Merge branch 'master' of https://github.com/NLnetLabs/unbound into restart_conf

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,41 @@
+---
+name: Bug report
+about: Create a report to help us improve Unbound
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!--
+Thanks for taking the time to report an issue!
+
+Before continuing please make sure that you checked the existing (opened and closed) issues and pull requests to avoid opening a duplicate issue. We would rather prefer to add the information to the existing one. If you are able, feel free to reopen the closed issue afterwards. If not, please create a new issue linking to the old one.
+
+If you rather have a support question and you need guidance on running/configuring Unbound, please refrain from opening an issue and use the community support mailing list instead (https://www.nlnetlabs.nl/support/mailing-lists/).
+We would like to keep GitHub issues for possible bugs and feature requests only.
+
+If you are unsure whether an issue is a bug or not, feel free to reach out to mailing list users or open an issue here.
+
+If you are opening an issue, please complete as much of the following sections as possible to give us a better understanding of your situation.
+-->
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To reproduce**
+Steps to reproduce the behavior:
+1.
+2.
+3.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**System:**
+ - Unbound version:
+ - OS:
+ - `unbound -V` output:
+
+**Additional information**
+Add any other information that you may have gathered about the issue here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,31 @@
+---
+name: Feature request
+about: Suggest an idea for Unbound
+title: "[FR]"
+labels: ''
+assignees: ''
+
+---
+
+<!--
+Thanks for taking the time to report an issue!
+
+Before continuing please make sure that you checked the existing (opened and closed) issues and pull requests to avoid opening a duplicate issue. We would rather prefer to add the information to the existing one. If you are able, feel free to reopen the closed issue afterwards. If not, please create a new issue linking to the old one.
+
+If you rather have a support question and you need guidance on running/configuring Unbound, please refrain from opening an issue and use the community support mailing list instead (https://www.nlnetlabs.nl/support/mailing-lists/).
+We would like to keep GitHub issues for possible bugs and feature requests only.
+
+If you are unsure whether an issue is a bug or not, feel free to reach out to mailing list users or open an issue here.
+
+If you are opening an issue, please complete as much of the following sections as possible to give us a better understanding of your situation.
+-->
+
+**Current behavior**
+Is there a current behavior that the feature relates to?
+If yes, would you wish the current behavior to change?
+
+**Describe the desired feature**
+A clear and concise description of what the feature should be.
+
+**Potential use-case**
+Describe how you see this feature being useful to other Unbound users.

.github/workflows/analysis_ports.yml

@@ -0,0 +1,346 @@
+name: Analysis and Ports
+
+on:
+  workflow_dispatch:
+    inputs:
+      start:
+        description: 'Start analysis and port workflow'
+        default: 'yes'
+        required: true
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - name: GCC on Linux
+            os: ubuntu-latest
+            config: "--enable-debug --disable-flto"
+            make_test: "yes"
+          - name: Clang-analyzer
+            os: ubuntu-latest
+            config: "CC=clang --enable-debug --disable-flto --disable-static"
+            make_test: "yes"
+            clang_analysis: "yes"
+          - name: libevent
+            os: ubuntu-latest
+            install_libevent: "yes"
+            config: "CC=clang --enable-debug --disable-flto --with-libevent --disable-static"
+            make_test: "yes"
+            clang_analysis: "yes"
+          - name: OS X
+            os: macos-latest
+            install_expat: "yes"
+            config: "--enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat"
+            make_test: "yes"
+          - name: Clang on OS X
+            os: macos-latest
+            install_expat: "yes"
+            config: "CC=clang --enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat --disable-static"
+            make_test: "yes"
+            clang_analysis: "yes"
+          - name: ubsan (gcc undefined behaviour sanitizer)
+            os: ubuntu-latest
+            config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover=all" --disable-flto --disable-static'
+            make_test: "yes"
+          - name: asan (gcc address sanitizer)
+            os: ubuntu-latest
+            config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static'
+            make_test: "yes"
+          - name: Apple iPhone on iOS, armv7
+            os: macos-latest
+            AUTOTOOLS_HOST: armv7-apple-ios
+            OPENSSL_HOST: ios-cross
+            IOS_SDK: iPhoneOS
+            IOS_CPU: armv7s
+            test_ios: "yes"
+            config: "no"
+            make: "no"
+          - name: Apple iPhone on iOS, arm64
+            os: macos-latest
+            AUTOTOOLS_HOST: aarch64-apple-ios
+            OPENSSL_HOST: ios64-cross
+            IOS_SDK: iPhoneOS
+            IOS_CPU: arm64
+            test_ios: "yes"
+            config: "no"
+            make: "no"
+          - name: Apple TV on iOS, arm64
+            os: macos-latest
+            AUTOTOOLS_HOST: aarch64-apple-ios
+            OPENSSL_HOST: ios64-cross
+            IOS_SDK: AppleTVOS
+            IOS_CPU: arm64
+            test_ios: "yes"
+            config: "no"
+            make: "no"
+          - name: Apple Watch on iOS, armv7
+            os: macos-latest
+            AUTOTOOLS_HOST: armv7-apple-ios
+            OPENSSL_HOST: ios-cross
+            IOS_SDK: WatchOS
+            IOS_CPU: armv7k
+            test_ios: "yes"
+            config: "no"
+            make: "no"
+          - name: iPhoneSimulator on OS X, i386
+            os: macos-latest
+            AUTOTOOLS_HOST: i386-apple-ios
+            OPENSSL_HOST: iphoneos-cross
+            IOS_SDK: iPhoneSimulator
+            IOS_CPU: i386
+            test_ios: "yes"
+            config: "no"
+            make: "no"
+          - name: iPhoneSimulator on OS X, x86_64
+            os: macos-latest
+            AUTOTOOLS_HOST: x86_64-apple-ios
+            OPENSSL_HOST: iphoneos-cross
+            IOS_SDK: iPhoneSimulator
+            IOS_CPU: x86_64
+            test_ios: "yes"
+            config: "no"
+            make: "no"
+          - name: AppleTVSimulator on OS X, x86_64
+            os: macos-latest
+            AUTOTOOLS_HOST: x86_64-apple-ios
+            OPENSSL_HOST: iphoneos-cross
+            IOS_SDK: AppleTVSimulator
+            IOS_CPU: x86_64
+            test_ios: "yes"
+            config: "no"
+            make: "no"
+          - name: WatchSimulator on OS X, i386
+            os: macos-latest
+            AUTOTOOLS_HOST: i386-apple-ios
+            OPENSSL_HOST: iphoneos-cross
+            IOS_SDK: WatchSimulator
+            IOS_CPU: i386
+            test_ios: "yes"
+            config: "no"
+            make: "no"
+          - name: Android armv7a
+            os: ubuntu-latest
+            AUTOTOOLS_HOST: armv7a-linux-androidabi
+            OPENSSL_HOST: android-arm
+            ANDROID_CPU: armv7a
+            ANDROID_API: 23
+            test_android: "yes"
+            config: "no"
+            make: "no"
+          - name: Android aarch64
+            os: ubuntu-latest
+            AUTOTOOLS_HOST: aarch64-linux-android
+            OPENSSL_HOST: android-arm64
+            ANDROID_CPU: aarch64
+            ANDROID_API: 23
+            test_android: "yes"
+            config: "no"
+            make: "no"
+          - name: Android x86
+            os: ubuntu-latest
+            AUTOTOOLS_HOST: i686-linux-android
+            OPENSSL_HOST: android-x86
+            ANDROID_CPU: x86
+            ANDROID_API: 23
+            test_android: "yes"
+            config: "no"
+            make: "no"
+          - name: Android x86_64
+            os: ubuntu-latest
+            AUTOTOOLS_HOST: x86_64-linux-android
+            OPENSSL_HOST: android-x86_64
+            ANDROID_CPU: x86_64
+            ANDROID_API: 23
+            test_android: "yes"
+            config: "no"
+            make: "no"
+          - name: Windows
+            os: windows-latest
+            test_windows: "yes"
+            config: "no"
+            make: "no"
+ 
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: false
+      - name: test_windows
+        if: ${{ matrix.test_windows == 'yes' }}
+        shell: bash
+        run: |
+          export unboundpath=`pwd`
+          echo unboundpath=${unboundpath}
+          cd ..
+          export prepath=`pwd`
+          echo prepath=${prepath}
+          #echo "curl cpanm"
+          #curl -L -k -s -S -o cpanm https://cpanmin.us/
+          #echo "perl cpanm Pod::Usage"
+          #perl cpanm Pod::Usage
+          mkdir openssl
+          echo "curl openssl"
+          curl -L -k -s -S -o openssl-1.1.1j.tar.gz https://www.openssl.org/source/openssl-1.1.1j.tar.gz
+          tar xzf openssl-1.1.1j.tar.gz
+          cd openssl-1.1.1j
+          # remove pod::Usage because we do not need -help or -man output
+          # from the Configure script
+          echo "Fixup ./Configure by removing use Pod::Usage require"
+          sed -e 's/use Pod::Usage//' < Configure > Configure.fix
+          echo "./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix=\""$prepath/openssl\"""
+          ./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix="$prepath/openssl"
+          # make the libs only, build faster
+          echo "make build_libs"
+          #make
+          make build_libs
+          mv Makefile Makefile.orig
+          # fixup \\ in the installtop to /.
+          echo "fixup INSTALLTOP"
+          sed -e 's?^INSTALLTOP=.*$?INSTALLTOP='"$prepath"'/openssl?' < Makefile.orig > Makefile
+          # install the includes and libs only, build faster
+          echo "make install_dev"
+          #make install_sw
+          make install_dev
+          cd ..
+          mkdir expat
+          echo "curl expat"
+          curl -L -k -s -S -o expat-2.2.10.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_10/expat-2.2.10.tar.gz
+          tar xzf expat-2.2.10.tar.gz
+          cd expat-2.2.10
+          echo "./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix=\"$prepath/expat\" --exec-prefix=\"$prepath/expat\" --bindir=\"$prepath/expat/bin\" --includedir=\"$prepath/expat/include\" --mandir=\"$prepath/expat/man\" --libdir=\"$prepath/expat/lib\""
+          ./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix="$prepath/expat" --exec-prefix="$prepath/expat" --bindir="$prepath/expat/bin" --includedir="$prepath/expat/include" --mandir="$prepath/expat/man" --libdir="$prepath/expat/lib"
+          # fixup SHELL is treated specially, but SHELZZ is not by make.
+          echo "Fixup Makefiles by renaming SHELL to SHELLZZ"
+          mv Makefile Makefile.orig
+          sed -e 's/SHELL/SHELLZZ/g' < Makefile.orig > Makefile
+          mv lib/Makefile lib/Makefile.orig
+          sed -e 's/SHELL/SHELLZZ/g' < lib/Makefile.orig > lib/Makefile
+          mv doc/Makefile doc/Makefile.orig
+          sed -e 's/SHELL/SHELLZZ/g' < doc/Makefile.orig > doc/Makefile
+          mv examples/Makefile examples/Makefile.orig
+          sed -e 's/SHELL/SHELLZZ/g' < examples/Makefile.orig > examples/Makefile
+          mv tests/Makefile tests/Makefile.orig
+          sed -e 's/SHELL/SHELLZZ/g' < tests/Makefile.orig > tests/Makefile
+          mv xmlwf/Makefile xmlwf/Makefile.orig
+          sed -e 's/SHELL/SHELLZZ/g' < xmlwf/Makefile.orig > xmlwf/Makefile
+          echo "make"
+          make
+          echo "make install"
+          make install
+          cd ..
+          echo "unbound"
+          cd unbound
+          echo "./configure --enable-debug --enable-static-exe --disable-flto \"--with-ssl=$prepath/openssl\" --with-libexpat=\"$prepath/expat\" --disable-shared"
+          ./configure --enable-debug --enable-static-exe --disable-flto "--with-ssl=$prepath/openssl" --with-libexpat="$prepath/expat" --disable-shared
+          make
+          # specific test output
+          #make testbound.exe; ./testbound.exe -s
+          #make testbound; ./testbound.exe -p testdata/acl.rpl -o -vvvv
+          make test
+      - name: test_android
+        if: ${{ matrix.test_android == 'yes' }}
+        env:
+          AUTOTOOLS_HOST: ${{ matrix.AUTOTOOLS_HOST }}
+          OPENSSL_HOST: ${{ matrix.OPENSSL_HOST }}
+          ANDROID_API: ${{ matrix.ANDROID_API }}
+          ANDROID_CPU: ${{ matrix.ANDROID_CPU }}
+        run: |
+          #(already installed) ./contrib/android/install_tools.sh
+          export ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU"
+          echo ANDROID_PREFIX=${ANDROID_PREFIX}
+          export ANDROID_SDK_ROOT="$HOME/android-sdk"
+          echo ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}
+          export ANDROID_NDK_ROOT="$HOME/android-ndk"
+          echo ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}
+          export AUTOTOOLS_BUILD="$(./config.guess)"
+          echo AUTOTOOLS_BUILD=${AUTOTOOLS_BUILD}
+          export PKG_CONFIG_PATH="$ANDROID_PREFIX/lib/pkgconfig"
+          echo PKG_CONFIG_PATH=${PKG_CONFIG_PATH}
+          export CONFIG_OPTS="--build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST --prefix=$ANDROID_PREFIX --with-ssl=$ANDROID_PREFIX --disable-gost --with-libexpat=$ANDROID_PREFIX"
+          echo CONFIG_OPTS=${CONFIG_OPTS}
+          echo "::group::install_ndk"
+          echo "./contrib/android/install_ndk.sh"
+          ./contrib/android/install_ndk.sh
+          echo "::endgroup::"
+          echo "::group::setenv_android.sh"
+          echo "./contrib/android/setenv_android.sh"
+          source ./contrib/android/setenv_android.sh
+          echo "::endgroup::"
+          echo "::group::install_openssl"
+          echo "./contrib/android/install_openssl.sh"
+          ./contrib/android/install_openssl.sh
+          echo "::endgroup::"
+          echo "::group::install_expat"
+          echo "./contrib/android/install_expat.sh"
+          ./contrib/android/install_expat.sh
+          echo "::endgroup::"
+          echo "::group::configure"
+          echo "./configure ${CONFIG_OPTS}"
+          ./configure ${CONFIG_OPTS}
+          echo "::endgroup::"
+          echo "::group::make"
+          # make is here to preserve environment variables
+          make
+          echo "::endgroup::"
+          echo "::group::make install"
+          make install
+          echo "::endgroup::"
+      - name: test ios
+        if: ${{ matrix.test_ios == 'yes' }}
+        env:
+          AUTOTOOLS_HOST: ${{ matrix.AUTOTOOLS_HOST }}
+          OPENSSL_HOST: ${{ matrix.OPENSSL_HOST }}
+          IOS_SDK: ${{ matrix.IOS_SDK }}
+          IOS_CPU: ${{ matrix.IOS_CPU }}
+        run: |
+          #(already installed) ./contrib/ios/install_tools.sh
+          export AUTOTOOLS_BUILD="$(./config.guess)"
+          echo AUTOTOOLS_BUILD=${AUTOTOOLS_BUILD}
+          export IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU"
+          echo IOS_PREFIX=${IOS_PREFIX}
+          export PKG_CONFIG_PATH="$IOS_PREFIX/lib/pkgconfig"
+          echo PKG_CONFIG_PATH=${PKG_CONFIG_PATH}
+          export CONFIG_OPTS="--build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST --prefix=$IOS_PREFIX --with-ssl=$IOS_PREFIX --disable-gost --with-libexpat=$IOS_PREFIX"
+          echo CONFIG_OPTS=${CONFIG_OPTS}
+          echo "::group::setenv_ios.sh"
+          echo "./contrib/ios/setenv_ios.sh"
+          source ./contrib/ios/setenv_ios.sh
+          echo "::endgroup::"
+          echo "::group::install_openssl"
+          echo "./contrib/ios/install_openssl.sh"
+          ./contrib/ios/install_openssl.sh
+          echo "::endgroup::"
+          echo "::group::install_expat"
+          echo "./contrib/ios/install_expat.sh"
+          ./contrib/ios/install_expat.sh
+          echo "::endgroup::"
+          echo "::group::configure"
+          echo "./configure ${CONFIG_OPTS}"
+          ./configure ${CONFIG_OPTS}
+          echo "::endgroup::"
+          echo "::group::make"
+          # make is here to preserve environment variables
+          make
+          echo "::endgroup::"
+          echo "::group::make install"
+          make install
+          echo "::endgroup::"
+      - name: install libevent
+        if: ${{ matrix.install_libevent == 'yes' }}
+        run: sudo apt-get install libevent-dev
+      - name: install expat
+        if: ${{ matrix.install_expat == 'yes' }}
+        run: brew install expat
+      - name: configure
+        if: ${{ matrix.config != 'no' }}
+        run: ./configure ${{ matrix.config }}
+      - name: make
+        if: ${{ matrix.make != 'no' }}
+        run: make
+      - name: make test
+        if: ${{ matrix.make_test == 'yes' }}
+        run: make test
+      - name: clang-analysis
+        if: ${{ matrix.clang_analysis == 'yes' }}
+        run: (cd testdata/clang-analysis.tdir; bash clang-analysis.test)

.github/workflows/ci.yml

@@ -0,0 +1,21 @@
+name: ci
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: configure
+      run: ./configure --enable-debug
+    - name: make
+      run: make
+    - name: make test
+      run: make test

.gitignore

@@ -37,6 +37,7 @@
 /perf
 /petal
 /pktview
+/readzone
 /streamtcp
 /unbound-dnstap-socket
 /testbound

Makefile.in

@@ -61,6 +61,7 @@ PYTHON_CPPFLAGS=-I. @PYTHON_CPPFLAGS@
 CFLAGS=-DSRCDIR=$(srcdir) @CFLAGS@
 LDFLAGS=@LDFLAGS@
 LIBS=@LIBS@
+PYTHON_LIBS=@PYTHON_LIBS@
 LIBOBJS=@LIBOBJS@
 # filter out ctime_r from compat obj.
 LIBOBJ_WITHOUT_CTIME=@LIBOBJ_WITHOUT_CTIME@
@@ -85,6 +86,8 @@ LINTFLAGS+=@NETBSD_LINTFLAGS@
 LINTFLAGS+="-Dsigset_t=long"
 # FreeBSD
 LINTFLAGS+="-D__uint16_t=uint16_t" "-DEVP_PKEY_ASN1_METHOD=int" "-D_RuneLocale=int" "-D__va_list=va_list" "-D__uint32_t=uint32_t" "-D_Alignof(x)=x" "-D__aligned(x)=" "-D__requires_exclusive(x)=" "-D__requires_unlocked(x)=" "-D__locks_exclusive(x)=" "-D__trylocks_exclusive(x)="  "-D__unlocks(x)=" "-D__locks_shared(x)=" "-D__trylocks_shared(x)="
+# GCC Docker
+LINTFLAGS+=@GCC_DOCKER_LINTFLAGS@
 
