n is modulus, e is exponent */ +static int +sldns_key_rsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** n, + BIGNUM** e) { uint16_t offset; uint16_t exp; uint16_t int16; - RSA *rsa; - BIGNUM *modulus; - BIGNUM *exponent; if (len == 0) - return NULL; + return 0; if (key[0] == 0) { if(len < 3) - return NULL; + return 0; memmove(&int16, key+1, 2); exp = ntohs(int16); offset = 3; @@ -287,30 +395,42 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len) /* key length at least one */ if(len < (size_t)offset + exp + 1) - return NULL; + return 0; /* Exponent */ - exponent = BN_new(); - if(!exponent) return NULL; - (void) BN_bin2bn(key+offset, (int)exp, exponent); + *e = BN_new(); + if(!*e) return 0; + (void) BN_bin2bn(key+offset, (int)exp, *e); offset += exp; /* Modulus */ - modulus = BN_new(); - if(!modulus) { - BN_free(exponent); - return NULL; + *n = BN_new(); + if(!*n) { + BN_free(*e); + return 0; } /* length of the buffer must match the key length! */ - (void) BN_bin2bn(key+offset, (int)(len - offset), modulus); + (void) BN_bin2bn(key+offset, (int)(len - offset), *n); + return 1; +} +#ifndef HAVE_OSSL_PARAM_BLD_NEW +RSA * +sldns_key_buf2rsa_raw(unsigned char* key, size_t len) +{ + BIGNUM* modulus = NULL; + BIGNUM* exponent = NULL; + RSA *rsa; + if(!sldns_key_rsa_buf_bignum(key, len, &modulus, &exponent)) + return NULL; rsa = RSA_new(); if(!rsa) { BN_free(exponent); BN_free(modulus); return NULL; } -#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) +#if OPENSSL_VERSION_NUMBER < 0x10100000 || \ + (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f) #ifndef S_SPLINT_S rsa->n = modulus; rsa->e = exponent; 
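Review bot: The result of `OSSL_PARAM_BLD_to_param(param_bld)` in `sldns_key_dsa2pkey_raw` is never checked, so an allocation failure there is handed on as a NULL `params` to `EVP_PKEY_fromdata` and is caught only if that call happens to reject it. A guard directly after `OSSL_PARAM_BLD_free(param_bld)` keeps the failure explicit: `if(!params) { BN_free(p); BN_free(q); BN_free(g); BN_free(y); return NULL; }`. The same unchecked call appears in `sldns_key_rsa2pkey_raw` and in the `HAVE_OSSL_PARAM_BLD_NEW` branch of `sldns_ecdsa2pkey_raw` in the following hunks.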
@@ -327,6 +447,88 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len) return rsa; } +#endif /* HAVE_OSSL_PARAM_BLD_NEW */ + +EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len) +{ +#ifdef HAVE_OSSL_PARAM_BLD_NEW + EVP_PKEY* evp_key = NULL; + EVP_PKEY_CTX* ctx; + BIGNUM *n=NULL, *e=NULL; + OSSL_PARAM_BLD* param_bld; + OSSL_PARAM* params = NULL; + + if(!sldns_key_rsa_buf_bignum(key, len, &n, &e)) { + return NULL; + } + + param_bld = OSSL_PARAM_BLD_new(); + if(!param_bld) { + BN_free(n); + BN_free(e); + return NULL; + } + if(!OSSL_PARAM_BLD_push_BN(param_bld, "n", n)) { + OSSL_PARAM_BLD_free(param_bld); + BN_free(n); + BN_free(e); + return NULL; + } + if(!OSSL_PARAM_BLD_push_BN(param_bld, "e", e)) { + OSSL_PARAM_BLD_free(param_bld); + BN_free(n); + BN_free(e); + return NULL; + } + params = OSSL_PARAM_BLD_to_param(param_bld); + OSSL_PARAM_BLD_free(param_bld); + + ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + if(!ctx) { + OSSL_PARAM_free(params); + BN_free(n); + BN_free(e); + return NULL; + } + if(EVP_PKEY_fromdata_init(ctx) <= 0) { + EVP_PKEY_CTX_free(ctx); + OSSL_PARAM_free(params); + BN_free(n); + BN_free(e); + return NULL; + } + if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) { + EVP_PKEY_CTX_free(ctx); + OSSL_PARAM_free(params); + BN_free(n); + BN_free(e); + return NULL; + } + + EVP_PKEY_CTX_free(ctx); + OSSL_PARAM_free(params); + BN_free(n); + BN_free(e); + return evp_key; +#else + RSA* rsa; + EVP_PKEY *evp_key = EVP_PKEY_new(); + if(!evp_key) { + return NULL; + } + rsa = sldns_key_buf2rsa_raw(key, len); + if(!rsa) { + EVP_PKEY_free(evp_key); + return NULL; + } + if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) { + RSA_free(rsa); + EVP_PKEY_free(evp_key); + return NULL; + } + return evp_key; +#endif +} #ifdef USE_GOST EVP_PKEY* 
@@ -357,6 +559,62 @@ sldns_gost2pkey_raw(unsigned char* key, size_t keylen) EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo) { +#ifdef HAVE_OSSL_PARAM_BLD_NEW + unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ + EVP_PKEY *evp_key = NULL; + EVP_PKEY_CTX* ctx; + OSSL_PARAM_BLD* param_bld; + OSSL_PARAM* params = NULL; + char* group = NULL; + + /* check length, which uncompressed must be 2 bignums */ + if(algo == LDNS_ECDSAP256SHA256) { + if(keylen != 2*256/8) return NULL; + group = "prime256v1"; + } else if(algo == LDNS_ECDSAP384SHA384) { + if(keylen != 2*384/8) return NULL; + group = "P-384"; + } else { + return NULL; + } + if(keylen+1 > sizeof(buf)) { /* sanity check */ + return NULL; + } + /* prepend the 0x04 for uncompressed format */ + buf[0] = POINT_CONVERSION_UNCOMPRESSED; + memmove(buf+1, key, keylen); + + param_bld = OSSL_PARAM_BLD_new(); + if(!param_bld) { + return NULL; + } + if(!OSSL_PARAM_BLD_push_utf8_string(param_bld, "group", group, 0) || + !OSSL_PARAM_BLD_push_octet_string(param_bld, "pub", buf, keylen+1)) { + OSSL_PARAM_BLD_free(param_bld); + return NULL; + } + params = OSSL_PARAM_BLD_to_param(param_bld); + OSSL_PARAM_BLD_free(param_bld); + + ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); + if(!ctx) { + OSSL_PARAM_free(params); + return NULL; + } + if(EVP_PKEY_fromdata_init(ctx) <= 0) { + EVP_PKEY_CTX_free(ctx); + OSSL_PARAM_free(params); + return NULL; + } + if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) { + EVP_PKEY_CTX_free(ctx); + OSSL_PARAM_free(params); + return NULL; + } + EVP_PKEY_CTX_free(ctx); + OSSL_PARAM_free(params); + return evp_key; +#else unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ const unsigned char* pp = buf; EVP_PKEY *evp_key; @@ -393,6 +651,7 @@ sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo) return NULL; } return evp_key; +#endif /* HAVE_OSSL_PARAM_BLD_NEW */ } #endif /* USE_ECDSA */ 
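Review bot: `group` is declared `char*` but only ever points at the string literals `"prime256v1"` and `"P-384"`; `const char* group = NULL;` states that and lets the compiler flag an accidental write through it. The two literals also use different naming schemes for the curves, so a short comment on why each spelling was chosen, or one scheme for both, would help the next reader. The `#else` branch of `sldns_ecdsa2pkey_raw` continues outside this hunk.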
diff --git a/sldns/keyraw.h b/sldns/keyraw.h index 989b02ce0..b1f19740c 100644 --- a/sldns/keyraw.h +++ b/sldns/keyraw.h @@ -57,6 +57,7 @@ int sldns_key_EVP_load_gost_id(void); /** Release the engine reference held for the GOST engine. */ void sldns_key_EVP_unload_gost(void); +#ifndef HAVE_OSSL_PARAM_BLD_NEW /** * Like sldns_key_buf2dsa, but uses raw buffer. * \param[in] key the uncompressed wireformat of the key. @@ -64,6 +65,15 @@ void sldns_key_EVP_unload_gost(void); * \return a DSA * structure with the key material */ DSA *sldns_key_buf2dsa_raw(unsigned char* key, size_t len); +#endif + +/** + * Converts a holding buffer with DSA key material to EVP PKEY in openssl. + * \param[in] key the uncompressed wireformat of the key. + * \param[in] len length of key data + * \return the key or NULL on error. + */ +EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len); /** * Converts a holding buffer with key material to EVP PKEY in openssl. @@ -84,6 +94,7 @@ EVP_PKEY* sldns_gost2pkey_raw(unsigned char* key, size_t keylen); */ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo); +#ifndef HAVE_OSSL_PARAM_BLD_NEW /** * Like sldns_key_buf2rsa, but uses raw buffer. * \param[in] key the uncompressed wireformat of the key. @@ -91,6 +102,15 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo); * \return a RSA * structure with the key material */ RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len); +#endif + +/** + * Converts a holding buffer with RSA key material to EVP PKEY in openssl. + * \param[in] key the uncompressed wireformat of the key. + * \param[in] len length of key data + * \return the key or NULL on error. + */ +EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len); /** * Converts a holding buffer with key material to EVP PKEY in openssl. diff --git a/sldns/parse.c b/sldns/parse.c index f4de8602f..491c8f51b 100644 --- a/sldns/parse.c +++ b/sldns/parse.c 
@@ -149,6 +149,9 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l if (c != '\0' && c != '\n') { *t++ = c; } + if (c == '\n' && line_nr) { + *line_nr = *line_nr + 1; + } if (c == '\\' && prev_c == '\\') prev_c = 0; else prev_c = c; diff --git a/sldns/parseutil.c b/sldns/parseutil.c index 9f289d359..dd1f33484 100644 --- a/sldns/parseutil.c +++ b/sldns/parseutil.c @@ -209,11 +209,13 @@ sldns_hexdigit_to_int(char ch) } uint32_t -sldns_str2period(const char *nptr, const char **endptr) +sldns_str2period(const char *nptr, const char **endptr, int* overflow) { int sign = 0; uint32_t i = 0; uint32_t seconds = 0; + const uint32_t maxint = 0xffffffff; + *overflow = 0; for(*endptr = nptr; **endptr; (*endptr)++) { switch (**endptr) { @@ -236,26 +238,46 @@ sldns_str2period(const char *nptr, const char **endptr) break; case 's': case 'S': + if(seconds > maxint-i) { + *overflow = 1; + return 0; + } seconds += i; i = 0; break; case 'm': case 'M': + if(i > maxint/60 || seconds > maxint-(i*60)) { + *overflow = 1; + return 0; + } seconds += i * 60; i = 0; break; case 'h': case 'H': + if(i > maxint/(60*60) || seconds > maxint-(i*60*60)) { + *overflow = 1; + return 0; + } seconds += i * 60 * 60; i = 0; break; case 'd': case 'D': + if(i > maxint/(60*60*24) || seconds > maxint-(i*60*60*24)) { + *overflow = 1; + return 0; + } seconds += i * 60 * 60 * 24; i = 0; break; case 'w': case 'W': + if(i > maxint/(60*60*24*7) || seconds > maxint-(i*60*60*24*7)) { + *overflow = 1; + return 0; + } seconds += i * 60 * 60 * 24 * 7; i = 0; break; 
@@ -269,15 +291,27 @@ sldns_str2period(const char *nptr, const char **endptr) case '7': case '8': case '9': + if(i > maxint/10 || i*10 > maxint - (**endptr - '0')) { + *overflow = 1; + return 0; + } i *= 10; i += (**endptr - '0'); break; default: + if(seconds > maxint-i) { + *overflow = 1; + return 0; + } seconds += i; /* disregard signedness */ return seconds; } } + if(seconds > maxint-i) { + *overflow = 1; + return 0; + } seconds += i; /* disregard signedness */ return seconds; @@ -790,3 +824,18 @@ int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target, } return sldns_b64_pton_base(src, srcsize, target, targsize, 1); } + +int sldns_b64_contains_nonurl(char const *src, size_t srcsize) +{ + const char* s = src; + while(*s && srcsize) { + char d = *s++; + srcsize--; + /* the '+' and the '/' and padding '=' is not allowed in b64 + * url encoding */ + if(d == '+' || d == '/' || d == '=') { + return 1; + } + } + return 0; +} diff --git a/sldns/parseutil.h b/sldns/parseutil.h index 7eb23317f..683f34e23 100644 --- a/sldns/parseutil.h +++ b/sldns/parseutil.h @@ -58,7 +58,7 @@ time_t sldns_mktime_from_utc(const struct tm *tm); * The function interprets time as the number of seconds since epoch * with respect to now using serial arithmetics (rfc1982). * That number of seconds is then converted to broken-out time information. - * This is especially usefull when converting the inception and expiration + * This is especially useful when converting the inception and expiration * fields of RRSIG records. * * \param[in] time number of seconds since epoch (midnight, January 1st, 1970) 
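Review bot: `sldns_b64_contains_nonurl` tests `*s` before `srcsize` in `while(*s && srcsize)`, so once all `srcsize` bytes are consumed, or when `srcsize` is 0, it still reads the byte at `src[srcsize]`; for an input that is not NUL-terminated that is a one-byte read past the stated length. Swapping the operands, `while(srcsize && *s) {`, keeps the early stop on NUL and never touches a byte beyond the length. Whether every caller passes a NUL-terminated string cannot be seen from this hunk.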
@@ -74,9 +74,11 @@ struct tm * sldns_serial_arithmetics_gmtime_r(int32_t time, time_t now, struct t * converts a ttl value (like 5d2h) to a long. * \param[in] nptr the start of the string * \param[out] endptr points to the last char in case of error + * \param[out] overflow returns if the string causes integer overflow error, + * the number is too big, string of digits too long. * \return the convert duration value */ -uint32_t sldns_str2period(const char *nptr, const char **endptr); +uint32_t sldns_str2period(const char *nptr, const char **endptr, int* overflow); /** * Returns the int value of the given (hex) digit @@ -102,6 +104,7 @@ size_t sldns_b64_pton_calculate_size(size_t srcsize); int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize); int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target, size_t targsize); +int sldns_b64_contains_nonurl(char const *src, size_t srcsize); /** * calculates the size needed to store the result of b32_ntop diff --git a/sldns/rrdef.c b/sldns/rrdef.c index 54051313a..fe5c8e104 100644 --- a/sldns/rrdef.c +++ b/sldns/rrdef.c @@ -153,6 +153,9 @@ static const sldns_rdf_type type_csync_wireformat[] = { static const sldns_rdf_type type_zonemd_wireformat[] = { LDNS_RDF_TYPE_INT32, LDNS_RDF_TYPE_INT8, LDNS_RDF_TYPE_INT8, LDNS_RDF_TYPE_HEX }; +static const sldns_rdf_type type_svcb_wireformat[] = { + LDNS_RDF_TYPE_INT16, LDNS_RDF_TYPE_DNAME +}; /* nsec3 is some vars, followed by same type of data of nsec */ static const sldns_rdf_type type_nsec3_wireformat[] = { /* LDNS_RDF_TYPE_NSEC3_VARS, LDNS_RDF_TYPE_NSEC3_NEXT_OWNER, LDNS_RDF_TYPE_NSEC*/ 
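Review bot: The new `\param[out] overflow` text does not say what `sldns_str2period` returns when overflow is set; the implementation returns 0 in that case, which is also a valid period, so callers must test `*overflow` before using the result. I would extend the return line to something like `\return the converted duration value; 0 with *overflow set when the value does not fit in 32 bits`. The comment should also state that `overflow` must not be NULL, because the function writes `*overflow = 0;` unconditionally on entry.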
@@ -377,8 +380,10 @@ static sldns_rr_descriptor rdata_field_descriptors[] = { {LDNS_RR_TYPE_CSYNC, "CSYNC", 3, 3, type_csync_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, /* 63 */ {LDNS_RR_TYPE_ZONEMD, "ZONEMD", 4, 4, type_zonemd_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, -{(enum sldns_enum_rr_type)0, "TYPE64", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, -{(enum sldns_enum_rr_type)0, "TYPE65", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, + /* 64 */ + {LDNS_RR_TYPE_SVCB, "SVCB", 2, 2, type_svcb_wireformat, LDNS_RDF_TYPE_SVCPARAM, LDNS_RR_NO_COMPRESS, 0 }, + /* 65 */ + {LDNS_RR_TYPE_HTTPS, "HTTPS", 2, 2, type_svcb_wireformat, LDNS_RDF_TYPE_SVCPARAM, LDNS_RR_NO_COMPRESS, 0 }, {(enum sldns_enum_rr_type)0, "TYPE66", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, {(enum sldns_enum_rr_type)0, "TYPE67", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, {(enum sldns_enum_rr_type)0, "TYPE68", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, diff --git a/sldns/rrdef.h b/sldns/rrdef.h index ece632c3c..42d5de064 100644 --- a/sldns/rrdef.h +++ b/sldns/rrdef.h @@ -196,6 +196,8 @@ enum sldns_enum_rr_type LDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */ LDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */ LDNS_RR_TYPE_ZONEMD = 63, /* draft-ietf-dnsop-dns-zone-digest-12 */ + LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */ + LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */ LDNS_RR_TYPE_SPF = 99, /* RFC 4408 */ 
@@ -353,8 +355,13 @@ enum sldns_enum_rdf_type /** TSIG extended 16bit error value */ LDNS_RDF_TYPE_TSIGERROR, + /* draft-ietf-dnsop-svcb-https-05: + * each SvcParam consisting of a SvcParamKey=SvcParamValue pair or + * a standalone SvcParamKey */ + LDNS_RDF_TYPE_SVCPARAM, + /* Aliases */ - LDNS_RDF_TYPE_BITMAP = LDNS_RDF_TYPE_NSEC + LDNS_RDF_TYPE_BITMAP = LDNS_RDF_TYPE_NSEC, }; typedef enum sldns_enum_rdf_type sldns_rdf_type; diff --git a/sldns/str2wire.c b/sldns/str2wire.c index 70eec6dab..3cfff4bde 100644 --- a/sldns/str2wire.c +++ b/sldns/str2wire.c @@ -25,11 +25,12 @@ #include #endif +/** bits for the offset */ +#define RET_OFFSET_MASK (((unsigned)(~LDNS_WIREPARSE_MASK))>>LDNS_WIREPARSE_SHIFT) /** return an error */ -#define RET_ERR(e, off) ((int)((e)|((off)< 0 && !isdigit((unsigned char)token[0])) { *not_there = 1; @@ -372,7 +378,8 @@ rrinternal_get_quoted(sldns_buffer* strbuf, const char** delimiters, /* skip spaces */ while(sldns_buffer_remaining(strbuf) > 0 && - *(sldns_buffer_current(strbuf)) == ' ') { + (*(sldns_buffer_current(strbuf)) == ' ' || + *(sldns_buffer_current(strbuf)) == '\t')) { sldns_buffer_skip(strbuf, 1); } @@ -544,9 +551,10 @@ sldns_parse_rdf_token(sldns_buffer* strbuf, char* token, size_t token_len, { size_t slen; - /* skip spaces */ + /* skip spaces and tabs */ while(sldns_buffer_remaining(strbuf) > 0 && !*quoted && - *(sldns_buffer_current(strbuf)) == ' ') { + (*(sldns_buffer_current(strbuf)) == ' ' || + *(sldns_buffer_current(strbuf)) == '\t')) { sldns_buffer_skip(strbuf, 1); } @@ -602,7 +610,10 @@ sldns_affix_token(sldns_buffer* strbuf, char* token, size_t* token_len, size_t addstrlen = 0; /* add space */ - if(addlen < 1) return 0; + /* when addlen < 2, the token buffer is full considering the NULL byte + * from strlen and will lead to buffer overflow with the second + * assignment below. */ + if(addlen < 2) return 0; token[*token_strlen] = ' '; token[++(*token_strlen)] = 0; 
@@ -615,6 +626,122 @@ sldns_affix_token(sldns_buffer* strbuf, char* token, size_t* token_len, return 1; } +static int sldns_str2wire_svcparam_key_cmp(const void *a, const void *b) +{ + return sldns_read_uint16(*(uint8_t**) a) + - sldns_read_uint16(*(uint8_t**) b); +} + +/** + * Add constraints to the SVCB RRs which involve the whole set + */ +static int sldns_str2wire_check_svcbparams(uint8_t* rdata, uint16_t rdata_len) +{ + size_t nparams = 0, i; + uint8_t new_rdata[LDNS_MAX_RDFLEN]; + uint8_t* new_rdata_ptr = new_rdata; + uint8_t* svcparams[MAX_NUMBER_OF_SVCPARAMS]; + uint8_t* rdata_ptr = rdata; + uint16_t rdata_remaining = rdata_len; + + /* find the SvcParams */ + while (rdata_remaining) { + uint16_t svcbparam_len; + + svcparams[nparams] = rdata_ptr; + if (rdata_remaining < 4) + return LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA; + svcbparam_len = sldns_read_uint16(rdata_ptr + 2); + rdata_remaining -= 4; + rdata_ptr += 4; + + if (rdata_remaining < svcbparam_len) + return LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA; + rdata_remaining -= svcbparam_len; + rdata_ptr += svcbparam_len; + + nparams += 1; + if (nparams >= MAX_NUMBER_OF_SVCPARAMS) + return LDNS_WIREPARSE_ERR_SVCB_TOO_MANY_PARAMS; + } + + /* In draft-ietf-dnsop-svcb-https-06 Section 7: + * + * In wire format, the keys are represented by their numeric + * values in network byte order, concatenated in ascending order. + */ + qsort((void *)svcparams + ,nparams + ,sizeof(uint8_t*) + ,sldns_str2wire_svcparam_key_cmp); + + + /* The code below revolves around semantic errors in the SVCParam set. + * So long as we do not distinguish between running Unbound as a primary + * or as a secondary, we default to secondary behavior and we ignore the + * semantic errors. */ + +#ifdef SVCB_SEMANTIC_ERRORS + { + uint8_t* mandatory = NULL; + /* In draft-ietf-dnsop-svcb-https-06 Section 7: + * + * Keys (...) MUST NOT appear more than once. 
+ * + * If they key has already been seen, we have a duplicate + */ + for(i=0; i < nparams; i++) { + uint16_t key = sldns_read_uint16(svcparams[i]); + if(i + 1 < nparams && key == sldns_read_uint16(svcparams[i+1])) + return LDNS_WIREPARSE_ERR_SVCB_DUPLICATE_KEYS; + if(key == SVCB_KEY_MANDATORY) + mandatory = svcparams[i]; + } + + /* 4. verify that all the SvcParamKeys in mandatory are present */ + if(mandatory) { + /* Divide by sizeof(uint16_t)*/ + uint16_t mandatory_nkeys = sldns_read_uint16(mandatory + 2) / sizeof(uint16_t); + + /* Guaranteed by sldns_str2wire_svcparam_key_value */ + assert(mandatory_nkeys > 0); + + for(i=0; i < mandatory_nkeys; i++) { + uint16_t mandatory_key = sldns_read_uint16( + mandatory + + 2 * sizeof(uint16_t) + + i * sizeof(uint16_t)); + uint8_t found = 0; + size_t j; + + for(j=0; j < nparams; j++) { + if(mandatory_key == sldns_read_uint16(svcparams[j])) { + found = 1; + break; + } + } + + if(!found) + return LDNS_WIREPARSE_ERR_SVCB_MANDATORY_MISSING_PARAM; + } + } + } +#endif + /* Write rdata in correct order */ + for (i = 0; i < nparams; i++) { + uint16_t svcparam_len = sldns_read_uint16(svcparams[i] + 2) + + 2 * sizeof(uint16_t); + + if ((unsigned)(new_rdata_ptr - new_rdata) + svcparam_len > sizeof(new_rdata)) + return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + + memcpy(new_rdata_ptr, svcparams[i], svcparam_len); + new_rdata_ptr += svcparam_len; + } + memcpy(rdata, new_rdata, rdata_len); + return LDNS_WIREPARSE_ERR_OK; +} + /** parse rdata from string into rr buffer(-remainder after dname). */ static int rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len, 
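Review bot: Under `SVCB_SEMANTIC_ERRORS`, the mandatory check in sldns_str2wire_check_svcbparams relies on `assert(mandatory_nkeys > 0)` and on a guarantee attributed to `sldns_str2wire_svcparam_key_value`, a function this patch does not define; the visible writer is `sldns_str2wire_svcbparam_mandatory`. An assert vanishes in NDEBUG builds and aborts in debug builds, so an empty or odd-length value should be rejected explicitly, e.g. `if(sldns_read_uint16(mandatory + 2) == 0 || sldns_read_uint16(mandatory + 2) % sizeof(uint16_t)) return LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA;`. This matters if rdata can reach this function without going through the text parser for `mandatory` (presumably via the `\#` generic form, not confirmed from this hunk). Separately, `new_rdata[LDNS_MAX_RDFLEN]` puts roughly 64 KiB on the stack per call (assuming LDNS_MAX_RDFLEN is 65535); a heap buffer or an in-place reorder would be kinder to threads with small stacks.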
@@ -654,7 +781,8 @@ rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len, /* unknown RR data */ if(token_strlen>=2 && strncmp(token, "\\#", 2) == 0 && - !quoted && (token_strlen == 2 || token[2]==' ')) { + !quoted && (token_strlen == 2 || token[2]==' ' || + token[2]=='\t')) { was_unknown_rr_format = 1; if((status=rrinternal_parse_unknown(strbuf, token, token_len, rr, rr_len, &rr_cur_len, @@ -712,6 +840,42 @@ rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len, /* write rdata length */ sldns_write_uint16(rr+dname_len+8, (uint16_t)(rr_cur_len-dname_len-10)); *rr_len = rr_cur_len; + /* SVCB/HTTPS handling */ + if (rr_type == LDNS_RR_TYPE_SVCB || rr_type == LDNS_RR_TYPE_HTTPS) { + size_t rdata_len = rr_cur_len - dname_len - 10; + uint8_t *rdata = rr+dname_len + 10; + + /* skip 1st rdata field SvcPriority (uint16_t) */ + if (rdata_len < sizeof(uint16_t)) + return LDNS_WIREPARSE_ERR_OK; + + rdata_len -= sizeof(uint16_t); + rdata += sizeof(uint16_t); + + /* skip 2nd rdata field dname */ + while (rdata_len && *rdata != 0) { + uint8_t label_len; + + if (*rdata & 0xC0) + return LDNS_WIREPARSE_ERR_OK; + + label_len = *rdata + 1; + if (rdata_len < label_len) + return LDNS_WIREPARSE_ERR_OK; + + rdata_len -= label_len; + rdata += label_len; + } + /* The root label is one more character, so smaller + * than 1 + 1 means no Svcparam Keys */ + if (rdata_len < 2 || *rdata != 0) + return LDNS_WIREPARSE_ERR_OK; + + rdata_len -= 1; + rdata += 1; + return sldns_str2wire_check_svcbparams(rdata, rdata_len); + + } return LDNS_WIREPARSE_ERR_OK; } 
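Review bot: The new SVCB/HTTPS block in rrinternal_parse_rdata returns `LDNS_WIREPARSE_ERR_OK` when the target name holds a byte with the `0xC0` bits set or a label that runs past the rdata, so a structurally broken record is accepted and its SvcParams are never sorted or checked. Those two exits look like malformed-input cases rather than "no SvcParams" cases, and returning `LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA` there would match what sldns_str2wire_check_svcbparams does for truncated params. Also, `rdata_len` is a `size_t` passed to a `uint16_t` parameter; an explicit `(uint16_t)rdata_len` with a comment that the RR buffer size bounds it would make the narrowing intentional. The function begins outside this hunk.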
@@ -898,12 +1062,15 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len, return s; } else if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line[4])) { const char* end = NULL; + int overflow = 0; strlcpy((char*)rr, line, *len); *len = 0; *dname_len = 0; if(!parse_state) return LDNS_WIREPARSE_ERR_OK; parse_state->default_ttl = sldns_str2period( - sldns_strip_ws(line+5), &end); + sldns_strip_ws(line+5), &end, &overflow); + if(overflow) + return LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW; } else if (strncmp(line, "$INCLUDE", 8) == 0) { strlcpy((char*)rr, line, *len); *len = 0; 
@@ -929,11 +1096,533 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len, memmove(parse_state->prev_rr, rr, *dname_len); parse_state->prev_rr_len = (*dname_len); } + if(r == LDNS_WIREPARSE_ERR_OK && parse_state) { + parse_state->default_ttl = sldns_wirerr_get_ttl( + rr, *len, *dname_len); + } return r; } return LDNS_WIREPARSE_ERR_OK; } +static int +sldns_str2wire_svcparam_key_lookup(const char *key, size_t key_len) +{ + char buf[64]; + char *endptr; + unsigned long int key_value; + + if (key_len >= 4 && key_len <= 8 && !strncmp(key, "key", 3)) { + memcpy(buf, key + 3, key_len - 3); + buf[key_len - 3] = 0; + key_value = strtoul(buf, &endptr, 10); + + if (endptr > buf /* digits seen */ + && *endptr == 0 /* no non-digit chars after digits */ + && key_value <= 65535) /* no overflow */ + return key_value; + + } else switch (key_len) { + case sizeof("mandatory")-1: + if (!strncmp(key, "mandatory", sizeof("mandatory")-1)) + return SVCB_KEY_MANDATORY; + if (!strncmp(key, "echconfig", sizeof("echconfig")-1)) + return SVCB_KEY_ECH; /* allow "echconfig" as well as "ech" */ + break; + + case sizeof("alpn")-1: + if (!strncmp(key, "alpn", sizeof("alpn")-1)) + return SVCB_KEY_ALPN; + if (!strncmp(key, "port", sizeof("port")-1)) + return SVCB_KEY_PORT; + break; + + case sizeof("no-default-alpn")-1: + if (!strncmp( key , "no-default-alpn" + , sizeof("no-default-alpn")-1)) + return SVCB_KEY_NO_DEFAULT_ALPN; + break; + + case sizeof("ipv4hint")-1: + if (!strncmp(key, "ipv4hint", sizeof("ipv4hint")-1)) + return SVCB_KEY_IPV4HINT; + if (!strncmp(key, "ipv6hint", sizeof("ipv6hint")-1)) + return SVCB_KEY_IPV6HINT; + break; + + case sizeof("ech")-1: + if (!strncmp(key, "ech", sizeof("ech")-1)) + return SVCB_KEY_ECH; + break; + + default: + break; + } + + /* Although the returned value might be used by the caller, + * the parser has erred, so the zone will not be loaded. 
+ */ + return -1; +} + +static int +sldns_str2wire_svcparam_port(const char* val, uint8_t* rd, size_t* rd_len) +{ + unsigned long int port; + char *endptr; + + if (*rd_len < 6) + return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + + port = strtoul(val, &endptr, 10); + + if (endptr > val /* digits seen */ + && *endptr == 0 /* no non-digit chars after digits */ + && port <= 65535) { /* no overflow */ + + sldns_write_uint16(rd, SVCB_KEY_PORT); + sldns_write_uint16(rd + 2, sizeof(uint16_t)); + sldns_write_uint16(rd + 4, port); + *rd_len = 6; + + return LDNS_WIREPARSE_ERR_OK; + } + + return LDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX; +} + +static int +sldns_str2wire_svcbparam_ipv4hint(const char* val, uint8_t* rd, size_t* rd_len) +{ + size_t count; + char ip_str[INET_ADDRSTRLEN+1]; + char *next_ip_str; + size_t i; + + for (i = 0, count = 1; val[i]; i++) { + if (val[i] == ',') + count += 1; + if (count > SVCB_MAX_COMMA_SEPARATED_VALUES) { + return LDNS_WIREPARSE_ERR_SVCB_IPV4_TOO_MANY_ADDRESSES; + } + } + + if (*rd_len < (LDNS_IP4ADDRLEN * count) + 4) + return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + + /* count is number of comma's in val + 1; so the actual number of IPv4 + * addresses in val + */ + sldns_write_uint16(rd, SVCB_KEY_IPV4HINT); + sldns_write_uint16(rd + 2, LDNS_IP4ADDRLEN * count); + *rd_len = 4; + + while (count) { + if (!(next_ip_str = strchr(val, ','))) { + if (inet_pton(AF_INET, val, rd + *rd_len) != 1) + break; + *rd_len += LDNS_IP4ADDRLEN; + + assert(count == 1); + + } else if (next_ip_str - val >= (int)sizeof(ip_str)) + break; + + else { + memcpy(ip_str, val, next_ip_str - val); + ip_str[next_ip_str - val] = 0; + if (inet_pton(AF_INET, ip_str, rd + *rd_len) != 1) { + break; + } + *rd_len += LDNS_IP4ADDRLEN; + + val = next_ip_str + 1; + } + count--; + } + if (count) /* verify that we parsed all values */ + return LDNS_WIREPARSE_ERR_SYNTAX_IP4; + + return LDNS_WIREPARSE_ERR_OK; +} + +static int +sldns_str2wire_svcbparam_ipv6hint(const char* val, uint8_t* rd, 
size_t* rd_len) +{ + size_t count; + char ip_str[INET6_ADDRSTRLEN+1]; + char *next_ip_str; + size_t i; + + for (i = 0, count = 1; val[i]; i++) { + if (val[i] == ',') + count += 1; + if (count > SVCB_MAX_COMMA_SEPARATED_VALUES) { + return LDNS_WIREPARSE_ERR_SVCB_IPV6_TOO_MANY_ADDRESSES; + } + } + + if (*rd_len < (LDNS_IP6ADDRLEN * count) + 4) + return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + + /* count is number of comma's in val + 1; so the actual number of IPv6 + * addresses in val + */ + sldns_write_uint16(rd, SVCB_KEY_IPV6HINT); + sldns_write_uint16(rd + 2, LDNS_IP6ADDRLEN * count); + *rd_len = 4; + + while (count) { + if (!(next_ip_str = strchr(val, ','))) { + if (inet_pton(AF_INET6, val, rd + *rd_len) != 1) + break; + *rd_len += LDNS_IP6ADDRLEN; + + assert(count == 1); + + } else if (next_ip_str - val >= (int)sizeof(ip_str)) + break; + + else { + memcpy(ip_str, val, next_ip_str - val); + ip_str[next_ip_str - val] = 0; + if (inet_pton(AF_INET6, ip_str, rd + *rd_len) != 1) { + break; + } + *rd_len += LDNS_IP6ADDRLEN; + + val = next_ip_str + 1; + } + count--; + } + if (count) /* verify that we parsed all values */ + return LDNS_WIREPARSE_ERR_SYNTAX_IP6; + + return LDNS_WIREPARSE_ERR_OK; +} + +/* compare function used for sorting uint16_t's */ +static int +sldns_network_uint16_cmp(const void *a, const void *b) +{ + return ((int)sldns_read_uint16(a)) - ((int)sldns_read_uint16(b)); +} + +static int +sldns_str2wire_svcbparam_mandatory(const char* val, uint8_t* rd, size_t* rd_len) +{ + size_t i, count, val_len; + char* next_key; + + val_len = strlen(val); + + for (i = 0, count = 1; val[i]; i++) { + if (val[i] == ',') + count += 1; + if (count > SVCB_MAX_COMMA_SEPARATED_VALUES) { + return LDNS_WIREPARSE_ERR_SVCB_MANDATORY_TOO_MANY_KEYS; + } + } + if (sizeof(uint16_t) * (count + 2) > *rd_len) + return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + + sldns_write_uint16(rd, SVCB_KEY_MANDATORY); + sldns_write_uint16(rd + 2, sizeof(uint16_t) * count); + *rd_len = 4; + + while (1) { + 
int svcparamkey; + + if (!(next_key = strchr(val, ','))) { + svcparamkey = sldns_str2wire_svcparam_key_lookup(val, val_len); + + if (svcparamkey < 0) { + return LDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY; + } + + sldns_write_uint16(rd + *rd_len, svcparamkey); + *rd_len += 2; + break; + } else { + svcparamkey = sldns_str2wire_svcparam_key_lookup(val, next_key - val); + + if (svcparamkey < 0) { + return LDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY; + } + + sldns_write_uint16(rd + *rd_len, + svcparamkey); + *rd_len += 2; + } + + val_len -= next_key - val + 1; + val = next_key + 1; /* skip the comma */ + } + + /* In draft-ietf-dnsop-svcb-https-06 Section 7: + * + * "In wire format, the keys are represented by their numeric + * values in network byte order, concatenated in ascending order." + */ + qsort((void *)(rd + 4), count, sizeof(uint16_t), sldns_network_uint16_cmp); + + /* The code below revolves around semantic errors in the SVCParam set. + * So long as we do not distinguish between running Unbound as a primary + * or as a secondary, we default to secondary behavior and we ignore the + * semantic errors. */ +#ifdef SVCB_SEMANTIC_ERRORS + /* In draft-ietf-dnsop-svcb-https-06 Section 8 + * automatically mandatory MUST NOT appear in its own value-list + */ + if (sldns_read_uint16(rd + 4) == SVCB_KEY_MANDATORY) + return LDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY; + + /* Guarantee key uniqueness. 
After the sort we only need to + * compare neighbouring keys */ + if (count > 1) { + for (i = 0; i < count - 1; i++) { + uint8_t* current_pos = (rd + 4 + (sizeof(uint16_t) * i)); + uint16_t key = sldns_read_uint16(current_pos); + + if (key == sldns_read_uint16(current_pos + 2)) { + return LDNS_WIREPARSE_ERR_SVCB_MANDATORY_DUPLICATE_KEY; + } + } + } +#endif + return LDNS_WIREPARSE_ERR_OK; +} + +static int +sldns_str2wire_svcbparam_ech_value(const char* val, uint8_t* rd, size_t* rd_len) +{ + uint8_t buffer[LDNS_MAX_RDFLEN]; + int wire_len; + + /* single 0 represents empty buffer */ + if(strcmp(val, "0") == 0) { + if (*rd_len < 4) + return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + sldns_write_uint16(rd, SVCB_KEY_ECH); + sldns_write_uint16(rd + 2, 0); + + return LDNS_WIREPARSE_ERR_OK; + } + + wire_len = sldns_b64_pton(val, buffer, LDNS_MAX_RDFLEN); + + if (wire_len <= 0) { + return LDNS_WIREPARSE_ERR_SYNTAX_B64; + } else if ((unsigned)wire_len + 4 > *rd_len) { + return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + } else { + sldns_write_uint16(rd, SVCB_KEY_ECH); + sldns_write_uint16(rd + 2, wire_len); + memcpy(rd + 4, buffer, wire_len); + *rd_len = 4 + wire_len; + + return LDNS_WIREPARSE_ERR_OK; + } +} + +static const char* +sldns_str2wire_svcbparam_parse_next_unescaped_comma(const char *val) +{ + while (*val) { + /* Only return when the comma is not escaped*/ + if (*val == '\\'){ + ++val; + if (!*val) + break; + } else if (*val == ',') + return val; + + val++; + } + return NULL; +} + +/* The source is already properly unescaped, this double unescaping is purely to allow for + * comma's in comma separated alpn lists. + * + * In draft-ietf-dnsop-svcb-https-06 Section 7: + * To enable simpler parsing, this SvcParamValue MUST NOT contain escape sequences. 
+ */ +static size_t +sldns_str2wire_svcbparam_parse_copy_unescaped(uint8_t *dst, + const char *src, size_t len) +{ + uint8_t *orig_dst = dst; + + while (len) { + if (*src == '\\') { + src++; + len--; + if (!len) + break; + } + *dst++ = *src++; + len--; + } + return (size_t)(dst - orig_dst); +} + +static int +sldns_str2wire_svcbparam_alpn_value(const char* val, + uint8_t* rd, size_t* rd_len) +{ + uint8_t unescaped_dst[LDNS_MAX_RDFLEN]; + uint8_t *dst = unescaped_dst; + const char *next_str; + size_t str_len; + size_t dst_len; + size_t val_len; + + val_len = strlen(val); + + if (val_len > sizeof(unescaped_dst)) { + return LDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE; + } + while (val_len) { + size_t key_len; + + str_len = (next_str = sldns_str2wire_svcbparam_parse_next_unescaped_comma(val)) + ? (size_t)(next_str - val) : val_len; + + if (str_len > 255) { + return LDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE; + } + + key_len = sldns_str2wire_svcbparam_parse_copy_unescaped(dst + 1, val, str_len); + *dst++ = key_len; + dst += key_len; + + if (!next_str) + break; + + /* skip the comma in the next iteration */ + val_len -= next_str - val + 1; + val = next_str + 1; + } + dst_len = dst - unescaped_dst; + if (*rd_len < 4 + dst_len) + return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + sldns_write_uint16(rd, SVCB_KEY_ALPN); + sldns_write_uint16(rd + 2, dst_len); + memcpy(rd + 4, unescaped_dst, dst_len); + *rd_len = 4 + dst_len; + + return LDNS_WIREPARSE_ERR_OK; +} + +static int +sldns_str2wire_svcparam_value(const char *key, size_t key_len, + const char *val, uint8_t* rd, size_t* rd_len) +{ + size_t str_len; + int svcparamkey = sldns_str2wire_svcparam_key_lookup(key, key_len); + + if (svcparamkey < 0) { + return LDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY; + } + + /* key without value */ + if (val == NULL) { + switch (svcparamkey) { +#ifdef SVCB_SEMANTIC_ERRORS + case SVCB_KEY_MANDATORY: + case SVCB_KEY_ALPN: + case SVCB_KEY_PORT: + case SVCB_KEY_IPV4HINT: + case SVCB_KEY_IPV6HINT: + return 
LDNS_WIREPARSE_ERR_SVCB_MISSING_PARAM; +#endif + default: + if (*rd_len < 4) + return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + sldns_write_uint16(rd, svcparamkey); + sldns_write_uint16(rd + 2, 0); + *rd_len = 4; + + return LDNS_WIREPARSE_ERR_OK; + } + } + + /* value is non-empty */ + switch (svcparamkey) { + case SVCB_KEY_PORT: + return sldns_str2wire_svcparam_port(val, rd, rd_len); + case SVCB_KEY_IPV4HINT: + return sldns_str2wire_svcbparam_ipv4hint(val, rd, rd_len); + case SVCB_KEY_IPV6HINT: + return sldns_str2wire_svcbparam_ipv6hint(val, rd, rd_len); + case SVCB_KEY_MANDATORY: + return sldns_str2wire_svcbparam_mandatory(val, rd, rd_len); +#ifdef SVCB_SEMANTIC_ERRORS + case SVCB_KEY_NO_DEFAULT_ALPN: + return LDNS_WIREPARSE_ERR_SVCB_NO_DEFAULT_ALPN_VALUE; +#endif + case SVCB_KEY_ECH: + return sldns_str2wire_svcbparam_ech_value(val, rd, rd_len); + case SVCB_KEY_ALPN: + return sldns_str2wire_svcbparam_alpn_value(val, rd, rd_len); + default: + str_len = strlen(val); + if (*rd_len < 4 + str_len) + return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + sldns_write_uint16(rd, svcparamkey); + sldns_write_uint16(rd + 2, str_len); + memcpy(rd + 4, val, str_len); + *rd_len = 4 + str_len; + + return LDNS_WIREPARSE_ERR_OK; + } + + return LDNS_WIREPARSE_ERR_GENERAL; +} + +static int sldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_len) +{ + const char* eq_pos; + char unescaped_val[LDNS_MAX_RDFLEN]; + char* val_out = unescaped_val; + const char* val_in; + + eq_pos = strchr(str, '='); + + /* case: key=value */ + if (eq_pos != NULL && eq_pos[1]) { + val_in = eq_pos + 1; + + /* unescape characters and "" blocks */ + if (*val_in == '"') { + val_in++; + while (*val_in != '"' + && (unsigned)(val_out - unescaped_val + 1) < sizeof(unescaped_val) + && sldns_parse_char( (uint8_t*) val_out, &val_in)) { + val_out++; + } + } else { + while ((unsigned)(val_out - unescaped_val + 1) < sizeof(unescaped_val) + && sldns_parse_char( (uint8_t*) val_out, &val_in)) { + val_out++; + } + } + 
*val_out = 0; + + return sldns_str2wire_svcparam_value(str, eq_pos - str, + unescaped_val[0] ? unescaped_val : NULL, rd, rd_len); + } + /* case: key= */ + else if (eq_pos != NULL && !(eq_pos[1])) { + return sldns_str2wire_svcparam_value(str, eq_pos - str, NULL, rd, rd_len); + } + /* case: key */ + else { + return sldns_str2wire_svcparam_value(str, strlen(str), NULL, rd, rd_len); + } +} + int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len, sldns_rdf_type rdftype) { @@ -1006,6 +1695,8 @@ int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len, return sldns_str2wire_hip_buf(str, rd, len); case LDNS_RDF_TYPE_INT16_DATA: return sldns_str2wire_int16_data_buf(str, rd, len); + case LDNS_RDF_TYPE_SVCPARAM: + return sldns_str2wire_svcparam_buf(str, rd, len); case LDNS_RDF_TYPE_UNKNOWN: case LDNS_RDF_TYPE_SERVICE: return LDNS_WIREPARSE_ERR_NOT_IMPL; @@ -1476,9 +2167,13 @@ int sldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len) int sldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len) { const char* end; - uint32_t p = sldns_str2period(str, &end); + int overflow; + uint32_t p = sldns_str2period(str, &end, &overflow); if(*end != 0) return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_PERIOD, end-str); + if(overflow) + return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW, + end-str); if(*len < 4) return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; sldns_write_uint32(rd, p); diff --git a/sldns/str2wire.h b/sldns/str2wire.h index 70070e4f5..baee4236f 100644 --- a/sldns/str2wire.h +++ b/sldns/str2wire.h 
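Review bot: In sldns_str2wire_svcbparam_ech_value the `"0"` branch writes the 4-byte header but never sets `*rd_len`, unlike every other success path in these helpers, so `*rd_len` still holds the incoming capacity on return; add `*rd_len = 4;` before that `return LDNS_WIREPARSE_ERR_OK;`. A second point: sldns_str2wire_svcparam_port and the `keyNNNNN` branch of sldns_str2wire_svcparam_key_lookup pass the text straight to `strtoul`, which accepts leading whitespace and a sign (a negated value wraps and can land back inside 0..65535), so `if(!isdigit((unsigned char)val[0])) return LDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX;` before the call, and the same test on `buf[0]` in the lookup, keeps the accepted grammar strict. None of the new static functions has a doc comment; a short `/** ... */` stating that `*rd_len` is the capacity on entry and the bytes written on return would have made the first issue easy to spot.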
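Review bot: `int overflow;` in sldns_str2wire_period_buf is tested after the call without having been initialised, whereas the `$TTL` path in sldns_fp2wire_rr_buf declares `int overflow = 0;`. If sldns_str2period only stores to the flag when an overflow occurs (its body is not part of this diff), `if(overflow)` reads an indeterminate value. Declare it as `int overflow = 0;` here as well.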
@@ -23,10 +23,27 @@ extern "C" { #endif struct sldns_struct_lookup_table; +#define LDNS_IP4ADDRLEN (32/8) +#define LDNS_IP6ADDRLEN (128/8) + /** buffer to read an RR, cannot be larger than 64K because of packet size */ #define LDNS_RR_BUF_SIZE 65535 /* bytes */ #define LDNS_DEFAULT_TTL 3600 +/* SVCB keys currently defined in draft-ietf-dnsop-svcb-https */ +#define SVCB_KEY_MANDATORY 0 +#define SVCB_KEY_ALPN 1 +#define SVCB_KEY_NO_DEFAULT_ALPN 2 +#define SVCB_KEY_PORT 3 +#define SVCB_KEY_IPV4HINT 4 +#define SVCB_KEY_ECH 5 +#define SVCB_KEY_IPV6HINT 6 +#define SVCPARAMKEY_COUNT 7 + +#define MAX_NUMBER_OF_SVCPARAMS 64 + +#define SVCB_MAX_COMMA_SEPARATED_VALUES 1000 + /* * To convert class and type to string see * sldns_get_rr_class_by_name(str) @@ -170,7 +187,7 @@ uint8_t* sldns_wirerr_get_rdatawl(uint8_t* rr, size_t len, size_t dname_len); #define LDNS_WIREPARSE_MASK 0x0fff #define LDNS_WIREPARSE_SHIFT 12 #define LDNS_WIREPARSE_ERROR(e) ((e)&LDNS_WIREPARSE_MASK) -#define LDNS_WIREPARSE_OFFSET(e) (((e)&~LDNS_WIREPARSE_MASK)>>LDNS_WIREPARSE_SHIFT) +#define LDNS_WIREPARSE_OFFSET(e) ((((unsigned)(e))&~LDNS_WIREPARSE_MASK)>>LDNS_WIREPARSE_SHIFT) /* use lookuptable to get error string, sldns_wireparse_errors */ #define LDNS_WIREPARSE_ERR_OK 0 #define LDNS_WIREPARSE_ERR_GENERAL 342 
@@ -204,6 +221,20 @@ uint8_t* sldns_wirerr_get_rdatawl(uint8_t* rr, size_t len, size_t dname_len); #define LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW 370 #define LDNS_WIREPARSE_ERR_INCLUDE 371 #define LDNS_WIREPARSE_ERR_PARENTHESIS 372 +#define LDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY 373 +#define LDNS_WIREPARSE_ERR_SVCB_MISSING_PARAM 374 +#define LDNS_WIREPARSE_ERR_SVCB_TOO_MANY_PARAMS 375 +#define LDNS_WIREPARSE_ERR_SVCB_DUPLICATE_KEYS 376 +#define LDNS_WIREPARSE_ERR_SVCB_MANDATORY_TOO_MANY_KEYS 377 +#define LDNS_WIREPARSE_ERR_SVCB_MANDATORY_MISSING_PARAM 378 +#define LDNS_WIREPARSE_ERR_SVCB_MANDATORY_DUPLICATE_KEY 379 +#define LDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY 380 +#define LDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX 381 +#define LDNS_WIREPARSE_ERR_SVCB_IPV4_TOO_MANY_ADDRESSES 382 +#define LDNS_WIREPARSE_ERR_SVCB_IPV6_TOO_MANY_ADDRESSES 383 +#define LDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE 384 +#define LDNS_WIREPARSE_ERR_SVCB_NO_DEFAULT_ALPN_VALUE 385 +#define LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA 386 /** * Get reference to a constant string for the (parse) error. diff --git a/sldns/wire2str.c b/sldns/wire2str.c index d0d1632d4..b70efe299 100644 --- a/sldns/wire2str.c +++ b/sldns/wire2str.c 
@@ -149,6 +149,30 @@ static sldns_lookup_table sldns_wireparse_errors_data[] = { { LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW, "Syntax error, integer overflow" }, { LDNS_WIREPARSE_ERR_INCLUDE, "$INCLUDE directive was seen in the zone" }, { LDNS_WIREPARSE_ERR_PARENTHESIS, "Parse error, parenthesis mismatch" }, + { LDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY, "Unknown SvcParamKey"}, + { LDNS_WIREPARSE_ERR_SVCB_MISSING_PARAM, "SvcParam is missing a SvcParamValue"}, + { LDNS_WIREPARSE_ERR_SVCB_DUPLICATE_KEYS, "Duplicate SVCB key found"}, + { LDNS_WIREPARSE_ERR_SVCB_MANDATORY_TOO_MANY_KEYS, "Too many keys in mandatory" }, + { LDNS_WIREPARSE_ERR_SVCB_TOO_MANY_PARAMS, + "Too many SvcParams. Unbound only allows 63 entries" }, + { LDNS_WIREPARSE_ERR_SVCB_MANDATORY_MISSING_PARAM, + "Mandatory SvcParamKey is missing"}, + { LDNS_WIREPARSE_ERR_SVCB_MANDATORY_DUPLICATE_KEY, + "Keys in SvcParam mandatory MUST be unique" }, + { LDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY, + "mandatory MUST not be included as mandatory parameter" }, + { LDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX, + "Could not parse port SvcParamValue" }, + { LDNS_WIREPARSE_ERR_SVCB_IPV4_TOO_MANY_ADDRESSES, + "Too many IPv4 addresses in ipv4hint" }, + { LDNS_WIREPARSE_ERR_SVCB_IPV6_TOO_MANY_ADDRESSES, + "Too many IPv6 addresses in ipv6hint" }, + { LDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE, + "Alpn strings need to be smaller than 255 chars"}, + { LDNS_WIREPARSE_ERR_SVCB_NO_DEFAULT_ALPN_VALUE, + "No-default-alpn should not have a value" }, + { LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA, + "General SVCParam error" }, { 0, NULL } }; sldns_lookup_table* sldns_wireparse_errors = sldns_wireparse_errors_data; 
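Review bot: The message for `LDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE` says alpn strings must be "smaller than 255 chars", but the check in sldns_str2wire_svcbparam_alpn_value is `str_len > 255`, so 255 is accepted, and the same code is also returned when the whole value exceeds the scratch buffer. Wording such as `"Alpn strings need to be at most 255 chars"` would match the code. `LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA` maps to "General SVCParam error", which gives an operator little to act on; `"SvcParam rdata is truncated or malformed"` describes the two length checks that return it.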
@@ -196,6 +220,12 @@ static sldns_lookup_table sldns_tsig_errors_data[] = { }; sldns_lookup_table* sldns_tsig_errors = sldns_tsig_errors_data; +/* draft-ietf-dnsop-svcb-https-06: 6. Initial SvcParamKeys */ +const char *svcparamkey_strs[] = { + "mandatory", "alpn", "no-default-alpn", "port", + "ipv4hint", "ech", "ipv6hint" +}; + char* sldns_wire2str_pkt(uint8_t* data, size_t len) { size_t slen = (size_t)sldns_wire2str_pkt_buf(data, len, NULL, 0); @@ -787,6 +817,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen, unsigned i, counter=0; unsigned maxcompr = MAX_COMPRESS_PTRS; /* loop detection, max compr ptrs */ int in_buf = 1; + size_t dname_len = 0; if(comprloop) { if(*comprloop != 0) maxcompr = 30; /* for like ipv6 reverse name, per label */ @@ -842,6 +873,16 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen, labellen = (uint8_t)*dlen; else if(!in_buf && pos+(size_t)labellen > pkt+pktlen) labellen = (uint8_t)(pkt + pktlen - pos); + dname_len += ((size_t)labellen)+1; + if(dname_len > LDNS_MAX_DOMAINLEN) { + /* dname_len counts the uncompressed length we have + * seen so far, and the domain name has become too + * long, prevent the loop from printing overly long + * content. */ + w += sldns_str_print(s, slen, + "ErrorDomainNameTooLong"); + return w; + } for(i=0; i<(unsigned)labellen; i++) { w += dname_char_print(s, slen, *pos++); } 
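Review bot: `svcparamkey_strs` is indexed by sldns_print_svcparamkey under the guard `svcparamkey < SVCPARAMKEY_COUNT`, but nothing ties the array length to that macro, which is defined in str2wire.h. If a key is added to the macro list without a matching string, the lookup reads past the array; bounding by `sizeof(svcparamkey_strs)/sizeof(svcparamkey_strs[0])` or adding a compile-time size check removes that dependency. The array is also a writable global with external linkage; `static const char* const svcparamkey_strs[]` would be tighter if no other file refers to it, which cannot be confirmed from this diff.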
@@ -940,6 +981,253 @@ int sldns_wire2str_ttl_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen) return sldns_str_print(s, slen, "%u", (unsigned)ttl); } +static int +sldns_print_svcparamkey(char** s, size_t* slen, uint16_t svcparamkey) +{ + if (svcparamkey < SVCPARAMKEY_COUNT) { + return sldns_str_print(s, slen, "%s", svcparamkey_strs[svcparamkey]); + } + else { + return sldns_str_print(s, slen, "key%d", (int)svcparamkey); + } +} + +static int sldns_wire2str_svcparam_port2str(char** s, + size_t* slen, uint16_t data_len, uint8_t* data) +{ + int w = 0; + + if (data_len != 2) + return -1; /* wireformat error, a short is 2 bytes */ + w = sldns_str_print(s, slen, "=%d", (int)sldns_read_uint16(data)); + + return w; +} + +static int sldns_wire2str_svcparam_ipv4hint2str(char** s, + size_t* slen, uint16_t data_len, uint8_t* data) +{ + char ip_str[INET_ADDRSTRLEN + 1]; + + int w = 0; + + assert(data_len > 0); + + if ((data_len % LDNS_IP4ADDRLEN) == 0) { + if (inet_ntop(AF_INET, data, ip_str, sizeof(ip_str)) == NULL) + return -1; /* wireformat error, incorrect size or inet family */ + + w += sldns_str_print(s, slen, "=%s", ip_str); + data += LDNS_IP4ADDRLEN; + + while ((data_len -= LDNS_IP4ADDRLEN) > 0) { + if (inet_ntop(AF_INET, data, ip_str, sizeof(ip_str)) == NULL) + return -1; /* wireformat error, incorrect size or inet family */ + + w += sldns_str_print(s, slen, ",%s", ip_str); + data += LDNS_IP4ADDRLEN; + } + } else + return -1; + + return w; +} + +static int sldns_wire2str_svcparam_ipv6hint2str(char** s, + size_t* slen, uint16_t data_len, uint8_t* data) +{ + char ip_str[INET6_ADDRSTRLEN + 1]; + + int w = 0; + + assert(data_len > 0); + + if ((data_len % LDNS_IP6ADDRLEN) == 0) { + if (inet_ntop(AF_INET6, data, ip_str, sizeof(ip_str)) == NULL) + return -1; /* wireformat error, incorrect size or inet family */ + + w += sldns_str_print(s, slen, "=%s", ip_str); + data += LDNS_IP6ADDRLEN; + + while ((data_len -= LDNS_IP6ADDRLEN) > 0) { + if (inet_ntop(AF_INET6, data, 
ip_str, sizeof(ip_str)) == NULL) + return -1; /* wireformat error, incorrect size or inet family */ + + w += sldns_str_print(s, slen, ",%s", ip_str); + data += LDNS_IP6ADDRLEN; + } + } else + return -1; + + return w; +} + +static int sldns_wire2str_svcparam_mandatory2str(char** s, + size_t* slen, uint16_t data_len, uint8_t* data) +{ + int w = 0; + + assert(data_len > 0); + + if (data_len % sizeof(uint16_t)) + return -1; // wireformat error, data_len must be multiple of shorts + w += sldns_str_print(s, slen, "="); + w += sldns_print_svcparamkey(s, slen, sldns_read_uint16(data)); + data += 2; + + while ((data_len -= sizeof(uint16_t))) { + w += sldns_str_print(s, slen, ","); + w += sldns_print_svcparamkey(s, slen, sldns_read_uint16(data)); + data += 2; + } + + return w; +} + +static int sldns_wire2str_svcparam_alpn2str(char** s, + size_t* slen, uint16_t data_len, uint8_t* data) +{ + uint8_t *dp = (void *)data; + int w = 0; + + assert(data_len > 0); /* Guaranteed by sldns_wire2str_svcparam_scan */ + + w += sldns_str_print(s, slen, "=\""); + while (data_len) { + /* alpn is list of length byte (str_len) followed by a string of that size */ + uint8_t i, str_len = *dp++; + + if (str_len > --data_len) + return -1; + + for (i = 0; i < str_len; i++) { + if (dp[i] == '"' || dp[i] == '\\') + w += sldns_str_print(s, slen, "\\\\\\%c", dp[i]); + + else if (dp[i] == ',') + w += sldns_str_print(s, slen, "\\\\%c", dp[i]); + + else if (!isprint(dp[i])) + w += sldns_str_print(s, slen, "\\%03u", (unsigned) dp[i]); + + else + w += sldns_str_print(s, slen, "%c", dp[i]); + } + dp += str_len; + if ((data_len -= str_len)) + w += sldns_str_print(s, slen, "%s", ","); + } + w += sldns_str_print(s, slen, "\""); + + return w; +} + +static int sldns_wire2str_svcparam_ech2str(char** s, + size_t* slen, uint16_t data_len, uint8_t* data) +{ + int size; + int w = 0; + + assert(data_len > 0); /* Guaranteed by sldns_wire2str_svcparam_scan */ + + w += sldns_str_print(s, slen, "=\""); + + if ((size = 
sldns_b64_ntop(data, data_len, *s, *slen)) < 0) + return -1; + + (*s) += size; + (*slen) -= size; + + w += sldns_str_print(s, slen, "\""); + + return w + size; +} + +int sldns_wire2str_svcparam_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen) +{ + uint8_t ch; + uint16_t svcparamkey, data_len; + int written_chars = 0; + int r, i; + + /* verify that we have enough data to read svcparamkey and data_len */ + if(*dlen < 4) + return -1; + + svcparamkey = sldns_read_uint16(*d); + data_len = sldns_read_uint16(*d+2); + *d += 4; + *dlen -= 4; + + /* verify that we have data_len data */ + if (data_len > *dlen) + return -1; + + written_chars += sldns_print_svcparamkey(s, slen, svcparamkey); + if (!data_len) { + + /* Some SvcParams MUST have values */ + switch (svcparamkey) { + case SVCB_KEY_ALPN: + case SVCB_KEY_PORT: + case SVCB_KEY_IPV4HINT: + case SVCB_KEY_IPV6HINT: + case SVCB_KEY_MANDATORY: + return -1; + default: + return written_chars; + } + } + + switch (svcparamkey) { + case SVCB_KEY_PORT: + r = sldns_wire2str_svcparam_port2str(s, slen, data_len, *d); + break; + case SVCB_KEY_IPV4HINT: + r = sldns_wire2str_svcparam_ipv4hint2str(s, slen, data_len, *d); + break; + case SVCB_KEY_IPV6HINT: + r = sldns_wire2str_svcparam_ipv6hint2str(s, slen, data_len, *d); + break; + case SVCB_KEY_MANDATORY: + r = sldns_wire2str_svcparam_mandatory2str(s, slen, data_len, *d); + break; + case SVCB_KEY_NO_DEFAULT_ALPN: + return -1; /* wireformat error, should not have a value */ + case SVCB_KEY_ALPN: + r = sldns_wire2str_svcparam_alpn2str(s, slen, data_len, *d); + break; + case SVCB_KEY_ECH: + r = sldns_wire2str_svcparam_ech2str(s, slen, data_len, *d); + break; + default: + r = sldns_str_print(s, slen, "=\""); + + for (i = 0; i < data_len; i++) { + ch = (*d)[i]; + + if (ch == '"' || ch == '\\') + r += sldns_str_print(s, slen, "\\%c", ch); + + else if (!isprint(ch)) + r += sldns_str_print(s, slen, "\\%03u", (unsigned) ch); + + else + r += sldns_str_print(s, slen, "%c", ch); + + } + r += 
sldns_str_print(s, slen, "\""); + break; + } + if (r <= 0) + return -1; /* wireformat error */ + + written_chars += r; + *d += data_len; + *dlen -= data_len; + return written_chars; +} + int sldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen, int rdftype, uint8_t* pkt, size_t pktlen, int* comprloop) { @@ -1017,6 +1305,8 @@ int sldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen, return sldns_wire2str_tag_scan(d, dlen, s, slen); case LDNS_RDF_TYPE_LONG_STR: return sldns_wire2str_long_str_scan(d, dlen, s, slen); + case LDNS_RDF_TYPE_SVCPARAM: + return sldns_wire2str_svcparam_scan(d, dlen, s, slen); case LDNS_RDF_TYPE_TSIGERROR: return sldns_wire2str_tsigerror_scan(d, dlen, s, slen); } diff --git a/sldns/wire2str.h b/sldns/wire2str.h index 0167fe7c1..548c66300 100644 --- a/sldns/wire2str.h +++ b/sldns/wire2str.h @@ -59,7 +59,7 @@ char* sldns_wire2str_pkt(uint8_t* data, size_t len); char* sldns_wire2str_rr(uint8_t* rr, size_t len); /** - * Conver wire dname to a string. + * Convert wire dname to a string. * @param dname: the dname in uncompressed wireformat. * @param dname_len: length of the dname. * @return string or NULL on failure. @@ -494,6 +494,18 @@ int sldns_wire2str_opcode_buf(int opcode, char* str, size_t len); int sldns_wire2str_dname_buf(uint8_t* dname, size_t dname_len, char* str, size_t len); +/** + * Convert wire SVCB to a string with user buffer. + * @param d: the SVCB data in uncompressed wireformat. + * @param dlen: length of the SVCB data. + * @param s: the string to write to. + * @param slen: length of string. + * @return the number of characters for this element, excluding zerobyte. + * Is larger or equal than str_len if output was truncated. + */ +int sldns_wire2str_svcparam_scan(uint8_t** d, size_t* dlen, char** s, + size_t* slen); + /** * Scan wireformat rdf field to string, with user buffers. * It shifts the arguments to move along (see sldns_wire2str_pkt_scan). 
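Review bot: sldns_wire2str_svcparam_ech2str hands `*s` and `*slen` directly to `sldns_b64_ntop` and returns -1 when that fails, while the other printers go through `sldns_str_print` and keep counting when the output does not fit. If `sldns_b64_ntop` reports a too-small target as an error, an ECH value cannot be printed into a short buffer or measured with the `NULL, 0` sizing call that sldns_wire2str_pkt uses, and the record is reported as a wireformat error instead of being truncated. Encoding into a local buffer first and emitting it with `sldns_str_print(s, slen, "%s", buf)` would keep the length contract. The `//` comment in sldns_wire2str_svcparam_mandatory2str also differs from the `/* */` style used around it.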
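Review bot: The new header comment for sldns_wire2str_svcparam_scan leaves out two things the implementation does: it returns -1 on a wireformat error, and it advances `*d` and `*dlen` past the consumed SvcParam while moving `*s` and `*slen` along the output. It also mentions `str_len`, which is not one of the parameters. I would extend the `@return` with `or -1 on a wireformat error` and add a line such as `The d, dlen, s and slen arguments are moved along, see sldns_wire2str_pkt_scan.`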
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c index 3e6fc6e6f..3bc25a10c 100644 --- a/smallapp/unbound-anchor.c +++ b/smallapp/unbound-anchor.c @@ -2044,13 +2044,13 @@ write_builtin_anchor(const char* file) const char* builtin_root_anchor = get_builtin_ds(); FILE* out = fopen(file, "w"); if(!out) { - if(verb) printf("%s: %s\n", file, strerror(errno)); - if(verb) printf(" could not write builtin anchor\n"); + printf("could not write builtin anchor, to file %s: %s\n", + file, strerror(errno)); return; } if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) { - if(verb) printf("%s: %s\n", file, strerror(errno)); - if(verb) printf(" could not complete write builtin anchor\n"); + printf("could not complete write builtin anchor, to file %s: %s\n", + file, strerror(errno)); } fclose(out); } diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c index 34a1f5bb4..c25182bd2 100644 --- a/smallapp/unbound-checkconf.c +++ b/smallapp/unbound-checkconf.c @@ -1,5 +1,5 @@ /* - * checkconf/unbound-checkconf.c - config file checker for unbound.conf file. + * smallapp/unbound-checkconf.c - config file checker for unbound.conf file. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * @@ -54,6 +54,7 @@ #include "iterator/iter_hints.h" #include "validator/validator.h" #include "services/localzone.h" +#include "services/listen_dnsport.h" #include "services/view.h" #include "services/authzone.h" #include "respip/respip.h" 
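Review bot: The return value of `fclose(out)` in write_builtin_anchor is still ignored, so a failed flush (full disk, quota) can leave a truncated trust anchor file with no message, even though this change makes the other two failures always visible. `if(fclose(out) != 0) printf("could not complete write builtin anchor, to file %s: %s\n", file, strerror(errno));` would close that gap. The diagnostics go to stdout; stderr may be the better stream if the tool's output is consumed by scripts, though the rest of the file is not visible here. The function's opening lines are outside the hunk.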
@@ -334,19 +335,64 @@ interfacechecks(struct config_file* cfg) int d; struct sockaddr_storage a; socklen_t alen; - int i, j; + int i, j, i2, j2; + char*** resif = NULL; + int* num_resif = NULL; + + if(cfg->num_ifs != 0) { + resif = (char***)calloc(cfg->num_ifs, sizeof(char**)); + if(!resif) fatal_exit("malloc failure"); + num_resif = (int*)calloc(cfg->num_ifs, sizeof(int)); + if(!num_resif) fatal_exit("malloc failure"); + } for(i=0; inum_ifs; i++) { - if(!extstrtoaddr(cfg->ifs[i], &a, &alen)) { - fatal_exit("cannot parse interface specified as '%s'", - cfg->ifs[i]); - } - for(j=0; jnum_ifs; j++) { - if(i!=j && strcmp(cfg->ifs[i], cfg->ifs[j])==0) + /* search for duplicates in IP or ifname arguments */ + for(i2=0; i2ifs[i], cfg->ifs[i2]) == 0) { fatal_exit("interface: %s present twice, " "cannot bind same ports twice.", cfg->ifs[i]); + } + } + if(!resolve_interface_names(&cfg->ifs[i], 1, NULL, &resif[i], + &num_resif[i])) { + fatal_exit("could not resolve interface names, for %s", + cfg->ifs[i]); + } + /* search for duplicates in the returned addresses */ + for(j=0; jifs[i], resif[i][j]) != 0) + fatal_exit("cannot parse interface address '%s' from the interface specified as '%s'", + resif[i][j], cfg->ifs[i]); + else + fatal_exit("cannot parse interface specified as '%s'", + cfg->ifs[i]); + } + for(i2=0; i2ifs[i], resif[i][j]) != 0) + snprintf(info1, sizeof(info1), "address %s from interface: %s", resif[i][j], cfg->ifs[i]); + else snprintf(info1, sizeof(info1), "interface: %s", cfg->ifs[i]); + if(strcmp(cfg->ifs[i2], resif[i2][j2]) != 0) + snprintf(info2, sizeof(info2), "address %s from interface: %s", resif[i2][j2], cfg->ifs[i2]); + else snprintf(info2, sizeof(info2), "interface: %s", cfg->ifs[i2]); + fatal_exit("%s present twice, cannot bind the same ports twice. 
The first entry is %s and the second is %s", resif[i][j], info2, info1); + } + } + } } } + + for(i=0; inum_ifs; i++) { + config_del_strarray(resif[i], num_resif[i]); + } + free(resif); + free(num_resif); + for(i=0; inum_out_ifs; i++) { if(!ipstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen) && !netblockstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen, &d)) { @@ -362,6 +408,28 @@ interfacechecks(struct config_file* cfg) } } +/** check interface-automatic-ports */ +static void +ifautomaticportschecks(char* ifautomaticports) +{ + char* now = ifautomaticports; + while(now && *now) { + char* after; + int extraport; + while(isspace((unsigned char)*now)) + now++; + if(!*now) + break; + after = now; + extraport = (int)strtol(now, &after, 10); + if(extraport < 0 || extraport > 65535) + fatal_exit("interface-automatic-ports: port out of range at position %d in '%s'", (int)(now-ifautomaticports)+1, ifautomaticports); + if(extraport == 0 && now == after) + fatal_exit("interface-automatic-ports: parse error at position %d in '%s'", (int)(now-ifautomaticports)+1, ifautomaticports); + now = after; + } +} + /** check acl ips */ static void aclchecks(struct config_file* cfg) @@ -562,6 +630,7 @@ morechecks(struct config_file* cfg) warn_hosts("stub-host", cfg->stubs); warn_hosts("forward-host", cfg->forwards); interfacechecks(cfg); + ifautomaticportschecks(cfg->if_automatic_ports); aclchecks(cfg); tcpconnlimitchecks(cfg); @@ -645,6 +714,8 @@ morechecks(struct config_file* cfg) && strcmp(cfg->module_conf, "dns64 iterator") != 0 && strcmp(cfg->module_conf, "respip iterator") != 0 && strcmp(cfg->module_conf, "respip validator iterator") != 0 + && strcmp(cfg->module_conf, "respip dns64 validator iterator") != 0 + && strcmp(cfg->module_conf, "respip dns64 iterator") != 0 #ifdef WITH_PYTHONMODULE && strcmp(cfg->module_conf, "python iterator") != 0 && strcmp(cfg->module_conf, "python respip iterator") != 0 
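Review bot: In `ifautomaticportschecks` the range test runs on a value that has already been narrowed, `extraport = (int)strtol(now, &after, 10);`. On platforms where `long` is wider than `int`, a number such as 4294967349 can wrap into the 0..65535 window and be accepted by the checker. Keeping the full width until after the comparison closes that gap: declare `long extraport;`, assign `extraport = strtol(now, &after, 10);`, and leave the `extraport < 0 || extraport > 65535` test as is. A short comment that the list is whitespace-separated decimal ports would also help, since any other separator falls through to the "parse error" branch on the next iteration.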
@@ -739,6 +810,10 @@ morechecks(struct config_file* cfg) && strcmp(cfg->module_conf, "validator python cachedb iterator") != 0 && strcmp(cfg->module_conf, "respip validator python cachedb iterator") != 0 #endif +#if defined(CLIENT_SUBNET) && defined(USE_CACHEDB) + && strcmp(cfg->module_conf, "respip subnetcache validator cachedb iterator") != 0 + && strcmp(cfg->module_conf, "subnetcache validator cachedb iterator") != 0 +#endif #ifdef CLIENT_SUBNET && strcmp(cfg->module_conf, "subnetcache iterator") != 0 && strcmp(cfg->module_conf, "respip subnetcache iterator") != 0 @@ -909,9 +984,9 @@ int main(int argc, char* argv[]) const char* f; const char* opt = NULL; const char* cfgfile = CONFIGFILE; + checklock_start(); log_ident_set("unbound-checkconf"); log_init(NULL, 0, NULL); - checklock_start(); #ifdef USE_WINSOCK /* use registry config file in preference to compiletime location */ if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile"))) diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c index 5a6f0c560..a22ad5433 100644 --- a/smallapp/unbound-control.c +++ b/smallapp/unbound-control.c @@ -1,5 +1,5 @@ /* - * checkconf/unbound-control.c - remote control utility for unbound. + * smallapp/unbound-control.c - remote control utility for unbound. * * Copyright (c) 2008, NLnet Labs. All rights reserved. * @@ -188,7 +188,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d) { #ifndef S_SPLINT_S size_t leftover; - if(d == 0) { + if(d <= 0) { avg->tv_sec = 0; avg->tv_usec = 0; return; @@ -197,7 +197,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d) avg->tv_usec = sum->tv_usec / d; /* handle fraction from seconds divide */ leftover = sum->tv_sec - avg->tv_sec*d; - avg->tv_usec += (leftover*1000000)/d; + if(leftover <= 0) + leftover = 0; + avg->tv_usec += (((long long)leftover)*((long long)1000000))/d; + if(avg->tv_sec < 0) + avg->tv_sec = 0; + if(avg->tv_usec < 0) + avg->tv_usec = 0; #endif } 
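Review bot: The added guard `if(leftover <= 0) leftover = 0;` in `timeval_divide` cannot do what it appears to intend, because `leftover` is declared `size_t` in the context lines above. It is unsigned, so the condition is only true when it is already zero. If `sum->tv_sec - avg->tv_sec*d` is negative, the value wraps before the check, and the later `(long long)leftover` cast gives a platform-dependent result (a large positive number where `size_t` is 32 bits). Declaring it as `long long leftover;` makes the clamp effective and removes the need for the cast in the multiplication.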
@@ -438,7 +444,7 @@ static void do_stats_shm(struct config_file* cfg, struct ub_stats_info* stats, #endif /* HAVE_SHMGET */ /** print statistics from shm memory segment */ -static void print_stats_shm(const char* cfgfile) +static void print_stats_shm(const char* cfgfile, int quiet) { #ifdef HAVE_SHMGET struct config_file* cfg; @@ -468,8 +474,11 @@ static void print_stats_shm(const char* cfgfile) fatal_exit("shmat(%d): %s", id_arr, strerror(errno)); } - /* print the stats */ - do_stats_shm(cfg, stats, shm_stat); + + if(!quiet) { + /* print the stats */ + do_stats_shm(cfg, stats, shm_stat); + } /* shutdown */ shmdt(shm_stat); @@ -493,9 +502,7 @@ static void ssl_path_err(const char* s, const char *path) { unsigned long err; err = ERR_peek_error(); - if (ERR_GET_LIB(err) == ERR_LIB_SYS && - (ERR_GET_FUNC(err) == SYS_F_FOPEN || - ERR_GET_FUNC(err) == SYS_F_FREAD) ) { + if(ERR_GET_LIB(err) == ERR_LIB_SYS) { fprintf(stderr, "error: %s\n%s: %s\n", s, path, ERR_reason_error_string(err)); exit(1); @@ -537,11 +544,11 @@ setup_ctx(struct config_file* cfg) #endif if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert)) ssl_path_err("Error setting up SSL_CTX client cert", c_cert); - if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)) + if(!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)) ssl_path_err("Error setting up SSL_CTX client key", c_key); - if (!SSL_CTX_check_private_key(ctx)) + if(!SSL_CTX_check_private_key(ctx)) ssl_err("Error setting up SSL_CTX client key"); - if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1) + if(SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1) ssl_path_err("Error setting up SSL_CTX verify, server cert", s_cert); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); @@ -876,8 +883,9 @@ go_cmd(SSL* ssl, int fd, int quiet, int argc, char* argv[]) if(first_line && strncmp(buf, "error", 5) == 0) { printf("%s", buf); was_error = 1; - } else if (!quiet) + } else if(!quiet) { printf("%s", buf); + } first_line = 0; } 
@@ -940,9 +948,9 @@ int main(int argc, char* argv[]) extern int check_locking_order; check_locking_order = 0; #endif /* USE_THREAD_DEBUG */ + checklock_start(); log_ident_set("unbound-control"); log_init(NULL, 0, NULL); - checklock_start(); #ifdef USE_WINSOCK /* use registry config file in preference to compiletime location */ if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile"))) @@ -983,7 +991,7 @@ int main(int argc, char* argv[]) #endif } if(argc >= 1 && strcmp(argv[0], "stats_shm")==0) { - print_stats_shm(cfgfile); + print_stats_shm(cfgfile, quiet); return 0; } check_args_for_listcmd(argc, argv); diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c index 1ae2d8521..d612575f3 100644 --- a/smallapp/unbound-host.c +++ b/smallapp/unbound-host.c @@ -1,5 +1,5 @@ /* - * checkconf/unbound-host.c - replacement for host that supports validation. + * smallapp/unbound-host.c - replacement for host that supports validation. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * diff --git a/smallapp/worker_cb.c b/smallapp/worker_cb.c index cdf855dc3..c68981735 100644 --- a/smallapp/worker_cb.c +++ b/smallapp/worker_cb.c @@ -1,5 +1,5 @@ /* - * checkconf/worker_cb.c - fake callback routines to make fptr_wlist work + * smallapp/worker_cb.c - fake callback routines to make fptr_wlist work * * Copyright (c) 2007, NLnet Labs. All rights reserved. * @@ -65,14 +65,6 @@ int worker_handle_request(struct comm_point* ATTR_UNUSED(c), return 0; } -int worker_handle_reply(struct comm_point* ATTR_UNUSED(c), - void* ATTR_UNUSED(arg), int ATTR_UNUSED(error), - struct comm_reply* ATTR_UNUSED(reply_info)) -{ - log_assert(0); - return 0; -} - int worker_handle_service_reply(struct comm_point* ATTR_UNUSED(c), void* ATTR_UNUSED(arg), int ATTR_UNUSED(error), struct comm_reply* ATTR_UNUSED(reply_info)) 
@@ -105,10 +97,12 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg)) struct outbound_entry* worker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), - size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream), - char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q)) + size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), + char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q), + int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; @@ -137,18 +131,12 @@ worker_alloc_cleanup(void* ATTR_UNUSED(arg)) struct outbound_entry* libworker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), - size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream), - char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q)) -{ - log_assert(0); - return 0; -} - -int libworker_handle_reply(struct comm_point* ATTR_UNUSED(c), - void* ATTR_UNUSED(arg), int ATTR_UNUSED(error), - struct comm_reply* ATTR_UNUSED(reply_info)) + size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), + char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q), + int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; diff --git a/testcode/asynclook.c b/testcode/asynclook.c index 660f72a7d..fffd14ed5 100644 
--- a/testcode/asynclook.c +++ b/testcode/asynclook.c @@ -406,10 +406,10 @@ int main(int argc, char** argv) struct lookinfo* lookups; int i, r, cancel=0, blocking=0, ext=0; + checklock_start(); /* init log now because solaris thr_key_create() is not threadsafe */ log_init(0,0,0); /* lock debug start (if any) */ - checklock_start(); /* create context */ ctx = ub_ctx_create(); diff --git a/testcode/delayer.c b/testcode/delayer.c index 54175dbe3..e915961f5 100644 --- a/testcode/delayer.c +++ b/testcode/delayer.c @@ -347,7 +347,11 @@ static volatile int do_quit = 0; /** signal handler for user quit */ static RETSIGTYPE delayer_sigh(int sig) { - printf("exit on signal %d\n", sig); + char str[] = "exit on signal \n"; + str[15] = '0' + (sig/10)%10; + str[16] = '0' + sig%10; + /* simple cast to void will not silence Wunused-result */ + (void)!write(STDOUT_FILENO, str, strlen(str)); do_quit = 1; } diff --git a/testcode/do-tests.sh b/testcode/do-tests.sh index effb7c16a..2a1cfc4c9 100755 --- a/testcode/do-tests.sh +++ b/testcode/do-tests.sh @@ -1,5 +1,11 @@ #!/usr/bin/env bash . testdata/common.sh +quiet=0 +if test "$1" = "-q"; then + quiet=1 + tdirarg="-q" + shift +fi NEED_SPLINT='00-lint.tdir' NEED_DOXYGEN='01-doc.tdir' @@ -33,7 +39,7 @@ fi export -n NOTIFY_SOCKET cd testdata; -sh ../testcode/mini_tdir.sh clean +sh ../testcode/mini_tdir.sh $tdirarg clean rm -f .perfstats.txt for test in `ls -d *.tdir`; do SKIP=0 @@ -57,10 +63,10 @@ for test in `ls -d *.tdir`; do fi if test $SKIP -eq 0; then echo $test - sh ../testcode/mini_tdir.sh -a ../.. exe $test + sh ../testcode/mini_tdir.sh -a ../.. $tdirarg exe $test else echo "skip $test" fi done -sh ../testcode/mini_tdir.sh report +sh ../testcode/mini_tdir.sh $tdirarg report cat .perfstats.txt diff --git a/testcode/dohclient.c b/testcode/dohclient.c index 263418049..d35f5a82c 100644 --- a/testcode/dohclient.c +++ b/testcode/dohclient.c 
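Review bot: The rewritten `delayer_sigh` patches the signal number into fixed offsets, `str[15]` and `str[16]`. That is only safe if the literal carries padding at exactly those positions before the `\n`. This page collapses whitespace so the padding cannot be confirmed here, but if the literal is ever edited the stores would overwrite the newline or the terminator and `strlen(str)` would then read past the array. A comment on the literal, such as `/* two placeholder characters for the signal number before the newline */`, would document the coupling. Passing `sizeof(str)-1` to `write` instead of `strlen(str)` keeps the length independent of what the stores did. Only two digits are emitted, so signal numbers of 100 or more would print modulo 100.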
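Review bot: In do-tests.sh, `tdirarg` is assigned only inside the `-q` branch, yet it is expanded unconditionally in the three `mini_tdir.sh` invocations (`clean`, `exe` and `report` in the later hunks). Without `-q` it expands to whatever the caller's environment happens to export under that name. Initialising it next to the new `quiet=0` line with `tdirarg=""` makes the default explicit. `quiet` itself is set but not read in any of the visible hunks, so it can be dropped unless code outside the hunks uses it.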
@@ -358,7 +358,7 @@ static int http2_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session), } if(sldns_buffer_remaining(h2_stream->buf) < len) { - log_err("received data chunck does not fit into buffer"); + log_err("received data chunk does not fit into buffer"); return NGHTTP2_ERR_CALLBACK_FAILURE; } @@ -423,6 +423,7 @@ http2_session_create() if(nghttp2_session_callbacks_new(&callbacks) == NGHTTP2_ERR_NOMEM) { log_err("failed to initialize nghttp2 callback"); + free(h2_session); return NULL; } nghttp2_session_callbacks_set_recv_callback(callbacks, http2_recv_cb); @@ -501,7 +502,9 @@ run(struct http2_session* h2_session, int port, int no_tls, int count, char** q) if(!no_tls) { ctx = connect_sslctx_create(NULL, NULL, NULL, 0); if(!ctx) fatal_exit("cannot create ssl ctx"); +#ifdef HAVE_SSL_CTX_SET_ALPN_PROTOS SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3); +#endif ssl = outgoing_ssl_fd(ctx, fd); if(!ssl) { printf("cannot create ssl\n"); @@ -528,7 +531,7 @@ run(struct http2_session* h2_session, int port, int no_tls, int count, char** q) h2_session->block_select = 1; - /* hande query */ + /* handle query */ for(i=0; iaddrlen != 0) { repinfo.addrlen = todo->addrlen; @@ -597,7 +599,7 @@ autotrust_check(struct replay_runtime* runtime, struct replay_moment* mom) log_err("should be: %s", p->str); fatal_exit("autotrust_check failed"); } - if(line[0]) line[strlen(line)-1] = 0; /* remove newline */ + strip_end_white(line); expanded = macro_process(runtime->vars, runtime, p->str); if(!expanded) fatal_exit("could not expand macro line %d", lineno); @@ -650,7 +652,7 @@ tempfile_check(struct replay_runtime* runtime, struct replay_moment* mom) log_err("should be: %s", p->str); fatal_exit("tempfile_check failed"); } - if(line[0]) line[strlen(line)-1] = 0; /* remove newline */ + strip_end_white(line); expanded = macro_process(runtime->vars, runtime, p->str); if(!expanded) fatal_exit("could not expand macro line %d", lineno); 
@@ -909,6 +911,8 @@ comm_base_create(int ATTR_UNUSED(sigs)) /* we return the runtime structure instead. */ struct replay_runtime* runtime = (struct replay_runtime*) calloc(1, sizeof(struct replay_runtime)); + if(!runtime) + fatal_exit("out of memory in fake_event.c:comm_base_create"); runtime->scenario = saved_scenario; runtime->vars = macro_store_create(); if(!runtime->vars) fatal_exit("out of memory"); @@ -1046,7 +1050,9 @@ outside_network_create(struct comm_base* base, size_t bufsize, void (*unwanted_action)(void*), void* ATTR_UNUSED(unwanted_param), int ATTR_UNUSED(do_udp), void* ATTR_UNUSED(sslctx), int ATTR_UNUSED(delayclose), int ATTR_UNUSED(tls_use_sni), - struct dt_env* ATTR_UNUSED(dtenv), int ATTR_UNUSED(udp_connect)) + struct dt_env* ATTR_UNUSED(dtenv), int ATTR_UNUSED(udp_connect), + int ATTR_UNUSED(max_reuse_tcp_queries), int ATTR_UNUSED(tcp_reuse_timeout), + int ATTR_UNUSED(tcp_auth_query_timeout)) { struct replay_runtime* runtime = (struct replay_runtime*)base; struct outside_network* outnet = calloc(1, @@ -1181,12 +1187,13 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet, struct serviced_query* outnet_serviced_query(struct outside_network* outnet, struct query_info* qinfo, uint16_t flags, int dnssec, int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps), + int ATTR_UNUSED(check_ratelimit), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, size_t zonelen, struct module_qstate* qstate, comm_point_callback_type* callback, void* callback_arg, sldns_buffer* ATTR_UNUSED(buff), - struct module_env* env) + struct module_env* env, int* ATTR_UNUSED(was_ratelimited)) { struct replay_runtime* runtime = (struct replay_runtime*)outnet->base; struct fake_pending* pend = (struct fake_pending*)calloc(1, 
@@ -1216,11 +1223,37 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet, if(1) { struct edns_data edns; struct edns_string_addr* client_string_addr; + struct edns_option* backed_up_opt_list = + qstate->edns_opts_back_out; + struct edns_option* per_upstream_opt_list = NULL; + /* If we have an already populated EDNS option list make a copy + * since we may now add upstream specific EDNS options. */ + if(qstate->edns_opts_back_out) { + per_upstream_opt_list = edns_opt_copy_region( + qstate->edns_opts_back_out, qstate->region); + if(!per_upstream_opt_list) { + free(pend); + fatal_exit("out of memory"); + } + qstate->edns_opts_back_out = per_upstream_opt_list; + } if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, zonelen, qstate, qstate->region)) { free(pend); return NULL; } + /* Restore the option list; we can explicitly use the copied + * one from now on. */ + per_upstream_opt_list = qstate->edns_opts_back_out; + qstate->edns_opts_back_out = backed_up_opt_list; + if((client_string_addr = edns_string_addr_lookup( + &env->edns_strings->client_strings, + addr, addrlen))) { + edns_opt_list_append(&per_upstream_opt_list, + env->edns_strings->client_string_opcode, + client_string_addr->string_len, + client_string_addr->string, qstate->region); + } /* add edns */ edns.edns_present = 1; edns.ext_rcode = 0; 
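Review bot: On the `inplace_cb_query_call` failure path of `outnet_serviced_query` the function does `free(pend); return NULL;` while `qstate->edns_opts_back_out` still points at the per-upstream copy. The restore from `backed_up_opt_list` only runs after a successful callback. The copy is region-allocated, so this is not a leak, but the qstate keeps a list that callbacks may already have modified for this upstream. Adding `qstate->edns_opts_back_out = backed_up_opt_list;` before the `free(pend)` keeps both exits symmetric. The result of `edns_opt_list_append` is also discarded; if it reports allocation failure, the client string option is dropped silently. The function starts before this hunk and continues in the next one.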
@@ -1230,15 +1263,9 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet, if(dnssec) edns.bits = EDNS_DO; edns.padding_block_size = 0; - if((client_string_addr = edns_string_addr_lookup( - &env->edns_strings->client_strings, - addr, addrlen))) { - edns_opt_list_append(&qstate->edns_opts_back_out, - env->edns_strings->client_string_opcode, - client_string_addr->string_len, - client_string_addr->string, qstate->region); - } - edns.opt_list = qstate->edns_opts_back_out; + edns.opt_list_in = NULL; + edns.opt_list_out = per_upstream_opt_list; + edns.opt_list_inplace_cb_out = NULL; attach_edns_record(pend->buffer, &edns); } memcpy(&pend->addr, addr, addrlen); @@ -1416,6 +1443,11 @@ void pending_udp_timer_cb(void *ATTR_UNUSED(arg)) log_assert(0); } +void serviced_timer_cb(void *ATTR_UNUSED(arg)) +{ + log_assert(0); +} + void pending_udp_timer_delay_cb(void *ATTR_UNUSED(arg)) { log_assert(0); @@ -1532,6 +1564,8 @@ struct comm_timer* comm_timer_create(struct comm_base* base, { struct replay_runtime* runtime = (struct replay_runtime*)base; struct fake_timer* t = (struct fake_timer*)calloc(1, sizeof(*t)); + if(!t) + fatal_exit("out of memory in fake_event.c:comm_timer_create"); t->cb = cb; t->cb_arg = cb_arg; fptr_ok(fptr_whitelist_comm_timer(t->cb)); /* check in advance */ @@ -1709,7 +1743,7 @@ struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet, addr_to_str((struct sockaddr_storage*)to_addr, to_addrlen, addrbuf, sizeof(addrbuf)); if(verbosity >= VERB_ALGO) { - if(buf[0] != 0) buf[strlen(buf)-1] = 0; /* del newline*/ + strip_end_white(buf); log_info("tcp to %s: %s", addrbuf, buf); } log_assert(sldns_buffer_limit(query)-LDNS_HEADER_SIZE >= 2); 
@@ -1741,7 +1775,7 @@ struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet, struct comm_point* outnet_comm_point_for_http(struct outside_network* outnet, comm_point_callback_type* cb, void* cb_arg, struct sockaddr_storage* to_addr, socklen_t to_addrlen, int timeout, - int ssl, char* host, char* path) + int ssl, char* host, char* path, struct config_file* cfg) { struct replay_runtime* runtime = (struct replay_runtime*) outnet->base; @@ -1763,6 +1797,7 @@ struct comm_point* outnet_comm_point_for_http(struct outside_network* outnet, (void)ssl; (void)host; (void)path; + (void)cfg; /* handle http comm point and return contents from test script */ return (struct comm_point*)fc; @@ -1799,7 +1834,7 @@ int comm_point_send_udp_msg(struct comm_point *c, sldns_buffer* packet, addr_to_str((struct sockaddr_storage*)addr, addrlen, addrbuf, sizeof(addrbuf)); if(verbosity >= VERB_ALGO) { - if(buf[0] != 0) buf[strlen(buf)-1] = 0; /* del newline*/ + strip_end_white(buf); log_info("udp to %s: %s", addrbuf, buf); } log_assert(sldns_buffer_limit(packet)-LDNS_HEADER_SIZE >= 2); diff --git a/testcode/lock_verify.c b/testcode/lock_verify.c index 666a7029d..b0cffe292 100644 --- a/testcode/lock_verify.c +++ b/testcode/lock_verify.c 
@@ -387,6 +387,37 @@ static void check_order(rbtree_type* all_locks) fprintf(stderr, "\n"); } +/** delete lock ref */ +static void dellockref(rbnode_type* node, void* ATTR_UNUSED(arg)) +{ + struct lock_ref* o = (struct lock_ref*)node; + if(!o) return; + free(o->file); + free(o); +} + +/** delete lock node */ +static void delnode(rbnode_type* node, void* ATTR_UNUSED(arg)) +{ + struct order_lock* o = (struct order_lock*)node; + if(!o) return; + free(o->create_file); + if(o->smaller) { + traverse_postorder(o->smaller, &dellockref, NULL); + free(o->smaller); + } + free(o); +} + +/** delete allocated memory */ +static void locks_free(rbtree_type* all_locks) +{ + if(!all_locks) + return; + traverse_postorder(all_locks, &delnode, NULL); + free(all_locks); +} + /** main program to verify all traces passed */ int main(int argc, char* argv[]) @@ -403,6 +434,7 @@ main(int argc, char* argv[]) usage(); return 1; } + checklock_start(); log_init(NULL, 0, NULL); log_ident_set("lock-verify"); /* init */ @@ -421,6 +453,7 @@ main(int argc, char* argv[]) printf("checked %d locks in %d seconds with %d errors.\n", (int)all_locks->count, (int)(time(NULL)-starttime), errors_detected); + locks_free(all_locks); if(errors_detected) return 1; return 0; } diff --git a/testcode/mini_tdir.sh b/testcode/mini_tdir.sh index 5f02b0862..0457a95e7 100755 --- a/testcode/mini_tdir.sh +++ b/testcode/mini_tdir.sh @@ -5,14 +5,23 @@ if test "$1" = "-a"; then shift shift fi - +quiet=0 +if test "$1" = "-q"; then + quiet=1 + shift +fi + if test "$1" = "clean"; then - echo "rm -f result.* .done* .tdir.var.master .tdir.var.test" + if test $quiet = 0; then + echo "rm -f result.* .done* .tdir.var.master .tdir.var.test" + fi rm -f result.* .done* .tdir.var.master .tdir.var.test exit 0 fi if test "$1" = "fake"; then - echo "minitdir fake $2" + if test $quiet = 0; then + echo "minitdir fake $2" + fi echo "fake" > .done-`basename $2 .tdir` exit 0 fi 
@@ -37,7 +46,7 @@ if test "$1" = "-f" && test "$2" = "report"; then desc=`grep ^Description: "result.$name" | sed -e 's/Description: //'` fi if test -f ".done-$name"; then - if test "$1" != "-q"; then + if test $quiet = 0; then echo "** PASSED ** $timelen $name: $desc" pass=`expr $pass + 1` fi @@ -65,7 +74,7 @@ if test "$1" = "report" || test "$2" = "report"; then for result in *.tdir; do name=`basename $result .tdir` if test -f ".done-$name"; then - if test "$1" != "-q"; then + if test $quiet = 0; then echo "** PASSED ** : $name" fi else @@ -82,9 +91,9 @@ fi if test "$1" != 'exe'; then # usage echo "mini tdir. Reduced functionality for old shells." - echo " tdir exe " - echo " tdir fake " - echo " tdir clean" + echo " tdir [-q] exe " + echo " tdir [-q] fake " + echo " tdir [-q] clean" echo " tdir [-q|-f] report" exit 1 fi @@ -117,7 +126,9 @@ if test -f .done-$name; then fi # Copy -echo "minitdir copy $1 to $dir" +if test $quiet = 0; then + echo "minitdir copy $1 to $dir" +fi mkdir $dir if cp --help 2>&1 | grep -- "-a" >/dev/null; then cp -a $name.tdir/* $dir/ @@ -131,7 +142,9 @@ echo "minitdir exe $name" > $result grep "Description:" $name.dsc >> $result 2>&1 echo "DateRunStart: "`date "+%s" 2>/dev/null` >> $result if test -f $name.pre; then - echo "minitdir exe $name.pre" + if test $quiet = 0; then + echo "minitdir exe $name.pre" + fi echo "minitdir exe $name.pre" >> $result $shell $name.pre $args >> $result if test $? -ne 0; then @@ -139,7 +152,9 @@ if test -f $name.pre; then fi fi if test -f $name.test; then - echo "minitdir exe $name.test" + if test $quiet = 0; then + echo "minitdir exe $name.test" + fi echo "minitdir exe $name.test" >> $result $shell $name.test $args >>$result 2>&1 if test $? -ne 0; then 
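Review bot: In the `-f report` branch the counter update ``pass=`expr $pass + 1` `` sits inside the new `if test $quiet = 0` guard together with the `echo`. A quiet run therefore never counts passed tests, and any summary computed from `$pass` further down (outside this hunk) would under-report. The guard should wrap only the `echo "** PASSED ** ..."` line, with the increment moved above it so that `-q` changes output but not accounting.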
@@ -149,12 +164,16 @@ if test -f $name.test; then else echo "$name: PASSED" >> $result echo "$name: PASSED" > ../.done-$name - echo "$name: PASSED" + if test $quiet = 0; then + echo "$name: PASSED" + fi success="yes" fi fi if test -f $name.post; then - echo "minitdir exe $name.post" + if test $quiet = 0; then + echo "minitdir exe $name.post" + fi echo "minitdir exe $name.post" >> $result $shell $name.post $args >> $result if test $? -ne 0; then diff --git a/testcode/perf.c b/testcode/perf.c index b13eca6d3..55d6483c7 100644 --- a/testcode/perf.c +++ b/testcode/perf.c @@ -575,9 +575,9 @@ int main(int argc, char* argv[]) memset(&info, 0, sizeof(info)); info.io_num = 16; + checklock_start(); log_init(NULL, 0, NULL); log_ident_set("perf"); - checklock_start(); #ifdef USE_WINSOCK if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) fatal_exit("WSAStartup failed: %s", wsa_strerror(r)); diff --git a/testcode/petal.c b/testcode/petal.c index 123684aab..63d3d452e 100644 --- a/testcode/petal.c +++ b/testcode/petal.c @@ -220,8 +220,11 @@ read_http_headers(SSL* ssl, char* file, size_t flen, char* host, size_t hlen, host[0] = 0; while(read_ssl_line(ssl, buf, sizeof(buf))) { if(verb>=2) printf("read: %s\n", buf); - if(buf[0] == 0) + if(buf[0] == 0) { + int e = ERR_peek_error(); + printf("error string: %s\n", ERR_reason_error_string(e)); return 1; + } if(!process_one_header(buf, file, flen, host, hlen, vs)) return 0; } 
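Review bot: The diagnostic added to `read_http_headers` passes the result of `ERR_reason_error_string(e)` straight to `printf("%s")`, but that function returns NULL when there is no queued error or no reason string. An empty `buf` here is also the normal end of the header block, not only a failure, so the common path hands a NULL pointer to `%s`. `ERR_peek_error()` returns `unsigned long`, so `int e` can truncate the code. I would write `unsigned long e = ERR_peek_error();` and print only when `e != 0`, for example `if(e) printf("error string: %s\n", ERR_reason_error_string(e) ? ERR_reason_error_string(e) : "(no reason)");`. The same two lines are added in the `setup_ctx` hunk of this file and need the same change.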
@@ -238,8 +241,14 @@ setup_ctx(char* key, char* cert) (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); #endif (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); - if(!SSL_CTX_use_certificate_chain_file(ctx, cert)) +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL + SSL_CTX_set_security_level(ctx, 0); /* for keys in tests */ +#endif + if(!SSL_CTX_use_certificate_chain_file(ctx, cert)) { + int e = ERR_peek_error(); + printf("error string: %s\n", ERR_reason_error_string(e)); print_exit("cannot read cert"); + } if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) print_exit("cannot read key"); if(!SSL_CTX_check_private_key(ctx)) @@ -573,10 +582,9 @@ do_service(char* addr, int port, char* key, char* cert) { SSL_CTX* sslctx = setup_ctx(key, cert); int fd = setup_fd(addr, port); - int go = 1; if(fd == -1) print_exit("could not setup sockets"); if(verb) {printf("petal start\n"); fflush(stdout);} - while(go) { + while(1) { struct sockaddr_storage from; socklen_t flen = (socklen_t)sizeof(from); int s; diff --git a/testcode/readzone.c b/testcode/readzone.c new file mode 100644 index 000000000..94511e577 --- /dev/null +++ b/testcode/readzone.c 
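Review bot: `SSL_CTX_set_security_level(ctx, 0);` in `setup_ctx` switches off OpenSSL's minimum key-size and algorithm checks for the whole context, and the only explanation is the trailing `/* for keys in tests */`. Since petal is a test server that may be acceptable, but the comment should say so explicitly so the line is not copied into non-test code. Something like `/* test server only: accept the legacy keys shipped in testdata; never use level 0 outside the test suite */` would do. If the test keys can be regenerated at a currently accepted strength, dropping the call is the cleaner option.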
@@ -0,0 +1,158 @@ +/* + * testcode/readzone.c - readzone tool reads zonefiles + * + * Copyright (c) 2021, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +/** + * \file + * Command to read and echo a zonefile. 
+ */ + +#include "config.h" +#include +#include +#include +#include +#include + +#include +#include "sldns/str2wire.h" +#include "sldns/wire2str.h" + +int print_usage(FILE *out, const char *progname) +{ + fprintf(out, "usage: %s [ -u ] []\n", progname); + fprintf(out, "\t-u\tprint in unknown type (RFC3597) format\n"); + return out == stdout ? EXIT_SUCCESS : EXIT_FAILURE; +} + +int main(int argc, char *const *argv) +{ + char *progname = argv[0]; + uint8_t rr[LDNS_RR_BUF_SIZE]; + char *str = malloc(1024 * 1024); + size_t str_len = sizeof(str); + struct sldns_file_parse_state state; + FILE *in = NULL; + int s = -1; + int opt; + int print_in_unknown_type_format = 0; + + while ((opt = getopt(argc, argv, "hu")) != -1) { + switch (opt) { + case 'h': + free(str); + return print_usage(stdout, progname); + case 'u': + print_in_unknown_type_format = 1; + break; + default: + free(str); + return print_usage(stderr, progname); + } + } + argc -= optind; + argv += optind; + + memset(&state, 0, sizeof(state)); + state.default_ttl = 3600; + state.lineno = 1; + if (argc == 2) { + state.origin_len = sizeof(state.origin); + s = sldns_str2wire_dname_buf(argv[1], state.origin + , &state.origin_len); + if (s) { + fprintf(stderr, "Error parsing origin: %s\n" + , sldns_get_errorstr_parse(s)); + free(str); + return EXIT_FAILURE; + } + s = -1; + } + if (!str) + fprintf(stderr, "Memory allocation error: %s\n" + , strerror(errno)); + + else if (argc != 1 && argc != 2) { + free(str); + return print_usage(stderr, progname); + } + + else if (!(in = fopen(argv[0], "r"))) + fprintf(stderr, "Error opening \"%s\": %s\n" + , argv[0], strerror(errno)); + else while (!feof(in)) { + size_t rr_len = sizeof(rr), dname_len = 0; + size_t written; + + s = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len, &state); + if (s) { + fprintf( stderr, "parse error %d:%d: %s\n" + , state.lineno, LDNS_WIREPARSE_OFFSET(s) + , sldns_get_errorstr_parse(s)); + break; + } + if (rr_len == 0) + continue; + + if 
(print_in_unknown_type_format) + written = sldns_wire2str_rr_unknown_buf( + rr, rr_len, str, str_len); + else + written = sldns_wire2str_rr_buf( + rr, rr_len, str, str_len); + + if (written > str_len) { + while (written > str_len) + str_len *= 2; + free(str); + if (!(str = malloc(str_len))) { + fprintf(stderr, "Memory allocation error: %s\n" + , strerror(errno)); + s = -1; + break; + } + if (print_in_unknown_type_format) + (void) sldns_wire2str_rr_unknown_buf( + rr, rr_len, str, str_len); + else + (void) sldns_wire2str_rr_buf( + rr, rr_len, str, str_len); + } + fprintf(stdout, "%s", str); + } + if (in) + fclose(in); + free(str); + return !in || s ? EXIT_FAILURE : EXIT_SUCCESS; +} diff --git a/testcode/replay.c b/testcode/replay.c index 84ce50441..2487c146f 100644 --- a/testcode/replay.c +++ b/testcode/replay.c @@ -124,8 +124,7 @@ replay_range_delete(struct replay_range* rng) free(rng); } -/** strip whitespace from end of string */ -static void +void strip_end_white(char* p) { size_t i; @@ -227,7 +226,7 @@ read_file_content(FILE* in, int* lineno, struct replay_moment* mom) if(strncmp(line, "FILE_END", 8) == 0) { return; } - if(line[0]) line[strlen(line)-1] = 0; /* remove newline */ + strip_end_white(line); if(!cfg_strlist_insert(last, strdup(line))) fatal_exit("malloc failure"); last = &( (*last)->next ); @@ -249,7 +248,7 @@ read_assign_step(char* remain, struct replay_moment* mom) if(eq != '=') fatal_exit("no '=' in assign: %s", remain); remain += skip; - if(remain[0]) remain[strlen(remain)-1]=0; /* remove newline */ + strip_end_white(remain); mom->string = strdup(remain); if(!mom->variable || !mom->string) fatal_exit("out of memory"); 
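Review bot: In the new readzone.c, `size_t str_len = sizeof(str);` takes the size of the pointer, not of the 1 MiB allocation made on the line above. Every record longer than a pointer's width is first formatted into a truncated buffer and then reformatted after a reallocation. The growth test also uses `written > str_len`, while the wire2str buffer functions document truncation as a return value larger than or equal to the length, so an output of exactly `str_len` characters is printed truncated. I would change these to `size_t str_len = 1024 * 1024;`, `if (written >= str_len) {` and `while (written >= str_len)`. `written` is a `size_t` receiving an `int` return, so a negative result would also need handling if those functions can report one.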
@@ -318,8 +317,7 @@ replay_moment_read(char* remain, FILE* in, const char* name, mom->evt_type = repevt_autotrust_check; while(isspace((unsigned char)*remain)) remain++; - if(strlen(remain)>0 && remain[strlen(remain)-1]=='\n') - remain[strlen(remain)-1] = 0; + strip_end_white(remain); mom->autotrust_id = strdup(remain); if(!mom->autotrust_id) fatal_exit("out of memory"); read_file_content(in, &pstate->lineno, mom); @@ -327,8 +325,7 @@ replay_moment_read(char* remain, FILE* in, const char* name, mom->evt_type = repevt_tempfile_check; while(isspace((unsigned char)*remain)) remain++; - if(strlen(remain)>0 && remain[strlen(remain)-1]=='\n') - remain[strlen(remain)-1] = 0; + strip_end_white(remain); mom->autotrust_id = strdup(remain); if(!mom->autotrust_id) fatal_exit("out of memory"); read_file_content(in, &pstate->lineno, mom); @@ -359,8 +356,7 @@ replay_moment_read(char* remain, FILE* in, const char* name, m++; if(!extstrtoaddr(s, &mom->addr, &mom->addrlen)) fatal_exit("bad infra_rtt address %s", s); - if(strlen(m)>0 && m[strlen(m)-1]=='\n') - m[strlen(m)-1] = 0; + strip_end_white(m); mom->variable = strdup(remain); mom->string = strdup(m); if(!mom->string) fatal_exit("out of memory"); @@ -375,8 +371,7 @@ replay_moment_read(char* remain, FILE* in, const char* name, if(parse_keyword(&remain, "ADDRESS")) { while(isspace((unsigned char)*remain)) remain++; - if(strlen(remain) > 0) /* remove \n */ - remain[strlen(remain)-1] = 0; + strip_end_white(remain); if(!extstrtoaddr(remain, &mom->addr, &mom->addrlen)) { log_err("line %d: could not parse ADDRESS: %s", pstate->lineno, remain); @@ -693,7 +688,11 @@ do_macro_ctime(char* arg) return NULL; } ctime_r(&tt, buf); - if(buf[0]) buf[strlen(buf)-1]=0; /* remove trailing newline */ +#ifdef USE_WINSOCK + if(strlen(buf) > 10 && buf[7]==' ' && buf[8]=='0') + buf[8]=' '; /* fix error in windows ctime */ +#endif + strip_end_white(buf); return strdup(buf); } 
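Review bot: In the infra_rtt branch only `mom->string` is tested after the two `strdup()` calls, so a failed `mom->variable = strdup(remain)` passes unnoticed, while read_assign_step in this same file checks both pointers. Suggest `if(!mom->variable || !mom->string) fatal_exit("out of memory");` in place of the single check. replay_moment_read continues outside the hunk, so a later check on `mom->variable` cannot be ruled out from here.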
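Review bot: The return value of `ctime_r(&tt, buf)` in do_macro_ctime is still ignored, yet the added USE_WINSOCK fix-up and `strip_end_white(buf)` both read `buf` straight afterwards. If the conversion fails, the contents of `buf` are whatever was there before; its declaration is above the hunk, so whether it is initialised cannot be seen here. Suggest `if(!ctime_r(&tt, buf)) return NULL;`, matching the `return NULL;` error path just above.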
diff --git a/testcode/replay.h b/testcode/replay.h index 5132cdacb..0271dff03 100644 --- a/testcode/replay.h +++ b/testcode/replay.h @@ -425,6 +425,9 @@ int replay_var_compare(const void* a, const void* b); /** get oldest enabled fake timer */ struct fake_timer* replay_get_oldest_timer(struct replay_runtime* runtime); +/** strip whitespace from end of string */ +void strip_end_white(char* p); + /** * Create variable storage * @return new or NULL on failure. diff --git a/testcode/streamtcp.c b/testcode/streamtcp.c index ffdddbe9d..ecc83c1cf 100644 --- a/testcode/streamtcp.c +++ b/testcode/streamtcp.c @@ -397,11 +397,17 @@ send_em(const char* svr, int udp, int usessl, int noanswer, int onarrival, /** SIGPIPE handler */ static RETSIGTYPE sigh(int sig) { + char str[] = "Got unhandled signal \n"; if(sig == SIGPIPE) { - printf("got SIGPIPE, remote connection gone\n"); + char* strpipe = "got SIGPIPE, remote connection gone\n"; + /* simple cast to void will not silence Wunused-result */ + (void)!write(STDOUT_FILENO, strpipe, strlen(strpipe)); exit(1); } - printf("Got unhandled signal %d\n", sig); + str[21] = '0' + (sig/10)%10; + str[22] = '0' + sig%10; + /* simple cast to void will not silence Wunused-result */ + (void)!write(STDOUT_FILENO, str, strlen(str)); exit(1); } #endif /* SIGPIPE */ @@ -431,8 +437,8 @@ int main(int argc, char** argv) #endif /* lock debug start (if any) */ - log_init(0, 0, 0); checklock_start(); + log_init(0, 0, 0); #ifdef SIGPIPE if(signal(SIGPIPE, &sigh) == SIG_ERR) { diff --git a/testcode/testbound.c b/testcode/testbound.c index 5e10779fc..ec627cc8d 100644 --- a/testcode/testbound.c +++ b/testcode/testbound.c @@ -168,7 +168,7 @@ spool_temp_file_name(int* lineno, FILE* cfg, char* id) id++; if(*id == '\0') fatal_exit("TEMPFILE_NAME must have id, line %d", *lineno); - id[strlen(id)-1]=0; /* remove newline */ + strip_end_white(id); fake_temp_file("_temp_", id, line, sizeof(line)); fprintf(cfg, "\"%s\"\n", line); } 
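Review bot: `sigh()` in streamtcp.c still ends both paths with `exit(1)`, which is not async-signal-safe because it runs atexit handlers and flushes stdio, so swapping `printf` for `write` removes only part of the hazard; `_exit(1);` in both places would complete it. The digit stores to `str[21]` and `str[22]` also depend on the literal carrying exactly two pad characters before the newline, which cannot be confirmed from this rendering. A comment on the declaration such as `/* pad chars at [21] and [22] receive the signal number */` would keep a later edit of the message from overwriting the newline or the terminator.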
@@ -185,7 +185,7 @@ spool_temp_file(FILE* in, int* lineno, char* id) id++; if(*id == '\0') fatal_exit("TEMPFILE_CONTENTS must have id, line %d", *lineno); - id[strlen(id)-1]=0; /* remove newline */ + strip_end_white(id); fake_temp_file("_temp_", id, line, sizeof(line)); /* open file and spool to it */ spool = fopen(line, "w"); @@ -205,7 +205,7 @@ spool_temp_file(FILE* in, int* lineno, char* id) char* tid = parse+17; while(isspace((unsigned char)*tid)) tid++; - tid[strlen(tid)-1]=0; /* remove newline */ + strip_end_white(tid); fake_temp_file("_temp_", tid, l2, sizeof(l2)); snprintf(line, sizeof(line), "$INCLUDE %s\n", l2); } @@ -230,7 +230,7 @@ spool_auto_file(FILE* in, int* lineno, FILE* cfg, char* id) id++; if(*id == '\0') fatal_exit("AUTROTRUST_FILE must have id, line %d", *lineno); - id[strlen(id)-1]=0; /* remove newline */ + strip_end_white(id); fake_temp_file("_auto_", id, line, sizeof(line)); /* add option for the file */ fprintf(cfg, "server: auto-trust-anchor-file: \"%s\"\n", line); @@ -279,6 +279,7 @@ setup_config(FILE* in, int* lineno, int* pass_argc, char* pass_argv[]) fprintf(cfg, " username: \"\"\n"); fprintf(cfg, " pidfile: \"\"\n"); fprintf(cfg, " val-log-level: 2\n"); + fprintf(cfg, " log-servfail: yes\n"); fprintf(cfg, "remote-control: control-enable: no\n"); while(fgets(line, MAX_LINE_LEN-1, in)) { parse = line; @@ -373,6 +374,7 @@ main(int argc, char* argv[]) (void)unsetenv("NOTIFY_SOCKET"); #endif /* HAVE_SYSTEMD */ + checklock_start(); log_init(NULL, 0, NULL); /* determine commandline options for the daemon */ pass_argc = 1; @@ -603,3 +605,13 @@ int squelch_err_ssl_handshake(unsigned long ATTR_UNUSED(err)) { return 0; } + +void listen_setup_locks(void) +{ + /* nothing */ +} + +void listen_desetup_locks(void) +{ + /* nothing */ +} diff --git a/testcode/unitauth.c b/testcode/unitauth.c index 184573ab6..d193526b8 100644 --- a/testcode/unitauth.c +++ b/testcode/unitauth.c 
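Review bot: In spool_temp_file the include id `tid` goes to `fake_temp_file()` right after `strip_end_white(tid)` with no empty-id test, whereas every `id` path in this file has `if(*id == '\0') fatal_exit(...)` first. An include line with nothing after the keyword would now produce a temp file name from an empty id instead of an error. Suggest `if(*tid == '\0') fatal_exit("include must have id, line %d", *lineno);` before the `fake_temp_file` call. The function body starts and ends outside this hunk.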
@@ -468,8 +468,13 @@ tmpfilecleanup(void) int i; char buf[256]; for(i=0; iid = id; - w->outnet = outnet; - w->next_waiting = (void*)reuse->pending; - reuse_tree_by_id_insert(reuse, w); - } -} - -/** fill up the reuse ID tree and test assertions */ -static void tcpid_fillup(struct reuse_tcp* reuse, - struct outside_network* outnet) -{ - int t, numtest=3; - for(t=0; ttree_by_id, reuse_id_cmp); - tcpid_addmore(reuse, outnet, 65535); - reuse_del_readwait(&reuse->tree_by_id); - } -} - -/** test TCP ID selection */ -static void tcpid_test(void) -{ - struct pending_tcp pend; - struct outside_network outnet; - unit_show_func("services/outside_network.c", "reuse_tcp_select_id"); - memset(&pend, 0, sizeof(pend)); - pend.reuse.pending = &pend; - memset(&outnet, 0, sizeof(outnet)); - outnet.rnd = ub_initstate(NULL); - rbtree_init(&pend.reuse.tree_by_id, reuse_id_cmp); - tcpid_fillup(&pend.reuse, &outnet); - ub_randfree(outnet.rnd); -} - void unit_show_func(const char* file, const char* func) { printf("test %s:%s\n", file, func); @@ -907,6 +861,7 @@ void ecdsa_evp_workaround_init(void); int main(int argc, char* argv[]) { + checklock_start(); log_init(NULL, 0, NULL); if(argc != 1) { printf("usage: %s\n", argv[0]); @@ -934,7 +889,6 @@ main(int argc, char* argv[]) if(NSS_NoDB_Init(".") != SECSuccess) fatal_exit("could not init NSS"); #endif /* HAVE_SSL or HAVE_NSS*/ - checklock_start(); authzone_test(); neg_test(); rnd_test(); @@ -953,8 +907,8 @@ main(int argc, char* argv[]) infra_test(); ldns_test(); zonemd_test(); + tcpreuse_test(); msgparse_test(); - tcpid_test(); #ifdef CLIENT_SUBNET ecs_test(); #endif /* CLIENT_SUBNET */ diff --git a/testcode/unitmain.h b/testcode/unitmain.h index 66d1322f2..adcd74f77 100644 --- a/testcode/unitmain.h +++ b/testcode/unitmain.h 
@@ -82,5 +82,7 @@ void ldns_test(void); void authzone_test(void); /** unit test for zonemd functions */ void zonemd_test(void); +/** unit test for tcp_reuse functions */ +void tcpreuse_test(void); #endif /* TESTCODE_UNITMAIN_H */ diff --git a/testcode/unittcpreuse.c b/testcode/unittcpreuse.c new file mode 100644 index 000000000..087c6c1b9 --- /dev/null +++ b/testcode/unittcpreuse.c 
@@ -0,0 +1,236 @@
+/*
+ * testcode/unittcpreuse.c - unit test for tcp_reuse.
+ *
+ * Copyright (c) 2021, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/**
+ * \file
+ * Tests the tcp_reuse functionality.
+ */ + +#include "config.h" +#include "testcode/unitmain.h" +#include "util/log.h" +#include "util/random.h" +#include "services/outside_network.h" + +/** add number of new IDs to the reuse tree, randomly chosen */ +static void tcpid_addmore(struct reuse_tcp* reuse, + struct outside_network* outnet, unsigned int addnum) +{ + unsigned int i; + struct waiting_tcp* w; + for(i=0; iid = id; + w->outnet = outnet; + w->next_waiting = (void*)reuse->pending; + reuse_tree_by_id_insert(reuse, w); + } +} + +/** fill up the reuse ID tree and test assertions */ +static void tcpid_fillup(struct reuse_tcp* reuse, + struct outside_network* outnet) +{ + int t, numtest=3; + for(t=0; ttree_by_id, reuse_id_cmp); + tcpid_addmore(reuse, outnet, 65535); + reuse_del_readwait(&reuse->tree_by_id); + } +} + +/** test TCP ID selection */ +static void tcpid_test(void) +{ + struct pending_tcp pend; + struct outside_network outnet; + unit_show_func("services/outside_network.c", "reuse_tcp_select_id"); + memset(&pend, 0, sizeof(pend)); + pend.reuse.pending = &pend; + memset(&outnet, 0, sizeof(outnet)); + outnet.rnd = ub_initstate(NULL); + rbtree_init(&pend.reuse.tree_by_id, reuse_id_cmp); + tcpid_fillup(&pend.reuse, &outnet); + ub_randfree(outnet.rnd); +} + +/** check that the tree has present number of nodes and the LRU is linked + * properly. 
*/ +static void check_tree_and_list(struct outside_network* outnet, int present) +{ + int i; + struct reuse_tcp *reuse, *next_reuse; + unit_assert(present == (int)outnet->tcp_reuse.count); + if(present < 1) { + unit_assert(outnet->tcp_reuse_first == NULL); + unit_assert(outnet->tcp_reuse_last == NULL); + return; + } + unit_assert(outnet->tcp_reuse_first->item_on_lru_list); + unit_assert(!outnet->tcp_reuse_first->lru_prev); + reuse = outnet->tcp_reuse_first; + for(i=0; iitem_on_lru_list); + unit_assert(reuse->lru_next); + unit_assert(reuse->lru_next != reuse); + next_reuse = reuse->lru_next; + unit_assert(next_reuse->lru_prev == reuse); + reuse = next_reuse; + } + unit_assert(!reuse->lru_next); + unit_assert(outnet->tcp_reuse_last->item_on_lru_list); + unit_assert(outnet->tcp_reuse_last == reuse); +} + +/** creates pending_tcp. Copy of outside_network.c:create_pending_tcp without + * the comm_point creation */ +static int create_pending_tcp(struct outside_network* outnet) +{ + size_t i; + if(outnet->num_tcp == 0) + return 1; /* no tcp needed, nothing to do */ + if(!(outnet->tcp_conns = (struct pending_tcp **)calloc( + outnet->num_tcp, sizeof(struct pending_tcp*)))) + return 0; + for(i=0; inum_tcp; i++) { + if(!(outnet->tcp_conns[i] = (struct pending_tcp*)calloc(1, + sizeof(struct pending_tcp)))) + return 0; + outnet->tcp_conns[i]->next_free = outnet->tcp_free; + outnet->tcp_free = outnet->tcp_conns[i]; + } + return 1; +} + +/** empty the tcp_reuse tree and LRU list */ +static void empty_tree(struct outside_network* outnet) +{ + size_t i; + struct reuse_tcp* reuse; + reuse = outnet->tcp_reuse_first; + i = outnet->tcp_reuse.count; + while(reuse) { + reuse_tcp_remove_tree_list(outnet, reuse); + check_tree_and_list(outnet, --i); + reuse = outnet->tcp_reuse_first; + } +} + +/** check removal of the LRU element on the given position of total elements */ +static void check_removal(struct outside_network* outnet, int position, int total) +{ + int i; + struct reuse_tcp* 
reuse; + empty_tree(outnet); + for(i=0; itcp_conns[i]); + } + check_tree_and_list(outnet, total); + reuse = outnet->tcp_reuse_first; + for(i=0; ilru_next; + reuse_tcp_remove_tree_list(outnet, reuse); + check_tree_and_list(outnet, total-1); +} + +/** check snipping off the last element of the LRU with total elements */ +static void check_snip(struct outside_network* outnet, int total) +{ + int i; + struct reuse_tcp* reuse; + empty_tree(outnet); + for(i=0; itcp_conns[i]); + } + check_tree_and_list(outnet, total); + reuse = reuse_tcp_lru_snip(outnet); + while(reuse) { + reuse_tcp_remove_tree_list(outnet, reuse); + check_tree_and_list(outnet, --total); + reuse = reuse_tcp_lru_snip(outnet); + } + unit_assert(outnet->tcp_reuse_first == NULL); + unit_assert(outnet->tcp_reuse_last == NULL); + unit_assert(outnet->tcp_reuse.count == 0); +} + +/** test tcp_reuse tree and LRU list functions */ +static void tcp_reuse_tree_list_test(void) +{ + size_t i; + struct outside_network outnet; + struct reuse_tcp* reuse; + memset(&outnet, 0, sizeof(outnet)); + rbtree_init(&outnet.tcp_reuse, reuse_cmp); + outnet.num_tcp = 5; + outnet.tcp_reuse_max = outnet.num_tcp; + if(!create_pending_tcp(&outnet)) fatal_exit("out of memory"); + /* add all to the tree */ + unit_show_func("services/outside_network.c", "reuse_tcp_insert"); + for(i=0; ilru_next; reuse = reuse->lru_next); + reuse_tcp_lru_touch(&outnet, reuse); + check_tree_and_list(&outnet, outnet.num_tcp); + } + /* check removal */ + unit_show_func("services/outside_network.c", "reuse_tcp_remove_tree_list"); + check_removal(&outnet, 2, 5); + check_removal(&outnet, 1, 3); + check_removal(&outnet, 1, 2); + /* check snip */ + unit_show_func("services/outside_network.c", "reuse_tcp_lru_snip"); + check_snip(&outnet, 4); + + for(i=0; ilock); + z->zonemd_check = 1; + lock_rw_unlock(&z->lock); /* create zonemd digest */ result = auth_zone_generate_zonemd_hash(z, scheme, hashalgo, 
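Review bot: In tcpid_test the result of `outnet.rnd = ub_initstate(NULL);` is passed on to `tcpid_fillup()` without a NULL test, so an allocation failure there would surface as a crash inside the ID selection code rather than as a clear test abort. Suggest `if(!outnet.rnd) fatal_exit("out of memory");` right after the call, the same form tcp_reuse_tree_list_test uses for `create_pending_tcp()`. Several loop bodies of this new file are partly lost in the page rendering, so this remark is limited to tcpid_test, which is intact.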
@@ -129,37 +136,37 @@ static void zonemd_generate_test(const char* zname, char* zfile, static void zonemd_generate_tests(void) { unit_show_func("services/authzone.c", "auth_zone_generate_zonemd_hash"); - zonemd_generate_test("example.org", "testdata/zonemd.example1.zone", + zonemd_generate_test("example.org", SRCDIRSTR "/testdata/zonemd.example1.zone", 1, 2, "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D481B7"); /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12 * from section A.1 */ - zonemd_generate_test("example", "testdata/zonemd.example_a1.zone", + zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a1.zone", 1, 1, "c68090d90a7aed716bc459f9340e3d7c1370d4d24b7e2fc3a1ddc0b9a87153b9a9713b3c9ae5cc27777f98b8e730044c"); /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12 * from section A.2 */ - zonemd_generate_test("example", "testdata/zonemd.example_a2.zone", + zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a2.zone", 1, 1, "31cefb03814f5062ad12fa951ba0ef5f8da6ae354a415767246f7dc932ceb1e742a2108f529db6a33a11c01493de358d"); /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12 * from section A.3 SHA384 digest */ - zonemd_generate_test("example", "testdata/zonemd.example_a3.zone", + zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a3.zone", 1, 1, "62e6cf51b02e54b9b5f967d547ce43136792901f9f88e637493daaf401c92c279dd10f0edb1c56f8080211f8480ee306"); /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12 * from section A.3 SHA512 digest*/ - zonemd_generate_test("example", "testdata/zonemd.example_a3.zone", + zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a3.zone", 1, 2, "08cfa1115c7b948c4163a901270395ea226a930cd2cbcf2fa9a5e6eb85f37c8a4e114d884e66f176eab121cb02db7d652e0cc4827e7a3204f166b47e5613fd27"); /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12 
* from section A.4 */ - zonemd_generate_test("uri.arpa", "testdata/zonemd.example_a4.zone", + zonemd_generate_test("uri.arpa", SRCDIRSTR "/testdata/zonemd.example_a4.zone", 1, 1, "1291b78ddf7669b1a39d014d87626b709b55774c5d7d58fadc556439889a10eaf6f11d615900a4f996bd46279514e473"); /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12 * from section A.5 */ - zonemd_generate_test("root-servers.net", "testdata/zonemd.example_a5.zone", + zonemd_generate_test("root-servers.net", SRCDIRSTR "/testdata/zonemd.example_a5.zone", 1, 1, "f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a978a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79"); } @@ -167,7 +174,7 @@ static void zonemd_generate_tests(void) static void zonemd_check_test(void) { const char* zname = "example.org"; - char* zfile = "testdata/zonemd.example1.zone"; + char* zfile = SRCDIRSTR "/testdata/zonemd.example1.zone"; int scheme = 1; int hashalgo = 2; const char* digest = "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D481B7"; @@ -196,6 +203,9 @@ static void zonemd_check_test(void) /* read file */ z = authtest_addzone(az, zname, zfile); unit_assert(z); + lock_rw_wrlock(&z->lock); + z->zonemd_check = 1; + lock_rw_unlock(&z->lock); hashlen = sizeof(hash); if(sldns_str2wire_hex_buf(digest, hash, &hashlen) != 0) { unit_assert(0); /* parse failure */ 
@@ -211,10 +221,10 @@ static void zonemd_check_test(void) unit_assert(result && reason == NULL); result = auth_zone_generate_zonemd_check(z, 241, hashalgo, hash, hashlen, region, buf, &reason); - unit_assert(!result && strcmp(reason, "unsupported scheme")==0); + unit_assert(result && strcmp(reason, "unsupported scheme")==0); result = auth_zone_generate_zonemd_check(z, scheme, 242, hash, hashlen, region, buf, &reason); - unit_assert(!result && strcmp(reason, "unsupported algorithm")==0); + unit_assert(result && strcmp(reason, "unsupported algorithm")==0); result = auth_zone_generate_zonemd_check(z, scheme, hashalgo, hash, 2, region, buf, &reason); unit_assert(!result && strcmp(reason, "digest length too small, less than 12")==0); @@ -291,6 +301,7 @@ static void zonemd_verify_test(char* zname, char* zfile, char* tastr, /* test */ lock_rw_wrlock(&z->lock); + z->zonemd_check = 1; auth_zone_verify_zonemd(z, &env, &mods, &result, 1, 0); lock_rw_unlock(&z->lock); if(verbosity >= VERB_ALGO) { 
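Review bot: The two flipped assertions in zonemd_check_test now expect `auth_zone_generate_zonemd_check()` to return true for an unsupported scheme or hash algorithm, and nothing beside them records that a true result with `reason` set presumably means the digest was not compared at all. A comment above them such as `/* unsupported scheme/algorithm: success with reason set, digest not checked */` would make that contract visible to anyone reading the test as a specification. Both assertions also call `strcmp(reason, ...)` with no NULL test, so a regression that leaves `reason` NULL crashes the test instead of failing it; `unit_assert(result && reason && strcmp(reason, "unsupported scheme")==0);` avoids that. zonemd_check_test starts and ends outside this hunk.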
@@ -334,25 +345,25 @@ static void zonemd_verify_tests(void) unit_show_func("services/authzone.c", "auth_zone_verify_zonemd"); /* give trustanchor for unsigned zone, should fail */ zonemd_verify_test("example.org", - "testdata/zonemd.example1.zone", + SRCDIRSTR "/testdata/zonemd.example1.zone", "example.org. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20180302005009", "verify DNSKEY RRset with trust anchor failed: have trust anchor, but zone has no DNSKEY"); /* unsigned zone without ZONEMD in it */ zonemd_verify_test("example.org", - "testdata/zonemd.example1.zone", + SRCDIRSTR "/testdata/zonemd.example1.zone", NULL, "20180302005009", "no ZONEMD present"); /* no trust anchor, so it succeeds for zone with a correct ZONEMD */ zonemd_verify_test("example.com", - "testdata/zonemd.example2.zone", + SRCDIRSTR "/testdata/zonemd.example2.zone", NULL, "20180302005009", "ZONEMD verification successful"); /* trust anchor for another zone, so it is indeterminate */ zonemd_verify_test("example.com", - "testdata/zonemd.example2.zone", + SRCDIRSTR "/testdata/zonemd.example2.zone", "example.org. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20180302005009", "ZONEMD verification successful"); @@ -361,7 +372,7 @@ static void zonemd_verify_tests(void) /* this zonefile has an incorrect ZONEMD digest, with correct * DNSSEC signature. */ zonemd_verify_test("example.com", - "testdata/zonemd.example3.zone", + SRCDIRSTR "/testdata/zonemd.example3.zone", NULL, "20180302005009", "incorrect digest"); @@ -369,7 +380,7 @@ static void zonemd_verify_tests(void) /* this zonefile has an incorrect ZONEMD digest, with correct * DNSSEC signature. */ zonemd_verify_test("example.com", - "testdata/zonemd.example4.zone", + SRCDIRSTR "/testdata/zonemd.example4.zone", NULL, "20180302005009", "incorrect digest"); 
@@ -377,91 +388,116 @@ static void zonemd_verify_tests(void) /* this zonefile has a correct ZONEMD digest and * correct DNSSEC signature */ zonemd_verify_test("example.com", - "testdata/zonemd.example5.zone", + SRCDIRSTR "/testdata/zonemd.example5.zone", NULL, "20180302005009", "ZONEMD verification successful"); /* valid zonemd, in dnssec NSEC3 zone, no trust anchor*/ zonemd_verify_test("example.com", - "testdata/zonemd.example6.zone", + SRCDIRSTR "/testdata/zonemd.example6.zone", NULL, "20180302005009", "ZONEMD verification successful"); /* load a DNSSEC signed zone with a trust anchor, valid ZONEMD */ zonemd_verify_test("example.com", - "testdata/zonemd.example5.zone", + SRCDIRSTR "/testdata/zonemd.example5.zone", "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", "ZONEMD verification successful"); /* load a DNSSEC NSEC3 signed zone with a trust anchor, valid ZONEMD */ zonemd_verify_test("example.com", - "testdata/zonemd.example6.zone", + SRCDIRSTR "/testdata/zonemd.example6.zone", "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", "ZONEMD verification successful"); /* load a DNSSEC NSEC zone without ZONEMD */ zonemd_verify_test("example.com", - "testdata/zonemd.example7.zone", + SRCDIRSTR "/testdata/zonemd.example7.zone", "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", "DNSSEC verified nonexistence of ZONEMD"); /* load a DNSSEC NSEC3 zone without ZONEMD */ zonemd_verify_test("example.com", - "testdata/zonemd.example8.zone", + SRCDIRSTR "/testdata/zonemd.example8.zone", "example.com. 
IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", "DNSSEC verified nonexistence of ZONEMD"); /* load DNSSEC zone but RRSIG on ZONEMD is wrong */ zonemd_verify_test("example.com", - "testdata/zonemd.example9.zone", + SRCDIRSTR "/testdata/zonemd.example9.zone", "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", - "DNSSEC verify failed for ZONEMD RRset: signature crypto failed"); +#ifdef HAVE_SSL + "DNSSEC verify failed for ZONEMD RRset: signature crypto failed" +#else /* HAVE_NETTLE */ + "DNSSEC verify failed for ZONEMD RRset: RSA signature verification failed" +#endif + ); /* load DNSSEC zone but RRSIG on SOA is wrong */ zonemd_verify_test("example.com", - "testdata/zonemd.example10.zone", + SRCDIRSTR "/testdata/zonemd.example10.zone", "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", - "DNSSEC verify failed for SOA RRset: signature crypto failed"); +#ifdef HAVE_SSL + "DNSSEC verify failed for SOA RRset: signature crypto failed" +#else /* HAVE_NETTLE */ + "DNSSEC verify failed for SOA RRset: RSA signature verification failed" +#endif + ); /* load DNSSEC zone without ZONEMD, but NSEC bitmap says it exists */ zonemd_verify_test("example.com", - "testdata/zonemd.example11.zone", + SRCDIRSTR "/testdata/zonemd.example11.zone", "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", "DNSSEC NSEC bitmap says type ZONEMD exists"); /* load DNSSEC zone without ZONEMD, but NSEC3 bitmap says it exists */ zonemd_verify_test("example.com", - "testdata/zonemd.example12.zone", + SRCDIRSTR "/testdata/zonemd.example12.zone", "example.com. 
IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", "DNSSEC NSEC3 bitmap says type ZONEMD exists"); /* load DNSSEC zone without ZONEMD, but RRSIG on NSEC not okay */ zonemd_verify_test("example.com", - "testdata/zonemd.example13.zone", + SRCDIRSTR "/testdata/zonemd.example13.zone", "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", - "DNSSEC verify failed for NSEC RRset: signature crypto failed"); +#ifdef HAVE_SSL + "DNSSEC verify failed for NSEC RRset: signature crypto failed" +#else /* HAVE_NETTLE */ + "DNSSEC verify failed for NSEC RRset: RSA signature verification failed" +#endif + ); /* load DNSSEC zone without ZONEMD, but RRSIG on NSEC3 not okay */ zonemd_verify_test("example.com", - "testdata/zonemd.example14.zone", + SRCDIRSTR "/testdata/zonemd.example14.zone", "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", - "DNSSEC verify failed for NSEC3 RRset: signature crypto failed"); +#ifdef HAVE_SSL + "DNSSEC verify failed for NSEC3 RRset: signature crypto failed" +#else /* HAVE_NETTLE */ + "DNSSEC verify failed for NSEC3 RRset: RSA signature verification failed" +#endif + ); /* load DNSSEC zone, with ZONEMD, but DNSKEY RRSIG is not okay. */ zonemd_verify_test("example.com", - "testdata/zonemd.example15.zone", + SRCDIRSTR "/testdata/zonemd.example15.zone", "example.com. 
IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", "20201020135527", - "verify DNSKEY RRset with trust anchor failed: signature crypto failed"); +#ifdef HAVE_SSL + "verify DNSKEY RRset with trust anchor failed: signature crypto failed" +#else /* HAVE_NETTLE */ + "verify DNSKEY RRset with trust anchor failed: RSA signature verification failed" +#endif + ); /* load DNSSEC zone, but trust anchor mismatches DNSKEY */ zonemd_verify_test("example.com", - "testdata/zonemd.example5.zone", + SRCDIRSTR "/testdata/zonemd.example5.zone", /* okay anchor is "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", */ "example.com. IN DS 55566 8 2 0000000000111111222223333444444dfcf92595148022f2c2fd98e5deee90af", @@ -470,7 +506,7 @@ static void zonemd_verify_tests(void) /* load DNSSEC zone, but trust anchor fails because the zone * has expired signatures. We set the date for it */ zonemd_verify_test("example.com", - "testdata/zonemd.example5.zone", + SRCDIRSTR "/testdata/zonemd.example5.zone", "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", /* okay date: "20201020135527", */ "20221020135527", @@ -478,14 +514,14 @@ static void zonemd_verify_tests(void) /* duplicate zonemd with same scheme and algorithm */ zonemd_verify_test("example.com", - "testdata/zonemd.example16.zone", + SRCDIRSTR "/testdata/zonemd.example16.zone", NULL, "20180302005009", "ZONEMD RRSet contains more than one RR with the same scheme and hash algorithm"); /* different capitalisation of ns name and owner names, should * be canonicalized. */ zonemd_verify_test("example.com", - "testdata/zonemd.example17.zone", + SRCDIRSTR "/testdata/zonemd.example17.zone", NULL, "20180302005009", "ZONEMD verification successful"); diff --git a/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup b/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup index 2492f47b4..ff205be19 100755 
--- a/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup +++ b/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup @@ -81,7 +81,7 @@ while test $# -ne 0; do echo " -d dir use directory to store keys and certificates." echo " default: $DESTDIR" echo "please run this command using the same user id that the " - echo "unboun daemon uses, it needs read privileges." + echo "unbound daemon uses, it needs read privileges." exit 1 ;; esac diff --git a/testdata/auth_xfr_ixfrmismatch.rpl b/testdata/auth_xfr_ixfrmismatch.rpl index b1d71b474..612bca47d 100644 --- a/testdata/auth_xfr_ixfrmismatch.rpl +++ b/testdata/auth_xfr_ixfrmismatch.rpl @@ -182,7 +182,7 @@ example.com. IN SOA ns.example.com. hostmaster.example.com. 2 3600 900 86400 360 example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600 www.example.com. IN A 1.2.3.4 mail.example.com. 3600 IN A 1.2.3.6 -; this is the delete of the nonexistant entry +; this is the delete of the nonexistent entry nonexist.example.com. 3600 IN A 1.2.3.4 example.com. IN SOA ns.example.com. hostmaster.example.com. 2 3600 900 86400 3600 EXTRA_PACKET diff --git a/testdata/auth_zonemd_anchor.rpl b/testdata/auth_zonemd_anchor.rpl index 7e4257513..c443f7d43 100644 --- a/testdata/auth_zonemd_anchor.rpl +++ b/testdata/auth_zonemd_anchor.rpl @@ -24,6 +24,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_anchor_fail.rpl b/testdata/auth_zonemd_anchor_fail.rpl index 69492d5f8..d055174dc 100644 --- a/testdata/auth_zonemd_anchor_fail.rpl +++ b/testdata/auth_zonemd_anchor_fail.rpl @@ -27,6 +27,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: 
diff --git a/testdata/auth_zonemd_chain.rpl b/testdata/auth_zonemd_chain.rpl index b693f6c35..74479274f 100644 --- a/testdata/auth_zonemd_chain.rpl +++ b/testdata/auth_zonemd_chain.rpl @@ -24,6 +24,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_chain_fail.rpl b/testdata/auth_zonemd_chain_fail.rpl index d38367b9d..393b1c028 100644 --- a/testdata/auth_zonemd_chain_fail.rpl +++ b/testdata/auth_zonemd_chain_fail.rpl @@ -24,6 +24,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_file.rpl b/testdata/auth_zonemd_file.rpl index ffccd6779..bdf0ccbae 100644 --- a/testdata/auth_zonemd_file.rpl +++ b/testdata/auth_zonemd_file.rpl @@ -21,6 +21,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_file_fail.rpl b/testdata/auth_zonemd_file_fail.rpl index 4bfa81b80..69487cf65 100644 --- a/testdata/auth_zonemd_file_fail.rpl +++ b/testdata/auth_zonemd_file_fail.rpl @@ -21,6 +21,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_file_unknown.rpl b/testdata/auth_zonemd_file_unknown.rpl new file mode 100644 index 000000000..f5c5f276e --- /dev/null +++ b/testdata/auth_zonemd_file_unknown.rpl 
@@ -0,0 +1,184 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+
+auth-zone:
+ name: "example.com."
+ ## zonefile (or none).
+ ## zonefile: "example.com.zone"
+ ## master by IP address or hostname
+ ## can list multiple masters, each on one line.
+ ## master:
+ ## url for http fetch
+ ## url:
+ ## queries from downstream clients get authoritative answers.
+ ## for-downstream: yes
+ for-downstream: no
+ ## queries are used to fetch authoritative answers from this zone,
+ ## instead of unbound itself sending queries there.
+ ## for-upstream: yes
+ for-upstream: yes
+ ## on failures with for-upstream, fallback to sending queries to
+ ## the authority servers
+ ## fallback-enabled: no
+ zonemd-check: yes
+
+ ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
+ zonefile:
+TEMPFILE_NAME example.com
+ ## this is the inline file /tmp/xxx.example.com
+ ## the tempfiles are deleted when the testrun is over.
+TEMPFILE_CONTENTS example.com
+example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
+example.com. IN NS ns.example.com.
+example.com. IN ZONEMD 200154054 1 22 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
+example.com. IN ZONEMD 200154054 21 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
+www.example.com. IN A 127.0.0.1
+ns.example.com. IN A 127.0.0.1
+bar.example.com. IN A 1.2.3.4
+ding.example.com. IN A 1.2.3.4
+foo.example.com. IN A 1.2.3.4
+TEMPFILE_END
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test authority zone with ZONEMD with unknown algo from zonefile
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.44 +ENTRY_END +RANGE_END + +; ns.example.net. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.44 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.net. IN NS +SECTION ANSWER +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +ns.example.net. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.net. IN A +SECTION ANSWER +ns.example.net. IN A 1.2.3.44 +SECTION AUTHORITY +example.net. IN NS ns.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.net. IN AAAA +SECTION AUTHORITY +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +www.example.net. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 
IN A 10.20.30.40 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 127.0.0.1 +ENTRY_END + +SCENARIO_END diff --git a/testdata/auth_zonemd_insecure.rpl b/testdata/auth_zonemd_insecure.rpl index b48992b4d..18a4117d8 100644 --- a/testdata/auth_zonemd_insecure.rpl +++ b/testdata/auth_zonemd_insecure.rpl @@ -24,6 +24,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_insecure_absent.rpl b/testdata/auth_zonemd_insecure_absent.rpl index 4706ccb0a..1c3f48808 100644 --- a/testdata/auth_zonemd_insecure_absent.rpl +++ b/testdata/auth_zonemd_insecure_absent.rpl @@ -24,6 +24,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_insecure_absent_reject.rpl b/testdata/auth_zonemd_insecure_absent_reject.rpl index 79225c936..beb9f5b9a 100644 --- a/testdata/auth_zonemd_insecure_absent_reject.rpl +++ b/testdata/auth_zonemd_insecure_absent_reject.rpl @@ -7,6 +7,7 @@ server: auth-zone: name: "example.com." + zonemd-check: yes zonemd-reject-absence: yes ## zonefile (or none). ## zonefile: "example.com.zone" diff --git a/testdata/auth_zonemd_insecure_fail.rpl b/testdata/auth_zonemd_insecure_fail.rpl index 03bbdd64c..f7aad071e 100644 --- a/testdata/auth_zonemd_insecure_fail.rpl +++ b/testdata/auth_zonemd_insecure_fail.rpl 
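Review bot: The new auth_zonemd_file_unknown.rpl never says why the zone is expected to load. Both ZONEMD records in the TEMPFILE_CONTENTS block use values outside what RFC 8976 defines (scheme 1 with hash algorithm 22, then scheme 21 with hash algorithm 2), and STEP 20 expects the zone's own `127.0.0.1` rather than the upstream `10.20.30.40`. That pins a fail-open outcome: a zone carrying only unsupported ZONEMD records is accepted while `zonemd-check: yes` is set. I would state this next to the existing `## this is the inline file` comment, e.g. `## both ZONEMD records are unsupported on purpose (unknown hash algorithm, unknown scheme); the zone must still load`. A companion scenario that also sets `zonemd-reject-absence: yes` would pin the strict-mode result too, which this page does not show.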
@@ -24,6 +24,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_nokey.rpl b/testdata/auth_zonemd_nokey.rpl index 57609337e..a89414bf6 100644 --- a/testdata/auth_zonemd_nokey.rpl +++ b/testdata/auth_zonemd_nokey.rpl @@ -24,6 +24,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_permissive_mode.rpl b/testdata/auth_zonemd_permissive_mode.rpl index 0df0a2951..4149daa92 100644 --- a/testdata/auth_zonemd_permissive_mode.rpl +++ b/testdata/auth_zonemd_permissive_mode.rpl @@ -22,6 +22,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_xfr.rpl b/testdata/auth_zonemd_xfr.rpl index 0a4d45f92..89e22cea1 100644 --- a/testdata/auth_zonemd_xfr.rpl +++ b/testdata/auth_zonemd_xfr.rpl @@ -22,6 +22,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_xfr_anchor.rpl b/testdata/auth_zonemd_xfr_anchor.rpl index 682d51b47..667de2eae 100644 --- a/testdata/auth_zonemd_xfr_anchor.rpl +++ b/testdata/auth_zonemd_xfr_anchor.rpl @@ -25,6 +25,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: 
diff --git a/testdata/auth_zonemd_xfr_anchor_fail.rpl b/testdata/auth_zonemd_xfr_anchor_fail.rpl index 2b2849546..237ed9498 100644 --- a/testdata/auth_zonemd_xfr_anchor_fail.rpl +++ b/testdata/auth_zonemd_xfr_anchor_fail.rpl @@ -25,6 +25,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_xfr_chain.rpl b/testdata/auth_zonemd_xfr_chain.rpl index 9d1fdcf68..4deb99bcb 100644 --- a/testdata/auth_zonemd_xfr_chain.rpl +++ b/testdata/auth_zonemd_xfr_chain.rpl @@ -25,6 +25,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_xfr_chain_fail.rpl b/testdata/auth_zonemd_xfr_chain_fail.rpl index 8b3ad74f0..3e09c9e8e 100644 --- a/testdata/auth_zonemd_xfr_chain_fail.rpl +++ b/testdata/auth_zonemd_xfr_chain_fail.rpl @@ -25,6 +25,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/auth_zonemd_xfr_chain_keyinxfr.rpl b/testdata/auth_zonemd_xfr_chain_keyinxfr.rpl new file mode 100644 index 000000000..2feec88c0 --- /dev/null +++ b/testdata/auth_zonemd_xfr_chain_keyinxfr.rpl 
@@ -0,0 +1,315 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c" + trust-anchor-signaling: no + val-override-date: 20201020135527 + +auth-zone: + name: "example.com." + ## zonefile (or none). + ## zonefile: "example.com.zone" + ## master by IP address or hostname + ## can list multiple masters, each on one line. + ## master: + master: 1.2.3.44 + ## url for http fetch + ## url: + ## queries from downstream clients get authoritative answers. + ## for-downstream: yes + + ## The for-downstream and fallback are disabled, the key cannot be + ## retrieved by DNS lookup, it is in the xfr itself. + ## only after the zone is loaded can it be looked up. + for-downstream: no + ## queries are used to fetch authoritative answers from this zone, + ## instead of unbound itself sending queries there. + ## for-upstream: yes + for-upstream: yes + ## on failures with for-upstream, fallback to sending queries to + ## the authority servers + ## fallback-enabled: no + fallback-enabled: no + zonemd-check: yes + + ## this line generates zonefile: \n"/tmp/xxx.example.com"\n + zonefile: +TEMPFILE_NAME example.com + ## this is the inline file /tmp/xxx.example.com + ## the tempfiles are deleted when the testrun is over. +TEMPFILE_CONTENTS example.com +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test authority zone with AXFR with ZONEMD with key in xfr + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. 
+SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.com. IN DS +SECTION ANSWER +example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af +example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af +example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk= +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +com. IN DNSKEY +SECTION ANSWER +com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b} +com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. 
BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo= +SECTION ADDITIONAL +ENTRY_END +RANGE_END + +; ns.example.net. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.44 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.net. IN NS +SECTION ANSWER +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +ns.example.net. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.net. IN A +SECTION ANSWER +ns.example.net. IN A 1.2.3.44 +SECTION AUTHORITY +example.net. IN NS ns.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.net. IN AAAA +SECTION AUTHORITY +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +www.example.net. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN SOA +SECTION ANSWER +; serial, refresh, retry, expire, minimum +example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.com. IN AXFR +SECTION ANSWER +example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600 +example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. 
gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM= +example.com. 3600 IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg= +example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b} +example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA= +example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f +example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y= +example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63 +example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo= +bar.example.com. 3600 IN A 1.2.3.4 +bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. 
NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds= +bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC +bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0= +ding.example.com. 3600 IN A 1.2.3.4 +ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko= +ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC +ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU= +foo.example.com. 3600 IN A 1.2.3.4 +foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA= +foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC +foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s= +ns.example.com. 3600 IN A 127.0.0.1 +ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. 
SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg= +ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC +ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A= +www.example.com. 3600 IN A 127.0.0.1 +www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ= +www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC +www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI= +example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +ENTRY_END + +STEP 30 TIME_PASSES ELAPSE 10 +STEP 40 TRAFFIC + +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 60 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 127.0.0.1 +ENTRY_END + +; the zonefile was updated with new contents +STEP 70 CHECK_TEMPFILE example.com +FILE_BEGIN +example.com. 3600 IN SOA ns.example.com. 
hostmaster.example.com. 200154054 28800 7200 604800 3600 +example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM= +example.com. 3600 IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg= +example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY ZONEMD +example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo= +example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566} +example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA= +example.com. 3600 IN ZONEMD 200154054 1 2 58F7620F93204BBB31B44F795B3409CC4ABD9EF5601DECC15675BD7751213152984EDDCE0626E6062E744B03B3E47711202FBB79E4A2EB8BC5CF46741B5CAE6F +example.com. 3600 IN RRSIG ZONEMD 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y= +bar.example.com. 3600 IN A 1.2.3.4 +bar.example.com. 
3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds= +bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC +bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0= +ding.example.com. 3600 IN A 1.2.3.4 +ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko= +ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC +ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU= +foo.example.com. 3600 IN A 1.2.3.4 +foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA= +foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC +foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s= +ns.example.com. 3600 IN A 127.0.0.1 +ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. 
SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg= +ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC +ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A= +www.example.com. 3600 IN A 127.0.0.1 +www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ= +www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC +www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI= +FILE_END + +SCENARIO_END diff --git a/testdata/auth_zonemd_xfr_fail.rpl b/testdata/auth_zonemd_xfr_fail.rpl index 9fdf70889..f54ca7e08 100644 --- a/testdata/auth_zonemd_xfr_fail.rpl +++ b/testdata/auth_zonemd_xfr_fail.rpl @@ -22,6 +22,7 @@ auth-zone: ## on failures with for-upstream, fallback to sending queries to ## the authority servers ## fallback-enabled: no + zonemd-check: yes ## this line generates zonefile: \n"/tmp/xxx.example.com"\n zonefile: diff --git a/testdata/edns_attached_once_per_upstream.rpl b/testdata/edns_attached_once_per_upstream.rpl new file mode 100644 index 000000000..19f1ba75d --- /dev/null +++ b/testdata/edns_attached_once_per_upstream.rpl 
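Review bot: STEP 20 in auth_zonemd_xfr_chain_keyinxfr.rpl expects SERVFAIL, but its only comment is the copied `; recursion happens here.`, so a reader cannot tell whether the failure is intended. From the config it looks deliberate: the inline zonefile is empty, `fallback-enabled: no` is set, and the transfer from `master: 1.2.3.44` has presumably not finished. A comment such as `; zone not transferred yet and fallback is disabled, so this query must fail` would make that explicit. The scenario covers only the case where the DNSKEY delivered in the AXFR chains to the `com.` trust anchor through the DS. A variant whose in-transfer DNSKEY does not match that DS would pin that a key shipped inside the transfer is never trusted without the DS check; auth_zonemd_xfr_chain_fail.rpl may already cover this, but its body is not visible here.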
@@ -0,0 +1,90 @@
+; config options
+server:
+ edns-client-string: 10.0.0.0/24 "abc d"
+ outbound-msg-retry: 1
+
+stub-zone:
+ name: "edns-string-abc."
+ stub-addr: 10.0.0.3
+ stub-first: yes
+
+forward-zone:
+ name: "."
+ forward-addr: 10.0.0.1
+
+CONFIG_END
+
+SCENARIO_BEGIN Test that upstream specific EDNS is attached once; uses string tag option
+
+RANGE_BEGIN 0 1000
+ ADDRESS 10.0.0.3
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR SERVFAIL
+SECTION QUESTION
+edns-string-abc. IN A
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 1000
+ ADDRESS 10.0.0.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+edns-string-abc. IN A
+SECTION ANSWER
+edns-string-abc. IN A 10.20.30.40
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+edns-string-abc. IN A
+ENTRY_END
+
+; This will receive SERVFAIL and the next address will be queried
+STEP 20 CHECK_OUT_QUERY ADDRESS 10.0.0.3
+ENTRY_BEGIN
+MATCH qname qtype opcode ednsdata
+SECTION QUESTION
+edns-string-abc. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ fd e9 ; Opcode 65001
+ 00 05 ; Length 5
+ 61 62 63 20 64 ; "abc d"
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; This will receive the answer; makes sure that EDNS is attached once
+STEP 22 CHECK_OUT_QUERY ADDRESS 10.0.0.1
+ENTRY_BEGIN
+MATCH qname qtype opcode ednsdata
+SECTION QUESTION
+edns-string-abc. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ fd e9 ; Opcode 65001
+ 00 05 ; Length 5
+ 61 62 63 20 64 ; "abc d"
+ HEX_EDNSDATA_END
+ENTRY_END
+
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+edns-string-abc. IN A
+SECTION ANSWER
+edns-string-abc. IN A 10.20.30.40
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/fwd.rpl b/testdata/fwd.rpl
index 53b6f9ad1..f94340856 100644
--- a/testdata/fwd.rpl
+++ b/testdata/fwd.rpl
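Review bot: The `fd e9 ; Opcode 65001` comments in both HEX_EDNSDATA blocks of edns_attached_once_per_upstream.rpl mislabel the field. `fd e9` is the EDNS option code, not the DNS opcode that `MATCH qname qtype opcode ednsdata` two lines earlier refers to, so `fd e9 ; Option code 65001` is the accurate wording. Separately, the "attached once" claim at STEP 22 holds only if `ednsdata` matching compares the complete option list. If the matcher merely checks that the expected bytes are present, a duplicated option would still pass; the matcher is not part of this hunk, so that needs confirming there.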
@@ -28,7 +28,7 @@ REPLY RD SECTION QUESTION www.example.com. IN A ENTRY_END -; unneccesary nothing steps. +; unnecessary nothing steps. STEP 2 NOTHING STEP 3 NOTHING STEP 4 CHECK_ANSWER diff --git a/testdata/fwd_any.rpl b/testdata/fwd_any.rpl index 4284ee79e..0fa827db6 100644 --- a/testdata/fwd_any.rpl +++ b/testdata/fwd_any.rpl @@ -59,7 +59,7 @@ REPLY RD SECTION QUESTION www.example.com. IN A ENTRY_END -; unneccesary nothing steps. +; unnecessary nothing steps. STEP 20 NOTHING STEP 30 CHECK_ANSWER ENTRY_BEGIN diff --git a/testdata/fwd_error.rpl b/testdata/fwd_error.rpl index 238b1f58d..2421027a3 100644 --- a/testdata/fwd_error.rpl +++ b/testdata/fwd_error.rpl @@ -9,7 +9,7 @@ SECTION QUESTION www.example.com. IN A ENTRY_END ; But the pending query fails due to error (say TCP failure or malloc or ...) -; This is iterator/iterator.h OUTBOUND_MSG_RETRY number of errors. +; This is util/config_file.c outbound-msg-retry number of errors. STEP 2 ERROR STEP 3 ERROR STEP 4 ERROR diff --git a/testdata/fwd_error_retries.rpl b/testdata/fwd_error_retries.rpl new file mode 100644 index 000000000..b63086c0f --- /dev/null +++ b/testdata/fwd_error_retries.rpl @@ -0,0 +1,27 @@ +; config options +server: + outbound-msg-retry: 1 + +forward-zone: + name: "." + forward-addr: 216.0.0.1 +CONFIG_END +SCENARIO_BEGIN Test basic forwarding with servfail and retry of 1 +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END +; query fails with servfail, now we make only outgoing-msg-retry=1 retries +STEP 2 ERROR +; returns servfail +STEP 14 CHECK_ANSWER +ENTRY_BEGIN +MATCH opcode qname qtype +SECTION QUESTION +REPLY SERVFAIL QR RD RA +MATCH all +www.example.com. IN A +ENTRY_END +SCENARIO_END diff --git a/testdata/fwd_timeout.rpl b/testdata/fwd_timeout.rpl index 1bb934dff..e4a711099 100644 --- a/testdata/fwd_timeout.rpl +++ b/testdata/fwd_timeout.rpl 
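Review bot: The comment in the new fwd_error_retries.rpl names an option that is not the one under test: `; query fails with servfail, now we make only outgoing-msg-retry=1 retries` should say `outbound-msg-retry`, the name set in the config block at the top of the same file. The step it describes is also `STEP 2 ERROR`, not a SERVFAIL reply, so `; query fails with an error; with outbound-msg-retry: 1 there is only one attempt` would match what the scenario does. In the STEP 14 entry, `MATCH opcode qname qtype` is followed by a second `MATCH all`, and the `REPLY` line sits after `SECTION QUESTION`. Keeping a single `MATCH all` and placing `REPLY SERVFAIL QR RD RA` before `SECTION QUESTION` would follow the layout of the other scenarios on this page; how the parser treats the repeated MATCH is not visible here.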
@@ -9,7 +9,7 @@ SECTION QUESTION www.example.com. IN A ENTRY_END ; But the pending query times out! -; OUTBOUND_MSG_RETRY times timeout. +; outbound-msg-retry times timeout. STEP 2 TIMEOUT STEP 3 TIMEOUT STEP 4 TIMEOUT diff --git a/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.conf b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.conf new file mode 100644 index 000000000..6daf2eeec --- /dev/null +++ b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.conf @@ -0,0 +1,20 @@ +server: + verbosity: 5 + # num-threads: 1 + interface: 127.0.0.1 + port: @PORT@ + use-syslog: no + directory: "" + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no +forward-zone: + name: "tcp.example.com" + forward-addr: "127.0.0.1@@TOPORT@" + forward-tcp-upstream: "yes" +forward-zone: + name: "udp.example.com" + forward-addr: "127.0.0.1@@TOPORT@" + forward-tcp-upstream: "no" + diff --git a/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.dsc b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.dsc new file mode 100644 index 000000000..5b1f0d3d1 --- /dev/null +++ b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.dsc @@ -0,0 +1,16 @@ +BaseName: fwd_udp_with_tcp_upstream +Version: 1.0 +Description: Forward an UDP packet to upstream via TCP and return reply. +CreationDate: Thu Aug 5 07:44:41 CEST 2021 +Maintainer: ziollek +Category: +Component: +CmdDepends: +Depends: +Help: +Pre: fwd_udp_with_tcp_upstream.pre +Post: fwd_udp_with_tcp_upstream.post +Test: fwd_udp_with_tcp_upstream.test +AuxFiles: +Passed: +Failure: diff --git a/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.post b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.post new file mode 100644 index 000000000..0013eca71 --- /dev/null +++ b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.post 
@@ -0,0 +1,10 @@
+# #-- fwd_udp_with_tcp_upstream.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.pre b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.pre
new file mode 100644
index 000000000..546787a5f
--- /dev/null
+++ b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.pre
@@ -0,0 +1,31 @@
+# #-- fwd_udp_with_tcp_upstream.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_udp_with_tcp_upstream.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_udp_with_tcp_upstream.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.test b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.test
new file mode 100644
index 000000000..fad6497be
--- /dev/null
+++ b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.test
@@ -0,0 +1,35 @@ +# #-- fwd_udp_with_tcp_upstream.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +# do the test +echo "> dig tcp.example.com." +dig @localhost -p $UNBOUND_PORT tcp.example.com. | tee outfile +echo "> cat logfiles" +cat fwd.log +cat unbound.log +echo "> check answer" +if grep "10.20.30.40" outfile; then + echo "OK" +else + echo "Not OK" + exit 1 +fi + +echo "> dig udp.example.com." +dig @localhost -p $UNBOUND_PORT udp.example.com. | tee outfile +echo "> cat logfiles" +cat fwd.log +cat unbound.log +echo "> check answer" +if grep "10.20.30.80" outfile; then + echo "OK" +else + echo "Not OK" + exit 1 +fi + +exit 0 diff --git a/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.testns b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.testns new file mode 100644 index 000000000..04089af0e --- /dev/null +++ b/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.testns @@ -0,0 +1,25 @@ +; nameserver test file +$ORIGIN example.com. +$TTL 3600 + +ENTRY_BEGIN +MATCH opcode qtype qname +MATCH TCP +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +tcp IN A +SECTION ANSWER +tcp IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +MATCH UDP +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +udp IN A +SECTION ANSWER +udp IN A 10.20.30.80 +ENTRY_END diff --git a/testdata/fwd_zero.tdir/fwd_zero.test b/testdata/fwd_zero.tdir/fwd_zero.test index 87a2dec9c..2e0806d6f 100644 --- a/testdata/fwd_zero.tdir/fwd_zero.test +++ b/testdata/fwd_zero.tdir/fwd_zero.test @@ -7,7 +7,7 @@ PRE="../.." OPT="-i" -if nc -h 2>&1 | grep -- "-w secs" >/dev/null; then +if nc -h 2>&1 | grep -E -- "-w (timeout|secs)" >/dev/null; then OPT="-w" fi 
diff --git a/testdata/http_user_agent.tdir/127.0.0.1/example.com.zone b/testdata/http_user_agent.tdir/127.0.0.1/example.com.zone
new file mode 100644
index 000000000..695eb1c32
--- /dev/null
+++ b/testdata/http_user_agent.tdir/127.0.0.1/example.com.zone
@@ -0,0 +1,3 @@
+example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
+example.com. IN NS ns.example.net.
+www.example.com. IN A 1.2.3.4
diff --git a/testdata/http_user_agent.tdir/http_user_agent.conf b/testdata/http_user_agent.tdir/http_user_agent.conf
new file mode 100644
index 000000000..c563416ae
--- /dev/null
+++ b/testdata/http_user_agent.tdir/http_user_agent.conf
@@ -0,0 +1,24 @@
+auth-zone:
+ name: "example.com"
+ for-upstream: yes
+ for-downstream: yes
+ url: "https://127.0.0.1:@TOPORT@/example.com.zone"
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
+server:
+ verbosity: 7
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ use-caps-for-id: yes
diff --git a/testdata/http_user_agent.tdir/http_user_agent.dsc b/testdata/http_user_agent.tdir/http_user_agent.dsc
new file mode 100644
index 000000000..6b24c43fc
--- /dev/null
+++ b/testdata/http_user_agent.tdir/http_user_agent.dsc
@@ -0,0 +1,16 @@
+BaseName: http_user_agent
+Version: 1.0
+Description: Check the http-user-agent configuration
+CreationDate: Wed 2 Jun 13:59:26 CEST 2021
+Maintainer:
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: http_user_agent.pre
+Post: http_user_agent.post
+Test: http_user_agent.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/http_user_agent.tdir/http_user_agent.post b/testdata/http_user_agent.tdir/http_user_agent.post
new file mode 100644
index 000000000..797ff57c8
--- /dev/null
+++ b/testdata/http_user_agent.tdir/http_user_agent.post
@@ -0,0 +1,11 @@
+# #-- http_user_agent.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+. ../common.sh
+kill_pid $UNBOUND_PID
+kill_pid $PETAL_PID
diff --git a/testdata/http_user_agent.tdir/http_user_agent.pre b/testdata/http_user_agent.tdir/http_user_agent.pre
new file mode 100644
index 000000000..e94bd536e
--- /dev/null
+++ b/testdata/http_user_agent.tdir/http_user_agent.pre
@@ -0,0 +1,37 @@
+# #-- http_user_agent.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+PETAL_PORT=$(($RND_PORT + 1))
+CONTROL_PORT=$(($RND_PORT + 3))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "PETAL_PORT=$PETAL_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+
+get_make
+(cd $PRE; $MAKE petal)
+
+# start https daemon
+# More verbosity because we need to see the HTTP headers
+$PRE/petal -vv -a "127.0.0.1" -p $PETAL_PORT >petal.log 2>&1 &
+PETAL_PID=$!
+echo "PETAL_PID=$PETAL_PID" >> .tpkg.var.test
+cat .tpkg.var.test
+wait_petal_up petal.log
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$PETAL_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/'< http_user_agent.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_unbound_up unbound.log
+
diff --git a/testdata/http_user_agent.tdir/http_user_agent.test b/testdata/http_user_agent.tdir/http_user_agent.test
new file mode 100644
index 000000000..dce2d476c
--- /dev/null
+++ b/testdata/http_user_agent.tdir/http_user_agent.test
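Review bot: `CONTROL_PORT=$(($RND_PORT + 3))` in http_user_agent.pre skips `$RND_PORT + 2` and lands one past the block asked for with `get_random_port 3`, assuming that helper (defined in ../common.sh, not visible here) reserves three consecutive ports starting at `$RND_PORT`. The remote-control listener would then sit on a port this test never reserved, so it could collide with another test running in parallel and make the later `unbound-control` calls fail intermittently. The fwd_udp_with_tcp_upstream and ipset setup scripts in this commit use offsets 0 and 1 for a request of 2, so the matching line here would be `CONTROL_PORT=$(($RND_PORT + 2))`.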
@@ -0,0 +1,103 @@
+# #-- http_user_agent.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+# Query and check check that we get the correct answer from the auth_zone
+query () {
+ echo "> dig www.example.com."
+ dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+ if grep SERVFAIL outfile; then
+ echo "> try again"
+ dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+ fi
+ if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+ fi
+ if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+ fi
+ if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+ fi
+ if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 10
+ dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+ fi
+ if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 10
+ dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+ fi
+ echo "> check answer"
+ if grep "1.2.3.4" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ exit 1
+ fi
+}
+
+# Reload the configuration and retransfer the zone
+reload_and_retransfer () {
+ echo "> Reloading Unbound"
+ echo "$PRE/unbound-control -c ub.conf reload"
+ $PRE/unbound-control -c ub.conf reload
+ if test $? -ne 0; then
+ echo "wrong exit value from unbound-control"
+ exit 1
+ fi
+ echo "> Refetching example.com"
+ echo "$PRE/unbound-control -c ub.conf auth_zone_transfer example.com"
+ $PRE/unbound-control -c ub.conf auth_zone_transfer example.com
+ if test $? -ne 0; then
+ echo "wrong exit value from unbound-control"
+ exit 1
+ fi
+}
+
+# do the test
+query
+# add custom http-user-agent
+echo "server: http-user-agent: customUA" >> ub.conf
+reload_and_retransfer
+query
+# hide http-user-agent
+echo "server: hide-http-user-agent: yes" >> ub.conf
+reload_and_retransfer
+query
+
+echo "> cat logfiles"
+cat petal.log
+cat unbound.log
+
+# check petal.log for the correct number of occurrences.
+# It should be 2 User-Agents, one being the custom.
+echo "> check User-Agent occurrences"
+occurrences=`grep "User-Agent:" petal.log | wc -l`
+echo $occurrences
+if test $occurrences -eq 2; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+echo "> check custom User-Agent"
+if grep "User-Agent: customUA" petal.log; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+exit 0
diff --git a/testdata/http_user_agent.tdir/petal.key b/testdata/http_user_agent.tdir/petal.key
new file mode 100644
index 000000000..6614e498f
--- /dev/null
+++ b/testdata/http_user_agent.tdir/petal.key
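Review bot: The `query` function in http_user_agent.test spells out its SERVFAIL retry as six near-identical `if grep SERVFAIL outfile` blocks that differ only in the sleep before the next `dig`. The back-off schedule (none, 1s three times, 10s twice) is therefore only visible by reading all six, and a change to the dig command has to be made seven times. A single loop over the delays keeps the same schedule and the same output. The sketch below leaves the final answer check as it is.

```shell
query () {
	echo "> dig www.example.com."
	dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
	# same schedule as the six copies: no wait, 1s three times, 10s twice
	for delay in 0 1 1 1 10 10; do
		grep SERVFAIL outfile || break
		echo "> try again"
		sleep $delay
		dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
	done
	# … unchanged: "check answer" grep for 1.2.3.4 …
}
```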
@@ -0,0 +1,21 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIDfQIBAAKBwQC1xQ/Kca6zszZbcCtdOTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJ +RuN+Rm304SonpwghfP2/ULZNnuDgpG03/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1 +QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ867K029ypjOQtAJ85qdO3mERy7TGtdUcu +O6hLeVet419YeQ2F8cfNxn63d7bOzNGLPW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeU +J/i4YDWexFYSL+ECAwEAAQKBwCLXXQl+9O+5AEhSnd1Go1Jh0pSA7eBJOuXQcebG +Rb7ykp+6C4G2NtDziwwPRNdI6wQQQ0sym18RfyVQHydGr78/nbiIbB3HCn5e92Mh +mefzW6ow9Kvm2txLzGKA1lvoyRbNm81jnG/eygi3u7Nqd5PNv+4dHj2RkTlmxOeh +qnDMVP5md8uZPv6lYNnrnIzvLCR5vnPNdVwn89AqzI85IcDZdy0R9ZX4NBbsDgAU +6ig6uXuRXvSGiyJ/OUXSrnogaQJhAOjvkHUhVZQkPOxO90TNH4j0GdKKtbSWxIdz +lKfuJeBAEqs0TL+C6vbS81Xw3W1alyDdUBk3rJMOBqW6Ryq5HNL+j5H+Jfsh7fvc +Yle+5wHGci0P9zCFZCrY8It7n9XFIwJhAMfEi6oJa2G8waPJ1bQhxka82Tf9pnKM +XCn/1BBOFjVIx5F842cpA+zp5a62GENTGYPQTTRBB/2/ZwnW5aIkrlg54AtmbqBZ +Oh+2kJdJQD/tfoVmc5soUE2ScTHadK5RKwJhAN4w9kjkXS+MSZjX0kIMsBIBVkhh +C+aREjJqa9ir7/Ey7RvmLXdYuCxtGLRXp7/R8+rjcK49Tx6O+IRJZe042mfhbq3C +EhS1Tr86f4xXix9EXlDhs9bSxrOgcAN9Dv/opQJhAK7eBcPaav0rVfYh/8emqQHS +3fJ9Pu6WnzbEksWTFS2ff9KDGCx9YspIFJ5TF/oXDAaumGZdZrlgirm6O1kr8tGY +F97i04PZl1+bWAaWQH+1TUNI43m2WFUPE7coG2tb8QJgcddDg9VlXliZqgcETZfJ +kJmYETxrcSn3ao6v116N8yxhEgUgjkmsCTiFgx36iDVnXwK6PIt+sIu8MC7eYNa3 +berrv/M21K0LRn20IWRxvUobG070weHCAgkko7fTWgr2 +-----END RSA PRIVATE KEY----- diff --git a/testdata/http_user_agent.tdir/petal.pem b/testdata/http_user_agent.tdir/petal.pem new file mode 100644 index 000000000..19c8b895b --- /dev/null +++ b/testdata/http_user_agent.tdir/petal.pem 
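Review bot: The new petal.key, and likewise unbound_control.key and unbound_server.key later in this commit, check unencrypted RSA private keys into the tree, and nothing in the test directory says they are throwaway fixtures. Once committed they are public, so the matching certificates must never be trusted outside this test, and anyone copying the directory as a template needs to be told that. The `Help:` field added empty in http_user_agent.dsc would be a natural place, assuming it takes free text, for example `Help: keys and certificates in this directory are public test fixtures; never deploy them`.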
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICFzCCAUACCQDO660L5y5LGDANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQDEwVw +ZXRhbDAeFw0xMDA5MzAxMzQzMDFaFw0zMDA2MTcxMzQzMDFaMBAxDjAMBgNVBAMT +BXBldGFsMIHfMA0GCSqGSIb3DQEBAQUAA4HNADCByQKBwQC1xQ/Kca6zszZbcCtd +OTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJRuN+Rm304SonpwghfP2/ULZNnuDgpG03 +/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ8 +67K029ypjOQtAJ85qdO3mERy7TGtdUcuO6hLeVet419YeQ2F8cfNxn63d7bOzNGL +PW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeUJ/i4YDWexFYSL+ECAwEAATANBgkqhkiG +9w0BAQUFAAOBwQBBkX9KDP2RXbg+xPmdJ4P6CwvA5x1LZwC++ydVx4NlvT0pWicD +ZUnXjcWAJlkeOuUBAqFG7WHTrXpUUAjmdqFVq2yFjteUYBdrFz0RDB2jM9feeKYO +mTgxdZyT9a6humxCxt5VfgT02axLjm/2AqCyFPMbf4PASoJDln01AEuZLZ8Xl2gV +bYHMnHTGoD1Hu6FNEzRgkMC6XT8X3YjHvzQhpc/qL5wEfEsinQGdX4twsuWbf8xd +q7miNnkO8vd0maw= +-----END CERTIFICATE----- diff --git a/testdata/http_user_agent.tdir/unbound_control.key b/testdata/http_user_agent.tdir/unbound_control.key new file mode 100644 index 000000000..753a4ef61 --- /dev/null +++ b/testdata/http_user_agent.tdir/unbound_control.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA +1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ +F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR +ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm +vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb +IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL +cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr +lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov +15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf +LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+ +Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57 +YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9 +whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c +lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax +tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ +U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9 +Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc +Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3 +ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+ +1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN +b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz +ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C +TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF +tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y +aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0 +A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU +LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U +R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy +7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj 
+7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw +jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1 +BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar +kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR +qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3 +VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9 +MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa +C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g= +-----END RSA PRIVATE KEY----- diff --git a/testdata/http_user_agent.tdir/unbound_control.pem b/testdata/http_user_agent.tdir/unbound_control.pem new file mode 100644 index 000000000..a1edf7017 --- /dev/null +++ b/testdata/http_user_agent.tdir/unbound_control.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw +WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA +A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv +OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj +1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl +NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht +A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/ +Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB +TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/ +nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My ++i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj +4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83 +hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU +9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn +ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ +pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD +72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ +muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP +uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte +-----END CERTIFICATE----- diff --git a/testdata/http_user_agent.tdir/unbound_server.key b/testdata/http_user_agent.tdir/unbound_server.key new file mode 100644 index 000000000..370a7bbb2 --- /dev/null +++ b/testdata/http_user_agent.tdir/unbound_server.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI +0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq +GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z +uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K +WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5 +FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP +q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL +A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP +7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf +XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6 +iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7 +2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo +MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj +WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz +O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI +IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN +qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU +dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs +bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr +YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km +7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr +gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z +5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG +ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN +oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+ +s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW +zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx +ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1 +oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3 
+BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS +mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8 +kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93 +7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8 +RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O +jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp +O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre +MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A== +-----END RSA PRIVATE KEY----- diff --git a/testdata/http_user_agent.tdir/unbound_server.pem b/testdata/http_user_agent.tdir/unbound_server.pem new file mode 100644 index 000000000..986807310 --- /dev/null +++ b/testdata/http_user_agent.tdir/unbound_server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5 +WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB +igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32 +a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2 +4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot +aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4 +TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ +uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4 ++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz +XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx +dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW +84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7 +JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca +fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg +XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF +qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25 +sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD +yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe +CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ== +-----END CERTIFICATE----- diff --git a/testdata/ipset.tdir/ipset.conf b/testdata/ipset.tdir/ipset.conf new file mode 100644 index 000000000..7cc34912d --- /dev/null +++ b/testdata/ipset.tdir/ipset.conf 
@@ -0,0 +1,23 @@
+server:
+ verbosity: 3
+ num-threads: 1
+ module-config: "ipset iterator"
+ outgoing-range: 16
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ local-zone: "example.net." ipset
+stub-zone:
+ name: "example.net."
+ stub-addr: "127.0.0.1@@TOPORT@"
+stub-zone:
+ name: "example.com."
+ stub-addr: "127.0.0.1@@TOPORT@"
+ipset:
+ name-v4: atotallymadeupnamefor4
+ name-v6: atotallymadeupnamefor6
diff --git a/testdata/ipset.tdir/ipset.dsc b/testdata/ipset.tdir/ipset.dsc
new file mode 100644
index 000000000..b7792b7e0
--- /dev/null
+++ b/testdata/ipset.tdir/ipset.dsc
@@ -0,0 +1,16 @@
+BaseName: ipset
+Version: 1.0
+Description: mock test ipset module
+CreationDate: Wed Mar 2 13:00:38 CET 2022
+Maintainer: George Thessalonikefs
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: ipset.pre
+Post: ipset.post
+Test: ipset.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/ipset.tdir/ipset.post b/testdata/ipset.tdir/ipset.post
new file mode 100644
index 000000000..7af512a4d
--- /dev/null
+++ b/testdata/ipset.tdir/ipset.post
@@ -0,0 +1,14 @@
+# #-- ipset.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+PRE="../.."
+if grep "define USE_IPSET 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+cat unbound.log
+exit 0
diff --git a/testdata/ipset.tdir/ipset.pre b/testdata/ipset.tdir/ipset.pre
new file mode 100644
index 000000000..ee1aedc70
--- /dev/null
+++ b/testdata/ipset.tdir/ipset.pre
@@ -0,0 +1,33 @@
+# #-- ipset.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+
+PRE="../.."
+if grep "define USE_IPSET 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT ipset.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < ipset.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
diff --git a/testdata/ipset.tdir/ipset.test b/testdata/ipset.tdir/ipset.test
new file mode 100644
index 000000000..9150e5e3f
--- /dev/null
+++ b/testdata/ipset.tdir/ipset.test
@@ -0,0 +1,155 @@ +# #-- ipset.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +. ../common.sh +PRE="../.." +if grep "define USE_IPSET 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi + +# Make all the queries. They need to succeed by the way. +echo "> dig www.example.net." +dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile +echo "> check answer" +if grep "1.1.1.1" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add 1.1.1.1 to atotallymadeupnamefor4 for www.example.net." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> dig www.example.net. AAAA" +dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. AAAA | tee outfile +echo "> check answer" +if grep "::1" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add ::1 to atotallymadeupnamefor6 for www.example.net." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> dig cname.example.net." +dig @127.0.0.1 -p $UNBOUND_PORT cname.example.net. | tee outfile +echo "> check answer" +if grep "2.2.2.2" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add 2.2.2.2 to atotallymadeupnamefor4 for target.example.net." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> dig cname.example.net. AAAA" +dig @127.0.0.1 -p $UNBOUND_PORT cname.example.net. 
AAAA | tee outfile +echo "> check answer" +if grep "::2" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add ::2 to atotallymadeupnamefor6 for target.example.net." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> dig outsidecname.example.net." +dig @127.0.0.1 -p $UNBOUND_PORT outsidecname.example.net. | tee outfile +echo "> check answer" +if grep "3.3.3.3" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add 3.3.3.3 to atotallymadeupnamefor4 for target.example.com." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> dig outsidecname.example.net. AAAA" +dig @127.0.0.1 -p $UNBOUND_PORT outsidecname.example.net. AAAA | tee outfile +echo "> check answer" +if grep "::3" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add ::3 to atotallymadeupnamefor6 for target.example.com." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> cat logfiles" +cat tap.log +cat tap.errlog +cat fwd.log +echo "> OK" +exit 0 diff --git a/testdata/ipset.tdir/ipset.testns b/testdata/ipset.tdir/ipset.testns new file mode 100644 index 000000000..2b626e915 --- /dev/null +++ b/testdata/ipset.tdir/ipset.testns 
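Review bot: The closing `> cat logfiles` block of ipset.test prints `tap.log` and `tap.errlog`, but nothing in ipset.pre or in this script creates those files; the setup only writes `fwd.log` and `unbound.log`. The two names look carried over from another test. On a passing run the two `cat` calls only add missing-file errors to the output, and the Unbound log that holds the `ipset: add …` lines the test greps for is not shown at that point. I would replace the two lines with `cat unbound.log`, keeping the existing `cat fwd.log`.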
@@ -0,0 +1,103 @@ +; nameserver test file +$ORIGIN example.net. +$TTL 3600 + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +www IN A +SECTION ANSWER +www IN A 1.1.1.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +www IN AAAA +SECTION ANSWER +www IN AAAA ::1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +cname IN A +SECTION ANSWER +cname IN CNAME target.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +cname IN AAAA +SECTION ANSWER +cname IN CNAME target.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +outsidecname IN A +SECTION ANSWER +outsidecname IN CNAME target.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +outsidecname IN AAAA +SECTION ANSWER +outsidecname IN CNAME target.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +target IN A +SECTION ANSWER +target IN A 2.2.2.2 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +target IN AAAA +SECTION ANSWER +target IN AAAA ::2 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +target.example.com. IN A +SECTION ANSWER +target.example.com. IN A 3.3.3.3 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +target.example.com. IN AAAA +SECTION ANSWER +target.example.com. IN AAAA ::3 +ENTRY_END diff --git a/testdata/iter_cname_minimise.rpl b/testdata/iter_cname_minimise.rpl new file mode 100644 index 000000000..b61c3e344 --- /dev/null +++ b/testdata/iter_cname_minimise.rpl 
@@ -0,0 +1,179 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: yes + module-config: "iterator" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test cname chain resolution with qname minimisation. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.44 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.44 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.44 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. 
IN AAAA +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +www.example.com. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 300 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.example.com. IN A +SECTION ANSWER +c.example.com. 10 IN CNAME www.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.example.com. IN CNAME +SECTION ANSWER +c.example.com. 10 IN CNAME www.example.com. +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.example.com. IN CNAME +ENTRY_END + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.example.com. IN CNAME +SECTION ANSWER +c.example.com. 10 IN CNAME www.example.com. +ENTRY_END + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.example.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.example.com. IN A +SECTION ANSWER +c.example.com. 10 IN CNAME www.example.com. +www.example.com. 300 IN A 10.20.30.40 +ENTRY_END + +SCENARIO_END diff --git a/testdata/iter_dp_ip6useless.rpl b/testdata/iter_dp_ip6useless.rpl new file mode 100644 index 000000000..9a7746e11 --- /dev/null +++ b/testdata/iter_dp_ip6useless.rpl 
@@ -0,0 +1,168 @@ +; config options +server: + do-ip6: no + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test iterator when doip6 is no and dp is useless with only ip6 + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +; short TTL here, so it can expire +ns.example.com. 1 IN A 1.2.3.4 +ns.example.com. 100 IN AAAA ::53 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +; short TTL here, so it can expire +ns.example.com. 1 IN A 1.2.3.4 +ns.example.com. 100 IN AAAA ::53 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +; short TTL +ns.example.com. 
1 IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION ANSWER +ns.example.com. IN AAAA ::53 +ENTRY_END + + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +mail.example.com. IN A +SECTION ANSWER +mail.example.com. IN A 10.20.30.50 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +ENTRY_END + +STEP 20 TIME_PASSES ELAPSE 5.0 + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +mail.example.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +mail.example.com. IN A +SECTION ANSWER +mail.example.com. IN A 10.20.30.50 +ENTRY_END + +SCENARIO_END diff --git a/testdata/iter_primenoglue.rpl b/testdata/iter_primenoglue.rpl index a75ed82dd..a0be71c78 100644 --- a/testdata/iter_primenoglue.rpl +++ b/testdata/iter_primenoglue.rpl @@ -28,7 +28,7 @@ SECTION QUESTION SECTION ANSWER . IN NS K.ROOT-SERVERS.NET. SECTION ADDITIONAL -; glue ommitted! +; glue omitted! ;K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END diff --git a/testdata/iter_scrub_dname_rev.rpl b/testdata/iter_scrub_dname_rev.rpl index 3e649f936..9caca66c0 100644 --- a/testdata/iter_scrub_dname_rev.rpl +++ b/testdata/iter_scrub_dname_rev.rpl @@ -17,7 +17,7 @@ CONFIG_END SCENARIO_BEGIN Test scrub of reversed DNAME and CNAME in answer section RANGE_BEGIN 0 100 -; all adresses +; all addresses ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id 
diff --git a/testdata/iter_scrub_dname_sec.rpl b/testdata/iter_scrub_dname_sec.rpl index 4597cdf98..34a7b324d 100644 --- a/testdata/iter_scrub_dname_sec.rpl +++ b/testdata/iter_scrub_dname_sec.rpl @@ -17,7 +17,7 @@ CONFIG_END SCENARIO_BEGIN Test scrub of secure DNAME in answer section RANGE_BEGIN 0 100 -; all adresses +; all addresses ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/localdata.rpl b/testdata/localdata.rpl index 047fbeeba..e54de2b61 100644 --- a/testdata/localdata.rpl +++ b/testdata/localdata.rpl @@ -45,9 +45,32 @@ server: local-data: "b.c.implicit. A 20.30.45.50" local-data: "c.c.implicit. A 20.30.44.50" + ; create implicit data in the ANY domain + ; this should inherit the local_zone_type of the already configured + ; zone 'refuse.top.' and not be transparent + local-data: "refuse.top. ANY TXT implicit_non_transparent" + +stub-zone: + name: "refuse.top" + stub-addr: 1.2.3.4 + CONFIG_END SCENARIO_BEGIN Test local data queries +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +; This entry should never be queried +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.refuse.top. IN A +SECTION ANSWER +www.refuse.top. IN A 5.5.5.5 +ENTRY_END +RANGE_END + ; id.server. STEP 1 QUERY ENTRY_BEGIN @@ -390,4 +413,35 @@ SECTION ANSWER foo.null.top. IN AAAA ::0 ENTRY_END +; refuse zone for implicit local-data with CLASS != IN +STEP 64 QUERY +ENTRY_BEGIN +SECTION QUESTION +refuse.top. ANY TXT +ENTRY_END +STEP 65 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RA AA NOERROR +SECTION QUESTION +refuse.top. ANY TXT +SECTION ANSWER +refuse.top. ANY TXT implicit_non_transparent +ENTRY_END + +; refuse zone for implicit local-data with CLASS != IN +STEP 66 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.refuse.top. ANY A +ENTRY_END +STEP 67 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RA RD AA REFUSED +SECTION QUESTION +www.refuse.top. ANY A +ENTRY_END + SCENARIO_END 
diff --git a/testdata/nsid_bogus.rpl b/testdata/nsid_bogus.rpl new file mode 100644 index 000000000..1414163f8 --- /dev/null +++ b/testdata/nsid_bogus.rpl 
@@ -0,0 +1,174 @@ +; config options +; The island of trust is at example.com +server: + trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" + val-override-date: "20070916134226" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no + nsid: "ascii_hopsa kidee" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test for NSID in SERVFAIL response due to DNSSEC bogus + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. 
MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + +; response to DNSKEY priming query +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} +example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854} +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + +; nodata for ns.example.com AAAA +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION ANSWER +SECTION ADDITIONAL +ENTRY_END + + +; response to query of interest +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +;good signature +;www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. 
MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854} +;missing +www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2855 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854} +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN A +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + 00 03 ; Opcode NSID (3) + 00 00 ; Length 0 + HEX_EDNSDATA_END +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA DO SERVFAIL +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + 00 03 ; Opcode NSID (3) + 00 0b ; Length 11 + 68 6F 70 73 61 20 ; "hopsa " + 6B 69 64 65 65 ; "kidee" + HEX_EDNSDATA_END +ENTRY_END + +SCENARIO_END diff --git a/testdata/pylib.tdir/pylib.lookup.conf b/testdata/pylib.tdir/pylib.lookup.conf index 3f4a8d26d..f467d5bc6 100644 --- a/testdata/pylib.tdir/pylib.lookup.conf +++ b/testdata/pylib.tdir/pylib.lookup.conf @@ -11,4 +11,4 @@ server: stub-zone: name: "example.com." stub-addr: "127.0.0.1@@TOPORT@" - + stub-no-cache: yes diff --git a/testdata/pylib.tdir/pylib.lookup.py b/testdata/pylib.tdir/pylib.lookup.py index 114bb49a0..b9f6e8397 100755 --- a/testdata/pylib.tdir/pylib.lookup.py +++ b/testdata/pylib.tdir/pylib.lookup.py 
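Review bot: In testdata/nsid_bogus.rpl the `;missing` comment above the www.example.com. RRSIG does not say what makes the answer bogus. The only visible difference from the commented-out good signature is key tag 2855, where the DNSKEY in this file has id 2854. I would replace the comment with `; bogus: RRSIG key tag 2855 matches no DNSKEY (zone key is id 2854)`. The two `; Opcode NSID (3)` comments in the HEX_EDNSDATA blocks label an EDNS option code, so `; Option code NSID (3)` would be more accurate.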
@@ -9,9 +9,11 @@ import time import unbound qname = "www.example.com" +qname2 = "www2.example.com" qtype = unbound.RR_TYPE_A qclass = unbound.RR_CLASS_IN + def create_context(config_file="ub.lookup.conf", asyncflag=False): """ Create an unbound context to use for testing. @@ -69,32 +71,6 @@ def test_async_resolve(ctx): print("Failed async resolve with: {}".format(retval)) -def test_ratelimit_fg_on(ctx): - """ - Test resolving a ratelimited domain with a foreground worker. - - """ - ctx.set_option("ratelimit:", "1") - ctx.set_option("ratelimit-factor:", "0") - status, result = ctx.resolve(qname, qtype, qclass) - if status == 0 and result.was_ratelimited: - print("Ratelimit-fg-on: pass") - else: - print("Failed ratelimit-fg-on with: {}".format(status)) - - -def test_ratelimit_fg_off(ctx): - """ - Test resolving a non-ratelimited domain with a foreground worker. - - """ - status, result = ctx.resolve(qname, qtype, qclass) - if status == 0 and result.havedata: - print("Ratelimit-fg-off: {}".format(result.data.address_list)) - else: - print("Failed ratelimit-fg-off with: {}".format(status)) - - def test_ratelimit_bg_on(ctx): """ Test resolving a ratelimited domain with a background worker. 
@@ -102,40 +78,32 @@ def test_ratelimit_bg_on(ctx): """ ctx.set_option("ratelimit:", "1") ctx.set_option("ratelimit-factor:", "0") - cb_data = dict(done=False) - retval, async_id = ctx.resolve_async(qname, cb_data, callback, qtype, qclass) - while retval == 0 and not cb_data['done']: - time.sleep(0.1) - retval = ctx.process() + total_runs = 6 + success_threshold = 4 # 2/3*total_runs + successes = 0 + for i in range(total_runs): + cb_data = dict(done=False) + cb_data2 = dict(done=False) + retval, async_id = ctx.resolve_async(qname, cb_data, callback, qtype, qclass) + retval, async_id = ctx.resolve_async(qname2, cb_data2, callback, qtype, qclass) - if cb_data.get('was_ratelimited'): + while retval == 0 and not (cb_data['done'] and cb_data['done']): + time.sleep(0.1) + retval = ctx.process() + + if bool(cb_data.get('was_ratelimited')) ^ bool(cb_data2.get('was_ratelimited')): + successes += 1 + if successes >= success_threshold: + break + time.sleep(1) + if successes >= success_threshold: print("Ratelimit-bg-on: pass") else: - print("Failed ratelimit-bg-on with: {}".format(status)) - - -def test_ratelimit_bg_off(ctx): - """ - Test resolving a non-ratelimited domain with a background worker. - - """ - cb_data = dict(done=False) - retval, async_id = ctx.resolve_async(qname, cb_data, callback, qtype, qclass) - while retval == 0 and not cb_data['done']: - time.sleep(0.1) - retval = ctx.process() - - if cb_data.get('data'): - print("Ratelimit-bg-off: {}".format(cb_data['data'].address_list)) - else: - print("Failed ratelimit-bg-off with: {}".format(status)) + print("Failed ratelimit-bg-on") test_resolve(create_context()) test_async_resolve(create_context(asyncflag=True)) -test_ratelimit_fg_on(create_context()) -test_ratelimit_fg_off(create_context()) test_ratelimit_bg_on(create_context(asyncflag=True)) -test_ratelimit_bg_off(create_context(asyncflag=True)) sys.exit(0) 
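Review bot: The wait loop in test_ratelimit_bg_on tests `cb_data['done']` twice, so it can stop polling before the callback for the second query (qname2) has run. The XOR check that follows then reads an unset `was_ratelimited` in cb_data2 as False and may count the run as a success on incomplete data. The condition should be `while retval == 0 and not (cb_data['done'] and cb_data2['done']):`. The second `resolve_async` call also overwrites the `retval` and `async_id` returned by the first, so a failure to submit the first query goes unnoticed; checking each return value separately would close that gap. The function's `def` line and the start of its docstring are above the hunk.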
diff --git a/testdata/pylib.tdir/pylib.test b/testdata/pylib.tdir/pylib.test index 893aaf64f..59f996459 100644 --- a/testdata/pylib.tdir/pylib.test +++ b/testdata/pylib.tdir/pylib.test @@ -42,30 +42,12 @@ else echo "Not OK (async resolve)" exit 1 fi -if grep "Ratelimit-fg-on: pass" outfile; then - : -else - echo "Not OK (ratelimit-fg-on)" - exit 1 -fi -if grep "Ratelimit-fg-off: \[.\?10.20.30.40.\?\]" outfile; then - : -else - echo "Not OK (ratelimit-fg-off)" - exit 1 -fi if grep "Ratelimit-bg-on: pass" outfile; then : else echo "Not OK (ratelimit-bg-on)" exit 1 fi -if grep "Ratelimit-bg-off: \[.\?10.20.30.40.\?\]" outfile; then - : -else - echo "Not OK (ratelimit-bg-off)" - exit 1 -fi echo "OK" diff --git a/testdata/pylib.tdir/pylib.testns b/testdata/pylib.tdir/pylib.testns index f2a700cc7..af54ed570 100644 --- a/testdata/pylib.tdir/pylib.testns +++ b/testdata/pylib.tdir/pylib.testns @@ -12,3 +12,12 @@ SECTION ANSWER www IN A 10.20.30.40 ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +www2 IN A +SECTION ANSWER +www2 IN A 10.20.30.40 +ENTRY_END diff --git a/testdata/ratelimit.tdir/ratelimit.conf b/testdata/ratelimit.tdir/ratelimit.conf new file mode 100644 index 000000000..5d2456c39 --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.conf @@ -0,0 +1,29 @@ +server: + verbosity: 5 + # num-threads: 1 + interface: 127.0.0.1 + port: @PORT@ + use-syslog: no + directory: . + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no + + ratelimit: 1 + ratelimit-factor: 0 + +stub-zone: + name: "example.com." + stub-addr: "127.0.0.1@@TOPORT@" + stub-no-cache: yes + +remote-control: + control-enable: yes + control-interface: 127.0.0.1 + # control-interface: ::1 + control-port: @CONTROL_PORT@ + server-key-file: "unbound_server.key" + server-cert-file: "unbound_server.pem" + control-key-file: "unbound_control.key" + control-cert-file: "unbound_control.pem" 
diff --git a/testdata/ratelimit.tdir/ratelimit.dsc b/testdata/ratelimit.tdir/ratelimit.dsc new file mode 100644 index 000000000..abd5307c7 --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.dsc @@ -0,0 +1,16 @@ +BaseName: ratelimit +Version: 1.0 +Description: Test ratelimit. +CreationDate: Sun Jan 30 00:40:00 CET 2022 +Maintainer: Yorgos Thessalonikefs +Category: +Component: +CmdDepends: +Depends: +Help: +Pre: ratelimit.pre +Post: ratelimit.post +Test: ratelimit.test +AuxFiles: +Passed: +Failure: diff --git a/testdata/ratelimit.tdir/ratelimit.post b/testdata/ratelimit.tdir/ratelimit.post new file mode 100644 index 000000000..6738ed55a --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.post @@ -0,0 +1,14 @@ +# #-- ratelimit.post --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# source the test var file when it's there +[ -f .tpkg.var.test ] && source .tpkg.var.test +# +# do your teardown here +. ../common.sh +kill_pid $STUB_PID +kill_pid $UNBOUND_PID +if test -f unbound.log; then + echo ">>> unbound log" + cat unbound.log +fi diff --git a/testdata/ratelimit.tdir/ratelimit.pre b/testdata/ratelimit.tdir/ratelimit.pre new file mode 100644 index 000000000..2404cfc00 --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.pre 
@@ -0,0 +1,33 @@ +# #-- ratelimit.pre--# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +. ../common.sh +get_random_port 2 +UNBOUND_PORT=$RND_PORT +STUB_PORT=$(($RND_PORT + 1)) +CONTROL_PORT=$(($RND_PORT + 2)) +echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test +echo "STUB_PORT=$STUB_PORT" >> .tpkg.var.test +echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test + +# start ldns-testns +get_ldns_testns +$LDNS_TESTNS -v -p $STUB_PORT ratelimit.testns >stub.log 2>&1 & +STUB_PID=$! +echo "STUB_PID=$STUB_PID" >> .tpkg.var.test + +# make config file +sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$STUB_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ratelimit.conf > ub.conf +# start unbound in the background +$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test + +wait_ldns_testns_up stub.log +wait_unbound_up unbound.log + +cat .tpkg.var.test diff --git a/testdata/ratelimit.tdir/ratelimit.test b/testdata/ratelimit.tdir/ratelimit.test new file mode 100644 index 000000000..cc1471740 --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.test 
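Review bot: `get_random_port 2` in ratelimit.pre is followed by three port assignments (`$RND_PORT`, `$RND_PORT + 1` and `$RND_PORT + 2`), so CONTROL_PORT appears to fall outside the range that was requested. get_random_port comes from ../common.sh, which is not shown here, so this assumes its argument is the number of consecutive ports to check. If so, `get_random_port 3` keeps the remote-control listener from colliding with another test running in parallel.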
@@ -0,0 +1,183 @@ +# #-- ratelimit.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +. ../common.sh + +get_make +(cd $PRE; $MAKE streamtcp) + +# These tests rely on second time precision. To combat false negatives the +# tests run multiple times and we allow 1/3 of the runs to fail. +total_runs=6 +success_threshold=4 # 2/3*total_runs + +successes=0 +echo "> Three parallel queries" +# For this test we send three parallel queries and we expect only one of them +# to be allowed through each second. +for i in $(seq 1 $total_runs); do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 2; then + ((successes++)) + fi + # We don't have to wait for all the runs to complete if we know + # we passed the threshold. + if test $successes -ge $success_threshold; then + break + fi + sleep 1 +done +if test $successes -ge $success_threshold; then + echo "Number of ratelimited queries OK for three parallel queries" +else + echo "Number of ratelimited queries not OK for three parallel queries" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries" + exit 1 +fi + +echo "> Activating ratelimit-factor" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3" +$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3 +if test $? 
-ne 0; then + echo "wrong exit value after success" + exit 1 +fi + +slipped_through=0 +echo "> Three parallel queries with ratelimit-factor" +# For this test we send three parallel queries and we expect at least two of +# them to be allowed through at a given second; one from the ratelimit itself +# and one from the ratelimit-factor. +for i in {1..10}; do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -lt 2; then + slipped_through=1 + break + fi + sleep 2 +done +if test $slipped_through -eq 0; then + echo "ratelimit-factor did not work" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "ratelimit-factor did not work" + exit 1 +fi +echo "ratelimit-factor OK" + +echo "> Disabling ratelimit-factor" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0" +$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0 +if test $? -ne 0; then + echo "wrong exit value after success" + exit 1 +fi +echo "> Activating ratelimit-backoff" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes" +$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes +if test $? -ne 0; then + echo "wrong exit value after success" + exit 1 +fi + +successes=0 +echo "> Three parallel queries with backoff" +# For this test we send three parallel queries. The ratelimit should be reached +# for that second. Then for the next second we again send three parallel +# queries and we expect none of them to be allowed through because of the +# backoff logic that keeps rolling the RATE_WINDOW based on demand. +for i in $(seq 1 $total_runs); do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. 
A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + sleep 1 # Limit is reached; it should also be active for the next second + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 3; then + ((successes++)) + fi + # We don't have to wait for all the runs to complete if we know + # we passed the threshold. + if test $successes -ge $success_threshold; then + break + fi +done + +if test $successes -ge $success_threshold; then + echo "three parallel queries with backoff OK" +else + echo "Number of ratelimited queries not OK for three parallel queries with backoff" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries with backoff" + exit 1 +fi + +echo "> Three parallel queries after backoff RATE_WINDOW" +sleep 3 # Make sure the RATE_WINDOW is renewed +# For this test we make three parallel queries after the RATE_WINDOW has passed +# without any new demand and we expect at least one query to pass through. This +# is to check that the backoff logic does not insist on past (outside of +# RATE_WINDOW) limits. +$PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 +if test "$?" 
-ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 +fi +cat outfile +if test `grep "rcode: NOERROR" outfile | wc -l` -gt 0; then + echo "Number of ratelimited queries OK for three parallel queries after backoff RATE_WINDOW" +else + echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW" + exit 1 +fi +exit 0 diff --git a/testdata/ratelimit.tdir/ratelimit.testns b/testdata/ratelimit.tdir/ratelimit.testns new file mode 100644 index 000000000..673bd15a5 --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.testns @@ -0,0 +1,13 @@ +; nameserver test file +$ORIGIN example.com. +$TTL 3600 + +ENTRY_BEGIN +MATCH opcode qtype +REPLY QR AA NOERROR +ADJUST copy_id copy_query +SECTION QUESTION +wild IN A +SECTION ANSWER +wild IN A 10.20.30.40 +ENTRY_END diff --git a/testdata/ratelimit.tdir/unbound_control.key b/testdata/ratelimit.tdir/unbound_control.key new file mode 100644 index 000000000..753a4ef61 --- /dev/null +++ b/testdata/ratelimit.tdir/unbound_control.key 
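Review bot: The failure path in ratelimit.test repeats the same block (`echo "> cat logfiles"`, `cat outfile`, `cat unbound.log`, a message, `exit 1`) after every streamtcp call and after each threshold check. This makes the three rate-limit scenarios harder to follow and easy to change inconsistently. A small helper near the top, for example `fail() { echo "> cat logfiles"; cat outfile; cat unbound.log; echo "$1"; exit 1; }`, would reduce each site to one line such as `fail "Not OK"`. In the same spirit, `grep -c "rcode: SERVFAIL" outfile` can replace the `grep ... | wc -l` pipelines. The message `wrong exit value after success`, printed when `unbound-control set_option` fails, would be clearer if it named the option that could not be set.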
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA +1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ +F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR +ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm +vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb +IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL +cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr +lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov +15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf +LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+ +Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57 +YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9 +whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c +lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax +tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ +U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9 +Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc +Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3 +ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+ +1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN +b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz +ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C +TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF +tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y +aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0 +A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU +LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U +R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy +7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj 
+7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw +jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1 +BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar +kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR +qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3 +VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9 +MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa +C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g= +-----END RSA PRIVATE KEY----- diff --git a/testdata/ratelimit.tdir/unbound_control.pem b/testdata/ratelimit.tdir/unbound_control.pem new file mode 100644 index 000000000..a1edf7017 --- /dev/null +++ b/testdata/ratelimit.tdir/unbound_control.pem 
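Review bot: testdata/ratelimit.tdir/unbound_control.key adds an unencrypted RSA private key to the repository, and the unbound_server.key section that follows does the same. Nothing in the change marks either file as a test-only fixture. ratelimit.conf in this commit loads them for remote-control on 127.0.0.1, which is a reasonable test setup, but the keys must be treated as publicly known and secret scanners will flag the files. I would add a comment in the `remote-control:` block of ratelimit.conf such as `# test-only key material, publicly known; never use outside the test suite`, and list these paths in whatever secret-scanning allowlist the project keeps.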
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw +WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA +A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv +OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj +1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl +NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht +A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/ +Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB +TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/ +nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My ++i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj +4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83 +hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU +9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn +ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ +pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD +72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ +muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP +uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte +-----END CERTIFICATE----- diff --git a/testdata/ratelimit.tdir/unbound_server.key b/testdata/ratelimit.tdir/unbound_server.key new file mode 100644 index 000000000..370a7bbb2 --- /dev/null +++ b/testdata/ratelimit.tdir/unbound_server.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI +0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq +GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z +uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K +WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5 +FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP +q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL +A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP +7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf +XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6 +iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7 +2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo +MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj +WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz +O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI +IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN +qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU +dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs +bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr +YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km +7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr +gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z +5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG +ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN +oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+ +s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW +zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx +ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1 +oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3 
+BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS +mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8 +kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93 +7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8 +RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O +jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp +O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre +MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A== +-----END RSA PRIVATE KEY----- diff --git a/testdata/ratelimit.tdir/unbound_server.pem b/testdata/ratelimit.tdir/unbound_server.pem new file mode 100644 index 000000000..986807310 --- /dev/null +++ b/testdata/ratelimit.tdir/unbound_server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5 +WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB +igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32 +a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2 +4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot +aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4 +TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ +uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4 ++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz +XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx +dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW +84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7 +JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca +fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg +XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF +qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25 +sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD +yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe +CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ== +-----END CERTIFICATE----- diff --git a/testdata/root_anchor.tdir/root_anchor.test b/testdata/root_anchor.tdir/root_anchor.test index 8be248ab9..f75dadf67 100644 --- a/testdata/root_anchor.tdir/root_anchor.test +++ b/testdata/root_anchor.tdir/root_anchor.test @@ -27,7 +27,7 @@ fi echo "" # test that unbound-anchor, the builtin certificate, works -# so, force https with -F and the -c is a nonexistant file +# so, force https with -F and the -c is a nonexistent file $PRE/unbound-anchor -a test.cert -c test.pem -v -F # check that the test.cert file is OK. if $PRE/unbound-host -f test.cert -t SOA -v . 2>&1 | grep "(secure)"; then 
@@ -38,7 +38,7 @@ else fi # use curl to see if the PGP certificate has been updated. -curl --time-cond "20170203 10:00:00" https://data.iana.org/root-anchors/icannbundle.pem > newcert +curl --time-cond "20210908 17:00:00" https://data.iana.org/root-anchors/icannbundle.pem > newcert if test -n "`cat newcert`"; then echo "icannbundle.pem has been updated" cat newcert diff --git a/testdata/root_key_sentinel.rpl b/testdata/root_key_sentinel.rpl old mode 100755 new mode 100644 index 1b66c5aac..2310953ad --- a/testdata/root_key_sentinel.rpl +++ b/testdata/root_key_sentinel.rpl 
@@ -175,11 +175,11 @@ REPLY QR RD RA AD DO NXDOMAIN SECTION QUESTION root-key-sentinel-not-ta-20326. IN A SECTION AUTHORITY -. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018042300 1800 900 604800 86400 -. 86400 IN RRSIG SOA 8 0 86400 20180506050000 20180423040000 39570 . LboVfcSRUSuBcZPpkkOO1N6KpGO6DBzOGL6UtSVUssycPzGIZctcIM0s Kb71iBf3rxFjNVlgCuNFb74WpCyRQ2coB2uUQXVA81A+P4Qb62/s3Nr2 pRGxayA1Y0Uq2M4CRkh3bjgn/cEcEFSWTl+xDVjZO8hX98JdQjYmrVui 4zEQhsMM03sqkmjkH88owibWK7HDl6O0n6Imer2hCsVTlFv7PSrBHlXP KntkIMDtbGHZW/BkKnA6P1jfAVfgXr70bRVaDRddLqJp3EX6EuR83osg 8q46170NgCMCKK3ePItJYF16SEADFKdOQs19CMTXAN7M1p4cnGk2yRG/ 68BmCg== . 86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY . 86400 IN RRSIG NSEC 8 0 86400 20180506050000 20180423040000 39570 . E1FeP4/GvcPksKXgas9pslduWU6+cqqSoJpgtCeymd6t7MORbnsQJdUo rjqbRtxvOOnv5g4uVZdv0krSc/eqw8HWEiCW0oZWYLcz+h8eI4htt4uv 8LciVgQn3Aspic2b8uWdPTJUPuc94esn5AJZDMK9VOTwZD2UVqbv/k9U 4LG0o56yRQshYTG2hiutFXLYmzFe2YmKct6G7W50O7s5hwxTqqRwv9av 1Q3UZUj/ZARNt9z53pygJsDPDX+L2q4lowtiHJCRPjijm8K3Bwb8uFsG 3YB20K9d3krack9c6gAMJzpgeuFQ/b2HxiZMJPvJ3tHqIhDn0U5qoZdT Xq0WTw== room. 86400 IN NSEC rs. NS DS RRSIG NSEC room. 86400 IN RRSIG NSEC 8 1 86400 20180506050000 20180423040000 39570 . Fmhf8s0yVixynVdO6VWLEctcvb7+3UK9gu+9BhUPBS0SNedhMwfyiYaR MzWU9P99gVYUT1G/vXRqbAabtD3Ccnt/ydUBguZq3pV5GL+7czeEbZ5z 8/LlS+wyw2OTe4DOKzBZ7oZAA/r/Tz2bhVA6kNyIKFXAmBXuh7I5Ty7H elbIWh7Lq7QjZwN9LL4M1kSNePH2cmS3Lu/scRf3m3fN/70sgoYzKNB7 +Hbi/YjXBbRIcj7tHA6iMoZLGPXRMJdb6NqJNIaDIDtOA95cFa4oRx2P usBW9lpXG0YY+KDm1J6UjxUP7TIn0yXt+c0vy2cz7zu++ZEkdU29WtBG dUQEaA== +. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018042300 1800 900 604800 86400 +. 86400 IN RRSIG SOA 8 0 86400 20180506050000 20180423040000 39570 . 
LboVfcSRUSuBcZPpkkOO1N6KpGO6DBzOGL6UtSVUssycPzGIZctcIM0s Kb71iBf3rxFjNVlgCuNFb74WpCyRQ2coB2uUQXVA81A+P4Qb62/s3Nr2 pRGxayA1Y0Uq2M4CRkh3bjgn/cEcEFSWTl+xDVjZO8hX98JdQjYmrVui 4zEQhsMM03sqkmjkH88owibWK7HDl6O0n6Imer2hCsVTlFv7PSrBHlXP KntkIMDtbGHZW/BkKnA6P1jfAVfgXr70bRVaDRddLqJp3EX6EuR83osg 8q46170NgCMCKK3ePItJYF16SEADFKdOQs19CMTXAN7M1p4cnGk2yRG/ 68BmCg== ENTRY_END SCENARIO_END diff --git a/testdata/rpz_clientip.rpl b/testdata/rpz_clientip.rpl new file mode 100644 index 000000000..78e05ad91 --- /dev/null +++ b/testdata/rpz_clientip.rpl 
@@ -0,0 +1,264 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ minimal-responses: no
+ access-control: 192.0.0.0/8 allow
+
+rpz:
+ name: "rpz.example.com."
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+24.0.0.0.192.rpz-client-ip CNAME .
+24.0.1.0.192.rpz-client-ip CNAME *.
+24.0.2.0.192.rpz-client-ip CNAME rpz-drop.
+24.0.3.0.192.rpz-client-ip CNAME rpz-passthru.
+24.0.4.0.192.rpz-client-ip CNAME rpz-tcp-only.
+24.0.5.0.192.rpz-client-ip A 127.0.0.1
+24.0.5.0.192.rpz-client-ip TXT "42"
+TEMPFILE_END
+
+stub-zone:
+ name: "a."
+ stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ client ip triggers
+
+RANGE_BEGIN 0 100
+ ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a. IN NS
+SECTION ANSWER
+a. IN NS ns.a.
+SECTION ADDITIONAL
+ns.a IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a.a. IN TXT
+SECTION ANSWER
+a.a. IN TXT "upstream txt rr a.a."
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a.a. IN A
+SECTION ANSWER
+a.a. IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a.a. IN AAAA
+SECTION ANSWER
+a.a. IN AAAA 2001:db8::123
+ENTRY_END
+
+RANGE_END
+
+; unrelated client ip address -- passthru
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN TXT
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a.a. IN TXT
+SECTION ANSWER
+a.a. IN TXT "upstream txt rr a.a."
+ENTRY_END
+
+; should be NXDOMAIN
+
+STEP 20 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN TXT
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR AA RD RA NXDOMAIN
+SECTION QUESTION
+a.a. IN TXT
+SECTION ANSWER
+ENTRY_END
+
+; should be NODATA
+
+STEP 30 QUERY ADDRESS 192.0.1.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN TXT
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR AA RD RA NOERROR
+SECTION QUESTION
+a.a. IN TXT
+SECTION ANSWER
+ENTRY_END
+
+; should be PASSTHRU
+
+STEP 40 QUERY ADDRESS 192.0.3.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN TXT
+ENTRY_END
+
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a.a. IN TXT
+SECTION ANSWER
+a.a. IN TXT "upstream txt rr a.a."
+ENTRY_END
+
+; should be TRUNCATED
+
+STEP 50 QUERY ADDRESS 192.0.4.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN TXT
+ENTRY_END
+
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR AA TC RD RA NOERROR
+SECTION QUESTION
+a.a. IN TXT
+SECTION ANSWER
+ENTRY_END
+
+; should not be TRUNCATED via TCP
+
+STEP 52 QUERY ADDRESS 192.0.4.1
+ENTRY_BEGIN
+MATCH TCP
+REPLY RD
+SECTION QUESTION
+a.a. IN TXT
+ENTRY_END
+
+STEP 53 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all TCP
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a.a. IN TXT
+SECTION ANSWER
+a.a. IN TXT "upstream txt rr a.a."
+ENTRY_END
+
+; should be synthesized
+
+STEP 60 QUERY ADDRESS 192.0.5.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN A
+ENTRY_END
+
+STEP 61 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR AA RD RA NOERROR
+SECTION QUESTION
+a.a. IN A
+SECTION ANSWER
+a.a. IN A 127.0.0.1
+SECTION ADDITIONAL
+rpz.example.com. 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( 1379078166 28800 7200 604800 7200 )
+ENTRY_END
+
+; should be synthesized
+
+STEP 62 QUERY ADDRESS 192.0.5.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN TXT
+ENTRY_END
+
+STEP 63 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR AA RD RA NOERROR
+SECTION QUESTION
+a.a. IN TXT
+SECTION ANSWER
+a.a. IN TXT "42"
+SECTION ADDITIONAL
+rpz.example.com. 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( 1379078166 28800 7200 604800 7200 )
+ENTRY_END
+
+; should be synthesized NODATA
+
+STEP 64 QUERY ADDRESS 192.0.5.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN AAAA
+ENTRY_END
+
+STEP 65 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR AA RD RA NOERROR
+SECTION QUESTION
+a.a. IN AAAA
+SECTION ADDITIONAL
+rpz.example.com. 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( 1379078166 28800 7200 604800 7200 )
+ENTRY_END
+
+; should be DROPPED
+
+STEP 90 QUERY ADDRESS 192.0.2.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN TXT
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/rpz_nsdname.rpl b/testdata/rpz_nsdname.rpl
new file mode 100644
index 000000000..1c678cc13
--- /dev/null
+++ b/testdata/rpz_nsdname.rpl
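Review bot: The last step, `STEP 90 QUERY ADDRESS 192.0.2.1`, has no `CHECK_ANSWER`, and the only hint is `; should be DROPPED`, so a reader cannot tell whether the missing check is deliberate. `rpz_qname.rpl` in this same commit ends with `; no answer is checked at exit of testbound.`; I would add that comment before `SCENARIO_END` here as well. Separately, `STEP 40`/`41` (passthru from 192.0.3.1) expects the same upstream answer as the unrelated client in `STEP 10`/`11`, so it would presumably still pass if the `rpz-passthru` record were missing; a short comment pointing to `rpz_passthru.rpl` for the real passthru check would make that explicit.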
@@ -0,0 +1,390 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ access-control: 192.0.0.0/8 allow
+
+rpz:
+ name: "rpz.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz.example.com"
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+ns1.gotham.aa.rpz-nsdname CNAME .
+ns1.gotham.bb.rpz-nsdname CNAME *.
+ns1.gotham.cc.rpz-nsdname CNAME rpz-drop.
+ns1.gotham.com.rpz-nsdname CNAME rpz-passthru.
+ns1.gotham.dd.rpz-nsdname CNAME rpz-tcp-only.
+ns1.gotham.ff.rpz-nsdname A 127.0.0.1
+ns1.gotham.ff.rpz-nsdname TXT "42"
+TEMPFILE_END
+
+stub-zone:
+ name: "."
+ stub-addr: 1.1.1.1
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ nsip triggers
+
+; . --------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 1.1.1.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS ns.root.
+SECTION ADDITIONAL
+ns.root IN A 1.1.1.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com. IN NS ns1.com.
+SECTION ADDITIONAL
+ns1.com. IN A 8.8.8.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+aa. IN A
+SECTION AUTHORITY
+aa. IN NS ns1.aa.
+SECTION ADDITIONAL
+ns1.aa. IN A 8.8.0.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+bb. IN A
+SECTION AUTHORITY
+bb. IN NS ns1.bb.
+SECTION ADDITIONAL
+ns1.bb. IN A 8.8.1.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+cc. IN A
+SECTION AUTHORITY
+cc. IN NS ns1.cc.
+SECTION ADDITIONAL
+ns1.cc. IN A 8.8.2.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+dd. IN A
+SECTION AUTHORITY
+dd. IN NS ns1.dd.
+SECTION ADDITIONAL
+ns1.dd. IN A 8.8.3.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+ee. IN A
+SECTION AUTHORITY
+ee. IN NS ns1.ee.
+SECTION ADDITIONAL
+ns1.ee. IN A 8.8.5.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+ff. IN A
+SECTION AUTHORITY
+ff. IN NS ns1.ff.
+SECTION ADDITIONAL
+ns1.ff. IN A 8.8.6.8
+ENTRY_END
+
+RANGE_END
+
+; com. -----------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 8.8.8.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS ns1.com.
+SECTION ADDITIONAL
+ns1.com. IN A 8.8.8.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.com. IN A
+SECTION AUTHORITY
+gotham.com. IN NS ns1.gotham.com.
+SECTION ADDITIONAL
+ns1.gotham.com. IN A 192.0.6.1
+ENTRY_END
+
+RANGE_END
+
+; aa. ------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 8.8.0.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+aa. IN NS
+SECTION ANSWER
+aa. IN NS ns1.aa.
+SECTION ADDITIONAL
+ns1.aa. IN A 8.8.0.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.aa. IN A
+SECTION AUTHORITY
+gotham.aa. IN NS ns1.gotham.aa.
+SECTION ADDITIONAL
+ns1.gotham.aa. IN A 192.0.0.1
+ENTRY_END
+
+RANGE_END
+
+; bb. ------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 8.8.1.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+bb. IN NS
+SECTION ANSWER
+bb. IN NS ns1.bb.
+SECTION ADDITIONAL
+ns1.bb. IN A 8.8.1.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.bb. IN A
+SECTION AUTHORITY
+gotham.bb. IN NS ns1.gotham.bb.
+SECTION ADDITIONAL
+ns1.gotham.bb. IN A 192.0.1.1
+ENTRY_END
+
+RANGE_END
+
+; ff. ------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 8.8.6.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ff. IN NS
+SECTION ANSWER
+ff. IN NS ns1.ff.
+SECTION ADDITIONAL
+ns1.ff. IN A 8.8.6.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.ff. IN A
+SECTION AUTHORITY
+gotham.ff. IN NS ns1.gotham.ff.
+SECTION ADDITIONAL
+ns1.gotham.ff. IN A 192.0.5.1
+ENTRY_END
+
+RANGE_END
+
+; ns1.gotham.com. ------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 192.0.6.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.com. IN A
+SECTION ANSWER
+gotham.com. IN A 192.0.6.2
+ENTRY_END
+
+RANGE_END
+
+; ns1.gotham.aa. -------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 192.0.0.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.aa. IN A
+SECTION ANSWER
+gotham.aa. IN A 192.0.0.2
+ENTRY_END
+
+RANGE_END
+
+; ns1.gotham.bb. -------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 192.0.1.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.bb. IN A
+SECTION ANSWER
+gotham.bb. IN A 192.0.1.2
+ENTRY_END
+
+RANGE_END
+
+; ns1.gotham.ff. -------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 192.0.5.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.ff. IN A
+SECTION ANSWER
+gotham.ff. IN A 192.0.5.2
+ENTRY_END
+
+RANGE_END
+
+; ----------------------------------------------------------------------------
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+gotham.com. IN A
+SECTION ANSWER
+gotham.com. IN A 192.0.6.2
+ENTRY_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.aa. IN A
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR AA RD RA NXDOMAIN
+SECTION QUESTION
+gotham.aa. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.bb. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+gotham.bb. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.ff. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+gotham.ff. IN A
+SECTION ANSWER
+gotham.ff. IN A 127.0.0.1
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/rpz_nsip.rpl b/testdata/rpz_nsip.rpl
new file mode 100644
index 000000000..34dbd9fef
--- /dev/null
+++ b/testdata/rpz_nsip.rpl
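Review bot: The scenario title `SCENARIO_BEGIN Test RPZ nsip triggers` is copied from the nsip test although every trigger in this file is `rpz-nsdname`; it should read `SCENARIO_BEGIN Test RPZ nsdname triggers`. The zone also defines `ns1.gotham.cc.rpz-nsdname CNAME rpz-drop.` and `ns1.gotham.dd.rpz-nsdname CNAME rpz-tcp-only.`, and the root range delegates `cc.`, `dd.` and `ee.`, but there is no `RANGE` for 8.8.2.8, 8.8.3.8 or 8.8.5.8 and no `STEP` that queries those names, so the drop and tcp-only actions are never exercised for this trigger. `rpz_nsip.rpl` in the next hunk has the same gap: its 192.0.2.0/24, 192.0.3.0/24 and 192.0.4.0/24 entries are never matched by any step. Either add steps for these actions or remove the unused delegations and note in a comment which actions the scenario covers.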
@@ -0,0 +1,408 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ access-control: 192.0.0.0/8 allow
+
+rpz:
+ name: "rpz.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz.example.com"
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.gotham.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+24.0.0.0.192.rpz-nsip CNAME .
+24.0.1.0.192.rpz-nsip CNAME *.
+24.0.2.0.192.rpz-nsip CNAME rpz-drop.
+24.0.3.0.192.rpz-nsip CNAME rpz-passthru.
+24.0.4.0.192.rpz-nsip CNAME rpz-tcp-only.
+24.0.5.0.192.rpz-nsip A 127.0.0.1
+24.0.5.0.192.rpz-nsip TXT "42"
+TEMPFILE_END
+
+stub-zone:
+ name: "."
+ stub-addr: 1.1.1.1
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ nsip triggers
+
+; . --------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 1.1.1.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS ns.root.
+SECTION ADDITIONAL
+ns.root IN A 1.1.1.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com. IN NS ns1.com.
+SECTION ADDITIONAL
+ns1.com. IN A 8.8.8.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+aa. IN A
+SECTION AUTHORITY
+aa. IN NS ns1.aa.
+SECTION ADDITIONAL
+ns1.aa. IN A 8.8.0.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+bb. IN A
+SECTION AUTHORITY
+bb. IN NS ns1.bb.
+SECTION ADDITIONAL
+ns1.bb. IN A 8.8.1.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+cc. IN A
+SECTION AUTHORITY
+cc. IN NS ns1.cc.
+SECTION ADDITIONAL
+ns1.cc. IN A 8.8.2.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+dd. IN A
+SECTION AUTHORITY
+dd. IN NS ns1.dd.
+SECTION ADDITIONAL
+ns1.dd. IN A 8.8.3.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+ee. IN A
+SECTION AUTHORITY
+ee. IN NS ns1.ee.
+SECTION ADDITIONAL
+ns1.ee. IN A 8.8.5.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+ff. IN A
+SECTION AUTHORITY
+ff. IN NS ns1.ff.
+SECTION ADDITIONAL
+ns1.ff. IN A 8.8.6.8
+ENTRY_END
+
+RANGE_END
+
+; com. -----------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 8.8.8.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS ns1.com.
+SECTION ADDITIONAL
+ns1.com. IN A 8.8.8.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.com. IN A
+SECTION AUTHORITY
+gotham.com. IN NS ns1.gotham.com.
+SECTION ADDITIONAL
+ns1.gotham.com. IN A 192.0.6.1
+ENTRY_END
+
+RANGE_END
+
+; aa. ------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 8.8.0.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+aa. IN NS
+SECTION ANSWER
+aa. IN NS ns1.aa.
+SECTION ADDITIONAL
+ns1.aa. IN A 8.8.0.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.aa. IN A
+SECTION AUTHORITY
+gotham.aa. IN NS ns1.gotham.aa.
+SECTION ADDITIONAL
+ns1.gotham.aa. IN A 192.0.0.1
+ENTRY_END
+
+RANGE_END
+
+; bb. ------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 8.8.1.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+bb. IN NS
+SECTION ANSWER
+bb. IN NS ns1.bb.
+SECTION ADDITIONAL
+ns1.bb. IN A 8.8.1.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.bb. IN A
+SECTION AUTHORITY
+gotham.bb. IN NS ns1.gotham.bb.
+SECTION ADDITIONAL
+ns1.gotham.bb. IN A 192.0.1.1
+ENTRY_END
+
+RANGE_END
+
+; ff. ------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 8.8.6.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ff. IN NS
+SECTION ANSWER
+ff. IN NS ns1.ff.
+SECTION ADDITIONAL
+ns1.ff. IN A 8.8.6.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.ff. IN A
+SECTION AUTHORITY
+gotham.ff. IN NS ns1.gotham.ff.
+SECTION ADDITIONAL
+ns1.gotham.ff. IN A 192.0.5.1
+ENTRY_END
+
+RANGE_END
+
+; ns1.gotham.com. ------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 192.0.6.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.com. IN A
+SECTION ANSWER
+gotham.com. IN A 192.0.6.2
+ENTRY_END
+
+RANGE_END
+
+; ns1.gotham.aa. -------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 192.0.0.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.aa. IN A
+SECTION ANSWER
+gotham.aa. IN A 192.0.0.2
+ENTRY_END
+
+RANGE_END
+
+; ns1.gotham.bb. -------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 192.0.1.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.bb. IN A
+SECTION ANSWER
+gotham.bb. IN A 192.0.1.2
+ENTRY_END
+
+RANGE_END
+
+; ns1.gotham.ff. -------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 192.0.5.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.ff. IN A
+SECTION ANSWER
+gotham.ff. IN A 192.0.5.2
+ENTRY_END
+
+RANGE_END
+
+; ----------------------------------------------------------------------------
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+gotham.com. IN A
+SECTION ANSWER
+gotham.com. IN A 192.0.6.2
+ENTRY_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.aa. IN A
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR AA RD RA NXDOMAIN
+SECTION QUESTION
+gotham.aa. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.bb. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+gotham.bb. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.ff. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+gotham.ff. IN A
+SECTION ANSWER
+gotham.ff. IN A 127.0.0.1
+ENTRY_END
+
+; again with more cache items
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.ff. IN A
+ENTRY_END
+
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+gotham.ff. IN A
+SECTION ANSWER
+gotham.ff. IN A 127.0.0.1
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/rpz_passthru.rpl b/testdata/rpz_passthru.rpl
new file mode 100644
index 000000000..5c8557547
--- /dev/null
+++ b/testdata/rpz_passthru.rpl
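Review bot: The zone's SOA line `rpz 3600 IN SOA ns1.rpz.gotham.com. hostmaster.rpz.example.com. (` names `ns1.rpz.gotham.com.` as primary, while the NS records two lines below and the other RPZ fixtures in this commit use `ns1.rpz.example.com.`. This looks like a slip and should read `rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (`. No step in this scenario checks the SOA, so the result is presumably unaffected, but the odd name will be copied into the next test that starts from this file.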
@@ -0,0 +1,154 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + access-control: 192.0.0.0/8 allow + +rpz: + name: "rpz.example.com." + rpz-log: yes + rpz-log-name: "rpz.example.com" + rpz-action-override: passthru + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +c.a TXT "local data 1st zone" +d.a A 127.0.0.1 +TEMPFILE_END + +rpz: + name: "wl.example.com." + rpz-log: yes + rpz-log-name: "wl.example.com" + zonefile: +TEMPFILE_NAME wl.example.com +TEMPFILE_CONTENTS wl.example.com +$ORIGIN example.com. +wl 3600 IN SOA ns1.wl.example.com. hostmaster.wl.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.wl.example.com. + 3600 IN NS ns2.wl.example.com. +$ORIGIN wl.example.com. +e.a CNAME rpz-passthru. +TEMPFILE_END + +rpz: + name: "rpz2.example.com." + rpz-log: yes + rpz-log-name: "rpz2.example.com" + rpz-action-override: nxdomain + zonefile: +TEMPFILE_NAME rpz2.example.com +TEMPFILE_CONTENTS rpz2.example.com +$ORIGIN example.com. +rpz2 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz2.example.com. +c.a TXT "local data 2nd zone" +24.0.5.0.192.rpz-client-ip A 127.0.0.1 +24.0.5.0.192.rpz-client-ip TXT "clientip 2nd zone" +24.0.3.2.1.rpz-ip A 127.0.0.2 +TEMPFILE_END + +stub-zone: + name: "a." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test RPZ passthru ends processing for later triggers. + +; a. +RANGE_BEGIN 0 1000 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. 
IN TXT "answer from upstream ns" +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d.a. IN A +SECTION ANSWER +d.a. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e.a. IN A +SECTION ANSWER +e.a. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +STEP 10 QUERY ADDRESS 192.0.5.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.a. IN TXT +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN TXT "answer from upstream ns" +ENTRY_END + +STEP 20 QUERY ADDRESS 192.0.2.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.a. IN A +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +d.a. IN A +SECTION ANSWER +d.a. IN A 1.2.3.4 +ENTRY_END + +STEP 30 QUERY ADDRESS 192.0.2.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +e.a. IN A +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +e.a. IN A +SECTION ANSWER +e.a. IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/rpz_qname.rpl b/testdata/rpz_qname.rpl index 7940e9392..aae55b573 100644 --- a/testdata/rpz_qname.rpl +++ b/testdata/rpz_qname.rpl @@ -6,6 +6,8 @@ server: rpz: name: "rpz.example.com." + rpz-log: yes + rpz-log-name: "rpz.example.com" zonefile: TEMPFILE_NAME rpz.example.com TEMPFILE_CONTENTS rpz.example.com @@ -20,10 +22,13 @@ a CNAME *. ; duplicate CNAME here on purpose *.a TXT "wildcard local data" b.a CNAME *. c.a CNAME rpz-passthru. +c.g CNAME rpz-passthru. TEMPFILE_END rpz: name: "rpz2.example.com." + rpz-log: yes + rpz-log-name: "rpz2.example.com" zonefile: TEMPFILE_NAME rpz2.example.com TEMPFILE_CONTENTS rpz2.example.com @@ -38,6 +43,8 @@ d TXT "local data 2nd zone" e CNAME *.a.example. *.e CNAME *.b.example. drop CNAME rpz-drop. +tcp CNAME rpz-tcp-only. +c.g CNAME . TEMPFILE_END stub-zone: 
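Review bot: Every `CHECK_ANSWER` in the new `rpz_passthru.rpl` scenario expects the plain upstream answer, so the test also passes if `rpz2.example.com.` is never loaded or its triggers never match; nothing shows that the later zone would have acted without the earlier passthru. I would add one control query from 192.0.5.1 for a name that neither `rpz.example.com.` nor `wl.example.com.` lists and expect the `rpz-action-override: nxdomain` result from the client-ip trigger. The flags in the sketch below are modelled on `STEP 21` of `rpz_clientip.rpl` and need confirming against testbound.

```text
; … unchanged: STEP 10 to STEP 31 …

; control: no earlier passthru applies, so the rpz2 client-ip trigger must act
STEP 40 QUERY ADDRESS 192.0.5.1
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
x.a. IN TXT
ENTRY_END

STEP 41 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA NXDOMAIN
SECTION QUESTION
x.a. IN TXT
SECTION ANSWER
ENTRY_END

SCENARIO_END
```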
@@ -46,12 +53,18 @@ stub-zone: stub-zone: name: "example." stub-addr: 10.20.30.50 +stub-zone: + name: "tcp." + stub-addr: 10.20.30.60 +stub-zone: + name: "g." + stub-addr: 10.20.30.40 CONFIG_END SCENARIO_BEGIN Test all support RPZ action for QNAME trigger ; a. -RANGE_BEGIN 0 100 +RANGE_BEGIN 0 1000 ADDRESS 10.20.30.40 ENTRY_BEGIN MATCH opcode qtype qname @@ -85,10 +98,20 @@ SECTION ANSWER x.b.a. IN TXT "answer from upstream ns" ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.g. IN TXT +SECTION ANSWER +c.g. IN TXT "answer from upstream ns" +ENTRY_END + RANGE_END ; example. -RANGE_BEGIN 0 100 +RANGE_BEGIN 0 1000 ADDRESS 10.20.30.50 ENTRY_BEGIN MATCH opcode qtype qname @@ -122,6 +145,42 @@ SECTION ANSWER something.e.b.example. IN TXT "*.b.example. answer from upstream ns" ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f.example. IN TXT +SECTION ANSWER +f.example. IN CNAME d. +ENTRY_END + +RANGE_END + +; tcp. +RANGE_BEGIN 0 1000 + ADDRESS 10.20.30.60 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +tcp. IN NS +SECTION ANSWER +tcp. IN NS ns.example. +SECTION ADDITIONAL +ns.tcp IN A 10.20.30.60 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +tcp. IN TXT +SECTION ANSWER +tcp. IN TXT "tcp. answer from upstream ns" +ENTRY_END RANGE_END STEP 10 QUERY 
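Review bot: In the new `tcp.` range the NS target and its glue disagree: the answer is `tcp. IN NS ns.example.` while the additional record is `ns.tcp IN A 10.20.30.60`, which also has no trailing dot. This is probably harmless because the `tcp.` stub-zone added in the first hunk of this file already pins 10.20.30.60, but the mismatch makes it unclear which name the test relies on. I would make them agree, `tcp. IN NS ns.tcp.` and `ns.tcp. IN A 10.20.30.60`.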
@@ -295,10 +354,84 @@ something.e.b.example. IN TXT "*.b.example. answer from upstream ns" ENTRY_END ; deny zone -STEP 90 QUERY +;STEP 90 QUERY +;ENTRY_BEGIN +;SECTION QUESTION +;drop. IN TXT +;ENTRY_END + +; tcp-only action + +STEP 95 QUERY ENTRY_BEGIN +REPLY RD SECTION QUESTION -drop. IN TXT +tcp. IN TXT ENTRY_END + +STEP 96 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA TC NOERROR +SECTION QUESTION +tcp. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 97 QUERY +ENTRY_BEGIN +MATCH TCP +REPLY RD +SECTION QUESTION +tcp. IN TXT +ENTRY_END + +STEP 98 CHECK_ANSWER +ENTRY_BEGIN +MATCH all TCP +REPLY QR RD RA NOERROR +SECTION QUESTION +tcp. IN TXT +SECTION ANSWER +tcp. IN TXT "tcp. answer from upstream ns" +ENTRY_END + +; check if the name after the CNAME has the qname trigger applied to it. +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f.example. IN TXT +ENTRY_END + +STEP 101 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +f.example. IN TXT +SECTION ANSWER +f.example. IN CNAME d. +d. IN TXT "local data 2nd zone" +ENTRY_END + +; check if passthru ends processing +STEP 110 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.g. IN TXT +ENTRY_END + +STEP 111 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.g. IN TXT +SECTION ANSWER +c.g. IN TXT "answer from upstream ns" +ENTRY_END + ; no answer is checked at exit of testbound. SCENARIO_END diff --git a/testdata/rpz_qname_tcponly.rpl b/testdata/rpz_qname_tcponly.rpl new file mode 100644 index 000000000..d30b88616 --- /dev/null +++ b/testdata/rpz_qname_tcponly.rpl 
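Review bot: Commenting out `STEP 90` removes this scenario's only query against the `drop CNAME rpz-drop.` rule, and the hunk gives no reason for it. Presumably a dropped query can only be the last step, since the closing comment `; no answer is checked at exit of testbound.` still refers to it and new steps 95 to 111 now follow. If that is the reason, move the `drop. IN TXT` query after `STEP 111` rather than disabling it. Otherwise delete the dead lines and add a comment saying where the drop action is covered, for example `; rpz-drop is exercised in <test file>`.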
@@ -0,0 +1,117 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + +rpz: + name: "rpz.example.com." + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +a.a CNAME rpz-passthru. +b.a CNAME rpz-tcp-only. +TEMPFILE_END + +stub-zone: + name: "a." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test RPZ qname trigger and tcp-only action + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN NS +SECTION ANSWER +a. IN NS ns.a. +SECTION ADDITIONAL +ns.a IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "upstream txt rr a.a." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +b.a. IN TXT +SECTION ANSWER +b.a. IN TXT "upstream txt rr b.a." +ENTRY_END + +RANGE_END + +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "upstream txt rr a.a." +ENTRY_END + +STEP 20 QUERY +ENTRY_BEGIN +MATCH UDP +REPLY RD +SECTION QUESTION +b.a. IN TXT +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all UDP +REPLY QR AA TC RD RA NOERROR +SECTION QUESTION +b.a. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 30 QUERY +ENTRY_BEGIN +MATCH TCP +REPLY RD +SECTION QUESTION +b.a. IN TXT +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all TCP +REPLY QR RD RA NOERROR +SECTION QUESTION +b.a. IN TXT +SECTION ANSWER +b.a. IN TXT "upstream txt rr b.a." 
+ENTRY_END + +SCENARIO_END diff --git a/testdata/rpz_respip.rpl b/testdata/rpz_respip.rpl index 94f998be6..894a7cc5f 100644 --- a/testdata/rpz_respip.rpl +++ b/testdata/rpz_respip.rpl @@ -20,6 +20,7 @@ $ORIGIN rpz.example.com. 16.0.0.10.10.rpz-ip CNAME . 24.0.10.10.10.rpz-ip CNAME rpz-drop. 32.10.10.10.10.rpz-ip CNAME rpz-passthru. +32.1.1.1.10.rpz-ip CNAME rpz-tcp-only. 32.zz.db8.2001.rpz-ip CNAME *. 48.zz.aa.db8.2001.rpz-ip CNAME . 64.zz.bb.aa.db8.2001.rpz-ip CNAME rpz-drop. @@ -217,6 +218,16 @@ SECTION ANSWER h. IN AAAA 2001:db8:aa:bb:cc::124 ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +y. IN A +SECTION ANSWER +y. IN A 10.1.1.1 +ENTRY_END + RANGE_END STEP 1 QUERY @@ -446,4 +457,21 @@ SECTION QUESTION e. IN AAAA ENTRY_END STEP 29 TIME_PASSES ELAPSE 12 + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +y. IN A +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR TC RD RA NOERROR +SECTION QUESTION +y. IN A +SECTION ANSWER +ENTRY_END + SCENARIO_END diff --git a/testdata/rpz_respip_tcponly.rpl b/testdata/rpz_respip_tcponly.rpl new file mode 100644 index 000000000..c495de203 --- /dev/null +++ b/testdata/rpz_respip_tcponly.rpl 
@@ -0,0 +1,207 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + +rpz: + name: "rpz.example.com." + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +8.0.0.0.10.rpz-ip CNAME *. +16.0.0.10.10.rpz-ip CNAME . +24.0.10.10.10.rpz-ip CNAME rpz-drop. +32.10.10.10.10.rpz-ip CNAME rpz-passthru. +32.1.1.1.10.rpz-ip CNAME rpz-tcp-only. +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test RPZ response IP address trigger and tcp-only action + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS ns. +SECTION ADDITIONAL +ns. IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN A +SECTION ANSWER +a. IN A 10.0.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +b. IN A +SECTION ANSWER +b. IN A 10.1.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c. IN A +SECTION ANSWER +c. IN A 10.11.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d. IN A +SECTION ANSWER +d. IN A 10.10.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f. IN A +SECTION ANSWER +f. IN A 10.10.10.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +y. IN A +SECTION ANSWER +y. 
IN A 10.1.1.1 +ENTRY_END + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN A +ENTRY_END + +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a. IN A +SECTION ANSWER +ENTRY_END + +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN A +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +b. IN A +SECTION ANSWER +ENTRY_END + +STEP 13 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN A +ENTRY_END + +STEP 14 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +d. IN A +SECTION ANSWER +ENTRY_END + +STEP 17 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f. IN A +ENTRY_END + +STEP 18 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +f. IN A +SECTION ANSWER +f. IN A 10.10.10.10 +ENTRY_END + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +y. IN A +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR TC RD RA NOERROR +SECTION QUESTION +y. IN A +SECTION ANSWER +ENTRY_END + +STEP 40 QUERY +ENTRY_BEGIN +MATCH TCP +REPLY RD +SECTION QUESTION +y. IN A +ENTRY_END + +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all TCP +REPLY QR RD RA NOERROR +SECTION QUESTION +y. IN A +SECTION ANSWER +y. IN A 10.1.1.1 +ENTRY_END + +SCENARIO_END diff --git a/testdata/rpz_signal_nxdomain_ra.rpl b/testdata/rpz_signal_nxdomain_ra.rpl new file mode 100644 index 000000000..b89498cf9 --- /dev/null +++ b/testdata/rpz_signal_nxdomain_ra.rpl 
@@ -0,0 +1,254 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + access-control: 192.0.0.0/8 allow + +rpz: + name: "rpz.example.com." + rpz-signal-nxdomain-ra: yes + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +a.a CNAME . +b.a CNAME . +ns1.a.rpz-nsdname CNAME . +24.0.0.0.192.rpz-nsip CNAME . +24.0.3.0.192.rpz-client-ip CNAME . +TEMPFILE_END + +stub-zone: + name: "a." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test RPZ qname trigger and signal NXDOMAIN with unset RA. + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN NS +SECTION ANSWER +a. IN NS ns.a. +SECTION ADDITIONAL +ns.a IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "upstream txt rr a.a." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +b.a. IN TXT +SECTION ANSWER +b.a. IN TXT "upstream txt rr b.a." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN CNAME b.a +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +d.a. IN NS +SECTION ANSWER +SECTION AUTHORITY +d.a. IN NS ns1.a. +SECTION ADDITIONAL +ns1.a. IN A 10.20.30.50 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +e.a. IN NS +SECTION ANSWER +SECTION AUTHORITY +e.a. IN NS ns2.a. +SECTION ADDITIONAL +ns2.a. 
IN A 192.0.0.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f.a. IN TXT +SECTION ANSWER +f.a. IN TXT "upstream txt rr f.a." +ENTRY_END + +RANGE_END + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.50 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d.a. IN NS +SECTION ANSWER +d.a. IN NS ns1.a. +SECTION ADDITIONAL +ns1.a. IN A 10.20.30.50 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d.d.a. IN TXT +SECTION ANSWER +d.d.a. IN TXT "upstream answer for d.d.a" +ENTRY_END + +RANGE_END + +RANGE_BEGIN 0 100 + ADDRESS 192.0.0.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e.a. IN NS +SECTION ANSWER +e.a. IN NS ns2.a. +SECTION ADDITIONAL +ns2.a. IN A 192.0.0.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e.e.a. IN TXT +SECTION ANSWER +e.e.a. IN TXT "upstream answer for e.e.a" +ENTRY_END + +RANGE_END + +; qname trigger +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +ENTRY_END + +; qname trigger after cname +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.a. IN TXT +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN CNAME b.a +ENTRY_END + +; nsdname trigger +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.d.a. IN TXT +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +d.d.a. IN TXT +SECTION ANSWER +ENTRY_END + +; nsip trigger +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +e.e.a. IN TXT +ENTRY_END + +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +e.e.a. 
IN TXT +SECTION ANSWER +ENTRY_END + +; clientip trigger +STEP 50 QUERY ADDRESS 192.0.3.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f.a. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD NXDOMAIN +SECTION QUESTION +f.a. IN TXT +SECTION ANSWER +ENTRY_END + +SCENARIO_END diff --git a/testdata/stream_ssl.tdir/stream_ssl.clie.conf b/testdata/stream_ssl.tdir/stream_ssl.clie.conf index 4643c6d55..923ab1fb5 100644 --- a/testdata/stream_ssl.tdir/stream_ssl.clie.conf +++ b/testdata/stream_ssl.tdir/stream_ssl.clie.conf @@ -16,3 +16,7 @@ server: forward-zone: name: "." forward-addr: "127.0.0.1@@SERVPORT@#unbound" + +forward-zone: + name: "test.host." + forward-host: "unbound.server@@SERVPORT@#unbound" diff --git a/testdata/stream_ssl.tdir/stream_ssl.serv.conf b/testdata/stream_ssl.tdir/stream_ssl.serv.conf index c77e39fc5..a5dfcf364 100644 --- a/testdata/stream_ssl.tdir/stream_ssl.serv.conf +++ b/testdata/stream_ssl.tdir/stream_ssl.serv.conf @@ -10,6 +10,8 @@ server: username: "" do-not-query-localhost: yes local-data: "www.example.com. IN A 10.20.30.40" + local-data: "unbound.server. IN A 127.0.0.1" + local-data: "test.host. IN A 1.2.3.4" ssl-port: @SERVPORT@ ssl-service-key: "unbound_server.key" ssl-service-pem: "unbound_server.pem" diff --git a/testdata/stream_ssl.tdir/stream_ssl.test b/testdata/stream_ssl.tdir/stream_ssl.test index b5bc2d911..39972a844 100644 --- a/testdata/stream_ssl.tdir/stream_ssl.test +++ b/testdata/stream_ssl.tdir/stream_ssl.test 
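Review bot: Every `CHECK_ANSWER` in rpz_signal_nxdomain_ra.rpl expects a rewritten NXDOMAIN with RA cleared, so nothing checks that answers the RPZ zone does not touch still carry RA; a regression that cleared RA on every reply would pass this test. I would add a query that matches no trigger (for instance `f.a. IN TXT` from a client outside 192.0.3.0/24, assuming the default test client address is not in that range) and expect `REPLY QR RD RA NOERROR` with the upstream TXT. The zone also has no `rpz-ip` record, so the response-IP path of `rpz-signal-nxdomain-ra` is not exercised. The `SCENARIO_BEGIN` title mentions only the qname trigger, although nsdname, nsip and client-ip are tested as well.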
@@ -73,4 +73,38 @@ else exit 1 fi +rm -f outfile + +# test client unbound (no SSL towards it, but it does SSL to the SSL service) +# test that forward-host notation also works. +echo "> dig test.host. A IN" +dig @127.0.0.1 -p $CLIE_PORT test.host. >outfile 2>&1 +if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + echo "SSLSERVICE" + cat unboundserv.log + echo "SSLCLIENT" + cat unboundclie.log + echo "Not OK" + exit 1 +else + echo "exit status OK" +fi +echo "> cat logfiles" +cat outfile +echo "SSLSERVICE" +cat unboundserv.log +echo "SSLCLIENT" +cat unboundclie.log +echo "> check answer" +if grep "1.2.3.4" outfile; then + echo "OK" +else + echo "Not OK" + exit 1 +fi + +rm -f outfile exit 0 diff --git a/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.conf b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.conf new file mode 100644 index 000000000..d57c787b1 --- /dev/null +++ b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.conf @@ -0,0 +1,19 @@ +server: + verbosity: 2 + # num-threads: 1 + interface: 127.0.0.1 + port: @PORT@ + use-syslog: no + directory: "" + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no +stub-zone: + name: "tcp.example.com" + stub-addr: "127.0.0.1@@TOPORT@" + stub-tcp-upstream: "yes" +stub-zone: + name: "udp.example.com" + stub-addr: "127.0.0.1@@TOPORT@" + stub-tcp-upstream: "no" \ No newline at end of file diff --git a/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.dsc b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.dsc new file mode 100644 index 000000000..526ff67f9 --- /dev/null +++ b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.dsc 
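Review bot: The answer check `grep "1.2.3.4" outfile` in the stream_ssl.test hunk treats the dots as regex wildcards and matches anywhere in dig's output, so it is looser than the record the test relies on (`test.host. IN A 1.2.3.4` in the server config). `grep -F "1.2.3.4" outfile`, or a pattern anchored on the `test.host.` answer line, would pin it to the intended record. The new block only shows that an answer came back through the `forward-host` entry. Whether the `#unbound` authentication name is actually verified depends on client settings not visible in this diff, so a comment stating what the test does and does not assert would help. The script begins outside the hunk.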
@@ -0,0 +1,16 @@
+BaseName: stub_udp_with_tcp_upstream
+Version: 1.0
+Description: Stub server contacted via UDP with tcp upstream.
+CreationDate: Thu Aug 5 07:44:41 CEST 2021
+Maintainer: ziollek
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: stub_udp_with_tcp_upstream.pre
+Post: stub_udp_with_tcp_upstream.post
+Test: stub_udp_with_tcp_upstream.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.post b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.post
new file mode 100644
index 000000000..c804b6c46
--- /dev/null
+++ b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.post
@@ -0,0 +1,10 @@
+# #-- stub_udp_with_tcp_upstream.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.pre b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.pre
new file mode 100644
index 000000000..2bca63b9d
--- /dev/null
+++ b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.pre
@@ -0,0 +1,35 @@ +# #-- stub_udp_with_tcp_upstream.pre--# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test +. ../common.sh + +get_random_port 2 +UNBOUND_PORT=$RND_PORT +FWD_PORT=$(($RND_PORT + 1)) +echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test +echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test + +# start forwarder +get_ldns_testns +$LDNS_TESTNS -p $FWD_PORT stub_udp_with_tcp_upstream.testns >fwd.log 2>&1 & +FWD_PID=$! +echo "FWD_PID=$FWD_PID" >> .tpkg.var.test + +# make config file +sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < stub_udp_with_tcp_upstream.conf > ub.conf +# start unbound in the background +PRE="../.." +$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test + +cat .tpkg.var.test + +# wait for forwarder to come up +wait_ldns_testns_up fwd.log + +# wait for unbound to come up +wait_unbound_up unbound.log + diff --git a/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.test b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.test new file mode 100644 index 000000000..43591ac16 --- /dev/null +++ b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.test 
@@ -0,0 +1,37 @@ +# #-- stub_udp_with_tcp_upstream.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +# do the test +echo "> dig tcp.example.com." +dig @127.0.0.1 -p $UNBOUND_PORT tcp.example.com. | tee outfile +echo "> cat logfiles" +cat fwd.log +cat unbound.log +echo "> check answer" +if grep "10.20.30.40" outfile; then + echo "OK" +else + echo "Not OK" + exit 1 +fi + + +# check if second stub is requested via udp +echo "> dig udp.example.com." +dig @127.0.0.1 -p $UNBOUND_PORT udp.example.com. | tee outfile +echo "> cat logfiles" +cat fwd.log +cat unbound.log +echo "> check answer" +if grep "10.20.30.80" outfile; then + echo "OK" +else + echo "Not OK" + exit 1 +fi + +exit 0 diff --git a/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.testns b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.testns new file mode 100644 index 000000000..f2155414e --- /dev/null +++ b/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.testns @@ -0,0 +1,48 @@ +; nameserver test file +$ORIGIN example.com. +$TTL 3600 + +ENTRY_BEGIN +MATCH opcode qtype qname +MATCH TCP +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +tcp IN A +SECTION ANSWER +tcp IN A 10.20.30.40 +SECTION AUTHORITY +@ IN NS ns.example.com. +SECTION ADDITIONAL +ns IN A 127.0.0.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +MATCH UDP +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +udp IN A +SECTION ANSWER +udp IN A 10.20.30.80 +SECTION AUTHORITY +@ IN NS ns.example.com. +SECTION ADDITIONAL +ns IN A 127.0.0.1 +ENTRY_END + +; root prime +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS root.server. +SECTION AUTHORITY +SECTION ADDITIONAL +root.server. IN A 127.0.0.1 +ENTRY_END + 
diff --git a/testdata/svcb.tdir/crypto.cloudflare.com.zone b/testdata/svcb.tdir/crypto.cloudflare.com.zone new file mode 100644 index 000000000..53c89c735 --- /dev/null +++ b/testdata/svcb.tdir/crypto.cloudflare.com.zone @@ -0,0 +1,9 @@ +crypto.cloudflare.com. 3600 IN SOA jobs.ns.cloudflare.com. dns.cloudflare.com. ( + 2037099480 ; serial + 10000 ; refresh (2 hours 46 minutes 40 seconds) + 2400 ; retry (40 minutes) + 604800 ; expire (1 week) + 3600 ; minimum (1 hour) + ) +crypto.cloudflare.com. 300 IN HTTPS 1 . alpn=h2 ipv4hint=162.159.135.79,162.159.136.79 echconfig=AEj+CgBETwAgACDeVpr34JzYHDGNFoGWhksj5mpBxradonbqH3X9+h7jHgAEAAEAAQAAABNjbG91ZGZsYXJlLWVzbmkuY29tAAA= ipv6hint=2606:4700:7::a29f:874f,2606:4700:7::a29f:884f + diff --git a/testdata/svcb.tdir/svcb.dsc b/testdata/svcb.tdir/svcb.dsc new file mode 100644 index 000000000..6eae7638e --- /dev/null +++ b/testdata/svcb.tdir/svcb.dsc @@ -0,0 +1,16 @@ +BaseName: svcb +Version: 1.0 +Description: Test SVCB and HTTPS parsing +CreationDate: Fri May 25 12:51:22 UTC 2021 +Maintainer: Tom Carpay +Category: +Component: +CmdDepends: +Depends: +Help: +Pre: +Post: +Test: svcb.test +AuxFiles: +Passed: +Failure: diff --git a/testdata/svcb.tdir/svcb.failure-cases-01 b/testdata/svcb.tdir/svcb.failure-cases-01 new file mode 100644 index 000000000..c60151692 --- /dev/null +++ b/testdata/svcb.tdir/svcb.failure-cases-01 @@ -0,0 +1,9 @@ +$ORIGIN failure-cases. +$TTL 3600 + +@ SOA primary admin 0 0 0 0 0 + +; Here there are multiple instances of the same SvcParamKey in the mandatory list + +f21 HTTPS 1 foo.example.com. ech="123" +f21 HTTPS 1 foo.example.com. echconfig="123" diff --git a/testdata/svcb.tdir/svcb.failure-cases-02 b/testdata/svcb.tdir/svcb.failure-cases-02 new file mode 100644 index 000000000..9d6f0186d --- /dev/null +++ b/testdata/svcb.tdir/svcb.failure-cases-02 
@@ -0,0 +1,8 @@ +$ORIGIN failure-cases. +$TTL 3600 + +@ SOA primary admin 0 0 0 0 0 + +; Port must be a positive number < 65536 + +f22 HTTPS 1 foo.example.com. port=65536 diff --git a/testdata/svcb.tdir/svcb.failure-cases-03 b/testdata/svcb.tdir/svcb.failure-cases-03 new file mode 100644 index 000000000..bb819daae --- /dev/null +++ b/testdata/svcb.tdir/svcb.failure-cases-03 @@ -0,0 +1,8 @@ +$ORIGIN failure-cases. +$TTL 3600 + +@ SOA primary admin 0 0 0 0 0 + +; 65 SvcParams is too many SvcParams; the limit is 64 + +f23 HTTPS 1 foo.example.com. ( key11=a key12=a key13=a key14=a key15=a key16=a key17=a key18=a key19=a key110=a key111=a key112=a key113=a key114=a key115=a key116=a key117=a key118=a key119=a key120=a key121=a key122=a key123=a key124=a key125=a key126=a key127=a key128=a key129=a key130=a key131=a key132=a key133=a key134=a key135=a key136=a key137=a key138=a key139=a key140=a key141=a key142=a key143=a key144=a key145=a key146=a key147=a key148=a key149=a key150=a key151=a key152=a key153=a key154=a key155=a key156=a key157=a key158=a key159=a key160=a key161=a key162=a key163=a key164=a key165=a ) \ No newline at end of file diff --git a/testdata/svcb.tdir/svcb.failure-cases-04 b/testdata/svcb.tdir/svcb.failure-cases-04 new file mode 100644 index 000000000..ae02ac417 --- /dev/null +++ b/testdata/svcb.tdir/svcb.failure-cases-04 @@ -0,0 +1,8 @@ +$ORIGIN failure-cases. +$TTL 3600 + +@ SOA primary admin 0 0 0 0 0 + +; 256 is too many characters for an alpn; maximum is 255 + +f23 HTTPS 1 foo.example.com. ( alpn="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ) \ No newline at end of file diff --git a/testdata/svcb.tdir/svcb.success-cases.zone b/testdata/svcb.tdir/svcb.success-cases.zone new file mode 100644 index 000000000..5d6339542 --- /dev/null 
+++ b/testdata/svcb.tdir/svcb.success-cases.zone @@ -0,0 +1,47 @@ +$ORIGIN success-cases. +$TTL 3600 + +@ SOA primary admin 0 0 0 0 0 + + +; A particular key does not need to have a value + +s01 SVCB 0 . key123 + + +; echconfig does not need to have a value + +s02 SVCB 0 . echconfig + + +; When "no-default-alpn" is specified in an RR, "alpn" must also be specified +; in order for the RR to be "self-consistent" + +s03 HTTPS 0 . alpn="h2,h3" no-default-alpn + + +; SHOULD is not MUST (so allowed) +; Zone-file implementations SHOULD enforce self-consistency + +s04 HTTPS 0 . no-default-alpn + + +; SHOULD is not MUST (so allowed) +; (port and no-default-alpn are automatically mandatory keys with HTTPS) +; Other automatically mandatory keys SHOULD NOT appear in the list either. + +s05 HTTPS 0 . alpn="dot" no-default-alpn port=853 mandatory=port + +; Any valid base64 is okay for ech +s06 HTTPS 0 . ech="aGVsbG93b3JsZCE=" + +; echconfig is an alias for ech +s07 HTTPS 0 . echconfig="aGVsbG93b3JsZCE=" + +; maximum size allowed in a svcb rdata set (63 SvcParams) + +s08 HTTPS 0 . ( key11=a key12=a key13=a key14=a key15=a key16=a key17=a key18=a key19=a key110=a key111=a key112=a key113=a key114=a key115=a key116=a key117=a key118=a key119=a key120=a key121=a key122=a key123=a key124=a key125=a key126=a key127=a key128=a key129=a key130=a key131=a key132=a key133=a key134=a key135=a key136=a key137=a key138=a key139=a key140=a key141=a key142=a key143=a key144=a key145=a key146=a key147=a key148=a key149=a key150=a key151=a key152=a key153=a key154=a key155=a key156=a key157=a key158=a key159=a key160=a key161=a key162=a key163=a) + +; maximum alpn size allowed (255 characters) + +s09 HTTPS 0 . ( alpn="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ) 
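Review bot: The SvcParams boundary is not tested at the limit itself, and the comments disagree about it. `s08` is described as the maximum allowed and carries 63 keys (`key11`..`key19`, `key110`..`key163`), while svcb.failure-cases-03 says `the limit is 64` and carries 65. A record with exactly 64 keys is therefore neither accepted nor rejected by any case, which is the off-by-one a parser bound is most likely to get wrong. I would either add a 64-key record on whichever side the parser is meant to put it, or correct the comments so both files state the same limit.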
diff --git a/testdata/svcb.tdir/svcb.success-cases.zone.cmp b/testdata/svcb.tdir/svcb.success-cases.zone.cmp new file mode 100644 index 000000000..e504e7b18 --- /dev/null +++ b/testdata/svcb.tdir/svcb.success-cases.zone.cmp @@ -0,0 +1,10 @@ +success-cases. 3600 IN SOA primary.success-cases. admin.success-cases. 0 0 0 0 0 +s01.success-cases. 3600 IN SVCB 0 . key123 +s02.success-cases. 3600 IN SVCB 0 . ech +s03.success-cases. 3600 IN HTTPS 0 . alpn="h2,h3" no-default-alpn +s04.success-cases. 3600 IN HTTPS 0 . no-default-alpn +s05.success-cases. 3600 IN HTTPS 0 . mandatory=port alpn="dot" no-default-alpn port=853 +s06.success-cases. 3600 IN HTTPS 0 . ech="aGVsbG93b3JsZCE=" +s07.success-cases. 3600 IN HTTPS 0 . ech="aGVsbG93b3JsZCE=" +s08.success-cases. 3600 IN HTTPS 0 . key11="a" key12="a" key13="a" key14="a" key15="a" key16="a" key17="a" key18="a" key19="a" key110="a" key111="a" key112="a" key113="a" key114="a" key115="a" key116="a" key117="a" key118="a" key119="a" key120="a" key121="a" key122="a" key123="a" key124="a" key125="a" key126="a" key127="a" key128="a" key129="a" key130="a" key131="a" key132="a" key133="a" key134="a" key135="a" key136="a" key137="a" key138="a" key139="a" key140="a" key141="a" key142="a" key143="a" key144="a" key145="a" key146="a" key147="a" key148="a" key149="a" key150="a" key151="a" key152="a" key153="a" key154="a" key155="a" key156="a" key157="a" key158="a" key159="a" key160="a" key161="a" key162="a" key163="a" +s09.success-cases. 3600 IN HTTPS 0 . alpn="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" diff --git a/testdata/svcb.tdir/svcb.test b/testdata/svcb.tdir/svcb.test new file mode 100644 index 000000000..17330e08f --- /dev/null +++ b/testdata/svcb.tdir/svcb.test 
@@ -0,0 +1,97 @@ +# #-- svcb.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + + +# check and write the test vectors in their respective formats +PRE=../.. +if ! $PRE/readzone svcb.test-vectors-pf.zone > svcb.test-vectors-pf.zone.out +then + echo "Could not parse presentation format zone" + exit 1 + +elif ! $PRE/readzone svcb.test-vectors-pf.zone.out > svcb.test-vectors-pf.zone.out.out +then + echo "Could not parse output from presentation format zone" + exit 1 + +elif ! $PRE/readzone svcb.test-vectors-wf.zone > svcb.test-vectors-wf.zone.out +then + echo "Could not parse RFC3597 formatted zone" + exit 1 + +elif ! $PRE/readzone svcb.test-vectors-wf.zone.out > svcb.test-vectors-wf.zone.out.out +then + echo "Could not parse output from RFC3597 formatted zone" + exit 1 +else + echo "All test zones parsed successfully" +fi + + +# check the formatting of the written files +if ! diff svcb.test-vectors-pf.zone.out svcb.test-vectors-pf.zone.out.out +then + echo "Parsing inconsistency 1" + exit 1 + +elif ! diff svcb.test-vectors-pf.zone.out svcb.test-vectors-wf.zone.out +then + echo "Parsing inconsistency 2" + exit 1 + +elif ! 
diff svcb.test-vectors-pf.zone.out svcb.test-vectors-wf.zone.out.out +then + echo "Parsing inconsistency 3" + exit 1 +else + echo "Parsing of SVCB and HTTPS was consistent" +fi + + +# check all the failure cases +if $PRE/readzone svcb.failure-cases-01 +then + echo "Failure case 01: ech value is not base64 encoded" + echo "Incorrectly succeeded" + exit 1 + +elif $PRE/readzone svcb.failure-cases-02 +then + echo "Failure case 02: port value needs to be a positive integer < 65536" + echo "Incorrectly succeeded" + exit 1 + +elif $PRE/readzone svcb.failure-cases-03 +then + echo "Failure case 02: 65 SvcParams is too many SvcParams; the limit is 64" + echo "Incorrectly succeeded" + exit 1 + +elif $PRE/readzone svcb.failure-cases-04 +then + echo "Failure case 04: 256 is too many characters for an alpn; maximum is 255" + echo "Incorrectly succeeded" + exit 1 +else + echo "All failure cases test successfully" +fi + + +# check all the success and write them +if ! $PRE/readzone svcb.success-cases.zone > svcb.success-cases.zone.out +then + echo "Some particular success cases did not succeed to parse" + exit 1 + +elif ! diff svcb.success-cases.zone.out svcb.success-cases.zone.cmp +then + echo "Some success cases could not be printed" + exit 1 +else + echo "All particular success cases parsed and printed successfully" +fi + + diff --git a/testdata/svcb.tdir/svcb.test-vectors-pf.zone b/testdata/svcb.tdir/svcb.test-vectors-pf.zone new file mode 100644 index 000000000..d2cb5087b --- /dev/null +++ b/testdata/svcb.tdir/svcb.test-vectors-pf.zone 
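Review bot: Two of the failure-case messages in svcb.test do not match what is being tested. The branch for `svcb.failure-cases-03` prints `Failure case 02: ...` and should read `echo "Failure case 03: 65 SvcParams is too many SvcParams; the limit is 64"`. The case-01 message says the ech value is not base64 encoded, while the comment inside svcb.failure-cases-01 talks about duplicate keys in the mandatory list. That file also holds two records (`ech="123"` and `echconfig="123"`), so readzone rejecting either one satisfies the check and the `echconfig` alias is never verified on its own. One record per failure file, with the comment and the echo text describing the same defect, would make each rejection independently checked.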
@@ -0,0 +1,92 @@
+$ORIGIN test-vectors.
+$TTL 3600
+
+@ SOA primary admin 1 3600 1800 7200 3600
+
+ NS primary
+primary A 127.0.0.1
+; D.1. AliasForm
+
+v01 SVCB 0 foo.example.com.
+
+; D.2. ServiceForm
+; The first form is the simple "use the ownername".
+
+v02 SVCB 1 .
+
+; This vector only has a port.
+
+v03 SVCB 16 foo.example.com. port=53
+
+; This example has a key that is not registered, its value is unquoted.
+
+v04 SVCB 1 foo.example.com. key667=hello
+
+; This example has a key that is not registered, its value is quoted and
+; contains a decimal-escaped character.
+
+v05 SVCB 1 foo.example.com. key667="hello\210qoo"
+
+; Here, two IPv6 hints are quoted in the presentation format.
+
+v06 SVCB 1 foo.example.com. ipv6hint="2001:db8::1,2001:db8::53:1"
+
+; This example shows a single IPv6 hint in IPv4 mapped IPv6 presentation format.
+
+v07 SVCB 1 example.com. ipv6hint="2001:db8:ffff:ffff:ffff:ffff:198.51.100.100"
+
+; In the next vector, neither the SvcParamValues nor the mandatory keys are
+; sorted in presentation format, but are correctly sorted in the wire-format.
+
+v08 SVCB 16 foo.example.org. (alpn=h2,h3-19 mandatory=ipv4hint,alpn
+ ipv4hint=192.0.2.1)
+
+; This last (two) vectors has an alpn value with an escaped comma and an
+; escaped backslash in two presentation formats.
+
+v09 SVCB 16 foo.example.org. alpn="f\\\\oo\\,bar,h2"
+v10 SVCB 16 foo.example.org. alpn=f\\\092oo\092,bar,h2
+
+
+; D.1. AliasForm
+
+v11 HTTPS 0 foo.example.com.
+
+; D.2. ServiceForm
+; The first form is the simple "use the ownername".
+
+v12 HTTPS 1 .
+
+; This vector only has a port.
+
+v13 HTTPS 16 foo.example.com. port=53
+
+; This example has a key that is not registered, its value is unquoted.
+
+v14 HTTPS 1 foo.example.com. key667=hello
+
+; This example has a key that is not registered, its value is quoted and
+; contains a decimal-escaped character.
+
+v15 HTTPS 1 foo.example.com. key667="hello\210qoo"
+
+; Here, two IPv6 hints are quoted in the presentation format.
+
+v16 HTTPS 1 foo.example.com. ipv6hint="2001:db8::1,2001:db8::53:1"
+
+; This example shows a single IPv6 hint in IPv4 mapped IPv6 presentation format.
+
+v17 HTTPS 1 example.com. ipv6hint="2001:db8:ffff:ffff:ffff:ffff:198.51.100.100"
+
+; In the next vector, neither the SvcParamValues nor the mandatory keys are
+; sorted in presentation format, but are correctly sorted in the wire-format.
+
+v18 HTTPS 16 foo.example.org. (alpn=h2,h3-19 mandatory=ipv4hint,alpn
+ ipv4hint=192.0.2.1)
+
+; This last (two) vectors has an alpn value with an escaped comma and an
+; escaped backslash in two presentation formats.
+
+v19 HTTPS 16 foo.example.org. alpn="f\\\\oo\\,bar,h2"
+v20 HTTPS 16 foo.example.org. alpn=f\\\092oo\092,bar,h2
+
diff --git a/testdata/svcb.tdir/svcb.test-vectors-wf.zone b/testdata/svcb.tdir/svcb.test-vectors-wf.zone
new file mode 100644
index 000000000..bf47ab75c
--- /dev/null
+++ b/testdata/svcb.tdir/svcb.test-vectors-wf.zone
@@ -0,0 +1,232 @@
+$ORIGIN test-vectors.
+$TTL 3600
+
+@ SOA primary admin 1 3600 1800 7200 3600
+
+ NS primary
+primary A 127.0.0.1
+
+; D.1. AliasForm
+
+v01 SVCB \# 19 (
+00 00 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+)
+
+; D.2. ServiceForm
+; The first form is the simple "use the ownername".
+
+v02 SVCB \# 3 (
+00 01 ; priority
+00 ; target (root label)
+)
+
+; This vector only has a port.
+
+v03 SVCB \# 25 (
+00 10 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+00 03 ; key 3
+00 02 ; length 2
+00 35 ; value
+)
+
+; This example has a key that is not registered, its value is unquoted.
+
+v04 SVCB \# 28 (
+00 01 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+02 9b ; key 667
+00 05 ; length 5
+68 65 6c 6c 6f ; value
+)
+
+; This example has a key that is not registered, its value is quoted and
+; contains a decimal-escaped character.
+
+v05 SVCB \# 32 (
+00 01 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+02 9b ; key 667
+00 09 ; length 9
+68 65 6c 6c 6f d2 71 6f 6f ; value
+)
+
+; Here, two IPv6 hints are quoted in the presentation format.
+
+v06 SVCB \# 55 (
+00 01 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+00 06 ; key 6
+00 20 ; length 32
+20 01 0d b8 00 00 00 00 00 00 00 00 00 00 00 01 ; first address
+20 01 0d b8 00 00 00 00 00 00 00 00 00 53 00 01 ; second address
+)
+
+; This example shows a single IPv6 hint in IPv4 mapped IPv6 presentation format.
+
+v07 SVCB \# 35 (
+00 01 ; priority
+07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+00 06 ; key 6
+00 10 ; length 16
+20 01 0d b8 ff ff ff ff ff ff ff ff c6 33 64 64 ; address
+)
+
+; In the next vector, neither the SvcParamValues nor the mandatory keys are
+; sorted in presentation format, but are correctly sorted in the wire-format.
+
+v08 SVCB \# 48 (
+00 10 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
+00 00 ; key 0
+00 04 ; param length 4
+00 01 ; value: key 1
+00 04 ; value: key 4
+00 01 ; key 1
+00 09 ; param length 9
+02 ; alpn length 2
+68 32 ; alpn value
+05 ; alpn length 5
+68 33 2d 31 39 ; alpn value
+00 04 ; key 4
+00 04 ; param length 4
+c0 00 02 01 ; param value
+)
+
+; This last (two) vectors has an alpn value with an escaped comma and an
+; escaped backslash in two presentation formats.
+
+v09 SVCB \# 35 (
+00 10 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
+00 01 ; key 1
+00 0c ; param length 12
+08 ; alpn length 8
+66 5c 6f 6f 2c 62 61 72 ; alpn value
+02 ; alpn length 2
+68 32 ; alpn value
+)
+v10 SVCB \# 35 (
+00 10 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
+00 01 ; key 1
+00 0c ; param length 12
+08 ; alpn length 8
+66 5c 6f 6f 2c 62 61 72 ; alpn value
+02 ; alpn length 2
+68 32 ; alpn value
+)
+
+; D.1. AliasForm
+
+v11 HTTPS \# 19 (
+00 00 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+)
+
+; D.2. ServiceForm
+; The first form is the simple "use the ownername".
+
+v12 HTTPS \# 3 (
+00 01 ; priority
+00 ; target (root label)
+)
+
+; This vector only has a port.
+
+v13 HTTPS \# 25 (
+00 10 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+00 03 ; key 3
+00 02 ; length 2
+00 35 ; value
+)
+
+; This example has a key that is not registered, its value is unquoted.
+
+v14 HTTPS \# 28 (
+00 01 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+02 9b ; key 667
+00 05 ; length 5
+68 65 6c 6c 6f ; value
+)
+
+; This example has a key that is not registered, its value is quoted and
+; contains a decimal-escaped character.
+
+v15 HTTPS \# 32 (
+00 01 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+02 9b ; key 667
+00 09 ; length 9
+68 65 6c 6c 6f d2 71 6f 6f ; value
+)
+
+; Here, two IPv6 hints are quoted in the presentation format.
+
+v16 HTTPS \# 55 (
+00 01 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+00 06 ; key 6
+00 20 ; length 32
+20 01 0d b8 00 00 00 00 00 00 00 00 00 00 00 01 ; first address
+20 01 0d b8 00 00 00 00 00 00 00 00 00 53 00 01 ; second address
+)
+
+; This example shows a single IPv6 hint in IPv4 mapped IPv6 presentation format.
+
+v17 HTTPS \# 35 (
+00 01 ; priority
+07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
+00 06 ; key 6
+00 10 ; length 16
+20 01 0d b8 ff ff ff ff ff ff ff ff c6 33 64 64 ; address
+)
+
+; In the next vector, neither the SvcParamValues nor the mandatory keys are
+; sorted in presentation format, but are correctly sorted in the wire-format.
+
+v18 HTTPS \# 48 (
+00 10 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
+00 00 ; key 0
+00 04 ; param length 4
+00 01 ; value: key 1
+00 04 ; value: key 4
+00 01 ; key 1
+00 09 ; param length 9
+02 ; alpn length 2
+68 32 ; alpn value
+05 ; alpn length 5
+68 33 2d 31 39 ; alpn value
+00 04 ; key 4
+00 04 ; param length 4
+c0 00 02 01 ; param value
+)
+
+; This last (two) vectors has an alpn value with an escaped comma and an
+; escaped backslash in two presentation formats.
+
+v19 HTTPS \# 35 (
+00 10 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
+00 01 ; key 1
+00 0c ; param length 12
+08 ; alpn length 8
+66 5c 6f 6f 2c 62 61 72 ; alpn value
+02 ; alpn length 2
+68 32 ; alpn value
+)
+v20 HTTPS \# 35 (
+00 10 ; priority
+03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
+00 01 ; key 1
+00 0c ; param length 12
+08 ; alpn length 8
+66 5c 6f 6f 2c 62 61 72 ; alpn value
+02 ; alpn length 2
+68 32 ; alpn value
+)
+
diff --git a/testdata/test_ldnsrr.5 b/testdata/test_ldnsrr.5 index c6e7ea2ba..2762ca82d 100644 --- a/testdata/test_ldnsrr.5 +++ b/testdata/test_ldnsrr.5 @@ -172,3 +172,5 @@ uri.arpa. 3600 IN ZONEMD 2018100702 1 1 ( 1291b78ddf7669b1a39d014 root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 ( f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a97 8a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79 ) ; from ldns issue #121, 0.10m was parsed as 0.01m. foo. 12345 IN LOC 12 45 52.333 N 105 40 33.452 W -24m 0.1m 0.1m 0.1m +; from ldns issue #147, fix #148, tab between quoted strings. +foo 12345 IN HINFO "hohum" "weirdo" diff --git a/testdata/test_ldnsrr.c5 b/testdata/test_ldnsrr.c5 index f30aa0b73..e86532c34 100644 --- a/testdata/test_ldnsrr.c5 +++ b/testdata/test_ldnsrr.c5 @@ -212,3 +212,5 @@ uri.arpa. 3600 IN ZONEMD 2018100702 1 1 1291B78DDF7669B1A39D014D87626B709B55774C root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 F1CA0CCD91BD5573D9F431C00EE0101B2545C97602BE0A978A3B11DBFC1C776D5B3E86AE3D973D6B5349BA7F04340F79 03666F6F00001D00010000303900100011111182BD2D4D69530BD400988D20 foo. 12345 IN LOC 12 45 52.333 N 105 40 33.452 W -24m 0.10m 0.10m 0.10m +03666F6F00000D000100003039000D05686F68756D0677656972646F +foo. 12345 IN HINFO "hohum" "weirdo" diff --git a/testdata/ttl_msg.rpl b/testdata/ttl_msg.rpl index efb7ea387..06726fb58 100644 --- a/testdata/ttl_msg.rpl +++ b/testdata/ttl_msg.rpl @@ -411,7 +411,7 @@ ENTRY_END ; cause a lookup for nx1.example.com bypassing the cache. ; with bug; this causes msg ttl for nx1 to be time(NOW)+ttl. ; so 15+5 = 20 -; visiable in debug log as "msg ttl is %d" +; visible in debug log as "msg ttl is %d" STEP 40 QUERY ENTRY_BEGIN REPLY RD diff --git a/testdata/val_keyprefetch_verify.rpl b/testdata/val_keyprefetch_verify.rpl index f2050fb7f..9b901a8cb 100644 --- a/testdata/val_keyprefetch_verify.rpl +++ b/testdata/val_keyprefetch_verify.rpl 
@@ -219,7 +219,7 @@ STEP 20 TIME_PASSES ELAPSE 3400 ; now the key gets prefetched and has to be verified with the anchor, ; not with the key itself. -; this answer is from cache enyway. +; this answer is from cache anyway. STEP 30 QUERY ENTRY_BEGIN REPLY RD DO diff --git a/testdata/val_nodata_failwc.rpl b/testdata/val_nodata_failwc.rpl index 76fa8acac..f9c810951 100644 --- a/testdata/val_nodata_failwc.rpl +++ b/testdata/val_nodata_failwc.rpl @@ -42,7 +42,7 @@ SECTION ANSWER SECTION AUTHORITY nsecwc.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 nsecwc.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. bYibpCDg1LgrnYJgVahgu94LBqLIcNs4iC0SW8LV7pTI1hhuFKbLkO2O ekPdkJAWmu/KTytf8D+cdcK6X/9VS8QCVIF5S0hraHtNezu0f1B5ztg3 7Rqy+uJSucNKoykueAsz2z43GMgO0rGH3bqM7+3ii8p2E2rhzqEtG/D3 qyY= -; NSEC has a label lenght of 3, indication that the original owner name is: +; NSEC has a label length of 3, indication that the original owner name is: ; *.nsecwc.nlnetlabs.nl. The NSEC therefore does no prove the NODATA answer. _25._tcp.mail.nsecwc.nlnetlabs.nl. 3600 IN NSEC delegation.nsecwc.nlnetlabs.nl. TXT RRSIG NSEC _25._tcp.mail.nsecwc.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. ddy1MRbshFuFJswlouNGHsZUF/tYu8BOCztY2JuHeTMyWL7rhRKp73q/ 1RAXMwywKsynT5ioY0bMtEQszeIEn29IYaPDHieLAobjF6BMu1kO7U2/ oEBrSHM/fx28BcaM5G4nfCIm3BlhQhWvk1NDHLn3Q26x4hF/dnmFOUet aXw= diff --git a/testdata/val_nsec3_optout_cache.rpl b/testdata/val_nsec3_optout_cache.rpl index 215cca676..05c07a839 100644 --- a/testdata/val_nsec3_optout_cache.rpl +++ b/testdata/val_nsec3_optout_cache.rpl 
@@ -138,7 +138,7 @@ b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccd b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AKHQ0gnNP5WDab1yqbd+Bt12CSSff88sqeDR40dvhiWOcYA8mmyjYNA= ; span around sub.example.com., same span as foo.example.com, but it has -; just changed and it is now larger to accomodate sub.example.com. +; just changed and it is now larger to accommodate sub.example.com. 6obgmo062d9935unjnnj2su5otaj9334.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 9r1f0ieoutlnjc03meng9e3bn2n0o9pd NS DS RRSIG 6obgmo062d9935unjnnj2su5otaj9334.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. ABzruSKUUcJRNlYDqZ4UmQH/WnzeXt9Gozp3chS4cR0sqsEeGjL54eQ= @@ -164,7 +164,7 @@ b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccd b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AKHQ0gnNP5WDab1yqbd+Bt12CSSff88sqeDR40dvhiWOcYA8mmyjYNA= ; span around sub.example.com., same span as foo.example.com, but it has -; just changed and it is now larger to accomodate sub.example.com. +; just changed and it is now larger to accommodate sub.example.com. 6obgmo062d9935unjnnj2su5otaj9334.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 9r1f0ieoutlnjc03meng9e3bn2n0o9pd NS DS RRSIG 6obgmo062d9935unjnnj2su5otaj9334.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. ABzruSKUUcJRNlYDqZ4UmQH/WnzeXt9Gozp3chS4cR0sqsEeGjL54eQ= diff --git a/testdata/zonemd_reload.tdir/zonemd_reload.conf b/testdata/zonemd_reload.tdir/zonemd_reload.conf index 27bdb4424..9afd6e2b1 100644 --- a/testdata/zonemd_reload.tdir/zonemd_reload.conf +++ b/testdata/zonemd_reload.tdir/zonemd_reload.conf @@ -19,4 +19,5 @@ auth-zone: for-upstream: yes for-downstream: yes zonefile: "zonemd_reload.zone" + zonemd-check: yes #master: "127.0.0.1@@TOPORT@" 
diff --git a/testdata/zonemd_reload.tdir/zonemd_reload.test b/testdata/zonemd_reload.tdir/zonemd_reload.test index 5ae1d9b0c..fbdf07511 100644 --- a/testdata/zonemd_reload.tdir/zonemd_reload.test +++ b/testdata/zonemd_reload.tdir/zonemd_reload.test @@ -41,7 +41,7 @@ echo "> cat logfiles" cat fwd.log cat unbound.log echo "> check answer" -if grep www.example.com outfile | grep "127.0.0.1"; then +if grep www.example.com outfile | grep "192.0.2.1"; then echo "OK" else echo "Not OK" diff --git a/testdata/zonemd_reload.tdir/zonemd_reload.zone b/testdata/zonemd_reload.tdir/zonemd_reload.zone index 16b631c7b..01e57a738 100644 --- a/testdata/zonemd_reload.tdir/zonemd_reload.zone +++ b/testdata/zonemd_reload.tdir/zonemd_reload.zone @@ -1,8 +1,8 @@ example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600 example.com. IN NS ns.example.com. -example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22 -www.example.com. IN A 127.0.0.1 -ns.example.com. IN A 127.0.0.1 +example.com. IN ZONEMD 200154054 1 2 D207FBBD1403DC8FDDC0159AB1F4B4C54A2FEB814E5CB1E82841C51D1372E78E4F6C75F7A9D710CC78C54E2DB3B92D07C72990644F93E1C44AC356EACA3980C5 +www.example.com. IN A 192.0.2.1 +ns.example.com. IN A 192.0.2.1 bar.example.com. IN A 1.2.3.4 ding.example.com. IN A 1.2.3.4 foo.example.com. IN A 1.2.3.4 diff --git a/util/config_file.c b/util/config_file.c index ce3fc543b..ef6ecf63e 100644 --- a/util/config_file.c +++ b/util/config_file.c 
@@ -105,11 +105,14 @@ config_create(void) cfg->do_ip6 = 1; cfg->do_udp = 1; cfg->do_tcp = 1; + cfg->tcp_reuse_timeout = 60 * 1000; /* 60s in milisecs */ + cfg->max_reuse_tcp_queries = 200; cfg->tcp_upstream = 0; cfg->udp_upstream_without_downstream = 0; cfg->tcp_mss = 0; cfg->outgoing_tcp_mss = 0; cfg->tcp_idle_timeout = 30 * 1000; /* 30s in millisecs */ + cfg->tcp_auth_query_timeout = 3 * 1000; /* 3s in millisecs */ cfg->do_tcp_keepalive = 0; cfg->tcp_keepalive_timeout = 120 * 1000; /* 120s in millisecs */ cfg->ssl_service_key = NULL; @@ -192,6 +195,7 @@ config_create(void) cfg->use_systemd = 0; cfg->do_daemonize = 1; cfg->if_automatic = 0; + cfg->if_automatic_ports = NULL; cfg->so_rcvbuf = 0; cfg->so_sndbuf = 0; cfg->so_reuseport = REUSEPORT_DEFAULT; @@ -235,8 +239,10 @@ config_create(void) cfg->hide_identity = 0; cfg->hide_version = 0; cfg->hide_trustanchor = 0; + cfg->hide_http_user_agent = 0; cfg->identity = NULL; cfg->version = NULL; + cfg->http_user_agent = NULL; cfg->nsid_cfg_str = NULL; cfg->nsid = NULL; cfg->nsid_len = 0; @@ -250,11 +256,12 @@ config_create(void) cfg->val_date_override = 0; cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */ cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */ + cfg->val_max_restart = 5; cfg->val_clean_additional = 1; cfg->val_log_level = 0; cfg->val_log_squelch = 0; cfg->val_permissive_mode = 0; - cfg->aggressive_nsec = 0; + cfg->aggressive_nsec = 1; cfg->ignore_cd = 0; cfg->serve_expired = 0; cfg->serve_expired_ttl = 0; @@ -306,7 +313,7 @@ config_create(void) if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit; #endif if(!(cfg->val_nsec3_key_iterations = - strdup("1024 150 2048 500 4096 2500"))) goto error_exit; + strdup("1024 150 2048 150 4096 150"))) goto error_exit; #if defined(DNSTAP_SOCKET_PATH) if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH))) goto error_exit; 
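Review bot: The new default `"1024 150 2048 150 4096 150"` for `val_nsec3_key_iterations` (last hunk on this line) carries no comment saying what the pairs mean or why every key size now gets the same limit. A one-line comment above the strdup, such as `/* pairs of key size and max NSEC3 iterations; capped at 150 for every key size */`, would keep a later edit from restoring the graduated values by accident. The neighbouring hunk also flips the `aggressive_nsec` default to 1 and adds `val_max_restart = 5` without a word on why, and the same kind of comment would help there. config_create's body starts and ends outside these hunks.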
@@ -324,6 +331,9 @@ config_create(void) cfg->ratelimit_below_domain = NULL; cfg->ip_ratelimit_factor = 10; cfg->ratelimit_factor = 10; + cfg->ip_ratelimit_backoff = 0; + cfg->ratelimit_backoff = 0; + cfg->outbound_msg_retry = 5; cfg->qname_minimisation = 1; cfg->qname_minimisation_strict = 0; cfg->shm_enable = 0; @@ -518,15 +528,24 @@ int config_set_option(struct config_file* cfg, const char* opt, udp_upstream_without_downstream) else S_NUMBER_NONZERO("tcp-mss:", tcp_mss) else S_NUMBER_NONZERO("outgoing-tcp-mss:", outgoing_tcp_mss) + else S_NUMBER_NONZERO("tcp-auth-query-timeout:", tcp_auth_query_timeout) else S_NUMBER_NONZERO("tcp-idle-timeout:", tcp_idle_timeout) + else S_NUMBER_NONZERO("max-reuse-tcp-queries:", max_reuse_tcp_queries) + else S_NUMBER_NONZERO("tcp-reuse-timeout:", tcp_reuse_timeout) else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive) else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout) else S_YNO("ssl-upstream:", ssl_upstream) + else S_YNO("tls-upstream:", ssl_upstream) else S_STR("ssl-service-key:", ssl_service_key) + else S_STR("tls-service-key:", ssl_service_key) else S_STR("ssl-service-pem:", ssl_service_pem) + else S_STR("tls-service-pem:", ssl_service_pem) else S_NUMBER_NONZERO("ssl-port:", ssl_port) + else S_NUMBER_NONZERO("tls-port:", ssl_port) + else S_STR("ssl-cert-bundle:", tls_cert_bundle) else S_STR("tls-cert-bundle:", tls_cert_bundle) else S_YNO("tls-win-cert:", tls_win_cert) + else S_STRLIST("additional-ssl-port:", tls_additional_port) else S_STRLIST("additional-tls-port:", tls_additional_port) else S_STRLIST("tls-additional-ports:", tls_additional_port) else S_STRLIST("tls-additional-port:", tls_additional_port) 
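Review bot: In the config_set_option hunk, `max-reuse-tcp-queries:` is parsed with `S_NUMBER_NONZERO`, but the field is declared `size_t max_reuse_tcp_queries` in config_file.h and the file already has `S_SIZET_NONZERO` (used for `fast-server-num:`). If S_NUMBER_NONZERO converts through an int, which its definition outside this diff would have to confirm, a negative value would land in the size_t as a very large number and effectively remove the per-connection query cap. Using `else S_SIZET_NONZERO("max-reuse-tcp-queries:", max_reuse_tcp_queries)` keeps the setter in line with the declared type. The getter in config_get_option reads the same field with `O_DEC` and deserves the same look.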
@@ -542,6 +561,7 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_YNO("http-nodelay:", http_nodelay) else S_YNO("http-notls-downstream:", http_notls_downstream) else S_YNO("interface-automatic:", if_automatic) + else S_STR("interface-automatic-ports:", if_automatic_ports) else S_YNO("use-systemd:", use_systemd) else S_YNO("do-daemonize:", do_daemonize) else S_NUMBER_NONZERO("port:", port) @@ -589,8 +609,10 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_YNO("hide-identity:", hide_identity) else S_YNO("hide-version:", hide_version) else S_YNO("hide-trustanchor:", hide_trustanchor) + else S_YNO("hide-http-user-agent:", hide_http_user_agent) else S_STR("identity:", identity) else S_STR("version:", version) + else S_STR("http-user-agent:", http_user_agent) else if(strcmp(opt, "nsid:") == 0) { free(cfg->nsid_cfg_str); if (!(cfg->nsid_cfg_str = strdup(val))) @@ -742,6 +764,9 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_POW2("ratelimit-slabs:", ratelimit_slabs) else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor) else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor) + else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff) + else S_YNO("ratelimit-backoff:", ratelimit_backoff) + else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry) else S_SIZET_NONZERO("fast-server-num:", fast_server_num) else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil) else S_YNO("qname-minimisation:", qname_minimisation) 
@@ -760,12 +785,14 @@ int config_set_option(struct config_file* cfg, const char* opt, #endif else if(strcmp(opt, "define-tag:") ==0) { return config_add_tag(cfg, val); - /* val_sig_skew_min and max are copied into val_env during init, - * so this does not update val_env with set_option */ + /* val_sig_skew_min, max and val_max_restart are copied into val_env + * during init so this does not update val_env with set_option */ } else if(strcmp(opt, "val-sig-skew-min:") == 0) { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_min = (int32_t)atoi(val); } else if(strcmp(opt, "val-sig-skew-max:") == 0) { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); } + else if(strcmp(opt, "val-max-restart:") == 0) + { IS_NUMBER_OR_ZERO; cfg->val_max_restart = (int32_t)atoi(val); } else if (strcmp(opt, "outgoing-interface:") == 0) { char* d = strdup(val); char** oi = @@ -967,6 +994,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_IFC(opt, "interface", num_ifs, ifs) else O_IFC(opt, "outgoing-interface", num_out_ifs, out_ifs) else O_YNO(opt, "interface-automatic", if_automatic) + else O_STR(opt, "interface-automatic-ports", if_automatic_ports) else O_DEC(opt, "port", port) else O_DEC(opt, "outgoing-range", outgoing_num_ports) else O_DEC(opt, "outgoing-num-tcp", outgoing_num_tcp) 
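Review bot: The new `val-max-restart:` branch stores `(int32_t)atoi(val)`, and atoi gives no way to detect input that does not fit in an int; what `IS_NUMBER_OR_ZERO` rejects is defined outside the hunk. config_file.h documents the field as the maximum number of query restarts and IPs to probe, so a mistyped huge value silently becomes some other limit instead of a configuration error. Parsing with strtol and rejecting out-of-range input, as sketched below, makes the failure explicit. The two skew options just above use the same atoi pattern, and config_set_option starts and ends outside the hunk.

```c
	else if(strcmp(opt, "val-max-restart:") == 0) {
		char* end = NULL;
		long v;
		errno = 0;
		v = strtol(val, &end, 10);
		/* reject empty input, trailing junk, negative and out-of-range values */
		if(errno != 0 || end == val || *end != 0 || v < 0 || v > INT32_MAX)
			return 0; /* assumed to be this function's failure return - confirm */
		cfg->val_max_restart = (int32_t)v;
	}
```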
@@ -1009,15 +1037,26 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "udp-upstream-without-downstream", udp_upstream_without_downstream) else O_DEC(opt, "tcp-mss", tcp_mss) else O_DEC(opt, "outgoing-tcp-mss", outgoing_tcp_mss) + else O_DEC(opt, "tcp-auth-query-timeout", tcp_auth_query_timeout) else O_DEC(opt, "tcp-idle-timeout", tcp_idle_timeout) + else O_DEC(opt, "max-reuse-tcp-queries", max_reuse_tcp_queries) + else O_DEC(opt, "tcp-reuse-timeout", tcp_reuse_timeout) else O_YNO(opt, "edns-tcp-keepalive", do_tcp_keepalive) else O_DEC(opt, "edns-tcp-keepalive-timeout", tcp_keepalive_timeout) else O_YNO(opt, "ssl-upstream", ssl_upstream) + else O_YNO(opt, "tls-upstream", ssl_upstream) else O_STR(opt, "ssl-service-key", ssl_service_key) + else O_STR(opt, "tls-service-key", ssl_service_key) else O_STR(opt, "ssl-service-pem", ssl_service_pem) + else O_STR(opt, "tls-service-pem", ssl_service_pem) else O_DEC(opt, "ssl-port", ssl_port) + else O_DEC(opt, "tls-port", ssl_port) + else O_STR(opt, "ssl-cert-bundle", tls_cert_bundle) else O_STR(opt, "tls-cert-bundle", tls_cert_bundle) else O_YNO(opt, "tls-win-cert", tls_win_cert) + else O_LST(opt, "additional-ssl-port", tls_additional_port) + else O_LST(opt, "additional-tls-port", tls_additional_port) + else O_LST(opt, "tls-additional-ports", tls_additional_port) else O_LST(opt, "tls-additional-port", tls_additional_port) else O_LST(opt, "tls-session-ticket-keys", tls_session_ticket_keys.first) else O_STR(opt, "tls-ciphers", tls_ciphers) 
@@ -1045,8 +1084,10 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "hide-identity", hide_identity) else O_YNO(opt, "hide-version", hide_version) else O_YNO(opt, "hide-trustanchor", hide_trustanchor) + else O_YNO(opt, "hide-http-user-agent", hide_http_user_agent) else O_STR(opt, "identity", identity) else O_STR(opt, "version", version) + else O_STR(opt, "http-user-agent", http_user_agent) else O_STR(opt, "nsid", nsid_cfg_str) else O_STR(opt, "target-fetch-policy", target_fetch_policy) else O_YNO(opt, "harden-short-bufsize", harden_short_bufsize) @@ -1179,10 +1220,14 @@ config_get_option(struct config_file* cfg, const char* opt, else O_LS2(opt, "ratelimit-below-domain", ratelimit_below_domain) else O_DEC(opt, "ip-ratelimit-factor", ip_ratelimit_factor) else O_DEC(opt, "ratelimit-factor", ratelimit_factor) + else O_YNO(opt, "ip-ratelimit-backoff", ip_ratelimit_backoff) + else O_YNO(opt, "ratelimit-backoff", ratelimit_backoff) + else O_UNS(opt, "outbound-msg-retry", outbound_msg_retry) else O_DEC(opt, "fast-server-num", fast_server_num) else O_DEC(opt, "fast-server-permil", fast_server_permil) else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min) else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max) + else O_DEC(opt, "val-max-restart", val_max_restart) else O_YNO(opt, "qname-minimisation", qname_minimisation) else O_YNO(opt, "qname-minimisation-strict", qname_minimisation_strict) else O_IFC(opt, "define-tag", num_tags, tagname) @@ -1495,6 +1540,7 @@ config_delete(struct config_file* cfg) free(cfg->directory); free(cfg->logfile); free(cfg->pidfile); + free(cfg->if_automatic_ports); free(cfg->target_fetch_policy); free(cfg->ssl_service_key); free(cfg->ssl_service_pem); @@ -1522,6 +1568,7 @@ config_delete(struct config_file* cfg) #endif free(cfg->identity); free(cfg->version); + free(cfg->http_user_agent); free(cfg->nsid_cfg_str); free(cfg->nsid); free(cfg->module_conf); 
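Review bot: `outbound-msg-retry` is read back with `O_UNS` in the second hunk on this line, while the field is declared `int outbound_msg_retry` in config_file.h and is set through `S_NUMBER_NONZERO`; the neighbouring int options (`ratelimit-factor`, `val-max-restart`) use `O_DEC`. Unless O_UNS is meant for int fields, which its definition outside the diff would show, `else O_DEC(opt, "outbound-msg-retry", outbound_msg_retry)` matches the declared type and the rest of the list. config_get_option starts and ends outside the hunk.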
@@ -1687,6 +1734,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail) return num; } +void cfg_apply_local_port_policy(struct config_file* cfg, int num) { +(void)cfg; +(void)num; +#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE + { + int i = 0; + FILE* range_fd; + if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) { + int min_port = 0; + int max_port = num - 1; + if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) { + for(i=0; ioutgoing_avail_ports[i] = 0; + } + for(i=max_port+1; ioutgoing_avail_ports[i] = 0; + } + } else { + log_err("unexpected port range in %s", + LINUX_IP_LOCAL_PORT_RANGE_PATH); + } + fclose(range_fd); + } else { + log_err("failed to read from file: %s (%s)", + LINUX_IP_LOCAL_PORT_RANGE_PATH, + strerror(errno)); + } + } +#endif +} + /** print error with file and line number */ static void ub_c_error_va_list(const char *fmt, va_list args) { diff --git a/util/config_file.h b/util/config_file.h index 23837065a..c30a8f61b 100644 --- a/util/config_file.h +++ b/util/config_file.h @@ -93,6 +93,12 @@ struct config_file { int do_udp; /** do tcp query support. */ int do_tcp; + /** max number of queries on a reuse connection. */ + size_t max_reuse_tcp_queries; + /** timeout for REUSE entries in milliseconds. */ + int tcp_reuse_timeout; + /** timeout in milliseconds for TCP queries to auth servers. */ + int tcp_auth_query_timeout; /** tcp upstream queries (no UDP upstream queries) */ int tcp_upstream; /** udp upstream enabled when no UDP downstream is enabled (do_udp no)*/ @@ -199,6 +205,8 @@ struct config_file { /** automatic interface for incoming messages. Uses ipv6 remapping, * and recvmsg/sendmsg ancillary data to detect interfaces, boolean */ int if_automatic; + /** extra ports to open if if_automatic enabled, or NULL for default */ + char* if_automatic_ports; /** SO_RCVBUF size to set on port 53 UDP socket */ size_t so_rcvbuf; /** SO_SNDBUF size to set on port 53 UDP socket */ 
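Review bot: In cfg_apply_local_port_policy the two values read by `fscanf` are used as loop bounds for writes to `outgoing_avail_ports[i]` without being checked against `num`; the second loop starts at `max_port+1`, so a negative max_port would index below the array. The loop conditions are partly lost in this rendering, so the exact bounds are inferred. Tightening the existing test to `if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2 && min_port >= 0 && min_port <= max_port && max_port < num) {` sends anything else to the existing "unexpected port range" log.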
@@ -334,10 +342,14 @@ struct config_file { int hide_version; /** do not report trustanchor (trustanchor.unbound) */ int hide_trustanchor; + /** do not report the User-Agent HTTP header */ + int hide_http_user_agent; /** identity, hostname is returned if "". */ char* identity; /** version, package version returned if "". */ char* version; + /** User-Agent for HTTP header */ + char* http_user_agent; /** nsid */ char *nsid_cfg_str; uint8_t *nsid; @@ -367,6 +379,8 @@ struct config_file { int32_t val_sig_skew_min; /** the maximum for signature clock skew */ int32_t val_sig_skew_max; + /** max number of query restarts, number of IPs to probe */ + int32_t val_max_restart; /** this value sets the number of seconds before revalidating bogus */ int bogus_ttl; /** should validator clean additional section for secure msgs */ @@ -553,6 +567,10 @@ struct config_file { size_t ip_ratelimit_size; /** ip_ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */ int ip_ratelimit_factor; + /** ratelimit backoff, when on, if the limit is reached it is + * considered an attack and it backs off until 'demand' decreases over + * the RATE_WINDOW. */ + int ip_ratelimit_backoff; /** ratelimit for domains. 0 is off, otherwise qps (unless overridden) */ int ratelimit; @@ -566,6 +584,13 @@ struct config_file { struct config_str2list* ratelimit_below_domain; /** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */ int ratelimit_factor; + /** ratelimit backoff, when on, if the limit is reached it is + * considered an attack and it backs off until 'demand' decreases over + * the RATE_WINDOW. */ + int ratelimit_backoff; + + /** number of retries on outgoing queries */ + int outbound_msg_retry; /** minimise outgoing QNAME and hide original QTYPE if possible */ int qname_minimisation; /** minimise QNAME in strict mode, minimise according to RFC. 
@@ -688,6 +713,8 @@ struct config_stub { int isprime; /** if forward-first is set (failover to without if fails) */ int isfirst; + /** use tcp for queries to this stub */ + int tcp_upstream; /** use SSL for queries to this stub */ int ssl_upstream; /*** no cache */ @@ -732,6 +759,10 @@ struct config_auth { /** Always reply with this CNAME target if the cname override action is * used */ char* rpz_cname; + /** signal nxdomain block with unset RA */ + int rpz_signal_nxdomain_ra; + /** Check ZONEMD records for this zone */ + int zonemd_check; /** Reject absence of ZONEMD records, zone must have one */ int zonemd_reject_absence; }; @@ -1095,7 +1126,7 @@ int cfg_count_numbers(const char* str); int cfg_parse_memsize(const char* str, size_t* res); /** - * Parse nsid from string into binary nsid. nsid is either a hexidecimal + * Parse nsid from string into binary nsid. nsid is either a hexadecimal * string or an ascii string prepended with ascii_ in which case the * characters after ascii_ are simply copied. * @param str: the string to parse. @@ -1179,6 +1210,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num); */ int cfg_condense_ports(struct config_file* cfg, int** avail); +/** + * Apply system specific port range policy. + * @param cfg: config file. + * @param num: size of the array (65536). + */ +void cfg_apply_local_port_policy(struct config_file* cfg, int num); + /** * Scan ports available * @param avail: the array from cfg. @@ -1318,5 +1356,9 @@ int if_is_https(const char* ifname, const char* port, int https_port); */ int cfg_has_https(struct config_file* cfg); +#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE +#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range" +#endif + #endif /* UTIL_CONFIG_FILE_H */ diff --git a/util/configlexer.c b/util/configlexer.c index cbf1c103c..7a052201d 100644 --- a/util/configlexer.c +++ b/util/configlexer.c 
@@ -354,8 +354,8 @@ static void yynoreturn yy_fatal_error ( const char* msg ); (yy_hold_char) = *yy_cp; \ *yy_cp = '\0'; \ (yy_c_buf_p) = yy_cp; -#define YY_NUM_RULES 345 -#define YY_END_OF_BUFFER 346 +#define YY_NUM_RULES 359 +#define YY_END_OF_BUFFER 360 /* This struct is not used in this scanner, but its presence is necessary. */ struct yy_trans_info 
@@ -363,380 +363,400 @@ struct yy_trans_info flex_int32_t yy_verify; flex_int32_t yy_nxt; }; -static const flex_int16_t yy_accept[3388] = +static const flex_int16_t yy_accept[3565] = { 0, - 1, 1, 319, 319, 323, 323, 327, 327, 331, 331, - 1, 1, 335, 335, 339, 339, 346, 343, 1, 317, - 317, 344, 2, 344, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 319, 320, 320, 321, - 344, 323, 324, 324, 325, 344, 330, 327, 328, 328, - 329, 344, 331, 332, 332, 333, 344, 342, 318, 2, - 322, 344, 342, 338, 335, 336, 336, 337, 344, 339, - 340, 340, 341, 344, 343, 0, 1, 2, 2, 2, - 2, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 1, 1, 333, 333, 337, 337, 341, 341, 345, 345, + 1, 1, 349, 349, 353, 353, 360, 357, 1, 331, + 331, 358, 2, 358, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 333, 334, 334, 335, + 358, 337, 338, 338, 339, 358, 344, 341, 342, 342, + 343, 358, 345, 346, 346, 347, 358, 356, 332, 2, + 336, 358, 356, 352, 349, 350, 350, 351, 358, 353, + 354, 354, 355, 358, 357, 0, 1, 2, 2, 2, + 2, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 319, - 0, 323, 0, 330, 0, 327, 331, 0, 342, 0, - 2, 2, 342, 338, 0, 335, 339, 0, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 333, + 0, 337, 
0, 344, 0, 341, 345, 0, 356, 0, + 2, 2, 356, 352, 0, 349, 353, 0, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 342, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 356, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 125, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 134, - 343, 343, 343, 343, 343, 343, 343, 342, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, 
+ 357, 357, 357, 357, 357, 357, 357, 357, 357, 131, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 141, 357, 357, 357, 357, 357, 357, 357, 356, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 109, 343, 316, 343, - 343, 343, 343, 343, 343, 343, 8, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 113, 357, + 330, 357, 357, 357, 357, 357, 357, 357, 357, 8, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 126, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 139, 343, 343, - 342, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 132, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 
357, 357, 357, 357, 357, + 357, 357, 357, 357, 146, 357, 357, 356, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 309, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 323, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 342, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 64, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 241, 343, 14, 15, 343, 19, 18, 343, - 343, 225, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 
357, 357, 357, 357, 357, 357, 357, 357, 357, 356, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 68, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 252, 357, 14, + 15, 357, 19, 18, 357, 357, 236, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 132, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 223, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 3, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 139, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 234, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 3, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 342, 343, 343, 343, 343, 343, 343, - 343, 303, 343, 343, 302, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 326, 343, 343, 343, 343, 343, 343, 343, - 343, 63, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 67, 343, + 357, 357, 357, 357, 357, 357, 357, 
357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 356, 357, 357, + 357, 357, 357, 357, 357, 317, 357, 357, 316, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 340, 357, - 272, 343, 343, 343, 343, 343, 343, 343, 343, 310, - 311, 343, 343, 343, 343, 343, 343, 343, 68, 343, - 343, 133, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 129, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 212, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 21, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 158, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 67, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 71, 357, 286, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 324, 325, 357, 357, + 357, 357, 357, 357, 357, 357, 72, 357, 357, 140, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 135, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 223, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 21, 357, - 343, 343, 342, 326, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 107, 343, 343, 343, 343, - 343, 343, 343, 280, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 182, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 157, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 
343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 166, 357, 357, 357, 357, 357, 356, 340, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 111, + 357, 357, 357, 357, 357, 357, 357, 294, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 192, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 106, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 32, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 33, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 65, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 165, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 110, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 35, 357, 357, 357, 357, 357, - 343, 131, 343, 343, 342, 343, 343, 343, 343, 343, - 124, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 66, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 245, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 183, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 
343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 54, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 36, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 69, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 138, 357, 357, 357, 356, 357, + 357, 357, 357, 357, 130, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 70, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 256, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 193, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 263, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 58, 343, 59, 343, 343, 343, - 343, 343, 110, 343, 111, 343, 343, 343, 343, 108, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 57, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 274, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 7, - 343, 343, 343, 342, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 234, 343, 343, 343, 343, 160, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 246, 343, 343, 343, 343, 343, - 343, 343, 343, 
343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 45, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 62, 357, 63, 357, 357, 357, + 357, 357, 114, 357, 115, 357, 357, 357, 357, 357, + 112, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 7, 357, 357, 357, 357, 356, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 245, 357, 357, + 357, 357, 169, 357, 357, 357, 357, 357, 357, 357, - 343, 55, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 204, 343, 203, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 16, 17, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 69, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 211, 343, 343, 343, 343, - 343, 343, 113, 343, 112, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 257, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 48, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 58, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 215, 357, 214, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 195, 343, 343, - 343, 343, 343, 343, 343, 343, 140, 343, 343, 342, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 101, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 89, 343, 343, 343, 343, 343, 343, 343, 343, 343, 
- 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 224, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 94, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 16, 17, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 73, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 222, 357, 357, 357, + 357, 357, 357, 117, 357, 116, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 206, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 147, 357, 357, 357, 356, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 105, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 62, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 198, 199, 343, 343, - 343, 274, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 6, 343, 343, 343, 343, 343, - 343, 293, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 278, - 343, 343, 343, 343, 343, 343, 304, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 42, 343, + 357, 357, 357, 357, 357, 357, 93, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 235, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 98, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 66, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 209, 210, 357, 357, 357, - 343, 343, 343, 44, 343, 343, 343, 90, 343, 343, - 343, 343, 343, 52, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 342, 343, 191, 343, 343, 343, 135, - 343, 343, 343, 343, 343, 343, 343, 
343, 343, 343, - 216, 343, 192, 343, 343, 343, 231, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 53, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 137, 118, - 343, 119, 343, 343, 343, 117, 343, 343, 343, 343, - 343, 343, 343, 343, 155, 343, 343, 50, 343, 343, + 288, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 6, 357, 357, 357, 357, 357, + 357, 357, 307, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 292, 357, 357, 357, 357, 357, 357, 357, 318, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 45, 357, 357, 357, 357, 47, + 357, 357, 357, 94, 357, 357, 357, 357, 357, 55, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 262, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 193, 343, 343, 343, 343, 343, - 196, 343, 202, 343, 343, 343, 343, 343, 230, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 105, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 130, 343, 343, 343, 343, 343, - 343, 343, 60, 343, 343, 343, 26, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 20, 343, 343, 343, + 357, 356, 357, 202, 357, 357, 357, 142, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 227, 357, + 203, 357, 357, 357, 242, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 56, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 144, 123, 357, 124, + 357, 357, 357, 357, 122, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 162, 357, 357, 53, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 273, 357, 357, 357, 357, - 343, 343, 343, 27, 36, 343, 165, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 342, 343, 
343, 343, 343, 343, 343, 77, - 79, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 282, 343, 343, 343, 343, 242, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 120, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 154, 343, 46, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 204, 357, 357, 357, 357, + 357, 207, 357, 213, 357, 357, 357, 357, 357, 357, + 241, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 109, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 136, 357, + 357, 357, 357, 357, 357, 357, 357, 64, 357, 357, + 357, 29, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 20, 357, 357, 357, 357, 357, + 357, 30, 39, 357, 174, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 297, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 159, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 291, 343, - 343, 343, 222, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 307, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 176, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 114, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 171, 343, 184, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 200, + 357, 357, 356, 357, 357, 357, 357, 357, 357, 81, + 83, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 296, 357, 357, 357, 357, 253, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 125, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 161, 357, 49, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 342, 343, 143, 343, 343, 343, 343, - 
343, 100, 343, 343, 343, 343, 214, 343, 343, 343, - 343, 343, 343, 232, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 254, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 136, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 175, 343, 343, 343, - 343, 343, 343, 80, 343, 81, 343, 343, 343, 343, - 343, 61, 300, 343, 343, 343, 343, 343, 88, 185, - 343, 205, 343, 235, 343, 343, 197, 275, 343, 343, + 311, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 168, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 305, 357, 357, 357, 233, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 321, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 186, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 118, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 181, 357, 194, 357, 357, - 343, 343, 343, 73, 343, 187, 343, 343, 343, 343, - 343, 9, 343, 343, 343, 343, 343, 104, 343, 343, - 343, 343, 267, 343, 343, 343, 343, 213, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 342, 343, 343, 343, - 343, 174, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 161, 343, 281, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 356, 357, 150, 357, 357, + 357, 357, 357, 104, 357, 357, 357, 357, 225, 357, + 357, 357, 357, 357, 357, 243, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 265, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 143, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 185, 357, 357, 357, 357, 357, 357, 84, 357, + 85, 357, 357, 357, 357, 357, 357, 65, 314, 357, + 357, 357, 357, 357, 92, 195, 357, 
216, 357, 246, - 253, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 226, 343, 343, 343, 343, 343, 273, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 301, - 343, 186, 343, 343, 343, 343, 343, 343, 343, 72, - 74, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 103, 343, 343, 343, 343, 265, 343, 343, 343, 343, - 277, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 218, 34, 28, 30, 343, 343, 343, + 357, 357, 208, 289, 357, 357, 357, 357, 357, 357, + 77, 357, 197, 357, 357, 357, 357, 357, 357, 9, + 357, 357, 357, 357, 357, 108, 357, 357, 357, 357, + 357, 278, 357, 357, 357, 357, 224, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 356, 357, 357, 357, 357, 184, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 35, 343, 29, 31, - 343, 343, 343, 343, 343, 343, 343, 343, 99, 343, - 343, 343, 343, 343, 343, 343, 343, 342, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 220, - 217, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 71, - 343, 343, 343, 138, 343, 121, 343, 343, 343, 343, - 343, 343, 343, 343, 156, 47, 343, 343, 343, 334, - 13, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 295, 343, 298, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 357, 357, 357, 170, 357, 295, 357, + 357, 357, 357, 357, 264, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 237, 357, 357, 357, + 357, 357, 287, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 167, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 315, 357, 196, + 357, 357, 357, 357, 357, 357, 357, 357, 76, 78, + 357, 357, 357, 357, 
357, 357, 357, 357, 357, 357, + 107, 357, 357, 357, 357, 357, 276, 357, 357, 357, - 343, 343, 343, 343, 12, 343, 343, 22, 343, 343, - 343, 343, 343, 271, 343, 343, 343, 343, 279, 343, - 343, 343, 75, 343, 228, 343, 343, 343, 343, 343, - 219, 343, 343, 70, 343, 343, 343, 343, 23, 343, - 43, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 170, 169, 343, 343, 334, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 221, 215, 343, - 233, 343, 343, 283, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 291, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 229, 37, 31, 33, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 38, 357, 32, 34, 357, 357, 357, 357, 357, + 357, 357, 357, 103, 357, 180, 357, 357, 357, 357, + 357, 357, 357, 356, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 231, 228, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 75, 357, 357, 357, 145, + 357, 126, 357, 357, 357, 357, 357, 357, 357, 357, - 343, 343, 343, 343, 343, 343, 82, 343, 343, 343, - 343, 266, 343, 343, 343, 343, 201, 343, 343, 343, - 343, 227, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 305, 306, 167, 343, 343, 76, 343, - 343, 343, 343, 177, 343, 343, 343, 115, 116, 343, - 343, 343, 343, 162, 343, 164, 343, 206, 343, 343, - 343, 343, 168, 343, 343, 343, 343, 236, 343, 343, - 343, 343, 343, 343, 343, 145, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 244, 343, - 343, 343, 343, 343, 343, 343, 314, 343, 24, 343, + 357, 357, 163, 50, 357, 357, 357, 348, 13, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 309, 357, 312, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 12, 357, 357, 22, 357, + 357, 357, 357, 357, 357, 282, 357, 357, 357, 357, + 293, 357, 357, 357, 357, 79, 357, 239, 357, 357, + 357, 357, 357, 230, 357, 357, 74, 357, 357, 357, + 357, 357, 
357, 23, 357, 357, 46, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 179, + 178, 357, 357, 348, 357, 357, 357, 357, 357, 357, - 276, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 86, 207, 343, 343, 264, - 343, 299, 343, 200, 343, 343, 343, 343, 56, 343, - 343, 343, 343, 343, 343, 4, 343, 343, 343, 343, - 128, 144, 343, 343, 343, 181, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 239, 37, 38, 343, 343, 343, 343, - 343, 343, 343, 284, 343, 343, 343, 343, 343, 343, - 343, 252, 343, 343, 343, 343, 343, 343, 343, 343, - 210, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 357, 357, 357, 232, 226, 357, 244, 357, 357, 297, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 86, 357, 357, 357, 357, 357, + 277, 357, 357, 357, 357, 212, 357, 357, 357, 357, + 357, 238, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 284, 357, 357, 357, 319, 320, 176, 357, 357, + 357, 80, 357, 357, 357, 357, 187, 357, 357, 357, + 119, 121, 120, 357, 357, 357, 25, 357, 357, 171, - 343, 343, 343, 85, 343, 57, 270, 343, 240, 343, - 343, 343, 343, 11, 343, 343, 343, 343, 343, 343, - 343, 343, 127, 343, 343, 343, 343, 208, 91, 343, - 40, 343, 343, 343, 343, 343, 343, 343, 343, 173, - 343, 343, 343, 343, 343, 343, 343, 147, 343, 343, - 343, 343, 243, 343, 343, 343, 343, 343, 251, 343, - 343, 343, 343, 141, 343, 343, 343, 122, 123, 343, - 343, 343, 93, 97, 92, 343, 343, 343, 343, 83, - 343, 343, 343, 343, 343, 10, 343, 343, 343, 343, - 343, 268, 308, 343, 343, 343, 343, 313, 39, 343, + 357, 173, 357, 217, 357, 357, 357, 357, 177, 357, + 357, 357, 357, 247, 357, 357, 357, 357, 357, 357, + 357, 152, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 255, 357, 357, 357, 357, 357, + 357, 357, 328, 357, 27, 357, 290, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 
357, 357, 90, 218, 357, 357, 357, 275, 357, + 313, 357, 211, 357, 357, 357, 357, 357, 285, 59, + 357, 357, 357, 357, 357, 357, 4, 357, 357, 357, + 357, 134, 357, 151, 357, 357, 357, 191, 357, 357, - 343, 343, 343, 343, 172, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 98, 96, 343, 51, 343, 343, 84, 296, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 194, 343, 343, - 343, 343, 343, 209, 343, 343, 343, 343, 343, 343, - 343, 190, 343, 343, 163, 78, 343, 343, 343, 343, - 343, 285, 343, 343, 343, 343, 343, 343, 343, 248, - 343, 343, 247, 142, 343, 343, 95, 48, 343, 148, - 149, 152, 153, 150, 151, 87, 294, 343, 343, 269, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 250, 40, 41, 357, + 357, 357, 357, 357, 357, 357, 298, 357, 357, 357, + 357, 357, 357, 357, 263, 357, 357, 357, 357, 357, + 357, 357, 357, 221, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 89, 357, + 357, 60, 357, 281, 357, 251, 357, 357, 357, 357, + 357, 11, 357, 357, 357, 357, 357, 357, 357, 357, + 133, 357, 357, 357, 357, 357, 219, 95, 357, 357, + 43, 357, 357, 357, 357, 357, 357, 357, 357, 183, - 343, 343, 343, 343, 166, 343, 343, 343, 343, 189, - 343, 238, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 179, 178, 41, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 292, 343, 343, - 343, 343, 102, 343, 237, 343, 261, 289, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 315, - 343, 49, 5, 343, 343, 229, 343, 343, 290, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 249, 25, + 357, 357, 357, 357, 357, 357, 357, 154, 357, 357, + 357, 357, 254, 357, 357, 357, 357, 357, 262, 357, + 357, 357, 357, 148, 357, 357, 357, 127, 129, 128, + 357, 357, 357, 97, 101, 96, 164, 357, 357, 357, + 357, 87, 357, 283, 357, 357, 357, 357, 357, 357, + 10, 
357, 357, 357, 357, 357, 279, 322, 357, 357, + 357, 357, 357, 357, 327, 42, 357, 357, 357, 357, + 357, 182, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 102, 100, 357, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 250, 343, 343, 343, 146, 343, 343, 343, - 343, 343, 343, 343, 343, 180, 343, 188, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 286, 343, 343, - 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, - 343, 343, 343, 343, 343, 312, 343, 343, 257, 343, - 343, 343, 343, 343, 287, 343, 343, 343, 343, 343, - 343, 288, 343, 343, 343, 255, 343, 258, 259, 343, - 343, 343, 343, 343, 256, 260, 0 + 54, 357, 357, 88, 357, 310, 357, 357, 357, 357, + 24, 357, 357, 357, 357, 357, 205, 357, 357, 357, + 357, 357, 357, 220, 357, 357, 357, 357, 357, 357, + 357, 357, 201, 357, 357, 172, 82, 357, 357, 357, + 357, 357, 299, 357, 357, 357, 357, 357, 357, 357, + 259, 357, 357, 258, 149, 357, 357, 99, 51, 357, + 357, 155, 156, 159, 160, 157, 158, 91, 308, 357, + 357, 280, 137, 357, 357, 357, 26, 357, 175, 357, + 357, 357, 357, 199, 357, 249, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + + 357, 357, 357, 357, 357, 357, 357, 189, 188, 44, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 306, 357, 357, 357, 357, 106, 357, + 248, 357, 272, 303, 357, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 329, 357, 52, 61, 5, + 357, 357, 240, 357, 357, 304, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 260, 28, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 261, + 357, 357, 357, 153, 357, 357, 357, 357, 357, 357, + + 357, 357, 190, 357, 198, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 300, 357, 357, 357, 357, 357, + 357, 357, 357, 357, 357, 357, 357, 357, 357, 357, + 357, 357, 326, 357, 357, 268, 357, 357, 357, 357, + 357, 301, 357, 357, 357, 357, 357, 357, 302, 357, + 357, 
357, 266, 357, 269, 270, 357, 357, 357, 357, + 357, 267, 271, 0 } ; static const YY_CHAR yy_ec[256] = @@ -779,17 +799,17 @@ static const YY_CHAR yy_meta[41] = 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 } ; -static const flex_int16_t yy_base[3406] = +static const flex_int16_t yy_base[3583] = { 0, 0, 0, 38, 41, 44, 46, 59, 65, 71, 77, - 90, 112, 96, 118, 124, 136, 4333, 3646, 81, 6613, - 6613, 6613, 129, 52, 130, 63, 131, 152, 70, 140, + 90, 112, 96, 118, 124, 136, 3060, 2545, 81, 6961, + 6961, 6961, 129, 52, 130, 63, 131, 152, 70, 140, 149, 156, 57, 88, 76, 173, 175, 95, 197, 145, - 185, 199, 208, 213, 178, 123, 3471, 6613, 6613, 6613, - 107, 3089, 6613, 6613, 6613, 154, 2938, 2734, 6613, 6613, - 6613, 245, 2551, 6613, 6613, 6613, 163, 2380, 6613, 249, - 6613, 253, 148, 2167, 2097, 6613, 6613, 6613, 257, 1895, - 6613, 6613, 6613, 233, 1571, 263, 201, 0, 267, 0, + 185, 199, 208, 213, 178, 123, 2505, 6961, 6961, 6961, + 107, 2460, 6961, 6961, 6961, 154, 2315, 2089, 6961, 6961, + 6961, 245, 2007, 6961, 6961, 6961, 163, 1936, 6961, 249, + 6961, 253, 148, 1835, 1793, 6961, 6961, 6961, 257, 1696, + 6961, 6961, 6961, 233, 1543, 263, 201, 0, 267, 0, 0, 165, 191, 221, 252, 205, 181, 265, 92, 261, 216, 263, 271, 272, 210, 279, 274, 282, 278, 291, @@ -797,8 +817,8 @@ static const flex_int16_t yy_base[3406] = 317, 311, 315, 319, 321, 331, 327, 332, 336, 322, 339, 337, 346, 345, 347, 348, 353, 351, 357, 284, 358, 359, 369, 360, 380, 365, 381, 379, 375, 366, - 367, 389, 390, 394, 393, 395, 396, 403, 404, 1355, - 419, 1172, 422, 1110, 429, 1014, 912, 433, 781, 437, + 367, 389, 390, 394, 393, 395, 396, 403, 404, 1277, + 419, 1241, 422, 1199, 429, 1020, 925, 433, 779, 437, 441, 0, 433, 705, 447, 479, 287, 452, 411, 445, 426, 446, 447, 448, 449, 450, 451, 453, 452, 456, 470, 234, 463, 473, 481, 479, 476, 483, 486, 487, 
@@ -806,738 +826,776 @@ static const flex_int16_t yy_base[3406] = 488, 489, 491, 492, 501, 500, 502, 505, 508, 510, 511, 460, 509, 513, 527, 515, 516, 519, 538, 529, 540, 543, 539, 548, 555, 400, 550, 551, 558, 553, - 560, 561, 569, 562, 565, 566, 567, 570, 572, 574, - 576, 579, 578, 582, 577, 590, 591, 585, 595, 594, - 606, 601, 608, 604, 605, 362, 607, 611, 615, 623, - 612, 627, 613, 614, 629, 633, 640, 641, 636, 622, - 637, 639, 643, 644, 646, 648, 647, 656, 660, 659, - 663, 667, 657, 665, 669, 671, 673, 649, 682, 675, - 684, 688, 680, 683, 690, 692, 694, 696, 695, 699, + 560, 561, 571, 562, 566, 567, 570, 569, 573, 577, + 574, 580, 578, 583, 584, 598, 595, 585, 601, 586, + 594, 596, 612, 602, 611, 362, 607, 610, 619, 624, + 609, 627, 620, 623, 629, 634, 631, 641, 636, 639, + 640, 642, 644, 643, 646, 647, 648, 656, 659, 660, + 664, 667, 657, 668, 658, 670, 673, 674, 683, 675, + 685, 679, 689, 688, 690, 692, 694, 696, 695, 697, - 697, 700, 708, 704, 713, 712, 721, 716, 722, 719, - 731, 732, 727, 717, 728, 729, 733, 736, 730, 740, - 738, 741, 745, 743, 750, 752, 760, 755, 756, 771, - 763, 766, 762, 773, 774, 769, 775, 793, 798, 799, - 786, 800, 801, 804, 803, 805, 807, 808, 809, 818, - 811, 823, 815, 824, 825, 829, 836, 834, 6613, 831, - 833, 847, 848, 849, 852, 765, 856, 858, 839, 868, - 864, 861, 870, 892, 865, 878, 869, 871, 874, 6613, - 887, 880, 916, 882, 889, 902, 904, 900, 903, 905, - 914, 907, 933, 850, 909, 924, 940, 936, 925, 937, + 700, 703, 708, 704, 713, 714, 721, 719, 724, 717, + 726, 733, 728, 729, 730, 731, 734, 736, 732, 737, + 738, 742, 745, 743, 753, 754, 755, 759, 758, 774, + 763, 764, 771, 784, 765, 767, 769, 775, 796, 785, + 798, 799, 800, 803, 804, 801, 808, 807, 809, 811, + 823, 813, 820, 826, 827, 829, 830, 837, 832, 6961, + 834, 836, 848, 847, 850, 853, 843, 859, 860, 839, + 870, 866, 863, 881, 903, 867, 871, 873, 876, 872, + 6961, 893, 883, 927, 885, 889, 911, 895, 907, 913, + 916, 909, 914, 921, 923, 917, 920, 944, 945, 935, - 939, 942, 
943, 952, 948, 950, 951, 953, 961, 956, - 960, 964, 968, 962, 971, 972, 975, 977, 983, 974, - 980, 990, 973, 993, 994, 995, 997, 996, 1007, 1004, - 1000, 1001, 1015, 1014, 1028, 1017, 1026, 1027, 1030, 1029, - 1035, 1036, 1039, 1041, 1042, 1043, 1044, 1054, 1046, 1049, - 1051, 1053, 1057, 1059, 1061, 1063, 1066, 1065, 1067, 1071, - 1069, 1078, 1080, 1074, 1086, 1076, 6613, 1088, 6613, 1082, - 1091, 1092, 1090, 1097, 1093, 1094, 6613, 1096, 1100, 1104, - 1105, 1115, 1108, 1126, 1107, 1121, 1122, 1125, 1123, 1127, - 1138, 1129, 1131, 1145, 1136, 1141, 1140, 1143, 1144, 1147, + 936, 947, 952, 951, 959, 960, 954, 958, 963, 971, + 964, 967, 973, 982, 972, 969, 975, 976, 877, 984, + 993, 994, 995, 981, 988, 999, 1001, 1002, 1009, 1032, + 1011, 1012, 1020, 1006, 1014, 1028, 1026, 1024, 1034, 1033, + 1035, 1007, 1041, 1039, 1044, 1051, 1048, 1054, 1063, 1058, + 1059, 1060, 1064, 1065, 1066, 1068, 1071, 1072, 1073, 1076, + 1077, 1083, 1084, 1088, 1092, 1078, 1093, 1086, 6961, 1100, + 6961, 1095, 1098, 1102, 1103, 1104, 1105, 1107, 1109, 6961, + 1111, 1114, 1113, 1120, 1124, 1117, 1128, 1130, 1136, 1137, + 1138, 1139, 1140, 1142, 1149, 1144, 1154, 1152, 1147, 1158, - 1151, 1153, 1154, 1155, 1156, 1175, 6613, 1157, 1165, 1167, - 1159, 1168, 1182, 1187, 1173, 1185, 1193, 1197, 1205, 1198, - 1200, 1204, 1179, 1203, 1160, 1208, 1214, 1211, 1217, 1219, - 1218, 1220, 1222, 1221, 1224, 1225, 1232, 6613, 1235, 1241, - 1246, 1253, 1236, 1239, 1249, 1251, 1252, 1255, 1256, 1257, - 1259, 517, 1258, 1263, 1275, 1264, 1277, 1272, 1228, 1274, - 1278, 1280, 1279, 1281, 1283, 1292, 1289, 1295, 1304, 1307, - 1306, 1309, 1316, 1318, 1298, 1311, 1321, 1315, 1313, 1314, - 1325, 1326, 1327, 1329, 1330, 1339, 1336, 1335, 1337, 1338, - 1343, 1341, 1345, 1346, 1347, 1349, 1360, 1357, 1358, 1365, + 1156, 1159, 1115, 1160, 1162, 1166, 1167, 1168, 1169, 1188, + 6961, 1172, 1174, 1175, 1181, 1179, 1186, 1184, 1193, 1201, + 1203, 1211, 1205, 1213, 1215, 1212, 1217, 1173, 1219, 1223, + 1225, 1228, 1229, 
1231, 1232, 1234, 1235, 1237, 1238, 1240, + 1239, 1247, 1250, 1251, 6961, 1252, 1254, 1255, 1268, 1263, + 1264, 1267, 1269, 1270, 1271, 1272, 1274, 1278, 517, 1273, + 1291, 1288, 1284, 1298, 1293, 1294, 1295, 1299, 1301, 1300, + 1302, 1304, 1313, 1310, 1316, 1325, 1328, 1327, 1330, 1337, + 1339, 1319, 1332, 1342, 1336, 1334, 1335, 1346, 1347, 1348, + 1350, 1351, 1360, 1356, 1357, 1359, 1358, 1364, 1365, 1367, - 1361, 1370, 1364, 1359, 1378, 1380, 1367, 1374, 6613, 1390, - 1287, 1388, 1392, 1393, 1394, 1395, 1386, 1387, 1399, 1401, - 1403, 1404, 1410, 1407, 1411, 1412, 1413, 1415, 1423, 1419, - 1426, 1434, 1433, 1435, 1420, 1437, 1439, 1441, 1448, 1445, - 1449, 1452, 1421, 1453, 1462, 1454, 1457, 1459, 1469, 1447, - 1465, 1468, 1471, 1475, 1477, 1480, 1487, 1482, 1485, 1502, - 1488, 1472, 1493, 1486, 1504, 1492, 1499, 1503, 1507, 1508, - 1515, 1512, 1511, 1514, 1518, 1513, 1519, 1522, 1524, 1536, - 1523, 1532, 1527, 1535, 1541, 1525, 1540, 1542, 1547, 1548, - 1550, 1549, 1551, 1553, 1558, 1559, 1562, 1561, 1564, 1568, + 1362, 1368, 1370, 1372, 1374, 1381, 1379, 1385, 1390, 1386, + 1391, 1387, 1380, 1395, 1403, 1397, 1406, 6961, 1413, 1308, + 1409, 1410, 1415, 1416, 1417, 1418, 1423, 1424, 1425, 1427, + 1426, 1429, 1430, 1433, 1435, 1437, 1440, 1442, 1450, 1445, + 1455, 1462, 1461, 1443, 1447, 1457, 1463, 1467, 1466, 1474, + 1470, 1479, 1478, 1469, 1482, 1489, 1480, 1484, 1486, 1496, + 1476, 1492, 1498, 1499, 1507, 1502, 1504, 1510, 1518, 1514, + 1515, 1522, 1523, 1500, 1527, 1517, 1531, 1532, 1534, 1535, + 1537, 1538, 1545, 1540, 1542, 1546, 1547, 1541, 1548, 1554, + 1549, 1569, 1555, 1560, 1565, 1568, 1570, 1571, 1572, 1578, - 1570, 1574, 1576, 1577, 1579, 1580, 1588, 1581, 1590, 1591, - 1592, 1594, 1595, 1602, 1604, 1598, 1608, 1605, 1611, 1610, - 1613, 1614, 1616, 1617, 1622, 1623, 1624, 6613, 1629, 1636, - 1631, 1634, 1632, 1637, 1639, 1646, 1641, 1643, 1642, 1645, - 1647, 1671, 6613, 1653, 6613, 6613, 1652, 6613, 6613, 1654, - 1655, 6613, 1658, 1656, 1659, 
1674, 1681, 1684, 1666, 1679, - 1672, 1687, 1694, 1708, 1695, 1692, 1696, 1698, 1699, 1701, - 1706, 1703, 1689, 1716, 1725, 1730, 1731, 1717, 1719, 1732, - 1735, 1739, 1740, 1742, 1746, 1748, 1749, 1733, 1751, 1753, - 1756, 1754, 1757, 1759, 1763, 1764, 1760, 1767, 1766, 1776, + 1573, 1579, 1580, 1581, 1583, 1592, 1584, 1582, 1593, 1594, + 1601, 1595, 1603, 1602, 1604, 1611, 1610, 1614, 1615, 1605, + 1616, 1620, 1626, 1627, 1628, 1631, 1630, 1635, 1638, 1636, + 1640, 1642, 1648, 1649, 1650, 1652, 1633, 1656, 1659, 1664, + 1667, 1661, 6961, 1657, 1675, 1651, 1673, 1674, 1653, 1679, + 1687, 1680, 1682, 1683, 1684, 1685, 1710, 6961, 1691, 6961, + 6961, 1690, 6961, 6961, 1693, 1692, 6961, 1694, 1695, 1708, + 1699, 1713, 1716, 1720, 1718, 1711, 1721, 1733, 1742, 1728, + 1734, 1726, 1735, 1751, 1738, 1752, 1740, 1750, 1758, 1759, + 1757, 1764, 1771, 1766, 1775, 1768, 1779, 1777, 1780, 1786, - 1780, 1769, 1787, 6613, 1784, 1796, 1797, 1793, 1800, 1792, - 1799, 1801, 1772, 1783, 1802, 1803, 1806, 1807, 1804, 1808, - 1812, 1816, 1817, 1819, 1829, 1836, 1813, 6613, 1825, 1833, - 1820, 1818, 1837, 1835, 1840, 1839, 1841, 1843, 1847, 1855, - 1850, 1848, 1856, 1858, 1857, 1859, 1861, 6613, 1868, 1874, - 1862, 1871, 1865, 1869, 1878, 1879, 1880, 1882, 1884, 1888, - 1885, 1887, 1896, 1893, 1897, 1894, 1904, 1899, 1908, 1910, - 1912, 1914, 1916, 1917, 1919, 1920, 1921, 1923, 1924, 1932, - 1935, 1931, 1936, 1933, 1928, 1952, 1955, 1950, 1938, 1939, - 1953, 1941, 1960, 1969, 1964, 1956, 1965, 1972, 1968, 1971, + 1787, 1791, 1793, 1788, 1794, 1797, 1796, 1798, 1799, 1802, + 1804, 1723, 1805, 1808, 1809, 1810, 1818, 1815, 1823, 1830, + 6961, 1828, 1831, 1827, 1840, 1836, 1843, 1811, 1838, 1839, + 1849, 1851, 1845, 1842, 1852, 1854, 1855, 1856, 1859, 1861, + 1864, 1867, 1865, 1869, 1872, 1870, 6961, 1877, 1878, 1871, + 1879, 1881, 1882, 1883, 1891, 1892, 1893, 1894, 1904, 1896, + 1899, 1897, 1901, 1906, 1908, 1909, 1911, 6961, 1916, 1924, + 1913, 1921, 1919, 1925, 1928, 1929, 1930, 
1933, 1931, 1935, + 1937, 1938, 1947, 1943, 1944, 1946, 1949, 1953, 1958, 1961, + 1959, 1960, 1971, 1963, 1966, 1972, 1974, 1975, 1976, 1977, - 1973, 1975, 1976, 1983, 1981, 1985, 1986, 1979, 1984, 1990, - 1993, 6613, 1997, 1999, 6613, 1998, 2000, 2002, 2024, 2005, - 2003, 2010, 2009, 2014, 2015, 2016, 2018, 2017, 2028, 2044, - 2037, 2034, 2047, 2026, 2049, 2050, 2052, 2053, 2055, 2056, - 2059, 2030, 2060, 2072, 2075, 2074, 2082, 2084, 2058, 2071, - 2061, 2091, 2081, 2083, 2086, 2089, 2094, 2098, 2096, 2102, - 2087, 2107, 2108, 2115, 2113, 2119, 2112, 2120, 2114, 2122, - 2123, 2125, 6613, 2134, 2135, 2129, 2137, 2133, 2147, 2139, - 2140, 6613, 2143, 2149, 2150, 2157, 2153, 2154, 2155, 2156, - 2161, 2163, 2165, 2169, 2170, 2168, 2164, 2186, 6613, 2171, + 1978, 1980, 1985, 1990, 1987, 1995, 1988, 1991, 1998, 2009, + 2004, 1993, 2005, 2010, 2006, 2013, 2022, 2024, 2020, 2019, + 2021, 2032, 2028, 2030, 2031, 2033, 2036, 2041, 2042, 2043, + 2044, 2046, 2050, 2051, 2053, 6961, 2055, 2059, 6961, 2058, + 2060, 2061, 2083, 2062, 2065, 2066, 2075, 2064, 2087, 2078, + 2076, 2095, 2084, 2102, 2097, 2103, 2105, 2107, 2108, 2112, + 2110, 2111, 2114, 2116, 2118, 2120, 2128, 2137, 2138, 2140, + 2134, 2142, 2119, 2143, 2067, 2163, 2144, 2145, 2146, 2147, + 2148, 2152, 2153, 2151, 2154, 2155, 2165, 2170, 2172, 2173, + 2175, 2158, 2179, 2180, 2181, 2191, 2188, 2185, 6961, 2200, - 6613, 2182, 2172, 2184, 2185, 2188, 2189, 2190, 2193, 6613, - 6613, 2197, 2191, 2207, 2211, 2201, 2194, 2212, 6613, 2213, - 2220, 6613, 2217, 2223, 2216, 2215, 2222, 2224, 2227, 2228, - 2237, 2232, 2239, 2234, 2236, 2244, 6613, 2245, 2246, 2250, - 2251, 2247, 2253, 2254, 2260, 2257, 6613, 2264, 2261, 2266, - 2274, 2276, 2271, 2273, 2278, 2282, 2279, 2284, 2285, 2286, - 2287, 2294, 2296, 2293, 2299, 2301, 2308, 6613, 2292, 2295, - 2313, 2309, 2312, 2316, 2317, 2318, 2319, 2320, 2321, 2322, - 2327, 2328, 2329, 2330, 2337, 2340, 2335, 2339, 2343, 2345, - 2347, 2348, 2355, 2352, 2353, 2354, 2356, 6613, 2357, 
2359, + 2193, 2197, 2201, 2202, 2209, 2207, 2204, 6961, 2208, 2210, + 2211, 2220, 2213, 2218, 2221, 2224, 2225, 2228, 2229, 2231, + 2233, 2230, 2232, 2251, 6961, 2234, 6961, 2238, 2235, 2253, + 2243, 2246, 2247, 2254, 2256, 2259, 6961, 6961, 2263, 2257, + 2270, 2273, 2278, 2274, 2275, 2276, 6961, 2277, 2285, 6961, + 2287, 2292, 2280, 2281, 2282, 2286, 2296, 2297, 2305, 2300, + 2308, 2303, 2306, 2307, 6961, 2313, 2316, 2310, 2317, 2323, + 2324, 2325, 2327, 2330, 2326, 6961, 2333, 2329, 2336, 2343, + 2347, 2341, 2344, 2348, 2352, 2349, 2354, 2355, 2356, 2357, + 2364, 2366, 2369, 2371, 2372, 2374, 2378, 2385, 6961, 2381, - 2363, 2366, 2365, 171, 2369, 2367, 2372, 2374, 2377, 2388, - 2375, 2396, 2397, 2378, 2393, 2399, 2400, 2389, 2392, 2402, - 2404, 2408, 2409, 2410, 2411, 6613, 2413, 2414, 2415, 2417, - 2418, 2420, 2429, 6613, 2422, 2435, 2437, 2439, 2444, 2441, - 2446, 2431, 2447, 2452, 2453, 2454, 2456, 2457, 2460, 2459, - 2463, 6613, 2467, 2464, 2471, 2472, 2475, 2477, 2478, 2479, - 2483, 2484, 2485, 2486, 2488, 2490, 2489, 2491, 2493, 2499, - 2500, 2496, 2504, 2509, 2506, 2507, 2510, 2513, 2514, 2519, - 2517, 6613, 2529, 2520, 2527, 2525, 2528, 2530, 2531, 2538, - 2553, 2540, 2542, 2544, 2554, 2560, 2545, 2562, 2549, 2563, + 2380, 2382, 2390, 2387, 2389, 2391, 2394, 2393, 2395, 2396, + 2401, 2397, 2405, 2406, 2407, 2409, 2418, 2421, 2416, 2417, + 2426, 2413, 2420, 2423, 2427, 2365, 2429, 2430, 2433, 2436, + 6961, 2437, 2441, 2438, 2443, 2444, 2442, 171, 2450, 2451, + 2453, 2454, 2458, 2469, 2455, 2463, 2476, 2471, 2472, 2478, + 2474, 2481, 2482, 2483, 2484, 2473, 2486, 2485, 2489, 6961, + 2491, 2497, 2494, 2498, 2501, 2502, 2504, 6961, 2506, 2514, + 2516, 2525, 2519, 2503, 2527, 2528, 2531, 2529, 2532, 2533, + 2534, 2535, 2536, 2542, 2539, 6961, 2544, 2551, 2554, 2541, + 2555, 2562, 2548, 2563, 2564, 2565, 2568, 2567, 2569, 2573, - 2567, 2566, 2576, 2577, 2580, 2586, 2574, 2588, 2591, 2578, - 2581, 2584, 2590, 2592, 2600, 2601, 2608, 2609, 2606, 2612, - 2604, 
2621, 2615, 2627, 2633, 2623, 6613, 2632, 2625, 2617, - 2637, 2644, 2639, 2641, 2642, 2645, 2649, 2650, 2651, 2652, - 2660, 2655, 2653, 2657, 2662, 2664, 2665, 2668, 2672, 2673, - 2676, 2680, 2677, 2683, 2421, 6613, 2684, 2686, 2685, 2688, - 2694, 2689, 2696, 2699, 2701, 2702, 2703, 2708, 2705, 2710, - 2711, 2712, 2718, 2605, 2714, 6613, 2716, 2715, 2721, 2720, - 2728, 2729, 2735, 2736, 2738, 2741, 2744, 2745, 2746, 2747, - 2748, 6613, 2756, 2757, 2753, 2765, 2755, 2760, 2762, 2767, + 2570, 2572, 2574, 2575, 2583, 2594, 2577, 2586, 2587, 2590, + 2591, 2595, 2599, 2600, 2601, 2608, 2603, 6961, 2615, 2604, + 2612, 2613, 2611, 2614, 2617, 2620, 2634, 2624, 2627, 2629, + 2635, 2644, 2637, 2638, 2646, 2654, 2651, 2639, 2664, 2660, + 2661, 2668, 2659, 2670, 2672, 2662, 2673, 2684, 2674, 2676, + 2681, 2679, 2685, 2694, 2695, 2687, 2697, 2698, 2690, 2700, + 2702, 2712, 2717, 2707, 6961, 2719, 2709, 2720, 2721, 2728, + 2725, 2726, 2731, 2729, 2732, 2733, 2735, 2737, 2745, 2746, + 2744, 2742, 2749, 2753, 2755, 2757, 2760, 2759, 2740, 2768, + 2762, 2764, 2771, 2772, 6961, 2775, 2776, 2780, 2782, 2784, - 2768, 6613, 2769, 832, 2770, 2771, 2772, 2780, 2781, 2776, - 6613, 2783, 2778, 2784, 2786, 2789, 2793, 2790, 2796, 2794, - 2799, 2800, 2805, 2803, 2809, 2811, 6613, 2812, 2821, 2817, - 2813, 2819, 2823, 2825, 2826, 2828, 2829, 2843, 2834, 6613, - 2852, 2847, 2839, 2855, 2842, 2830, 2853, 2857, 2858, 2859, - 2860, 2864, 2865, 6613, 2867, 2866, 2868, 2872, 2870, 2875, - 2876, 2888, 2878, 2879, 2883, 2887, 2889, 2891, 2894, 2896, - 2900, 2901, 2906, 2907, 2909, 2911, 2892, 2913, 2922, 2923, - 2918, 2926, 2921, 2928, 2929, 2930, 2937, 2939, 2940, 2941, - 2945, 6613, 2948, 2949, 2943, 2936, 2951, 2955, 2956, 2957, + 2785, 2787, 2788, 2790, 2792, 2793, 2794, 2797, 2798, 2800, + 2801, 2802, 2809, 2806, 2807, 2808, 2812, 6961, 2820, 2819, + 2821, 2824, 2827, 2825, 2831, 2837, 2839, 2828, 2841, 2835, + 2842, 2843, 2845, 6961, 2855, 2857, 2847, 2854, 2862, 2860, + 2861, 2863, 2865, 
2866, 6961, 2867, 2870, 2868, 2875, 2871, + 2873, 2882, 2883, 2879, 6961, 2887, 2884, 2889, 2892, 2893, + 2894, 2895, 2899, 2897, 2901, 2902, 2906, 2915, 2907, 2916, + 6961, 2903, 2924, 2910, 2925, 2919, 2929, 2931, 2932, 2933, + 2935, 2937, 2940, 6961, 2942, 2945, 2948, 2957, 2952, 2953, + 2955, 2958, 2960, 2962, 2961, 2964, 2966, 6961, 2968, 2967, - 2958, 2960, 2962, 2961, 2965, 2967, 2974, 2978, 2975, 2981, - 2983, 2984, 2976, 2987, 2988, 2989, 2990, 2997, 2993, 2994, - 3005, 2996, 3000, 3010, 3011, 3012, 3013, 3014, 3021, 3001, - 3019, 3016, 3023, 3018, 3024, 3027, 3029, 3041, 3042, 3044, - 3025, 3036, 3046, 3049, 6613, 3052, 3053, 3050, 3054, 3056, - 3061, 3057, 3069, 3064, 3067, 3066, 3073, 3078, 3075, 3076, - 3081, 3083, 3091, 3087, 6613, 3084, 6613, 3088, 3092, 3098, - 3106, 3093, 6613, 3105, 6613, 3107, 3112, 3101, 3108, 6613, - 3115, 3096, 3114, 3119, 3121, 3122, 3125, 3126, 3127, 3128, - 3130, 3132, 3133, 3134, 3135, 3137, 3140, 3142, 3146, 3147, + 2970, 2974, 2972, 2977, 2978, 2989, 2984, 2987, 2990, 2991, + 2992, 2993, 2994, 2999, 3010, 3001, 2998, 3000, 3002, 3014, + 3012, 3019, 3018, 3022, 3026, 3030, 3025, 3031, 3034, 3029, + 3036, 3037, 3040, 3047, 3048, 3049, 3050, 3053, 6961, 3056, + 3057, 3059, 3044, 3060, 3063, 3064, 3066, 3069, 3065, 3067, + 3071, 3074, 3078, 3087, 3090, 3080, 3082, 3091, 3092, 3093, + 3094, 3095, 3096, 3101, 3104, 3103, 3105, 3106, 3113, 3109, + 3112, 3121, 3117, 3120, 3122, 3123, 3124, 3126, 3127, 3129, + 3130, 3134, 3133, 3135, 3138, 3146, 3156, 3153, 3147, 3149, + 3157, 3159, 3161, 6961, 3160, 3164, 3168, 3165, 3170, 3174, - 3153, 3145, 3156, 3157, 3161, 3163, 3164, 3165, 3166, 6613, - 3170, 3167, 3172, 3173, 3175, 3178, 3179, 3181, 3182, 3185, - 3191, 3188, 3190, 3201, 3194, 3197, 3204, 3209, 3212, 3219, - 3205, 3220, 6613, 3215, 3222, 3187, 3226, 6613, 3218, 3216, - 3227, 3230, 3233, 3234, 3235, 3236, 3237, 3241, 3242, 3243, - 3255, 3251, 3244, 3253, 6613, 3248, 3260, 3246, 3264, 3269, - 3276, 3280, 3277, 3278, 3283, 
3281, 3285, 3286, 3287, 3288, - 3289, 3291, 3298, 3301, 3297, 3306, 3293, 3303, 3311, 3312, - 3296, 3304, 3313, 3315, 3318, 3320, 3319, 3321, 3262, 3323, - 3322, 6613, 3326, 3327, 3330, 3342, 3328, 3331, 3335, 3340, + 3171, 3181, 3177, 3182, 3190, 3188, 3187, 3194, 3179, 3189, + 3196, 3197, 3206, 3202, 6961, 3203, 6961, 3204, 3208, 3209, + 3218, 3211, 6961, 3215, 6961, 3216, 3223, 3220, 3224, 3226, + 6961, 3227, 3228, 3232, 3229, 3233, 3234, 3239, 3237, 3241, + 3243, 3245, 3246, 3255, 3244, 3250, 3251, 3257, 3266, 3256, + 3261, 3263, 3269, 3272, 3274, 3273, 3280, 3275, 3282, 3283, + 3285, 3286, 3287, 6961, 3291, 3295, 3296, 3299, 3300, 3288, + 3303, 3302, 3310, 3307, 3311, 3308, 3314, 3315, 3319, 3320, + 3323, 3325, 3331, 3336, 3343, 3326, 3344, 6961, 3339, 3348, + 3330, 3350, 6961, 3352, 3327, 3354, 3358, 3360, 3361, 3362, - 3344, 6613, 3350, 3351, 3352, 3356, 3358, 3345, 3353, 3361, - 3362, 3363, 3364, 3366, 3369, 3370, 6613, 3374, 6613, 3375, - 3384, 3377, 3383, 3390, 3388, 3392, 3397, 3391, 3393, 3398, - 3405, 3399, 3401, 3407, 3408, 3411, 3413, 3415, 3425, 3414, - 3419, 3421, 3426, 3428, 3436, 3433, 3429, 6613, 6613, 3431, - 3437, 3442, 3445, 3448, 3446, 3449, 3453, 3447, 3454, 3458, - 3459, 3469, 6613, 3460, 3466, 3467, 3470, 3482, 3473, 3484, - 3486, 3485, 3478, 3493, 3488, 6613, 3495, 3496, 3503, 3498, - 3499, 3506, 6613, 3501, 6613, 3504, 3505, 3512, 3507, 3513, - 3514, 3517, 3518, 3522, 3525, 3534, 3529, 3536, 3530, 3533, + 3363, 3364, 3367, 3368, 3369, 3370, 3378, 3381, 3384, 6961, + 3382, 3390, 3371, 3394, 3393, 3404, 3405, 3401, 3407, 3409, + 3417, 3413, 3402, 3412, 3400, 3414, 3420, 3422, 3427, 3431, + 3424, 3432, 3428, 3433, 3436, 3437, 3439, 3440, 3443, 3441, + 3444, 3445, 3449, 3446, 3447, 3448, 3340, 3450, 3466, 6961, + 3453, 3455, 3468, 3476, 3454, 3471, 3475, 3477, 3478, 6961, + 3480, 3482, 3483, 3484, 3485, 3489, 3492, 3490, 3493, 3494, + 3497, 3498, 3501, 3500, 6961, 3507, 6961, 3508, 3515, 3520, + 3524, 3509, 3517, 3525, 3530, 3526, 3531, 
3532, 3538, 3540, + 3534, 3536, 3542, 3543, 3546, 3547, 3554, 3560, 3557, 3549, - 3537, 3539, 3540, 3547, 3544, 3545, 3546, 6613, 3549, 3552, - 3554, 3555, 3557, 3563, 3565, 3559, 6613, 3567, 3570, 3569, - 3571, 3578, 3575, 3579, 3580, 3584, 3587, 3585, 3588, 3590, - 6613, 3589, 3593, 3603, 3595, 3596, 3598, 3606, 3609, 3611, - 6613, 3615, 3616, 3623, 3619, 3621, 3622, 3626, 3627, 3628, - 3630, 3631, 3632, 3634, 3635, 3640, 3636, 3638, 3645, 3641, - 3653, 3655, 3642, 3663, 3670, 3656, 6613, 3659, 3666, 3668, - 3669, 3671, 3672, 3674, 3680, 3682, 3676, 3691, 3692, 3683, - 3687, 3695, 3697, 3705, 3700, 6613, 3712, 3698, 3713, 3702, - 3711, 3710, 3715, 3717, 3719, 3721, 3720, 3723, 3724, 3726, + 3561, 3563, 3565, 3566, 3573, 3570, 3568, 6961, 6961, 3571, + 3576, 3577, 3583, 3584, 3585, 3587, 3589, 3592, 3591, 3595, + 3600, 3611, 6961, 3603, 3604, 3606, 3607, 3608, 3620, 3613, + 3624, 3621, 3625, 3626, 3633, 3629, 6961, 3632, 3634, 3642, + 3637, 3638, 3645, 6961, 3375, 6961, 3643, 3644, 3646, 3649, + 3651, 3655, 3653, 3658, 3659, 3654, 3660, 3670, 3677, 3679, + 3675, 3681, 3676, 3682, 3678, 3684, 3685, 3692, 3687, 3689, + 3690, 6961, 3694, 3695, 3699, 3701, 3702, 3707, 3711, 3704, + 3710, 6961, 3714, 3717, 3718, 3719, 3720, 3724, 3727, 3728, + 3729, 3737, 3730, 3732, 3738, 3741, 6961, 3742, 3734, 3749, - 3738, 3730, 3733, 3729, 3734, 3745, 3737, 6613, 3752, 3748, - 3740, 3756, 3750, 3759, 3766, 3763, 3764, 3765, 3768, 3769, - 3770, 3773, 3775, 3776, 3779, 3780, 6613, 6613, 3782, 3783, - 3785, 6613, 3787, 3788, 3798, 3790, 3791, 3799, 3803, 3802, - 3801, 3804, 3806, 3807, 6613, 3813, 3821, 3816, 3817, 3825, - 3820, 6613, 3826, 3834, 3830, 3833, 3831, 3835, 3837, 3839, - 3841, 3842, 3843, 3846, 3854, 3858, 3850, 3849, 3853, 6613, - 3859, 3861, 3862, 3866, 3863, 3871, 6613, 3868, 3872, 3874, - 3878, 3880, 3891, 3877, 3885, 3893, 3888, 3894, 3895, 3897, - 3898, 3899, 3906, 3905, 3907, 3904, 3910, 3913, 6613, 3915, + 3745, 3747, 3752, 3756, 3759, 3764, 6961, 3766, 3751, 
3773, + 3769, 3770, 3772, 3775, 3776, 3777, 3779, 3780, 3781, 3783, + 3784, 3789, 3785, 3787, 3794, 3790, 3802, 3804, 3791, 3812, + 3819, 3805, 6961, 3808, 3815, 3817, 3818, 3820, 3821, 3823, + 3829, 3831, 3825, 3840, 3841, 3832, 3836, 3843, 3847, 3844, + 3855, 3851, 6961, 3856, 3852, 3865, 3858, 3860, 3866, 3862, + 3867, 3868, 3872, 3874, 3875, 3876, 3877, 3878, 3883, 3886, + 3890, 3891, 3892, 3893, 3900, 3895, 6961, 3907, 3884, 3897, + 3914, 3908, 3905, 3923, 3918, 3921, 3922, 3925, 3926, 3928, + 3930, 3931, 3932, 3935, 3936, 6961, 6961, 3938, 3939, 3940, - 3916, 3921, 3923, 6613, 3926, 3934, 3935, 6613, 3936, 3931, - 3937, 3938, 3945, 6613, 3940, 3943, 3944, 3946, 3954, 3951, - 3955, 3953, 3958, 3959, 3962, 6613, 3963, 3960, 3961, 6613, - 3965, 3969, 3977, 3981, 3967, 3988, 3983, 3985, 3986, 3984, - 6613, 3991, 6613, 3994, 3995, 3998, 6613, 4000, 4001, 4003, - 4005, 4002, 4009, 4010, 4016, 4018, 4006, 4020, 4021, 4022, - 4023, 4025, 4034, 4024, 4031, 4032, 4033, 6613, 4036, 4035, - 4043, 4038, 4044, 4046, 4049, 4051, 4054, 4056, 6613, 6613, - 4063, 6613, 4057, 4064, 4065, 6613, 4067, 4070, 4074, 4066, - 4075, 4071, 4078, 4079, 6613, 4086, 4088, 6613, 4090, 4091, + 6961, 3942, 3944, 3954, 3945, 3947, 3955, 3957, 3959, 3958, + 3960, 3962, 3968, 3969, 6961, 3977, 3970, 3979, 3978, 3974, + 3988, 3987, 6961, 3980, 3990, 3992, 3995, 3993, 3983, 3996, + 4001, 3997, 4005, 4006, 4007, 4010, 4018, 4019, 4014, 4016, + 4017, 6961, 4020, 4022, 4023, 4026, 4027, 4029, 4030, 6961, + 4035, 4032, 4038, 4041, 4043, 4050, 4042, 4053, 4056, 4057, + 4058, 4060, 4061, 4062, 4063, 4065, 4073, 4059, 4071, 4070, + 4068, 4088, 4089, 4076, 6961, 4084, 4091, 4074, 4096, 6961, + 4098, 4105, 4106, 6961, 4109, 4092, 4108, 4110, 4117, 6961, + 4112, 4115, 4114, 4120, 4116, 4129, 4125, 4133, 4131, 4132, - 4098, 4093, 4094, 4095, 4101, 4096, 4099, 4106, 4107, 4108, - 4109, 4103, 4110, 4111, 6613, 4104, 4112, 4114, 4128, 4122, - 4131, 4133, 4132, 4134, 6613, 4138, 4139, 4142, 4144, 4145, - 6613, 
4146, 6613, 4147, 4148, 4150, 4156, 4153, 6613, 4159, - 4163, 4167, 4164, 4168, 4169, 4170, 4174, 4176, 4178, 4186, - 4182, 4183, 4181, 4201, 4184, 6613, 4185, 4188, 4206, 4207, - 4197, 4189, 4216, 4213, 4215, 4203, 4211, 4223, 4214, 4224, - 4228, 4230, 4231, 4220, 6613, 4232, 4233, 4234, 4243, 4240, - 4245, 4246, 6613, 4247, 4248, 4251, 6613, 4249, 4250, 4257, - 4261, 4263, 4264, 4267, 4265, 4269, 6613, 4268, 4273, 4271, + 4128, 4134, 4137, 6961, 4138, 4135, 4140, 6961, 4143, 4152, + 4156, 4158, 4142, 4165, 4160, 4163, 4161, 4164, 6961, 4169, + 6961, 4172, 4170, 4176, 6961, 4171, 4178, 4179, 4181, 4185, + 4186, 4187, 4193, 4189, 4195, 4197, 4198, 4199, 4200, 4202, + 4209, 4201, 4205, 4208, 4210, 6961, 4211, 4213, 4220, 4217, + 4221, 4225, 4227, 4228, 4230, 4232, 6961, 6961, 4241, 6961, + 4233, 4238, 4242, 4243, 6961, 4246, 4248, 4250, 4247, 4251, + 4253, 4256, 4266, 4136, 6961, 4268, 4269, 6961, 4257, 4271, + 4278, 4273, 4275, 4263, 4276, 4283, 4279, 4260, 4286, 4289, + 4290, 4291, 4292, 4293, 4300, 6961, 4294, 4297, 4295, 4310, - 4272, 4287, 4286, 6613, 6613, 4288, 6613, 4290, 4274, 4278, - 4298, 4275, 4299, 4302, 4303, 4305, 4306, 4309, 4310, 4276, - 4311, 4320, 4317, 4324, 4327, 4328, 4326, 4191, 4331, 6613, - 6613, 4333, 4334, 4336, 4338, 4340, 4342, 4343, 4350, 4347, - 4355, 4358, 4348, 4365, 6613, 4362, 4363, 4364, 4367, 6613, - 4346, 4369, 4370, 4373, 4372, 4376, 4375, 4378, 4379, 4380, - 4382, 4385, 4386, 4390, 4392, 4396, 4397, 4400, 4399, 4403, - 4405, 4407, 6613, 4412, 4408, 4410, 4411, 4413, 4417, 4421, - 4426, 4422, 6613, 4415, 6613, 4428, 4425, 4440, 4431, 4445, - 4447, 4432, 4448, 4449, 4451, 4453, 4456, 4457, 4466, 4458, + 4299, 4304, 4312, 4311, 4313, 6961, 4321, 4323, 4322, 4327, + 4328, 6961, 4329, 6961, 4330, 4334, 4337, 4339, 4331, 4342, + 6961, 4344, 4345, 4352, 4347, 4353, 4354, 4355, 4357, 4361, + 4363, 4364, 4371, 4367, 4369, 4366, 4376, 4377, 6961, 4368, + 4374, 4390, 4391, 4383, 4380, 4386, 4399, 4396, 4398, 4397, + 4402, 4404, 4405, 
4407, 4411, 4413, 4409, 4416, 6961, 4419, + 4420, 4424, 4421, 4431, 4427, 4428, 4433, 6961, 4435, 4436, + 4438, 6961, 4440, 4444, 4446, 4449, 4450, 4451, 4452, 4456, + 4454, 4457, 4458, 4460, 6961, 4462, 4463, 4461, 4477, 4478, + 4467, 6961, 6961, 4480, 6961, 4484, 4466, 4485, 4487, 4488, - 4462, 4467, 4460, 4471, 4477, 4474, 6613, 4478, 4480, 4481, - 4482, 4485, 4487, 4488, 4490, 4491, 4493, 4495, 4497, 4499, - 4504, 4505, 4506, 4508, 4511, 6613, 4512, 4514, 4516, 4521, - 4518, 4523, 4524, 4525, 4532, 4528, 4533, 4537, 6613, 4534, - 4538, 4543, 6613, 4540, 4544, 4546, 4550, 4552, 4545, 4553, - 4555, 4556, 6613, 4563, 4559, 4565, 4566, 4568, 4569, 4424, - 4573, 4575, 4576, 4582, 6613, 4583, 4581, 4589, 4590, 4588, - 4591, 4596, 4592, 4598, 6613, 4601, 4603, 4599, 4611, 4607, - 4615, 4616, 4618, 4610, 4612, 4619, 4620, 4627, 4630, 4631, - 4632, 4643, 4644, 4641, 6613, 4633, 6613, 4642, 4647, 4655, + 4492, 4494, 4495, 4497, 4491, 4498, 4502, 4503, 4507, 6961, + 4510, 4518, 4511, 4522, 4525, 4530, 4523, 4527, 4514, 6961, + 6961, 4532, 4536, 4538, 4540, 4541, 4543, 4528, 4550, 4548, + 4556, 4559, 4549, 4566, 6961, 4561, 4552, 4563, 4564, 6961, + 4545, 4568, 4569, 4571, 4574, 4575, 4578, 4576, 4577, 4580, + 4588, 4581, 4583, 4590, 4589, 4591, 4599, 4597, 4600, 4601, + 4603, 4607, 6961, 4604, 4608, 4610, 4613, 4617, 4618, 4619, + 4620, 4622, 4623, 4630, 6961, 4628, 6961, 4626, 4631, 4646, + 4633, 4636, 4648, 4649, 4650, 4651, 4655, 4657, 4658, 4661, + 4663, 4667, 4662, 4668, 4671, 4673, 4675, 4679, 4683, 4680, - 4656, 4650, 4660, 4658, 4652, 6613, 4654, 4662, 4667, 4664, - 4668, 6613, 4669, 4671, 4673, 4680, 6613, 4682, 4684, 4675, - 4686, 4691, 4693, 6613, 4697, 4699, 4700, 4707, 4709, 4704, - 4711, 4706, 4714, 4712, 4708, 4716, 4717, 4725, 4723, 4721, - 6613, 4727, 4729, 4734, 4736, 4730, 4738, 4728, 4740, 4743, - 4745, 6613, 4746, 4749, 4750, 4752, 4753, 4754, 4755, 4762, - 4759, 4761, 4763, 4764, 4767, 4768, 6613, 4773, 4771, 4775, - 4784, 4626, 4786, 6613, 4781, 
6613, 4777, 4792, 4794, 4776, - 4795, 6613, 6613, 4799, 4804, 4800, 4806, 4801, 6613, 6613, - 4808, 6613, 4809, 6613, 4811, 4813, 6613, 6613, 4814, 4815, + 6961, 4686, 4676, 4688, 4625, 4690, 4693, 4694, 4698, 4699, + 4701, 4695, 4702, 4704, 4706, 4709, 4711, 4712, 4714, 4715, + 6961, 4716, 4719, 4722, 4725, 4726, 4727, 4730, 4735, 4739, + 4743, 4731, 4733, 4745, 6961, 4737, 4746, 4754, 6961, 4749, + 4751, 4756, 4757, 4758, 4760, 4761, 4763, 4767, 4770, 6961, + 4774, 4764, 4771, 4775, 4776, 4777, 4781, 4783, 4786, 4788, + 4790, 4798, 6961, 4799, 4791, 4800, 4802, 4804, 4806, 4810, + 4808, 4811, 6961, 4812, 4815, 4821, 4823, 4828, 4830, 4814, + 4825, 4833, 4834, 4836, 4832, 4842, 4843, 4844, 4845, 4847, + 4849, 4848, 4865, 4866, 4863, 6961, 4850, 6961, 4851, 4852, - 4816, 4817, 4824, 6613, 4831, 6613, 4826, 4832, 4818, 4828, - 4835, 6613, 4836, 4839, 4837, 4844, 4846, 6613, 4838, 4854, - 4843, 4851, 6613, 4853, 4857, 4858, 4862, 6613, 4863, 4868, - 4865, 4869, 4872, 4871, 4873, 4874, 4878, 4879, 4884, 4882, - 4883, 4885, 4894, 4896, 4898, 4900, 4901, 4886, 4905, 4906, - 4908, 4911, 4912, 4914, 4915, 4917, 4918, 4920, 4922, 4925, - 4926, 4676, 4927, 4928, 4930, 4929, 4932, 4941, 4933, 4943, - 4944, 4945, 4946, 4947, 4950, 4951, 4954, 4955, 4959, 4960, - 4962, 6613, 4963, 4957, 4965, 4971, 4973, 4978, 4980, 4990, - 4992, 4993, 6613, 4995, 6613, 4997, 4982, 4999, 4967, 5001, + 4868, 4878, 4873, 4875, 4876, 4880, 4879, 6961, 4881, 4886, + 4888, 4883, 4891, 6961, 4892, 4889, 4893, 4894, 6961, 4907, + 4890, 4896, 4903, 4912, 4913, 6961, 4918, 4919, 4920, 4927, + 4929, 4924, 4931, 4926, 4934, 4932, 4928, 4936, 4937, 4945, + 4943, 4941, 6961, 4947, 4949, 4954, 4956, 4950, 4958, 4948, + 4960, 4963, 4965, 6961, 4966, 4969, 4970, 4972, 4973, 4975, + 4974, 4976, 4983, 4980, 4984, 4982, 4988, 4991, 4993, 4995, + 4997, 6961, 4999, 5001, 5003, 5012, 5005, 5002, 6961, 5009, + 6961, 5014, 5019, 5021, 5022, 5015, 5026, 6961, 6961, 5029, + 5036, 5023, 5032, 5034, 6961, 6961, 5038, 
6961, 5039, 6961, - 6613, 4984, 5002, 5003, 5006, 5005, 5007, 5009, 5008, 5012, - 5013, 5017, 6613, 5022, 5015, 5019, 5023, 5034, 6613, 5035, - 5037, 5024, 5038, 5039, 5040, 5043, 5045, 5048, 5047, 5050, - 5052, 5053, 5054, 5059, 5058, 5068, 5075, 5060, 5062, 5070, - 5071, 5074, 5076, 5080, 5081, 5082, 5088, 5090, 5094, 6613, - 5083, 6613, 5095, 5091, 5097, 5098, 5101, 5099, 5103, 6613, - 6613, 5105, 5108, 5113, 5114, 5115, 5117, 5120, 5121, 5123, - 6613, 5124, 5126, 5135, 5128, 6613, 5132, 5137, 5138, 5143, - 6613, 5140, 5144, 5145, 5151, 5146, 5155, 5156, 5159, 5148, - 5160, 5162, 5167, 6613, 6613, 6613, 6613, 5169, 5163, 5174, + 5040, 5042, 6961, 6961, 5044, 5045, 5046, 5047, 5048, 5051, + 6961, 5056, 6961, 5065, 5060, 5061, 5063, 5064, 5068, 6961, + 5066, 5069, 5070, 5075, 5077, 6961, 5074, 5078, 5094, 5081, + 5089, 6961, 5091, 5092, 5093, 5096, 6961, 5097, 5101, 5102, + 5103, 5106, 5105, 5108, 5109, 5110, 5116, 5117, 5120, 5119, + 5122, 5123, 5127, 5132, 5134, 5136, 5137, 5138, 5140, 5143, + 5146, 5150, 5141, 5148, 5152, 5154, 5155, 5157, 5159, 5160, + 5162, 5166, 5167, 5163, 5170, 5169, 5171, 5180, 5172, 5182, + 5184, 5186, 5188, 5189, 5190, 5193, 5194, 5197, 5198, 5199, + 5196, 5203, 5200, 5207, 5212, 6961, 5205, 5213, 5214, 5216, - 5171, 5175, 5177, 5178, 5180, 5176, 6613, 5190, 6613, 6613, - 5192, 5193, 5181, 5194, 5196, 5183, 5200, 5203, 6613, 5201, - 5205, 5207, 5206, 5214, 5218, 5215, 5208, 5223, 5219, 5224, - 5225, 5228, 5236, 5232, 5233, 5235, 5239, 5241, 5248, 6613, - 6613, 5238, 5253, 5242, 5255, 5256, 5257, 5258, 5265, 5260, - 5263, 5266, 5267, 5269, 5270, 5279, 5280, 5271, 5278, 6613, - 5281, 5284, 5283, 6613, 5285, 6613, 5287, 5293, 5294, 5295, - 5296, 5300, 5301, 5304, 6613, 6613, 5299, 5316, 5314, 6613, - 6613, 5303, 5306, 5311, 5319, 5321, 5315, 5323, 5324, 5336, - 5325, 6613, 5327, 6613, 5329, 5333, 5341, 5331, 5351, 5352, + 5217, 5221, 5224, 5233, 5239, 5240, 6961, 5242, 6961, 5244, + 5228, 5225, 5230, 5247, 6961, 5234, 5248, 5250, 5251, 
5252, + 5253, 5255, 5256, 5259, 5260, 5263, 6961, 5268, 5265, 5258, + 5274, 5270, 6961, 5275, 5282, 5285, 5286, 5287, 5288, 5291, + 5289, 5290, 5293, 5292, 5294, 5297, 5299, 5300, 5310, 5312, + 6961, 5314, 5316, 5323, 5319, 5321, 5322, 5324, 5325, 5326, + 5329, 5327, 5334, 5331, 5343, 5348, 5345, 6961, 5332, 6961, + 5349, 5335, 5352, 5353, 5355, 5356, 5357, 5359, 6961, 6961, + 5362, 5363, 5365, 5367, 5369, 5370, 5372, 5374, 5375, 5376, + 6961, 5379, 5383, 5387, 5393, 5386, 6961, 5395, 5396, 5397, - 5353, 5355, 5350, 5338, 6613, 5348, 5359, 6613, 5366, 5361, - 5363, 5362, 5365, 6613, 5368, 5370, 5374, 5378, 6613, 5382, - 5371, 5379, 6613, 5386, 6613, 5383, 5387, 5389, 5396, 5393, - 6613, 5391, 5397, 6613, 5400, 5407, 5409, 5402, 6613, 5404, - 6613, 5394, 5417, 5418, 5421, 5408, 5425, 5413, 5410, 5427, - 5435, 5431, 5432, 6613, 6613, 5439, 5437, 135, 5444, 5434, - 5440, 5445, 5446, 5453, 5448, 5450, 5456, 6613, 6613, 5458, - 6613, 5451, 5461, 6613, 5449, 5466, 5467, 5462, 5470, 5471, - 5472, 5476, 5478, 5481, 5482, 5483, 5484, 5486, 5502, 5505, - 5487, 5508, 5509, 5511, 5513, 5515, 5517, 5518, 5500, 5498, + 5401, 6961, 5402, 5398, 5404, 5405, 5412, 5403, 5419, 5415, + 5421, 5409, 5423, 5413, 5427, 6961, 6961, 6961, 6961, 5428, + 5424, 5432, 5434, 5436, 5437, 5439, 5442, 5443, 5441, 5438, + 5444, 6961, 5454, 6961, 6961, 5455, 5456, 5457, 5462, 5464, + 5463, 5465, 5468, 6961, 5466, 6961, 5470, 5473, 5469, 5480, + 5486, 5483, 5477, 5490, 5487, 5492, 5491, 5493, 5501, 5498, + 5499, 5502, 5505, 5507, 5513, 6961, 6961, 5508, 5515, 5516, + 5524, 5520, 5522, 5526, 5534, 5529, 5530, 5532, 5531, 5536, + 5537, 5545, 5548, 5538, 5547, 6961, 5549, 5550, 5551, 6961, + 5552, 6961, 5557, 5560, 5561, 5553, 5563, 5568, 5569, 5572, - 5521, 5519, 5522, 5525, 5528, 5529, 6613, 5531, 5536, 5488, - 5532, 6613, 5540, 5537, 5542, 5546, 6613, 5553, 5545, 5547, - 5555, 6613, 5543, 5558, 5559, 5560, 5562, 5565, 5567, 5572, - 5570, 5568, 5574, 6613, 6613, 6613, 5575, 5585, 6613, 5587, - 5579, 
5573, 5588, 6613, 5590, 5591, 5592, 6613, 6613, 5594, - 5596, 5595, 5603, 6613, 5599, 6613, 5601, 6613, 5602, 5608, - 5609, 5612, 6613, 5618, 5614, 5616, 5624, 6613, 5632, 5634, - 5636, 5617, 5620, 5629, 5637, 6613, 5644, 5641, 5645, 5652, - 5639, 5643, 5647, 5649, 5653, 5662, 5658, 5660, 6613, 5661, - 5664, 5667, 5673, 5663, 5666, 5670, 6613, 5675, 6613, 5677, + 5570, 5575, 6961, 6961, 5567, 5587, 5582, 6961, 6961, 5574, + 5583, 5586, 5590, 5584, 5592, 5595, 5594, 5597, 5599, 5596, + 6961, 5601, 6961, 5600, 5602, 5608, 5610, 5619, 5623, 5614, + 5624, 5622, 5625, 5626, 5629, 6961, 5627, 5628, 6961, 5637, + 5639, 5640, 5638, 5646, 5643, 6961, 5647, 5649, 5654, 5656, + 6961, 5660, 5657, 5663, 5662, 6961, 5665, 6961, 5630, 5669, + 5666, 5676, 5672, 6961, 5673, 5679, 6961, 5682, 5686, 5688, + 5689, 5677, 5683, 6961, 5695, 5691, 6961, 5697, 5699, 5700, + 5703, 5704, 5706, 5707, 5708, 5710, 5718, 5714, 5711, 6961, + 6961, 5722, 5723, 135, 5731, 5721, 5727, 5729, 5732, 5739, - 6613, 5678, 5679, 5680, 5687, 5686, 5688, 5689, 5693, 5699, - 5694, 5690, 5701, 5705, 5706, 6613, 6613, 5710, 5712, 6613, - 5713, 6613, 5715, 6613, 5716, 5717, 5719, 5718, 6613, 5721, - 5722, 5728, 5730, 5726, 5729, 6613, 5738, 5731, 5736, 5741, - 6613, 6613, 5743, 5750, 5746, 6613, 5747, 5753, 5757, 5754, - 5759, 5760, 5761, 5762, 5772, 5764, 5765, 5767, 5776, 5773, - 5781, 5786, 5779, 6613, 6613, 6613, 5785, 5790, 5798, 5794, - 5796, 5801, 5791, 6613, 5800, 5803, 5806, 5804, 5813, 5808, - 5815, 6613, 5812, 5816, 5817, 5818, 5820, 5821, 5822, 5827, - 6613, 5829, 5833, 5830, 5837, 5839, 5846, 5848, 5850, 5841, + 5734, 5736, 5742, 6961, 6961, 5743, 6961, 5737, 5750, 6961, + 5735, 5751, 5755, 5746, 5752, 5758, 5761, 5765, 5767, 5768, + 5769, 5770, 5771, 5775, 5792, 5794, 5777, 5774, 5797, 5799, + 5801, 5803, 5805, 5762, 5807, 5789, 5785, 5808, 5810, 5795, + 5813, 5816, 5817, 5819, 6961, 5821, 5824, 5826, 5827, 5828, + 6961, 5831, 5834, 5836, 5838, 6961, 5845, 5840, 5842, 5847, + 5848, 6961, 5832, 
5853, 5855, 5858, 5859, 5860, 5861, 5863, + 5870, 6961, 5867, 5865, 5871, 6961, 6961, 6961, 5876, 5883, + 5873, 6961, 5885, 5877, 5886, 5888, 6961, 5890, 5892, 5893, + 6961, 6961, 6961, 5894, 5895, 5898, 6961, 5896, 5903, 6961, - 5843, 5858, 5855, 6613, 5857, 6613, 6613, 5853, 6613, 5859, - 5861, 5862, 5863, 6613, 5866, 5867, 5868, 5871, 5870, 5873, - 5875, 5877, 6613, 5886, 5878, 5888, 5889, 6613, 6613, 5892, - 6613, 5896, 5897, 5899, 5906, 5903, 5901, 5905, 5911, 6613, - 5908, 5914, 5910, 5917, 5918, 5920, 5921, 6613, 5925, 5922, - 5924, 5926, 6613, 5929, 5934, 5931, 5935, 5938, 6613, 5940, - 5939, 5942, 5952, 6613, 5951, 5955, 5953, 6613, 6613, 5961, - 5963, 5964, 6613, 6613, 6613, 5970, 5967, 5954, 5975, 6613, - 5977, 5981, 5985, 5989, 5980, 6613, 5988, 5990, 5992, 5994, - 5995, 6613, 6613, 5996, 5997, 5998, 6001, 6613, 6613, 6002, + 5902, 6961, 5899, 6961, 5904, 5908, 5917, 5912, 6961, 5910, + 5922, 5923, 5924, 6961, 5927, 5930, 5932, 5933, 5934, 5936, + 5938, 6961, 5945, 5941, 5944, 5948, 5940, 5950, 5951, 5952, + 5953, 5965, 5956, 5961, 6961, 5963, 5964, 5968, 5974, 5966, + 5976, 5977, 6961, 5970, 6961, 5979, 6961, 5980, 5982, 5983, + 5984, 5989, 5986, 5987, 5997, 5994, 6000, 6003, 6001, 6007, + 6008, 6012, 6009, 6961, 6961, 6019, 6015, 6017, 6961, 6014, + 6961, 6023, 6961, 6024, 6026, 6027, 6029, 6031, 6961, 6961, + 6038, 6030, 6039, 6047, 6033, 6043, 6961, 6051, 6044, 6046, + 6054, 6961, 6055, 6961, 6057, 6066, 6059, 6961, 6061, 6068, - 6004, 6006, 6005, 6007, 6613, 6008, 6013, 6020, 6015, 6028, - 6031, 6033, 6021, 6034, 6035, 6043, 6046, 6023, 6038, 6041, - 6045, 6049, 6051, 6056, 6058, 6057, 6060, 6065, 6061, 6066, - 6613, 6613, 6068, 6613, 6073, 6069, 6613, 6613, 6075, 6080, - 6082, 6084, 6086, 6088, 6090, 6092, 6077, 6613, 6093, 6095, - 6096, 6097, 6098, 6613, 6100, 6107, 6099, 6104, 6101, 6110, - 6116, 6613, 6108, 6121, 6613, 6613, 6112, 6122, 6124, 6126, - 6128, 6613, 6129, 6137, 6133, 6134, 6135, 6138, 6136, 6613, - 6142, 6140, 6613, 6613, 6141, 
6143, 6613, 6613, 6144, 6613, - 6613, 6613, 6613, 6613, 6613, 6613, 6613, 6155, 6159, 6613, + 6070, 6063, 6071, 6073, 6074, 6075, 6076, 6086, 6079, 6081, + 6082, 6088, 6089, 6094, 6100, 6105, 6961, 6961, 6961, 6095, + 6090, 6114, 6112, 6113, 6115, 6099, 6961, 6118, 6120, 6121, + 6122, 6130, 6125, 6128, 6961, 6132, 6129, 6131, 6133, 6135, + 6136, 6137, 6139, 6961, 6150, 6152, 6158, 6140, 6154, 6159, + 6161, 6163, 6166, 6170, 6167, 6171, 6178, 6174, 6961, 6176, + 6173, 6961, 6182, 6961, 6177, 6961, 6183, 6184, 6185, 6186, + 6187, 6961, 6191, 6192, 6193, 6195, 6194, 6198, 6200, 6202, + 6961, 6203, 6216, 6211, 6213, 6215, 6961, 6961, 6217, 6223, + 6961, 6225, 6228, 6226, 6235, 6227, 6234, 6237, 6241, 6961, - 6151, 6166, 6168, 6172, 6613, 6153, 6169, 6157, 6163, 6613, - 6173, 6613, 6174, 6175, 6177, 6179, 6180, 6184, 6188, 6189, - 6191, 6190, 6192, 6196, 6193, 6198, 6194, 6200, 6207, 6204, - 6205, 6213, 6613, 6613, 6613, 6214, 6215, 6220, 6222, 6224, - 6226, 6230, 6233, 6234, 6216, 6237, 6238, 6239, 6241, 6242, - 6251, 6246, 6247, 6249, 6256, 6248, 6262, 6613, 6264, 6250, - 6252, 6270, 6613, 6258, 6613, 6267, 6613, 6613, 6275, 6276, - 6272, 6278, 6287, 6288, 6279, 6283, 6284, 6286, 6290, 6613, - 6295, 6613, 6613, 6292, 6298, 6613, 6300, 6301, 6613, 6299, - 6302, 6304, 6308, 6309, 6306, 6310, 6311, 6327, 6613, 6613, + 6243, 6244, 6230, 6245, 6248, 6251, 6252, 6961, 6254, 6255, + 6256, 6257, 6961, 6260, 6259, 6264, 6266, 6267, 6961, 6268, + 6269, 6285, 6283, 6961, 6270, 6291, 6271, 6961, 6961, 6961, + 6293, 6296, 6297, 6961, 6961, 6961, 6961, 6299, 6300, 6261, + 6303, 6961, 6304, 6961, 6307, 6311, 6315, 6317, 6323, 6310, + 6961, 6322, 6324, 6326, 6318, 6328, 6961, 6961, 6329, 6331, + 6332, 6334, 6338, 6335, 6961, 6961, 6340, 6341, 6343, 6344, + 6345, 6961, 6346, 6349, 6357, 6350, 6361, 6367, 6369, 6358, + 6370, 6371, 6378, 6382, 6363, 6374, 6379, 6381, 6385, 6384, + 6392, 6393, 6395, 6397, 6399, 6394, 6402, 6961, 6961, 6405, - 6312, 6317, 6320, 6329, 6331, 6330, 6333, 
6337, 6338, 6340, - 6341, 6350, 6613, 6347, 6348, 6352, 6613, 6354, 6349, 6355, - 6356, 6357, 6365, 6361, 6364, 6613, 6366, 6613, 6370, 6372, - 6373, 6363, 6371, 6374, 6385, 6383, 6379, 6613, 6389, 6393, - 6391, 6395, 6397, 6399, 6400, 6401, 6403, 6406, 6412, 6409, - 6416, 6417, 6413, 6421, 6418, 6613, 6428, 6419, 6613, 6425, - 6429, 6422, 6431, 6435, 6613, 6440, 6433, 6442, 6443, 6446, - 6447, 6613, 6449, 6456, 6451, 6613, 6457, 6613, 6613, 6459, - 6453, 6460, 6466, 6468, 6613, 6613, 6613, 6493, 6500, 6507, - 6514, 6521, 6528, 6535, 88, 6542, 6549, 6556, 6563, 6570, + 6961, 6411, 6406, 6961, 6408, 6961, 6413, 6417, 6419, 6421, + 6961, 6423, 6425, 6428, 6430, 6414, 6961, 6432, 6434, 6436, + 6437, 6431, 6438, 6961, 6445, 6442, 6448, 6439, 6449, 6451, + 6452, 6456, 6961, 6450, 6460, 6961, 6961, 6457, 6464, 6466, + 6468, 6470, 6961, 6471, 6478, 6473, 6476, 6477, 6479, 6482, + 6961, 6480, 6484, 6961, 6961, 6485, 6490, 6961, 6961, 6483, + 6491, 6961, 6961, 6961, 6961, 6961, 6961, 6961, 6961, 6494, + 6500, 6961, 6961, 6495, 6502, 6507, 6961, 6513, 6961, 6504, + 6510, 6514, 6515, 6961, 6516, 6961, 6517, 6520, 6521, 6522, + 6523, 6528, 6532, 6525, 6533, 6534, 6536, 6537, 6539, 6541, - 6577, 6584, 6591, 6598, 6605 + 6542, 6543, 6549, 6546, 6556, 6557, 6558, 6961, 6961, 6961, + 6559, 6560, 6567, 6562, 6569, 6574, 6579, 6582, 6570, 6572, + 6583, 6585, 6588, 6576, 6584, 6597, 6594, 6595, 6598, 6605, + 6596, 6610, 6612, 6961, 6614, 6587, 6600, 6618, 6961, 6606, + 6961, 6615, 6961, 6961, 6623, 6624, 6620, 6626, 6635, 6636, + 6627, 6631, 6632, 6634, 6638, 6961, 6643, 6961, 6961, 6961, + 6640, 6646, 6961, 6648, 6649, 6961, 6647, 6650, 6652, 6656, + 6657, 6654, 6658, 6659, 6675, 6961, 6961, 6660, 6665, 6668, + 6677, 6679, 6678, 6681, 6685, 6686, 6688, 6689, 6698, 6961, + 6695, 6696, 6700, 6961, 6702, 6697, 6703, 6704, 6705, 6713, + + 6709, 6712, 6961, 6714, 6961, 6718, 6720, 6721, 6711, 6719, + 6722, 6733, 6731, 6727, 6961, 6737, 6741, 6739, 6743, 6745, + 6747, 6748, 6749, 6751, 
6754, 6760, 6757, 6764, 6765, 6761, + 6769, 6766, 6961, 6776, 6767, 6961, 6773, 6777, 6770, 6779, + 6783, 6961, 6788, 6781, 6790, 6791, 6794, 6795, 6961, 6797, + 6804, 6799, 6961, 6805, 6961, 6961, 6807, 6801, 6808, 6814, + 6816, 6961, 6961, 6961, 6841, 6848, 6855, 6862, 6869, 6876, + 6883, 88, 6890, 6897, 6904, 6911, 6918, 6925, 6932, 6939, + 6946, 6953 } ; -static const flex_int16_t yy_def[3406] = +static const flex_int16_t yy_def[3583] = { 0, - 3387, 1, 3388, 3388, 3389, 3389, 3390, 3390, 3391, 3391, - 3392, 3392, 3393, 3393, 3394, 3394, 3387, 3395, 3387, 3387, - 3387, 3387, 3396, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3397, 3387, 3387, 3387, - 3397, 3398, 3387, 3387, 3387, 3398, 3399, 3387, 3387, 3387, - 3387, 3399, 3400, 3387, 3387, 3387, 3400, 3401, 3387, 3402, - 3387, 3401, 3401, 3403, 3387, 3387, 3387, 3387, 3403, 3404, - 3387, 3387, 3387, 3404, 3395, 3395, 3387, 3405, 3396, 3405, - 3396, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3564, 1, 3565, 3565, 3566, 3566, 3567, 3567, 3568, 3568, + 3569, 3569, 3570, 3570, 3571, 3571, 3564, 3572, 3564, 3564, + 3564, 3564, 3573, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3574, 3564, 3564, 3564, + 3574, 3575, 3564, 3564, 3564, 3575, 3576, 3564, 3564, 3564, + 3564, 3576, 3577, 3564, 3564, 3564, 3577, 3578, 3564, 3579, + 3564, 3578, 3578, 3580, 3564, 3564, 3564, 3564, 3580, 3581, + 3564, 3564, 3564, 3581, 3572, 3572, 3564, 3582, 3573, 3582, + 3573, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 
3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3397, - 3397, 3398, 3398, 3399, 3399, 3387, 3400, 3400, 3401, 3401, - 3402, 3402, 3401, 3403, 3403, 3387, 3404, 3404, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3574, + 3574, 3575, 3575, 3576, 3576, 3564, 3577, 3577, 3578, 3578, + 3579, 3579, 3578, 3580, 3580, 3564, 3581, 3581, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3401, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3578, 
3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3401, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3578, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 
3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3401, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3578, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 
3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3401, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3387, 3387, 3395, 3387, 3387, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3578, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 
3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3564, + 3564, 3572, 3564, 3564, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3401, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 
3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3578, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3572, 
3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, - 3395, 3395, 3401, 3401, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3578, 3578, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 
3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, - 3395, 3387, 3395, 3395, 3401, 3395, 3395, 3395, 3395, 3395, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3578, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 
3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3387, 3395, 3395, 3395, 3395, 3387, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3395, 3395, 3395, 3401, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 
3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3578, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3401, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 
3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3578, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3387, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 
3572, 3572, 3572, 3564, 3564, 3572, 3572, 3572, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3401, 3395, 3387, 3395, 3395, 3395, 3387, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3387, 3395, 3387, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3387, - 3395, 3387, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3387, 3395, 3395, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3387, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, + 3572, 3578, 3572, 3564, 3572, 3572, 3572, 3564, 3572, 3572, + 3572, 3572, 3572, 3572, 
3572, 3572, 3572, 3572, 3564, 3572, + 3564, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3572, 3564, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3564, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3387, 3387, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3401, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3387, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3564, 3564, 3572, 3564, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 
3395, 3395, 3387, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3387, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3578, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3401, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3387, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3387, 3387, 3395, 3395, 3395, 3395, 3395, 3387, 3387, - 3395, 3387, 3395, 3387, 3395, 3395, 3387, 3387, 3395, 3395, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 
3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3564, 3572, 3572, - 3395, 3395, 3395, 3387, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3401, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3387, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3578, 3572, 3564, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3572, + 3572, 3572, 3572, 3572, 3564, 3564, 3572, 3564, 3572, 3564, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3387, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 
3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3387, 3387, 3387, 3387, 3395, 3395, 3395, + 3572, 3572, 3564, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3578, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3387, 3387, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3401, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3395, 3395, 3395, 3387, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3387, 3387, 3395, 3395, 3395, 3387, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3564, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, - 3395, 3395, 
3395, 3395, 3387, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3387, 3395, - 3395, 3395, 3387, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3387, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3387, 3395, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3387, 3387, 3395, 3395, 3401, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3387, 3395, - 3387, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3564, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3564, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3578, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3564, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3387, 3387, 3387, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3387, 3387, 3395, - 3395, 3395, 3395, 3387, 3395, 3387, 3395, 3387, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3387, 3395, + 3572, 3572, 3564, 3564, 3572, 3572, 3572, 3564, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3564, 3572, 
3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3564, 3572, 3564, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3564, 3572, 3572, 3578, 3572, 3572, 3572, 3572, 3572, 3572, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3387, 3395, 3395, 3387, - 3395, 3387, 3395, 3387, 3395, 3395, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3387, 3387, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3387, 3387, 3387, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, + 3572, 3572, 3572, 3564, 3564, 3572, 3564, 3572, 3572, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3564, 3564, 3564, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, + 3564, 3564, 3564, 3572, 3572, 3572, 3564, 3572, 3572, 3564, - 3395, 3395, 3395, 3387, 3395, 3387, 3387, 3395, 3387, 3395, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3387, 3387, 3395, - 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3395, 3395, 3395, 3395, 3395, 3395, 
3395, 3387, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3387, 3387, 3395, - 3395, 3395, 3387, 3387, 3387, 3395, 3395, 3395, 3395, 3387, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, - 3395, 3387, 3387, 3395, 3395, 3395, 3395, 3387, 3387, 3395, + 3572, 3564, 3572, 3564, 3572, 3572, 3572, 3572, 3564, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3564, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3564, 3572, 3572, 3572, 3564, 3572, + 3564, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3564, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3564, 3572, 3564, 3572, 3572, 3572, 3564, 3572, 3572, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3387, 3387, 3395, 3387, 3395, 3395, 3387, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3387, 3387, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3395, 3395, 3387, 3387, 3395, 3395, 3387, 3387, 3395, 3387, - 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3395, 3395, 3387, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3564, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, + 3572, 3564, 3572, 3564, 3572, 3564, 3572, 3572, 
3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3387, - 3395, 3387, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3387, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3387, 3395, 3387, 3395, 3387, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, - 3395, 3387, 3387, 3395, 3395, 3387, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3387, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3564, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3564, 3564, 3564, + 3572, 3572, 3572, 3564, 3564, 3564, 3564, 3572, 3572, 3572, + 3572, 3564, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3564, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3572, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3387, 3395, 3395, 3395, 3387, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, 3395, - 3395, 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3387, 3395, - 3395, 3395, 3395, 3395, 3387, 3395, 3395, 3395, 3395, 3395, - 3395, 3387, 3395, 3395, 3395, 3387, 3395, 3387, 3387, 3395, - 3395, 3395, 3395, 3395, 3387, 3387, 0, 3387, 3387, 3387, - 
3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, + 3564, 3572, 3572, 3564, 3572, 3564, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3564, 3564, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3564, 3572, 3572, 3564, 3564, 3572, 3572, 3564, 3564, 3572, + 3572, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3572, + 3572, 3564, 3564, 3572, 3572, 3572, 3564, 3572, 3564, 3572, + 3572, 3572, 3572, 3564, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, - 3387, 3387, 3387, 3387, 3387 + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3564, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3564, 3572, + 3564, 3572, 3564, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3572, 3564, 3564, 3564, + 3572, 3572, 3564, 3572, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3564, 3564, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3564, + 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, + + 3572, 3572, 3564, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3564, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, 3572, + 3572, 3572, 3564, 3572, 3572, 3564, 3572, 3572, 3572, 3572, + 3572, 3564, 3572, 3572, 3572, 3572, 3572, 3572, 3564, 3572, + 3572, 3572, 3564, 3572, 3564, 3564, 3572, 3572, 3572, 3572, + 3572, 3564, 3564, 0, 3564, 3564, 3564, 3564, 3564, 3564, + 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, + 3564, 3564 } ; -static const flex_int16_t yy_nxt[6654] = +static const flex_int16_t yy_nxt[7002] = { 0, 18, 19, 20, 21, 22, 23, 22, 18, 18, 18, 18, 18, 22, 24, 25, 26, 27, 
28, 29, 30, @@ -1579,7 +1637,7 @@ static const flex_int16_t yy_nxt[6654] = 86, 227, 225, 223, 86, 86, 216, 229, 224, 86, 86, 219, 86, 222, 230, 232, 233, 228, 86, 86, 86, 86, 231, 235, 86, 237, 86, 240, 234, 238, - 86, 86, 86, 86, 242, 86, 236, 370, 86, 86, + 86, 86, 86, 86, 242, 86, 236, 371, 86, 86, 86, 239, 86, 243, 241, 248, 251, 252, 86, 244, 253, 247, 86, 86, 86, 254, 249, 246, 260, 257, 
@@ -1599,681 +1657,720 @@ static const flex_int16_t yy_nxt[6654] = 311, 86, 86, 86, 86, 307, 86, 318, 86, 86, 86, 319, 86, 325, 312, 313, 315, 309, 314, 316, 86, 320, 86, 329, 321, 328, 322, 330, 327, 326, - 332, 86, 86, 86, 726, 334, 86, 338, 323, 331, + 332, 86, 86, 86, 741, 334, 86, 338, 323, 331, 324, 86, 335, 86, 86, 340, 86, 342, 86, 339, - 341, 86, 333, 86, 86, 86, 344, 336, 86, 86, - 86, 343, 86, 86, 346, 86, 348, 86, 345, 86, - 86, 86, 86, 351, 353, 86, 349, 358, 86, 347, + 341, 86, 333, 86, 86, 86, 343, 336, 345, 86, + 86, 344, 86, 86, 86, 347, 86, 86, 346, 349, + 86, 86, 354, 86, 352, 350, 86, 86, 86, 86, - 352, 354, 359, 86, 86, 350, 355, 86, 86, 360, - 357, 356, 362, 364, 86, 367, 361, 86, 86, 86, - 86, 86, 373, 369, 86, 86, 86, 86, 86, 363, - 374, 372, 365, 366, 376, 86, 86, 368, 377, 371, - 86, 378, 86, 379, 375, 380, 86, 381, 383, 86, - 86, 384, 170, 86, 86, 387, 86, 86, 386, 86, - 86, 86, 86, 394, 388, 390, 392, 395, 385, 86, - 86, 382, 86, 86, 398, 389, 86, 396, 86, 391, - 86, 397, 86, 393, 86, 399, 86, 404, 86, 405, - 409, 406, 400, 86, 403, 86, 86, 86, 402, 407, + 348, 365, 355, 353, 351, 359, 356, 86, 86, 86, + 360, 86, 357, 361, 86, 86, 362, 358, 363, 368, + 86, 364, 86, 86, 86, 86, 374, 366, 367, 370, + 373, 375, 86, 86, 377, 369, 86, 86, 382, 372, + 86, 376, 86, 380, 86, 378, 381, 86, 384, 86, + 379, 385, 86, 86, 86, 170, 86, 86, 388, 86, + 86, 86, 383, 395, 391, 393, 396, 389, 386, 86, + 86, 86, 86, 86, 399, 387, 390, 86, 397, 392, + 86, 86, 398, 86, 394, 400, 86, 86, 86, 402, + 406, 407, 86, 409, 404, 401, 86, 403, 86, 410, - 401, 86, 408, 86, 411, 86, 412, 86, 86, 86, - 86, 415, 86, 86, 410, 419, 416, 86, 175, 417, - 421, 86, 418, 413, 414, 86, 86, 422, 423, 86, - 86, 420, 86, 424, 86, 86, 426, 427, 428, 429, - 86, 86, 86, 86, 86, 86, 86, 435, 432, 86, - 425, 86, 436, 86, 86, 434, 86, 438, 86, 441, - 431, 437, 433, 86, 430, 86, 443, 446, 86, 86, - 439, 447, 440, 86, 442, 86, 86, 445, 86, 86, - 457, 448, 86, 444, 86, 455, 86, 86, 86, 458, 
- 461, 459, 499, 449, 170, 462, 450, 456, 469, 86, + 408, 86, 86, 86, 412, 86, 413, 86, 86, 86, + 86, 416, 405, 86, 417, 420, 86, 86, 175, 411, + 422, 86, 418, 414, 415, 419, 86, 86, 424, 423, + 86, 421, 86, 429, 86, 428, 425, 86, 427, 86, + 430, 86, 86, 86, 86, 86, 86, 86, 436, 86, + 86, 86, 437, 426, 439, 86, 86, 435, 86, 442, + 433, 432, 447, 438, 434, 431, 86, 86, 86, 444, + 440, 86, 86, 441, 443, 448, 86, 86, 86, 446, + 86, 463, 86, 449, 86, 456, 445, 86, 86, 458, + 466, 467, 170, 464, 465, 457, 450, 86, 86, 451, - 463, 451, 452, 453, 454, 466, 86, 460, 464, 465, - 467, 86, 86, 86, 86, 468, 86, 86, 86, 477, - 86, 86, 86, 479, 86, 475, 478, 476, 86, 472, - 470, 86, 480, 471, 473, 474, 86, 86, 86, 481, - 483, 482, 86, 487, 86, 86, 86, 86, 488, 86, - 489, 492, 86, 505, 493, 1513, 484, 486, 485, 490, - 86, 86, 86, 86, 491, 86, 494, 495, 497, 86, - 498, 86, 500, 496, 86, 506, 507, 86, 86, 508, - 504, 86, 86, 86, 86, 501, 509, 86, 502, 547, - 503, 86, 510, 86, 520, 86, 511, 522, 519, 523, + 459, 470, 460, 468, 452, 453, 454, 455, 469, 86, + 471, 86, 86, 86, 86, 461, 86, 86, 462, 480, + 86, 86, 86, 478, 86, 482, 86, 481, 474, 472, + 479, 475, 473, 86, 476, 477, 86, 483, 485, 86, + 86, 484, 86, 86, 490, 86, 491, 86, 492, 86, + 86, 486, 86, 509, 496, 497, 86, 493, 489, 487, + 86, 86, 488, 86, 494, 498, 86, 495, 499, 501, + 503, 502, 86, 86, 500, 504, 86, 510, 511, 86, + 86, 512, 508, 86, 86, 86, 86, 526, 505, 86, + 86, 506, 581, 507, 86, 513, 86, 514, 86, 530, - 86, 524, 86, 525, 512, 86, 513, 527, 514, 537, - 535, 536, 521, 170, 538, 86, 86, 86, 86, 526, - 86, 515, 86, 539, 516, 168, 517, 86, 518, 86, - 540, 528, 529, 543, 541, 542, 544, 86, 86, 545, - 546, 530, 548, 531, 532, 533, 86, 550, 534, 86, - 86, 549, 86, 86, 552, 86, 86, 551, 554, 559, - 557, 86, 560, 86, 86, 86, 86, 556, 564, 86, - 555, 558, 553, 86, 86, 86, 562, 86, 568, 569, - 563, 86, 567, 561, 86, 86, 86, 86, 86, 566, - 86, 578, 574, 86, 565, 570, 86, 579, 575, 576, + 525, 528, 86, 515, 529, 527, 86, 
516, 86, 531, + 533, 543, 517, 542, 546, 518, 86, 519, 544, 520, + 170, 547, 86, 545, 86, 532, 86, 86, 553, 86, + 86, 551, 521, 86, 86, 522, 86, 523, 168, 524, + 86, 548, 534, 535, 550, 549, 552, 556, 86, 86, + 555, 557, 536, 537, 538, 539, 540, 86, 86, 541, + 86, 558, 554, 559, 86, 86, 566, 86, 561, 562, + 564, 86, 86, 86, 567, 563, 86, 86, 571, 565, + 86, 560, 86, 569, 86, 86, 86, 568, 86, 86, + 570, 574, 575, 576, 86, 86, 573, 86, 578, 582, - 571, 572, 573, 86, 581, 582, 86, 86, 86, 86, - 86, 595, 580, 86, 86, 166, 577, 86, 587, 597, - 86, 583, 596, 584, 586, 590, 585, 86, 86, 588, - 86, 589, 598, 591, 592, 600, 599, 593, 594, 86, - 86, 86, 86, 86, 603, 602, 604, 605, 86, 86, - 607, 601, 86, 609, 86, 86, 86, 86, 612, 86, - 610, 613, 86, 614, 86, 608, 86, 86, 606, 611, - 86, 617, 86, 619, 86, 618, 86, 615, 86, 86, - 86, 620, 86, 625, 86, 616, 621, 86, 626, 86, - 624, 86, 628, 86, 627, 86, 622, 623, 629, 86, + 583, 86, 572, 580, 579, 577, 86, 86, 86, 588, + 585, 586, 86, 589, 86, 86, 590, 584, 604, 86, + 86, 166, 86, 607, 86, 86, 587, 86, 591, 593, + 594, 595, 592, 86, 605, 609, 608, 86, 606, 86, + 615, 86, 596, 611, 597, 86, 86, 86, 86, 613, + 598, 612, 86, 614, 86, 616, 618, 86, 599, 600, + 610, 86, 601, 602, 86, 617, 603, 86, 621, 619, + 622, 86, 86, 86, 620, 623, 86, 86, 86, 86, + 628, 86, 626, 627, 86, 86, 86, 624, 629, 86, + 86, 86, 634, 630, 625, 635, 86, 86, 633, 86, - 631, 86, 633, 86, 86, 86, 86, 86, 630, 86, - 86, 632, 635, 86, 636, 638, 634, 86, 86, 640, - 86, 86, 646, 165, 637, 649, 639, 641, 86, 642, - 647, 643, 645, 648, 86, 86, 86, 644, 86, 86, - 86, 653, 86, 651, 86, 656, 652, 658, 650, 86, - 654, 86, 659, 86, 86, 655, 86, 86, 86, 662, - 86, 665, 657, 661, 86, 666, 86, 86, 86, 86, - 86, 668, 86, 86, 700, 663, 660, 664, 86, 667, - 86, 86, 671, 669, 682, 163, 86, 670, 86, 672, - 680, 683, 86, 681, 673, 86, 674, 684, 86, 685, + 636, 86, 638, 632, 631, 86, 86, 641, 86, 637, + 639, 86, 640, 86, 643, 86, 86, 86, 86, 645, + 86, 642, 86, 649, 86, 647, 86, 
86, 86, 644, + 86, 657, 677, 86, 651, 659, 646, 86, 648, 658, + 650, 86, 652, 86, 653, 654, 655, 656, 660, 86, + 86, 86, 86, 86, 664, 86, 668, 86, 662, 671, + 86, 663, 86, 661, 667, 86, 665, 86, 666, 86, + 670, 86, 86, 86, 673, 86, 674, 669, 678, 86, + 86, 86, 86, 672, 680, 86, 86, 86, 86, 711, + 679, 675, 86, 676, 86, 683, 681, 86, 695, 86, - 86, 688, 675, 689, 676, 686, 86, 677, 678, 687, - 86, 86, 693, 86, 679, 698, 86, 86, 86, 692, - 697, 86, 690, 694, 86, 691, 695, 86, 702, 696, - 86, 86, 86, 86, 86, 86, 699, 86, 86, 703, - 708, 86, 704, 709, 733, 86, 701, 705, 86, 86, - 706, 712, 86, 711, 86, 707, 710, 713, 714, 170, - 716, 717, 86, 715, 86, 86, 86, 718, 86, 86, - 86, 86, 86, 723, 725, 728, 86, 86, 720, 727, - 721, 719, 729, 724, 731, 86, 722, 86, 86, 730, - 86, 86, 86, 86, 86, 737, 86, 732, 736, 742, + 682, 86, 684, 694, 697, 692, 86, 685, 693, 686, + 699, 696, 165, 698, 86, 687, 86, 688, 86, 700, + 689, 690, 707, 701, 86, 86, 86, 691, 86, 703, + 86, 702, 86, 708, 704, 706, 86, 705, 86, 714, + 709, 86, 86, 716, 86, 86, 710, 86, 86, 720, + 86, 86, 86, 86, 163, 712, 713, 718, 723, 717, + 86, 724, 719, 86, 86, 86, 715, 86, 170, 721, + 727, 729, 730, 722, 728, 731, 86, 86, 726, 725, + 86, 86, 86, 86, 86, 86, 86, 86, 732, 738, + 161, 86, 733, 740, 742, 744, 735, 86, 736, 734, - 86, 734, 86, 738, 743, 86, 735, 745, 86, 791, - 739, 86, 741, 740, 747, 744, 746, 86, 748, 86, - 86, 749, 86, 750, 86, 751, 86, 86, 86, 86, - 752, 86, 753, 756, 86, 758, 754, 755, 86, 86, - 86, 759, 86, 86, 760, 757, 764, 763, 86, 86, - 86, 86, 86, 765, 86, 767, 86, 769, 86, 86, - 86, 762, 86, 761, 772, 768, 766, 775, 161, 770, - 86, 86, 86, 86, 86, 776, 773, 86, 86, 771, - 86, 778, 774, 86, 783, 777, 779, 86, 785, 780, - 781, 86, 782, 86, 788, 784, 786, 790, 787, 86, + 739, 86, 737, 743, 86, 746, 86, 86, 86, 745, + 748, 86, 86, 86, 86, 86, 752, 86, 747, 751, + 757, 86, 749, 86, 753, 758, 86, 750, 760, 86, + 808, 754, 86, 756, 755, 762, 759, 761, 86, 763, + 86, 86, 764, 86, 765, 86, 766, 
86, 86, 86, + 86, 767, 86, 768, 771, 86, 773, 769, 770, 86, + 86, 86, 774, 86, 86, 775, 772, 779, 778, 86, + 86, 86, 86, 86, 781, 86, 783, 86, 86, 785, + 86, 86, 777, 86, 776, 86, 788, 86, 792, 780, + 782, 784, 86, 86, 86, 786, 787, 793, 86, 86, - 86, 86, 789, 86, 792, 86, 86, 86, 86, 793, - 796, 795, 86, 797, 86, 798, 86, 86, 799, 800, - 86, 802, 804, 86, 86, 86, 86, 801, 86, 805, - 810, 794, 86, 86, 86, 808, 86, 803, 811, 86, - 809, 807, 812, 806, 813, 814, 86, 86, 86, 815, - 86, 817, 86, 816, 86, 821, 823, 819, 86, 825, - 86, 86, 86, 822, 818, 86, 86, 86, 824, 827, - 86, 826, 86, 820, 828, 86, 834, 831, 86, 835, - 829, 86, 86, 830, 86, 86, 837, 836, 86, 839, - 86, 832, 833, 86, 843, 86, 841, 840, 86, 86, + 86, 790, 789, 86, 86, 800, 795, 791, 86, 802, + 86, 796, 794, 803, 797, 798, 86, 799, 801, 86, + 807, 804, 86, 86, 805, 809, 86, 810, 86, 86, + 86, 86, 813, 812, 806, 814, 86, 86, 86, 86, + 86, 821, 86, 86, 817, 819, 86, 815, 86, 811, + 86, 818, 822, 86, 816, 86, 86, 828, 86, 820, + 86, 834, 826, 86, 829, 823, 825, 827, 86, 824, + 86, 830, 831, 832, 86, 86, 86, 833, 835, 86, + 86, 840, 86, 86, 836, 838, 842, 86, 841, 86, + 837, 86, 86, 86, 843, 86, 846, 86, 839, 86, - 86, 86, 849, 845, 838, 86, 86, 844, 851, 847, - 850, 842, 86, 846, 848, 86, 86, 86, 852, 853, - 86, 86, 859, 854, 86, 86, 86, 86, 86, 860, - 855, 86, 86, 861, 856, 86, 86, 86, 86, 857, - 86, 858, 862, 868, 864, 86, 863, 866, 86, 86, - 869, 865, 867, 86, 86, 86, 874, 870, 873, 871, - 86, 86, 86, 86, 86, 882, 86, 872, 880, 875, - 883, 86, 86, 876, 86, 86, 881, 86, 877, 878, - 879, 86, 888, 86, 86, 884, 886, 86, 887, 86, - 86, 885, 86, 86, 86, 893, 892, 889, 895, 894, + 845, 847, 86, 853, 850, 86, 848, 844, 854, 86, + 849, 86, 86, 86, 855, 86, 856, 86, 851, 852, + 86, 858, 859, 86, 860, 863, 861, 86, 86, 867, + 86, 86, 857, 865, 868, 86, 86, 869, 870, 864, + 86, 862, 871, 866, 86, 86, 873, 86, 86, 872, + 86, 86, 879, 86, 86, 86, 86, 880, 86, 86, + 86, 86, 86, 874, 881, 875, 876, 86, 86, 877, + 886, 
878, 884, 86, 882, 883, 889, 888, 86, 887, + 885, 86, 86, 86, 86, 86, 86, 891, 890, 896, + 892, 86, 86, 86, 86, 86, 86, 86, 905, 906, - 891, 86, 890, 86, 86, 86, 896, 86, 86, 903, - 898, 86, 897, 899, 905, 86, 901, 170, 86, 900, - 902, 86, 904, 86, 86, 906, 86, 86, 912, 86, - 86, 913, 907, 908, 915, 86, 86, 86, 909, 914, - 910, 916, 86, 919, 86, 86, 917, 86, 911, 86, - 86, 921, 86, 925, 86, 86, 86, 922, 86, 86, - 86, 918, 926, 927, 920, 86, 86, 86, 86, 86, - 924, 86, 86, 928, 941, 923, 940, 942, 943, 86, - 930, 938, 939, 929, 86, 86, 931, 86, 944, 932, - 948, 945, 86, 933, 86, 946, 934, 86, 947, 950, + 893, 903, 898, 895, 894, 86, 86, 86, 86, 897, + 899, 900, 901, 902, 86, 86, 86, 86, 86, 904, + 907, 911, 910, 86, 86, 909, 908, 86, 86, 86, + 915, 912, 916, 86, 919, 917, 913, 914, 920, 86, + 86, 86, 918, 86, 86, 927, 86, 922, 86, 170, + 923, 86, 925, 86, 928, 86, 929, 921, 924, 930, + 926, 86, 86, 86, 86, 86, 86, 935, 936, 86, + 86, 932, 86, 937, 86, 931, 939, 86, 933, 934, + 86, 938, 943, 941, 944, 940, 86, 86, 86, 942, + 945, 947, 86, 86, 949, 86, 86, 86, 86, 946, - 86, 952, 86, 935, 936, 86, 937, 86, 86, 86, - 949, 86, 86, 960, 86, 963, 86, 969, 965, 86, - 951, 86, 953, 954, 967, 955, 961, 962, 956, 86, - 86, 975, 86, 957, 966, 968, 964, 972, 86, 958, - 959, 971, 973, 86, 86, 86, 86, 976, 86, 978, - 977, 974, 86, 86, 970, 86, 980, 979, 982, 86, - 981, 86, 86, 983, 86, 985, 86, 86, 986, 86, - 86, 990, 86, 86, 984, 989, 86, 86, 993, 86, - 86, 999, 86, 997, 1010, 86, 987, 991, 988, 86, - 992, 994, 995, 86, 1000, 1011, 86, 86, 998, 1001, + 86, 950, 951, 86, 86, 86, 86, 86, 86, 178, + 948, 965, 86, 966, 952, 964, 969, 967, 954, 962, + 963, 86, 953, 86, 86, 955, 86, 970, 956, 86, + 971, 86, 957, 86, 86, 958, 86, 968, 974, 86, + 976, 86, 959, 960, 972, 961, 86, 86, 86, 973, + 1018, 86, 985, 86, 975, 86, 977, 978, 992, 979, + 986, 984, 980, 86, 86, 86, 987, 981, 988, 990, + 86, 86, 86, 982, 983, 989, 994, 86, 998, 86, + 997, 86, 993, 999, 86, 991, 1000, 995, 86, 1001, + 
86, 1004, 86, 86, 176, 996, 1002, 1003, 1005, 86, - 86, 996, 1002, 1003, 1004, 86, 86, 1006, 1007, 86, - 86, 1005, 86, 86, 86, 86, 86, 86, 1008, 86, - 86, 86, 1009, 1012, 1014, 86, 86, 1015, 1019, 86, - 86, 86, 86, 86, 1013, 1016, 1028, 1017, 86, 1020, - 1021, 1022, 86, 1023, 1018, 1024, 86, 1025, 86, 86, - 86, 1030, 86, 86, 86, 1026, 86, 1027, 1031, 1029, - 86, 86, 1036, 86, 1038, 1034, 1032, 1037, 86, 86, - 86, 86, 86, 1035, 86, 86, 1039, 1044, 86, 1033, - 1041, 86, 86, 1046, 86, 1045, 1047, 86, 1040, 1049, - 1043, 86, 86, 86, 1042, 86, 1048, 86, 86, 1050, + 86, 86, 1006, 1008, 86, 1007, 86, 86, 1009, 86, + 86, 86, 86, 1010, 1012, 86, 1016, 86, 86, 1019, + 1015, 86, 86, 86, 86, 1023, 1011, 1034, 86, 1013, + 1014, 86, 1017, 1024, 1021, 1025, 86, 1026, 1029, 1020, + 86, 86, 1027, 86, 86, 1022, 1028, 1031, 175, 86, + 1033, 86, 86, 86, 1032, 86, 86, 1035, 86, 1030, + 1036, 1037, 86, 1038, 86, 86, 1039, 86, 86, 86, + 1041, 1042, 86, 1040, 86, 1043, 1047, 86, 86, 1051, + 86, 1050, 86, 86, 86, 86, 1049, 1044, 1045, 1048, + 86, 86, 86, 1046, 86, 86, 86, 1056, 1058, 1053, - 86, 86, 1051, 1060, 1055, 1057, 86, 86, 178, 86, - 86, 1052, 86, 1054, 1053, 1061, 1058, 86, 1065, 1059, - 1056, 86, 1062, 86, 1068, 86, 1063, 86, 1067, 86, - 86, 1064, 86, 86, 86, 1066, 86, 86, 1070, 1077, - 1072, 86, 1078, 1080, 86, 86, 86, 1069, 86, 86, - 1071, 86, 86, 1073, 86, 1075, 1074, 1076, 1079, 1083, - 1081, 1082, 1084, 86, 1087, 86, 86, 1085, 86, 86, - 1086, 1089, 1088, 86, 1091, 1090, 1092, 86, 86, 1096, - 1093, 86, 86, 1098, 86, 86, 86, 1094, 86, 86, - 1103, 1095, 86, 1100, 86, 1104, 170, 86, 86, 86, + 1054, 1059, 1052, 1057, 86, 86, 86, 86, 1055, 86, + 86, 1064, 86, 1067, 86, 1062, 1065, 86, 1060, 86, + 1063, 86, 86, 1066, 86, 1068, 86, 1073, 1070, 86, + 1061, 1075, 86, 1069, 86, 1074, 1076, 86, 86, 1078, + 1072, 86, 86, 86, 86, 1071, 86, 1077, 86, 170, + 86, 86, 1086, 1079, 1089, 1084, 86, 86, 1080, 86, + 86, 1081, 86, 1083, 1082, 1090, 86, 1085, 1087, 1091, + 1088, 86, 86, 86, 86, 
1092, 86, 1095, 1098, 86, + 1094, 1093, 1096, 1099, 86, 86, 1097, 86, 86, 86, + 86, 86, 1109, 86, 1102, 1100, 1104, 1110, 86, 1101, - 1107, 1097, 1106, 86, 1099, 1101, 86, 1102, 1110, 1105, - 86, 86, 86, 86, 1108, 86, 86, 1109, 86, 1123, - 1124, 1126, 86, 86, 1114, 1111, 1113, 86, 86, 86, - 86, 86, 1128, 1115, 1112, 1131, 1116, 86, 1125, 86, - 1117, 86, 1118, 86, 1129, 1130, 1119, 86, 1120, 1148, - 86, 1133, 1127, 1121, 1139, 1132, 1134, 86, 1122, 1135, - 86, 1136, 86, 86, 1137, 86, 86, 1140, 86, 86, - 1143, 86, 86, 86, 86, 1142, 1138, 1141, 1149, 1150, - 1144, 1147, 1151, 1146, 86, 86, 1152, 86, 86, 1145, - 1153, 1154, 1157, 1155, 86, 86, 86, 86, 176, 86, + 86, 86, 1112, 86, 86, 1115, 86, 1103, 86, 1105, + 1107, 86, 1106, 1108, 1111, 1113, 1116, 86, 86, 86, + 168, 1117, 86, 86, 1114, 1118, 86, 1123, 1121, 1124, + 1119, 1125, 86, 86, 86, 86, 1126, 86, 1120, 1129, + 1122, 86, 1131, 86, 86, 86, 86, 1128, 1137, 86, + 1127, 1133, 1134, 1138, 170, 86, 86, 86, 1141, 86, + 1140, 1130, 1132, 86, 86, 1135, 86, 1136, 86, 1144, + 1139, 86, 86, 86, 86, 86, 1157, 86, 86, 86, + 86, 1142, 1158, 1143, 1148, 1145, 1147, 1160, 86, 86, + 166, 86, 1146, 1149, 1159, 1150, 86, 86, 1191, 1151, - 86, 1166, 86, 1156, 86, 1158, 1165, 86, 1169, 86, - 1159, 86, 1160, 1167, 1168, 86, 1170, 1171, 1161, 1173, - 86, 86, 1176, 1162, 1163, 86, 86, 86, 86, 1172, - 1164, 1177, 86, 86, 1182, 86, 86, 1175, 86, 1174, - 1183, 1185, 86, 1179, 1178, 1181, 86, 86, 86, 1180, - 86, 1186, 86, 86, 1190, 1188, 86, 1191, 1184, 1189, - 86, 1187, 86, 86, 1196, 1193, 86, 86, 86, 86, - 86, 1194, 1192, 1199, 86, 1197, 86, 86, 86, 1195, - 175, 86, 86, 86, 86, 86, 1198, 1206, 1201, 1200, - 1203, 1204, 1205, 1208, 1207, 86, 1202, 86, 86, 86, + 86, 1152, 1161, 1164, 1162, 1153, 1163, 1154, 86, 1167, + 86, 1166, 1155, 1165, 1168, 86, 86, 1156, 86, 1169, + 86, 86, 1171, 86, 86, 86, 1174, 86, 1177, 86, + 1170, 86, 86, 86, 1172, 1173, 1175, 1176, 1178, 1182, + 1181, 86, 1187, 1180, 1184, 1185, 1183, 86, 1179, 1188, + 86, 86, 
1186, 86, 1189, 86, 86, 86, 86, 86, + 86, 86, 1203, 1200, 86, 86, 86, 86, 86, 1199, + 1204, 86, 1202, 1201, 1205, 1190, 86, 1192, 86, 1211, + 1206, 1207, 1193, 86, 1194, 86, 86, 1208, 86, 1214, + 1195, 1212, 86, 86, 86, 1196, 1197, 1209, 86, 1210, - 1209, 86, 86, 86, 86, 1211, 86, 86, 1216, 1210, - 86, 1217, 1213, 1219, 86, 1218, 1212, 1215, 1221, 1214, - 86, 1220, 1223, 1222, 86, 86, 86, 1226, 86, 86, - 86, 1228, 1227, 86, 1229, 86, 86, 86, 1224, 1230, - 86, 86, 1225, 1231, 1237, 86, 1239, 86, 1232, 86, - 86, 1233, 86, 1235, 1241, 1234, 1236, 86, 86, 86, - 86, 1243, 1240, 86, 86, 1238, 86, 86, 1245, 1246, - 86, 1242, 1249, 86, 86, 1248, 1247, 86, 1250, 86, - 1244, 1255, 1251, 1252, 86, 1254, 86, 86, 1256, 86, - 1253, 86, 86, 1257, 1259, 86, 1260, 86, 86, 86, + 1213, 86, 1198, 1218, 86, 1219, 86, 1221, 1215, 1222, + 86, 1216, 1217, 86, 86, 86, 1226, 86, 1220, 1224, + 86, 86, 86, 86, 86, 1227, 86, 1232, 1225, 1223, + 1229, 86, 1230, 86, 86, 1233, 1228, 86, 86, 1235, + 1231, 86, 86, 86, 86, 86, 86, 86, 86, 1242, + 1234, 86, 1237, 1240, 1239, 1241, 86, 1236, 1244, 86, + 86, 1238, 1243, 1245, 86, 1246, 86, 86, 1247, 86, + 86, 1248, 86, 1250, 1253, 1249, 86, 1254, 1251, 1256, + 1258, 1255, 1252, 86, 1257, 1259, 86, 86, 86, 86, + 86, 86, 1264, 86, 86, 86, 1260, 1265, 86, 86, - 86, 1266, 1264, 1267, 1258, 86, 86, 86, 86, 86, - 1261, 1268, 86, 1265, 86, 1271, 1262, 1269, 1263, 1270, - 1274, 86, 86, 1272, 1276, 86, 86, 1275, 1273, 86, - 86, 86, 86, 86, 86, 86, 1281, 1282, 1277, 1278, - 86, 86, 86, 86, 1288, 1284, 1283, 1289, 86, 1279, - 86, 1280, 86, 86, 1286, 1292, 86, 1291, 86, 1285, - 86, 86, 1287, 1290, 1296, 86, 86, 86, 86, 86, - 86, 1302, 86, 1295, 1294, 1298, 86, 1293, 170, 86, - 86, 1303, 86, 1297, 1304, 86, 1299, 86, 86, 1301, - 86, 86, 1309, 170, 1300, 1307, 1306, 1308, 1305, 1310, + 86, 1266, 1262, 1261, 1267, 86, 1263, 1269, 1268, 86, + 86, 1271, 1275, 86, 1270, 1277, 86, 1272, 86, 86, + 86, 86, 1273, 86, 1279, 1274, 86, 1281, 165, 86, + 86, 1278, 1282, 1276, 
1280, 1284, 86, 86, 86, 86, + 86, 1285, 86, 86, 1283, 1288, 86, 1287, 1289, 86, + 1294, 1290, 1291, 1286, 86, 1293, 86, 86, 1292, 1295, + 86, 86, 86, 1296, 1298, 86, 1299, 86, 86, 86, + 86, 1305, 1303, 1306, 1339, 1297, 1307, 86, 86, 86, + 1300, 1310, 86, 1304, 86, 86, 1301, 86, 1302, 1308, + 1309, 86, 1312, 86, 86, 86, 1311, 1316, 86, 1313, - 1311, 86, 86, 1313, 1314, 86, 86, 1315, 1312, 86, - 86, 1316, 86, 86, 1317, 86, 1319, 86, 1318, 1320, - 1321, 86, 86, 86, 86, 1327, 86, 86, 86, 1324, - 86, 86, 1322, 86, 86, 86, 1468, 1331, 1325, 1337, - 1323, 1328, 86, 1326, 86, 1330, 1329, 1333, 86, 1338, - 86, 1340, 86, 1332, 86, 1339, 1334, 86, 1335, 86, - 86, 1336, 1343, 1344, 1341, 86, 86, 86, 1342, 86, - 86, 1347, 86, 86, 1346, 1350, 86, 86, 1345, 1354, - 86, 1349, 1355, 1352, 86, 86, 1348, 1351, 86, 1356, - 86, 86, 86, 1358, 1359, 1353, 86, 86, 86, 86, + 86, 1318, 86, 86, 86, 1317, 86, 86, 86, 86, + 86, 1314, 1323, 1319, 86, 1315, 1320, 1324, 86, 86, + 86, 1325, 86, 1326, 1321, 1330, 86, 1322, 1331, 86, + 86, 86, 1328, 86, 86, 1333, 86, 1327, 1334, 86, + 86, 1329, 86, 86, 1332, 1335, 86, 1336, 1337, 86, + 86, 86, 1341, 1345, 86, 170, 86, 86, 1338, 1346, + 1340, 1347, 1348, 86, 86, 1342, 86, 86, 86, 1344, + 1357, 86, 1353, 163, 1343, 1349, 86, 1350, 1352, 1351, + 1354, 1355, 86, 1358, 86, 86, 86, 86, 1356, 86, + 1360, 86, 1362, 1361, 86, 86, 86, 86, 86, 86, - 1360, 86, 86, 86, 86, 1357, 86, 1361, 1366, 86, - 1364, 1362, 86, 86, 1365, 1367, 1363, 86, 1371, 86, - 86, 1368, 86, 86, 1370, 1369, 86, 86, 1372, 1373, - 86, 1375, 86, 86, 1376, 1378, 1383, 1374, 86, 1377, - 86, 86, 86, 86, 86, 1379, 1386, 1381, 1384, 1389, - 1382, 86, 1380, 86, 1385, 86, 1406, 86, 86, 1388, - 1391, 1387, 86, 1390, 168, 1392, 86, 86, 1396, 1394, - 1395, 1404, 1393, 86, 1397, 86, 86, 1407, 1398, 86, - 86, 1399, 1400, 1410, 1405, 1408, 1401, 86, 1409, 86, - 86, 86, 1402, 86, 86, 1411, 1403, 86, 1412, 86, + 1359, 1365, 86, 1371, 86, 1367, 1368, 86, 1363, 1364, + 86, 86, 1366, 1369, 86, 86, 86, 86, 
161, 86, + 1375, 1370, 1377, 1381, 1372, 1373, 1374, 86, 1382, 86, + 1386, 1378, 86, 1379, 1383, 1376, 1380, 1384, 86, 1385, + 86, 86, 86, 1387, 86, 86, 86, 86, 86, 86, + 1391, 1390, 86, 1394, 86, 86, 1398, 86, 86, 1393, + 1388, 86, 1389, 1395, 86, 1392, 1396, 86, 86, 1399, + 1404, 1397, 1400, 1402, 1401, 86, 86, 86, 86, 1403, + 86, 86, 86, 86, 1408, 86, 86, 86, 86, 1411, + 86, 1405, 1406, 1409, 1416, 1410, 86, 1407, 1412, 86, - 1413, 86, 1415, 86, 86, 86, 1420, 1416, 1414, 1417, - 1422, 1418, 1419, 86, 86, 1425, 1426, 86, 86, 86, - 1486, 86, 86, 1421, 1427, 86, 1429, 1423, 86, 1428, - 86, 1430, 1424, 1431, 86, 1432, 86, 1433, 86, 1434, - 86, 1436, 1435, 1437, 1438, 86, 86, 1439, 1442, 1440, - 86, 1444, 86, 1441, 86, 86, 1445, 86, 86, 1443, - 1448, 1446, 86, 86, 86, 86, 86, 1454, 86, 1455, - 86, 1450, 1449, 86, 1456, 86, 1447, 86, 86, 1453, - 1458, 86, 1451, 1452, 1457, 86, 86, 1460, 1461, 86, - 86, 1459, 1465, 86, 1464, 1467, 86, 86, 86, 86, + 86, 1418, 1413, 86, 86, 1415, 1414, 86, 86, 1421, + 1419, 1417, 86, 86, 86, 1428, 86, 86, 1422, 1420, + 1424, 86, 1430, 1423, 86, 86, 86, 86, 86, 1427, + 86, 1425, 1431, 86, 1433, 1436, 1429, 86, 1426, 1432, + 86, 1438, 86, 1435, 1434, 1437, 1439, 86, 86, 1443, + 86, 86, 86, 1453, 1441, 1442, 1440, 86, 1444, 86, + 1452, 1456, 1445, 1451, 86, 1446, 1447, 86, 1454, 1455, + 1448, 1457, 86, 86, 86, 86, 1449, 86, 1458, 1459, + 1450, 86, 1460, 86, 1462, 86, 86, 86, 1463, 86, + 1464, 1467, 86, 1461, 86, 1465, 1468, 86, 86, 1470, - 1469, 86, 86, 1462, 1470, 1466, 1473, 86, 1475, 86, - 1472, 1463, 86, 1476, 86, 86, 86, 1471, 86, 1477, - 1480, 86, 1474, 86, 86, 86, 1482, 86, 86, 86, - 1484, 86, 1488, 86, 86, 166, 1478, 1479, 1481, 1490, - 1485, 86, 86, 1489, 1483, 1487, 1492, 1491, 86, 86, - 1493, 86, 1495, 1494, 86, 1497, 1496, 86, 86, 86, - 86, 86, 1498, 1503, 1504, 1500, 86, 1501, 86, 86, - 86, 1505, 1506, 86, 1502, 86, 1499, 1507, 86, 1510, - 86, 86, 86, 170, 86, 86, 1509, 1517, 1518, 86, - 1520, 86, 1508, 86, 86, 1519, 86, 86, 
1514, 86, + 86, 1473, 1474, 86, 1466, 1475, 1471, 86, 86, 1469, + 86, 86, 1478, 86, 1476, 86, 1472, 1479, 1483, 1480, + 86, 1481, 86, 1482, 1477, 86, 1485, 1486, 1487, 1484, + 86, 1488, 86, 86, 86, 1493, 1489, 1490, 86, 86, + 1494, 86, 86, 1492, 86, 86, 86, 1495, 86, 1497, + 86, 1491, 1503, 86, 1499, 86, 1498, 86, 86, 86, + 1504, 1496, 86, 1506, 1502, 1500, 86, 1501, 86, 1505, + 86, 1508, 86, 86, 1515, 86, 1507, 86, 1513, 1510, + 1511, 86, 1509, 1517, 86, 86, 1514, 1518, 86, 86, + 1512, 1519, 1516, 86, 1520, 86, 1523, 86, 86, 1525, - 1512, 1511, 86, 86, 1515, 1521, 86, 86, 1516, 86, - 1528, 1522, 86, 86, 1525, 1533, 86, 1523, 86, 1524, - 1526, 1527, 86, 1532, 86, 86, 86, 1529, 1537, 1535, - 86, 1531, 86, 1538, 86, 1540, 86, 1530, 86, 86, - 1541, 86, 86, 86, 1536, 1534, 1546, 86, 1539, 1547, - 1542, 1548, 86, 1543, 1544, 86, 86, 1545, 1549, 1551, - 86, 1550, 1554, 1553, 1552, 86, 86, 1555, 86, 1557, - 86, 86, 86, 86, 1556, 1559, 1560, 86, 86, 86, - 86, 86, 1563, 86, 1558, 86, 1568, 1569, 86, 86, - 1561, 86, 86, 1562, 1565, 1572, 86, 1566, 1564, 1567, + 86, 86, 1526, 86, 1522, 86, 86, 86, 1527, 1531, + 86, 86, 1521, 86, 86, 86, 1536, 1534, 1524, 86, + 86, 86, 86, 1539, 1537, 86, 1528, 1529, 1530, 1538, + 1533, 1532, 86, 86, 86, 1535, 1541, 86, 86, 1543, + 86, 86, 1550, 1540, 86, 1545, 1546, 1542, 86, 1547, + 86, 1544, 86, 1548, 86, 86, 86, 1549, 86, 1551, + 86, 1553, 1556, 1554, 1557, 1558, 1552, 86, 86, 1560, + 86, 1555, 1559, 86, 86, 86, 86, 1564, 86, 86, + 86, 86, 1561, 86, 86, 1566, 86, 1563, 170, 1572, + 1573, 1568, 86, 1562, 1575, 86, 86, 86, 1574, 1565, - 86, 86, 86, 1573, 86, 86, 1570, 86, 1571, 86, - 1575, 1574, 1579, 86, 86, 1576, 1580, 1577, 1581, 86, - 86, 1584, 86, 1578, 86, 1587, 86, 1588, 1583, 1589, - 1590, 86, 1582, 1586, 86, 86, 86, 1585, 1592, 86, - 1593, 86, 86, 86, 1597, 1591, 1598, 1599, 1596, 86, - 86, 165, 86, 86, 86, 1600, 86, 1594, 86, 1601, - 1602, 86, 86, 1595, 86, 1604, 1603, 1605, 86, 86, - 86, 86, 1610, 86, 86, 86, 1606, 1609, 86, 1613, 
- 86, 1616, 1607, 1612, 1608, 1618, 1617, 86, 86, 86, - 1619, 86, 1614, 1611, 86, 1621, 86, 86, 1624, 1615, + 86, 1567, 86, 1569, 1570, 86, 86, 86, 86, 1571, + 86, 1576, 86, 1583, 86, 86, 86, 1577, 1580, 86, + 86, 1581, 1578, 86, 1587, 1579, 1582, 1588, 86, 86, + 1584, 1592, 86, 1586, 1590, 1591, 1593, 86, 86, 1585, + 1596, 1594, 86, 1589, 86, 86, 86, 1595, 86, 1606, + 86, 1601, 1604, 86, 1602, 86, 1597, 1603, 86, 1598, + 1599, 86, 1607, 1600, 1609, 86, 86, 1605, 86, 1610, + 86, 86, 1608, 86, 86, 86, 1614, 86, 1615, 86, + 86, 86, 1618, 86, 1611, 86, 1613, 86, 1623, 1624, + 86, 86, 1612, 1616, 1617, 1620, 1627, 86, 1621, 1619, - 86, 86, 86, 86, 1629, 1625, 86, 86, 1620, 86, - 86, 1630, 1632, 86, 86, 1622, 1623, 1635, 86, 1634, - 1626, 1628, 1627, 86, 86, 86, 86, 86, 1633, 86, - 1643, 86, 86, 1631, 86, 1641, 86, 86, 86, 1644, - 86, 1648, 86, 1636, 1637, 1638, 1639, 1642, 1640, 86, - 1645, 1652, 1647, 1649, 86, 86, 1646, 86, 1653, 86, - 1650, 1651, 86, 86, 1655, 86, 86, 86, 1656, 86, - 86, 1659, 1654, 1663, 86, 1664, 1665, 86, 1660, 86, - 86, 1657, 86, 1658, 1668, 1662, 86, 1661, 86, 86, - 1669, 86, 1666, 1667, 86, 1670, 86, 86, 1675, 1676, + 86, 1622, 86, 86, 86, 86, 86, 86, 1625, 1628, + 1626, 86, 86, 86, 86, 86, 1629, 1635, 1631, 1637, + 1632, 1633, 1630, 86, 1640, 86, 1634, 86, 1641, 1638, + 1636, 86, 86, 1646, 1639, 86, 1645, 1647, 86, 86, + 1642, 1643, 86, 86, 86, 1649, 1650, 86, 1651, 86, + 86, 1644, 1648, 86, 1655, 1656, 1657, 86, 1654, 3564, + 86, 86, 86, 86, 1658, 1652, 86, 1659, 1660, 86, + 86, 1653, 86, 86, 1661, 1663, 86, 86, 86, 86, + 86, 1662, 86, 1668, 86, 1664, 1667, 86, 1670, 1671, + 1665, 86, 1666, 86, 1674, 86, 1679, 1676, 1669, 1675, - 86, 86, 163, 1673, 86, 86, 86, 1672, 1671, 86, - 1679, 86, 1680, 1681, 86, 1677, 1674, 1683, 86, 86, - 86, 86, 1678, 1684, 1685, 86, 1682, 86, 86, 1689, - 1686, 1688, 86, 1691, 86, 86, 1690, 1687, 86, 86, - 86, 86, 1697, 86, 1695, 86, 86, 86, 86, 1692, - 86, 1703, 1698, 86, 1696, 86, 1693, 1694, 86, 86, - 86, 1700, 
1709, 1699, 1706, 1708, 86, 1704, 1702, 86, - 86, 1711, 1701, 1705, 86, 1707, 86, 86, 86, 86, - 86, 1714, 1717, 86, 1716, 86, 170, 1713, 86, 1710, - 1719, 86, 86, 1718, 86, 86, 1712, 1715, 86, 1727, + 86, 1672, 1677, 86, 86, 86, 86, 86, 86, 86, + 1673, 1687, 1683, 1678, 86, 1682, 86, 86, 86, 86, + 1691, 1688, 86, 1680, 1681, 86, 86, 1684, 1694, 1685, + 86, 1693, 1686, 86, 86, 86, 86, 86, 1689, 86, + 86, 1692, 86, 86, 1703, 1690, 86, 86, 86, 1695, + 1704, 86, 1696, 1700, 1697, 1698, 1699, 1702, 1708, 86, + 86, 1701, 86, 1707, 1711, 1705, 86, 1706, 1709, 86, + 86, 1710, 86, 86, 86, 1712, 1715, 86, 86, 1713, + 1716, 86, 1719, 86, 86, 1714, 1723, 86, 1725, 1724, + 86, 1718, 86, 1717, 86, 86, 1720, 1728, 1721, 1722, - 86, 86, 1720, 86, 86, 1722, 1721, 86, 1725, 1728, - 86, 1723, 1724, 1731, 86, 1733, 1732, 86, 86, 1742, - 1726, 1729, 86, 1730, 1735, 86, 1737, 1739, 86, 86, - 1736, 86, 86, 86, 1741, 86, 1744, 1734, 1738, 86, - 86, 1746, 1740, 86, 1747, 1743, 86, 86, 86, 86, - 86, 1752, 1751, 1745, 86, 86, 86, 86, 1759, 86, - 1748, 86, 1760, 1750, 86, 1749, 86, 1754, 86, 1761, - 1763, 1756, 1753, 86, 1757, 86, 1755, 86, 1764, 1796, - 1766, 1767, 86, 1768, 1765, 1762, 1758, 1769, 1773, 86, - 86, 86, 1771, 86, 86, 1770, 86, 1772, 86, 86, + 86, 86, 86, 86, 1730, 1726, 1729, 86, 1727, 86, + 86, 1731, 1732, 1736, 1737, 86, 86, 86, 1734, 86, + 1733, 86, 86, 1741, 86, 1742, 1740, 1744, 86, 86, + 1735, 86, 1745, 86, 1738, 1746, 86, 86, 1739, 86, + 86, 86, 86, 1750, 1743, 86, 86, 86, 1755, 1747, + 86, 1753, 86, 1748, 86, 1749, 86, 86, 86, 86, + 1761, 1759, 1751, 86, 86, 1752, 1754, 1756, 86, 86, + 86, 1757, 1760, 1758, 86, 1763, 86, 1762, 1764, 86, + 1767, 1770, 86, 1768, 1772, 86, 86, 86, 86, 1765, + 1766, 1773, 1769, 86, 1775, 86, 86, 1771, 86, 86, - 86, 86, 86, 1774, 86, 1780, 86, 1779, 1781, 86, - 86, 86, 1775, 1783, 86, 1782, 86, 86, 1776, 86, - 1777, 1785, 1778, 1786, 86, 86, 86, 1788, 86, 1784, - 1787, 86, 86, 86, 86, 86, 86, 1789, 1797, 86, - 86, 86, 1791, 86, 86, 1792, 
1790, 1793, 86, 1802, - 1794, 1799, 1800, 86, 1798, 86, 1801, 86, 86, 1795, - 1804, 1803, 1808, 86, 86, 86, 86, 1806, 1805, 86, - 1810, 86, 1812, 1813, 86, 86, 86, 86, 1807, 86, - 1814, 1811, 86, 86, 1809, 1817, 1819, 86, 86, 1827, - 86, 1820, 1818, 1816, 1821, 1828, 86, 86, 1815, 1822, + 86, 86, 1779, 1782, 86, 1781, 1774, 1778, 86, 86, + 1776, 1783, 86, 170, 1777, 86, 86, 1785, 1780, 1787, + 86, 86, 1784, 86, 86, 1793, 1794, 86, 86, 1786, + 1788, 1797, 86, 86, 1789, 1790, 86, 1791, 86, 86, + 86, 1799, 1798, 86, 86, 1792, 1801, 1795, 1796, 86, + 1803, 1805, 86, 86, 1802, 1865, 86, 86, 1800, 1804, + 1807, 86, 1808, 86, 1811, 86, 1806, 86, 1812, 1809, + 1810, 86, 1813, 86, 86, 86, 86, 86, 1818, 1817, + 86, 86, 86, 86, 86, 1825, 1822, 1814, 86, 1823, + 1816, 86, 1815, 1820, 86, 86, 1963, 86, 1819, 1826, - 1826, 86, 1823, 86, 86, 86, 86, 1824, 1831, 1832, - 86, 86, 86, 1825, 86, 1829, 1835, 1833, 86, 1830, - 86, 86, 1844, 1836, 86, 1834, 86, 86, 86, 1839, - 1838, 1837, 86, 1841, 86, 1843, 1842, 1845, 86, 86, - 1840, 86, 86, 1851, 86, 1847, 86, 1846, 1852, 86, - 86, 1853, 1848, 1849, 1854, 86, 1857, 1850, 86, 86, - 86, 86, 86, 1861, 1860, 1865, 86, 86, 1856, 1855, - 1859, 86, 86, 86, 1858, 1863, 1869, 1862, 1864, 86, - 86, 1870, 86, 86, 161, 1866, 86, 1871, 1874, 1875, - 1868, 86, 1867, 1878, 1872, 86, 1877, 86, 86, 86, + 1827, 1824, 1821, 86, 1829, 1833, 86, 86, 1830, 1831, + 1832, 1834, 1835, 86, 86, 86, 1828, 86, 86, 1836, + 86, 1837, 86, 1838, 1839, 86, 86, 86, 1841, 1846, + 86, 1840, 1843, 86, 1847, 86, 1845, 86, 1848, 1850, + 86, 86, 1849, 1842, 86, 86, 86, 1844, 1853, 86, + 86, 1852, 86, 86, 86, 1854, 86, 86, 86, 86, + 86, 86, 86, 86, 1851, 1864, 86, 86, 86, 3564, + 1855, 1859, 1860, 1856, 1858, 1857, 1861, 1862, 1868, 86, + 1869, 86, 1866, 1871, 86, 1863, 1867, 1872, 86, 86, + 86, 86, 1877, 86, 1870, 86, 86, 86, 86, 1881, - 1881, 86, 1873, 1879, 1876, 1880, 86, 1882, 86, 86, - 1885, 86, 86, 1889, 86, 1887, 86, 86, 86, 86, - 86, 1888, 1890, 1884, 1886, 86, 86, 
86, 1883, 1894, - 86, 86, 1901, 1893, 1899, 86, 1891, 1892, 86, 1895, - 1896, 1902, 86, 86, 1897, 1898, 86, 86, 1904, 86, - 86, 1908, 86, 86, 1910, 1903, 1900, 86, 86, 86, - 86, 1914, 86, 1905, 1906, 86, 1909, 86, 86, 1907, - 86, 1916, 86, 1917, 1912, 1918, 86, 1913, 86, 1911, - 86, 1919, 170, 86, 86, 1915, 1923, 1920, 86, 1922, - 1926, 86, 86, 86, 1924, 1921, 1930, 86, 86, 1925, + 1873, 1879, 86, 86, 1875, 86, 86, 86, 1874, 1880, + 86, 86, 1876, 86, 86, 1878, 1886, 1882, 1888, 1883, + 86, 86, 86, 1889, 1885, 1887, 1890, 1884, 86, 1891, + 86, 1895, 1896, 86, 1898, 1892, 1897, 86, 86, 86, + 1893, 1900, 1901, 86, 86, 86, 1894, 86, 1899, 86, + 1904, 86, 1902, 86, 1905, 86, 86, 3564, 1906, 86, + 86, 1914, 86, 1903, 1909, 1908, 1907, 86, 1911, 1913, + 86, 1912, 1915, 86, 86, 1910, 86, 1916, 86, 86, + 1922, 86, 1917, 86, 86, 1923, 86, 1918, 1924, 86, + 86, 1928, 1920, 1925, 1919, 1921, 86, 86, 86, 1931, - 86, 86, 86, 86, 1928, 1932, 86, 1927, 86, 86, - 1937, 86, 1929, 1933, 1931, 1934, 86, 1940, 1941, 86, - 1938, 1935, 86, 1943, 86, 1942, 1936, 1939, 86, 86, - 1946, 1947, 86, 1944, 86, 86, 86, 1949, 1945, 86, - 86, 86, 1950, 86, 86, 86, 1948, 86, 86, 86, - 1955, 86, 1956, 86, 86, 86, 1960, 1957, 86, 86, - 1951, 1953, 1954, 1952, 1959, 1958, 86, 1961, 86, 86, - 1967, 1964, 86, 1966, 1963, 1968, 86, 1969, 1965, 86, - 1962, 86, 86, 86, 86, 86, 1975, 86, 1978, 86, - 1970, 1971, 1979, 86, 1980, 86, 86, 1973, 1972, 1976, + 86, 1933, 86, 1932, 86, 86, 1930, 1927, 86, 1926, + 1937, 1935, 1929, 86, 1936, 1934, 86, 86, 1941, 86, + 86, 86, 1938, 1942, 86, 1946, 86, 1948, 1951, 1939, + 1943, 1940, 1944, 86, 86, 1947, 1950, 86, 86, 86, + 1954, 1945, 86, 1952, 1949, 86, 86, 86, 1955, 1958, + 86, 86, 1962, 1953, 1960, 86, 86, 86, 86, 86, + 1961, 1957, 86, 1959, 86, 1956, 86, 86, 86, 1968, + 1967, 86, 86, 86, 3564, 1964, 1965, 1969, 1966, 1970, + 1971, 1973, 1975, 86, 1977, 1972, 1978, 1974, 86, 86, + 86, 86, 86, 1980, 86, 86, 1984, 86, 86, 1986, - 86, 1977, 1974, 1982, 86, 86, 1983, 
1986, 86, 1981, - 86, 86, 1988, 86, 1987, 86, 1989, 1984, 86, 1990, - 1992, 1985, 1995, 86, 86, 86, 86, 1994, 86, 1991, - 86, 1998, 86, 86, 86, 1997, 86, 86, 2002, 86, - 1993, 2001, 86, 86, 2003, 2004, 86, 86, 1996, 1999, - 86, 86, 2012, 86, 2000, 2005, 2006, 2007, 86, 2014, - 2010, 86, 2008, 86, 2015, 86, 2009, 2011, 2017, 86, - 2013, 2018, 86, 2021, 2019, 2016, 86, 86, 86, 86, - 2025, 86, 86, 86, 2027, 2022, 86, 2020, 86, 86, - 2030, 2031, 86, 86, 2033, 86, 86, 2023, 86, 2024, + 86, 1979, 86, 86, 1976, 86, 1990, 86, 86, 1981, + 1983, 1985, 86, 1982, 86, 86, 1992, 86, 1988, 1993, + 86, 1989, 1987, 86, 86, 1995, 1997, 86, 1991, 1996, + 86, 86, 170, 86, 2001, 1994, 2004, 86, 1999, 2000, + 86, 86, 86, 86, 2002, 86, 1998, 86, 2003, 2008, + 86, 86, 2010, 2006, 86, 86, 2015, 2009, 86, 2005, + 86, 2007, 86, 2011, 86, 86, 2012, 2014, 2019, 86, + 2016, 2018, 86, 2023, 2013, 2020, 2021, 86, 2017, 86, + 2024, 2025, 86, 86, 2022, 86, 86, 2027, 86, 86, + 86, 2028, 86, 86, 86, 2026, 86, 86, 86, 2033, - 86, 86, 2039, 86, 86, 2038, 2028, 2035, 2026, 2036, - 2029, 86, 86, 2032, 86, 86, 86, 86, 2045, 86, - 86, 2034, 2037, 2042, 2043, 2040, 86, 2041, 2049, 86, - 86, 2048, 2052, 86, 86, 2053, 2047, 2051, 86, 86, - 2044, 2055, 2056, 86, 86, 2046, 86, 86, 86, 2050, - 86, 2057, 86, 2058, 86, 86, 86, 2062, 2054, 86, - 2065, 2066, 86, 86, 2061, 2067, 86, 86, 2059, 2060, - 2070, 86, 86, 2063, 86, 86, 86, 2069, 2075, 86, - 2074, 86, 2064, 2068, 86, 86, 2071, 86, 2080, 2079, - 86, 86, 2072, 86, 2084, 2076, 2073, 2081, 86, 2077, + 86, 2034, 86, 86, 86, 2038, 2035, 86, 3564, 2029, + 2031, 2032, 2030, 2037, 2036, 86, 2039, 86, 86, 2045, + 2042, 86, 2044, 2041, 2046, 86, 2047, 2043, 86, 2040, + 86, 86, 86, 86, 86, 2053, 86, 2056, 86, 2048, + 2049, 2057, 86, 2058, 86, 86, 2051, 2050, 2054, 86, + 2055, 2052, 2060, 86, 86, 2061, 86, 86, 2059, 2065, + 86, 2066, 2067, 2069, 86, 86, 2062, 2068, 86, 86, + 2063, 86, 2071, 86, 2075, 86, 2072, 2064, 86, 86, + 86, 86, 2074, 2070, 2078, 86, 2077, 86, 86, 
86, + 86, 86, 2083, 2085, 2081, 2082, 86, 86, 2073, 86, - 2078, 86, 2082, 2083, 86, 2087, 86, 86, 86, 2085, - 86, 86, 86, 2094, 2086, 2091, 2097, 86, 86, 86, - 86, 2089, 2088, 86, 2098, 2096, 86, 2090, 86, 86, - 2099, 2092, 2093, 2095, 86, 2104, 86, 2100, 2105, 86, - 2101, 2106, 2108, 2109, 86, 2102, 2107, 86, 86, 86, - 86, 86, 2113, 86, 2103, 2111, 86, 86, 86, 86, - 2115, 2118, 2120, 2112, 86, 2114, 86, 86, 86, 2116, - 2110, 86, 170, 86, 86, 86, 86, 2123, 86, 2127, - 86, 2128, 86, 2129, 2117, 2121, 2119, 2124, 2125, 2130, - 86, 2122, 2126, 2131, 86, 2133, 86, 86, 86, 86, + 2076, 2084, 2079, 86, 86, 86, 86, 2093, 86, 2080, + 86, 2097, 3564, 86, 2095, 2086, 2087, 2088, 86, 2096, + 86, 86, 2089, 2091, 2090, 2098, 2092, 86, 2094, 2099, + 2102, 86, 2100, 2101, 86, 86, 86, 2106, 86, 86, + 2103, 86, 2108, 86, 86, 86, 2111, 2112, 86, 86, + 2114, 86, 86, 86, 2104, 86, 2105, 86, 86, 2121, + 86, 2119, 2116, 2109, 2117, 2107, 2110, 86, 86, 2113, + 86, 86, 86, 86, 2120, 86, 2127, 2115, 2118, 2124, + 2125, 86, 86, 86, 2130, 2123, 2132, 86, 2131, 2122, + 86, 86, 86, 86, 2134, 2135, 86, 2138, 2129, 2126, - 2132, 86, 2134, 2135, 86, 2136, 2137, 86, 86, 2138, - 2139, 86, 2141, 86, 86, 86, 86, 2145, 86, 86, - 2140, 2144, 86, 86, 2146, 2142, 2143, 2147, 2148, 86, - 2150, 86, 2149, 86, 86, 86, 86, 86, 86, 2151, - 2155, 2157, 2152, 2156, 86, 86, 86, 86, 86, 86, - 2162, 86, 2153, 2159, 2154, 2158, 86, 86, 2167, 86, - 2161, 2163, 86, 2160, 86, 2165, 2164, 86, 2168, 86, - 86, 2166, 2171, 2174, 2169, 2173, 86, 86, 86, 86, - 86, 2179, 2172, 86, 86, 2170, 2182, 86, 86, 2181, - 2183, 86, 86, 2175, 2176, 2177, 2180, 2178, 2185, 86, + 86, 86, 2136, 86, 2139, 86, 86, 2128, 86, 86, + 86, 2133, 2137, 2140, 86, 2141, 2142, 2144, 86, 86, + 86, 2146, 2145, 86, 2149, 2150, 2151, 86, 2143, 86, + 86, 86, 86, 86, 2154, 86, 86, 2147, 2159, 86, + 86, 2158, 86, 86, 2153, 86, 2148, 2152, 86, 2164, + 2155, 86, 2165, 2156, 86, 86, 86, 2157, 2162, 2169, + 2166, 2161, 2168, 86, 2160, 2167, 86, 2163, 2172, 86, + 
86, 86, 86, 86, 86, 86, 86, 2170, 86, 2176, + 2180, 86, 2171, 86, 86, 2174, 86, 86, 2183, 86, + 2181, 2173, 2175, 2187, 2184, 2177, 2178, 86, 2179, 2182, - 2184, 86, 2186, 86, 86, 2189, 86, 86, 86, 86, - 2188, 86, 86, 2190, 86, 2193, 86, 86, 2194, 86, - 86, 86, 86, 86, 86, 86, 2187, 86, 2192, 2191, - 2202, 2196, 2197, 2195, 2199, 86, 2198, 2204, 2201, 2206, - 2207, 86, 2200, 2203, 86, 86, 86, 86, 2205, 2210, - 2211, 86, 86, 2208, 2214, 86, 2213, 86, 86, 86, - 86, 86, 2216, 86, 2209, 2217, 86, 2212, 2218, 86, - 2220, 2222, 86, 2215, 2224, 2221, 86, 86, 2219, 2226, - 86, 86, 86, 86, 2229, 2223, 2228, 86, 2230, 86, - 2225, 86, 2231, 2234, 86, 86, 86, 86, 86, 86, + 2185, 86, 86, 2186, 86, 86, 2188, 2191, 2192, 86, + 2193, 86, 2194, 2196, 3564, 2189, 2197, 2195, 86, 86, + 2190, 86, 86, 86, 2201, 86, 2199, 86, 86, 86, + 86, 2198, 2203, 86, 2205, 2200, 2207, 2202, 86, 2204, + 2209, 86, 86, 2210, 86, 86, 86, 170, 86, 86, + 86, 86, 2213, 86, 2206, 86, 86, 2276, 2217, 2218, + 2208, 2212, 2214, 2215, 2211, 86, 2219, 2216, 2220, 86, + 2221, 86, 2223, 86, 86, 2222, 86, 86, 86, 2224, + 2226, 2225, 86, 86, 86, 86, 2227, 2228, 2229, 86, + 2231, 86, 86, 2235, 86, 2230, 2232, 2234, 86, 86, - 2235, 86, 86, 2227, 86, 2240, 2237, 2232, 2238, 2236, - 86, 2233, 2310, 2239, 86, 2242, 86, 2241, 2243, 86, - 86, 2244, 2246, 2247, 86, 2245, 86, 86, 86, 86, - 2249, 2248, 2251, 86, 2250, 2253, 86, 86, 2255, 2254, - 2252, 86, 2256, 86, 86, 86, 86, 86, 2262, 2258, - 2264, 2259, 2257, 86, 2260, 2265, 86, 2261, 86, 86, - 86, 86, 86, 86, 86, 2266, 2270, 2267, 2263, 2271, - 86, 2268, 2269, 2275, 86, 2272, 86, 86, 86, 2274, - 86, 86, 86, 2273, 86, 86, 86, 86, 86, 86, - 2284, 86, 2279, 2281, 2276, 2277, 2278, 2280, 2282, 86, + 86, 2240, 86, 2233, 2237, 2238, 86, 2236, 86, 2239, + 86, 86, 86, 86, 86, 86, 2247, 2245, 86, 2242, + 2246, 86, 86, 86, 86, 2252, 86, 2249, 2241, 2243, + 86, 2244, 2248, 86, 86, 2257, 2253, 2251, 86, 2250, + 86, 86, 2255, 86, 2254, 86, 86, 2258, 2261, 2264, + 2256, 86, 2259, 
2263, 86, 86, 86, 2270, 2262, 86, + 86, 86, 2260, 86, 86, 2272, 86, 2265, 2273, 86, + 86, 2266, 2267, 86, 2268, 2269, 86, 2271, 2275, 86, + 2277, 86, 86, 2278, 86, 2281, 86, 2274, 86, 86, + 2280, 86, 86, 2279, 2288, 2283, 86, 2286, 2284, 86, - 86, 86, 2301, 86, 2283, 2285, 2291, 2287, 2286, 2289, - 2290, 86, 86, 2293, 2295, 86, 86, 2297, 86, 86, - 2288, 2294, 86, 86, 86, 2296, 2299, 2303, 2300, 2292, - 170, 2305, 3387, 86, 2307, 2308, 2306, 86, 2298, 86, - 86, 86, 2309, 2302, 86, 2312, 86, 86, 2313, 86, - 2317, 86, 2304, 86, 2318, 86, 86, 2321, 2316, 86, - 86, 86, 2314, 86, 2311, 2322, 2325, 2319, 86, 2323, - 2324, 86, 2326, 2315, 2320, 86, 86, 86, 86, 2327, - 86, 2329, 86, 86, 2331, 86, 86, 2332, 86, 86, - 2335, 86, 86, 86, 2341, 86, 2328, 2339, 86, 86, + 2282, 2287, 86, 86, 86, 86, 86, 86, 86, 2285, + 86, 2289, 86, 86, 2290, 2295, 2292, 86, 2291, 2296, + 2300, 2294, 2301, 86, 86, 86, 86, 2298, 2304, 2305, + 2302, 2293, 2297, 2299, 86, 86, 86, 2303, 2308, 2307, + 86, 86, 86, 86, 86, 2310, 2306, 86, 2311, 2318, + 86, 2312, 86, 2309, 2316, 86, 2314, 86, 86, 2319, + 86, 2313, 2315, 2317, 2321, 86, 86, 86, 86, 2324, + 86, 2323, 2320, 2325, 86, 2326, 86, 86, 2330, 86, + 86, 86, 86, 2334, 86, 2331, 2322, 86, 2335, 86, + 86, 2333, 2327, 86, 2328, 2332, 86, 2329, 2336, 86, - 2330, 2334, 2342, 86, 2337, 86, 2333, 2336, 2344, 86, - 86, 2338, 86, 86, 2343, 2340, 86, 2349, 86, 2352, - 86, 86, 2347, 86, 86, 86, 86, 2346, 86, 2350, - 86, 2345, 2348, 2353, 86, 86, 2351, 86, 86, 86, - 2354, 86, 2355, 2362, 86, 86, 2366, 2356, 2369, 2358, - 2357, 2360, 2364, 86, 2363, 2359, 2361, 2367, 86, 2365, - 86, 86, 86, 2434, 86, 2368, 86, 2373, 2374, 86, - 86, 86, 2375, 86, 2370, 86, 2371, 2372, 2376, 86, - 86, 2379, 2380, 2382, 86, 2381, 2377, 86, 2378, 2383, - 86, 86, 2384, 86, 86, 86, 2385, 2389, 86, 2390, + 2337, 2338, 2339, 86, 86, 2340, 2344, 2341, 2342, 86, + 86, 86, 86, 2346, 2345, 86, 2350, 86, 86, 2343, + 86, 2352, 86, 2348, 86, 2353, 86, 2355, 2347, 86, + 2351, 2349, 86, 86, 86, 
2354, 2357, 86, 2362, 2360, + 86, 86, 2358, 2363, 86, 2359, 86, 2356, 86, 86, + 2365, 86, 2364, 86, 2368, 2361, 2369, 86, 2366, 86, + 2367, 2373, 86, 86, 86, 86, 2370, 86, 2372, 86, + 86, 86, 3564, 86, 86, 86, 86, 2371, 2381, 86, + 86, 2374, 2375, 2376, 2379, 2377, 2380, 2382, 2383, 2387, + 86, 86, 2378, 86, 2384, 2385, 2386, 86, 86, 2388, - 86, 86, 2392, 86, 86, 2394, 86, 2388, 86, 3387, - 86, 2397, 86, 2386, 2387, 2396, 2398, 86, 86, 86, - 2391, 86, 2393, 2395, 86, 86, 2404, 86, 2400, 86, - 2403, 86, 2399, 2406, 86, 2401, 86, 86, 86, 2410, - 2409, 86, 2408, 2402, 2412, 86, 86, 86, 2405, 2407, - 86, 86, 2415, 86, 2411, 2418, 86, 86, 86, 86, - 2413, 2414, 2416, 86, 2423, 86, 86, 2422, 86, 86, - 2417, 2425, 86, 2419, 2421, 2428, 86, 2424, 86, 86, - 2420, 86, 86, 2426, 2427, 2430, 86, 2435, 86, 86, - 2441, 2437, 2429, 2431, 86, 86, 86, 2436, 2438, 2432, + 86, 86, 2391, 2390, 86, 86, 2396, 86, 86, 2398, + 86, 86, 2389, 2392, 2395, 86, 86, 2397, 2393, 2401, + 86, 2402, 2399, 86, 170, 2405, 2394, 86, 3564, 2407, + 2400, 86, 2409, 2403, 2408, 86, 86, 2410, 86, 2411, + 86, 86, 2404, 86, 2414, 86, 2406, 2413, 2412, 86, + 2415, 86, 2419, 86, 86, 2420, 86, 2423, 86, 2422, + 2418, 86, 86, 86, 2416, 86, 2424, 2427, 2421, 86, + 2425, 2426, 86, 2428, 86, 2417, 86, 86, 2429, 86, + 2431, 86, 86, 2433, 86, 2430, 2434, 86, 86, 86, + 86, 86, 2437, 86, 86, 2441, 86, 2432, 2444, 2436, - 2433, 86, 86, 86, 86, 86, 2442, 2443, 2444, 86, - 2448, 86, 86, 2439, 86, 2440, 86, 2446, 2453, 2450, - 86, 2451, 2455, 86, 86, 86, 2445, 2452, 86, 86, - 2447, 86, 86, 86, 2456, 2460, 2457, 2449, 2459, 86, - 86, 2454, 2461, 86, 86, 86, 86, 2539, 2458, 2462, - 2466, 2467, 2463, 2464, 86, 86, 86, 86, 2468, 2465, - 86, 2471, 2472, 86, 2470, 86, 2469, 86, 86, 86, - 2473, 170, 2475, 86, 2476, 86, 2477, 86, 2474, 2482, - 86, 86, 86, 2480, 86, 2478, 86, 2479, 86, 86, - 2484, 2481, 2483, 86, 2485, 86, 2613, 86, 2489, 86, + 2443, 86, 86, 86, 86, 2435, 2438, 2439, 2446, 2440, + 86, 2445, 86, 86, 86, 2442, 86, 86, 
2451, 2454, + 86, 86, 2448, 86, 2449, 2455, 86, 2452, 2447, 2450, + 86, 86, 86, 86, 2453, 86, 86, 2465, 86, 86, + 2456, 86, 2457, 86, 86, 2458, 86, 2463, 2470, 86, + 2494, 2461, 2467, 2459, 2462, 2460, 2466, 2464, 2468, 86, + 2472, 86, 86, 86, 86, 2469, 2474, 2473, 86, 2471, + 86, 86, 2478, 2479, 86, 86, 86, 2475, 2480, 2481, + 86, 86, 2476, 2477, 86, 2484, 86, 2485, 86, 86, + 2482, 2488, 86, 86, 2483, 2489, 86, 2486, 2490, 86, - 2486, 2487, 2490, 2493, 86, 2488, 86, 2494, 2491, 2495, - 86, 2492, 86, 86, 2498, 2496, 2499, 86, 2497, 86, - 86, 86, 86, 2501, 86, 86, 2500, 86, 2503, 86, - 86, 2507, 2508, 2502, 86, 2505, 86, 2504, 86, 2510, - 86, 86, 86, 86, 2511, 2512, 2513, 86, 2506, 86, - 2509, 86, 2515, 86, 2514, 2519, 86, 2518, 86, 86, - 2516, 2517, 86, 86, 2521, 86, 86, 86, 86, 2528, - 2525, 2520, 86, 2527, 86, 86, 86, 86, 2529, 2524, - 86, 86, 2522, 2523, 86, 2533, 86, 2526, 86, 86, - 86, 2538, 2530, 2537, 86, 2531, 2532, 86, 2535, 86, + 2487, 86, 2495, 86, 2491, 2496, 86, 86, 86, 2492, + 2498, 86, 86, 2500, 86, 86, 2503, 86, 2504, 86, + 2502, 2493, 86, 2501, 86, 86, 2497, 86, 86, 86, + 2499, 2511, 86, 2506, 2510, 86, 2505, 2513, 86, 86, + 86, 2508, 2507, 86, 86, 2515, 86, 2509, 86, 2516, + 86, 2517, 86, 2518, 2512, 2520, 86, 2514, 86, 86, + 2523, 2522, 86, 2521, 86, 2524, 2526, 86, 2519, 86, + 86, 86, 2532, 86, 86, 2531, 86, 86, 2525, 2528, + 86, 2534, 2527, 86, 86, 2530, 2537, 86, 86, 86, + 86, 2539, 2529, 2533, 86, 2535, 86, 2538, 2536, 86, - 2536, 2540, 2534, 2541, 2542, 86, 2543, 86, 86, 2546, - 2544, 2548, 86, 86, 86, 2545, 2547, 86, 2550, 86, - 2552, 86, 86, 2551, 86, 2549, 86, 86, 86, 86, - 86, 86, 2556, 2562, 2558, 2559, 2560, 86, 2554, 86, - 2553, 86, 2555, 2561, 86, 86, 2563, 2564, 86, 86, - 86, 86, 86, 2566, 2557, 2568, 86, 86, 2571, 86, - 2572, 2573, 2569, 2565, 86, 2576, 86, 86, 2567, 2570, - 86, 86, 3387, 2577, 2574, 86, 86, 2580, 86, 2575, - 2581, 86, 86, 2582, 86, 86, 86, 86, 2586, 2585, - 2578, 86, 86, 2579, 2584, 86, 86, 86, 86, 86, + 2545, 86, 
2540, 86, 86, 2547, 2551, 2541, 2542, 2543, + 2546, 86, 86, 86, 2548, 86, 2552, 86, 2553, 86, + 2554, 86, 2544, 86, 86, 86, 2558, 86, 86, 2549, + 2560, 2550, 2556, 2561, 86, 2564, 86, 2565, 86, 2562, + 2568, 86, 2555, 86, 2557, 86, 86, 86, 2566, 86, + 2559, 2563, 2569, 2567, 2570, 86, 86, 86, 86, 2573, + 86, 86, 86, 86, 86, 86, 2574, 2575, 2572, 2576, + 2571, 2577, 2579, 2580, 2584, 2578, 86, 3564, 86, 86, + 2581, 86, 2585, 2582, 2583, 2586, 86, 2587, 86, 86, + 2590, 86, 86, 170, 86, 2588, 86, 2589, 2591, 86, - 2583, 2587, 2590, 2593, 2589, 2588, 2594, 86, 2595, 86, - 2596, 86, 2597, 86, 86, 2591, 2592, 2599, 86, 86, - 2601, 86, 2602, 2600, 86, 86, 2598, 86, 86, 2607, - 86, 86, 2609, 86, 2610, 86, 2603, 2604, 86, 86, - 86, 86, 86, 86, 2606, 86, 86, 2605, 2616, 2611, - 2608, 2612, 2614, 2619, 86, 2620, 86, 86, 86, 86, - 86, 2615, 2617, 86, 86, 2618, 2627, 170, 86, 2629, - 86, 2623, 86, 86, 2625, 86, 86, 2622, 86, 2628, - 86, 2630, 2621, 2624, 86, 2626, 86, 2636, 2631, 3387, - 2632, 86, 2634, 86, 2633, 86, 2638, 86, 2639, 2647, + 2596, 86, 86, 86, 86, 86, 86, 86, 2604, 86, + 2594, 2597, 2592, 2598, 2593, 2595, 86, 2599, 2600, 2602, + 86, 2601, 3564, 2603, 2607, 86, 86, 2608, 2606, 2605, + 2609, 86, 86, 86, 2612, 2610, 2613, 86, 2611, 86, + 86, 86, 86, 2615, 86, 86, 2614, 86, 2617, 86, + 86, 2621, 2622, 2616, 86, 2619, 86, 2618, 86, 2624, + 86, 86, 86, 86, 2625, 2626, 2627, 86, 2620, 86, + 2623, 86, 2629, 86, 2628, 2633, 86, 2632, 86, 86, + 2630, 2631, 86, 86, 2635, 86, 86, 86, 86, 86, + 2643, 2634, 2640, 86, 2642, 86, 86, 86, 2645, 2644, - 2637, 2635, 2640, 86, 2641, 86, 86, 2642, 86, 2643, - 86, 2644, 86, 2645, 86, 86, 86, 2649, 86, 86, - 86, 86, 86, 2646, 2655, 86, 86, 2653, 86, 2648, - 86, 2659, 86, 2650, 2660, 86, 86, 86, 2651, 2652, - 2654, 2656, 2661, 2657, 2658, 2663, 2664, 86, 86, 2666, - 86, 86, 86, 86, 2662, 2667, 86, 2665, 86, 2669, - 86, 86, 2675, 86, 2676, 86, 86, 86, 2670, 2668, - 2680, 86, 86, 86, 2671, 86, 2672, 2673, 2679, 2674, - 2681, 86, 2682, 86, 
86, 2678, 2677, 86, 86, 86, - 2684, 2683, 2687, 86, 86, 86, 86, 2691, 2686, 2690, + 2639, 86, 2636, 2637, 86, 2638, 86, 2641, 86, 2651, + 86, 2649, 86, 2646, 86, 86, 86, 2657, 86, 2655, + 2647, 2654, 86, 2648, 2652, 86, 2656, 86, 86, 2650, + 2653, 2658, 86, 2660, 86, 86, 86, 2661, 2662, 86, + 2664, 2659, 86, 2666, 2668, 86, 2665, 86, 2667, 86, + 2670, 86, 86, 86, 2663, 86, 2669, 86, 86, 86, + 86, 86, 2674, 2679, 86, 2677, 2678, 2672, 2680, 86, + 2671, 2673, 2681, 86, 86, 2683, 86, 86, 86, 86, + 2676, 86, 86, 86, 2675, 2688, 2686, 86, 86, 2691, + 86, 86, 2684, 2682, 86, 2689, 2692, 2693, 2687, 2685, - 2692, 86, 2685, 86, 86, 2693, 2694, 86, 86, 2688, - 86, 86, 86, 2689, 86, 2695, 86, 2696, 86, 2700, - 3387, 86, 2698, 2697, 2704, 2705, 86, 86, 86, 2708, - 86, 2699, 2701, 86, 86, 2702, 86, 86, 2703, 86, - 2711, 86, 2706, 2713, 2709, 86, 2707, 2714, 86, 2710, - 86, 86, 2712, 86, 2715, 2719, 86, 86, 86, 86, - 2716, 86, 2722, 2723, 86, 2720, 2721, 2725, 86, 86, - 2717, 2718, 86, 86, 2726, 86, 86, 2728, 2724, 2731, - 86, 2727, 86, 2732, 86, 2729, 2734, 86, 86, 86, - 86, 86, 2739, 86, 86, 2730, 86, 2735, 2733, 2737, + 2690, 2694, 86, 2697, 86, 86, 86, 86, 2698, 86, + 86, 2701, 2695, 2702, 86, 86, 86, 2696, 86, 86, + 2703, 86, 86, 86, 2708, 2699, 2707, 2700, 2705, 86, + 86, 2706, 86, 86, 2704, 86, 86, 2709, 2712, 2716, + 86, 2715, 2711, 2710, 2717, 86, 2718, 86, 2719, 86, + 86, 86, 2713, 86, 86, 2714, 86, 2723, 2722, 86, + 2724, 86, 2720, 86, 2725, 86, 2726, 86, 86, 2721, + 86, 2732, 86, 86, 2734, 86, 86, 2728, 2735, 86, + 86, 2727, 86, 86, 86, 86, 2731, 2729, 2737, 2730, + 2738, 2736, 2733, 86, 2739, 86, 2744, 86, 2741, 86, - 2738, 2736, 2741, 86, 2740, 86, 86, 86, 2744, 86, - 2742, 2743, 2745, 86, 86, 2747, 86, 2746, 86, 86, - 86, 86, 2748, 2751, 2749, 2752, 2754, 86, 86, 2750, - 2755, 86, 86, 2756, 2753, 2758, 170, 86, 86, 2759, - 2757, 86, 2760, 2763, 3387, 86, 86, 2765, 86, 86, - 2764, 86, 86, 2768, 86, 86, 2761, 2767, 2772, 2762, - 2769, 86, 2773, 2766, 2770, 2771, 
86, 2774, 86, 86, - 86, 86, 2778, 86, 2775, 2776, 86, 2779, 86, 86, - 86, 2780, 86, 86, 86, 2777, 2785, 2786, 2781, 2787, - 2783, 86, 86, 86, 86, 2782, 86, 86, 86, 2791, + 2746, 86, 86, 86, 2740, 2742, 86, 86, 2745, 170, + 86, 86, 86, 86, 2753, 2743, 86, 2755, 86, 2749, + 86, 2754, 2756, 2748, 2751, 86, 86, 86, 2747, 86, + 86, 2750, 2762, 2752, 86, 2757, 2759, 86, 86, 2764, + 2758, 86, 2765, 86, 2763, 2766, 86, 86, 2760, 2772, + 2761, 2767, 86, 86, 2768, 86, 2769, 86, 2770, 2771, + 86, 86, 2773, 86, 86, 86, 86, 2775, 86, 86, + 2781, 86, 86, 86, 2779, 2774, 86, 2785, 86, 2776, + 2786, 86, 2790, 86, 2778, 2777, 2780, 86, 86, 2782, + 2783, 2784, 2787, 2788, 2792, 86, 2789, 2791, 86, 86, - 86, 2789, 2790, 2788, 2784, 2793, 86, 86, 86, 86, - 2792, 2794, 86, 86, 86, 2799, 86, 86, 2797, 86, - 3387, 2796, 2798, 2802, 86, 2795, 2800, 86, 86, 86, - 2801, 2807, 86, 2803, 86, 2804, 86, 86, 86, 2805, - 86, 2808, 86, 2806, 86, 2810, 86, 2809, 2812, 86, - 2816, 86, 2811, 2817, 86, 2814, 2824, 2813, 2819, 2820, - 2821, 86, 2815, 86, 86, 86, 86, 2822, 86, 2818, - 2825, 2823, 86, 2827, 86, 86, 86, 2828, 86, 86, - 2829, 86, 2832, 86, 86, 2826, 2834, 86, 2837, 2830, - 2835, 86, 86, 2831, 2836, 86, 86, 2838, 2839, 86, + 86, 86, 86, 86, 86, 86, 86, 86, 2796, 2803, + 86, 2804, 86, 86, 2802, 3564, 2793, 2794, 2795, 2797, + 2798, 2799, 2800, 86, 2801, 86, 2808, 86, 2809, 86, + 2810, 2807, 86, 2805, 86, 86, 86, 86, 86, 86, + 86, 2806, 86, 2815, 86, 86, 2820, 86, 86, 2812, + 2811, 2814, 2819, 2817, 2813, 2821, 86, 2823, 86, 2816, + 2818, 86, 86, 2822, 2824, 86, 86, 2826, 86, 86, + 86, 2825, 86, 2829, 2830, 86, 86, 2827, 86, 2836, + 86, 2835, 86, 86, 2839, 86, 2828, 86, 86, 86, + 2831, 2832, 86, 2842, 2834, 2833, 86, 2837, 2840, 86, - 86, 2833, 86, 2843, 86, 2841, 86, 86, 2844, 86, - 86, 2847, 2848, 86, 2842, 86, 2840, 86, 2845, 2849, - 86, 86, 86, 86, 2846, 2850, 86, 2853, 2851, 2854, - 86, 86, 2855, 2856, 86, 2852, 2857, 2858, 86, 2859, - 86, 2860, 2862, 2863, 86, 86, 2865, 86, 86, 2864, - 
86, 2867, 86, 86, 2861, 2866, 2868, 86, 86, 86, - 2873, 86, 86, 86, 86, 2872, 86, 2875, 2876, 86, - 2869, 86, 2878, 2870, 86, 86, 2877, 2879, 2871, 86, - 86, 2882, 2881, 86, 86, 86, 2874, 2880, 2885, 86, - 2889, 86, 2883, 2884, 86, 86, 86, 86, 2891, 86, + 86, 2838, 2844, 2841, 2845, 2846, 86, 2843, 86, 86, + 86, 86, 2847, 2851, 86, 86, 86, 86, 86, 2855, + 2853, 2854, 86, 2848, 2856, 86, 86, 2852, 86, 2849, + 2850, 2858, 86, 2859, 86, 2857, 86, 86, 2861, 2864, + 86, 86, 2865, 2860, 2867, 86, 2863, 86, 2862, 86, + 86, 86, 86, 2874, 86, 86, 86, 86, 3564, 2866, + 2868, 2871, 2869, 2870, 2872, 2873, 2877, 86, 86, 86, + 86, 2875, 2876, 2878, 2879, 86, 86, 86, 86, 86, + 2881, 86, 86, 86, 2880, 2882, 86, 2884, 2887, 2885, + 86, 2888, 2890, 86, 2886, 2883, 86, 2889, 2891, 86, - 86, 86, 2886, 2888, 2918, 2887, 2892, 2895, 2890, 2896, - 2893, 86, 2898, 86, 2897, 86, 2894, 2899, 86, 2900, - 2901, 86, 86, 2902, 86, 2903, 86, 2904, 86, 2905, - 86, 86, 86, 2908, 86, 86, 2907, 2909, 86, 2910, - 2912, 86, 86, 2916, 86, 86, 2906, 2913, 2917, 86, - 86, 2911, 2920, 86, 2922, 86, 86, 2921, 86, 86, - 86, 2914, 2915, 2919, 2923, 2924, 86, 2925, 86, 2926, - 2929, 86, 86, 86, 2928, 86, 2930, 2927, 86, 2935, - 86, 86, 2931, 86, 2936, 86, 86, 86, 86, 2933, - 2938, 2939, 86, 2940, 2932, 2934, 2937, 2941, 86, 2942, + 86, 2892, 2894, 170, 86, 86, 86, 2895, 2899, 2893, + 2896, 86, 86, 2901, 86, 86, 2900, 3564, 86, 2904, + 86, 86, 2897, 2903, 2898, 2905, 86, 2907, 86, 86, + 2902, 2909, 2908, 86, 2906, 86, 2910, 86, 2911, 86, + 2912, 2914, 86, 86, 86, 86, 2915, 86, 2916, 86, + 86, 86, 2921, 2913, 2917, 2922, 2923, 2919, 86, 2918, + 86, 86, 86, 86, 86, 86, 86, 2927, 2926, 2925, + 86, 2920, 2924, 86, 86, 2929, 86, 2928, 2930, 2931, + 86, 86, 86, 86, 2932, 86, 2936, 86, 86, 2933, + 2934, 2935, 2937, 2938, 2940, 86, 86, 86, 2939, 86, - 86, 86, 2946, 86, 86, 86, 2943, 86, 86, 86, - 2952, 2944, 86, 2947, 86, 86, 86, 2948, 2950, 2945, - 2955, 86, 86, 2957, 2953, 86, 2956, 86, 2951, 86, - 86, 86, 2949, 
86, 2958, 2954, 2959, 86, 2962, 2967, - 2960, 2963, 86, 2961, 2964, 86, 2965, 86, 2966, 86, - 86, 2971, 86, 2968, 86, 2970, 86, 86, 86, 2972, - 86, 2969, 86, 2973, 2974, 86, 86, 2978, 2976, 2980, - 2975, 86, 2982, 86, 86, 86, 86, 86, 2983, 86, - 86, 2977, 2984, 86, 2979, 2985, 86, 2986, 86, 2991, - 86, 86, 86, 86, 2988, 2987, 2981, 2994, 2989, 86, + 86, 2941, 2945, 86, 2946, 86, 2942, 86, 86, 86, + 86, 2951, 86, 86, 86, 86, 2943, 2948, 2944, 2955, + 2956, 86, 2949, 86, 2947, 2950, 2958, 86, 2952, 2953, + 2959, 2961, 86, 2954, 2962, 86, 86, 86, 86, 86, + 86, 86, 86, 86, 2968, 2960, 2963, 2965, 2957, 2966, + 86, 86, 86, 86, 2967, 2969, 86, 2970, 2972, 86, + 86, 2974, 86, 2983, 2964, 2971, 2976, 86, 2977, 86, + 86, 2973, 2978, 86, 2979, 86, 86, 2982, 86, 86, + 2975, 2980, 86, 2986, 2981, 86, 86, 2984, 2987, 86, + 86, 2985, 86, 2990, 2991, 86, 86, 2988, 2992, 86, - 86, 86, 86, 86, 2992, 2993, 86, 86, 2990, 2995, - 2998, 2999, 86, 3000, 86, 2996, 3001, 3004, 86, 86, - 2997, 3002, 3006, 86, 3007, 86, 86, 3009, 86, 86, - 86, 86, 86, 3014, 86, 86, 3013, 3017, 3005, 86, - 3003, 86, 86, 86, 86, 3010, 3011, 3008, 3012, 86, - 3016, 86, 3020, 3023, 86, 3015, 86, 3025, 3021, 86, - 86, 3019, 3018, 86, 3026, 3028, 86, 86, 3022, 3029, - 86, 3031, 86, 86, 86, 86, 3024, 86, 86, 3036, - 86, 3387, 3027, 3034, 3033, 86, 86, 3030, 3040, 86, - 3038, 3032, 86, 3044, 86, 3035, 3037, 3042, 86, 86, + 2993, 86, 86, 2995, 86, 2994, 2989, 2997, 86, 2996, + 86, 3000, 86, 86, 3001, 3002, 86, 86, 3004, 86, + 86, 86, 2998, 86, 86, 3008, 3009, 86, 3010, 3011, + 2999, 86, 3003, 3005, 86, 86, 86, 3007, 3013, 3006, + 86, 3012, 86, 3014, 86, 86, 3019, 86, 86, 86, + 86, 3018, 86, 3021, 3022, 86, 86, 3015, 3024, 86, + 3016, 3023, 3017, 86, 86, 86, 3025, 3027, 86, 3028, + 3031, 86, 3020, 3026, 86, 86, 3029, 3030, 86, 3035, + 86, 86, 86, 86, 86, 3037, 3047, 86, 86, 3032, + 86, 3053, 3034, 3038, 3033, 3036, 3041, 3039, 86, 3042, - 3039, 3041, 3043, 86, 86, 3047, 3048, 86, 3050, 86, - 3045, 86, 3049, 86, 86, 
3053, 86, 86, 3052, 86, - 3056, 86, 3051, 3046, 3054, 86, 86, 3059, 86, 86, - 86, 86, 3064, 86, 86, 86, 3055, 3060, 3057, 3058, - 86, 3068, 86, 86, 3063, 3069, 86, 3061, 3070, 3067, - 86, 3066, 86, 3065, 86, 3062, 86, 3072, 3073, 86, - 3074, 86, 3075, 86, 3071, 3078, 86, 3076, 86, 3080, - 86, 86, 86, 3079, 86, 86, 86, 3085, 3086, 86, - 86, 86, 3077, 86, 86, 3081, 86, 3092, 86, 3093, - 86, 86, 3387, 3094, 3082, 3091, 3083, 3084, 3089, 86, + 3564, 3044, 86, 3040, 3043, 86, 3045, 86, 86, 3046, + 86, 3048, 86, 3049, 86, 3050, 86, 3051, 86, 3052, + 86, 86, 3055, 86, 3056, 3054, 86, 3059, 3058, 86, + 86, 3060, 86, 3064, 86, 3057, 3065, 86, 3061, 86, + 86, 86, 3066, 3069, 86, 86, 3067, 86, 3071, 86, + 3062, 86, 3063, 86, 3070, 86, 3072, 3073, 86, 3068, + 86, 86, 3074, 3078, 3075, 3079, 86, 3080, 86, 3076, + 3077, 86, 86, 86, 86, 3081, 86, 3086, 86, 3564, + 86, 3082, 3087, 86, 86, 3084, 86, 3089, 3090, 86, + 86, 3085, 3083, 3088, 3091, 3092, 86, 3094, 86, 86, - 3088, 86, 86, 3090, 3098, 86, 3087, 3097, 3099, 86, - 86, 3095, 86, 3102, 86, 3100, 86, 3105, 86, 86, - 3096, 86, 3104, 86, 86, 3107, 3101, 86, 3103, 3106, - 86, 86, 3108, 86, 86, 86, 3111, 86, 86, 86, - 3113, 3387, 86, 3109, 86, 3112, 3114, 86, 86, 3126, - 3110, 86, 86, 86, 3115, 86, 3123, 3116, 3124, 3117, - 3118, 3120, 3121, 3119, 86, 86, 86, 86, 86, 3122, - 3127, 3129, 3125, 3131, 86, 3132, 86, 86, 3387, 3130, - 86, 3133, 3134, 86, 3128, 3135, 3136, 3137, 86, 3138, - 86, 3139, 3140, 86, 86, 3141, 3142, 3145, 86, 3143, + 3093, 86, 3098, 86, 3095, 86, 86, 86, 86, 86, + 3105, 86, 86, 3102, 3099, 86, 86, 86, 3100, 3097, + 3103, 86, 3108, 86, 3096, 86, 3109, 3106, 3112, 3104, + 86, 3110, 3101, 3107, 3111, 86, 86, 86, 3115, 3117, + 86, 3116, 3118, 86, 3119, 86, 86, 86, 3113, 86, + 3114, 86, 3124, 86, 86, 3120, 3123, 86, 86, 3125, + 3127, 86, 3126, 86, 86, 86, 86, 3121, 3122, 86, + 3131, 3128, 3133, 3135, 86, 3129, 86, 86, 86, 86, + 3136, 86, 3137, 86, 3132, 3130, 3138, 86, 3139, 86, + 86, 3144, 86, 86, 3134, 86, 86, 
86, 3140, 86, - 3144, 86, 86, 86, 3148, 86, 3146, 86, 86, 86, - 86, 86, 3147, 3154, 86, 86, 3153, 86, 86, 86, - 86, 86, 3150, 3157, 3156, 3149, 86, 3158, 86, 3151, - 3152, 3161, 3162, 86, 86, 3159, 86, 3163, 3387, 3160, - 3155, 86, 3164, 3165, 86, 3166, 86, 86, 86, 3167, - 3171, 86, 3168, 3173, 86, 3172, 86, 3169, 86, 86, - 3170, 3174, 86, 3177, 86, 3181, 3175, 3178, 3180, 86, - 86, 86, 3183, 86, 86, 3176, 3182, 3184, 86, 86, - 3187, 86, 86, 3179, 3186, 3188, 86, 3190, 86, 3185, - 86, 3189, 3191, 86, 3192, 86, 3193, 86, 3194, 86, + 86, 3148, 86, 3143, 3141, 3142, 3145, 86, 3146, 3147, + 86, 3149, 3153, 86, 86, 3150, 86, 3155, 3152, 3151, + 86, 86, 86, 3156, 3159, 86, 3161, 86, 86, 3164, + 86, 3162, 86, 3154, 3163, 3166, 86, 86, 3157, 86, + 86, 3160, 86, 86, 86, 3169, 86, 3158, 3165, 3171, + 3172, 86, 86, 3167, 3175, 3168, 86, 86, 3170, 86, + 86, 3174, 3182, 3173, 86, 3178, 3181, 86, 86, 3176, + 86, 3179, 86, 3184, 86, 3177, 86, 3185, 3180, 86, + 3187, 86, 3188, 86, 86, 3191, 86, 86, 86, 86, + 3183, 3189, 86, 3196, 86, 86, 3186, 3194, 3193, 86, - 3195, 86, 3196, 86, 3197, 86, 86, 3200, 86, 86, - 86, 86, 86, 86, 86, 3199, 3198, 86, 3201, 3205, - 86, 86, 3202, 86, 3209, 86, 3208, 3206, 3210, 86, - 3207, 3203, 3204, 3212, 86, 86, 3211, 86, 3214, 86, - 3216, 86, 86, 3213, 3219, 3218, 86, 86, 86, 86, - 86, 86, 3221, 86, 86, 86, 86, 86, 3227, 3217, - 3220, 3225, 3226, 3215, 86, 3224, 86, 3222, 86, 3223, - 86, 3228, 86, 3230, 3238, 3231, 86, 3232, 3233, 86, - 3234, 86, 86, 3229, 3235, 86, 86, 86, 86, 3236, - 86, 3237, 86, 86, 3244, 3243, 3239, 86, 3246, 3242, + 3200, 86, 86, 86, 3190, 3192, 3198, 86, 86, 3195, + 3202, 3197, 86, 86, 3564, 3199, 3203, 3201, 86, 3204, + 3205, 3207, 3210, 3206, 3208, 86, 86, 86, 86, 3209, + 3211, 86, 3213, 86, 86, 86, 3212, 3216, 86, 3214, + 3219, 86, 86, 86, 86, 86, 86, 3224, 86, 86, + 86, 3564, 86, 86, 3215, 3217, 3218, 3220, 3231, 3223, + 3221, 3227, 3228, 86, 3229, 86, 3226, 86, 3225, 3222, + 3230, 86, 86, 3234, 86, 3235, 86, 3233, 3236, 
86, + 86, 3232, 3237, 86, 86, 3240, 86, 86, 3242, 86, + 86, 86, 3241, 3238, 3244, 86, 86, 86, 86, 86, - 3240, 86, 86, 86, 86, 86, 86, 86, 3245, 86, - 3241, 86, 3255, 86, 3247, 3253, 3258, 86, 86, 3250, - 86, 3248, 3249, 3254, 3252, 3257, 86, 86, 86, 86, - 3251, 3260, 3263, 86, 3256, 86, 3265, 86, 3259, 86, - 3266, 3261, 3267, 86, 3264, 3268, 86, 86, 3262, 3270, - 86, 86, 86, 3271, 86, 86, 3272, 3273, 3276, 86, - 86, 86, 86, 86, 86, 86, 3269, 3279, 3280, 86, - 3275, 86, 3278, 3277, 3282, 86, 3283, 86, 3284, 3274, - 86, 3281, 3286, 86, 3285, 86, 3287, 3289, 86, 86, - 3290, 86, 86, 3291, 3293, 3294, 86, 86, 3288, 86, + 86, 3250, 3243, 3251, 86, 86, 86, 86, 86, 3245, + 3239, 86, 3257, 86, 3258, 86, 86, 3248, 3246, 3247, + 3256, 3249, 3254, 3260, 86, 3253, 86, 3255, 86, 86, + 86, 3252, 3564, 3263, 3259, 3265, 86, 3266, 86, 86, + 86, 86, 3269, 86, 3261, 3262, 3267, 86, 86, 3272, + 86, 3264, 3270, 3268, 86, 3271, 86, 86, 86, 3273, + 3274, 86, 3275, 3276, 86, 86, 3278, 86, 86, 86, + 86, 3280, 86, 86, 86, 3281, 3279, 86, 3277, 86, + 86, 86, 86, 86, 86, 3290, 3291, 3282, 3286, 3283, + 3284, 3285, 3293, 3303, 3287, 3288, 86, 3297, 86, 3564, - 86, 86, 3299, 86, 3298, 86, 3295, 3300, 86, 3296, - 3292, 86, 86, 86, 86, 86, 3297, 86, 3304, 86, - 3306, 86, 86, 86, 86, 86, 3301, 3303, 3311, 3312, - 86, 3302, 3305, 86, 3308, 3309, 3307, 3319, 3310, 3313, - 86, 3317, 86, 86, 86, 3314, 86, 3320, 3315, 3318, - 86, 86, 3316, 86, 86, 3321, 3322, 3325, 3323, 3326, - 86, 86, 86, 86, 3328, 86, 3327, 86, 86, 86, - 86, 3329, 3334, 3324, 86, 3331, 86, 86, 86, 86, - 3337, 3330, 3338, 86, 86, 86, 86, 86, 3332, 3333, - 3336, 3341, 86, 3335, 3339, 3342, 86, 3340, 86, 3345, + 3289, 3294, 3292, 3295, 86, 3298, 86, 3296, 3299, 86, + 86, 3301, 86, 86, 3300, 3304, 86, 86, 3302, 3306, + 86, 3307, 3308, 86, 86, 3309, 3310, 3314, 86, 3311, + 86, 86, 3305, 3312, 3313, 86, 86, 86, 3317, 86, + 3315, 86, 86, 3320, 86, 86, 3316, 86, 86, 3318, + 3324, 86, 3323, 86, 86, 3319, 86, 86, 86, 86, + 3328, 3327, 86, 86, 
3321, 3322, 3329, 3332, 3325, 3333, + 86, 86, 3334, 3330, 86, 3335, 86, 3331, 3326, 3336, + 86, 3337, 86, 86, 86, 3342, 3338, 86, 3339, 3344, + 3343, 86, 86, 3340, 86, 86, 3341, 86, 86, 3348, - 3344, 3346, 86, 3343, 86, 3347, 86, 3349, 86, 3351, - 86, 3352, 86, 86, 86, 3356, 86, 3353, 3387, 86, - 3354, 3359, 86, 3350, 3357, 86, 86, 3358, 3348, 86, - 86, 86, 86, 3355, 86, 86, 3360, 3361, 86, 3363, - 3365, 86, 86, 3367, 86, 3362, 86, 3368, 86, 3371, - 3364, 3366, 3372, 86, 3369, 86, 86, 3375, 3376, 86, - 86, 3378, 86, 3370, 86, 3373, 86, 3377, 3379, 86, - 86, 3380, 86, 86, 3374, 3381, 3387, 3382, 3385, 86, - 3386, 86, 3387, 3387, 3387, 3383, 3387, 3387, 3387, 3387, - 3387, 3387, 3384, 47, 47, 47, 47, 47, 47, 47, + 3352, 3345, 3346, 3349, 3351, 86, 86, 86, 86, 3354, + 86, 3355, 86, 3347, 3353, 86, 3350, 3358, 86, 86, + 3357, 86, 3356, 3359, 86, 3362, 86, 86, 3360, 3363, + 86, 3364, 86, 3365, 86, 3366, 86, 3367, 86, 3361, + 3368, 86, 3369, 86, 86, 86, 3372, 86, 3373, 86, + 86, 86, 86, 3370, 3371, 86, 3375, 3377, 86, 3374, + 3379, 86, 86, 86, 86, 86, 3383, 3380, 3384, 86, + 86, 3376, 3386, 86, 3378, 3381, 3382, 86, 3385, 86, + 3388, 86, 3390, 86, 86, 3393, 86, 3392, 3387, 86, + 86, 86, 86, 86, 3395, 86, 86, 86, 86, 3399, - 52, 52, 52, 52, 52, 52, 52, 57, 57, 57, - 57, 57, 57, 57, 63, 63, 63, 63, 63, 63, - 63, 68, 68, 68, 68, 68, 68, 68, 74, 74, - 74, 74, 74, 74, 74, 80, 80, 80, 80, 80, - 80, 80, 89, 89, 3387, 89, 89, 89, 89, 160, - 160, 3387, 3387, 3387, 160, 160, 162, 162, 3387, 3387, - 162, 3387, 162, 164, 3387, 3387, 3387, 3387, 3387, 164, - 167, 167, 3387, 3387, 3387, 167, 167, 169, 3387, 3387, - 3387, 3387, 3387, 169, 171, 171, 3387, 171, 171, 171, - 171, 174, 3387, 3387, 3387, 3387, 3387, 174, 177, 177, + 3394, 3391, 3401, 86, 86, 3389, 3400, 86, 86, 3396, + 3397, 3398, 3405, 86, 3408, 86, 3406, 86, 3402, 3409, + 86, 3407, 3403, 86, 3404, 3410, 86, 86, 86, 86, + 86, 3413, 3412, 86, 86, 86, 86, 3419, 86, 3418, + 3411, 86, 3421, 3415, 3417, 86, 86, 86, 3414, 86, + 
86, 3420, 86, 3416, 86, 86, 86, 3423, 3422, 86, + 3430, 3428, 86, 3425, 3424, 3427, 3429, 3432, 3434, 86, + 86, 86, 86, 86, 3426, 86, 3436, 3431, 3433, 3439, + 86, 3441, 86, 86, 3440, 86, 3437, 86, 3442, 86, + 3435, 3443, 86, 3438, 3444, 86, 86, 86, 86, 3447, - 3387, 3387, 3387, 177, 177, 90, 90, 3387, 90, 90, - 90, 90, 17, 3387, 3387, 3387, 3387, 3387, 3387, 3387, - 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, - 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, - 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, - 3387, 3387, 3387 + 86, 86, 3445, 3448, 3452, 3446, 3449, 86, 86, 86, + 86, 86, 3451, 86, 3450, 3461, 3455, 3456, 86, 86, + 3454, 3453, 3458, 86, 3459, 86, 3460, 86, 86, 3457, + 3463, 86, 3462, 86, 3464, 3466, 86, 86, 3467, 86, + 86, 3468, 3470, 3471, 86, 86, 3465, 86, 86, 86, + 3476, 86, 3475, 86, 3472, 3477, 86, 3473, 3469, 86, + 86, 86, 86, 86, 3474, 86, 3481, 86, 3483, 86, + 86, 86, 86, 86, 3478, 3480, 3488, 3489, 86, 3479, + 3482, 86, 3485, 3486, 3484, 3496, 3487, 3490, 86, 3494, + 86, 86, 86, 3491, 86, 3497, 3492, 3495, 86, 86, + + 3493, 86, 86, 3498, 3499, 3502, 3500, 3503, 86, 86, + 86, 86, 3505, 86, 3504, 86, 86, 86, 86, 3506, + 3511, 3501, 86, 3508, 86, 86, 86, 86, 3514, 3507, + 3515, 86, 86, 86, 86, 86, 3509, 3510, 3513, 3518, + 86, 3512, 3516, 3519, 86, 3517, 86, 3522, 3521, 3523, + 86, 3520, 86, 3524, 86, 3526, 86, 3528, 86, 3529, + 86, 86, 86, 3533, 86, 3530, 3564, 86, 3531, 3536, + 86, 3527, 3534, 86, 86, 3535, 3525, 86, 86, 86, + 86, 3532, 86, 86, 3537, 3538, 86, 3540, 3542, 86, + 86, 3544, 86, 3539, 86, 3545, 86, 3548, 3541, 3543, + + 3549, 86, 3546, 86, 86, 3552, 3553, 86, 86, 3555, + 86, 3547, 86, 3550, 86, 3554, 3556, 86, 86, 3557, + 86, 86, 3551, 3558, 3564, 3559, 3562, 86, 3563, 86, + 3564, 3564, 3564, 3560, 3564, 3564, 3564, 3564, 3564, 3564, + 3561, 47, 47, 47, 47, 47, 47, 47, 52, 52, + 52, 52, 52, 52, 52, 57, 57, 57, 57, 57, + 57, 57, 63, 63, 63, 63, 63, 63, 63, 68, + 68, 68, 68, 68, 68, 68, 74, 
74, 74, 74, + 74, 74, 74, 80, 80, 80, 80, 80, 80, 80, + 89, 89, 3564, 89, 89, 89, 89, 160, 160, 3564, + + 3564, 3564, 160, 160, 162, 162, 3564, 3564, 162, 3564, + 162, 164, 3564, 3564, 3564, 3564, 3564, 164, 167, 167, + 3564, 3564, 3564, 167, 167, 169, 3564, 3564, 3564, 3564, + 3564, 169, 171, 171, 3564, 171, 171, 171, 171, 174, + 3564, 3564, 3564, 3564, 3564, 174, 177, 177, 3564, 3564, + 3564, 177, 177, 90, 90, 3564, 90, 90, 90, 90, + 17, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, + 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, + 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, + 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, + + 3564 } ; -static const flex_int16_t yy_chk[6654] = +static const flex_int16_t yy_chk[7002] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, @@ -2283,18 +2380,18 @@ static const flex_int16_t yy_chk[6654] = 5, 3, 6, 24, 4, 24, 24, 5, 24, 6, 7, 7, 7, 7, 24, 7, 8, 8, 8, 8, 33, 8, 7, 9, 9, 9, 26, 26, 8, 10, - 10, 10, 19, 29, 9, 33, 19, 29, 3395, 35, + 10, 10, 19, 29, 9, 33, 19, 29, 3572, 35, 10, 11, 11, 11, 11, 11, 11, 13, 13, 13, 13, 34, 13, 11, 35, 99, 34, 29, 38, 13, 51, 51, 11, 12, 12, 12, 12, 12, 12, 14, 14, 14, 14, 99, 14, 12, 15, 15, 15, 38, 23, 14, 23, 23, 12, 23, 46, 15, 16, 16, - 16, 23, 23, 25, 27, 27, 25, 25, 2758, 16, + 16, 23, 23, 25, 27, 27, 25, 25, 2894, 16, 25, 46, 27, 30, 30, 25, 27, 56, 40, 27, 56, 73, 31, 31, 25, 28, 67, 67, 30, 32, 28, 31, 40, 32, 28, 73, 32, 28, 92, 28, - 28, 92, 31, 32, 1104, 32, 36, 36, 37, 37, + 28, 92, 31, 32, 1138, 32, 36, 36, 37, 37, 28, 45, 45, 37, 97, 36, 45, 97, 41, 41, 45, 36, 87, 41, 93, 36, 87, 37, 93, 37, 
@@ -2333,680 +2430,719 @@ static const flex_int16_t yy_chk[6654] = 200, 201, 202, 197, 203, 204, 201, 202, 205, 197, 197, 199, 196, 206, 205, 207, 203, 206, 208, 200, 207, 209, 213, 210, 211, 204, 214, 213, 216, 217, - 552, 214, 218, 216, 208, 209, 211, 205, 210, 211, + 559, 214, 218, 216, 208, 209, 211, 205, 210, 211, 215, 215, 220, 220, 215, 219, 215, 221, 218, 217, - 222, 219, 223, 221, 552, 224, 222, 227, 215, 221, + 222, 219, 223, 221, 559, 224, 222, 227, 215, 221, 215, 224, 225, 227, 228, 229, 230, 231, 225, 228, - 230, 229, 223, 231, 232, 234, 233, 225, 235, 236, - 237, 232, 233, 238, 235, 239, 237, 240, 234, 241, - 245, 243, 242, 239, 241, 244, 238, 246, 248, 236, + 230, 229, 223, 231, 232, 234, 232, 225, 233, 235, + 236, 232, 238, 237, 233, 235, 239, 241, 234, 237, + 240, 243, 241, 242, 239, 238, 244, 245, 248, 250, - 240, 242, 246, 246, 247, 238, 243, 250, 249, 247, - 245, 244, 249, 251, 252, 253, 248, 254, 255, 251, - 257, 253, 259, 255, 258, 261, 263, 264, 259, 250, - 260, 258, 252, 252, 262, 270, 260, 254, 263, 257, - 262, 264, 265, 265, 261, 266, 266, 267, 268, 269, - 271, 269, 272, 267, 268, 271, 273, 274, 270, 275, - 277, 276, 288, 278, 272, 274, 276, 279, 269, 278, - 283, 267, 280, 279, 282, 273, 281, 280, 284, 275, - 282, 281, 285, 277, 286, 283, 287, 288, 290, 289, - 293, 290, 284, 293, 287, 289, 294, 291, 286, 291, + 236, 251, 242, 240, 238, 246, 243, 251, 247, 252, + 246, 246, 244, 247, 249, 254, 248, 245, 249, 253, + 257, 250, 261, 258, 255, 253, 259, 252, 252, 255, + 258, 260, 259, 263, 262, 254, 264, 260, 267, 257, + 262, 261, 265, 265, 267, 263, 266, 266, 268, 269, + 264, 269, 270, 271, 268, 272, 274, 273, 271, 275, + 276, 277, 267, 278, 274, 276, 279, 272, 269, 278, + 283, 285, 279, 280, 282, 270, 273, 281, 280, 275, + 282, 284, 281, 286, 277, 283, 287, 288, 290, 285, + 289, 290, 292, 292, 287, 284, 289, 286, 291, 293, - 285, 292, 292, 295, 295, 296, 296, 297, 299, 298, - 301, 299, 300, 302, 294, 303, 300, 304, 174, 301, - 305, 303, 302, 
297, 298, 306, 305, 306, 307, 308, - 314, 304, 310, 308, 307, 309, 309, 310, 311, 312, - 313, 315, 316, 319, 311, 312, 317, 317, 314, 318, - 308, 321, 318, 320, 322, 316, 324, 320, 323, 323, - 313, 319, 315, 325, 312, 326, 325, 327, 328, 329, - 321, 328, 322, 327, 324, 333, 331, 326, 366, 332, - 333, 329, 336, 325, 330, 331, 334, 335, 337, 334, - 335, 334, 366, 330, 169, 336, 330, 332, 341, 341, + 291, 294, 293, 295, 295, 296, 296, 297, 299, 298, + 300, 299, 288, 301, 300, 303, 302, 304, 174, 294, + 305, 303, 301, 297, 298, 302, 305, 306, 307, 306, + 310, 304, 308, 311, 307, 310, 308, 309, 309, 311, + 312, 313, 314, 315, 316, 319, 312, 317, 317, 318, + 320, 321, 318, 308, 320, 322, 324, 316, 323, 323, + 314, 313, 327, 319, 315, 312, 325, 326, 327, 325, + 321, 329, 328, 322, 324, 328, 331, 332, 335, 326, + 336, 335, 337, 329, 333, 331, 325, 330, 338, 333, + 338, 338, 169, 336, 337, 332, 330, 334, 340, 330, - 337, 330, 330, 330, 330, 339, 338, 334, 338, 338, - 339, 339, 340, 342, 343, 340, 345, 344, 346, 347, - 347, 348, 349, 349, 351, 345, 348, 346, 353, 343, - 342, 350, 350, 342, 344, 344, 352, 354, 355, 351, - 353, 352, 356, 357, 360, 1304, 361, 358, 358, 357, - 358, 361, 369, 369, 362, 1304, 354, 356, 355, 358, - 362, 363, 364, 394, 360, 365, 363, 364, 365, 367, - 365, 368, 367, 364, 372, 370, 371, 371, 375, 372, - 368, 370, 377, 373, 378, 367, 373, 379, 367, 394, - 367, 376, 373, 382, 376, 384, 373, 377, 375, 378, + 334, 340, 334, 339, 330, 330, 330, 330, 339, 339, + 341, 341, 342, 343, 346, 334, 344, 345, 334, 348, + 348, 347, 349, 346, 350, 350, 352, 349, 343, 342, + 347, 344, 342, 353, 345, 345, 351, 351, 353, 354, + 355, 352, 356, 357, 358, 359, 359, 361, 359, 362, + 358, 354, 370, 370, 362, 363, 367, 359, 357, 355, + 364, 363, 356, 365, 359, 364, 366, 361, 365, 366, + 367, 366, 368, 369, 365, 368, 373, 371, 372, 372, + 376, 373, 369, 371, 377, 380, 378, 377, 368, 379, + 419, 368, 419, 368, 374, 374, 383, 374, 385, 380, - 381, 379, 385, 381, 373, 374, 374, 
382, 374, 386, - 384, 385, 376, 388, 386, 386, 389, 387, 390, 381, - 392, 374, 395, 387, 374, 167, 374, 391, 374, 383, - 387, 383, 383, 390, 388, 389, 391, 396, 399, 392, - 393, 383, 395, 383, 383, 383, 393, 397, 383, 398, - 400, 396, 401, 397, 398, 402, 403, 397, 399, 404, - 402, 405, 405, 406, 407, 404, 408, 401, 409, 410, - 400, 403, 398, 411, 409, 414, 407, 412, 413, 413, - 408, 413, 412, 406, 415, 416, 423, 420, 417, 411, - 418, 420, 418, 421, 410, 414, 419, 421, 419, 419, + 376, 378, 386, 374, 379, 377, 382, 374, 388, 382, + 383, 386, 374, 385, 388, 374, 375, 375, 387, 375, + 389, 388, 392, 387, 387, 382, 390, 393, 394, 391, + 396, 392, 375, 397, 394, 375, 395, 375, 167, 375, + 384, 389, 384, 384, 391, 390, 393, 397, 400, 401, + 396, 398, 384, 384, 384, 384, 384, 398, 399, 384, + 402, 398, 395, 399, 404, 403, 405, 407, 400, 401, + 403, 408, 405, 406, 406, 402, 409, 411, 410, 404, + 412, 399, 416, 408, 410, 415, 413, 407, 417, 418, + 409, 413, 414, 414, 424, 414, 412, 420, 416, 420, - 415, 416, 417, 422, 422, 423, 424, 425, 426, 428, - 427, 430, 421, 431, 432, 166, 419, 430, 428, 432, - 429, 424, 431, 425, 427, 429, 426, 434, 433, 428, - 436, 428, 433, 429, 429, 435, 434, 429, 429, 437, - 438, 435, 440, 439, 438, 437, 439, 440, 441, 442, - 442, 436, 443, 444, 444, 445, 446, 447, 447, 449, - 445, 448, 450, 449, 451, 443, 452, 448, 441, 446, - 453, 452, 454, 454, 455, 453, 456, 450, 458, 457, - 459, 454, 461, 459, 460, 451, 455, 464, 460, 466, - 458, 462, 462, 463, 461, 470, 456, 457, 463, 465, + 420, 425, 411, 418, 417, 415, 421, 422, 423, 423, + 421, 422, 426, 424, 427, 428, 425, 420, 431, 434, + 442, 166, 429, 434, 431, 432, 422, 435, 426, 428, + 429, 429, 427, 433, 432, 436, 435, 438, 433, 437, + 442, 436, 429, 438, 429, 430, 440, 439, 441, 440, + 430, 439, 444, 441, 443, 443, 445, 445, 430, 430, + 437, 447, 430, 430, 446, 444, 430, 448, 448, 446, + 449, 450, 451, 452, 447, 450, 449, 453, 454, 455, + 455, 456, 453, 454, 457, 458, 459, 451, 455, 460, + 461, 
466, 460, 456, 452, 461, 462, 463, 459, 468, - 465, 468, 468, 473, 471, 472, 475, 476, 464, 478, - 474, 466, 471, 479, 472, 474, 470, 480, 481, 476, - 485, 483, 482, 164, 473, 485, 475, 478, 482, 478, - 483, 479, 481, 484, 486, 487, 489, 480, 488, 484, - 490, 488, 492, 487, 493, 491, 487, 493, 486, 495, - 489, 491, 494, 497, 496, 490, 498, 499, 494, 496, - 500, 499, 492, 495, 501, 500, 502, 503, 504, 505, - 508, 502, 511, 525, 525, 497, 494, 498, 509, 501, - 510, 512, 505, 503, 510, 162, 515, 504, 506, 506, - 508, 511, 523, 509, 506, 513, 506, 512, 516, 513, + 462, 464, 464, 458, 457, 465, 467, 467, 472, 463, + 465, 473, 466, 470, 470, 474, 475, 476, 477, 473, + 478, 468, 479, 477, 481, 475, 483, 482, 503, 472, + 486, 485, 503, 484, 479, 487, 474, 485, 476, 486, + 478, 487, 481, 488, 481, 482, 483, 484, 488, 489, + 490, 491, 492, 493, 491, 494, 495, 496, 490, 498, + 499, 490, 495, 489, 494, 498, 492, 497, 493, 501, + 497, 500, 502, 504, 499, 505, 500, 496, 504, 506, + 507, 508, 509, 498, 506, 512, 528, 513, 514, 528, + 505, 501, 516, 502, 515, 509, 507, 518, 515, 517, - 514, 515, 506, 516, 506, 514, 517, 506, 506, 514, - 518, 520, 519, 521, 506, 523, 524, 522, 519, 518, - 522, 526, 517, 519, 528, 517, 520, 527, 527, 521, - 529, 531, 530, 532, 534, 533, 524, 535, 536, 528, - 533, 559, 529, 534, 559, 537, 526, 530, 539, 543, - 531, 537, 544, 536, 540, 532, 535, 539, 540, 541, - 542, 543, 545, 541, 546, 547, 542, 544, 548, 549, - 550, 553, 551, 549, 551, 554, 554, 556, 546, 553, - 547, 545, 555, 550, 557, 558, 548, 560, 555, 556, - 557, 561, 563, 562, 564, 563, 565, 558, 562, 566, + 508, 510, 510, 514, 517, 512, 519, 510, 513, 510, + 519, 516, 164, 518, 520, 510, 521, 510, 523, 520, + 510, 510, 525, 520, 522, 526, 524, 510, 525, 522, + 527, 521, 529, 525, 523, 524, 530, 523, 531, 531, + 526, 532, 533, 533, 534, 535, 527, 536, 537, 537, + 538, 539, 541, 540, 162, 529, 530, 535, 540, 534, + 542, 541, 536, 543, 544, 546, 532, 547, 548, 538, + 544, 547, 548, 539, 546, 
549, 550, 551, 543, 542, + 552, 549, 553, 554, 555, 556, 560, 557, 550, 556, + 160, 558, 551, 558, 560, 562, 553, 563, 554, 552, - 611, 560, 567, 564, 566, 566, 561, 568, 568, 611, - 564, 575, 565, 564, 570, 567, 569, 569, 571, 571, - 570, 572, 572, 573, 576, 574, 579, 580, 578, 573, - 574, 574, 575, 578, 577, 580, 576, 577, 581, 582, - 583, 581, 584, 585, 582, 579, 586, 585, 588, 587, - 589, 590, 586, 587, 592, 589, 591, 591, 593, 594, - 595, 584, 596, 583, 594, 590, 588, 597, 160, 592, - 598, 599, 604, 597, 601, 598, 595, 603, 600, 593, - 607, 600, 596, 602, 602, 599, 600, 608, 604, 600, - 600, 605, 601, 606, 607, 603, 605, 610, 606, 617, + 557, 562, 555, 561, 561, 564, 565, 566, 567, 563, + 566, 564, 568, 570, 569, 571, 570, 572, 565, 569, + 573, 620, 567, 574, 571, 573, 573, 568, 575, 575, + 620, 571, 582, 572, 571, 577, 574, 576, 576, 578, + 578, 577, 579, 579, 580, 583, 581, 586, 587, 585, + 580, 581, 581, 582, 585, 584, 587, 583, 584, 588, + 589, 590, 588, 591, 592, 589, 586, 593, 592, 594, + 595, 597, 596, 593, 595, 601, 597, 598, 599, 599, + 600, 602, 591, 603, 590, 604, 602, 605, 606, 594, + 596, 598, 607, 613, 606, 600, 601, 607, 608, 610, - 618, 612, 608, 610, 612, 613, 614, 615, 616, 613, - 615, 614, 619, 616, 620, 617, 621, 622, 618, 619, - 624, 621, 623, 623, 625, 626, 627, 620, 628, 624, - 629, 613, 630, 635, 643, 627, 629, 622, 630, 631, - 628, 626, 631, 625, 632, 632, 633, 632, 634, 633, - 636, 635, 637, 634, 638, 639, 641, 637, 640, 643, - 650, 639, 641, 640, 636, 642, 644, 646, 642, 645, - 647, 644, 648, 638, 645, 645, 649, 648, 651, 650, - 646, 652, 649, 647, 653, 662, 652, 651, 654, 654, - 655, 648, 648, 656, 657, 658, 656, 655, 659, 664, + 612, 604, 603, 609, 611, 611, 609, 605, 614, 613, + 616, 609, 608, 614, 609, 609, 615, 610, 612, 617, + 619, 615, 621, 622, 616, 621, 619, 622, 623, 624, + 625, 626, 624, 623, 617, 625, 627, 628, 629, 631, + 630, 632, 632, 633, 628, 630, 634, 626, 635, 622, + 636, 629, 633, 637, 627, 638, 644, 639, 640, 
631, + 645, 644, 637, 639, 640, 634, 636, 638, 641, 635, + 646, 641, 642, 642, 643, 642, 647, 643, 645, 649, + 648, 650, 654, 651, 646, 648, 652, 650, 651, 661, + 647, 653, 652, 657, 653, 655, 656, 658, 649, 659, - 657, 661, 661, 659, 653, 666, 663, 658, 663, 660, - 662, 656, 667, 659, 660, 660, 668, 665, 664, 665, - 669, 670, 671, 666, 673, 672, 676, 674, 671, 672, - 667, 675, 677, 673, 668, 678, 681, 679, 686, 669, - 683, 670, 674, 680, 676, 682, 675, 678, 684, 680, - 681, 677, 679, 687, 685, 688, 686, 682, 685, 683, - 689, 690, 692, 691, 693, 693, 694, 684, 691, 687, - 694, 695, 696, 688, 698, 697, 692, 699, 689, 689, - 690, 700, 699, 701, 85, 695, 697, 702, 698, 703, - 704, 696, 705, 706, 708, 704, 703, 700, 706, 705, + 655, 656, 656, 660, 659, 662, 657, 654, 661, 660, + 658, 663, 664, 674, 662, 666, 663, 667, 659, 659, + 665, 665, 666, 668, 667, 669, 668, 670, 671, 672, + 676, 669, 664, 671, 672, 672, 673, 673, 674, 670, + 675, 668, 675, 671, 677, 678, 677, 679, 680, 676, + 681, 682, 683, 684, 688, 685, 85, 684, 683, 686, + 687, 689, 691, 678, 685, 679, 680, 690, 693, 681, + 690, 682, 688, 694, 686, 687, 692, 691, 695, 690, + 689, 696, 692, 697, 698, 699, 701, 694, 693, 699, + 695, 700, 702, 703, 704, 708, 705, 707, 707, 708, - 702, 707, 701, 709, 710, 711, 707, 712, 713, 714, - 709, 716, 708, 710, 716, 714, 712, 715, 718, 711, - 713, 717, 715, 720, 719, 717, 721, 722, 723, 723, - 724, 724, 718, 719, 725, 725, 726, 727, 720, 724, - 721, 726, 729, 730, 731, 733, 727, 732, 722, 730, - 734, 732, 735, 736, 737, 739, 738, 733, 740, 736, - 741, 729, 737, 738, 731, 747, 744, 750, 751, 754, - 735, 753, 755, 739, 751, 734, 750, 753, 754, 759, - 741, 744, 747, 740, 742, 761, 742, 756, 755, 742, - 759, 756, 760, 742, 757, 757, 742, 758, 758, 761, + 696, 705, 701, 698, 697, 706, 709, 710, 712, 700, + 702, 703, 703, 704, 711, 714, 713, 715, 720, 706, + 709, 713, 712, 717, 716, 711, 710, 718, 719, 721, + 717, 714, 718, 722, 721, 719, 715, 716, 722, 723, + 724, 725, 720, 
727, 726, 729, 737, 724, 728, 730, + 725, 729, 727, 731, 730, 732, 731, 723, 726, 732, + 728, 733, 734, 735, 746, 736, 749, 737, 738, 738, + 744, 734, 739, 739, 742, 733, 740, 740, 735, 736, + 741, 739, 745, 742, 746, 741, 747, 748, 745, 744, + 747, 749, 750, 752, 751, 753, 754, 755, 756, 748, - 762, 763, 773, 742, 742, 766, 742, 763, 765, 767, - 760, 768, 769, 765, 770, 768, 772, 773, 770, 771, - 762, 764, 764, 764, 771, 764, 766, 767, 764, 774, - 778, 778, 779, 764, 770, 772, 769, 776, 775, 764, - 764, 775, 776, 776, 777, 780, 788, 779, 781, 781, - 780, 777, 782, 783, 774, 784, 783, 782, 785, 785, - 784, 786, 787, 786, 789, 788, 790, 792, 789, 791, - 793, 793, 794, 797, 787, 792, 795, 796, 796, 799, - 798, 802, 802, 800, 813, 813, 790, 794, 791, 800, - 795, 797, 798, 801, 803, 814, 814, 805, 801, 803, + 751, 752, 753, 762, 759, 766, 765, 768, 769, 80, + 750, 766, 771, 768, 754, 765, 771, 769, 756, 759, + 762, 770, 755, 757, 776, 757, 772, 772, 757, 773, + 773, 775, 757, 774, 777, 757, 812, 770, 776, 782, + 778, 780, 757, 757, 774, 757, 778, 781, 783, 775, + 812, 785, 781, 787, 777, 779, 779, 779, 787, 779, + 782, 780, 779, 788, 784, 786, 783, 779, 784, 786, + 791, 789, 790, 779, 779, 785, 789, 792, 793, 794, + 792, 796, 788, 793, 793, 786, 794, 790, 795, 795, + 798, 798, 797, 799, 75, 791, 796, 797, 799, 800, - 803, 799, 805, 806, 807, 810, 808, 809, 810, 806, - 807, 808, 811, 809, 812, 815, 816, 819, 811, 817, - 818, 820, 812, 815, 817, 821, 827, 818, 822, 822, - 823, 832, 824, 831, 816, 819, 832, 820, 829, 823, - 824, 825, 825, 826, 821, 827, 830, 829, 834, 826, - 833, 834, 836, 835, 837, 830, 838, 831, 835, 833, - 839, 842, 840, 841, 841, 838, 836, 840, 840, 843, - 845, 844, 846, 839, 847, 851, 842, 847, 853, 837, - 844, 849, 854, 849, 852, 847, 850, 850, 843, 852, - 846, 855, 856, 857, 845, 858, 851, 859, 861, 853, + 801, 804, 800, 802, 802, 801, 803, 805, 803, 807, + 806, 808, 809, 804, 806, 810, 810, 811, 813, 813, + 809, 814, 815, 816, 828, 817, 805, 828, 
818, 807, + 808, 817, 811, 818, 815, 819, 819, 820, 823, 814, + 824, 822, 820, 820, 823, 816, 822, 825, 74, 826, + 827, 829, 830, 825, 826, 834, 827, 829, 833, 824, + 830, 831, 831, 832, 832, 835, 833, 836, 837, 838, + 835, 836, 839, 834, 840, 837, 841, 841, 843, 845, + 842, 844, 844, 846, 850, 845, 843, 838, 839, 842, + 848, 849, 851, 840, 852, 853, 854, 851, 853, 848, - 862, 860, 854, 863, 858, 860, 864, 866, 80, 863, - 865, 855, 868, 857, 856, 864, 861, 867, 868, 862, - 859, 869, 865, 870, 871, 871, 866, 872, 870, 873, - 874, 867, 875, 876, 877, 869, 878, 879, 873, 880, - 875, 885, 881, 883, 882, 880, 884, 872, 881, 883, - 874, 889, 890, 876, 892, 878, 877, 879, 882, 886, - 884, 885, 887, 888, 890, 886, 891, 888, 887, 896, - 889, 891, 890, 893, 893, 892, 894, 895, 897, 898, - 895, 899, 894, 900, 900, 898, 901, 896, 902, 903, - 904, 897, 908, 902, 905, 904, 904, 909, 906, 907, + 849, 854, 846, 852, 855, 856, 857, 858, 850, 860, + 862, 859, 861, 861, 863, 857, 859, 859, 855, 864, + 858, 865, 866, 860, 867, 862, 871, 867, 864, 869, + 856, 869, 873, 863, 872, 867, 870, 870, 874, 872, + 866, 875, 876, 877, 879, 865, 878, 871, 880, 68, + 881, 882, 880, 873, 883, 878, 884, 885, 874, 886, + 883, 875, 887, 877, 876, 884, 888, 879, 881, 885, + 882, 889, 891, 892, 890, 886, 894, 889, 892, 895, + 888, 887, 890, 893, 893, 896, 891, 897, 898, 899, + 900, 901, 903, 902, 896, 894, 898, 904, 903, 895, - 907, 899, 906, 910, 901, 903, 911, 903, 910, 905, - 913, 916, 914, 917, 908, 918, 921, 909, 920, 920, - 921, 923, 923, 922, 916, 911, 914, 924, 925, 926, - 928, 927, 925, 917, 913, 928, 918, 919, 922, 934, - 919, 929, 919, 942, 926, 927, 919, 932, 919, 942, - 931, 930, 924, 919, 934, 929, 930, 930, 919, 931, - 933, 932, 935, 936, 933, 937, 938, 935, 939, 940, - 937, 949, 941, 943, 951, 936, 933, 935, 943, 944, - 938, 941, 945, 940, 950, 944, 946, 946, 945, 939, - 947, 948, 951, 949, 953, 947, 954, 948, 75, 955, + 905, 907, 906, 904, 908, 909, 912, 897, 906, 899, + 901, 909, 900, 
902, 905, 907, 910, 911, 913, 915, + 63, 911, 910, 914, 908, 912, 916, 916, 914, 917, + 913, 918, 920, 919, 921, 917, 919, 918, 913, 922, + 915, 923, 924, 924, 925, 922, 926, 921, 928, 927, + 920, 926, 927, 928, 928, 929, 930, 931, 931, 932, + 930, 923, 925, 933, 934, 927, 935, 927, 937, 934, + 929, 940, 938, 941, 942, 944, 944, 948, 945, 946, + 975, 932, 945, 933, 940, 935, 938, 947, 947, 951, + 58, 950, 937, 941, 946, 942, 943, 953, 975, 943, - 961, 954, 956, 950, 952, 952, 953, 957, 957, 959, - 952, 958, 952, 955, 956, 960, 958, 959, 952, 961, - 962, 963, 964, 952, 952, 967, 965, 969, 964, 960, - 952, 965, 966, 968, 970, 970, 971, 963, 972, 962, - 971, 974, 976, 967, 966, 969, 978, 974, 975, 968, - 977, 975, 980, 981, 979, 977, 983, 980, 972, 978, - 979, 976, 984, 985, 986, 983, 987, 988, 989, 990, - 986, 984, 981, 989, 991, 987, 992, 997, 993, 985, - 74, 996, 994, 995, 1000, 1003, 988, 996, 991, 990, - 993, 994, 995, 998, 997, 1002, 992, 1004, 1005, 998, + 949, 943, 948, 951, 949, 943, 950, 943, 952, 954, + 955, 953, 943, 952, 954, 954, 956, 943, 957, 955, + 958, 959, 957, 961, 962, 960, 959, 963, 961, 964, + 956, 965, 973, 966, 957, 958, 959, 960, 962, 966, + 965, 967, 971, 964, 968, 969, 967, 971, 963, 972, + 968, 969, 970, 970, 973, 972, 974, 977, 978, 979, + 980, 981, 981, 978, 984, 982, 983, 985, 986, 977, + 982, 992, 980, 979, 983, 974, 976, 976, 987, 989, + 984, 985, 976, 988, 976, 989, 990, 986, 991, 992, + 976, 990, 993, 994, 995, 976, 976, 987, 998, 988, - 1000, 1006, 1007, 1008, 1013, 1003, 1009, 1017, 1008, 1002, - 1012, 1009, 1005, 1013, 1016, 1012, 1004, 1007, 1015, 1006, - 1014, 1014, 1017, 1016, 1015, 1018, 1020, 1021, 1026, 1025, - 1023, 1023, 1021, 1021, 1023, 1027, 1024, 1028, 1018, 1024, - 1029, 1030, 1020, 1025, 1031, 1032, 1033, 1034, 1026, 1035, - 1031, 1027, 1033, 1029, 1035, 1028, 1030, 1036, 1038, 1039, - 1042, 1038, 1034, 1040, 1041, 1032, 1043, 1044, 1040, 1041, - 1046, 1036, 1044, 1045, 1049, 1043, 1042, 1048, 1045, 1050, - 1039, 
1051, 1046, 1048, 1053, 1050, 1054, 1051, 1052, 1052, - 1049, 1055, 1057, 1053, 1055, 1056, 1056, 1058, 1059, 1060, + 991, 997, 976, 996, 996, 997, 1001, 1000, 993, 1001, + 1002, 994, 995, 1000, 1003, 1004, 1005, 1007, 998, 1003, + 1006, 1009, 1005, 1010, 1011, 1006, 1013, 1012, 1004, 1002, + 1009, 1014, 1010, 1012, 1015, 1013, 1007, 1016, 1017, 1015, + 1011, 1018, 1019, 1022, 1020, 1023, 1021, 1026, 1029, 1022, + 1014, 1028, 1017, 1020, 1019, 1021, 1031, 1016, 1024, 1032, + 1033, 1018, 1023, 1026, 1024, 1028, 1030, 1034, 1029, 1035, + 1040, 1030, 1036, 1032, 1035, 1031, 1039, 1036, 1033, 1040, + 1042, 1039, 1034, 1041, 1041, 1043, 1042, 1044, 1045, 1046, + 1048, 1043, 1049, 1053, 1054, 1055, 1044, 1049, 1049, 1056, - 1061, 1062, 1060, 1063, 1054, 1069, 1064, 1062, 1070, 1063, - 1057, 1064, 1065, 1061, 1066, 1067, 1058, 1065, 1059, 1066, - 1071, 1067, 1072, 1069, 1073, 1073, 1071, 1072, 1070, 1074, - 1075, 1076, 1077, 1078, 1079, 1080, 1078, 1079, 1074, 1075, - 1081, 1082, 1083, 1084, 1085, 1081, 1080, 1086, 1087, 1076, - 1085, 1077, 1088, 1086, 1083, 1089, 1089, 1088, 1090, 1082, - 1091, 1092, 1084, 1087, 1093, 1094, 1095, 1096, 1093, 1097, - 1099, 1100, 1100, 1092, 1091, 1095, 1101, 1090, 1103, 1102, - 1106, 1101, 1105, 1094, 1102, 1107, 1096, 1108, 1111, 1099, - 1109, 1114, 1108, 68, 1097, 1106, 1105, 1107, 1103, 1109, + 1051, 1051, 1046, 1045, 1051, 1052, 1048, 1053, 1052, 1057, + 1058, 1055, 1059, 1060, 1054, 1061, 1062, 1056, 1059, 1063, + 1064, 1061, 1057, 1068, 1063, 1058, 1066, 1066, 57, 1067, + 1069, 1062, 1067, 1060, 1064, 1069, 1070, 1071, 1072, 1075, + 1073, 1070, 1078, 1074, 1068, 1073, 1077, 1072, 1074, 1079, + 1080, 1075, 1077, 1071, 1082, 1079, 1080, 1083, 1078, 1081, + 1081, 1084, 1086, 1082, 1084, 1085, 1085, 1087, 1088, 1089, + 1090, 1091, 1089, 1092, 1126, 1083, 1093, 1091, 1126, 1092, + 1086, 1096, 1093, 1090, 1094, 1095, 1087, 1096, 1088, 1094, + 1095, 1097, 1098, 1101, 1100, 1102, 1097, 1103, 1098, 1100, - 1110, 1110, 1118, 1112, 1113, 1119, 
1115, 1114, 1111, 1112, - 1113, 1115, 1116, 1117, 1116, 1120, 1118, 1121, 1117, 1119, - 1120, 1122, 1123, 1124, 1125, 1127, 1127, 1128, 1129, 1123, - 1130, 1131, 1121, 1132, 1255, 1135, 1255, 1131, 1124, 1135, - 1122, 1128, 1133, 1125, 1142, 1130, 1129, 1133, 1136, 1136, - 1137, 1138, 1138, 1132, 1140, 1137, 1133, 1139, 1133, 1141, - 1143, 1133, 1141, 1142, 1139, 1144, 1145, 1146, 1140, 1147, - 1148, 1145, 1150, 1149, 1144, 1148, 1151, 1154, 1143, 1153, - 1153, 1147, 1154, 1150, 1155, 1156, 1146, 1149, 1157, 1155, - 1158, 1159, 1160, 1157, 1158, 1151, 1161, 1162, 1163, 1164, + 1104, 1105, 1105, 1103, 1106, 1104, 1108, 1107, 1109, 1110, + 1112, 1101, 1110, 1106, 1111, 1102, 1107, 1111, 1113, 1114, + 1115, 1112, 1116, 1113, 1108, 1117, 1122, 1109, 1118, 1119, + 1120, 1117, 1115, 1123, 1118, 1120, 1124, 1114, 1121, 1121, + 1125, 1116, 1127, 1128, 1119, 1122, 1129, 1123, 1124, 1130, + 1132, 1134, 1128, 1133, 1133, 1137, 1135, 1136, 1125, 1134, + 1127, 1135, 1136, 1139, 1140, 1129, 1141, 1142, 1145, 1132, + 1146, 1143, 1142, 52, 1130, 1137, 1146, 1139, 1141, 1140, + 1143, 1144, 1144, 1147, 1148, 1149, 1156, 1151, 1145, 1147, + 1149, 1150, 1151, 1150, 1152, 1153, 1154, 1155, 1158, 1157, - 1159, 1165, 1167, 1166, 1168, 1156, 1169, 1160, 1165, 1172, - 1163, 1161, 1170, 1171, 1164, 1166, 1162, 1173, 1170, 1175, - 1176, 1167, 1174, 1177, 1169, 1168, 1178, 1179, 1171, 1172, - 1181, 1174, 1180, 1184, 1175, 1177, 1183, 1173, 1186, 1176, - 1185, 1187, 1183, 1188, 1189, 1178, 1186, 1180, 1184, 1189, - 1181, 1190, 1179, 1192, 1185, 1193, 1199, 1194, 1197, 1188, - 1191, 1187, 1199, 1190, 63, 1191, 1191, 1195, 1195, 1193, - 1194, 1197, 1192, 1196, 1196, 1198, 1200, 1200, 1196, 1202, - 1201, 1196, 1196, 1203, 1198, 1201, 1196, 1207, 1202, 1203, - 1204, 1210, 1196, 1205, 1211, 1204, 1196, 1212, 1205, 1206, + 1148, 1154, 1159, 1161, 1161, 1156, 1157, 1163, 1152, 1153, + 1162, 1164, 1155, 1158, 1165, 1166, 1174, 1167, 47, 1169, + 1165, 1159, 1167, 1169, 1162, 1163, 1164, 1170, 1170, 
1171, + 1174, 1167, 1173, 1167, 1171, 1166, 1167, 1172, 1172, 1173, + 1175, 1176, 1178, 1175, 1177, 1179, 1180, 1181, 1182, 1183, + 1179, 1178, 1185, 1182, 1190, 1184, 1187, 1187, 18, 1181, + 1176, 1193, 1177, 1183, 1188, 1180, 1184, 1189, 1191, 1188, + 1193, 1185, 1189, 1191, 1190, 1192, 1194, 1195, 1196, 1192, + 1198, 1197, 1199, 1201, 1197, 1202, 1200, 1203, 1204, 1199, + 1207, 1194, 1195, 1197, 1204, 1198, 1205, 1196, 1200, 1208, - 1206, 1208, 1208, 1213, 1209, 1214, 1212, 1209, 1207, 1209, - 1214, 1210, 1211, 1215, 1216, 1217, 1218, 1221, 1274, 1219, - 1274, 1217, 1218, 1213, 1219, 1220, 1221, 1215, 1223, 1220, - 1230, 1221, 1216, 1221, 1222, 1221, 1226, 1221, 1229, 1222, - 1224, 1224, 1223, 1225, 1225, 1228, 1225, 1226, 1230, 1228, - 1231, 1232, 1233, 1229, 1234, 1235, 1232, 1232, 1236, 1231, - 1235, 1233, 1237, 1238, 1239, 1240, 1243, 1241, 1242, 1242, - 1244, 1237, 1236, 1241, 1243, 1245, 1234, 1246, 1247, 1240, - 1245, 1248, 1238, 1239, 1244, 1249, 1250, 1247, 1248, 1251, - 1253, 1246, 1252, 1252, 1251, 1254, 1254, 1257, 1259, 1258, + 1209, 1206, 1201, 1210, 1211, 1203, 1202, 1206, 1212, 1209, + 1207, 1205, 1213, 1214, 1215, 1216, 1217, 1220, 1210, 1208, + 1212, 1216, 1219, 1211, 1223, 1221, 1222, 1224, 1219, 1215, + 1225, 1213, 1220, 1226, 1222, 1225, 1217, 1228, 1214, 1221, + 1229, 1227, 1230, 1224, 1223, 1226, 1227, 1227, 1231, 1231, + 1233, 1234, 1238, 1235, 1229, 1230, 1228, 1232, 1232, 1235, + 1234, 1238, 1232, 1233, 1237, 1232, 1232, 1236, 1236, 1237, + 1232, 1239, 1243, 1240, 1241, 1246, 1232, 1239, 1240, 1241, + 1232, 1242, 1242, 1244, 1244, 1245, 1247, 1249, 1245, 1250, + 1245, 1248, 1252, 1243, 1251, 1246, 1249, 1248, 1253, 1251, - 1257, 1260, 1262, 1249, 1258, 1253, 1261, 1261, 1263, 1263, - 1260, 1250, 1264, 1264, 1265, 1266, 1267, 1259, 1269, 1265, - 1268, 1268, 1262, 1270, 1271, 1272, 1270, 1275, 1278, 1277, - 1272, 1273, 1277, 1280, 1279, 58, 1266, 1267, 1269, 1279, - 1273, 1281, 1282, 1278, 1271, 1275, 1281, 1280, 1283, 1284, - 1282, 1285, 
1284, 1283, 1286, 1286, 1285, 1287, 1288, 1289, - 1290, 1291, 1287, 1293, 1294, 1289, 1295, 1290, 1297, 1293, - 1294, 1295, 1296, 1298, 1291, 1299, 1288, 1297, 1296, 1300, - 1300, 1301, 1303, 1305, 1306, 1307, 1299, 1308, 1309, 1310, - 1312, 1313, 1298, 1308, 1309, 1310, 1312, 1314, 1305, 1315, + 1256, 1254, 1255, 1259, 1247, 1256, 1252, 1254, 1255, 1250, + 1257, 1258, 1259, 1260, 1257, 1261, 1253, 1259, 1260, 1259, + 1264, 1259, 1267, 1259, 1258, 1262, 1262, 1263, 1263, 1261, + 1263, 1264, 1266, 1268, 1269, 1270, 1266, 1267, 1271, 1272, + 1270, 1270, 1274, 1269, 1273, 1275, 1276, 1271, 1277, 1273, + 1278, 1268, 1279, 1289, 1275, 1282, 1274, 1281, 1279, 1280, + 1280, 1272, 1283, 1282, 1278, 1276, 1284, 1277, 1285, 1281, + 1286, 1284, 1288, 1287, 1291, 1291, 1283, 1292, 1289, 1286, + 1287, 1290, 1285, 1293, 1293, 1294, 1290, 1294, 1296, 1297, + 1288, 1296, 1292, 1298, 1297, 1299, 1300, 1300, 1301, 1302, - 1303, 1301, 1316, 1318, 1306, 1313, 1317, 1320, 1307, 1319, - 1319, 1313, 1321, 1322, 1316, 1324, 1324, 1314, 1323, 1315, - 1317, 1318, 1325, 1323, 1326, 1328, 1331, 1320, 1329, 1326, - 1330, 1322, 1332, 1329, 1329, 1331, 1333, 1321, 1334, 1335, - 1332, 1336, 1337, 1346, 1328, 1325, 1336, 1339, 1330, 1336, - 1333, 1337, 1343, 1334, 1335, 1345, 1338, 1335, 1338, 1341, - 1342, 1339, 1344, 1343, 1342, 1341, 1347, 1344, 1344, 1346, - 1348, 1349, 1350, 1351, 1345, 1348, 1349, 1352, 1353, 1356, - 1355, 1357, 1352, 1359, 1347, 1358, 1358, 1359, 1360, 1361, - 1350, 1363, 1364, 1351, 1355, 1362, 1365, 1356, 1353, 1357, + 1302, 1303, 1303, 1304, 1299, 1305, 1306, 1307, 1304, 1308, + 1308, 1309, 1298, 1310, 1311, 1312, 1313, 1311, 1301, 1314, + 1315, 1316, 1313, 1316, 1314, 1317, 1305, 1306, 1307, 1315, + 1310, 1309, 1320, 1319, 1321, 1312, 1319, 1322, 1324, 1321, + 1323, 1328, 1328, 1317, 1325, 1323, 1324, 1320, 1330, 1325, + 1326, 1322, 1327, 1326, 1329, 1331, 1332, 1327, 1333, 1329, + 1337, 1331, 1335, 1332, 1336, 1337, 1330, 1338, 1335, 1339, + 1336, 1333, 1338, 1340, 
1341, 1339, 1342, 1343, 1343, 1344, + 1346, 1348, 1340, 1347, 1350, 1346, 1351, 1342, 1349, 1352, + 1353, 1348, 1354, 1341, 1356, 1352, 1353, 1357, 1354, 1344, - 1366, 1362, 1367, 1363, 1368, 1377, 1360, 1369, 1361, 1370, - 1365, 1364, 1369, 1371, 1372, 1366, 1370, 1367, 1371, 1373, - 1374, 1374, 1375, 1368, 1376, 1377, 1378, 1378, 1373, 1379, - 1380, 1381, 1372, 1376, 1383, 1379, 1380, 1375, 1382, 1382, - 1383, 1384, 1385, 1386, 1387, 1381, 1388, 1389, 1386, 1396, - 1387, 57, 1388, 1389, 1390, 1390, 1395, 1384, 1391, 1391, - 1393, 1393, 1394, 1385, 1397, 1395, 1394, 1396, 1398, 1399, - 1400, 1401, 1401, 1402, 1404, 1403, 1397, 1400, 1405, 1404, - 1406, 1407, 1398, 1403, 1399, 1408, 1407, 1407, 1409, 1413, - 1408, 1408, 1405, 1402, 1410, 1410, 1411, 1412, 1413, 1406, + 1356, 1347, 1358, 1349, 1350, 1359, 1360, 1361, 1362, 1351, + 1364, 1357, 1363, 1363, 1365, 1366, 1372, 1357, 1360, 1367, + 1369, 1361, 1358, 1374, 1367, 1359, 1362, 1368, 1368, 1370, + 1364, 1373, 1376, 1366, 1370, 1372, 1373, 1373, 1375, 1365, + 1376, 1374, 1377, 1369, 1378, 1379, 1380, 1375, 1381, 1385, + 1382, 1380, 1382, 1383, 1380, 1385, 1377, 1381, 1386, 1378, + 1379, 1387, 1386, 1379, 1388, 1389, 1390, 1383, 1391, 1388, + 1388, 1392, 1387, 1393, 1395, 1394, 1392, 1396, 1393, 1397, + 1400, 1399, 1396, 1401, 1389, 1403, 1391, 1402, 1402, 1403, + 1404, 1405, 1390, 1394, 1395, 1399, 1406, 1407, 1400, 1397, - 1414, 1415, 1416, 1417, 1418, 1414, 1419, 1420, 1409, 1422, - 1418, 1419, 1421, 1423, 1430, 1411, 1412, 1424, 1421, 1423, - 1415, 1417, 1416, 1424, 1425, 1426, 1427, 1428, 1422, 1432, - 1432, 1434, 1431, 1420, 1429, 1430, 1433, 1435, 1441, 1433, - 1436, 1437, 1437, 1425, 1426, 1427, 1428, 1431, 1429, 1442, - 1434, 1441, 1436, 1438, 1438, 1439, 1435, 1440, 1442, 1443, - 1439, 1440, 1444, 1448, 1444, 1446, 1447, 1449, 1444, 1450, - 1452, 1447, 1443, 1451, 1451, 1452, 1453, 1454, 1448, 1456, - 1455, 1444, 1453, 1446, 1456, 1450, 1457, 1449, 1459, 1460, - 1457, 1458, 1454, 1455, 1461, 1458, 1462, 
1466, 1463, 1464, + 1408, 1401, 1406, 1409, 1410, 1411, 1412, 1413, 1404, 1407, + 1405, 1417, 1414, 1418, 1416, 1419, 1408, 1414, 1410, 1416, + 1411, 1412, 1409, 1415, 1419, 1421, 1413, 1420, 1420, 1417, + 1415, 1423, 1422, 1425, 1418, 1424, 1424, 1426, 1427, 1425, + 1421, 1422, 1430, 1426, 1428, 1428, 1429, 1429, 1430, 1431, + 1432, 1423, 1427, 1433, 1434, 1435, 1436, 1443, 1433, 17, + 1434, 1435, 1436, 1437, 1437, 1431, 1438, 1438, 1440, 1440, + 1441, 1432, 1442, 1444, 1441, 1443, 1445, 1446, 1449, 1447, + 1450, 1442, 1448, 1448, 1451, 1444, 1447, 1452, 1450, 1451, + 1445, 1453, 1446, 1456, 1454, 1457, 1457, 1455, 1449, 1454, - 1464, 1468, 52, 1461, 1463, 1469, 1472, 1460, 1459, 1482, - 1469, 1470, 1470, 1471, 1478, 1466, 1462, 1474, 1474, 1471, - 1476, 1479, 1468, 1476, 1477, 1477, 1472, 1483, 1481, 1482, - 1478, 1481, 1484, 1484, 1485, 1486, 1483, 1479, 1487, 1488, - 1489, 1490, 1490, 1491, 1488, 1492, 1493, 1494, 1495, 1485, - 1496, 1496, 1491, 1497, 1489, 1498, 1486, 1487, 1502, 1499, - 1500, 1493, 1502, 1492, 1499, 1501, 1501, 1497, 1495, 1503, - 1504, 1504, 1494, 1498, 1505, 1500, 1506, 1507, 1508, 1509, - 1512, 1507, 1511, 1511, 1509, 1513, 1514, 1506, 1515, 1503, - 1513, 1516, 1517, 1512, 1518, 1519, 1505, 1508, 1520, 1520, + 1454, 1452, 1455, 1455, 1458, 1459, 1460, 1461, 1462, 1463, + 1453, 1465, 1461, 1456, 1464, 1460, 1466, 1465, 1467, 1468, + 1469, 1466, 1470, 1458, 1459, 1471, 1469, 1462, 1472, 1463, + 1473, 1471, 1464, 1474, 1472, 1475, 1476, 1477, 1467, 1478, + 1479, 1470, 1480, 1481, 1481, 1468, 1483, 1482, 1484, 1473, + 1482, 1485, 1474, 1478, 1475, 1476, 1477, 1480, 1486, 1486, + 1489, 1479, 1490, 1485, 1489, 1483, 1488, 1484, 1487, 1487, + 1491, 1488, 1492, 1495, 1493, 1490, 1493, 1496, 1498, 1491, + 1493, 1497, 1496, 1499, 1501, 1492, 1500, 1500, 1502, 1501, + 1503, 1495, 1509, 1493, 1502, 1504, 1497, 1505, 1498, 1499, - 1536, 1522, 1514, 1523, 1521, 1516, 1515, 1525, 1518, 1521, - 1526, 1517, 1517, 1524, 1524, 1526, 1525, 1527, 1531, 1536, - 
1519, 1522, 1528, 1523, 1528, 1529, 1530, 1532, 1534, 1540, - 1529, 1539, 1530, 1532, 1535, 1535, 1539, 1527, 1531, 1537, - 1541, 1541, 1534, 1542, 1542, 1537, 1543, 1544, 1545, 1546, - 1547, 1547, 1546, 1540, 1548, 1549, 1550, 1553, 1552, 1558, - 1543, 1556, 1553, 1545, 1552, 1544, 1554, 1549, 1551, 1554, - 1556, 1551, 1548, 1557, 1551, 1589, 1550, 1559, 1557, 1589, - 1559, 1560, 1560, 1561, 1558, 1554, 1551, 1562, 1566, 1561, - 1563, 1564, 1564, 1562, 1566, 1563, 1565, 1565, 1567, 1568, + 1507, 1506, 1510, 1505, 1507, 1503, 1506, 1508, 1504, 1511, + 1512, 1508, 1509, 1513, 1514, 1514, 1516, 1518, 1511, 1513, + 1510, 1519, 1520, 1520, 1522, 1521, 1519, 1524, 1524, 1526, + 1512, 1521, 1526, 1528, 1516, 1527, 1527, 1529, 1518, 1530, + 1532, 1533, 1535, 1532, 1522, 1534, 1536, 1537, 1537, 1528, + 1539, 1535, 1538, 1529, 1540, 1530, 1541, 1545, 1542, 1543, + 1543, 1541, 1533, 1546, 1547, 1534, 1536, 1538, 1544, 1550, + 1548, 1539, 1542, 1540, 1551, 1545, 1552, 1544, 1546, 1549, + 1549, 1552, 1553, 1550, 1554, 1554, 1556, 1555, 1558, 1547, + 1548, 1555, 1551, 1557, 1557, 1559, 1560, 1553, 1561, 1562, - 1569, 1570, 1571, 1567, 1572, 1573, 1577, 1572, 1574, 1581, - 1575, 1573, 1568, 1576, 1574, 1575, 1578, 1582, 1569, 1576, - 1570, 1578, 1571, 1579, 1579, 1580, 1583, 1581, 1584, 1577, - 1580, 1585, 1587, 1586, 1588, 1591, 1590, 1582, 1590, 1593, - 1594, 1597, 1584, 1595, 1598, 1585, 1583, 1586, 1599, 1596, - 1587, 1593, 1594, 1600, 1591, 1596, 1595, 1601, 1608, 1588, - 1598, 1597, 1603, 1603, 1604, 1605, 1609, 1600, 1599, 1606, - 1605, 1607, 1607, 1608, 1610, 1611, 1612, 1613, 1601, 1614, - 1609, 1606, 1615, 1616, 1604, 1612, 1614, 1618, 1620, 1622, - 1622, 1615, 1613, 1611, 1615, 1623, 1623, 1621, 1610, 1616, + 1563, 1570, 1561, 1565, 1565, 1563, 1556, 1560, 1566, 1567, + 1558, 1566, 1568, 1569, 1559, 1572, 1571, 1568, 1562, 1570, + 1574, 1576, 1567, 1573, 1575, 1575, 1576, 1577, 1578, 1569, + 1571, 1579, 1579, 1580, 1572, 1572, 1581, 1573, 1582, 1586, + 1595, 1581, 
1580, 1591, 1583, 1574, 1583, 1577, 1578, 1584, + 1585, 1587, 1589, 1647, 1584, 1647, 1585, 1587, 1582, 1586, + 1590, 1590, 1591, 1592, 1595, 1594, 1589, 1596, 1596, 1592, + 1594, 1597, 1597, 1598, 1599, 1600, 1601, 1602, 1602, 1601, + 1603, 1604, 1605, 1606, 1613, 1607, 1606, 1598, 1745, 1606, + 1600, 1607, 1599, 1604, 1608, 1611, 1745, 1609, 1603, 1608, - 1621, 1625, 1618, 1624, 1628, 1626, 1629, 1618, 1626, 1627, - 1627, 1630, 1632, 1620, 1633, 1624, 1630, 1628, 1631, 1625, - 1634, 1635, 1638, 1631, 1636, 1629, 1637, 1640, 1638, 1634, - 1633, 1632, 1641, 1636, 1642, 1637, 1636, 1639, 1639, 1643, - 1635, 1644, 1647, 1645, 1650, 1641, 1646, 1640, 1645, 1645, - 1651, 1646, 1642, 1643, 1647, 1652, 1652, 1644, 1653, 1655, - 1658, 1654, 1656, 1656, 1655, 1658, 1657, 1659, 1651, 1650, - 1654, 1660, 1661, 1664, 1653, 1657, 1662, 1656, 1657, 1665, - 1666, 1662, 1662, 1667, 47, 1659, 1669, 1664, 1667, 1668, - 1661, 1673, 1660, 1671, 1665, 1668, 1670, 1670, 1672, 1671, + 1609, 1606, 1605, 1612, 1611, 1615, 1615, 1614, 1612, 1613, + 1614, 1616, 1617, 1625, 1618, 1623, 1609, 1616, 1617, 1618, + 1619, 1619, 1620, 1620, 1621, 1624, 1622, 1626, 1623, 1628, + 1621, 1622, 1625, 1627, 1629, 1628, 1627, 1631, 1630, 1632, + 1629, 1633, 1631, 1624, 1630, 1632, 1634, 1626, 1635, 1635, + 1636, 1634, 1637, 1638, 1640, 1636, 1639, 1641, 1642, 1644, + 1645, 1646, 1643, 1648, 1633, 1646, 1651, 1655, 1652, 0, + 1637, 1641, 1642, 1638, 1640, 1639, 1643, 1644, 1651, 1649, + 1652, 1653, 1648, 1654, 1656, 1645, 1649, 1655, 1657, 1654, + 1658, 1659, 1661, 1661, 1653, 1662, 1663, 1664, 1665, 1665, - 1674, 1675, 1666, 1672, 1669, 1673, 1674, 1675, 1677, 1678, - 1679, 1680, 1681, 1682, 1684, 1681, 1679, 1686, 1687, 1682, - 1689, 1681, 1684, 1678, 1680, 1688, 1690, 1691, 1677, 1689, - 1692, 1693, 1695, 1688, 1694, 1694, 1686, 1687, 1695, 1690, - 1691, 1696, 1697, 1699, 1692, 1693, 1700, 1696, 1698, 1698, - 1701, 1702, 1702, 1703, 1704, 1697, 1694, 1705, 1706, 1707, - 1704, 1709, 1709, 1699, 1700, 
1710, 1703, 1711, 1712, 1701, - 1713, 1711, 1716, 1712, 1706, 1713, 1714, 1707, 1715, 1705, - 1718, 1714, 1720, 1719, 1721, 1710, 1719, 1715, 1723, 1718, - 1722, 1722, 1724, 1725, 1720, 1716, 1726, 1726, 1728, 1721, + 1656, 1663, 1666, 1668, 1658, 1667, 1669, 1670, 1657, 1664, + 1671, 1672, 1659, 1674, 1673, 1662, 1670, 1666, 1672, 1667, + 1676, 1678, 1682, 1673, 1669, 1671, 1673, 1668, 1679, 1674, + 1683, 1679, 1680, 1680, 1682, 1676, 1681, 1681, 1684, 1686, + 1676, 1684, 1685, 1685, 1687, 1688, 1678, 1691, 1683, 1692, + 1688, 1689, 1686, 1690, 1689, 1693, 1694, 0, 1690, 1695, + 1696, 1697, 1700, 1687, 1693, 1692, 1691, 1697, 1695, 1696, + 1699, 1695, 1698, 1698, 1701, 1694, 1702, 1699, 1703, 1704, + 1705, 1707, 1700, 1706, 1710, 1705, 1705, 1701, 1706, 1711, + 1712, 1712, 1703, 1707, 1702, 1704, 1713, 1714, 1715, 1715, - 1727, 1729, 1732, 1730, 1724, 1728, 1733, 1723, 1735, 1736, - 1734, 1737, 1725, 1729, 1727, 1730, 1734, 1737, 1738, 1738, - 1735, 1732, 1739, 1740, 1740, 1739, 1733, 1736, 1742, 1743, - 1744, 1745, 1745, 1742, 1746, 1747, 1744, 1747, 1743, 1748, - 1749, 1750, 1748, 1751, 1752, 1753, 1746, 1754, 1755, 1757, - 1753, 1758, 1754, 1756, 1760, 1763, 1758, 1755, 1759, 18, - 1749, 1751, 1752, 1750, 1757, 1756, 1761, 1759, 1762, 1766, - 1763, 1761, 1768, 1762, 1760, 1764, 1764, 1765, 1761, 1769, - 1759, 1770, 1771, 1765, 1772, 1773, 1772, 1774, 1774, 1777, - 1766, 1768, 1775, 1775, 1776, 1776, 1780, 1770, 1769, 1773, + 1716, 1716, 1717, 1715, 1719, 1718, 1714, 1711, 1720, 1710, + 1718, 1717, 1713, 1721, 1717, 1716, 1724, 1725, 1722, 1726, + 1727, 1728, 1719, 1722, 1722, 1727, 1730, 1729, 1732, 1720, + 1724, 1721, 1725, 1729, 1732, 1728, 1731, 1731, 1733, 1734, + 1735, 1726, 1736, 1733, 1730, 1738, 1735, 1739, 1736, 1740, + 1741, 1742, 1743, 1734, 1742, 1740, 1747, 1748, 1743, 1749, + 1742, 1739, 1750, 1741, 1751, 1738, 1753, 1756, 1752, 1751, + 1750, 1754, 1755, 1757, 0, 1747, 1748, 1752, 1749, 1753, + 1754, 1756, 1758, 1758, 1759, 1755, 1760, 1757, 1761, 
1763, + 1759, 1765, 1760, 1762, 1762, 1764, 1766, 1766, 1767, 1768, - 1781, 1773, 1771, 1778, 1778, 1779, 1779, 1782, 1782, 1777, - 1783, 1788, 1784, 1785, 1783, 1790, 1785, 1780, 1784, 1787, - 1789, 1781, 1792, 1792, 1791, 1787, 1789, 1791, 1793, 1788, - 1794, 1795, 1795, 1797, 1796, 1794, 1798, 1799, 1799, 1800, - 1790, 1798, 1804, 1802, 1800, 1801, 1803, 1805, 1793, 1796, - 1807, 1801, 1806, 1811, 1797, 1802, 1802, 1802, 1806, 1809, - 1804, 1810, 1802, 1813, 1809, 1809, 1803, 1805, 1811, 1812, - 1807, 1812, 1814, 1815, 1813, 1810, 1816, 1817, 1818, 1815, - 1819, 1819, 1820, 1821, 1821, 1816, 1822, 1814, 1823, 1824, - 1824, 1825, 1825, 1826, 1829, 1829, 1830, 1817, 1831, 1818, + 1769, 1761, 1770, 1771, 1758, 1768, 1773, 1773, 1774, 1763, + 1765, 1767, 1775, 1764, 1776, 1777, 1775, 1780, 1770, 1776, + 1778, 1771, 1769, 1781, 1779, 1778, 1780, 1783, 1774, 1779, + 1784, 1785, 1786, 1787, 1785, 1777, 1788, 1788, 1783, 1784, + 1789, 1790, 1791, 1793, 1786, 1794, 1781, 1799, 1787, 1792, + 1792, 1795, 1794, 1790, 1796, 1798, 1800, 1793, 1801, 1789, + 1802, 1791, 1800, 1795, 1809, 1803, 1796, 1799, 1804, 1804, + 1801, 1803, 1805, 1809, 1798, 1805, 1806, 1806, 1802, 1808, + 1810, 1811, 1811, 1812, 1808, 1813, 1810, 1813, 1814, 1815, + 1816, 1814, 1817, 1818, 1819, 1812, 1820, 1821, 1823, 1819, - 1833, 1834, 1836, 1836, 1837, 1835, 1822, 1831, 1820, 1833, - 1823, 1835, 1838, 1826, 1841, 1840, 1839, 1842, 1842, 1843, - 1844, 1830, 1834, 1839, 1840, 1837, 1846, 1838, 1847, 1848, - 1849, 1846, 1850, 1851, 1847, 1851, 1844, 1849, 1850, 1853, - 1841, 1854, 1855, 1855, 1857, 1843, 1856, 1854, 1858, 1848, - 1859, 1856, 1860, 1857, 1861, 1862, 1863, 1861, 1853, 1864, - 1864, 1865, 1868, 1867, 1860, 1866, 1869, 1865, 1858, 1859, - 1869, 1866, 1871, 1862, 1872, 1873, 1875, 1868, 1874, 1874, - 1873, 1878, 1863, 1867, 1876, 1879, 1869, 1880, 1880, 1879, - 1884, 1881, 1871, 1882, 1884, 1875, 1872, 1881, 1885, 1876, + 1824, 1820, 1822, 1826, 1829, 1824, 1821, 1825, 0, 1815, + 1817, 
1818, 1816, 1823, 1822, 1827, 1825, 1828, 1832, 1829, + 1827, 1834, 1828, 1826, 1830, 1830, 1831, 1827, 1835, 1825, + 1836, 1837, 1831, 1838, 1839, 1838, 1840, 1840, 1843, 1832, + 1834, 1841, 1841, 1842, 1842, 1846, 1836, 1835, 1839, 1847, + 1839, 1837, 1844, 1844, 1845, 1845, 1848, 1850, 1843, 1849, + 1849, 1850, 1851, 1854, 1852, 1855, 1846, 1852, 1851, 1854, + 1847, 1857, 1856, 1858, 1860, 1860, 1857, 1848, 1856, 1859, + 1861, 1862, 1859, 1855, 1863, 1863, 1862, 1864, 1865, 1866, + 1867, 1868, 1868, 1870, 1866, 1867, 1869, 1879, 1858, 1870, - 1878, 1887, 1882, 1883, 1883, 1886, 1886, 1888, 1889, 1885, - 1890, 1891, 1892, 1893, 1885, 1890, 1896, 1896, 1894, 1893, - 1895, 1888, 1887, 1897, 1897, 1895, 1898, 1889, 1900, 1901, - 1898, 1891, 1892, 1894, 1902, 1903, 1903, 1900, 1905, 1905, - 1901, 1906, 1907, 1909, 1910, 1901, 1906, 1906, 1907, 1909, - 1911, 1912, 1913, 1915, 1902, 1911, 1916, 1917, 1913, 1918, - 1916, 1919, 1921, 1912, 1920, 1915, 1922, 1919, 1921, 1917, - 1910, 1923, 1924, 1928, 1929, 1925, 1927, 1924, 1931, 1929, - 1935, 1931, 1932, 1932, 1918, 1922, 1920, 1925, 1927, 1933, - 1933, 1923, 1928, 1934, 1934, 1936, 1937, 1940, 1938, 1939, + 1861, 1869, 1864, 1871, 1872, 1873, 1874, 1875, 1876, 1865, + 1880, 1879, 0, 1875, 1878, 1871, 1871, 1871, 1883, 1878, + 1878, 1882, 1871, 1873, 1872, 1880, 1874, 1881, 1876, 1881, + 1884, 1885, 1882, 1883, 1886, 1887, 1884, 1888, 1888, 1889, + 1885, 1890, 1890, 1891, 1892, 1893, 1893, 1894, 1894, 1895, + 1898, 1898, 1899, 1900, 1886, 1902, 1887, 1903, 1905, 1906, + 1906, 1904, 1900, 1891, 1902, 1889, 1892, 1904, 1907, 1895, + 1908, 1910, 1909, 1911, 1905, 1912, 1912, 1899, 1903, 1909, + 1910, 1913, 1914, 1917, 1916, 1908, 1918, 1920, 1917, 1907, + 1916, 1919, 1918, 1924, 1920, 1921, 1929, 1925, 1914, 1911, - 1935, 1936, 1937, 1938, 1942, 1939, 1940, 1944, 1945, 1942, - 1944, 1946, 1946, 1948, 1949, 1952, 1950, 1951, 1951, 1957, - 1945, 1950, 1953, 1954, 1952, 1948, 1949, 1953, 1954, 1955, - 1956, 1956, 1955, 1958, 
1959, 1960, 1961, 1964, 1962, 1957, - 1961, 1963, 1958, 1962, 1965, 1966, 1967, 1963, 1970, 1969, - 1969, 1972, 1959, 1965, 1960, 1964, 1971, 1973, 1973, 1974, - 1967, 1969, 1975, 1966, 1976, 1971, 1970, 1977, 1974, 1978, - 1983, 1972, 1977, 1983, 1975, 1981, 1981, 1984, 1985, 1990, - 1987, 1989, 1978, 1988, 1992, 1976, 1992, 1989, 1991, 1991, - 1993, 1993, 1994, 1984, 1985, 1987, 1990, 1988, 1996, 1996, + 1922, 1921, 1922, 1925, 1926, 1926, 1928, 1913, 1927, 1930, + 1932, 1919, 1924, 1927, 1931, 1928, 1929, 1931, 1933, 1934, + 1935, 1933, 1932, 1936, 1936, 1937, 1938, 1939, 1930, 1940, + 1941, 1937, 1938, 1943, 1941, 1944, 1945, 1934, 1946, 1946, + 1947, 1945, 1948, 1949, 1940, 1952, 1935, 1939, 1951, 1952, + 1941, 1953, 1953, 1943, 1954, 1957, 1955, 1944, 1949, 1957, + 1954, 1948, 1956, 1956, 1947, 1955, 1958, 1951, 1959, 1959, + 1960, 1961, 1968, 1962, 1963, 1964, 1965, 1958, 1966, 1963, + 1967, 1971, 1958, 1970, 1969, 1961, 1967, 1978, 1970, 1974, + 1968, 1960, 1962, 1974, 1971, 1964, 1965, 1976, 1966, 1969, - 1994, 1997, 1997, 1999, 2000, 2001, 2002, 2003, 2004, 2006, - 2000, 2001, 2007, 2002, 2005, 2005, 2012, 2016, 2006, 2008, - 2009, 2010, 2011, 2013, 2014, 2017, 1999, 2018, 2004, 2003, - 2014, 2008, 2009, 2007, 2011, 2020, 2010, 2016, 2013, 2018, - 2019, 2019, 2012, 2014, 2021, 2023, 2022, 2024, 2017, 2022, - 2023, 2026, 2027, 2020, 2027, 2028, 2026, 2029, 2030, 2032, - 2034, 2035, 2029, 2036, 2021, 2030, 2038, 2024, 2032, 2037, - 2035, 2037, 2040, 2028, 2040, 2036, 2041, 2043, 2034, 2042, - 2042, 2044, 2045, 2046, 2045, 2038, 2044, 2047, 2046, 2048, - 2041, 2049, 2047, 2050, 2053, 2051, 2052, 2055, 2057, 2050, + 1972, 1972, 1973, 1973, 1977, 1986, 1976, 1978, 1979, 1979, + 1981, 1981, 1982, 1983, 0, 1977, 1985, 1982, 1982, 1983, + 1977, 1987, 1985, 1988, 1989, 1991, 1987, 1993, 1992, 1995, + 1989, 1986, 1992, 1994, 1994, 1988, 1996, 1991, 1997, 1993, + 1998, 2001, 1996, 1999, 1999, 2000, 1998, 2002, 2006, 2074, + 2003, 2005, 2002, 2007, 1995, 2013, 2009, 
2074, 2007, 2009, + 1997, 2001, 2003, 2005, 2000, 2010, 2010, 2006, 2011, 2011, + 2012, 2012, 2014, 2015, 2017, 2013, 2016, 2018, 2014, 2015, + 2017, 2016, 2020, 2023, 2026, 2022, 2018, 2020, 2022, 2024, + 2024, 2027, 2028, 2029, 2029, 2023, 2026, 2028, 2030, 2031, - 2051, 2058, 2062, 2043, 2128, 2055, 2053, 2048, 2054, 2052, - 2061, 2049, 2128, 2054, 2054, 2058, 2066, 2057, 2059, 2059, - 2060, 2060, 2062, 2063, 2067, 2061, 2064, 2069, 2065, 2063, - 2065, 2064, 2067, 2074, 2066, 2068, 2068, 2070, 2070, 2069, - 2067, 2071, 2071, 2072, 2073, 2076, 2077, 2078, 2077, 2073, - 2079, 2074, 2072, 2080, 2076, 2079, 2079, 2076, 2081, 2082, - 2084, 2085, 2088, 2089, 2086, 2080, 2085, 2081, 2078, 2086, - 2090, 2082, 2084, 2091, 2091, 2088, 2092, 2093, 2095, 2090, - 2094, 2098, 2096, 2089, 2100, 2101, 2099, 2109, 2112, 2120, - 2101, 2110, 2095, 2098, 2092, 2093, 2094, 2096, 2099, 2103, + 2032, 2034, 2034, 2027, 2031, 2032, 2033, 2030, 2035, 2033, + 2036, 2037, 2038, 2039, 2042, 2040, 2041, 2039, 2043, 2036, + 2040, 2044, 2041, 2045, 2047, 2047, 2048, 2043, 2035, 2037, + 2050, 2038, 2042, 2049, 2051, 2051, 2047, 2045, 2052, 2044, + 2053, 2054, 2049, 2055, 2048, 2056, 2061, 2052, 2055, 2061, + 2050, 2062, 2053, 2059, 2059, 2063, 2064, 2068, 2056, 2066, + 2069, 2067, 2054, 2068, 2070, 2070, 2071, 2062, 2071, 2072, + 2079, 2063, 2064, 2088, 2066, 2067, 2084, 2069, 2073, 2073, + 2076, 2076, 2077, 2077, 2080, 2081, 2082, 2072, 2083, 2085, + 2080, 2081, 2087, 2079, 2088, 2083, 2086, 2086, 2084, 2089, - 2102, 2106, 2120, 2108, 2100, 2102, 2110, 2106, 2103, 2108, - 2109, 2111, 2113, 2112, 2114, 2114, 2115, 2116, 2116, 2117, - 2106, 2113, 2118, 2119, 2121, 2115, 2118, 2122, 2119, 2111, - 2123, 2124, 17, 2122, 2125, 2126, 2124, 2124, 2117, 2127, - 2125, 2126, 2127, 2121, 2129, 2132, 2132, 2133, 2133, 2134, - 2135, 2135, 2123, 2136, 2136, 2137, 2138, 2139, 2134, 2151, - 2140, 2143, 2133, 2139, 2129, 2140, 2143, 2137, 2141, 2141, - 2142, 2142, 2144, 2133, 2138, 2146, 2147, 2148, 2144, 2146, 
- 2149, 2148, 2152, 2153, 2151, 2155, 2154, 2152, 2157, 2156, - 2155, 2158, 2159, 2160, 2161, 2161, 2147, 2159, 2162, 2163, + 2082, 2087, 2090, 2091, 2092, 2093, 2094, 2097, 2099, 2085, + 2098, 2089, 2101, 2095, 2090, 2095, 2092, 2102, 2091, 2095, + 2099, 2094, 2100, 2100, 2104, 2103, 2105, 2097, 2103, 2104, + 2101, 2093, 2095, 2098, 2107, 2109, 2108, 2102, 2108, 2107, + 2110, 2111, 2113, 2115, 2119, 2110, 2105, 2116, 2111, 2120, + 2117, 2113, 2118, 2109, 2118, 2120, 2116, 2122, 2123, 2122, + 2125, 2115, 2117, 2119, 2124, 2124, 2126, 2127, 2128, 2127, + 2129, 2126, 2123, 2128, 2130, 2129, 2131, 2132, 2133, 2136, + 2134, 2140, 2135, 2137, 2133, 2134, 2125, 2141, 2137, 2137, + 2138, 2136, 2130, 2145, 2131, 2135, 2144, 2132, 2138, 2146, - 2149, 2154, 2162, 2164, 2157, 2165, 2153, 2156, 2164, 2166, - 2167, 2158, 2169, 2168, 2163, 2160, 2170, 2169, 2171, 2172, - 2172, 2175, 2167, 2176, 2177, 2174, 2178, 2166, 2184, 2170, - 2179, 2165, 2168, 2174, 2180, 2182, 2171, 2260, 2187, 2181, - 2175, 2186, 2176, 2184, 2189, 2192, 2189, 2177, 2192, 2179, - 2178, 2181, 2187, 2188, 2186, 2180, 2182, 2190, 2190, 2188, - 2191, 2193, 2194, 2260, 2195, 2191, 2196, 2196, 2197, 2197, - 2198, 2200, 2198, 2203, 2193, 2201, 2194, 2195, 2199, 2199, - 2202, 2202, 2203, 2204, 2204, 2203, 2200, 2206, 2201, 2205, - 2205, 2208, 2206, 2209, 2210, 2211, 2208, 2212, 2212, 2213, + 2140, 2141, 2142, 2142, 2143, 2143, 2147, 2144, 2145, 2148, + 2150, 2149, 2147, 2149, 2148, 2151, 2152, 2152, 2153, 2146, + 2154, 2154, 2157, 2151, 2155, 2155, 2156, 2157, 2150, 2158, + 2153, 2151, 2160, 2161, 2163, 2156, 2160, 2162, 2164, 2162, + 2165, 2166, 2161, 2164, 2164, 2161, 2167, 2158, 2169, 2170, + 2166, 2171, 2165, 2173, 2170, 2163, 2171, 2174, 2167, 2175, + 2169, 2176, 2176, 2177, 2178, 2179, 2173, 2181, 2175, 2180, + 2182, 2183, 0, 2184, 2188, 2186, 2187, 2174, 2184, 2197, + 2191, 2177, 2178, 2179, 2182, 2180, 2183, 2186, 2187, 2191, + 2189, 2190, 2181, 2194, 2188, 2189, 2190, 2196, 2198, 2194, - 2213, 2214, 
2215, 2215, 2216, 2217, 2217, 2211, 2218, 0, - 2219, 2220, 2220, 2209, 2210, 2219, 2221, 2221, 2222, 2223, - 2214, 2224, 2216, 2218, 2225, 2227, 2228, 2228, 2223, 2229, - 2227, 2231, 2222, 2230, 2230, 2224, 2232, 2233, 2234, 2234, - 2233, 2236, 2232, 2225, 2235, 2235, 2237, 2240, 2229, 2231, - 2238, 2241, 2238, 2244, 2234, 2242, 2242, 2245, 2249, 2246, - 2236, 2237, 2240, 2247, 2248, 2248, 2250, 2247, 2251, 2252, - 2241, 2250, 2255, 2244, 2246, 2254, 2254, 2249, 2256, 2257, - 2245, 2258, 2259, 2251, 2252, 2256, 2261, 2261, 2262, 2263, - 2266, 2263, 2255, 2257, 2267, 2264, 2266, 2262, 2264, 2258, + 2199, 2200, 2197, 2196, 2205, 2201, 2202, 2202, 2203, 2204, + 2204, 2206, 2194, 2198, 2201, 2207, 2208, 2203, 2199, 2207, + 2209, 2208, 2205, 2211, 2213, 2212, 2200, 2219, 0, 2214, + 2206, 2212, 2215, 2209, 2214, 2214, 2217, 2216, 2215, 2217, + 2218, 2228, 2211, 2216, 2222, 2222, 2213, 2219, 2218, 2223, + 2223, 2224, 2225, 2225, 2226, 2226, 2227, 2229, 2241, 2228, + 2224, 2230, 2233, 2229, 2223, 2237, 2230, 2233, 2227, 2231, + 2231, 2232, 2232, 2234, 2236, 2223, 2238, 2239, 2236, 2234, + 2238, 2242, 2243, 2241, 2244, 2237, 2242, 2245, 2246, 2248, + 2249, 2247, 2245, 2250, 2252, 2249, 2253, 2239, 2252, 2244, - 2259, 2270, 2268, 2269, 2271, 2273, 2267, 2268, 2269, 2272, - 2273, 2274, 2278, 2264, 2276, 2264, 2277, 2271, 2279, 2276, - 2280, 2277, 2281, 2284, 2279, 2285, 2270, 2278, 2281, 2282, - 2272, 2283, 2286, 2287, 2282, 2286, 2283, 2274, 2285, 2372, - 2288, 2280, 2287, 2289, 2290, 2291, 2296, 2372, 2284, 2288, - 2292, 2293, 2289, 2290, 2294, 2298, 2292, 2293, 2294, 2291, - 2299, 2299, 2300, 2302, 2298, 2305, 2296, 2307, 2300, 2301, - 2301, 2304, 2302, 2303, 2303, 2308, 2304, 2310, 2301, 2309, - 2309, 2311, 2313, 2307, 2314, 2305, 2315, 2305, 2320, 2462, - 2311, 2308, 2310, 2316, 2313, 2318, 2462, 2319, 2318, 2321, + 2251, 2251, 2255, 2254, 2256, 2243, 2246, 2247, 2254, 2248, + 2258, 2253, 2257, 2259, 2260, 2250, 2261, 2264, 2259, 2262, + 2262, 2265, 2256, 2266, 2257, 
2264, 2267, 2260, 2255, 2258, + 2268, 2269, 2270, 2271, 2261, 2272, 2273, 2274, 2305, 2278, + 2265, 2276, 2266, 2274, 2279, 2267, 2281, 2272, 2281, 2282, + 2305, 2270, 2278, 2268, 2271, 2269, 2276, 2273, 2279, 2280, + 2283, 2283, 2284, 2285, 2286, 2280, 2285, 2284, 2287, 2282, + 2288, 2289, 2289, 2290, 2290, 2293, 2291, 2286, 2291, 2292, + 2292, 2294, 2287, 2288, 2295, 2295, 2296, 2296, 2297, 2303, + 2293, 2298, 2298, 2300, 2294, 2299, 2299, 2297, 2300, 2302, - 2314, 2315, 2319, 2322, 2322, 2316, 2323, 2323, 2320, 2325, - 2325, 2321, 2326, 2327, 2328, 2326, 2329, 2330, 2327, 2332, - 2328, 2335, 2329, 2331, 2331, 2334, 2330, 2333, 2333, 2336, - 2337, 2337, 2338, 2332, 2340, 2335, 2339, 2334, 2338, 2340, - 2342, 2348, 2343, 2346, 2342, 2343, 2344, 2344, 2336, 2345, - 2339, 2347, 2346, 2349, 2345, 2350, 2350, 2349, 2351, 2353, - 2347, 2348, 2354, 2355, 2353, 2356, 2357, 2358, 2359, 2360, - 2357, 2351, 2361, 2359, 2362, 2360, 2363, 2364, 2361, 2356, - 2365, 2366, 2354, 2355, 2369, 2365, 2368, 2358, 2370, 2380, - 2377, 2371, 2362, 2370, 2375, 2363, 2364, 2371, 2368, 2373, + 2297, 2304, 2306, 2306, 2302, 2307, 2307, 2308, 2312, 2303, + 2309, 2309, 2310, 2311, 2311, 2313, 2314, 2314, 2315, 2315, + 2313, 2304, 2316, 2312, 2317, 2318, 2308, 2319, 2320, 2322, + 2310, 2323, 2323, 2317, 2322, 2324, 2316, 2325, 2325, 2326, + 2327, 2319, 2318, 2328, 2332, 2327, 2333, 2320, 2329, 2328, + 2336, 2329, 2330, 2330, 2324, 2331, 2331, 2326, 2334, 2337, + 2334, 2333, 2340, 2332, 2341, 2336, 2338, 2338, 2330, 2342, + 2343, 2344, 2345, 2345, 2346, 2344, 2347, 2352, 2337, 2341, + 2348, 2347, 2340, 2349, 2353, 2343, 2351, 2351, 2354, 2355, + 2356, 2353, 2342, 2346, 2357, 2348, 2358, 2352, 2349, 2359, - 2369, 2373, 2366, 2375, 2377, 2378, 2378, 2379, 2381, 2381, - 2379, 2385, 2384, 2386, 2388, 2380, 2384, 2385, 2387, 2387, - 2391, 2391, 2393, 2388, 2395, 2386, 2396, 2399, 2400, 2401, - 2402, 2409, 2399, 2407, 2401, 2402, 2403, 2403, 2395, 2407, - 2393, 2410, 2396, 2405, 2405, 2408, 2408, 
2409, 2411, 2413, - 2415, 2419, 2414, 2411, 2400, 2414, 2421, 2416, 2417, 2417, - 2419, 2420, 2415, 2410, 2422, 2424, 2424, 2420, 2413, 2416, - 2425, 2426, 0, 2425, 2421, 2427, 2429, 2429, 2431, 2422, - 2430, 2430, 2432, 2431, 2434, 2433, 2435, 2436, 2435, 2434, - 2426, 2437, 2438, 2427, 2433, 2440, 2441, 2439, 2442, 2448, + 2359, 2360, 2354, 2361, 2365, 2361, 2364, 2355, 2356, 2357, + 2360, 2362, 2364, 2366, 2362, 2367, 2365, 2368, 2366, 2369, + 2367, 2371, 2358, 2370, 2372, 2374, 2371, 2380, 2375, 2362, + 2374, 2362, 2369, 2375, 2376, 2378, 2377, 2379, 2381, 2376, + 2382, 2378, 2368, 2379, 2370, 2385, 2382, 2383, 2380, 2384, + 2372, 2377, 2383, 2381, 2384, 2386, 2387, 2388, 2389, 2387, + 2390, 2392, 2391, 2397, 2399, 2400, 2388, 2389, 2386, 2390, + 2385, 2391, 2393, 2394, 2400, 2392, 2395, 0, 2393, 2394, + 2395, 2401, 2401, 2397, 2399, 2402, 2403, 2403, 2404, 2405, + 2405, 2402, 2407, 2406, 2409, 2403, 2412, 2404, 2406, 2410, - 2432, 2436, 2439, 2442, 2438, 2437, 2443, 2443, 2444, 2444, - 2445, 2445, 2446, 2446, 2447, 2440, 2441, 2448, 2449, 2450, - 2450, 2451, 2451, 2449, 2452, 2453, 2447, 2454, 2455, 2456, - 2456, 2457, 2458, 2458, 2459, 2459, 2452, 2453, 2460, 2461, - 2463, 2464, 2466, 2465, 2455, 2467, 2469, 2454, 2465, 2460, - 2457, 2461, 2463, 2468, 2468, 2469, 2470, 2471, 2472, 2473, - 2474, 2464, 2466, 2475, 2476, 2467, 2476, 2477, 2478, 2478, - 2484, 2472, 2479, 2480, 2474, 2481, 2483, 2471, 2485, 2477, - 2499, 2479, 2470, 2473, 2486, 2475, 2487, 2486, 2480, 0, - 2481, 2488, 2484, 2489, 2483, 2497, 2488, 2502, 2489, 2499, + 2411, 2411, 2416, 2421, 2413, 2415, 2417, 2418, 2421, 2422, + 2409, 2412, 2407, 2413, 2407, 2410, 2423, 2415, 2416, 2418, + 2420, 2417, 0, 2420, 2424, 2424, 2425, 2425, 2423, 2422, + 2427, 2427, 2428, 2429, 2430, 2428, 2431, 2432, 2429, 2434, + 2430, 2437, 2431, 2433, 2433, 2436, 2432, 2435, 2435, 2438, + 2439, 2439, 2440, 2434, 2442, 2437, 2441, 2436, 2440, 2442, + 2444, 2450, 2445, 2448, 2444, 2445, 2446, 2446, 2438, 2447, + 2441, 
2449, 2448, 2451, 2447, 2452, 2452, 2451, 2453, 2455, + 2449, 2450, 2456, 2457, 2455, 2458, 2459, 2461, 2460, 2462, + 2463, 2453, 2460, 2464, 2462, 2466, 2463, 2465, 2465, 2464, - 2487, 2485, 2490, 2490, 2491, 2491, 2492, 2492, 2494, 2494, - 2496, 2496, 2498, 2497, 2500, 2503, 2504, 2502, 2506, 2505, - 2507, 2509, 2508, 2498, 2508, 2510, 2511, 2506, 2515, 2500, - 2512, 2512, 2516, 2503, 2514, 2514, 2517, 2522, 2504, 2505, - 2507, 2509, 2515, 2510, 2511, 2517, 2518, 2518, 2520, 2521, - 2521, 2523, 2524, 2525, 2516, 2522, 2526, 2520, 2527, 2524, - 2529, 2528, 2530, 2530, 2531, 2531, 2532, 2533, 2525, 2523, - 2535, 2535, 2534, 2538, 2526, 2539, 2527, 2528, 2534, 2529, - 2536, 2536, 2537, 2540, 2541, 2533, 2532, 2542, 2537, 2543, - 2539, 2538, 2542, 2544, 2545, 2546, 2551, 2546, 2541, 2545, + 2459, 2467, 2456, 2457, 2468, 2458, 2469, 2461, 2470, 2471, + 2471, 2469, 2473, 2466, 2474, 2478, 2475, 2478, 2477, 2476, + 2467, 2475, 2480, 2468, 2473, 2476, 2477, 2482, 2486, 2470, + 2474, 2480, 2483, 2483, 2484, 2485, 2492, 2484, 2485, 2487, + 2487, 2482, 2490, 2491, 2493, 2493, 2490, 2494, 2492, 2491, + 2497, 2497, 2499, 2501, 2486, 2502, 2494, 2505, 2506, 2507, + 2508, 2509, 2505, 2510, 2510, 2508, 2509, 2501, 2512, 2512, + 2499, 2502, 2514, 2515, 2516, 2516, 2517, 2518, 2514, 2521, + 2507, 2519, 2522, 2523, 2506, 2522, 2519, 2527, 2524, 2525, + 2525, 2528, 2517, 2515, 2530, 2523, 2527, 2528, 2521, 2518, - 2547, 2547, 2540, 2548, 2554, 2548, 2549, 2549, 2553, 2543, - 2555, 2556, 2558, 2544, 2557, 2551, 2559, 2553, 2562, 2557, - 0, 2563, 2555, 2554, 2563, 2564, 2564, 2565, 2566, 2567, - 2567, 2556, 2558, 2568, 2569, 2559, 2570, 2572, 2562, 2573, - 2570, 2575, 2565, 2573, 2568, 2577, 2566, 2574, 2574, 2569, - 2578, 2579, 2572, 2582, 2575, 2580, 2580, 2583, 2584, 2586, - 2577, 2590, 2584, 2585, 2585, 2582, 2583, 2587, 2587, 2588, - 2578, 2579, 2589, 2591, 2588, 2592, 2599, 2590, 2586, 2593, - 2593, 2589, 2598, 2598, 2601, 2591, 2600, 2600, 2602, 2606, - 2603, 2604, 2605, 2605, 
2613, 2592, 2616, 2601, 2599, 2603, + 2524, 2529, 2531, 2533, 2533, 2534, 2535, 2529, 2534, 2536, + 2538, 2538, 2530, 2539, 2539, 2540, 2541, 2531, 2543, 2542, + 2540, 2544, 2545, 2546, 2545, 2535, 2544, 2536, 2542, 2547, + 2548, 2543, 2550, 2549, 2541, 2551, 2552, 2546, 2549, 2553, + 2553, 2552, 2548, 2547, 2554, 2554, 2555, 2555, 2556, 2556, + 2557, 2558, 2550, 2559, 2563, 2551, 2560, 2560, 2559, 2561, + 2561, 2564, 2557, 2562, 2562, 2565, 2563, 2566, 2567, 2558, + 2568, 2569, 2569, 2570, 2571, 2571, 2574, 2565, 2572, 2572, + 2573, 2564, 2576, 2575, 2577, 2579, 2568, 2566, 2574, 2567, + 2575, 2573, 2570, 2578, 2576, 2580, 2581, 2581, 2578, 2582, - 2604, 2602, 2608, 2608, 2606, 2611, 2612, 2614, 2613, 2615, - 2611, 2612, 2614, 2617, 2620, 2616, 2618, 2615, 2621, 2623, - 2622, 2627, 2617, 2621, 2618, 2622, 2624, 2624, 2626, 2620, - 2625, 2625, 2629, 2626, 2623, 2628, 2628, 2630, 2631, 2629, - 2627, 2632, 2630, 2633, 0, 2634, 2635, 2635, 2636, 2633, - 2634, 2642, 2637, 2638, 2638, 2644, 2631, 2637, 2644, 2632, - 2639, 2639, 2645, 2636, 2642, 2643, 2643, 2645, 2645, 2646, - 2647, 2648, 2649, 2650, 2646, 2647, 2651, 2650, 2649, 2652, - 2653, 2651, 2654, 2655, 2658, 2648, 2656, 2657, 2652, 2658, - 2654, 2659, 2656, 2657, 2661, 2653, 2663, 2662, 2665, 2663, + 2583, 2583, 2584, 2585, 2577, 2579, 2586, 2587, 2582, 2591, + 2588, 2589, 2590, 2593, 2590, 2580, 2592, 2592, 2597, 2586, + 2594, 2591, 2593, 2585, 2588, 2595, 2598, 2599, 2584, 2600, + 2601, 2587, 2600, 2589, 2602, 2594, 2597, 2603, 2612, 2602, + 2595, 2611, 2603, 2613, 2601, 2604, 2604, 2616, 2598, 2612, + 2599, 2605, 2605, 2606, 2606, 2608, 2608, 2610, 2610, 2611, + 2614, 2617, 2613, 2618, 2619, 2620, 2621, 2616, 2622, 2623, + 2622, 2630, 2624, 2625, 2620, 2614, 2626, 2626, 2629, 2617, + 2628, 2628, 2632, 2632, 2619, 2618, 2621, 2631, 2634, 2623, + 2624, 2625, 2629, 2630, 2635, 2635, 2631, 2634, 2636, 2637, - 2667, 2661, 2662, 2659, 2655, 2667, 2668, 2669, 2670, 2671, - 2665, 2668, 2677, 2672, 2673, 2673, 2682, 
2674, 2671, 2683, - 0, 2670, 2672, 2678, 2684, 2669, 2674, 2679, 2687, 2678, - 2677, 2685, 2685, 2679, 2686, 2682, 2688, 2689, 2691, 2683, - 2693, 2686, 2695, 2684, 2698, 2688, 2696, 2687, 2690, 2690, - 2696, 2704, 2689, 2697, 2697, 2693, 2704, 2691, 2699, 2700, - 2701, 2706, 2695, 2703, 2699, 2700, 2701, 2702, 2702, 2698, - 2706, 2703, 2707, 2709, 2710, 2712, 2711, 2710, 2713, 2709, - 2711, 2715, 2715, 2716, 2721, 2707, 2717, 2717, 2721, 2712, - 2718, 2718, 2722, 2713, 2720, 2720, 2726, 2722, 2724, 2724, + 2638, 2639, 2641, 2642, 2640, 2644, 2643, 2645, 2639, 2646, + 2646, 2647, 2647, 2648, 2645, 0, 2636, 2637, 2638, 2640, + 2641, 2642, 2643, 2649, 2644, 2650, 2652, 2652, 2653, 2653, + 2654, 2650, 2655, 2648, 2656, 2657, 2654, 2658, 2659, 2660, + 2662, 2649, 2661, 2659, 2664, 2669, 2664, 2663, 2672, 2656, + 2655, 2658, 2663, 2661, 2657, 2665, 2665, 2667, 2667, 2660, + 2662, 2666, 2671, 2666, 2669, 2673, 2674, 2672, 2675, 2676, + 2677, 2671, 2678, 2675, 2676, 2681, 2682, 2673, 2683, 2684, + 2684, 2683, 2685, 2686, 2687, 2687, 2674, 2688, 2689, 2690, + 2677, 2678, 2692, 2690, 2682, 2681, 2693, 2685, 2688, 2696, - 2727, 2716, 2728, 2729, 2732, 2727, 2730, 2742, 2729, 2729, - 2733, 2733, 2735, 2735, 2728, 2738, 2726, 2740, 2730, 2736, - 2736, 2746, 2737, 2749, 2732, 2737, 2748, 2742, 2738, 2743, - 2743, 2744, 2744, 2745, 2745, 2740, 2746, 2747, 2747, 2748, - 2750, 2749, 2751, 2752, 2752, 2753, 2756, 2760, 2751, 2753, - 2757, 2759, 2756, 2761, 2750, 2757, 2759, 2759, 2762, 2763, - 2764, 2765, 2775, 2766, 2772, 2763, 2764, 2766, 2767, 2767, - 2760, 2770, 2772, 2761, 2773, 2778, 2770, 2773, 2762, 2776, - 2777, 2777, 2776, 2779, 2780, 2781, 2765, 2775, 2779, 2782, - 2783, 2783, 2778, 2778, 2784, 2785, 2786, 2787, 2785, 2788, + 2694, 2686, 2693, 2689, 2694, 2695, 2695, 2692, 2698, 2699, + 2700, 2704, 2696, 2701, 2701, 2703, 2708, 2705, 2706, 2706, + 2704, 2705, 2712, 2698, 2707, 2707, 2714, 2703, 2710, 2699, + 2700, 2709, 2709, 2710, 2711, 2708, 2713, 2721, 2712, 2715, + 
2715, 2720, 2720, 2711, 2722, 2722, 2714, 2723, 2713, 2724, + 2725, 2730, 2726, 2729, 2729, 2727, 2728, 2731, 0, 2721, + 2723, 2726, 2724, 2725, 2727, 2728, 2733, 2733, 2736, 2737, + 2738, 2730, 2731, 2736, 2737, 2739, 2741, 2740, 2742, 2745, + 2739, 2743, 2749, 2747, 2738, 2740, 2748, 2742, 2747, 2743, + 2753, 2748, 2750, 2750, 2745, 2741, 2752, 2749, 2751, 2751, - 2791, 2810, 2780, 2782, 2810, 2781, 2785, 2788, 2784, 2789, - 2786, 2800, 2790, 2799, 2789, 2789, 2787, 2790, 2790, 2791, - 2792, 2792, 2793, 2793, 2794, 2794, 2795, 2795, 2796, 2796, - 2797, 2798, 2802, 2799, 2801, 2803, 2798, 2800, 2804, 2801, - 2803, 2805, 2806, 2808, 2808, 2811, 2797, 2804, 2809, 2809, - 2814, 2802, 2813, 2813, 2815, 2815, 2823, 2814, 2819, 2816, - 2820, 2805, 2806, 2811, 2816, 2818, 2818, 2819, 2821, 2820, - 2824, 2824, 2825, 2826, 2823, 2827, 2825, 2821, 2828, 2830, - 2829, 2832, 2826, 2831, 2830, 2830, 2842, 2833, 2837, 2828, - 2832, 2833, 2841, 2837, 2827, 2829, 2831, 2838, 2838, 2840, + 2755, 2752, 2754, 2754, 2757, 2756, 2758, 2755, 2759, 2753, + 2756, 2760, 2761, 2761, 2759, 2762, 2760, 0, 2763, 2764, + 2764, 2768, 2757, 2763, 2758, 2765, 2765, 2769, 2769, 2770, + 2762, 2771, 2770, 2772, 2768, 2773, 2771, 2771, 2772, 2774, + 2773, 2775, 2776, 2777, 2779, 2778, 2776, 2775, 2777, 2780, + 2781, 2784, 2782, 2774, 2778, 2783, 2784, 2780, 2782, 2779, + 2785, 2783, 2787, 2788, 2789, 2791, 2796, 2789, 2788, 2787, + 2793, 2781, 2785, 2794, 2795, 2793, 2797, 2791, 2794, 2795, + 2805, 2798, 2799, 2801, 2796, 2800, 2800, 2810, 2802, 2797, + 2798, 2799, 2801, 2802, 2806, 2807, 2811, 2814, 2805, 2812, - 2840, 2843, 2845, 2845, 2846, 2847, 2841, 2850, 2852, 2851, - 2853, 2842, 2855, 2846, 2857, 2859, 2853, 2847, 2851, 2843, - 2859, 2860, 2861, 2861, 2855, 2862, 2860, 2865, 2852, 2866, - 2872, 2864, 2850, 2873, 2862, 2857, 2864, 2867, 2867, 2872, - 2865, 2867, 2874, 2866, 2869, 2869, 2870, 2870, 2871, 2871, - 2875, 2877, 2881, 2873, 2878, 2875, 2882, 2877, 2879, 2878, - 2883, 2874, 2884, 
2879, 2880, 2880, 2885, 2884, 2882, 2886, - 2881, 2887, 2888, 2888, 2890, 2886, 2894, 2891, 2890, 2895, - 2892, 2883, 2891, 2896, 2885, 2892, 2893, 2893, 2898, 2900, - 2900, 2902, 2903, 2904, 2895, 2894, 2887, 2904, 2896, 2906, + 2806, 2807, 2813, 2813, 2814, 2815, 2810, 2817, 2816, 2820, + 2818, 2819, 2819, 2824, 2822, 2825, 2811, 2816, 2812, 2825, + 2826, 2826, 2817, 2827, 2815, 2818, 2828, 2830, 2820, 2822, + 2829, 2831, 2828, 2824, 2832, 2832, 2829, 2831, 2833, 2834, + 2837, 2838, 2835, 2859, 2840, 2830, 2833, 2835, 2827, 2837, + 2840, 2843, 2841, 2842, 2838, 2841, 2845, 2842, 2844, 2844, + 2847, 2847, 2848, 2859, 2834, 2843, 2849, 2849, 2850, 2850, + 2853, 2845, 2852, 2852, 2853, 2855, 2854, 2857, 2857, 2861, + 2848, 2854, 2860, 2862, 2855, 2863, 2865, 2860, 2862, 2862, + 2872, 2861, 2866, 2866, 2868, 2868, 2873, 2863, 2869, 2869, - 2905, 2907, 2908, 2912, 2902, 2903, 2909, 2911, 2898, 2905, - 2908, 2909, 2910, 2910, 2913, 2906, 2911, 2914, 2914, 2915, - 2907, 2912, 2918, 2918, 2919, 2919, 2921, 2923, 2923, 2925, - 2926, 2928, 2927, 2930, 2930, 2931, 2928, 2933, 2915, 2934, - 2913, 2932, 2935, 2933, 2938, 2925, 2926, 2921, 2927, 2939, - 2932, 2937, 2937, 2940, 2940, 2931, 2943, 2944, 2938, 2945, - 2947, 2935, 2934, 2944, 2945, 2948, 2948, 2950, 2939, 2949, - 2949, 2951, 2951, 2952, 2953, 2954, 2943, 2956, 2957, 2955, - 2958, 0, 2947, 2953, 2952, 2955, 2960, 2950, 2959, 2959, - 2957, 2951, 2963, 2963, 2961, 2954, 2956, 2961, 2967, 2962, + 2870, 2870, 2871, 2872, 2876, 2871, 2865, 2875, 2875, 2873, + 2878, 2879, 2879, 2880, 2880, 2881, 2881, 2882, 2883, 2883, + 2884, 2885, 2876, 2886, 2889, 2887, 2888, 2888, 2889, 2892, + 2878, 2887, 2882, 2884, 2896, 2892, 2893, 2886, 2895, 2885, + 2897, 2893, 2898, 2895, 2895, 2899, 2900, 2901, 2911, 2902, + 2908, 2899, 2900, 2902, 2903, 2903, 2906, 2896, 2908, 2914, + 2897, 2906, 2898, 2909, 2912, 2915, 2909, 2912, 2913, 2913, + 2915, 2916, 2901, 2911, 2917, 2934, 2914, 2914, 2918, 2919, + 2919, 2920, 2921, 2922, 2923, 2921, 
2928, 2928, 2924, 2916, + 2927, 2934, 2918, 2921, 2917, 2920, 2924, 2922, 2937, 2925, - 2958, 2960, 2962, 2968, 2973, 2969, 2970, 2970, 2972, 2971, - 2967, 2969, 2971, 2975, 2972, 2976, 2976, 2978, 2975, 2977, - 2979, 2980, 2973, 2968, 2977, 2983, 2979, 2981, 2981, 2984, - 2985, 2986, 2987, 2987, 2988, 2989, 2978, 2983, 2980, 2980, - 2990, 2992, 2992, 2994, 2986, 2993, 2993, 2984, 2994, 2990, - 2995, 2989, 2996, 2988, 3000, 2985, 3001, 2996, 2997, 2997, - 2998, 2998, 2999, 2999, 2995, 3002, 3008, 3000, 3003, 3005, - 3005, 3002, 3010, 3003, 3011, 3012, 3013, 3013, 3015, 3015, - 3016, 3017, 3001, 3019, 3018, 3008, 3020, 3021, 3021, 3022, - 3022, 3025, 0, 3024, 3010, 3020, 3011, 3012, 3018, 3024, + 0, 2926, 2936, 2923, 2925, 2925, 2926, 2926, 2940, 2927, + 2929, 2929, 2930, 2930, 2931, 2931, 2932, 2932, 2933, 2933, + 2935, 2938, 2936, 2939, 2937, 2935, 2941, 2940, 2939, 2942, + 2943, 2941, 2944, 2946, 2946, 2938, 2947, 2947, 2942, 2948, + 2949, 2950, 2948, 2952, 2952, 2963, 2949, 2953, 2954, 2954, + 2943, 2955, 2944, 2958, 2953, 2959, 2955, 2957, 2957, 2950, + 2960, 2961, 2958, 2963, 2959, 2964, 2964, 2965, 2965, 2960, + 2961, 2966, 2967, 2968, 2969, 2966, 2970, 2971, 2974, 0, + 2973, 2967, 2971, 2971, 2975, 2969, 2981, 2974, 2975, 2979, + 2984, 2970, 2968, 2973, 2979, 2980, 2980, 2983, 2983, 2985, - 3017, 3026, 3027, 3019, 3030, 3030, 3016, 3027, 3032, 3032, - 3033, 3025, 3034, 3035, 3037, 3033, 3036, 3038, 3038, 3035, - 3026, 3041, 3037, 3043, 3039, 3041, 3034, 3042, 3036, 3039, - 3044, 3045, 3042, 3046, 3047, 3050, 3045, 3051, 3049, 3052, - 3047, 0, 3054, 3043, 3056, 3046, 3049, 3055, 3057, 3062, - 3044, 3058, 3061, 3060, 3050, 3062, 3058, 3051, 3060, 3052, - 3054, 3056, 3056, 3055, 3065, 3063, 3067, 3078, 3066, 3057, - 3063, 3066, 3061, 3070, 3070, 3071, 3071, 3072, 0, 3067, - 3077, 3072, 3076, 3076, 3065, 3077, 3078, 3079, 3079, 3081, - 3081, 3082, 3082, 3085, 3082, 3083, 3083, 3085, 3083, 3084, + 2981, 2986, 2988, 2988, 2984, 2989, 2990, 2994, 2995, 2998, + 
2999, 2996, 3003, 2995, 2989, 3001, 2999, 3005, 2990, 2986, + 2996, 3006, 3005, 3010, 2985, 3008, 3006, 3001, 3010, 2998, + 3007, 3007, 2994, 3003, 3008, 3011, 3012, 3013, 3013, 3015, + 3015, 3013, 3016, 3016, 3017, 3017, 3018, 3019, 3011, 3020, + 3012, 3021, 3023, 3027, 3024, 3018, 3021, 3025, 3023, 3024, + 3026, 3026, 3025, 3028, 3029, 3030, 3031, 3019, 3020, 3033, + 3030, 3027, 3032, 3034, 3034, 3028, 3036, 3037, 3032, 3040, + 3036, 3038, 3037, 3044, 3031, 3029, 3038, 3039, 3039, 3041, + 3042, 3046, 3046, 3048, 3033, 3049, 3050, 3051, 3040, 3053, - 3084, 3087, 3084, 3088, 3089, 3089, 3087, 3090, 3091, 3094, - 3095, 3096, 3088, 3097, 3097, 3100, 3096, 3101, 3103, 3102, - 3104, 3106, 3091, 3102, 3101, 3090, 3107, 3103, 3109, 3094, - 3095, 3107, 3108, 3108, 3113, 3104, 3118, 3109, 0, 3106, - 3100, 3110, 3110, 3111, 3111, 3112, 3112, 3114, 3115, 3113, - 3116, 3119, 3114, 3117, 3120, 3116, 3116, 3115, 3121, 3117, - 3115, 3118, 3122, 3121, 3123, 3125, 3119, 3122, 3124, 3124, - 3126, 3125, 3127, 3127, 3129, 3120, 3126, 3128, 3128, 3130, - 3133, 3133, 3136, 3123, 3130, 3135, 3135, 3139, 3139, 3129, - 3147, 3136, 3140, 3140, 3141, 3141, 3142, 3142, 3143, 3143, + 3054, 3051, 3052, 3044, 3041, 3042, 3048, 3056, 3049, 3050, + 3055, 3052, 3056, 3057, 3059, 3053, 3058, 3058, 3055, 3054, + 3060, 3061, 3063, 3059, 3062, 3062, 3066, 3070, 3067, 3068, + 3068, 3066, 3066, 3057, 3067, 3072, 3072, 3074, 3060, 3075, + 3076, 3063, 3077, 3082, 3078, 3076, 3085, 3061, 3070, 3078, + 3081, 3081, 3083, 3074, 3084, 3075, 3086, 3089, 3077, 3090, + 3084, 3083, 3093, 3082, 3088, 3088, 3091, 3091, 3093, 3085, + 3095, 3089, 3097, 3096, 3099, 3086, 3102, 3097, 3090, 3096, + 3100, 3100, 3101, 3101, 3103, 3104, 3104, 3105, 3106, 3107, + 3095, 3102, 3109, 3108, 3110, 3111, 3099, 3106, 3105, 3108, - 3144, 3144, 3145, 3145, 3146, 3146, 3149, 3150, 3150, 3151, - 3152, 3153, 3157, 3155, 3159, 3149, 3147, 3158, 3151, 3156, - 3156, 3163, 3152, 3160, 3160, 3167, 3159, 3157, 3161, 3161, - 3158, 3153, 3155, 
3164, 3164, 3168, 3163, 3169, 3168, 3170, - 3170, 3171, 3173, 3167, 3174, 3173, 3175, 3176, 3177, 3179, - 3174, 3178, 3176, 3182, 3185, 3181, 3186, 3189, 3185, 3171, - 3175, 3181, 3182, 3169, 3201, 3179, 3206, 3177, 3198, 3178, - 3208, 3186, 3199, 3198, 3208, 3199, 3209, 3201, 3202, 3202, - 3203, 3203, 3207, 3189, 3204, 3204, 3211, 3213, 3214, 3206, - 3215, 3207, 3216, 3217, 3216, 3215, 3209, 3218, 3218, 3214, + 3112, 3112, 3113, 3121, 3103, 3104, 3110, 3114, 3120, 3107, + 3114, 3109, 3126, 3115, 0, 3111, 3115, 3113, 3116, 3116, + 3120, 3122, 3125, 3121, 3123, 3123, 3124, 3122, 3125, 3124, + 3126, 3128, 3129, 3129, 3130, 3131, 3128, 3132, 3133, 3130, + 3134, 3134, 3137, 3132, 3138, 3136, 3139, 3140, 3140, 3141, + 3142, 0, 3143, 3148, 3131, 3133, 3133, 3136, 3148, 3139, + 3137, 3143, 3145, 3145, 3146, 3146, 3142, 3149, 3141, 3138, + 3147, 3147, 3150, 3151, 3151, 3152, 3152, 3150, 3153, 3153, + 3155, 3149, 3154, 3154, 3156, 3157, 3161, 3158, 3160, 3160, + 3165, 3157, 3158, 3155, 3163, 3163, 3167, 3168, 3169, 3170, - 3211, 3219, 3220, 3222, 3221, 3223, 3225, 3227, 3217, 3224, - 3213, 3226, 3227, 3228, 3219, 3225, 3230, 3230, 3231, 3222, - 3229, 3220, 3221, 3226, 3224, 3229, 3232, 3236, 3237, 3245, - 3223, 3232, 3238, 3238, 3228, 3239, 3240, 3240, 3231, 3241, - 3241, 3236, 3242, 3242, 3239, 3243, 3243, 3244, 3237, 3245, - 3246, 3247, 3248, 3246, 3249, 3250, 3247, 3248, 3251, 3252, - 3253, 3256, 3254, 3260, 3251, 3261, 3244, 3254, 3255, 3255, - 3250, 3264, 3253, 3252, 3257, 3257, 3259, 3259, 3260, 3249, - 3266, 3256, 3262, 3262, 3261, 3271, 3264, 3269, 3269, 3270, - 3270, 3272, 3275, 3271, 3273, 3274, 3276, 3277, 3266, 3278, + 3171, 3171, 3161, 3173, 3173, 3174, 3175, 3177, 3176, 3165, + 3156, 3178, 3179, 3179, 3180, 3180, 3182, 3169, 3167, 3168, + 3178, 3170, 3176, 3183, 3184, 3175, 3185, 3177, 3186, 3183, + 3189, 3174, 0, 3186, 3182, 3190, 3190, 3192, 3192, 3194, + 3196, 3193, 3195, 3203, 3184, 3185, 3193, 3197, 3195, 3198, + 3198, 3189, 3196, 3194, 3199, 3197, 3201, 
3202, 3204, 3199, + 3201, 3205, 3202, 3203, 3206, 3207, 3205, 3209, 3210, 3211, + 3212, 3207, 3215, 3214, 3240, 3209, 3206, 3216, 3204, 3217, + 3218, 3220, 3221, 3225, 3227, 3218, 3220, 3210, 3215, 3211, + 3212, 3214, 3222, 3240, 3216, 3216, 3223, 3227, 3222, 0, - 3273, 3274, 3279, 3279, 3278, 3284, 3275, 3281, 3281, 3276, - 3272, 3285, 3290, 3287, 3288, 3291, 3277, 3292, 3288, 3295, - 3291, 3293, 3294, 3296, 3297, 3301, 3284, 3287, 3296, 3297, - 3302, 3285, 3290, 3303, 3293, 3294, 3292, 3306, 3295, 3298, - 3298, 3304, 3304, 3306, 3305, 3301, 3307, 3307, 3302, 3305, - 3308, 3309, 3303, 3310, 3311, 3308, 3309, 3312, 3310, 3314, - 3314, 3315, 3319, 3312, 3316, 3316, 3315, 3318, 3320, 3321, - 3322, 3318, 3323, 3311, 3324, 3320, 3332, 3325, 3323, 3327, - 3327, 3319, 3329, 3329, 3333, 3330, 3331, 3334, 3321, 3322, - 3325, 3331, 3337, 3324, 3330, 3332, 3336, 3330, 3335, 3335, + 3217, 3223, 3221, 3225, 3226, 3231, 3231, 3226, 3232, 3232, + 3233, 3238, 3238, 3239, 3233, 3241, 3241, 3243, 3239, 3245, + 3245, 3246, 3246, 3250, 3246, 3247, 3247, 3250, 3247, 3248, + 3248, 3255, 3243, 3249, 3249, 3252, 3249, 3253, 3254, 3254, + 3252, 3256, 3259, 3259, 3260, 3261, 3253, 3262, 3264, 3255, + 3263, 3263, 3262, 3267, 3268, 3256, 3269, 3270, 3271, 3273, + 3269, 3268, 3274, 3276, 3260, 3261, 3270, 3274, 3264, 3275, + 3275, 3280, 3276, 3271, 3277, 3277, 3285, 3273, 3267, 3278, + 3278, 3279, 3279, 3281, 3282, 3283, 3280, 3286, 3281, 3284, + 3283, 3283, 3287, 3282, 3288, 3284, 3282, 3290, 3289, 3288, - 3334, 3336, 3339, 3333, 3341, 3337, 3340, 3340, 3342, 3342, - 3343, 3343, 3344, 3345, 3346, 3347, 3347, 3344, 0, 3348, - 3345, 3350, 3350, 3341, 3348, 3349, 3353, 3349, 3339, 3351, - 3352, 3355, 3358, 3346, 3354, 3362, 3351, 3352, 3360, 3354, - 3357, 3357, 3361, 3360, 3363, 3353, 3367, 3361, 3364, 3364, - 3355, 3358, 3366, 3366, 3362, 3368, 3369, 3369, 3370, 3370, - 3371, 3373, 3373, 3363, 3375, 3367, 3381, 3371, 3374, 3374, - 3377, 3375, 3380, 3382, 3368, 3377, 0, 3380, 3383, 3383, - 
3384, 3384, 0, 0, 0, 3381, 0, 0, 0, 0, - 0, 0, 3382, 3388, 3388, 3388, 3388, 3388, 3388, 3388, + 3292, 3285, 3286, 3289, 3291, 3291, 3292, 3296, 3293, 3294, + 3294, 3295, 3295, 3287, 3293, 3297, 3290, 3300, 3300, 3303, + 3297, 3305, 3296, 3302, 3302, 3307, 3307, 3316, 3303, 3308, + 3308, 3309, 3309, 3310, 3310, 3312, 3312, 3313, 3313, 3305, + 3314, 3314, 3315, 3315, 3322, 3318, 3319, 3319, 3320, 3320, + 3321, 3323, 3328, 3316, 3318, 3326, 3322, 3325, 3325, 3321, + 3327, 3327, 3329, 3334, 3330, 3331, 3331, 3328, 3332, 3332, + 3338, 3323, 3335, 3335, 3326, 3329, 3330, 3339, 3334, 3340, + 3339, 3341, 3341, 3342, 3344, 3345, 3346, 3344, 3338, 3347, + 3348, 3345, 3349, 3352, 3347, 3350, 3360, 3353, 3356, 3352, - 3389, 3389, 3389, 3389, 3389, 3389, 3389, 3390, 3390, 3390, - 3390, 3390, 3390, 3390, 3391, 3391, 3391, 3391, 3391, 3391, - 3391, 3392, 3392, 3392, 3392, 3392, 3392, 3392, 3393, 3393, - 3393, 3393, 3393, 3393, 3393, 3394, 3394, 3394, 3394, 3394, - 3394, 3394, 3396, 3396, 0, 3396, 3396, 3396, 3396, 3397, - 3397, 0, 0, 0, 3397, 3397, 3398, 3398, 0, 0, - 3398, 0, 3398, 3399, 0, 0, 0, 0, 0, 3399, - 3400, 3400, 0, 0, 0, 3400, 3400, 3401, 0, 0, - 0, 0, 0, 3401, 3402, 3402, 0, 3402, 3402, 3402, - 3402, 3403, 0, 0, 0, 0, 0, 3403, 3404, 3404, + 3346, 3342, 3356, 3357, 3361, 3340, 3353, 3370, 3374, 3348, + 3349, 3350, 3370, 3371, 3375, 3375, 3371, 3380, 3357, 3376, + 3376, 3374, 3360, 3381, 3361, 3378, 3378, 3382, 3383, 3385, + 3387, 3382, 3381, 3388, 3389, 3390, 3391, 3390, 3394, 3389, + 3380, 3392, 3392, 3385, 3388, 3393, 3395, 3396, 3383, 3397, + 3398, 3391, 3399, 3387, 3400, 3401, 3402, 3394, 3393, 3404, + 3401, 3399, 3403, 3396, 3395, 3398, 3400, 3403, 3405, 3405, + 3406, 3407, 3411, 3412, 3397, 3414, 3407, 3402, 3404, 3413, + 3413, 3415, 3415, 3419, 3414, 3420, 3411, 3416, 3416, 3424, + 3406, 3417, 3417, 3412, 3418, 3418, 3421, 3425, 3422, 3421, - 0, 0, 0, 3404, 3404, 3405, 3405, 0, 3405, 3405, - 3405, 3405, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, - 3387, 
3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, - 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, - 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, 3387, - 3387, 3387, 3387 + 3436, 3423, 3419, 3422, 3426, 3420, 3423, 3427, 3428, 3431, + 3426, 3429, 3425, 3437, 3424, 3436, 3429, 3430, 3430, 3440, + 3428, 3427, 3432, 3432, 3433, 3433, 3435, 3435, 3442, 3431, + 3438, 3438, 3437, 3447, 3440, 3445, 3445, 3446, 3446, 3448, + 3451, 3447, 3449, 3450, 3452, 3453, 3442, 3454, 3449, 3450, + 3455, 3455, 3454, 3461, 3451, 3457, 3457, 3452, 3448, 3462, + 3467, 3464, 3465, 3468, 3453, 3469, 3465, 3472, 3468, 3470, + 3471, 3473, 3474, 3478, 3461, 3464, 3473, 3474, 3479, 3462, + 3467, 3480, 3470, 3471, 3469, 3483, 3472, 3475, 3475, 3481, + 3481, 3483, 3482, 3478, 3484, 3484, 3479, 3482, 3485, 3486, + + 3480, 3487, 3488, 3485, 3486, 3489, 3487, 3491, 3491, 3492, + 3496, 3489, 3493, 3493, 3492, 3495, 3497, 3498, 3499, 3495, + 3500, 3488, 3501, 3497, 3509, 3502, 3500, 3504, 3504, 3496, + 3506, 3506, 3510, 3507, 3508, 3511, 3498, 3499, 3502, 3508, + 3514, 3501, 3507, 3509, 3513, 3507, 3512, 3512, 3511, 3513, + 3516, 3510, 3518, 3514, 3517, 3517, 3519, 3519, 3520, 3520, + 3521, 3522, 3523, 3524, 3524, 3521, 0, 3525, 3522, 3527, + 3527, 3518, 3525, 3526, 3530, 3526, 3516, 3528, 3529, 3532, + 3535, 3523, 3531, 3539, 3528, 3529, 3537, 3531, 3534, 3534, + 3538, 3537, 3540, 3530, 3544, 3538, 3541, 3541, 3532, 3535, + + 3543, 3543, 3539, 3545, 3546, 3546, 3547, 3547, 3548, 3550, + 3550, 3540, 3552, 3544, 3558, 3548, 3551, 3551, 3554, 3552, + 3557, 3559, 3545, 3554, 0, 3557, 3560, 3560, 3561, 3561, + 0, 0, 0, 3558, 0, 0, 0, 0, 0, 0, + 3559, 3565, 3565, 3565, 3565, 3565, 3565, 3565, 3566, 3566, + 3566, 3566, 3566, 3566, 3566, 3567, 3567, 3567, 3567, 3567, + 3567, 3567, 3568, 3568, 3568, 3568, 3568, 3568, 3568, 3569, + 3569, 3569, 3569, 3569, 3569, 3569, 3570, 3570, 3570, 3570, + 3570, 3570, 3570, 3571, 3571, 3571, 3571, 3571, 3571, 3571, + 3573, 3573, 0, 3573, 3573, 
3573, 3573, 3574, 3574, 0, + + 0, 0, 3574, 3574, 3575, 3575, 0, 0, 3575, 0, + 3575, 3576, 0, 0, 0, 0, 0, 3576, 3577, 3577, + 0, 0, 0, 3577, 3577, 3578, 0, 0, 0, 0, + 0, 3578, 3579, 3579, 0, 3579, 3579, 3579, 3579, 3580, + 0, 0, 0, 0, 0, 3580, 3581, 3581, 0, 0, + 0, 3581, 3581, 3582, 3582, 0, 3582, 3582, 3582, 3582, + 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, + 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, + 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, + 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, 3564, + + 3564 } ; static yy_state_type yy_last_accepting_state; @@ -3212,7 +3348,7 @@ static void config_end_include(void) } #endif -#line 3213 "" +#line 3349 "" #define YY_NO_INPUT 1 #line 191 "./util/configlexer.lex" #ifndef YY_NO_UNPUT @@ -3221,9 +3357,9 @@ static void config_end_include(void) #ifndef YY_NO_INPUT #define YY_NO_INPUT 1 #endif -#line 3222 "" +#line 3358 "" -#line 3224 "" +#line 3360 "" #define INITIAL 0 #define quotedstring 1 @@ -3447,7 +3583,7 @@ YY_DECL { #line 211 "./util/configlexer.lex" -#line 3448 "" +#line 3584 "" while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ { @@ -3480,13 +3616,13 @@ yy_match: while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 3388 ) + if ( yy_current_state >= 3565 ) yy_c = yy_meta[yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; ++yy_cp; } - while ( yy_base[yy_current_state] != 6613 ); + while ( yy_base[yy_current_state] != 6961 ); yy_find_action: yy_act = yy_accept[yy_current_state]; 
@@ -3631,82 +3767,82 @@ YY_RULE_SETUP case 24: YY_RULE_SETUP #line 238 "./util/configlexer.lex" -{ YDVAR(1, VAR_EDNS_TCP_KEEPALIVE) } +{ YDVAR(1, VAR_MAX_REUSE_TCP_QUERIES) } YY_BREAK case 25: YY_RULE_SETUP #line 239 "./util/configlexer.lex" -{ YDVAR(1, VAR_EDNS_TCP_KEEPALIVE_TIMEOUT) } +{ YDVAR(1, VAR_TCP_REUSE_TIMEOUT) } YY_BREAK case 26: YY_RULE_SETUP #line 240 "./util/configlexer.lex" -{ YDVAR(1, VAR_SSL_UPSTREAM) } +{ YDVAR(1, VAR_TCP_AUTH_QUERY_TIMEOUT) } YY_BREAK case 27: YY_RULE_SETUP #line 241 "./util/configlexer.lex" -{ YDVAR(1, VAR_SSL_UPSTREAM) } +{ YDVAR(1, VAR_EDNS_TCP_KEEPALIVE) } YY_BREAK case 28: YY_RULE_SETUP #line 242 "./util/configlexer.lex" -{ YDVAR(1, VAR_SSL_SERVICE_KEY) } +{ YDVAR(1, VAR_EDNS_TCP_KEEPALIVE_TIMEOUT) } YY_BREAK case 29: YY_RULE_SETUP #line 243 "./util/configlexer.lex" -{ YDVAR(1, VAR_SSL_SERVICE_KEY) } +{ YDVAR(1, VAR_SSL_UPSTREAM) } YY_BREAK case 30: YY_RULE_SETUP #line 244 "./util/configlexer.lex" -{ YDVAR(1, VAR_SSL_SERVICE_PEM) } +{ YDVAR(1, VAR_SSL_UPSTREAM) } YY_BREAK case 31: YY_RULE_SETUP #line 245 "./util/configlexer.lex" -{ YDVAR(1, VAR_SSL_SERVICE_PEM) } +{ YDVAR(1, VAR_SSL_SERVICE_KEY) } YY_BREAK case 32: YY_RULE_SETUP #line 246 "./util/configlexer.lex" -{ YDVAR(1, VAR_SSL_PORT) } +{ YDVAR(1, VAR_SSL_SERVICE_KEY) } YY_BREAK case 33: YY_RULE_SETUP #line 247 "./util/configlexer.lex" -{ YDVAR(1, VAR_SSL_PORT) } +{ YDVAR(1, VAR_SSL_SERVICE_PEM) } YY_BREAK case 34: YY_RULE_SETUP #line 248 "./util/configlexer.lex" -{ YDVAR(1, VAR_TLS_CERT_BUNDLE) } +{ YDVAR(1, VAR_SSL_SERVICE_PEM) } YY_BREAK case 35: YY_RULE_SETUP #line 249 "./util/configlexer.lex" -{ YDVAR(1, VAR_TLS_CERT_BUNDLE) } +{ YDVAR(1, VAR_SSL_PORT) } YY_BREAK case 36: YY_RULE_SETUP #line 250 "./util/configlexer.lex" -{ YDVAR(1, VAR_TLS_WIN_CERT) } +{ YDVAR(1, VAR_SSL_PORT) } YY_BREAK case 37: YY_RULE_SETUP #line 251 "./util/configlexer.lex" -{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) } +{ YDVAR(1, VAR_TLS_CERT_BUNDLE) } YY_BREAK case 38: YY_RULE_SETUP #line 252 
"./util/configlexer.lex" -{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) } +{ YDVAR(1, VAR_TLS_CERT_BUNDLE) } YY_BREAK case 39: YY_RULE_SETUP #line 253 "./util/configlexer.lex" -{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) } +{ YDVAR(1, VAR_TLS_WIN_CERT) } YY_BREAK case 40: YY_RULE_SETUP 
@@ -3716,1429 +3852,1499 @@ YY_RULE_SETUP case 41: YY_RULE_SETUP #line 255 "./util/configlexer.lex" -{ YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) } +{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) } YY_BREAK case 42: YY_RULE_SETUP #line 256 "./util/configlexer.lex" -{ YDVAR(1, VAR_TLS_CIPHERS) } +{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) } YY_BREAK case 43: YY_RULE_SETUP #line 257 "./util/configlexer.lex" -{ YDVAR(1, VAR_TLS_CIPHERSUITES) } +{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) } YY_BREAK case 44: YY_RULE_SETUP #line 258 "./util/configlexer.lex" -{ YDVAR(1, VAR_TLS_USE_SNI) } +{ YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) } YY_BREAK case 45: YY_RULE_SETUP #line 259 "./util/configlexer.lex" -{ YDVAR(1, VAR_HTTPS_PORT) } +{ YDVAR(1, VAR_TLS_CIPHERS) } YY_BREAK case 46: YY_RULE_SETUP #line 260 "./util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_ENDPOINT) } +{ YDVAR(1, VAR_TLS_CIPHERSUITES) } YY_BREAK case 47: YY_RULE_SETUP #line 261 "./util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_MAX_STREAMS) } +{ YDVAR(1, VAR_TLS_USE_SNI) } YY_BREAK case 48: YY_RULE_SETUP #line 262 "./util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) } +{ YDVAR(1, VAR_HTTPS_PORT) } YY_BREAK case 49: YY_RULE_SETUP #line 263 "./util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) } +{ YDVAR(1, VAR_HTTP_ENDPOINT) } YY_BREAK case 50: YY_RULE_SETUP #line 264 "./util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_NODELAY) } +{ YDVAR(1, VAR_HTTP_MAX_STREAMS) } YY_BREAK case 51: YY_RULE_SETUP #line 265 "./util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_NOTLS_DOWNSTREAM) } +{ YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) } YY_BREAK case 52: YY_RULE_SETUP #line 266 "./util/configlexer.lex" -{ YDVAR(1, VAR_USE_SYSTEMD) } +{ YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) } YY_BREAK case 53: YY_RULE_SETUP #line 267 "./util/configlexer.lex" -{ YDVAR(1, VAR_DO_DAEMONIZE) } +{ YDVAR(1, VAR_HTTP_NODELAY) } YY_BREAK case 54: YY_RULE_SETUP #line 268 "./util/configlexer.lex" -{ YDVAR(1, VAR_INTERFACE) } +{ YDVAR(1, VAR_HTTP_NOTLS_DOWNSTREAM) } YY_BREAK case 55: 
YY_RULE_SETUP #line 269 "./util/configlexer.lex" -{ YDVAR(1, VAR_INTERFACE) } +{ YDVAR(1, VAR_USE_SYSTEMD) } YY_BREAK case 56: YY_RULE_SETUP #line 270 "./util/configlexer.lex" -{ YDVAR(1, VAR_OUTGOING_INTERFACE) } +{ YDVAR(1, VAR_DO_DAEMONIZE) } YY_BREAK case 57: YY_RULE_SETUP #line 271 "./util/configlexer.lex" -{ YDVAR(1, VAR_INTERFACE_AUTOMATIC) } +{ YDVAR(1, VAR_INTERFACE) } YY_BREAK case 58: YY_RULE_SETUP #line 272 "./util/configlexer.lex" -{ YDVAR(1, VAR_SO_RCVBUF) } +{ YDVAR(1, VAR_INTERFACE) } YY_BREAK case 59: YY_RULE_SETUP #line 273 "./util/configlexer.lex" -{ YDVAR(1, VAR_SO_SNDBUF) } +{ YDVAR(1, VAR_OUTGOING_INTERFACE) } YY_BREAK case 60: YY_RULE_SETUP #line 274 "./util/configlexer.lex" -{ YDVAR(1, VAR_SO_REUSEPORT) } +{ YDVAR(1, VAR_INTERFACE_AUTOMATIC) } YY_BREAK case 61: YY_RULE_SETUP #line 275 "./util/configlexer.lex" -{ YDVAR(1, VAR_IP_TRANSPARENT) } +{ YDVAR(1, VAR_INTERFACE_AUTOMATIC_PORTS) } YY_BREAK case 62: YY_RULE_SETUP #line 276 "./util/configlexer.lex" -{ YDVAR(1, VAR_IP_FREEBIND) } +{ YDVAR(1, VAR_SO_RCVBUF) } YY_BREAK case 63: YY_RULE_SETUP #line 277 "./util/configlexer.lex" -{ YDVAR(1, VAR_IP_DSCP) } +{ YDVAR(1, VAR_SO_SNDBUF) } YY_BREAK case 64: YY_RULE_SETUP #line 278 "./util/configlexer.lex" -{ YDVAR(1, VAR_CHROOT) } +{ YDVAR(1, VAR_SO_REUSEPORT) } YY_BREAK case 65: YY_RULE_SETUP #line 279 "./util/configlexer.lex" -{ YDVAR(1, VAR_USERNAME) } +{ YDVAR(1, VAR_IP_TRANSPARENT) } YY_BREAK case 66: YY_RULE_SETUP #line 280 "./util/configlexer.lex" -{ YDVAR(1, VAR_DIRECTORY) } +{ YDVAR(1, VAR_IP_FREEBIND) } YY_BREAK case 67: YY_RULE_SETUP #line 281 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOGFILE) } +{ YDVAR(1, VAR_IP_DSCP) } YY_BREAK case 68: YY_RULE_SETUP #line 282 "./util/configlexer.lex" -{ YDVAR(1, VAR_PIDFILE) } +{ YDVAR(1, VAR_CHROOT) } YY_BREAK case 69: YY_RULE_SETUP #line 283 "./util/configlexer.lex" -{ YDVAR(1, VAR_ROOT_HINTS) } +{ YDVAR(1, VAR_USERNAME) } YY_BREAK case 70: YY_RULE_SETUP #line 284 "./util/configlexer.lex" -{ YDVAR(1, 
VAR_STREAM_WAIT_SIZE) } +{ YDVAR(1, VAR_DIRECTORY) } YY_BREAK case 71: YY_RULE_SETUP #line 285 "./util/configlexer.lex" -{ YDVAR(1, VAR_EDNS_BUFFER_SIZE) } +{ YDVAR(1, VAR_LOGFILE) } YY_BREAK case 72: YY_RULE_SETUP #line 286 "./util/configlexer.lex" -{ YDVAR(1, VAR_MSG_BUFFER_SIZE) } +{ YDVAR(1, VAR_PIDFILE) } YY_BREAK case 73: YY_RULE_SETUP #line 287 "./util/configlexer.lex" -{ YDVAR(1, VAR_MSG_CACHE_SIZE) } +{ YDVAR(1, VAR_ROOT_HINTS) } YY_BREAK case 74: YY_RULE_SETUP #line 288 "./util/configlexer.lex" -{ YDVAR(1, VAR_MSG_CACHE_SLABS) } +{ YDVAR(1, VAR_STREAM_WAIT_SIZE) } YY_BREAK case 75: YY_RULE_SETUP #line 289 "./util/configlexer.lex" -{ YDVAR(1, VAR_RRSET_CACHE_SIZE) } +{ YDVAR(1, VAR_EDNS_BUFFER_SIZE) } YY_BREAK case 76: YY_RULE_SETUP #line 290 "./util/configlexer.lex" -{ YDVAR(1, VAR_RRSET_CACHE_SLABS) } +{ YDVAR(1, VAR_MSG_BUFFER_SIZE) } YY_BREAK case 77: YY_RULE_SETUP #line 291 "./util/configlexer.lex" -{ YDVAR(1, VAR_CACHE_MAX_TTL) } +{ YDVAR(1, VAR_MSG_CACHE_SIZE) } YY_BREAK case 78: YY_RULE_SETUP #line 292 "./util/configlexer.lex" -{ YDVAR(1, VAR_CACHE_MAX_NEGATIVE_TTL) } +{ YDVAR(1, VAR_MSG_CACHE_SLABS) } YY_BREAK case 79: YY_RULE_SETUP #line 293 "./util/configlexer.lex" -{ YDVAR(1, VAR_CACHE_MIN_TTL) } +{ YDVAR(1, VAR_RRSET_CACHE_SIZE) } YY_BREAK case 80: YY_RULE_SETUP #line 294 "./util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_HOST_TTL) } +{ YDVAR(1, VAR_RRSET_CACHE_SLABS) } YY_BREAK case 81: YY_RULE_SETUP #line 295 "./util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_LAME_TTL) } +{ YDVAR(1, VAR_CACHE_MAX_TTL) } YY_BREAK case 82: YY_RULE_SETUP #line 296 "./util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_CACHE_SLABS) } +{ YDVAR(1, VAR_CACHE_MAX_NEGATIVE_TTL) } YY_BREAK case 83: YY_RULE_SETUP #line 297 "./util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) } +{ YDVAR(1, VAR_CACHE_MIN_TTL) } YY_BREAK case 84: YY_RULE_SETUP #line 298 "./util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) } +{ YDVAR(1, VAR_INFRA_HOST_TTL) } YY_BREAK case 85: 
YY_RULE_SETUP #line 299 "./util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_CACHE_MIN_RTT) } +{ YDVAR(1, VAR_INFRA_LAME_TTL) } YY_BREAK case 86: YY_RULE_SETUP #line 300 "./util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_KEEP_PROBING) } +{ YDVAR(1, VAR_INFRA_CACHE_SLABS) } YY_BREAK case 87: YY_RULE_SETUP #line 301 "./util/configlexer.lex" -{ YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) } +{ YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) } YY_BREAK case 88: YY_RULE_SETUP #line 302 "./util/configlexer.lex" -{ YDVAR(1, VAR_JOSTLE_TIMEOUT) } +{ YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) } YY_BREAK case 89: YY_RULE_SETUP #line 303 "./util/configlexer.lex" -{ YDVAR(1, VAR_DELAY_CLOSE) } +{ YDVAR(1, VAR_INFRA_CACHE_MIN_RTT) } YY_BREAK case 90: YY_RULE_SETUP #line 304 "./util/configlexer.lex" -{ YDVAR(1, VAR_UDP_CONNECT) } +{ YDVAR(1, VAR_INFRA_KEEP_PROBING) } YY_BREAK case 91: YY_RULE_SETUP #line 305 "./util/configlexer.lex" -{ YDVAR(1, VAR_TARGET_FETCH_POLICY) } +{ YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) } YY_BREAK case 92: YY_RULE_SETUP #line 306 "./util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) } +{ YDVAR(1, VAR_JOSTLE_TIMEOUT) } YY_BREAK case 93: YY_RULE_SETUP #line 307 "./util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_LARGE_QUERIES) } +{ YDVAR(1, VAR_DELAY_CLOSE) } YY_BREAK case 94: YY_RULE_SETUP #line 308 "./util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_GLUE) } +{ YDVAR(1, VAR_UDP_CONNECT) } YY_BREAK case 95: YY_RULE_SETUP #line 309 "./util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) } +{ YDVAR(1, VAR_TARGET_FETCH_POLICY) } YY_BREAK case 96: YY_RULE_SETUP #line 310 "./util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) } +{ YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) } YY_BREAK case 97: YY_RULE_SETUP #line 311 "./util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_REFERRAL_PATH) } +{ YDVAR(1, VAR_HARDEN_LARGE_QUERIES) } YY_BREAK case 98: YY_RULE_SETUP #line 312 "./util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) } +{ YDVAR(1, VAR_HARDEN_GLUE) } YY_BREAK case 99: YY_RULE_SETUP 
#line 313 "./util/configlexer.lex" -{ YDVAR(1, VAR_USE_CAPS_FOR_ID) } +{ YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) } YY_BREAK case 100: YY_RULE_SETUP #line 314 "./util/configlexer.lex" -{ YDVAR(1, VAR_CAPS_WHITELIST) } +{ YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) } YY_BREAK case 101: YY_RULE_SETUP #line 315 "./util/configlexer.lex" -{ YDVAR(1, VAR_CAPS_WHITELIST) } +{ YDVAR(1, VAR_HARDEN_REFERRAL_PATH) } YY_BREAK case 102: YY_RULE_SETUP #line 316 "./util/configlexer.lex" -{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } +{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) } YY_BREAK case 103: YY_RULE_SETUP #line 317 "./util/configlexer.lex" -{ YDVAR(1, VAR_PRIVATE_ADDRESS) } +{ YDVAR(1, VAR_USE_CAPS_FOR_ID) } YY_BREAK case 104: YY_RULE_SETUP #line 318 "./util/configlexer.lex" -{ YDVAR(1, VAR_PRIVATE_DOMAIN) } +{ YDVAR(1, VAR_CAPS_WHITELIST) } YY_BREAK case 105: YY_RULE_SETUP #line 319 "./util/configlexer.lex" -{ YDVAR(1, VAR_PREFETCH_KEY) } +{ YDVAR(1, VAR_CAPS_WHITELIST) } YY_BREAK case 106: YY_RULE_SETUP #line 320 "./util/configlexer.lex" -{ YDVAR(1, VAR_PREFETCH) } +{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } YY_BREAK case 107: YY_RULE_SETUP #line 321 "./util/configlexer.lex" -{ YDVAR(1, VAR_DENY_ANY) } +{ YDVAR(1, VAR_PRIVATE_ADDRESS) } YY_BREAK case 108: YY_RULE_SETUP #line 322 "./util/configlexer.lex" -{ YDVAR(0, VAR_STUB_ZONE) } +{ YDVAR(1, VAR_PRIVATE_DOMAIN) } YY_BREAK case 109: YY_RULE_SETUP #line 323 "./util/configlexer.lex" -{ YDVAR(1, VAR_NAME) } +{ YDVAR(1, VAR_PREFETCH_KEY) } YY_BREAK case 110: YY_RULE_SETUP #line 324 "./util/configlexer.lex" -{ YDVAR(1, VAR_STUB_ADDR) } +{ YDVAR(1, VAR_PREFETCH) } YY_BREAK case 111: YY_RULE_SETUP #line 325 "./util/configlexer.lex" -{ YDVAR(1, VAR_STUB_HOST) } +{ YDVAR(1, VAR_DENY_ANY) } YY_BREAK case 112: YY_RULE_SETUP #line 326 "./util/configlexer.lex" -{ YDVAR(1, VAR_STUB_PRIME) } +{ YDVAR(0, VAR_STUB_ZONE) } YY_BREAK case 113: YY_RULE_SETUP #line 327 "./util/configlexer.lex" -{ YDVAR(1, VAR_STUB_FIRST) } +{ YDVAR(1, VAR_NAME) } YY_BREAK case 
114: YY_RULE_SETUP #line 328 "./util/configlexer.lex" -{ YDVAR(1, VAR_STUB_NO_CACHE) } +{ YDVAR(1, VAR_STUB_ADDR) } YY_BREAK case 115: YY_RULE_SETUP #line 329 "./util/configlexer.lex" -{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) } +{ YDVAR(1, VAR_STUB_HOST) } YY_BREAK case 116: YY_RULE_SETUP #line 330 "./util/configlexer.lex" -{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) } +{ YDVAR(1, VAR_STUB_PRIME) } YY_BREAK case 117: YY_RULE_SETUP #line 331 "./util/configlexer.lex" -{ YDVAR(0, VAR_FORWARD_ZONE) } +{ YDVAR(1, VAR_STUB_FIRST) } YY_BREAK case 118: YY_RULE_SETUP #line 332 "./util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_ADDR) } +{ YDVAR(1, VAR_STUB_NO_CACHE) } YY_BREAK case 119: YY_RULE_SETUP #line 333 "./util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_HOST) } +{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) } YY_BREAK case 120: YY_RULE_SETUP #line 334 "./util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_FIRST) } +{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) } YY_BREAK case 121: YY_RULE_SETUP #line 335 "./util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_NO_CACHE) } +{ YDVAR(1, VAR_STUB_TCP_UPSTREAM) } YY_BREAK case 122: YY_RULE_SETUP #line 336 "./util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) } +{ YDVAR(0, VAR_FORWARD_ZONE) } YY_BREAK case 123: YY_RULE_SETUP #line 337 "./util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) } +{ YDVAR(1, VAR_FORWARD_ADDR) } YY_BREAK case 124: YY_RULE_SETUP #line 338 "./util/configlexer.lex" -{ YDVAR(0, VAR_AUTH_ZONE) } +{ YDVAR(1, VAR_FORWARD_HOST) } YY_BREAK case 125: YY_RULE_SETUP #line 339 "./util/configlexer.lex" -{ YDVAR(0, VAR_RPZ) } +{ YDVAR(1, VAR_FORWARD_FIRST) } YY_BREAK case 126: YY_RULE_SETUP #line 340 "./util/configlexer.lex" -{ YDVAR(1, VAR_TAGS) } +{ YDVAR(1, VAR_FORWARD_NO_CACHE) } YY_BREAK case 127: YY_RULE_SETUP #line 341 "./util/configlexer.lex" -{ YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) } +{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) } YY_BREAK case 128: YY_RULE_SETUP #line 342 "./util/configlexer.lex" -{ YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) } +{ YDVAR(1, 
VAR_FORWARD_SSL_UPSTREAM) } YY_BREAK case 129: YY_RULE_SETUP #line 343 "./util/configlexer.lex" -{ YDVAR(1, VAR_RPZ_LOG) } +{ YDVAR(1, VAR_FORWARD_TCP_UPSTREAM) } YY_BREAK case 130: YY_RULE_SETUP #line 344 "./util/configlexer.lex" -{ YDVAR(1, VAR_RPZ_LOG_NAME) } +{ YDVAR(0, VAR_AUTH_ZONE) } YY_BREAK case 131: YY_RULE_SETUP #line 345 "./util/configlexer.lex" -{ YDVAR(1, VAR_ZONEFILE) } +{ YDVAR(0, VAR_RPZ) } YY_BREAK case 132: YY_RULE_SETUP #line 346 "./util/configlexer.lex" -{ YDVAR(1, VAR_MASTER) } +{ YDVAR(1, VAR_TAGS) } YY_BREAK case 133: YY_RULE_SETUP #line 347 "./util/configlexer.lex" -{ YDVAR(1, VAR_MASTER) } +{ YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) } YY_BREAK case 134: YY_RULE_SETUP #line 348 "./util/configlexer.lex" -{ YDVAR(1, VAR_URL) } +{ YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) } YY_BREAK case 135: YY_RULE_SETUP #line 349 "./util/configlexer.lex" -{ YDVAR(1, VAR_ALLOW_NOTIFY) } +{ YDVAR(1, VAR_RPZ_LOG) } YY_BREAK case 136: YY_RULE_SETUP #line 350 "./util/configlexer.lex" -{ YDVAR(1, VAR_FOR_DOWNSTREAM) } +{ YDVAR(1, VAR_RPZ_LOG_NAME) } YY_BREAK case 137: YY_RULE_SETUP #line 351 "./util/configlexer.lex" -{ YDVAR(1, VAR_FOR_UPSTREAM) } +{ YDVAR(1, VAR_RPZ_SIGNAL_NXDOMAIN_RA) } YY_BREAK case 138: YY_RULE_SETUP #line 352 "./util/configlexer.lex" -{ YDVAR(1, VAR_FALLBACK_ENABLED) } +{ YDVAR(1, VAR_ZONEFILE) } YY_BREAK case 139: YY_RULE_SETUP #line 353 "./util/configlexer.lex" -{ YDVAR(0, VAR_VIEW) } +{ YDVAR(1, VAR_MASTER) } YY_BREAK case 140: YY_RULE_SETUP #line 354 "./util/configlexer.lex" -{ YDVAR(1, VAR_VIEW_FIRST) } +{ YDVAR(1, VAR_MASTER) } YY_BREAK case 141: YY_RULE_SETUP #line 355 "./util/configlexer.lex" -{ YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) } +{ YDVAR(1, VAR_URL) } YY_BREAK case 142: YY_RULE_SETUP #line 356 "./util/configlexer.lex" -{ YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) } +{ YDVAR(1, VAR_ALLOW_NOTIFY) } YY_BREAK case 143: YY_RULE_SETUP #line 357 "./util/configlexer.lex" -{ YDVAR(2, VAR_ACCESS_CONTROL) } +{ YDVAR(1, VAR_FOR_DOWNSTREAM) } YY_BREAK case 144: 
YY_RULE_SETUP #line 358 "./util/configlexer.lex" -{ YDVAR(1, VAR_SEND_CLIENT_SUBNET) } +{ YDVAR(1, VAR_FOR_UPSTREAM) } YY_BREAK case 145: YY_RULE_SETUP #line 359 "./util/configlexer.lex" -{ YDVAR(1, VAR_CLIENT_SUBNET_ZONE) } +{ YDVAR(1, VAR_FALLBACK_ENABLED) } YY_BREAK case 146: YY_RULE_SETUP #line 360 "./util/configlexer.lex" -{ YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) } +{ YDVAR(0, VAR_VIEW) } YY_BREAK case 147: YY_RULE_SETUP #line 361 "./util/configlexer.lex" -{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) } +{ YDVAR(1, VAR_VIEW_FIRST) } YY_BREAK case 148: YY_RULE_SETUP #line 362 "./util/configlexer.lex" -{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) } +{ YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) } YY_BREAK case 149: YY_RULE_SETUP #line 363 "./util/configlexer.lex" -{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) } +{ YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) } YY_BREAK case 150: YY_RULE_SETUP #line 364 "./util/configlexer.lex" -{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV4) } +{ YDVAR(2, VAR_ACCESS_CONTROL) } YY_BREAK case 151: YY_RULE_SETUP #line 365 "./util/configlexer.lex" -{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV6) } +{ YDVAR(1, VAR_SEND_CLIENT_SUBNET) } YY_BREAK case 152: YY_RULE_SETUP #line 366 "./util/configlexer.lex" -{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV4) } +{ YDVAR(1, VAR_CLIENT_SUBNET_ZONE) } YY_BREAK case 153: YY_RULE_SETUP #line 367 "./util/configlexer.lex" -{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) } +{ YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) } YY_BREAK case 154: YY_RULE_SETUP #line 368 "./util/configlexer.lex" -{ YDVAR(1, VAR_HIDE_IDENTITY) } +{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) } YY_BREAK case 155: YY_RULE_SETUP #line 369 "./util/configlexer.lex" -{ YDVAR(1, VAR_HIDE_VERSION) } +{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) } YY_BREAK case 156: YY_RULE_SETUP #line 370 "./util/configlexer.lex" -{ YDVAR(1, VAR_HIDE_TRUSTANCHOR) } +{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) } YY_BREAK case 157: YY_RULE_SETUP #line 371 "./util/configlexer.lex" -{ YDVAR(1, VAR_IDENTITY) } +{ YDVAR(1, 
VAR_MIN_CLIENT_SUBNET_IPV4) } YY_BREAK case 158: YY_RULE_SETUP #line 372 "./util/configlexer.lex" -{ YDVAR(1, VAR_VERSION) } +{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV6) } YY_BREAK case 159: YY_RULE_SETUP #line 373 "./util/configlexer.lex" -{ YDVAR(1, VAR_MODULE_CONF) } +{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV4) } YY_BREAK case 160: YY_RULE_SETUP #line 374 "./util/configlexer.lex" -{ YDVAR(1, VAR_DLV_ANCHOR) } +{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) } YY_BREAK case 161: YY_RULE_SETUP #line 375 "./util/configlexer.lex" -{ YDVAR(1, VAR_DLV_ANCHOR_FILE) } +{ YDVAR(1, VAR_HIDE_IDENTITY) } YY_BREAK case 162: YY_RULE_SETUP #line 376 "./util/configlexer.lex" -{ YDVAR(1, VAR_TRUST_ANCHOR_FILE) } +{ YDVAR(1, VAR_HIDE_VERSION) } YY_BREAK case 163: YY_RULE_SETUP #line 377 "./util/configlexer.lex" -{ YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) } +{ YDVAR(1, VAR_HIDE_TRUSTANCHOR) } YY_BREAK case 164: YY_RULE_SETUP #line 378 "./util/configlexer.lex" -{ YDVAR(1, VAR_TRUSTED_KEYS_FILE) } +{ YDVAR(1, VAR_HIDE_HTTP_USER_AGENT) } YY_BREAK case 165: YY_RULE_SETUP #line 379 "./util/configlexer.lex" -{ YDVAR(1, VAR_TRUST_ANCHOR) } +{ YDVAR(1, VAR_IDENTITY) } YY_BREAK case 166: YY_RULE_SETUP #line 380 "./util/configlexer.lex" -{ YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) } +{ YDVAR(1, VAR_VERSION) } YY_BREAK case 167: YY_RULE_SETUP #line 381 "./util/configlexer.lex" -{ YDVAR(1, VAR_ROOT_KEY_SENTINEL) } +{ YDVAR(1, VAR_HTTP_USER_AGENT) } YY_BREAK case 168: YY_RULE_SETUP #line 382 "./util/configlexer.lex" -{ YDVAR(1, VAR_VAL_OVERRIDE_DATE) } +{ YDVAR(1, VAR_MODULE_CONF) } YY_BREAK case 169: YY_RULE_SETUP #line 383 "./util/configlexer.lex" -{ YDVAR(1, VAR_VAL_SIG_SKEW_MIN) } +{ YDVAR(1, VAR_DLV_ANCHOR) } YY_BREAK case 170: YY_RULE_SETUP #line 384 "./util/configlexer.lex" -{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) } +{ YDVAR(1, VAR_DLV_ANCHOR_FILE) } YY_BREAK case 171: YY_RULE_SETUP #line 385 "./util/configlexer.lex" -{ YDVAR(1, VAR_BOGUS_TTL) } +{ YDVAR(1, VAR_TRUST_ANCHOR_FILE) } YY_BREAK case 172: YY_RULE_SETUP #line 
386 "./util/configlexer.lex" -{ YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) } +{ YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) } YY_BREAK case 173: YY_RULE_SETUP #line 387 "./util/configlexer.lex" -{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) } +{ YDVAR(1, VAR_TRUSTED_KEYS_FILE) } YY_BREAK case 174: YY_RULE_SETUP #line 388 "./util/configlexer.lex" -{ YDVAR(1, VAR_AGGRESSIVE_NSEC) } +{ YDVAR(1, VAR_TRUST_ANCHOR) } YY_BREAK case 175: YY_RULE_SETUP #line 389 "./util/configlexer.lex" -{ YDVAR(1, VAR_IGNORE_CD_FLAG) } +{ YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) } YY_BREAK case 176: YY_RULE_SETUP #line 390 "./util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_EXPIRED) } +{ YDVAR(1, VAR_ROOT_KEY_SENTINEL) } YY_BREAK case 177: YY_RULE_SETUP #line 391 "./util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) } +{ YDVAR(1, VAR_VAL_OVERRIDE_DATE) } YY_BREAK case 178: YY_RULE_SETUP #line 392 "./util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) } +{ YDVAR(1, VAR_VAL_SIG_SKEW_MIN) } YY_BREAK case 179: YY_RULE_SETUP #line 393 "./util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_EXPIRED_REPLY_TTL) } +{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) } YY_BREAK case 180: YY_RULE_SETUP #line 394 "./util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_EXPIRED_CLIENT_TIMEOUT) } +{ YDVAR(1, VAR_VAL_MAX_RESTART) } YY_BREAK case 181: YY_RULE_SETUP #line 395 "./util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_ORIGINAL_TTL) } +{ YDVAR(1, VAR_BOGUS_TTL) } YY_BREAK case 182: YY_RULE_SETUP #line 396 "./util/configlexer.lex" -{ YDVAR(1, VAR_FAKE_DSA) } +{ YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) } YY_BREAK case 183: YY_RULE_SETUP #line 397 "./util/configlexer.lex" -{ YDVAR(1, VAR_FAKE_SHA1) } +{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) } YY_BREAK case 184: YY_RULE_SETUP #line 398 "./util/configlexer.lex" -{ YDVAR(1, VAR_VAL_LOG_LEVEL) } +{ YDVAR(1, VAR_AGGRESSIVE_NSEC) } YY_BREAK case 185: YY_RULE_SETUP #line 399 "./util/configlexer.lex" -{ YDVAR(1, VAR_KEY_CACHE_SIZE) } +{ YDVAR(1, VAR_IGNORE_CD_FLAG) } YY_BREAK case 186: YY_RULE_SETUP #line 400 
"./util/configlexer.lex" -{ YDVAR(1, VAR_KEY_CACHE_SLABS) } +{ YDVAR(1, VAR_SERVE_EXPIRED) } YY_BREAK case 187: YY_RULE_SETUP #line 401 "./util/configlexer.lex" -{ YDVAR(1, VAR_NEG_CACHE_SIZE) } +{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) } YY_BREAK case 188: YY_RULE_SETUP #line 402 "./util/configlexer.lex" -{ - YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) } +{ YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) } YY_BREAK case 189: YY_RULE_SETUP -#line 404 "./util/configlexer.lex" -{ YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) } +#line 403 "./util/configlexer.lex" +{ YDVAR(1, VAR_SERVE_EXPIRED_REPLY_TTL) } YY_BREAK case 190: YY_RULE_SETUP -#line 405 "./util/configlexer.lex" -{ YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) } +#line 404 "./util/configlexer.lex" +{ YDVAR(1, VAR_SERVE_EXPIRED_CLIENT_TIMEOUT) } YY_BREAK case 191: YY_RULE_SETUP -#line 406 "./util/configlexer.lex" -{ YDVAR(1, VAR_ADD_HOLDDOWN) } +#line 405 "./util/configlexer.lex" +{ YDVAR(1, VAR_SERVE_ORIGINAL_TTL) } YY_BREAK case 192: YY_RULE_SETUP -#line 407 "./util/configlexer.lex" -{ YDVAR(1, VAR_DEL_HOLDDOWN) } +#line 406 "./util/configlexer.lex" +{ YDVAR(1, VAR_FAKE_DSA) } YY_BREAK case 193: YY_RULE_SETUP -#line 408 "./util/configlexer.lex" -{ YDVAR(1, VAR_KEEP_MISSING) } +#line 407 "./util/configlexer.lex" +{ YDVAR(1, VAR_FAKE_SHA1) } YY_BREAK case 194: YY_RULE_SETUP -#line 409 "./util/configlexer.lex" -{ YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) } +#line 408 "./util/configlexer.lex" +{ YDVAR(1, VAR_VAL_LOG_LEVEL) } YY_BREAK case 195: YY_RULE_SETUP -#line 410 "./util/configlexer.lex" -{ YDVAR(1, VAR_USE_SYSLOG) } +#line 409 "./util/configlexer.lex" +{ YDVAR(1, VAR_KEY_CACHE_SIZE) } YY_BREAK case 196: YY_RULE_SETUP -#line 411 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOG_IDENTITY) } +#line 410 "./util/configlexer.lex" +{ YDVAR(1, VAR_KEY_CACHE_SLABS) } YY_BREAK case 197: YY_RULE_SETUP -#line 412 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOG_TIME_ASCII) } +#line 411 "./util/configlexer.lex" +{ YDVAR(1, VAR_NEG_CACHE_SIZE) } YY_BREAK case 198: 
YY_RULE_SETUP -#line 413 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOG_QUERIES) } +#line 412 "./util/configlexer.lex" +{ + YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) } YY_BREAK case 199: YY_RULE_SETUP #line 414 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOG_REPLIES) } +{ YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) } YY_BREAK case 200: YY_RULE_SETUP #line 415 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOG_TAG_QUERYREPLY) } +{ YDVAR(1, VAR_ZONEMD_CHECK) } YY_BREAK case 201: YY_RULE_SETUP #line 416 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOG_LOCAL_ACTIONS) } +{ YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) } YY_BREAK case 202: YY_RULE_SETUP #line 417 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOG_SERVFAIL) } +{ YDVAR(1, VAR_ADD_HOLDDOWN) } YY_BREAK case 203: YY_RULE_SETUP #line 418 "./util/configlexer.lex" -{ YDVAR(2, VAR_LOCAL_ZONE) } +{ YDVAR(1, VAR_DEL_HOLDDOWN) } YY_BREAK case 204: YY_RULE_SETUP #line 419 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOCAL_DATA) } +{ YDVAR(1, VAR_KEEP_MISSING) } YY_BREAK case 205: YY_RULE_SETUP #line 420 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOCAL_DATA_PTR) } +{ YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) } YY_BREAK case 206: YY_RULE_SETUP #line 421 "./util/configlexer.lex" -{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) } +{ YDVAR(1, VAR_USE_SYSLOG) } YY_BREAK case 207: YY_RULE_SETUP #line 422 "./util/configlexer.lex" -{ YDVAR(1, VAR_INSECURE_LAN_ZONES) } +{ YDVAR(1, VAR_LOG_IDENTITY) } YY_BREAK case 208: YY_RULE_SETUP #line 423 "./util/configlexer.lex" -{ YDVAR(1, VAR_STATISTICS_INTERVAL) } +{ YDVAR(1, VAR_LOG_TIME_ASCII) } YY_BREAK case 209: YY_RULE_SETUP #line 424 "./util/configlexer.lex" -{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) } +{ YDVAR(1, VAR_LOG_QUERIES) } YY_BREAK case 210: YY_RULE_SETUP #line 425 "./util/configlexer.lex" -{ YDVAR(1, VAR_EXTENDED_STATISTICS) } +{ YDVAR(1, VAR_LOG_REPLIES) } YY_BREAK case 211: YY_RULE_SETUP #line 426 "./util/configlexer.lex" -{ YDVAR(1, VAR_SHM_ENABLE) } +{ YDVAR(1, VAR_LOG_TAG_QUERYREPLY) } YY_BREAK case 212: YY_RULE_SETUP #line 427 
"./util/configlexer.lex" -{ YDVAR(1, VAR_SHM_KEY) } +{ YDVAR(1, VAR_LOG_LOCAL_ACTIONS) } YY_BREAK case 213: YY_RULE_SETUP #line 428 "./util/configlexer.lex" -{ YDVAR(0, VAR_REMOTE_CONTROL) } +{ YDVAR(1, VAR_LOG_SERVFAIL) } YY_BREAK case 214: YY_RULE_SETUP #line 429 "./util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_ENABLE) } +{ YDVAR(2, VAR_LOCAL_ZONE) } YY_BREAK case 215: YY_RULE_SETUP #line 430 "./util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_INTERFACE) } +{ YDVAR(1, VAR_LOCAL_DATA) } YY_BREAK case 216: YY_RULE_SETUP #line 431 "./util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_PORT) } +{ YDVAR(1, VAR_LOCAL_DATA_PTR) } YY_BREAK case 217: YY_RULE_SETUP #line 432 "./util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_USE_CERT) } +{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) } YY_BREAK case 218: YY_RULE_SETUP #line 433 "./util/configlexer.lex" -{ YDVAR(1, VAR_SERVER_KEY_FILE) } +{ YDVAR(1, VAR_INSECURE_LAN_ZONES) } YY_BREAK case 219: YY_RULE_SETUP #line 434 "./util/configlexer.lex" -{ YDVAR(1, VAR_SERVER_CERT_FILE) } +{ YDVAR(1, VAR_STATISTICS_INTERVAL) } YY_BREAK case 220: YY_RULE_SETUP #line 435 "./util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_KEY_FILE) } +{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) } YY_BREAK case 221: YY_RULE_SETUP #line 436 "./util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_CERT_FILE) } +{ YDVAR(1, VAR_EXTENDED_STATISTICS) } YY_BREAK case 222: YY_RULE_SETUP #line 437 "./util/configlexer.lex" -{ YDVAR(1, VAR_PYTHON_SCRIPT) } +{ YDVAR(1, VAR_SHM_ENABLE) } YY_BREAK case 223: YY_RULE_SETUP #line 438 "./util/configlexer.lex" -{ YDVAR(0, VAR_PYTHON) } +{ YDVAR(1, VAR_SHM_KEY) } YY_BREAK case 224: YY_RULE_SETUP #line 439 "./util/configlexer.lex" -{ YDVAR(1, VAR_DYNLIB_FILE) } +{ YDVAR(0, VAR_REMOTE_CONTROL) } YY_BREAK case 225: YY_RULE_SETUP #line 440 "./util/configlexer.lex" -{ YDVAR(0, VAR_DYNLIB) } +{ YDVAR(1, VAR_CONTROL_ENABLE) } YY_BREAK case 226: YY_RULE_SETUP #line 441 "./util/configlexer.lex" -{ YDVAR(1, VAR_DOMAIN_INSECURE) } +{ YDVAR(1, VAR_CONTROL_INTERFACE) } YY_BREAK 
case 227: YY_RULE_SETUP #line 442 "./util/configlexer.lex" -{ YDVAR(1, VAR_MINIMAL_RESPONSES) } +{ YDVAR(1, VAR_CONTROL_PORT) } YY_BREAK case 228: YY_RULE_SETUP #line 443 "./util/configlexer.lex" -{ YDVAR(1, VAR_RRSET_ROUNDROBIN) } +{ YDVAR(1, VAR_CONTROL_USE_CERT) } YY_BREAK case 229: YY_RULE_SETUP #line 444 "./util/configlexer.lex" -{ YDVAR(1, VAR_UNKNOWN_SERVER_TIME_LIMIT) } +{ YDVAR(1, VAR_SERVER_KEY_FILE) } YY_BREAK case 230: YY_RULE_SETUP #line 445 "./util/configlexer.lex" -{ YDVAR(1, VAR_MAX_UDP_SIZE) } +{ YDVAR(1, VAR_SERVER_CERT_FILE) } YY_BREAK case 231: YY_RULE_SETUP #line 446 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNS64_PREFIX) } +{ YDVAR(1, VAR_CONTROL_KEY_FILE) } YY_BREAK case 232: YY_RULE_SETUP #line 447 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNS64_SYNTHALL) } +{ YDVAR(1, VAR_CONTROL_CERT_FILE) } YY_BREAK case 233: YY_RULE_SETUP #line 448 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNS64_IGNORE_AAAA) } +{ YDVAR(1, VAR_PYTHON_SCRIPT) } YY_BREAK case 234: YY_RULE_SETUP #line 449 "./util/configlexer.lex" -{ YDVAR(1, VAR_DEFINE_TAG) } +{ YDVAR(0, VAR_PYTHON) } YY_BREAK case 235: YY_RULE_SETUP #line 450 "./util/configlexer.lex" -{ YDVAR(2, VAR_LOCAL_ZONE_TAG) } +{ YDVAR(1, VAR_DYNLIB_FILE) } YY_BREAK case 236: YY_RULE_SETUP #line 451 "./util/configlexer.lex" -{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) } +{ YDVAR(0, VAR_DYNLIB) } YY_BREAK case 237: YY_RULE_SETUP #line 452 "./util/configlexer.lex" -{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) } +{ YDVAR(1, VAR_DOMAIN_INSECURE) } YY_BREAK case 238: YY_RULE_SETUP #line 453 "./util/configlexer.lex" -{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) } +{ YDVAR(1, VAR_MINIMAL_RESPONSES) } YY_BREAK case 239: YY_RULE_SETUP #line 454 "./util/configlexer.lex" -{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) } +{ YDVAR(1, VAR_RRSET_ROUNDROBIN) } YY_BREAK case 240: YY_RULE_SETUP #line 455 "./util/configlexer.lex" -{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) } +{ YDVAR(1, VAR_UNKNOWN_SERVER_TIME_LIMIT) } YY_BREAK case 241: YY_RULE_SETUP #line 456 
"./util/configlexer.lex" -{ YDVAR(0, VAR_DNSTAP) } +{ YDVAR(1, VAR_MAX_UDP_SIZE) } YY_BREAK case 242: YY_RULE_SETUP #line 457 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_ENABLE) } +{ YDVAR(1, VAR_DNS64_PREFIX) } YY_BREAK case 243: YY_RULE_SETUP #line 458 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_BIDIRECTIONAL) } +{ YDVAR(1, VAR_DNS64_SYNTHALL) } YY_BREAK case 244: YY_RULE_SETUP #line 459 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_SOCKET_PATH) } +{ YDVAR(1, VAR_DNS64_IGNORE_AAAA) } YY_BREAK case 245: YY_RULE_SETUP #line 460 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_IP) } +{ YDVAR(1, VAR_DEFINE_TAG) } YY_BREAK case 246: YY_RULE_SETUP #line 461 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_TLS) } +{ YDVAR(2, VAR_LOCAL_ZONE_TAG) } YY_BREAK case 247: YY_RULE_SETUP #line 462 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_TLS_SERVER_NAME) } +{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) } YY_BREAK case 248: YY_RULE_SETUP #line 463 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_TLS_CERT_BUNDLE) } +{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) } YY_BREAK case 249: YY_RULE_SETUP #line 464 "./util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_TLS_CLIENT_KEY_FILE) } +{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) } YY_BREAK case 250: YY_RULE_SETUP -#line 466 "./util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_TLS_CLIENT_CERT_FILE) } +#line 465 "./util/configlexer.lex" +{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) } YY_BREAK case 251: YY_RULE_SETUP -#line 468 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_SEND_IDENTITY) } +#line 466 "./util/configlexer.lex" +{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) } YY_BREAK case 252: YY_RULE_SETUP -#line 469 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_SEND_VERSION) } +#line 467 "./util/configlexer.lex" +{ YDVAR(0, VAR_DNSTAP) } YY_BREAK case 253: YY_RULE_SETUP -#line 470 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_IDENTITY) } +#line 468 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_ENABLE) } YY_BREAK case 254: YY_RULE_SETUP -#line 471 
"./util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_VERSION) } +#line 469 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_BIDIRECTIONAL) } YY_BREAK case 255: YY_RULE_SETUP -#line 472 "./util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES) } +#line 470 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_SOCKET_PATH) } YY_BREAK case 256: YY_RULE_SETUP -#line 474 "./util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES) } +#line 471 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_IP) } YY_BREAK case 257: YY_RULE_SETUP -#line 476 "./util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES) } +#line 472 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_TLS) } YY_BREAK case 258: YY_RULE_SETUP -#line 478 "./util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES) } +#line 473 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_TLS_SERVER_NAME) } YY_BREAK case 259: YY_RULE_SETUP -#line 480 "./util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) } +#line 474 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_TLS_CERT_BUNDLE) } YY_BREAK case 260: YY_RULE_SETUP -#line 482 "./util/configlexer.lex" +#line 475 "./util/configlexer.lex" { - YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) } + YDVAR(1, VAR_DNSTAP_TLS_CLIENT_KEY_FILE) } YY_BREAK case 261: YY_RULE_SETUP -#line 484 "./util/configlexer.lex" -{ YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) } +#line 477 "./util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_TLS_CLIENT_CERT_FILE) } YY_BREAK case 262: YY_RULE_SETUP -#line 485 "./util/configlexer.lex" -{ YDVAR(1, VAR_IP_RATELIMIT) } +#line 479 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_SEND_IDENTITY) } YY_BREAK case 263: YY_RULE_SETUP -#line 486 "./util/configlexer.lex" -{ YDVAR(1, VAR_RATELIMIT) } +#line 480 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_SEND_VERSION) } YY_BREAK case 264: YY_RULE_SETUP -#line 487 "./util/configlexer.lex" -{ YDVAR(1, VAR_IP_RATELIMIT_SLABS) } +#line 481 
"./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_IDENTITY) } YY_BREAK case 265: YY_RULE_SETUP -#line 488 "./util/configlexer.lex" -{ YDVAR(1, VAR_RATELIMIT_SLABS) } +#line 482 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_VERSION) } YY_BREAK case 266: YY_RULE_SETUP -#line 489 "./util/configlexer.lex" -{ YDVAR(1, VAR_IP_RATELIMIT_SIZE) } +#line 483 "./util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES) } YY_BREAK case 267: YY_RULE_SETUP -#line 490 "./util/configlexer.lex" -{ YDVAR(1, VAR_RATELIMIT_SIZE) } +#line 485 "./util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES) } YY_BREAK case 268: YY_RULE_SETUP -#line 491 "./util/configlexer.lex" -{ YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) } +#line 487 "./util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES) } YY_BREAK case 269: YY_RULE_SETUP -#line 492 "./util/configlexer.lex" -{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) } +#line 489 "./util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES) } YY_BREAK case 270: YY_RULE_SETUP -#line 493 "./util/configlexer.lex" -{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) } +#line 491 "./util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) } YY_BREAK case 271: YY_RULE_SETUP -#line 494 "./util/configlexer.lex" -{ YDVAR(1, VAR_RATELIMIT_FACTOR) } +#line 493 "./util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) } YY_BREAK case 272: YY_RULE_SETUP #line 495 "./util/configlexer.lex" -{ YDVAR(1, VAR_LOW_RTT) } +{ YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) } YY_BREAK case 273: YY_RULE_SETUP #line 496 "./util/configlexer.lex" -{ YDVAR(1, VAR_FAST_SERVER_NUM) } +{ YDVAR(1, VAR_IP_RATELIMIT) } YY_BREAK case 274: YY_RULE_SETUP #line 497 "./util/configlexer.lex" -{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } +{ YDVAR(1, VAR_RATELIMIT) } YY_BREAK case 275: YY_RULE_SETUP #line 498 "./util/configlexer.lex" -{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } +{ YDVAR(1, VAR_IP_RATELIMIT_SLABS) } YY_BREAK 
case 276: YY_RULE_SETUP #line 499 "./util/configlexer.lex" -{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } +{ YDVAR(1, VAR_RATELIMIT_SLABS) } YY_BREAK case 277: YY_RULE_SETUP #line 500 "./util/configlexer.lex" -{ YDVAR(2, VAR_RESPONSE_IP_TAG) } +{ YDVAR(1, VAR_IP_RATELIMIT_SIZE) } YY_BREAK case 278: YY_RULE_SETUP #line 501 "./util/configlexer.lex" -{ YDVAR(2, VAR_RESPONSE_IP) } +{ YDVAR(1, VAR_RATELIMIT_SIZE) } YY_BREAK case 279: YY_RULE_SETUP #line 502 "./util/configlexer.lex" -{ YDVAR(2, VAR_RESPONSE_IP_DATA) } +{ YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) } YY_BREAK case 280: YY_RULE_SETUP #line 503 "./util/configlexer.lex" -{ YDVAR(0, VAR_DNSCRYPT) } +{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) } YY_BREAK case 281: YY_RULE_SETUP #line 504 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_ENABLE) } +{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) } YY_BREAK case 282: YY_RULE_SETUP #line 505 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_PORT) } +{ YDVAR(1, VAR_RATELIMIT_FACTOR) } YY_BREAK case 283: YY_RULE_SETUP #line 506 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_PROVIDER) } +{ YDVAR(1, VAR_IP_RATELIMIT_BACKOFF) } YY_BREAK case 284: YY_RULE_SETUP #line 507 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) } +{ YDVAR(1, VAR_RATELIMIT_BACKOFF) } YY_BREAK case 285: YY_RULE_SETUP #line 508 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) } +{ YDVAR(1, VAR_OUTBOUND_MSG_RETRY) } YY_BREAK case 286: YY_RULE_SETUP #line 509 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT_ROTATED) } +{ YDVAR(1, VAR_LOW_RTT) } YY_BREAK case 287: YY_RULE_SETUP #line 510 "./util/configlexer.lex" -{ - YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) } +{ YDVAR(1, VAR_FAST_SERVER_NUM) } YY_BREAK case 288: YY_RULE_SETUP -#line 512 "./util/configlexer.lex" -{ - YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) } +#line 511 "./util/configlexer.lex" +{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } YY_BREAK case 289: YY_RULE_SETUP -#line 514 "./util/configlexer.lex" -{ YDVAR(1, 
VAR_DNSCRYPT_NONCE_CACHE_SIZE) } +#line 512 "./util/configlexer.lex" +{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } YY_BREAK case 290: YY_RULE_SETUP -#line 515 "./util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) } +#line 513 "./util/configlexer.lex" +{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } YY_BREAK case 291: YY_RULE_SETUP -#line 516 "./util/configlexer.lex" -{ YDVAR(1, VAR_PAD_RESPONSES) } +#line 514 "./util/configlexer.lex" +{ YDVAR(2, VAR_RESPONSE_IP_TAG) } YY_BREAK case 292: YY_RULE_SETUP -#line 517 "./util/configlexer.lex" -{ YDVAR(1, VAR_PAD_RESPONSES_BLOCK_SIZE) } +#line 515 "./util/configlexer.lex" +{ YDVAR(2, VAR_RESPONSE_IP) } YY_BREAK case 293: YY_RULE_SETUP -#line 518 "./util/configlexer.lex" -{ YDVAR(1, VAR_PAD_QUERIES) } +#line 516 "./util/configlexer.lex" +{ YDVAR(2, VAR_RESPONSE_IP_DATA) } YY_BREAK case 294: YY_RULE_SETUP -#line 519 "./util/configlexer.lex" -{ YDVAR(1, VAR_PAD_QUERIES_BLOCK_SIZE) } +#line 517 "./util/configlexer.lex" +{ YDVAR(0, VAR_DNSCRYPT) } YY_BREAK case 295: YY_RULE_SETUP -#line 520 "./util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_ENABLED) } +#line 518 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_ENABLE) } YY_BREAK case 296: YY_RULE_SETUP -#line 521 "./util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) } +#line 519 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_PORT) } YY_BREAK case 297: YY_RULE_SETUP -#line 522 "./util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_HOOK) } +#line 520 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_PROVIDER) } YY_BREAK case 298: YY_RULE_SETUP -#line 523 "./util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_MAX_TTL) } +#line 521 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) } YY_BREAK case 299: YY_RULE_SETUP -#line 524 "./util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_WHITELIST) } +#line 522 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) } YY_BREAK case 300: YY_RULE_SETUP -#line 525 "./util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_WHITELIST) } 
+#line 523 "./util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT_ROTATED) } YY_BREAK case 301: YY_RULE_SETUP -#line 526 "./util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_STRICT) } +#line 524 "./util/configlexer.lex" +{ + YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) } YY_BREAK case 302: YY_RULE_SETUP -#line 527 "./util/configlexer.lex" -{ YDVAR(0, VAR_CACHEDB) } +#line 526 "./util/configlexer.lex" +{ + YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) } YY_BREAK case 303: YY_RULE_SETUP #line 528 "./util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_BACKEND) } +{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) } YY_BREAK case 304: YY_RULE_SETUP #line 529 "./util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_SECRETSEED) } +{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) } YY_BREAK case 305: YY_RULE_SETUP #line 530 "./util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_REDISHOST) } +{ YDVAR(1, VAR_PAD_RESPONSES) } YY_BREAK case 306: YY_RULE_SETUP #line 531 "./util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_REDISPORT) } +{ YDVAR(1, VAR_PAD_RESPONSES_BLOCK_SIZE) } YY_BREAK case 307: YY_RULE_SETUP #line 532 "./util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) } +{ YDVAR(1, VAR_PAD_QUERIES) } YY_BREAK case 308: YY_RULE_SETUP #line 533 "./util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) } +{ YDVAR(1, VAR_PAD_QUERIES_BLOCK_SIZE) } YY_BREAK case 309: YY_RULE_SETUP #line 534 "./util/configlexer.lex" -{ YDVAR(0, VAR_IPSET) } +{ YDVAR(1, VAR_IPSECMOD_ENABLED) } YY_BREAK case 310: YY_RULE_SETUP #line 535 "./util/configlexer.lex" -{ YDVAR(1, VAR_IPSET_NAME_V4) } +{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) } YY_BREAK case 311: YY_RULE_SETUP #line 536 "./util/configlexer.lex" -{ YDVAR(1, VAR_IPSET_NAME_V6) } +{ YDVAR(1, VAR_IPSECMOD_HOOK) } YY_BREAK case 312: YY_RULE_SETUP #line 537 "./util/configlexer.lex" -{ YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) } +{ YDVAR(1, VAR_IPSECMOD_MAX_TTL) } YY_BREAK case 313: YY_RULE_SETUP #line 538 "./util/configlexer.lex" -{ YDVAR(2, 
VAR_TCP_CONNECTION_LIMIT) } +{ YDVAR(1, VAR_IPSECMOD_WHITELIST) } YY_BREAK case 314: YY_RULE_SETUP #line 539 "./util/configlexer.lex" -{ YDVAR(2, VAR_EDNS_CLIENT_STRING) } +{ YDVAR(1, VAR_IPSECMOD_WHITELIST) } YY_BREAK case 315: YY_RULE_SETUP #line 540 "./util/configlexer.lex" -{ YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) } +{ YDVAR(1, VAR_IPSECMOD_STRICT) } YY_BREAK case 316: YY_RULE_SETUP #line 541 "./util/configlexer.lex" -{ YDVAR(1, VAR_NSID ) } +{ YDVAR(0, VAR_CACHEDB) } YY_BREAK case 317: -/* rule 317 can match eol */ YY_RULE_SETUP #line 542 "./util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_BACKEND) } + YY_BREAK +case 318: +YY_RULE_SETUP +#line 543 "./util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_SECRETSEED) } + YY_BREAK +case 319: +YY_RULE_SETUP +#line 544 "./util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_REDISHOST) } + YY_BREAK +case 320: +YY_RULE_SETUP +#line 545 "./util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_REDISPORT) } + YY_BREAK +case 321: +YY_RULE_SETUP +#line 546 "./util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) } + YY_BREAK +case 322: +YY_RULE_SETUP +#line 547 "./util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) } + YY_BREAK +case 323: +YY_RULE_SETUP +#line 548 "./util/configlexer.lex" +{ YDVAR(0, VAR_IPSET) } + YY_BREAK +case 324: +YY_RULE_SETUP +#line 549 "./util/configlexer.lex" +{ YDVAR(1, VAR_IPSET_NAME_V4) } + YY_BREAK +case 325: +YY_RULE_SETUP +#line 550 "./util/configlexer.lex" +{ YDVAR(1, VAR_IPSET_NAME_V6) } + YY_BREAK +case 326: +YY_RULE_SETUP +#line 551 "./util/configlexer.lex" +{ YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) } + YY_BREAK +case 327: +YY_RULE_SETUP +#line 552 "./util/configlexer.lex" +{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) } + YY_BREAK +case 328: +YY_RULE_SETUP +#line 553 "./util/configlexer.lex" +{ YDVAR(2, VAR_EDNS_CLIENT_STRING) } + YY_BREAK +case 329: +YY_RULE_SETUP +#line 554 "./util/configlexer.lex" +{ YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) } + YY_BREAK +case 330: +YY_RULE_SETUP +#line 555 
"./util/configlexer.lex" +{ YDVAR(1, VAR_NSID ) } + YY_BREAK +case 331: +/* rule 331 can match eol */ +YY_RULE_SETUP +#line 556 "./util/configlexer.lex" { LEXOUT(("NL\n")); cfg_parser->line++; } YY_BREAK /* Quoted strings. Strip leading and ending quotes */ -case 318: +case 332: YY_RULE_SETUP -#line 545 "./util/configlexer.lex" +#line 559 "./util/configlexer.lex" { BEGIN(quotedstring); LEXOUT(("QS ")); } YY_BREAK case YY_STATE_EOF(quotedstring): -#line 546 "./util/configlexer.lex" +#line 560 "./util/configlexer.lex" { yyerror("EOF inside quoted string"); if(--num_args == 0) { BEGIN(INITIAL); } else { BEGIN(val); } } YY_BREAK -case 319: +case 333: YY_RULE_SETUP -#line 551 "./util/configlexer.lex" +#line 565 "./util/configlexer.lex" { LEXOUT(("STR(%s) ", yytext)); yymore(); } YY_BREAK -case 320: -/* rule 320 can match eol */ +case 334: +/* rule 334 can match eol */ YY_RULE_SETUP -#line 552 "./util/configlexer.lex" +#line 566 "./util/configlexer.lex" { yyerror("newline inside quoted string, no end \""); cfg_parser->line++; BEGIN(INITIAL); } YY_BREAK -case 321: +case 335: YY_RULE_SETUP -#line 554 "./util/configlexer.lex" +#line 568 "./util/configlexer.lex" { LEXOUT(("QE ")); if(--num_args == 0) { BEGIN(INITIAL); } 
@@ -5151,34 +5357,34 @@ YY_RULE_SETUP } YY_BREAK /* Single Quoted strings. Strip leading and ending quotes */ -case 322: +case 336: YY_RULE_SETUP -#line 566 "./util/configlexer.lex" +#line 580 "./util/configlexer.lex" { BEGIN(singlequotedstr); LEXOUT(("SQS ")); } YY_BREAK case YY_STATE_EOF(singlequotedstr): -#line 567 "./util/configlexer.lex" +#line 581 "./util/configlexer.lex" { yyerror("EOF inside quoted string"); if(--num_args == 0) { BEGIN(INITIAL); } else { BEGIN(val); } } YY_BREAK -case 323: +case 337: YY_RULE_SETUP -#line 572 "./util/configlexer.lex" +#line 586 "./util/configlexer.lex" { LEXOUT(("STR(%s) ", yytext)); yymore(); } YY_BREAK -case 324: -/* rule 324 can match eol */ +case 338: +/* rule 338 can match eol */ YY_RULE_SETUP -#line 573 "./util/configlexer.lex" +#line 587 "./util/configlexer.lex" { yyerror("newline inside quoted string, no end '"); cfg_parser->line++; BEGIN(INITIAL); } YY_BREAK -case 325: +case 339: YY_RULE_SETUP -#line 575 "./util/configlexer.lex" +#line 589 "./util/configlexer.lex" { LEXOUT(("SQE ")); if(--num_args == 0) { BEGIN(INITIAL); } 
@@ -5191,38 +5397,38 @@ YY_RULE_SETUP } YY_BREAK /* include: directive */ -case 326: +case 340: YY_RULE_SETUP -#line 587 "./util/configlexer.lex" +#line 601 "./util/configlexer.lex" { LEXOUT(("v(%s) ", yytext)); inc_prev = YYSTATE; BEGIN(include); } YY_BREAK case YY_STATE_EOF(include): -#line 589 "./util/configlexer.lex" +#line 603 "./util/configlexer.lex" { yyerror("EOF inside include directive"); BEGIN(inc_prev); } YY_BREAK -case 327: +case 341: YY_RULE_SETUP -#line 593 "./util/configlexer.lex" +#line 607 "./util/configlexer.lex" { LEXOUT(("ISP ")); /* ignore */ } YY_BREAK -case 328: -/* rule 328 can match eol */ +case 342: +/* rule 342 can match eol */ YY_RULE_SETUP -#line 594 "./util/configlexer.lex" +#line 608 "./util/configlexer.lex" { LEXOUT(("NL\n")); cfg_parser->line++;} YY_BREAK -case 329: +case 343: YY_RULE_SETUP -#line 595 "./util/configlexer.lex" +#line 609 "./util/configlexer.lex" { LEXOUT(("IQS ")); BEGIN(include_quoted); } YY_BREAK -case 330: +case 344: YY_RULE_SETUP -#line 596 "./util/configlexer.lex" +#line 610 "./util/configlexer.lex" { LEXOUT(("Iunquotedstr(%s) ", yytext)); config_start_include_glob(yytext, 0); @@ -5230,27 +5436,27 @@ YY_RULE_SETUP } YY_BREAK case YY_STATE_EOF(include_quoted): -#line 601 "./util/configlexer.lex" +#line 615 "./util/configlexer.lex" { yyerror("EOF inside quoted string"); BEGIN(inc_prev); } YY_BREAK -case 331: +case 345: YY_RULE_SETUP -#line 605 "./util/configlexer.lex" +#line 619 "./util/configlexer.lex" { LEXOUT(("ISTR(%s) ", yytext)); yymore(); } YY_BREAK -case 332: -/* rule 332 can match eol */ +case 346: +/* rule 346 can match eol */ YY_RULE_SETUP -#line 606 "./util/configlexer.lex" +#line 620 "./util/configlexer.lex" { yyerror("newline before \" in include name"); cfg_parser->line++; BEGIN(inc_prev); } YY_BREAK -case 333: +case 347: YY_RULE_SETUP -#line 608 "./util/configlexer.lex" +#line 622 "./util/configlexer.lex" { LEXOUT(("IQE ")); yytext[yyleng - 1] = '\0'; 
@@ -5260,7 +5466,7 @@ YY_RULE_SETUP YY_BREAK case YY_STATE_EOF(INITIAL): case YY_STATE_EOF(val): -#line 614 "./util/configlexer.lex" +#line 628 "./util/configlexer.lex" { LEXOUT(("LEXEOF ")); yy_set_bol(1); /* Set beginning of line, so "^" rules match. */ @@ -5275,39 +5481,39 @@ case YY_STATE_EOF(val): } YY_BREAK /* include-toplevel: directive */ -case 334: +case 348: YY_RULE_SETUP -#line 628 "./util/configlexer.lex" +#line 642 "./util/configlexer.lex" { LEXOUT(("v(%s) ", yytext)); inc_prev = YYSTATE; BEGIN(include_toplevel); } YY_BREAK case YY_STATE_EOF(include_toplevel): -#line 631 "./util/configlexer.lex" +#line 645 "./util/configlexer.lex" { yyerror("EOF inside include_toplevel directive"); BEGIN(inc_prev); } YY_BREAK -case 335: +case 349: YY_RULE_SETUP -#line 635 "./util/configlexer.lex" +#line 649 "./util/configlexer.lex" { LEXOUT(("ITSP ")); /* ignore */ } YY_BREAK -case 336: -/* rule 336 can match eol */ +case 350: +/* rule 350 can match eol */ YY_RULE_SETUP -#line 636 "./util/configlexer.lex" +#line 650 "./util/configlexer.lex" { LEXOUT(("NL\n")); cfg_parser->line++; } YY_BREAK -case 337: +case 351: YY_RULE_SETUP -#line 637 "./util/configlexer.lex" +#line 651 "./util/configlexer.lex" { LEXOUT(("ITQS ")); BEGIN(include_toplevel_quoted); } YY_BREAK -case 338: +case 352: YY_RULE_SETUP -#line 638 "./util/configlexer.lex" +#line 652 "./util/configlexer.lex" { LEXOUT(("ITunquotedstr(%s) ", yytext)); config_start_include_glob(yytext, 1); 
@@ -5316,29 +5522,29 @@ YY_RULE_SETUP } YY_BREAK case YY_STATE_EOF(include_toplevel_quoted): -#line 644 "./util/configlexer.lex" +#line 658 "./util/configlexer.lex" { yyerror("EOF inside quoted string"); BEGIN(inc_prev); } YY_BREAK -case 339: +case 353: YY_RULE_SETUP -#line 648 "./util/configlexer.lex" +#line 662 "./util/configlexer.lex" { LEXOUT(("ITSTR(%s) ", yytext)); yymore(); } YY_BREAK -case 340: -/* rule 340 can match eol */ +case 354: +/* rule 354 can match eol */ YY_RULE_SETUP -#line 649 "./util/configlexer.lex" +#line 663 "./util/configlexer.lex" { yyerror("newline before \" in include name"); cfg_parser->line++; BEGIN(inc_prev); } YY_BREAK -case 341: +case 355: YY_RULE_SETUP -#line 653 "./util/configlexer.lex" +#line 667 "./util/configlexer.lex" { LEXOUT(("ITQE ")); yytext[yyleng - 1] = '\0'; @@ -5347,33 +5553,33 @@ YY_RULE_SETUP return (VAR_FORCE_TOPLEVEL); } YY_BREAK -case 342: +case 356: YY_RULE_SETUP -#line 661 "./util/configlexer.lex" +#line 675 "./util/configlexer.lex" { LEXOUT(("unquotedstr(%s) ", yytext)); if(--num_args == 0) { BEGIN(INITIAL); } yylval.str = strdup(yytext); return STRING_ARG; } YY_BREAK -case 343: +case 357: YY_RULE_SETUP -#line 665 "./util/configlexer.lex" +#line 679 "./util/configlexer.lex" { ub_c_error_msg("unknown keyword '%s'", yytext); } YY_BREAK -case 344: +case 358: YY_RULE_SETUP -#line 669 "./util/configlexer.lex" +#line 683 "./util/configlexer.lex" { ub_c_error_msg("stray '%s'", yytext); } YY_BREAK -case 345: +case 359: YY_RULE_SETUP -#line 673 "./util/configlexer.lex" +#line 687 "./util/configlexer.lex" ECHO; YY_BREAK -#line 5374 "" +#line 5580 "" case YY_END_OF_BUFFER: { @@ -5668,7 +5874,7 @@ static int yy_get_next_buffer (void) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 3388 ) + if ( yy_current_state >= 3565 ) yy_c = yy_meta[yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; 
@@ -5696,11 +5902,11 @@ static int yy_get_next_buffer (void) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 3388 ) + if ( yy_current_state >= 3565 ) yy_c = yy_meta[yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; - yy_is_jam = (yy_current_state == 3387); + yy_is_jam = (yy_current_state == 3564); return yy_is_jam ? 0 : yy_current_state; } @@ -6339,6 +6545,6 @@ void yyfree (void * ptr ) #define YYTABLES_NAME "yytables" -#line 673 "./util/configlexer.lex" +#line 687 "./util/configlexer.lex" diff --git a/util/configlexer.lex b/util/configlexer.lex index 17d281faa..141ca9ffe 100644 --- a/util/configlexer.lex +++ b/util/configlexer.lex @@ -235,6 +235,9 @@ tcp-upstream{COLON} { YDVAR(1, VAR_TCP_UPSTREAM) } tcp-mss{COLON} { YDVAR(1, VAR_TCP_MSS) } outgoing-tcp-mss{COLON} { YDVAR(1, VAR_OUTGOING_TCP_MSS) } tcp-idle-timeout{COLON} { YDVAR(1, VAR_TCP_IDLE_TIMEOUT) } +max-reuse-tcp-queries{COLON} { YDVAR(1, VAR_MAX_REUSE_TCP_QUERIES) } +tcp-reuse-timeout{COLON} { YDVAR(1, VAR_TCP_REUSE_TIMEOUT) } +tcp-auth-query-timeout{COLON} { YDVAR(1, VAR_TCP_AUTH_QUERY_TIMEOUT) } edns-tcp-keepalive{COLON} { YDVAR(1, VAR_EDNS_TCP_KEEPALIVE) } edns-tcp-keepalive-timeout{COLON} { YDVAR(1, VAR_EDNS_TCP_KEEPALIVE_TIMEOUT) } ssl-upstream{COLON} { YDVAR(1, VAR_SSL_UPSTREAM) } @@ -269,6 +272,7 @@ interface{COLON} { YDVAR(1, VAR_INTERFACE) } ip-address{COLON} { YDVAR(1, VAR_INTERFACE) } outgoing-interface{COLON} { YDVAR(1, VAR_OUTGOING_INTERFACE) } interface-automatic{COLON} { YDVAR(1, VAR_INTERFACE_AUTOMATIC) } +interface-automatic-ports{COLON} { YDVAR(1, VAR_INTERFACE_AUTOMATIC_PORTS) } so-rcvbuf{COLON} { YDVAR(1, VAR_SO_RCVBUF) } so-sndbuf{COLON} { YDVAR(1, VAR_SO_SNDBUF) } so-reuseport{COLON} { YDVAR(1, VAR_SO_REUSEPORT) } 
@@ -328,6 +332,7 @@ stub-first{COLON} { YDVAR(1, VAR_STUB_FIRST) }
 stub-no-cache{COLON} { YDVAR(1, VAR_STUB_NO_CACHE) }
 stub-ssl-upstream{COLON} { YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
 stub-tls-upstream{COLON} { YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
+stub-tcp-upstream{COLON} { YDVAR(1, VAR_STUB_TCP_UPSTREAM) }
 forward-zone{COLON} { YDVAR(0, VAR_FORWARD_ZONE) }
 forward-addr{COLON} { YDVAR(1, VAR_FORWARD_ADDR) }
 forward-host{COLON} { YDVAR(1, VAR_FORWARD_HOST) }
@@ -335,6 +340,7 @@ forward-first{COLON} { YDVAR(1, VAR_FORWARD_FIRST) }
 forward-no-cache{COLON} { YDVAR(1, VAR_FORWARD_NO_CACHE) }
 forward-ssl-upstream{COLON} { YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
 forward-tls-upstream{COLON} { YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
+forward-tcp-upstream{COLON} { YDVAR(1, VAR_FORWARD_TCP_UPSTREAM) }
 auth-zone{COLON} { YDVAR(0, VAR_AUTH_ZONE) }
 rpz{COLON} { YDVAR(0, VAR_RPZ) }
 tags{COLON} { YDVAR(1, VAR_TAGS) }
@@ -342,6 +348,7 @@ rpz-action-override{COLON} { YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) }
 rpz-cname-override{COLON} { YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) }
 rpz-log{COLON} { YDVAR(1, VAR_RPZ_LOG) }
 rpz-log-name{COLON} { YDVAR(1, VAR_RPZ_LOG_NAME) }
+rpz-signal-nxdomain-ra{COLON} { YDVAR(1, VAR_RPZ_SIGNAL_NXDOMAIN_RA) }
 zonefile{COLON} { YDVAR(1, VAR_ZONEFILE) }
 master{COLON} { YDVAR(1, VAR_MASTER) }
 primary{COLON} { YDVAR(1, VAR_MASTER) }
@@ -368,8 +375,10 @@ max-ecs-tree-size-ipv6{COLON} { YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) }
 hide-identity{COLON} { YDVAR(1, VAR_HIDE_IDENTITY) }
 hide-version{COLON} { YDVAR(1, VAR_HIDE_VERSION) }
 hide-trustanchor{COLON} { YDVAR(1, VAR_HIDE_TRUSTANCHOR) }
+hide-http-user-agent{COLON} { YDVAR(1, VAR_HIDE_HTTP_USER_AGENT) }
 identity{COLON} { YDVAR(1, VAR_IDENTITY) }
 version{COLON} { YDVAR(1, VAR_VERSION) }
+http-user-agent{COLON} { YDVAR(1, VAR_HTTP_USER_AGENT) }
 module-config{COLON} { YDVAR(1, VAR_MODULE_CONF) }
 dlv-anchor{COLON} { YDVAR(1, VAR_DLV_ANCHOR) }
 dlv-anchor-file{COLON} { YDVAR(1, VAR_DLV_ANCHOR_FILE) }
@@ -382,6 +391,7 @@ root-key-sentinel{COLON} { YDVAR(1, VAR_ROOT_KEY_SENTINEL) }
 val-override-date{COLON} { YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
 val-sig-skew-min{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
 val-sig-skew-max{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
+val-max-restart{COLON} { YDVAR(1, VAR_VAL_MAX_RESTART) }
 val-bogus-ttl{COLON} { YDVAR(1, VAR_BOGUS_TTL) }
 val-clean-additional{COLON} { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
 val-permissive-mode{COLON} { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
@@ -402,6 +412,7 @@ neg-cache-size{COLON} { YDVAR(1, VAR_NEG_CACHE_SIZE) }
 val-nsec3-keysize-iterations{COLON} {
 YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) }
 zonemd-permissive-mode{COLON} { YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) }
+zonemd-check{COLON} { YDVAR(1, VAR_ZONEMD_CHECK) }
 zonemd-reject-absence{COLON} { YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) }
 add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) }
 del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) }
@@ -492,6 +503,9 @@ ratelimit-for-domain{COLON} { YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) }
 ratelimit-below-domain{COLON} { YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
 ip-ratelimit-factor{COLON} { YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
 ratelimit-factor{COLON} { YDVAR(1, VAR_RATELIMIT_FACTOR) }
+ip-ratelimit-backoff{COLON} { YDVAR(1, VAR_IP_RATELIMIT_BACKOFF) }
+ratelimit-backoff{COLON} { YDVAR(1, VAR_RATELIMIT_BACKOFF) }
+outbound-msg-retry{COLON} { YDVAR(1, VAR_OUTBOUND_MSG_RETRY) }
 low-rtt{COLON} { YDVAR(1, VAR_LOW_RTT) }
 fast-server-num{COLON} { YDVAR(1, VAR_FAST_SERVER_NUM) }
 low-rtt-pct{COLON} { YDVAR(1, VAR_FAST_SERVER_PERMIL) }
diff --git a/util/configparser.c b/util/configparser.c
index 4da644d3a..13b83a593 100644
--- a/util/configparser.c
+++ b/util/configparser.c
@@ -1,8 +1,8 @@ -/* A Bison parser, made by GNU Bison 3.6.4. */ +/* A Bison parser, made by GNU Bison 3.7.6. */ /* Bison implementation for Yacc-like parsers in C - Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2020 Free Software Foundation, + Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify @@ -16,7 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program. If not, see . */ + along with this program. If not, see . */ /* As a special exception, you may create a larger work that contains part or all of the Bison parser skeleton and distribute that work @@ -45,11 +45,11 @@ define necessary library symbols; they are noted "INFRINGES ON USER NAME SPACE" below. */ -/* Identify Bison output. */ -#define YYBISON 1 +/* Identify Bison output, and Bison version. */ +#define YYBISON 30706 -/* Bison version. */ -#define YYBISON_VERSION "3.6.4" +/* Bison version string. */ +#define YYBISON_VERSION "3.7.6" /* Skeleton name. */ #define YYSKELETON_NAME "yacc.c" 
@@ -119,673 +119,7 @@ extern struct config_parser_state* cfg_parser; # endif # endif -/* Use api.header.include to #include this header - instead of duplicating it here. */ -#ifndef YY_YY_UTIL_CONFIGPARSER_H_INCLUDED -# define YY_YY_UTIL_CONFIGPARSER_H_INCLUDED -/* Debug traces. */ -#ifndef YYDEBUG -# define YYDEBUG 0 -#endif -#if YYDEBUG -extern int yydebug; -#endif - -/* Token kinds. */ -#ifndef YYTOKENTYPE -# define YYTOKENTYPE - enum yytokentype - { - YYEMPTY = -2, - YYEOF = 0, /* "end of file" */ - YYerror = 256, /* error */ - YYUNDEF = 257, /* "invalid token" */ - SPACE = 258, /* SPACE */ - LETTER = 259, /* LETTER */ - NEWLINE = 260, /* NEWLINE */ - COMMENT = 261, /* COMMENT */ - COLON = 262, /* COLON */ - ANY = 263, /* ANY */ - ZONESTR = 264, /* ZONESTR */ - STRING_ARG = 265, /* STRING_ARG */ - VAR_FORCE_TOPLEVEL = 266, /* VAR_FORCE_TOPLEVEL */ - VAR_SERVER = 267, /* VAR_SERVER */ - VAR_VERBOSITY = 268, /* VAR_VERBOSITY */ - VAR_NUM_THREADS = 269, /* VAR_NUM_THREADS */ - VAR_PORT = 270, /* VAR_PORT */ - VAR_OUTGOING_RANGE = 271, /* VAR_OUTGOING_RANGE */ - VAR_INTERFACE = 272, /* VAR_INTERFACE */ - VAR_PREFER_IP4 = 273, /* VAR_PREFER_IP4 */ - VAR_DO_IP4 = 274, /* VAR_DO_IP4 */ - VAR_DO_IP6 = 275, /* VAR_DO_IP6 */ - VAR_PREFER_IP6 = 276, /* VAR_PREFER_IP6 */ - VAR_DO_UDP = 277, /* VAR_DO_UDP */ - VAR_DO_TCP = 278, /* VAR_DO_TCP */ - VAR_TCP_MSS = 279, /* VAR_TCP_MSS */ - VAR_OUTGOING_TCP_MSS = 280, /* VAR_OUTGOING_TCP_MSS */ - VAR_TCP_IDLE_TIMEOUT = 281, /* VAR_TCP_IDLE_TIMEOUT */ - VAR_EDNS_TCP_KEEPALIVE = 282, /* VAR_EDNS_TCP_KEEPALIVE */ - VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 283, /* VAR_EDNS_TCP_KEEPALIVE_TIMEOUT */ - VAR_CHROOT = 284, /* VAR_CHROOT */ - VAR_USERNAME = 285, /* VAR_USERNAME */ - VAR_DIRECTORY = 286, /* VAR_DIRECTORY */ - VAR_LOGFILE = 287, /* VAR_LOGFILE */ - VAR_PIDFILE = 288, /* VAR_PIDFILE */ - VAR_MSG_CACHE_SIZE = 289, /* VAR_MSG_CACHE_SIZE */ - VAR_MSG_CACHE_SLABS = 290, /* VAR_MSG_CACHE_SLABS */ - VAR_NUM_QUERIES_PER_THREAD = 291, /* 
VAR_NUM_QUERIES_PER_THREAD */ - VAR_RRSET_CACHE_SIZE = 292, /* VAR_RRSET_CACHE_SIZE */ - VAR_RRSET_CACHE_SLABS = 293, /* VAR_RRSET_CACHE_SLABS */ - VAR_OUTGOING_NUM_TCP = 294, /* VAR_OUTGOING_NUM_TCP */ - VAR_INFRA_HOST_TTL = 295, /* VAR_INFRA_HOST_TTL */ - VAR_INFRA_LAME_TTL = 296, /* VAR_INFRA_LAME_TTL */ - VAR_INFRA_CACHE_SLABS = 297, /* VAR_INFRA_CACHE_SLABS */ - VAR_INFRA_CACHE_NUMHOSTS = 298, /* VAR_INFRA_CACHE_NUMHOSTS */ - VAR_INFRA_CACHE_LAME_SIZE = 299, /* VAR_INFRA_CACHE_LAME_SIZE */ - VAR_NAME = 300, /* VAR_NAME */ - VAR_STUB_ZONE = 301, /* VAR_STUB_ZONE */ - VAR_STUB_HOST = 302, /* VAR_STUB_HOST */ - VAR_STUB_ADDR = 303, /* VAR_STUB_ADDR */ - VAR_TARGET_FETCH_POLICY = 304, /* VAR_TARGET_FETCH_POLICY */ - VAR_HARDEN_SHORT_BUFSIZE = 305, /* VAR_HARDEN_SHORT_BUFSIZE */ - VAR_HARDEN_LARGE_QUERIES = 306, /* VAR_HARDEN_LARGE_QUERIES */ - VAR_FORWARD_ZONE = 307, /* VAR_FORWARD_ZONE */ - VAR_FORWARD_HOST = 308, /* VAR_FORWARD_HOST */ - VAR_FORWARD_ADDR = 309, /* VAR_FORWARD_ADDR */ - VAR_DO_NOT_QUERY_ADDRESS = 310, /* VAR_DO_NOT_QUERY_ADDRESS */ - VAR_HIDE_IDENTITY = 311, /* VAR_HIDE_IDENTITY */ - VAR_HIDE_VERSION = 312, /* VAR_HIDE_VERSION */ - VAR_IDENTITY = 313, /* VAR_IDENTITY */ - VAR_VERSION = 314, /* VAR_VERSION */ - VAR_HARDEN_GLUE = 315, /* VAR_HARDEN_GLUE */ - VAR_MODULE_CONF = 316, /* VAR_MODULE_CONF */ - VAR_TRUST_ANCHOR_FILE = 317, /* VAR_TRUST_ANCHOR_FILE */ - VAR_TRUST_ANCHOR = 318, /* VAR_TRUST_ANCHOR */ - VAR_VAL_OVERRIDE_DATE = 319, /* VAR_VAL_OVERRIDE_DATE */ - VAR_BOGUS_TTL = 320, /* VAR_BOGUS_TTL */ - VAR_VAL_CLEAN_ADDITIONAL = 321, /* VAR_VAL_CLEAN_ADDITIONAL */ - VAR_VAL_PERMISSIVE_MODE = 322, /* VAR_VAL_PERMISSIVE_MODE */ - VAR_INCOMING_NUM_TCP = 323, /* VAR_INCOMING_NUM_TCP */ - VAR_MSG_BUFFER_SIZE = 324, /* VAR_MSG_BUFFER_SIZE */ - VAR_KEY_CACHE_SIZE = 325, /* VAR_KEY_CACHE_SIZE */ - VAR_KEY_CACHE_SLABS = 326, /* VAR_KEY_CACHE_SLABS */ - VAR_TRUSTED_KEYS_FILE = 327, /* VAR_TRUSTED_KEYS_FILE */ - VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 328, 
/* VAR_VAL_NSEC3_KEYSIZE_ITERATIONS */ - VAR_USE_SYSLOG = 329, /* VAR_USE_SYSLOG */ - VAR_OUTGOING_INTERFACE = 330, /* VAR_OUTGOING_INTERFACE */ - VAR_ROOT_HINTS = 331, /* VAR_ROOT_HINTS */ - VAR_DO_NOT_QUERY_LOCALHOST = 332, /* VAR_DO_NOT_QUERY_LOCALHOST */ - VAR_CACHE_MAX_TTL = 333, /* VAR_CACHE_MAX_TTL */ - VAR_HARDEN_DNSSEC_STRIPPED = 334, /* VAR_HARDEN_DNSSEC_STRIPPED */ - VAR_ACCESS_CONTROL = 335, /* VAR_ACCESS_CONTROL */ - VAR_LOCAL_ZONE = 336, /* VAR_LOCAL_ZONE */ - VAR_LOCAL_DATA = 337, /* VAR_LOCAL_DATA */ - VAR_INTERFACE_AUTOMATIC = 338, /* VAR_INTERFACE_AUTOMATIC */ - VAR_STATISTICS_INTERVAL = 339, /* VAR_STATISTICS_INTERVAL */ - VAR_DO_DAEMONIZE = 340, /* VAR_DO_DAEMONIZE */ - VAR_USE_CAPS_FOR_ID = 341, /* VAR_USE_CAPS_FOR_ID */ - VAR_STATISTICS_CUMULATIVE = 342, /* VAR_STATISTICS_CUMULATIVE */ - VAR_OUTGOING_PORT_PERMIT = 343, /* VAR_OUTGOING_PORT_PERMIT */ - VAR_OUTGOING_PORT_AVOID = 344, /* VAR_OUTGOING_PORT_AVOID */ - VAR_DLV_ANCHOR_FILE = 345, /* VAR_DLV_ANCHOR_FILE */ - VAR_DLV_ANCHOR = 346, /* VAR_DLV_ANCHOR */ - VAR_NEG_CACHE_SIZE = 347, /* VAR_NEG_CACHE_SIZE */ - VAR_HARDEN_REFERRAL_PATH = 348, /* VAR_HARDEN_REFERRAL_PATH */ - VAR_PRIVATE_ADDRESS = 349, /* VAR_PRIVATE_ADDRESS */ - VAR_PRIVATE_DOMAIN = 350, /* VAR_PRIVATE_DOMAIN */ - VAR_REMOTE_CONTROL = 351, /* VAR_REMOTE_CONTROL */ - VAR_CONTROL_ENABLE = 352, /* VAR_CONTROL_ENABLE */ - VAR_CONTROL_INTERFACE = 353, /* VAR_CONTROL_INTERFACE */ - VAR_CONTROL_PORT = 354, /* VAR_CONTROL_PORT */ - VAR_SERVER_KEY_FILE = 355, /* VAR_SERVER_KEY_FILE */ - VAR_SERVER_CERT_FILE = 356, /* VAR_SERVER_CERT_FILE */ - VAR_CONTROL_KEY_FILE = 357, /* VAR_CONTROL_KEY_FILE */ - VAR_CONTROL_CERT_FILE = 358, /* VAR_CONTROL_CERT_FILE */ - VAR_CONTROL_USE_CERT = 359, /* VAR_CONTROL_USE_CERT */ - VAR_EXTENDED_STATISTICS = 360, /* VAR_EXTENDED_STATISTICS */ - VAR_LOCAL_DATA_PTR = 361, /* VAR_LOCAL_DATA_PTR */ - VAR_JOSTLE_TIMEOUT = 362, /* VAR_JOSTLE_TIMEOUT */ - VAR_STUB_PRIME = 363, /* VAR_STUB_PRIME */ - 
VAR_UNWANTED_REPLY_THRESHOLD = 364, /* VAR_UNWANTED_REPLY_THRESHOLD */ - VAR_LOG_TIME_ASCII = 365, /* VAR_LOG_TIME_ASCII */ - VAR_DOMAIN_INSECURE = 366, /* VAR_DOMAIN_INSECURE */ - VAR_PYTHON = 367, /* VAR_PYTHON */ - VAR_PYTHON_SCRIPT = 368, /* VAR_PYTHON_SCRIPT */ - VAR_VAL_SIG_SKEW_MIN = 369, /* VAR_VAL_SIG_SKEW_MIN */ - VAR_VAL_SIG_SKEW_MAX = 370, /* VAR_VAL_SIG_SKEW_MAX */ - VAR_CACHE_MIN_TTL = 371, /* VAR_CACHE_MIN_TTL */ - VAR_VAL_LOG_LEVEL = 372, /* VAR_VAL_LOG_LEVEL */ - VAR_AUTO_TRUST_ANCHOR_FILE = 373, /* VAR_AUTO_TRUST_ANCHOR_FILE */ - VAR_KEEP_MISSING = 374, /* VAR_KEEP_MISSING */ - VAR_ADD_HOLDDOWN = 375, /* VAR_ADD_HOLDDOWN */ - VAR_DEL_HOLDDOWN = 376, /* VAR_DEL_HOLDDOWN */ - VAR_SO_RCVBUF = 377, /* VAR_SO_RCVBUF */ - VAR_EDNS_BUFFER_SIZE = 378, /* VAR_EDNS_BUFFER_SIZE */ - VAR_PREFETCH = 379, /* VAR_PREFETCH */ - VAR_PREFETCH_KEY = 380, /* VAR_PREFETCH_KEY */ - VAR_SO_SNDBUF = 381, /* VAR_SO_SNDBUF */ - VAR_SO_REUSEPORT = 382, /* VAR_SO_REUSEPORT */ - VAR_HARDEN_BELOW_NXDOMAIN = 383, /* VAR_HARDEN_BELOW_NXDOMAIN */ - VAR_IGNORE_CD_FLAG = 384, /* VAR_IGNORE_CD_FLAG */ - VAR_LOG_QUERIES = 385, /* VAR_LOG_QUERIES */ - VAR_LOG_REPLIES = 386, /* VAR_LOG_REPLIES */ - VAR_LOG_LOCAL_ACTIONS = 387, /* VAR_LOG_LOCAL_ACTIONS */ - VAR_TCP_UPSTREAM = 388, /* VAR_TCP_UPSTREAM */ - VAR_SSL_UPSTREAM = 389, /* VAR_SSL_UPSTREAM */ - VAR_SSL_SERVICE_KEY = 390, /* VAR_SSL_SERVICE_KEY */ - VAR_SSL_SERVICE_PEM = 391, /* VAR_SSL_SERVICE_PEM */ - VAR_SSL_PORT = 392, /* VAR_SSL_PORT */ - VAR_FORWARD_FIRST = 393, /* VAR_FORWARD_FIRST */ - VAR_STUB_SSL_UPSTREAM = 394, /* VAR_STUB_SSL_UPSTREAM */ - VAR_FORWARD_SSL_UPSTREAM = 395, /* VAR_FORWARD_SSL_UPSTREAM */ - VAR_TLS_CERT_BUNDLE = 396, /* VAR_TLS_CERT_BUNDLE */ - VAR_HTTPS_PORT = 397, /* VAR_HTTPS_PORT */ - VAR_HTTP_ENDPOINT = 398, /* VAR_HTTP_ENDPOINT */ - VAR_HTTP_MAX_STREAMS = 399, /* VAR_HTTP_MAX_STREAMS */ - VAR_HTTP_QUERY_BUFFER_SIZE = 400, /* VAR_HTTP_QUERY_BUFFER_SIZE */ - VAR_HTTP_RESPONSE_BUFFER_SIZE = 401, /* 
VAR_HTTP_RESPONSE_BUFFER_SIZE */ - VAR_HTTP_NODELAY = 402, /* VAR_HTTP_NODELAY */ - VAR_HTTP_NOTLS_DOWNSTREAM = 403, /* VAR_HTTP_NOTLS_DOWNSTREAM */ - VAR_STUB_FIRST = 404, /* VAR_STUB_FIRST */ - VAR_MINIMAL_RESPONSES = 405, /* VAR_MINIMAL_RESPONSES */ - VAR_RRSET_ROUNDROBIN = 406, /* VAR_RRSET_ROUNDROBIN */ - VAR_MAX_UDP_SIZE = 407, /* VAR_MAX_UDP_SIZE */ - VAR_DELAY_CLOSE = 408, /* VAR_DELAY_CLOSE */ - VAR_UDP_CONNECT = 409, /* VAR_UDP_CONNECT */ - VAR_UNBLOCK_LAN_ZONES = 410, /* VAR_UNBLOCK_LAN_ZONES */ - VAR_INSECURE_LAN_ZONES = 411, /* VAR_INSECURE_LAN_ZONES */ - VAR_INFRA_CACHE_MIN_RTT = 412, /* VAR_INFRA_CACHE_MIN_RTT */ - VAR_INFRA_KEEP_PROBING = 413, /* VAR_INFRA_KEEP_PROBING */ - VAR_DNS64_PREFIX = 414, /* VAR_DNS64_PREFIX */ - VAR_DNS64_SYNTHALL = 415, /* VAR_DNS64_SYNTHALL */ - VAR_DNS64_IGNORE_AAAA = 416, /* VAR_DNS64_IGNORE_AAAA */ - VAR_DNSTAP = 417, /* VAR_DNSTAP */ - VAR_DNSTAP_ENABLE = 418, /* VAR_DNSTAP_ENABLE */ - VAR_DNSTAP_SOCKET_PATH = 419, /* VAR_DNSTAP_SOCKET_PATH */ - VAR_DNSTAP_IP = 420, /* VAR_DNSTAP_IP */ - VAR_DNSTAP_TLS = 421, /* VAR_DNSTAP_TLS */ - VAR_DNSTAP_TLS_SERVER_NAME = 422, /* VAR_DNSTAP_TLS_SERVER_NAME */ - VAR_DNSTAP_TLS_CERT_BUNDLE = 423, /* VAR_DNSTAP_TLS_CERT_BUNDLE */ - VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 424, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */ - VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 425, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */ - VAR_DNSTAP_SEND_IDENTITY = 426, /* VAR_DNSTAP_SEND_IDENTITY */ - VAR_DNSTAP_SEND_VERSION = 427, /* VAR_DNSTAP_SEND_VERSION */ - VAR_DNSTAP_BIDIRECTIONAL = 428, /* VAR_DNSTAP_BIDIRECTIONAL */ - VAR_DNSTAP_IDENTITY = 429, /* VAR_DNSTAP_IDENTITY */ - VAR_DNSTAP_VERSION = 430, /* VAR_DNSTAP_VERSION */ - VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 431, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 432, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */ - VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 433, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */ - 
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 434, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */ - VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 435, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */ - VAR_RESPONSE_IP_TAG = 437, /* VAR_RESPONSE_IP_TAG */ - VAR_RESPONSE_IP = 438, /* VAR_RESPONSE_IP */ - VAR_RESPONSE_IP_DATA = 439, /* VAR_RESPONSE_IP_DATA */ - VAR_HARDEN_ALGO_DOWNGRADE = 440, /* VAR_HARDEN_ALGO_DOWNGRADE */ - VAR_IP_TRANSPARENT = 441, /* VAR_IP_TRANSPARENT */ - VAR_IP_DSCP = 442, /* VAR_IP_DSCP */ - VAR_DISABLE_DNSSEC_LAME_CHECK = 443, /* VAR_DISABLE_DNSSEC_LAME_CHECK */ - VAR_IP_RATELIMIT = 444, /* VAR_IP_RATELIMIT */ - VAR_IP_RATELIMIT_SLABS = 445, /* VAR_IP_RATELIMIT_SLABS */ - VAR_IP_RATELIMIT_SIZE = 446, /* VAR_IP_RATELIMIT_SIZE */ - VAR_RATELIMIT = 447, /* VAR_RATELIMIT */ - VAR_RATELIMIT_SLABS = 448, /* VAR_RATELIMIT_SLABS */ - VAR_RATELIMIT_SIZE = 449, /* VAR_RATELIMIT_SIZE */ - VAR_RATELIMIT_FOR_DOMAIN = 450, /* VAR_RATELIMIT_FOR_DOMAIN */ - VAR_RATELIMIT_BELOW_DOMAIN = 451, /* VAR_RATELIMIT_BELOW_DOMAIN */ - VAR_IP_RATELIMIT_FACTOR = 452, /* VAR_IP_RATELIMIT_FACTOR */ - VAR_RATELIMIT_FACTOR = 453, /* VAR_RATELIMIT_FACTOR */ - VAR_SEND_CLIENT_SUBNET = 454, /* VAR_SEND_CLIENT_SUBNET */ - VAR_CLIENT_SUBNET_ZONE = 455, /* VAR_CLIENT_SUBNET_ZONE */ - VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 456, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */ - VAR_CLIENT_SUBNET_OPCODE = 457, /* VAR_CLIENT_SUBNET_OPCODE */ - VAR_MAX_CLIENT_SUBNET_IPV4 = 458, /* VAR_MAX_CLIENT_SUBNET_IPV4 */ - VAR_MAX_CLIENT_SUBNET_IPV6 = 459, /* VAR_MAX_CLIENT_SUBNET_IPV6 */ - VAR_MIN_CLIENT_SUBNET_IPV4 = 460, /* VAR_MIN_CLIENT_SUBNET_IPV4 */ - VAR_MIN_CLIENT_SUBNET_IPV6 = 461, /* VAR_MIN_CLIENT_SUBNET_IPV6 */ - VAR_MAX_ECS_TREE_SIZE_IPV4 = 462, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */ - VAR_MAX_ECS_TREE_SIZE_IPV6 = 463, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */ - VAR_CAPS_WHITELIST = 464, /* VAR_CAPS_WHITELIST */ - 
VAR_CACHE_MAX_NEGATIVE_TTL = 465, /* VAR_CACHE_MAX_NEGATIVE_TTL */ - VAR_PERMIT_SMALL_HOLDDOWN = 466, /* VAR_PERMIT_SMALL_HOLDDOWN */ - VAR_QNAME_MINIMISATION = 467, /* VAR_QNAME_MINIMISATION */ - VAR_QNAME_MINIMISATION_STRICT = 468, /* VAR_QNAME_MINIMISATION_STRICT */ - VAR_IP_FREEBIND = 469, /* VAR_IP_FREEBIND */ - VAR_DEFINE_TAG = 470, /* VAR_DEFINE_TAG */ - VAR_LOCAL_ZONE_TAG = 471, /* VAR_LOCAL_ZONE_TAG */ - VAR_ACCESS_CONTROL_TAG = 472, /* VAR_ACCESS_CONTROL_TAG */ - VAR_LOCAL_ZONE_OVERRIDE = 473, /* VAR_LOCAL_ZONE_OVERRIDE */ - VAR_ACCESS_CONTROL_TAG_ACTION = 474, /* VAR_ACCESS_CONTROL_TAG_ACTION */ - VAR_ACCESS_CONTROL_TAG_DATA = 475, /* VAR_ACCESS_CONTROL_TAG_DATA */ - VAR_VIEW = 476, /* VAR_VIEW */ - VAR_ACCESS_CONTROL_VIEW = 477, /* VAR_ACCESS_CONTROL_VIEW */ - VAR_VIEW_FIRST = 478, /* VAR_VIEW_FIRST */ - VAR_SERVE_EXPIRED = 479, /* VAR_SERVE_EXPIRED */ - VAR_SERVE_EXPIRED_TTL = 480, /* VAR_SERVE_EXPIRED_TTL */ - VAR_SERVE_EXPIRED_TTL_RESET = 481, /* VAR_SERVE_EXPIRED_TTL_RESET */ - VAR_SERVE_EXPIRED_REPLY_TTL = 482, /* VAR_SERVE_EXPIRED_REPLY_TTL */ - VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 483, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */ - VAR_SERVE_ORIGINAL_TTL = 484, /* VAR_SERVE_ORIGINAL_TTL */ - VAR_FAKE_DSA = 485, /* VAR_FAKE_DSA */ - VAR_FAKE_SHA1 = 486, /* VAR_FAKE_SHA1 */ - VAR_LOG_IDENTITY = 487, /* VAR_LOG_IDENTITY */ - VAR_HIDE_TRUSTANCHOR = 488, /* VAR_HIDE_TRUSTANCHOR */ - VAR_TRUST_ANCHOR_SIGNALING = 489, /* VAR_TRUST_ANCHOR_SIGNALING */ - VAR_AGGRESSIVE_NSEC = 490, /* VAR_AGGRESSIVE_NSEC */ - VAR_USE_SYSTEMD = 491, /* VAR_USE_SYSTEMD */ - VAR_SHM_ENABLE = 492, /* VAR_SHM_ENABLE */ - VAR_SHM_KEY = 493, /* VAR_SHM_KEY */ - VAR_ROOT_KEY_SENTINEL = 494, /* VAR_ROOT_KEY_SENTINEL */ - VAR_DNSCRYPT = 495, /* VAR_DNSCRYPT */ - VAR_DNSCRYPT_ENABLE = 496, /* VAR_DNSCRYPT_ENABLE */ - VAR_DNSCRYPT_PORT = 497, /* VAR_DNSCRYPT_PORT */ - VAR_DNSCRYPT_PROVIDER = 498, /* VAR_DNSCRYPT_PROVIDER */ - VAR_DNSCRYPT_SECRET_KEY = 499, /* VAR_DNSCRYPT_SECRET_KEY */ - 
VAR_DNSCRYPT_PROVIDER_CERT = 500, /* VAR_DNSCRYPT_PROVIDER_CERT */ - VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 501, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */ - VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 502, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */ - VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 503, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */ - VAR_DNSCRYPT_NONCE_CACHE_SIZE = 504, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */ - VAR_DNSCRYPT_NONCE_CACHE_SLABS = 505, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */ - VAR_PAD_RESPONSES = 506, /* VAR_PAD_RESPONSES */ - VAR_PAD_RESPONSES_BLOCK_SIZE = 507, /* VAR_PAD_RESPONSES_BLOCK_SIZE */ - VAR_PAD_QUERIES = 508, /* VAR_PAD_QUERIES */ - VAR_PAD_QUERIES_BLOCK_SIZE = 509, /* VAR_PAD_QUERIES_BLOCK_SIZE */ - VAR_IPSECMOD_ENABLED = 510, /* VAR_IPSECMOD_ENABLED */ - VAR_IPSECMOD_HOOK = 511, /* VAR_IPSECMOD_HOOK */ - VAR_IPSECMOD_IGNORE_BOGUS = 512, /* VAR_IPSECMOD_IGNORE_BOGUS */ - VAR_IPSECMOD_MAX_TTL = 513, /* VAR_IPSECMOD_MAX_TTL */ - VAR_IPSECMOD_WHITELIST = 514, /* VAR_IPSECMOD_WHITELIST */ - VAR_IPSECMOD_STRICT = 515, /* VAR_IPSECMOD_STRICT */ - VAR_CACHEDB = 516, /* VAR_CACHEDB */ - VAR_CACHEDB_BACKEND = 517, /* VAR_CACHEDB_BACKEND */ - VAR_CACHEDB_SECRETSEED = 518, /* VAR_CACHEDB_SECRETSEED */ - VAR_CACHEDB_REDISHOST = 519, /* VAR_CACHEDB_REDISHOST */ - VAR_CACHEDB_REDISPORT = 520, /* VAR_CACHEDB_REDISPORT */ - VAR_CACHEDB_REDISTIMEOUT = 521, /* VAR_CACHEDB_REDISTIMEOUT */ - VAR_CACHEDB_REDISEXPIRERECORDS = 522, /* VAR_CACHEDB_REDISEXPIRERECORDS */ - VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 523, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */ - VAR_FOR_UPSTREAM = 524, /* VAR_FOR_UPSTREAM */ - VAR_AUTH_ZONE = 525, /* VAR_AUTH_ZONE */ - VAR_ZONEFILE = 526, /* VAR_ZONEFILE */ - VAR_MASTER = 527, /* VAR_MASTER */ - VAR_URL = 528, /* VAR_URL */ - VAR_FOR_DOWNSTREAM = 529, /* VAR_FOR_DOWNSTREAM */ - VAR_FALLBACK_ENABLED = 530, /* VAR_FALLBACK_ENABLED */ - VAR_TLS_ADDITIONAL_PORT = 531, /* VAR_TLS_ADDITIONAL_PORT */ - VAR_LOW_RTT = 532, /* VAR_LOW_RTT */ - 
VAR_LOW_RTT_PERMIL = 533, /* VAR_LOW_RTT_PERMIL */ - VAR_FAST_SERVER_PERMIL = 534, /* VAR_FAST_SERVER_PERMIL */ - VAR_FAST_SERVER_NUM = 535, /* VAR_FAST_SERVER_NUM */ - VAR_ALLOW_NOTIFY = 536, /* VAR_ALLOW_NOTIFY */ - VAR_TLS_WIN_CERT = 537, /* VAR_TLS_WIN_CERT */ - VAR_TCP_CONNECTION_LIMIT = 538, /* VAR_TCP_CONNECTION_LIMIT */ - VAR_FORWARD_NO_CACHE = 539, /* VAR_FORWARD_NO_CACHE */ - VAR_STUB_NO_CACHE = 540, /* VAR_STUB_NO_CACHE */ - VAR_LOG_SERVFAIL = 541, /* VAR_LOG_SERVFAIL */ - VAR_DENY_ANY = 542, /* VAR_DENY_ANY */ - VAR_UNKNOWN_SERVER_TIME_LIMIT = 543, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */ - VAR_LOG_TAG_QUERYREPLY = 544, /* VAR_LOG_TAG_QUERYREPLY */ - VAR_STREAM_WAIT_SIZE = 545, /* VAR_STREAM_WAIT_SIZE */ - VAR_TLS_CIPHERS = 546, /* VAR_TLS_CIPHERS */ - VAR_TLS_CIPHERSUITES = 547, /* VAR_TLS_CIPHERSUITES */ - VAR_TLS_USE_SNI = 548, /* VAR_TLS_USE_SNI */ - VAR_IPSET = 549, /* VAR_IPSET */ - VAR_IPSET_NAME_V4 = 550, /* VAR_IPSET_NAME_V4 */ - VAR_IPSET_NAME_V6 = 551, /* VAR_IPSET_NAME_V6 */ - VAR_TLS_SESSION_TICKET_KEYS = 552, /* VAR_TLS_SESSION_TICKET_KEYS */ - VAR_RPZ = 553, /* VAR_RPZ */ - VAR_TAGS = 554, /* VAR_TAGS */ - VAR_RPZ_ACTION_OVERRIDE = 555, /* VAR_RPZ_ACTION_OVERRIDE */ - VAR_RPZ_CNAME_OVERRIDE = 556, /* VAR_RPZ_CNAME_OVERRIDE */ - VAR_RPZ_LOG = 557, /* VAR_RPZ_LOG */ - VAR_RPZ_LOG_NAME = 558, /* VAR_RPZ_LOG_NAME */ - VAR_DYNLIB = 559, /* VAR_DYNLIB */ - VAR_DYNLIB_FILE = 560, /* VAR_DYNLIB_FILE */ - VAR_EDNS_CLIENT_STRING = 561, /* VAR_EDNS_CLIENT_STRING */ - VAR_EDNS_CLIENT_STRING_OPCODE = 562, /* VAR_EDNS_CLIENT_STRING_OPCODE */ - VAR_NSID = 563, /* VAR_NSID */ - VAR_ZONEMD_PERMISSIVE_MODE = 564, /* VAR_ZONEMD_PERMISSIVE_MODE */ - VAR_ZONEMD_REJECT_ABSENCE = 565 /* VAR_ZONEMD_REJECT_ABSENCE */ - }; - typedef enum yytokentype yytoken_kind_t; -#endif -/* Token kinds. 
*/ -#define YYEOF 0 -#define YYerror 256 -#define YYUNDEF 257 -#define SPACE 258 -#define LETTER 259 -#define NEWLINE 260 -#define COMMENT 261 -#define COLON 262 -#define ANY 263 -#define ZONESTR 264 -#define STRING_ARG 265 -#define VAR_FORCE_TOPLEVEL 266 -#define VAR_SERVER 267 -#define VAR_VERBOSITY 268 -#define VAR_NUM_THREADS 269 -#define VAR_PORT 270 -#define VAR_OUTGOING_RANGE 271 -#define VAR_INTERFACE 272 -#define VAR_PREFER_IP4 273 -#define VAR_DO_IP4 274 -#define VAR_DO_IP6 275 -#define VAR_PREFER_IP6 276 -#define VAR_DO_UDP 277 -#define VAR_DO_TCP 278 -#define VAR_TCP_MSS 279 -#define VAR_OUTGOING_TCP_MSS 280 -#define VAR_TCP_IDLE_TIMEOUT 281 -#define VAR_EDNS_TCP_KEEPALIVE 282 -#define VAR_EDNS_TCP_KEEPALIVE_TIMEOUT 283 -#define VAR_CHROOT 284 -#define VAR_USERNAME 285 -#define VAR_DIRECTORY 286 -#define VAR_LOGFILE 287 -#define VAR_PIDFILE 288 -#define VAR_MSG_CACHE_SIZE 289 -#define VAR_MSG_CACHE_SLABS 290 -#define VAR_NUM_QUERIES_PER_THREAD 291 -#define VAR_RRSET_CACHE_SIZE 292 -#define VAR_RRSET_CACHE_SLABS 293 -#define VAR_OUTGOING_NUM_TCP 294 -#define VAR_INFRA_HOST_TTL 295 -#define VAR_INFRA_LAME_TTL 296 -#define VAR_INFRA_CACHE_SLABS 297 -#define VAR_INFRA_CACHE_NUMHOSTS 298 -#define VAR_INFRA_CACHE_LAME_SIZE 299 -#define VAR_NAME 300 -#define VAR_STUB_ZONE 301 -#define VAR_STUB_HOST 302 -#define VAR_STUB_ADDR 303 -#define VAR_TARGET_FETCH_POLICY 304 -#define VAR_HARDEN_SHORT_BUFSIZE 305 -#define VAR_HARDEN_LARGE_QUERIES 306 -#define VAR_FORWARD_ZONE 307 -#define VAR_FORWARD_HOST 308 -#define VAR_FORWARD_ADDR 309 -#define VAR_DO_NOT_QUERY_ADDRESS 310 -#define VAR_HIDE_IDENTITY 311 -#define VAR_HIDE_VERSION 312 -#define VAR_IDENTITY 313 -#define VAR_VERSION 314 -#define VAR_HARDEN_GLUE 315 -#define VAR_MODULE_CONF 316 -#define VAR_TRUST_ANCHOR_FILE 317 -#define VAR_TRUST_ANCHOR 318 -#define VAR_VAL_OVERRIDE_DATE 319 -#define VAR_BOGUS_TTL 320 -#define VAR_VAL_CLEAN_ADDITIONAL 321 -#define VAR_VAL_PERMISSIVE_MODE 322 -#define VAR_INCOMING_NUM_TCP 
323 -#define VAR_MSG_BUFFER_SIZE 324 -#define VAR_KEY_CACHE_SIZE 325 -#define VAR_KEY_CACHE_SLABS 326 -#define VAR_TRUSTED_KEYS_FILE 327 -#define VAR_VAL_NSEC3_KEYSIZE_ITERATIONS 328 -#define VAR_USE_SYSLOG 329 -#define VAR_OUTGOING_INTERFACE 330 -#define VAR_ROOT_HINTS 331 -#define VAR_DO_NOT_QUERY_LOCALHOST 332 -#define VAR_CACHE_MAX_TTL 333 -#define VAR_HARDEN_DNSSEC_STRIPPED 334 -#define VAR_ACCESS_CONTROL 335 -#define VAR_LOCAL_ZONE 336 -#define VAR_LOCAL_DATA 337 -#define VAR_INTERFACE_AUTOMATIC 338 -#define VAR_STATISTICS_INTERVAL 339 -#define VAR_DO_DAEMONIZE 340 -#define VAR_USE_CAPS_FOR_ID 341 -#define VAR_STATISTICS_CUMULATIVE 342 -#define VAR_OUTGOING_PORT_PERMIT 343 -#define VAR_OUTGOING_PORT_AVOID 344 -#define VAR_DLV_ANCHOR_FILE 345 -#define VAR_DLV_ANCHOR 346 -#define VAR_NEG_CACHE_SIZE 347 -#define VAR_HARDEN_REFERRAL_PATH 348 -#define VAR_PRIVATE_ADDRESS 349 -#define VAR_PRIVATE_DOMAIN 350 -#define VAR_REMOTE_CONTROL 351 -#define VAR_CONTROL_ENABLE 352 -#define VAR_CONTROL_INTERFACE 353 -#define VAR_CONTROL_PORT 354 -#define VAR_SERVER_KEY_FILE 355 -#define VAR_SERVER_CERT_FILE 356 -#define VAR_CONTROL_KEY_FILE 357 -#define VAR_CONTROL_CERT_FILE 358 -#define VAR_CONTROL_USE_CERT 359 -#define VAR_EXTENDED_STATISTICS 360 -#define VAR_LOCAL_DATA_PTR 361 -#define VAR_JOSTLE_TIMEOUT 362 -#define VAR_STUB_PRIME 363 -#define VAR_UNWANTED_REPLY_THRESHOLD 364 -#define VAR_LOG_TIME_ASCII 365 -#define VAR_DOMAIN_INSECURE 366 -#define VAR_PYTHON 367 -#define VAR_PYTHON_SCRIPT 368 -#define VAR_VAL_SIG_SKEW_MIN 369 -#define VAR_VAL_SIG_SKEW_MAX 370 -#define VAR_CACHE_MIN_TTL 371 -#define VAR_VAL_LOG_LEVEL 372 -#define VAR_AUTO_TRUST_ANCHOR_FILE 373 -#define VAR_KEEP_MISSING 374 -#define VAR_ADD_HOLDDOWN 375 -#define VAR_DEL_HOLDDOWN 376 -#define VAR_SO_RCVBUF 377 -#define VAR_EDNS_BUFFER_SIZE 378 -#define VAR_PREFETCH 379 -#define VAR_PREFETCH_KEY 380 -#define VAR_SO_SNDBUF 381 -#define VAR_SO_REUSEPORT 382 -#define VAR_HARDEN_BELOW_NXDOMAIN 383 -#define 
VAR_IGNORE_CD_FLAG 384 -#define VAR_LOG_QUERIES 385 -#define VAR_LOG_REPLIES 386 -#define VAR_LOG_LOCAL_ACTIONS 387 -#define VAR_TCP_UPSTREAM 388 -#define VAR_SSL_UPSTREAM 389 -#define VAR_SSL_SERVICE_KEY 390 -#define VAR_SSL_SERVICE_PEM 391 -#define VAR_SSL_PORT 392 -#define VAR_FORWARD_FIRST 393 -#define VAR_STUB_SSL_UPSTREAM 394 -#define VAR_FORWARD_SSL_UPSTREAM 395 -#define VAR_TLS_CERT_BUNDLE 396 -#define VAR_HTTPS_PORT 397 -#define VAR_HTTP_ENDPOINT 398 -#define VAR_HTTP_MAX_STREAMS 399 -#define VAR_HTTP_QUERY_BUFFER_SIZE 400 -#define VAR_HTTP_RESPONSE_BUFFER_SIZE 401 -#define VAR_HTTP_NODELAY 402 -#define VAR_HTTP_NOTLS_DOWNSTREAM 403 -#define VAR_STUB_FIRST 404 -#define VAR_MINIMAL_RESPONSES 405 -#define VAR_RRSET_ROUNDROBIN 406 -#define VAR_MAX_UDP_SIZE 407 -#define VAR_DELAY_CLOSE 408 -#define VAR_UDP_CONNECT 409 -#define VAR_UNBLOCK_LAN_ZONES 410 -#define VAR_INSECURE_LAN_ZONES 411 -#define VAR_INFRA_CACHE_MIN_RTT 412 -#define VAR_INFRA_KEEP_PROBING 413 -#define VAR_DNS64_PREFIX 414 -#define VAR_DNS64_SYNTHALL 415 -#define VAR_DNS64_IGNORE_AAAA 416 -#define VAR_DNSTAP 417 -#define VAR_DNSTAP_ENABLE 418 -#define VAR_DNSTAP_SOCKET_PATH 419 -#define VAR_DNSTAP_IP 420 -#define VAR_DNSTAP_TLS 421 -#define VAR_DNSTAP_TLS_SERVER_NAME 422 -#define VAR_DNSTAP_TLS_CERT_BUNDLE 423 -#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 424 -#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 425 -#define VAR_DNSTAP_SEND_IDENTITY 426 -#define VAR_DNSTAP_SEND_VERSION 427 -#define VAR_DNSTAP_BIDIRECTIONAL 428 -#define VAR_DNSTAP_IDENTITY 429 -#define VAR_DNSTAP_VERSION 430 -#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 431 -#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 432 -#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 433 -#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 434 -#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 435 -#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 436 -#define VAR_RESPONSE_IP_TAG 437 -#define VAR_RESPONSE_IP 438 -#define VAR_RESPONSE_IP_DATA 439 -#define 
VAR_HARDEN_ALGO_DOWNGRADE 440 -#define VAR_IP_TRANSPARENT 441 -#define VAR_IP_DSCP 442 -#define VAR_DISABLE_DNSSEC_LAME_CHECK 443 -#define VAR_IP_RATELIMIT 444 -#define VAR_IP_RATELIMIT_SLABS 445 -#define VAR_IP_RATELIMIT_SIZE 446 -#define VAR_RATELIMIT 447 -#define VAR_RATELIMIT_SLABS 448 -#define VAR_RATELIMIT_SIZE 449 -#define VAR_RATELIMIT_FOR_DOMAIN 450 -#define VAR_RATELIMIT_BELOW_DOMAIN 451 -#define VAR_IP_RATELIMIT_FACTOR 452 -#define VAR_RATELIMIT_FACTOR 453 -#define VAR_SEND_CLIENT_SUBNET 454 -#define VAR_CLIENT_SUBNET_ZONE 455 -#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 456 -#define VAR_CLIENT_SUBNET_OPCODE 457 -#define VAR_MAX_CLIENT_SUBNET_IPV4 458 -#define VAR_MAX_CLIENT_SUBNET_IPV6 459 -#define VAR_MIN_CLIENT_SUBNET_IPV4 460 -#define VAR_MIN_CLIENT_SUBNET_IPV6 461 -#define VAR_MAX_ECS_TREE_SIZE_IPV4 462 -#define VAR_MAX_ECS_TREE_SIZE_IPV6 463 -#define VAR_CAPS_WHITELIST 464 -#define VAR_CACHE_MAX_NEGATIVE_TTL 465 -#define VAR_PERMIT_SMALL_HOLDDOWN 466 -#define VAR_QNAME_MINIMISATION 467 -#define VAR_QNAME_MINIMISATION_STRICT 468 -#define VAR_IP_FREEBIND 469 -#define VAR_DEFINE_TAG 470 -#define VAR_LOCAL_ZONE_TAG 471 -#define VAR_ACCESS_CONTROL_TAG 472 -#define VAR_LOCAL_ZONE_OVERRIDE 473 -#define VAR_ACCESS_CONTROL_TAG_ACTION 474 -#define VAR_ACCESS_CONTROL_TAG_DATA 475 -#define VAR_VIEW 476 -#define VAR_ACCESS_CONTROL_VIEW 477 -#define VAR_VIEW_FIRST 478 -#define VAR_SERVE_EXPIRED 479 -#define VAR_SERVE_EXPIRED_TTL 480 -#define VAR_SERVE_EXPIRED_TTL_RESET 481 -#define VAR_SERVE_EXPIRED_REPLY_TTL 482 -#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 483 -#define VAR_SERVE_ORIGINAL_TTL 484 -#define VAR_FAKE_DSA 485 -#define VAR_FAKE_SHA1 486 -#define VAR_LOG_IDENTITY 487 -#define VAR_HIDE_TRUSTANCHOR 488 -#define VAR_TRUST_ANCHOR_SIGNALING 489 -#define VAR_AGGRESSIVE_NSEC 490 -#define VAR_USE_SYSTEMD 491 -#define VAR_SHM_ENABLE 492 -#define VAR_SHM_KEY 493 -#define VAR_ROOT_KEY_SENTINEL 494 -#define VAR_DNSCRYPT 495 -#define VAR_DNSCRYPT_ENABLE 496 -#define 
VAR_DNSCRYPT_PORT 497 -#define VAR_DNSCRYPT_PROVIDER 498 -#define VAR_DNSCRYPT_SECRET_KEY 499 -#define VAR_DNSCRYPT_PROVIDER_CERT 500 -#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 501 -#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 502 -#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 503 -#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 504 -#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 505 -#define VAR_PAD_RESPONSES 506 -#define VAR_PAD_RESPONSES_BLOCK_SIZE 507 -#define VAR_PAD_QUERIES 508 -#define VAR_PAD_QUERIES_BLOCK_SIZE 509 -#define VAR_IPSECMOD_ENABLED 510 -#define VAR_IPSECMOD_HOOK 511 -#define VAR_IPSECMOD_IGNORE_BOGUS 512 -#define VAR_IPSECMOD_MAX_TTL 513 -#define VAR_IPSECMOD_WHITELIST 514 -#define VAR_IPSECMOD_STRICT 515 -#define VAR_CACHEDB 516 -#define VAR_CACHEDB_BACKEND 517 -#define VAR_CACHEDB_SECRETSEED 518 -#define VAR_CACHEDB_REDISHOST 519 -#define VAR_CACHEDB_REDISPORT 520 -#define VAR_CACHEDB_REDISTIMEOUT 521 -#define VAR_CACHEDB_REDISEXPIRERECORDS 522 -#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 523 -#define VAR_FOR_UPSTREAM 524 -#define VAR_AUTH_ZONE 525 -#define VAR_ZONEFILE 526 -#define VAR_MASTER 527 -#define VAR_URL 528 -#define VAR_FOR_DOWNSTREAM 529 -#define VAR_FALLBACK_ENABLED 530 -#define VAR_TLS_ADDITIONAL_PORT 531 -#define VAR_LOW_RTT 532 -#define VAR_LOW_RTT_PERMIL 533 -#define VAR_FAST_SERVER_PERMIL 534 -#define VAR_FAST_SERVER_NUM 535 -#define VAR_ALLOW_NOTIFY 536 -#define VAR_TLS_WIN_CERT 537 -#define VAR_TCP_CONNECTION_LIMIT 538 -#define VAR_FORWARD_NO_CACHE 539 -#define VAR_STUB_NO_CACHE 540 -#define VAR_LOG_SERVFAIL 541 -#define VAR_DENY_ANY 542 -#define VAR_UNKNOWN_SERVER_TIME_LIMIT 543 -#define VAR_LOG_TAG_QUERYREPLY 544 -#define VAR_STREAM_WAIT_SIZE 545 -#define VAR_TLS_CIPHERS 546 -#define VAR_TLS_CIPHERSUITES 547 -#define VAR_TLS_USE_SNI 548 -#define VAR_IPSET 549 -#define VAR_IPSET_NAME_V4 550 -#define VAR_IPSET_NAME_V6 551 -#define VAR_TLS_SESSION_TICKET_KEYS 552 -#define VAR_RPZ 553 -#define VAR_TAGS 554 -#define VAR_RPZ_ACTION_OVERRIDE 
555 -#define VAR_RPZ_CNAME_OVERRIDE 556 -#define VAR_RPZ_LOG 557 -#define VAR_RPZ_LOG_NAME 558 -#define VAR_DYNLIB 559 -#define VAR_DYNLIB_FILE 560 -#define VAR_EDNS_CLIENT_STRING 561 -#define VAR_EDNS_CLIENT_STRING_OPCODE 562 -#define VAR_NSID 563 -#define VAR_ZONEMD_PERMISSIVE_MODE 564 -#define VAR_ZONEMD_REJECT_ABSENCE 565 - -/* Value type. */ -#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED -union YYSTYPE -{ -#line 66 "./util/configparser.y" - - char* str; - -#line 776 "util/configparser.c" - -}; -typedef union YYSTYPE YYSTYPE; -# define YYSTYPE_IS_TRIVIAL 1 -# define YYSTYPE_IS_DECLARED 1 -#endif - - -extern YYSTYPE yylval; - -int yyparse (void); - -#endif /* !YY_YY_UTIL_CONFIGPARSER_H_INCLUDED */ +#include "configparser.h" /* Symbol kind. */ enum yysymbol_kind_t { 
@@ -895,548 +229,576 @@ enum yysymbol_kind_t YYSYMBOL_VAR_CONTROL_KEY_FILE = 102, /* VAR_CONTROL_KEY_FILE */ YYSYMBOL_VAR_CONTROL_CERT_FILE = 103, /* VAR_CONTROL_CERT_FILE */ YYSYMBOL_VAR_CONTROL_USE_CERT = 104, /* VAR_CONTROL_USE_CERT */ - YYSYMBOL_VAR_EXTENDED_STATISTICS = 105, /* VAR_EXTENDED_STATISTICS */ - YYSYMBOL_VAR_LOCAL_DATA_PTR = 106, /* VAR_LOCAL_DATA_PTR */ - YYSYMBOL_VAR_JOSTLE_TIMEOUT = 107, /* VAR_JOSTLE_TIMEOUT */ - YYSYMBOL_VAR_STUB_PRIME = 108, /* VAR_STUB_PRIME */ - YYSYMBOL_VAR_UNWANTED_REPLY_THRESHOLD = 109, /* VAR_UNWANTED_REPLY_THRESHOLD */ - YYSYMBOL_VAR_LOG_TIME_ASCII = 110, /* VAR_LOG_TIME_ASCII */ - YYSYMBOL_VAR_DOMAIN_INSECURE = 111, /* VAR_DOMAIN_INSECURE */ - YYSYMBOL_VAR_PYTHON = 112, /* VAR_PYTHON */ - YYSYMBOL_VAR_PYTHON_SCRIPT = 113, /* VAR_PYTHON_SCRIPT */ - YYSYMBOL_VAR_VAL_SIG_SKEW_MIN = 114, /* VAR_VAL_SIG_SKEW_MIN */ - YYSYMBOL_VAR_VAL_SIG_SKEW_MAX = 115, /* VAR_VAL_SIG_SKEW_MAX */ - YYSYMBOL_VAR_CACHE_MIN_TTL = 116, /* VAR_CACHE_MIN_TTL */ - YYSYMBOL_VAR_VAL_LOG_LEVEL = 117, /* VAR_VAL_LOG_LEVEL */ - YYSYMBOL_VAR_AUTO_TRUST_ANCHOR_FILE = 118, /* VAR_AUTO_TRUST_ANCHOR_FILE */ - YYSYMBOL_VAR_KEEP_MISSING = 119, /* VAR_KEEP_MISSING */ - YYSYMBOL_VAR_ADD_HOLDDOWN = 120, /* VAR_ADD_HOLDDOWN */ - YYSYMBOL_VAR_DEL_HOLDDOWN = 121, /* VAR_DEL_HOLDDOWN */ - YYSYMBOL_VAR_SO_RCVBUF = 122, /* VAR_SO_RCVBUF */ - YYSYMBOL_VAR_EDNS_BUFFER_SIZE = 123, /* VAR_EDNS_BUFFER_SIZE */ - YYSYMBOL_VAR_PREFETCH = 124, /* VAR_PREFETCH */ - YYSYMBOL_VAR_PREFETCH_KEY = 125, /* VAR_PREFETCH_KEY */ - YYSYMBOL_VAR_SO_SNDBUF = 126, /* VAR_SO_SNDBUF */ - YYSYMBOL_VAR_SO_REUSEPORT = 127, /* VAR_SO_REUSEPORT */ - YYSYMBOL_VAR_HARDEN_BELOW_NXDOMAIN = 128, /* VAR_HARDEN_BELOW_NXDOMAIN */ - YYSYMBOL_VAR_IGNORE_CD_FLAG = 129, /* VAR_IGNORE_CD_FLAG */ - YYSYMBOL_VAR_LOG_QUERIES = 130, /* VAR_LOG_QUERIES */ - YYSYMBOL_VAR_LOG_REPLIES = 131, /* VAR_LOG_REPLIES */ - YYSYMBOL_VAR_LOG_LOCAL_ACTIONS = 132, /* VAR_LOG_LOCAL_ACTIONS */ - YYSYMBOL_VAR_TCP_UPSTREAM = 133, /* 
VAR_TCP_UPSTREAM */ - YYSYMBOL_VAR_SSL_UPSTREAM = 134, /* VAR_SSL_UPSTREAM */ - YYSYMBOL_VAR_SSL_SERVICE_KEY = 135, /* VAR_SSL_SERVICE_KEY */ - YYSYMBOL_VAR_SSL_SERVICE_PEM = 136, /* VAR_SSL_SERVICE_PEM */ - YYSYMBOL_VAR_SSL_PORT = 137, /* VAR_SSL_PORT */ - YYSYMBOL_VAR_FORWARD_FIRST = 138, /* VAR_FORWARD_FIRST */ - YYSYMBOL_VAR_STUB_SSL_UPSTREAM = 139, /* VAR_STUB_SSL_UPSTREAM */ - YYSYMBOL_VAR_FORWARD_SSL_UPSTREAM = 140, /* VAR_FORWARD_SSL_UPSTREAM */ - YYSYMBOL_VAR_TLS_CERT_BUNDLE = 141, /* VAR_TLS_CERT_BUNDLE */ - YYSYMBOL_VAR_HTTPS_PORT = 142, /* VAR_HTTPS_PORT */ - YYSYMBOL_VAR_HTTP_ENDPOINT = 143, /* VAR_HTTP_ENDPOINT */ - YYSYMBOL_VAR_HTTP_MAX_STREAMS = 144, /* VAR_HTTP_MAX_STREAMS */ - YYSYMBOL_VAR_HTTP_QUERY_BUFFER_SIZE = 145, /* VAR_HTTP_QUERY_BUFFER_SIZE */ - YYSYMBOL_VAR_HTTP_RESPONSE_BUFFER_SIZE = 146, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */ - YYSYMBOL_VAR_HTTP_NODELAY = 147, /* VAR_HTTP_NODELAY */ - YYSYMBOL_VAR_HTTP_NOTLS_DOWNSTREAM = 148, /* VAR_HTTP_NOTLS_DOWNSTREAM */ - YYSYMBOL_VAR_STUB_FIRST = 149, /* VAR_STUB_FIRST */ - YYSYMBOL_VAR_MINIMAL_RESPONSES = 150, /* VAR_MINIMAL_RESPONSES */ - YYSYMBOL_VAR_RRSET_ROUNDROBIN = 151, /* VAR_RRSET_ROUNDROBIN */ - YYSYMBOL_VAR_MAX_UDP_SIZE = 152, /* VAR_MAX_UDP_SIZE */ - YYSYMBOL_VAR_DELAY_CLOSE = 153, /* VAR_DELAY_CLOSE */ - YYSYMBOL_VAR_UDP_CONNECT = 154, /* VAR_UDP_CONNECT */ - YYSYMBOL_VAR_UNBLOCK_LAN_ZONES = 155, /* VAR_UNBLOCK_LAN_ZONES */ - YYSYMBOL_VAR_INSECURE_LAN_ZONES = 156, /* VAR_INSECURE_LAN_ZONES */ - YYSYMBOL_VAR_INFRA_CACHE_MIN_RTT = 157, /* VAR_INFRA_CACHE_MIN_RTT */ - YYSYMBOL_VAR_INFRA_KEEP_PROBING = 158, /* VAR_INFRA_KEEP_PROBING */ - YYSYMBOL_VAR_DNS64_PREFIX = 159, /* VAR_DNS64_PREFIX */ - YYSYMBOL_VAR_DNS64_SYNTHALL = 160, /* VAR_DNS64_SYNTHALL */ - YYSYMBOL_VAR_DNS64_IGNORE_AAAA = 161, /* VAR_DNS64_IGNORE_AAAA */ - YYSYMBOL_VAR_DNSTAP = 162, /* VAR_DNSTAP */ - YYSYMBOL_VAR_DNSTAP_ENABLE = 163, /* VAR_DNSTAP_ENABLE */ - YYSYMBOL_VAR_DNSTAP_SOCKET_PATH = 164, /* VAR_DNSTAP_SOCKET_PATH */ 
- YYSYMBOL_VAR_DNSTAP_IP = 165, /* VAR_DNSTAP_IP */ - YYSYMBOL_VAR_DNSTAP_TLS = 166, /* VAR_DNSTAP_TLS */ - YYSYMBOL_VAR_DNSTAP_TLS_SERVER_NAME = 167, /* VAR_DNSTAP_TLS_SERVER_NAME */ - YYSYMBOL_VAR_DNSTAP_TLS_CERT_BUNDLE = 168, /* VAR_DNSTAP_TLS_CERT_BUNDLE */ - YYSYMBOL_VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 169, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */ - YYSYMBOL_VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 170, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */ - YYSYMBOL_VAR_DNSTAP_SEND_IDENTITY = 171, /* VAR_DNSTAP_SEND_IDENTITY */ - YYSYMBOL_VAR_DNSTAP_SEND_VERSION = 172, /* VAR_DNSTAP_SEND_VERSION */ - YYSYMBOL_VAR_DNSTAP_BIDIRECTIONAL = 173, /* VAR_DNSTAP_BIDIRECTIONAL */ - YYSYMBOL_VAR_DNSTAP_IDENTITY = 174, /* VAR_DNSTAP_IDENTITY */ - YYSYMBOL_VAR_DNSTAP_VERSION = 175, /* VAR_DNSTAP_VERSION */ - YYSYMBOL_VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 176, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */ - YYSYMBOL_VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 177, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */ - YYSYMBOL_VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 178, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */ - YYSYMBOL_VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 179, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */ - YYSYMBOL_VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 180, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */ - YYSYMBOL_VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 181, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */ - YYSYMBOL_VAR_RESPONSE_IP_TAG = 182, /* VAR_RESPONSE_IP_TAG */ - YYSYMBOL_VAR_RESPONSE_IP = 183, /* VAR_RESPONSE_IP */ - YYSYMBOL_VAR_RESPONSE_IP_DATA = 184, /* VAR_RESPONSE_IP_DATA */ - YYSYMBOL_VAR_HARDEN_ALGO_DOWNGRADE = 185, /* VAR_HARDEN_ALGO_DOWNGRADE */ - YYSYMBOL_VAR_IP_TRANSPARENT = 186, /* VAR_IP_TRANSPARENT */ - YYSYMBOL_VAR_IP_DSCP = 187, /* VAR_IP_DSCP */ - YYSYMBOL_VAR_DISABLE_DNSSEC_LAME_CHECK = 188, /* VAR_DISABLE_DNSSEC_LAME_CHECK */ - YYSYMBOL_VAR_IP_RATELIMIT = 189, /* VAR_IP_RATELIMIT */ - YYSYMBOL_VAR_IP_RATELIMIT_SLABS = 190, /* VAR_IP_RATELIMIT_SLABS */ - 
YYSYMBOL_VAR_IP_RATELIMIT_SIZE = 191, /* VAR_IP_RATELIMIT_SIZE */ - YYSYMBOL_VAR_RATELIMIT = 192, /* VAR_RATELIMIT */ - YYSYMBOL_VAR_RATELIMIT_SLABS = 193, /* VAR_RATELIMIT_SLABS */ - YYSYMBOL_VAR_RATELIMIT_SIZE = 194, /* VAR_RATELIMIT_SIZE */ - YYSYMBOL_VAR_RATELIMIT_FOR_DOMAIN = 195, /* VAR_RATELIMIT_FOR_DOMAIN */ - YYSYMBOL_VAR_RATELIMIT_BELOW_DOMAIN = 196, /* VAR_RATELIMIT_BELOW_DOMAIN */ - YYSYMBOL_VAR_IP_RATELIMIT_FACTOR = 197, /* VAR_IP_RATELIMIT_FACTOR */ - YYSYMBOL_VAR_RATELIMIT_FACTOR = 198, /* VAR_RATELIMIT_FACTOR */ - YYSYMBOL_VAR_SEND_CLIENT_SUBNET = 199, /* VAR_SEND_CLIENT_SUBNET */ - YYSYMBOL_VAR_CLIENT_SUBNET_ZONE = 200, /* VAR_CLIENT_SUBNET_ZONE */ - YYSYMBOL_VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 201, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */ - YYSYMBOL_VAR_CLIENT_SUBNET_OPCODE = 202, /* VAR_CLIENT_SUBNET_OPCODE */ - YYSYMBOL_VAR_MAX_CLIENT_SUBNET_IPV4 = 203, /* VAR_MAX_CLIENT_SUBNET_IPV4 */ - YYSYMBOL_VAR_MAX_CLIENT_SUBNET_IPV6 = 204, /* VAR_MAX_CLIENT_SUBNET_IPV6 */ - YYSYMBOL_VAR_MIN_CLIENT_SUBNET_IPV4 = 205, /* VAR_MIN_CLIENT_SUBNET_IPV4 */ - YYSYMBOL_VAR_MIN_CLIENT_SUBNET_IPV6 = 206, /* VAR_MIN_CLIENT_SUBNET_IPV6 */ - YYSYMBOL_VAR_MAX_ECS_TREE_SIZE_IPV4 = 207, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */ - YYSYMBOL_VAR_MAX_ECS_TREE_SIZE_IPV6 = 208, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */ - YYSYMBOL_VAR_CAPS_WHITELIST = 209, /* VAR_CAPS_WHITELIST */ - YYSYMBOL_VAR_CACHE_MAX_NEGATIVE_TTL = 210, /* VAR_CACHE_MAX_NEGATIVE_TTL */ - YYSYMBOL_VAR_PERMIT_SMALL_HOLDDOWN = 211, /* VAR_PERMIT_SMALL_HOLDDOWN */ - YYSYMBOL_VAR_QNAME_MINIMISATION = 212, /* VAR_QNAME_MINIMISATION */ - YYSYMBOL_VAR_QNAME_MINIMISATION_STRICT = 213, /* VAR_QNAME_MINIMISATION_STRICT */ - YYSYMBOL_VAR_IP_FREEBIND = 214, /* VAR_IP_FREEBIND */ - YYSYMBOL_VAR_DEFINE_TAG = 215, /* VAR_DEFINE_TAG */ - YYSYMBOL_VAR_LOCAL_ZONE_TAG = 216, /* VAR_LOCAL_ZONE_TAG */ - YYSYMBOL_VAR_ACCESS_CONTROL_TAG = 217, /* VAR_ACCESS_CONTROL_TAG */ - YYSYMBOL_VAR_LOCAL_ZONE_OVERRIDE = 218, /* VAR_LOCAL_ZONE_OVERRIDE */ - 
YYSYMBOL_VAR_ACCESS_CONTROL_TAG_ACTION = 219, /* VAR_ACCESS_CONTROL_TAG_ACTION */ - YYSYMBOL_VAR_ACCESS_CONTROL_TAG_DATA = 220, /* VAR_ACCESS_CONTROL_TAG_DATA */ - YYSYMBOL_VAR_VIEW = 221, /* VAR_VIEW */ - YYSYMBOL_VAR_ACCESS_CONTROL_VIEW = 222, /* VAR_ACCESS_CONTROL_VIEW */ - YYSYMBOL_VAR_VIEW_FIRST = 223, /* VAR_VIEW_FIRST */ - YYSYMBOL_VAR_SERVE_EXPIRED = 224, /* VAR_SERVE_EXPIRED */ - YYSYMBOL_VAR_SERVE_EXPIRED_TTL = 225, /* VAR_SERVE_EXPIRED_TTL */ - YYSYMBOL_VAR_SERVE_EXPIRED_TTL_RESET = 226, /* VAR_SERVE_EXPIRED_TTL_RESET */ - YYSYMBOL_VAR_SERVE_EXPIRED_REPLY_TTL = 227, /* VAR_SERVE_EXPIRED_REPLY_TTL */ - YYSYMBOL_VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 228, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */ - YYSYMBOL_VAR_SERVE_ORIGINAL_TTL = 229, /* VAR_SERVE_ORIGINAL_TTL */ - YYSYMBOL_VAR_FAKE_DSA = 230, /* VAR_FAKE_DSA */ - YYSYMBOL_VAR_FAKE_SHA1 = 231, /* VAR_FAKE_SHA1 */ - YYSYMBOL_VAR_LOG_IDENTITY = 232, /* VAR_LOG_IDENTITY */ - YYSYMBOL_VAR_HIDE_TRUSTANCHOR = 233, /* VAR_HIDE_TRUSTANCHOR */ - YYSYMBOL_VAR_TRUST_ANCHOR_SIGNALING = 234, /* VAR_TRUST_ANCHOR_SIGNALING */ - YYSYMBOL_VAR_AGGRESSIVE_NSEC = 235, /* VAR_AGGRESSIVE_NSEC */ - YYSYMBOL_VAR_USE_SYSTEMD = 236, /* VAR_USE_SYSTEMD */ - YYSYMBOL_VAR_SHM_ENABLE = 237, /* VAR_SHM_ENABLE */ - YYSYMBOL_VAR_SHM_KEY = 238, /* VAR_SHM_KEY */ - YYSYMBOL_VAR_ROOT_KEY_SENTINEL = 239, /* VAR_ROOT_KEY_SENTINEL */ - YYSYMBOL_VAR_DNSCRYPT = 240, /* VAR_DNSCRYPT */ - YYSYMBOL_VAR_DNSCRYPT_ENABLE = 241, /* VAR_DNSCRYPT_ENABLE */ - YYSYMBOL_VAR_DNSCRYPT_PORT = 242, /* VAR_DNSCRYPT_PORT */ - YYSYMBOL_VAR_DNSCRYPT_PROVIDER = 243, /* VAR_DNSCRYPT_PROVIDER */ - YYSYMBOL_VAR_DNSCRYPT_SECRET_KEY = 244, /* VAR_DNSCRYPT_SECRET_KEY */ - YYSYMBOL_VAR_DNSCRYPT_PROVIDER_CERT = 245, /* VAR_DNSCRYPT_PROVIDER_CERT */ - YYSYMBOL_VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 246, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */ - YYSYMBOL_VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 247, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */ - 
YYSYMBOL_VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 248, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */ - YYSYMBOL_VAR_DNSCRYPT_NONCE_CACHE_SIZE = 249, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */ - YYSYMBOL_VAR_DNSCRYPT_NONCE_CACHE_SLABS = 250, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */ - YYSYMBOL_VAR_PAD_RESPONSES = 251, /* VAR_PAD_RESPONSES */ - YYSYMBOL_VAR_PAD_RESPONSES_BLOCK_SIZE = 252, /* VAR_PAD_RESPONSES_BLOCK_SIZE */ - YYSYMBOL_VAR_PAD_QUERIES = 253, /* VAR_PAD_QUERIES */ - YYSYMBOL_VAR_PAD_QUERIES_BLOCK_SIZE = 254, /* VAR_PAD_QUERIES_BLOCK_SIZE */ - YYSYMBOL_VAR_IPSECMOD_ENABLED = 255, /* VAR_IPSECMOD_ENABLED */ - YYSYMBOL_VAR_IPSECMOD_HOOK = 256, /* VAR_IPSECMOD_HOOK */ - YYSYMBOL_VAR_IPSECMOD_IGNORE_BOGUS = 257, /* VAR_IPSECMOD_IGNORE_BOGUS */ - YYSYMBOL_VAR_IPSECMOD_MAX_TTL = 258, /* VAR_IPSECMOD_MAX_TTL */ - YYSYMBOL_VAR_IPSECMOD_WHITELIST = 259, /* VAR_IPSECMOD_WHITELIST */ - YYSYMBOL_VAR_IPSECMOD_STRICT = 260, /* VAR_IPSECMOD_STRICT */ - YYSYMBOL_VAR_CACHEDB = 261, /* VAR_CACHEDB */ - YYSYMBOL_VAR_CACHEDB_BACKEND = 262, /* VAR_CACHEDB_BACKEND */ - YYSYMBOL_VAR_CACHEDB_SECRETSEED = 263, /* VAR_CACHEDB_SECRETSEED */ - YYSYMBOL_VAR_CACHEDB_REDISHOST = 264, /* VAR_CACHEDB_REDISHOST */ - YYSYMBOL_VAR_CACHEDB_REDISPORT = 265, /* VAR_CACHEDB_REDISPORT */ - YYSYMBOL_VAR_CACHEDB_REDISTIMEOUT = 266, /* VAR_CACHEDB_REDISTIMEOUT */ - YYSYMBOL_VAR_CACHEDB_REDISEXPIRERECORDS = 267, /* VAR_CACHEDB_REDISEXPIRERECORDS */ - YYSYMBOL_VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 268, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */ - YYSYMBOL_VAR_FOR_UPSTREAM = 269, /* VAR_FOR_UPSTREAM */ - YYSYMBOL_VAR_AUTH_ZONE = 270, /* VAR_AUTH_ZONE */ - YYSYMBOL_VAR_ZONEFILE = 271, /* VAR_ZONEFILE */ - YYSYMBOL_VAR_MASTER = 272, /* VAR_MASTER */ - YYSYMBOL_VAR_URL = 273, /* VAR_URL */ - YYSYMBOL_VAR_FOR_DOWNSTREAM = 274, /* VAR_FOR_DOWNSTREAM */ - YYSYMBOL_VAR_FALLBACK_ENABLED = 275, /* VAR_FALLBACK_ENABLED */ - YYSYMBOL_VAR_TLS_ADDITIONAL_PORT = 276, /* VAR_TLS_ADDITIONAL_PORT */ - YYSYMBOL_VAR_LOW_RTT = 277, 
/* VAR_LOW_RTT */ - YYSYMBOL_VAR_LOW_RTT_PERMIL = 278, /* VAR_LOW_RTT_PERMIL */ - YYSYMBOL_VAR_FAST_SERVER_PERMIL = 279, /* VAR_FAST_SERVER_PERMIL */ - YYSYMBOL_VAR_FAST_SERVER_NUM = 280, /* VAR_FAST_SERVER_NUM */ - YYSYMBOL_VAR_ALLOW_NOTIFY = 281, /* VAR_ALLOW_NOTIFY */ - YYSYMBOL_VAR_TLS_WIN_CERT = 282, /* VAR_TLS_WIN_CERT */ - YYSYMBOL_VAR_TCP_CONNECTION_LIMIT = 283, /* VAR_TCP_CONNECTION_LIMIT */ - YYSYMBOL_VAR_FORWARD_NO_CACHE = 284, /* VAR_FORWARD_NO_CACHE */ - YYSYMBOL_VAR_STUB_NO_CACHE = 285, /* VAR_STUB_NO_CACHE */ - YYSYMBOL_VAR_LOG_SERVFAIL = 286, /* VAR_LOG_SERVFAIL */ - YYSYMBOL_VAR_DENY_ANY = 287, /* VAR_DENY_ANY */ - YYSYMBOL_VAR_UNKNOWN_SERVER_TIME_LIMIT = 288, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */ - YYSYMBOL_VAR_LOG_TAG_QUERYREPLY = 289, /* VAR_LOG_TAG_QUERYREPLY */ - YYSYMBOL_VAR_STREAM_WAIT_SIZE = 290, /* VAR_STREAM_WAIT_SIZE */ - YYSYMBOL_VAR_TLS_CIPHERS = 291, /* VAR_TLS_CIPHERS */ - YYSYMBOL_VAR_TLS_CIPHERSUITES = 292, /* VAR_TLS_CIPHERSUITES */ - YYSYMBOL_VAR_TLS_USE_SNI = 293, /* VAR_TLS_USE_SNI */ - YYSYMBOL_VAR_IPSET = 294, /* VAR_IPSET */ - YYSYMBOL_VAR_IPSET_NAME_V4 = 295, /* VAR_IPSET_NAME_V4 */ - YYSYMBOL_VAR_IPSET_NAME_V6 = 296, /* VAR_IPSET_NAME_V6 */ - YYSYMBOL_VAR_TLS_SESSION_TICKET_KEYS = 297, /* VAR_TLS_SESSION_TICKET_KEYS */ - YYSYMBOL_VAR_RPZ = 298, /* VAR_RPZ */ - YYSYMBOL_VAR_TAGS = 299, /* VAR_TAGS */ - YYSYMBOL_VAR_RPZ_ACTION_OVERRIDE = 300, /* VAR_RPZ_ACTION_OVERRIDE */ - YYSYMBOL_VAR_RPZ_CNAME_OVERRIDE = 301, /* VAR_RPZ_CNAME_OVERRIDE */ - YYSYMBOL_VAR_RPZ_LOG = 302, /* VAR_RPZ_LOG */ - YYSYMBOL_VAR_RPZ_LOG_NAME = 303, /* VAR_RPZ_LOG_NAME */ - YYSYMBOL_VAR_DYNLIB = 304, /* VAR_DYNLIB */ - YYSYMBOL_VAR_DYNLIB_FILE = 305, /* VAR_DYNLIB_FILE */ - YYSYMBOL_VAR_EDNS_CLIENT_STRING = 306, /* VAR_EDNS_CLIENT_STRING */ - YYSYMBOL_VAR_EDNS_CLIENT_STRING_OPCODE = 307, /* VAR_EDNS_CLIENT_STRING_OPCODE */ - YYSYMBOL_VAR_NSID = 308, /* VAR_NSID */ - YYSYMBOL_VAR_ZONEMD_PERMISSIVE_MODE = 309, /* VAR_ZONEMD_PERMISSIVE_MODE */ - 
YYSYMBOL_VAR_ZONEMD_REJECT_ABSENCE = 310, /* VAR_ZONEMD_REJECT_ABSENCE */ - YYSYMBOL_YYACCEPT = 311, /* $accept */ - YYSYMBOL_toplevelvars = 312, /* toplevelvars */ - YYSYMBOL_toplevelvar = 313, /* toplevelvar */ - YYSYMBOL_force_toplevel = 314, /* force_toplevel */ - YYSYMBOL_serverstart = 315, /* serverstart */ - YYSYMBOL_contents_server = 316, /* contents_server */ - YYSYMBOL_content_server = 317, /* content_server */ - YYSYMBOL_stubstart = 318, /* stubstart */ - YYSYMBOL_contents_stub = 319, /* contents_stub */ - YYSYMBOL_content_stub = 320, /* content_stub */ - YYSYMBOL_forwardstart = 321, /* forwardstart */ - YYSYMBOL_contents_forward = 322, /* contents_forward */ - YYSYMBOL_content_forward = 323, /* content_forward */ - YYSYMBOL_viewstart = 324, /* viewstart */ - YYSYMBOL_contents_view = 325, /* contents_view */ - YYSYMBOL_content_view = 326, /* content_view */ - YYSYMBOL_authstart = 327, /* authstart */ - YYSYMBOL_contents_auth = 328, /* contents_auth */ - YYSYMBOL_content_auth = 329, /* content_auth */ - YYSYMBOL_rpz_tag = 330, /* rpz_tag */ - YYSYMBOL_rpz_action_override = 331, /* rpz_action_override */ - YYSYMBOL_rpz_cname_override = 332, /* rpz_cname_override */ - YYSYMBOL_rpz_log = 333, /* rpz_log */ - YYSYMBOL_rpz_log_name = 334, /* rpz_log_name */ - YYSYMBOL_rpzstart = 335, /* rpzstart */ - YYSYMBOL_contents_rpz = 336, /* contents_rpz */ - YYSYMBOL_content_rpz = 337, /* content_rpz */ - YYSYMBOL_server_num_threads = 338, /* server_num_threads */ - YYSYMBOL_server_verbosity = 339, /* server_verbosity */ - YYSYMBOL_server_statistics_interval = 340, /* server_statistics_interval */ - YYSYMBOL_server_statistics_cumulative = 341, /* server_statistics_cumulative */ - YYSYMBOL_server_extended_statistics = 342, /* server_extended_statistics */ - YYSYMBOL_server_shm_enable = 343, /* server_shm_enable */ - YYSYMBOL_server_shm_key = 344, /* server_shm_key */ - YYSYMBOL_server_port = 345, /* server_port */ - YYSYMBOL_server_send_client_subnet = 346, /* 
server_send_client_subnet */ - YYSYMBOL_server_client_subnet_zone = 347, /* server_client_subnet_zone */ - YYSYMBOL_server_client_subnet_always_forward = 348, /* server_client_subnet_always_forward */ - YYSYMBOL_server_client_subnet_opcode = 349, /* server_client_subnet_opcode */ - YYSYMBOL_server_max_client_subnet_ipv4 = 350, /* server_max_client_subnet_ipv4 */ - YYSYMBOL_server_max_client_subnet_ipv6 = 351, /* server_max_client_subnet_ipv6 */ - YYSYMBOL_server_min_client_subnet_ipv4 = 352, /* server_min_client_subnet_ipv4 */ - YYSYMBOL_server_min_client_subnet_ipv6 = 353, /* server_min_client_subnet_ipv6 */ - YYSYMBOL_server_max_ecs_tree_size_ipv4 = 354, /* server_max_ecs_tree_size_ipv4 */ - YYSYMBOL_server_max_ecs_tree_size_ipv6 = 355, /* server_max_ecs_tree_size_ipv6 */ - YYSYMBOL_server_interface = 356, /* server_interface */ - YYSYMBOL_server_outgoing_interface = 357, /* server_outgoing_interface */ - YYSYMBOL_server_outgoing_range = 358, /* server_outgoing_range */ - YYSYMBOL_server_outgoing_port_permit = 359, /* server_outgoing_port_permit */ - YYSYMBOL_server_outgoing_port_avoid = 360, /* server_outgoing_port_avoid */ - YYSYMBOL_server_outgoing_num_tcp = 361, /* server_outgoing_num_tcp */ - YYSYMBOL_server_incoming_num_tcp = 362, /* server_incoming_num_tcp */ - YYSYMBOL_server_interface_automatic = 363, /* server_interface_automatic */ - YYSYMBOL_server_do_ip4 = 364, /* server_do_ip4 */ - YYSYMBOL_server_do_ip6 = 365, /* server_do_ip6 */ - YYSYMBOL_server_do_udp = 366, /* server_do_udp */ - YYSYMBOL_server_do_tcp = 367, /* server_do_tcp */ - YYSYMBOL_server_prefer_ip4 = 368, /* server_prefer_ip4 */ - YYSYMBOL_server_prefer_ip6 = 369, /* server_prefer_ip6 */ - YYSYMBOL_server_tcp_mss = 370, /* server_tcp_mss */ - YYSYMBOL_server_outgoing_tcp_mss = 371, /* server_outgoing_tcp_mss */ - YYSYMBOL_server_tcp_idle_timeout = 372, /* server_tcp_idle_timeout */ - YYSYMBOL_server_tcp_keepalive = 373, /* server_tcp_keepalive */ - YYSYMBOL_server_tcp_keepalive_timeout 
= 374, /* server_tcp_keepalive_timeout */ - YYSYMBOL_server_tcp_upstream = 375, /* server_tcp_upstream */ - YYSYMBOL_server_udp_upstream_without_downstream = 376, /* server_udp_upstream_without_downstream */ - YYSYMBOL_server_ssl_upstream = 377, /* server_ssl_upstream */ - YYSYMBOL_server_ssl_service_key = 378, /* server_ssl_service_key */ - YYSYMBOL_server_ssl_service_pem = 379, /* server_ssl_service_pem */ - YYSYMBOL_server_ssl_port = 380, /* server_ssl_port */ - YYSYMBOL_server_tls_cert_bundle = 381, /* server_tls_cert_bundle */ - YYSYMBOL_server_tls_win_cert = 382, /* server_tls_win_cert */ - YYSYMBOL_server_tls_additional_port = 383, /* server_tls_additional_port */ - YYSYMBOL_server_tls_ciphers = 384, /* server_tls_ciphers */ - YYSYMBOL_server_tls_ciphersuites = 385, /* server_tls_ciphersuites */ - YYSYMBOL_server_tls_session_ticket_keys = 386, /* server_tls_session_ticket_keys */ - YYSYMBOL_server_tls_use_sni = 387, /* server_tls_use_sni */ - YYSYMBOL_server_https_port = 388, /* server_https_port */ - YYSYMBOL_server_http_endpoint = 389, /* server_http_endpoint */ - YYSYMBOL_server_http_max_streams = 390, /* server_http_max_streams */ - YYSYMBOL_server_http_query_buffer_size = 391, /* server_http_query_buffer_size */ - YYSYMBOL_server_http_response_buffer_size = 392, /* server_http_response_buffer_size */ - YYSYMBOL_server_http_nodelay = 393, /* server_http_nodelay */ - YYSYMBOL_server_http_notls_downstream = 394, /* server_http_notls_downstream */ - YYSYMBOL_server_use_systemd = 395, /* server_use_systemd */ - YYSYMBOL_server_do_daemonize = 396, /* server_do_daemonize */ - YYSYMBOL_server_use_syslog = 397, /* server_use_syslog */ - YYSYMBOL_server_log_time_ascii = 398, /* server_log_time_ascii */ - YYSYMBOL_server_log_queries = 399, /* server_log_queries */ - YYSYMBOL_server_log_replies = 400, /* server_log_replies */ - YYSYMBOL_server_log_tag_queryreply = 401, /* server_log_tag_queryreply */ - YYSYMBOL_server_log_servfail = 402, /* server_log_servfail */ - 
YYSYMBOL_server_log_local_actions = 403, /* server_log_local_actions */ - YYSYMBOL_server_chroot = 404, /* server_chroot */ - YYSYMBOL_server_username = 405, /* server_username */ - YYSYMBOL_server_directory = 406, /* server_directory */ - YYSYMBOL_server_logfile = 407, /* server_logfile */ - YYSYMBOL_server_pidfile = 408, /* server_pidfile */ - YYSYMBOL_server_root_hints = 409, /* server_root_hints */ - YYSYMBOL_server_dlv_anchor_file = 410, /* server_dlv_anchor_file */ - YYSYMBOL_server_dlv_anchor = 411, /* server_dlv_anchor */ - YYSYMBOL_server_auto_trust_anchor_file = 412, /* server_auto_trust_anchor_file */ - YYSYMBOL_server_trust_anchor_file = 413, /* server_trust_anchor_file */ - YYSYMBOL_server_trusted_keys_file = 414, /* server_trusted_keys_file */ - YYSYMBOL_server_trust_anchor = 415, /* server_trust_anchor */ - YYSYMBOL_server_trust_anchor_signaling = 416, /* server_trust_anchor_signaling */ - YYSYMBOL_server_root_key_sentinel = 417, /* server_root_key_sentinel */ - YYSYMBOL_server_domain_insecure = 418, /* server_domain_insecure */ - YYSYMBOL_server_hide_identity = 419, /* server_hide_identity */ - YYSYMBOL_server_hide_version = 420, /* server_hide_version */ - YYSYMBOL_server_hide_trustanchor = 421, /* server_hide_trustanchor */ - YYSYMBOL_server_identity = 422, /* server_identity */ - YYSYMBOL_server_version = 423, /* server_version */ - YYSYMBOL_server_nsid = 424, /* server_nsid */ - YYSYMBOL_server_so_rcvbuf = 425, /* server_so_rcvbuf */ - YYSYMBOL_server_so_sndbuf = 426, /* server_so_sndbuf */ - YYSYMBOL_server_so_reuseport = 427, /* server_so_reuseport */ - YYSYMBOL_server_ip_transparent = 428, /* server_ip_transparent */ - YYSYMBOL_server_ip_freebind = 429, /* server_ip_freebind */ - YYSYMBOL_server_ip_dscp = 430, /* server_ip_dscp */ - YYSYMBOL_server_stream_wait_size = 431, /* server_stream_wait_size */ - YYSYMBOL_server_edns_buffer_size = 432, /* server_edns_buffer_size */ - YYSYMBOL_server_msg_buffer_size = 433, /* server_msg_buffer_size */ - 
YYSYMBOL_server_msg_cache_size = 434, /* server_msg_cache_size */ - YYSYMBOL_server_msg_cache_slabs = 435, /* server_msg_cache_slabs */ - YYSYMBOL_server_num_queries_per_thread = 436, /* server_num_queries_per_thread */ - YYSYMBOL_server_jostle_timeout = 437, /* server_jostle_timeout */ - YYSYMBOL_server_delay_close = 438, /* server_delay_close */ - YYSYMBOL_server_udp_connect = 439, /* server_udp_connect */ - YYSYMBOL_server_unblock_lan_zones = 440, /* server_unblock_lan_zones */ - YYSYMBOL_server_insecure_lan_zones = 441, /* server_insecure_lan_zones */ - YYSYMBOL_server_rrset_cache_size = 442, /* server_rrset_cache_size */ - YYSYMBOL_server_rrset_cache_slabs = 443, /* server_rrset_cache_slabs */ - YYSYMBOL_server_infra_host_ttl = 444, /* server_infra_host_ttl */ - YYSYMBOL_server_infra_lame_ttl = 445, /* server_infra_lame_ttl */ - YYSYMBOL_server_infra_cache_numhosts = 446, /* server_infra_cache_numhosts */ - YYSYMBOL_server_infra_cache_lame_size = 447, /* server_infra_cache_lame_size */ - YYSYMBOL_server_infra_cache_slabs = 448, /* server_infra_cache_slabs */ - YYSYMBOL_server_infra_cache_min_rtt = 449, /* server_infra_cache_min_rtt */ - YYSYMBOL_server_infra_keep_probing = 450, /* server_infra_keep_probing */ - YYSYMBOL_server_target_fetch_policy = 451, /* server_target_fetch_policy */ - YYSYMBOL_server_harden_short_bufsize = 452, /* server_harden_short_bufsize */ - YYSYMBOL_server_harden_large_queries = 453, /* server_harden_large_queries */ - YYSYMBOL_server_harden_glue = 454, /* server_harden_glue */ - YYSYMBOL_server_harden_dnssec_stripped = 455, /* server_harden_dnssec_stripped */ - YYSYMBOL_server_harden_below_nxdomain = 456, /* server_harden_below_nxdomain */ - YYSYMBOL_server_harden_referral_path = 457, /* server_harden_referral_path */ - YYSYMBOL_server_harden_algo_downgrade = 458, /* server_harden_algo_downgrade */ - YYSYMBOL_server_use_caps_for_id = 459, /* server_use_caps_for_id */ - YYSYMBOL_server_caps_whitelist = 460, /* server_caps_whitelist */ 
- YYSYMBOL_server_private_address = 461, /* server_private_address */ - YYSYMBOL_server_private_domain = 462, /* server_private_domain */ - YYSYMBOL_server_prefetch = 463, /* server_prefetch */ - YYSYMBOL_server_prefetch_key = 464, /* server_prefetch_key */ - YYSYMBOL_server_deny_any = 465, /* server_deny_any */ - YYSYMBOL_server_unwanted_reply_threshold = 466, /* server_unwanted_reply_threshold */ - YYSYMBOL_server_do_not_query_address = 467, /* server_do_not_query_address */ - YYSYMBOL_server_do_not_query_localhost = 468, /* server_do_not_query_localhost */ - YYSYMBOL_server_access_control = 469, /* server_access_control */ - YYSYMBOL_server_module_conf = 470, /* server_module_conf */ - YYSYMBOL_server_val_override_date = 471, /* server_val_override_date */ - YYSYMBOL_server_val_sig_skew_min = 472, /* server_val_sig_skew_min */ - YYSYMBOL_server_val_sig_skew_max = 473, /* server_val_sig_skew_max */ - YYSYMBOL_server_cache_max_ttl = 474, /* server_cache_max_ttl */ - YYSYMBOL_server_cache_max_negative_ttl = 475, /* server_cache_max_negative_ttl */ - YYSYMBOL_server_cache_min_ttl = 476, /* server_cache_min_ttl */ - YYSYMBOL_server_bogus_ttl = 477, /* server_bogus_ttl */ - YYSYMBOL_server_val_clean_additional = 478, /* server_val_clean_additional */ - YYSYMBOL_server_val_permissive_mode = 479, /* server_val_permissive_mode */ - YYSYMBOL_server_aggressive_nsec = 480, /* server_aggressive_nsec */ - YYSYMBOL_server_ignore_cd_flag = 481, /* server_ignore_cd_flag */ - YYSYMBOL_server_serve_expired = 482, /* server_serve_expired */ - YYSYMBOL_server_serve_expired_ttl = 483, /* server_serve_expired_ttl */ - YYSYMBOL_server_serve_expired_ttl_reset = 484, /* server_serve_expired_ttl_reset */ - YYSYMBOL_server_serve_expired_reply_ttl = 485, /* server_serve_expired_reply_ttl */ - YYSYMBOL_server_serve_expired_client_timeout = 486, /* server_serve_expired_client_timeout */ - YYSYMBOL_server_serve_original_ttl = 487, /* server_serve_original_ttl */ - YYSYMBOL_server_fake_dsa = 
488, /* server_fake_dsa */ - YYSYMBOL_server_fake_sha1 = 489, /* server_fake_sha1 */ - YYSYMBOL_server_val_log_level = 490, /* server_val_log_level */ - YYSYMBOL_server_val_nsec3_keysize_iterations = 491, /* server_val_nsec3_keysize_iterations */ - YYSYMBOL_server_zonemd_permissive_mode = 492, /* server_zonemd_permissive_mode */ - YYSYMBOL_server_add_holddown = 493, /* server_add_holddown */ - YYSYMBOL_server_del_holddown = 494, /* server_del_holddown */ - YYSYMBOL_server_keep_missing = 495, /* server_keep_missing */ - YYSYMBOL_server_permit_small_holddown = 496, /* server_permit_small_holddown */ - YYSYMBOL_server_key_cache_size = 497, /* server_key_cache_size */ - YYSYMBOL_server_key_cache_slabs = 498, /* server_key_cache_slabs */ - YYSYMBOL_server_neg_cache_size = 499, /* server_neg_cache_size */ - YYSYMBOL_server_local_zone = 500, /* server_local_zone */ - YYSYMBOL_server_local_data = 501, /* server_local_data */ - YYSYMBOL_server_local_data_ptr = 502, /* server_local_data_ptr */ - YYSYMBOL_server_minimal_responses = 503, /* server_minimal_responses */ - YYSYMBOL_server_rrset_roundrobin = 504, /* server_rrset_roundrobin */ - YYSYMBOL_server_unknown_server_time_limit = 505, /* server_unknown_server_time_limit */ - YYSYMBOL_server_max_udp_size = 506, /* server_max_udp_size */ - YYSYMBOL_server_dns64_prefix = 507, /* server_dns64_prefix */ - YYSYMBOL_server_dns64_synthall = 508, /* server_dns64_synthall */ - YYSYMBOL_server_dns64_ignore_aaaa = 509, /* server_dns64_ignore_aaaa */ - YYSYMBOL_server_define_tag = 510, /* server_define_tag */ - YYSYMBOL_server_local_zone_tag = 511, /* server_local_zone_tag */ - YYSYMBOL_server_access_control_tag = 512, /* server_access_control_tag */ - YYSYMBOL_server_access_control_tag_action = 513, /* server_access_control_tag_action */ - YYSYMBOL_server_access_control_tag_data = 514, /* server_access_control_tag_data */ - YYSYMBOL_server_local_zone_override = 515, /* server_local_zone_override */ - 
YYSYMBOL_server_access_control_view = 516, /* server_access_control_view */ - YYSYMBOL_server_response_ip_tag = 517, /* server_response_ip_tag */ - YYSYMBOL_server_ip_ratelimit = 518, /* server_ip_ratelimit */ - YYSYMBOL_server_ratelimit = 519, /* server_ratelimit */ - YYSYMBOL_server_ip_ratelimit_size = 520, /* server_ip_ratelimit_size */ - YYSYMBOL_server_ratelimit_size = 521, /* server_ratelimit_size */ - YYSYMBOL_server_ip_ratelimit_slabs = 522, /* server_ip_ratelimit_slabs */ - YYSYMBOL_server_ratelimit_slabs = 523, /* server_ratelimit_slabs */ - YYSYMBOL_server_ratelimit_for_domain = 524, /* server_ratelimit_for_domain */ - YYSYMBOL_server_ratelimit_below_domain = 525, /* server_ratelimit_below_domain */ - YYSYMBOL_server_ip_ratelimit_factor = 526, /* server_ip_ratelimit_factor */ - YYSYMBOL_server_ratelimit_factor = 527, /* server_ratelimit_factor */ - YYSYMBOL_server_low_rtt = 528, /* server_low_rtt */ - YYSYMBOL_server_fast_server_num = 529, /* server_fast_server_num */ - YYSYMBOL_server_fast_server_permil = 530, /* server_fast_server_permil */ - YYSYMBOL_server_qname_minimisation = 531, /* server_qname_minimisation */ - YYSYMBOL_server_qname_minimisation_strict = 532, /* server_qname_minimisation_strict */ - YYSYMBOL_server_pad_responses = 533, /* server_pad_responses */ - YYSYMBOL_server_pad_responses_block_size = 534, /* server_pad_responses_block_size */ - YYSYMBOL_server_pad_queries = 535, /* server_pad_queries */ - YYSYMBOL_server_pad_queries_block_size = 536, /* server_pad_queries_block_size */ - YYSYMBOL_server_ipsecmod_enabled = 537, /* server_ipsecmod_enabled */ - YYSYMBOL_server_ipsecmod_ignore_bogus = 538, /* server_ipsecmod_ignore_bogus */ - YYSYMBOL_server_ipsecmod_hook = 539, /* server_ipsecmod_hook */ - YYSYMBOL_server_ipsecmod_max_ttl = 540, /* server_ipsecmod_max_ttl */ - YYSYMBOL_server_ipsecmod_whitelist = 541, /* server_ipsecmod_whitelist */ - YYSYMBOL_server_ipsecmod_strict = 542, /* server_ipsecmod_strict */ - 
YYSYMBOL_server_edns_client_string = 543, /* server_edns_client_string */ - YYSYMBOL_server_edns_client_string_opcode = 544, /* server_edns_client_string_opcode */ - YYSYMBOL_stub_name = 545, /* stub_name */ - YYSYMBOL_stub_host = 546, /* stub_host */ - YYSYMBOL_stub_addr = 547, /* stub_addr */ - YYSYMBOL_stub_first = 548, /* stub_first */ - YYSYMBOL_stub_no_cache = 549, /* stub_no_cache */ - YYSYMBOL_stub_ssl_upstream = 550, /* stub_ssl_upstream */ - YYSYMBOL_stub_prime = 551, /* stub_prime */ - YYSYMBOL_forward_name = 552, /* forward_name */ - YYSYMBOL_forward_host = 553, /* forward_host */ - YYSYMBOL_forward_addr = 554, /* forward_addr */ - YYSYMBOL_forward_first = 555, /* forward_first */ - YYSYMBOL_forward_no_cache = 556, /* forward_no_cache */ - YYSYMBOL_forward_ssl_upstream = 557, /* forward_ssl_upstream */ - YYSYMBOL_auth_name = 558, /* auth_name */ - YYSYMBOL_auth_zonefile = 559, /* auth_zonefile */ - YYSYMBOL_auth_master = 560, /* auth_master */ - YYSYMBOL_auth_url = 561, /* auth_url */ - YYSYMBOL_auth_allow_notify = 562, /* auth_allow_notify */ - YYSYMBOL_auth_zonemd_reject_absence = 563, /* auth_zonemd_reject_absence */ - YYSYMBOL_auth_for_downstream = 564, /* auth_for_downstream */ - YYSYMBOL_auth_for_upstream = 565, /* auth_for_upstream */ - YYSYMBOL_auth_fallback_enabled = 566, /* auth_fallback_enabled */ - YYSYMBOL_view_name = 567, /* view_name */ - YYSYMBOL_view_local_zone = 568, /* view_local_zone */ - YYSYMBOL_view_response_ip = 569, /* view_response_ip */ - YYSYMBOL_view_response_ip_data = 570, /* view_response_ip_data */ - YYSYMBOL_view_local_data = 571, /* view_local_data */ - YYSYMBOL_view_local_data_ptr = 572, /* view_local_data_ptr */ - YYSYMBOL_view_first = 573, /* view_first */ - YYSYMBOL_rcstart = 574, /* rcstart */ - YYSYMBOL_contents_rc = 575, /* contents_rc */ - YYSYMBOL_content_rc = 576, /* content_rc */ - YYSYMBOL_rc_control_enable = 577, /* rc_control_enable */ - YYSYMBOL_rc_control_port = 578, /* rc_control_port */ - 
YYSYMBOL_rc_control_interface = 579, /* rc_control_interface */ - YYSYMBOL_rc_control_use_cert = 580, /* rc_control_use_cert */ - YYSYMBOL_rc_server_key_file = 581, /* rc_server_key_file */ - YYSYMBOL_rc_server_cert_file = 582, /* rc_server_cert_file */ - YYSYMBOL_rc_control_key_file = 583, /* rc_control_key_file */ - YYSYMBOL_rc_control_cert_file = 584, /* rc_control_cert_file */ - YYSYMBOL_dtstart = 585, /* dtstart */ - YYSYMBOL_contents_dt = 586, /* contents_dt */ - YYSYMBOL_content_dt = 587, /* content_dt */ - YYSYMBOL_dt_dnstap_enable = 588, /* dt_dnstap_enable */ - YYSYMBOL_dt_dnstap_bidirectional = 589, /* dt_dnstap_bidirectional */ - YYSYMBOL_dt_dnstap_socket_path = 590, /* dt_dnstap_socket_path */ - YYSYMBOL_dt_dnstap_ip = 591, /* dt_dnstap_ip */ - YYSYMBOL_dt_dnstap_tls = 592, /* dt_dnstap_tls */ - YYSYMBOL_dt_dnstap_tls_server_name = 593, /* dt_dnstap_tls_server_name */ - YYSYMBOL_dt_dnstap_tls_cert_bundle = 594, /* dt_dnstap_tls_cert_bundle */ - YYSYMBOL_dt_dnstap_tls_client_key_file = 595, /* dt_dnstap_tls_client_key_file */ - YYSYMBOL_dt_dnstap_tls_client_cert_file = 596, /* dt_dnstap_tls_client_cert_file */ - YYSYMBOL_dt_dnstap_send_identity = 597, /* dt_dnstap_send_identity */ - YYSYMBOL_dt_dnstap_send_version = 598, /* dt_dnstap_send_version */ - YYSYMBOL_dt_dnstap_identity = 599, /* dt_dnstap_identity */ - YYSYMBOL_dt_dnstap_version = 600, /* dt_dnstap_version */ - YYSYMBOL_dt_dnstap_log_resolver_query_messages = 601, /* dt_dnstap_log_resolver_query_messages */ - YYSYMBOL_dt_dnstap_log_resolver_response_messages = 602, /* dt_dnstap_log_resolver_response_messages */ - YYSYMBOL_dt_dnstap_log_client_query_messages = 603, /* dt_dnstap_log_client_query_messages */ - YYSYMBOL_dt_dnstap_log_client_response_messages = 604, /* dt_dnstap_log_client_response_messages */ - YYSYMBOL_dt_dnstap_log_forwarder_query_messages = 605, /* dt_dnstap_log_forwarder_query_messages */ - YYSYMBOL_dt_dnstap_log_forwarder_response_messages = 606, /* 
dt_dnstap_log_forwarder_response_messages */ - YYSYMBOL_pythonstart = 607, /* pythonstart */ - YYSYMBOL_contents_py = 608, /* contents_py */ - YYSYMBOL_content_py = 609, /* content_py */ - YYSYMBOL_py_script = 610, /* py_script */ - YYSYMBOL_dynlibstart = 611, /* dynlibstart */ - YYSYMBOL_contents_dl = 612, /* contents_dl */ - YYSYMBOL_content_dl = 613, /* content_dl */ - YYSYMBOL_dl_file = 614, /* dl_file */ - YYSYMBOL_server_disable_dnssec_lame_check = 615, /* server_disable_dnssec_lame_check */ - YYSYMBOL_server_log_identity = 616, /* server_log_identity */ - YYSYMBOL_server_response_ip = 617, /* server_response_ip */ - YYSYMBOL_server_response_ip_data = 618, /* server_response_ip_data */ - YYSYMBOL_dnscstart = 619, /* dnscstart */ - YYSYMBOL_contents_dnsc = 620, /* contents_dnsc */ - YYSYMBOL_content_dnsc = 621, /* content_dnsc */ - YYSYMBOL_dnsc_dnscrypt_enable = 622, /* dnsc_dnscrypt_enable */ - YYSYMBOL_dnsc_dnscrypt_port = 623, /* dnsc_dnscrypt_port */ - YYSYMBOL_dnsc_dnscrypt_provider = 624, /* dnsc_dnscrypt_provider */ - YYSYMBOL_dnsc_dnscrypt_provider_cert = 625, /* dnsc_dnscrypt_provider_cert */ - YYSYMBOL_dnsc_dnscrypt_provider_cert_rotated = 626, /* dnsc_dnscrypt_provider_cert_rotated */ - YYSYMBOL_dnsc_dnscrypt_secret_key = 627, /* dnsc_dnscrypt_secret_key */ - YYSYMBOL_dnsc_dnscrypt_shared_secret_cache_size = 628, /* dnsc_dnscrypt_shared_secret_cache_size */ - YYSYMBOL_dnsc_dnscrypt_shared_secret_cache_slabs = 629, /* dnsc_dnscrypt_shared_secret_cache_slabs */ - YYSYMBOL_dnsc_dnscrypt_nonce_cache_size = 630, /* dnsc_dnscrypt_nonce_cache_size */ - YYSYMBOL_dnsc_dnscrypt_nonce_cache_slabs = 631, /* dnsc_dnscrypt_nonce_cache_slabs */ - YYSYMBOL_cachedbstart = 632, /* cachedbstart */ - YYSYMBOL_contents_cachedb = 633, /* contents_cachedb */ - YYSYMBOL_content_cachedb = 634, /* content_cachedb */ - YYSYMBOL_cachedb_backend_name = 635, /* cachedb_backend_name */ - YYSYMBOL_cachedb_secret_seed = 636, /* cachedb_secret_seed */ - YYSYMBOL_redis_server_host = 
637, /* redis_server_host */ - YYSYMBOL_redis_server_port = 638, /* redis_server_port */ - YYSYMBOL_redis_timeout = 639, /* redis_timeout */ - YYSYMBOL_redis_expire_records = 640, /* redis_expire_records */ - YYSYMBOL_server_tcp_connection_limit = 641, /* server_tcp_connection_limit */ - YYSYMBOL_ipsetstart = 642, /* ipsetstart */ - YYSYMBOL_contents_ipset = 643, /* contents_ipset */ - YYSYMBOL_content_ipset = 644, /* content_ipset */ - YYSYMBOL_ipset_name_v4 = 645, /* ipset_name_v4 */ - YYSYMBOL_ipset_name_v6 = 646 /* ipset_name_v6 */ + YYSYMBOL_VAR_TCP_REUSE_TIMEOUT = 105, /* VAR_TCP_REUSE_TIMEOUT */ + YYSYMBOL_VAR_MAX_REUSE_TCP_QUERIES = 106, /* VAR_MAX_REUSE_TCP_QUERIES */ + YYSYMBOL_VAR_EXTENDED_STATISTICS = 107, /* VAR_EXTENDED_STATISTICS */ + YYSYMBOL_VAR_LOCAL_DATA_PTR = 108, /* VAR_LOCAL_DATA_PTR */ + YYSYMBOL_VAR_JOSTLE_TIMEOUT = 109, /* VAR_JOSTLE_TIMEOUT */ + YYSYMBOL_VAR_STUB_PRIME = 110, /* VAR_STUB_PRIME */ + YYSYMBOL_VAR_UNWANTED_REPLY_THRESHOLD = 111, /* VAR_UNWANTED_REPLY_THRESHOLD */ + YYSYMBOL_VAR_LOG_TIME_ASCII = 112, /* VAR_LOG_TIME_ASCII */ + YYSYMBOL_VAR_DOMAIN_INSECURE = 113, /* VAR_DOMAIN_INSECURE */ + YYSYMBOL_VAR_PYTHON = 114, /* VAR_PYTHON */ + YYSYMBOL_VAR_PYTHON_SCRIPT = 115, /* VAR_PYTHON_SCRIPT */ + YYSYMBOL_VAR_VAL_SIG_SKEW_MIN = 116, /* VAR_VAL_SIG_SKEW_MIN */ + YYSYMBOL_VAR_VAL_SIG_SKEW_MAX = 117, /* VAR_VAL_SIG_SKEW_MAX */ + YYSYMBOL_VAR_VAL_MAX_RESTART = 118, /* VAR_VAL_MAX_RESTART */ + YYSYMBOL_VAR_CACHE_MIN_TTL = 119, /* VAR_CACHE_MIN_TTL */ + YYSYMBOL_VAR_VAL_LOG_LEVEL = 120, /* VAR_VAL_LOG_LEVEL */ + YYSYMBOL_VAR_AUTO_TRUST_ANCHOR_FILE = 121, /* VAR_AUTO_TRUST_ANCHOR_FILE */ + YYSYMBOL_VAR_KEEP_MISSING = 122, /* VAR_KEEP_MISSING */ + YYSYMBOL_VAR_ADD_HOLDDOWN = 123, /* VAR_ADD_HOLDDOWN */ + YYSYMBOL_VAR_DEL_HOLDDOWN = 124, /* VAR_DEL_HOLDDOWN */ + YYSYMBOL_VAR_SO_RCVBUF = 125, /* VAR_SO_RCVBUF */ + YYSYMBOL_VAR_EDNS_BUFFER_SIZE = 126, /* VAR_EDNS_BUFFER_SIZE */ + YYSYMBOL_VAR_PREFETCH = 127, /* VAR_PREFETCH */ + 
YYSYMBOL_VAR_PREFETCH_KEY = 128, /* VAR_PREFETCH_KEY */ + YYSYMBOL_VAR_SO_SNDBUF = 129, /* VAR_SO_SNDBUF */ + YYSYMBOL_VAR_SO_REUSEPORT = 130, /* VAR_SO_REUSEPORT */ + YYSYMBOL_VAR_HARDEN_BELOW_NXDOMAIN = 131, /* VAR_HARDEN_BELOW_NXDOMAIN */ + YYSYMBOL_VAR_IGNORE_CD_FLAG = 132, /* VAR_IGNORE_CD_FLAG */ + YYSYMBOL_VAR_LOG_QUERIES = 133, /* VAR_LOG_QUERIES */ + YYSYMBOL_VAR_LOG_REPLIES = 134, /* VAR_LOG_REPLIES */ + YYSYMBOL_VAR_LOG_LOCAL_ACTIONS = 135, /* VAR_LOG_LOCAL_ACTIONS */ + YYSYMBOL_VAR_TCP_UPSTREAM = 136, /* VAR_TCP_UPSTREAM */ + YYSYMBOL_VAR_SSL_UPSTREAM = 137, /* VAR_SSL_UPSTREAM */ + YYSYMBOL_VAR_TCP_AUTH_QUERY_TIMEOUT = 138, /* VAR_TCP_AUTH_QUERY_TIMEOUT */ + YYSYMBOL_VAR_SSL_SERVICE_KEY = 139, /* VAR_SSL_SERVICE_KEY */ + YYSYMBOL_VAR_SSL_SERVICE_PEM = 140, /* VAR_SSL_SERVICE_PEM */ + YYSYMBOL_VAR_SSL_PORT = 141, /* VAR_SSL_PORT */ + YYSYMBOL_VAR_FORWARD_FIRST = 142, /* VAR_FORWARD_FIRST */ + YYSYMBOL_VAR_STUB_SSL_UPSTREAM = 143, /* VAR_STUB_SSL_UPSTREAM */ + YYSYMBOL_VAR_FORWARD_SSL_UPSTREAM = 144, /* VAR_FORWARD_SSL_UPSTREAM */ + YYSYMBOL_VAR_TLS_CERT_BUNDLE = 145, /* VAR_TLS_CERT_BUNDLE */ + YYSYMBOL_VAR_STUB_TCP_UPSTREAM = 146, /* VAR_STUB_TCP_UPSTREAM */ + YYSYMBOL_VAR_FORWARD_TCP_UPSTREAM = 147, /* VAR_FORWARD_TCP_UPSTREAM */ + YYSYMBOL_VAR_HTTPS_PORT = 148, /* VAR_HTTPS_PORT */ + YYSYMBOL_VAR_HTTP_ENDPOINT = 149, /* VAR_HTTP_ENDPOINT */ + YYSYMBOL_VAR_HTTP_MAX_STREAMS = 150, /* VAR_HTTP_MAX_STREAMS */ + YYSYMBOL_VAR_HTTP_QUERY_BUFFER_SIZE = 151, /* VAR_HTTP_QUERY_BUFFER_SIZE */ + YYSYMBOL_VAR_HTTP_RESPONSE_BUFFER_SIZE = 152, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */ + YYSYMBOL_VAR_HTTP_NODELAY = 153, /* VAR_HTTP_NODELAY */ + YYSYMBOL_VAR_HTTP_NOTLS_DOWNSTREAM = 154, /* VAR_HTTP_NOTLS_DOWNSTREAM */ + YYSYMBOL_VAR_STUB_FIRST = 155, /* VAR_STUB_FIRST */ + YYSYMBOL_VAR_MINIMAL_RESPONSES = 156, /* VAR_MINIMAL_RESPONSES */ + YYSYMBOL_VAR_RRSET_ROUNDROBIN = 157, /* VAR_RRSET_ROUNDROBIN */ + YYSYMBOL_VAR_MAX_UDP_SIZE = 158, /* VAR_MAX_UDP_SIZE */ + 
YYSYMBOL_VAR_DELAY_CLOSE = 159, /* VAR_DELAY_CLOSE */ + YYSYMBOL_VAR_UDP_CONNECT = 160, /* VAR_UDP_CONNECT */ + YYSYMBOL_VAR_UNBLOCK_LAN_ZONES = 161, /* VAR_UNBLOCK_LAN_ZONES */ + YYSYMBOL_VAR_INSECURE_LAN_ZONES = 162, /* VAR_INSECURE_LAN_ZONES */ + YYSYMBOL_VAR_INFRA_CACHE_MIN_RTT = 163, /* VAR_INFRA_CACHE_MIN_RTT */ + YYSYMBOL_VAR_INFRA_KEEP_PROBING = 164, /* VAR_INFRA_KEEP_PROBING */ + YYSYMBOL_VAR_DNS64_PREFIX = 165, /* VAR_DNS64_PREFIX */ + YYSYMBOL_VAR_DNS64_SYNTHALL = 166, /* VAR_DNS64_SYNTHALL */ + YYSYMBOL_VAR_DNS64_IGNORE_AAAA = 167, /* VAR_DNS64_IGNORE_AAAA */ + YYSYMBOL_VAR_DNSTAP = 168, /* VAR_DNSTAP */ + YYSYMBOL_VAR_DNSTAP_ENABLE = 169, /* VAR_DNSTAP_ENABLE */ + YYSYMBOL_VAR_DNSTAP_SOCKET_PATH = 170, /* VAR_DNSTAP_SOCKET_PATH */ + YYSYMBOL_VAR_DNSTAP_IP = 171, /* VAR_DNSTAP_IP */ + YYSYMBOL_VAR_DNSTAP_TLS = 172, /* VAR_DNSTAP_TLS */ + YYSYMBOL_VAR_DNSTAP_TLS_SERVER_NAME = 173, /* VAR_DNSTAP_TLS_SERVER_NAME */ + YYSYMBOL_VAR_DNSTAP_TLS_CERT_BUNDLE = 174, /* VAR_DNSTAP_TLS_CERT_BUNDLE */ + YYSYMBOL_VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 175, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */ + YYSYMBOL_VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 176, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */ + YYSYMBOL_VAR_DNSTAP_SEND_IDENTITY = 177, /* VAR_DNSTAP_SEND_IDENTITY */ + YYSYMBOL_VAR_DNSTAP_SEND_VERSION = 178, /* VAR_DNSTAP_SEND_VERSION */ + YYSYMBOL_VAR_DNSTAP_BIDIRECTIONAL = 179, /* VAR_DNSTAP_BIDIRECTIONAL */ + YYSYMBOL_VAR_DNSTAP_IDENTITY = 180, /* VAR_DNSTAP_IDENTITY */ + YYSYMBOL_VAR_DNSTAP_VERSION = 181, /* VAR_DNSTAP_VERSION */ + YYSYMBOL_VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 182, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */ + YYSYMBOL_VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 183, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */ + YYSYMBOL_VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 184, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */ + YYSYMBOL_VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 185, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */ + YYSYMBOL_VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 
= 186, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */ + YYSYMBOL_VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 187, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */ + YYSYMBOL_VAR_RESPONSE_IP_TAG = 188, /* VAR_RESPONSE_IP_TAG */ + YYSYMBOL_VAR_RESPONSE_IP = 189, /* VAR_RESPONSE_IP */ + YYSYMBOL_VAR_RESPONSE_IP_DATA = 190, /* VAR_RESPONSE_IP_DATA */ + YYSYMBOL_VAR_HARDEN_ALGO_DOWNGRADE = 191, /* VAR_HARDEN_ALGO_DOWNGRADE */ + YYSYMBOL_VAR_IP_TRANSPARENT = 192, /* VAR_IP_TRANSPARENT */ + YYSYMBOL_VAR_IP_DSCP = 193, /* VAR_IP_DSCP */ + YYSYMBOL_VAR_DISABLE_DNSSEC_LAME_CHECK = 194, /* VAR_DISABLE_DNSSEC_LAME_CHECK */ + YYSYMBOL_VAR_IP_RATELIMIT = 195, /* VAR_IP_RATELIMIT */ + YYSYMBOL_VAR_IP_RATELIMIT_SLABS = 196, /* VAR_IP_RATELIMIT_SLABS */ + YYSYMBOL_VAR_IP_RATELIMIT_SIZE = 197, /* VAR_IP_RATELIMIT_SIZE */ + YYSYMBOL_VAR_RATELIMIT = 198, /* VAR_RATELIMIT */ + YYSYMBOL_VAR_RATELIMIT_SLABS = 199, /* VAR_RATELIMIT_SLABS */ + YYSYMBOL_VAR_RATELIMIT_SIZE = 200, /* VAR_RATELIMIT_SIZE */ + YYSYMBOL_VAR_OUTBOUND_MSG_RETRY = 201, /* VAR_OUTBOUND_MSG_RETRY */ + YYSYMBOL_VAR_RATELIMIT_FOR_DOMAIN = 202, /* VAR_RATELIMIT_FOR_DOMAIN */ + YYSYMBOL_VAR_RATELIMIT_BELOW_DOMAIN = 203, /* VAR_RATELIMIT_BELOW_DOMAIN */ + YYSYMBOL_VAR_IP_RATELIMIT_FACTOR = 204, /* VAR_IP_RATELIMIT_FACTOR */ + YYSYMBOL_VAR_RATELIMIT_FACTOR = 205, /* VAR_RATELIMIT_FACTOR */ + YYSYMBOL_VAR_IP_RATELIMIT_BACKOFF = 206, /* VAR_IP_RATELIMIT_BACKOFF */ + YYSYMBOL_VAR_RATELIMIT_BACKOFF = 207, /* VAR_RATELIMIT_BACKOFF */ + YYSYMBOL_VAR_SEND_CLIENT_SUBNET = 208, /* VAR_SEND_CLIENT_SUBNET */ + YYSYMBOL_VAR_CLIENT_SUBNET_ZONE = 209, /* VAR_CLIENT_SUBNET_ZONE */ + YYSYMBOL_VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 210, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */ + YYSYMBOL_VAR_CLIENT_SUBNET_OPCODE = 211, /* VAR_CLIENT_SUBNET_OPCODE */ + YYSYMBOL_VAR_MAX_CLIENT_SUBNET_IPV4 = 212, /* VAR_MAX_CLIENT_SUBNET_IPV4 */ + YYSYMBOL_VAR_MAX_CLIENT_SUBNET_IPV6 = 213, /* VAR_MAX_CLIENT_SUBNET_IPV6 */ + YYSYMBOL_VAR_MIN_CLIENT_SUBNET_IPV4 = 214, 
/* VAR_MIN_CLIENT_SUBNET_IPV4 */ + YYSYMBOL_VAR_MIN_CLIENT_SUBNET_IPV6 = 215, /* VAR_MIN_CLIENT_SUBNET_IPV6 */ + YYSYMBOL_VAR_MAX_ECS_TREE_SIZE_IPV4 = 216, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */ + YYSYMBOL_VAR_MAX_ECS_TREE_SIZE_IPV6 = 217, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */ + YYSYMBOL_VAR_CAPS_WHITELIST = 218, /* VAR_CAPS_WHITELIST */ + YYSYMBOL_VAR_CACHE_MAX_NEGATIVE_TTL = 219, /* VAR_CACHE_MAX_NEGATIVE_TTL */ + YYSYMBOL_VAR_PERMIT_SMALL_HOLDDOWN = 220, /* VAR_PERMIT_SMALL_HOLDDOWN */ + YYSYMBOL_VAR_QNAME_MINIMISATION = 221, /* VAR_QNAME_MINIMISATION */ + YYSYMBOL_VAR_QNAME_MINIMISATION_STRICT = 222, /* VAR_QNAME_MINIMISATION_STRICT */ + YYSYMBOL_VAR_IP_FREEBIND = 223, /* VAR_IP_FREEBIND */ + YYSYMBOL_VAR_DEFINE_TAG = 224, /* VAR_DEFINE_TAG */ + YYSYMBOL_VAR_LOCAL_ZONE_TAG = 225, /* VAR_LOCAL_ZONE_TAG */ + YYSYMBOL_VAR_ACCESS_CONTROL_TAG = 226, /* VAR_ACCESS_CONTROL_TAG */ + YYSYMBOL_VAR_LOCAL_ZONE_OVERRIDE = 227, /* VAR_LOCAL_ZONE_OVERRIDE */ + YYSYMBOL_VAR_ACCESS_CONTROL_TAG_ACTION = 228, /* VAR_ACCESS_CONTROL_TAG_ACTION */ + YYSYMBOL_VAR_ACCESS_CONTROL_TAG_DATA = 229, /* VAR_ACCESS_CONTROL_TAG_DATA */ + YYSYMBOL_VAR_VIEW = 230, /* VAR_VIEW */ + YYSYMBOL_VAR_ACCESS_CONTROL_VIEW = 231, /* VAR_ACCESS_CONTROL_VIEW */ + YYSYMBOL_VAR_VIEW_FIRST = 232, /* VAR_VIEW_FIRST */ + YYSYMBOL_VAR_SERVE_EXPIRED = 233, /* VAR_SERVE_EXPIRED */ + YYSYMBOL_VAR_SERVE_EXPIRED_TTL = 234, /* VAR_SERVE_EXPIRED_TTL */ + YYSYMBOL_VAR_SERVE_EXPIRED_TTL_RESET = 235, /* VAR_SERVE_EXPIRED_TTL_RESET */ + YYSYMBOL_VAR_SERVE_EXPIRED_REPLY_TTL = 236, /* VAR_SERVE_EXPIRED_REPLY_TTL */ + YYSYMBOL_VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 237, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */ + YYSYMBOL_VAR_SERVE_ORIGINAL_TTL = 238, /* VAR_SERVE_ORIGINAL_TTL */ + YYSYMBOL_VAR_FAKE_DSA = 239, /* VAR_FAKE_DSA */ + YYSYMBOL_VAR_FAKE_SHA1 = 240, /* VAR_FAKE_SHA1 */ + YYSYMBOL_VAR_LOG_IDENTITY = 241, /* VAR_LOG_IDENTITY */ + YYSYMBOL_VAR_HIDE_TRUSTANCHOR = 242, /* VAR_HIDE_TRUSTANCHOR */ + YYSYMBOL_VAR_HIDE_HTTP_USER_AGENT = 243, 
/* VAR_HIDE_HTTP_USER_AGENT */ + YYSYMBOL_VAR_HTTP_USER_AGENT = 244, /* VAR_HTTP_USER_AGENT */ + YYSYMBOL_VAR_TRUST_ANCHOR_SIGNALING = 245, /* VAR_TRUST_ANCHOR_SIGNALING */ + YYSYMBOL_VAR_AGGRESSIVE_NSEC = 246, /* VAR_AGGRESSIVE_NSEC */ + YYSYMBOL_VAR_USE_SYSTEMD = 247, /* VAR_USE_SYSTEMD */ + YYSYMBOL_VAR_SHM_ENABLE = 248, /* VAR_SHM_ENABLE */ + YYSYMBOL_VAR_SHM_KEY = 249, /* VAR_SHM_KEY */ + YYSYMBOL_VAR_ROOT_KEY_SENTINEL = 250, /* VAR_ROOT_KEY_SENTINEL */ + YYSYMBOL_VAR_DNSCRYPT = 251, /* VAR_DNSCRYPT */ + YYSYMBOL_VAR_DNSCRYPT_ENABLE = 252, /* VAR_DNSCRYPT_ENABLE */ + YYSYMBOL_VAR_DNSCRYPT_PORT = 253, /* VAR_DNSCRYPT_PORT */ + YYSYMBOL_VAR_DNSCRYPT_PROVIDER = 254, /* VAR_DNSCRYPT_PROVIDER */ + YYSYMBOL_VAR_DNSCRYPT_SECRET_KEY = 255, /* VAR_DNSCRYPT_SECRET_KEY */ + YYSYMBOL_VAR_DNSCRYPT_PROVIDER_CERT = 256, /* VAR_DNSCRYPT_PROVIDER_CERT */ + YYSYMBOL_VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 257, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */ + YYSYMBOL_VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 258, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */ + YYSYMBOL_VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 259, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */ + YYSYMBOL_VAR_DNSCRYPT_NONCE_CACHE_SIZE = 260, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */ + YYSYMBOL_VAR_DNSCRYPT_NONCE_CACHE_SLABS = 261, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */ + YYSYMBOL_VAR_PAD_RESPONSES = 262, /* VAR_PAD_RESPONSES */ + YYSYMBOL_VAR_PAD_RESPONSES_BLOCK_SIZE = 263, /* VAR_PAD_RESPONSES_BLOCK_SIZE */ + YYSYMBOL_VAR_PAD_QUERIES = 264, /* VAR_PAD_QUERIES */ + YYSYMBOL_VAR_PAD_QUERIES_BLOCK_SIZE = 265, /* VAR_PAD_QUERIES_BLOCK_SIZE */ + YYSYMBOL_VAR_IPSECMOD_ENABLED = 266, /* VAR_IPSECMOD_ENABLED */ + YYSYMBOL_VAR_IPSECMOD_HOOK = 267, /* VAR_IPSECMOD_HOOK */ + YYSYMBOL_VAR_IPSECMOD_IGNORE_BOGUS = 268, /* VAR_IPSECMOD_IGNORE_BOGUS */ + YYSYMBOL_VAR_IPSECMOD_MAX_TTL = 269, /* VAR_IPSECMOD_MAX_TTL */ + YYSYMBOL_VAR_IPSECMOD_WHITELIST = 270, /* VAR_IPSECMOD_WHITELIST */ + YYSYMBOL_VAR_IPSECMOD_STRICT = 271, /* VAR_IPSECMOD_STRICT */ 
+ YYSYMBOL_VAR_CACHEDB = 272, /* VAR_CACHEDB */ + YYSYMBOL_VAR_CACHEDB_BACKEND = 273, /* VAR_CACHEDB_BACKEND */ + YYSYMBOL_VAR_CACHEDB_SECRETSEED = 274, /* VAR_CACHEDB_SECRETSEED */ + YYSYMBOL_VAR_CACHEDB_REDISHOST = 275, /* VAR_CACHEDB_REDISHOST */ + YYSYMBOL_VAR_CACHEDB_REDISPORT = 276, /* VAR_CACHEDB_REDISPORT */ + YYSYMBOL_VAR_CACHEDB_REDISTIMEOUT = 277, /* VAR_CACHEDB_REDISTIMEOUT */ + YYSYMBOL_VAR_CACHEDB_REDISEXPIRERECORDS = 278, /* VAR_CACHEDB_REDISEXPIRERECORDS */ + YYSYMBOL_VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 279, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */ + YYSYMBOL_VAR_FOR_UPSTREAM = 280, /* VAR_FOR_UPSTREAM */ + YYSYMBOL_VAR_AUTH_ZONE = 281, /* VAR_AUTH_ZONE */ + YYSYMBOL_VAR_ZONEFILE = 282, /* VAR_ZONEFILE */ + YYSYMBOL_VAR_MASTER = 283, /* VAR_MASTER */ + YYSYMBOL_VAR_URL = 284, /* VAR_URL */ + YYSYMBOL_VAR_FOR_DOWNSTREAM = 285, /* VAR_FOR_DOWNSTREAM */ + YYSYMBOL_VAR_FALLBACK_ENABLED = 286, /* VAR_FALLBACK_ENABLED */ + YYSYMBOL_VAR_TLS_ADDITIONAL_PORT = 287, /* VAR_TLS_ADDITIONAL_PORT */ + YYSYMBOL_VAR_LOW_RTT = 288, /* VAR_LOW_RTT */ + YYSYMBOL_VAR_LOW_RTT_PERMIL = 289, /* VAR_LOW_RTT_PERMIL */ + YYSYMBOL_VAR_FAST_SERVER_PERMIL = 290, /* VAR_FAST_SERVER_PERMIL */ + YYSYMBOL_VAR_FAST_SERVER_NUM = 291, /* VAR_FAST_SERVER_NUM */ + YYSYMBOL_VAR_ALLOW_NOTIFY = 292, /* VAR_ALLOW_NOTIFY */ + YYSYMBOL_VAR_TLS_WIN_CERT = 293, /* VAR_TLS_WIN_CERT */ + YYSYMBOL_VAR_TCP_CONNECTION_LIMIT = 294, /* VAR_TCP_CONNECTION_LIMIT */ + YYSYMBOL_VAR_FORWARD_NO_CACHE = 295, /* VAR_FORWARD_NO_CACHE */ + YYSYMBOL_VAR_STUB_NO_CACHE = 296, /* VAR_STUB_NO_CACHE */ + YYSYMBOL_VAR_LOG_SERVFAIL = 297, /* VAR_LOG_SERVFAIL */ + YYSYMBOL_VAR_DENY_ANY = 298, /* VAR_DENY_ANY */ + YYSYMBOL_VAR_UNKNOWN_SERVER_TIME_LIMIT = 299, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */ + YYSYMBOL_VAR_LOG_TAG_QUERYREPLY = 300, /* VAR_LOG_TAG_QUERYREPLY */ + YYSYMBOL_VAR_STREAM_WAIT_SIZE = 301, /* VAR_STREAM_WAIT_SIZE */ + YYSYMBOL_VAR_TLS_CIPHERS = 302, /* VAR_TLS_CIPHERS */ + YYSYMBOL_VAR_TLS_CIPHERSUITES = 
303, /* VAR_TLS_CIPHERSUITES */ + YYSYMBOL_VAR_TLS_USE_SNI = 304, /* VAR_TLS_USE_SNI */ + YYSYMBOL_VAR_IPSET = 305, /* VAR_IPSET */ + YYSYMBOL_VAR_IPSET_NAME_V4 = 306, /* VAR_IPSET_NAME_V4 */ + YYSYMBOL_VAR_IPSET_NAME_V6 = 307, /* VAR_IPSET_NAME_V6 */ + YYSYMBOL_VAR_TLS_SESSION_TICKET_KEYS = 308, /* VAR_TLS_SESSION_TICKET_KEYS */ + YYSYMBOL_VAR_RPZ = 309, /* VAR_RPZ */ + YYSYMBOL_VAR_TAGS = 310, /* VAR_TAGS */ + YYSYMBOL_VAR_RPZ_ACTION_OVERRIDE = 311, /* VAR_RPZ_ACTION_OVERRIDE */ + YYSYMBOL_VAR_RPZ_CNAME_OVERRIDE = 312, /* VAR_RPZ_CNAME_OVERRIDE */ + YYSYMBOL_VAR_RPZ_LOG = 313, /* VAR_RPZ_LOG */ + YYSYMBOL_VAR_RPZ_LOG_NAME = 314, /* VAR_RPZ_LOG_NAME */ + YYSYMBOL_VAR_DYNLIB = 315, /* VAR_DYNLIB */ + YYSYMBOL_VAR_DYNLIB_FILE = 316, /* VAR_DYNLIB_FILE */ + YYSYMBOL_VAR_EDNS_CLIENT_STRING = 317, /* VAR_EDNS_CLIENT_STRING */ + YYSYMBOL_VAR_EDNS_CLIENT_STRING_OPCODE = 318, /* VAR_EDNS_CLIENT_STRING_OPCODE */ + YYSYMBOL_VAR_NSID = 319, /* VAR_NSID */ + YYSYMBOL_VAR_ZONEMD_PERMISSIVE_MODE = 320, /* VAR_ZONEMD_PERMISSIVE_MODE */ + YYSYMBOL_VAR_ZONEMD_CHECK = 321, /* VAR_ZONEMD_CHECK */ + YYSYMBOL_VAR_ZONEMD_REJECT_ABSENCE = 322, /* VAR_ZONEMD_REJECT_ABSENCE */ + YYSYMBOL_VAR_RPZ_SIGNAL_NXDOMAIN_RA = 323, /* VAR_RPZ_SIGNAL_NXDOMAIN_RA */ + YYSYMBOL_VAR_INTERFACE_AUTOMATIC_PORTS = 324, /* VAR_INTERFACE_AUTOMATIC_PORTS */ + YYSYMBOL_YYACCEPT = 325, /* $accept */ + YYSYMBOL_toplevelvars = 326, /* toplevelvars */ + YYSYMBOL_toplevelvar = 327, /* toplevelvar */ + YYSYMBOL_force_toplevel = 328, /* force_toplevel */ + YYSYMBOL_serverstart = 329, /* serverstart */ + YYSYMBOL_contents_server = 330, /* contents_server */ + YYSYMBOL_content_server = 331, /* content_server */ + YYSYMBOL_stubstart = 332, /* stubstart */ + YYSYMBOL_contents_stub = 333, /* contents_stub */ + YYSYMBOL_content_stub = 334, /* content_stub */ + YYSYMBOL_forwardstart = 335, /* forwardstart */ + YYSYMBOL_contents_forward = 336, /* contents_forward */ + YYSYMBOL_content_forward = 337, /* content_forward */ + 
YYSYMBOL_viewstart = 338, /* viewstart */ + YYSYMBOL_contents_view = 339, /* contents_view */ + YYSYMBOL_content_view = 340, /* content_view */ + YYSYMBOL_authstart = 341, /* authstart */ + YYSYMBOL_contents_auth = 342, /* contents_auth */ + YYSYMBOL_content_auth = 343, /* content_auth */ + YYSYMBOL_rpz_tag = 344, /* rpz_tag */ + YYSYMBOL_rpz_action_override = 345, /* rpz_action_override */ + YYSYMBOL_rpz_cname_override = 346, /* rpz_cname_override */ + YYSYMBOL_rpz_log = 347, /* rpz_log */ + YYSYMBOL_rpz_log_name = 348, /* rpz_log_name */ + YYSYMBOL_rpz_signal_nxdomain_ra = 349, /* rpz_signal_nxdomain_ra */ + YYSYMBOL_rpzstart = 350, /* rpzstart */ + YYSYMBOL_contents_rpz = 351, /* contents_rpz */ + YYSYMBOL_content_rpz = 352, /* content_rpz */ + YYSYMBOL_server_num_threads = 353, /* server_num_threads */ + YYSYMBOL_server_verbosity = 354, /* server_verbosity */ + YYSYMBOL_server_statistics_interval = 355, /* server_statistics_interval */ + YYSYMBOL_server_statistics_cumulative = 356, /* server_statistics_cumulative */ + YYSYMBOL_server_extended_statistics = 357, /* server_extended_statistics */ + YYSYMBOL_server_shm_enable = 358, /* server_shm_enable */ + YYSYMBOL_server_shm_key = 359, /* server_shm_key */ + YYSYMBOL_server_port = 360, /* server_port */ + YYSYMBOL_server_send_client_subnet = 361, /* server_send_client_subnet */ + YYSYMBOL_server_client_subnet_zone = 362, /* server_client_subnet_zone */ + YYSYMBOL_server_client_subnet_always_forward = 363, /* server_client_subnet_always_forward */ + YYSYMBOL_server_client_subnet_opcode = 364, /* server_client_subnet_opcode */ + YYSYMBOL_server_max_client_subnet_ipv4 = 365, /* server_max_client_subnet_ipv4 */ + YYSYMBOL_server_max_client_subnet_ipv6 = 366, /* server_max_client_subnet_ipv6 */ + YYSYMBOL_server_min_client_subnet_ipv4 = 367, /* server_min_client_subnet_ipv4 */ + YYSYMBOL_server_min_client_subnet_ipv6 = 368, /* server_min_client_subnet_ipv6 */ + YYSYMBOL_server_max_ecs_tree_size_ipv4 = 369, /* 
server_max_ecs_tree_size_ipv4 */ + YYSYMBOL_server_max_ecs_tree_size_ipv6 = 370, /* server_max_ecs_tree_size_ipv6 */ + YYSYMBOL_server_interface = 371, /* server_interface */ + YYSYMBOL_server_outgoing_interface = 372, /* server_outgoing_interface */ + YYSYMBOL_server_outgoing_range = 373, /* server_outgoing_range */ + YYSYMBOL_server_outgoing_port_permit = 374, /* server_outgoing_port_permit */ + YYSYMBOL_server_outgoing_port_avoid = 375, /* server_outgoing_port_avoid */ + YYSYMBOL_server_outgoing_num_tcp = 376, /* server_outgoing_num_tcp */ + YYSYMBOL_server_incoming_num_tcp = 377, /* server_incoming_num_tcp */ + YYSYMBOL_server_interface_automatic = 378, /* server_interface_automatic */ + YYSYMBOL_server_interface_automatic_ports = 379, /* server_interface_automatic_ports */ + YYSYMBOL_server_do_ip4 = 380, /* server_do_ip4 */ + YYSYMBOL_server_do_ip6 = 381, /* server_do_ip6 */ + YYSYMBOL_server_do_udp = 382, /* server_do_udp */ + YYSYMBOL_server_do_tcp = 383, /* server_do_tcp */ + YYSYMBOL_server_prefer_ip4 = 384, /* server_prefer_ip4 */ + YYSYMBOL_server_prefer_ip6 = 385, /* server_prefer_ip6 */ + YYSYMBOL_server_tcp_mss = 386, /* server_tcp_mss */ + YYSYMBOL_server_outgoing_tcp_mss = 387, /* server_outgoing_tcp_mss */ + YYSYMBOL_server_tcp_idle_timeout = 388, /* server_tcp_idle_timeout */ + YYSYMBOL_server_max_reuse_tcp_queries = 389, /* server_max_reuse_tcp_queries */ + YYSYMBOL_server_tcp_reuse_timeout = 390, /* server_tcp_reuse_timeout */ + YYSYMBOL_server_tcp_auth_query_timeout = 391, /* server_tcp_auth_query_timeout */ + YYSYMBOL_server_tcp_keepalive = 392, /* server_tcp_keepalive */ + YYSYMBOL_server_tcp_keepalive_timeout = 393, /* server_tcp_keepalive_timeout */ + YYSYMBOL_server_tcp_upstream = 394, /* server_tcp_upstream */ + YYSYMBOL_server_udp_upstream_without_downstream = 395, /* server_udp_upstream_without_downstream */ + YYSYMBOL_server_ssl_upstream = 396, /* server_ssl_upstream */ + YYSYMBOL_server_ssl_service_key = 397, /* server_ssl_service_key 
*/ + YYSYMBOL_server_ssl_service_pem = 398, /* server_ssl_service_pem */ + YYSYMBOL_server_ssl_port = 399, /* server_ssl_port */ + YYSYMBOL_server_tls_cert_bundle = 400, /* server_tls_cert_bundle */ + YYSYMBOL_server_tls_win_cert = 401, /* server_tls_win_cert */ + YYSYMBOL_server_tls_additional_port = 402, /* server_tls_additional_port */ + YYSYMBOL_server_tls_ciphers = 403, /* server_tls_ciphers */ + YYSYMBOL_server_tls_ciphersuites = 404, /* server_tls_ciphersuites */ + YYSYMBOL_server_tls_session_ticket_keys = 405, /* server_tls_session_ticket_keys */ + YYSYMBOL_server_tls_use_sni = 406, /* server_tls_use_sni */ + YYSYMBOL_server_https_port = 407, /* server_https_port */ + YYSYMBOL_server_http_endpoint = 408, /* server_http_endpoint */ + YYSYMBOL_server_http_max_streams = 409, /* server_http_max_streams */ + YYSYMBOL_server_http_query_buffer_size = 410, /* server_http_query_buffer_size */ + YYSYMBOL_server_http_response_buffer_size = 411, /* server_http_response_buffer_size */ + YYSYMBOL_server_http_nodelay = 412, /* server_http_nodelay */ + YYSYMBOL_server_http_notls_downstream = 413, /* server_http_notls_downstream */ + YYSYMBOL_server_use_systemd = 414, /* server_use_systemd */ + YYSYMBOL_server_do_daemonize = 415, /* server_do_daemonize */ + YYSYMBOL_server_use_syslog = 416, /* server_use_syslog */ + YYSYMBOL_server_log_time_ascii = 417, /* server_log_time_ascii */ + YYSYMBOL_server_log_queries = 418, /* server_log_queries */ + YYSYMBOL_server_log_replies = 419, /* server_log_replies */ + YYSYMBOL_server_log_tag_queryreply = 420, /* server_log_tag_queryreply */ + YYSYMBOL_server_log_servfail = 421, /* server_log_servfail */ + YYSYMBOL_server_log_local_actions = 422, /* server_log_local_actions */ + YYSYMBOL_server_chroot = 423, /* server_chroot */ + YYSYMBOL_server_username = 424, /* server_username */ + YYSYMBOL_server_directory = 425, /* server_directory */ + YYSYMBOL_server_logfile = 426, /* server_logfile */ + YYSYMBOL_server_pidfile = 427, /* 
server_pidfile */ + YYSYMBOL_server_root_hints = 428, /* server_root_hints */ + YYSYMBOL_server_dlv_anchor_file = 429, /* server_dlv_anchor_file */ + YYSYMBOL_server_dlv_anchor = 430, /* server_dlv_anchor */ + YYSYMBOL_server_auto_trust_anchor_file = 431, /* server_auto_trust_anchor_file */ + YYSYMBOL_server_trust_anchor_file = 432, /* server_trust_anchor_file */ + YYSYMBOL_server_trusted_keys_file = 433, /* server_trusted_keys_file */ + YYSYMBOL_server_trust_anchor = 434, /* server_trust_anchor */ + YYSYMBOL_server_trust_anchor_signaling = 435, /* server_trust_anchor_signaling */ + YYSYMBOL_server_root_key_sentinel = 436, /* server_root_key_sentinel */ + YYSYMBOL_server_domain_insecure = 437, /* server_domain_insecure */ + YYSYMBOL_server_hide_identity = 438, /* server_hide_identity */ + YYSYMBOL_server_hide_version = 439, /* server_hide_version */ + YYSYMBOL_server_hide_trustanchor = 440, /* server_hide_trustanchor */ + YYSYMBOL_server_hide_http_user_agent = 441, /* server_hide_http_user_agent */ + YYSYMBOL_server_identity = 442, /* server_identity */ + YYSYMBOL_server_version = 443, /* server_version */ + YYSYMBOL_server_http_user_agent = 444, /* server_http_user_agent */ + YYSYMBOL_server_nsid = 445, /* server_nsid */ + YYSYMBOL_server_so_rcvbuf = 446, /* server_so_rcvbuf */ + YYSYMBOL_server_so_sndbuf = 447, /* server_so_sndbuf */ + YYSYMBOL_server_so_reuseport = 448, /* server_so_reuseport */ + YYSYMBOL_server_ip_transparent = 449, /* server_ip_transparent */ + YYSYMBOL_server_ip_freebind = 450, /* server_ip_freebind */ + YYSYMBOL_server_ip_dscp = 451, /* server_ip_dscp */ + YYSYMBOL_server_stream_wait_size = 452, /* server_stream_wait_size */ + YYSYMBOL_server_edns_buffer_size = 453, /* server_edns_buffer_size */ + YYSYMBOL_server_msg_buffer_size = 454, /* server_msg_buffer_size */ + YYSYMBOL_server_msg_cache_size = 455, /* server_msg_cache_size */ + YYSYMBOL_server_msg_cache_slabs = 456, /* server_msg_cache_slabs */ + YYSYMBOL_server_num_queries_per_thread 
= 457, /* server_num_queries_per_thread */ + YYSYMBOL_server_jostle_timeout = 458, /* server_jostle_timeout */ + YYSYMBOL_server_delay_close = 459, /* server_delay_close */ + YYSYMBOL_server_udp_connect = 460, /* server_udp_connect */ + YYSYMBOL_server_unblock_lan_zones = 461, /* server_unblock_lan_zones */ + YYSYMBOL_server_insecure_lan_zones = 462, /* server_insecure_lan_zones */ + YYSYMBOL_server_rrset_cache_size = 463, /* server_rrset_cache_size */ + YYSYMBOL_server_rrset_cache_slabs = 464, /* server_rrset_cache_slabs */ + YYSYMBOL_server_infra_host_ttl = 465, /* server_infra_host_ttl */ + YYSYMBOL_server_infra_lame_ttl = 466, /* server_infra_lame_ttl */ + YYSYMBOL_server_infra_cache_numhosts = 467, /* server_infra_cache_numhosts */ + YYSYMBOL_server_infra_cache_lame_size = 468, /* server_infra_cache_lame_size */ + YYSYMBOL_server_infra_cache_slabs = 469, /* server_infra_cache_slabs */ + YYSYMBOL_server_infra_cache_min_rtt = 470, /* server_infra_cache_min_rtt */ + YYSYMBOL_server_infra_keep_probing = 471, /* server_infra_keep_probing */ + YYSYMBOL_server_target_fetch_policy = 472, /* server_target_fetch_policy */ + YYSYMBOL_server_harden_short_bufsize = 473, /* server_harden_short_bufsize */ + YYSYMBOL_server_harden_large_queries = 474, /* server_harden_large_queries */ + YYSYMBOL_server_harden_glue = 475, /* server_harden_glue */ + YYSYMBOL_server_harden_dnssec_stripped = 476, /* server_harden_dnssec_stripped */ + YYSYMBOL_server_harden_below_nxdomain = 477, /* server_harden_below_nxdomain */ + YYSYMBOL_server_harden_referral_path = 478, /* server_harden_referral_path */ + YYSYMBOL_server_harden_algo_downgrade = 479, /* server_harden_algo_downgrade */ + YYSYMBOL_server_use_caps_for_id = 480, /* server_use_caps_for_id */ + YYSYMBOL_server_caps_whitelist = 481, /* server_caps_whitelist */ + YYSYMBOL_server_private_address = 482, /* server_private_address */ + YYSYMBOL_server_private_domain = 483, /* server_private_domain */ + YYSYMBOL_server_prefetch = 484, /* 
server_prefetch */ + YYSYMBOL_server_prefetch_key = 485, /* server_prefetch_key */ + YYSYMBOL_server_deny_any = 486, /* server_deny_any */ + YYSYMBOL_server_unwanted_reply_threshold = 487, /* server_unwanted_reply_threshold */ + YYSYMBOL_server_do_not_query_address = 488, /* server_do_not_query_address */ + YYSYMBOL_server_do_not_query_localhost = 489, /* server_do_not_query_localhost */ + YYSYMBOL_server_access_control = 490, /* server_access_control */ + YYSYMBOL_server_module_conf = 491, /* server_module_conf */ + YYSYMBOL_server_val_override_date = 492, /* server_val_override_date */ + YYSYMBOL_server_val_sig_skew_min = 493, /* server_val_sig_skew_min */ + YYSYMBOL_server_val_sig_skew_max = 494, /* server_val_sig_skew_max */ + YYSYMBOL_server_val_max_restart = 495, /* server_val_max_restart */ + YYSYMBOL_server_cache_max_ttl = 496, /* server_cache_max_ttl */ + YYSYMBOL_server_cache_max_negative_ttl = 497, /* server_cache_max_negative_ttl */ + YYSYMBOL_server_cache_min_ttl = 498, /* server_cache_min_ttl */ + YYSYMBOL_server_bogus_ttl = 499, /* server_bogus_ttl */ + YYSYMBOL_server_val_clean_additional = 500, /* server_val_clean_additional */ + YYSYMBOL_server_val_permissive_mode = 501, /* server_val_permissive_mode */ + YYSYMBOL_server_aggressive_nsec = 502, /* server_aggressive_nsec */ + YYSYMBOL_server_ignore_cd_flag = 503, /* server_ignore_cd_flag */ + YYSYMBOL_server_serve_expired = 504, /* server_serve_expired */ + YYSYMBOL_server_serve_expired_ttl = 505, /* server_serve_expired_ttl */ + YYSYMBOL_server_serve_expired_ttl_reset = 506, /* server_serve_expired_ttl_reset */ + YYSYMBOL_server_serve_expired_reply_ttl = 507, /* server_serve_expired_reply_ttl */ + YYSYMBOL_server_serve_expired_client_timeout = 508, /* server_serve_expired_client_timeout */ + YYSYMBOL_server_serve_original_ttl = 509, /* server_serve_original_ttl */ + YYSYMBOL_server_fake_dsa = 510, /* server_fake_dsa */ + YYSYMBOL_server_fake_sha1 = 511, /* server_fake_sha1 */ + 
YYSYMBOL_server_val_log_level = 512, /* server_val_log_level */ + YYSYMBOL_server_val_nsec3_keysize_iterations = 513, /* server_val_nsec3_keysize_iterations */ + YYSYMBOL_server_zonemd_permissive_mode = 514, /* server_zonemd_permissive_mode */ + YYSYMBOL_server_add_holddown = 515, /* server_add_holddown */ + YYSYMBOL_server_del_holddown = 516, /* server_del_holddown */ + YYSYMBOL_server_keep_missing = 517, /* server_keep_missing */ + YYSYMBOL_server_permit_small_holddown = 518, /* server_permit_small_holddown */ + YYSYMBOL_server_key_cache_size = 519, /* server_key_cache_size */ + YYSYMBOL_server_key_cache_slabs = 520, /* server_key_cache_slabs */ + YYSYMBOL_server_neg_cache_size = 521, /* server_neg_cache_size */ + YYSYMBOL_server_local_zone = 522, /* server_local_zone */ + YYSYMBOL_server_local_data = 523, /* server_local_data */ + YYSYMBOL_server_local_data_ptr = 524, /* server_local_data_ptr */ + YYSYMBOL_server_minimal_responses = 525, /* server_minimal_responses */ + YYSYMBOL_server_rrset_roundrobin = 526, /* server_rrset_roundrobin */ + YYSYMBOL_server_unknown_server_time_limit = 527, /* server_unknown_server_time_limit */ + YYSYMBOL_server_max_udp_size = 528, /* server_max_udp_size */ + YYSYMBOL_server_dns64_prefix = 529, /* server_dns64_prefix */ + YYSYMBOL_server_dns64_synthall = 530, /* server_dns64_synthall */ + YYSYMBOL_server_dns64_ignore_aaaa = 531, /* server_dns64_ignore_aaaa */ + YYSYMBOL_server_define_tag = 532, /* server_define_tag */ + YYSYMBOL_server_local_zone_tag = 533, /* server_local_zone_tag */ + YYSYMBOL_server_access_control_tag = 534, /* server_access_control_tag */ + YYSYMBOL_server_access_control_tag_action = 535, /* server_access_control_tag_action */ + YYSYMBOL_server_access_control_tag_data = 536, /* server_access_control_tag_data */ + YYSYMBOL_server_local_zone_override = 537, /* server_local_zone_override */ + YYSYMBOL_server_access_control_view = 538, /* server_access_control_view */ + YYSYMBOL_server_response_ip_tag = 539, /* 
server_response_ip_tag */ + YYSYMBOL_server_ip_ratelimit = 540, /* server_ip_ratelimit */ + YYSYMBOL_server_ratelimit = 541, /* server_ratelimit */ + YYSYMBOL_server_ip_ratelimit_size = 542, /* server_ip_ratelimit_size */ + YYSYMBOL_server_ratelimit_size = 543, /* server_ratelimit_size */ + YYSYMBOL_server_ip_ratelimit_slabs = 544, /* server_ip_ratelimit_slabs */ + YYSYMBOL_server_ratelimit_slabs = 545, /* server_ratelimit_slabs */ + YYSYMBOL_server_ratelimit_for_domain = 546, /* server_ratelimit_for_domain */ + YYSYMBOL_server_ratelimit_below_domain = 547, /* server_ratelimit_below_domain */ + YYSYMBOL_server_ip_ratelimit_factor = 548, /* server_ip_ratelimit_factor */ + YYSYMBOL_server_ratelimit_factor = 549, /* server_ratelimit_factor */ + YYSYMBOL_server_ip_ratelimit_backoff = 550, /* server_ip_ratelimit_backoff */ + YYSYMBOL_server_ratelimit_backoff = 551, /* server_ratelimit_backoff */ + YYSYMBOL_server_outbound_msg_retry = 552, /* server_outbound_msg_retry */ + YYSYMBOL_server_low_rtt = 553, /* server_low_rtt */ + YYSYMBOL_server_fast_server_num = 554, /* server_fast_server_num */ + YYSYMBOL_server_fast_server_permil = 555, /* server_fast_server_permil */ + YYSYMBOL_server_qname_minimisation = 556, /* server_qname_minimisation */ + YYSYMBOL_server_qname_minimisation_strict = 557, /* server_qname_minimisation_strict */ + YYSYMBOL_server_pad_responses = 558, /* server_pad_responses */ + YYSYMBOL_server_pad_responses_block_size = 559, /* server_pad_responses_block_size */ + YYSYMBOL_server_pad_queries = 560, /* server_pad_queries */ + YYSYMBOL_server_pad_queries_block_size = 561, /* server_pad_queries_block_size */ + YYSYMBOL_server_ipsecmod_enabled = 562, /* server_ipsecmod_enabled */ + YYSYMBOL_server_ipsecmod_ignore_bogus = 563, /* server_ipsecmod_ignore_bogus */ + YYSYMBOL_server_ipsecmod_hook = 564, /* server_ipsecmod_hook */ + YYSYMBOL_server_ipsecmod_max_ttl = 565, /* server_ipsecmod_max_ttl */ + YYSYMBOL_server_ipsecmod_whitelist = 566, /* 
server_ipsecmod_whitelist */ + YYSYMBOL_server_ipsecmod_strict = 567, /* server_ipsecmod_strict */ + YYSYMBOL_server_edns_client_string = 568, /* server_edns_client_string */ + YYSYMBOL_server_edns_client_string_opcode = 569, /* server_edns_client_string_opcode */ + YYSYMBOL_stub_name = 570, /* stub_name */ + YYSYMBOL_stub_host = 571, /* stub_host */ + YYSYMBOL_stub_addr = 572, /* stub_addr */ + YYSYMBOL_stub_first = 573, /* stub_first */ + YYSYMBOL_stub_no_cache = 574, /* stub_no_cache */ + YYSYMBOL_stub_ssl_upstream = 575, /* stub_ssl_upstream */ + YYSYMBOL_stub_tcp_upstream = 576, /* stub_tcp_upstream */ + YYSYMBOL_stub_prime = 577, /* stub_prime */ + YYSYMBOL_forward_name = 578, /* forward_name */ + YYSYMBOL_forward_host = 579, /* forward_host */ + YYSYMBOL_forward_addr = 580, /* forward_addr */ + YYSYMBOL_forward_first = 581, /* forward_first */ + YYSYMBOL_forward_no_cache = 582, /* forward_no_cache */ + YYSYMBOL_forward_ssl_upstream = 583, /* forward_ssl_upstream */ + YYSYMBOL_forward_tcp_upstream = 584, /* forward_tcp_upstream */ + YYSYMBOL_auth_name = 585, /* auth_name */ + YYSYMBOL_auth_zonefile = 586, /* auth_zonefile */ + YYSYMBOL_auth_master = 587, /* auth_master */ + YYSYMBOL_auth_url = 588, /* auth_url */ + YYSYMBOL_auth_allow_notify = 589, /* auth_allow_notify */ + YYSYMBOL_auth_zonemd_check = 590, /* auth_zonemd_check */ + YYSYMBOL_auth_zonemd_reject_absence = 591, /* auth_zonemd_reject_absence */ + YYSYMBOL_auth_for_downstream = 592, /* auth_for_downstream */ + YYSYMBOL_auth_for_upstream = 593, /* auth_for_upstream */ + YYSYMBOL_auth_fallback_enabled = 594, /* auth_fallback_enabled */ + YYSYMBOL_view_name = 595, /* view_name */ + YYSYMBOL_view_local_zone = 596, /* view_local_zone */ + YYSYMBOL_view_response_ip = 597, /* view_response_ip */ + YYSYMBOL_view_response_ip_data = 598, /* view_response_ip_data */ + YYSYMBOL_view_local_data = 599, /* view_local_data */ + YYSYMBOL_view_local_data_ptr = 600, /* view_local_data_ptr */ + YYSYMBOL_view_first = 
601, /* view_first */ + YYSYMBOL_rcstart = 602, /* rcstart */ + YYSYMBOL_contents_rc = 603, /* contents_rc */ + YYSYMBOL_content_rc = 604, /* content_rc */ + YYSYMBOL_rc_control_enable = 605, /* rc_control_enable */ + YYSYMBOL_rc_control_port = 606, /* rc_control_port */ + YYSYMBOL_rc_control_interface = 607, /* rc_control_interface */ + YYSYMBOL_rc_control_use_cert = 608, /* rc_control_use_cert */ + YYSYMBOL_rc_server_key_file = 609, /* rc_server_key_file */ + YYSYMBOL_rc_server_cert_file = 610, /* rc_server_cert_file */ + YYSYMBOL_rc_control_key_file = 611, /* rc_control_key_file */ + YYSYMBOL_rc_control_cert_file = 612, /* rc_control_cert_file */ + YYSYMBOL_dtstart = 613, /* dtstart */ + YYSYMBOL_contents_dt = 614, /* contents_dt */ + YYSYMBOL_content_dt = 615, /* content_dt */ + YYSYMBOL_dt_dnstap_enable = 616, /* dt_dnstap_enable */ + YYSYMBOL_dt_dnstap_bidirectional = 617, /* dt_dnstap_bidirectional */ + YYSYMBOL_dt_dnstap_socket_path = 618, /* dt_dnstap_socket_path */ + YYSYMBOL_dt_dnstap_ip = 619, /* dt_dnstap_ip */ + YYSYMBOL_dt_dnstap_tls = 620, /* dt_dnstap_tls */ + YYSYMBOL_dt_dnstap_tls_server_name = 621, /* dt_dnstap_tls_server_name */ + YYSYMBOL_dt_dnstap_tls_cert_bundle = 622, /* dt_dnstap_tls_cert_bundle */ + YYSYMBOL_dt_dnstap_tls_client_key_file = 623, /* dt_dnstap_tls_client_key_file */ + YYSYMBOL_dt_dnstap_tls_client_cert_file = 624, /* dt_dnstap_tls_client_cert_file */ + YYSYMBOL_dt_dnstap_send_identity = 625, /* dt_dnstap_send_identity */ + YYSYMBOL_dt_dnstap_send_version = 626, /* dt_dnstap_send_version */ + YYSYMBOL_dt_dnstap_identity = 627, /* dt_dnstap_identity */ + YYSYMBOL_dt_dnstap_version = 628, /* dt_dnstap_version */ + YYSYMBOL_dt_dnstap_log_resolver_query_messages = 629, /* dt_dnstap_log_resolver_query_messages */ + YYSYMBOL_dt_dnstap_log_resolver_response_messages = 630, /* dt_dnstap_log_resolver_response_messages */ + YYSYMBOL_dt_dnstap_log_client_query_messages = 631, /* dt_dnstap_log_client_query_messages */ + 
YYSYMBOL_dt_dnstap_log_client_response_messages = 632, /* dt_dnstap_log_client_response_messages */ + YYSYMBOL_dt_dnstap_log_forwarder_query_messages = 633, /* dt_dnstap_log_forwarder_query_messages */ + YYSYMBOL_dt_dnstap_log_forwarder_response_messages = 634, /* dt_dnstap_log_forwarder_response_messages */ + YYSYMBOL_pythonstart = 635, /* pythonstart */ + YYSYMBOL_contents_py = 636, /* contents_py */ + YYSYMBOL_content_py = 637, /* content_py */ + YYSYMBOL_py_script = 638, /* py_script */ + YYSYMBOL_dynlibstart = 639, /* dynlibstart */ + YYSYMBOL_contents_dl = 640, /* contents_dl */ + YYSYMBOL_content_dl = 641, /* content_dl */ + YYSYMBOL_dl_file = 642, /* dl_file */ + YYSYMBOL_server_disable_dnssec_lame_check = 643, /* server_disable_dnssec_lame_check */ + YYSYMBOL_server_log_identity = 644, /* server_log_identity */ + YYSYMBOL_server_response_ip = 645, /* server_response_ip */ + YYSYMBOL_server_response_ip_data = 646, /* server_response_ip_data */ + YYSYMBOL_dnscstart = 647, /* dnscstart */ + YYSYMBOL_contents_dnsc = 648, /* contents_dnsc */ + YYSYMBOL_content_dnsc = 649, /* content_dnsc */ + YYSYMBOL_dnsc_dnscrypt_enable = 650, /* dnsc_dnscrypt_enable */ + YYSYMBOL_dnsc_dnscrypt_port = 651, /* dnsc_dnscrypt_port */ + YYSYMBOL_dnsc_dnscrypt_provider = 652, /* dnsc_dnscrypt_provider */ + YYSYMBOL_dnsc_dnscrypt_provider_cert = 653, /* dnsc_dnscrypt_provider_cert */ + YYSYMBOL_dnsc_dnscrypt_provider_cert_rotated = 654, /* dnsc_dnscrypt_provider_cert_rotated */ + YYSYMBOL_dnsc_dnscrypt_secret_key = 655, /* dnsc_dnscrypt_secret_key */ + YYSYMBOL_dnsc_dnscrypt_shared_secret_cache_size = 656, /* dnsc_dnscrypt_shared_secret_cache_size */ + YYSYMBOL_dnsc_dnscrypt_shared_secret_cache_slabs = 657, /* dnsc_dnscrypt_shared_secret_cache_slabs */ + YYSYMBOL_dnsc_dnscrypt_nonce_cache_size = 658, /* dnsc_dnscrypt_nonce_cache_size */ + YYSYMBOL_dnsc_dnscrypt_nonce_cache_slabs = 659, /* dnsc_dnscrypt_nonce_cache_slabs */ + YYSYMBOL_cachedbstart = 660, /* cachedbstart */ + 
YYSYMBOL_contents_cachedb = 661, /* contents_cachedb */ + YYSYMBOL_content_cachedb = 662, /* content_cachedb */ + YYSYMBOL_cachedb_backend_name = 663, /* cachedb_backend_name */ + YYSYMBOL_cachedb_secret_seed = 664, /* cachedb_secret_seed */ + YYSYMBOL_redis_server_host = 665, /* redis_server_host */ + YYSYMBOL_redis_server_port = 666, /* redis_server_port */ + YYSYMBOL_redis_timeout = 667, /* redis_timeout */ + YYSYMBOL_redis_expire_records = 668, /* redis_expire_records */ + YYSYMBOL_server_tcp_connection_limit = 669, /* server_tcp_connection_limit */ + YYSYMBOL_ipsetstart = 670, /* ipsetstart */ + YYSYMBOL_contents_ipset = 671, /* contents_ipset */ + YYSYMBOL_content_ipset = 672, /* content_ipset */ + YYSYMBOL_ipset_name_v4 = 673, /* ipset_name_v4 */ + YYSYMBOL_ipset_name_v6 = 674 /* ipset_name_v6 */ }; typedef enum yysymbol_kind_t yysymbol_kind_t; @@ -1480,6 +842,18 @@ typedef int_least16_t yytype_int16; typedef short yytype_int16; #endif +/* Work around bug in HP-UX 11.23, which defines these macros + incorrectly for preprocessor constants. This workaround can likely + be removed in 2023, as HPE has promised support for HP-UX 11.23 + (aka HP-UX 11i v2) only through the end of 2022; see Table 2 of + . */ +#ifdef __hpux +# undef UINT_LEAST8_MAX +# undef UINT_LEAST16_MAX +# define UINT_LEAST8_MAX 255 +# define UINT_LEAST16_MAX 65535 +#endif + #if defined __UINT_LEAST8_MAX__ && __UINT_LEAST8_MAX__ <= __INT_MAX__ typedef __UINT_LEAST8_TYPE__ yytype_uint8; #elif (!defined __UINT_LEAST8_MAX__ && defined YY_STDINT_H \ @@ -1577,9 +951,9 @@ typedef int yy_state_fast_t; /* Suppress unused-variable warnings by "using" E. */ #if ! defined lint || defined __GNUC__ -# define YYUSE(E) ((void) (E)) +# define YY_USE(E) ((void) (E)) #else -# define YYUSE(E) /* empty */ +# define YY_USE(E) /* empty */ #endif #if defined __GNUC__ && ! defined __ICC && 407 <= __GNUC__ * 100 + __GNUC_MINOR__ 
@@ -1746,18 +1120,19 @@ union yyalloc /* YYFINAL -- State number of the termination state. */ #define YYFINAL 2 /* YYLAST -- Last index in YYTABLE. */ -#define YYLAST 657 +#define YYLAST 689 /* YYNTOKENS -- Number of terminals. */ -#define YYNTOKENS 311 +#define YYNTOKENS 325 /* YYNNTS -- Number of nonterminals. */ -#define YYNNTS 336 +#define YYNNTS 350 /* YYNRULES -- Number of rules. */ -#define YYNRULES 648 +#define YYNRULES 677 /* YYNSTATES -- Number of states. */ -#define YYNSTATES 963 +#define YYNSTATES 1006 -#define YYMAXUTOK 565 +/* YYMAXUTOK -- Last valid token kind. */ +#define YYMAXUTOK 579 /* YYTRANSLATE(TOKEN-NUM) -- Symbol number corresponding to TOKEN-NUM 
@@ -1827,78 +1202,82 @@ static const yytype_int16 yytranslate[] = 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, - 305, 306, 307, 308, 309, 310 + 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, + 315, 316, 317, 318, 319, 320, 321, 322, 323, 324 }; #if YYDEBUG /* YYRLINE[YYN] -- Source line where rule number YYN was defined. */ static const yytype_int16 yyrline[] = { - 0, 188, 188, 188, 189, 189, 190, 190, 191, 191, - 191, 192, 192, 193, 193, 194, 194, 195, 197, 203, - 208, 209, 210, 210, 210, 211, 211, 212, 212, 212, - 213, 213, 214, 214, 214, 215, 215, 216, 216, 216, - 217, 217, 217, 218, 218, 219, 219, 220, 220, 221, - 221, 222, 222, 223, 223, 224, 224, 225, 225, 226, - 226, 226, 227, 227, 227, 228, 228, 228, 229, 229, - 230, 230, 231, 231, 232, 232, 233, 233, 233, 234, - 234, 235, 235, 236, 236, 236, 237, 237, 238, 238, - 239, 239, 240, 240, 240, 241, 241, 242, 242, 243, - 243, 244, 244, 245, 245, 246, 246, 246, 247, 247, - 248, 248, 248, 249, 249, 249, 250, 250, 250, 251, - 251, 251, 251, 252, 253, 253, 253, 254, 254, 254, - 255, 255, 256, 256, 257, 257, 257, 258, 258, 258, - 259, 259, 260, 260, 260, 261, 261, 262, 262, 262, - 263, 263, 264, 264, 265, 265, 266, 267, 267, 268, - 268, 269, 269, 270, 271, 271, 272, 272, 273, 273, - 274, 274, 275, 275, 276, 276, 276, 277, 277, 278, - 278, 279, 279, 280, 281, 281, 282, 282, 283, 284, - 284, 285, 285, 286, 286, 287, 287, 288, 288, 288, - 289, 289, 289, 290, 290, 291, 292, 292, 293, 293, - 294, 294, 295, 295, 296, 296, 296, 297, 297, 297, - 298, 298, 298, 299, 299, 300, 300, 301, 301, 302, - 302, 303, 303, 304, 306, 318, 319, 320, 320, 320, - 320, 320, 321, 321, 323, 335, 336, 337, 337, 337, - 337, 338, 338, 340, 354, 355, 356, 356, 356, 356, - 357, 357, 357, 359, 377, 378, 379, 379, 379, 379, - 380, 380, 380, 381, 381, 384, 403, 420, 428, 438, - 446, 463, 464, 465, 465, 465, 465, 465, 466, 466, - 466, 467, 467, 
469, 478, 487, 498, 507, 516, 525, - 536, 545, 557, 571, 586, 597, 614, 631, 648, 665, - 680, 695, 708, 723, 732, 741, 750, 759, 768, 777, - 786, 795, 804, 813, 822, 831, 840, 849, 862, 871, - 884, 893, 902, 911, 918, 925, 934, 941, 950, 958, - 965, 972, 980, 989, 997, 1013, 1021, 1029, 1037, 1045, - 1053, 1062, 1071, 1085, 1094, 1103, 1112, 1121, 1130, 1139, - 1146, 1153, 1179, 1187, 1194, 1201, 1208, 1215, 1223, 1231, - 1239, 1246, 1257, 1268, 1275, 1284, 1293, 1302, 1309, 1316, - 1332, 1340, 1348, 1358, 1368, 1378, 1392, 1400, 1413, 1424, - 1432, 1445, 1454, 1463, 1472, 1481, 1491, 1501, 1509, 1522, - 1531, 1539, 1548, 1556, 1569, 1578, 1588, 1595, 1605, 1615, - 1625, 1635, 1645, 1655, 1665, 1675, 1682, 1689, 1696, 1705, - 1714, 1723, 1732, 1739, 1749, 1769, 1776, 1794, 1807, 1820, - 1829, 1838, 1847, 1856, 1866, 1876, 1887, 1896, 1905, 1914, - 1923, 1932, 1941, 1950, 1963, 1976, 1985, 1992, 2001, 2010, - 2019, 2028, 2037, 2045, 2058, 2066, 2111, 2118, 2133, 2143, - 2153, 2160, 2167, 2174, 2183, 2191, 2205, 2226, 2247, 2259, - 2271, 2283, 2292, 2313, 2323, 2332, 2340, 2348, 2361, 2374, - 2389, 2404, 2413, 2422, 2428, 2437, 2446, 2456, 2466, 2476, - 2485, 2495, 2504, 2517, 2530, 2542, 2556, 2568, 2582, 2591, - 2603, 2613, 2620, 2627, 2636, 2645, 2655, 2665, 2675, 2682, - 2689, 2698, 2707, 2717, 2727, 2734, 2741, 2748, 2756, 2766, - 2776, 2786, 2796, 2806, 2845, 2855, 2863, 2871, 2886, 2895, - 2900, 2901, 2902, 2902, 2902, 2903, 2903, 2903, 2904, 2904, - 2906, 2916, 2925, 2932, 2939, 2946, 2953, 2960, 2967, 2972, - 2973, 2974, 2974, 2974, 2975, 2975, 2975, 2976, 2977, 2977, - 2978, 2978, 2979, 2979, 2980, 2981, 2982, 2983, 2984, 2985, - 2987, 2996, 3006, 3013, 3020, 3029, 3036, 3043, 3050, 3057, - 3066, 3075, 3082, 3089, 3099, 3109, 3119, 3129, 3139, 3149, - 3154, 3155, 3156, 3158, 3164, 3169, 3170, 3171, 3173, 3179, - 3189, 3196, 3205, 3213, 3218, 3219, 3221, 3221, 3221, 3222, - 3222, 3223, 3224, 3225, 3226, 3227, 3229, 3239, 3248, 3255, - 3264, 3271, 3280, 3288, 
3301, 3309, 3322, 3327, 3328, 3329, - 3329, 3330, 3330, 3330, 3331, 3333, 3345, 3357, 3369, 3384, - 3397, 3410, 3421, 3426, 3427, 3428, 3428, 3430, 3445 + 0, 194, 194, 194, 195, 195, 196, 196, 197, 197, + 197, 198, 198, 199, 199, 200, 200, 201, 203, 209, + 214, 215, 216, 216, 216, 217, 217, 218, 218, 218, + 219, 219, 220, 220, 220, 221, 221, 222, 222, 222, + 223, 223, 223, 224, 224, 225, 225, 226, 226, 227, + 227, 228, 228, 229, 229, 230, 230, 231, 231, 232, + 232, 232, 233, 233, 234, 234, 234, 235, 235, 235, + 236, 236, 237, 237, 238, 238, 239, 239, 240, 240, + 240, 241, 241, 242, 242, 243, 243, 243, 244, 244, + 245, 245, 246, 246, 247, 247, 247, 248, 248, 249, + 249, 250, 250, 251, 251, 252, 252, 253, 253, 254, + 254, 255, 255, 256, 256, 256, 257, 257, 257, 258, + 258, 258, 259, 259, 259, 259, 260, 261, 261, 261, + 262, 262, 262, 263, 263, 264, 264, 265, 265, 265, + 266, 266, 266, 267, 267, 268, 268, 268, 269, 269, + 270, 270, 270, 271, 271, 272, 272, 273, 273, 274, + 275, 275, 276, 276, 277, 277, 278, 278, 279, 279, + 280, 280, 281, 281, 282, 282, 283, 283, 284, 284, + 285, 285, 285, 286, 286, 287, 287, 288, 288, 289, + 290, 290, 291, 291, 292, 293, 293, 294, 294, 295, + 295, 296, 296, 297, 297, 297, 298, 298, 298, 299, + 299, 300, 301, 301, 302, 302, 303, 303, 304, 304, + 305, 305, 305, 306, 306, 306, 307, 307, 307, 308, + 308, 309, 309, 310, 310, 311, 311, 312, 312, 313, + 313, 314, 314, 315, 318, 331, 332, 333, 333, 333, + 333, 333, 334, 334, 334, 336, 349, 350, 351, 351, + 351, 351, 352, 352, 352, 354, 369, 370, 371, 371, + 371, 371, 372, 372, 372, 374, 394, 395, 396, 396, + 396, 396, 397, 397, 397, 398, 398, 398, 401, 420, + 437, 445, 455, 462, 472, 490, 491, 492, 492, 492, + 492, 492, 493, 493, 493, 494, 494, 494, 494, 496, + 505, 514, 525, 534, 543, 552, 563, 572, 584, 598, + 613, 624, 641, 658, 675, 692, 707, 722, 735, 750, + 759, 768, 777, 786, 795, 804, 811, 820, 829, 838, + 847, 856, 865, 874, 883, 896, 907, 918, 929, 938, + 951, 960, 969, 978, 985, 
992, 1001, 1008, 1017, 1025, + 1032, 1039, 1047, 1056, 1064, 1080, 1088, 1096, 1104, 1112, + 1120, 1129, 1138, 1152, 1161, 1170, 1179, 1188, 1197, 1206, + 1213, 1220, 1246, 1254, 1261, 1268, 1275, 1282, 1290, 1298, + 1306, 1313, 1324, 1335, 1342, 1351, 1360, 1369, 1378, 1385, + 1392, 1399, 1415, 1423, 1431, 1441, 1451, 1461, 1475, 1483, + 1496, 1507, 1515, 1528, 1537, 1546, 1555, 1564, 1574, 1584, + 1592, 1605, 1614, 1622, 1631, 1639, 1652, 1661, 1671, 1678, + 1688, 1698, 1708, 1718, 1728, 1738, 1748, 1758, 1765, 1772, + 1779, 1788, 1797, 1806, 1815, 1822, 1832, 1852, 1859, 1877, + 1890, 1903, 1916, 1925, 1934, 1943, 1952, 1962, 1972, 1983, + 1992, 2001, 2010, 2019, 2028, 2037, 2046, 2059, 2072, 2081, + 2088, 2097, 2106, 2115, 2124, 2133, 2141, 2154, 2162, 2217, + 2224, 2239, 2249, 2259, 2266, 2273, 2280, 2289, 2297, 2311, + 2332, 2353, 2365, 2377, 2389, 2398, 2419, 2428, 2437, 2445, + 2453, 2466, 2479, 2494, 2509, 2518, 2527, 2537, 2547, 2556, + 2562, 2571, 2580, 2590, 2600, 2610, 2619, 2629, 2638, 2651, + 2664, 2676, 2690, 2702, 2716, 2725, 2737, 2747, 2754, 2761, + 2770, 2779, 2789, 2799, 2809, 2819, 2826, 2833, 2842, 2851, + 2861, 2871, 2881, 2888, 2895, 2902, 2910, 2920, 2930, 2940, + 2950, 2960, 2970, 3026, 3036, 3044, 3052, 3067, 3076, 3081, + 3082, 3083, 3083, 3083, 3084, 3084, 3084, 3085, 3085, 3087, + 3097, 3106, 3113, 3120, 3127, 3134, 3141, 3148, 3153, 3154, + 3155, 3155, 3155, 3156, 3156, 3156, 3157, 3158, 3158, 3159, + 3159, 3160, 3160, 3161, 3162, 3163, 3164, 3165, 3166, 3168, + 3177, 3187, 3194, 3201, 3210, 3217, 3224, 3231, 3238, 3247, + 3256, 3263, 3270, 3280, 3290, 3300, 3310, 3320, 3330, 3335, + 3336, 3337, 3339, 3345, 3350, 3351, 3352, 3354, 3360, 3370, + 3377, 3386, 3394, 3399, 3400, 3402, 3402, 3402, 3403, 3403, + 3404, 3405, 3406, 3407, 3408, 3410, 3420, 3429, 3436, 3445, + 3452, 3461, 3469, 3482, 3490, 3503, 3508, 3509, 3510, 3510, + 3511, 3511, 3511, 3512, 3514, 3526, 3538, 3550, 3565, 3578, + 3591, 3602, 3607, 3608, 3609, 3609, 3611, 3626 
}; #endif 
@@ -1947,32 +1326,36 @@ static const char *const yytname[] = "VAR_PRIVATE_DOMAIN", "VAR_REMOTE_CONTROL", "VAR_CONTROL_ENABLE", "VAR_CONTROL_INTERFACE", "VAR_CONTROL_PORT", "VAR_SERVER_KEY_FILE", "VAR_SERVER_CERT_FILE", "VAR_CONTROL_KEY_FILE", "VAR_CONTROL_CERT_FILE", - "VAR_CONTROL_USE_CERT", "VAR_EXTENDED_STATISTICS", "VAR_LOCAL_DATA_PTR", - "VAR_JOSTLE_TIMEOUT", "VAR_STUB_PRIME", "VAR_UNWANTED_REPLY_THRESHOLD", - "VAR_LOG_TIME_ASCII", "VAR_DOMAIN_INSECURE", "VAR_PYTHON", - "VAR_PYTHON_SCRIPT", "VAR_VAL_SIG_SKEW_MIN", "VAR_VAL_SIG_SKEW_MAX", + "VAR_CONTROL_USE_CERT", "VAR_TCP_REUSE_TIMEOUT", + "VAR_MAX_REUSE_TCP_QUERIES", "VAR_EXTENDED_STATISTICS", + "VAR_LOCAL_DATA_PTR", "VAR_JOSTLE_TIMEOUT", "VAR_STUB_PRIME", + "VAR_UNWANTED_REPLY_THRESHOLD", "VAR_LOG_TIME_ASCII", + "VAR_DOMAIN_INSECURE", "VAR_PYTHON", "VAR_PYTHON_SCRIPT", + "VAR_VAL_SIG_SKEW_MIN", "VAR_VAL_SIG_SKEW_MAX", "VAR_VAL_MAX_RESTART", "VAR_CACHE_MIN_TTL", "VAR_VAL_LOG_LEVEL", "VAR_AUTO_TRUST_ANCHOR_FILE", "VAR_KEEP_MISSING", "VAR_ADD_HOLDDOWN", "VAR_DEL_HOLDDOWN", "VAR_SO_RCVBUF", "VAR_EDNS_BUFFER_SIZE", "VAR_PREFETCH", "VAR_PREFETCH_KEY", "VAR_SO_SNDBUF", "VAR_SO_REUSEPORT", "VAR_HARDEN_BELOW_NXDOMAIN", "VAR_IGNORE_CD_FLAG", "VAR_LOG_QUERIES", "VAR_LOG_REPLIES", "VAR_LOG_LOCAL_ACTIONS", "VAR_TCP_UPSTREAM", - "VAR_SSL_UPSTREAM", "VAR_SSL_SERVICE_KEY", "VAR_SSL_SERVICE_PEM", - "VAR_SSL_PORT", "VAR_FORWARD_FIRST", "VAR_STUB_SSL_UPSTREAM", - "VAR_FORWARD_SSL_UPSTREAM", "VAR_TLS_CERT_BUNDLE", "VAR_HTTPS_PORT", - "VAR_HTTP_ENDPOINT", "VAR_HTTP_MAX_STREAMS", - "VAR_HTTP_QUERY_BUFFER_SIZE", "VAR_HTTP_RESPONSE_BUFFER_SIZE", - "VAR_HTTP_NODELAY", "VAR_HTTP_NOTLS_DOWNSTREAM", "VAR_STUB_FIRST", - "VAR_MINIMAL_RESPONSES", "VAR_RRSET_ROUNDROBIN", "VAR_MAX_UDP_SIZE", - "VAR_DELAY_CLOSE", "VAR_UDP_CONNECT", "VAR_UNBLOCK_LAN_ZONES", - "VAR_INSECURE_LAN_ZONES", "VAR_INFRA_CACHE_MIN_RTT", - "VAR_INFRA_KEEP_PROBING", "VAR_DNS64_PREFIX", "VAR_DNS64_SYNTHALL", - "VAR_DNS64_IGNORE_AAAA", "VAR_DNSTAP", "VAR_DNSTAP_ENABLE", - 
"VAR_DNSTAP_SOCKET_PATH", "VAR_DNSTAP_IP", "VAR_DNSTAP_TLS", - "VAR_DNSTAP_TLS_SERVER_NAME", "VAR_DNSTAP_TLS_CERT_BUNDLE", - "VAR_DNSTAP_TLS_CLIENT_KEY_FILE", "VAR_DNSTAP_TLS_CLIENT_CERT_FILE", - "VAR_DNSTAP_SEND_IDENTITY", "VAR_DNSTAP_SEND_VERSION", - "VAR_DNSTAP_BIDIRECTIONAL", "VAR_DNSTAP_IDENTITY", "VAR_DNSTAP_VERSION", + "VAR_SSL_UPSTREAM", "VAR_TCP_AUTH_QUERY_TIMEOUT", "VAR_SSL_SERVICE_KEY", + "VAR_SSL_SERVICE_PEM", "VAR_SSL_PORT", "VAR_FORWARD_FIRST", + "VAR_STUB_SSL_UPSTREAM", "VAR_FORWARD_SSL_UPSTREAM", + "VAR_TLS_CERT_BUNDLE", "VAR_STUB_TCP_UPSTREAM", + "VAR_FORWARD_TCP_UPSTREAM", "VAR_HTTPS_PORT", "VAR_HTTP_ENDPOINT", + "VAR_HTTP_MAX_STREAMS", "VAR_HTTP_QUERY_BUFFER_SIZE", + "VAR_HTTP_RESPONSE_BUFFER_SIZE", "VAR_HTTP_NODELAY", + "VAR_HTTP_NOTLS_DOWNSTREAM", "VAR_STUB_FIRST", "VAR_MINIMAL_RESPONSES", + "VAR_RRSET_ROUNDROBIN", "VAR_MAX_UDP_SIZE", "VAR_DELAY_CLOSE", + "VAR_UDP_CONNECT", "VAR_UNBLOCK_LAN_ZONES", "VAR_INSECURE_LAN_ZONES", + "VAR_INFRA_CACHE_MIN_RTT", "VAR_INFRA_KEEP_PROBING", "VAR_DNS64_PREFIX", + "VAR_DNS64_SYNTHALL", "VAR_DNS64_IGNORE_AAAA", "VAR_DNSTAP", + "VAR_DNSTAP_ENABLE", "VAR_DNSTAP_SOCKET_PATH", "VAR_DNSTAP_IP", + "VAR_DNSTAP_TLS", "VAR_DNSTAP_TLS_SERVER_NAME", + "VAR_DNSTAP_TLS_CERT_BUNDLE", "VAR_DNSTAP_TLS_CLIENT_KEY_FILE", + "VAR_DNSTAP_TLS_CLIENT_CERT_FILE", "VAR_DNSTAP_SEND_IDENTITY", + "VAR_DNSTAP_SEND_VERSION", "VAR_DNSTAP_BIDIRECTIONAL", + "VAR_DNSTAP_IDENTITY", "VAR_DNSTAP_VERSION", "VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES", "VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES", "VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES", 
@@ -1983,24 +1366,27 @@ static const char *const yytname[] = "VAR_IP_TRANSPARENT", "VAR_IP_DSCP", "VAR_DISABLE_DNSSEC_LAME_CHECK", "VAR_IP_RATELIMIT", "VAR_IP_RATELIMIT_SLABS", "VAR_IP_RATELIMIT_SIZE", "VAR_RATELIMIT", "VAR_RATELIMIT_SLABS", "VAR_RATELIMIT_SIZE", - "VAR_RATELIMIT_FOR_DOMAIN", "VAR_RATELIMIT_BELOW_DOMAIN", - "VAR_IP_RATELIMIT_FACTOR", "VAR_RATELIMIT_FACTOR", - "VAR_SEND_CLIENT_SUBNET", "VAR_CLIENT_SUBNET_ZONE", - "VAR_CLIENT_SUBNET_ALWAYS_FORWARD", "VAR_CLIENT_SUBNET_OPCODE", - "VAR_MAX_CLIENT_SUBNET_IPV4", "VAR_MAX_CLIENT_SUBNET_IPV6", - "VAR_MIN_CLIENT_SUBNET_IPV4", "VAR_MIN_CLIENT_SUBNET_IPV6", - "VAR_MAX_ECS_TREE_SIZE_IPV4", "VAR_MAX_ECS_TREE_SIZE_IPV6", - "VAR_CAPS_WHITELIST", "VAR_CACHE_MAX_NEGATIVE_TTL", - "VAR_PERMIT_SMALL_HOLDDOWN", "VAR_QNAME_MINIMISATION", - "VAR_QNAME_MINIMISATION_STRICT", "VAR_IP_FREEBIND", "VAR_DEFINE_TAG", - "VAR_LOCAL_ZONE_TAG", "VAR_ACCESS_CONTROL_TAG", - "VAR_LOCAL_ZONE_OVERRIDE", "VAR_ACCESS_CONTROL_TAG_ACTION", - "VAR_ACCESS_CONTROL_TAG_DATA", "VAR_VIEW", "VAR_ACCESS_CONTROL_VIEW", - "VAR_VIEW_FIRST", "VAR_SERVE_EXPIRED", "VAR_SERVE_EXPIRED_TTL", + "VAR_OUTBOUND_MSG_RETRY", "VAR_RATELIMIT_FOR_DOMAIN", + "VAR_RATELIMIT_BELOW_DOMAIN", "VAR_IP_RATELIMIT_FACTOR", + "VAR_RATELIMIT_FACTOR", "VAR_IP_RATELIMIT_BACKOFF", + "VAR_RATELIMIT_BACKOFF", "VAR_SEND_CLIENT_SUBNET", + "VAR_CLIENT_SUBNET_ZONE", "VAR_CLIENT_SUBNET_ALWAYS_FORWARD", + "VAR_CLIENT_SUBNET_OPCODE", "VAR_MAX_CLIENT_SUBNET_IPV4", + "VAR_MAX_CLIENT_SUBNET_IPV6", "VAR_MIN_CLIENT_SUBNET_IPV4", + "VAR_MIN_CLIENT_SUBNET_IPV6", "VAR_MAX_ECS_TREE_SIZE_IPV4", + "VAR_MAX_ECS_TREE_SIZE_IPV6", "VAR_CAPS_WHITELIST", + "VAR_CACHE_MAX_NEGATIVE_TTL", "VAR_PERMIT_SMALL_HOLDDOWN", + "VAR_QNAME_MINIMISATION", "VAR_QNAME_MINIMISATION_STRICT", + "VAR_IP_FREEBIND", "VAR_DEFINE_TAG", "VAR_LOCAL_ZONE_TAG", + "VAR_ACCESS_CONTROL_TAG", "VAR_LOCAL_ZONE_OVERRIDE", + "VAR_ACCESS_CONTROL_TAG_ACTION", "VAR_ACCESS_CONTROL_TAG_DATA", + "VAR_VIEW", "VAR_ACCESS_CONTROL_VIEW", 
"VAR_VIEW_FIRST", + "VAR_SERVE_EXPIRED", "VAR_SERVE_EXPIRED_TTL", "VAR_SERVE_EXPIRED_TTL_RESET", "VAR_SERVE_EXPIRED_REPLY_TTL", "VAR_SERVE_EXPIRED_CLIENT_TIMEOUT", "VAR_SERVE_ORIGINAL_TTL", "VAR_FAKE_DSA", "VAR_FAKE_SHA1", "VAR_LOG_IDENTITY", - "VAR_HIDE_TRUSTANCHOR", "VAR_TRUST_ANCHOR_SIGNALING", + "VAR_HIDE_TRUSTANCHOR", "VAR_HIDE_HTTP_USER_AGENT", + "VAR_HTTP_USER_AGENT", "VAR_TRUST_ANCHOR_SIGNALING", "VAR_AGGRESSIVE_NSEC", "VAR_USE_SYSTEMD", "VAR_SHM_ENABLE", "VAR_SHM_KEY", "VAR_ROOT_KEY_SENTINEL", "VAR_DNSCRYPT", "VAR_DNSCRYPT_ENABLE", "VAR_DNSCRYPT_PORT", "VAR_DNSCRYPT_PROVIDER", 
@@ -2029,13 +1415,15 @@ static const char *const yytname[] = "VAR_RPZ_ACTION_OVERRIDE", "VAR_RPZ_CNAME_OVERRIDE", "VAR_RPZ_LOG", "VAR_RPZ_LOG_NAME", "VAR_DYNLIB", "VAR_DYNLIB_FILE", "VAR_EDNS_CLIENT_STRING", "VAR_EDNS_CLIENT_STRING_OPCODE", "VAR_NSID", - "VAR_ZONEMD_PERMISSIVE_MODE", "VAR_ZONEMD_REJECT_ABSENCE", "$accept", - "toplevelvars", "toplevelvar", "force_toplevel", "serverstart", - "contents_server", "content_server", "stubstart", "contents_stub", - "content_stub", "forwardstart", "contents_forward", "content_forward", - "viewstart", "contents_view", "content_view", "authstart", - "contents_auth", "content_auth", "rpz_tag", "rpz_action_override", - "rpz_cname_override", "rpz_log", "rpz_log_name", "rpzstart", + "VAR_ZONEMD_PERMISSIVE_MODE", "VAR_ZONEMD_CHECK", + "VAR_ZONEMD_REJECT_ABSENCE", "VAR_RPZ_SIGNAL_NXDOMAIN_RA", + "VAR_INTERFACE_AUTOMATIC_PORTS", "$accept", "toplevelvars", + "toplevelvar", "force_toplevel", "serverstart", "contents_server", + "content_server", "stubstart", "contents_stub", "content_stub", + "forwardstart", "contents_forward", "content_forward", "viewstart", + "contents_view", "content_view", "authstart", "contents_auth", + "content_auth", "rpz_tag", "rpz_action_override", "rpz_cname_override", + "rpz_log", "rpz_log_name", "rpz_signal_nxdomain_ra", "rpzstart", "contents_rpz", "content_rpz", "server_num_threads", "server_verbosity", "server_statistics_interval", "server_statistics_cumulative", "server_extended_statistics", "server_shm_enable", "server_shm_key", 
@@ -2047,10 +1435,12 @@ static const char *const yytname[] = "server_interface", "server_outgoing_interface", "server_outgoing_range", "server_outgoing_port_permit", "server_outgoing_port_avoid", "server_outgoing_num_tcp", "server_incoming_num_tcp", - "server_interface_automatic", "server_do_ip4", "server_do_ip6", - "server_do_udp", "server_do_tcp", "server_prefer_ip4", - "server_prefer_ip6", "server_tcp_mss", "server_outgoing_tcp_mss", - "server_tcp_idle_timeout", "server_tcp_keepalive", + "server_interface_automatic", "server_interface_automatic_ports", + "server_do_ip4", "server_do_ip6", "server_do_udp", "server_do_tcp", + "server_prefer_ip4", "server_prefer_ip6", "server_tcp_mss", + "server_outgoing_tcp_mss", "server_tcp_idle_timeout", + "server_max_reuse_tcp_queries", "server_tcp_reuse_timeout", + "server_tcp_auth_query_timeout", "server_tcp_keepalive", "server_tcp_keepalive_timeout", "server_tcp_upstream", "server_udp_upstream_without_downstream", "server_ssl_upstream", "server_ssl_service_key", "server_ssl_service_pem", "server_ssl_port", @@ -2071,7 +1461,8 @@ static const char *const yytname[] = "server_trust_anchor", "server_trust_anchor_signaling", "server_root_key_sentinel", "server_domain_insecure", "server_hide_identity", "server_hide_version", "server_hide_trustanchor", - "server_identity", "server_version", "server_nsid", "server_so_rcvbuf", + "server_hide_http_user_agent", "server_identity", "server_version", + "server_http_user_agent", "server_nsid", "server_so_rcvbuf", "server_so_sndbuf", "server_so_reuseport", "server_ip_transparent", "server_ip_freebind", "server_ip_dscp", "server_stream_wait_size", "server_edns_buffer_size", "server_msg_buffer_size", 
@@ -2094,16 +1485,17 @@ static const char *const yytname[] = "server_do_not_query_localhost", "server_access_control", "server_module_conf", "server_val_override_date", "server_val_sig_skew_min", "server_val_sig_skew_max", - "server_cache_max_ttl", "server_cache_max_negative_ttl", - "server_cache_min_ttl", "server_bogus_ttl", - "server_val_clean_additional", "server_val_permissive_mode", - "server_aggressive_nsec", "server_ignore_cd_flag", - "server_serve_expired", "server_serve_expired_ttl", - "server_serve_expired_ttl_reset", "server_serve_expired_reply_ttl", - "server_serve_expired_client_timeout", "server_serve_original_ttl", - "server_fake_dsa", "server_fake_sha1", "server_val_log_level", - "server_val_nsec3_keysize_iterations", "server_zonemd_permissive_mode", - "server_add_holddown", "server_del_holddown", "server_keep_missing", + "server_val_max_restart", "server_cache_max_ttl", + "server_cache_max_negative_ttl", "server_cache_min_ttl", + "server_bogus_ttl", "server_val_clean_additional", + "server_val_permissive_mode", "server_aggressive_nsec", + "server_ignore_cd_flag", "server_serve_expired", + "server_serve_expired_ttl", "server_serve_expired_ttl_reset", + "server_serve_expired_reply_ttl", "server_serve_expired_client_timeout", + "server_serve_original_ttl", "server_fake_dsa", "server_fake_sha1", + "server_val_log_level", "server_val_nsec3_keysize_iterations", + "server_zonemd_permissive_mode", "server_add_holddown", + "server_del_holddown", "server_keep_missing", "server_permit_small_holddown", "server_key_cache_size", "server_key_cache_slabs", "server_neg_cache_size", "server_local_zone", "server_local_data", "server_local_data_ptr", "server_minimal_responses", 
@@ -2117,24 +1509,26 @@ static const char *const yytname[] = "server_ratelimit_size", "server_ip_ratelimit_slabs", "server_ratelimit_slabs", "server_ratelimit_for_domain", "server_ratelimit_below_domain", "server_ip_ratelimit_factor", - "server_ratelimit_factor", "server_low_rtt", "server_fast_server_num", - "server_fast_server_permil", "server_qname_minimisation", - "server_qname_minimisation_strict", "server_pad_responses", - "server_pad_responses_block_size", "server_pad_queries", - "server_pad_queries_block_size", "server_ipsecmod_enabled", - "server_ipsecmod_ignore_bogus", "server_ipsecmod_hook", - "server_ipsecmod_max_ttl", "server_ipsecmod_whitelist", - "server_ipsecmod_strict", "server_edns_client_string", - "server_edns_client_string_opcode", "stub_name", "stub_host", - "stub_addr", "stub_first", "stub_no_cache", "stub_ssl_upstream", - "stub_prime", "forward_name", "forward_host", "forward_addr", - "forward_first", "forward_no_cache", "forward_ssl_upstream", "auth_name", + "server_ratelimit_factor", "server_ip_ratelimit_backoff", + "server_ratelimit_backoff", "server_outbound_msg_retry", + "server_low_rtt", "server_fast_server_num", "server_fast_server_permil", + "server_qname_minimisation", "server_qname_minimisation_strict", + "server_pad_responses", "server_pad_responses_block_size", + "server_pad_queries", "server_pad_queries_block_size", + "server_ipsecmod_enabled", "server_ipsecmod_ignore_bogus", + "server_ipsecmod_hook", "server_ipsecmod_max_ttl", + "server_ipsecmod_whitelist", "server_ipsecmod_strict", + "server_edns_client_string", "server_edns_client_string_opcode", + "stub_name", "stub_host", "stub_addr", "stub_first", "stub_no_cache", + "stub_ssl_upstream", "stub_tcp_upstream", "stub_prime", "forward_name", + "forward_host", "forward_addr", "forward_first", "forward_no_cache", + "forward_ssl_upstream", "forward_tcp_upstream", "auth_name", "auth_zonefile", "auth_master", "auth_url", "auth_allow_notify", - "auth_zonemd_reject_absence", 
"auth_for_downstream", "auth_for_upstream", - "auth_fallback_enabled", "view_name", "view_local_zone", - "view_response_ip", "view_response_ip_data", "view_local_data", - "view_local_data_ptr", "view_first", "rcstart", "contents_rc", - "content_rc", "rc_control_enable", "rc_control_port", + "auth_zonemd_check", "auth_zonemd_reject_absence", "auth_for_downstream", + "auth_for_upstream", "auth_fallback_enabled", "view_name", + "view_local_zone", "view_response_ip", "view_response_ip_data", + "view_local_data", "view_local_data_ptr", "view_first", "rcstart", + "contents_rc", "content_rc", "rc_control_enable", "rc_control_port", "rc_control_interface", "rc_control_use_cert", "rc_server_key_file", "rc_server_cert_file", "rc_control_key_file", "rc_control_cert_file", "dtstart", "contents_dt", "content_dt", "dt_dnstap_enable", @@ -2208,11 +1602,12 @@ static const yytype_int16 yytoknum[] = 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, 545, 546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, - 565 + 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, + 575, 576, 577, 578, 579 }; #endif -#define YYPACT_NINF (-299) +#define YYPACT_NINF (-310) #define yypact_value_is_default(Yyn) \ ((Yyn) == YYPACT_NINF) 
@@ -2226,103 +1621,107 @@ static const yytype_int16 yytoknum[] = STATE-NUM. */ static const yytype_int16 yypact[] = { - -299, 0, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, 292, -39, -35, -43, -44, -28, -67, -93, - -108, -298, -221, -222, -292, 3, 4, 5, 6, 37, - 38, 39, 40, 41, 43, 44, 45, 46, 47, 48, - 49, 50, 51, 52, 54, 55, 56, 57, 58, 79, - 80, 81, 82, 83, 84, 85, 87, 88, 89, 91, - 92, 94, 96, 97, 98, 99, 101, 103, 104, 105, - 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, - 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, - 126, 127, 128, 129, 132, 133, 134, 135, 136, 137, - 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, - 148, 149, 150, 151, 153, 154, 155, 156, 157, 158, - 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, - 169, 171, 172, 173, 174, 175, 176, 177, 178, 179, - 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, - 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, - 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, - 210, 212, 213, 214, 216, 222, 223, 224, 225, 226, - 228, 229, 231, 232, 237, 238, 240, 241, 242, 244, - 245, 246, 247, 248, 249, 250, 252, 253, 254, 255, - 257, 258, 259, 266, 267, 268, 269, 270, 271, 272, - 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, - 283, 285, 286, 287, 289, 290, 291, 293, 327, 328, - 329, 330, 334, 335, 336, 378, 379, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, 
-299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - 380, 381, 382, 383, 384, 385, 386, -299, -299, -299, - -299, -299, -299, -299, -299, 390, 394, 395, 420, 421, - 422, -299, -299, -299, -299, -299, -299, -299, 431, 444, - 445, 446, 447, 448, 449, -299, -299, -299, -299, -299, - -299, -299, -299, 450, 451, 452, 453, 454, 455, 456, - 457, 458, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, 459, 460, 461, 462, 463, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, 503, 505, - 522, 523, 524, 525, 526, 527, -299, -299, -299, -299, - -299, -299, -299, -299, -299, 528, 529, 530, 531, 532, - 543, 544, 545, 546, 547, 548, 549, 551, 552, 553, - 554, 555, 556, 557, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, 560, -299, -299, 563, -299, -299, - 566, 567, 576, 577, 578, 580, 581, 582, 583, 584, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, 585, 586, 587, 592, 593, 594, -299, -299, -299, - -299, -299, -299, -299, 595, 596, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, 
-299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, 597, - 598, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, 599, 600, 601, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, 602, 603, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, 604, - 605, 606, 607, 608, 609, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, 610, -299, -299, - -299, -299, -299, -299, -299, -299, -299, 611, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, 612, -299, -299, 613, 614, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, 615, 616, 617, -299, -299, -299, -299, -299, -299, - -299, -299, -299 + -310, 0, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, 303, -39, -32, -43, -30, -44, -42, -97, + -110, -309, -229, -233, -303, 4, 
6, 7, 8, 9, + 10, 23, 24, 25, 26, 27, 37, 38, 39, 40, + 41, 43, 44, 53, 54, 56, 57, 58, 59, 60, + 81, 82, 83, 84, 85, 87, 88, 89, 90, 91, + 92, 93, 95, 96, 98, 99, 101, 103, 107, 108, + 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, + 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, + 129, 130, 131, 132, 133, 134, 135, 138, 139, 140, + 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, + 151, 152, 153, 154, 155, 156, 157, 159, 160, 161, + 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, + 172, 173, 174, 175, 176, 177, 178, 180, 181, 182, + 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, + 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, + 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, + 213, 214, 215, 216, 217, 218, 219, 221, 222, 223, + 224, 225, 226, 227, 232, 233, 234, 235, 236, 237, + 239, 248, 249, 250, 251, 254, 255, 261, 263, 264, + 265, 266, 267, 268, 270, 272, 273, 274, 275, 276, + 277, 278, 279, 280, 283, 284, 285, 286, 287, 288, + 289, 290, 291, 292, 293, 294, 296, 297, 298, 300, + 301, 302, 304, 338, 339, 340, 341, 345, 346, 347, + 389, 390, 391, 392, 393, 394, 395, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, 
-310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + 396, 397, 403, 407, 408, 435, 436, 437, -310, -310, + -310, -310, -310, -310, -310, -310, -310, 439, 440, 448, + 461, 462, 463, 464, -310, -310, -310, -310, -310, -310, + -310, -310, 465, 466, 467, 468, 469, 470, 471, -310, + -310, -310, -310, -310, -310, -310, -310, 472, 473, 474, + 475, 476, 477, 478, 479, 480, 523, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, 525, 544, + 545, 546, 547, 548, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, 549, 550, 551, + 552, 553, 554, 565, 566, -310, -310, -310, -310, -310, + -310, -310, -310, -310, 567, 568, 569, 570, 571, 573, + 574, 575, 576, 577, 578, 579, 582, 585, 588, 589, + 598, 599, 600, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, 602, -310, -310, 603, -310, -310, 604, + 605, 606, 607, 608, 609, 614, 615, 616, 618, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + 619, 620, 621, 622, 623, 624, -310, -310, -310, -310, + -310, -310, -310, 625, 626, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, 627, 628, + -310, -310, -310, -310, -310, -310, -310, 
-310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, 629, 630, + 631, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, 632, 633, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, 634, 635, 636, 637, 638, + 639, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, 640, -310, -310, -310, -310, + -310, -310, -310, -310, -310, 641, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, 642, -310, -310, 643, + 644, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, 645, 646, 647, -310, -310, -310, + -310, -310, -310, -310, -310, -310 }; /* YYDEFACT[STATE-NUM] -- Default reduction number in state STATE-NUM. 
@@ -2330,10 +1729,10 @@ static const yytype_int16 yypact[] = means the default is an error. */ static const yytype_int16 yydefact[] = { - 2, 0, 1, 18, 19, 234, 244, 529, 589, 548, - 253, 603, 626, 263, 642, 280, 594, 3, 17, 21, - 236, 246, 255, 265, 282, 531, 550, 591, 596, 605, - 628, 644, 4, 5, 6, 10, 14, 15, 8, 9, + 2, 0, 1, 18, 19, 244, 255, 558, 618, 577, + 265, 632, 655, 275, 671, 294, 623, 3, 17, 21, + 246, 257, 267, 277, 296, 560, 579, 620, 625, 634, + 657, 673, 4, 5, 6, 10, 14, 15, 8, 9, 7, 16, 11, 12, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
@@ -2355,331 +1754,137 @@ static const yytype_int16 yydefact[] = 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 22, 23, - 86, 89, 98, 200, 201, 24, 160, 161, 162, 163, - 164, 165, 166, 167, 168, 169, 37, 77, 25, 90, - 91, 48, 70, 85, 26, 27, 30, 31, 28, 29, - 32, 33, 34, 35, 36, 121, 212, 122, 124, 125, - 126, 214, 219, 215, 226, 227, 228, 229, 127, 128, - 129, 130, 131, 132, 133, 196, 87, 76, 102, 119, - 120, 224, 221, 123, 38, 39, 40, 41, 42, 78, - 92, 93, 108, 64, 74, 65, 204, 205, 103, 58, - 59, 203, 60, 61, 232, 112, 116, 137, 147, 174, - 150, 225, 113, 71, 43, 44, 45, 100, 138, 139, - 140, 141, 46, 47, 49, 50, 52, 53, 51, 145, - 151, 54, 55, 56, 62, 81, 117, 95, 146, 88, - 170, 96, 97, 114, 115, 222, 101, 57, 79, 82, - 63, 66, 104, 105, 80, 171, 106, 67, 68, 69, - 213, 118, 188, 189, 190, 191, 192, 193, 194, 202, - 107, 75, 233, 109, 110, 111, 172, 72, 73, 94, - 83, 84, 99, 134, 135, 223, 136, 142, 143, 144, - 175, 176, 178, 180, 181, 179, 182, 197, 148, 149, - 154, 155, 152, 153, 156, 157, 159, 158, 216, 218, - 217, 173, 183, 184, 185, 186, 187, 206, 208, 207, - 209, 210, 211, 230, 231, 177, 195, 198, 199, 220, - 0, 0, 0, 0, 0, 0, 0, 235, 237, 238, - 239, 241, 242, 243, 240, 0, 0, 0, 0, 0, - 0, 245, 247, 248, 249, 250, 251, 252, 0, 0, - 0, 0, 0, 0, 0, 254, 256, 257, 260, 261, - 258, 262, 259, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 264, 266, 267, 268, 269, 273, 274, 270, - 271, 272, 0, 0, 0, 0, 0, 285, 289, 290, - 291, 292, 281, 283, 284, 286, 287, 288, 0, 0, - 0, 0, 0, 0, 0, 0, 530, 532, 534, 533, - 539, 535, 536, 537, 538, 0, 0, 0, 0, 0, + 88, 91, 100, 206, 207, 24, 166, 167, 168, 169, + 170, 171, 172, 173, 174, 175, 37, 79, 25, 92, + 93, 48, 72, 87, 243, 26, 27, 30, 31, 28, + 29, 32, 33, 34, 240, 241, 242, 35, 36, 124, + 218, 125, 127, 128, 129, 220, 225, 221, 232, 233, + 234, 235, 130, 131, 132, 133, 134, 135, 136, 202, + 89, 78, 104, 122, 123, 230, 227, 126, 38, 39, 
+ 40, 41, 42, 80, 94, 95, 111, 66, 76, 67, + 210, 211, 105, 58, 59, 209, 62, 60, 61, 63, + 238, 115, 119, 140, 150, 180, 153, 231, 116, 73, + 43, 44, 45, 102, 141, 142, 143, 144, 46, 47, + 49, 50, 52, 53, 51, 148, 154, 54, 55, 56, + 64, 83, 120, 97, 149, 90, 176, 98, 99, 117, + 118, 228, 103, 57, 81, 84, 65, 68, 106, 107, + 108, 82, 177, 109, 69, 70, 71, 219, 121, 194, + 195, 196, 197, 198, 199, 200, 208, 110, 77, 239, + 112, 113, 114, 178, 74, 75, 96, 85, 86, 101, + 137, 138, 229, 139, 145, 146, 147, 181, 182, 184, + 186, 187, 185, 188, 203, 151, 152, 157, 158, 155, + 156, 159, 160, 162, 161, 164, 163, 165, 222, 224, + 223, 179, 189, 190, 191, 192, 193, 212, 214, 213, + 215, 216, 217, 236, 237, 183, 201, 204, 205, 226, + 0, 0, 0, 0, 0, 0, 0, 0, 245, 247, + 248, 249, 251, 252, 253, 254, 250, 0, 0, 0, + 0, 0, 0, 0, 256, 258, 259, 260, 261, 262, + 263, 264, 0, 0, 0, 0, 0, 0, 0, 266, + 268, 269, 272, 273, 270, 274, 271, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 276, 278, 279, + 280, 281, 285, 286, 287, 282, 283, 284, 0, 0, + 0, 0, 0, 0, 299, 303, 304, 305, 306, 307, + 295, 297, 298, 300, 301, 302, 308, 0, 0, 0, + 0, 0, 0, 0, 0, 559, 561, 563, 562, 568, + 564, 565, 566, 567, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 549, 551, 553, 552, 554, 555, - 556, 557, 558, 559, 560, 561, 562, 563, 564, 565, - 566, 567, 568, 569, 0, 590, 592, 0, 595, 597, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 604, 606, 607, 608, 610, 611, 609, 612, 613, 614, - 615, 0, 0, 0, 0, 0, 0, 627, 629, 630, - 631, 632, 633, 634, 0, 0, 643, 645, 646, 294, - 293, 300, 313, 311, 323, 319, 320, 324, 321, 322, - 325, 326, 327, 328, 329, 359, 360, 361, 362, 363, - 389, 390, 391, 397, 398, 316, 399, 400, 403, 401, - 402, 406, 407, 408, 422, 374, 375, 377, 378, 409, - 425, 368, 370, 426, 432, 433, 434, 317, 388, 452, - 453, 369, 446, 352, 312, 364, 423, 429, 410, 0, - 0, 456, 318, 295, 351, 414, 296, 314, 315, 365, - 366, 454, 412, 416, 417, 297, 457, 392, 421, 353, - 373, 427, 428, 431, 445, 367, 450, 448, 
449, 380, - 387, 418, 419, 381, 382, 411, 436, 354, 355, 358, - 330, 332, 333, 334, 335, 336, 343, 344, 345, 346, - 347, 348, 349, 458, 459, 461, 393, 394, 395, 396, - 404, 405, 462, 463, 464, 0, 0, 0, 413, 383, - 385, 599, 473, 477, 475, 474, 478, 476, 0, 0, - 481, 482, 301, 302, 303, 304, 305, 306, 307, 308, - 309, 310, 415, 430, 451, 486, 487, 384, 465, 0, - 0, 0, 0, 0, 0, 437, 438, 439, 440, 441, - 442, 443, 444, 600, 376, 371, 435, 350, 298, 299, - 372, 488, 489, 490, 491, 492, 494, 493, 495, 496, - 497, 331, 338, 483, 485, 484, 337, 0, 357, 420, - 460, 356, 386, 339, 340, 342, 341, 0, 499, 379, - 447, 500, 501, 502, 506, 505, 503, 504, 507, 508, - 509, 510, 512, 511, 522, 0, 526, 527, 0, 0, - 528, 513, 520, 514, 515, 516, 519, 521, 517, 518, - 275, 276, 277, 278, 279, 540, 542, 541, 544, 545, - 546, 547, 543, 570, 572, 573, 574, 575, 576, 577, - 578, 579, 580, 571, 581, 582, 583, 584, 585, 586, - 587, 588, 593, 598, 616, 617, 618, 621, 619, 620, - 622, 623, 624, 625, 635, 636, 637, 638, 639, 640, - 647, 648, 424, 455, 472, 601, 602, 479, 480, 466, - 467, 0, 0, 0, 471, 641, 498, 523, 524, 525, - 470, 468, 469 + 0, 0, 0, 578, 580, 582, 581, 583, 584, 585, + 586, 587, 588, 589, 590, 591, 592, 593, 594, 595, + 596, 597, 598, 0, 619, 621, 0, 624, 626, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 633, + 635, 636, 637, 639, 640, 638, 641, 642, 643, 644, + 0, 0, 0, 0, 0, 0, 656, 658, 659, 660, + 661, 662, 663, 0, 0, 672, 674, 675, 310, 309, + 316, 329, 327, 340, 336, 337, 341, 338, 339, 342, + 343, 344, 348, 349, 379, 380, 381, 382, 383, 411, + 412, 413, 419, 420, 332, 421, 422, 425, 423, 424, + 428, 429, 430, 444, 394, 395, 398, 399, 431, 447, + 388, 390, 448, 455, 456, 457, 333, 410, 475, 476, + 389, 469, 372, 328, 384, 445, 452, 432, 0, 0, + 479, 334, 311, 371, 436, 312, 330, 331, 385, 386, + 477, 434, 438, 439, 346, 345, 313, 480, 414, 443, + 373, 393, 449, 450, 451, 454, 468, 387, 473, 471, + 472, 402, 409, 440, 441, 403, 404, 433, 459, 374, + 375, 378, 350, 352, 347, 353, 
354, 355, 356, 363, + 364, 365, 366, 367, 368, 369, 481, 482, 484, 415, + 416, 417, 418, 426, 427, 485, 486, 487, 0, 0, + 0, 435, 405, 407, 628, 496, 500, 498, 497, 501, + 499, 508, 0, 0, 504, 505, 506, 507, 317, 318, + 319, 320, 321, 322, 323, 324, 325, 326, 437, 453, + 474, 512, 513, 406, 488, 0, 0, 0, 0, 0, + 0, 460, 461, 462, 463, 464, 465, 466, 467, 629, + 396, 397, 400, 391, 458, 370, 314, 315, 392, 514, + 515, 516, 517, 518, 520, 519, 521, 522, 523, 351, + 358, 509, 511, 510, 357, 0, 377, 442, 483, 376, + 408, 359, 360, 362, 361, 0, 525, 401, 470, 335, + 526, 527, 528, 533, 531, 532, 529, 530, 534, 535, + 536, 537, 539, 540, 538, 551, 0, 555, 556, 0, + 0, 557, 541, 549, 542, 543, 544, 548, 550, 545, + 546, 547, 288, 289, 290, 291, 292, 293, 569, 571, + 570, 573, 574, 575, 576, 572, 599, 601, 602, 603, + 604, 605, 606, 607, 608, 609, 600, 610, 611, 612, + 613, 614, 615, 616, 617, 622, 627, 645, 646, 647, + 650, 648, 649, 651, 652, 653, 654, 664, 665, 666, + 667, 668, 669, 676, 677, 446, 478, 495, 630, 631, + 502, 503, 489, 490, 0, 0, 0, 494, 670, 524, + 552, 553, 554, 493, 491, 492 }; /* YYPGOTO[NTERM-NUM]. 
*/ static const yytype_int16 yypgoto[] = { - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, 265, 591, 618, - 619, 620, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, 
-299, -299, -299, -299, - -299, -299, -299, -299, -299, -299, -299, -299, -299, -299, - -299, -299, -299, -299, -299, -299 + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -27, 648, 649, 650, 651, -310, -310, 652, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, 
-310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310, + -310, -310, -310, -310, -310, -310, -310, -310, -310, -310 }; /* YYDEFGOTO[NTERM-NUM]. */ static const yytype_int16 yydefgoto[] = { - -1, 1, 17, 18, 19, 32, 257, 20, 33, 477, - 21, 34, 491, 22, 35, 505, 23, 36, 522, 537, - 538, 539, 540, 541, 24, 37, 542, 258, 259, 260, - 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, - 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, - 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, - 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, - 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, - 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, - 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, - 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, - 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, - 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, - 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, - 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, - 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, - 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, - 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, - 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, - 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, - 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, - 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, - 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, - 461, 462, 463, 464, 478, 479, 480, 481, 482, 483, - 484, 492, 493, 494, 495, 496, 497, 523, 524, 525, - 526, 527, 528, 529, 530, 531, 506, 507, 508, 509, - 510, 511, 512, 25, 38, 556, 557, 558, 559, 560, - 561, 562, 563, 564, 26, 39, 584, 585, 586, 587, - 588, 589, 590, 591, 592, 593, 594, 595, 596, 597, - 598, 599, 600, 601, 602, 603, 27, 40, 605, 606, - 28, 41, 608, 609, 465, 466, 467, 468, 29, 42, - 620, 621, 622, 623, 624, 625, 626, 627, 628, 629, 
- 630, 30, 43, 637, 638, 639, 640, 641, 642, 643, - 469, 31, 44, 646, 647, 648 -}; - - /* YYTABLE[YYPACT[STATE-NUM]] -- What to do in state STATE-NUM. If - positive, shift that token. If negative, reduce the rule whose - number is the opposite. If YYTABLE_NINF, syntax error. */ -static const yytype_int16 yytable[] = -{ - 2, 513, 498, 644, 645, 604, 470, 607, 471, 472, - 485, 3, 4, 649, 650, 651, 652, 513, 486, 487, - 610, 611, 612, 613, 614, 615, 616, 617, 618, 619, - 548, 549, 550, 551, 552, 553, 554, 555, 499, 500, - 631, 632, 633, 634, 635, 636, 5, 653, 654, 655, - 656, 657, 6, 658, 659, 660, 661, 662, 663, 664, - 665, 666, 667, 501, 668, 669, 670, 671, 672, 473, - 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, - 575, 576, 577, 578, 579, 580, 581, 582, 583, 673, - 674, 675, 676, 677, 678, 679, 7, 680, 681, 682, - 474, 683, 684, 488, 685, 489, 686, 687, 688, 689, - 475, 690, 8, 691, 692, 693, 694, 695, 696, 697, - 698, 699, 700, 701, 702, 703, 704, 705, 706, 707, - 708, 709, 710, 711, 712, 713, 714, 715, 716, 717, - 502, 503, 718, 719, 720, 721, 722, 723, 724, 725, - 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, - 736, 737, 9, 738, 739, 740, 741, 742, 743, 744, - 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, - 504, 755, 756, 757, 758, 759, 760, 761, 762, 763, - 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, - 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, - 784, 785, 786, 787, 788, 789, 790, 791, 792, 793, - 794, 10, 795, 796, 797, 514, 798, 515, 516, 517, - 518, 519, 799, 800, 801, 802, 803, 520, 804, 805, - 11, 806, 807, 515, 516, 517, 476, 808, 809, 490, - 810, 811, 812, 520, 813, 814, 815, 816, 817, 818, - 819, 12, 820, 821, 822, 823, 521, 824, 825, 826, - 13, 532, 533, 534, 535, 536, 827, 828, 829, 830, - 831, 832, 833, 834, 835, 836, 837, 838, 839, 840, - 841, 842, 843, 844, 14, 845, 846, 847, 15, 848, - 849, 850, 543, 851, 16, 45, 46, 47, 48, 49, - 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, - 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, - 70, 71, 
72, 73, 74, 75, 76, 852, 853, 854, - 855, 77, 78, 79, 856, 857, 858, 80, 81, 82, - 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, - 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, - 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, - 113, 114, 115, 116, 117, 118, 119, 120, 859, 860, - 861, 862, 863, 864, 865, 866, 867, 121, 122, 123, - 868, 124, 125, 126, 869, 870, 127, 128, 129, 130, - 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, - 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, - 871, 872, 873, 151, 152, 153, 154, 155, 156, 157, - 158, 874, 159, 160, 161, 162, 163, 164, 165, 166, - 167, 168, 169, 170, 875, 876, 877, 878, 879, 880, - 881, 882, 883, 884, 885, 886, 887, 888, 889, 890, - 891, 892, 893, 894, 171, 172, 173, 174, 175, 176, - 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, - 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, - 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, - 207, 208, 209, 895, 210, 896, 211, 212, 213, 214, - 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, - 225, 226, 897, 898, 899, 900, 901, 902, 903, 904, - 905, 906, 907, 227, 228, 229, 230, 231, 232, 233, - 234, 235, 236, 908, 909, 910, 911, 912, 913, 914, - 237, 915, 916, 917, 918, 919, 920, 921, 238, 239, - 922, 240, 241, 923, 242, 243, 924, 925, 244, 245, - 246, 247, 248, 249, 250, 251, 926, 927, 928, 252, - 929, 930, 931, 932, 933, 934, 935, 936, 253, 254, - 255, 256, 937, 938, 939, 940, 941, 942, 943, 944, - 945, 946, 947, 948, 949, 950, 951, 952, 953, 954, - 955, 956, 957, 958, 959, 960, 961, 962, 544, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 545, 546, 547 -}; - -static const yytype_int16 yycheck[] = -{ - 0, 45, 45, 295, 296, 113, 45, 305, 47, 48, - 45, 11, 12, 10, 10, 10, 10, 45, 53, 54, - 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, - 97, 98, 99, 100, 101, 102, 103, 104, 81, 82, - 262, 263, 264, 265, 266, 267, 46, 10, 10, 10, - 10, 10, 52, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 106, 10, 10, 10, 10, 10, 108, - 163, 164, 165, 
166, 167, 168, 169, 170, 171, 172, - 173, 174, 175, 176, 177, 178, 179, 180, 181, 10, - 10, 10, 10, 10, 10, 10, 96, 10, 10, 10, - 139, 10, 10, 138, 10, 140, 10, 10, 10, 10, - 149, 10, 112, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 183, 184, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 162, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 223, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 221, 10, 10, 10, 269, 10, 271, 272, 273, - 274, 275, 10, 10, 10, 10, 10, 281, 10, 10, - 240, 10, 10, 271, 272, 273, 285, 10, 10, 284, - 10, 10, 10, 281, 10, 10, 10, 10, 10, 10, - 10, 261, 10, 10, 10, 10, 310, 10, 10, 10, - 270, 299, 300, 301, 302, 303, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 294, 10, 10, 10, 298, 10, - 10, 10, 37, 10, 304, 13, 14, 15, 16, 17, - 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, - 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, - 38, 39, 40, 41, 42, 43, 44, 10, 10, 10, - 10, 49, 50, 51, 10, 10, 10, 55, 56, 57, - 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, - 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, - 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, - 88, 89, 90, 91, 92, 93, 94, 95, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 105, 106, 107, - 10, 109, 110, 111, 10, 10, 114, 115, 116, 117, - 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, - 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, - 10, 10, 10, 141, 142, 143, 144, 145, 146, 147, - 148, 10, 150, 151, 152, 153, 154, 155, 156, 157, - 158, 159, 160, 161, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 182, 183, 184, 185, 186, 187, - 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, - 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, - 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, - 218, 219, 220, 10, 222, 
10, 224, 225, 226, 227, - 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, - 238, 239, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 251, 252, 253, 254, 255, 256, 257, - 258, 259, 260, 10, 10, 10, 10, 10, 10, 10, - 268, 10, 10, 10, 10, 10, 10, 10, 276, 277, - 10, 279, 280, 10, 282, 283, 10, 10, 286, 287, - 288, 289, 290, 291, 292, 293, 10, 10, 10, 297, - 10, 10, 10, 10, 10, 10, 10, 10, 306, 307, - 308, 309, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 37, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, 37, 37, 37 -}; - - /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing - symbol of state STATE-NUM. */ -static const yytype_int16 yystos[] = -{ - 0, 312, 0, 11, 12, 46, 52, 96, 112, 162, - 221, 240, 261, 270, 294, 298, 304, 313, 314, 315, - 318, 321, 324, 327, 335, 574, 585, 607, 611, 619, - 632, 642, 316, 319, 322, 325, 328, 336, 575, 586, - 608, 612, 620, 633, 643, 13, 14, 15, 16, 17, - 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, - 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, - 38, 39, 40, 41, 42, 43, 44, 49, 50, 51, - 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, - 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, - 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, - 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, - 95, 105, 106, 107, 109, 110, 111, 114, 115, 116, - 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, - 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, - 137, 141, 142, 143, 144, 145, 146, 147, 148, 150, - 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, - 161, 182, 183, 184, 185, 186, 187, 188, 189, 190, - 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, - 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, - 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, - 222, 224, 225, 226, 227, 228, 229, 230, 231, 232, - 233, 234, 235, 236, 237, 238, 239, 251, 252, 253, - 254, 255, 256, 257, 258, 259, 260, 268, 276, 277, - 279, 280, 282, 283, 286, 287, 288, 289, 290, 
291, - 292, 293, 297, 306, 307, 308, 309, 317, 338, 339, + 0, 1, 17, 18, 19, 32, 267, 20, 33, 498, + 21, 34, 514, 22, 35, 529, 23, 36, 547, 564, + 565, 566, 567, 568, 569, 24, 37, 570, 268, 269, + 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, + 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, + 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, + 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, + 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, + 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, + 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 
@@ -2694,99 +1899,199 @@ static const yytype_int16 yystos[] = 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, - 480, 481, 482, 483, 484, 485, 486, 487, 488, 489, - 490, 491, 492, 493, 494, 495, 496, 497, 498, 499, - 500, 501, 502, 503, 504, 505, 506, 507, 508, 509, - 510, 511, 512, 513, 514, 515, 516, 517, 518, 519, - 520, 521, 522, 523, 524, 525, 526, 527, 528, 529, - 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, - 540, 541, 542, 543, 544, 615, 616, 617, 618, 641, - 45, 47, 48, 108, 139, 149, 285, 320, 545, 546, - 547, 548, 549, 550, 551, 45, 53, 54, 138, 140, - 284, 323, 552, 553, 554, 555, 556, 557, 45, 81, - 82, 106, 183, 184, 223, 326, 567, 568, 569, 570, - 571, 572, 573, 45, 269, 271, 272, 273, 274, 275, - 281, 310, 329, 558, 559, 560, 561, 562, 563, 564, - 565, 566, 299, 300, 301, 302, 303, 330, 331, 332, - 333, 334, 337, 558, 559, 560, 561, 562, 97, 98, - 99, 100, 101, 102, 103, 104, 576, 577, 578, 579, - 580, 581, 582, 583, 584, 163, 164, 165, 166, 167, - 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, - 178, 179, 180, 181, 587, 588, 589, 590, 591, 592, - 593, 594, 595, 596, 597, 598, 599, 600, 601, 602, - 603, 604, 605, 606, 113, 609, 610, 305, 613, 614, - 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, - 621, 622, 623, 624, 625, 626, 627, 628, 629, 630, - 631, 262, 263, 264, 265, 266, 267, 634, 635, 636, - 637, 638, 639, 640, 295, 296, 644, 645, 646, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 
10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10 + 480, 481, 482, 483, 484, 499, 500, 501, 502, 503, + 504, 505, 506, 515, 516, 517, 518, 519, 520, 521, + 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, + 530, 531, 532, 533, 534, 535, 536, 25, 38, 585, + 586, 587, 588, 589, 590, 591, 592, 593, 26, 39, + 613, 614, 615, 616, 617, 618, 619, 620, 621, 622, + 623, 624, 625, 626, 627, 628, 629, 630, 631, 632, + 27, 40, 634, 635, 28, 41, 637, 638, 485, 486, + 487, 488, 29, 42, 649, 650, 651, 652, 653, 654, + 655, 656, 657, 658, 659, 30, 43, 666, 667, 668, + 669, 670, 671, 672, 489, 31, 44, 675, 676, 677 }; - /* YYR1[YYN] -- Symbol number of symbol that rule YYN derives. */ -static const yytype_int16 yyr1[] = + /* YYTABLE[YYPACT[STATE-NUM]] -- What to do in state STATE-NUM. If + positive, shift that token. If negative, reduce the rule whose + number is the opposite. If YYTABLE_NINF, syntax error. 
*/ +static const yytype_int16 yytable[] = { - 0, 311, 312, 312, 313, 313, 313, 313, 313, 313, - 313, 313, 313, 313, 313, 313, 313, 313, 314, 315, - 316, 316, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 317, 317, 317, 317, 317, 317, - 317, 317, 317, 317, 318, 319, 319, 320, 320, 320, - 320, 320, 320, 320, 321, 322, 322, 323, 323, 323, - 323, 323, 323, 324, 325, 325, 326, 326, 326, 326, - 326, 326, 326, 327, 328, 328, 329, 329, 329, 329, - 329, 329, 329, 329, 329, 330, 331, 332, 333, 334, - 335, 336, 336, 337, 337, 337, 337, 337, 337, 337, - 337, 337, 337, 338, 339, 340, 341, 342, 343, 344, - 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, + 2, 537, 522, 673, 674, 633, 490, 636, 491, 492, + 571, 3, 4, 507, 678, 537, 679, 680, 681, 682, + 683, 508, 509, 639, 640, 641, 642, 643, 644, 645, + 646, 647, 648, 684, 685, 686, 687, 688, 523, 524, + 660, 661, 662, 663, 664, 665, 5, 689, 690, 691, + 692, 693, 6, 694, 695, 577, 578, 579, 580, 581, + 582, 583, 584, 696, 697, 525, 698, 699, 
700, 701, + 702, 493, 594, 595, 596, 597, 598, 599, 600, 601, + 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, + 612, 703, 704, 705, 706, 707, 7, 708, 709, 710, + 711, 712, 713, 714, 494, 715, 716, 495, 717, 718, + 510, 719, 511, 720, 8, 512, 496, 721, 722, 723, + 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, + 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, + 744, 745, 746, 747, 748, 749, 526, 527, 750, 751, + 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, + 762, 763, 764, 765, 766, 767, 768, 769, 9, 770, + 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, + 781, 782, 783, 784, 785, 786, 787, 788, 789, 528, + 790, 791, 792, 793, 794, 795, 796, 797, 798, 799, + 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, + 810, 811, 812, 813, 814, 815, 816, 817, 818, 819, + 820, 821, 822, 823, 824, 825, 826, 827, 828, 829, + 10, 830, 831, 832, 833, 834, 835, 836, 539, 540, + 541, 542, 837, 838, 839, 840, 841, 842, 544, 843, + 538, 11, 539, 540, 541, 542, 543, 497, 844, 845, + 846, 847, 544, 513, 848, 849, 558, 559, 560, 561, + 562, 850, 12, 851, 852, 853, 854, 855, 856, 563, + 857, 13, 858, 859, 860, 861, 862, 863, 864, 865, + 866, 545, 546, 867, 868, 869, 870, 871, 872, 873, + 874, 875, 876, 877, 878, 14, 879, 880, 881, 15, + 882, 883, 884, 0, 885, 16, 45, 46, 47, 48, + 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, + 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, + 69, 70, 71, 72, 73, 74, 75, 76, 886, 887, + 888, 889, 77, 78, 79, 890, 891, 892, 80, 81, + 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, + 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, + 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, + 112, 113, 114, 115, 116, 117, 118, 119, 120, 893, + 894, 895, 896, 897, 898, 899, 900, 901, 121, 122, + 123, 124, 125, 902, 126, 127, 128, 903, 904, 129, + 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, + 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, + 150, 151, 152, 153, 154, 905, 906, 907, 155, 908, + 909, 156, 157, 158, 159, 160, 161, 162, 910, 163, + 164, 165, 166, 167, 168, 169, 
170, 171, 172, 173, + 174, 911, 912, 913, 914, 915, 916, 917, 918, 919, + 920, 921, 922, 923, 924, 925, 926, 927, 928, 929, + 930, 175, 176, 177, 178, 179, 180, 181, 182, 183, + 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, + 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, + 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, + 214, 215, 216, 931, 217, 932, 218, 219, 220, 221, + 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, + 232, 233, 234, 235, 933, 934, 935, 936, 937, 938, + 939, 940, 941, 942, 943, 236, 237, 238, 239, 240, + 241, 242, 243, 244, 245, 944, 945, 946, 947, 948, + 949, 950, 246, 951, 952, 953, 954, 955, 956, 957, + 247, 248, 958, 249, 250, 959, 251, 252, 960, 961, + 253, 254, 255, 256, 257, 258, 259, 260, 962, 963, + 964, 261, 965, 966, 967, 968, 969, 970, 971, 972, + 262, 263, 264, 265, 973, 974, 975, 266, 976, 977, + 978, 979, 980, 981, 982, 983, 984, 985, 986, 987, + 988, 989, 990, 991, 992, 993, 994, 995, 996, 997, + 998, 999, 1000, 1001, 1002, 1003, 1004, 1005, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 572, 573, 574, 575, 576 +}; + +static const yytype_int16 yycheck[] = +{ + 0, 45, 45, 306, 307, 115, 45, 316, 47, 48, + 37, 11, 12, 45, 10, 45, 10, 10, 10, 10, + 10, 53, 54, 252, 253, 254, 255, 256, 257, 258, + 259, 260, 261, 10, 10, 10, 10, 10, 81, 82, + 273, 274, 275, 276, 277, 278, 46, 10, 10, 10, + 10, 10, 52, 10, 10, 97, 98, 99, 100, 101, + 102, 103, 104, 10, 10, 108, 10, 10, 10, 10, + 10, 110, 169, 170, 171, 172, 173, 174, 175, 176, + 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, + 187, 10, 10, 10, 10, 10, 96, 10, 10, 10, + 10, 10, 10, 10, 143, 10, 10, 146, 10, 10, + 142, 10, 144, 10, 114, 147, 155, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 189, 190, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 168, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 
10, 10, 10, 232, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 230, 10, 10, 10, 10, 10, 10, 10, 282, 283, + 284, 285, 10, 10, 10, 10, 10, 10, 292, 10, + 280, 251, 282, 283, 284, 285, 286, 296, 10, 10, + 10, 10, 292, 295, 10, 10, 310, 311, 312, 313, + 314, 10, 272, 10, 10, 10, 10, 10, 10, 323, + 10, 281, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 321, 322, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 305, 10, 10, 10, 309, + 10, 10, 10, -1, 10, 315, 13, 14, 15, 16, + 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, + 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, + 37, 38, 39, 40, 41, 42, 43, 44, 10, 10, + 10, 10, 49, 50, 51, 10, 10, 10, 55, 56, + 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, + 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, + 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, + 87, 88, 89, 90, 91, 92, 93, 94, 95, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 105, 106, + 107, 108, 109, 10, 111, 112, 113, 10, 10, 116, + 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, + 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, + 137, 138, 139, 140, 141, 10, 10, 10, 145, 10, + 10, 148, 149, 150, 151, 152, 153, 154, 10, 156, + 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, + 167, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 188, 189, 190, 191, 192, 193, 194, 195, 196, + 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, + 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, + 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, + 227, 228, 229, 10, 231, 10, 233, 234, 235, 236, + 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, + 247, 248, 249, 250, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 262, 263, 264, 265, 266, + 267, 268, 269, 270, 271, 10, 10, 10, 10, 10, + 10, 10, 279, 10, 10, 10, 10, 10, 10, 10, + 287, 288, 10, 290, 291, 10, 293, 294, 10, 10, + 297, 298, 299, 300, 301, 302, 303, 304, 10, 10, + 10, 308, 10, 10, 10, 10, 10, 10, 10, 10, + 317, 
318, 319, 320, 10, 10, 10, 324, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, 37, 37, 37, 37, 37 +}; + + /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing + symbol of state STATE-NUM. */ +static const yytype_int16 yystos[] = +{ + 0, 326, 0, 11, 12, 46, 52, 96, 114, 168, + 230, 251, 272, 281, 305, 309, 315, 327, 328, 329, + 332, 335, 338, 341, 350, 602, 613, 635, 639, 647, + 660, 670, 330, 333, 336, 339, 342, 351, 603, 614, + 636, 640, 648, 661, 671, 13, 14, 15, 16, 17, + 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, + 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, + 38, 39, 40, 41, 42, 43, 44, 49, 50, 51, + 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, + 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, + 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, + 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, + 95, 105, 106, 107, 108, 109, 111, 112, 113, 116, + 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, + 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, + 137, 138, 139, 140, 141, 145, 148, 149, 150, 151, + 152, 153, 154, 156, 157, 158, 159, 160, 161, 162, + 163, 164, 165, 166, 167, 188, 189, 190, 191, 192, + 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, + 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, + 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, + 223, 224, 225, 226, 227, 228, 229, 231, 233, 234, + 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, + 245, 246, 247, 248, 249, 250, 262, 263, 264, 265, + 266, 267, 268, 269, 270, 271, 279, 287, 288, 290, + 291, 293, 294, 297, 298, 299, 300, 301, 302, 303, + 304, 308, 317, 318, 319, 320, 324, 331, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 
@@ -2808,19 +2113,132 @@ static const yytype_int16 yyr1[] = 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, 545, 546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, - 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, - 575, 575, 576, 576, 576, 576, 576, 576, 576, 576, - 577, 578, 579, 580, 581, 582, 583, 584, 585, 586, - 586, 587, 587, 587, 587, 587, 587, 587, 587, 587, - 587, 587, 587, 587, 587, 587, 587, 587, 587, 587, - 588, 589, 590, 591, 592, 593, 594, 595, 596, 597, - 598, 599, 600, 601, 602, 603, 604, 605, 606, 607, - 608, 608, 609, 610, 611, 612, 612, 613, 614, 615, - 616, 617, 618, 619, 620, 620, 621, 621, 621, 621, - 621, 621, 621, 621, 621, 621, 622, 623, 624, 625, - 626, 627, 628, 629, 630, 631, 632, 633, 633, 634, - 634, 634, 634, 634, 634, 635, 636, 637, 638, 639, - 640, 641, 642, 643, 643, 644, 644, 645, 646 + 565, 566, 567, 568, 569, 643, 644, 645, 646, 669, + 45, 47, 48, 110, 143, 146, 155, 296, 334, 570, + 571, 572, 573, 574, 575, 576, 577, 45, 53, 54, + 142, 144, 147, 295, 337, 578, 579, 580, 581, 582, + 583, 584, 45, 81, 82, 108, 189, 190, 232, 340, + 595, 596, 597, 598, 599, 600, 601, 45, 280, 282, + 283, 284, 285, 286, 292, 321, 322, 343, 585, 586, + 587, 588, 589, 590, 591, 592, 593, 594, 310, 311, + 312, 313, 314, 323, 344, 345, 346, 347, 348, 349, + 352, 585, 586, 587, 588, 589, 592, 97, 98, 99, + 100, 101, 102, 103, 104, 604, 605, 606, 607, 608, + 609, 610, 611, 612, 169, 170, 171, 172, 173, 174, + 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, + 185, 186, 187, 615, 616, 617, 618, 619, 620, 621, + 622, 623, 624, 625, 626, 627, 628, 629, 630, 631, + 632, 633, 634, 115, 637, 638, 316, 641, 642, 252, + 253, 254, 255, 256, 257, 258, 259, 260, 261, 649, + 650, 651, 652, 653, 654, 655, 656, 657, 658, 659, + 273, 274, 275, 276, 277, 278, 662, 663, 664, 665, + 666, 667, 668, 306, 307, 672, 673, 674, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 
10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10 +}; + + /* YYR1[YYN] -- Symbol number of symbol that rule YYN derives. 
*/ +static const yytype_int16 yyr1[] = +{ + 0, 325, 326, 326, 327, 327, 327, 327, 327, 327, + 327, 327, 327, 327, 327, 327, 327, 327, 328, 329, + 330, 330, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 331, 331, 331, 331, 331, 331, + 331, 331, 331, 331, 332, 333, 333, 334, 334, 334, + 334, 334, 334, 334, 334, 335, 336, 336, 337, 337, + 337, 337, 337, 337, 337, 338, 339, 339, 340, 340, + 340, 340, 340, 340, 340, 341, 342, 342, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 344, 345, + 346, 347, 348, 349, 350, 351, 351, 352, 352, 352, + 352, 352, 352, 352, 352, 352, 352, 352, 352, 353, + 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, + 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, + 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, + 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, + 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, + 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, + 414, 415, 416, 417, 418, 419, 
420, 421, 422, 423, + 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, + 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, + 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, + 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, + 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, + 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, + 484, 485, 486, 487, 488, 489, 490, 491, 492, 493, + 494, 495, 496, 497, 498, 499, 500, 501, 502, 503, + 504, 505, 506, 507, 508, 509, 510, 511, 512, 513, + 514, 515, 516, 517, 518, 519, 520, 521, 522, 523, + 524, 525, 526, 527, 528, 529, 530, 531, 532, 533, + 534, 535, 536, 537, 538, 539, 540, 541, 542, 543, + 544, 545, 546, 547, 548, 549, 550, 551, 552, 553, + 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, + 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, + 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, + 584, 585, 586, 587, 588, 589, 590, 591, 592, 593, + 594, 595, 596, 597, 598, 599, 600, 601, 602, 603, + 603, 604, 604, 604, 604, 604, 604, 604, 604, 605, + 606, 607, 608, 609, 610, 611, 612, 613, 614, 614, + 615, 615, 615, 615, 615, 615, 615, 615, 615, 615, + 615, 615, 615, 615, 615, 615, 615, 615, 615, 616, + 617, 618, 619, 620, 621, 622, 623, 624, 625, 626, + 627, 628, 629, 630, 631, 632, 633, 634, 635, 636, + 636, 637, 638, 639, 640, 640, 641, 642, 643, 644, + 645, 646, 647, 648, 648, 649, 649, 649, 649, 649, + 649, 649, 649, 649, 649, 650, 651, 652, 653, 654, + 655, 656, 657, 658, 659, 660, 661, 661, 662, 662, + 662, 662, 662, 662, 663, 664, 665, 666, 667, 668, + 669, 670, 671, 671, 672, 672, 673, 674 }; /* YYR2[YYN] -- Number of symbols on the right hand side of rule YYN. */ 
@@ -2849,13 +2267,14 @@ static const yytype_int8 yyr2[] = 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 0, 1, 1, 1, - 1, 1, 1, 1, 1, 2, 0, 1, 1, 1, - 1, 1, 1, 1, 2, 0, 1, 1, 1, 1, - 1, 1, 1, 1, 2, 0, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, - 1, 2, 0, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, + 1, 1, 1, 1, 1, 1, 2, 0, 1, 1, + 1, 1, 1, 1, 1, 1, 2, 0, 1, 1, + 1, 1, 1, 1, 1, 1, 2, 0, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, + 2, 2, 2, 2, 1, 2, 0, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 
@@ -2868,29 +2287,31 @@ static const yytype_int8 yyr2[] = 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 3, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 3, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, + 3, 4, 4, 4, 3, 3, 2, 2, 2, 2, + 2, 2, 3, 3, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 3, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 3, 3, 4, 4, - 4, 3, 3, 2, 2, 2, 2, 2, 2, 3, - 3, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 3, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 3, 3, 3, 2, 2, 2, 1, - 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, - 2, 2, 2, 2, 2, 2, 2, 2, 1, 2, - 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 2, 2, 3, 3, 3, 2, 2, 2, 1, 2, + 0, 1, 1, 1, 1, 1, 1, 1, 1, 2, + 2, 2, 2, 2, 2, 2, 2, 1, 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, - 2, 0, 1, 2, 1, 2, 0, 1, 2, 2, - 2, 3, 3, 1, 2, 0, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 1, 2, 0, 1, + 2, 2, 2, 2, 2, 2, 2, 2, 1, 2, + 0, 1, 2, 1, 2, 0, 1, 2, 2, 2, + 3, 3, 1, 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, - 2, 3, 1, 2, 0, 1, 1, 2, 2 + 2, 2, 2, 2, 2, 1, 2, 0, 1, 1, + 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, + 3, 1, 2, 0, 1, 1, 2, 2 }; @@ -2969,7 +2390,7 @@ yy_symbol_value_print (FILE *yyo, yysymbol_kind_t yykind, YYSTYPE const * const yyvaluep) { FILE *yyoutput = yyo; - YYUSE (yyoutput); + YY_USE (yyoutput); if (!yyvaluep) return; # ifdef YYPRINT @@ -2977,7 +2398,7 @@ yy_symbol_value_print (FILE *yyo, YYPRINT (yyo, yytoknum[yykind], *yyvaluep); # endif YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN - YYUSE (yykind); + YY_USE (yykind); YY_IGNORE_MAYBE_UNINITIALIZED_END } 
@@ -3091,18 +2512,18 @@ static void yydestruct (const char *yymsg, yysymbol_kind_t yykind, YYSTYPE *yyvaluep) { - YYUSE (yyvaluep); + YY_USE (yyvaluep); if (!yymsg) yymsg = "Deleting"; YY_SYMBOL_PRINT (yymsg, yykind, yyvaluep, yylocationp); YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN - YYUSE (yykind); + YY_USE (yykind); YY_IGNORE_MAYBE_UNINITIALIZED_END } -/* The lookahead symbol. */ +/* Lookahead token kind. */ int yychar; /* The semantic value of the lookahead symbol. */ @@ -3120,34 +2541,30 @@ int yynerrs; int yyparse (void) { - yy_state_fast_t yystate; + yy_state_fast_t yystate = 0; /* Number of tokens to shift before error messages enabled. */ - int yyerrstatus; + int yyerrstatus = 0; - /* The stacks and their tools: - 'yyss': related to states. - 'yyvs': related to semantic values. - - Refer to the stacks through separate pointers, to allow yyoverflow + /* Refer to the stacks through separate pointers, to allow yyoverflow to reallocate them elsewhere. */ /* Their size. */ - YYPTRDIFF_T yystacksize; + YYPTRDIFF_T yystacksize = YYINITDEPTH; - /* The state stack. */ + /* The state stack: array, bottom, top. */ yy_state_t yyssa[YYINITDEPTH]; - yy_state_t *yyss; - yy_state_t *yyssp; + yy_state_t *yyss = yyssa; + yy_state_t *yyssp = yyss; - /* The semantic value stack. */ + /* The semantic value stack: array, bottom, top. */ YYSTYPE yyvsa[YYINITDEPTH]; - YYSTYPE *yyvs; - YYSTYPE *yyvsp; + YYSTYPE *yyvs = yyvsa; + YYSTYPE *yyvsp = yyvs; int yyn; /* The return value of yyparse. */ int yyresult; - /* Lookahead token as an internal (translated) token number. */ + /* Lookahead symbol kind. */ yysymbol_kind_t yytoken = YYSYMBOL_YYEMPTY; /* The variables used to return semantic value and location from the action routines. */ 
@@ -3161,15 +2578,6 @@ yyparse (void) Keep to zero when no symbol should be popped. */ int yylen = 0; - yynerrs = 0; - yystate = 0; - yyerrstatus = 0; - - yystacksize = YYINITDEPTH; - yyssp = yyss = yyssa; - yyvsp = yyvs = yyvsa; - - YYDPRINTF ((stderr, "Starting parse\n")); yychar = YYEMPTY; /* Cause a token to be read. */ 
@@ -3370,74 +2778,77 @@ yyreduce: YY_REDUCE_PRINT (yyn); switch (yyn) { - case 18: -#line 198 "./util/configparser.y" + case 18: /* force_toplevel: VAR_FORCE_TOPLEVEL */ +#line 204 "./util/configparser.y" { OUTYY(("\nP(force-toplevel)\n")); } -#line 3379 "util/configparser.c" +#line 2787 "util/configparser.c" break; - case 19: -#line 204 "./util/configparser.y" - { + case 19: /* serverstart: VAR_SERVER */ +#line 210 "./util/configparser.y" + { OUTYY(("\nP(server:)\n")); } -#line 3387 "util/configparser.c" +#line 2795 "util/configparser.c" break; - case 234: -#line 307 "./util/configparser.y" + case 244: /* stubstart: VAR_STUB_ZONE */ +#line 319 "./util/configparser.y" { struct config_stub* s; - OUTYY(("\nP(stub_zone:)\n")); + OUTYY(("\nP(stub_zone:)\n")); s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->stubs; cfg_parser->cfg->stubs = s; - } else + } else { yyerror("out of memory"); + } } -#line 3402 "util/configparser.c" +#line 2811 "util/configparser.c" break; - case 244: -#line 324 "./util/configparser.y" + case 255: /* forwardstart: VAR_FORWARD_ZONE */ +#line 337 "./util/configparser.y" { struct config_stub* s; - OUTYY(("\nP(forward_zone:)\n")); + OUTYY(("\nP(forward_zone:)\n")); s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->forwards; cfg_parser->cfg->forwards = s; - } else + } else { yyerror("out of memory"); + } } -#line 3417 "util/configparser.c" +#line 2827 "util/configparser.c" break; - case 253: -#line 341 "./util/configparser.y" + case 265: /* viewstart: VAR_VIEW */ +#line 355 "./util/configparser.y" { struct config_view* s; - OUTYY(("\nP(view:)\n")); + OUTYY(("\nP(view:)\n")); s = (struct config_view*)calloc(1, sizeof(struct config_view)); if(s) { s->next = cfg_parser->cfg->views; if(s->next && !s->next->name) yyerror("view without name"); cfg_parser->cfg->views = s; - } else + } else { yyerror("out of memory"); + } } -#line 3434 "util/configparser.c" 
+#line 2845 "util/configparser.c" break; - case 263: -#line 360 "./util/configparser.y" + case 275: /* authstart: VAR_AUTH_ZONE */ +#line 375 "./util/configparser.y" { struct config_auth* s; - OUTYY(("\nP(auth_zone:)\n")); + OUTYY(("\nP(auth_zone:)\n")); s = (struct config_auth*)calloc(1, sizeof(struct config_auth)); if(s) { s->next = cfg_parser->cfg->auths; @@ -3446,16 +2857,18 @@ yyreduce: s->for_downstream = 1; s->for_upstream = 1; s->fallback_enabled = 0; + s->zonemd_check = 0; s->zonemd_reject_absence = 0; s->isrpz = 0; - } else + } else { yyerror("out of memory"); + } } -#line 3455 "util/configparser.c" +#line 2868 "util/configparser.c" break; - case 275: -#line 385 "./util/configparser.y" + case 288: /* rpz_tag: VAR_TAGS STRING_ARG */ +#line 402 "./util/configparser.y" { uint8_t* bitlist; size_t len = 0; @@ -3472,11 +2885,11 @@ yyreduce: } } -#line 3476 "util/configparser.c" +#line 2889 "util/configparser.c" break; - case 276: -#line 404 "./util/configparser.y" + case 289: /* rpz_action_override: VAR_RPZ_ACTION_OVERRIDE STRING_ARG */ +#line 421 "./util/configparser.y" { OUTYY(("P(rpz_action_override:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "nxdomain")!=0 && strcmp((yyvsp[0].str), "nodata")!=0 && 
@@ -3491,21 +2904,21 @@ yyreduce: cfg_parser->cfg->auths->rpz_action_override = (yyvsp[0].str); } } -#line 3495 "util/configparser.c" +#line 2908 "util/configparser.c" break; - case 277: -#line 421 "./util/configparser.y" + case 290: /* rpz_cname_override: VAR_RPZ_CNAME_OVERRIDE STRING_ARG */ +#line 438 "./util/configparser.y" { OUTYY(("P(rpz_cname_override:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->auths->rpz_cname); cfg_parser->cfg->auths->rpz_cname = (yyvsp[0].str); } -#line 3505 "util/configparser.c" +#line 2918 "util/configparser.c" break; - case 278: -#line 429 "./util/configparser.y" + case 291: /* rpz_log: VAR_RPZ_LOG STRING_ARG */ +#line 446 "./util/configparser.y" { OUTYY(("P(rpz_log:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -3513,21 +2926,33 @@ yyreduce: else cfg_parser->cfg->auths->rpz_log = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 3517 "util/configparser.c" +#line 2930 "util/configparser.c" break; - case 279: -#line 439 "./util/configparser.y" + case 292: /* rpz_log_name: VAR_RPZ_LOG_NAME STRING_ARG */ +#line 456 "./util/configparser.y" { OUTYY(("P(rpz_log_name:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->auths->rpz_log_name); cfg_parser->cfg->auths->rpz_log_name = (yyvsp[0].str); } -#line 3527 "util/configparser.c" +#line 2940 "util/configparser.c" break; - case 280: -#line 447 "./util/configparser.y" + case 293: /* rpz_signal_nxdomain_ra: VAR_RPZ_SIGNAL_NXDOMAIN_RA STRING_ARG */ +#line 463 "./util/configparser.y" + { + OUTYY(("P(rpz_signal_nxdomain_ra:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->auths->rpz_signal_nxdomain_ra = (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 2952 "util/configparser.c" + break; + + case 294: /* rpzstart: VAR_RPZ */ +#line 473 "./util/configparser.y" { struct config_auth* s; OUTYY(("\nP(rpz:)\n")); 
@@ -3540,40 +2965,41 @@ yyreduce: s->for_upstream = 0; s->fallback_enabled = 0; s->isrpz = 1; - } else + } else { yyerror("out of memory"); + } } -#line 3547 "util/configparser.c" +#line 2973 "util/configparser.c" break; - case 293: -#line 470 "./util/configparser.y" - { - OUTYY(("P(server_num_threads:%s)\n", (yyvsp[0].str))); + case 309: /* server_num_threads: VAR_NUM_THREADS STRING_ARG */ +#line 497 "./util/configparser.y" + { + OUTYY(("P(server_num_threads:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->num_threads = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 3559 "util/configparser.c" +#line 2985 "util/configparser.c" break; - case 294: -#line 479 "./util/configparser.y" - { - OUTYY(("P(server_verbosity:%s)\n", (yyvsp[0].str))); + case 310: /* server_verbosity: VAR_VERBOSITY STRING_ARG */ +#line 506 "./util/configparser.y" + { + OUTYY(("P(server_verbosity:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->verbosity = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 3571 "util/configparser.c" +#line 2997 "util/configparser.c" break; - case 295: -#line 488 "./util/configparser.y" - { - OUTYY(("P(server_statistics_interval:%s)\n", (yyvsp[0].str))); + case 311: /* server_statistics_interval: VAR_STATISTICS_INTERVAL STRING_ARG */ +#line 515 "./util/configparser.y" + { + OUTYY(("P(server_statistics_interval:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "") == 0 || strcmp((yyvsp[0].str), "0") == 0) cfg_parser->cfg->stat_interval = 0; else if(atoi((yyvsp[0].str)) == 0) 
@@ -3581,11 +3007,11 @@ yyreduce: else cfg_parser->cfg->stat_interval = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 3585 "util/configparser.c" +#line 3011 "util/configparser.c" break; - case 296: -#line 499 "./util/configparser.y" + case 312: /* server_statistics_cumulative: VAR_STATISTICS_CUMULATIVE STRING_ARG */ +#line 526 "./util/configparser.y" { OUTYY(("P(server_statistics_cumulative:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -3593,11 +3019,11 @@ yyreduce: else cfg_parser->cfg->stat_cumulative = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 3597 "util/configparser.c" +#line 3023 "util/configparser.c" break; - case 297: -#line 508 "./util/configparser.y" + case 313: /* server_extended_statistics: VAR_EXTENDED_STATISTICS STRING_ARG */ +#line 535 "./util/configparser.y" { OUTYY(("P(server_extended_statistics:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -3605,11 +3031,11 @@ yyreduce: else cfg_parser->cfg->stat_extended = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 3609 "util/configparser.c" +#line 3035 "util/configparser.c" break; - case 298: -#line 517 "./util/configparser.y" + case 314: /* server_shm_enable: VAR_SHM_ENABLE STRING_ARG */ +#line 544 "./util/configparser.y" { OUTYY(("P(server_shm_enable:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -3617,13 +3043,13 @@ yyreduce: else cfg_parser->cfg->shm_enable = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 3621 "util/configparser.c" +#line 3047 "util/configparser.c" break; - case 299: -#line 526 "./util/configparser.y" - { - OUTYY(("P(server_shm_key:%s)\n", (yyvsp[0].str))); + case 315: /* server_shm_key: VAR_SHM_KEY STRING_ARG */ +#line 553 "./util/configparser.y" + { + OUTYY(("P(server_shm_key:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "") == 0 || strcmp((yyvsp[0].str), "0") == 0) cfg_parser->cfg->shm_key = 0; else if(atoi((yyvsp[0].str)) == 0) @@ -3631,11 +3057,11 @@ yyreduce: else cfg_parser->cfg->shm_key = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 3635 "util/configparser.c" +#line 3061 "util/configparser.c" break; - case 300: -#line 537 "./util/configparser.y" + case 316: /* server_port: VAR_PORT STRING_ARG */ +#line 564 "./util/configparser.y" { OUTYY(("P(server_port:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) @@ -3643,11 +3069,11 @@ yyreduce: else cfg_parser->cfg->port = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 3647 "util/configparser.c" +#line 3073 "util/configparser.c" break; - case 301: -#line 546 "./util/configparser.y" + case 317: /* server_send_client_subnet: VAR_SEND_CLIENT_SUBNET STRING_ARG */ +#line 573 "./util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(server_send_client_subnet:%s)\n", (yyvsp[0].str))); @@ -3658,11 +3084,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 3662 "util/configparser.c" +#line 3088 "util/configparser.c" break; - case 302: -#line 558 "./util/configparser.y" + case 318: /* server_client_subnet_zone: VAR_CLIENT_SUBNET_ZONE STRING_ARG */ +#line 585 "./util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(server_client_subnet_zone:%s)\n", (yyvsp[0].str))); 
@@ -3674,11 +3100,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 3678 "util/configparser.c" +#line 3104 "util/configparser.c" break; - case 303: -#line 572 "./util/configparser.y" + case 319: /* server_client_subnet_always_forward: VAR_CLIENT_SUBNET_ALWAYS_FORWARD STRING_ARG */ +#line 599 "./util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(server_client_subnet_always_forward:%s)\n", (yyvsp[0].str))); @@ -3692,11 +3118,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 3696 "util/configparser.c" +#line 3122 "util/configparser.c" break; - case 304: -#line 587 "./util/configparser.y" + case 320: /* server_client_subnet_opcode: VAR_CLIENT_SUBNET_OPCODE STRING_ARG */ +#line 614 "./util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(client_subnet_opcode:%s)\n", (yyvsp[0].str))); @@ -3706,11 +3132,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 3710 "util/configparser.c" +#line 3136 "util/configparser.c" break; - case 305: -#line 598 "./util/configparser.y" + case 321: /* server_max_client_subnet_ipv4: VAR_MAX_CLIENT_SUBNET_IPV4 STRING_ARG */ +#line 625 "./util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(max_client_subnet_ipv4:%s)\n", (yyvsp[0].str))); @@ -3726,11 +3152,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 3730 "util/configparser.c" +#line 3156 "util/configparser.c" break; - case 306: -#line 615 "./util/configparser.y" + case 322: /* server_max_client_subnet_ipv6: VAR_MAX_CLIENT_SUBNET_IPV6 STRING_ARG */ +#line 642 "./util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(max_client_subnet_ipv6:%s)\n", (yyvsp[0].str))); @@ -3746,11 +3172,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 3750 "util/configparser.c" +#line 3176 "util/configparser.c" break; - case 307: -#line 632 "./util/configparser.y" + case 323: /* server_min_client_subnet_ipv4: VAR_MIN_CLIENT_SUBNET_IPV4 STRING_ARG */ +#line 659 "./util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(min_client_subnet_ipv4:%s)\n", (yyvsp[0].str))); 
@@ -3766,11 +3192,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 3770 "util/configparser.c" +#line 3196 "util/configparser.c" break; - case 308: -#line 649 "./util/configparser.y" + case 324: /* server_min_client_subnet_ipv6: VAR_MIN_CLIENT_SUBNET_IPV6 STRING_ARG */ +#line 676 "./util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(min_client_subnet_ipv6:%s)\n", (yyvsp[0].str))); @@ -3786,11 +3212,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 3790 "util/configparser.c" +#line 3216 "util/configparser.c" break; - case 309: -#line 666 "./util/configparser.y" + case 325: /* server_max_ecs_tree_size_ipv4: VAR_MAX_ECS_TREE_SIZE_IPV4 STRING_ARG */ +#line 693 "./util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(max_ecs_tree_size_ipv4:%s)\n", (yyvsp[0].str))); @@ -3804,11 +3230,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 3808 "util/configparser.c" +#line 3234 "util/configparser.c" break; - case 310: -#line 681 "./util/configparser.y" + case 326: /* server_max_ecs_tree_size_ipv6: VAR_MAX_ECS_TREE_SIZE_IPV6 STRING_ARG */ +#line 708 "./util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(max_ecs_tree_size_ipv6:%s)\n", (yyvsp[0].str))); 
@@ -3822,33 +3248,33 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 3826 "util/configparser.c" +#line 3252 "util/configparser.c" break; - case 311: -#line 696 "./util/configparser.y" + case 327: /* server_interface: VAR_INTERFACE STRING_ARG */ +#line 723 "./util/configparser.y" { OUTYY(("P(server_interface:%s)\n", (yyvsp[0].str))); if(cfg_parser->cfg->num_ifs == 0) cfg_parser->cfg->ifs = calloc(1, sizeof(char*)); - else cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs, + else cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs, (cfg_parser->cfg->num_ifs+1)*sizeof(char*)); if(!cfg_parser->cfg->ifs) yyerror("out of memory"); else cfg_parser->cfg->ifs[cfg_parser->cfg->num_ifs++] = (yyvsp[0].str); } -#line 3842 "util/configparser.c" +#line 3268 "util/configparser.c" break; - case 312: -#line 709 "./util/configparser.y" + case 328: /* server_outgoing_interface: VAR_OUTGOING_INTERFACE STRING_ARG */ +#line 736 "./util/configparser.y" { OUTYY(("P(server_outgoing_interface:%s)\n", (yyvsp[0].str))); if(cfg_parser->cfg->num_out_ifs == 0) cfg_parser->cfg->out_ifs = calloc(1, sizeof(char*)); - else cfg_parser->cfg->out_ifs = realloc( - cfg_parser->cfg->out_ifs, + else cfg_parser->cfg->out_ifs = realloc( + cfg_parser->cfg->out_ifs, (cfg_parser->cfg->num_out_ifs+1)*sizeof(char*)); if(!cfg_parser->cfg->out_ifs) yyerror("out of memory"); @@ -3856,11 +3282,11 @@ yyreduce: cfg_parser->cfg->out_ifs[ cfg_parser->cfg->num_out_ifs++] = (yyvsp[0].str); } -#line 3860 "util/configparser.c" +#line 3286 "util/configparser.c" break; - case 313: -#line 724 "./util/configparser.y" + case 329: /* server_outgoing_range: VAR_OUTGOING_RANGE STRING_ARG */ +#line 751 "./util/configparser.y" { OUTYY(("P(server_outgoing_range:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) 
@@ -3868,35 +3294,35 @@ yyreduce: else cfg_parser->cfg->outgoing_num_ports = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 3872 "util/configparser.c" +#line 3298 "util/configparser.c" break; - case 314: -#line 733 "./util/configparser.y" + case 330: /* server_outgoing_port_permit: VAR_OUTGOING_PORT_PERMIT STRING_ARG */ +#line 760 "./util/configparser.y" { OUTYY(("P(server_outgoing_port_permit:%s)\n", (yyvsp[0].str))); - if(!cfg_mark_ports((yyvsp[0].str), 1, + if(!cfg_mark_ports((yyvsp[0].str), 1, cfg_parser->cfg->outgoing_avail_ports, 65536)) yyerror("port number or range (\"low-high\") expected"); free((yyvsp[0].str)); } -#line 3884 "util/configparser.c" +#line 3310 "util/configparser.c" break; - case 315: -#line 742 "./util/configparser.y" + case 331: /* server_outgoing_port_avoid: VAR_OUTGOING_PORT_AVOID STRING_ARG */ +#line 769 "./util/configparser.y" { OUTYY(("P(server_outgoing_port_avoid:%s)\n", (yyvsp[0].str))); - if(!cfg_mark_ports((yyvsp[0].str), 0, + if(!cfg_mark_ports((yyvsp[0].str), 0, cfg_parser->cfg->outgoing_avail_ports, 65536)) yyerror("port number or range (\"low-high\") expected"); free((yyvsp[0].str)); } -#line 3896 "util/configparser.c" +#line 3322 "util/configparser.c" break; - case 316: -#line 751 "./util/configparser.y" + case 332: /* server_outgoing_num_tcp: VAR_OUTGOING_NUM_TCP STRING_ARG */ +#line 778 "./util/configparser.y" { OUTYY(("P(server_outgoing_num_tcp:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -3904,11 +3330,11 @@ yyreduce: else cfg_parser->cfg->outgoing_num_tcp = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 3908 "util/configparser.c" +#line 3334 "util/configparser.c" break; - case 317: -#line 760 "./util/configparser.y" + case 333: /* server_incoming_num_tcp: VAR_INCOMING_NUM_TCP STRING_ARG */ +#line 787 "./util/configparser.y" { OUTYY(("P(server_incoming_num_tcp:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) 
@@ -3916,11 +3342,11 @@ yyreduce: else cfg_parser->cfg->incoming_num_tcp = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 3920 "util/configparser.c" +#line 3346 "util/configparser.c" break; - case 318: -#line 769 "./util/configparser.y" + case 334: /* server_interface_automatic: VAR_INTERFACE_AUTOMATIC STRING_ARG */ +#line 796 "./util/configparser.y" { OUTYY(("P(server_interface_automatic:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -3928,11 +3354,21 @@ yyreduce: else cfg_parser->cfg->if_automatic = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 3932 "util/configparser.c" +#line 3358 "util/configparser.c" break; - case 319: -#line 778 "./util/configparser.y" + case 335: /* server_interface_automatic_ports: VAR_INTERFACE_AUTOMATIC_PORTS STRING_ARG */ +#line 805 "./util/configparser.y" + { + OUTYY(("P(server_interface_automatic_ports:%s)\n", (yyvsp[0].str))); + free(cfg_parser->cfg->if_automatic_ports); + cfg_parser->cfg->if_automatic_ports = (yyvsp[0].str); + } +#line 3368 "util/configparser.c" + break; + + case 336: /* server_do_ip4: VAR_DO_IP4 STRING_ARG */ +#line 812 "./util/configparser.y" { OUTYY(("P(server_do_ip4:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -3940,11 +3376,11 @@ yyreduce: else cfg_parser->cfg->do_ip4 = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 3944 "util/configparser.c" +#line 3380 "util/configparser.c" break; - case 320: -#line 787 "./util/configparser.y" + case 337: /* server_do_ip6: VAR_DO_IP6 STRING_ARG */ +#line 821 "./util/configparser.y" { OUTYY(("P(server_do_ip6:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -3952,11 +3388,11 @@ yyreduce: else cfg_parser->cfg->do_ip6 = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 3956 "util/configparser.c" +#line 3392 "util/configparser.c" break; - case 321: -#line 796 "./util/configparser.y" + case 338: /* server_do_udp: VAR_DO_UDP STRING_ARG */ +#line 830 "./util/configparser.y" { OUTYY(("P(server_do_udp:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -3964,11 +3400,11 @@ yyreduce: else cfg_parser->cfg->do_udp = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 3968 "util/configparser.c" +#line 3404 "util/configparser.c" break; - case 322: -#line 805 "./util/configparser.y" + case 339: /* server_do_tcp: VAR_DO_TCP STRING_ARG */ +#line 839 "./util/configparser.y" { OUTYY(("P(server_do_tcp:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -3976,11 +3412,11 @@ yyreduce: else cfg_parser->cfg->do_tcp = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 3980 "util/configparser.c" +#line 3416 "util/configparser.c" break; - case 323: -#line 814 "./util/configparser.y" + case 340: /* server_prefer_ip4: VAR_PREFER_IP4 STRING_ARG */ +#line 848 "./util/configparser.y" { OUTYY(("P(server_prefer_ip4:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -3988,11 +3424,11 @@ yyreduce: else cfg_parser->cfg->prefer_ip4 = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 3992 "util/configparser.c" +#line 3428 "util/configparser.c" break; - case 324: -#line 823 "./util/configparser.y" + case 341: /* server_prefer_ip6: VAR_PREFER_IP6 STRING_ARG */ +#line 857 "./util/configparser.y" { OUTYY(("P(server_prefer_ip6:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -4000,23 +3436,23 @@ yyreduce: else cfg_parser->cfg->prefer_ip6 = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4004 "util/configparser.c" +#line 3440 "util/configparser.c" break; - case 325: -#line 832 "./util/configparser.y" + case 342: /* server_tcp_mss: VAR_TCP_MSS STRING_ARG */ +#line 866 "./util/configparser.y" { OUTYY(("P(server_tcp_mss:%s)\n", (yyvsp[0].str))); - if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) - yyerror("number expected"); - else cfg_parser->cfg->tcp_mss = atoi((yyvsp[0].str)); - free((yyvsp[0].str)); + if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->tcp_mss = atoi((yyvsp[0].str)); + free((yyvsp[0].str)); } -#line 4016 "util/configparser.c" +#line 3452 "util/configparser.c" break; - case 326: -#line 841 "./util/configparser.y" + case 343: /* server_outgoing_tcp_mss: VAR_OUTGOING_TCP_MSS STRING_ARG */ +#line 875 "./util/configparser.y" { OUTYY(("P(server_outgoing_tcp_mss:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -4024,11 +3460,11 @@ yyreduce: else cfg_parser->cfg->outgoing_tcp_mss = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4028 "util/configparser.c" +#line 3464 "util/configparser.c" break; - case 327: -#line 850 "./util/configparser.y" + case 344: /* server_tcp_idle_timeout: VAR_TCP_IDLE_TIMEOUT STRING_ARG */ +#line 884 "./util/configparser.y" { OUTYY(("P(server_tcp_idle_timeout:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) 
@@ -4040,11 +3476,53 @@ yyreduce: else cfg_parser->cfg->tcp_idle_timeout = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4044 "util/configparser.c" +#line 3480 "util/configparser.c" break; - case 328: -#line 863 "./util/configparser.y" + case 345: /* server_max_reuse_tcp_queries: VAR_MAX_REUSE_TCP_QUERIES STRING_ARG */ +#line 897 "./util/configparser.y" + { + OUTYY(("P(server_max_reuse_tcp_queries:%s)\n", (yyvsp[0].str))); + if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) + yyerror("number expected"); + else if (atoi((yyvsp[0].str)) < 1) + cfg_parser->cfg->max_reuse_tcp_queries = 0; + else cfg_parser->cfg->max_reuse_tcp_queries = atoi((yyvsp[0].str)); + free((yyvsp[0].str)); + } +#line 3494 "util/configparser.c" + break; + + case 346: /* server_tcp_reuse_timeout: VAR_TCP_REUSE_TIMEOUT STRING_ARG */ +#line 908 "./util/configparser.y" + { + OUTYY(("P(server_tcp_reuse_timeout:%s)\n", (yyvsp[0].str))); + if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) + yyerror("number expected"); + else if (atoi((yyvsp[0].str)) < 1) + cfg_parser->cfg->tcp_reuse_timeout = 0; + else cfg_parser->cfg->tcp_reuse_timeout = atoi((yyvsp[0].str)); + free((yyvsp[0].str)); + } +#line 3508 "util/configparser.c" + break; + + case 347: /* server_tcp_auth_query_timeout: VAR_TCP_AUTH_QUERY_TIMEOUT STRING_ARG */ +#line 919 "./util/configparser.y" + { + OUTYY(("P(server_tcp_auth_query_timeout:%s)\n", (yyvsp[0].str))); + if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) + yyerror("number expected"); + else if (atoi((yyvsp[0].str)) < 1) + cfg_parser->cfg->tcp_auth_query_timeout = 0; + else cfg_parser->cfg->tcp_auth_query_timeout = atoi((yyvsp[0].str)); + free((yyvsp[0].str)); + } +#line 3522 "util/configparser.c" + break; + + case 348: /* server_tcp_keepalive: VAR_EDNS_TCP_KEEPALIVE STRING_ARG */ +#line 930 "./util/configparser.y" { OUTYY(("P(server_tcp_keepalive:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && 
strcmp((yyvsp[0].str), "no") != 0) @@ -4052,11 +3530,11 @@ yyreduce: else cfg_parser->cfg->do_tcp_keepalive = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4056 "util/configparser.c" +#line 3534 "util/configparser.c" break; - case 329: -#line 872 "./util/configparser.y" + case 349: /* server_tcp_keepalive_timeout: VAR_EDNS_TCP_KEEPALIVE_TIMEOUT STRING_ARG */ +#line 939 "./util/configparser.y" { OUTYY(("P(server_tcp_keepalive_timeout:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -4068,11 +3546,11 @@ yyreduce: else cfg_parser->cfg->tcp_keepalive_timeout = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4072 "util/configparser.c" +#line 3550 "util/configparser.c" break; - case 330: -#line 885 "./util/configparser.y" + case 350: /* server_tcp_upstream: VAR_TCP_UPSTREAM STRING_ARG */ +#line 952 "./util/configparser.y" { OUTYY(("P(server_tcp_upstream:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4080,11 +3558,11 @@ yyreduce: else cfg_parser->cfg->tcp_upstream = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4084 "util/configparser.c" +#line 3562 "util/configparser.c" break; - case 331: -#line 894 "./util/configparser.y" + case 351: /* server_udp_upstream_without_downstream: VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM STRING_ARG */ +#line 961 "./util/configparser.y" { OUTYY(("P(server_udp_upstream_without_downstream:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -4092,11 +3570,11 @@ yyreduce: else cfg_parser->cfg->udp_upstream_without_downstream = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4096 "util/configparser.c" +#line 3574 "util/configparser.c" break; - case 332: -#line 903 "./util/configparser.y" + case 352: /* server_ssl_upstream: VAR_SSL_UPSTREAM STRING_ARG */ +#line 970 "./util/configparser.y" { OUTYY(("P(server_ssl_upstream:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4104,31 +3582,31 @@ yyreduce: else cfg_parser->cfg->ssl_upstream = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4108 "util/configparser.c" +#line 3586 "util/configparser.c" break; - case 333: -#line 912 "./util/configparser.y" + case 353: /* server_ssl_service_key: VAR_SSL_SERVICE_KEY STRING_ARG */ +#line 979 "./util/configparser.y" { OUTYY(("P(server_ssl_service_key:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->ssl_service_key); cfg_parser->cfg->ssl_service_key = (yyvsp[0].str); } -#line 4118 "util/configparser.c" +#line 3596 "util/configparser.c" break; - case 334: -#line 919 "./util/configparser.y" + case 354: /* server_ssl_service_pem: VAR_SSL_SERVICE_PEM STRING_ARG */ +#line 986 "./util/configparser.y" { OUTYY(("P(server_ssl_service_pem:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->ssl_service_pem); cfg_parser->cfg->ssl_service_pem = (yyvsp[0].str); } -#line 4128 "util/configparser.c" +#line 3606 "util/configparser.c" break; - case 335: -#line 926 "./util/configparser.y" + case 355: /* server_ssl_port: VAR_SSL_PORT STRING_ARG */ +#line 993 "./util/configparser.y" { OUTYY(("P(server_ssl_port:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) 
@@ -4136,21 +3614,21 @@ yyreduce: else cfg_parser->cfg->ssl_port = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4140 "util/configparser.c" +#line 3618 "util/configparser.c" break; - case 336: -#line 935 "./util/configparser.y" + case 356: /* server_tls_cert_bundle: VAR_TLS_CERT_BUNDLE STRING_ARG */ +#line 1002 "./util/configparser.y" { OUTYY(("P(server_tls_cert_bundle:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->tls_cert_bundle); cfg_parser->cfg->tls_cert_bundle = (yyvsp[0].str); } -#line 4150 "util/configparser.c" +#line 3628 "util/configparser.c" break; - case 337: -#line 942 "./util/configparser.y" + case 357: /* server_tls_win_cert: VAR_TLS_WIN_CERT STRING_ARG */ +#line 1009 "./util/configparser.y" { OUTYY(("P(server_tls_win_cert:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -4158,53 +3636,53 @@ yyreduce: else cfg_parser->cfg->tls_win_cert = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4162 "util/configparser.c" +#line 3640 "util/configparser.c" break; - case 338: -#line 951 "./util/configparser.y" + case 358: /* server_tls_additional_port: VAR_TLS_ADDITIONAL_PORT STRING_ARG */ +#line 1018 "./util/configparser.y" { OUTYY(("P(server_tls_additional_port:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->tls_additional_port, (yyvsp[0].str))) yyerror("out of memory"); } -#line 4173 "util/configparser.c" +#line 3651 "util/configparser.c" break; - case 339: -#line 959 "./util/configparser.y" + case 359: /* server_tls_ciphers: VAR_TLS_CIPHERS STRING_ARG */ +#line 1026 "./util/configparser.y" { OUTYY(("P(server_tls_ciphers:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->tls_ciphers); cfg_parser->cfg->tls_ciphers = (yyvsp[0].str); } -#line 4183 "util/configparser.c" +#line 3661 "util/configparser.c" break; - case 340: -#line 966 "./util/configparser.y" + case 360: /* server_tls_ciphersuites: VAR_TLS_CIPHERSUITES STRING_ARG */ +#line 1033 "./util/configparser.y" { OUTYY(("P(server_tls_ciphersuites:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->tls_ciphersuites); cfg_parser->cfg->tls_ciphersuites = (yyvsp[0].str); } -#line 4193 "util/configparser.c" +#line 3671 "util/configparser.c" break; - case 341: -#line 973 "./util/configparser.y" + case 361: /* server_tls_session_ticket_keys: VAR_TLS_SESSION_TICKET_KEYS STRING_ARG */ +#line 1040 "./util/configparser.y" { OUTYY(("P(server_tls_session_ticket_keys:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_append(&cfg_parser->cfg->tls_session_ticket_keys, (yyvsp[0].str))) yyerror("out of memory"); } -#line 4204 "util/configparser.c" +#line 3682 "util/configparser.c" break; - case 342: -#line 981 "./util/configparser.y" + case 362: /* server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG */ +#line 1048 "./util/configparser.y" { OUTYY(("P(server_tls_use_sni:%s)\n", 
(yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4212,11 +3690,11 @@ yyreduce: else cfg_parser->cfg->tls_use_sni = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4216 "util/configparser.c" +#line 3694 "util/configparser.c" break; - case 343: -#line 990 "./util/configparser.y" + case 363: /* server_https_port: VAR_HTTPS_PORT STRING_ARG */ +#line 1057 "./util/configparser.y" { OUTYY(("P(server_https_port:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) @@ -4224,11 +3702,11 @@ yyreduce: else cfg_parser->cfg->https_port = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4228 "util/configparser.c" +#line 3706 "util/configparser.c" break; - case 344: -#line 998 "./util/configparser.y" + case 364: /* server_http_endpoint: VAR_HTTP_ENDPOINT STRING_ARG */ +#line 1065 "./util/configparser.y" { OUTYY(("P(server_http_endpoint:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->http_endpoint); @@ -4244,11 +3722,11 @@ yyreduce: cfg_parser->cfg->http_endpoint = (yyvsp[0].str); } } -#line 4248 "util/configparser.c" +#line 3726 "util/configparser.c" break; - case 345: -#line 1014 "./util/configparser.y" + case 365: /* server_http_max_streams: VAR_HTTP_MAX_STREAMS STRING_ARG */ +#line 1081 "./util/configparser.y" { OUTYY(("P(server_http_max_streams:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -4256,11 +3734,11 @@ yyreduce: else cfg_parser->cfg->http_max_streams = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4260 "util/configparser.c" +#line 3738 "util/configparser.c" break; - case 346: -#line 1022 "./util/configparser.y" + case 366: /* server_http_query_buffer_size: VAR_HTTP_QUERY_BUFFER_SIZE STRING_ARG */ +#line 1089 "./util/configparser.y" { OUTYY(("P(server_http_query_buffer_size:%s)\n", (yyvsp[0].str))); if(!cfg_parse_memsize((yyvsp[0].str), 
@@ -4268,11 +3746,11 @@ yyreduce: yyerror("memory size expected"); free((yyvsp[0].str)); } -#line 4272 "util/configparser.c" +#line 3750 "util/configparser.c" break; - case 347: -#line 1030 "./util/configparser.y" + case 367: /* server_http_response_buffer_size: VAR_HTTP_RESPONSE_BUFFER_SIZE STRING_ARG */ +#line 1097 "./util/configparser.y" { OUTYY(("P(server_http_response_buffer_size:%s)\n", (yyvsp[0].str))); if(!cfg_parse_memsize((yyvsp[0].str), @@ -4280,11 +3758,11 @@ yyreduce: yyerror("memory size expected"); free((yyvsp[0].str)); } -#line 4284 "util/configparser.c" +#line 3762 "util/configparser.c" break; - case 348: -#line 1038 "./util/configparser.y" + case 368: /* server_http_nodelay: VAR_HTTP_NODELAY STRING_ARG */ +#line 1105 "./util/configparser.y" { OUTYY(("P(server_http_nodelay:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4292,11 +3770,11 @@ yyreduce: else cfg_parser->cfg->http_nodelay = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4296 "util/configparser.c" +#line 3774 "util/configparser.c" break; - case 349: -#line 1046 "./util/configparser.y" + case 369: /* server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG */ +#line 1113 "./util/configparser.y" { OUTYY(("P(server_http_notls_downstream:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4304,11 +3782,11 @@ yyreduce: else cfg_parser->cfg->http_notls_downstream = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4308 "util/configparser.c" +#line 3786 "util/configparser.c" break; - case 350: -#line 1054 "./util/configparser.y" + case 370: /* server_use_systemd: VAR_USE_SYSTEMD STRING_ARG */ +#line 1121 "./util/configparser.y" { OUTYY(("P(server_use_systemd:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -4316,11 +3794,11 @@ yyreduce: else cfg_parser->cfg->use_systemd = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4320 "util/configparser.c" +#line 3798 "util/configparser.c" break; - case 351: -#line 1063 "./util/configparser.y" + case 371: /* server_do_daemonize: VAR_DO_DAEMONIZE STRING_ARG */ +#line 1130 "./util/configparser.y" { OUTYY(("P(server_do_daemonize:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4328,11 +3806,11 @@ yyreduce: else cfg_parser->cfg->do_daemonize = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4332 "util/configparser.c" +#line 3810 "util/configparser.c" break; - case 352: -#line 1072 "./util/configparser.y" + case 372: /* server_use_syslog: VAR_USE_SYSLOG STRING_ARG */ +#line 1139 "./util/configparser.y" { OUTYY(("P(server_use_syslog:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4345,11 +3823,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 4349 "util/configparser.c" +#line 3827 "util/configparser.c" break; - case 353: -#line 1086 "./util/configparser.y" + case 373: /* server_log_time_ascii: VAR_LOG_TIME_ASCII STRING_ARG */ +#line 1153 "./util/configparser.y" { OUTYY(("P(server_log_time_ascii:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4357,11 +3835,11 @@ yyreduce: else cfg_parser->cfg->log_time_ascii = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4361 "util/configparser.c" +#line 3839 "util/configparser.c" break; - case 354: -#line 1095 "./util/configparser.y" + case 374: /* server_log_queries: VAR_LOG_QUERIES STRING_ARG */ +#line 1162 "./util/configparser.y" { OUTYY(("P(server_log_queries:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -4369,35 +3847,35 @@ yyreduce: else cfg_parser->cfg->log_queries = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4373 "util/configparser.c" +#line 3851 "util/configparser.c" break; - case 355: -#line 1104 "./util/configparser.y" - { - OUTYY(("P(server_log_replies:%s)\n", (yyvsp[0].str))); - if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_replies = (strcmp((yyvsp[0].str), "yes")==0); - free((yyvsp[0].str)); - } -#line 4385 "util/configparser.c" + case 375: /* server_log_replies: VAR_LOG_REPLIES STRING_ARG */ +#line 1171 "./util/configparser.y" + { + OUTYY(("P(server_log_replies:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_replies = (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 3863 "util/configparser.c" break; - case 356: -#line 1113 "./util/configparser.y" - { - OUTYY(("P(server_log_tag_queryreply:%s)\n", (yyvsp[0].str))); - if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_tag_queryreply = (strcmp((yyvsp[0].str), "yes")==0); - free((yyvsp[0].str)); - } -#line 4397 "util/configparser.c" + case 376: /* server_log_tag_queryreply: VAR_LOG_TAG_QUERYREPLY STRING_ARG */ +#line 1180 "./util/configparser.y" + { + OUTYY(("P(server_log_tag_queryreply:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_tag_queryreply = (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 3875 "util/configparser.c" break; - case 357: -#line 1122 "./util/configparser.y" + case 377: /* server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG */ +#line 1189 "./util/configparser.y" { OUTYY(("P(server_log_servfail:%s)\n", 
(yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -4405,43 +3883,43 @@ yyreduce: else cfg_parser->cfg->log_servfail = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4409 "util/configparser.c" +#line 3887 "util/configparser.c" break; - case 358: -#line 1131 "./util/configparser.y" - { - OUTYY(("P(server_log_local_actions:%s)\n", (yyvsp[0].str))); - if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_local_actions = (strcmp((yyvsp[0].str), "yes")==0); - free((yyvsp[0].str)); - } -#line 4421 "util/configparser.c" + case 378: /* server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG */ +#line 1198 "./util/configparser.y" + { + OUTYY(("P(server_log_local_actions:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_local_actions = (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 3899 "util/configparser.c" break; - case 359: -#line 1140 "./util/configparser.y" + case 379: /* server_chroot: VAR_CHROOT STRING_ARG */ +#line 1207 "./util/configparser.y" { OUTYY(("P(server_chroot:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->chrootdir); cfg_parser->cfg->chrootdir = (yyvsp[0].str); } -#line 4431 "util/configparser.c" +#line 3909 "util/configparser.c" break; - case 360: -#line 1147 "./util/configparser.y" + case 380: /* server_username: VAR_USERNAME STRING_ARG */ +#line 1214 "./util/configparser.y" { OUTYY(("P(server_username:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->username); cfg_parser->cfg->username = (yyvsp[0].str); } -#line 4441 "util/configparser.c" +#line 3919 "util/configparser.c" break; - case 361: -#line 1154 "./util/configparser.y" + case 381: /* server_directory: VAR_DIRECTORY STRING_ARG */ +#line 1221 "./util/configparser.y" { OUTYY(("P(server_directory:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->directory); 
@@ -4460,111 +3938,111 @@ yyreduce: cfg_parser->chroot)) == 0) d += strlen(cfg_parser->chroot); if(d[0]) { - if(chdir(d)) + if(chdir(d)) log_err("cannot chdir to directory: %s (%s)", d, strerror(errno)); } } } -#line 4470 "util/configparser.c" +#line 3948 "util/configparser.c" break; - case 362: -#line 1180 "./util/configparser.y" + case 382: /* server_logfile: VAR_LOGFILE STRING_ARG */ +#line 1247 "./util/configparser.y" { OUTYY(("P(server_logfile:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->logfile); cfg_parser->cfg->logfile = (yyvsp[0].str); cfg_parser->cfg->use_syslog = 0; } -#line 4481 "util/configparser.c" +#line 3959 "util/configparser.c" break; - case 363: -#line 1188 "./util/configparser.y" + case 383: /* server_pidfile: VAR_PIDFILE STRING_ARG */ +#line 1255 "./util/configparser.y" { OUTYY(("P(server_pidfile:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->pidfile); cfg_parser->cfg->pidfile = (yyvsp[0].str); } -#line 4491 "util/configparser.c" +#line 3969 "util/configparser.c" break; - case 364: -#line 1195 "./util/configparser.y" + case 384: /* server_root_hints: VAR_ROOT_HINTS STRING_ARG */ +#line 1262 "./util/configparser.y" { OUTYY(("P(server_root_hints:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->root_hints, (yyvsp[0].str))) yyerror("out of memory"); } -#line 4501 "util/configparser.c" +#line 3979 "util/configparser.c" break; - case 365: -#line 1202 "./util/configparser.y" + case 385: /* server_dlv_anchor_file: VAR_DLV_ANCHOR_FILE STRING_ARG */ +#line 1269 "./util/configparser.y" { OUTYY(("P(server_dlv_anchor_file:%s)\n", (yyvsp[0].str))); log_warn("option dlv-anchor-file ignored: DLV is decommissioned"); free((yyvsp[0].str)); } -#line 4511 "util/configparser.c" +#line 3989 "util/configparser.c" break; - case 366: -#line 1209 "./util/configparser.y" + case 386: /* server_dlv_anchor: VAR_DLV_ANCHOR STRING_ARG */ +#line 1276 "./util/configparser.y" { OUTYY(("P(server_dlv_anchor:%s)\n", (yyvsp[0].str))); log_warn("option 
dlv-anchor ignored: DLV is decommissioned"); free((yyvsp[0].str)); } -#line 4521 "util/configparser.c" +#line 3999 "util/configparser.c" break; - case 367: -#line 1216 "./util/configparser.y" + case 387: /* server_auto_trust_anchor_file: VAR_AUTO_TRUST_ANCHOR_FILE STRING_ARG */ +#line 1283 "./util/configparser.y" { OUTYY(("P(server_auto_trust_anchor_file:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg-> auto_trust_anchor_file_list, (yyvsp[0].str))) yyerror("out of memory"); } -#line 4532 "util/configparser.c" +#line 4010 "util/configparser.c" break; - case 368: -#line 1224 "./util/configparser.y" + case 388: /* server_trust_anchor_file: VAR_TRUST_ANCHOR_FILE STRING_ARG */ +#line 1291 "./util/configparser.y" { OUTYY(("P(server_trust_anchor_file:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg-> trust_anchor_file_list, (yyvsp[0].str))) yyerror("out of memory"); } -#line 4543 "util/configparser.c" +#line 4021 "util/configparser.c" break; - case 369: -#line 1232 "./util/configparser.y" + case 389: /* server_trusted_keys_file: VAR_TRUSTED_KEYS_FILE STRING_ARG */ +#line 1299 "./util/configparser.y" { OUTYY(("P(server_trusted_keys_file:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg-> trusted_keys_file_list, (yyvsp[0].str))) yyerror("out of memory"); } -#line 4554 "util/configparser.c" +#line 4032 "util/configparser.c" break; - case 370: -#line 1240 "./util/configparser.y" + case 390: /* server_trust_anchor: VAR_TRUST_ANCHOR STRING_ARG */ +#line 1307 "./util/configparser.y" { OUTYY(("P(server_trust_anchor:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->trust_anchor_list, (yyvsp[0].str))) yyerror("out of memory"); } -#line 4564 "util/configparser.c" +#line 4042 "util/configparser.c" break; - case 371: -#line 1247 "./util/configparser.y" + case 391: /* server_trust_anchor_signaling: VAR_TRUST_ANCHOR_SIGNALING STRING_ARG */ +#line 1314 "./util/configparser.y" { 
OUTYY(("P(server_trust_anchor_signaling:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4574,11 +4052,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4578 "util/configparser.c" +#line 4056 "util/configparser.c" break; - case 372: -#line 1258 "./util/configparser.y" + case 392: /* server_root_key_sentinel: VAR_ROOT_KEY_SENTINEL STRING_ARG */ +#line 1325 "./util/configparser.y" { OUTYY(("P(server_root_key_sentinel:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4588,21 +4066,21 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4592 "util/configparser.c" +#line 4070 "util/configparser.c" break; - case 373: -#line 1269 "./util/configparser.y" + case 393: /* server_domain_insecure: VAR_DOMAIN_INSECURE STRING_ARG */ +#line 1336 "./util/configparser.y" { OUTYY(("P(server_domain_insecure:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->domain_insecure, (yyvsp[0].str))) yyerror("out of memory"); } -#line 4602 "util/configparser.c" +#line 4080 "util/configparser.c" break; - case 374: -#line 1276 "./util/configparser.y" + case 394: /* server_hide_identity: VAR_HIDE_IDENTITY STRING_ARG */ +#line 1343 "./util/configparser.y" { OUTYY(("P(server_hide_identity:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -4610,11 +4088,11 @@ yyreduce: else cfg_parser->cfg->hide_identity = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4614 "util/configparser.c" +#line 4092 "util/configparser.c" break; - case 375: -#line 1285 "./util/configparser.y" + case 395: /* server_hide_version: VAR_HIDE_VERSION STRING_ARG */ +#line 1352 "./util/configparser.y" { OUTYY(("P(server_hide_version:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -4622,11 +4100,11 @@ yyreduce: else cfg_parser->cfg->hide_version = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4626 "util/configparser.c" +#line 4104 "util/configparser.c" break; - case 376: -#line 1294 "./util/configparser.y" + case 396: /* server_hide_trustanchor: VAR_HIDE_TRUSTANCHOR STRING_ARG */ +#line 1361 "./util/configparser.y" { OUTYY(("P(server_hide_trustanchor:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -4634,31 +4112,53 @@ yyreduce: else cfg_parser->cfg->hide_trustanchor = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4638 "util/configparser.c" +#line 4116 "util/configparser.c" break; - case 377: -#line 1303 "./util/configparser.y" + case 397: /* server_hide_http_user_agent: VAR_HIDE_HTTP_USER_AGENT STRING_ARG */ +#line 1370 "./util/configparser.y" + { + OUTYY(("P(server_hide_user_agent:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->hide_http_user_agent = (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 4128 "util/configparser.c" + break; + + case 398: /* server_identity: VAR_IDENTITY STRING_ARG */ +#line 1379 "./util/configparser.y" { OUTYY(("P(server_identity:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->identity); cfg_parser->cfg->identity = (yyvsp[0].str); } -#line 4648 "util/configparser.c" +#line 4138 "util/configparser.c" break; - case 378: -#line 1310 "./util/configparser.y" + case 399: /* server_version: VAR_VERSION STRING_ARG */ +#line 1386 "./util/configparser.y" { OUTYY(("P(server_version:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->version); cfg_parser->cfg->version = (yyvsp[0].str); } -#line 4658 "util/configparser.c" +#line 4148 "util/configparser.c" break; - case 379: -#line 1317 "./util/configparser.y" + case 400: /* server_http_user_agent: VAR_HTTP_USER_AGENT STRING_ARG */ +#line 1393 "./util/configparser.y" + { + OUTYY(("P(server_http_user_agent:%s)\n", (yyvsp[0].str))); + free(cfg_parser->cfg->http_user_agent); + cfg_parser->cfg->http_user_agent = (yyvsp[0].str); + } +#line 4158 "util/configparser.c" + break; + + case 401: /* server_nsid: VAR_NSID STRING_ARG */ +#line 1400 "./util/configparser.y" { OUTYY(("P(server_nsid:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->nsid_cfg_str); 
@@ -4673,72 +4173,72 @@ yyreduce: yyerror("the NSID must be either a hex string or an " "ascii character string prepended with ascii_."); } -#line 4677 "util/configparser.c" +#line 4177 "util/configparser.c" break; - case 380: -#line 1333 "./util/configparser.y" + case 402: /* server_so_rcvbuf: VAR_SO_RCVBUF STRING_ARG */ +#line 1416 "./util/configparser.y" { OUTYY(("P(server_so_rcvbuf:%s)\n", (yyvsp[0].str))); if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->so_rcvbuf)) yyerror("buffer size expected"); free((yyvsp[0].str)); } -#line 4688 "util/configparser.c" +#line 4188 "util/configparser.c" break; - case 381: -#line 1341 "./util/configparser.y" + case 403: /* server_so_sndbuf: VAR_SO_SNDBUF STRING_ARG */ +#line 1424 "./util/configparser.y" { OUTYY(("P(server_so_sndbuf:%s)\n", (yyvsp[0].str))); if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->so_sndbuf)) yyerror("buffer size expected"); free((yyvsp[0].str)); } -#line 4699 "util/configparser.c" +#line 4199 "util/configparser.c" break; - case 382: -#line 1349 "./util/configparser.y" - { - OUTYY(("P(server_so_reuseport:%s)\n", (yyvsp[0].str))); - if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->so_reuseport = - (strcmp((yyvsp[0].str), "yes")==0); - free((yyvsp[0].str)); - } -#line 4712 "util/configparser.c" + case 404: /* server_so_reuseport: VAR_SO_REUSEPORT STRING_ARG */ +#line 1432 "./util/configparser.y" + { + OUTYY(("P(server_so_reuseport:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->so_reuseport = + (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 4212 "util/configparser.c" break; - case 383: -#line 1359 "./util/configparser.y" - { - OUTYY(("P(server_ip_transparent:%s)\n", (yyvsp[0].str))); - if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) - 
yyerror("expected yes or no."); - else cfg_parser->cfg->ip_transparent = - (strcmp((yyvsp[0].str), "yes")==0); - free((yyvsp[0].str)); - } -#line 4725 "util/configparser.c" + case 405: /* server_ip_transparent: VAR_IP_TRANSPARENT STRING_ARG */ +#line 1442 "./util/configparser.y" + { + OUTYY(("P(server_ip_transparent:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_transparent = + (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 4225 "util/configparser.c" break; - case 384: -#line 1369 "./util/configparser.y" - { - OUTYY(("P(server_ip_freebind:%s)\n", (yyvsp[0].str))); - if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->ip_freebind = - (strcmp((yyvsp[0].str), "yes")==0); - free((yyvsp[0].str)); - } -#line 4738 "util/configparser.c" + case 406: /* server_ip_freebind: VAR_IP_FREEBIND STRING_ARG */ +#line 1452 "./util/configparser.y" + { + OUTYY(("P(server_ip_freebind:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_freebind = + (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 4238 "util/configparser.c" break; - case 385: -#line 1379 "./util/configparser.y" + case 407: /* server_ip_dscp: VAR_IP_DSCP STRING_ARG */ +#line 1462 "./util/configparser.y" { OUTYY(("P(server_ip_dscp:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) 
@@ -4751,22 +4251,22 @@ yyreduce: cfg_parser->cfg->ip_dscp = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4755 "util/configparser.c" +#line 4255 "util/configparser.c" break; - case 386: -#line 1393 "./util/configparser.y" + case 408: /* server_stream_wait_size: VAR_STREAM_WAIT_SIZE STRING_ARG */ +#line 1476 "./util/configparser.y" { OUTYY(("P(server_stream_wait_size:%s)\n", (yyvsp[0].str))); if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->stream_wait_size)) yyerror("memory size expected"); free((yyvsp[0].str)); } -#line 4766 "util/configparser.c" +#line 4266 "util/configparser.c" break; - case 387: -#line 1401 "./util/configparser.y" + case 409: /* server_edns_buffer_size: VAR_EDNS_BUFFER_SIZE STRING_ARG */ +#line 1484 "./util/configparser.y" { OUTYY(("P(server_edns_buffer_size:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) @@ -4778,11 +4278,11 @@ yyreduce: else cfg_parser->cfg->edns_buffer_size = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4782 "util/configparser.c" +#line 4282 "util/configparser.c" break; - case 388: -#line 1414 "./util/configparser.y" + case 410: /* server_msg_buffer_size: VAR_MSG_BUFFER_SIZE STRING_ARG */ +#line 1497 "./util/configparser.y" { OUTYY(("P(server_msg_buffer_size:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) 
@@ -4792,38 +4292,38 @@ yyreduce: else cfg_parser->cfg->msg_buffer_size = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4796 "util/configparser.c" +#line 4296 "util/configparser.c" break; - case 389: -#line 1425 "./util/configparser.y" + case 411: /* server_msg_cache_size: VAR_MSG_CACHE_SIZE STRING_ARG */ +#line 1508 "./util/configparser.y" { OUTYY(("P(server_msg_cache_size:%s)\n", (yyvsp[0].str))); if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->msg_cache_size)) yyerror("memory size expected"); free((yyvsp[0].str)); } -#line 4807 "util/configparser.c" +#line 4307 "util/configparser.c" break; - case 390: -#line 1433 "./util/configparser.y" + case 412: /* server_msg_cache_slabs: VAR_MSG_CACHE_SLABS STRING_ARG */ +#line 1516 "./util/configparser.y" { OUTYY(("P(server_msg_cache_slabs:%s)\n", (yyvsp[0].str))); - if(atoi((yyvsp[0].str)) == 0) + if(atoi((yyvsp[0].str)) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->msg_cache_slabs = atoi((yyvsp[0].str)); if(!is_pow2(cfg_parser->cfg->msg_cache_slabs)) yyerror("must be a power of 2"); } free((yyvsp[0].str)); } -#line 4823 "util/configparser.c" +#line 4323 "util/configparser.c" break; - case 391: -#line 1446 "./util/configparser.y" + case 413: /* server_num_queries_per_thread: VAR_NUM_QUERIES_PER_THREAD STRING_ARG */ +#line 1529 "./util/configparser.y" { OUTYY(("P(server_num_queries_per_thread:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) @@ -4831,11 +4331,11 @@ yyreduce: else cfg_parser->cfg->num_queries_per_thread = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4835 "util/configparser.c" +#line 4335 "util/configparser.c" break; - case 392: -#line 1455 "./util/configparser.y" + case 414: /* server_jostle_timeout: VAR_JOSTLE_TIMEOUT STRING_ARG */ +#line 1538 "./util/configparser.y" { OUTYY(("P(server_jostle_timeout:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) 
@@ -4843,11 +4343,11 @@ yyreduce: else cfg_parser->cfg->jostle_time = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4847 "util/configparser.c" +#line 4347 "util/configparser.c" break; - case 393: -#line 1464 "./util/configparser.y" + case 415: /* server_delay_close: VAR_DELAY_CLOSE STRING_ARG */ +#line 1547 "./util/configparser.y" { OUTYY(("P(server_delay_close:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -4855,11 +4355,11 @@ yyreduce: else cfg_parser->cfg->delay_close = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4859 "util/configparser.c" +#line 4359 "util/configparser.c" break; - case 394: -#line 1473 "./util/configparser.y" + case 416: /* server_udp_connect: VAR_UDP_CONNECT STRING_ARG */ +#line 1556 "./util/configparser.y" { OUTYY(("P(server_udp_connect:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -4867,64 +4367,64 @@ yyreduce: else cfg_parser->cfg->udp_connect = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4871 "util/configparser.c" +#line 4371 "util/configparser.c" break; - case 395: -#line 1482 "./util/configparser.y" + case 417: /* server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG */ +#line 1565 "./util/configparser.y" { OUTYY(("P(server_unblock_lan_zones:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->unblock_lan_zones = + else cfg_parser->cfg->unblock_lan_zones = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4884 "util/configparser.c" +#line 4384 "util/configparser.c" break; - case 396: -#line 1492 "./util/configparser.y" + case 418: /* server_insecure_lan_zones: VAR_INSECURE_LAN_ZONES STRING_ARG */ +#line 1575 "./util/configparser.y" { OUTYY(("P(server_insecure_lan_zones:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->insecure_lan_zones = + else cfg_parser->cfg->insecure_lan_zones = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 4897 "util/configparser.c" +#line 4397 "util/configparser.c" break; - case 397: -#line 1502 "./util/configparser.y" + case 419: /* server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG */ +#line 1585 "./util/configparser.y" { OUTYY(("P(server_rrset_cache_size:%s)\n", (yyvsp[0].str))); if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->rrset_cache_size)) yyerror("memory size expected"); free((yyvsp[0].str)); } -#line 4908 "util/configparser.c" +#line 4408 "util/configparser.c" break; - case 398: -#line 1510 "./util/configparser.y" + case 420: /* server_rrset_cache_slabs: VAR_RRSET_CACHE_SLABS STRING_ARG */ +#line 1593 "./util/configparser.y" { OUTYY(("P(server_rrset_cache_slabs:%s)\n", (yyvsp[0].str))); - if(atoi((yyvsp[0].str)) 
== 0) + if(atoi((yyvsp[0].str)) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->rrset_cache_slabs = atoi((yyvsp[0].str)); if(!is_pow2(cfg_parser->cfg->rrset_cache_slabs)) yyerror("must be a power of 2"); } free((yyvsp[0].str)); } -#line 4924 "util/configparser.c" +#line 4424 "util/configparser.c" break; - case 399: -#line 1523 "./util/configparser.y" + case 421: /* server_infra_host_ttl: VAR_INFRA_HOST_TTL STRING_ARG */ +#line 1606 "./util/configparser.y" { OUTYY(("P(server_infra_host_ttl:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -4932,22 +4432,22 @@ yyreduce: else cfg_parser->cfg->host_ttl = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4936 "util/configparser.c" +#line 4436 "util/configparser.c" break; - case 400: -#line 1532 "./util/configparser.y" + case 422: /* server_infra_lame_ttl: VAR_INFRA_LAME_TTL STRING_ARG */ +#line 1615 "./util/configparser.y" { OUTYY(("P(server_infra_lame_ttl:%s)\n", (yyvsp[0].str))); verbose(VERB_DETAIL, "ignored infra-lame-ttl: %s (option " "removed, use infra-host-ttl)", (yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4947 "util/configparser.c" +#line 4447 "util/configparser.c" break; - case 401: -#line 1540 "./util/configparser.y" + case 423: /* server_infra_cache_numhosts: VAR_INFRA_CACHE_NUMHOSTS STRING_ARG */ +#line 1623 "./util/configparser.y" { OUTYY(("P(server_infra_cache_numhosts:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) 
@@ -4955,38 +4455,38 @@ yyreduce: else cfg_parser->cfg->infra_cache_numhosts = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4959 "util/configparser.c" +#line 4459 "util/configparser.c" break; - case 402: -#line 1549 "./util/configparser.y" + case 424: /* server_infra_cache_lame_size: VAR_INFRA_CACHE_LAME_SIZE STRING_ARG */ +#line 1632 "./util/configparser.y" { OUTYY(("P(server_infra_cache_lame_size:%s)\n", (yyvsp[0].str))); verbose(VERB_DETAIL, "ignored infra-cache-lame-size: %s " "(option removed, use infra-cache-numhosts)", (yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4970 "util/configparser.c" +#line 4470 "util/configparser.c" break; - case 403: -#line 1557 "./util/configparser.y" + case 425: /* server_infra_cache_slabs: VAR_INFRA_CACHE_SLABS STRING_ARG */ +#line 1640 "./util/configparser.y" { OUTYY(("P(server_infra_cache_slabs:%s)\n", (yyvsp[0].str))); - if(atoi((yyvsp[0].str)) == 0) + if(atoi((yyvsp[0].str)) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->infra_cache_slabs = atoi((yyvsp[0].str)); if(!is_pow2(cfg_parser->cfg->infra_cache_slabs)) yyerror("must be a power of 2"); } free((yyvsp[0].str)); } -#line 4986 "util/configparser.c" +#line 4486 "util/configparser.c" break; - case 404: -#line 1570 "./util/configparser.y" + case 426: /* server_infra_cache_min_rtt: VAR_INFRA_CACHE_MIN_RTT STRING_ARG */ +#line 1653 "./util/configparser.y" { OUTYY(("P(server_infra_cache_min_rtt:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) 
@@ -4994,11 +4494,11 @@ yyreduce: else cfg_parser->cfg->infra_cache_min_rtt = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 4998 "util/configparser.c" +#line 4498 "util/configparser.c" break; - case 405: -#line 1579 "./util/configparser.y" + case 427: /* server_infra_keep_probing: VAR_INFRA_KEEP_PROBING STRING_ARG */ +#line 1662 "./util/configparser.y" { OUTYY(("P(server_infra_keep_probing:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -5007,155 +4507,155 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5011 "util/configparser.c" +#line 4511 "util/configparser.c" break; - case 406: -#line 1589 "./util/configparser.y" + case 428: /* server_target_fetch_policy: VAR_TARGET_FETCH_POLICY STRING_ARG */ +#line 1672 "./util/configparser.y" { OUTYY(("P(server_target_fetch_policy:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->target_fetch_policy); cfg_parser->cfg->target_fetch_policy = (yyvsp[0].str); } -#line 5021 "util/configparser.c" +#line 4521 "util/configparser.c" break; - case 407: -#line 1596 "./util/configparser.y" + case 429: /* server_harden_short_bufsize: VAR_HARDEN_SHORT_BUFSIZE STRING_ARG */ +#line 1679 "./util/configparser.y" { OUTYY(("P(server_harden_short_bufsize:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_short_bufsize = + else cfg_parser->cfg->harden_short_bufsize = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5034 "util/configparser.c" +#line 4534 "util/configparser.c" break; - case 408: -#line 1606 "./util/configparser.y" + case 430: /* server_harden_large_queries: VAR_HARDEN_LARGE_QUERIES STRING_ARG */ +#line 1689 "./util/configparser.y" { OUTYY(("P(server_harden_large_queries:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_large_queries = + else cfg_parser->cfg->harden_large_queries = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5047 "util/configparser.c" +#line 4547 "util/configparser.c" break; - case 409: -#line 1616 "./util/configparser.y" + case 431: /* server_harden_glue: VAR_HARDEN_GLUE STRING_ARG */ +#line 1699 "./util/configparser.y" { OUTYY(("P(server_harden_glue:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
yyerror("expected yes or no."); - else cfg_parser->cfg->harden_glue = + else cfg_parser->cfg->harden_glue = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5060 "util/configparser.c" +#line 4560 "util/configparser.c" break; - case 410: -#line 1626 "./util/configparser.y" + case 432: /* server_harden_dnssec_stripped: VAR_HARDEN_DNSSEC_STRIPPED STRING_ARG */ +#line 1709 "./util/configparser.y" { OUTYY(("P(server_harden_dnssec_stripped:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_dnssec_stripped = + else cfg_parser->cfg->harden_dnssec_stripped = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5073 "util/configparser.c" +#line 4573 "util/configparser.c" break; - case 411: -#line 1636 "./util/configparser.y" + case 433: /* server_harden_below_nxdomain: VAR_HARDEN_BELOW_NXDOMAIN STRING_ARG */ +#line 1719 "./util/configparser.y" { OUTYY(("P(server_harden_below_nxdomain:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_below_nxdomain = + else cfg_parser->cfg->harden_below_nxdomain = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5086 "util/configparser.c" +#line 4586 "util/configparser.c" break; - case 412: -#line 1646 "./util/configparser.y" + case 434: /* server_harden_referral_path: VAR_HARDEN_REFERRAL_PATH STRING_ARG */ +#line 1729 "./util/configparser.y" { OUTYY(("P(server_harden_referral_path:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_referral_path = + else cfg_parser->cfg->harden_referral_path = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5099 "util/configparser.c" +#line 4599 "util/configparser.c" break; - case 413: -#line 1656 
"./util/configparser.y" + case 435: /* server_harden_algo_downgrade: VAR_HARDEN_ALGO_DOWNGRADE STRING_ARG */ +#line 1739 "./util/configparser.y" { OUTYY(("P(server_harden_algo_downgrade:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_algo_downgrade = + else cfg_parser->cfg->harden_algo_downgrade = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5112 "util/configparser.c" +#line 4612 "util/configparser.c" break; - case 414: -#line 1666 "./util/configparser.y" + case 436: /* server_use_caps_for_id: VAR_USE_CAPS_FOR_ID STRING_ARG */ +#line 1749 "./util/configparser.y" { OUTYY(("P(server_use_caps_for_id:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->use_caps_bits_for_id = + else cfg_parser->cfg->use_caps_bits_for_id = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5125 "util/configparser.c" +#line 4625 "util/configparser.c" break; - case 415: -#line 1676 "./util/configparser.y" + case 437: /* server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG */ +#line 1759 "./util/configparser.y" { OUTYY(("P(server_caps_whitelist:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, (yyvsp[0].str))) yyerror("out of memory"); } -#line 5135 "util/configparser.c" +#line 4635 "util/configparser.c" break; - case 416: -#line 1683 "./util/configparser.y" + case 438: /* server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG */ +#line 1766 "./util/configparser.y" { OUTYY(("P(server_private_address:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->private_address, (yyvsp[0].str))) yyerror("out of memory"); } -#line 5145 "util/configparser.c" +#line 4645 "util/configparser.c" break; - case 417: -#line 1690 "./util/configparser.y" + case 439: /* server_private_domain: VAR_PRIVATE_DOMAIN 
STRING_ARG */ +#line 1773 "./util/configparser.y" { OUTYY(("P(server_private_domain:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->private_domain, (yyvsp[0].str))) yyerror("out of memory"); } -#line 5155 "util/configparser.c" +#line 4655 "util/configparser.c" break; - case 418: -#line 1697 "./util/configparser.y" + case 440: /* server_prefetch: VAR_PREFETCH STRING_ARG */ +#line 1780 "./util/configparser.y" { OUTYY(("P(server_prefetch:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -5163,11 +4663,11 @@ yyreduce: else cfg_parser->cfg->prefetch = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5167 "util/configparser.c" +#line 4667 "util/configparser.c" break; - case 419: -#line 1706 "./util/configparser.y" + case 441: /* server_prefetch_key: VAR_PREFETCH_KEY STRING_ARG */ +#line 1789 "./util/configparser.y" { OUTYY(("P(server_prefetch_key:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -5175,11 +4675,11 @@ yyreduce: else cfg_parser->cfg->prefetch_key = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5179 "util/configparser.c" +#line 4679 "util/configparser.c" break; - case 420: -#line 1715 "./util/configparser.y" + case 442: /* server_deny_any: VAR_DENY_ANY STRING_ARG */ +#line 1798 "./util/configparser.y" { OUTYY(("P(server_deny_any:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -5187,11 +4687,11 @@ yyreduce: else cfg_parser->cfg->deny_any = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5191 "util/configparser.c" +#line 4691 "util/configparser.c" break; - case 421: -#line 1724 "./util/configparser.y" + case 443: /* server_unwanted_reply_threshold: VAR_UNWANTED_REPLY_THRESHOLD STRING_ARG */ +#line 1807 "./util/configparser.y" { OUTYY(("P(server_unwanted_reply_threshold:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) 
@@ -5199,41 +4699,41 @@ yyreduce: else cfg_parser->cfg->unwanted_threshold = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5203 "util/configparser.c" +#line 4703 "util/configparser.c" break; - case 422: -#line 1733 "./util/configparser.y" + case 444: /* server_do_not_query_address: VAR_DO_NOT_QUERY_ADDRESS STRING_ARG */ +#line 1816 "./util/configparser.y" { OUTYY(("P(server_do_not_query_address:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->donotqueryaddrs, (yyvsp[0].str))) yyerror("out of memory"); } -#line 5213 "util/configparser.c" +#line 4713 "util/configparser.c" break; - case 423: -#line 1740 "./util/configparser.y" + case 445: /* server_do_not_query_localhost: VAR_DO_NOT_QUERY_LOCALHOST STRING_ARG */ +#line 1823 "./util/configparser.y" { OUTYY(("P(server_do_not_query_localhost:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->donotquery_localhost = + else cfg_parser->cfg->donotquery_localhost = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5226 "util/configparser.c" +#line 4726 "util/configparser.c" break; - case 424: -#line 1750 "./util/configparser.y" + case 446: /* server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG */ +#line 1833 "./util/configparser.y" { OUTYY(("P(server_access_control:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "deny")!=0 && strcmp((yyvsp[0].str), "refuse")!=0 && strcmp((yyvsp[0].str), "deny_non_local")!=0 && strcmp((yyvsp[0].str), "refuse_non_local")!=0 && - strcmp((yyvsp[0].str), "allow_setrd")!=0 && - strcmp((yyvsp[0].str), "allow")!=0 && + strcmp((yyvsp[0].str), "allow_setrd")!=0 && + strcmp((yyvsp[0].str), "allow")!=0 && strcmp((yyvsp[0].str), "allow_snoop")!=0) { yyerror("expected deny, refuse, deny_non_local, " "refuse_non_local, allow, allow_setrd or " 
@@ -5245,27 +4745,27 @@ yyreduce: fatal_exit("out of memory adding acl"); } } -#line 5249 "util/configparser.c" +#line 4749 "util/configparser.c" break; - case 425: -#line 1770 "./util/configparser.y" + case 447: /* server_module_conf: VAR_MODULE_CONF STRING_ARG */ +#line 1853 "./util/configparser.y" { OUTYY(("P(server_module_conf:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->module_conf); cfg_parser->cfg->module_conf = (yyvsp[0].str); } -#line 5259 "util/configparser.c" +#line 4759 "util/configparser.c" break; - case 426: -#line 1777 "./util/configparser.y" + case 448: /* server_val_override_date: VAR_VAL_OVERRIDE_DATE STRING_ARG */ +#line 1860 "./util/configparser.y" { OUTYY(("P(server_val_override_date:%s)\n", (yyvsp[0].str))); if(*(yyvsp[0].str) == '\0' || strcmp((yyvsp[0].str), "0") == 0) { cfg_parser->cfg->val_date_override = 0; } else if(strlen((yyvsp[0].str)) == 14) { - cfg_parser->cfg->val_date_override = + cfg_parser->cfg->val_date_override = cfg_convert_timeval((yyvsp[0].str)); if(!cfg_parser->cfg->val_date_override) yyerror("bad date/time specification"); @@ -5276,11 +4776,11 @@ yyreduce: } free((yyvsp[0].str)); } -#line 5280 "util/configparser.c" +#line 4780 "util/configparser.c" break; - case 427: -#line 1795 "./util/configparser.y" + case 449: /* server_val_sig_skew_min: VAR_VAL_SIG_SKEW_MIN STRING_ARG */ +#line 1878 "./util/configparser.y" { OUTYY(("P(server_val_sig_skew_min:%s)\n", (yyvsp[0].str))); if(*(yyvsp[0].str) == '\0' || strcmp((yyvsp[0].str), "0") == 0) { @@ -5292,11 +4792,11 @@ yyreduce: } free((yyvsp[0].str)); } -#line 5296 "util/configparser.c" +#line 4796 "util/configparser.c" break; - case 428: -#line 1808 "./util/configparser.y" + case 450: /* server_val_sig_skew_max: VAR_VAL_SIG_SKEW_MAX STRING_ARG */ +#line 1891 "./util/configparser.y" { OUTYY(("P(server_val_sig_skew_max:%s)\n", (yyvsp[0].str))); if(*(yyvsp[0].str) == '\0' || strcmp((yyvsp[0].str), "0") == 0) { 
@@ -5308,11 +4808,27 @@ yyreduce: } free((yyvsp[0].str)); } -#line 5312 "util/configparser.c" +#line 4812 "util/configparser.c" break; - case 429: -#line 1821 "./util/configparser.y" + case 451: /* server_val_max_restart: VAR_VAL_MAX_RESTART STRING_ARG */ +#line 1904 "./util/configparser.y" + { + OUTYY(("P(server_val_max_restart:%s)\n", (yyvsp[0].str))); + if(*(yyvsp[0].str) == '\0' || strcmp((yyvsp[0].str), "0") == 0) { + cfg_parser->cfg->val_max_restart = 0; + } else { + cfg_parser->cfg->val_max_restart = atoi((yyvsp[0].str)); + if(!cfg_parser->cfg->val_max_restart) + yyerror("number expected"); + } + free((yyvsp[0].str)); + } +#line 4828 "util/configparser.c" + break; + + case 452: /* server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG */ +#line 1917 "./util/configparser.y" { OUTYY(("P(server_cache_max_ttl:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -5320,11 +4836,11 @@ yyreduce: else cfg_parser->cfg->max_ttl = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5324 "util/configparser.c" +#line 4840 "util/configparser.c" break; - case 430: -#line 1830 "./util/configparser.y" + case 453: /* server_cache_max_negative_ttl: VAR_CACHE_MAX_NEGATIVE_TTL STRING_ARG */ +#line 1926 "./util/configparser.y" { OUTYY(("P(server_cache_max_negative_ttl:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -5332,11 +4848,11 @@ yyreduce: else cfg_parser->cfg->max_negative_ttl = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5336 "util/configparser.c" +#line 4852 "util/configparser.c" break; - case 431: -#line 1839 "./util/configparser.y" + case 454: /* server_cache_min_ttl: VAR_CACHE_MIN_TTL STRING_ARG */ +#line 1935 "./util/configparser.y" { OUTYY(("P(server_cache_min_ttl:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) 
@@ -5344,11 +4860,11 @@ yyreduce: else cfg_parser->cfg->min_ttl = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5348 "util/configparser.c" +#line 4864 "util/configparser.c" break; - case 432: -#line 1848 "./util/configparser.y" + case 455: /* server_bogus_ttl: VAR_BOGUS_TTL STRING_ARG */ +#line 1944 "./util/configparser.y" { OUTYY(("P(server_bogus_ttl:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) 
@@ -5356,37 +4872,37 @@ yyreduce: else cfg_parser->cfg->bogus_ttl = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5360 "util/configparser.c" +#line 4876 "util/configparser.c" break; - case 433: -#line 1857 "./util/configparser.y" + case 456: /* server_val_clean_additional: VAR_VAL_CLEAN_ADDITIONAL STRING_ARG */ +#line 1953 "./util/configparser.y" { OUTYY(("P(server_val_clean_additional:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->val_clean_additional = + else cfg_parser->cfg->val_clean_additional = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5373 "util/configparser.c" +#line 4889 "util/configparser.c" break; - case 434: -#line 1867 "./util/configparser.y" + case 457: /* server_val_permissive_mode: VAR_VAL_PERMISSIVE_MODE STRING_ARG */ +#line 1963 "./util/configparser.y" { OUTYY(("P(server_val_permissive_mode:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->val_permissive_mode = + else cfg_parser->cfg->val_permissive_mode = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5386 "util/configparser.c" +#line 4902 "util/configparser.c" break; - case 435: -#line 1877 "./util/configparser.y" + case 458: /* server_aggressive_nsec: VAR_AGGRESSIVE_NSEC STRING_ARG */ +#line 1973 "./util/configparser.y" { OUTYY(("P(server_aggressive_nsec:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -5396,11 +4912,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5400 "util/configparser.c" +#line 4916 "util/configparser.c" break; - case 436: -#line 1888 "./util/configparser.y" + case 459: /* server_ignore_cd_flag: VAR_IGNORE_CD_FLAG STRING_ARG */ +#line 1984 "./util/configparser.y" { OUTYY(("P(server_ignore_cd_flag:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -5408,11 +4924,11 @@ yyreduce: else cfg_parser->cfg->ignore_cd = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5412 "util/configparser.c" +#line 4928 "util/configparser.c" break; - case 437: -#line 1897 "./util/configparser.y" + case 460: /* server_serve_expired: VAR_SERVE_EXPIRED STRING_ARG */ +#line 1993 "./util/configparser.y" { OUTYY(("P(server_serve_expired:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -5420,11 +4936,11 @@ yyreduce: else cfg_parser->cfg->serve_expired = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5424 "util/configparser.c" +#line 4940 "util/configparser.c" break; - case 438: -#line 1906 "./util/configparser.y" + case 461: /* server_serve_expired_ttl: VAR_SERVE_EXPIRED_TTL STRING_ARG */ +#line 2002 "./util/configparser.y" { OUTYY(("P(server_serve_expired_ttl:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -5432,11 +4948,11 @@ yyreduce: else cfg_parser->cfg->serve_expired_ttl = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5436 "util/configparser.c" +#line 4952 "util/configparser.c" break; - case 439: -#line 1915 "./util/configparser.y" + case 462: /* server_serve_expired_ttl_reset: VAR_SERVE_EXPIRED_TTL_RESET STRING_ARG */ +#line 2011 "./util/configparser.y" { OUTYY(("P(server_serve_expired_ttl_reset:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -5444,11 +4960,11 @@ yyreduce: else cfg_parser->cfg->serve_expired_ttl_reset = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5448 "util/configparser.c" +#line 4964 "util/configparser.c" break; - case 440: -#line 1924 "./util/configparser.y" + case 463: /* server_serve_expired_reply_ttl: VAR_SERVE_EXPIRED_REPLY_TTL STRING_ARG */ +#line 2020 "./util/configparser.y" { OUTYY(("P(server_serve_expired_reply_ttl:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -5456,11 +4972,11 @@ yyreduce: else cfg_parser->cfg->serve_expired_reply_ttl = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5460 "util/configparser.c" +#line 4976 "util/configparser.c" break; - case 441: -#line 1933 "./util/configparser.y" + case 464: /* server_serve_expired_client_timeout: VAR_SERVE_EXPIRED_CLIENT_TIMEOUT STRING_ARG */ +#line 2029 "./util/configparser.y" { OUTYY(("P(server_serve_expired_client_timeout:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -5468,11 +4984,11 @@ yyreduce: else cfg_parser->cfg->serve_expired_client_timeout = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5472 "util/configparser.c" +#line 4988 "util/configparser.c" break; - case 442: -#line 1942 "./util/configparser.y" + case 465: /* server_serve_original_ttl: VAR_SERVE_ORIGINAL_TTL STRING_ARG */ +#line 2038 "./util/configparser.y" { OUTYY(("P(server_serve_original_ttl:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -5480,11 +4996,11 @@ yyreduce: else cfg_parser->cfg->serve_original_ttl = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5484 "util/configparser.c" +#line 5000 "util/configparser.c" break; - case 443: -#line 1951 "./util/configparser.y" + case 466: /* server_fake_dsa: VAR_FAKE_DSA STRING_ARG */ +#line 2047 "./util/configparser.y" { OUTYY(("P(server_fake_dsa:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -5496,11 +5012,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 5500 "util/configparser.c" +#line 5016 "util/configparser.c" break; - case 444: -#line 1964 "./util/configparser.y" + case 467: /* server_fake_sha1: VAR_FAKE_SHA1 STRING_ARG */ +#line 2060 "./util/configparser.y" { OUTYY(("P(server_fake_sha1:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -5512,11 +5028,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 5516 "util/configparser.c" +#line 5032 "util/configparser.c" break; - case 445: -#line 1977 "./util/configparser.y" + case 468: /* server_val_log_level: VAR_VAL_LOG_LEVEL STRING_ARG */ +#line 2073 "./util/configparser.y" { OUTYY(("P(server_val_log_level:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) 
@@ -5524,21 +5040,21 @@ yyreduce: else cfg_parser->cfg->val_log_level = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5528 "util/configparser.c" +#line 5044 "util/configparser.c" break; - case 446: -#line 1986 "./util/configparser.y" + case 469: /* server_val_nsec3_keysize_iterations: VAR_VAL_NSEC3_KEYSIZE_ITERATIONS STRING_ARG */ +#line 2082 "./util/configparser.y" { OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->val_nsec3_key_iterations); cfg_parser->cfg->val_nsec3_key_iterations = (yyvsp[0].str); } -#line 5538 "util/configparser.c" +#line 5054 "util/configparser.c" break; - case 447: -#line 1993 "./util/configparser.y" + case 470: /* server_zonemd_permissive_mode: VAR_ZONEMD_PERMISSIVE_MODE STRING_ARG */ +#line 2089 "./util/configparser.y" { OUTYY(("P(server_zonemd_permissive_mode:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -5546,11 +5062,11 @@ yyreduce: else cfg_parser->cfg->zonemd_permissive_mode = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5550 "util/configparser.c" +#line 5066 "util/configparser.c" break; - case 448: -#line 2002 "./util/configparser.y" + case 471: /* server_add_holddown: VAR_ADD_HOLDDOWN STRING_ARG */ +#line 2098 "./util/configparser.y" { OUTYY(("P(server_add_holddown:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -5558,11 +5074,11 @@ yyreduce: else cfg_parser->cfg->add_holddown = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5562 "util/configparser.c" +#line 5078 "util/configparser.c" break; - case 449: -#line 2011 "./util/configparser.y" + case 472: /* server_del_holddown: VAR_DEL_HOLDDOWN STRING_ARG */ +#line 2107 "./util/configparser.y" { OUTYY(("P(server_del_holddown:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) 
@@ -5570,11 +5086,11 @@ yyreduce: else cfg_parser->cfg->del_holddown = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5574 "util/configparser.c" +#line 5090 "util/configparser.c" break; - case 450: -#line 2020 "./util/configparser.y" + case 473: /* server_keep_missing: VAR_KEEP_MISSING STRING_ARG */ +#line 2116 "./util/configparser.y" { OUTYY(("P(server_keep_missing:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -5582,11 +5098,11 @@ yyreduce: else cfg_parser->cfg->keep_missing = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5586 "util/configparser.c" +#line 5102 "util/configparser.c" break; - case 451: -#line 2029 "./util/configparser.y" + case 474: /* server_permit_small_holddown: VAR_PERMIT_SMALL_HOLDDOWN STRING_ARG */ +#line 2125 "./util/configparser.y" { OUTYY(("P(server_permit_small_holddown:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -5595,49 +5111,49 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5599 "util/configparser.c" +#line 5115 "util/configparser.c" break; - case 452: -#line 2038 "./util/configparser.y" + case 475: /* server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG */ +#line 2134 "./util/configparser.y" { OUTYY(("P(server_key_cache_size:%s)\n", (yyvsp[0].str))); if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->key_cache_size)) yyerror("memory size expected"); free((yyvsp[0].str)); } -#line 5610 "util/configparser.c" +#line 5126 "util/configparser.c" break; - case 453: -#line 2046 "./util/configparser.y" + case 476: /* server_key_cache_slabs: VAR_KEY_CACHE_SLABS STRING_ARG */ +#line 2142 "./util/configparser.y" { OUTYY(("P(server_key_cache_slabs:%s)\n", (yyvsp[0].str))); - if(atoi((yyvsp[0].str)) == 0) + if(atoi((yyvsp[0].str)) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->key_cache_slabs = atoi((yyvsp[0].str)); if(!is_pow2(cfg_parser->cfg->key_cache_slabs)) yyerror("must be a power of 2"); } free((yyvsp[0].str)); } -#line 5626 "util/configparser.c" +#line 5142 "util/configparser.c" break; - case 454: -#line 2059 "./util/configparser.y" + case 477: /* server_neg_cache_size: VAR_NEG_CACHE_SIZE STRING_ARG */ +#line 2155 "./util/configparser.y" { OUTYY(("P(server_neg_cache_size:%s)\n", (yyvsp[0].str))); if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->neg_cache_size)) yyerror("memory size expected"); free((yyvsp[0].str)); } -#line 5637 "util/configparser.c" +#line 5153 "util/configparser.c" break; - case 455: -#line 2067 "./util/configparser.y" + case 478: /* server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG */ +#line 2163 "./util/configparser.y" { OUTYY(("P(server_local_zone:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "static")!=0 && strcmp((yyvsp[0].str), "deny")!=0 && 
@@ -5653,7 +5169,7 @@ yyreduce: && strcmp((yyvsp[0].str), "noview")!=0 && strcmp((yyvsp[0].str), "inform")!=0 && strcmp((yyvsp[0].str), "inform_deny")!=0 && strcmp((yyvsp[0].str), "inform_redirect") != 0 - && strcmp((yyvsp[0].str), "ipset") != 0) { + && strcmp((yyvsp[0].str), "ipset") != 0) { yyerror("local-zone type: expected static, deny, " "refuse, redirect, transparent, " "typetransparent, inform, inform_deny, " @@ -5670,32 +5186,42 @@ yyreduce: free((yyvsp[0].str)); #ifdef USE_IPSET } else if(strcmp((yyvsp[0].str), "ipset")==0) { + size_t len = strlen((yyvsp[-1].str)); + /* Make sure to add the trailing dot. + * These are str compared to domain names. */ + if((yyvsp[-1].str)[len-1] != '.') { + if(!((yyvsp[-1].str) = realloc((yyvsp[-1].str), len+2))) { + fatal_exit("out of memory adding local-zone"); + } + (yyvsp[-1].str)[len] = '.'; + (yyvsp[-1].str)[len+1] = 0; + } if(!cfg_strlist_insert(&cfg_parser->cfg-> local_zones_ipset, (yyvsp[-1].str))) fatal_exit("out of memory adding local-zone"); free((yyvsp[0].str)); #endif } else { - if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, + if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, (yyvsp[-1].str), (yyvsp[0].str))) fatal_exit("out of memory adding local-zone"); } } -#line 5685 "util/configparser.c" +#line 5211 "util/configparser.c" break; - case 456: -#line 2112 "./util/configparser.y" + case 479: /* server_local_data: VAR_LOCAL_DATA STRING_ARG */ +#line 2218 "./util/configparser.y" { OUTYY(("P(server_local_data:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->local_data, (yyvsp[0].str))) fatal_exit("out of memory adding local-data"); } -#line 5695 "util/configparser.c" +#line 5221 "util/configparser.c" break; - case 457: -#line 2119 "./util/configparser.y" + case 480: /* server_local_data_ptr: VAR_LOCAL_DATA_PTR STRING_ARG */ +#line 2225 "./util/configparser.y" { char* ptr; OUTYY(("P(server_local_data_ptr:%s)\n", (yyvsp[0].str))); 
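Review bot: In the new `ipset` branch, `(yyvsp[-1].str)[len-1]` is read without checking that `len` is non-zero, so an empty zone name would make `len-1` wrap and read one byte before the heap string. Whether the lexer can hand an empty STRING_ARG to this rule is not visible here, but the guard is cheap: `if(len == 0 || (yyvsp[-1].str)[len-1] != '.') {`, or reject the empty name with `yyerror` first if a bare "." zone is not intended. This file is bison output, so the change belongs in the matching action in `./util/configparser.y`. The `case 478` action starts in the previous hunk, and the earlier validation of the zone type is outside this one.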
@@ -5709,11 +5235,11 @@ yyreduce: yyerror("local-data-ptr could not be reversed"); } } -#line 5713 "util/configparser.c" +#line 5239 "util/configparser.c" break; - case 458: -#line 2134 "./util/configparser.y" + case 481: /* server_minimal_responses: VAR_MINIMAL_RESPONSES STRING_ARG */ +#line 2240 "./util/configparser.y" { OUTYY(("P(server_minimal_responses:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -5722,11 +5248,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5726 "util/configparser.c" +#line 5252 "util/configparser.c" break; - case 459: -#line 2144 "./util/configparser.y" + case 482: /* server_rrset_roundrobin: VAR_RRSET_ROUNDROBIN STRING_ARG */ +#line 2250 "./util/configparser.y" { OUTYY(("P(server_rrset_roundrobin:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -5735,41 +5261,41 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5739 "util/configparser.c" +#line 5265 "util/configparser.c" break; - case 460: -#line 2154 "./util/configparser.y" + case 483: /* server_unknown_server_time_limit: VAR_UNKNOWN_SERVER_TIME_LIMIT STRING_ARG */ +#line 2260 "./util/configparser.y" { OUTYY(("P(server_unknown_server_time_limit:%s)\n", (yyvsp[0].str))); cfg_parser->cfg->unknown_server_time_limit = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5749 "util/configparser.c" +#line 5275 "util/configparser.c" break; - case 461: -#line 2161 "./util/configparser.y" + case 484: /* server_max_udp_size: VAR_MAX_UDP_SIZE STRING_ARG */ +#line 2267 "./util/configparser.y" { OUTYY(("P(server_max_udp_size:%s)\n", (yyvsp[0].str))); cfg_parser->cfg->max_udp_size = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5759 "util/configparser.c" +#line 5285 "util/configparser.c" break; - case 462: -#line 2168 "./util/configparser.y" + case 485: /* server_dns64_prefix: VAR_DNS64_PREFIX STRING_ARG */ +#line 2274 "./util/configparser.y" { OUTYY(("P(dns64_prefix:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->dns64_prefix); cfg_parser->cfg->dns64_prefix = (yyvsp[0].str); } -#line 5769 "util/configparser.c" +#line 5295 "util/configparser.c" break; - case 463: -#line 2175 "./util/configparser.y" + case 486: /* server_dns64_synthall: VAR_DNS64_SYNTHALL STRING_ARG */ +#line 2281 "./util/configparser.y" { OUTYY(("P(server_dns64_synthall:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -5777,22 +5303,22 @@ yyreduce: else cfg_parser->cfg->dns64_synthall = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 5781 "util/configparser.c" +#line 5307 "util/configparser.c" break; - case 464: -#line 2184 "./util/configparser.y" + case 487: /* server_dns64_ignore_aaaa: VAR_DNS64_IGNORE_AAAA STRING_ARG */ +#line 2290 "./util/configparser.y" { OUTYY(("P(dns64_ignore_aaaa:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->dns64_ignore_aaaa, (yyvsp[0].str))) fatal_exit("out of memory adding dns64-ignore-aaaa"); } -#line 5792 "util/configparser.c" +#line 5318 "util/configparser.c" break; - case 465: -#line 2192 "./util/configparser.y" + case 488: /* server_define_tag: VAR_DEFINE_TAG STRING_ARG */ +#line 2298 "./util/configparser.y" { char* p, *s = (yyvsp[0].str); OUTYY(("P(server_define_tag:%s)\n", (yyvsp[0].str))); @@ -5805,11 +5331,11 @@ yyreduce: } free((yyvsp[0].str)); } -#line 5809 "util/configparser.c" +#line 5335 "util/configparser.c" break; - case 466: -#line 2206 "./util/configparser.y" + case 489: /* server_local_zone_tag: VAR_LOCAL_ZONE_TAG STRING_ARG STRING_ARG */ +#line 2312 "./util/configparser.y" { size_t len = 0; uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, (yyvsp[0].str), @@ -5829,11 +5355,11 @@ yyreduce: } } } -#line 5833 "util/configparser.c" +#line 5359 "util/configparser.c" break; - case 467: -#line 2227 "./util/configparser.y" + case 490: /* server_access_control_tag: VAR_ACCESS_CONTROL_TAG STRING_ARG STRING_ARG */ +#line 2333 "./util/configparser.y" { size_t len = 0; uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, (yyvsp[0].str), 
@@ -5853,11 +5379,11 @@ yyreduce: } } } -#line 5857 "util/configparser.c" +#line 5383 "util/configparser.c" break; - case 468: -#line 2248 "./util/configparser.y" + case 491: /* server_access_control_tag_action: VAR_ACCESS_CONTROL_TAG_ACTION STRING_ARG STRING_ARG STRING_ARG */ +#line 2354 "./util/configparser.y" { OUTYY(("P(server_access_control_tag_action:%s %s %s)\n", (yyvsp[-2].str), (yyvsp[-1].str), (yyvsp[0].str))); if(!cfg_str3list_insert(&cfg_parser->cfg->acl_tag_actions, @@ -5868,11 +5394,11 @@ yyreduce: free((yyvsp[0].str)); } } -#line 5872 "util/configparser.c" +#line 5398 "util/configparser.c" break; - case 469: -#line 2260 "./util/configparser.y" + case 492: /* server_access_control_tag_data: VAR_ACCESS_CONTROL_TAG_DATA STRING_ARG STRING_ARG STRING_ARG */ +#line 2366 "./util/configparser.y" { OUTYY(("P(server_access_control_tag_data:%s %s %s)\n", (yyvsp[-2].str), (yyvsp[-1].str), (yyvsp[0].str))); if(!cfg_str3list_insert(&cfg_parser->cfg->acl_tag_datas, @@ -5883,11 +5409,11 @@ yyreduce: free((yyvsp[0].str)); } } -#line 5887 "util/configparser.c" +#line 5413 "util/configparser.c" break; - case 470: -#line 2272 "./util/configparser.y" + case 493: /* server_local_zone_override: VAR_LOCAL_ZONE_OVERRIDE STRING_ARG STRING_ARG STRING_ARG */ +#line 2378 "./util/configparser.y" { OUTYY(("P(server_local_zone_override:%s %s %s)\n", (yyvsp[-2].str), (yyvsp[-1].str), (yyvsp[0].str))); if(!cfg_str3list_insert(&cfg_parser->cfg->local_zone_overrides, @@ -5898,11 +5424,11 @@ yyreduce: free((yyvsp[0].str)); } } -#line 5902 "util/configparser.c" +#line 5428 "util/configparser.c" break; - case 471: -#line 2284 "./util/configparser.y" + case 494: /* server_access_control_view: VAR_ACCESS_CONTROL_VIEW STRING_ARG STRING_ARG */ +#line 2390 "./util/configparser.y" { OUTYY(("P(server_access_control_view:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str))); if(!cfg_str2list_insert(&cfg_parser->cfg->acl_view, 
@@ -5910,11 +5436,11 @@ yyreduce: yyerror("out of memory"); } } -#line 5914 "util/configparser.c" +#line 5440 "util/configparser.c" break; - case 472: -#line 2293 "./util/configparser.y" + case 495: /* server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG */ +#line 2399 "./util/configparser.y" { size_t len = 0; uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, (yyvsp[0].str), 
@@ -5934,89 +5460,89 @@ yyreduce: } } } -#line 5938 "util/configparser.c" +#line 5464 "util/configparser.c" break; - case 473: -#line 2314 "./util/configparser.y" - { - OUTYY(("P(server_ip_ratelimit:%s)\n", (yyvsp[0].str))); + case 496: /* server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG */ +#line 2420 "./util/configparser.y" + { + OUTYY(("P(server_ip_ratelimit:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ip_ratelimit = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5950 "util/configparser.c" +#line 5476 "util/configparser.c" break; - case 474: -#line 2324 "./util/configparser.y" - { - OUTYY(("P(server_ratelimit:%s)\n", (yyvsp[0].str))); + case 497: /* server_ratelimit: VAR_RATELIMIT STRING_ARG */ +#line 2429 "./util/configparser.y" + { + OUTYY(("P(server_ratelimit:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ratelimit = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 5962 "util/configparser.c" +#line 5488 "util/configparser.c" break; - case 475: -#line 2333 "./util/configparser.y" - { - OUTYY(("P(server_ip_ratelimit_size:%s)\n", (yyvsp[0].str))); - if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->ip_ratelimit_size)) - yyerror("memory size expected"); - free((yyvsp[0].str)); - } -#line 5973 "util/configparser.c" + case 498: /* server_ip_ratelimit_size: VAR_IP_RATELIMIT_SIZE STRING_ARG */ +#line 2438 "./util/configparser.y" + { + OUTYY(("P(server_ip_ratelimit_size:%s)\n", (yyvsp[0].str))); + if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->ip_ratelimit_size)) + yyerror("memory size expected"); + free((yyvsp[0].str)); + } +#line 5499 "util/configparser.c" break; - case 476: -#line 2341 "./util/configparser.y" + case 499: /* server_ratelimit_size: VAR_RATELIMIT_SIZE STRING_ARG */ +#line 2446 "./util/configparser.y" { 
OUTYY(("P(server_ratelimit_size:%s)\n", (yyvsp[0].str))); if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->ratelimit_size)) yyerror("memory size expected"); free((yyvsp[0].str)); } -#line 5984 "util/configparser.c" +#line 5510 "util/configparser.c" break; - case 477: -#line 2349 "./util/configparser.y" - { - OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", (yyvsp[0].str))); - if(atoi((yyvsp[0].str)) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->ip_ratelimit_slabs = atoi((yyvsp[0].str)); - if(!is_pow2(cfg_parser->cfg->ip_ratelimit_slabs)) - yyerror("must be a power of 2"); - } - free((yyvsp[0].str)); - } -#line 6000 "util/configparser.c" + case 500: /* server_ip_ratelimit_slabs: VAR_IP_RATELIMIT_SLABS STRING_ARG */ +#line 2454 "./util/configparser.y" + { + OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", (yyvsp[0].str))); + if(atoi((yyvsp[0].str)) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->ip_ratelimit_slabs = atoi((yyvsp[0].str)); + if(!is_pow2(cfg_parser->cfg->ip_ratelimit_slabs)) + yyerror("must be a power of 2"); + } + free((yyvsp[0].str)); + } +#line 5526 "util/configparser.c" break; - case 478: -#line 2362 "./util/configparser.y" + case 501: /* server_ratelimit_slabs: VAR_RATELIMIT_SLABS STRING_ARG */ +#line 2467 "./util/configparser.y" { OUTYY(("P(server_ratelimit_slabs:%s)\n", (yyvsp[0].str))); - if(atoi((yyvsp[0].str)) == 0) + if(atoi((yyvsp[0].str)) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->ratelimit_slabs = atoi((yyvsp[0].str)); if(!is_pow2(cfg_parser->cfg->ratelimit_slabs)) yyerror("must be a power of 2"); } free((yyvsp[0].str)); } -#line 6016 "util/configparser.c" +#line 5542 "util/configparser.c" break; - case 479: -#line 2375 "./util/configparser.y" + case 502: /* server_ratelimit_for_domain: VAR_RATELIMIT_FOR_DOMAIN STRING_ARG STRING_ARG */ +#line 2480 "./util/configparser.y" { OUTYY(("P(server_ratelimit_for_domain:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str))); 
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) { @@ -6030,11 +5556,11 @@ yyreduce: "ratelimit-for-domain"); } } -#line 6034 "util/configparser.c" +#line 5560 "util/configparser.c" break; - case 480: -#line 2390 "./util/configparser.y" + case 503: /* server_ratelimit_below_domain: VAR_RATELIMIT_BELOW_DOMAIN STRING_ARG STRING_ARG */ +#line 2495 "./util/configparser.y" { OUTYY(("P(server_ratelimit_below_domain:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) { 
@@ -6048,94 +5574,132 @@ yyreduce: "ratelimit-below-domain"); } } -#line 6052 "util/configparser.c" +#line 5578 "util/configparser.c" break; - case 481: -#line 2405 "./util/configparser.y" - { - OUTYY(("P(server_ip_ratelimit_factor:%s)\n", (yyvsp[0].str))); - if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) - yyerror("number expected"); - else cfg_parser->cfg->ip_ratelimit_factor = atoi((yyvsp[0].str)); - free((yyvsp[0].str)); + case 504: /* server_ip_ratelimit_factor: VAR_IP_RATELIMIT_FACTOR STRING_ARG */ +#line 2510 "./util/configparser.y" + { + OUTYY(("P(server_ip_ratelimit_factor:%s)\n", (yyvsp[0].str))); + if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->ip_ratelimit_factor = atoi((yyvsp[0].str)); + free((yyvsp[0].str)); } -#line 6064 "util/configparser.c" +#line 5590 "util/configparser.c" break; - case 482: -#line 2414 "./util/configparser.y" - { - OUTYY(("P(server_ratelimit_factor:%s)\n", (yyvsp[0].str))); + case 505: /* server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG */ +#line 2519 "./util/configparser.y" + { + OUTYY(("P(server_ratelimit_factor:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ratelimit_factor = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 6076 "util/configparser.c" +#line 5602 "util/configparser.c" break; - case 483: -#line 2423 "./util/configparser.y" - { + case 506: /* server_ip_ratelimit_backoff: VAR_IP_RATELIMIT_BACKOFF STRING_ARG */ +#line 2528 "./util/configparser.y" + { + OUTYY(("P(server_ip_ratelimit_backoff:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_ratelimit_backoff = + (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 5615 "util/configparser.c" + break; + + case 507: /* server_ratelimit_backoff: 
VAR_RATELIMIT_BACKOFF STRING_ARG */ +#line 2538 "./util/configparser.y" + { + OUTYY(("P(server_ratelimit_backoff:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ratelimit_backoff = + (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 5628 "util/configparser.c" + break; + + case 508: /* server_outbound_msg_retry: VAR_OUTBOUND_MSG_RETRY STRING_ARG */ +#line 2548 "./util/configparser.y" + { + OUTYY(("P(server_outbound_msg_retry:%s)\n", (yyvsp[0].str))); + if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->outbound_msg_retry = atoi((yyvsp[0].str)); + free((yyvsp[0].str)); + } +#line 5640 "util/configparser.c" + break; + + case 509: /* server_low_rtt: VAR_LOW_RTT STRING_ARG */ +#line 2557 "./util/configparser.y" + { OUTYY(("P(low-rtt option is deprecated, use fast-server-num instead)\n")); free((yyvsp[0].str)); } -#line 6085 "util/configparser.c" +#line 5649 "util/configparser.c" break; - case 484: -#line 2429 "./util/configparser.y" - { - OUTYY(("P(server_fast_server_num:%s)\n", (yyvsp[0].str))); + case 510: /* server_fast_server_num: VAR_FAST_SERVER_NUM STRING_ARG */ +#line 2563 "./util/configparser.y" + { + OUTYY(("P(server_fast_server_num:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) <= 0) yyerror("number expected"); else cfg_parser->cfg->fast_server_num = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 6097 "util/configparser.c" +#line 5661 "util/configparser.c" break; - case 485: -#line 2438 "./util/configparser.y" - { - OUTYY(("P(server_fast_server_permil:%s)\n", (yyvsp[0].str))); + case 511: /* server_fast_server_permil: VAR_FAST_SERVER_PERMIL STRING_ARG */ +#line 2572 "./util/configparser.y" + { + OUTYY(("P(server_fast_server_permil:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) yyerror("number expected"); 
else cfg_parser->cfg->fast_server_permil = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 6109 "util/configparser.c" +#line 5673 "util/configparser.c" break; - case 486: -#line 2447 "./util/configparser.y" + case 512: /* server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG */ +#line 2581 "./util/configparser.y" { OUTYY(("P(server_qname_minimisation:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->qname_minimisation = + else cfg_parser->cfg->qname_minimisation = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6122 "util/configparser.c" +#line 5686 "util/configparser.c" break; - case 487: -#line 2457 "./util/configparser.y" + case 513: /* server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG */ +#line 2591 "./util/configparser.y" { OUTYY(("P(server_qname_minimisation_strict:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->qname_minimisation_strict = + else cfg_parser->cfg->qname_minimisation_strict = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6135 "util/configparser.c" +#line 5699 "util/configparser.c" break; - case 488: -#line 2467 "./util/configparser.y" + case 514: /* server_pad_responses: VAR_PAD_RESPONSES STRING_ARG */ +#line 2601 "./util/configparser.y" { OUTYY(("P(server_pad_responses:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -6144,11 +5708,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6148 "util/configparser.c" +#line 5712 "util/configparser.c" break; - case 489: -#line 2477 "./util/configparser.y" + case 515: /* server_pad_responses_block_size: VAR_PAD_RESPONSES_BLOCK_SIZE STRING_ARG */ +#line 2611 "./util/configparser.y" { OUTYY(("P(server_pad_responses_block_size:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) @@ -6156,11 +5720,11 @@ yyreduce: else cfg_parser->cfg->pad_responses_block_size = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 6160 "util/configparser.c" +#line 5724 "util/configparser.c" break; - case 490: -#line 2486 "./util/configparser.y" + case 516: /* server_pad_queries: VAR_PAD_QUERIES STRING_ARG */ +#line 2620 "./util/configparser.y" { OUTYY(("P(server_pad_queries:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6169,11 +5733,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6173 "util/configparser.c" +#line 5737 "util/configparser.c" break; - case 491: -#line 2496 "./util/configparser.y" + case 517: /* server_pad_queries_block_size: VAR_PAD_QUERIES_BLOCK_SIZE STRING_ARG */ +#line 2630 "./util/configparser.y" { OUTYY(("P(server_pad_queries_block_size:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) @@ -6181,11 +5745,11 @@ yyreduce: else cfg_parser->cfg->pad_queries_block_size = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 6185 "util/configparser.c" +#line 5749 "util/configparser.c" break; - case 492: -#line 2505 "./util/configparser.y" + case 518: /* server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG */ +#line 2639 "./util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_enabled:%s)\n", (yyvsp[0].str))); 
@@ -6197,11 +5761,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 6201 "util/configparser.c" +#line 5765 "util/configparser.c" break; - case 493: -#line 2518 "./util/configparser.y" + case 519: /* server_ipsecmod_ignore_bogus: VAR_IPSECMOD_IGNORE_BOGUS STRING_ARG */ +#line 2652 "./util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_ignore_bogus:%s)\n", (yyvsp[0].str))); @@ -6213,11 +5777,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 6217 "util/configparser.c" +#line 5781 "util/configparser.c" break; - case 494: -#line 2531 "./util/configparser.y" + case 520: /* server_ipsecmod_hook: VAR_IPSECMOD_HOOK STRING_ARG */ +#line 2665 "./util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_hook:%s)\n", (yyvsp[0].str))); @@ -6228,11 +5792,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 6232 "util/configparser.c" +#line 5796 "util/configparser.c" break; - case 495: -#line 2543 "./util/configparser.y" + case 521: /* server_ipsecmod_max_ttl: VAR_IPSECMOD_MAX_TTL STRING_ARG */ +#line 2677 "./util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_max_ttl:%s)\n", (yyvsp[0].str))); @@ -6245,11 +5809,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 6249 "util/configparser.c" +#line 5813 "util/configparser.c" break; - case 496: -#line 2557 "./util/configparser.y" + case 522: /* server_ipsecmod_whitelist: VAR_IPSECMOD_WHITELIST STRING_ARG */ +#line 2691 "./util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_whitelist:%s)\n", (yyvsp[0].str))); @@ -6260,11 +5824,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 6264 "util/configparser.c" +#line 5828 "util/configparser.c" break; - case 497: -#line 2569 "./util/configparser.y" + case 523: /* server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG */ +#line 2703 "./util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_strict:%s)\n", (yyvsp[0].str))); 
@@ -6277,11 +5841,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 6281 "util/configparser.c" +#line 5845 "util/configparser.c" break; - case 498: -#line 2583 "./util/configparser.y" + case 524: /* server_edns_client_string: VAR_EDNS_CLIENT_STRING STRING_ARG STRING_ARG */ +#line 2717 "./util/configparser.y" { OUTYY(("P(server_edns_client_string:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str))); if(!cfg_str2list_insert( @@ -6289,11 +5853,11 @@ yyreduce: fatal_exit("out of memory adding " "edns-client-string"); } -#line 6293 "util/configparser.c" +#line 5857 "util/configparser.c" break; - case 499: -#line 2592 "./util/configparser.y" + case 525: /* server_edns_client_string_opcode: VAR_EDNS_CLIENT_STRING_OPCODE STRING_ARG */ +#line 2726 "./util/configparser.y" { OUTYY(("P(edns_client_string_opcode:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) @@ -6304,11 +5868,11 @@ yyreduce: free((yyvsp[0].str)); } -#line 6308 "util/configparser.c" +#line 5872 "util/configparser.c" break; - case 500: -#line 2604 "./util/configparser.y" + case 526: /* stub_name: VAR_NAME STRING_ARG */ +#line 2738 "./util/configparser.y" { OUTYY(("P(name:%s)\n", (yyvsp[0].str))); if(cfg_parser->cfg->stubs->name) 
@@ -6317,31 +5881,31 @@ yyreduce: free(cfg_parser->cfg->stubs->name); cfg_parser->cfg->stubs->name = (yyvsp[0].str); } -#line 6321 "util/configparser.c" +#line 5885 "util/configparser.c" break; - case 501: -#line 2614 "./util/configparser.y" + case 527: /* stub_host: VAR_STUB_HOST STRING_ARG */ +#line 2748 "./util/configparser.y" { OUTYY(("P(stub-host:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->hosts, (yyvsp[0].str))) yyerror("out of memory"); } -#line 6331 "util/configparser.c" +#line 5895 "util/configparser.c" break; - case 502: -#line 2621 "./util/configparser.y" + case 528: /* stub_addr: VAR_STUB_ADDR STRING_ARG */ +#line 2755 "./util/configparser.y" { OUTYY(("P(stub-addr:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->addrs, (yyvsp[0].str))) yyerror("out of memory"); } -#line 6341 "util/configparser.c" +#line 5905 "util/configparser.c" break; - case 503: -#line 2628 "./util/configparser.y" + case 529: /* stub_first: VAR_STUB_FIRST STRING_ARG */ +#line 2762 "./util/configparser.y" { OUTYY(("P(stub-first:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6349,11 +5913,11 @@ yyreduce: else cfg_parser->cfg->stubs->isfirst=(strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6353 "util/configparser.c" +#line 5917 "util/configparser.c" break; - case 504: -#line 2637 "./util/configparser.y" + case 530: /* stub_no_cache: VAR_STUB_NO_CACHE STRING_ARG */ +#line 2771 "./util/configparser.y" { OUTYY(("P(stub-no-cache:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -6361,37 +5925,50 @@ yyreduce: else cfg_parser->cfg->stubs->no_cache=(strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6365 "util/configparser.c" +#line 5929 "util/configparser.c" break; - case 505: -#line 2646 "./util/configparser.y" + case 531: /* stub_ssl_upstream: VAR_STUB_SSL_UPSTREAM STRING_ARG */ +#line 2780 "./util/configparser.y" { OUTYY(("P(stub-ssl-upstream:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->stubs->ssl_upstream = + else cfg_parser->cfg->stubs->ssl_upstream = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6378 "util/configparser.c" +#line 5942 "util/configparser.c" break; - case 506: -#line 2656 "./util/configparser.y" + case 532: /* stub_tcp_upstream: VAR_STUB_TCP_UPSTREAM STRING_ARG */ +#line 2790 "./util/configparser.y" + { + OUTYY(("P(stub-tcp-upstream:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->stubs->tcp_upstream = + (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 5955 "util/configparser.c" + break; + + case 533: /* stub_prime: VAR_STUB_PRIME STRING_ARG */ +#line 2800 "./util/configparser.y" { OUTYY(("P(stub-prime:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->stubs->isprime = + else cfg_parser->cfg->stubs->isprime = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6391 "util/configparser.c" +#line 5968 "util/configparser.c" break; - case 507: -#line 2666 "./util/configparser.y" + case 534: /* forward_name: VAR_NAME STRING_ARG */ +#line 2810 "./util/configparser.y" { OUTYY(("P(name:%s)\n", (yyvsp[0].str))); if(cfg_parser->cfg->forwards->name) 
@@ -6400,31 +5977,31 @@ yyreduce: free(cfg_parser->cfg->forwards->name); cfg_parser->cfg->forwards->name = (yyvsp[0].str); } -#line 6404 "util/configparser.c" +#line 5981 "util/configparser.c" break; - case 508: -#line 2676 "./util/configparser.y" + case 535: /* forward_host: VAR_FORWARD_HOST STRING_ARG */ +#line 2820 "./util/configparser.y" { OUTYY(("P(forward-host:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->hosts, (yyvsp[0].str))) yyerror("out of memory"); } -#line 6414 "util/configparser.c" +#line 5991 "util/configparser.c" break; - case 509: -#line 2683 "./util/configparser.y" + case 536: /* forward_addr: VAR_FORWARD_ADDR STRING_ARG */ +#line 2827 "./util/configparser.y" { OUTYY(("P(forward-addr:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->addrs, (yyvsp[0].str))) yyerror("out of memory"); } -#line 6424 "util/configparser.c" +#line 6001 "util/configparser.c" break; - case 510: -#line 2690 "./util/configparser.y" + case 537: /* forward_first: VAR_FORWARD_FIRST STRING_ARG */ +#line 2834 "./util/configparser.y" { OUTYY(("P(forward-first:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6432,11 +6009,11 @@ yyreduce: else cfg_parser->cfg->forwards->isfirst=(strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6436 "util/configparser.c" +#line 6013 "util/configparser.c" break; - case 511: -#line 2699 "./util/configparser.y" + case 538: /* forward_no_cache: VAR_FORWARD_NO_CACHE STRING_ARG */ +#line 2843 "./util/configparser.y" { OUTYY(("P(forward-no-cache:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -6444,24 +6021,37 @@ yyreduce: else cfg_parser->cfg->forwards->no_cache=(strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6448 "util/configparser.c" +#line 6025 "util/configparser.c" break; - case 512: -#line 2708 "./util/configparser.y" + case 539: /* forward_ssl_upstream: VAR_FORWARD_SSL_UPSTREAM STRING_ARG */ +#line 2852 "./util/configparser.y" { OUTYY(("P(forward-ssl-upstream:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->forwards->ssl_upstream = + else cfg_parser->cfg->forwards->ssl_upstream = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6461 "util/configparser.c" +#line 6038 "util/configparser.c" break; - case 513: -#line 2718 "./util/configparser.y" + case 540: /* forward_tcp_upstream: VAR_FORWARD_TCP_UPSTREAM STRING_ARG */ +#line 2862 "./util/configparser.y" + { + OUTYY(("P(forward-tcp-upstream:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->forwards->tcp_upstream = + (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 6051 "util/configparser.c" + break; + + case 541: /* auth_name: VAR_NAME STRING_ARG */ +#line 2872 "./util/configparser.y" { OUTYY(("P(name:%s)\n", (yyvsp[0].str))); if(cfg_parser->cfg->auths->name) 
@@ -6470,52 +6060,65 @@ yyreduce: free(cfg_parser->cfg->auths->name); cfg_parser->cfg->auths->name = (yyvsp[0].str); } -#line 6474 "util/configparser.c" +#line 6064 "util/configparser.c" break; - case 514: -#line 2728 "./util/configparser.y" + case 542: /* auth_zonefile: VAR_ZONEFILE STRING_ARG */ +#line 2882 "./util/configparser.y" { OUTYY(("P(zonefile:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->auths->zonefile); cfg_parser->cfg->auths->zonefile = (yyvsp[0].str); } -#line 6484 "util/configparser.c" +#line 6074 "util/configparser.c" break; - case 515: -#line 2735 "./util/configparser.y" + case 543: /* auth_master: VAR_MASTER STRING_ARG */ +#line 2889 "./util/configparser.y" { OUTYY(("P(master:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->auths->masters, (yyvsp[0].str))) yyerror("out of memory"); } -#line 6494 "util/configparser.c" +#line 6084 "util/configparser.c" break; - case 516: -#line 2742 "./util/configparser.y" + case 544: /* auth_url: VAR_URL STRING_ARG */ +#line 2896 "./util/configparser.y" { OUTYY(("P(url:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->auths->urls, (yyvsp[0].str))) yyerror("out of memory"); } -#line 6504 "util/configparser.c" +#line 6094 "util/configparser.c" break; - case 517: -#line 2749 "./util/configparser.y" + case 545: /* auth_allow_notify: VAR_ALLOW_NOTIFY STRING_ARG */ +#line 2903 "./util/configparser.y" { OUTYY(("P(allow-notify:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->auths->allow_notify, (yyvsp[0].str))) yyerror("out of memory"); } -#line 6515 "util/configparser.c" +#line 6105 "util/configparser.c" break; - case 518: -#line 2757 "./util/configparser.y" + case 546: /* auth_zonemd_check: VAR_ZONEMD_CHECK STRING_ARG */ +#line 2911 "./util/configparser.y" + { + OUTYY(("P(zonemd-check:%s)\n", (yyvsp[0].str))); + if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->auths->zonemd_check = 
+ (strcmp((yyvsp[0].str), "yes")==0); + free((yyvsp[0].str)); + } +#line 6118 "util/configparser.c" + break; + + case 547: /* auth_zonemd_reject_absence: VAR_ZONEMD_REJECT_ABSENCE STRING_ARG */ +#line 2921 "./util/configparser.y" { OUTYY(("P(zonemd-reject-absence:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6524,11 +6127,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6528 "util/configparser.c" +#line 6131 "util/configparser.c" break; - case 519: -#line 2767 "./util/configparser.y" + case 548: /* auth_for_downstream: VAR_FOR_DOWNSTREAM STRING_ARG */ +#line 2931 "./util/configparser.y" { OUTYY(("P(for-downstream:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6537,11 +6140,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6541 "util/configparser.c" +#line 6144 "util/configparser.c" break; - case 520: -#line 2777 "./util/configparser.y" + case 549: /* auth_for_upstream: VAR_FOR_UPSTREAM STRING_ARG */ +#line 2941 "./util/configparser.y" { OUTYY(("P(for-upstream:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6550,11 +6153,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6554 "util/configparser.c" +#line 6157 "util/configparser.c" break; - case 521: -#line 2787 "./util/configparser.y" + case 550: /* auth_fallback_enabled: VAR_FALLBACK_ENABLED STRING_ARG */ +#line 2951 "./util/configparser.y" { OUTYY(("P(fallback-enabled:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -6563,11 +6166,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6567 "util/configparser.c" +#line 6170 "util/configparser.c" break; - case 522: -#line 2797 "./util/configparser.y" + case 551: /* view_name: VAR_NAME STRING_ARG */ +#line 2961 "./util/configparser.y" { OUTYY(("P(name:%s)\n", (yyvsp[0].str))); if(cfg_parser->cfg->views->name) @@ -6576,11 +6179,11 @@ yyreduce: free(cfg_parser->cfg->views->name); cfg_parser->cfg->views->name = (yyvsp[0].str); } -#line 6580 "util/configparser.c" +#line 6183 "util/configparser.c" break; - case 523: -#line 2807 "./util/configparser.y" + case 552: /* view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG */ +#line 2971 "./util/configparser.y" { OUTYY(("P(view_local_zone:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "static")!=0 && strcmp((yyvsp[0].str), "deny")!=0 && @@ -6590,13 +6193,20 @@ yyreduce: && strcmp((yyvsp[0].str), "always_transparent")!=0 && strcmp((yyvsp[0].str), "always_refuse")!=0 && strcmp((yyvsp[0].str), "always_nxdomain")!=0 + && strcmp((yyvsp[0].str), "always_nodata")!=0 + && strcmp((yyvsp[0].str), "always_deny")!=0 + && strcmp((yyvsp[0].str), "always_null")!=0 && strcmp((yyvsp[0].str), "noview")!=0 - && strcmp((yyvsp[0].str), "inform")!=0 && strcmp((yyvsp[0].str), "inform_deny")!=0) { + && strcmp((yyvsp[0].str), "inform")!=0 && strcmp((yyvsp[0].str), "inform_deny")!=0 + && strcmp((yyvsp[0].str), "inform_redirect") != 0 + && strcmp((yyvsp[0].str), "ipset") != 0) { yyerror("local-zone type: expected static, deny, " "refuse, redirect, transparent, " "typetransparent, inform, inform_deny, " - "always_transparent, always_refuse, " - "always_nxdomain, noview or nodefault"); + "inform_redirect, always_transparent, " + "always_refuse, always_nxdomain, " + "always_nodata, always_deny, always_null, " + "noview, nodefault or ipset"); free((yyvsp[-1].str)); free((yyvsp[0].str)); } else if(strcmp((yyvsp[0].str), "nodefault")==0) { 
@@ -6606,6 +6216,16 @@ yyreduce: free((yyvsp[0].str)); #ifdef USE_IPSET } else if(strcmp((yyvsp[0].str), "ipset")==0) { + size_t len = strlen((yyvsp[-1].str)); + /* Make sure to add the trailing dot. + * These are str compared to domain names. */ + if((yyvsp[-1].str)[len-1] != '.') { + if(!((yyvsp[-1].str) = realloc((yyvsp[-1].str), len+2))) { + fatal_exit("out of memory adding local-zone"); + } + (yyvsp[-1].str)[len] = '.'; + (yyvsp[-1].str)[len+1] = 0; + } if(!cfg_strlist_insert(&cfg_parser->cfg->views-> local_zones_ipset, (yyvsp[-1].str))) fatal_exit("out of memory adding local-zone"); @@ -6613,16 +6233,16 @@ yyreduce: #endif } else { if(!cfg_str2list_insert( - &cfg_parser->cfg->views->local_zones, + &cfg_parser->cfg->views->local_zones, (yyvsp[-1].str), (yyvsp[0].str))) fatal_exit("out of memory adding local-zone"); } } -#line 6622 "util/configparser.c" +#line 6242 "util/configparser.c" break; - case 524: -#line 2846 "./util/configparser.y" + case 553: /* view_response_ip: VAR_RESPONSE_IP STRING_ARG STRING_ARG */ +#line 3027 "./util/configparser.y" { OUTYY(("P(view_response_ip:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str))); validate_respip_action((yyvsp[0].str)); 
@@ -6631,33 +6251,33 @@ yyreduce: fatal_exit("out of memory adding per-view " "response-ip action"); } -#line 6635 "util/configparser.c" +#line 6255 "util/configparser.c" break; - case 525: -#line 2856 "./util/configparser.y" + case 554: /* view_response_ip_data: VAR_RESPONSE_IP_DATA STRING_ARG STRING_ARG */ +#line 3037 "./util/configparser.y" { OUTYY(("P(view_response_ip_data:%s)\n", (yyvsp[-1].str))); if(!cfg_str2list_insert( &cfg_parser->cfg->views->respip_data, (yyvsp[-1].str), (yyvsp[0].str))) fatal_exit("out of memory adding response-ip-data"); } -#line 6646 "util/configparser.c" +#line 6266 "util/configparser.c" break; - case 526: -#line 2864 "./util/configparser.y" + case 555: /* view_local_data: VAR_LOCAL_DATA STRING_ARG */ +#line 3045 "./util/configparser.y" { OUTYY(("P(view_local_data:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->views->local_data, (yyvsp[0].str))) { fatal_exit("out of memory adding local-data"); } } -#line 6657 "util/configparser.c" +#line 6277 "util/configparser.c" break; - case 527: -#line 2872 "./util/configparser.y" + case 556: /* view_local_data_ptr: VAR_LOCAL_DATA_PTR STRING_ARG */ +#line 3053 "./util/configparser.y" { char* ptr; OUTYY(("P(view_local_data_ptr:%s)\n", (yyvsp[0].str))); @@ -6671,11 +6291,11 @@ yyreduce: yyerror("local-data-ptr could not be reversed"); } } -#line 6675 "util/configparser.c" +#line 6295 "util/configparser.c" break; - case 528: -#line 2887 "./util/configparser.y" + case 557: /* view_first: VAR_VIEW_FIRST STRING_ARG */ +#line 3068 "./util/configparser.y" { OUTYY(("P(view-first:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -6683,32 +6303,32 @@ yyreduce: else cfg_parser->cfg->views->isfirst=(strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6687 "util/configparser.c" +#line 6307 "util/configparser.c" break; - case 529: -#line 2896 "./util/configparser.y" - { - OUTYY(("\nP(remote-control:)\n")); + case 558: /* rcstart: VAR_REMOTE_CONTROL */ +#line 3077 "./util/configparser.y" + { + OUTYY(("\nP(remote-control:)\n")); } -#line 6695 "util/configparser.c" +#line 6315 "util/configparser.c" break; - case 540: -#line 2907 "./util/configparser.y" + case 569: /* rc_control_enable: VAR_CONTROL_ENABLE STRING_ARG */ +#line 3088 "./util/configparser.y" { OUTYY(("P(control_enable:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->remote_control_enable = + else cfg_parser->cfg->remote_control_enable = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6708 "util/configparser.c" +#line 6328 "util/configparser.c" break; - case 541: -#line 2917 "./util/configparser.y" + case 570: /* rc_control_port: VAR_CONTROL_PORT STRING_ARG */ +#line 3098 "./util/configparser.y" { OUTYY(("P(control_port:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) 
@@ -6716,79 +6336,79 @@ yyreduce: else cfg_parser->cfg->control_port = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 6720 "util/configparser.c" +#line 6340 "util/configparser.c" break; - case 542: -#line 2926 "./util/configparser.y" + case 571: /* rc_control_interface: VAR_CONTROL_INTERFACE STRING_ARG */ +#line 3107 "./util/configparser.y" { OUTYY(("P(control_interface:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_append(&cfg_parser->cfg->control_ifs, (yyvsp[0].str))) yyerror("out of memory"); } -#line 6730 "util/configparser.c" +#line 6350 "util/configparser.c" break; - case 543: -#line 2933 "./util/configparser.y" + case 572: /* rc_control_use_cert: VAR_CONTROL_USE_CERT STRING_ARG */ +#line 3114 "./util/configparser.y" { OUTYY(("P(control_use_cert:%s)\n", (yyvsp[0].str))); cfg_parser->cfg->control_use_cert = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6740 "util/configparser.c" +#line 6360 "util/configparser.c" break; - case 544: -#line 2940 "./util/configparser.y" + case 573: /* rc_server_key_file: VAR_SERVER_KEY_FILE STRING_ARG */ +#line 3121 "./util/configparser.y" { OUTYY(("P(rc_server_key_file:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->server_key_file); cfg_parser->cfg->server_key_file = (yyvsp[0].str); } -#line 6750 "util/configparser.c" +#line 6370 "util/configparser.c" break; - case 545: -#line 2947 "./util/configparser.y" + case 574: /* rc_server_cert_file: VAR_SERVER_CERT_FILE STRING_ARG */ +#line 3128 "./util/configparser.y" { OUTYY(("P(rc_server_cert_file:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->server_cert_file); cfg_parser->cfg->server_cert_file = (yyvsp[0].str); } -#line 6760 "util/configparser.c" +#line 6380 "util/configparser.c" break; - case 546: -#line 2954 "./util/configparser.y" + case 575: /* rc_control_key_file: VAR_CONTROL_KEY_FILE STRING_ARG */ +#line 3135 "./util/configparser.y" { OUTYY(("P(rc_control_key_file:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->control_key_file); 
cfg_parser->cfg->control_key_file = (yyvsp[0].str); } -#line 6770 "util/configparser.c" +#line 6390 "util/configparser.c" break; - case 547: -#line 2961 "./util/configparser.y" + case 576: /* rc_control_cert_file: VAR_CONTROL_CERT_FILE STRING_ARG */ +#line 3142 "./util/configparser.y" { OUTYY(("P(rc_control_cert_file:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->control_cert_file); cfg_parser->cfg->control_cert_file = (yyvsp[0].str); } -#line 6780 "util/configparser.c" +#line 6400 "util/configparser.c" break; - case 548: -#line 2968 "./util/configparser.y" + case 577: /* dtstart: VAR_DNSTAP */ +#line 3149 "./util/configparser.y" { OUTYY(("\nP(dnstap:)\n")); } -#line 6788 "util/configparser.c" +#line 6408 "util/configparser.c" break; - case 570: -#line 2988 "./util/configparser.y" + case 599: /* dt_dnstap_enable: VAR_DNSTAP_ENABLE STRING_ARG */ +#line 3169 "./util/configparser.y" { OUTYY(("P(dt_dnstap_enable:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6796,11 +6416,11 @@ yyreduce: else cfg_parser->cfg->dnstap = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6800 "util/configparser.c" +#line 6420 "util/configparser.c" break; - case 571: -#line 2997 "./util/configparser.y" + case 600: /* dt_dnstap_bidirectional: VAR_DNSTAP_BIDIRECTIONAL STRING_ARG */ +#line 3178 "./util/configparser.y" { OUTYY(("P(dt_dnstap_bidirectional:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -6809,31 +6429,31 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6813 "util/configparser.c" +#line 6433 "util/configparser.c" break; - case 572: -#line 3007 "./util/configparser.y" + case 601: /* dt_dnstap_socket_path: VAR_DNSTAP_SOCKET_PATH STRING_ARG */ +#line 3188 "./util/configparser.y" { OUTYY(("P(dt_dnstap_socket_path:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->dnstap_socket_path); cfg_parser->cfg->dnstap_socket_path = (yyvsp[0].str); } -#line 6823 "util/configparser.c" +#line 6443 "util/configparser.c" break; - case 573: -#line 3014 "./util/configparser.y" + case 602: /* dt_dnstap_ip: VAR_DNSTAP_IP STRING_ARG */ +#line 3195 "./util/configparser.y" { OUTYY(("P(dt_dnstap_ip:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->dnstap_ip); cfg_parser->cfg->dnstap_ip = (yyvsp[0].str); } -#line 6833 "util/configparser.c" +#line 6453 "util/configparser.c" break; - case 574: -#line 3021 "./util/configparser.y" + case 603: /* dt_dnstap_tls: VAR_DNSTAP_TLS STRING_ARG */ +#line 3202 "./util/configparser.y" { OUTYY(("P(dt_dnstap_tls:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -6841,51 +6461,51 @@ yyreduce: else cfg_parser->cfg->dnstap_tls = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6845 "util/configparser.c" +#line 6465 "util/configparser.c" break; - case 575: -#line 3030 "./util/configparser.y" + case 604: /* dt_dnstap_tls_server_name: VAR_DNSTAP_TLS_SERVER_NAME STRING_ARG */ +#line 3211 "./util/configparser.y" { OUTYY(("P(dt_dnstap_tls_server_name:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->dnstap_tls_server_name); cfg_parser->cfg->dnstap_tls_server_name = (yyvsp[0].str); } -#line 6855 "util/configparser.c" +#line 6475 "util/configparser.c" break; - case 576: -#line 3037 "./util/configparser.y" + case 605: /* dt_dnstap_tls_cert_bundle: VAR_DNSTAP_TLS_CERT_BUNDLE STRING_ARG */ +#line 3218 "./util/configparser.y" { OUTYY(("P(dt_dnstap_tls_cert_bundle:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->dnstap_tls_cert_bundle); cfg_parser->cfg->dnstap_tls_cert_bundle = (yyvsp[0].str); } -#line 6865 "util/configparser.c" +#line 6485 "util/configparser.c" break; - case 577: -#line 3044 "./util/configparser.y" + case 606: /* dt_dnstap_tls_client_key_file: VAR_DNSTAP_TLS_CLIENT_KEY_FILE STRING_ARG */ +#line 3225 "./util/configparser.y" { OUTYY(("P(dt_dnstap_tls_client_key_file:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->dnstap_tls_client_key_file); cfg_parser->cfg->dnstap_tls_client_key_file = (yyvsp[0].str); } -#line 6875 "util/configparser.c" +#line 6495 "util/configparser.c" break; - case 578: -#line 3051 "./util/configparser.y" + case 607: /* dt_dnstap_tls_client_cert_file: VAR_DNSTAP_TLS_CLIENT_CERT_FILE STRING_ARG */ +#line 3232 "./util/configparser.y" { OUTYY(("P(dt_dnstap_tls_client_cert_file:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->dnstap_tls_client_cert_file); cfg_parser->cfg->dnstap_tls_client_cert_file = (yyvsp[0].str); } -#line 6885 "util/configparser.c" +#line 6505 "util/configparser.c" break; - case 579: -#line 3058 "./util/configparser.y" + case 608: /* dt_dnstap_send_identity: 
VAR_DNSTAP_SEND_IDENTITY STRING_ARG */ +#line 3239 "./util/configparser.y" { OUTYY(("P(dt_dnstap_send_identity:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6893,11 +6513,11 @@ yyreduce: else cfg_parser->cfg->dnstap_send_identity = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6897 "util/configparser.c" +#line 6517 "util/configparser.c" break; - case 580: -#line 3067 "./util/configparser.y" + case 609: /* dt_dnstap_send_version: VAR_DNSTAP_SEND_VERSION STRING_ARG */ +#line 3248 "./util/configparser.y" { OUTYY(("P(dt_dnstap_send_version:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -6905,31 +6525,31 @@ yyreduce: else cfg_parser->cfg->dnstap_send_version = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6909 "util/configparser.c" +#line 6529 "util/configparser.c" break; - case 581: -#line 3076 "./util/configparser.y" + case 610: /* dt_dnstap_identity: VAR_DNSTAP_IDENTITY STRING_ARG */ +#line 3257 "./util/configparser.y" { OUTYY(("P(dt_dnstap_identity:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->dnstap_identity); cfg_parser->cfg->dnstap_identity = (yyvsp[0].str); } -#line 6919 "util/configparser.c" +#line 6539 "util/configparser.c" break; - case 582: -#line 3083 "./util/configparser.y" + case 611: /* dt_dnstap_version: VAR_DNSTAP_VERSION STRING_ARG */ +#line 3264 "./util/configparser.y" { OUTYY(("P(dt_dnstap_version:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->dnstap_version); cfg_parser->cfg->dnstap_version = (yyvsp[0].str); } -#line 6929 "util/configparser.c" +#line 6549 "util/configparser.c" break; - case 583: -#line 3090 "./util/configparser.y" + case 612: /* dt_dnstap_log_resolver_query_messages: VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES STRING_ARG */ +#line 3271 "./util/configparser.y" { OUTYY(("P(dt_dnstap_log_resolver_query_messages:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6938,11 +6558,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6942 "util/configparser.c" +#line 6562 "util/configparser.c" break; - case 584: -#line 3100 "./util/configparser.y" + case 613: /* dt_dnstap_log_resolver_response_messages: VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES STRING_ARG */ +#line 3281 "./util/configparser.y" { OUTYY(("P(dt_dnstap_log_resolver_response_messages:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -6951,11 +6571,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6955 "util/configparser.c" +#line 6575 "util/configparser.c" break; - case 585: -#line 3110 "./util/configparser.y" + case 614: /* dt_dnstap_log_client_query_messages: VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES STRING_ARG */ +#line 3291 "./util/configparser.y" { OUTYY(("P(dt_dnstap_log_client_query_messages:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6964,11 +6584,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6968 "util/configparser.c" +#line 6588 "util/configparser.c" break; - case 586: -#line 3120 "./util/configparser.y" + case 615: /* dt_dnstap_log_client_response_messages: VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES STRING_ARG */ +#line 3301 "./util/configparser.y" { OUTYY(("P(dt_dnstap_log_client_response_messages:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) @@ -6977,11 +6597,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6981 "util/configparser.c" +#line 6601 "util/configparser.c" break; - case 587: -#line 3130 "./util/configparser.y" + case 616: /* dt_dnstap_log_forwarder_query_messages: VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES STRING_ARG */ +#line 3311 "./util/configparser.y" { OUTYY(("P(dt_dnstap_log_forwarder_query_messages:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -6990,11 +6610,11 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 6994 "util/configparser.c" +#line 6614 "util/configparser.c" break; - case 588: -#line 3140 "./util/configparser.y" + case 617: /* dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES STRING_ARG */ +#line 3321 "./util/configparser.y" { OUTYY(("P(dt_dnstap_log_forwarder_response_messages:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -7003,47 +6623,47 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 7007 "util/configparser.c" +#line 6627 "util/configparser.c" break; - case 589: -#line 3150 "./util/configparser.y" - { - OUTYY(("\nP(python:)\n")); + case 618: /* pythonstart: VAR_PYTHON */ +#line 3331 "./util/configparser.y" + { + OUTYY(("\nP(python:)\n")); } -#line 7015 "util/configparser.c" +#line 6635 "util/configparser.c" break; - case 593: -#line 3159 "./util/configparser.y" + case 622: /* py_script: VAR_PYTHON_SCRIPT STRING_ARG */ +#line 3340 "./util/configparser.y" { OUTYY(("P(python-script:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_append_ex(&cfg_parser->cfg->python_script, (yyvsp[0].str))) yyerror("out of memory"); } -#line 7025 "util/configparser.c" +#line 6645 "util/configparser.c" break; - case 594: -#line 3165 "./util/configparser.y" + case 623: /* dynlibstart: VAR_DYNLIB */ +#line 3346 "./util/configparser.y" { OUTYY(("\nP(dynlib:)\n")); } -#line 7033 "util/configparser.c" +#line 6653 "util/configparser.c" break; - case 598: -#line 3174 "./util/configparser.y" + case 627: /* dl_file: VAR_DYNLIB_FILE STRING_ARG */ +#line 3355 "./util/configparser.y" { OUTYY(("P(dynlib-file:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_append_ex(&cfg_parser->cfg->dynlib_file, (yyvsp[0].str))) yyerror("out of memory"); } -#line 7043 "util/configparser.c" +#line 6663 "util/configparser.c" break; - case 599: -#line 3180 "./util/configparser.y" + case 628: /* server_disable_dnssec_lame_check: VAR_DISABLE_DNSSEC_LAME_CHECK STRING_ARG */ +#line 3361 "./util/configparser.y" { OUTYY(("P(disable_dnssec_lame_check:%s)\n", (yyvsp[0].str))); if (strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -7052,21 +6672,21 @@ yyreduce: (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 7056 "util/configparser.c" +#line 6676 "util/configparser.c" break; - case 600: -#line 3190 "./util/configparser.y" + case 629: /* server_log_identity: VAR_LOG_IDENTITY STRING_ARG */ +#line 3371 "./util/configparser.y" { OUTYY(("P(server_log_identity:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->log_identity); cfg_parser->cfg->log_identity = (yyvsp[0].str); } -#line 7066 "util/configparser.c" +#line 6686 "util/configparser.c" break; - case 601: -#line 3197 "./util/configparser.y" + case 630: /* server_response_ip: VAR_RESPONSE_IP STRING_ARG STRING_ARG */ +#line 3378 "./util/configparser.y" { OUTYY(("P(server_response_ip:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str))); validate_respip_action((yyvsp[0].str)); @@ -7074,30 +6694,30 @@ yyreduce: (yyvsp[-1].str), (yyvsp[0].str))) fatal_exit("out of memory adding response-ip"); } -#line 7078 "util/configparser.c" +#line 6698 "util/configparser.c" break; - case 602: -#line 3206 "./util/configparser.y" + case 631: /* server_response_ip_data: VAR_RESPONSE_IP_DATA STRING_ARG STRING_ARG */ +#line 3387 "./util/configparser.y" { OUTYY(("P(server_response_ip_data:%s)\n", (yyvsp[-1].str))); if(!cfg_str2list_insert(&cfg_parser->cfg->respip_data, (yyvsp[-1].str), (yyvsp[0].str))) fatal_exit("out of memory adding response-ip-data"); } -#line 7089 "util/configparser.c" +#line 6709 "util/configparser.c" break; - case 603: -#line 3214 "./util/configparser.y" + case 632: /* dnscstart: VAR_DNSCRYPT */ +#line 3395 "./util/configparser.y" { OUTYY(("\nP(dnscrypt:)\n")); } -#line 7097 "util/configparser.c" +#line 6717 "util/configparser.c" break; - case 616: -#line 3230 "./util/configparser.y" + case 645: /* dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG */ +#line 3411 "./util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_enable:%s)\n", (yyvsp[0].str))); if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0) 
@@ -7105,11 +6725,11 @@ yyreduce: else cfg_parser->cfg->dnscrypt = (strcmp((yyvsp[0].str), "yes")==0); free((yyvsp[0].str)); } -#line 7109 "util/configparser.c" +#line 6729 "util/configparser.c" break; - case 617: -#line 3240 "./util/configparser.y" + case 646: /* dnsc_dnscrypt_port: VAR_DNSCRYPT_PORT STRING_ARG */ +#line 3421 "./util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_port:%s)\n", (yyvsp[0].str))); if(atoi((yyvsp[0].str)) == 0) @@ -7117,21 +6737,21 @@ yyreduce: else cfg_parser->cfg->dnscrypt_port = atoi((yyvsp[0].str)); free((yyvsp[0].str)); } -#line 7121 "util/configparser.c" +#line 6741 "util/configparser.c" break; - case 618: -#line 3249 "./util/configparser.y" + case 647: /* dnsc_dnscrypt_provider: VAR_DNSCRYPT_PROVIDER STRING_ARG */ +#line 3430 "./util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_provider:%s)\n", (yyvsp[0].str))); free(cfg_parser->cfg->dnscrypt_provider); cfg_parser->cfg->dnscrypt_provider = (yyvsp[0].str); } -#line 7131 "util/configparser.c" +#line 6751 "util/configparser.c" break; - case 619: -#line 3256 "./util/configparser.y" + case 648: /* dnsc_dnscrypt_provider_cert: VAR_DNSCRYPT_PROVIDER_CERT STRING_ARG */ +#line 3437 "./util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_provider_cert:%s)\n", (yyvsp[0].str))); if(cfg_strlist_find(cfg_parser->cfg->dnscrypt_provider_cert, (yyvsp[0].str))) 
@@ -7139,21 +6759,21 @@ yyreduce: if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_provider_cert, (yyvsp[0].str))) fatal_exit("out of memory adding dnscrypt-provider-cert"); } -#line 7143 "util/configparser.c" +#line 6763 "util/configparser.c" break; - case 620: -#line 3265 "./util/configparser.y" + case 649: /* dnsc_dnscrypt_provider_cert_rotated: VAR_DNSCRYPT_PROVIDER_CERT_ROTATED STRING_ARG */ +#line 3446 "./util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_provider_cert_rotated:%s)\n", (yyvsp[0].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_provider_cert_rotated, (yyvsp[0].str))) fatal_exit("out of memory adding dnscrypt-provider-cert-rotated"); } -#line 7153 "util/configparser.c" +#line 6773 "util/configparser.c" break; - case 621: -#line 3272 "./util/configparser.y" + case 650: /* dnsc_dnscrypt_secret_key: VAR_DNSCRYPT_SECRET_KEY STRING_ARG */ +#line 3453 "./util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_secret_key:%s)\n", (yyvsp[0].str))); if(cfg_strlist_find(cfg_parser->cfg->dnscrypt_secret_key, (yyvsp[0].str))) 
@@ -7161,73 +6781,73 @@ yyreduce: if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_secret_key, (yyvsp[0].str))) fatal_exit("out of memory adding dnscrypt-secret-key"); } -#line 7165 "util/configparser.c" +#line 6785 "util/configparser.c" break; - case 622: -#line 3281 "./util/configparser.y" + case 651: /* dnsc_dnscrypt_shared_secret_cache_size: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE STRING_ARG */ +#line 3462 "./util/configparser.y" { - OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", (yyvsp[0].str))); - if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->dnscrypt_shared_secret_cache_size)) - yyerror("memory size expected"); - free((yyvsp[0].str)); + OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", (yyvsp[0].str))); + if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->dnscrypt_shared_secret_cache_size)) + yyerror("memory size expected"); + free((yyvsp[0].str)); } -#line 7176 "util/configparser.c" +#line 6796 "util/configparser.c" break; - case 623: -#line 3289 "./util/configparser.y" + case 652: /* dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG */ +#line 3470 "./util/configparser.y" { - OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", (yyvsp[0].str))); - if(atoi((yyvsp[0].str)) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi((yyvsp[0].str)); - if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs)) - yyerror("must be a power of 2"); - } - free((yyvsp[0].str)); + OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", (yyvsp[0].str))); + if(atoi((yyvsp[0].str)) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi((yyvsp[0].str)); + if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs)) + yyerror("must be a power of 2"); + } + free((yyvsp[0].str)); } -#line 7192 "util/configparser.c" +#line 6812 "util/configparser.c" break; - case 624: -#line 3302 "./util/configparser.y" + 
case 653: /* dnsc_dnscrypt_nonce_cache_size: VAR_DNSCRYPT_NONCE_CACHE_SIZE STRING_ARG */ +#line 3483 "./util/configparser.y" { - OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", (yyvsp[0].str))); - if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->dnscrypt_nonce_cache_size)) - yyerror("memory size expected"); - free((yyvsp[0].str)); + OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", (yyvsp[0].str))); + if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->dnscrypt_nonce_cache_size)) + yyerror("memory size expected"); + free((yyvsp[0].str)); } -#line 7203 "util/configparser.c" +#line 6823 "util/configparser.c" break; - case 625: -#line 3310 "./util/configparser.y" + case 654: /* dnsc_dnscrypt_nonce_cache_slabs: VAR_DNSCRYPT_NONCE_CACHE_SLABS STRING_ARG */ +#line 3491 "./util/configparser.y" { - OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", (yyvsp[0].str))); - if(atoi((yyvsp[0].str)) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi((yyvsp[0].str)); - if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs)) - yyerror("must be a power of 2"); - } - free((yyvsp[0].str)); + OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", (yyvsp[0].str))); + if(atoi((yyvsp[0].str)) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi((yyvsp[0].str)); + if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs)) + yyerror("must be a power of 2"); + } + free((yyvsp[0].str)); } -#line 7219 "util/configparser.c" +#line 6839 "util/configparser.c" break; - case 626: -#line 3323 "./util/configparser.y" + case 655: /* cachedbstart: VAR_CACHEDB */ +#line 3504 "./util/configparser.y" { OUTYY(("\nP(cachedb:)\n")); } -#line 7227 "util/configparser.c" +#line 6847 "util/configparser.c" break; - case 635: -#line 3334 "./util/configparser.y" + case 664: /* cachedb_backend_name: VAR_CACHEDB_BACKEND STRING_ARG */ +#line 3515 "./util/configparser.y" { #ifdef USE_CACHEDB OUTYY(("P(backend:%s)\n", (yyvsp[0].str))); 
@@ -7238,11 +6858,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 7242 "util/configparser.c" +#line 6862 "util/configparser.c" break; - case 636: -#line 3346 "./util/configparser.y" + case 665: /* cachedb_secret_seed: VAR_CACHEDB_SECRETSEED STRING_ARG */ +#line 3527 "./util/configparser.y" { #ifdef USE_CACHEDB OUTYY(("P(secret-seed:%s)\n", (yyvsp[0].str))); @@ -7253,11 +6873,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 7257 "util/configparser.c" +#line 6877 "util/configparser.c" break; - case 637: -#line 3358 "./util/configparser.y" + case 666: /* redis_server_host: VAR_CACHEDB_REDISHOST STRING_ARG */ +#line 3539 "./util/configparser.y" { #if defined(USE_CACHEDB) && defined(USE_REDIS) OUTYY(("P(redis_server_host:%s)\n", (yyvsp[0].str))); @@ -7268,11 +6888,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 7272 "util/configparser.c" +#line 6892 "util/configparser.c" break; - case 638: -#line 3370 "./util/configparser.y" + case 667: /* redis_server_port: VAR_CACHEDB_REDISPORT STRING_ARG */ +#line 3551 "./util/configparser.y" { #if defined(USE_CACHEDB) && defined(USE_REDIS) int port; @@ -7286,11 +6906,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 7290 "util/configparser.c" +#line 6910 "util/configparser.c" break; - case 639: -#line 3385 "./util/configparser.y" + case 668: /* redis_timeout: VAR_CACHEDB_REDISTIMEOUT STRING_ARG */ +#line 3566 "./util/configparser.y" { #if defined(USE_CACHEDB) && defined(USE_REDIS) OUTYY(("P(redis_timeout:%s)\n", (yyvsp[0].str))); @@ -7302,11 +6922,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 7306 "util/configparser.c" +#line 6926 "util/configparser.c" break; - case 640: -#line 3398 "./util/configparser.y" + case 669: /* redis_expire_records: VAR_CACHEDB_REDISEXPIRERECORDS STRING_ARG */ +#line 3579 "./util/configparser.y" { #if defined(USE_CACHEDB) && defined(USE_REDIS) OUTYY(("P(redis_expire_records:%s)\n", (yyvsp[0].str))); 
@@ -7318,11 +6938,11 @@ yyreduce: #endif free((yyvsp[0].str)); } -#line 7322 "util/configparser.c" +#line 6942 "util/configparser.c" break; - case 641: -#line 3411 "./util/configparser.y" + case 670: /* server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG */ +#line 3592 "./util/configparser.y" { OUTYY(("P(server_tcp_connection_limit:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str))); if (atoi((yyvsp[0].str)) < 0) @@ -7332,19 +6952,19 @@ yyreduce: fatal_exit("out of memory adding tcp connection limit"); } } -#line 7336 "util/configparser.c" +#line 6956 "util/configparser.c" break; - case 642: -#line 3422 "./util/configparser.y" + case 671: /* ipsetstart: VAR_IPSET */ +#line 3603 "./util/configparser.y" { OUTYY(("\nP(ipset:)\n")); } -#line 7344 "util/configparser.c" +#line 6964 "util/configparser.c" break; - case 647: -#line 3431 "./util/configparser.y" + case 676: /* ipset_name_v4: VAR_IPSET_NAME_V4 STRING_ARG */ +#line 3612 "./util/configparser.y" { #ifdef USE_IPSET OUTYY(("P(name-v4:%s)\n", (yyvsp[0].str))); @@ -7358,11 +6978,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 7362 "util/configparser.c" +#line 6982 "util/configparser.c" break; - case 648: -#line 3446 "./util/configparser.y" + case 677: /* ipset_name_v6: VAR_IPSET_NAME_V6 STRING_ARG */ +#line 3627 "./util/configparser.y" { #ifdef USE_IPSET OUTYY(("P(name-v6:%s)\n", (yyvsp[0].str))); @@ -7376,11 +6996,11 @@ yyreduce: free((yyvsp[0].str)); #endif } -#line 7380 "util/configparser.c" +#line 7000 "util/configparser.c" break; -#line 7384 "util/configparser.c" +#line 7004 "util/configparser.c" default: break; } 
@@ -7540,13 +7160,13 @@ yyabortlab: yyexhaustedlab: yyerror (YY_("memory exhausted")); yyresult = 2; - /* Fall through. */ + goto yyreturn; #endif -/*-----------------------------------------------------. -| yyreturn -- parsing is finished, return the result. | -`-----------------------------------------------------*/ +/*-------------------------------------------------------. +| yyreturn -- parsing is finished, clean up and return. | +`-------------------------------------------------------*/ yyreturn: if (yychar != YYEMPTY) { @@ -7574,7 +7194,7 @@ yyreturn: return yyresult; } -#line 3460 "./util/configparser.y" +#line 3641 "./util/configparser.y" /* parse helper routines could be here */ diff --git a/util/configparser.h b/util/configparser.h index fcbb51ec4..c299937c8 100644 --- a/util/configparser.h +++ b/util/configparser.h @@ -1,8 +1,8 @@ -/* A Bison parser, made by GNU Bison 3.6.4. */ +/* A Bison parser, made by GNU Bison 3.7.6. */ /* Bison interface for Yacc-like parsers in C - Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2020 Free Software Foundation, + Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify @@ -16,7 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program. If not, see . */ + along with this program. If not, see . */ /* As a special exception, you may create a larger work that contains part or all of the Bison parser skeleton and distribute that work 
@@ -156,216 +156,231 @@ extern int yydebug; VAR_CONTROL_KEY_FILE = 357, /* VAR_CONTROL_KEY_FILE */ VAR_CONTROL_CERT_FILE = 358, /* VAR_CONTROL_CERT_FILE */ VAR_CONTROL_USE_CERT = 359, /* VAR_CONTROL_USE_CERT */ - VAR_EXTENDED_STATISTICS = 360, /* VAR_EXTENDED_STATISTICS */ - VAR_LOCAL_DATA_PTR = 361, /* VAR_LOCAL_DATA_PTR */ - VAR_JOSTLE_TIMEOUT = 362, /* VAR_JOSTLE_TIMEOUT */ - VAR_STUB_PRIME = 363, /* VAR_STUB_PRIME */ - VAR_UNWANTED_REPLY_THRESHOLD = 364, /* VAR_UNWANTED_REPLY_THRESHOLD */ - VAR_LOG_TIME_ASCII = 365, /* VAR_LOG_TIME_ASCII */ - VAR_DOMAIN_INSECURE = 366, /* VAR_DOMAIN_INSECURE */ - VAR_PYTHON = 367, /* VAR_PYTHON */ - VAR_PYTHON_SCRIPT = 368, /* VAR_PYTHON_SCRIPT */ - VAR_VAL_SIG_SKEW_MIN = 369, /* VAR_VAL_SIG_SKEW_MIN */ - VAR_VAL_SIG_SKEW_MAX = 370, /* VAR_VAL_SIG_SKEW_MAX */ - VAR_CACHE_MIN_TTL = 371, /* VAR_CACHE_MIN_TTL */ - VAR_VAL_LOG_LEVEL = 372, /* VAR_VAL_LOG_LEVEL */ - VAR_AUTO_TRUST_ANCHOR_FILE = 373, /* VAR_AUTO_TRUST_ANCHOR_FILE */ - VAR_KEEP_MISSING = 374, /* VAR_KEEP_MISSING */ - VAR_ADD_HOLDDOWN = 375, /* VAR_ADD_HOLDDOWN */ - VAR_DEL_HOLDDOWN = 376, /* VAR_DEL_HOLDDOWN */ - VAR_SO_RCVBUF = 377, /* VAR_SO_RCVBUF */ - VAR_EDNS_BUFFER_SIZE = 378, /* VAR_EDNS_BUFFER_SIZE */ - VAR_PREFETCH = 379, /* VAR_PREFETCH */ - VAR_PREFETCH_KEY = 380, /* VAR_PREFETCH_KEY */ - VAR_SO_SNDBUF = 381, /* VAR_SO_SNDBUF */ - VAR_SO_REUSEPORT = 382, /* VAR_SO_REUSEPORT */ - VAR_HARDEN_BELOW_NXDOMAIN = 383, /* VAR_HARDEN_BELOW_NXDOMAIN */ - VAR_IGNORE_CD_FLAG = 384, /* VAR_IGNORE_CD_FLAG */ - VAR_LOG_QUERIES = 385, /* VAR_LOG_QUERIES */ - VAR_LOG_REPLIES = 386, /* VAR_LOG_REPLIES */ - VAR_LOG_LOCAL_ACTIONS = 387, /* VAR_LOG_LOCAL_ACTIONS */ - VAR_TCP_UPSTREAM = 388, /* VAR_TCP_UPSTREAM */ - VAR_SSL_UPSTREAM = 389, /* VAR_SSL_UPSTREAM */ - VAR_SSL_SERVICE_KEY = 390, /* VAR_SSL_SERVICE_KEY */ - VAR_SSL_SERVICE_PEM = 391, /* VAR_SSL_SERVICE_PEM */ - VAR_SSL_PORT = 392, /* VAR_SSL_PORT */ - VAR_FORWARD_FIRST = 393, /* VAR_FORWARD_FIRST */ - 
VAR_STUB_SSL_UPSTREAM = 394, /* VAR_STUB_SSL_UPSTREAM */ - VAR_FORWARD_SSL_UPSTREAM = 395, /* VAR_FORWARD_SSL_UPSTREAM */ - VAR_TLS_CERT_BUNDLE = 396, /* VAR_TLS_CERT_BUNDLE */ - VAR_HTTPS_PORT = 397, /* VAR_HTTPS_PORT */ - VAR_HTTP_ENDPOINT = 398, /* VAR_HTTP_ENDPOINT */ - VAR_HTTP_MAX_STREAMS = 399, /* VAR_HTTP_MAX_STREAMS */ - VAR_HTTP_QUERY_BUFFER_SIZE = 400, /* VAR_HTTP_QUERY_BUFFER_SIZE */ - VAR_HTTP_RESPONSE_BUFFER_SIZE = 401, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */ - VAR_HTTP_NODELAY = 402, /* VAR_HTTP_NODELAY */ - VAR_HTTP_NOTLS_DOWNSTREAM = 403, /* VAR_HTTP_NOTLS_DOWNSTREAM */ - VAR_STUB_FIRST = 404, /* VAR_STUB_FIRST */ - VAR_MINIMAL_RESPONSES = 405, /* VAR_MINIMAL_RESPONSES */ - VAR_RRSET_ROUNDROBIN = 406, /* VAR_RRSET_ROUNDROBIN */ - VAR_MAX_UDP_SIZE = 407, /* VAR_MAX_UDP_SIZE */ - VAR_DELAY_CLOSE = 408, /* VAR_DELAY_CLOSE */ - VAR_UDP_CONNECT = 409, /* VAR_UDP_CONNECT */ - VAR_UNBLOCK_LAN_ZONES = 410, /* VAR_UNBLOCK_LAN_ZONES */ - VAR_INSECURE_LAN_ZONES = 411, /* VAR_INSECURE_LAN_ZONES */ - VAR_INFRA_CACHE_MIN_RTT = 412, /* VAR_INFRA_CACHE_MIN_RTT */ - VAR_INFRA_KEEP_PROBING = 413, /* VAR_INFRA_KEEP_PROBING */ - VAR_DNS64_PREFIX = 414, /* VAR_DNS64_PREFIX */ - VAR_DNS64_SYNTHALL = 415, /* VAR_DNS64_SYNTHALL */ - VAR_DNS64_IGNORE_AAAA = 416, /* VAR_DNS64_IGNORE_AAAA */ - VAR_DNSTAP = 417, /* VAR_DNSTAP */ - VAR_DNSTAP_ENABLE = 418, /* VAR_DNSTAP_ENABLE */ - VAR_DNSTAP_SOCKET_PATH = 419, /* VAR_DNSTAP_SOCKET_PATH */ - VAR_DNSTAP_IP = 420, /* VAR_DNSTAP_IP */ - VAR_DNSTAP_TLS = 421, /* VAR_DNSTAP_TLS */ - VAR_DNSTAP_TLS_SERVER_NAME = 422, /* VAR_DNSTAP_TLS_SERVER_NAME */ - VAR_DNSTAP_TLS_CERT_BUNDLE = 423, /* VAR_DNSTAP_TLS_CERT_BUNDLE */ - VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 424, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */ - VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 425, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */ - VAR_DNSTAP_SEND_IDENTITY = 426, /* VAR_DNSTAP_SEND_IDENTITY */ - VAR_DNSTAP_SEND_VERSION = 427, /* VAR_DNSTAP_SEND_VERSION */ - VAR_DNSTAP_BIDIRECTIONAL = 428, /* 
VAR_DNSTAP_BIDIRECTIONAL */ - VAR_DNSTAP_IDENTITY = 429, /* VAR_DNSTAP_IDENTITY */ - VAR_DNSTAP_VERSION = 430, /* VAR_DNSTAP_VERSION */ - VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 431, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 432, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */ - VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 433, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 434, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */ - VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 435, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */ - VAR_RESPONSE_IP_TAG = 437, /* VAR_RESPONSE_IP_TAG */ - VAR_RESPONSE_IP = 438, /* VAR_RESPONSE_IP */ - VAR_RESPONSE_IP_DATA = 439, /* VAR_RESPONSE_IP_DATA */ - VAR_HARDEN_ALGO_DOWNGRADE = 440, /* VAR_HARDEN_ALGO_DOWNGRADE */ - VAR_IP_TRANSPARENT = 441, /* VAR_IP_TRANSPARENT */ - VAR_IP_DSCP = 442, /* VAR_IP_DSCP */ - VAR_DISABLE_DNSSEC_LAME_CHECK = 443, /* VAR_DISABLE_DNSSEC_LAME_CHECK */ - VAR_IP_RATELIMIT = 444, /* VAR_IP_RATELIMIT */ - VAR_IP_RATELIMIT_SLABS = 445, /* VAR_IP_RATELIMIT_SLABS */ - VAR_IP_RATELIMIT_SIZE = 446, /* VAR_IP_RATELIMIT_SIZE */ - VAR_RATELIMIT = 447, /* VAR_RATELIMIT */ - VAR_RATELIMIT_SLABS = 448, /* VAR_RATELIMIT_SLABS */ - VAR_RATELIMIT_SIZE = 449, /* VAR_RATELIMIT_SIZE */ - VAR_RATELIMIT_FOR_DOMAIN = 450, /* VAR_RATELIMIT_FOR_DOMAIN */ - VAR_RATELIMIT_BELOW_DOMAIN = 451, /* VAR_RATELIMIT_BELOW_DOMAIN */ - VAR_IP_RATELIMIT_FACTOR = 452, /* VAR_IP_RATELIMIT_FACTOR */ - VAR_RATELIMIT_FACTOR = 453, /* VAR_RATELIMIT_FACTOR */ - VAR_SEND_CLIENT_SUBNET = 454, /* VAR_SEND_CLIENT_SUBNET */ - VAR_CLIENT_SUBNET_ZONE = 455, /* VAR_CLIENT_SUBNET_ZONE */ - VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 456, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */ - VAR_CLIENT_SUBNET_OPCODE = 457, /* VAR_CLIENT_SUBNET_OPCODE */ - VAR_MAX_CLIENT_SUBNET_IPV4 = 458, /* 
VAR_MAX_CLIENT_SUBNET_IPV4 */ - VAR_MAX_CLIENT_SUBNET_IPV6 = 459, /* VAR_MAX_CLIENT_SUBNET_IPV6 */ - VAR_MIN_CLIENT_SUBNET_IPV4 = 460, /* VAR_MIN_CLIENT_SUBNET_IPV4 */ - VAR_MIN_CLIENT_SUBNET_IPV6 = 461, /* VAR_MIN_CLIENT_SUBNET_IPV6 */ - VAR_MAX_ECS_TREE_SIZE_IPV4 = 462, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */ - VAR_MAX_ECS_TREE_SIZE_IPV6 = 463, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */ - VAR_CAPS_WHITELIST = 464, /* VAR_CAPS_WHITELIST */ - VAR_CACHE_MAX_NEGATIVE_TTL = 465, /* VAR_CACHE_MAX_NEGATIVE_TTL */ - VAR_PERMIT_SMALL_HOLDDOWN = 466, /* VAR_PERMIT_SMALL_HOLDDOWN */ - VAR_QNAME_MINIMISATION = 467, /* VAR_QNAME_MINIMISATION */ - VAR_QNAME_MINIMISATION_STRICT = 468, /* VAR_QNAME_MINIMISATION_STRICT */ - VAR_IP_FREEBIND = 469, /* VAR_IP_FREEBIND */ - VAR_DEFINE_TAG = 470, /* VAR_DEFINE_TAG */ - VAR_LOCAL_ZONE_TAG = 471, /* VAR_LOCAL_ZONE_TAG */ - VAR_ACCESS_CONTROL_TAG = 472, /* VAR_ACCESS_CONTROL_TAG */ - VAR_LOCAL_ZONE_OVERRIDE = 473, /* VAR_LOCAL_ZONE_OVERRIDE */ - VAR_ACCESS_CONTROL_TAG_ACTION = 474, /* VAR_ACCESS_CONTROL_TAG_ACTION */ - VAR_ACCESS_CONTROL_TAG_DATA = 475, /* VAR_ACCESS_CONTROL_TAG_DATA */ - VAR_VIEW = 476, /* VAR_VIEW */ - VAR_ACCESS_CONTROL_VIEW = 477, /* VAR_ACCESS_CONTROL_VIEW */ - VAR_VIEW_FIRST = 478, /* VAR_VIEW_FIRST */ - VAR_SERVE_EXPIRED = 479, /* VAR_SERVE_EXPIRED */ - VAR_SERVE_EXPIRED_TTL = 480, /* VAR_SERVE_EXPIRED_TTL */ - VAR_SERVE_EXPIRED_TTL_RESET = 481, /* VAR_SERVE_EXPIRED_TTL_RESET */ - VAR_SERVE_EXPIRED_REPLY_TTL = 482, /* VAR_SERVE_EXPIRED_REPLY_TTL */ - VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 483, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */ - VAR_SERVE_ORIGINAL_TTL = 484, /* VAR_SERVE_ORIGINAL_TTL */ - VAR_FAKE_DSA = 485, /* VAR_FAKE_DSA */ - VAR_FAKE_SHA1 = 486, /* VAR_FAKE_SHA1 */ - VAR_LOG_IDENTITY = 487, /* VAR_LOG_IDENTITY */ - VAR_HIDE_TRUSTANCHOR = 488, /* VAR_HIDE_TRUSTANCHOR */ - VAR_TRUST_ANCHOR_SIGNALING = 489, /* VAR_TRUST_ANCHOR_SIGNALING */ - VAR_AGGRESSIVE_NSEC = 490, /* VAR_AGGRESSIVE_NSEC */ - VAR_USE_SYSTEMD = 491, /* 
VAR_USE_SYSTEMD */ - VAR_SHM_ENABLE = 492, /* VAR_SHM_ENABLE */ - VAR_SHM_KEY = 493, /* VAR_SHM_KEY */ - VAR_ROOT_KEY_SENTINEL = 494, /* VAR_ROOT_KEY_SENTINEL */ - VAR_DNSCRYPT = 495, /* VAR_DNSCRYPT */ - VAR_DNSCRYPT_ENABLE = 496, /* VAR_DNSCRYPT_ENABLE */ - VAR_DNSCRYPT_PORT = 497, /* VAR_DNSCRYPT_PORT */ - VAR_DNSCRYPT_PROVIDER = 498, /* VAR_DNSCRYPT_PROVIDER */ - VAR_DNSCRYPT_SECRET_KEY = 499, /* VAR_DNSCRYPT_SECRET_KEY */ - VAR_DNSCRYPT_PROVIDER_CERT = 500, /* VAR_DNSCRYPT_PROVIDER_CERT */ - VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 501, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */ - VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 502, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */ - VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 503, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */ - VAR_DNSCRYPT_NONCE_CACHE_SIZE = 504, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */ - VAR_DNSCRYPT_NONCE_CACHE_SLABS = 505, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */ - VAR_PAD_RESPONSES = 506, /* VAR_PAD_RESPONSES */ - VAR_PAD_RESPONSES_BLOCK_SIZE = 507, /* VAR_PAD_RESPONSES_BLOCK_SIZE */ - VAR_PAD_QUERIES = 508, /* VAR_PAD_QUERIES */ - VAR_PAD_QUERIES_BLOCK_SIZE = 509, /* VAR_PAD_QUERIES_BLOCK_SIZE */ - VAR_IPSECMOD_ENABLED = 510, /* VAR_IPSECMOD_ENABLED */ - VAR_IPSECMOD_HOOK = 511, /* VAR_IPSECMOD_HOOK */ - VAR_IPSECMOD_IGNORE_BOGUS = 512, /* VAR_IPSECMOD_IGNORE_BOGUS */ - VAR_IPSECMOD_MAX_TTL = 513, /* VAR_IPSECMOD_MAX_TTL */ - VAR_IPSECMOD_WHITELIST = 514, /* VAR_IPSECMOD_WHITELIST */ - VAR_IPSECMOD_STRICT = 515, /* VAR_IPSECMOD_STRICT */ - VAR_CACHEDB = 516, /* VAR_CACHEDB */ - VAR_CACHEDB_BACKEND = 517, /* VAR_CACHEDB_BACKEND */ - VAR_CACHEDB_SECRETSEED = 518, /* VAR_CACHEDB_SECRETSEED */ - VAR_CACHEDB_REDISHOST = 519, /* VAR_CACHEDB_REDISHOST */ - VAR_CACHEDB_REDISPORT = 520, /* VAR_CACHEDB_REDISPORT */ - VAR_CACHEDB_REDISTIMEOUT = 521, /* VAR_CACHEDB_REDISTIMEOUT */ - VAR_CACHEDB_REDISEXPIRERECORDS = 522, /* VAR_CACHEDB_REDISEXPIRERECORDS */ - VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 523, /* 
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */ - VAR_FOR_UPSTREAM = 524, /* VAR_FOR_UPSTREAM */ - VAR_AUTH_ZONE = 525, /* VAR_AUTH_ZONE */ - VAR_ZONEFILE = 526, /* VAR_ZONEFILE */ - VAR_MASTER = 527, /* VAR_MASTER */ - VAR_URL = 528, /* VAR_URL */ - VAR_FOR_DOWNSTREAM = 529, /* VAR_FOR_DOWNSTREAM */ - VAR_FALLBACK_ENABLED = 530, /* VAR_FALLBACK_ENABLED */ - VAR_TLS_ADDITIONAL_PORT = 531, /* VAR_TLS_ADDITIONAL_PORT */ - VAR_LOW_RTT = 532, /* VAR_LOW_RTT */ - VAR_LOW_RTT_PERMIL = 533, /* VAR_LOW_RTT_PERMIL */ - VAR_FAST_SERVER_PERMIL = 534, /* VAR_FAST_SERVER_PERMIL */ - VAR_FAST_SERVER_NUM = 535, /* VAR_FAST_SERVER_NUM */ - VAR_ALLOW_NOTIFY = 536, /* VAR_ALLOW_NOTIFY */ - VAR_TLS_WIN_CERT = 537, /* VAR_TLS_WIN_CERT */ - VAR_TCP_CONNECTION_LIMIT = 538, /* VAR_TCP_CONNECTION_LIMIT */ - VAR_FORWARD_NO_CACHE = 539, /* VAR_FORWARD_NO_CACHE */ - VAR_STUB_NO_CACHE = 540, /* VAR_STUB_NO_CACHE */ - VAR_LOG_SERVFAIL = 541, /* VAR_LOG_SERVFAIL */ - VAR_DENY_ANY = 542, /* VAR_DENY_ANY */ - VAR_UNKNOWN_SERVER_TIME_LIMIT = 543, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */ - VAR_LOG_TAG_QUERYREPLY = 544, /* VAR_LOG_TAG_QUERYREPLY */ - VAR_STREAM_WAIT_SIZE = 545, /* VAR_STREAM_WAIT_SIZE */ - VAR_TLS_CIPHERS = 546, /* VAR_TLS_CIPHERS */ - VAR_TLS_CIPHERSUITES = 547, /* VAR_TLS_CIPHERSUITES */ - VAR_TLS_USE_SNI = 548, /* VAR_TLS_USE_SNI */ - VAR_IPSET = 549, /* VAR_IPSET */ - VAR_IPSET_NAME_V4 = 550, /* VAR_IPSET_NAME_V4 */ - VAR_IPSET_NAME_V6 = 551, /* VAR_IPSET_NAME_V6 */ - VAR_TLS_SESSION_TICKET_KEYS = 552, /* VAR_TLS_SESSION_TICKET_KEYS */ - VAR_RPZ = 553, /* VAR_RPZ */ - VAR_TAGS = 554, /* VAR_TAGS */ - VAR_RPZ_ACTION_OVERRIDE = 555, /* VAR_RPZ_ACTION_OVERRIDE */ - VAR_RPZ_CNAME_OVERRIDE = 556, /* VAR_RPZ_CNAME_OVERRIDE */ - VAR_RPZ_LOG = 557, /* VAR_RPZ_LOG */ - VAR_RPZ_LOG_NAME = 558, /* VAR_RPZ_LOG_NAME */ - VAR_DYNLIB = 559, /* VAR_DYNLIB */ - VAR_DYNLIB_FILE = 560, /* VAR_DYNLIB_FILE */ - VAR_EDNS_CLIENT_STRING = 561, /* VAR_EDNS_CLIENT_STRING */ - VAR_EDNS_CLIENT_STRING_OPCODE = 562, /* 
VAR_EDNS_CLIENT_STRING_OPCODE */ - VAR_NSID = 563, /* VAR_NSID */ - VAR_ZONEMD_PERMISSIVE_MODE = 564, /* VAR_ZONEMD_PERMISSIVE_MODE */ - VAR_ZONEMD_REJECT_ABSENCE = 565 /* VAR_ZONEMD_REJECT_ABSENCE */ + VAR_TCP_REUSE_TIMEOUT = 360, /* VAR_TCP_REUSE_TIMEOUT */ + VAR_MAX_REUSE_TCP_QUERIES = 361, /* VAR_MAX_REUSE_TCP_QUERIES */ + VAR_EXTENDED_STATISTICS = 362, /* VAR_EXTENDED_STATISTICS */ + VAR_LOCAL_DATA_PTR = 363, /* VAR_LOCAL_DATA_PTR */ + VAR_JOSTLE_TIMEOUT = 364, /* VAR_JOSTLE_TIMEOUT */ + VAR_STUB_PRIME = 365, /* VAR_STUB_PRIME */ + VAR_UNWANTED_REPLY_THRESHOLD = 366, /* VAR_UNWANTED_REPLY_THRESHOLD */ + VAR_LOG_TIME_ASCII = 367, /* VAR_LOG_TIME_ASCII */ + VAR_DOMAIN_INSECURE = 368, /* VAR_DOMAIN_INSECURE */ + VAR_PYTHON = 369, /* VAR_PYTHON */ + VAR_PYTHON_SCRIPT = 370, /* VAR_PYTHON_SCRIPT */ + VAR_VAL_SIG_SKEW_MIN = 371, /* VAR_VAL_SIG_SKEW_MIN */ + VAR_VAL_SIG_SKEW_MAX = 372, /* VAR_VAL_SIG_SKEW_MAX */ + VAR_VAL_MAX_RESTART = 373, /* VAR_VAL_MAX_RESTART */ + VAR_CACHE_MIN_TTL = 374, /* VAR_CACHE_MIN_TTL */ + VAR_VAL_LOG_LEVEL = 375, /* VAR_VAL_LOG_LEVEL */ + VAR_AUTO_TRUST_ANCHOR_FILE = 376, /* VAR_AUTO_TRUST_ANCHOR_FILE */ + VAR_KEEP_MISSING = 377, /* VAR_KEEP_MISSING */ + VAR_ADD_HOLDDOWN = 378, /* VAR_ADD_HOLDDOWN */ + VAR_DEL_HOLDDOWN = 379, /* VAR_DEL_HOLDDOWN */ + VAR_SO_RCVBUF = 380, /* VAR_SO_RCVBUF */ + VAR_EDNS_BUFFER_SIZE = 381, /* VAR_EDNS_BUFFER_SIZE */ + VAR_PREFETCH = 382, /* VAR_PREFETCH */ + VAR_PREFETCH_KEY = 383, /* VAR_PREFETCH_KEY */ + VAR_SO_SNDBUF = 384, /* VAR_SO_SNDBUF */ + VAR_SO_REUSEPORT = 385, /* VAR_SO_REUSEPORT */ + VAR_HARDEN_BELOW_NXDOMAIN = 386, /* VAR_HARDEN_BELOW_NXDOMAIN */ + VAR_IGNORE_CD_FLAG = 387, /* VAR_IGNORE_CD_FLAG */ + VAR_LOG_QUERIES = 388, /* VAR_LOG_QUERIES */ + VAR_LOG_REPLIES = 389, /* VAR_LOG_REPLIES */ + VAR_LOG_LOCAL_ACTIONS = 390, /* VAR_LOG_LOCAL_ACTIONS */ + VAR_TCP_UPSTREAM = 391, /* VAR_TCP_UPSTREAM */ + VAR_SSL_UPSTREAM = 392, /* VAR_SSL_UPSTREAM */ + VAR_TCP_AUTH_QUERY_TIMEOUT = 393, /* 
VAR_TCP_AUTH_QUERY_TIMEOUT */ + VAR_SSL_SERVICE_KEY = 394, /* VAR_SSL_SERVICE_KEY */ + VAR_SSL_SERVICE_PEM = 395, /* VAR_SSL_SERVICE_PEM */ + VAR_SSL_PORT = 396, /* VAR_SSL_PORT */ + VAR_FORWARD_FIRST = 397, /* VAR_FORWARD_FIRST */ + VAR_STUB_SSL_UPSTREAM = 398, /* VAR_STUB_SSL_UPSTREAM */ + VAR_FORWARD_SSL_UPSTREAM = 399, /* VAR_FORWARD_SSL_UPSTREAM */ + VAR_TLS_CERT_BUNDLE = 400, /* VAR_TLS_CERT_BUNDLE */ + VAR_STUB_TCP_UPSTREAM = 401, /* VAR_STUB_TCP_UPSTREAM */ + VAR_FORWARD_TCP_UPSTREAM = 402, /* VAR_FORWARD_TCP_UPSTREAM */ + VAR_HTTPS_PORT = 403, /* VAR_HTTPS_PORT */ + VAR_HTTP_ENDPOINT = 404, /* VAR_HTTP_ENDPOINT */ + VAR_HTTP_MAX_STREAMS = 405, /* VAR_HTTP_MAX_STREAMS */ + VAR_HTTP_QUERY_BUFFER_SIZE = 406, /* VAR_HTTP_QUERY_BUFFER_SIZE */ + VAR_HTTP_RESPONSE_BUFFER_SIZE = 407, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */ + VAR_HTTP_NODELAY = 408, /* VAR_HTTP_NODELAY */ + VAR_HTTP_NOTLS_DOWNSTREAM = 409, /* VAR_HTTP_NOTLS_DOWNSTREAM */ + VAR_STUB_FIRST = 410, /* VAR_STUB_FIRST */ + VAR_MINIMAL_RESPONSES = 411, /* VAR_MINIMAL_RESPONSES */ + VAR_RRSET_ROUNDROBIN = 412, /* VAR_RRSET_ROUNDROBIN */ + VAR_MAX_UDP_SIZE = 413, /* VAR_MAX_UDP_SIZE */ + VAR_DELAY_CLOSE = 414, /* VAR_DELAY_CLOSE */ + VAR_UDP_CONNECT = 415, /* VAR_UDP_CONNECT */ + VAR_UNBLOCK_LAN_ZONES = 416, /* VAR_UNBLOCK_LAN_ZONES */ + VAR_INSECURE_LAN_ZONES = 417, /* VAR_INSECURE_LAN_ZONES */ + VAR_INFRA_CACHE_MIN_RTT = 418, /* VAR_INFRA_CACHE_MIN_RTT */ + VAR_INFRA_KEEP_PROBING = 419, /* VAR_INFRA_KEEP_PROBING */ + VAR_DNS64_PREFIX = 420, /* VAR_DNS64_PREFIX */ + VAR_DNS64_SYNTHALL = 421, /* VAR_DNS64_SYNTHALL */ + VAR_DNS64_IGNORE_AAAA = 422, /* VAR_DNS64_IGNORE_AAAA */ + VAR_DNSTAP = 423, /* VAR_DNSTAP */ + VAR_DNSTAP_ENABLE = 424, /* VAR_DNSTAP_ENABLE */ + VAR_DNSTAP_SOCKET_PATH = 425, /* VAR_DNSTAP_SOCKET_PATH */ + VAR_DNSTAP_IP = 426, /* VAR_DNSTAP_IP */ + VAR_DNSTAP_TLS = 427, /* VAR_DNSTAP_TLS */ + VAR_DNSTAP_TLS_SERVER_NAME = 428, /* VAR_DNSTAP_TLS_SERVER_NAME */ + VAR_DNSTAP_TLS_CERT_BUNDLE = 429, 
/* VAR_DNSTAP_TLS_CERT_BUNDLE */ + VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 430, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */ + VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 431, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */ + VAR_DNSTAP_SEND_IDENTITY = 432, /* VAR_DNSTAP_SEND_IDENTITY */ + VAR_DNSTAP_SEND_VERSION = 433, /* VAR_DNSTAP_SEND_VERSION */ + VAR_DNSTAP_BIDIRECTIONAL = 434, /* VAR_DNSTAP_BIDIRECTIONAL */ + VAR_DNSTAP_IDENTITY = 435, /* VAR_DNSTAP_IDENTITY */ + VAR_DNSTAP_VERSION = 436, /* VAR_DNSTAP_VERSION */ + VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 437, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */ + VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 438, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */ + VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 439, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */ + VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 440, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */ + VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 441, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */ + VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 442, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */ + VAR_RESPONSE_IP_TAG = 443, /* VAR_RESPONSE_IP_TAG */ + VAR_RESPONSE_IP = 444, /* VAR_RESPONSE_IP */ + VAR_RESPONSE_IP_DATA = 445, /* VAR_RESPONSE_IP_DATA */ + VAR_HARDEN_ALGO_DOWNGRADE = 446, /* VAR_HARDEN_ALGO_DOWNGRADE */ + VAR_IP_TRANSPARENT = 447, /* VAR_IP_TRANSPARENT */ + VAR_IP_DSCP = 448, /* VAR_IP_DSCP */ + VAR_DISABLE_DNSSEC_LAME_CHECK = 449, /* VAR_DISABLE_DNSSEC_LAME_CHECK */ + VAR_IP_RATELIMIT = 450, /* VAR_IP_RATELIMIT */ + VAR_IP_RATELIMIT_SLABS = 451, /* VAR_IP_RATELIMIT_SLABS */ + VAR_IP_RATELIMIT_SIZE = 452, /* VAR_IP_RATELIMIT_SIZE */ + VAR_RATELIMIT = 453, /* VAR_RATELIMIT */ + VAR_RATELIMIT_SLABS = 454, /* VAR_RATELIMIT_SLABS */ + VAR_RATELIMIT_SIZE = 455, /* VAR_RATELIMIT_SIZE */ + VAR_OUTBOUND_MSG_RETRY = 456, /* VAR_OUTBOUND_MSG_RETRY */ + VAR_RATELIMIT_FOR_DOMAIN = 457, /* VAR_RATELIMIT_FOR_DOMAIN */ + VAR_RATELIMIT_BELOW_DOMAIN = 458, /* VAR_RATELIMIT_BELOW_DOMAIN */ + VAR_IP_RATELIMIT_FACTOR = 
459, /* VAR_IP_RATELIMIT_FACTOR */ + VAR_RATELIMIT_FACTOR = 460, /* VAR_RATELIMIT_FACTOR */ + VAR_IP_RATELIMIT_BACKOFF = 461, /* VAR_IP_RATELIMIT_BACKOFF */ + VAR_RATELIMIT_BACKOFF = 462, /* VAR_RATELIMIT_BACKOFF */ + VAR_SEND_CLIENT_SUBNET = 463, /* VAR_SEND_CLIENT_SUBNET */ + VAR_CLIENT_SUBNET_ZONE = 464, /* VAR_CLIENT_SUBNET_ZONE */ + VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 465, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */ + VAR_CLIENT_SUBNET_OPCODE = 466, /* VAR_CLIENT_SUBNET_OPCODE */ + VAR_MAX_CLIENT_SUBNET_IPV4 = 467, /* VAR_MAX_CLIENT_SUBNET_IPV4 */ + VAR_MAX_CLIENT_SUBNET_IPV6 = 468, /* VAR_MAX_CLIENT_SUBNET_IPV6 */ + VAR_MIN_CLIENT_SUBNET_IPV4 = 469, /* VAR_MIN_CLIENT_SUBNET_IPV4 */ + VAR_MIN_CLIENT_SUBNET_IPV6 = 470, /* VAR_MIN_CLIENT_SUBNET_IPV6 */ + VAR_MAX_ECS_TREE_SIZE_IPV4 = 471, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */ + VAR_MAX_ECS_TREE_SIZE_IPV6 = 472, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */ + VAR_CAPS_WHITELIST = 473, /* VAR_CAPS_WHITELIST */ + VAR_CACHE_MAX_NEGATIVE_TTL = 474, /* VAR_CACHE_MAX_NEGATIVE_TTL */ + VAR_PERMIT_SMALL_HOLDDOWN = 475, /* VAR_PERMIT_SMALL_HOLDDOWN */ + VAR_QNAME_MINIMISATION = 476, /* VAR_QNAME_MINIMISATION */ + VAR_QNAME_MINIMISATION_STRICT = 477, /* VAR_QNAME_MINIMISATION_STRICT */ + VAR_IP_FREEBIND = 478, /* VAR_IP_FREEBIND */ + VAR_DEFINE_TAG = 479, /* VAR_DEFINE_TAG */ + VAR_LOCAL_ZONE_TAG = 480, /* VAR_LOCAL_ZONE_TAG */ + VAR_ACCESS_CONTROL_TAG = 481, /* VAR_ACCESS_CONTROL_TAG */ + VAR_LOCAL_ZONE_OVERRIDE = 482, /* VAR_LOCAL_ZONE_OVERRIDE */ + VAR_ACCESS_CONTROL_TAG_ACTION = 483, /* VAR_ACCESS_CONTROL_TAG_ACTION */ + VAR_ACCESS_CONTROL_TAG_DATA = 484, /* VAR_ACCESS_CONTROL_TAG_DATA */ + VAR_VIEW = 485, /* VAR_VIEW */ + VAR_ACCESS_CONTROL_VIEW = 486, /* VAR_ACCESS_CONTROL_VIEW */ + VAR_VIEW_FIRST = 487, /* VAR_VIEW_FIRST */ + VAR_SERVE_EXPIRED = 488, /* VAR_SERVE_EXPIRED */ + VAR_SERVE_EXPIRED_TTL = 489, /* VAR_SERVE_EXPIRED_TTL */ + VAR_SERVE_EXPIRED_TTL_RESET = 490, /* VAR_SERVE_EXPIRED_TTL_RESET */ + VAR_SERVE_EXPIRED_REPLY_TTL = 491, /* 
VAR_SERVE_EXPIRED_REPLY_TTL */ + VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 492, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */ + VAR_SERVE_ORIGINAL_TTL = 493, /* VAR_SERVE_ORIGINAL_TTL */ + VAR_FAKE_DSA = 494, /* VAR_FAKE_DSA */ + VAR_FAKE_SHA1 = 495, /* VAR_FAKE_SHA1 */ + VAR_LOG_IDENTITY = 496, /* VAR_LOG_IDENTITY */ + VAR_HIDE_TRUSTANCHOR = 497, /* VAR_HIDE_TRUSTANCHOR */ + VAR_HIDE_HTTP_USER_AGENT = 498, /* VAR_HIDE_HTTP_USER_AGENT */ + VAR_HTTP_USER_AGENT = 499, /* VAR_HTTP_USER_AGENT */ + VAR_TRUST_ANCHOR_SIGNALING = 500, /* VAR_TRUST_ANCHOR_SIGNALING */ + VAR_AGGRESSIVE_NSEC = 501, /* VAR_AGGRESSIVE_NSEC */ + VAR_USE_SYSTEMD = 502, /* VAR_USE_SYSTEMD */ + VAR_SHM_ENABLE = 503, /* VAR_SHM_ENABLE */ + VAR_SHM_KEY = 504, /* VAR_SHM_KEY */ + VAR_ROOT_KEY_SENTINEL = 505, /* VAR_ROOT_KEY_SENTINEL */ + VAR_DNSCRYPT = 506, /* VAR_DNSCRYPT */ + VAR_DNSCRYPT_ENABLE = 507, /* VAR_DNSCRYPT_ENABLE */ + VAR_DNSCRYPT_PORT = 508, /* VAR_DNSCRYPT_PORT */ + VAR_DNSCRYPT_PROVIDER = 509, /* VAR_DNSCRYPT_PROVIDER */ + VAR_DNSCRYPT_SECRET_KEY = 510, /* VAR_DNSCRYPT_SECRET_KEY */ + VAR_DNSCRYPT_PROVIDER_CERT = 511, /* VAR_DNSCRYPT_PROVIDER_CERT */ + VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 512, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */ + VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 513, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */ + VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 514, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */ + VAR_DNSCRYPT_NONCE_CACHE_SIZE = 515, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */ + VAR_DNSCRYPT_NONCE_CACHE_SLABS = 516, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */ + VAR_PAD_RESPONSES = 517, /* VAR_PAD_RESPONSES */ + VAR_PAD_RESPONSES_BLOCK_SIZE = 518, /* VAR_PAD_RESPONSES_BLOCK_SIZE */ + VAR_PAD_QUERIES = 519, /* VAR_PAD_QUERIES */ + VAR_PAD_QUERIES_BLOCK_SIZE = 520, /* VAR_PAD_QUERIES_BLOCK_SIZE */ + VAR_IPSECMOD_ENABLED = 521, /* VAR_IPSECMOD_ENABLED */ + VAR_IPSECMOD_HOOK = 522, /* VAR_IPSECMOD_HOOK */ + VAR_IPSECMOD_IGNORE_BOGUS = 523, /* VAR_IPSECMOD_IGNORE_BOGUS */ + VAR_IPSECMOD_MAX_TTL = 
524, /* VAR_IPSECMOD_MAX_TTL */ + VAR_IPSECMOD_WHITELIST = 525, /* VAR_IPSECMOD_WHITELIST */ + VAR_IPSECMOD_STRICT = 526, /* VAR_IPSECMOD_STRICT */ + VAR_CACHEDB = 527, /* VAR_CACHEDB */ + VAR_CACHEDB_BACKEND = 528, /* VAR_CACHEDB_BACKEND */ + VAR_CACHEDB_SECRETSEED = 529, /* VAR_CACHEDB_SECRETSEED */ + VAR_CACHEDB_REDISHOST = 530, /* VAR_CACHEDB_REDISHOST */ + VAR_CACHEDB_REDISPORT = 531, /* VAR_CACHEDB_REDISPORT */ + VAR_CACHEDB_REDISTIMEOUT = 532, /* VAR_CACHEDB_REDISTIMEOUT */ + VAR_CACHEDB_REDISEXPIRERECORDS = 533, /* VAR_CACHEDB_REDISEXPIRERECORDS */ + VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 534, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */ + VAR_FOR_UPSTREAM = 535, /* VAR_FOR_UPSTREAM */ + VAR_AUTH_ZONE = 536, /* VAR_AUTH_ZONE */ + VAR_ZONEFILE = 537, /* VAR_ZONEFILE */ + VAR_MASTER = 538, /* VAR_MASTER */ + VAR_URL = 539, /* VAR_URL */ + VAR_FOR_DOWNSTREAM = 540, /* VAR_FOR_DOWNSTREAM */ + VAR_FALLBACK_ENABLED = 541, /* VAR_FALLBACK_ENABLED */ + VAR_TLS_ADDITIONAL_PORT = 542, /* VAR_TLS_ADDITIONAL_PORT */ + VAR_LOW_RTT = 543, /* VAR_LOW_RTT */ + VAR_LOW_RTT_PERMIL = 544, /* VAR_LOW_RTT_PERMIL */ + VAR_FAST_SERVER_PERMIL = 545, /* VAR_FAST_SERVER_PERMIL */ + VAR_FAST_SERVER_NUM = 546, /* VAR_FAST_SERVER_NUM */ + VAR_ALLOW_NOTIFY = 547, /* VAR_ALLOW_NOTIFY */ + VAR_TLS_WIN_CERT = 548, /* VAR_TLS_WIN_CERT */ + VAR_TCP_CONNECTION_LIMIT = 549, /* VAR_TCP_CONNECTION_LIMIT */ + VAR_FORWARD_NO_CACHE = 550, /* VAR_FORWARD_NO_CACHE */ + VAR_STUB_NO_CACHE = 551, /* VAR_STUB_NO_CACHE */ + VAR_LOG_SERVFAIL = 552, /* VAR_LOG_SERVFAIL */ + VAR_DENY_ANY = 553, /* VAR_DENY_ANY */ + VAR_UNKNOWN_SERVER_TIME_LIMIT = 554, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */ + VAR_LOG_TAG_QUERYREPLY = 555, /* VAR_LOG_TAG_QUERYREPLY */ + VAR_STREAM_WAIT_SIZE = 556, /* VAR_STREAM_WAIT_SIZE */ + VAR_TLS_CIPHERS = 557, /* VAR_TLS_CIPHERS */ + VAR_TLS_CIPHERSUITES = 558, /* VAR_TLS_CIPHERSUITES */ + VAR_TLS_USE_SNI = 559, /* VAR_TLS_USE_SNI */ + VAR_IPSET = 560, /* VAR_IPSET */ + VAR_IPSET_NAME_V4 = 561, 
/* VAR_IPSET_NAME_V4 */ + VAR_IPSET_NAME_V6 = 562, /* VAR_IPSET_NAME_V6 */ + VAR_TLS_SESSION_TICKET_KEYS = 563, /* VAR_TLS_SESSION_TICKET_KEYS */ + VAR_RPZ = 564, /* VAR_RPZ */ + VAR_TAGS = 565, /* VAR_TAGS */ + VAR_RPZ_ACTION_OVERRIDE = 566, /* VAR_RPZ_ACTION_OVERRIDE */ + VAR_RPZ_CNAME_OVERRIDE = 567, /* VAR_RPZ_CNAME_OVERRIDE */ + VAR_RPZ_LOG = 568, /* VAR_RPZ_LOG */ + VAR_RPZ_LOG_NAME = 569, /* VAR_RPZ_LOG_NAME */ + VAR_DYNLIB = 570, /* VAR_DYNLIB */ + VAR_DYNLIB_FILE = 571, /* VAR_DYNLIB_FILE */ + VAR_EDNS_CLIENT_STRING = 572, /* VAR_EDNS_CLIENT_STRING */ + VAR_EDNS_CLIENT_STRING_OPCODE = 573, /* VAR_EDNS_CLIENT_STRING_OPCODE */ + VAR_NSID = 574, /* VAR_NSID */ + VAR_ZONEMD_PERMISSIVE_MODE = 575, /* VAR_ZONEMD_PERMISSIVE_MODE */ + VAR_ZONEMD_CHECK = 576, /* VAR_ZONEMD_CHECK */ + VAR_ZONEMD_REJECT_ABSENCE = 577, /* VAR_ZONEMD_REJECT_ABSENCE */ + VAR_RPZ_SIGNAL_NXDOMAIN_RA = 578, /* VAR_RPZ_SIGNAL_NXDOMAIN_RA */ + VAR_INTERFACE_AUTOMATIC_PORTS = 579 /* VAR_INTERFACE_AUTOMATIC_PORTS */ }; typedef enum yytokentype yytoken_kind_t; #endif /* Token kinds. */ +#define YYEMPTY -2 #define YYEOF 0 #define YYerror 256 #define YYUNDEF 257 
@@ -471,212 +486,226 @@ extern int yydebug; #define VAR_CONTROL_KEY_FILE 357 #define VAR_CONTROL_CERT_FILE 358 #define VAR_CONTROL_USE_CERT 359 -#define VAR_EXTENDED_STATISTICS 360 -#define VAR_LOCAL_DATA_PTR 361 -#define VAR_JOSTLE_TIMEOUT 362 -#define VAR_STUB_PRIME 363 -#define VAR_UNWANTED_REPLY_THRESHOLD 364 -#define VAR_LOG_TIME_ASCII 365 -#define VAR_DOMAIN_INSECURE 366 -#define VAR_PYTHON 367 -#define VAR_PYTHON_SCRIPT 368 -#define VAR_VAL_SIG_SKEW_MIN 369 -#define VAR_VAL_SIG_SKEW_MAX 370 -#define VAR_CACHE_MIN_TTL 371 -#define VAR_VAL_LOG_LEVEL 372 -#define VAR_AUTO_TRUST_ANCHOR_FILE 373 -#define VAR_KEEP_MISSING 374 -#define VAR_ADD_HOLDDOWN 375 -#define VAR_DEL_HOLDDOWN 376 -#define VAR_SO_RCVBUF 377 -#define VAR_EDNS_BUFFER_SIZE 378 -#define VAR_PREFETCH 379 -#define VAR_PREFETCH_KEY 380 -#define VAR_SO_SNDBUF 381 -#define VAR_SO_REUSEPORT 382 -#define VAR_HARDEN_BELOW_NXDOMAIN 383 -#define VAR_IGNORE_CD_FLAG 384 -#define VAR_LOG_QUERIES 385 -#define VAR_LOG_REPLIES 386 -#define VAR_LOG_LOCAL_ACTIONS 387 -#define VAR_TCP_UPSTREAM 388 -#define VAR_SSL_UPSTREAM 389 -#define VAR_SSL_SERVICE_KEY 390 -#define VAR_SSL_SERVICE_PEM 391 -#define VAR_SSL_PORT 392 -#define VAR_FORWARD_FIRST 393 -#define VAR_STUB_SSL_UPSTREAM 394 -#define VAR_FORWARD_SSL_UPSTREAM 395 -#define VAR_TLS_CERT_BUNDLE 396 -#define VAR_HTTPS_PORT 397 -#define VAR_HTTP_ENDPOINT 398 -#define VAR_HTTP_MAX_STREAMS 399 -#define VAR_HTTP_QUERY_BUFFER_SIZE 400 -#define VAR_HTTP_RESPONSE_BUFFER_SIZE 401 -#define VAR_HTTP_NODELAY 402 -#define VAR_HTTP_NOTLS_DOWNSTREAM 403 -#define VAR_STUB_FIRST 404 -#define VAR_MINIMAL_RESPONSES 405 -#define VAR_RRSET_ROUNDROBIN 406 -#define VAR_MAX_UDP_SIZE 407 -#define VAR_DELAY_CLOSE 408 -#define VAR_UDP_CONNECT 409 -#define VAR_UNBLOCK_LAN_ZONES 410 -#define VAR_INSECURE_LAN_ZONES 411 -#define VAR_INFRA_CACHE_MIN_RTT 412 -#define VAR_INFRA_KEEP_PROBING 413 -#define VAR_DNS64_PREFIX 414 -#define VAR_DNS64_SYNTHALL 415 -#define VAR_DNS64_IGNORE_AAAA 416 
-#define VAR_DNSTAP 417 -#define VAR_DNSTAP_ENABLE 418 -#define VAR_DNSTAP_SOCKET_PATH 419 -#define VAR_DNSTAP_IP 420 -#define VAR_DNSTAP_TLS 421 -#define VAR_DNSTAP_TLS_SERVER_NAME 422 -#define VAR_DNSTAP_TLS_CERT_BUNDLE 423 -#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 424 -#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 425 -#define VAR_DNSTAP_SEND_IDENTITY 426 -#define VAR_DNSTAP_SEND_VERSION 427 -#define VAR_DNSTAP_BIDIRECTIONAL 428 -#define VAR_DNSTAP_IDENTITY 429 -#define VAR_DNSTAP_VERSION 430 -#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 431 -#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 432 -#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 433 -#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 434 -#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 435 -#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 436 -#define VAR_RESPONSE_IP_TAG 437 -#define VAR_RESPONSE_IP 438 -#define VAR_RESPONSE_IP_DATA 439 -#define VAR_HARDEN_ALGO_DOWNGRADE 440 -#define VAR_IP_TRANSPARENT 441 -#define VAR_IP_DSCP 442 -#define VAR_DISABLE_DNSSEC_LAME_CHECK 443 -#define VAR_IP_RATELIMIT 444 -#define VAR_IP_RATELIMIT_SLABS 445 -#define VAR_IP_RATELIMIT_SIZE 446 -#define VAR_RATELIMIT 447 -#define VAR_RATELIMIT_SLABS 448 -#define VAR_RATELIMIT_SIZE 449 -#define VAR_RATELIMIT_FOR_DOMAIN 450 -#define VAR_RATELIMIT_BELOW_DOMAIN 451 -#define VAR_IP_RATELIMIT_FACTOR 452 -#define VAR_RATELIMIT_FACTOR 453 -#define VAR_SEND_CLIENT_SUBNET 454 -#define VAR_CLIENT_SUBNET_ZONE 455 -#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 456 -#define VAR_CLIENT_SUBNET_OPCODE 457 -#define VAR_MAX_CLIENT_SUBNET_IPV4 458 -#define VAR_MAX_CLIENT_SUBNET_IPV6 459 -#define VAR_MIN_CLIENT_SUBNET_IPV4 460 -#define VAR_MIN_CLIENT_SUBNET_IPV6 461 -#define VAR_MAX_ECS_TREE_SIZE_IPV4 462 -#define VAR_MAX_ECS_TREE_SIZE_IPV6 463 -#define VAR_CAPS_WHITELIST 464 -#define VAR_CACHE_MAX_NEGATIVE_TTL 465 -#define VAR_PERMIT_SMALL_HOLDDOWN 466 -#define VAR_QNAME_MINIMISATION 467 -#define VAR_QNAME_MINIMISATION_STRICT 468 -#define VAR_IP_FREEBIND 
469 -#define VAR_DEFINE_TAG 470 -#define VAR_LOCAL_ZONE_TAG 471 -#define VAR_ACCESS_CONTROL_TAG 472 -#define VAR_LOCAL_ZONE_OVERRIDE 473 -#define VAR_ACCESS_CONTROL_TAG_ACTION 474 -#define VAR_ACCESS_CONTROL_TAG_DATA 475 -#define VAR_VIEW 476 -#define VAR_ACCESS_CONTROL_VIEW 477 -#define VAR_VIEW_FIRST 478 -#define VAR_SERVE_EXPIRED 479 -#define VAR_SERVE_EXPIRED_TTL 480 -#define VAR_SERVE_EXPIRED_TTL_RESET 481 -#define VAR_SERVE_EXPIRED_REPLY_TTL 482 -#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 483 -#define VAR_SERVE_ORIGINAL_TTL 484 -#define VAR_FAKE_DSA 485 -#define VAR_FAKE_SHA1 486 -#define VAR_LOG_IDENTITY 487 -#define VAR_HIDE_TRUSTANCHOR 488 -#define VAR_TRUST_ANCHOR_SIGNALING 489 -#define VAR_AGGRESSIVE_NSEC 490 -#define VAR_USE_SYSTEMD 491 -#define VAR_SHM_ENABLE 492 -#define VAR_SHM_KEY 493 -#define VAR_ROOT_KEY_SENTINEL 494 -#define VAR_DNSCRYPT 495 -#define VAR_DNSCRYPT_ENABLE 496 -#define VAR_DNSCRYPT_PORT 497 -#define VAR_DNSCRYPT_PROVIDER 498 -#define VAR_DNSCRYPT_SECRET_KEY 499 -#define VAR_DNSCRYPT_PROVIDER_CERT 500 -#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 501 -#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 502 -#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 503 -#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 504 -#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 505 -#define VAR_PAD_RESPONSES 506 -#define VAR_PAD_RESPONSES_BLOCK_SIZE 507 -#define VAR_PAD_QUERIES 508 -#define VAR_PAD_QUERIES_BLOCK_SIZE 509 -#define VAR_IPSECMOD_ENABLED 510 -#define VAR_IPSECMOD_HOOK 511 -#define VAR_IPSECMOD_IGNORE_BOGUS 512 -#define VAR_IPSECMOD_MAX_TTL 513 -#define VAR_IPSECMOD_WHITELIST 514 -#define VAR_IPSECMOD_STRICT 515 -#define VAR_CACHEDB 516 -#define VAR_CACHEDB_BACKEND 517 -#define VAR_CACHEDB_SECRETSEED 518 -#define VAR_CACHEDB_REDISHOST 519 -#define VAR_CACHEDB_REDISPORT 520 -#define VAR_CACHEDB_REDISTIMEOUT 521 -#define VAR_CACHEDB_REDISEXPIRERECORDS 522 -#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 523 -#define VAR_FOR_UPSTREAM 524 -#define VAR_AUTH_ZONE 525 -#define 
VAR_ZONEFILE 526 -#define VAR_MASTER 527 -#define VAR_URL 528 -#define VAR_FOR_DOWNSTREAM 529 -#define VAR_FALLBACK_ENABLED 530 -#define VAR_TLS_ADDITIONAL_PORT 531 -#define VAR_LOW_RTT 532 -#define VAR_LOW_RTT_PERMIL 533 -#define VAR_FAST_SERVER_PERMIL 534 -#define VAR_FAST_SERVER_NUM 535 -#define VAR_ALLOW_NOTIFY 536 -#define VAR_TLS_WIN_CERT 537 -#define VAR_TCP_CONNECTION_LIMIT 538 -#define VAR_FORWARD_NO_CACHE 539 -#define VAR_STUB_NO_CACHE 540 -#define VAR_LOG_SERVFAIL 541 -#define VAR_DENY_ANY 542 -#define VAR_UNKNOWN_SERVER_TIME_LIMIT 543 -#define VAR_LOG_TAG_QUERYREPLY 544 -#define VAR_STREAM_WAIT_SIZE 545 -#define VAR_TLS_CIPHERS 546 -#define VAR_TLS_CIPHERSUITES 547 -#define VAR_TLS_USE_SNI 548 -#define VAR_IPSET 549 -#define VAR_IPSET_NAME_V4 550 -#define VAR_IPSET_NAME_V6 551 -#define VAR_TLS_SESSION_TICKET_KEYS 552 -#define VAR_RPZ 553 -#define VAR_TAGS 554 -#define VAR_RPZ_ACTION_OVERRIDE 555 -#define VAR_RPZ_CNAME_OVERRIDE 556 -#define VAR_RPZ_LOG 557 -#define VAR_RPZ_LOG_NAME 558 -#define VAR_DYNLIB 559 -#define VAR_DYNLIB_FILE 560 -#define VAR_EDNS_CLIENT_STRING 561 -#define VAR_EDNS_CLIENT_STRING_OPCODE 562 -#define VAR_NSID 563 -#define VAR_ZONEMD_PERMISSIVE_MODE 564 -#define VAR_ZONEMD_REJECT_ABSENCE 565 +#define VAR_TCP_REUSE_TIMEOUT 360 +#define VAR_MAX_REUSE_TCP_QUERIES 361 +#define VAR_EXTENDED_STATISTICS 362 +#define VAR_LOCAL_DATA_PTR 363 +#define VAR_JOSTLE_TIMEOUT 364 +#define VAR_STUB_PRIME 365 +#define VAR_UNWANTED_REPLY_THRESHOLD 366 +#define VAR_LOG_TIME_ASCII 367 +#define VAR_DOMAIN_INSECURE 368 +#define VAR_PYTHON 369 +#define VAR_PYTHON_SCRIPT 370 +#define VAR_VAL_SIG_SKEW_MIN 371 +#define VAR_VAL_SIG_SKEW_MAX 372 +#define VAR_VAL_MAX_RESTART 373 +#define VAR_CACHE_MIN_TTL 374 +#define VAR_VAL_LOG_LEVEL 375 +#define VAR_AUTO_TRUST_ANCHOR_FILE 376 +#define VAR_KEEP_MISSING 377 +#define VAR_ADD_HOLDDOWN 378 +#define VAR_DEL_HOLDDOWN 379 +#define VAR_SO_RCVBUF 380 +#define VAR_EDNS_BUFFER_SIZE 381 +#define VAR_PREFETCH 382 +#define 
VAR_PREFETCH_KEY 383 +#define VAR_SO_SNDBUF 384 +#define VAR_SO_REUSEPORT 385 +#define VAR_HARDEN_BELOW_NXDOMAIN 386 +#define VAR_IGNORE_CD_FLAG 387 +#define VAR_LOG_QUERIES 388 +#define VAR_LOG_REPLIES 389 +#define VAR_LOG_LOCAL_ACTIONS 390 +#define VAR_TCP_UPSTREAM 391 +#define VAR_SSL_UPSTREAM 392 +#define VAR_TCP_AUTH_QUERY_TIMEOUT 393 +#define VAR_SSL_SERVICE_KEY 394 +#define VAR_SSL_SERVICE_PEM 395 +#define VAR_SSL_PORT 396 +#define VAR_FORWARD_FIRST 397 +#define VAR_STUB_SSL_UPSTREAM 398 +#define VAR_FORWARD_SSL_UPSTREAM 399 +#define VAR_TLS_CERT_BUNDLE 400 +#define VAR_STUB_TCP_UPSTREAM 401 +#define VAR_FORWARD_TCP_UPSTREAM 402 +#define VAR_HTTPS_PORT 403 +#define VAR_HTTP_ENDPOINT 404 +#define VAR_HTTP_MAX_STREAMS 405 +#define VAR_HTTP_QUERY_BUFFER_SIZE 406 +#define VAR_HTTP_RESPONSE_BUFFER_SIZE 407 +#define VAR_HTTP_NODELAY 408 +#define VAR_HTTP_NOTLS_DOWNSTREAM 409 +#define VAR_STUB_FIRST 410 +#define VAR_MINIMAL_RESPONSES 411 +#define VAR_RRSET_ROUNDROBIN 412 +#define VAR_MAX_UDP_SIZE 413 +#define VAR_DELAY_CLOSE 414 +#define VAR_UDP_CONNECT 415 +#define VAR_UNBLOCK_LAN_ZONES 416 +#define VAR_INSECURE_LAN_ZONES 417 +#define VAR_INFRA_CACHE_MIN_RTT 418 +#define VAR_INFRA_KEEP_PROBING 419 +#define VAR_DNS64_PREFIX 420 +#define VAR_DNS64_SYNTHALL 421 +#define VAR_DNS64_IGNORE_AAAA 422 +#define VAR_DNSTAP 423 +#define VAR_DNSTAP_ENABLE 424 +#define VAR_DNSTAP_SOCKET_PATH 425 +#define VAR_DNSTAP_IP 426 +#define VAR_DNSTAP_TLS 427 +#define VAR_DNSTAP_TLS_SERVER_NAME 428 +#define VAR_DNSTAP_TLS_CERT_BUNDLE 429 +#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 430 +#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 431 +#define VAR_DNSTAP_SEND_IDENTITY 432 +#define VAR_DNSTAP_SEND_VERSION 433 +#define VAR_DNSTAP_BIDIRECTIONAL 434 +#define VAR_DNSTAP_IDENTITY 435 +#define VAR_DNSTAP_VERSION 436 +#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 437 +#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 438 +#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 439 +#define 
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 440 +#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 441 +#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 442 +#define VAR_RESPONSE_IP_TAG 443 +#define VAR_RESPONSE_IP 444 +#define VAR_RESPONSE_IP_DATA 445 +#define VAR_HARDEN_ALGO_DOWNGRADE 446 +#define VAR_IP_TRANSPARENT 447 +#define VAR_IP_DSCP 448 +#define VAR_DISABLE_DNSSEC_LAME_CHECK 449 +#define VAR_IP_RATELIMIT 450 +#define VAR_IP_RATELIMIT_SLABS 451 +#define VAR_IP_RATELIMIT_SIZE 452 +#define VAR_RATELIMIT 453 +#define VAR_RATELIMIT_SLABS 454 +#define VAR_RATELIMIT_SIZE 455 +#define VAR_OUTBOUND_MSG_RETRY 456 +#define VAR_RATELIMIT_FOR_DOMAIN 457 +#define VAR_RATELIMIT_BELOW_DOMAIN 458 +#define VAR_IP_RATELIMIT_FACTOR 459 +#define VAR_RATELIMIT_FACTOR 460 +#define VAR_IP_RATELIMIT_BACKOFF 461 +#define VAR_RATELIMIT_BACKOFF 462 +#define VAR_SEND_CLIENT_SUBNET 463 +#define VAR_CLIENT_SUBNET_ZONE 464 +#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 465 +#define VAR_CLIENT_SUBNET_OPCODE 466 +#define VAR_MAX_CLIENT_SUBNET_IPV4 467 +#define VAR_MAX_CLIENT_SUBNET_IPV6 468 +#define VAR_MIN_CLIENT_SUBNET_IPV4 469 +#define VAR_MIN_CLIENT_SUBNET_IPV6 470 +#define VAR_MAX_ECS_TREE_SIZE_IPV4 471 +#define VAR_MAX_ECS_TREE_SIZE_IPV6 472 +#define VAR_CAPS_WHITELIST 473 +#define VAR_CACHE_MAX_NEGATIVE_TTL 474 +#define VAR_PERMIT_SMALL_HOLDDOWN 475 +#define VAR_QNAME_MINIMISATION 476 +#define VAR_QNAME_MINIMISATION_STRICT 477 +#define VAR_IP_FREEBIND 478 +#define VAR_DEFINE_TAG 479 +#define VAR_LOCAL_ZONE_TAG 480 +#define VAR_ACCESS_CONTROL_TAG 481 +#define VAR_LOCAL_ZONE_OVERRIDE 482 +#define VAR_ACCESS_CONTROL_TAG_ACTION 483 +#define VAR_ACCESS_CONTROL_TAG_DATA 484 +#define VAR_VIEW 485 +#define VAR_ACCESS_CONTROL_VIEW 486 +#define VAR_VIEW_FIRST 487 +#define VAR_SERVE_EXPIRED 488 +#define VAR_SERVE_EXPIRED_TTL 489 +#define VAR_SERVE_EXPIRED_TTL_RESET 490 +#define VAR_SERVE_EXPIRED_REPLY_TTL 491 +#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 492 +#define VAR_SERVE_ORIGINAL_TTL 493 +#define 
VAR_FAKE_DSA 494 +#define VAR_FAKE_SHA1 495 +#define VAR_LOG_IDENTITY 496 +#define VAR_HIDE_TRUSTANCHOR 497 +#define VAR_HIDE_HTTP_USER_AGENT 498 +#define VAR_HTTP_USER_AGENT 499 +#define VAR_TRUST_ANCHOR_SIGNALING 500 +#define VAR_AGGRESSIVE_NSEC 501 +#define VAR_USE_SYSTEMD 502 +#define VAR_SHM_ENABLE 503 +#define VAR_SHM_KEY 504 +#define VAR_ROOT_KEY_SENTINEL 505 +#define VAR_DNSCRYPT 506 +#define VAR_DNSCRYPT_ENABLE 507 +#define VAR_DNSCRYPT_PORT 508 +#define VAR_DNSCRYPT_PROVIDER 509 +#define VAR_DNSCRYPT_SECRET_KEY 510 +#define VAR_DNSCRYPT_PROVIDER_CERT 511 +#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 512 +#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 513 +#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 514 +#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 515 +#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 516 +#define VAR_PAD_RESPONSES 517 +#define VAR_PAD_RESPONSES_BLOCK_SIZE 518 +#define VAR_PAD_QUERIES 519 +#define VAR_PAD_QUERIES_BLOCK_SIZE 520 +#define VAR_IPSECMOD_ENABLED 521 +#define VAR_IPSECMOD_HOOK 522 +#define VAR_IPSECMOD_IGNORE_BOGUS 523 +#define VAR_IPSECMOD_MAX_TTL 524 +#define VAR_IPSECMOD_WHITELIST 525 +#define VAR_IPSECMOD_STRICT 526 +#define VAR_CACHEDB 527 +#define VAR_CACHEDB_BACKEND 528 +#define VAR_CACHEDB_SECRETSEED 529 +#define VAR_CACHEDB_REDISHOST 530 +#define VAR_CACHEDB_REDISPORT 531 +#define VAR_CACHEDB_REDISTIMEOUT 532 +#define VAR_CACHEDB_REDISEXPIRERECORDS 533 +#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 534 +#define VAR_FOR_UPSTREAM 535 +#define VAR_AUTH_ZONE 536 +#define VAR_ZONEFILE 537 +#define VAR_MASTER 538 +#define VAR_URL 539 +#define VAR_FOR_DOWNSTREAM 540 +#define VAR_FALLBACK_ENABLED 541 +#define VAR_TLS_ADDITIONAL_PORT 542 +#define VAR_LOW_RTT 543 +#define VAR_LOW_RTT_PERMIL 544 +#define VAR_FAST_SERVER_PERMIL 545 +#define VAR_FAST_SERVER_NUM 546 +#define VAR_ALLOW_NOTIFY 547 +#define VAR_TLS_WIN_CERT 548 +#define VAR_TCP_CONNECTION_LIMIT 549 +#define VAR_FORWARD_NO_CACHE 550 +#define VAR_STUB_NO_CACHE 551 +#define VAR_LOG_SERVFAIL 
552 +#define VAR_DENY_ANY 553 +#define VAR_UNKNOWN_SERVER_TIME_LIMIT 554 +#define VAR_LOG_TAG_QUERYREPLY 555 +#define VAR_STREAM_WAIT_SIZE 556 +#define VAR_TLS_CIPHERS 557 +#define VAR_TLS_CIPHERSUITES 558 +#define VAR_TLS_USE_SNI 559 +#define VAR_IPSET 560 +#define VAR_IPSET_NAME_V4 561 +#define VAR_IPSET_NAME_V6 562 +#define VAR_TLS_SESSION_TICKET_KEYS 563 +#define VAR_RPZ 564 +#define VAR_TAGS 565 +#define VAR_RPZ_ACTION_OVERRIDE 566 +#define VAR_RPZ_CNAME_OVERRIDE 567 +#define VAR_RPZ_LOG 568 +#define VAR_RPZ_LOG_NAME 569 +#define VAR_DYNLIB 570 +#define VAR_DYNLIB_FILE 571 +#define VAR_EDNS_CLIENT_STRING 572 +#define VAR_EDNS_CLIENT_STRING_OPCODE 573 +#define VAR_NSID 574 +#define VAR_ZONEMD_PERMISSIVE_MODE 575 +#define VAR_ZONEMD_CHECK 576 +#define VAR_ZONEMD_REJECT_ABSENCE 577 +#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 578 +#define VAR_INTERFACE_AUTOMATIC_PORTS 579 /* Value type. */ #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED @@ -686,7 +715,7 @@ union YYSTYPE char* str; -#line 690 "util/configparser.h" +#line 719 "util/configparser.h" }; typedef union YYSTYPE YYSTYPE; diff --git a/util/configparser.y b/util/configparser.y index 95426dd9c..66997659b 100644 --- a/util/configparser.y +++ b/util/configparser.y 
@@ -4,24 +4,24 @@ * Copyright (c) 2001-2006, NLnet Labs. All rights reserved. * * Copyright (c) 2007, NLnet Labs. All rights reserved. - * + * * This software is open source. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. - * + * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 
@@ -88,30 +88,32 @@ extern struct config_parser_state* cfg_parser; %token VAR_TRUST_ANCHOR_FILE VAR_TRUST_ANCHOR VAR_VAL_OVERRIDE_DATE %token VAR_BOGUS_TTL VAR_VAL_CLEAN_ADDITIONAL VAR_VAL_PERMISSIVE_MODE %token VAR_INCOMING_NUM_TCP VAR_MSG_BUFFER_SIZE VAR_KEY_CACHE_SIZE -%token VAR_KEY_CACHE_SLABS VAR_TRUSTED_KEYS_FILE -%token VAR_VAL_NSEC3_KEYSIZE_ITERATIONS VAR_USE_SYSLOG +%token VAR_KEY_CACHE_SLABS VAR_TRUSTED_KEYS_FILE +%token VAR_VAL_NSEC3_KEYSIZE_ITERATIONS VAR_USE_SYSLOG %token VAR_OUTGOING_INTERFACE VAR_ROOT_HINTS VAR_DO_NOT_QUERY_LOCALHOST %token VAR_CACHE_MAX_TTL VAR_HARDEN_DNSSEC_STRIPPED VAR_ACCESS_CONTROL %token VAR_LOCAL_ZONE VAR_LOCAL_DATA VAR_INTERFACE_AUTOMATIC %token VAR_STATISTICS_INTERVAL VAR_DO_DAEMONIZE VAR_USE_CAPS_FOR_ID -%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT +%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE -%token VAR_CONTROL_USE_CERT +%token VAR_CONTROL_USE_CERT VAR_TCP_REUSE_TIMEOUT VAR_MAX_REUSE_TCP_QUERIES %token VAR_EXTENDED_STATISTICS VAR_LOCAL_DATA_PTR VAR_JOSTLE_TIMEOUT %token VAR_STUB_PRIME VAR_UNWANTED_REPLY_THRESHOLD VAR_LOG_TIME_ASCII %token VAR_DOMAIN_INSECURE VAR_PYTHON VAR_PYTHON_SCRIPT VAR_VAL_SIG_SKEW_MIN -%token VAR_VAL_SIG_SKEW_MAX VAR_CACHE_MIN_TTL VAR_VAL_LOG_LEVEL -%token VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING VAR_ADD_HOLDDOWN -%token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH -%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT VAR_HARDEN_BELOW_NXDOMAIN -%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS -%token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM -%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM 
VAR_SSL_PORT VAR_FORWARD_FIRST +%token VAR_VAL_SIG_SKEW_MAX VAR_VAL_MAX_RESTART VAR_CACHE_MIN_TTL +%token VAR_VAL_LOG_LEVEL VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING +%token VAR_ADD_HOLDDOWN VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE +%token VAR_PREFETCH VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT +%token VAR_HARDEN_BELOW_NXDOMAIN VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES +%token VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS VAR_TCP_UPSTREAM +%token VAR_SSL_UPSTREAM VAR_TCP_AUTH_QUERY_TIMEOUT VAR_SSL_SERVICE_KEY +%token VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST %token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE +%token VAR_STUB_TCP_UPSTREAM VAR_FORWARD_TCP_UPSTREAM %token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS %token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE %token VAR_HTTP_NODELAY VAR_HTTP_NOTLS_DOWNSTREAM @@ -137,8 +139,10 @@ extern struct config_parser_state* cfg_parser; %token VAR_DISABLE_DNSSEC_LAME_CHECK %token VAR_IP_RATELIMIT VAR_IP_RATELIMIT_SLABS VAR_IP_RATELIMIT_SIZE %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE +%token VAR_OUTBOUND_MSG_RETRY %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN %token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR +%token VAR_IP_RATELIMIT_BACKOFF VAR_RATELIMIT_BACKOFF %token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE %token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE %token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6 
@@ -153,6 +157,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_SERVE_EXPIRED_TTL_RESET VAR_SERVE_EXPIRED_REPLY_TTL %token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_SERVE_ORIGINAL_TTL VAR_FAKE_DSA %token VAR_FAKE_SHA1 VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR +%token VAR_HIDE_HTTP_USER_AGENT VAR_HTTP_USER_AGENT %token VAR_TRUST_ANCHOR_SIGNALING VAR_AGGRESSIVE_NSEC VAR_USE_SYSTEMD %token VAR_SHM_ENABLE VAR_SHM_KEY VAR_ROOT_KEY_SENTINEL %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER @@ -183,12 +188,13 @@ extern struct config_parser_state* cfg_parser; %token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME %token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID -%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_REJECT_ABSENCE +%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE +%token VAR_RPZ_SIGNAL_NXDOMAIN_RA VAR_INTERFACE_AUTOMATIC_PORTS %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; toplevelvar: serverstart contents_server | stubstart contents_stub | - forwardstart contents_forward | pythonstart contents_py | + forwardstart contents_forward | pythonstart contents_py | rcstart contents_rc | dtstart contents_dt | viewstart contents_view | dnscstart contents_dnsc | cachedbstart contents_cachedb | ipsetstart contents_ipset | authstart contents_auth | @@ -202,7 +208,7 @@ force_toplevel: VAR_FORCE_TOPLEVEL ; /* server: declaration */ serverstart: VAR_SERVER - { + { OUTYY(("\nP(server:)\n")); } ; 
@@ -214,38 +220,40 @@ content_server: server_num_threads | server_verbosity | server_port | server_do_udp | server_do_tcp | server_tcp_mss | server_outgoing_tcp_mss | server_tcp_idle_timeout | server_tcp_keepalive | server_tcp_keepalive_timeout | - server_interface | server_chroot | server_username | + server_interface | server_chroot | server_username | server_directory | server_logfile | server_pidfile | server_msg_cache_size | server_msg_cache_slabs | - server_num_queries_per_thread | server_rrset_cache_size | - server_rrset_cache_slabs | server_outgoing_num_tcp | - server_infra_host_ttl | server_infra_lame_ttl | + server_num_queries_per_thread | server_rrset_cache_size | + server_rrset_cache_slabs | server_outgoing_num_tcp | + server_infra_host_ttl | server_infra_lame_ttl | server_infra_cache_slabs | server_infra_cache_numhosts | - server_infra_cache_lame_size | server_target_fetch_policy | + server_infra_cache_lame_size | server_target_fetch_policy | server_harden_short_bufsize | server_harden_large_queries | server_do_not_query_address | server_hide_identity | server_hide_version | server_identity | server_version | + server_hide_http_user_agent | server_http_user_agent | server_harden_glue | server_module_conf | server_trust_anchor_file | server_trust_anchor | server_val_override_date | server_bogus_ttl | server_val_clean_additional | server_val_permissive_mode | - server_incoming_num_tcp | server_msg_buffer_size | - server_key_cache_size | server_key_cache_slabs | + server_incoming_num_tcp | server_msg_buffer_size | + server_key_cache_size | server_key_cache_slabs | server_trusted_keys_file | server_val_nsec3_keysize_iterations | server_use_syslog | server_outgoing_interface | server_root_hints | server_do_not_query_localhost | server_cache_max_ttl | server_harden_dnssec_stripped | server_access_control | server_local_zone | server_local_data | server_interface_automatic | - server_statistics_interval | server_do_daemonize | + server_statistics_interval | 
server_do_daemonize | server_use_caps_for_id | server_statistics_cumulative | server_outgoing_port_permit | server_outgoing_port_avoid | server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size | server_harden_referral_path | server_private_address | - server_private_domain | server_extended_statistics | - server_local_data_ptr | server_jostle_timeout | - server_unwanted_reply_threshold | server_log_time_ascii | - server_domain_insecure | server_val_sig_skew_min | - server_val_sig_skew_max | server_cache_min_ttl | server_val_log_level | - server_auto_trust_anchor_file | server_add_holddown | + server_private_domain | server_extended_statistics | + server_local_data_ptr | server_jostle_timeout | + server_unwanted_reply_threshold | server_log_time_ascii | + server_domain_insecure | server_val_sig_skew_min | + server_val_sig_skew_max | server_val_max_restart | + server_cache_min_ttl | server_val_log_level | + server_auto_trust_anchor_file | server_add_holddown | server_del_holddown | server_keep_missing | server_so_rcvbuf | server_edns_buffer_size | server_prefetch | server_prefetch_key | server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag | 
@@ -266,9 +274,10 @@ content_server: server_num_threads | server_verbosity | server_port | server_ip_ratelimit_size | server_ratelimit_size | server_ratelimit_for_domain | server_ratelimit_below_domain | server_ratelimit_factor | - server_ip_ratelimit_factor | server_send_client_subnet | - server_client_subnet_zone | server_client_subnet_always_forward | - server_client_subnet_opcode | + server_ip_ratelimit_factor | server_ratelimit_backoff | + server_ip_ratelimit_backoff | server_outbound_msg_retry | + server_send_client_subnet | server_client_subnet_zone | + server_client_subnet_always_forward | server_client_subnet_opcode | server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 | server_min_client_subnet_ipv4 | server_min_client_subnet_ipv6 | server_max_ecs_tree_size_ipv4 | server_max_ecs_tree_size_ipv6 | 
@@ -303,57 +312,63 @@ content_server: server_num_threads | server_verbosity | server_port | server_tls_ciphersuites | server_tls_session_ticket_keys | server_tls_use_sni | server_edns_client_string | server_edns_client_string_opcode | server_nsid | - server_zonemd_permissive_mode + server_zonemd_permissive_mode | server_max_reuse_tcp_queries | + server_tcp_reuse_timeout | server_tcp_auth_query_timeout | + server_interface_automatic_ports + ; stubstart: VAR_STUB_ZONE { struct config_stub* s; - OUTYY(("\nP(stub_zone:)\n")); + OUTYY(("\nP(stub_zone:)\n")); s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->stubs; cfg_parser->cfg->stubs = s; - } else + } else { yyerror("out of memory"); + } } ; -contents_stub: contents_stub content_stub +contents_stub: contents_stub content_stub | ; content_stub: stub_name | stub_host | stub_addr | stub_prime | stub_first | - stub_no_cache | stub_ssl_upstream + stub_no_cache | stub_ssl_upstream | stub_tcp_upstream ; forwardstart: VAR_FORWARD_ZONE { struct config_stub* s; - OUTYY(("\nP(forward_zone:)\n")); + OUTYY(("\nP(forward_zone:)\n")); s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->forwards; cfg_parser->cfg->forwards = s; - } else + } else { yyerror("out of memory"); + } } ; -contents_forward: contents_forward content_forward +contents_forward: contents_forward content_forward | ; content_forward: forward_name | forward_host | forward_addr | forward_first | - forward_no_cache | forward_ssl_upstream + forward_no_cache | forward_ssl_upstream | forward_tcp_upstream ; viewstart: VAR_VIEW { struct config_view* s; - OUTYY(("\nP(view:)\n")); + OUTYY(("\nP(view:)\n")); s = (struct config_view*)calloc(1, sizeof(struct config_view)); if(s) { s->next = cfg_parser->cfg->views; if(s->next && !s->next->name) yyerror("view without name"); cfg_parser->cfg->views = s; - } else + } else { yyerror("out of memory"); + } } ; -contents_view: contents_view 
content_view +contents_view: contents_view content_view | ; content_view: view_name | view_local_zone | view_local_data | view_first | view_response_ip | view_response_ip_data | view_local_data_ptr @@ -361,7 +376,7 @@ content_view: view_name | view_local_zone | view_local_data | view_first | authstart: VAR_AUTH_ZONE { struct config_auth* s; - OUTYY(("\nP(auth_zone:)\n")); + OUTYY(("\nP(auth_zone:)\n")); s = (struct config_auth*)calloc(1, sizeof(struct config_auth)); if(s) { s->next = cfg_parser->cfg->auths; @@ -370,17 +385,19 @@ authstart: VAR_AUTH_ZONE s->for_downstream = 1; s->for_upstream = 1; s->fallback_enabled = 0; + s->zonemd_check = 0; s->zonemd_reject_absence = 0; s->isrpz = 0; - } else + } else { yyerror("out of memory"); + } } ; -contents_auth: contents_auth content_auth +contents_auth: contents_auth content_auth | ; content_auth: auth_name | auth_zonefile | auth_master | auth_url | auth_for_downstream | auth_for_upstream | auth_fallback_enabled | - auth_allow_notify | auth_zonemd_reject_absence + auth_allow_notify | auth_zonemd_check | auth_zonemd_reject_absence ; rpz_tag: VAR_TAGS STRING_ARG @@ -444,6 +461,15 @@ rpz_log_name: VAR_RPZ_LOG_NAME STRING_ARG cfg_parser->cfg->auths->rpz_log_name = $2; } ; +rpz_signal_nxdomain_ra: VAR_RPZ_SIGNAL_NXDOMAIN_RA STRING_ARG + { + OUTYY(("P(rpz_signal_nxdomain_ra:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->auths->rpz_signal_nxdomain_ra = (strcmp($2, "yes")==0); + free($2); + } + ; rpzstart: VAR_RPZ { 
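Review bot: The new `rpz_signal_nxdomain_ra` action writes through `cfg_parser->cfg->auths` without knowing that the entry for the current rpz block was actually allocated. `rpzstart` links a new entry only when `calloc` succeeds and otherwise just calls `yyerror("out of memory")`, so if parsing continues after that error (yyerror's behaviour is not visible here) the store lands on the previous zone's entry or dereferences a NULL list head. Guarding the store, for example `else if(cfg_parser->cfg->auths) cfg_parser->cfg->auths->rpz_signal_nxdomain_ra = (strcmp($2, "yes")==0);`, covers the NULL case. The `rpz_log_name` rule in the context lines has the same shape, and the body of `rpzstart` continues outside this hunk.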
@@ -458,37 +484,38 @@ rpzstart: VAR_RPZ s->for_upstream = 0; s->fallback_enabled = 0; s->isrpz = 1; - } else + } else { yyerror("out of memory"); + } } ; contents_rpz: contents_rpz content_rpz | ; content_rpz: auth_name | auth_zonefile | rpz_tag | auth_master | auth_url | auth_allow_notify | rpz_action_override | rpz_cname_override | - rpz_log | rpz_log_name + rpz_log | rpz_log_name | rpz_signal_nxdomain_ra | auth_for_downstream ; -server_num_threads: VAR_NUM_THREADS STRING_ARG - { - OUTYY(("P(server_num_threads:%s)\n", $2)); +server_num_threads: VAR_NUM_THREADS STRING_ARG + { + OUTYY(("P(server_num_threads:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->num_threads = atoi($2); free($2); } ; -server_verbosity: VAR_VERBOSITY STRING_ARG - { - OUTYY(("P(server_verbosity:%s)\n", $2)); +server_verbosity: VAR_VERBOSITY STRING_ARG + { + OUTYY(("P(server_verbosity:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->verbosity = atoi($2); free($2); } ; -server_statistics_interval: VAR_STATISTICS_INTERVAL STRING_ARG - { - OUTYY(("P(server_statistics_interval:%s)\n", $2)); +server_statistics_interval: VAR_STATISTICS_INTERVAL STRING_ARG + { + OUTYY(("P(server_statistics_interval:%s)\n", $2)); if(strcmp($2, "") == 0 || strcmp($2, "0") == 0) cfg_parser->cfg->stat_interval = 0; else if(atoi($2) == 0) @@ -524,9 +551,9 @@ server_shm_enable: VAR_SHM_ENABLE STRING_ARG free($2); } ; -server_shm_key: VAR_SHM_KEY STRING_ARG - { - OUTYY(("P(server_shm_key:%s)\n", $2)); +server_shm_key: VAR_SHM_KEY STRING_ARG + { + OUTYY(("P(server_shm_key:%s)\n", $2)); if(strcmp($2, "") == 0 || strcmp($2, "0") == 0) cfg_parser->cfg->shm_key = 0; else if(atoi($2) == 0) 
@@ -699,7 +726,7 @@ server_interface: VAR_INTERFACE STRING_ARG OUTYY(("P(server_interface:%s)\n", $2)); if(cfg_parser->cfg->num_ifs == 0) cfg_parser->cfg->ifs = calloc(1, sizeof(char*)); - else cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs, + else cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs, (cfg_parser->cfg->num_ifs+1)*sizeof(char*)); if(!cfg_parser->cfg->ifs) yyerror("out of memory"); @@ -712,8 +739,8 @@ server_outgoing_interface: VAR_OUTGOING_INTERFACE STRING_ARG OUTYY(("P(server_outgoing_interface:%s)\n", $2)); if(cfg_parser->cfg->num_out_ifs == 0) cfg_parser->cfg->out_ifs = calloc(1, sizeof(char*)); - else cfg_parser->cfg->out_ifs = realloc( - cfg_parser->cfg->out_ifs, + else cfg_parser->cfg->out_ifs = realloc( + cfg_parser->cfg->out_ifs, (cfg_parser->cfg->num_out_ifs+1)*sizeof(char*)); if(!cfg_parser->cfg->out_ifs) yyerror("out of memory"); @@ -734,7 +761,7 @@ server_outgoing_range: VAR_OUTGOING_RANGE STRING_ARG server_outgoing_port_permit: VAR_OUTGOING_PORT_PERMIT STRING_ARG { OUTYY(("P(server_outgoing_port_permit:%s)\n", $2)); - if(!cfg_mark_ports($2, 1, + if(!cfg_mark_ports($2, 1, cfg_parser->cfg->outgoing_avail_ports, 65536)) yyerror("port number or range (\"low-high\") expected"); free($2); @@ -743,7 +770,7 @@ server_outgoing_port_permit: VAR_OUTGOING_PORT_PERMIT STRING_ARG server_outgoing_port_avoid: VAR_OUTGOING_PORT_AVOID STRING_ARG { OUTYY(("P(server_outgoing_port_avoid:%s)\n", $2)); - if(!cfg_mark_ports($2, 0, + if(!cfg_mark_ports($2, 0, cfg_parser->cfg->outgoing_avail_ports, 65536)) yyerror("port number or range (\"low-high\") expected"); free($2); 
@@ -776,6 +803,13 @@ server_interface_automatic: VAR_INTERFACE_AUTOMATIC STRING_ARG free($2); } ; +server_interface_automatic_ports: VAR_INTERFACE_AUTOMATIC_PORTS STRING_ARG + { + OUTYY(("P(server_interface_automatic_ports:%s)\n", $2)); + free(cfg_parser->cfg->if_automatic_ports); + cfg_parser->cfg->if_automatic_ports = $2; + } + ; server_do_ip4: VAR_DO_IP4 STRING_ARG { OUTYY(("P(server_do_ip4:%s)\n", $2)); @@ -833,10 +867,10 @@ server_prefer_ip6: VAR_PREFER_IP6 STRING_ARG server_tcp_mss: VAR_TCP_MSS STRING_ARG { OUTYY(("P(server_tcp_mss:%s)\n", $2)); - if(atoi($2) == 0 && strcmp($2, "0") != 0) - yyerror("number expected"); - else cfg_parser->cfg->tcp_mss = atoi($2); - free($2); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->tcp_mss = atoi($2); + free($2); } ; server_outgoing_tcp_mss: VAR_OUTGOING_TCP_MSS STRING_ARG 
@@ -861,6 +895,39 @@ server_tcp_idle_timeout: VAR_TCP_IDLE_TIMEOUT STRING_ARG free($2); } ; +server_max_reuse_tcp_queries: VAR_MAX_REUSE_TCP_QUERIES STRING_ARG + { + OUTYY(("P(server_max_reuse_tcp_queries:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else if (atoi($2) < 1) + cfg_parser->cfg->max_reuse_tcp_queries = 0; + else cfg_parser->cfg->max_reuse_tcp_queries = atoi($2); + free($2); + } + ; +server_tcp_reuse_timeout: VAR_TCP_REUSE_TIMEOUT STRING_ARG + { + OUTYY(("P(server_tcp_reuse_timeout:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else if (atoi($2) < 1) + cfg_parser->cfg->tcp_reuse_timeout = 0; + else cfg_parser->cfg->tcp_reuse_timeout = atoi($2); + free($2); + } + ; +server_tcp_auth_query_timeout: VAR_TCP_AUTH_QUERY_TIMEOUT STRING_ARG + { + OUTYY(("P(server_tcp_auth_query_timeout:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else if (atoi($2) < 1) + cfg_parser->cfg->tcp_auth_query_timeout = 0; + else cfg_parser->cfg->tcp_auth_query_timeout = atoi($2); + free($2); + } + ; server_tcp_keepalive: VAR_EDNS_TCP_KEEPALIVE STRING_ARG { OUTYY(("P(server_tcp_keepalive:%s)\n", $2)); 
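Review bot: The three new rules (`server_max_reuse_tcp_queries`, `server_tcp_reuse_timeout`, `server_tcp_auth_query_timeout`) validate with `atoi`, so a value with trailing text such as `10x` is accepted as 10, an out-of-range value has undefined behaviour, and a negative value is silently stored as 0 instead of being reported. Each rule also converts the same string up to three times. Parsing once with `strtol` and checking the end pointer and `errno` rejects malformed input at config-check time; the sketch below shows the first rule and the other two follow the same shape. The narrowing from `long` to the config field is left unchecked in the sketch because the field types are not visible in this hunk.

```yacc
server_max_reuse_tcp_queries: VAR_MAX_REUSE_TCP_QUERIES STRING_ARG
	{
		char* end = NULL;
		long v;
		OUTYY(("P(server_max_reuse_tcp_queries:%s)\n", $2));
		errno = 0;
		v = strtol($2, &end, 10);
		/* reject empty input, trailing text and overflow */
		if(end == $2 || *end != 0 || errno == ERANGE)
			yyerror("number expected");
		else if(v < 1)
			cfg_parser->cfg->max_reuse_tcp_queries = 0;
		else cfg_parser->cfg->max_reuse_tcp_queries = v;
		free($2);
	}
	;
/* … unchanged shape for server_tcp_reuse_timeout and server_tcp_auth_query_timeout … */
```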
@@ -1103,23 +1170,23 @@ server_log_queries: VAR_LOG_QUERIES STRING_ARG } ; server_log_replies: VAR_LOG_REPLIES STRING_ARG - { - OUTYY(("P(server_log_replies:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_replies = (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_log_replies:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_replies = (strcmp($2, "yes")==0); + free($2); + } + ; server_log_tag_queryreply: VAR_LOG_TAG_QUERYREPLY STRING_ARG - { - OUTYY(("P(server_log_tag_queryreply:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_tag_queryreply = (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_log_tag_queryreply:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_tag_queryreply = (strcmp($2, "yes")==0); + free($2); + } + ; server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG { OUTYY(("P(server_log_servfail:%s)\n", $2)); @@ -1130,14 +1197,14 @@ server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG } ; server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG - { - OUTYY(("P(server_log_local_actions:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_local_actions = (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_log_local_actions:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_local_actions = (strcmp($2, "yes")==0); + free($2); + } + ; server_chroot: VAR_CHROOT STRING_ARG { OUTYY(("P(server_chroot:%s)\n", $2)); 
@@ -1171,7 +1238,7 @@ server_directory: VAR_DIRECTORY STRING_ARG cfg_parser->chroot)) == 0) d += strlen(cfg_parser->chroot); if(d[0]) { - if(chdir(d)) + if(chdir(d)) log_err("cannot chdir to directory: %s (%s)", d, strerror(errno)); } @@ -1301,6 +1368,15 @@ server_hide_trustanchor: VAR_HIDE_TRUSTANCHOR STRING_ARG free($2); } ; +server_hide_http_user_agent: VAR_HIDE_HTTP_USER_AGENT STRING_ARG + { + OUTYY(("P(server_hide_user_agent:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->hide_http_user_agent = (strcmp($2, "yes")==0); + free($2); + } + ; server_identity: VAR_IDENTITY STRING_ARG { OUTYY(("P(server_identity:%s)\n", $2)); @@ -1315,6 +1391,13 @@ server_version: VAR_VERSION STRING_ARG cfg_parser->cfg->version = $2; } ; +server_http_user_agent: VAR_HTTP_USER_AGENT STRING_ARG + { + OUTYY(("P(server_http_user_agent:%s)\n", $2)); + free(cfg_parser->cfg->http_user_agent); + cfg_parser->cfg->http_user_agent = $2; + } + ; server_nsid: VAR_NSID STRING_ARG { OUTYY(("P(server_nsid:%s)\n", $2)); 
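Review bot: The debug label in `server_hide_http_user_agent` reads `P(server_hide_user_agent:%s)`, which does not match the rule name the way the other rules do (for instance `server_http_user_agent` in the next hunk). Matching it keeps parser traces searchable by option name: `OUTYY(("P(server_hide_http_user_agent:%s)\n", $2));`.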
@@ -1348,35 +1431,35 @@ server_so_sndbuf: VAR_SO_SNDBUF STRING_ARG } ; server_so_reuseport: VAR_SO_REUSEPORT STRING_ARG - { - OUTYY(("P(server_so_reuseport:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->so_reuseport = - (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_so_reuseport:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->so_reuseport = + (strcmp($2, "yes")==0); + free($2); + } + ; server_ip_transparent: VAR_IP_TRANSPARENT STRING_ARG - { - OUTYY(("P(server_ip_transparent:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->ip_transparent = - (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_ip_transparent:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_transparent = + (strcmp($2, "yes")==0); + free($2); + } + ; server_ip_freebind: VAR_IP_FREEBIND STRING_ARG - { - OUTYY(("P(server_ip_freebind:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->ip_freebind = - (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_ip_freebind:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_freebind = + (strcmp($2, "yes")==0); + free($2); + } + ; server_ip_dscp: VAR_IP_DSCP STRING_ARG { OUTYY(("P(server_ip_dscp:%s)\n", $2)); 
@@ -1434,9 +1517,9 @@ server_msg_cache_size: VAR_MSG_CACHE_SIZE STRING_ARG server_msg_cache_slabs: VAR_MSG_CACHE_SLABS STRING_ARG { OUTYY(("P(server_msg_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) + if(atoi($2) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->msg_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->msg_cache_slabs)) yyerror("must be a power of 2"); @@ -1485,7 +1568,7 @@ server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG OUTYY(("P(server_unblock_lan_zones:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->unblock_lan_zones = + else cfg_parser->cfg->unblock_lan_zones = (strcmp($2, "yes")==0); free($2); } @@ -1495,7 +1578,7 @@ server_insecure_lan_zones: VAR_INSECURE_LAN_ZONES STRING_ARG OUTYY(("P(server_insecure_lan_zones:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->insecure_lan_zones = + else cfg_parser->cfg->insecure_lan_zones = (strcmp($2, "yes")==0); free($2); } @@ -1511,9 +1594,9 @@ server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG server_rrset_cache_slabs: VAR_RRSET_CACHE_SLABS STRING_ARG { OUTYY(("P(server_rrset_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) + if(atoi($2) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->rrset_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->rrset_cache_slabs)) yyerror("must be a power of 2"); @@ -1558,9 +1641,9 @@ server_infra_cache_lame_size: VAR_INFRA_CACHE_LAME_SIZE STRING_ARG server_infra_cache_slabs: VAR_INFRA_CACHE_SLABS STRING_ARG { OUTYY(("P(server_infra_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) + if(atoi($2) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->infra_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->infra_cache_slabs)) yyerror("must be a power of 2"); 
@@ -1599,7 +1682,7 @@ server_harden_short_bufsize: VAR_HARDEN_SHORT_BUFSIZE STRING_ARG OUTYY(("P(server_harden_short_bufsize:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_short_bufsize = + else cfg_parser->cfg->harden_short_bufsize = (strcmp($2, "yes")==0); free($2); } @@ -1609,7 +1692,7 @@ server_harden_large_queries: VAR_HARDEN_LARGE_QUERIES STRING_ARG OUTYY(("P(server_harden_large_queries:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_large_queries = + else cfg_parser->cfg->harden_large_queries = (strcmp($2, "yes")==0); free($2); } @@ -1619,7 +1702,7 @@ server_harden_glue: VAR_HARDEN_GLUE STRING_ARG OUTYY(("P(server_harden_glue:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_glue = + else cfg_parser->cfg->harden_glue = (strcmp($2, "yes")==0); free($2); } @@ -1629,7 +1712,7 @@ server_harden_dnssec_stripped: VAR_HARDEN_DNSSEC_STRIPPED STRING_ARG OUTYY(("P(server_harden_dnssec_stripped:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_dnssec_stripped = + else cfg_parser->cfg->harden_dnssec_stripped = (strcmp($2, "yes")==0); free($2); } @@ -1639,7 +1722,7 @@ server_harden_below_nxdomain: VAR_HARDEN_BELOW_NXDOMAIN STRING_ARG OUTYY(("P(server_harden_below_nxdomain:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_below_nxdomain = + else cfg_parser->cfg->harden_below_nxdomain = (strcmp($2, "yes")==0); free($2); } 
@@ -1649,7 +1732,7 @@ server_harden_referral_path: VAR_HARDEN_REFERRAL_PATH STRING_ARG OUTYY(("P(server_harden_referral_path:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_referral_path = + else cfg_parser->cfg->harden_referral_path = (strcmp($2, "yes")==0); free($2); } @@ -1659,7 +1742,7 @@ server_harden_algo_downgrade: VAR_HARDEN_ALGO_DOWNGRADE STRING_ARG OUTYY(("P(server_harden_algo_downgrade:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_algo_downgrade = + else cfg_parser->cfg->harden_algo_downgrade = (strcmp($2, "yes")==0); free($2); } @@ -1669,7 +1752,7 @@ server_use_caps_for_id: VAR_USE_CAPS_FOR_ID STRING_ARG OUTYY(("P(server_use_caps_for_id:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->use_caps_bits_for_id = + else cfg_parser->cfg->use_caps_bits_for_id = (strcmp($2, "yes")==0); free($2); } @@ -1743,7 +1826,7 @@ server_do_not_query_localhost: VAR_DO_NOT_QUERY_LOCALHOST STRING_ARG OUTYY(("P(server_do_not_query_localhost:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->donotquery_localhost = + else cfg_parser->cfg->donotquery_localhost = (strcmp($2, "yes")==0); free($2); } @@ -1754,8 +1837,8 @@ server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 && strcmp($3, "deny_non_local")!=0 && strcmp($3, "refuse_non_local")!=0 && - strcmp($3, "allow_setrd")!=0 && - strcmp($3, "allow")!=0 && + strcmp($3, "allow_setrd")!=0 && + strcmp($3, "allow")!=0 && strcmp($3, "allow_snoop")!=0) { yyerror("expected deny, refuse, deny_non_local, " "refuse_non_local, allow, allow_setrd or " 
@@ -1781,7 +1864,7 @@ server_val_override_date: VAR_VAL_OVERRIDE_DATE STRING_ARG if(*$2 == '\0' || strcmp($2, "0") == 0) { cfg_parser->cfg->val_date_override = 0; } else if(strlen($2) == 14) { - cfg_parser->cfg->val_date_override = + cfg_parser->cfg->val_date_override = cfg_convert_timeval($2); if(!cfg_parser->cfg->val_date_override) yyerror("bad date/time specification"); @@ -1819,6 +1902,19 @@ server_val_sig_skew_max: VAR_VAL_SIG_SKEW_MAX STRING_ARG free($2); } ; +server_val_max_restart: VAR_VAL_MAX_RESTART STRING_ARG + { + OUTYY(("P(server_val_max_restart:%s)\n", $2)); + if(*$2 == '\0' || strcmp($2, "0") == 0) { + cfg_parser->cfg->val_max_restart = 0; + } else { + cfg_parser->cfg->val_max_restart = atoi($2); + if(!cfg_parser->cfg->val_max_restart) + yyerror("number expected"); + } + free($2); + } + ; server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG { OUTYY(("P(server_cache_max_ttl:%s)\n", $2)); @@ -1860,7 +1956,7 @@ server_val_clean_additional: VAR_VAL_CLEAN_ADDITIONAL STRING_ARG OUTYY(("P(server_val_clean_additional:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->val_clean_additional = + else cfg_parser->cfg->val_clean_additional = (strcmp($2, "yes")==0); free($2); } @@ -1870,7 +1966,7 @@ server_val_permissive_mode: VAR_VAL_PERMISSIVE_MODE STRING_ARG OUTYY(("P(server_val_permissive_mode:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->val_permissive_mode = + else cfg_parser->cfg->val_permissive_mode = (strcmp($2, "yes")==0); free($2); } 
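Review bot: `server_val_max_restart` rejects only a converted result of 0, so `val-max-restart: -3` stores a negative limit and `5x` is accepted as 5, because `atoi` ignores the trailing text. How a negative value behaves in the validator is not visible here, so it is safer to refuse it at parse time: `int v = atoi($2);` followed by `if(v <= 0) yyerror("number expected"); else cfg_parser->cfg->val_max_restart = v;`. `server_outbound_msg_retry` in the `@@ -2403,42 +2508,71 @@` hunk also passes negative numbers through unchecked.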
@@ -2047,9 +2143,9 @@ server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG server_key_cache_slabs: VAR_KEY_CACHE_SLABS STRING_ARG { OUTYY(("P(server_key_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) + if(atoi($2) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->key_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->key_cache_slabs)) yyerror("must be a power of 2"); @@ -2081,7 +2177,7 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG && strcmp($3, "noview")!=0 && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0 && strcmp($3, "inform_redirect") != 0 - && strcmp($3, "ipset") != 0) { + && strcmp($3, "ipset") != 0) { yyerror("local-zone type: expected static, deny, " "refuse, redirect, transparent, " "typetransparent, inform, inform_deny, " @@ -2098,13 +2194,23 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG free($3); #ifdef USE_IPSET } else if(strcmp($3, "ipset")==0) { + size_t len = strlen($2); + /* Make sure to add the trailing dot. + * These are str compared to domain names. */ + if($2[len-1] != '.') { + if(!($2 = realloc($2, len+2))) { + fatal_exit("out of memory adding local-zone"); + } + $2[len] = '.'; + $2[len+1] = 0; + } if(!cfg_strlist_insert(&cfg_parser->cfg-> local_zones_ipset, $2)) fatal_exit("out of memory adding local-zone"); free($3); #endif } else { - if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, + if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, $2, $3)) fatal_exit("out of memory adding local-zone"); } 
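Review bot: In the new `ipset` branch of `server_local_zone`, `$2[len-1]` is read before checking that `len` is non-zero, so an empty zone name (`local-zone: "" ipset`) indexes one byte before the allocation. Other rules in this file compare `$2` with `""`, so an empty `STRING_ARG` appears to be reachable. Guard the test, `if(len == 0 || $2[len-1] != '.') {`, or reject the empty name with `yyerror`. The same code is added to `view_local_zone` in the `@@ -2840,6 +3011,16 @@` hunk. The rule body starts and ends outside this hunk.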
@@ -2312,19 +2418,18 @@ server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG } } ; -server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG - { - OUTYY(("P(server_ip_ratelimit:%s)\n", $2)); +server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG + { + OUTYY(("P(server_ip_ratelimit:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ip_ratelimit = atoi($2); free($2); } ; - -server_ratelimit: VAR_RATELIMIT STRING_ARG - { - OUTYY(("P(server_ratelimit:%s)\n", $2)); +server_ratelimit: VAR_RATELIMIT STRING_ARG + { + OUTYY(("P(server_ratelimit:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ratelimit = atoi($2); @@ -2332,13 +2437,13 @@ server_ratelimit: VAR_RATELIMIT STRING_ARG } ; server_ip_ratelimit_size: VAR_IP_RATELIMIT_SIZE STRING_ARG - { - OUTYY(("P(server_ip_ratelimit_size:%s)\n", $2)); - if(!cfg_parse_memsize($2, &cfg_parser->cfg->ip_ratelimit_size)) - yyerror("memory size expected"); - free($2); - } - ; + { + OUTYY(("P(server_ip_ratelimit_size:%s)\n", $2)); + if(!cfg_parse_memsize($2, &cfg_parser->cfg->ip_ratelimit_size)) + yyerror("memory size expected"); + free($2); + } + ; server_ratelimit_size: VAR_RATELIMIT_SIZE STRING_ARG { OUTYY(("P(server_ratelimit_size:%s)\n", $2)); 
@@ -2348,24 +2453,24 @@ server_ratelimit_size: VAR_RATELIMIT_SIZE STRING_ARG } ; server_ip_ratelimit_slabs: VAR_IP_RATELIMIT_SLABS STRING_ARG - { - OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", $2)); - if(atoi($2) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->ip_ratelimit_slabs = atoi($2); - if(!is_pow2(cfg_parser->cfg->ip_ratelimit_slabs)) - yyerror("must be a power of 2"); - } - free($2); - } - ; + { + OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", $2)); + if(atoi($2) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->ip_ratelimit_slabs = atoi($2); + if(!is_pow2(cfg_parser->cfg->ip_ratelimit_slabs)) + yyerror("must be a power of 2"); + } + free($2); + } + ; server_ratelimit_slabs: VAR_RATELIMIT_SLABS STRING_ARG { OUTYY(("P(server_ratelimit_slabs:%s)\n", $2)); - if(atoi($2) == 0) + if(atoi($2) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->ratelimit_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->ratelimit_slabs)) yyerror("must be a power of 2"); 
@@ -2403,42 +2508,71 @@ server_ratelimit_below_domain: VAR_RATELIMIT_BELOW_DOMAIN STRING_ARG STRING_ARG } } ; -server_ip_ratelimit_factor: VAR_IP_RATELIMIT_FACTOR STRING_ARG - { - OUTYY(("P(server_ip_ratelimit_factor:%s)\n", $2)); - if(atoi($2) == 0 && strcmp($2, "0") != 0) - yyerror("number expected"); - else cfg_parser->cfg->ip_ratelimit_factor = atoi($2); - free($2); +server_ip_ratelimit_factor: VAR_IP_RATELIMIT_FACTOR STRING_ARG + { + OUTYY(("P(server_ip_ratelimit_factor:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->ip_ratelimit_factor = atoi($2); + free($2); } ; -server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG - { - OUTYY(("P(server_ratelimit_factor:%s)\n", $2)); +server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG + { + OUTYY(("P(server_ratelimit_factor:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ratelimit_factor = atoi($2); free($2); } ; -server_low_rtt: VAR_LOW_RTT STRING_ARG - { +server_ip_ratelimit_backoff: VAR_IP_RATELIMIT_BACKOFF STRING_ARG + { + OUTYY(("P(server_ip_ratelimit_backoff:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_ratelimit_backoff = + (strcmp($2, "yes")==0); + free($2); + } + ; +server_ratelimit_backoff: VAR_RATELIMIT_BACKOFF STRING_ARG + { + OUTYY(("P(server_ratelimit_backoff:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ratelimit_backoff = + (strcmp($2, "yes")==0); + free($2); + } + ; +server_outbound_msg_retry: VAR_OUTBOUND_MSG_RETRY STRING_ARG + { + OUTYY(("P(server_outbound_msg_retry:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->outbound_msg_retry = atoi($2); + free($2); + } + ; +server_low_rtt: VAR_LOW_RTT STRING_ARG + { OUTYY(("P(low-rtt option is deprecated, use 
fast-server-num instead)\n")); free($2); } ; -server_fast_server_num: VAR_FAST_SERVER_NUM STRING_ARG - { - OUTYY(("P(server_fast_server_num:%s)\n", $2)); +server_fast_server_num: VAR_FAST_SERVER_NUM STRING_ARG + { + OUTYY(("P(server_fast_server_num:%s)\n", $2)); if(atoi($2) <= 0) yyerror("number expected"); else cfg_parser->cfg->fast_server_num = atoi($2); free($2); } ; -server_fast_server_permil: VAR_FAST_SERVER_PERMIL STRING_ARG - { - OUTYY(("P(server_fast_server_permil:%s)\n", $2)); +server_fast_server_permil: VAR_FAST_SERVER_PERMIL STRING_ARG + { + OUTYY(("P(server_fast_server_permil:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->fast_server_permil = atoi($2); @@ -2450,7 +2584,7 @@ server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG OUTYY(("P(server_qname_minimisation:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->qname_minimisation = + else cfg_parser->cfg->qname_minimisation = (strcmp($2, "yes")==0); free($2); } @@ -2460,7 +2594,7 @@ server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG OUTYY(("P(server_qname_minimisation_strict:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->qname_minimisation_strict = + else cfg_parser->cfg->qname_minimisation_strict = (strcmp($2, "yes")==0); free($2); } 
@@ -2658,17 +2792,27 @@ stub_ssl_upstream: VAR_STUB_SSL_UPSTREAM STRING_ARG OUTYY(("P(stub-ssl-upstream:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->stubs->ssl_upstream = + else cfg_parser->cfg->stubs->ssl_upstream = (strcmp($2, "yes")==0); free($2); } ; +stub_tcp_upstream: VAR_STUB_TCP_UPSTREAM STRING_ARG + { + OUTYY(("P(stub-tcp-upstream:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->stubs->tcp_upstream = + (strcmp($2, "yes")==0); + free($2); + } + ; stub_prime: VAR_STUB_PRIME STRING_ARG { OUTYY(("P(stub-prime:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->stubs->isprime = + else cfg_parser->cfg->stubs->isprime = (strcmp($2, "yes")==0); free($2); } @@ -2720,11 +2864,21 @@ forward_ssl_upstream: VAR_FORWARD_SSL_UPSTREAM STRING_ARG OUTYY(("P(forward-ssl-upstream:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->forwards->ssl_upstream = + else cfg_parser->cfg->forwards->ssl_upstream = (strcmp($2, "yes")==0); free($2); } ; +forward_tcp_upstream: VAR_FORWARD_TCP_UPSTREAM STRING_ARG + { + OUTYY(("P(forward-tcp-upstream:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->forwards->tcp_upstream = + (strcmp($2, "yes")==0); + free($2); + } + ; auth_name: VAR_NAME STRING_ARG { OUTYY(("P(name:%s)\n", $2)); 
@@ -2764,6 +2918,16 @@ auth_allow_notify: VAR_ALLOW_NOTIFY STRING_ARG yyerror("out of memory"); } ; +auth_zonemd_check: VAR_ZONEMD_CHECK STRING_ARG + { + OUTYY(("P(zonemd-check:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->auths->zonemd_check = + (strcmp($2, "yes")==0); + free($2); + } + ; auth_zonemd_reject_absence: VAR_ZONEMD_REJECT_ABSENCE STRING_ARG { OUTYY(("P(zonemd-reject-absence:%s)\n", $2)); @@ -2824,13 +2988,20 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG && strcmp($3, "always_transparent")!=0 && strcmp($3, "always_refuse")!=0 && strcmp($3, "always_nxdomain")!=0 + && strcmp($3, "always_nodata")!=0 + && strcmp($3, "always_deny")!=0 + && strcmp($3, "always_null")!=0 && strcmp($3, "noview")!=0 - && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0) { + && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0 + && strcmp($3, "inform_redirect") != 0 + && strcmp($3, "ipset") != 0) { yyerror("local-zone type: expected static, deny, " "refuse, redirect, transparent, " "typetransparent, inform, inform_deny, " - "always_transparent, always_refuse, " - "always_nxdomain, noview or nodefault"); + "inform_redirect, always_transparent, " + "always_refuse, always_nxdomain, " + "always_nodata, always_deny, always_null, " + "noview, nodefault or ipset"); free($2); free($3); } else if(strcmp($3, "nodefault")==0) { @@ -2840,6 +3011,16 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG free($3); #ifdef USE_IPSET } else if(strcmp($3, "ipset")==0) { + size_t len = strlen($2); + /* Make sure to add the trailing dot. + * These are str compared to domain names. */ + if($2[len-1] != '.') { + if(!($2 = realloc($2, len+2))) { + fatal_exit("out of memory adding local-zone"); + } + $2[len] = '.'; + $2[len+1] = 0; + } if(!cfg_strlist_insert(&cfg_parser->cfg->views-> local_zones_ipset, $2)) fatal_exit("out of memory adding local-zone"); 
@@ -2847,7 +3028,7 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG #endif } else { if(!cfg_str2list_insert( - &cfg_parser->cfg->views->local_zones, + &cfg_parser->cfg->views->local_zones, $2, $3)) fatal_exit("out of memory adding local-zone"); } @@ -2904,11 +3085,11 @@ view_first: VAR_VIEW_FIRST STRING_ARG } ; rcstart: VAR_REMOTE_CONTROL - { - OUTYY(("\nP(remote-control:)\n")); + { + OUTYY(("\nP(remote-control:)\n")); } ; -contents_rc: contents_rc content_rc +contents_rc: contents_rc content_rc | ; content_rc: rc_control_enable | rc_control_interface | rc_control_port | rc_server_key_file | rc_server_cert_file | rc_control_key_file | @@ -2919,7 +3100,7 @@ rc_control_enable: VAR_CONTROL_ENABLE STRING_ARG OUTYY(("P(control_enable:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->remote_control_enable = + else cfg_parser->cfg->remote_control_enable = (strcmp($2, "yes")==0); free($2); } @@ -3158,8 +3339,8 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES } ; pythonstart: VAR_PYTHON - { - OUTYY(("\nP(python:)\n")); + { + OUTYY(("\nP(python:)\n")); } ; contents_py: contents_py content_py 
@@ -3290,44 +3471,44 @@ dnsc_dnscrypt_secret_key: VAR_DNSCRYPT_SECRET_KEY STRING_ARG ; dnsc_dnscrypt_shared_secret_cache_size: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE STRING_ARG { - OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", $2)); - if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_shared_secret_cache_size)) - yyerror("memory size expected"); - free($2); + OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", $2)); + if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_shared_secret_cache_size)) + yyerror("memory size expected"); + free($2); } ; dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG { - OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi($2); - if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs)) - yyerror("must be a power of 2"); - } - free($2); + OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2)); + if(atoi($2) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi($2); + if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs)) + yyerror("must be a power of 2"); + } + free($2); } ; dnsc_dnscrypt_nonce_cache_size: VAR_DNSCRYPT_NONCE_CACHE_SIZE STRING_ARG { - OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", $2)); - if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_nonce_cache_size)) - yyerror("memory size expected"); - free($2); + OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", $2)); + if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_nonce_cache_size)) + yyerror("memory size expected"); + free($2); } ; dnsc_dnscrypt_nonce_cache_slabs: VAR_DNSCRYPT_NONCE_CACHE_SLABS STRING_ARG { - OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi($2); - 
if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs)) - yyerror("must be a power of 2"); - } - free($2); + OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", $2)); + if(atoi($2) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi($2); + if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs)) + yyerror("must be a power of 2"); + } + free($2); } ; cachedbstart: VAR_CACHEDB diff --git a/util/data/msgencode.c b/util/data/msgencode.c index 5f297b551..fe21cfb86 100644 --- a/util/data/msgencode.c +++ b/util/data/msgencode.c @@ -796,7 +796,10 @@ calc_edns_field_size(struct edns_data* edns) struct edns_option* opt; if(!edns || !edns->edns_present) return 0; - for(opt = edns->opt_list; opt; opt = opt->next) { + for(opt = edns->opt_list_inplace_cb_out; opt; opt = opt->next) { + rdatalen += 4 + opt->opt_len; + } + for(opt = edns->opt_list_out; opt; opt = opt->next) { rdatalen += 4 + opt->opt_len; } /* domain root '.' + type + class + ttl + rdatalen */ @@ -827,7 +830,17 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns, rdatapos = sldns_buffer_position(pkt); sldns_buffer_write_u16(pkt, 0); /* rdatalen */ /* write rdata */ - for(opt=edns->opt_list; opt; opt=opt->next) { + for(opt=edns->opt_list_inplace_cb_out; opt; opt=opt->next) { + if (opt->opt_code == LDNS_EDNS_PADDING) { + padding_option = opt; + continue; + } + sldns_buffer_write_u16(pkt, opt->opt_code); + sldns_buffer_write_u16(pkt, opt->opt_len); + if(opt->opt_len != 0) + sldns_buffer_write(pkt, opt->opt_data, opt->opt_len); + } + for(opt=edns->opt_list_out; opt; opt=opt->next) { if (opt->opt_code == LDNS_EDNS_PADDING) { padding_option = opt; continue; @@ -860,8 +873,7 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns, sldns_buffer_skip(pkt, pad_sz); } } - if(edns->opt_list) - sldns_buffer_write_u16_at(pkt, rdatapos, + sldns_buffer_write_u16_at(pkt, rdatapos, sldns_buffer_position(pkt)-rdatapos-2); sldns_buffer_flip(pkt); } 
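Review bot: The option-writing loop in `attach_edns_record_max_msg_sz` is now duplicated verbatim for `opt_list_inplace_cb_out` and `opt_list_out`, and `calc_edns_field_size` in the previous hunk has to mirror the same two lists for the size estimate to stay correct. A small static helper keeps the PADDING deferral in one place, so a later change to the skip rule or an added list cannot be applied to one loop and missed in the other. The sketch assumes `padding_option` is declared and initialised earlier in the function, which starts outside this hunk.

```c
/* Write every option of `list` except PADDING; the last PADDING option
 * seen (or the value passed in) is returned so the caller emits it last. */
static struct edns_option*
write_edns_opt_list(sldns_buffer* pkt, struct edns_option* list,
	struct edns_option* padding_option)
{
	struct edns_option* opt;
	for(opt = list; opt; opt = opt->next) {
		if(opt->opt_code == LDNS_EDNS_PADDING) {
			padding_option = opt;
			continue;
		}
		sldns_buffer_write_u16(pkt, opt->opt_code);
		sldns_buffer_write_u16(pkt, opt->opt_len);
		if(opt->opt_len != 0)
			sldns_buffer_write(pkt, opt->opt_data, opt->opt_len);
	}
	return padding_option;
}

	/* … in attach_edns_record_max_msg_sz, replacing the two loops … */
	padding_option = write_edns_opt_list(pkt,
		edns->opt_list_inplace_cb_out, padding_option);
	padding_option = write_edns_opt_list(pkt,
		edns->opt_list_out, padding_option);
```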
diff --git a/util/data/msgparse.c b/util/data/msgparse.c index 6ee5559db..a600a8c60 100644 --- a/util/data/msgparse.c +++ b/util/data/msgparse.c @@ -37,10 +37,12 @@ * Routines for message parsing a packet buffer to a descriptive structure. */ #include "config.h" +#include "util/config_file.h" #include "util/data/msgparse.h" #include "util/data/msgreply.h" #include "util/data/dname.h" #include "util/data/packed_rrset.h" +#include "util/netevent.h" #include "util/storage/lookup3.h" #include "util/regional.h" #include "sldns/rrdef.h" 
@@ -938,11 +940,40 @@ parse_packet(sldns_buffer* pkt, struct msg_parse* msg, struct regional* region) return 0; } +static int +edns_opt_list_append_keepalive(struct edns_option** list, int msec, + struct regional* region) +{ + uint8_t data[2]; /* For keepalive value */ + data[0] = (uint8_t)((msec >> 8) & 0xff); + data[1] = (uint8_t)(msec & 0xff); + return edns_opt_list_append(list, LDNS_EDNS_KEEPALIVE, sizeof(data), + data, region); +} + /** parse EDNS options from EDNS wireformat rdata */ static int -parse_edns_options(uint8_t* rdata_ptr, size_t rdata_len, - struct edns_data* edns, struct regional* region) +parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, + struct edns_data* edns, struct config_file* cfg, struct comm_point* c, + struct regional* region) { + /* To respond with a Keepalive option, the client connection must have + * received one message with a TCP Keepalive EDNS option, and that + * option must have 0 length data. Subsequent messages sent on that + * connection will have a TCP Keepalive option. + * + * In the if-statement below, the option is added unsolicited. This + * means that the client has sent an KEEPALIVE option earlier. We know + * here this is true, because c->tcp_keepalive is set. + */ + if (cfg && cfg->do_tcp_keepalive && c && c->type != comm_udp && c->tcp_keepalive) { + if(!edns_opt_list_append_keepalive(&edns->opt_list_out, + c->tcp_timeout_msec / 100, region)) { + log_err("out of memory"); + return LDNS_RCODE_SERVFAIL; + } + } + /* while still more options, and have code+len to read */ /* ignores partial content (i.e. rdata len 3) */ while(rdata_len >= 4) { 
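Review bot: `edns_opt_list_append_keepalive` encodes only the low 16 bits of its argument, and the call in this hunk (like the one in the following hunk) passes `c->tcp_timeout_msec / 100`, so a timeout above 6553500 ms wraps to a small advertised value. Clamp before encoding, `if(msec > 0xffff) msec = 0xffff;`, and treat a negative value as 0 if `tcp_timeout_msec` can be negative; its type is not visible here. The parameter name `msec` is also misleading because the value is in units of 100 ms; a name such as `timeout_100ms` and a one-line doc comment on the new static function would make the unit explicit.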
@@ -952,20 +983,81 @@ parse_edns_options(uint8_t* rdata_ptr, size_t rdata_len, rdata_len -= 4; if(opt_len > rdata_len) break; /* option code partial */ - if(!edns_opt_append(edns, region, opt_code, opt_len, - rdata_ptr)) { + + /* handle parse time edns options here */ + switch(opt_code) { + case LDNS_EDNS_NSID: + if (!cfg || !cfg->nsid) + break; + if(!edns_opt_list_append(&edns->opt_list_out, + LDNS_EDNS_NSID, cfg->nsid_len, + cfg->nsid, region)) { + log_err("out of memory"); + return LDNS_RCODE_SERVFAIL; + } + break; + + case LDNS_EDNS_KEEPALIVE: + /* To respond with a Keepalive option, the client + * connection must have received one message with a TCP + * Keepalive EDNS option, and that option must have 0 + * length data. Subsequent messages sent on that + * connection will have a TCP Keepalive option. + * + * This should be the first time the client sends this + * option, so c->tcp_keepalive is not set. + * Besides adding the reply KEEPALIVE option, + * c->tcp_keepalive will be set so that the + * option will be added unsolicited in subsequent + * responses (see the comment above the if-statement + * at the start of this function). 
+ */ + if (!cfg || !cfg->do_tcp_keepalive || !c || + c->type == comm_udp || c->tcp_keepalive) + break; + if(opt_len) { + verbose(VERB_ALGO, "query with bad edns keepalive."); + return LDNS_RCODE_FORMERR; + } + if(!edns_opt_list_append_keepalive(&edns->opt_list_out, + c->tcp_timeout_msec / 100, + region)) { + log_err("out of memory"); + return LDNS_RCODE_SERVFAIL; + } + c->tcp_keepalive = 1; + break; + + case LDNS_EDNS_PADDING: + if(!cfg || !cfg->pad_responses || + !c || c->type != comm_tcp ||!c->ssl) + break; + if(!edns_opt_list_append(&edns->opt_list_out, + LDNS_EDNS_PADDING, + 0, NULL, region)) { + log_err("out of memory"); + return LDNS_RCODE_SERVFAIL; + } + edns->padding_block_size = cfg->pad_responses_block_size; + break; + + default: + break; + } + if(!edns_opt_list_append(&edns->opt_list_in, + opt_code, opt_len, rdata_ptr, region)) { log_err("out of memory"); - return 0; + return LDNS_RCODE_SERVFAIL; } rdata_ptr += opt_len; rdata_len -= opt_len; } - return 1; + return LDNS_RCODE_NOERROR; } int -parse_extract_edns(struct msg_parse* msg, struct edns_data* edns, - struct regional* region) +parse_extract_edns_from_response_msg(struct msg_parse* msg, + struct edns_data* edns, struct regional* region) { struct rrset_parse* rrset = msg->rrset_first; struct rrset_parse* prev = 0; 
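Review bot: The `LDNS_EDNS_NSID` and `LDNS_EDNS_PADDING` cases append to `edns->opt_list_out` once per occurrence of the option in the query, so a query that repeats the option produces one reply option, and one regional allocation, per repeat; only the KEEPALIVE case is guarded, through `c->tcp_keepalive`. The `apply_edns_options` function removed from util/edns.c in this commit used `edns_opt_list_find`, which answered once no matter how often the option appeared. Unless the encoder deduplicates (not visible here), a guard at the top of each case such as `if(edns_opt_list_find(edns->opt_list_out, LDNS_EDNS_NSID)) break;` restores the previous behaviour. The function starts before this hunk.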
@@ -1019,18 +1111,35 @@ parse_extract_edns(struct msg_parse* msg, struct edns_data* edns, edns->edns_version = found->rr_last->ttl_data[1]; edns->bits = sldns_read_uint16(&found->rr_last->ttl_data[2]); edns->udp_size = ntohs(found->rrset_class); - edns->opt_list = NULL; + edns->opt_list_in = NULL; + edns->opt_list_out = NULL; + edns->opt_list_inplace_cb_out = NULL; edns->padding_block_size = 0; /* take the options */ rdata_len = found->rr_first->size-2; rdata_ptr = found->rr_first->ttl_data+6; - if(!parse_edns_options(rdata_ptr, rdata_len, edns, region)) - return 0; + /* while still more options, and have code+len to read */ + /* ignores partial content (i.e. rdata len 3) */ + while(rdata_len >= 4) { + uint16_t opt_code = sldns_read_uint16(rdata_ptr); + uint16_t opt_len = sldns_read_uint16(rdata_ptr+2); + rdata_ptr += 4; + rdata_len -= 4; + if(opt_len > rdata_len) + break; /* option code partial */ + + if(!edns_opt_list_append(&edns->opt_list_in, + opt_code, opt_len, rdata_ptr, region)) { + log_err("out of memory"); + break; + } + rdata_ptr += opt_len; + rdata_len -= opt_len; + } /* ignore rrsigs */ - - return 0; + return LDNS_RCODE_NOERROR; } /** skip RR in packet */ @@ -1060,8 +1169,8 @@ skip_pkt_rrs(sldns_buffer* pkt, int num) } int -parse_edns_from_pkt(sldns_buffer* pkt, struct edns_data* edns, - struct regional* region) +parse_edns_from_query_pkt(sldns_buffer* pkt, struct edns_data* edns, + struct config_file* cfg, struct comm_point* c, struct regional* region) { size_t rdata_len; uint8_t* rdata_ptr; @@ -1093,7 +1202,9 @@ parse_edns_from_pkt(sldns_buffer* pkt, struct edns_data* edns, edns->ext_rcode = sldns_buffer_read_u8(pkt); /* ttl used for bits */ edns->edns_version = sldns_buffer_read_u8(pkt); edns->bits = sldns_buffer_read_u16(pkt); - edns->opt_list = NULL; + edns->opt_list_in = NULL; + edns->opt_list_out = NULL; + edns->opt_list_inplace_cb_out = NULL; edns->padding_block_size = 0; /* take the options */ 
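Review bot: In the option loop added to `parse_extract_edns_from_response_msg`, a failed `edns_opt_list_append` is logged and then `break`s, after which the function returns `LDNS_RCODE_NOERROR` with a partial `opt_list_in`. The query-side parser in this same commit returns `LDNS_RCODE_SERVFAIL` for the same condition, so the difference should either be removed (`return LDNS_RCODE_SERVFAIL;` instead of `break;`) or recorded in a comment, e.g. `/* best effort: keep the options parsed so far */`. The loop is also a copy of the one in `parse_edns_options_from_query` without the switch; a shared helper would keep the length checks in one place. The function starts before this hunk.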
@@ -1101,12 +1212,9 @@ parse_edns_from_pkt(sldns_buffer* pkt, struct edns_data* edns, if(sldns_buffer_remaining(pkt) < rdata_len) return LDNS_RCODE_FORMERR; rdata_ptr = sldns_buffer_current(pkt); - if(!parse_edns_options(rdata_ptr, rdata_len, edns, region)) - return LDNS_RCODE_SERVFAIL; - /* ignore rrsigs */ - - return 0; + return parse_edns_options_from_query(rdata_ptr, rdata_len, edns, cfg, + c, region); } void diff --git a/util/data/msgparse.h b/util/data/msgparse.h index d2fd9c806..4c0559a73 100644 --- a/util/data/msgparse.h +++ b/util/data/msgparse.h @@ -70,6 +70,8 @@ struct rrset_parse; struct rr_parse; struct regional; struct edns_option; +struct config_file; +struct comm_point; /** number of buckets in parse rrset hash table. Must be power of 2. */ #define PARSE_TABLE_SIZE 32 @@ -225,8 +227,15 @@ struct edns_data { uint16_t bits; /** UDP reassembly size. */ uint16_t udp_size; - /** rdata element list, or NULL if none */ - struct edns_option* opt_list; + /** rdata element list of options of an incoming packet created at + * parse time, or NULL if none */ + struct edns_option* opt_list_in; + /** rdata element list of options to encode for outgoing packets, + * or NULL if none */ + struct edns_option* opt_list_out; + /** rdata element list of outgoing edns options from modules + * or NULL if none */ + struct edns_option* opt_list_inplace_cb_out; /** block size to pad */ uint16_t padding_block_size; }; @@ -281,8 +290,8 @@ int parse_packet(struct sldns_buffer* pkt, struct msg_parse* msg, * @return: 0 on success. or an RCODE on an error. * RCODE formerr if OPT in wrong section, and so on. */ -int parse_extract_edns(struct msg_parse* msg, struct edns_data* edns, - struct regional* region); +int parse_extract_edns_from_response_msg(struct msg_parse* msg, + struct edns_data* edns, struct regional* region); /** * If EDNS data follows a query section, extract it and initialize edns struct. 
@@ -290,12 +299,14 @@ int parse_extract_edns(struct msg_parse* msg, struct edns_data* edns, * section. At end, right after EDNS data or no movement if failed. * @param edns: the edns data allocated by the caller. Does not have to be * initialised. + * @param cfg: the configuration (with nsid value etc.) + * @param c: commpoint to determine transport (if needed) * @param region: region to alloc results in (edns option contents) * @return: 0 on success, or an RCODE on error. * RCODE formerr if OPT is badly formatted and so on. */ -int parse_edns_from_pkt(struct sldns_buffer* pkt, struct edns_data* edns, - struct regional* region); +int parse_edns_from_query_pkt(struct sldns_buffer* pkt, struct edns_data* edns, + struct config_file* cfg, struct comm_point* c, struct regional* region); /** * Calculate hash value for rrset in packet. diff --git a/util/data/msgreply.c b/util/data/msgreply.c index 4830b343f..ec46e4724 100644 --- a/util/data/msgreply.c +++ b/util/data/msgreply.c 
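Review bot: The new `@param` lines for `parse_edns_from_query_pkt` understate what the function does with `cfg` and `c`. Going by the implementation in msgparse.c in this commit, both may be NULL (every use is guarded), reply options are added to `edns->opt_list_out` during parsing, and `c->tcp_keepalive` is set when a valid keepalive option is seen. Suggested wording: `@param cfg: the configuration (nsid, keepalive, padding); may be NULL, then no reply options are generated.` and `@param c: commpoint for the transport; may be NULL. c->tcp_keepalive can be set by this call.`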
@@ -166,6 +166,32 @@ reply_info_alloc_rrset_keys(struct reply_info* rep, struct alloc_cache* alloc, return 1; } +struct reply_info * +make_new_reply_info(const struct reply_info* rep, struct regional* region, + size_t an_numrrsets, size_t copy_rrsets) +{ + struct reply_info* new_rep; + size_t i; + + /* create a base struct. we specify 'insecure' security status as + * the modified response won't be DNSSEC-valid. In our faked response + * the authority and additional sections will be empty (except possible + * EDNS0 OPT RR in the additional section appended on sending it out), + * so the total number of RRsets is an_numrrsets. */ + new_rep = construct_reply_info_base(region, rep->flags, + rep->qdcount, rep->ttl, rep->prefetch_ttl, + rep->serve_expired_ttl, an_numrrsets, 0, 0, an_numrrsets, + sec_status_insecure); + if(!new_rep) + return NULL; + if(!reply_info_alloc_rrset_keys(new_rep, NULL, region)) + return NULL; + for(i=0; irrsets[i] = rep->rrsets[i]; + + return new_rep; +} + /** find the minimumttl in the rdata of SOA record */ static time_t soa_find_minttl(struct rr_parse* rr) @@ -196,13 +222,17 @@ rdata_copy(sldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to, * minimum-ttl in the rdata of the SOA record */ if(*rr_ttl > soa_find_minttl(rr)) *rr_ttl = soa_find_minttl(rr); - if(*rr_ttl > MAX_NEG_TTL) - *rr_ttl = MAX_NEG_TTL; } if(!SERVE_ORIGINAL_TTL && (*rr_ttl < MIN_TTL)) *rr_ttl = MIN_TTL; if(!SERVE_ORIGINAL_TTL && (*rr_ttl > MAX_TTL)) *rr_ttl = MAX_TTL; + if(type == LDNS_RR_TYPE_SOA && section == LDNS_SECTION_AUTHORITY) { + /* max neg ttl overrides the min and max ttl of everything + * else, it is for a more specific record */ + if(*rr_ttl > MAX_NEG_TTL) + *rr_ttl = MAX_NEG_TTL; + } if(*rr_ttl < data->ttl) data->ttl = *rr_ttl; 
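Review bot: `make_new_reply_info` does not check `copy_rrsets` against `an_numrrsets` before its copy loop (the loop line is garbled on this page, so its bounds are inferred from the declaration comment in msgreply.h). That comment states the limit only as a caller obligation; since the function is declared in the header for general use, a `log_assert(copy_rrsets <= an_numrrsets);` before the loop would catch a violating caller in debug builds, assuming `log_assert` from util/log.h is in scope here. Checking `copy_rrsets` against `rep->rrset_count` as well would cover the read side of the copy.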
@@ -329,7 +359,10 @@ parse_create_rrset(sldns_buffer* pkt, struct rrset_parse* pset, return 0; /* copy & decompress */ if(!parse_rr_copy(pkt, pset, *data)) { - if(!region) free(*data); + if(!region) { + free(*data); + *data = NULL; + } return 0; } return 1; @@ -394,8 +427,13 @@ parse_copy_decompress_rrset(sldns_buffer* pkt, struct msg_parse* msg, pk->rk.type = htons(pset->type); pk->rk.rrset_class = pset->rrset_class; /** read data part. */ - if(!parse_create_rrset(pkt, pset, &data, region)) + if(!parse_create_rrset(pkt, pset, &data, region)) { + if(!region) { + free(pk->rk.dname); + pk->rk.dname = NULL; + } return 0; + } pk->entry.data = (void*)data; pk->entry.key = (void*)pk; pk->entry.hash = pset->hash; @@ -480,14 +518,13 @@ int reply_info_parse(sldns_buffer* pkt, struct alloc_cache* alloc, if((ret = parse_packet(pkt, msg, region)) != 0) { return ret; } - if((ret = parse_extract_edns(msg, edns, region)) != 0) + if((ret = parse_extract_edns_from_response_msg(msg, edns, region)) != 0) return ret; /* parse OK, allocate return structures */ /* this also performs dname decompression */ if(!parse_create_msg(pkt, msg, alloc, qinf, rep, NULL)) { query_info_clear(qinf); - reply_info_parsedelete(*rep, alloc); *rep = NULL; return LDNS_RCODE_SERVFAIL; } @@ -825,9 +862,15 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep) /* not particularly fast but flexible, make wireformat and print */ sldns_buffer* buf = sldns_buffer_new(65535); struct regional* region = regional_create(); - if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0, + if(!(buf && region)) { + log_err("%s: log_dns_msg: out of memory", str); + sldns_buffer_free(buf); + regional_destroy(region); + return; + } + if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0, region, 65535, 1, 0)) { - log_info("%s: log_dns_msg: out of memory", str); + log_err("%s: log_dns_msg: out of memory", str); } else { char* s = sldns_wire2str_pkt(sldns_buffer_begin(buf), sldns_buffer_limit(buf)); 
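Review bot: In `reply_info_parse`, the failure branch of `parse_create_msg` now sets `*rep = NULL` without calling `reply_info_parsedelete`, and nothing in the hunk says who releases the partially built reply. Presumably `parse_create_msg` cleans up itself on failure, which would make the removed call a double free, but that is not visible here. A comment on the branch, e.g. `/* parse_create_msg has already cleaned up *rep on failure */`, would record the ownership rule that this change and the two earlier hunks in this file (freeing `*data` and `pk->rk.dname` when there is no region) rely on. The function starts and ends outside the hunk.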
@@ -946,34 +989,6 @@ parse_reply_in_temp_region(sldns_buffer* pkt, struct regional* region, return rep; } -int edns_opt_append(struct edns_data* edns, struct regional* region, - uint16_t code, size_t len, uint8_t* data) -{ - struct edns_option** prevp; - struct edns_option* opt; - - /* allocate new element */ - opt = (struct edns_option*)regional_alloc(region, sizeof(*opt)); - if(!opt) - return 0; - opt->next = NULL; - opt->opt_code = code; - opt->opt_len = len; - opt->opt_data = NULL; - if(len > 0) { - opt->opt_data = regional_alloc_init(region, data, len); - if(!opt->opt_data) - return 0; - } - - /* append at end of list */ - prevp = &edns->opt_list; - while(*prevp != NULL) - prevp = &((*prevp)->next); - *prevp = opt; - return 1; -} - int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len, uint8_t* data, struct regional* region) { @@ -1054,7 +1069,7 @@ static int inplace_cb_reply_call_generic( (void)(*(inplace_cb_reply_func_type*)cb->cb)(qinfo, qstate, rep, rcode, edns, &opt_list_out, repinfo, region, start_time, cb->id, cb->cb_arg); } - edns->opt_list = opt_list_out; + edns->opt_list_inplace_cb_out = opt_list_out; return 1; } diff --git a/util/data/msgreply.h b/util/data/msgreply.h index c6b220ed8..81c763fc7 100644 --- a/util/data/msgreply.h +++ b/util/data/msgreply.h 
@@ -382,6 +382,21 @@ struct reply_info* reply_info_copy(struct reply_info* rep, int reply_info_alloc_rrset_keys(struct reply_info* rep, struct alloc_cache* alloc, struct regional* region); +/* + * Create a new reply_info based on 'rep'. The new info is based on + * the passed 'rep', but ignores any rrsets except for the first 'an_numrrsets' + * RRsets in the answer section. These answer rrsets are copied to the + * new info, up to 'copy_rrsets' rrsets (which must not be larger than + * 'an_numrrsets'). If an_numrrsets > copy_rrsets, the remaining rrsets array + * entries will be kept empty so the caller can fill them later. When rrsets + * are copied, they are shallow copied. The caller must ensure that the + * copied rrsets are valid throughout its lifetime and must provide appropriate + * mutex if it can be shared by multiple threads. + */ +struct reply_info * +make_new_reply_info(const struct reply_info* rep, struct regional* region, + size_t an_numrrsets, size_t copy_rrsets); + /** * Copy a parsed rrset into given key, decompressing and allocating rdata. * @param pkt: packet for decompression @@ -503,18 +518,6 @@ void log_reply_info(enum verbosity_value v, struct query_info *qinf, void log_query_info(enum verbosity_value v, const char* str, struct query_info* qinf); -/** - * Append edns option to edns data structure - * @param edns: the edns data structure to append the edns option to. - * @param region: region to allocate the new edns option. - * @param code: the edns option's code. - * @param len: the edns option's length. - * @param data: the edns option's data. - * @return false on failure. - */ -int edns_opt_append(struct edns_data* edns, struct regional* region, - uint16_t code, size_t len, uint8_t* data); - /** * Append edns option to edns option list * @param list: the edns option list to append the edns option to. diff --git a/util/data/packed_rrset.h b/util/data/packed_rrset.h index ff95c0af0..e1feb22bb 100644 --- a/util/data/packed_rrset.h 
+++ b/util/data/packed_rrset.h @@ -61,6 +61,13 @@ typedef uint64_t rrset_id_type; * updated on encoding in a reply. This flag is not expected to be set in * cached data. */ #define PACKED_RRSET_FIXEDTTL 0x80000000 +/** This rrset is from RPZ. It is not real, it is synthesized data to block + * access. The flag makes lookups, from cache in iterator, ignore the fake + * items and only use actual data. Eg. when the iterator looksup NS, CNAME, + * A and AAAA types, it then gets items without this flag that are the + * actual network. But messages with these records in it can be stored in + * the cache and retrieved for a reply. */ +#define PACKED_RRSET_RPZ 0x8 /** number of rrs and rrsets for integer overflow protection. More than * this is not really possible (64K packet has much less RRs and RRsets) in @@ -88,6 +95,7 @@ struct packed_rrset_key { * o PACKED_RRSET_PARENT_SIDE * o PACKED_RRSET_SOA_NEG * o PACKED_RRSET_FIXEDTTL (not supposed to be cached) + * o PACKED_RRSET_RPZ */ uint32_t flags; /** the rrset type in network format */ diff --git a/util/edns.c b/util/edns.c index 84308449c..f55dcb97e 100644 --- a/util/edns.c +++ b/util/edns.c 
@@ -128,53 +128,3 @@ edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr, return (struct edns_string_addr*)addr_tree_lookup(tree, addr, addrlen); } -static int edns_keepalive(struct edns_data* edns_out, struct edns_data* edns_in, - struct comm_point* c, struct regional* region) -{ - if(c->type == comm_udp) - return 1; - - /* To respond with a Keepalive option, the client connection - * must have received one message with a TCP Keepalive EDNS option, - * and that option must have 0 length data. Subsequent messages - * sent on that connection will have a TCP Keepalive option. - */ - if(c->tcp_keepalive || - edns_opt_list_find(edns_in->opt_list, LDNS_EDNS_KEEPALIVE)) { - int keepalive = c->tcp_timeout_msec / 100; - uint8_t data[2]; - data[0] = (uint8_t)((keepalive >> 8) & 0xff); - data[1] = (uint8_t)(keepalive & 0xff); - if(!edns_opt_list_append(&edns_out->opt_list, LDNS_EDNS_KEEPALIVE, - sizeof(data), data, region)) - return 0; - c->tcp_keepalive = 1; - } - return 1; -} - -int apply_edns_options(struct edns_data* edns_out, struct edns_data* edns_in, - struct config_file* cfg, struct comm_point* c, struct regional* region) -{ - if(cfg->do_tcp_keepalive && - !edns_keepalive(edns_out, edns_in, c, region)) - return 0; - - if (cfg->nsid && edns_opt_list_find(edns_in->opt_list, LDNS_EDNS_NSID) - && !edns_opt_list_append(&edns_out->opt_list, - LDNS_EDNS_NSID, cfg->nsid_len, cfg->nsid, region)) - return 0; - - if(!cfg->pad_responses || c->type != comm_tcp || !c->ssl - || !edns_opt_list_find(edns_in->opt_list, LDNS_EDNS_PADDING)) { - ; /* pass */ - } - - else if(!edns_opt_list_append(&edns_out->opt_list, LDNS_EDNS_PADDING - , 0, NULL, region)) - return 0; - else - edns_out->padding_block_size = cfg->pad_responses_block_size; - - return 1; -} diff --git a/util/edns.h b/util/edns.h index 11742eb5b..d9ded0b84 100644 --- a/util/edns.h +++ b/util/edns.h 
@@ -106,16 +106,4 @@ struct edns_string_addr* edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr, socklen_t addrlen); -/** - * Apply common EDNS options. - * - * @param edns_out: initialised edns information with outbound edns. - * @param edns_in: initialised edns information with received edns. - * @param cfg: configuration. - * @param c: comm channel. - * @param region: the region to allocate the edns options in. - */ -int apply_edns_options(struct edns_data* edns_out, struct edns_data* edns_in, - struct config_file* cfg, struct comm_point* c, struct regional* region); - #endif diff --git a/util/fptr_wlist.c b/util/fptr_wlist.c index 2b01e533c..05a22d402 100644 --- a/util/fptr_wlist.c +++ b/util/fptr_wlist.c @@ -138,6 +138,7 @@ fptr_whitelist_comm_timer(void (*fptr)(void*)) else if(fptr == &auth_xfer_probe_timer_callback) return 1; else if(fptr == &auth_xfer_transfer_timer_callback) return 1; else if(fptr == &mesh_serve_expired_callback) return 1; + else if(fptr == &serviced_timer_cb) return 1; #ifdef USE_DNSTAP else if(fptr == &mq_wakeup_cb) return 1; #endif @@ -196,8 +197,6 @@ int fptr_whitelist_pending_udp(comm_point_callback_type *fptr) { if(fptr == &serviced_udp_callback) return 1; - else if(fptr == &worker_handle_reply) return 1; - else if(fptr == &libworker_handle_reply) return 1; return 0; } @@ -205,8 +204,6 @@ int fptr_whitelist_pending_tcp(comm_point_callback_type *fptr) { if(fptr == &serviced_tcp_callback) return 1; - else if(fptr == &worker_handle_reply) return 1; - else if(fptr == &libworker_handle_reply) return 1; return 0; } 
@@ -338,9 +335,10 @@ fptr_whitelist_hash_markdelfunc(lruhash_markdelfunc_type fptr) int fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)( struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t* zone, size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q)) + int nocaps, int check_ratelimit, struct sockaddr_storage* addr, + socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, + int ssl_upstream, char* tls_auth_name, struct module_qstate* q, + int* was_ratelimited)) { if(fptr == &worker_send_query) return 1; else if(fptr == &libworker_send_query) return 1; diff --git a/util/fptr_wlist.h b/util/fptr_wlist.h index cd331febb..a0d986755 100644 --- a/util/fptr_wlist.h +++ b/util/fptr_wlist.h @@ -211,9 +211,10 @@ int fptr_whitelist_hash_markdelfunc(lruhash_markdelfunc_type fptr); */ int fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)( struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t* zone, size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q)); + int nocaps, int check_ratelimit, struct sockaddr_storage* addr, + socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, + int ssl_upstream, char* tls_auth_name, struct module_qstate* q, + int* was_ratelimited)); /** * Check function pointer whitelist for module_env detach_subs callback values. diff --git a/util/iana_ports.inc b/util/iana_ports.inc index 60bf59115..c7662dc62 100644 --- a/util/iana_ports.inc +++ b/util/iana_ports.inc @@ -2499,6 +2499,7 @@ 2870, 2871, 2872, +2873, 2874, 2875, 2876, @@ -3783,6 +3784,7 @@ 4308, 4309, 4310, +4319, 4320, 4321, 4322, @@ -4053,7 +4055,6 @@ 5026, 5027, 5029, -5030, 5031, 5042, 5043, @@ -4244,6 +4245,7 @@ 5504, 5505, 5506, +5540, 5553, 5554, 5555, 
@@ -5377,6 +5379,7 @@ 30999, 31016, 31029, +31337, 31416, 31457, 31620, diff --git a/util/mini_event.c b/util/mini_event.c index 661d88d2e..c05dc668c 100644 --- a/util/mini_event.c +++ b/util/mini_event.c @@ -337,6 +337,15 @@ int event_del(struct event* ev) FD_CLR(FD_SET_T ev->ev_fd, &ev->ev_base->writes); FD_CLR(FD_SET_T ev->ev_fd, &ev->ev_base->ready); FD_CLR(FD_SET_T ev->ev_fd, &ev->ev_base->content); + if(ev->ev_fd == ev->ev_base->maxfd) { + int i = ev->ev_base->maxfd - 1; + for (; i > 3; i--) { + if (NULL != ev->ev_base->fds[i]) { + break; + } + } + ev->ev_base->maxfd = i; + } } ev->added = 0; return 0; diff --git a/util/module.h b/util/module.h index 81a31a9cc..1ae7477cb 100644 --- a/util/module.h +++ b/util/module.h @@ -350,14 +350,18 @@ struct module_env { * EDNS, the answer is likely to be useless for this domain. * @param nocaps: do not use caps_for_id, use the qname as given. * (ignored if caps_for_id is disabled). + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param addr: where to. * @param addrlen: length of addr. * @param zone: delegation point name. * @param zonelen: length of zone name. + * @param tcp_upstream: use TCP for upstream queries. * @param ssl_upstream: use SSL for upstream queries. * @param tls_auth_name: if ssl_upstream, use this name with TLS * authentication. - * @param q: wich query state to reactivate upon return. + * @param q: which query state to reactivate upon return. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return: false on failure (memory or socket related). no query was * sent. Or returns an outbound entry with qsent and qstate set. * This outbound_entry will be used on later module invocations 
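Review bot: In the `event_del` hunk of util/mini_event.c, the scan for the new `maxfd` stops at `i > 3`, so `maxfd` never drops below 3, and the literal is not explained. A short comment on the loop, e.g. `/* find next highest fd in use; never go below 3 (assumed floor used at base setup, confirm) */`, or a named constant shared with wherever `maxfd` is initialised, would make the lower bound verifiable. The function starts before this hunk.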
@@ -365,9 +369,10 @@ struct module_env { */ struct outbound_entry* (*send_query)(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t* zone, size_t zonelen, int ssl_upstream, - char* tls_auth_name, struct module_qstate* q); + uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, + char* tls_auth_name, struct module_qstate* q, int* was_ratelimited); /** * Detach-subqueries. @@ -662,6 +667,8 @@ struct module_qstate { /** Extended result of response-ip action processing, mainly * for logging purposes. */ struct respip_action_info* respip_action_info; + /** if the query is rpz passthru, no further rpz processing for it */ + int rpz_passthru; /** whether the reply should be dropped */ int is_drop; diff --git a/util/net_help.c b/util/net_help.c index bcc8d34bd..8bef56890 100644 --- a/util/net_help.c +++ b/util/net_help.c @@ -38,6 +38,15 @@ */ #include "config.h" +#ifdef HAVE_SYS_TYPES_H +# include +#endif +#ifdef HAVE_NET_IF_H +#include +#endif +#ifdef HAVE_NETIOAPI_H +#include +#endif #include "util/net_help.h" #include "util/log.h" #include "util/data/dname.h" @@ -46,6 +55,7 @@ #include "util/config_file.h" #include "sldns/parseutil.h" #include "sldns/wire2str.h" +#include "sldns/str2wire.h" #include #ifdef HAVE_OPENSSL_SSL_H #include @@ -266,7 +276,10 @@ ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, return 0; (void)strlcpy(buf, ip, sizeof(buf)); buf[s-ip]=0; - sa->sin6_scope_id = (uint32_t)atoi(s+1); +#ifdef HAVE_IF_NAMETOINDEX + if (!(sa->sin6_scope_id = if_nametoindex(s+1))) +#endif /* HAVE_IF_NAMETOINDEX */ + sa->sin6_scope_id = (uint32_t)atoi(s+1); ip = buf; } if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) { 
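Review bot: In the `ipstrtoaddr` hunk, when `if_nametoindex(s+1)` returns 0 the code falls back to `atoi(s+1)`, which also returns 0 for any non-numeric text, so a mistyped interface name after `%` becomes scope id 0 without an error. Parsing the fallback strictly, e.g. `char* e; long id = strtol(s+1, &e, 10);` followed by `if(e == s+1 || *e != 0) return 0;` and `sa->sin6_scope_id = (uint32_t)id;`, lets the function reject a zone id that is neither a known interface nor a number. The function starts and ends outside the hunk.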
@@ -467,6 +480,42 @@ int authextstrtoaddr(char* str, struct sockaddr_storage* addr, return ipstrtoaddr(str, port, addr, addrlen); } +uint8_t* authextstrtodname(char* str, int* port, char** auth_name) +{ + char* s; + uint8_t* dname; + size_t dname_len; + *port = UNBOUND_DNS_PORT; + *auth_name = NULL; + if((s=strchr(str, '@'))) { + char* hash = strchr(s+1, '#'); + if(hash) { + *auth_name = hash+1; + } else { + *auth_name = NULL; + } + *port = atoi(s+1); + if(*port == 0) { + if(!hash && strcmp(s+1,"0")!=0) + return 0; + if(hash && strncmp(s+1,"0#",2)!=0) + return 0; + } + *s = 0; + dname = sldns_str2wire_dname(str, &dname_len); + *s = '@'; + } else if((s=strchr(str, '#'))) { + *port = UNBOUND_DNS_OVER_TLS_PORT; + *auth_name = s+1; + *s = 0; + dname = sldns_str2wire_dname(str, &dname_len); + *s = '#'; + } else { + dname = sldns_str2wire_dname(str, &dname_len); + } + return dname; +} + /** store port number into sockaddr structure */ void sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port) @@ -881,13 +930,19 @@ log_cert(unsigned level, const char* str, void* cert) BIO_write(bio, &nul, (int)sizeof(nul)); len = BIO_get_mem_data(bio, &pp); if(len != 0 && pp) { + /* reduce size of cert printout */ + char* s; + while((s=strstr(pp, " "))!=NULL) + memmove(s, s+1, strlen(s+1)+1); + while((s=strstr(pp, "\t\t"))!=NULL) + memmove(s, s+1, strlen(s+1)+1); verbose(level, "%s: \n%s", str, pp); } BIO_free(bio); } #endif /* HAVE_SSL */ -#if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) +#if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) static int alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* ATTR_UNUSED(arg)) 
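Review bot: `authextstrtodname` stores `atoi(s+1)` in `*port` without a range check, so a negative value or one above 65535 is handed back to the caller as a valid port. Adding `if(*port < 0 || *port > 65535) return 0;` directly after the `atoi` call rejects it; at that point `*s` has not yet been overwritten, so the input string is still intact on the early return. The existing zero check only distinguishes a literal "0" from unparsable text and does not cover trailing garbage after the digits.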
@@ -945,9 +1000,12 @@ listen_sslctx_setup(void* ctxt) } #endif #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) + /* if we detect system-wide crypto policies, use those */ + if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) { /* if we have sha256, set the cipher list to have no known vulns */ - if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) - log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); + if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) + log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); + } #endif if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) & @@ -1172,6 +1230,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert) if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); + SSL_CTX_free(ctx); return 0; } #endif diff --git a/util/net_help.h b/util/net_help.h index 45b607a43..4dd398460 100644 --- a/util/net_help.h +++ b/util/net_help.h @@ -42,6 +42,7 @@ #ifndef NET_HELP_H #define NET_HELP_H #include "util/log.h" +#include "util/random.h" struct sock_list; struct regional; struct config_strlist; 
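Review bot: In `listen_sslctx_setup`, the new `access("/etc/crypto-policies/config", F_OK)` test skips the built-in cipher list whenever that file exists, but the file's presence does not show that the linked OpenSSL actually loads the policy (inside a chroot or a container image, for instance), in which case the listener runs with the library defaults. Logging the decision, e.g. `verbose(VERB_ALGO, "system crypto-policies config found, not setting cipher list");`, lets an operator confirm which cipher configuration is in effect. The function starts and ends outside the hunk.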
@@ -76,8 +77,6 @@ struct config_strlist; /** timeout in milliseconds for UDP queries to auth servers. */ #define UDP_AUTH_QUERY_TIMEOUT 3000 -/** timeout in milliseconds for TCP queries to auth servers. */ -#define TCP_AUTH_QUERY_TIMEOUT 3000 /** Advertised version of EDNS capabilities */ #define EDNS_ADVERTISED_VERSION 0 /** Advertised size of EDNS capabilities */ @@ -94,6 +93,9 @@ extern uint16_t EDNS_ADVERTISED_SIZE; /** DNSKEY secure entry point, KSK flag */ #define DNSKEY_BIT_SEP 0x0001 +/** return a random 16-bit number given a random source */ +#define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff) + /** minimal responses when positive answer */ extern int MINIMAL_RESPONSES; 
@@ -208,17 +210,30 @@ int netblockstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, /** * Convert address string, with "@port" appendix, to sockaddr. * It can also have an "#tls-auth-name" appendix (after the port). - * The returned tls-auth-name string is a pointer into the input string. - * Uses DNS port by default. + * The returned auth_name string is a pointer into the input string. + * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured. * @param str: the string * @param addr: where to store sockaddr. * @param addrlen: length of stored sockaddr is returned. * @param auth_name: returned pointer to tls_auth_name, or NULL if none. * @return 0 on error. */ -int authextstrtoaddr(char* str, struct sockaddr_storage* addr, +int authextstrtoaddr(char* str, struct sockaddr_storage* addr, socklen_t* addrlen, char** auth_name); +/** + * Convert domain string, with "@port" appendix, to dname. + * It can also have an "#tls-auth-name" appendix (after the port). + * The return port is the parsed port. + * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured. + * The returned auth_name string is a pointer into the input string. + * @param str: the string + * @param port: pointer to be assigned the parsed port value. + * @param auth_name: returned pointer to tls_auth_name, or NULL if none. + * @return pointer to the dname. + */ +uint8_t* authextstrtodname(char* str, int* port, char** auth_name); + /** * Store port number into sockaddr structure * @param addr: sockaddr structure, ip4 or ip6. diff --git a/util/netevent.c b/util/netevent.c index a5ea46229..f6fb8c242 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -299,6 +299,8 @@ udp_send_errno_needs_log(struct sockaddr* addr, socklen_t addrlen) # ifdef ENETDOWN case ENETDOWN: # endif + case EPERM: + case EACCES: if(verbosity < VERB_ALGO) return 0; default: 
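Review bot: The doc comment for `authextstrtodname` says `@return pointer to the dname` but not that 0 is returned on a parse error (the implementation in net_help.c returns 0 for an unparsable port), nor who owns the returned buffer. Suggested: `@return pointer to the dname (presumably malloced, to be freed by the caller; confirm), or NULL on error.` It is also worth stating under `@param str` that the string is modified temporarily during parsing, since the non-const `char*` parameter is the only hint.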
@@ -816,6 +818,7 @@ setup_tcp_handler(struct comm_point* c, int fd, int cur, int max) #endif c->tcp_is_reading = 1; c->tcp_byte_count = 0; + c->tcp_keepalive = 0; /* if more than half the tcp handlers are in use, use a shorter * timeout for this TCP connection, we need to make space for * other connections to be able to get attention */ @@ -941,7 +944,16 @@ int comm_point_perform_accept(struct comm_point* c, #ifdef USE_WINSOCK static long win_bio_cb(BIO *b, int oper, const char* ATTR_UNUSED(argp), - int ATTR_UNUSED(argi), long argl, long retvalue) +#ifdef HAVE_BIO_SET_CALLBACK_EX + size_t ATTR_UNUSED(len), +#endif + int ATTR_UNUSED(argi), long argl, +#ifndef HAVE_BIO_SET_CALLBACK_EX + long retvalue +#else + int retvalue, size_t* ATTR_UNUSED(processed) +#endif + ) { int wsa_err = WSAGetLastError(); /* store errcode before it is gone */ verbose(VERB_ALGO, "bio_cb %d, %s %s %s", oper, @@ -971,9 +983,17 @@ comm_point_tcp_win_bio_cb(struct comm_point* c, void* thessl) { SSL* ssl = (SSL*)thessl; /* set them both just in case, but usually they are the same BIO */ +#ifdef HAVE_BIO_SET_CALLBACK_EX + BIO_set_callback_ex(SSL_get_rbio(ssl), &win_bio_cb); +#else BIO_set_callback(SSL_get_rbio(ssl), &win_bio_cb); +#endif BIO_set_callback_arg(SSL_get_rbio(ssl), (char*)c->ev->ev); +#ifdef HAVE_BIO_SET_CALLBACK_EX + BIO_set_callback_ex(SSL_get_wbio(ssl), &win_bio_cb); +#else BIO_set_callback(SSL_get_wbio(ssl), &win_bio_cb); +#endif BIO_set_callback_arg(SSL_get_wbio(ssl), (char*)c->ev->ev); } #endif @@ -1035,6 +1055,7 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg) /* clear leftover flags from previous use, and then set the * correct event base for the event structure for libevent */ ub_event_free(c_hdl->ev->ev); + c_hdl->ev->ev = NULL; if((c_hdl->type == comm_tcp && c_hdl->tcp_req_info) || c_hdl->type == comm_local || c_hdl->type == comm_raw) c_hdl->tcp_do_toggle_rw = 0; 
@@ -1091,6 +1112,7 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg) /* grab the tcp handler buffers */ c->cur_tcp_count++; c->tcp_free = c_hdl->tcp_free; + c_hdl->tcp_free = NULL; if(!c->tcp_free) { /* stop accepting incoming queries for now. */ comm_point_stop_listening(c); @@ -1112,9 +1134,11 @@ reclaim_tcp_handler(struct comm_point* c) } comm_point_close(c); if(c->tcp_parent) { - c->tcp_parent->cur_tcp_count--; - c->tcp_free = c->tcp_parent->tcp_free; - c->tcp_parent->tcp_free = c; + if(c != c->tcp_parent->tcp_free) { + c->tcp_parent->cur_tcp_count--; + c->tcp_free = c->tcp_parent->tcp_free; + c->tcp_parent->tcp_free = c; + } if(!c->tcp_free) { /* re-enable listening on accept socket */ comm_point_start_listening(c->tcp_parent, -1, -1); @@ -1122,6 +1146,8 @@ reclaim_tcp_handler(struct comm_point* c) } c->tcp_more_read_again = NULL; c->tcp_more_write_again = NULL; + c->tcp_byte_count = 0; + sldns_buffer_clear(c->buffer); } /** do the callback when writing is done */ 
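Review bot: The new guard `if(c != c->tcp_parent->tcp_free)` in reclaim_tcp_handler only recognises a handler that is already at the head of the parent's free list. A handler reclaimed a second time while it sits deeper in the list would still decrement `cur_tcp_count` again and be relinked, so the accounting that limits concurrent TCP handlers depends on an invariant the code does not state. A comment on the guard, for example `/* c is already on the free list (at its head): do not count or link it twice */`, plus a sentence on why the deeper case cannot occur, would make that reviewable. The same guard is added to reclaim_http_handler later in this file's diff, and both function bodies start outside their hunks.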
@@ -1183,23 +1209,22 @@ squelch_err_ssl_handshake(unsigned long err) { if(verbosity >= VERB_QUERY) return 0; /* only squelch on low verbosity */ - /* this is very specific, we could filter on ERR_GET_REASON() - * (the third element in ERR_PACK) */ - if(err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTPS_PROXY_REQUEST) || - err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST) || - err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER) || - err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE) + if(ERR_GET_LIB(err) == ERR_LIB_SSL && + (ERR_GET_REASON(err) == SSL_R_HTTPS_PROXY_REQUEST || + ERR_GET_REASON(err) == SSL_R_HTTP_REQUEST || + ERR_GET_REASON(err) == SSL_R_WRONG_VERSION_NUMBER || + ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE #ifdef SSL_F_TLS_POST_PROCESS_CLIENT_HELLO - || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER) + || ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER #endif #ifdef SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO - || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL) - || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL) + || ERR_GET_REASON(err) == SSL_R_UNKNOWN_PROTOCOL + || ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL # ifdef SSL_R_VERSION_TOO_LOW - || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_VERSION_TOO_LOW) + || ERR_GET_REASON(err) == SSL_R_VERSION_TOO_LOW # endif #endif - ) + )) return 1; return 0; } @@ -1213,7 +1238,7 @@ ssl_handshake(struct comm_point* c) int r; if(c->ssl_shake_state == comm_ssl_shake_hs_read) { /* read condition satisfied back to writing */ - comm_point_listen_for_rw(c, 1, 1); + comm_point_listen_for_rw(c, 0, 1); c->ssl_shake_state = comm_ssl_shake_none; return 1; } 
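Review bot: In squelch_err_ssl_handshake the optional reasons are still guarded by `#ifdef SSL_F_TLS_POST_PROCESS_CLIENT_HELLO` and `#ifdef SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO`, although the rewritten condition no longer uses any function code. On a build where those `SSL_F_*` macros are not defined, the `SSL_R_NO_SHARED_CIPHER`, `SSL_R_UNKNOWN_PROTOCOL` and `SSL_R_UNSUPPORTED_PROTOCOL` tests drop out of the filter and those handshake failures are logged again at low verbosity. Guarding on the macro that is actually used keeps the two in step, e.g. `#ifdef SSL_R_NO_SHARED_CIPHER` in front of `|| ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER`, and likewise for the other reasons.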
@@ -1270,7 +1295,11 @@ ssl_handshake(struct comm_point* c) if((SSL_get_verify_mode(c->ssl)&SSL_VERIFY_PEER)) { /* verification */ if(SSL_get_verify_result(c->ssl) == X509_V_OK) { +#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE + X509* x = SSL_get1_peer_certificate(c->ssl); +#else X509* x = SSL_get_peer_certificate(c->ssl); +#endif if(!x) { log_addr(VERB_ALGO, "SSL connection failed: " "no certificate", @@ -1296,7 +1325,11 @@ ssl_handshake(struct comm_point* c) #endif X509_free(x); } else { +#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE + X509* x = SSL_get1_peer_certificate(c->ssl); +#else X509* x = SSL_get_peer_certificate(c->ssl); +#endif if(x) { log_cert(VERB_ALGO, "peer certificate", x); X509_free(x); @@ -1313,6 +1346,7 @@ ssl_handshake(struct comm_point* c) c->repinfo.addrlen); } +#ifdef HAVE_SSL_GET0_ALPN_SELECTED /* check if http2 use is negotiated */ if(c->type == comm_http && c->h2_session) { const unsigned char *alpn; @@ -1324,13 +1358,14 @@ ssl_handshake(struct comm_point* c) c->use_h2 = 1; } } +#endif /* setup listen rw correctly */ if(c->tcp_is_reading) { if(c->ssl_shake_state != comm_ssl_shake_read) comm_point_listen_for_rw(c, 1, 0); } else { - comm_point_listen_for_rw(c, 1, 1); + comm_point_listen_for_rw(c, 0, 1); } c->ssl_shake_state = comm_ssl_shake_none; return 1; @@ -1361,7 +1396,9 @@ ssl_handle_read(struct comm_point* c) return tcp_req_info_handle_read_close(c->tcp_req_info); return 0; /* shutdown, closed */ } else if(want == SSL_ERROR_WANT_READ) { +#ifdef USE_WINSOCK ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); +#endif return 1; /* read more later */ } else if(want == SSL_ERROR_WANT_WRITE) { c->ssl_shake_state = comm_ssl_shake_hs_write; 
@@ -1409,7 +1446,9 @@ ssl_handle_read(struct comm_point* c) return tcp_req_info_handle_read_close(c->tcp_req_info); return 0; /* shutdown, closed */ } else if(want == SSL_ERROR_WANT_READ) { +#ifdef USE_WINSOCK ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); +#endif return 1; /* read more later */ } else if(want == SSL_ERROR_WANT_WRITE) { c->ssl_shake_state = comm_ssl_shake_hs_write; @@ -1502,7 +1541,9 @@ ssl_handle_write(struct comm_point* c) comm_point_listen_for_rw(c, 1, 0); return 1; /* wait for read condition */ } else if(want == SSL_ERROR_WANT_WRITE) { +#ifdef USE_WINSOCK ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE); +#endif return 1; /* write more later */ } else if(want == SSL_ERROR_SYSCALL) { #ifdef EPIPE @@ -1552,7 +1593,9 @@ ssl_handle_write(struct comm_point* c) comm_point_listen_for_rw(c, 1, 0); return 1; /* wait for read condition */ } else if(want == SSL_ERROR_WANT_WRITE) { +#ifdef USE_WINSOCK ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE); +#endif return 1; /* write more later */ } else if(want == SSL_ERROR_SYSCALL) { #ifdef EPIPE @@ -1708,7 +1751,8 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) (int)sldns_buffer_limit(c->buffer)); } - log_assert(sldns_buffer_remaining(c->buffer) > 0); + if(sldns_buffer_remaining(c->buffer) == 0) + log_err("in comm_point_tcp_handle_read buffer_remaining is not > 0 as expected, continuing with (harmless) 0 length recv"); r = recv(fd, (void*)sldns_buffer_current(c->buffer), sldns_buffer_remaining(c->buffer), 0); if(r == 0) { 
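Review bot: In comm_point_tcp_handle_read the replacement for the assert lets a zero-length `recv` go ahead, and on a stream socket that call returns 0, which the next test `if(r == 0)` cannot tell apart from the peer closing the connection. The body of that branch is outside the hunk, so the outcome is inferred, but "harmless" in the message only holds if dropping into the closed-connection path is what is intended. I would make the outcome explicit instead of relying on recv, e.g. `if(sldns_buffer_remaining(c->buffer) == 0) { log_err("..."); return 0; }` using whatever return value this function uses to give up on the connection, or add a comment saying the `r == 0` path is deliberate.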
@@ -1842,13 +1886,22 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c) if(errno == EINTR || errno == EAGAIN) return 1; /* Not handling EISCONN here as shouldn't ever hit that case.*/ - if(errno != EPIPE && errno != 0 && verbosity < 2) - return 0; /* silence lots of chatter in the logs */ - if(errno != EPIPE && errno != 0) { + if(errno != EPIPE +#ifdef EOPNOTSUPP + /* if /proc/sys/net/ipv4/tcp_fastopen is + * disabled on Linux, sendmsg may return + * 'Operation not supported', if so + * fallthrough to ordinary connect. */ + && errno != EOPNOTSUPP +#endif + && errno != 0) { + if(verbosity < 2) + return 0; /* silence lots of chatter in the logs */ log_err_addr("tcp sendmsg", strerror(errno), &c->repinfo.addr, c->repinfo.addrlen); return 0; } + verbose(VERB_ALGO, "tcp sendmsg for fastopen failed (with %s), try normal connect", strerror(errno)); /* fallthrough to nonFASTOPEN * (MSG_FASTOPEN on Linux 3 produces EPIPE) * we need to perform connect() */ @@ -2181,9 +2234,11 @@ reclaim_http_handler(struct comm_point* c) } comm_point_close(c); if(c->tcp_parent) { - c->tcp_parent->cur_tcp_count--; - c->tcp_free = c->tcp_parent->tcp_free; - c->tcp_parent->tcp_free = c; + if(c != c->tcp_parent->tcp_free) { + c->tcp_parent->cur_tcp_count--; + c->tcp_free = c->tcp_parent->tcp_free; + c->tcp_parent->tcp_free = c; + } if(!c->tcp_free) { /* re-enable listening on accept socket */ comm_point_start_listening(c->tcp_parent, -1, -1); @@ -3937,11 +3992,13 @@ comm_point_close(struct comm_point* c) /* close fd after removing from event lists, or epoll.. is messed up */ if(c->fd != -1 && !c->do_not_close) { +#ifdef USE_WINSOCK if(c->type == comm_tcp || c->type == comm_http) { /* delete sticky events for the fd, it gets closed */ ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE); } +#endif verbose(VERB_ALGO, "close fd %d", c->fd); sock_close(c->fd); } 
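Review bot: The new `verbose(VERB_ALGO, "tcp sendmsg for fastopen failed (with %s), try normal connect", strerror(errno))` line in comm_point_tcp_handle_write is also reached when `errno` is 0, because the preceding condition lets `errno == 0` through to the fallthrough path. In that case the log reports a failure together with the text for "no error", which is misleading when reading traces of connection setup. Printing the line only for a real error, `if(errno != 0) verbose(VERB_ALGO, ...);`, keeps the message accurate. The enclosing function starts and continues outside the hunk.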
@@ -4042,7 +4099,6 @@ comm_point_send_reply(struct comm_reply *repinfo) } repinfo->c->h2_stream = NULL; repinfo->c->tcp_is_reading = 0; - sldns_buffer_clear(repinfo->c->buffer); comm_point_stop_listening(repinfo->c); comm_point_start_listening(repinfo->c, -1, adjusted_tcp_timeout(repinfo->c)); @@ -4119,6 +4175,10 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec) c->timeout->tv_sec = msec/1000; c->timeout->tv_usec = (msec%1000)*1000; #endif /* S_SPLINT_S */ + } else { + if(msec == 0 || !c->timeout) { + ub_event_del_bits(c->ev->ev, UB_EV_TIMEOUT); + } } if(c->type == comm_tcp || c->type == comm_http) { ub_event_del_bits(c->ev->ev, UB_EV_READ|UB_EV_WRITE); @@ -4143,6 +4203,7 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec) } if(ub_event_add(c->ev->ev, msec==0?NULL:c->timeout) != 0) { log_err("event_add failed. in cpsl."); + return; } c->event_added = 1; } @@ -4156,11 +4217,15 @@ void comm_point_listen_for_rw(struct comm_point* c, int rd, int wr) } c->event_added = 0; } + if(!c->timeout) { + ub_event_del_bits(c->ev->ev, UB_EV_TIMEOUT); + } ub_event_del_bits(c->ev->ev, UB_EV_READ|UB_EV_WRITE); if(rd) ub_event_add_bits(c->ev->ev, UB_EV_READ); if(wr) ub_event_add_bits(c->ev->ev, UB_EV_WRITE); if(ub_event_add(c->ev->ev, c->timeout) != 0) { log_err("event_add failed. in cplf."); + return; } c->event_added = 1; } diff --git a/util/netevent.h b/util/netevent.h index c79f99b3e..9f4d28ba9 100644 --- a/util/netevent.h +++ b/util/netevent.h @@ -743,7 +743,7 @@ struct comm_signal* comm_signal_create(struct comm_base* base, void (*callback)(int, void*), void* cb_arg); /** - * Bind signal struct to catch a signal. A signle comm_signal can be bound + * Bind signal struct to catch a signal. A single comm_signal can be bound * to multiple signals, calling comm_signal_bind multiple times. * @param comsig: the communication point, with callback information. * @param sig: signal number. 
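Review bot: The added `return;` after `log_err("event_add failed. in cpsl.")` in comm_point_start_listening, and the matching one after `"event_add failed. in cplf."` in comm_point_listen_for_rw, leave the comm point with neither an event nor a timeout registered, and both functions return void so no caller can react. If nothing else closes the connection, its fd and TCP handler slot stay occupied, which counts against the handler limit; that is inferred, since the callers are not in the hunk. I would add a comment at both sites stating what is expected to reclaim the point, e.g. `/* event not registered: c stays idle until the caller closes or reclaims it */`, or report the failure to the caller in a follow-up. Both function bodies start outside their hunks.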
diff --git a/util/regional.c b/util/regional.c index bd67ecf50..93e911c5e 100644 --- a/util/regional.c +++ b/util/regional.c @@ -103,6 +103,8 @@ regional_create_custom_large_object(size_t size, size_t large_object_size) struct regional* regional_create_custom(size_t size) { + if(size < sizeof(struct regional)) + size = sizeof(struct regional); return regional_create_custom_large_object(size, REGIONAL_LARGE_OBJECT_SIZE); } diff --git a/util/shm_side/shm_main.c b/util/shm_side/shm_main.c index af8c5bcf3..6fd1f5ea6 100644 --- a/util/shm_side/shm_main.c +++ b/util/shm_side/shm_main.c @@ -130,6 +130,7 @@ int shm_main_init(struct daemon* daemon) /* Just release memory unused */ free(daemon->shm_info); + daemon->shm_info = NULL; return 0; } @@ -143,6 +144,7 @@ int shm_main_init(struct daemon* daemon) /* Just release memory unused */ free(daemon->shm_info); + daemon->shm_info = NULL; return 0; } @@ -156,6 +158,7 @@ int shm_main_init(struct daemon* daemon) /* Just release memory unused */ free(daemon->shm_info); + daemon->shm_info = NULL; return 0; } @@ -170,6 +173,7 @@ int shm_main_init(struct daemon* daemon) /* Just release memory unused */ free(daemon->shm_info); + daemon->shm_info = NULL; return 0; } @@ -210,6 +214,8 @@ void shm_main_shutdown(struct daemon* daemon) if (daemon->shm_info->ptr_arr) shmdt(daemon->shm_info->ptr_arr); + free(daemon->shm_info); + daemon->shm_info = NULL; #else (void)daemon; #endif /* HAVE_SHMGET */ @@ -275,7 +281,7 @@ void shm_main_run(struct worker *worker) shm_stat->mem.subnet = 0; #ifdef CLIENT_SUBNET shm_stat->mem.subnet = (long long)mod_get_mem(&worker->env, - "subnet"); + "subnetcache"); #endif /* ipsecmod mem value is available in shm, also when not enabled, * to make the struct easier to memmap by other applications, diff --git a/util/storage/lookup3.c b/util/storage/lookup3.c index bb25eb433..c4026626c 100644 --- a/util/storage/lookup3.c +++ b/util/storage/lookup3.c 
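Review bot: The size clamp is added to `regional_create_custom` only, while `regional_create_custom_large_object`, named in the hunk header with its body not shown, takes the same `size` argument and can be called directly. Unless that function already rejects a `size` below `sizeof(struct regional)`, moving the two added lines `if(size < sizeof(struct regional))` / `size = sizeof(struct regional);` into it would cover both entry points, and `regional_create_custom` would then need no check of its own.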
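Review bot: With `daemon->shm_info = NULL;` now set on every error return of shm_main_init, the context line `if (daemon->shm_info->ptr_arr)` in shm_main_shutdown dereferences a null pointer if shutdown runs after a failed init, or runs a second time now that shutdown itself frees and clears the pointer. The start of shm_main_shutdown is outside the hunk, so an existing guard may already cover this. If it does not, `if(!daemon->shm_info) return;` before the first dereference makes the new clearing safe.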
@@ -53,21 +53,69 @@ on 1 byte), but shoehorning those bytes into integers efficiently is messy. #include "util/storage/lookup3.h" #include /* defines printf for tests */ #include /* defines time_t for timings in the test */ -/*#include defines uint32_t etc (from config.h) */ -#include /* attempt to define endianness */ -#ifdef HAVE_SYS_TYPES_H -# include /* attempt to define endianness (solaris) */ -#endif -#if defined(linux) || defined(__OpenBSD__) + +/* + * If our build system provides endianness info, signalled by + * HAVE_TARGET_ENDIANNESS and the presence or absence of TARGET_IS_BIG_ENDIAN, + * use that. Otherwise try to work out the endianness. + */ +#if defined(HAVE_TARGET_ENDIANNESS) +# if defined(TARGET_IS_BIG_ENDIAN) +# define HASH_LITTLE_ENDIAN 0 +# define HASH_BIG_ENDIAN 1 +# else +# define HASH_LITTLE_ENDIAN 1 +# define HASH_BIG_ENDIAN 0 +# endif +#else +# include /* attempt to define endianness */ +# ifdef HAVE_SYS_TYPES_H +# include /* attempt to define endianness (solaris) */ +# endif +# if defined(linux) || defined(__OpenBSD__) # ifdef HAVE_ENDIAN_H # include /* attempt to define endianness */ # else # include /* on older OpenBSD */ # endif -#endif -#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) -#include /* attempt to define endianness */ -#endif +# endif +# if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) +# include /* attempt to define endianness */ +# endif + /* + * My best guess at if you are big-endian or little-endian. This may + * need adjustment. 
+ */ +# if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \ + __BYTE_ORDER == __LITTLE_ENDIAN) || \ + (defined(i386) || defined(__i386__) || defined(__i486__) || \ + defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86)) +# define HASH_LITTLE_ENDIAN 1 +# define HASH_BIG_ENDIAN 0 +# elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \ + __BYTE_ORDER == __BIG_ENDIAN) || \ + (defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel)) +# define HASH_LITTLE_ENDIAN 0 +# define HASH_BIG_ENDIAN 1 +# elif defined(_MACHINE_ENDIAN_H_) + /* test for machine_endian_h protects failure if some are empty strings */ +# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN +# define HASH_LITTLE_ENDIAN 0 +# define HASH_BIG_ENDIAN 1 +# endif +# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN +# define HASH_LITTLE_ENDIAN 1 +# define HASH_BIG_ENDIAN 0 +# endif /* _MACHINE_ENDIAN_H_ */ +# else +# define HASH_LITTLE_ENDIAN 0 +# define HASH_BIG_ENDIAN 0 +# endif +#endif /* defined(HAVE_TARGET_ENDIANNESS) */ + +#define hashsize(n) ((uint32_t)1<<(n)) +#define hashmask(n) (hashsize(n)-1) +#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k)))) /* random initial value */ static uint32_t raninit = (uint32_t)0xdeadbeef; 
@@ -78,40 +126,6 @@ hash_set_raninit(uint32_t v) raninit = v; } -/* - * My best guess at if you are big-endian or little-endian. This may - * need adjustment. - */ -#if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \ - __BYTE_ORDER == __LITTLE_ENDIAN) || \ - (defined(i386) || defined(__i386__) || defined(__i486__) || \ - defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86)) -# define HASH_LITTLE_ENDIAN 1 -# define HASH_BIG_ENDIAN 0 -#elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \ - __BYTE_ORDER == __BIG_ENDIAN) || \ - (defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel)) -# define HASH_LITTLE_ENDIAN 0 -# define HASH_BIG_ENDIAN 1 -#elif defined(_MACHINE_ENDIAN_H_) -/* test for machine_endian_h protects failure if some are empty strings */ -# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN -# define HASH_LITTLE_ENDIAN 0 -# define HASH_BIG_ENDIAN 1 -# endif -# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN -# define HASH_LITTLE_ENDIAN 1 -# define HASH_BIG_ENDIAN 0 -# endif /* _MACHINE_ENDIAN_H_ */ -#else -# define HASH_LITTLE_ENDIAN 0 -# define HASH_BIG_ENDIAN 0 -#endif - -#define hashsize(n) ((uint32_t)1<<(n)) -#define hashmask(n) (hashsize(n)-1) -#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k)))) - /* ------------------------------------------------------------------------------- mix -- mix 3 32-bit values reversibly. diff --git a/util/tube.c b/util/tube.c index dc6e3c2e7..40556e720 100644 --- a/util/tube.c +++ b/util/tube.c @@ -363,7 +363,11 @@ int tube_read_msg(struct tube* tube, uint8_t** buf, uint32_t* len, } d += r; } - log_assert(*len < 65536*2); + if (*len >= 65536*2) { + log_err("tube msg length %u is too big", (unsigned)*len); + (void)fd_set_nonblock(fd); + return 0; + } *buf = (uint8_t*)malloc(*len); if(!*buf) { log_err("tube read out of memory"); 
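Review bot: The new check in tube_read_msg bounds `*len` from above only, so a length of 0 read from the tube still reaches `malloc(*len)`, where an implementation may return NULL and the code then logs "tube read out of memory" for what is really an empty message. Whether a zero-length message is legal on this channel is not visible in the hunk; if it is not, the test can cover both ends with `if (*len == 0 || *len >= 65536*2) {`. Giving `65536*2` a name would also help, since the limit now defines what input is accepted rather than what is asserted.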
diff --git a/util/ub_event.c b/util/ub_event.c index 68f633bb0..8cd87ec4e 100644 --- a/util/ub_event.c +++ b/util/ub_event.c @@ -1,5 +1,5 @@ /* - * util/ub_event.c - directly call libevent (compatability) functions + * util/ub_event.c - directly call libevent (compatibility) functions * * Copyright (c) 2007, NLnet Labs. All rights reserved. * diff --git a/util/ub_event_pluggable.c b/util/ub_event_pluggable.c index 235bba6ba..4280d4db1 100644 --- a/util/ub_event_pluggable.c +++ b/util/ub_event_pluggable.c @@ -666,7 +666,8 @@ ub_winsock_tcp_wouldblock(struct ub_event* ev, int eventbits) fptr_ok(ev->vmt != &default_event_vmt || ev->vmt->winsock_tcp_wouldblock == my_winsock_tcp_wouldblock); - (*ev->vmt->winsock_tcp_wouldblock)(ev, eventbits); + if (ev->vmt->winsock_tcp_wouldblock) + (*ev->vmt->winsock_tcp_wouldblock)(ev, eventbits); } } diff --git a/validator/autotrust.c b/validator/autotrust.c index 7ce07e0d8..96776a1f5 100644 --- a/validator/autotrust.c +++ b/validator/autotrust.c @@ -1077,6 +1077,17 @@ trustanchor_state2str(autr_state_type s) return " UNKNOWN "; } +/** ctime r for autotrust */ +static char* autr_ctime_r(time_t* t, char* s) +{ + ctime_r(t, s); +#ifdef USE_WINSOCK + if(strlen(s) > 10 && s[7]==' ' && s[8]=='0') + s[8]=' '; /* fix error in windows ctime */ +#endif + return s; +} + /** print ID to file */ static int print_id(FILE* out, char* fname, uint8_t* nm, size_t nmlen, uint16_t dclass) 
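Review bot: `autr_ctime_r` discards the return value of `ctime_r`, which is NULL when the time cannot be converted and then leaves `s` with unspecified contents; the helper still returns `s`, the callers in the following hunks print it with `%s`, and the USE_WINSOCK branch calls `strlen(s)` on it first. The timestamps involved are stored in the autotrust file, so an out-of-range value is presumably reachable from on-disk data. Checking the result keeps the buffer defined, e.g. `if(!ctime_r(t, s)) { s[0] = '\n'; s[1] = 0; }`, which also preserves the trailing newline that the `;;last_queried: %u ;;%s` style format strings rely on.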
@@ -1123,13 +1134,13 @@ autr_write_contents(FILE* out, char* fn, struct trust_anchor* tp) } if(fprintf(out, ";;last_queried: %u ;;%s", (unsigned int)tp->autr->last_queried, - ctime_r(&(tp->autr->last_queried), tmi)) < 0 || + autr_ctime_r(&(tp->autr->last_queried), tmi)) < 0 || fprintf(out, ";;last_success: %u ;;%s", (unsigned int)tp->autr->last_success, - ctime_r(&(tp->autr->last_success), tmi)) < 0 || + autr_ctime_r(&(tp->autr->last_success), tmi)) < 0 || fprintf(out, ";;next_probe_time: %u ;;%s", (unsigned int)tp->autr->next_probe_time, - ctime_r(&(tp->autr->next_probe_time), tmi)) < 0 || + autr_ctime_r(&(tp->autr->next_probe_time), tmi)) < 0 || fprintf(out, ";;query_failed: %d\n", (int)tp->autr->query_failed)<0 || fprintf(out, ";;query_interval: %d\n", (int)tp->autr->query_interval) < 0 || @@ -1160,7 +1171,7 @@ autr_write_contents(FILE* out, char* fn, struct trust_anchor* tp) ";;lastchange=%u ;;%s", str, (int)ta->s, trustanchor_state2str(ta->s), (int)ta->pending_count, (unsigned int)ta->last_change, - ctime_r(&(ta->last_change), tmi)) < 0) { + autr_ctime_r(&(ta->last_change), tmi)) < 0) { log_err("could not write to %s: %s", fn, strerror(errno)); free(str); return 0; @@ -1192,13 +1203,8 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp) #else llvalue = (unsigned long long)tp; #endif -#ifndef USE_WINSOCK - snprintf(tempf, sizeof(tempf), "%s.%d-%d-%llx", fname, (int)getpid(), + snprintf(tempf, sizeof(tempf), "%s.%d-%d-" ARG_LL "x", fname, (int)getpid(), env->worker?*(int*)env->worker:0, llvalue); -#else - snprintf(tempf, sizeof(tempf), "%s.%d-%d-%I64x", fname, (int)getpid(), - env->worker?*(int*)env->worker:0, llvalue); -#endif #endif /* S_SPLINT_S */ verbose(VERB_ALGO, "autotrust: write to disk: %s", tempf); out = fopen(tempf, "w"); 
@@ -1579,6 +1585,7 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve, for(ds_idx=0; ds_idxlast_change, buf); + (void)autr_ctime_r(&ta->last_change, buf); if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */ log_info("[%s] %s ;;state:%d ;;pending_count:%d%s%s last:%s", trustanchor_state2str(ta->s), str, ta->s, ta->pending_count, @@ -2289,13 +2297,13 @@ autr_debug_print_tp(struct trust_anchor* tp) log_packed_rrset(NO_VERBOSE, "DNSKEY:", tp->dnskey_rrset); } log_info("file %s", tp->autr->file); - ctime_r(&tp->autr->last_queried, buf); + (void)autr_ctime_r(&tp->autr->last_queried, buf); if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */ log_info("last_queried: %u %s", (unsigned)tp->autr->last_queried, buf); - ctime_r(&tp->autr->last_success, buf); + (void)autr_ctime_r(&tp->autr->last_success, buf); if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */ log_info("last_success: %u %s", (unsigned)tp->autr->last_success, buf); - ctime_r(&tp->autr->next_probe_time, buf); + (void)autr_ctime_r(&tp->autr->next_probe_time, buf); if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */ log_info("next_probe_time: %u %s", (unsigned)tp->autr->next_probe_time, buf); @@ -2364,7 +2372,9 @@ probe_anchor(struct module_env* env, struct trust_anchor* tp) edns.ext_rcode = 0; edns.edns_version = 0; edns.bits = EDNS_DO; - edns.opt_list = NULL; + edns.opt_list_in = NULL; + edns.opt_list_out = NULL; + edns.opt_list_inplace_cb_out = NULL; edns.padding_block_size = 0; if(sldns_buffer_capacity(buf) < 65535) edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); @@ -2382,7 +2392,7 @@ probe_anchor(struct module_env* env, struct trust_anchor* tp) qinfo.qclass); if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, - &probe_answer_cb, env)) { + &probe_answer_cb, env, 0)) { log_err("out of memory making 5011 probe"); } } diff --git a/validator/val_anchor.c b/validator/val_anchor.c index 9b6574c5d..b1a54e1f0 100644 --- a/validator/val_anchor.c +++ b/validator/val_anchor.c 
@@ -971,7 +971,8 @@ anchors_dnskey_unsupported(struct trust_anchor* ta) { size_t i, num = 0; for(i=0; inumDNSKEY; i++) { - if(!dnskey_algo_is_supported(ta->dnskey_rrset, i)) + if(!dnskey_algo_is_supported(ta->dnskey_rrset, i) || + !dnskey_size_is_supported(ta->dnskey_rrset, i)) num++; } return num; @@ -1048,6 +1049,10 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) const char** zstr; char* nm; sldns_buffer* parsebuf = sldns_buffer_new(65535); + if(!parsebuf) { + log_err("malloc error in anchors_apply_cfg."); + return 0; + } if(cfg->insecure_lan_zones) { for(zstr = as112_zones; *zstr; zstr++) { if(!anchor_insert_insecure(anchors, *zstr)) { diff --git a/validator/val_nsec.c b/validator/val_nsec.c index 032d2ae03..a4e5b3137 100644 --- a/validator/val_nsec.c +++ b/validator/val_nsec.c @@ -180,6 +180,7 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve, { struct packed_rrset_data* d = (struct packed_rrset_data*) nsec->entry.data; + if(!d) return 0; if(d->security == sec_status_secure) return 1; rrset_check_sec_status(env->rrset_cache, nsec, *env->now); diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index a4d020143..7abf66f01 100644 --- a/validator/val_secalgo.c +++ b/validator/val_secalgo.c 
@@ -513,29 +513,13 @@ static int setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, unsigned char* key, size_t keylen) { -#if defined(USE_DSA) && defined(USE_SHA1) - DSA* dsa; -#endif - RSA* rsa; - switch(algo) { #if defined(USE_DSA) && defined(USE_SHA1) case LDNS_DSA: case LDNS_DSA_NSEC3: - *evp_key = EVP_PKEY_new(); + *evp_key = sldns_key_dsa2pkey_raw(key, keylen); if(!*evp_key) { - log_err("verify: malloc failure in crypto"); - return 0; - } - dsa = sldns_key_buf2dsa_raw(key, keylen); - if(!dsa) { - verbose(VERB_QUERY, "verify: " - "sldns_key_buf2dsa_raw failed"); - return 0; - } - if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { - verbose(VERB_QUERY, "verify: " - "EVP_PKEY_assign_DSA failed"); + verbose(VERB_QUERY, "verify: sldns_key_dsa2pkey failed"); return 0; } #ifdef HAVE_EVP_DSS1 @@ -558,20 +542,9 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) case LDNS_RSASHA512: #endif - *evp_key = EVP_PKEY_new(); + *evp_key = sldns_key_rsa2pkey_raw(key, keylen); if(!*evp_key) { - log_err("verify: malloc failure in crypto"); - return 0; - } - rsa = sldns_key_buf2rsa_raw(key, keylen); - if(!rsa) { - verbose(VERB_QUERY, "verify: " - "sldns_key_buf2rsa_raw SHA failed"); - return 0; - } - if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { - verbose(VERB_QUERY, "verify: " - "EVP_PKEY_assign_RSA SHA failed"); + verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey SHA failed"); return 0; } 
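Review bot: After this refactor every failure of `sldns_key_dsa2pkey_raw` and `sldns_key_rsa2pkey_raw` in setup_key_digest is reported through `verbose(VERB_QUERY, ...)`, including the allocation failure that the removed code reported with `log_err("verify: malloc failure in crypto")`. Unless the helpers log that case themselves, which is not visible here, running out of memory during signature verification no longer shows up at default verbosity. The messages also name `sldns_key_dsa2pkey` and `sldns_key_rsa2pkey` rather than the `_raw` functions actually called, which makes the log harder to match to the code. The same applies to the LDNS_RSAMD5 case in the next hunk.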
@@ -595,20 +568,9 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */ case LDNS_RSAMD5: - *evp_key = EVP_PKEY_new(); + *evp_key = sldns_key_rsa2pkey_raw(key, keylen); if(!*evp_key) { - log_err("verify: malloc failure in crypto"); - return 0; - } - rsa = sldns_key_buf2rsa_raw(key, keylen); - if(!rsa) { - verbose(VERB_QUERY, "verify: " - "sldns_key_buf2rsa_raw MD5 failed"); - return 0; - } - if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { - verbose(VERB_QUERY, "verify: " - "EVP_PKEY_assign_RSA MD5 failed"); + verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey MD5 failed"); return 0; } *digest_type = EVP_md5(); diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c index 14e13da06..b15fba3f4 100644 --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c 
@@ -386,6 +386,49 @@ int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset, dnskey_idx)); } +int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset, + size_t dnskey_idx) +{ +#ifdef DEPRECATE_RSA_1024 + uint8_t* rdata; + size_t len; + int alg = dnskey_get_algo(dnskey_rrset, dnskey_idx); + size_t keysize; + + rrset_get_rdata(dnskey_rrset, dnskey_idx, &rdata, &len); + if(len < 2+4) + return 0; + keysize = sldns_rr_dnskey_key_size_raw(rdata+2+4, len-2-4, alg); + + switch((sldns_algorithm)alg) { + case LDNS_RSAMD5: + case LDNS_RSASHA1: + case LDNS_RSASHA1_NSEC3: + case LDNS_RSASHA256: + case LDNS_RSASHA512: + /* reject RSA keys of 1024 bits and shorter */ + if(keysize <= 1024) + return 0; + break; + default: + break; + } +#else + (void)dnskey_rrset; (void)dnskey_idx; +#endif /* DEPRECATE_RSA_1024 */ + return 1; +} + +int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset) +{ + size_t i, num = rrset_get_count(dnskey_rrset); + for(i=0; iname); else snprintf(herr, sizeof(herr), "%d", - (int)ds_get_digest_algo(ds_rrset, i)); + (int)ds_get_digest_algo(ds_rrset, 0)); lt = sldns_lookup_by_id(sldns_algorithms, - (int)ds_get_key_algo(ds_rrset, i)); + (int)ds_get_key_algo(ds_rrset, 0)); if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name); else snprintf(aerr, sizeof(aerr), "%d", - (int)ds_get_key_algo(ds_rrset, i)); + (int)ds_get_key_algo(ds_rrset, 0)); verbose(VERB_ALGO, "DS unsupported, hash %s %s, " "key algorithm %s %s", herr, (ds_digest_algo_is_supported(ds_rrset, 0)? diff --git a/validator/validator.c b/validator/validator.c index e12180b4b..e6307284f 100644 --- a/validator/validator.c +++ b/validator/validator.c 
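Review bot: The definition of `dnskey_size_is_supported` carries no comment saying what a 0 result means for validation, and that matters because the val_anchor.c hunk counts such keys together with keys of an unsupported algorithm. If other callers treat "size unsupported" the same way, a zone signed only with RSA keys of 1024 bits or less would be handled like one with no usable algorithm rather than as a validation failure; that is inferred, not shown in this hunk. A comment such as `/** returns 0 for RSA keys of 1024 bits or less when DEPRECATE_RSA_1024 is defined; such keys are then treated as unsupported */` would record the policy. The `2+4` offset, used three times, would read better as a named constant with a note on which rdata fields it skips.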
@@ -137,9 +137,10 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env, val_env->date_override = cfg->val_date_override; val_env->skew_min = cfg->val_sig_skew_min; val_env->skew_max = cfg->val_sig_skew_max; + val_env->max_restart = cfg->val_max_restart; c = cfg_count_numbers(cfg->val_nsec3_key_iterations); if(c < 1 || (c&1)) { - log_err("validator: unparseable or odd nsec3 key " + log_err("validator: unparsable or odd nsec3 key " "iterations: %s", cfg->val_nsec3_key_iterations); return 0; } @@ -483,7 +484,7 @@ generate_keytag_query(struct module_qstate* qstate, int id, return 0; } - /* Not interrested in subquery response. Restore the ext_state, + /* Not interested in subquery response. Restore the ext_state, * that might be changed by generate_request() */ qstate->ext_state[id] = ext_state; @@ -1487,7 +1488,7 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq, enum val_classification subtype = val_classify_response( qstate->query_flags, &qstate->qinfo, &vq->qchase, vq->orig_msg->rep, vq->rrset_skip); - if(vq->restart_count > VAL_MAX_RESTART_COUNT) { + if(vq->restart_count > ve->max_restart) { verbose(VERB_ALGO, "restart count exceeded"); return val_error(qstate, id); } @@ -1640,7 +1641,7 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq, errinf(qstate, key_entry_get_reason(vq->key_entry)); } /* no retries, stop bothering the authority until timeout */ - vq->restart_count = VAL_MAX_RESTART_COUNT; + vq->restart_count = ve->max_restart; vq->chase_reply->security = sec_status_bogus; vq->state = VAL_FINISHED_STATE; return 1; @@ -1848,7 +1849,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq, LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class); vq->chase_reply->security = sec_status_bogus; errinf(qstate, "while building chain of trust"); - if(vq->restart_count >= VAL_MAX_RESTART_COUNT) + if(vq->restart_count >= ve->max_restart) key_cache_insert(ve->kcache, vq->key_entry, qstate); return 1; } 
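Review bot: `val_env->max_restart = cfg->val_max_restart;` in val_apply_cfg copies the configured value without a range check, unlike the nsec3 iteration list validated just below it. With a negative value the new test `vq->restart_count > ve->max_restart` in processInit is true on the first pass and the query ends in `val_error`, while a very large value removes the bound on re-fetching after bogus answers that the removed constant `VAL_MAX_RESTART_COUNT 5` provided. If the config parser does not already bound the value, which is not visible here, add a check such as `if(cfg->val_max_restart < 0) { log_err("validator: val_max_restart is negative"); return 0; }`. The remaining `VAL_MAX_RESTART_COUNT` replacements in the following hunks depend on the same value.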
@@ -2064,7 +2065,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq, * endless bogus revalidation */ if(vq->orig_msg->rep->security == sec_status_bogus) { /* see if we can try again to fetch data */ - if(vq->restart_count < VAL_MAX_RESTART_COUNT) { + if(vq->restart_count < ve->max_restart) { int restart_count = vq->restart_count+1; verbose(VERB_ALGO, "validation failed, " "blacklist and retry to fetch data"); @@ -2605,6 +2606,7 @@ process_ds_response(struct module_qstate* qstate, struct val_qstate* vq, int id, int rcode, struct dns_msg* msg, struct query_info* qinfo, struct sock_list* origin) { + struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; struct key_entry_key* dske = NULL; uint8_t* olds = vq->empty_DS_name; vq->empty_DS_name = NULL; @@ -2638,7 +2640,7 @@ process_ds_response(struct module_qstate* qstate, struct val_qstate* vq, vq->chain_blacklist = NULL; /* fresh blacklist for next part*/ /* Keep the forState.state on FINDKEY. */ } else if(key_entry_isbad(dske) - && vq->restart_count < VAL_MAX_RESTART_COUNT) { + && vq->restart_count < ve->max_restart) { vq->empty_DS_name = olds; val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1); qstate->errinf = NULL; @@ -2691,7 +2693,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq, /* bad response */ verbose(VERB_DETAIL, "Missing DNSKEY RRset in response to " "DNSKEY query."); - if(vq->restart_count < VAL_MAX_RESTART_COUNT) { + if(vq->restart_count < ve->max_restart) { val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1); qstate->errinf = NULL; @@ -2730,7 +2732,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq, * state. */ if(!key_entry_isgood(vq->key_entry)) { if(key_entry_isbad(vq->key_entry)) { - if(vq->restart_count < VAL_MAX_RESTART_COUNT) { + if(vq->restart_count < ve->max_restart) { val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1); qstate->errinf = NULL; 
@@ -2807,7 +2809,7 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq, lock_basic_unlock(&ta->lock); if(vq->key_entry) { if(key_entry_isbad(vq->key_entry) - && vq->restart_count < VAL_MAX_RESTART_COUNT) { + && vq->restart_count < ve->max_restart) { val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1); qstate->errinf = NULL; diff --git a/validator/validator.h b/validator/validator.h index 35da1920a..a97eab25b 100644 --- a/validator/validator.h +++ b/validator/validator.h @@ -64,14 +64,11 @@ struct config_strlist; */ #define BOGUS_KEY_TTL 60 /* seconds */ -/** max number of query restarts, number of IPs to probe */ -#define VAL_MAX_RESTART_COUNT 5 - /** Root key sentinel is ta preamble */ #define SENTINEL_IS "root-key-sentinel-is-ta-" /** Root key sentinel is not ta preamble */ #define SENTINEL_NOT "root-key-sentinel-not-ta-" -/** Root key sentinal keytag length */ +/** Root key sentinel keytag length */ #define SENTINEL_KEYTAG_LEN 5 /** @@ -95,6 +92,9 @@ struct val_env { /** clock skew max for signatures */ int32_t skew_max; + /** max number of query restarts, number of IPs to probe */ + int32_t max_restart; + /** TTL for bogus data; used instead of untrusted TTL from data. * Bogus data will not be verified more often than this interval. * seconds. */