 INSTALL=$(SHELL) $(srcdir)/install-sh
 
@@ -175,10 +178,12 @@ UNITTEST_SRC=testcode/unitanchor.c testcode/unitdname.c \
 testcode/unitlruhash.c testcode/unitmain.c testcode/unitmsgparse.c \
 testcode/unitneg.c testcode/unitregional.c testcode/unitslabhash.c \
 testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c \
-testcode/unitecs.c testcode/unitauth.c testcode/unitzonemd.c
+testcode/unitecs.c testcode/unitauth.c testcode/unitzonemd.c \
+testcode/unittcpreuse.c
 UNITTEST_OBJ=unitanchor.lo unitdname.lo unitlruhash.lo unitmain.lo \
 unitmsgparse.lo unitneg.lo unitregional.lo unitslabhash.lo unitverify.lo \
-readhex.lo testpkts.lo unitldns.lo unitecs.lo unitauth.lo unitzonemd.lo
+readhex.lo testpkts.lo unitldns.lo unitecs.lo unitauth.lo unitzonemd.lo \
+unittcpreuse.lo
 UNITTEST_OBJ_LINK=$(UNITTEST_OBJ) worker_cb.lo $(COMMON_OBJ) $(SLDNS_OBJ) \
 $(COMPAT_OBJ)
 DAEMON_SRC=daemon/acl_list.c daemon/cachedump.c daemon/daemon.c \
@@ -244,6 +249,9 @@ DELAYER_SRC=testcode/delayer.c
 DELAYER_OBJ=delayer.lo
 DELAYER_OBJ_LINK=$(DELAYER_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
 $(SLDNS_OBJ)
+READZONE_SRC=testcode/readzone.c
+READZONE_OBJ=readzone.lo
+READZONE_OBJ_LINK=$(READZONE_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) $(SLDNS_OBJ)
 IPSET_SRC=@IPSET_SRC@
 IPSET_OBJ=@IPSET_OBJ@
 DNSTAP_SOCKET_SRC=dnstap/unbound-dnstap-socket.c
@@ -280,7 +288,7 @@ ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(DAEMON_SRC) \
 	$(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) $(DNSTAP_SOCKET_SRC)\
 	$(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC) \
 	$(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC) \
-	$(DOHCLIENT_SRC)
+	$(DOHCLIENT_SRC) $(READZONE_SRC)
 
 ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
 	$(TESTBOUND_OBJ) $(LOCKVERIFY_OBJ) $(PKTVIEW_OBJ) \
@@ -289,7 +297,7 @@ ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
 	$(CONTROL_OBJ) $(UBANCHOR_OBJ) $(PETAL_OBJ) $(DNSTAP_SOCKET_OBJ)\
 	$(COMPAT_OBJ) $(PYUNBOUND_OBJ) \
 	$(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ) \
-	$(DOHCLIENT_OBJ)
+	$(DOHCLIENT_OBJ) $(READZONE_OBJ)
 
 COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@
 LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
@@ -327,7 +335,7 @@ TEST_BIN=asynclook$(EXEEXT) delayer$(EXEEXT) \
 	lock-verify$(EXEEXT) memstats$(EXEEXT) perf$(EXEEXT) \
 	petal$(EXEEXT) pktview$(EXEEXT) streamtcp$(EXEEXT) \
 	$(DNSTAP_SOCKET_TESTBIN) dohclient$(EXEEXT) \
-	testbound$(EXEEXT) unittest$(EXEEXT)
+	testbound$(EXEEXT) unittest$(EXEEXT) readzone$(EXEEXT)
 tests:	all $(TEST_BIN)
 
 check: test
@@ -405,6 +413,9 @@ perf$(EXEEXT):	$(PERF_OBJ_LINK)
 delayer$(EXEEXT):	$(DELAYER_OBJ_LINK)
 	$(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS)
 
+readzone$(EXEEXT):	$(READZONE_OBJ_LINK)
+	$(LINK) -o $@ $(READZONE_OBJ_LINK) $(SSLLIB) $(LIBS)
+
 signit$(EXEEXT):	testcode/signit.c
 	$(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@ -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSLLIB) $(LIBS)
 
@@ -468,7 +479,7 @@ libunbound/python/libunbound_wrap.c:	$(srcdir)/libunbound/python/libunbound.i un
 
 # Pyunbound python unbound wrapper
 _unbound.la:	libunbound_wrap.lo libunbound.la
-	$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) libunbound.la $(LIBS)
+	$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) -L. -L.libs libunbound.la $(PYTHON_LIBS)
 
 util/config_file.c:	util/configparser.h
 util/configlexer.c:  $(srcdir)/util/configlexer.lex util/configparser.h
@@ -572,6 +583,8 @@ install-lib:	lib $(UNBOUND_EVENT_INSTALL)
 		echo ".so man3/libunbound.3" > $(DESTDIR)$(mandir)/man3/$$mpage.3 ; \
 	done
 	$(LIBTOOL) --mode=install cp unbound.h $(DESTDIR)$(includedir)/unbound.h
+	$(INSTALL) -m 755 -d $(DESTDIR)$(libdir)/pkgconfig
+	$(INSTALL) -m 644 contrib/libunbound.pc $(DESTDIR)$(libdir)/pkgconfig
 	$(LIBTOOL) --mode=install cp libunbound.la $(DESTDIR)$(libdir)
 	$(LIBTOOL) --mode=finish $(DESTDIR)$(libdir)
 
@@ -581,8 +594,6 @@ install-all:	all $(PYTHONMOD_INSTALL) $(PYUNBOUND_INSTALL) $(UNBOUND_EVENT_INSTA
 	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man8
 	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man5
 	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man1
-	$(INSTALL) -m 755 -d $(DESTDIR)$(libdir)/pkgconfig
-	$(INSTALL) -m 644 contrib/libunbound.pc $(DESTDIR)$(libdir)/pkgconfig
 	$(LIBTOOL) --mode=install cp -f unbound$(EXEEXT) $(DESTDIR)$(sbindir)/unbound$(EXEEXT)
 	$(LIBTOOL) --mode=install cp -f unbound-checkconf$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-checkconf$(EXEEXT)
 	$(LIBTOOL) --mode=install cp -f unbound-control$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-control$(EXEEXT)
@@ -701,7 +712,8 @@ infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrde
 rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h
 as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h
 dname.lo dname.o: $(srcdir)/util/data/dname.c config.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \
@@ -790,7 +802,8 @@ iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/i
  $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outside_network.h \
+  $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
  $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
  $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
@@ -837,11 +850,7 @@ modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/service
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h
- $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) $(srcdir)/cachedb/cachedb.h \
- $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \
- $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h
 view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@@ -872,8 +881,7 @@ outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c confi
  $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
  $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \
  $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h
- 
 alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
@@ -894,8 +902,7 @@ config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/ut
  $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/edns-subnet/edns-subnet.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/iana_ports.inc
- $(srcdir)/util/iana_ports.inc
 configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
  $(srcdir)/util/config_file.h util/configparser.h
 configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
@@ -924,8 +931,9 @@ authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/service
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
  $(srcdir)/services/cache/dns.h $(srcdir)/services/outside_network.h  \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h $(srcdir)/validator/val_nsec3.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_secalgo.h
+ $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/val_sigcrypt.h \
+ $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h
 fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
@@ -934,7 +942,7 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
  $(srcdir)/services/outside_network.h  $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
@@ -942,13 +950,18 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \
  $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
  $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound-event.h \
- $(srcdir)/libunbound/worker.h $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) \
+ $(srcdir)/libunbound/worker.h
- $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \
- $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h $(srcdir)/dnstap/dtstream.h
 locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
-mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h
+mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
 module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
@@ -961,14 +974,12 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
  $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/listen_dnsport.h
- 
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
- 
 random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
@@ -1022,8 +1033,7 @@ tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/u
  $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/ub_event.h
 ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
- 
 ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
  $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
@@ -1033,8 +1043,7 @@ ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c
  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
- 
 winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
 autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@@ -1047,8 +1056,7 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
- 
 val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h \
@@ -1078,13 +1086,11 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
 val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
- 
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
+ $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
 val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
@@ -1102,17 +1108,15 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
 val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
  $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/sbuffer.h
- 
 val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_secalgo.h \
  $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/wire2str.h
- 
 val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@@ -1133,43 +1137,13 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src
  $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
-edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
+edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h
- $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
+subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h
-subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
- $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
- $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
- $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/respip/respip.h $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h \
- $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h
 addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/edns-subnet/addrtree.h
-subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \
+subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h
- $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
- $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
-cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/cachedb/redis.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/data/msgencode.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/validator/val_neg.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_secalgo.h \
- $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h
-redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h $(srcdir)/cachedb/redis.h $(srcdir)/cachedb/cachedb.h \
- $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h \
- $(srcdir)/sldns/sbuffer.h
 respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
@@ -1182,42 +1156,8 @@ respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localz
  $(srcdir)/util/regional.h
 checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/checklocks.h
-dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c  config.h $(srcdir)/sldns/sbuffer.h \
+ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h
- $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h dnstap/dnstap.pb-c.h
-dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h \
- 
-dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
-dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \
- $(srcdir)/util/net_help.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h   \
- $(srcdir)/sldns/sbuffer.h \
- 
-ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \
- $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h
-ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \
- $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h \
- $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
-ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
 unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@@ -1226,8 +1166,7 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
-unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
+unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
  $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/iterator/iterator.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
@@ -1268,14 +1207,7 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
 unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
  $(srcdir)/sldns/parseutil.h
-unitzonemd.lo unitzonemd.o: $(srcdir)/testcode/unitzonemd.c config.h $(srcdir)/services/authzone.h
+unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h
-unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \
- $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
- $(srcdir)/edns-subnet/edns-subnet.h
 unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
  $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/data/msgparse.h \
@@ -1286,49 +1218,58 @@ unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/service
  $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/sldns/wire2str.h
+unitzonemd.lo unitzonemd.o: $(srcdir)/testcode/unitzonemd.c config.h $(srcdir)/util/log.h \
+ $(srcdir)/testcode/unitmain.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h \
+ $(srcdir)/validator/val_anchor.h
+unittcpreuse.lo unittcpreuse.o: $(srcdir)/testcode/unittcpreuse.c config.h $(srcdir)/services/outside_network.h \
+$(srcdir)/util/random.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
  $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
-cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
+cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
- $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
-  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
-   $(srcdir)/daemon/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/keyraw.h
-remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
- $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
  $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h $(srcdir)/services/outside_network.h
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
+  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \
+ $(srcdir)/util/edns.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h \
+ $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h \
+ $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h
+remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/alloc.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
+ $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
  $(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
  $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@@ -1353,21 +1294,19 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
  $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h \
+ $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h
- $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
- 
 unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
  $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-  $(srcdir)/daemon/remote.h \
+  $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
+ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
+ $(srcdir)/util/ub_event.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
@@ -1375,32 +1314,32 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
  $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h \
+ $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \
- $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \
- $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \
+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
+ $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
 testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
  $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h \
-  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
  $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
+ $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
 testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
@@ -1411,39 +1350,38 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
  $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h \
+ $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \
- $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \
- $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \
+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
+ $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
  $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-   $(srcdir)/daemon/worker.h \
+  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \
+ $(srcdir)/util/edns.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
+ $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h
- $(srcdir)/sldns/keyraw.h
 stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@@ -1457,9 +1395,7 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
  $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h \
+ $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h
- $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
- 
 replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
@@ -1476,7 +1412,7 @@ fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/t
  $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
  $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
  $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/daemon/remote.h
 lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
@@ -1511,8 +1447,7 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
  $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h
- $(PYTHONMOD_HEADER) $(srcdir)/edns-subnet/subnet-whitelist.h
 worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
@@ -1546,70 +1481,72 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
  $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
  $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h
-libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
+libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/dnscrypt/dnscrypt.h   \
-  $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
- $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/storage/lookup3.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/sldns/str2wire.h
 unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
- 
 asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
  $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h
- 
 streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
- 
 perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
- $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
- $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h
+  $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h \
+ $(srcdir)/services/listen_dnsport.h
 unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
- 
+petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
- 
 unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h \
  $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h \
  $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/config_file.h \
- dnstap/dnstap.pb-c.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h
+ $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \
-pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+  $(srcdir)/daemon/remote.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
-  $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
+ $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/libunbound/unbound-event.h
- 
+pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h \
+ $(srcdir)/pythonmod/pythonmod_utils.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/net_help.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/regional.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h
 win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
  $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
    $(srcdir)/daemon/worker.h \
@@ -1617,8 +1554,8 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
  $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h
+ $(srcdir)/util/net_help.h
 w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
 unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
  $(srcdir)/winrc/w_inst.h
@@ -1626,14 +1563,12 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
  $(srcdir)/winrc/w_inst.h
 anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
-keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
+keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
- $(srcdir)/sldns/rrdef.h \
- 
 sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
 wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/keyraw.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
+ $(srcdir)/util/log.h
 parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
  $(srcdir)/sldns/sbuffer.h
 parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
@@ -1644,8 +1579,8 @@ dohclient.lo dohclient.o: $(srcdir)/testcode/dohclient.c config.h $(srcdir)/sldn
  $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h
- 
+readzone.lo readzone.o: $(srcdir)/testcode/readzone.c
 ctime_r.lo ctime_r.o: $(srcdir)/compat/ctime_r.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 fake-rfc2553.lo fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h
 gmtime_r.lo gmtime_r.o: $(srcdir)/compat/gmtime_r.c config.h
@@ -1660,11 +1595,9 @@ strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
 strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
 getentropy_freebsd.lo getentropy_freebsd.o: $(srcdir)/compat/getentropy_freebsd.c
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
- 
 getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
- 
 getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
 explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h

README-Travis.md

@@ -241,7 +241,7 @@ If you are working from a developer machine you probably already have the necess
 
 The fourth step builds OpenSSL and Expat. OpenSSL and Expat are built for iOS using the scripts `contrib/ios/install_openssl.sh` and `contrib/ios/install_expat.sh`. The scripts download, configure and install the latest release version of the libraries. The libraries are configured with `--prefix="$IOS_PREFIX"` so the headers are placed in `$IOS_PREFIX/include` directory, and the libraries are placed in the `$IOS_PREFIX/lib` directory.
 
-`IOS_PREFIX` is the value `$HOME/$IOS_SDK-$IOS_CPU`. The scheme handles both iOS SDKs and cpu architectures so the pair recieves a unique installation directory. The libraries will be installed in `$HOME/iPhoneOS-armv7s`, `$HOME/iPhoneOS-arm64`, `$HOME/iPhoneSimulator-i386`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported.
+`IOS_PREFIX` is the value `$HOME/$IOS_SDK-$IOS_CPU`. The scheme handles both iOS SDKs and cpu architectures so the pair receives a unique installation directory. The libraries will be installed in `$HOME/iPhoneOS-armv7s`, `$HOME/iPhoneOS-arm64`, `$HOME/iPhoneSimulator-i386`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported.
 
 `PKG_CONFIG_PATH` is an important variable. It is the userland equivalent to sysroot, and allows Autotools to find non-system headers and libraries for an architecture. Typical `PKG_CONFIG_PATH` are `$HOME/iPhoneOS-armv7s/lib/pkgconfig` and `$HOME/iPhoneOS-arm64/lib/pkgconfig`.
 

README.md

@@ -11,7 +11,7 @@ have any feedback, we would love to hear from you. Don’t hesitate to
 [create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new)
 or post a message on the [Unbound mailing list](https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users).
 You can learn more about Unbound by reading our
-[documentation](https://nlnetlabs.nl/documentation/unbound/).
+[documentation](https://unbound.docs.nlnetlabs.nl/).
 
 ## Compiling
 
@@ -33,7 +33,7 @@ support.
 
 All of Unbound's configuration options are described in the man pages, which
 will be installed and are available on the Unbound
-[documentation page](https://nlnetlabs.nl/documentation/unbound/).
+[documentation page](https://unbound.docs.nlnetlabs.nl/).
 
 An example configuration file is located in
 [doc/example.conf](https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in).

aclocal.m4

@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.2 -*- Autoconf -*-
 
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -736,6 +736,7 @@ _LT_CONFIG_SAVE_COMMANDS([
     cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 
 # Provide generalized library-building support services.
@@ -1047,8 +1048,8 @@ int forced_loaded() { return 2;}
 _LT_EOF
       echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
       $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
-      echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
+      echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
-      $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
+      $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
       echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
       $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
       cat > conftest.c << _LT_EOF
@@ -1498,7 +1499,7 @@ need_locks=$enable_libtool_lock
 m4_defun([_LT_PROG_AR],
 [AC_CHECK_TOOLS(AR, [ar], false)
 : ${AR=ar}
-: ${AR_FLAGS=cr}
+: ${AR_FLAGS=cru}
 _LT_DECL([], [AR], [1], [The archiver])
 _LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
 
@@ -2872,6 +2873,9 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   # before this can be enabled.
   hardcode_into_libs=yes
 
+  # Add ABI-specific directories to the system library path.
+  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
+
   # Ideally, we could use ldconfig to report *all* directores which are
   # searched for libraries, however this is still not possible.  Aside from not
   # being certain /sbin/ldconfig is available, command
@@ -2880,7 +2884,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   # appending ld.so.conf contents (and includes) to the search path.
   if test -f /etc/ld.so.conf; then
     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -2892,18 +2896,6 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
-
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -3563,7 +3555,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-netbsd* | netbsdelf*-gnu)
+netbsd*)
   if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
     lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
   else
@@ -4069,8 +4061,7 @@ _LT_EOF
   if AC_TRY_EVAL(ac_compile); then
     # Now try to grab the symbols.
     nlist=conftest.nm
-    $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD
+    if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then
-    if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then
       # Try sorting and uniquifying the output.
       if sort "$nlist" | uniq > "$nlist"T; then
 	mv -f "$nlist"T "$nlist"
@@ -4442,7 +4433,7 @@ m4_if([$1], [CXX], [
 	    ;;
 	esac
 	;;
-      netbsd* | netbsdelf*-gnu)
+      netbsd*)
 	;;
       *qnx* | *nto*)
         # QNX uses GNU C++, but need to define -shared option too, otherwise
@@ -4710,12 +4701,6 @@ m4_if([$1], [CXX], [
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
         ;;
-      # flang / f18. f95 an alias for gfortran or flang on Debian
-      flang* | f18* | f95*)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-        ;;
       # icc used to be incompatible with GCC.
       # ICC 10 doesn't accept -KPIC any more.
       icc* | ifort*)
@@ -4960,9 +4945,6 @@ m4_if([$1], [CXX], [
       ;;
     esac
     ;;
-  linux* | k*bsd*-gnu | gnu*)
-    _LT_TAGVAR(link_all_deplibs, $1)=no
-    ;;
   *)
     _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
     ;;
@@ -5025,9 +5007,6 @@ dnl Note also adjust exclude_expsyms for C++ above.
   openbsd* | bitrig*)
     with_gnu_ld=no
     ;;
-  linux* | k*bsd*-gnu | gnu*)
-    _LT_TAGVAR(link_all_deplibs, $1)=no
-    ;;
   esac
 
   _LT_TAGVAR(ld_shlibs, $1)=yes
@@ -5282,7 +5261,7 @@ _LT_EOF
       fi
       ;;
 
-    netbsd* | netbsdelf*-gnu)
+    netbsd*)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
@@ -5803,7 +5782,6 @@ _LT_EOF
 	if test yes = "$lt_cv_irix_exported_symbol"; then
           _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
 	fi
-	_LT_TAGVAR(link_all_deplibs, $1)=no
       else
 	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@@ -5825,7 +5803,7 @@ _LT_EOF
       esac
       ;;
 
-    netbsd* | netbsdelf*-gnu)
+    netbsd*)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
       else
@@ -6447,7 +6425,7 @@ if test yes != "$_lt_caught_CXX_error"; then
       # Commands to make compiler produce verbose output that lists
       # what "hidden" libraries, object files and flags are used when
       # linking a shared library.
-      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 
     else
       GXX=no
@@ -6822,7 +6800,7 @@ if test yes != "$_lt_caught_CXX_error"; then
             # explicitly linking system object files so we need to strip them
             # from the output so that they don't get included in the library
             # dependencies.
-            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
             ;;
           *)
             if test yes = "$GXX"; then
@@ -6887,7 +6865,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 	    ;;
           *)
 	    if test yes = "$GXX"; then
@@ -7226,7 +7204,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	      # Commands to make compiler produce verbose output that lists
 	      # what "hidden" libraries, object files and flags are used when
 	      # linking a shared library.
-	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
+	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 
 	    else
 	      # FIXME: insert proper C++ library support
@@ -7310,7 +7288,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
+	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 	      else
 	        # g++ 2.7 appears to require '-G' NOT '-shared' on this
 	        # platform.
@@ -7321,7 +7299,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
+	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 	      fi
 
 	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir'
@@ -9066,9 +9044,9 @@ m4_ifndef([_LT_PROG_F77],		[AC_DEFUN([_LT_PROG_F77])])
 m4_ifndef([_LT_PROG_FC],		[AC_DEFUN([_LT_PROG_FC])])
 m4_ifndef([_LT_PROG_CXX],		[AC_DEFUN([_LT_PROG_CXX])])
 
-dnl pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
+# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
-dnl serial 11 (pkg-config-0.29.1)
+# serial 11 (pkg-config-0.29.1)
-dnl
+
 dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
 dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
 dnl
@@ -9342,9 +9320,77 @@ AS_VAR_COPY([$1], [pkg_cv_][$1])
 AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR
 
+dnl PKG_WITH_MODULES(VARIABLE-PREFIX, MODULES,
+dnl   [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND],
+dnl   [DESCRIPTION], [DEFAULT])
+dnl ------------------------------------------
+dnl
+dnl Prepare a "--with-" configure option using the lowercase
+dnl [VARIABLE-PREFIX] name, merging the behaviour of AC_ARG_WITH and
+dnl PKG_CHECK_MODULES in a single macro.
+AC_DEFUN([PKG_WITH_MODULES],
+[
+m4_pushdef([with_arg], m4_tolower([$1]))
+
+m4_pushdef([description],
+           [m4_default([$5], [build with ]with_arg[ support])])
+
+m4_pushdef([def_arg], [m4_default([$6], [auto])])
+m4_pushdef([def_action_if_found], [AS_TR_SH([with_]with_arg)=yes])
+m4_pushdef([def_action_if_not_found], [AS_TR_SH([with_]with_arg)=no])
+
+m4_case(def_arg,
+            [yes],[m4_pushdef([with_without], [--without-]with_arg)],
+            [m4_pushdef([with_without],[--with-]with_arg)])
+
+AC_ARG_WITH(with_arg,
+     AS_HELP_STRING(with_without, description[ @<:@default=]def_arg[@:>@]),,
+    [AS_TR_SH([with_]with_arg)=def_arg])
+
+AS_CASE([$AS_TR_SH([with_]with_arg)],
+            [yes],[PKG_CHECK_MODULES([$1],[$2],$3,$4)],
+            [auto],[PKG_CHECK_MODULES([$1],[$2],
+                                        [m4_n([def_action_if_found]) $3],
+                                        [m4_n([def_action_if_not_found]) $4])])
+
+m4_popdef([with_arg])
+m4_popdef([description])
+m4_popdef([def_arg])
+
+])dnl PKG_WITH_MODULES
+
+dnl PKG_HAVE_WITH_MODULES(VARIABLE-PREFIX, MODULES,
+dnl   [DESCRIPTION], [DEFAULT])
+dnl -----------------------------------------------
+dnl
+dnl Convenience macro to trigger AM_CONDITIONAL after PKG_WITH_MODULES
+dnl check._[VARIABLE-PREFIX] is exported as make variable.
+AC_DEFUN([PKG_HAVE_WITH_MODULES],
+[
+PKG_WITH_MODULES([$1],[$2],,,[$3],[$4])
+
+AM_CONDITIONAL([HAVE_][$1],
+               [test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"])
+])dnl PKG_HAVE_WITH_MODULES
+
+dnl PKG_HAVE_DEFINE_WITH_MODULES(VARIABLE-PREFIX, MODULES,
+dnl   [DESCRIPTION], [DEFAULT])
+dnl ------------------------------------------------------
+dnl
+dnl Convenience macro to run AM_CONDITIONAL and AC_DEFINE after
+dnl PKG_WITH_MODULES check. HAVE_[VARIABLE-PREFIX] is exported as make
+dnl and preprocessor variable.
+AC_DEFUN([PKG_HAVE_DEFINE_WITH_MODULES],
+[
+PKG_HAVE_WITH_MODULES([$1],[$2],[$3],[$4])
+
+AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],
+        [AC_DEFINE([HAVE_][$1], 1, [Enable ]m4_tolower([$1])[ support])])
+])dnl PKG_HAVE_DEFINE_WITH_MODULES
+
 # AM_CONDITIONAL                                            -*- Autoconf -*-
 
-# Copyright (C) 1997-2018 Free Software Foundation, Inc.
+# Copyright (C) 1997-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9375,7 +9421,7 @@ AC_CONFIG_COMMANDS_PRE(
 Usually this means the macro was only invoked conditionally.]])
 fi])])
 
-# Copyright (C) 2006-2018 Free Software Foundation, Inc.
+# Copyright (C) 2006-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,

acx_nlnetlabs.m4

@@ -2,7 +2,14 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 38
+# Version 43
+# 2021-08-17 fix sed script in ssldir split handling.
+# 2021-08-17 fix for openssl to detect split version, with ssldir_include
+# 	     and ssldir_lib output directories.
+# 2021-07-30 fix for openssl use of lib64 directory.
+# 2021-06-14 fix nonblocking test to use host instead of target for mingw test.
+# 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
+# 	     64bit compatibility.
 # 2021-03-24 fix ACX_FUNC_DEPRECATED to use CPPFLAGS and CFLAGS.
 # 2021-01-05 fix defun for aclocal
 # 2021-01-05 autoconf 2.70 autoupdate and fixes, no AC_TRY_COMPILE
@@ -643,6 +650,30 @@ AC_DEFUN([ACX_SSL_CHECKS], [
     withval=$1
     if test x_$withval != x_no; then
         AC_MSG_CHECKING(for SSL)
+	if test -n "$withval"; then
+		dnl look for openssl install with different version, eg.
+		dnl in /usr/include/openssl11/openssl/ssl.h
+		dnl and /usr/lib64/openssl11/libssl.so
+		dnl with the --with-ssl=/usr/include/openssl11
+		if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then
+			ssldir="$withval"
+			found_ssl="yes"
+			withval=""
+			ssldir_include="$ssldir"
+			dnl find the libdir
+			ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
+			if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
+				: # found here
+			else
+				ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'`
+				if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
+					: # found here
+				else
+					AC_MSG_ERROR([Could not find openssl lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or "/usr/include/openssl11"])
+				fi
+			fi
+		fi
+	fi
         if test x_$withval = x_ -o x_$withval = x_yes; then
             withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr"
         fi
@@ -650,12 +681,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [
             ssldir="$dir"
             if test -f "$dir/include/openssl/ssl.h"; then
                 found_ssl="yes"
-                AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
+		ssldir_include="$ssldir/include"
-                dnl assume /usr/include is already in the include-path.
+		if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
-                if test "$ssldir" != "/usr"; then
+			ssldir_lib="$ssldir/lib64"
-                        CPPFLAGS="$CPPFLAGS -I$ssldir/include"
+		else
-                        LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include"
+			ssldir_lib="$ssldir/lib"
-                fi
+		fi
                 break;
             fi
         done
@@ -663,13 +694,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
             AC_MSG_ERROR(Cannot find the SSL libraries in $withval)
         else
             AC_MSG_RESULT(found in $ssldir)
+            AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
             HAVE_SSL=yes
-            dnl assume /usr is already in the lib and dynlib paths.
+	    dnl assume /usr is already in the include, lib and dynlib paths.
-            if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
+            if test "$ssldir" != "/usr"; then
-                LDFLAGS="$LDFLAGS -L$ssldir/lib"
+		    CPPFLAGS="$CPPFLAGS -I$ssldir_include"
-                LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
+		    LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include"
-                ACX_RUNTIME_PATH_ADD([$ssldir/lib])
+		    LDFLAGS="$LDFLAGS -L$ssldir_lib"
-            fi
+		    LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib"
+	    	    ACX_RUNTIME_PATH_ADD([$ssldir_lib])
+	    fi
         
             AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
             LIBS="$LIBS -lcrypto"
@@ -748,7 +782,7 @@ dnl
 AC_DEFUN([ACX_WITH_SSL],
 [
 AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
-                            /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
+                            /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[
         ],[
             withval="yes"
         ])
@@ -766,7 +800,7 @@ dnl
 AC_DEFUN([ACX_WITH_SSL_OPTIONAL],
 [
 AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
-                                /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
+                                /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[
         ],[
             withval="yes"
         ])
@@ -915,7 +949,7 @@ dnl a nonblocking socket do not work, a new call to select is necessary.
 AC_DEFUN([ACX_CHECK_NONBLOCKING_BROKEN],
 [
 AC_MSG_CHECKING([if nonblocking sockets work])
-if echo $target | grep mingw32 >/dev/null; then 
+if echo $host | grep mingw >/dev/null; then
 	AC_MSG_RESULT([no (windows)])
 	AC_DEFINE([NONBLOCKING_IS_BROKEN], 1, [Define if the network stack does not fully support nonblocking io (causes lower performance).])
 else

acx_python.m4

@@ -18,27 +18,45 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
 			print(sys.version.split()[[0]])"`
 	fi
 
-        #
+	# Check if you have sysconfig
-        # Check if you have distutils, else fail
+	AC_MSG_CHECKING([for the sysconfig Python module])
-        #
+        if ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`; then
-        AC_MSG_CHECKING([for the distutils Python package])
-        if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then
                 AC_MSG_RESULT([yes])
-        else
+		sysconfig_module="sysconfig"
+		# if yes, use sysconfig, because distutils is deprecated.
+	else
                 AC_MSG_RESULT([no])
-                AC_MSG_ERROR([cannot import Python module "distutils".
+		# if no, try to use distutils
-Please check your Python installation. The error was:
+
-$ac_distutils_result])
+		#
-                PYTHON_VERSION=""
+		# Check if you have distutils, else fail
-        fi
+		#
+		AC_MSG_CHECKING([for the distutils Python package])
+		if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then
+			AC_MSG_RESULT([yes])
+		else
+			AC_MSG_RESULT([no])
+			AC_MSG_ERROR([cannot import Python module "distutils".
+	Please check your Python installation. The error was:
+	$ac_distutils_result])
+			PYTHON_VERSION=""
+		fi
+
+		sysconfig_module="distutils.sysconfig"
+	fi
 
         #
         # Check for Python include path
         #
         AC_MSG_CHECKING([for Python include path])
         if test -z "$PYTHON_CPPFLAGS"; then
-                python_path=`$PYTHON -c "import distutils.sysconfig; \
+		if test "$sysconfig_module" = "sysconfig"; then
-                        print(distutils.sysconfig.get_python_inc());"`
+			python_path=`$PYTHON -c 'import sysconfig; \
+				print(sysconfig.get_path("include"));'`
+		else
+			python_path=`$PYTHON -c "import distutils.sysconfig; \
+				print(distutils.sysconfig.get_python_inc());"`
+		fi
                 if test -n "${python_path}"; then
                         python_path="-I$python_path"
                 fi
@@ -52,14 +70,14 @@ $ac_distutils_result])
         #
         AC_MSG_CHECKING([for Python library path])
         if test -z "$PYTHON_LDFLAGS"; then
-                PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \
+                PYTHON_LDFLAGS=`$PYTHON -c "from $sysconfig_module import *; \
                         print('-L'+get_config_var('LIBDIR')+' -L'+get_config_var('LIBDEST')+' '+get_config_var('BLDLIBRARY'));"`
         fi
         AC_MSG_RESULT([$PYTHON_LDFLAGS])
         AC_SUBST([PYTHON_LDFLAGS])
 
         if test -z "$PYTHON_LIBDIR"; then
-                PYTHON_LIBDIR=`$PYTHON -c "from distutils.sysconfig import *; \
+                PYTHON_LIBDIR=`$PYTHON -c "from $sysconfig_module import *; \
                         print(get_config_var('LIBDIR'));"`
         fi
 
@@ -68,8 +86,13 @@ $ac_distutils_result])
         #
         AC_MSG_CHECKING([for Python site-packages path])
         if test -z "$PYTHON_SITE_PKG"; then
-                PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
+		if test "$sysconfig_module" = "sysconfig"; then
-                        print(distutils.sysconfig.get_python_lib(1,0));"`
+			PYTHON_SITE_PKG=`$PYTHON -c 'import sysconfig; \
+				print(sysconfig.get_path("platlib"));'`
+		else
+			PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
+				print(distutils.sysconfig.get_python_lib(1,0));"`
+		fi
         fi
         AC_MSG_RESULT([$PYTHON_SITE_PKG])
         AC_SUBST([PYTHON_SITE_PKG])

cachedb/cachedb.c

@@ -519,7 +519,7 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
 		sldns_buffer_set_limit(buf, lim);
 		return 0;
 	}
-	if(parse_extract_edns(prs, &edns, qstate->env->scratch) !=
+	if(parse_extract_edns_from_response_msg(prs, &edns, qstate->env->scratch) !=
 		LDNS_RCODE_NOERROR) {
 		sldns_buffer_set_limit(buf, lim);
 		return 0;
@@ -617,12 +617,18 @@ cachedb_extcache_store(struct module_qstate* qstate, struct cachedb_env* ie)
 static int
 cachedb_intcache_lookup(struct module_qstate* qstate)
 {
+	uint8_t* dpname=NULL;
+	size_t dpnamelen=0;
 	struct dns_msg* msg;
+	if(iter_stub_fwd_no_cache(qstate, &qstate->qinfo,
+		&dpname, &dpnamelen))
+		return 0; /* no cache for these queries */
 	msg = dns_cache_lookup(qstate->env, qstate->qinfo.qname,
 		qstate->qinfo.qname_len, qstate->qinfo.qtype,
 		qstate->qinfo.qclass, qstate->query_flags,
 		qstate->region, qstate->env->scratch,
-		1 /* no partial messages with only a CNAME */
+		1, /* no partial messages with only a CNAME */
+		dpname, dpnamelen
 		);
 	if(!msg && qstate->env->neg_cache &&
 		iter_qname_indicates_dnssec(qstate->env, &qstate->qinfo)) {

compat/ctime_r.c

@@ -38,5 +38,5 @@ char *ctime_r(const time_t *timep, char *buf)
 		strcpy(buf, result);
 	}
 	lock_basic_unlock(&ctime_lock);
-	return result;
+	return buf;
 }

config.h.in

@@ -28,6 +28,9 @@
 /* Whether daemon is deprecated */
 #undef DEPRECATED_DAEMON
 
+/* Deprecate RSA 1024 bit length, makes that an unsupported key */
+#undef DEPRECATE_RSA_1024
+
 /* Define this to enable kernel based UDP source port randomization. */
 #undef DISABLE_EXPLICIT_PORT_RANDOMISATION
 
@@ -69,6 +72,9 @@
 /* If we have be64toh */
 #undef HAVE_BE64TOH
 
+/* Define to 1 if you have the `BIO_set_callback_ex' function. */
+#undef HAVE_BIO_SET_CALLBACK_EX
+
 /* Define to 1 if you have the <bsd/stdlib.h> header file. */
 #undef HAVE_BSD_STDLIB_H
 
@@ -312,6 +318,9 @@
 /* Define to 1 if you have the <ifaddrs.h> header file. */
 #undef HAVE_IFADDRS_H
 
+/* Define to 1 if you have the `if_nametoindex' function. */
+#undef HAVE_IF_NAMETOINDEX
+
 /* Define to 1 if you have the `inet_aton' function. */
 #undef HAVE_INET_ATON
 
@@ -372,6 +381,9 @@
 /* Define to 1 if you have the <netinet/tcp.h> header file. */
 #undef HAVE_NETINET_TCP_H
 
+/* Define to 1 if you have the <netioapi.h> header file. */
+#undef HAVE_NETIOAPI_H
+
 /* Use libnettle for crypto */
 #undef HAVE_NETTLE
 
@@ -426,6 +438,9 @@
 /* Define to 1 if you have the `OPENSSL_init_ssl' function. */
 #undef HAVE_OPENSSL_INIT_SSL
 
+/* Define to 1 if you have the <openssl/param_build.h> header file. */
+#undef HAVE_OPENSSL_PARAM_BUILD_H
+
 /* Define to 1 if you have the <openssl/rand.h> header file. */
 #undef HAVE_OPENSSL_RAND_H
 
@@ -435,6 +450,9 @@
 /* Define to 1 if you have the <openssl/ssl.h> header file. */
 #undef HAVE_OPENSSL_SSL_H
 
+/* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */
+#undef HAVE_OSSL_PARAM_BLD_NEW
+
 /* Define if you have POSIX threads libraries and header files. */
 #undef HAVE_PTHREAD
 
@@ -516,6 +534,9 @@
 /* Define if you have the SSL libraries installed. */
 #undef HAVE_SSL
 
+/* Define to 1 if you have the `SSL_CTX_set_alpn_protos' function. */
+#undef HAVE_SSL_CTX_SET_ALPN_PROTOS
+
 /* Define to 1 if you have the `SSL_CTX_set_alpn_select_cb' function. */
 #undef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
 
@@ -529,9 +550,15 @@
    function. */
 #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
 
+/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */
+#undef HAVE_SSL_GET0_ALPN_SELECTED
+
 /* Define to 1 if you have the `SSL_get0_peername' function. */
 #undef HAVE_SSL_GET0_PEERNAME
 
+/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */
+#undef HAVE_SSL_GET1_PEER_CERTIFICATE
+
 /* Define to 1 if you have the `SSL_set1_host' function. */
 #undef HAVE_SSL_SET1_HOST
 
@@ -847,6 +874,14 @@
 /* Define if you enable libevent */
 #undef USE_LIBEVENT
 
+/* Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a
+   default outgoing port range. This is only for the libunbound on Linux and
+   does not affect unbound resolving daemon itself. This may severely limit
+   the number of available outgoing ports and thus decrease randomness. Define
+   this only when the target system restricts (e.g. some of SELinux enabled
+   distributions) the use of non-ephemeral ports. */
+#undef USE_LINUX_IP_LOCAL_PORT_RANGE
+
 /* Define if you want to use internal select based events */
 #undef USE_MINI_EVENT
 
@@ -936,6 +971,10 @@
 /* Define to 1 if you need to in order for `stat' and other things to work. */
 #undef _POSIX_SOURCE
 
+/* defined to use gcc ansi snprintf and sscanf that understands %lld when
+   compiled for windows. */
+#undef __USE_MINGW_ANSI_STDIO
+
 /* Define to empty if `const' does not conform to ANSI C. */
 #undef const
 
@@ -1115,7 +1154,7 @@
 #include <ws2tcpip.h>
 #endif
 
-#ifndef USE_WINSOCK
+#if !defined(USE_WINSOCK) || !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN) || defined(__USE_MINGW_ANSI_STDIO)
 #define ARG_LL "%ll"
 #else
 #define ARG_LL "%I64"

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.13.2.
+# Generated by GNU Autoconf 2.69 for unbound 1.15.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.13.2'
+PACKAGE_VERSION='1.15.1'
-PACKAGE_STRING='unbound 1.13.2'
+PACKAGE_STRING='unbound 1.15.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -682,6 +682,7 @@ SSLLIB
 HAVE_SSL
 PC_CRYPTO_DEPENDENCY
 CONFIG_DATE
+GCC_DOCKER_LINTFLAGS
 NETBSD_LINTFLAGS
 PYUNBOUND_UNINSTALL
 PYUNBOUND_INSTALL
@@ -697,6 +698,7 @@ swig
 SWIG_LIB
 SWIG
 PC_PY_DEPENDENCY
+PYTHON_LIBS
 PY_MAJOR_VERSION
 PYTHON_SITE_PKG
 PYTHON_LDFLAGS
@@ -811,6 +813,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -877,6 +880,7 @@ enable_subnet
 enable_gost
 enable_ecdsa
 enable_dsa
+with_deprecate_rsa_1024
 enable_ed25519
 enable_ed448
 enable_event_api
@@ -900,6 +904,7 @@ enable_ipsecmod
 enable_ipset
 with_libmnl
 enable_explicit_port_randomisation
+enable_linux_ip_local_port_range
 with_libunbound_only
 '
       ac_precious_vars='build_alias
@@ -960,6 +965,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1212,6 +1218,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1349,7 +1364,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1462,7 +1477,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.13.2 to adapt to many kinds of systems.
+\`configure' configures unbound 1.15.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1502,6 +1517,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -1527,7 +1543,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.13.2:";;
+     short | recursive ) echo "Configuration of unbound 1.15.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1592,6 +1608,16 @@ Optional Features:
   --disable-explicit-port-randomisation
                           disable explicit source port randomisation and rely
                           on the kernel to provide random source ports
+  --enable-linux-ip-local-port-range
+                          Define this to enable use of
+                          /proc/sys/net/ipv4/ip_local_port_range as a default
+                          outgoing port range. This is only for the libunbound
+                          on Linux and does not affect unbound resolving
+                          daemon itself. This may severely limit the number of
+                          available outgoing ports and thus decrease
+                          randomness. Define this only when the target system
+                          restricts (e.g. some of SELinux enabled
+                          distributions) the use of non-ephemeral ports.
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -1637,8 +1663,12 @@ Optional Packages:
   --with-nettle=path      use libnettle as crypto library, installed at path.
   --with-ssl=pathname     enable SSL (will check /usr/local/ssl /usr/lib/ssl
                           /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
-                          /usr)
+                          /usr or specify like /usr/include/openssl11)
   --with-libbsd           Use portable libbsd functions
+  --with-deprecate-rsa-1024
+                          Deprecate RSA 1024 bit length, makes that an
+                          unsupported key, for use when OpenSSL FIPS refuses
+                          1024 bit verification
   --with-libevent=pathname
                           use libevent (will check /usr/local /opt/local
                           /usr/lib /usr/pkg /usr/sfw /usr or you can specify
@@ -1755,7 +1785,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.13.2
+unbound configure 1.15.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2464,7 +2494,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.13.2, which was
+It was created by unbound $as_me 1.15.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2814,13 +2844,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 UNBOUND_VERSION_MAJOR=1
 
-UNBOUND_VERSION_MINOR=13
+UNBOUND_VERSION_MINOR=15
 
-UNBOUND_VERSION_MICRO=2
+UNBOUND_VERSION_MICRO=1
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=13
+LIBUNBOUND_REVISION=16
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2901,6 +2931,9 @@ LIBUNBOUND_AGE=1
 # 1.13.0 had 9:11:1
 # 1.13.1 had 9:12:1
 # 1.13.2 had 9:13:1
+# 1.14.0 had 9:14:1
+# 1.15.0 had 9:15:1
+# 1.15.1 had 9:16:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -4199,9 +4232,9 @@ case "$exec_prefix" in
 esac
 
 # are we on MinGW?
-if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
+if uname -s 2>&1 | grep MINGW >/dev/null; then on_mingw="yes"
 else
-	if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes"
+	if echo $host | grep mingw >/dev/null; then on_mingw="yes"
 	else on_mingw="no"; fi
 fi
 
@@ -8074,7 +8107,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-netbsd* | netbsdelf*-gnu)
+netbsd*)
   if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
     lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
   else
@@ -8436,7 +8469,7 @@ esac
 fi
 
 : ${AR=ar}
-: ${AR_FLAGS=cr}
+: ${AR_FLAGS=cru}
 
 
 
@@ -8979,8 +9012,11 @@ _LT_EOF
   test $ac_status = 0; }; then
     # Now try to grab the symbols.
     nlist=conftest.nm
-    $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&5
+    if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5
-    if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&5 && test -s "$nlist"; then
+  (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && test -s "$nlist"; then
       # Try sorting and uniquifying the output.
       if sort "$nlist" | uniq > "$nlist"T; then
 	mv -f "$nlist"T "$nlist"
@@ -10199,8 +10235,8 @@ int forced_loaded() { return 2;}
 _LT_EOF
       echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5
       $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5
-      echo "$AR cr libconftest.a conftest.o" >&5
+      echo "$AR cru libconftest.a conftest.o" >&5
-      $AR cr libconftest.a conftest.o 2>&5
+      $AR cru libconftest.a conftest.o 2>&5
       echo "$RANLIB libconftest.a" >&5
       $RANLIB libconftest.a 2>&5
       cat > conftest.c << _LT_EOF
@@ -11060,12 +11096,6 @@ lt_prog_compiler_static=
 	lt_prog_compiler_pic='-KPIC'
 	lt_prog_compiler_static='-static'
         ;;
-      # flang / f18. f95 an alias for gfortran or flang on Debian
-      flang* | f18* | f95*)
-	lt_prog_compiler_wl='-Wl,'
-	lt_prog_compiler_pic='-fPIC'
-	lt_prog_compiler_static='-static'
-        ;;
       # icc used to be incompatible with GCC.
       # ICC 10 doesn't accept -KPIC any more.
       icc* | ifort*)
@@ -11542,9 +11572,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   openbsd* | bitrig*)
     with_gnu_ld=no
     ;;
-  linux* | k*bsd*-gnu | gnu*)
-    link_all_deplibs=no
-    ;;
   esac
 
   ld_shlibs=yes
@@ -11799,7 +11826,7 @@ _LT_EOF
       fi
       ;;
 
-    netbsd* | netbsdelf*-gnu)
+    netbsd*)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
@@ -12469,7 +12496,6 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
 	if test yes = "$lt_cv_irix_exported_symbol"; then
           archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
 	fi
-	link_all_deplibs=no
       else
 	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
 	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@@ -12491,7 +12517,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
       esac
       ;;
 
-    netbsd* | netbsdelf*-gnu)
+    netbsd*)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
       else
@@ -13586,6 +13612,9 @@ fi
   # before this can be enabled.
   hardcode_into_libs=yes
 
+  # Add ABI-specific directories to the system library path.
+  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
+
   # Ideally, we could use ldconfig to report *all* directores which are
   # searched for libraries, however this is still not possible.  Aside from not
   # being certain /sbin/ldconfig is available, command
@@ -13594,7 +13623,7 @@ fi
   # appending ld.so.conf contents (and includes) to the search path.
   if test -f /etc/ld.so.conf; then
     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -13606,18 +13635,6 @@ fi
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
-
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -14627,6 +14644,8 @@ CC=$lt_save_CC
 
 
 
+# pkg-config is only needed for these options, do not require it otherwise
+if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
 
 
 
@@ -14747,6 +14766,7 @@ $as_echo "no" >&6; }
 		PKG_CONFIG=""
 	fi
 fi
+fi
 
 # Checks for header files.
 for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h
@@ -14806,6 +14826,51 @@ fi
 
 done
 
+for ac_header in netioapi.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "netioapi.h" "ac_cv_header_netioapi_h" "$ac_includes_default
+#if HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_WINSOCK2_H
+#include <winsock2.h>
+#endif
+
+#ifdef HAVE_WS2TCPIP_H
+#include <ws2tcpip.h>
+#endif
+
+"
+if test "x$ac_cv_header_netioapi_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_NETIOAPI_H 1
+_ACEOF
+
+fi
+
+done
+
 
 # check for types.
 # Using own tests for int64* because autoconf builtin only give 32bit.
@@ -15319,7 +15384,7 @@ if test "$ac_res" != no; then :
 fi
 
 
-# check wether strptime also works
+# check whether strptime also works
 
 # check some functions of the OS before linking libs (while still runnable).
 for ac_header in unistd.h
@@ -15938,7 +16003,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if nonblocking sockets work" >&5
 $as_echo_n "checking if nonblocking sockets work... " >&6; }
-if echo $target | grep mingw32 >/dev/null; then
+if echo $host | grep mingw >/dev/null; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no (windows)" >&5
 $as_echo "no (windows)" >&6; }
 
@@ -16206,7 +16271,10 @@ done
 
 
 # check if we can use SO_REUSEPORT
-if echo "$host" | $GREP -i -e linux -e dragonfly >/dev/null; then
+reuseport_default=0
+if echo "$host" | $GREP -i -e linux >/dev/null; then reuseport_default=1; fi
+if echo "$host" | $GREP -i -e dragonfly >/dev/null; then reuseport_default=1; fi
+if test "$reuseport_default" = 1; then
 
 $as_echo "#define REUSEPORT_DEFAULT 1" >>confdefs.h
 
@@ -17400,22 +17468,38 @@ fi
 			print(sys.version.split()[0])"`
 	fi
 
-        #
+	# Check if you have sysconfig
-        # Check if you have distutils, else fail
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the sysconfig Python module" >&5
-        #
+$as_echo_n "checking for the sysconfig Python module... " >&6; }
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the distutils Python package" >&5
+        if ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`; then
-$as_echo_n "checking for the distutils Python package... " >&6; }
-        if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then
                 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-        else
+		sysconfig_module="sysconfig"
+		# if yes, use sysconfig, because distutils is deprecated.
+	else
                 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
-                as_fn_error $? "cannot import Python module \"distutils\".
+		# if no, try to use distutils
-Please check your Python installation. The error was:
+
-$ac_distutils_result" "$LINENO" 5
+		#
-                PYTHON_VERSION=""
+		# Check if you have distutils, else fail
-        fi
+		#
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the distutils Python package" >&5
+$as_echo_n "checking for the distutils Python package... " >&6; }
+		if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		else
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+			as_fn_error $? "cannot import Python module \"distutils\".
+	Please check your Python installation. The error was:
+	$ac_distutils_result" "$LINENO" 5
+			PYTHON_VERSION=""
+		fi
+
+		sysconfig_module="distutils.sysconfig"
+	fi
 
         #
         # Check for Python include path
@@ -17423,8 +17507,13 @@ $ac_distutils_result" "$LINENO" 5
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python include path" >&5
 $as_echo_n "checking for Python include path... " >&6; }
         if test -z "$PYTHON_CPPFLAGS"; then
-                python_path=`$PYTHON -c "import distutils.sysconfig; \
+		if test "$sysconfig_module" = "sysconfig"; then
-                        print(distutils.sysconfig.get_python_inc());"`
+			python_path=`$PYTHON -c 'import sysconfig; \
+				print(sysconfig.get_path("include"));'`
+		else
+			python_path=`$PYTHON -c "import distutils.sysconfig; \
+				print(distutils.sysconfig.get_python_inc());"`
+		fi
                 if test -n "${python_path}"; then
                         python_path="-I$python_path"
                 fi
@@ -17440,7 +17529,7 @@ $as_echo "$PYTHON_CPPFLAGS" >&6; }
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python library path" >&5
 $as_echo_n "checking for Python library path... " >&6; }
         if test -z "$PYTHON_LDFLAGS"; then
-                PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \
+                PYTHON_LDFLAGS=`$PYTHON -c "from $sysconfig_module import *; \
                         print('-L'+get_config_var('LIBDIR')+' -L'+get_config_var('LIBDEST')+' '+get_config_var('BLDLIBRARY'));"`
         fi
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_LDFLAGS" >&5
@@ -17448,7 +17537,7 @@ $as_echo "$PYTHON_LDFLAGS" >&6; }
 
 
         if test -z "$PYTHON_LIBDIR"; then
-                PYTHON_LIBDIR=`$PYTHON -c "from distutils.sysconfig import *; \
+                PYTHON_LIBDIR=`$PYTHON -c "from $sysconfig_module import *; \
                         print(get_config_var('LIBDIR'));"`
         fi
 
@@ -17458,8 +17547,13 @@ $as_echo "$PYTHON_LDFLAGS" >&6; }
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python site-packages path" >&5
 $as_echo_n "checking for Python site-packages path... " >&6; }
         if test -z "$PYTHON_SITE_PKG"; then
-                PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
+		if test "$sysconfig_module" = "sysconfig"; then
-                        print(distutils.sysconfig.get_python_lib(1,0));"`
+			PYTHON_SITE_PKG=`$PYTHON -c 'import sysconfig; \
+				print(sysconfig.get_path("platlib"));'`
+		else
+			PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
+				print(distutils.sysconfig.get_python_lib(1,0));"`
+		fi
         fi
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_SITE_PKG" >&5
 $as_echo "$PYTHON_SITE_PKG" >&6; }
@@ -17547,11 +17641,15 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 $as_echo "#define HAVE_PYTHON 1" >>confdefs.h
 
-      if test -n "$LIBS"; then
+      if test x_$ub_with_pythonmod != x_no; then
-        LIBS="$PYTHON_LDFLAGS $LIBS"
+        if test -n "$LIBS"; then
-      else
+          LIBS="$PYTHON_LDFLAGS $LIBS"
-        LIBS="$PYTHON_LDFLAGS"
+        else
+          LIBS="$PYTHON_LDFLAGS"
+        fi
       fi
+      PYTHON_LIBS="$PYTHON_LDFLAGS"
+
       if test -n "$CPPFLAGS"; then
         CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
       else
@@ -17880,6 +17978,12 @@ fi
 if test "`uname`" = "NetBSD"; then
 	NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_'
 
+fi
+
+if test "`uname`" = "Linux"; then
+	# splint cannot parse modern c99 header files
+	GCC_DOCKER_LINTFLAGS='-syntax'
+
 fi
 CONFIG_DATE=`date +%Y%m%d`
 
@@ -17987,6 +18091,25 @@ fi
     if test x_$withval != x_no; then
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL" >&5
 $as_echo_n "checking for SSL... " >&6; }
+	if test -n "$withval"; then
+										if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then
+			ssldir="$withval"
+			found_ssl="yes"
+			withval=""
+			ssldir_include="$ssldir"
+						ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
+			if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
+				: # found here
+			else
+				ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'`
+				if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
+					: # found here
+				else
+					as_fn_error $? "Could not find openssl lib file, $ssldir_lib/libssl.so,a, pass like \"/usr/local\" or \"/usr/include/openssl11\"" "$LINENO" 5
+				fi
+			fi
+		fi
+	fi
         if test x_$withval = x_ -o x_$withval = x_yes; then
             withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr"
         fi
@@ -17994,15 +18117,12 @@ $as_echo_n "checking for SSL... " >&6; }
             ssldir="$dir"
             if test -f "$dir/include/openssl/ssl.h"; then
                 found_ssl="yes"
-
+		ssldir_include="$ssldir/include"
-cat >>confdefs.h <<_ACEOF
+		if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
-#define HAVE_SSL /**/
+			ssldir_lib="$ssldir/lib64"
-_ACEOF
+		else
-
+			ssldir_lib="$ssldir/lib"
-                                if test "$ssldir" != "/usr"; then
+		fi
-                        CPPFLAGS="$CPPFLAGS -I$ssldir/include"
-                        LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include"
-                fi
                 break;
             fi
         done
@@ -18011,18 +18131,25 @@ _ACEOF
         else
             { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $ssldir" >&5
 $as_echo "found in $ssldir" >&6; }
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_SSL /**/
+_ACEOF
+
             HAVE_SSL=yes
-                        if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
+	                if test "$ssldir" != "/usr"; then
-                LDFLAGS="$LDFLAGS -L$ssldir/lib"
+		    CPPFLAGS="$CPPFLAGS -I$ssldir_include"
-                LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
+		    LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include"
+		    LDFLAGS="$LDFLAGS -L$ssldir_lib"
+		    LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib"
 
 	if test "x$enable_rpath" = xyes; then
-		if echo "$ssldir/lib" | grep "^/" >/dev/null; then
+		if echo "$ssldir_lib" | grep "^/" >/dev/null; then
-			RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib"
+			RUNTIME_PATH="$RUNTIME_PATH -R$ssldir_lib"
 		fi
 	fi
 
-            fi
+	    fi
 
             { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5
 $as_echo_n "checking for EVP_sha256 in -lcrypto... " >&6; }
@@ -18310,7 +18437,7 @@ rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 SSLLIB="-lssl"
 
-PC_CRYPTO_DEPENDENCY="libcrypto libssl"
+PC_CRYPTO_DEPENDENCY=""
 
 
 # check if -lcrypt32 is needed because CAPIENG needs that. (on windows)
@@ -18351,7 +18478,7 @@ rm -f core conftest.err conftest.$ac_objext \
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
 $as_echo_n "checking for LibreSSL... " >&6; }
-if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
+if grep VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
@@ -18404,7 +18531,7 @@ else
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
-for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h
+for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@@ -18418,7 +18545,7 @@ fi
 
 done
 
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -18434,7 +18561,7 @@ done
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb
+for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -18740,7 +18867,7 @@ $as_echo "#define CLIENT_SUBNET 1" >>confdefs.h
 	;;
 esac
 
-# check wether gost also works
+# check whether gost also works
 
 # Check whether --enable-gost was given.
 if test "${enable_gost+set}" = set; then :
@@ -18773,7 +18900,7 @@ $as_echo_n "checking if GOST works... " >&6; }
 if test c${cross_compiling} = cno; then
 BAKCFLAGS="$CFLAGS"
 if test -n "$ssldir"; then
-	CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib"
+	CFLAGS="$CFLAGS -Wl,-rpath,$ssldir_lib"
 fi
 if test "$cross_compiling" = yes; then :
   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
@@ -18956,8 +19083,8 @@ fi
 	      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
 	      { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5
 $as_echo_n "checking if openssl supports SHA2 and ECDSA with EVP... " >&6; }
-	      if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then
+	      if grep OPENSSL_VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then
-		if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
+		if grep OPENSSL_VERSION_NUMBER $ssldir_include/openssl/opensslv.h | grep 0x0 >/dev/null; then
 		  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
@@ -19051,6 +19178,18 @@ _ACEOF
       ;;
 esac
 
+
+# Check whether --with-deprecate-rsa-1024 was given.
+if test "${with_deprecate_rsa_1024+set}" = set; then :
+  withval=$with_deprecate_rsa_1024;
+fi
+
+if test "$with_deprecate_rsa_1024" = "yes"; then
+
+$as_echo "#define DEPRECATE_RSA_1024 1" >>confdefs.h
+
+fi
+
 # Check whether --enable-ed25519 was given.
 if test "${enable_ed25519+set}" = set; then :
   enableval=$enable_ed25519;
@@ -19177,8 +19316,8 @@ fi
 
 case "$enable_tfo_client" in
 	yes)
-		case `uname` in
+		case "$host_os" in
-			Linux) ac_fn_c_check_decl "$LINENO" "MSG_FASTOPEN" "ac_cv_have_decl_MSG_FASTOPEN" "$ac_includes_default
+			linux*) ac_fn_c_check_decl "$LINENO" "MSG_FASTOPEN" "ac_cv_have_decl_MSG_FASTOPEN" "$ac_includes_default
 #include <netinet/tcp.h>
 
 "
@@ -19194,8 +19333,8 @@ cat >>confdefs.h <<_ACEOF
 #define USE_MSG_FASTOPEN 1
 _ACEOF
 
-			  ;;
+				;;
-			Darwin) ac_fn_c_check_decl "$LINENO" "CONNECT_RESUME_ON_READ_WRITE" "ac_cv_have_decl_CONNECT_RESUME_ON_READ_WRITE" "$ac_includes_default
+			darwin*) ac_fn_c_check_decl "$LINENO" "CONNECT_RESUME_ON_READ_WRITE" "ac_cv_have_decl_CONNECT_RESUME_ON_READ_WRITE" "$ac_includes_default
 #include <sys/socket.h>
 
 "
@@ -19211,9 +19350,9 @@ cat >>confdefs.h <<_ACEOF
 #define USE_OSX_MSG_FASTOPEN 1
 _ACEOF
 
-			  ;;
+				;;
 		esac
-	;;
+		;;
 	no|*)
 		;;
 esac
@@ -20081,6 +20220,9 @@ fi
 
 	WIN_CHECKCONF_OBJ_LINK="rsrc_unbound_checkconf.o"
 
+
+$as_echo "#define __USE_MINGW_ANSI_STDIO 1" >>confdefs.h
+
 fi
 if test $ac_cv_func_getaddrinfo = no; then
 	case " $LIBOBJS " in
@@ -20368,7 +20510,7 @@ if test "$ac_res" != no; then :
 
 fi
 
-for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs
+for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -20428,7 +20570,7 @@ done
 
 
 # check if setreuid en setregid fail, on MacOSX10.4(darwin8).
-if echo $target_os | grep darwin8 > /dev/null; then
+if echo $host_os | grep darwin8 > /dev/null; then
 
 $as_echo "#define DARWIN_BROKEN_SETREUID 1" >>confdefs.h
 
@@ -21065,7 +21207,7 @@ case "$enable_allsymbols" in
 	yes)
 	COMMON_OBJ_ALL_SYMBOLS=""
 	UBSYMS=""
-	EXTRALINK="-L. -L.libs -lunbound"
+	EXTRALINK="libunbound.la"
 
 $as_echo "#define EXPORT_ALL_SYMBOLS 1" >>confdefs.h
 
@@ -21613,6 +21755,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h
 		;;
 esac
 
+if echo "$host" | $GREP -i -e linux >/dev/null; then
+	# Check whether --enable-linux-ip-local-port-range was given.
+if test "${enable_linux_ip_local_port_range+set}" = set; then :
+  enableval=$enable_linux_ip_local_port_range;
+fi
+
+	case "$enable_linux_ip_local_port_range" in
+		yes)
+
+$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h
+
+			;;
+		no|*)
+			;;
+	esac
+fi
+
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
 $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
@@ -21769,7 +21928,7 @@ _ACEOF
 
 
 
-version=1.13.2
+version=1.15.1
 
 date=`date +'%b %e, %Y'`
 
@@ -22288,7 +22447,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.13.2, which was
+This file was extended by unbound $as_me 1.15.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22354,7 +22513,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.13.2
+unbound config.status 1.15.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -23347,6 +23506,7 @@ $as_echo "$as_me: executing $ac_file commands" >&6;}
     cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 
 # Provide generalized library-building support services.

configure.ac

@@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
 
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[13])
+m4_define([VERSION_MINOR],[15])
-m4_define([VERSION_MICRO],[2])
+m4_define([VERSION_MICRO],[1])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=13
+LIBUNBOUND_REVISION=16
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -99,6 +99,9 @@ LIBUNBOUND_AGE=1
 # 1.13.0 had 9:11:1
 # 1.13.1 had 9:12:1
 # 1.13.2 had 9:13:1
+# 1.14.0 had 9:14:1
+# 1.15.0 had 9:15:1
+# 1.15.1 had 9:16:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -147,9 +150,9 @@ case "$exec_prefix" in
 esac
 
 # are we on MinGW?
-if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
+if uname -s 2>&1 | grep MINGW >/dev/null; then on_mingw="yes"
 else 
-	if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes"
+	if echo $host | grep mingw >/dev/null; then on_mingw="yes"
 	else on_mingw="no"; fi
 fi
 
@@ -385,7 +388,10 @@ AC_CHECK_PROG(doxygen, doxygen, doxygen)
 AC_CHECK_TOOL(STRIP, strip)
 ACX_LIBTOOL_C_ONLY
 
+# pkg-config is only needed for these options, do not require it otherwise
+if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
 PKG_PROG_PKG_CONFIG
+fi
 
 # Checks for header files.
 AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT])
@@ -408,6 +414,39 @@ AC_CHECK_HEADERS([net/if.h],,, [
 
 # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
 AC_CHECK_HEADERS([TargetConditionals.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([netioapi.h],,, [AC_INCLUDES_DEFAULT
+#if HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_WINSOCK2_H
+#include <winsock2.h>
+#endif
+
+#ifdef HAVE_WS2TCPIP_H
+#include <ws2tcpip.h>
+#endif
+])
 
 # check for types.  
 # Using own tests for int64* because autoconf builtin only give 32bit.
@@ -454,7 +493,7 @@ AC_SUBST(RUNTIME_PATH)
 AC_SEARCH_LIBS([inet_pton], [nsl])
 AC_SEARCH_LIBS([socket], [socket])
 
-# check wether strptime also works
+# check whether strptime also works
 AC_DEFUN([AC_CHECK_STRPTIME_WORKS],
 [AC_REQUIRE([AC_PROG_CC])
 AC_MSG_CHECKING(whether strptime works)
@@ -490,7 +529,10 @@ ACX_MKDIR_ONE_ARG
 AC_CHECK_FUNCS([strptime],[AC_CHECK_STRPTIME_WORKS],[AC_LIBOBJ([strptime])])
 
 # check if we can use SO_REUSEPORT
-if echo "$host" | $GREP -i -e linux -e dragonfly >/dev/null; then
+reuseport_default=0
+if echo "$host" | $GREP -i -e linux >/dev/null; then reuseport_default=1; fi
+if echo "$host" | $GREP -i -e dragonfly >/dev/null; then reuseport_default=1; fi
+if test "$reuseport_default" = 1; then
 	AC_DEFINE(REUSEPORT_DEFAULT, 1, [if REUSEPORT is enabled by default])
 else
 	AC_DEFINE(REUSEPORT_DEFAULT, 0, [if REUSEPORT is enabled by default])
@@ -693,11 +735,15 @@ if test x_$ub_test_python != x_no; then
       AC_SUBST(PY_MAJOR_VERSION)
       # Have Python
       AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header files.])
-      if test -n "$LIBS"; then
+      if test x_$ub_with_pythonmod != x_no; then
-        LIBS="$PYTHON_LDFLAGS $LIBS"
+        if test -n "$LIBS"; then
-      else
+          LIBS="$PYTHON_LDFLAGS $LIBS"
-        LIBS="$PYTHON_LDFLAGS"
+        else
+          LIBS="$PYTHON_LDFLAGS"
+        fi
       fi
+      PYTHON_LIBS="$PYTHON_LDFLAGS"
+      AC_SUBST(PYTHON_LIBS)
       if test -n "$CPPFLAGS"; then
         CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
       else
@@ -770,6 +816,12 @@ if test "`uname`" = "NetBSD"; then
 	NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_'
 	AC_SUBST(NETBSD_LINTFLAGS)
 fi
+
+if test "`uname`" = "Linux"; then
+	# splint cannot parse modern c99 header files
+	GCC_DOCKER_LINTFLAGS='-syntax'
+	AC_SUBST(GCC_DOCKER_LINTFLAGS)
+fi
 CONFIG_DATE=`date +%Y%m%d`
 AC_SUBST(CONFIG_DATE)
 
@@ -824,7 +876,7 @@ ACX_WITH_SSL
 ACX_LIB_SSL
 SSLLIB="-lssl"
 
-PC_CRYPTO_DEPENDENCY="libcrypto libssl"
+PC_CRYPTO_DEPENDENCY=""
 AC_SUBST(PC_CRYPTO_DEPENDENCY)
 
 # check if -lcrypt32 is needed because CAPIENG needs that. (on windows)
@@ -844,7 +896,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
 ])
 
 AC_MSG_CHECKING([for LibreSSL])
-if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
+if grep VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
 	AC_MSG_RESULT([yes])
 	AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
 	# libressl provides these compat functions, but they may also be
@@ -853,13 +905,13 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
 else
 	AC_MSG_RESULT([no])
 fi
-AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
 
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb])
+AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate])
 LIBS="$BAKLIBS"
 
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
@@ -967,14 +1019,14 @@ case "$enable_subnet" in
 	;;
 esac
 
-# check wether gost also works
+# check whether gost also works
 AC_DEFUN([AC_CHECK_GOST_WORKS],
 [AC_REQUIRE([AC_PROG_CC])
 AC_MSG_CHECKING([if GOST works])
 if test c${cross_compiling} = cno; then
 BAKCFLAGS="$CFLAGS"
 if test -n "$ssldir"; then
-	CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib"
+	CFLAGS="$CFLAGS -Wl,-rpath,$ssldir_lib"
 fi
 AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #include <string.h>
@@ -1097,8 +1149,8 @@ case "$enable_ecdsa" in
 	      ])
 	      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
 	      AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
-	      if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then
+	      if grep OPENSSL_VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then
-		if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
+		if grep OPENSSL_VERSION_NUMBER $ssldir_include/openssl/opensslv.h | grep 0x0 >/dev/null; then
 		  AC_MSG_RESULT([no])
 		  AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
 		else
@@ -1155,6 +1207,11 @@ AC_INCLUDES_DEFAULT
       ;;
 esac
 
+AC_ARG_WITH(deprecate-rsa-1024, AS_HELP_STRING([--with-deprecate-rsa-1024],[Deprecate RSA 1024 bit length, makes that an unsupported key, for use when OpenSSL FIPS refuses 1024 bit verification]))
+if test "$with_deprecate_rsa_1024" = "yes"; then
+	AC_DEFINE([DEPRECATE_RSA_1024], [1], [Deprecate RSA 1024 bit length, makes that an unsupported key])
+fi
+
 AC_ARG_ENABLE(ed25519, AS_HELP_STRING([--disable-ed25519],[Disable ED25519 support]))
 use_ed25519="no"
 case "$enable_ed25519" in
@@ -1211,23 +1268,23 @@ esac
 AC_ARG_ENABLE(tfo-client, AS_HELP_STRING([--enable-tfo-client],[Enable TCP Fast Open for client mode]))
 case "$enable_tfo_client" in
 	yes)
-		case `uname` in
+		case "$host_os" in
-			Linux) AC_CHECK_DECL([MSG_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
+			linux*) AC_CHECK_DECL([MSG_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
-			                     [AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])], 
+				[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
-			                     [AC_INCLUDES_DEFAULT 
+				[AC_INCLUDES_DEFAULT
 #include <netinet/tcp.h>
 ])
-					AC_DEFINE_UNQUOTED([USE_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
+				AC_DEFINE_UNQUOTED([USE_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
-			  ;;
+				;;
-			Darwin) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])], 
+			darwin*) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
-			                      [AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])], 
+				[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
-			                      [AC_INCLUDES_DEFAULT
+				[AC_INCLUDES_DEFAULT
 #include <sys/socket.h>
 ])
-					AC_DEFINE_UNQUOTED([USE_OSX_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
+				AC_DEFINE_UNQUOTED([USE_OSX_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
-			  ;;
+				;;
 		esac
-	;;
+		;;
 	no|*)
 		;;
 esac
@@ -1497,6 +1554,7 @@ if test "$USE_WINSOCK" = 1; then
 	AC_SUBST(WIN_CONTROL_OBJ_LINK)
 	WIN_CHECKCONF_OBJ_LINK="rsrc_unbound_checkconf.o"
 	AC_SUBST(WIN_CHECKCONF_OBJ_LINK)
+	AC_DEFINE(__USE_MINGW_ANSI_STDIO, 1, [defined to use gcc ansi snprintf and sscanf that understands %lld when compiled for windows.])
 fi
 if test $ac_cv_func_getaddrinfo = no; then
 	AC_LIBOBJ([fake-rfc2553])
@@ -1583,12 +1641,12 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
   AC_MSG_RESULT(no))
 
 AC_SEARCH_LIBS([setusercontext], [util])
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex])
 AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
 AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
 
 # check if setreuid en setregid fail, on MacOSX10.4(darwin8).
-if echo $target_os | grep darwin8 > /dev/null; then
+if echo $host_os | grep darwin8 > /dev/null; then
 	AC_DEFINE(DARWIN_BROKEN_SETREUID, 1, [Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work])
 fi
 AC_CHECK_DECLS([inet_pton,inet_ntop], [], [], [
@@ -1851,6 +1909,17 @@ case "$enable_explicit_port_randomisation" in
 		;;
 esac
 
+if echo "$host" | $GREP -i -e linux >/dev/null; then
+	AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.]))
+	case "$enable_linux_ip_local_port_range" in
+		yes)
+			AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.])
+			;;
+		no|*)
+			;;
+	esac
+fi
+
 
 AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
 # on openBSD, the implicit rule make $< work.
@@ -1993,7 +2062,7 @@ dnl includes
 #include <ws2tcpip.h>
 #endif
 
-#ifndef USE_WINSOCK
+#if !defined(USE_WINSOCK) || !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN) || defined(__USE_MINGW_ANSI_STDIO)
 #define ARG_LL "%ll"
 #else
 #define ARG_LL "%I64"

contrib/Dockerfile.tests

@@ -0,0 +1,11 @@
+FROM gcc:latest
+WORKDIR /usr/src/unbound
+RUN apt-get update
+# install semantic parser & lexical analyzer
+RUN apt-get install -y bison flex
+# install packages used in tests
+RUN apt-get install -y ldnsutils dnsutils xxd splint doxygen netcat
+# accept short rsa keys, which are used in tests
+RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf
+
+CMD ["/bin/bash"]

contrib/aaaa-filter-iterator.patch

@@ -1,8 +1,8 @@
 diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
-index f426ac5f..147fbfa9 100644
+index 5a75e319..c6c6dbe2 100644
 --- a/doc/unbound.conf.5.in
 +++ b/doc/unbound.conf.5.in
-@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
+@@ -970,6 +970,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
  this option in enabled. Only use if you know what you are doing.
  This option only has effect when qname-minimisation is enabled. Default is no.
  .TP
@@ -17,10 +17,10 @@ index f426ac5f..147fbfa9 100644
  Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
  and other denials, using information from previous NXDOMAINs answers.
 diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
-index aae934dd..55c55de0 100644
+index f093c1bf..e55a2246 100644
 --- a/iterator/iter_scrub.c
 +++ b/iterator/iter_scrub.c
-@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset,
+@@ -679,6 +679,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
  	return 0;
  }
  
@@ -53,7 +53,7 @@ index aae934dd..55c55de0 100644
  /**
   * Given a response event, remove suspect RRsets from the response.
   * "Suspect" rrsets are potentially poison. Note that this routine expects
-@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
+@@ -698,6 +724,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  	struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
  	struct iter_env* ie)
  {
@@ -61,7 +61,7 @@ index aae934dd..55c55de0 100644
  	int del_addi = 0; /* if additional-holding rrsets are deleted, we
  		do not trust the normalized additional-A-AAAA any more */
  	struct rrset_parse* rrset, *prev;
-@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
+@@ -733,6 +760,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  		rrset = rrset->rrset_all_next;
  	}
  
@@ -75,7 +75,7 @@ index aae934dd..55c55de0 100644
  	/* At this point, we brutally remove ALL rrsets that aren't 
  	 * children of the originating zone. The idea here is that, 
  	 * as far as we know, the server that we contacted is ONLY 
-@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
+@@ -744,6 +778,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  	rrset = msg->rrset_first;
  	while(rrset) {
  
@@ -101,22 +101,22 @@ index aae934dd..55c55de0 100644
  		if( (rrset->type == LDNS_RR_TYPE_A || 
  			rrset->type == LDNS_RR_TYPE_AAAA)) {
 diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
-index 7bc67da6..e10f547a 100644
+index 2482a1f4..bd5ba243 100644
 --- a/iterator/iter_utils.c
 +++ b/iterator/iter_utils.c
-@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
+@@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
- 	}
  	iter_env->supports_ipv6 = cfg->do_ip6;
  	iter_env->supports_ipv4 = cfg->do_ip4;
+ 	iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
 +	iter_env->aaaa_filter = cfg->aaaa_filter;
  	return 1;
  }
  
 diff --git a/iterator/iterator.c b/iterator/iterator.c
-index 23b07ea9..ca29b48c 100644
+index 54006940..768fe202 100644
 --- a/iterator/iterator.c
 +++ b/iterator/iterator.c
-@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
+@@ -2155,6 +2155,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
  
  	return 0;
  }
@@ -170,7 +170,7 @@ index 23b07ea9..ca29b48c 100644
  	
  /** 
   * This is the request event state where the request will be sent to one of
-@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -2216,6 +2263,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
  		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
  	}
  	
@@ -184,7 +184,7 @@ index 23b07ea9..ca29b48c 100644
  	/* Make sure we have a delegation point, otherwise priming failed
  	 * or another failure occurred */
  	if(!iq->dp) {
-@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -3648,6 +3702,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
  	return 0;
  }
  
@@ -246,7 +246,7 @@ index 23b07ea9..ca29b48c 100644
  /*
   * Return priming query results to interested super querystates.
   * 
-@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
+@@ -3667,6 +3776,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
  	else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
  		super->minfo[id])->state == DSNS_FIND_STATE)
  		processDSNSResponse(qstate, id, super);
@@ -256,7 +256,7 @@ index 23b07ea9..ca29b48c 100644
  	else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
  		error_supers(qstate, id, super);
  	else if(qstate->is_priming)
-@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -3704,6 +3816,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
  			case INIT_REQUEST_3_STATE:
  				cont = processInitRequest3(qstate, iq, id);
  				break;
@@ -266,7 +266,7 @@ index 23b07ea9..ca29b48c 100644
  			case QUERYTARGETS_STATE:
  				cont = processQueryTargets(qstate, iq, ie, id);
  				break;
-@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state)
+@@ -4040,6 +4155,8 @@ iter_state_to_string(enum iter_state state)
  		return "INIT REQUEST STATE (stage 2)";
  	case INIT_REQUEST_3_STATE:
  		return "INIT REQUEST STATE (stage 3)";
@@ -275,7 +275,7 @@ index 23b07ea9..ca29b48c 100644
  	case QUERYTARGETS_STATE :
  		return "QUERY TARGETS STATE";
  	case PRIME_RESP_STATE :
-@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s)
+@@ -4064,6 +4181,7 @@ iter_state_is_responsestate(enum iter_state s)
  		case INIT_REQUEST_STATE :
  		case INIT_REQUEST_2_STATE :
  		case INIT_REQUEST_3_STATE :
@@ -284,10 +284,10 @@ index 23b07ea9..ca29b48c 100644
  		case COLLECT_CLASS_STATE :
  			return 0;
 diff --git a/iterator/iterator.h b/iterator/iterator.h
-index 342ac207..731948d1 100644
+index 8b840528..a61c4195 100644
 --- a/iterator/iterator.h
 +++ b/iterator/iterator.h
-@@ -135,6 +135,9 @@ struct iter_env {
+@@ -133,6 +133,9 @@ struct iter_env {
  	 */
  	int* target_fetch_policy;
  
@@ -297,7 +297,7 @@ index 342ac207..731948d1 100644
  	/** lock on ratelimit counter */
  	lock_basic_type queries_ratelimit_lock;
  	/** number of queries that have been ratelimited */
-@@ -186,6 +189,14 @@ enum iter_state {
+@@ -187,6 +190,14 @@ enum iter_state {
  	 */
  	INIT_REQUEST_3_STATE,
  
@@ -312,7 +312,7 @@ index 342ac207..731948d1 100644
  	/**
  	 * Each time a delegation point changes for a given query or a 
  	 * query times out and/or wakes up, this state is (re)visited. 
-@@ -375,6 +386,13 @@ struct iter_qstate {
+@@ -376,6 +387,13 @@ struct iter_qstate {
  	 */
  	int refetch_glue;
  
@@ -327,10 +327,10 @@ index 342ac207..731948d1 100644
  	struct outbound_list outlist;
  
 diff --git a/pythonmod/interface.i b/pythonmod/interface.i
-index f08b575d..47f1bb2e 100644
+index 1ca8686a..d91b19ec 100644
 --- a/pythonmod/interface.i
 +++ b/pythonmod/interface.i
-@@ -975,6 +975,7 @@ struct config_file {
+@@ -995,6 +995,7 @@ struct config_file {
     int harden_dnssec_stripped;
     int harden_referral_path;
     int use_caps_bits_for_id;
@@ -339,10 +339,10 @@ index f08b575d..47f1bb2e 100644
     struct config_strlist* private_domain;
     size_t unwanted_threshold;
 diff --git a/util/config_file.c b/util/config_file.c
-index 0ab8614a..729fb147 100644
+index 969d664b..8d94b008 100644
 --- a/util/config_file.c
 +++ b/util/config_file.c
-@@ -218,6 +218,7 @@ config_create(void)
+@@ -231,6 +231,7 @@ config_create(void)
  	cfg->harden_referral_path = 0;
  	cfg->harden_algo_downgrade = 0;
  	cfg->use_caps_bits_for_id = 0;
@@ -351,10 +351,10 @@ index 0ab8614a..729fb147 100644
  	cfg->private_address = NULL;
  	cfg->private_domain = NULL;
 diff --git a/util/config_file.h b/util/config_file.h
-index e61257a3..dabaa7bb 100644
+index c7c9a0a4..e3aa15b0 100644
 --- a/util/config_file.h
 +++ b/util/config_file.h
-@@ -260,6 +260,8 @@ struct config_file {
+@@ -285,6 +285,8 @@ struct config_file {
  	int harden_algo_downgrade;
  	/** use 0x20 bits in query as random ID bits */
  	int use_caps_bits_for_id;
@@ -364,38 +364,38 @@ index e61257a3..dabaa7bb 100644
  	struct config_strlist* caps_whitelist;
  	/** strip away these private addrs from answers, no DNS Rebinding */
 diff --git a/util/configlexer.lex b/util/configlexer.lex
-index 79a0edca..4eaec678 100644
+index 34a0e5dd..c890be2a 100644
 --- a/util/configlexer.lex
 +++ b/util/configlexer.lex
-@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON}	{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) }
+@@ -317,6 +317,7 @@ use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
- use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
  caps-whitelist{COLON}		{ YDVAR(1, VAR_CAPS_WHITELIST) }
+ caps-exempt{COLON}		{ YDVAR(1, VAR_CAPS_WHITELIST) }
  unwanted-reply-threshold{COLON}	{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
 +aaaa-filter{COLON}		{ YDVAR(1, VAR_AAAA_FILTER) }
  private-address{COLON}		{ YDVAR(1, VAR_PRIVATE_ADDRESS) }
  private-domain{COLON}		{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
  prefetch-key{COLON}		{ YDVAR(1, VAR_PREFETCH_KEY) }
 diff --git a/util/configparser.y b/util/configparser.y
-index 1d0e8658..f284dd43 100644
+index d4f965f9..8cc237c6 100644
 --- a/util/configparser.y
 +++ b/util/configparser.y
 @@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser;
- %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
+ %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
  %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
  %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
 +%token VAR_AAAA_FILTER
  %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
  %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
  %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
-@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port |
+@@ -247,6 +248,7 @@ content_server: server_num_threads | server_verbosity | server_port |
  	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
  	server_harden_referral_path | server_private_address |
- 	server_private_domain | server_extended_statistics | 
+ 	server_private_domain | server_extended_statistics |
 +	server_aaaa_filter |
- 	server_local_data_ptr | server_jostle_timeout | 
+ 	server_local_data_ptr | server_jostle_timeout |
- 	server_unwanted_reply_threshold | server_log_time_ascii | 
+ 	server_unwanted_reply_threshold | server_log_time_ascii |
- 	server_domain_insecure | server_val_sig_skew_min | 
+ 	server_domain_insecure | server_val_sig_skew_min |
-@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
+@@ -1754,6 +1756,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
  			yyerror("out of memory");
  	}
  	;

contrib/drop2rpz

@@ -4,7 +4,7 @@
 #
 # unbound.conf:
 #  rpz:
-#    name: "spamhaus-drop.rpz.local."
+#    name: "drop.spamhaus.org.rpz.local."
 #    zonefile: "/path/tp/spamhaus-drop.rpz.local"
 #    rpz-log: yes
 #    rpz-log-name: "spamhaus-drop"

contrib/unbound.service.in

@@ -60,8 +60,13 @@ NoNewPrivileges=true
 PrivateDevices=true
 PrivateTmp=true
 ProtectHome=true
+ProtectClock=true
 ProtectControlGroups=true
+ProtectKernelLogs=true
 ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
+ProtectKernelTunables=false
+ProtectProc=invisible
 ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound

contrib/unbound.spec

@@ -1,15 +1,14 @@
 Summary: Validating, recursive, and caching DNS resolver
 Name: unbound
-Version: 1.4.18
+Version: 1.13.1
 Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
-Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
+Source: http://www.nlnetlabs.nl/downloads/unbound/%{name}-%{version}.tar.gz
 #Source1: unbound.init
 Group: System Environment/Daemons
-Requires: ldns
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: flex, openssl-devel, expat-devel, ldns-devel
+BuildRequires: flex, openssl-devel, expat-devel
 
 %description
 Unbound is a validating, recursive, and caching DNS resolver.
@@ -42,7 +41,7 @@ install -d 0700 %{buildroot}%{_localstatedir}/%{name}
 install -d 0755 %{buildroot}%{_initrddir}
 install -m 0755 contrib/unbound.init %{buildroot}%{_initrddir}/unbound
 # add symbolic link from /etc/unbound.conf -> /var/unbound/unbound.conf
-ln -s %{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf 
+ln -s ../%{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf
 # remove static library from install (fedora packaging guidelines)
 rm -f %{buildroot}%{_libdir}/libunbound.a %{buildroot}%{_libdir}/libunbound.la
 
@@ -55,11 +54,12 @@ rm -rf ${RPM_BUILD_ROOT}
 %attr(0755,root,root) %{_initrddir}/%{name}
 %attr(0700,%{name},%{name}) %dir %{_localstatedir}/%{name}
 %attr(0644,%{name},%{name}) %config(noreplace) %{_localstatedir}/%{name}/unbound.conf
-%attr(0644,%{name},%{name}) %config(noreplace) %{_sysconfdir}/unbound.conf
+%config(noreplace) %{_sysconfdir}/unbound.conf
 %{_sbindir}/*
 %{_mandir}/*/*
 %{_includedir}/*
 %{_libdir}/libunbound*
+%{_libdir}/pkgconfig/libunbound*
 
 %pre
 getent group unbound >/dev/null || groupadd -r unbound
@@ -89,7 +89,13 @@ if [ "$1" -ge "1" ]; then
 fi
 
 %changelog
-* Thu Jul 13 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8
+* Thu Jun 10 2021 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.13.1
+- ldns and ldns-devel no longer required. Fixed date. Version to 1.13.1.
+- Removed symlink attr mode, made unbound.conf symlink relative.
+- Added pkgconfig/libunbound.pc to the packaged files.
+- fixed download url to nlnetlabs.nl download.
+
+* Wed Jul 13 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8
 - ldns required and ldns-devel required for build, no more ldns-builtin.
 
 * Thu Mar 17 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8

contrib/unbound_munin_

@@ -14,7 +14,6 @@
 # Run the command unbound-control-setup to generate the key files.
 #
 # Environment variables for this script
-#	statefile	- where to put temporary statefile.
 #	unbound_conf	- where the unbound.conf file is located.
 #	unbound_control	- where to find unbound-control executable.
 #	spoof_warn	- what level to warn about spoofing
@@ -24,7 +23,6 @@
 # with:
 # [unbound*]
 # user root
-# env.statefile /usr/local/var/munin/plugin-state/unbound-state
 # env.unbound_conf /usr/local/etc/unbound/unbound.conf
 # env.unbound_control /usr/local/sbin/unbound-control
 # env.spoof_warn 1000
@@ -66,7 +64,6 @@ System with unbound daemon.
 
   [unbound*]
   user root
-  env.statefile /usr/local/var/munin/plugin-state/unbound-state
   env.unbound_conf /usr/local/etc/unbound/unbound.conf
   env.unbound_control /usr/local/sbin/unbound-control
   env.spoof_warn 1000
@@ -98,7 +95,8 @@ BSD
 
 =cut
 
-state=${statefile:-/usr/local/var/munin/plugin-state/unbound-state}
+state="${MUNIN_PLUGSTATE}/unbound.state"
+seentags="${MUNIN_PLUGSTATE}/unbound-seentags.state"
 conf=${unbound_conf:-/usr/local/etc/unbound/unbound.conf}
 ctrl=${unbound_control:-/usr/local/sbin/unbound-control}
 warn=${spoof_warn:-1000}
@@ -121,12 +119,24 @@ get_value ( ) {
 	fi
 }
 
+# Update list of seen query types etc to seentags file. This is run while
+# holding the lock, after the state file is updated.
+update_seentags() {
+    tmplist="$(cat ${seentags} 2> /dev/null)
+num.query.type.A
+num.query.class.IN
+num.query.opcode.QUERY
+num.answer.rcode.NOERROR
+"
+    (echo "${tmplist}"; grep ^num ${state} | sed -e 's/=.*//') | sort -u > ${seentags}
+}
+
 # download the state from the unbound server.
 get_state ( ) {
 	# obtain lock for fetching the state
 	# because there is a race condition in fetching and writing to file
 
-	# see if the lock is stale, if so, take it 
+	# see if the lock is stale, if so, take it
 	if test -f $lock ; then
 		pid="`cat $lock 2>&1`"
 		kill -0 "$pid" >/dev/null 2>&1
@@ -168,6 +178,7 @@ get_state ( ) {
 		rm -f $lock
 		exit 1
 	fi
+	update_seentags
 	rm -f $lock
 }
 
@@ -232,7 +243,7 @@ if test "$1" = "config" ; then
 		echo "graph_args --base 1000 -l 0"
 		echo "graph_vlabel queries / \${graph_period}"
 		echo "graph_scale no"
-		echo "graph_category DNS"
+		echo "graph_category dns"
 		for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state |
 			sed -e 's/=.*//'`; do
 			exist_config $x "queries handled by `basename $x .num.queries`"
@@ -256,7 +267,7 @@ if test "$1" = "config" ; then
 		echo "graph_args --base 1000 -l 0"
 		echo "graph_vlabel number of queries"
 		echo "graph_scale no"
-		echo "graph_category DNS"
+		echo "graph_category dns"
 		p_config "total.requestlist.avg" "Average size of queue on insert" "GAUGE"
 		p_config "total.requestlist.max" "Max size of queue (in 5 min)" "GAUGE"
 		p_config "total.requestlist.overwritten" "Number of queries replaced by new ones" "GAUGE"
@@ -267,7 +278,7 @@ if test "$1" = "config" ; then
 		echo "graph_title Unbound memory usage"
 		echo "graph_args --base 1024 -l 0"
 		echo "graph_vlabel memory used in bytes"
-		echo "graph_category DNS"
+		echo "graph_category dns"
 		p_config "mem.cache.rrset" "RRset cache memory" "GAUGE"
 		p_config "mem.cache.message" "Message cache memory" "GAUGE"
 		p_config "mem.mod.iterator" "Iterator module memory" "GAUGE"
@@ -283,9 +294,8 @@ if test "$1" = "config" ; then
 		echo "graph_args --base 1000 -l 0"
 		echo "graph_vlabel queries / \${graph_period}"
 		echo "graph_scale no"
-		echo "graph_category DNS"
+		echo "graph_category dns"
-		for x in `grep "^num.query.type" $state`; do
+		for nm in `grep "^num.query.type" $seentags`; do
-			nm=`echo $x | sed -e 's/=.*$//'`
 			tp=`echo $nm | sed -e s/num.query.type.//`
 			p_config "$nm" "$tp" "ABSOLUTE"
 		done
@@ -296,9 +306,8 @@ if test "$1" = "config" ; then
 		echo "graph_args --base 1000 -l 0"
 		echo "graph_vlabel queries / \${graph_period}"
 		echo "graph_scale no"
-		echo "graph_category DNS"
+		echo "graph_category dns"
-		for x in `grep "^num.query.class" $state`; do
+		for nm in `grep "^num.query.class" $seentags`; do
-			nm=`echo $x | sed -e 's/=.*$//'`
 			tp=`echo $nm | sed -e s/num.query.class.//`
 			p_config "$nm" "$tp" "ABSOLUTE"
 		done
@@ -309,9 +318,8 @@ if test "$1" = "config" ; then
 		echo "graph_args --base 1000 -l 0"
 		echo "graph_vlabel queries / \${graph_period}"
 		echo "graph_scale no"
-		echo "graph_category DNS"
+		echo "graph_category dns"
-		for x in `grep "^num.query.opcode" $state`; do
+		for nm in `grep "^num.query.opcode" $seentags`; do
-			nm=`echo $x | sed -e 's/=.*$//'`
 			tp=`echo $nm | sed -e s/num.query.opcode.//`
 			p_config "$nm" "$tp" "ABSOLUTE"
 		done
@@ -322,9 +330,8 @@ if test "$1" = "config" ; then
 		echo "graph_args --base 1000 -l 0"
 		echo "graph_vlabel answer packets / \${graph_period}"
 		echo "graph_scale no"
-		echo "graph_category DNS"
+		echo "graph_category dns"
-		for x in `grep "^num.answer.rcode" $state`; do
+		for nm in `grep "^num.answer.rcode" $seentags`; do
-			nm=`echo $x | sed -e 's/=.*$//'`
 			tp=`echo $nm | sed -e s/num.answer.rcode.//`
 			p_config "$nm" "$tp" "ABSOLUTE"
 		done
@@ -338,7 +345,7 @@ if test "$1" = "config" ; then
 		echo "graph_args --base 1000 -l 0"
 		echo "graph_vlabel queries / \${graph_period}"
 		echo "graph_scale no"
-		echo "graph_category DNS"
+		echo "graph_category dns"
 		p_config "num.query.flags.QR" "QR (query reply) flag" "ABSOLUTE"
 		p_config "num.query.flags.AA" "AA (auth answer) flag" "ABSOLUTE"
 		p_config "num.query.flags.TC" "TC (truncated) flag" "ABSOLUTE"
@@ -356,7 +363,7 @@ if test "$1" = "config" ; then
 		echo "graph_args --base 1000 -l 0"
 		echo "graph_vlabel queries / \${graph_period}"
 		echo "graph_scale no"
-		echo "graph_category DNS"
+		echo "graph_category dns"
 		echo hcache.label "cache hits"
 		echo hcache.min 0
 		echo hcache.type ABSOLUTE
@@ -467,27 +474,23 @@ memory)
 	done
 	;;
 by_type)
-	for x in `grep "^num.query.type" $state`; do
+	for nm in `grep "^num.query.type" $seentags`; do
-		nm=`echo $x | sed -e 's/=.*$//'`
+		print_value $nm
-		print_value_line $nm $x
 	done
 	;;
 by_class)
-	for x in `grep "^num.query.class" $state`; do
+	for nm in `grep "^num.query.class" $seentags`; do
-		nm=`echo $x | sed -e 's/=.*$//'`
+		print_value $nm
-		print_value_line $nm $x
 	done
 	;;
 by_opcode)
-	for x in `grep "^num.query.opcode" $state`; do
+	for nm in `grep "^num.query.opcode" $seentags`; do
-		nm=`echo $x | sed -e 's/=.*$//'`
+		print_value $nm
-		print_value_line $nm $x
 	done
 	;;
 by_rcode)
-	for x in `grep "^num.answer.rcode" $state`; do
+	for nm in `grep "^num.answer.rcode" $seentags`; do
-		nm=`echo $x | sed -e 's/=.*$//'`
+		print_value $nm
-		print_value_line $nm $x
 	done
 	print_value "num.answer.secure"
 	print_value "num.answer.bogus"

daemon/acl_list.c

@@ -487,3 +487,38 @@ acl_list_get_mem(struct acl_list* acl)
 	if(!acl) return 0;
 	return sizeof(*acl) + regional_get_mem(acl->region);
 }
+
+const char* acl_access_to_str(enum acl_access acl)
+{
+	switch(acl) {
+	case acl_deny: return "deny";
+	case acl_refuse: return "refuse";
+	case acl_deny_non_local: return "deny_non_local";
+	case acl_refuse_non_local: return "refuse_non_local";
+	case acl_allow: return "allow";
+	case acl_allow_snoop: return "allow_snoop";
+	case acl_allow_setrd: return "allow_setrd";
+	default: break;
+	}
+	return "unknown";
+}
+
+void
+log_acl_action(const char* action, struct sockaddr_storage* addr,
+	socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr)
+{
+	char a[128], n[128];
+	uint16_t port;
+	addr_to_str(addr, addrlen, a, sizeof(a));
+	port = ntohs(((struct sockaddr_in*)addr)->sin_port);
+	if(acladdr) {
+		addr_to_str(&acladdr->node.addr, acladdr->node.addrlen,
+			n, sizeof(n));
+		verbose(VERB_ALGO, "%s query from %s port %d because of "
+			"%s/%d %s", action, a, (int)port, n, acladdr->node.net,
+			acl_access_to_str(acl));
+	} else {
+		verbose(VERB_ALGO, "%s query from %s port %d", action, a,
+			(int)port);
+	}
+}

daemon/acl_list.h

@@ -154,4 +154,15 @@ acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
  */
 size_t acl_list_get_mem(struct acl_list* acl);
 
+/*
+ * Get string for acl access specification
+ * @param acl: access type value
+ * @return string
+ */
+const char* acl_access_to_str(enum acl_access acl);
+
+/* log acl and addr for action */
+void log_acl_action(const char* action, struct sockaddr_storage* addr,
+	socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr);
+
 #endif /* DAEMON_ACL_LIST_H */

daemon/cachedump.c

@@ -47,10 +47,12 @@
 #include "services/cache/rrset.h"
 #include "services/cache/dns.h"
 #include "services/cache/infra.h"
+#include "services/outside_network.h"
 #include "util/data/msgreply.h"
 #include "util/regional.h"
 #include "util/net_help.h"
 #include "util/data/dname.h"
+#include "util/config_file.h"
 #include "iterator/iterator.h"
 #include "iterator/iter_delegpt.h"
 #include "iterator/iter_utils.h"
@@ -854,7 +856,9 @@ int print_deleg_lookup(RES* ssl, struct worker* worker, uint8_t* nm,
 				"cache; goes to configured roots\n");
 		}
 		/* go up? */
-		if(iter_dp_is_useless(&qinfo, BIT_RD, dp)) {
+		if(iter_dp_is_useless(&qinfo, BIT_RD, dp,
+			(worker->env.cfg->do_ip4 && worker->back->num_ip4 != 0),
+			(worker->env.cfg->do_ip6 && worker->back->num_ip6 != 0))) {
 			print_dp_main(ssl, dp, msg);
 			print_dp_details(ssl, worker, dp);
 			if(!ssl_printf(ssl, "cache delegation was "

daemon/daemon.c

@@ -210,7 +210,6 @@ daemon_init(void)
 	}
 #endif /* USE_WINSOCK */
 	signal_handling_record();
-	checklock_start();
 #ifdef HAVE_SSL
 #  ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
 	ERR_load_crypto_strings();
@@ -280,6 +279,7 @@ daemon_init(void)
 		free(daemon);
 		return NULL;
 	}
+	listen_setup_locks();
 	if(gettimeofday(&daemon->time_boot, NULL) < 0)
 		log_err("gettimeofday: %s", strerror(errno));
 	daemon->time_last_stat = daemon->time_boot;
@@ -781,6 +781,7 @@ daemon_delete(struct daemon* daemon)
 	alloc_clear(&daemon->superalloc);
 	acl_list_delete(daemon->acl);
 	tcl_list_delete(daemon->tcl);
+	listen_desetup_locks();
 	free(daemon->chroot);
 	free(daemon->pidfile);
 	free(daemon->env);

daemon/remote.c

@@ -130,7 +130,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
 {
 #ifndef S_SPLINT_S
 	size_t leftover;
-	if(d == 0) {
+	if(d <= 0) {
 		avg->tv_sec = 0;
 		avg->tv_usec = 0;
 		return;
@@ -139,7 +139,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
 	avg->tv_usec = sum->tv_usec / d;
 	/* handle fraction from seconds divide */
 	leftover = sum->tv_sec - avg->tv_sec*d;
-	avg->tv_usec += (leftover*1000000)/d;
+	if(leftover <= 0)
+		leftover = 0;
+	avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
+	if(avg->tv_sec < 0)
+		avg->tv_sec = 0;
+	if(avg->tv_usec < 0)
+		avg->tv_usec = 0;
 #endif
 }
 
@@ -294,6 +300,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 		 */
 		if(fd != -1) {
 #ifdef HAVE_CHOWN
+			chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
 			if (cfg->username && cfg->username[0] &&
 				cfg_uid != (uid_t)-1) {
 				if(chown(ip, cfg_uid, cfg_gid) == -1)
@@ -301,7 +308,6 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 					  (unsigned)cfg_uid, (unsigned)cfg_gid,
 					  ip, strerror(errno));
 			}
-			chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
 #else
 			(void)cfg;
 #endif
@@ -807,7 +813,7 @@ print_mem(RES* ssl, struct worker* worker, struct daemon* daemon,
 	iter = mod_get_mem(&worker->env, "iterator");
 	respip = mod_get_mem(&worker->env, "respip");
 #ifdef CLIENT_SUBNET
-	subnet = mod_get_mem(&worker->env, "subnet");
+	subnet = mod_get_mem(&worker->env, "subnetcache");
 #endif /* CLIENT_SUBNET */
 #ifdef USE_IPSECMOD
 	ipsecmod = mod_get_mem(&worker->env, "ipsecmod");
@@ -1298,10 +1304,35 @@ do_zones_remove(RES* ssl, struct local_zones* zones)
 	(void)ssl_printf(ssl, "removed %d zones\n", num);
 }
 
+/** check syntax of newly added RR */
+static int
+check_RR_syntax(RES* ssl, char* str, int line)
+{
+	uint8_t rr[LDNS_RR_BUF_SIZE];
+	size_t len = sizeof(rr), dname_len = 0;
+	int s = sldns_str2wire_rr_buf(str, rr, &len, &dname_len, 3600,
+		NULL, 0, NULL, 0);
+	if(s != 0) {
+		char linestr[32];
+		if(line == 0)
+			linestr[0]=0;
+		else 	snprintf(linestr, sizeof(linestr), "line %d ", line);
+		if(!ssl_printf(ssl, "error parsing local-data at %sposition %d '%s': %s\n",
+			linestr, LDNS_WIREPARSE_OFFSET(s), str,
+			sldns_get_errorstr_parse(s)))
+			return 0;
+		return 0;
+	}
+	return 1;
+}
+
 /** Add new RR data */
 static int
-perform_data_add(RES* ssl, struct local_zones* zones, char* arg)
+perform_data_add(RES* ssl, struct local_zones* zones, char* arg, int line)
 {
+	if(!check_RR_syntax(ssl, arg, line)) {
+		return 0;
+	}
 	if(!local_zones_add_RR(zones, arg)) {
 		ssl_printf(ssl,"error in syntax or out of memory, %s\n", arg);
 		return 0;
@@ -1313,7 +1344,7 @@ perform_data_add(RES* ssl, struct local_zones* zones, char* arg)
 static void
 do_data_add(RES* ssl, struct local_zones* zones, char* arg)
 {
-	if(!perform_data_add(ssl, zones, arg))
+	if(!perform_data_add(ssl, zones, arg, 0))
 		return;
 	send_ok(ssl);
 }
@@ -1323,15 +1354,12 @@ static void
 do_datas_add(RES* ssl, struct local_zones* zones)
 {
 	char buf[2048];
-	int num = 0;
+	int num = 0, line = 0;
 	while(ssl_read_line(ssl, buf, sizeof(buf))) {
 		if(buf[0] == 0x04 && buf[1] == 0)
 			break; /* end of transmission */
-		if(!perform_data_add(ssl, zones, buf)) {
+		line++;
-			if(!ssl_printf(ssl, "error for input line: %s\n", buf))
+		if(perform_data_add(ssl, zones, buf, line))
-				return;
-		}
-		else
 			num++;
 	}
 	(void)ssl_printf(ssl, "added %d datas\n", num);
@@ -1987,7 +2015,7 @@ print_root_fwds(RES* ssl, struct iter_forwards* fwds, uint8_t* root)
 
 /** parse args into delegpt */
 static struct delegpt*
-parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names)
+parse_delegpt(RES* ssl, char* args, uint8_t* nm)
 {
 	/* parse args and add in */
 	char* p = args;
@@ -2009,40 +2037,35 @@ parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names)
 		}
 		/* parse address */
 		if(!authextstrtoaddr(todo, &addr, &addrlen, &auth_name)) {
-			if(allow_names) {
+			uint8_t* dname= NULL;
-				uint8_t* n = NULL;
+			int port;
-				size_t ln;
+			dname = authextstrtodname(todo, &port, &auth_name);
-				int lb;
+			if(!dname) {
-				if(!parse_arg_name(ssl, todo, &n, &ln, &lb)) {
-					(void)ssl_printf(ssl, "error cannot "
-						"parse IP address or name "
-						"'%s'\n", todo);
-					delegpt_free_mlc(dp);
-					return NULL;
-				}
-				if(!delegpt_add_ns_mlc(dp, n, 0)) {
-					(void)ssl_printf(ssl, "error out of memory\n");
-					free(n);
-					delegpt_free_mlc(dp);
-					return NULL;
-				}
-				free(n);
-
-			} else {
 				(void)ssl_printf(ssl, "error cannot parse"
-					" IP address '%s'\n", todo);
+					" '%s'\n", todo);
+				delegpt_free_mlc(dp);
+				return NULL;
+			}
+#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+			if(auth_name)
+				log_err("no name verification functionality in "
+				"ssl library, ignored name for %s", todo);
+#endif
+			if(!delegpt_add_ns_mlc(dp, dname, 0, auth_name, port)) {
+				(void)ssl_printf(ssl, "error out of memory\n");
+				free(dname);
 				delegpt_free_mlc(dp);
 				return NULL;
 			}
 		} else {
 #if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
 			if(auth_name)
-			  log_err("no name verification functionality in "
+				log_err("no name verification functionality in "
 				"ssl library, ignored name for %s", todo);
 #endif
 			/* add address */
 			if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
-				auth_name)) {
+				auth_name, -1)) {
 				(void)ssl_printf(ssl, "error out of memory\n");
 				delegpt_free_mlc(dp);
 				return NULL;
@@ -2075,7 +2098,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
 		forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root);
 	} else {
 		struct delegpt* dp;
-		if(!(dp = parse_delegpt(ssl, args, root, 0)))
+		if(!(dp = parse_delegpt(ssl, args, root)))
 			return;
 		if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
 			(void)ssl_printf(ssl, "error out of memory\n");
@@ -2121,7 +2144,7 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
 
 	/* parse dp */
 	if(dp) {
-		if(!(*dp = parse_delegpt(ssl, args, *nm, 1))) {
+		if(!(*dp = parse_delegpt(ssl, args, *nm))) {
 			free(*nm);
 			return 0;
 		}
@@ -2837,6 +2860,8 @@ struct ratelimit_list_arg {
 	int all;
 	/** current time */
 	time_t now;
+	/** if backoff is enabled */
+	int backoff;
 };
 
 #define ip_ratelimit_list_arg ratelimit_list_arg
@@ -2850,7 +2875,7 @@ rate_list(struct lruhash_entry* e, void* arg)
 	struct rate_data* d = (struct rate_data*)e->data;
 	char buf[257];
 	int lim = infra_find_ratelimit(a->infra, k->name, k->namelen);
-	int max = infra_rate_max(d, a->now);
+	int max = infra_rate_max(d, a->now, a->backoff);
 	if(a->all == 0) {
 		if(max < lim)
 			return;
@@ -2868,7 +2893,7 @@ ip_rate_list(struct lruhash_entry* e, void* arg)
 	struct ip_rate_key* k = (struct ip_rate_key*)e->key;
 	struct ip_rate_data* d = (struct ip_rate_data*)e->data;
 	int lim = infra_ip_ratelimit;
-	int max = infra_rate_max(d, a->now);
+	int max = infra_rate_max(d, a->now, a->backoff);
 	if(a->all == 0) {
 		if(max < lim)
 			return;
@@ -2886,6 +2911,7 @@ do_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
 	a.infra = worker->env.infra_cache;
 	a.now = *worker->env.now;
 	a.ssl = ssl;
+	a.backoff = worker->env.cfg->ratelimit_backoff;
 	arg = skipwhite(arg);
 	if(strcmp(arg, "+a") == 0)
 		a.all = 1;
@@ -2904,6 +2930,7 @@ do_ip_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
 	a.infra = worker->env.infra_cache;
 	a.now = *worker->env.now;
 	a.ssl = ssl;
+	a.backoff = worker->env.cfg->ip_ratelimit_backoff;
 	arg = skipwhite(arg);
 	if(strcmp(arg, "+a") == 0)
 		a.all = 1;
@@ -3310,7 +3337,11 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
 	if (!rc->use_cert) {
 		verbose(VERB_ALGO, "unauthenticated remote control connection");
 	} else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+		X509* x = SSL_get1_peer_certificate(s->ssl);
+#else
 		X509* x = SSL_get_peer_certificate(s->ssl);
+#endif
 		if(!x) {
 			verbose(VERB_DETAIL, "remote control connection "
 				"provided no client certificate");

daemon/stats.c

@@ -137,7 +137,7 @@ static void
 set_subnet_stats(struct worker* worker, struct ub_server_stats* svr,
 	int reset)
 {
-	int m = modstack_find(&worker->env.mesh->mods, "subnet");
+	int m = modstack_find(&worker->env.mesh->mods, "subnetcache");
 	struct subnet_env* sne;
 	if(m == -1)
 		return;

daemon/unbound.c

@@ -212,15 +212,17 @@ checkrlimits(struct config_file* cfg)
 	}
 #endif
 
+#ifdef RLIMIT_AS
 	if(getrlimit(RLIMIT_AS, &rlim) == 0) {
 		if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
 			rlim.rlim_cur < (rlim_t)memsize_expect) {
 			log_warn("the ulimit(max memory size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect);
 		}
 	}
+#endif
 	if(getrlimit(RLIMIT_DATA, &rlim) == 0) {
 		if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
-			rlim.rlim_cur < memsize_expect) {
+			rlim.rlim_cur < (rlim_t)memsize_expect) {
 			log_warn("the ulimit(data seg size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect);
 		}
 	}
@@ -779,6 +781,7 @@ main(int argc, char* argv[])
 	int cmdline_cfg = 0;
 #endif
 
+	checklock_start();
 	log_init(NULL, 0, NULL);
 	log_ident_default = strrchr(argv[0],'/')?strrchr(argv[0],'/')+1:argv[0];
 	log_ident_set_default(log_ident_default);

daemon/worker.c

@@ -146,7 +146,7 @@ worker_mem_report(struct worker* ATTR_UNUSED(worker),
 				(&worker->env, i);
 #ifdef CLIENT_SUBNET
 		else if(strcmp(worker->env.mesh->mods.mod[i]->name,
-			"subnet")==0)
+			"subnetcache")==0)
 			subnet += (*worker->env.mesh->mods.mod[i]->get_mem)
 				(&worker->env, i);
 #endif /* CLIENT_SUBNET */
@@ -205,7 +205,7 @@ worker_mem_report(struct worker* ATTR_UNUSED(worker),
 				(&worker->env, i);
 #ifdef CLIENT_SUBNET
 		else if(strcmp(worker->env.mesh->mods.mod[i]->name,
-			"subnet")==0)
+			"subnetcache")==0)
 			subnet += (*worker->env.mesh->mods.mod[i]->get_mem)
 				(&worker->env, i);
 #endif /* CLIENT_SUBNET */
@@ -236,38 +236,6 @@ worker_send_cmd(struct worker* worker, enum worker_commands cmd)
 	}
 }
 
-int 
-worker_handle_reply(struct comm_point* c, void* arg, int error, 
-	struct comm_reply* reply_info)
-{
-	struct module_qstate* q = (struct module_qstate*)arg;
-	struct worker* worker = q->env->worker;
-	struct outbound_entry e;
-	e.qstate = q;
-	e.qsent = NULL;
-
-	if(error != 0) {
-		mesh_report_reply(worker->env.mesh, &e, reply_info, error);
-		worker_mem_report(worker, NULL);
-		return 0;
-	}
-	/* sanity check. */
-	if(!LDNS_QR_WIRE(sldns_buffer_begin(c->buffer))
-		|| LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) != 
-			LDNS_PACKET_QUERY
-		|| LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) > 1) {
-		/* error becomes timeout for the module as if this reply
-		 * never arrived. */
-		mesh_report_reply(worker->env.mesh, &e, reply_info, 
-			NETEVENT_TIMEOUT);
-		worker_mem_report(worker, NULL);
-		return 0;
-	}
-	mesh_report_reply(worker->env.mesh, &e, reply_info, NETEVENT_NOERROR);
-	worker_mem_report(worker, NULL);
-	return 0;
-}
-
 int 
 worker_handle_service_reply(struct comm_point* c, void* arg, int error, 
 	struct comm_reply* reply_info)
@@ -481,7 +449,6 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 	 * Then check if it needs validation, if so, this routine fails,
 	 * so that iterator can prime and validator can verify rrsets.
 	 */
-	struct edns_data edns_bak;
 	uint16_t udpsize = edns->udp_size;
 	int secure = 0;
 	time_t timenow = *worker->env.now;
@@ -540,7 +507,6 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 		}
 	}
 	/* return this delegation from the cache */
-	edns_bak = *edns;
 	edns->edns_version = EDNS_ADVERTISED_VERSION;
 	edns->udp_size = EDNS_ADVERTISED_SIZE;
 	edns->ext_rcode = 0;
@@ -550,15 +516,13 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 		worker->env.now_tv))
 			return 0;
 	msg->rep->flags |= BIT_QR|BIT_RA;
-	if(!apply_edns_options(edns, &edns_bak, worker->env.cfg,
+	if(!reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags,
-		repinfo->c, worker->scratchpad) ||
-		!reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags, 
 		repinfo->c->buffer, 0, 1, worker->scratchpad,
 		udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL,
 			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 			worker->env.now_tv))
-				edns->opt_list = NULL;
+				edns->opt_list_inplace_cb_out = NULL;
 		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
 			&msg->qinfo, id, flags, edns);
 	}
@@ -589,7 +553,7 @@ apply_respip_action(struct worker* worker, const struct query_info* qinfo,
 		return 1;
 
 	if(!respip_rewrite_reply(qinfo, cinfo, rep, encode_repp, &actinfo,
-		alias_rrset, 0, worker->scratchpad, az))
+		alias_rrset, 0, worker->scratchpad, az, NULL))
 		return 0;
 
 	/* xxx_deny actions mean dropping the reply, unless the original reply
@@ -636,7 +600,6 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 	struct reply_info* rep, uint16_t id, uint16_t flags,
 	struct comm_reply* repinfo, struct edns_data* edns)
 {
-	struct edns_data edns_bak;
 	time_t timenow = *worker->env.now;
 	uint16_t udpsize = edns->udp_size;
 	struct reply_info* encode_rep = rep;
@@ -717,7 +680,6 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 		}
 	} else *is_secure_answer = 0;
 
-	edns_bak = *edns;
 	edns->edns_version = EDNS_ADVERTISED_VERSION;
 	edns->udp_size = EDNS_ADVERTISED_SIZE;
 	edns->ext_rcode = 0;
@@ -754,15 +716,13 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 			if(!*partial_repp)
 				goto bail_out;
 		}
-	} else if(!apply_edns_options(edns, &edns_bak, worker->env.cfg,
+	} else if(!reply_info_answer_encode(qinfo, encode_rep, id, flags,
-		repinfo->c, worker->scratchpad) ||
-		!reply_info_answer_encode(qinfo, encode_rep, id, flags,
 		repinfo->c->buffer, timenow, 1, worker->scratchpad,
 		udpsize, edns, (int)(edns->bits & EDNS_DO), *is_secure_answer)) {
 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL,
 			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 			worker->env.now_tv))
-				edns->opt_list = NULL;
+				edns->opt_list_inplace_cb_out = NULL;
 		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
 			qinfo, id, flags, edns);
 	}
@@ -782,7 +742,8 @@ bail_out:
 /** Reply to client and perform prefetch to keep cache up to date. */
 static void
 reply_and_prefetch(struct worker* worker, struct query_info* qinfo, 
-	uint16_t flags, struct comm_reply* repinfo, time_t leeway, int noreply)
+	uint16_t flags, struct comm_reply* repinfo, time_t leeway, int noreply,
+	int rpz_passthru)
 {
 	/* first send answer to client to keep its latency 
 	 * as small as a cachereply */
@@ -801,7 +762,7 @@ reply_and_prefetch(struct worker* worker, struct query_info* qinfo,
 	 * the cache and go to the network for the data). */
 	/* this (potentially) runs the mesh for the new query */
 	mesh_new_prefetch(worker->env.mesh, qinfo, flags, leeway + 
-		PREFETCH_EXPIRY_ADD);
+		PREFETCH_EXPIRY_ADD, rpz_passthru);
 }
 
 /**
@@ -821,6 +782,14 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns,
 	int i;
 	unsigned int rd = LDNS_RD_WIRE(sldns_buffer_begin(pkt));
 	unsigned int cd = LDNS_CD_WIRE(sldns_buffer_begin(pkt));
+	size_t udpsize = edns->udp_size;
+	edns->edns_version = EDNS_ADVERTISED_VERSION;
+	edns->udp_size = EDNS_ADVERTISED_SIZE;
+	edns->bits &= EDNS_DO;
+	if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL,
+		LDNS_RCODE_NOERROR, edns, repinfo, worker->scratchpad,
+		worker->env.now_tv))
+			edns->opt_list_inplace_cb_out = NULL;
 	sldns_buffer_clear(pkt);
 	sldns_buffer_skip(pkt, (ssize_t)sizeof(uint16_t)); /* skip id */
 	sldns_buffer_write_u16(pkt, (uint16_t)(BIT_QR|BIT_RA));
@@ -836,6 +805,12 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns,
 	for(i=0; i<num; i++) {
 		size_t len = strlen(str[i]);
 		if(len>255) len=255; /* cap size of TXT record */
+		if(sldns_buffer_position(pkt)+2+2+2+4+2+1+len+
+			calc_edns_field_size(edns) > udpsize) {
+			sldns_buffer_write_u16_at(pkt, 6, i); /* ANCOUNT */
+			LDNS_TC_SET(sldns_buffer_begin(pkt));
+			break;
+		}
 		sldns_buffer_write_u16(pkt, 0xc00c); /* compr ptr to query */
 		sldns_buffer_write_u16(pkt, LDNS_RR_TYPE_TXT);
 		sldns_buffer_write_u16(pkt, LDNS_RR_CLASS_CH);
@@ -845,13 +820,6 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns,
 		sldns_buffer_write(pkt, str[i], len);
 	}
 	sldns_buffer_flip(pkt);
-	edns->edns_version = EDNS_ADVERTISED_VERSION;
-	edns->udp_size = EDNS_ADVERTISED_SIZE;
-	edns->bits &= EDNS_DO;
-	if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL,
-		LDNS_RCODE_NOERROR, edns, repinfo, worker->scratchpad,
-		worker->env.now_tv))
-			edns->opt_list = NULL;
 	if(sldns_buffer_capacity(pkt) >=
 		sldns_buffer_limit(pkt)+calc_edns_field_size(edns))
 		attach_edns_record(pkt, edns);
@@ -1036,7 +1004,6 @@ answer_notify(struct worker* w, struct query_info* qinfo,
 	edns->udp_size = EDNS_ADVERTISED_SIZE;
 	edns->ext_rcode = 0;
 	edns->bits &= EDNS_DO;
-	edns->opt_list = NULL;
 	error_encode(pkt, rcode, qinfo,
 		*(uint16_t*)(void *)sldns_buffer_begin(pkt),
 		sldns_buffer_read_u16_at(pkt, 2), edns);
@@ -1046,17 +1013,25 @@ answer_notify(struct worker* w, struct query_info* qinfo,
 static int
 deny_refuse(struct comm_point* c, enum acl_access acl,
 	enum acl_access deny, enum acl_access refuse,
-	struct worker* worker, struct comm_reply* repinfo)
+	struct worker* worker, struct comm_reply* repinfo,
+	struct acl_addr* acladdr)
 {
 	if(acl == deny) {
+		if(verbosity >= VERB_ALGO) {
+			log_acl_action("dropped", &repinfo->addr,
+				repinfo->addrlen, acl, acladdr);
+			log_buf(VERB_ALGO, "dropped", c->buffer);
+		}
 		comm_point_drop_reply(repinfo);
 		if(worker->stats.extended)
 			worker->stats.unwanted_queries++;
 		return 0;
 	} else if(acl == refuse) {
-		log_addr(VERB_ALGO, "refused query from",
+		if(verbosity >= VERB_ALGO) {
-			&repinfo->addr, repinfo->addrlen);
+			log_acl_action("refused", &repinfo->addr,
-		log_buf(VERB_ALGO, "refuse", c->buffer);
+				repinfo->addrlen, acl, acladdr);
+			log_buf(VERB_ALGO, "refuse", c->buffer);
+		}
 		if(worker->stats.extended)
 			worker->stats.unwanted_queries++;
 		if(worker_check_request(c->buffer, worker) == -1) {
@@ -1079,16 +1054,20 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
 
 static int
 deny_refuse_all(struct comm_point* c, enum acl_access acl,
-	struct worker* worker, struct comm_reply* repinfo)
+	struct worker* worker, struct comm_reply* repinfo,
+	struct acl_addr* acladdr)
 {
-	return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo);
+	return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo,
+		acladdr);
 }
 
 static int
 deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
-	struct worker* worker, struct comm_reply* repinfo)
+	struct worker* worker, struct comm_reply* repinfo,
+	struct acl_addr* acladdr)
 {
-	return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, worker, repinfo);
+	return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local,
+		worker, repinfo, acladdr);
 }
 
 int 
@@ -1107,6 +1086,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	int need_drop = 0;
 	int is_expired_answer = 0;
 	int is_secure_answer = 0;
+	int rpz_passthru = 0;
 	/* We might have to chase a CNAME chain internally, in which case
 	 * we'll have up to two replies and combine them to build a complete
 	 * answer.  These variables control this case. */
@@ -1179,7 +1159,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr, 
 		repinfo->addrlen);
 	acl = acl_get_control(acladdr);
-	if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1)
+	if((ret=deny_refuse_all(c, acl, worker, repinfo, acladdr)) != -1)
 	{
 		if(ret == 1)
 			goto send_reply;
@@ -1201,7 +1181,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 
 	/* check if this query should be dropped based on source ip rate limiting */
 	if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo,
-			*worker->env.now, c->buffer)) {
+			*worker->env.now,
+			worker->env.cfg->ip_ratelimit_backoff, c->buffer)) {
 		/* See if we are passed through with slip factor */
 		if(worker->env.cfg->ip_ratelimit_factor != 0 &&
 			ub_random_max(worker->env.rnd,
@@ -1273,7 +1254,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		}
 		goto send_reply;
 	}
-	if((ret=parse_edns_from_pkt(c->buffer, &edns, worker->scratchpad)) != 0) {
+	if((ret=parse_edns_from_query_pkt(c->buffer, &edns, worker->env.cfg, c,
+					worker->scratchpad)) != 0) {
 		struct edns_data reply_edns;
 		verbose(VERB_ALGO, "worker parse edns: formerror.");
 		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
@@ -1288,13 +1270,14 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		goto send_reply;
 	}
 	if(edns.edns_present) {
-		struct edns_option* edns_opt;
 		if(edns.edns_version != 0) {
 			edns.ext_rcode = (uint8_t)(EDNS_RCODE_BADVERS>>4);
 			edns.edns_version = EDNS_ADVERTISED_VERSION;
 			edns.udp_size = EDNS_ADVERTISED_SIZE;
 			edns.bits &= EDNS_DO;
-			edns.opt_list = NULL;
+			edns.opt_list_in = NULL;
+			edns.opt_list_out = NULL;
+			edns.opt_list_inplace_cb_out = NULL;
 			edns.padding_block_size = 0;
 			verbose(VERB_ALGO, "query with bad edns version.");
 			log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
@@ -1314,26 +1297,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
 			edns.udp_size = NORMAL_UDP_SIZE;
 		}
-		if(c->type != comm_udp) {
-			edns_opt = edns_opt_list_find(edns.opt_list, LDNS_EDNS_KEEPALIVE);
-			if(edns_opt && edns_opt->opt_len > 0) {
-				edns.ext_rcode = 0;
-				edns.edns_version = EDNS_ADVERTISED_VERSION;
-				edns.udp_size = EDNS_ADVERTISED_SIZE;
-				edns.bits &= EDNS_DO;
-				edns.opt_list = NULL;
-				verbose(VERB_ALGO, "query with bad edns keepalive.");
-				log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
-				error_encode(c->buffer, LDNS_RCODE_FORMERR, &qinfo,
-					*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
-					sldns_buffer_read_u16_at(c->buffer, 2), NULL);
-				if(sldns_buffer_capacity(c->buffer) >=
-				   sldns_buffer_limit(c->buffer)+calc_edns_field_size(&edns))
-					attach_edns_record(c->buffer, &edns);
-				regional_free_all(worker->scratchpad);
-				goto send_reply;
-			}
-		}
 	}
 	if(edns.udp_size > worker->daemon->cfg->max_udp_size &&
 		c->type == comm_udp) {
@@ -1387,9 +1350,10 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		goto send_reply;
 	}
 	if(worker->env.auth_zones &&
-		rpz_apply_qname_trigger(worker->env.auth_zones,
+		rpz_callback_from_worker_request(worker->env.auth_zones,
 		&worker->env, &qinfo, &edns, c->buffer, worker->scratchpad,
-		repinfo, acladdr->taglist, acladdr->taglen, &worker->stats)) {
+		repinfo, acladdr->taglist, acladdr->taglen, &worker->stats,
+		&rpz_passthru)) {
 		regional_free_all(worker->scratchpad);
 		if(sldns_buffer_limit(c->buffer) == 0) {
 			comm_point_drop_reply(repinfo);
@@ -1415,7 +1379,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 
 	/* We've looked in our local zones. If the answer isn't there, we
 	 * might need to bail out based on ACLs now. */
-	if((ret=deny_refuse_non_local(c, acl, worker, repinfo)) != -1)
+	if((ret=deny_refuse_non_local(c, acl, worker, repinfo, acladdr)) != -1)
 	{
 		regional_free_all(worker->scratchpad);
 		if(ret == 1)
@@ -1485,7 +1449,7 @@ lookup_cache:
 	 * this is a two-pass operation, and lookup_qinfo is different for
 	 * each pass.  We should still pass the original qinfo to
 	 * answer_from_cache(), however, since it's used to build the reply. */
-	if(!edns_bypass_cache_stage(edns.opt_list, &worker->env)) {
+	if(!edns_bypass_cache_stage(edns.opt_list_in, &worker->env)) {
 		is_expired_answer = 0;
 		is_secure_answer = 0;
 		h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
@@ -1515,7 +1479,8 @@ lookup_cache:
 					reply_and_prefetch(worker, lookup_qinfo,
 						sldns_buffer_read_u16_at(c->buffer, 2),
 						repinfo, leeway,
-						(partial_rep || need_drop));
+						(partial_rep || need_drop),
+						rpz_passthru);
 					if(!partial_rep) {
 						rc = 0;
 						regional_free_all(worker->scratchpad);
@@ -1578,7 +1543,8 @@ lookup_cache:
 	/* grab a work request structure for this new request */
 	mesh_new_client(worker->env.mesh, &qinfo, cinfo,
 		sldns_buffer_read_u16_at(c->buffer, 2),
-		&edns, repinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer));
+		&edns, repinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
+		rpz_passthru);
 	regional_free_all(worker->scratchpad);
 	worker_mem_report(worker, NULL);
 	return 0;
@@ -1642,6 +1608,9 @@ worker_sighandler(int sig, void* arg)
 		case SIGHUP:
 			comm_base_exit(worker->base);
 			break;
+#endif
+#ifdef SIGBREAK
+		case SIGBREAK:
 #endif
 		case SIGINT:
 			worker->need_to_exit = 1;
@@ -1760,6 +1729,9 @@ worker_init(struct worker* worker, struct config_file *cfg,
 	if(do_sigs) {
 #ifdef SIGHUP
 		ub_thread_sig_unblock(SIGHUP);
+#endif
+#ifdef SIGBREAK
+		ub_thread_sig_unblock(SIGBREAK);
 #endif
 		ub_thread_sig_unblock(SIGINT);
 #ifdef SIGQUIT
@@ -1777,6 +1749,9 @@ worker_init(struct worker* worker, struct config_file *cfg,
 			|| !comm_signal_bind(worker->comsig, SIGQUIT)
 #endif
 			|| !comm_signal_bind(worker->comsig, SIGTERM)
+#ifdef SIGBREAK
+			|| !comm_signal_bind(worker->comsig, SIGBREAK)
+#endif
 			|| !comm_signal_bind(worker->comsig, SIGINT)) {
 			log_err("could not create signal handlers");
 			worker_delete(worker);
@@ -1826,7 +1801,9 @@ worker_init(struct worker* worker, struct config_file *cfg,
 		&worker_alloc_cleanup, worker,
 		cfg->do_udp || cfg->udp_upstream_without_downstream,
 		worker->daemon->connect_sslctx, cfg->delay_close,
-		cfg->tls_use_sni, dtenv, cfg->udp_connect);
+		cfg->tls_use_sni, dtenv, cfg->udp_connect,
+		cfg->max_reuse_tcp_queries, cfg->tcp_reuse_timeout,
+		cfg->tcp_auth_query_timeout);
 	if(!worker->back) {
 		log_err("could not create outgoing sockets");
 		worker_delete(worker);
@@ -1880,6 +1857,11 @@ worker_init(struct worker* worker, struct config_file *cfg,
 		return 0;
 	}
 	worker->env.mesh = mesh_create(&worker->daemon->mods, &worker->env);
+	if(!worker->env.mesh) {
+		log_err("malloc failure");
+		worker_delete(worker);
+		return 0;
+	}
 	/* Pass on daemon variables that we would need in the mesh area */
 	worker->env.mesh->use_response_ip = worker->daemon->use_response_ip;
 	worker->env.mesh->use_rpz = worker->daemon->use_rpz;
@@ -1890,6 +1872,11 @@ worker_init(struct worker* worker, struct config_file *cfg,
 	worker->env.kill_sub = &mesh_state_delete;
 	worker->env.detect_cycle = &mesh_detect_cycle;
 	worker->env.scratch_buffer = sldns_buffer_new(cfg->msg_buffer_size);
+	if(!worker->env.scratch_buffer) {
+		log_err("malloc failure");
+		worker_delete(worker);
+		return 0;
+	}
 	if(!(worker->env.fwds = forwards_create()) ||
 		!forwards_apply_cfg(worker->env.fwds, cfg)) {
 		log_err("Could not set forward zones");
@@ -1944,10 +1931,6 @@ worker_init(struct worker* worker, struct config_file *cfg,
 		}
 	}
 #endif /* USE_DNSTAP */
-	if(!worker->env.mesh || !worker->env.scratch_buffer) {
-		worker_delete(worker);
-		return 0;
-	}
 	worker_mem_report(worker, NULL);
 	/* if statistics enabled start timer */
 	if(worker->env.cfg->stat_interval > 0) {
@@ -2011,9 +1994,10 @@ worker_delete(struct worker* worker)
 
 struct outbound_entry*
 worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec,
-	int want_dnssec, int nocaps, struct sockaddr_storage* addr,
+	int want_dnssec, int nocaps, int check_ratelimit,
-	socklen_t addrlen, uint8_t* zone, size_t zonelen, int ssl_upstream,
+	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
-	char* tls_auth_name, struct module_qstate* q)
+	size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
+	struct module_qstate* q, int* was_ratelimited)
 {
 	struct worker* worker = q->env->worker;
 	struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@@ -2022,9 +2006,10 @@ worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec,
 		return NULL;
 	e->qstate = q;
 	e->qsent = outnet_serviced_query(worker->back, qinfo, flags, dnssec,
-		want_dnssec, nocaps, q->env->cfg->tcp_upstream,
+		want_dnssec, nocaps, check_ratelimit, tcp_upstream,
 		ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q,
-		worker_handle_service_reply, e, worker->back->udp_buff, q->env);
+		worker_handle_service_reply, e, worker->back->udp_buff, q->env,
+		was_ratelimited);
 	if(!e->qsent) {
 		return NULL;
 	}
@@ -2068,18 +2053,11 @@ struct outbound_entry* libworker_send_query(
 	struct query_info* ATTR_UNUSED(qinfo),
 	uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec),
 	int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
+	int ATTR_UNUSED(check_ratelimit),
 	struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen),
-	uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
+	uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
 	int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
-	struct module_qstate* ATTR_UNUSED(q))
+	struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
-{
-	log_assert(0);
-	return 0;
-}
-
-int libworker_handle_reply(struct comm_point* ATTR_UNUSED(c), 
-	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
-        struct comm_reply* ATTR_UNUSED(reply_info))
 {
 	log_assert(0);
 	return 0;

dns64/dns64.c

@@ -685,8 +685,12 @@ dns64_operate(struct module_qstate* qstate, enum module_ev event, int id,
 	switch(event) {
 		case module_event_new:
 			/* Tag this query as being new and fall through. */
-			iq = (struct dns64_qstate*)regional_alloc(
+			if (!(iq = (struct dns64_qstate*)regional_alloc(
-				qstate->region, sizeof(*iq));
+				qstate->region, sizeof(*iq)))) {
+				log_err("out of memory");
+				qstate->ext_state[id] = module_error;
+				return;
+			}
 			qstate->minfo[id] = iq;
 			iq->state = DNS64_NEW_QUERY;
 			iq->started_no_cache_store = qstate->no_cache_store;
@@ -913,8 +917,9 @@ dns64_adjust_ptr(struct module_qstate* qstate, struct module_qstate* super)
                     sizeof(struct dns_msg))))
         return;
     super->return_msg->qinfo = super->qinfo;
-    super->return_msg->rep = reply_info_copy(qstate->return_msg->rep, NULL,
+    if (!(super->return_msg->rep = reply_info_copy(qstate->return_msg->rep,
-            super->region);
+                    NULL, super->region)))
+        return;
 
     /*
      * Adjust the domain name of the answer RR set so that it matches the

dnscrypt/dnscrypt.c

@@ -435,7 +435,7 @@ dnscrypt_hrtime(void)
 
 /**
  * Add the server nonce part to once.
- * The nonce is made half of client nonce and the seconf half of the server
+ * The nonce is made half of client nonce and the second half of the server
  * nonce, both of them of size crypto_box_HALF_NONCEBYTES.
  * \param[in] nonce: a uint8_t* of size crypto_box_NONCEBYTES
  */
@@ -674,7 +674,7 @@ dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
 /**
  * Insert local-zone and local-data into configuration.
  * In order to be able to serve certs over TXT, we can reuse the local-zone and
- * local-data config option. The zone and qname are infered from the
+ * local-data config option. The zone and qname are inferred from the
  * provider_name and the content of the TXT record from the certificate content.
  * returns the number of certificate TXT record that were loaded.
  * < 0 in case of error.

dnscrypt/dnscrypt.h

@@ -114,7 +114,7 @@ void dnsc_delete(struct dnsc_env *env);
 
 /**
  * handle a crypted dnscrypt request.
- * Determine wether or not a query is coming over the dnscrypt listener and
+ * Determine whether or not a query is coming over the dnscrypt listener and
  * attempt to uncurve it or detect if it is a certificate query.
  * return 0 in case of failure.
  */
@@ -122,7 +122,7 @@ int dnsc_handle_curved_request(struct dnsc_env* dnscenv,
                                struct comm_reply* repinfo);
 /**
  * handle an unencrypted dnscrypt request.
- * Determine wether or not a query is going over the dnscrypt channel and
+ * Determine whether or not a query is going over the dnscrypt channel and
  * attempt to curve it unless it was not crypted like when  it is a
  * certificate query.
  * \return 0 in case of failure.

dnstap/dnstap.c

@@ -507,19 +507,19 @@ dt_msg_send_outside_query(struct dt_env *env,
 
 void
 dt_msg_send_outside_response(struct dt_env *env,
-			     struct sockaddr_storage *rsock,
+	struct sockaddr_storage *rsock,
-			     struct sockaddr_storage *qsock,
+	struct sockaddr_storage *qsock,
-			     enum comm_point_type cptype,
+	enum comm_point_type cptype,
-			     uint8_t *zone, size_t zone_len,
+	uint8_t *zone, size_t zone_len,
-			     uint8_t *qbuf, size_t qbuf_len,
+	uint8_t *qbuf, size_t qbuf_len,
-			     const struct timeval *qtime,
+	const struct timeval *qtime,
-			     const struct timeval *rtime,
+	const struct timeval *rtime,
-			     sldns_buffer *rmsg)
+	sldns_buffer *rmsg)
 {
 	struct dt_msg dm;
 	uint16_t qflags;
 
-	log_assert(qbuf_len >= sizeof(qflags));
+	(void)qbuf_len; log_assert(qbuf_len >= sizeof(qflags));
 	memcpy(&qflags, qbuf, sizeof(qflags));
 	qflags = ntohs(qflags);
 

dnstap/dtstream.c

@@ -188,9 +188,9 @@ mq_wakeup_cb(void* arg)
 
 /** start timer to wakeup dtio because there is content in the queue */
 static void
-dt_msg_queue_start_timer(struct dt_msg_queue* mq)
+dt_msg_queue_start_timer(struct dt_msg_queue* mq, int wakeupnow)
 {
-	struct timeval tv;
+	struct timeval tv = {0};
 	/* Start a timer to process messages to be logged.
 	 * If we woke up the dtio thread for every message, the wakeup
 	 * messages take up too much processing power.  If the queue
@@ -204,19 +204,26 @@ dt_msg_queue_start_timer(struct dt_msg_queue* mq)
 
 	/* do not start the timer if a timer already exists, perhaps
 	 * in another worker.  So this variable is protected by a lock in
-	 * dtio */
+	 * dtio. */
+
+	/* If we need to wakeupnow, 0 the timer to force the callback. */
 	lock_basic_lock(&mq->dtio->wakeup_timer_lock);
 	if(mq->dtio->wakeup_timer_enabled) {
+		if(wakeupnow) {
+			comm_timer_set(mq->wakeup_timer, &tv);
+		}
 		lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
 		return;
 	}
 	mq->dtio->wakeup_timer_enabled = 1; /* we are going to start one */
-	lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
 
 	/* start the timer, in mq, in the event base of our worker */
-	tv.tv_sec = 1;
+	if(!wakeupnow) {
-	tv.tv_usec = 0;
+		tv.tv_sec = 1;
+		tv.tv_usec = 0;
+	}
 	comm_timer_set(mq->wakeup_timer, &tv);
+	lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
 }
 
 void
@@ -251,7 +258,7 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
 	entry->buf = buf;
 	entry->len = len;
 
-	/* aqcuire lock */
+	/* acquire lock */
 	lock_basic_lock(&mq->lock);
 	/* if list was empty, start timer for (eventual) wakeup */
 	if(mq->first == NULL)
@@ -283,10 +290,8 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
 	/* release lock */
 	lock_basic_unlock(&mq->lock);
 
-	if(wakeupnow) {
+	if(wakeupnow || wakeupstarttimer) {
-		dtio_wakeup(mq->dtio);
+		dt_msg_queue_start_timer(mq, wakeupnow);
-	} else if(wakeupstarttimer) {
-		dt_msg_queue_start_timer(mq);
 	}
 }
 
@@ -930,7 +935,7 @@ static int dtio_write_more_of_data(struct dt_io_thread* dtio)
 	return 1;
 }
 
-/** write more of the current messsage. false if incomplete, true if
+/** write more of the current message. false if incomplete, true if
  * the message is done */
 static int dtio_write_more(struct dt_io_thread* dtio)
 {
@@ -1181,7 +1186,7 @@ static int dtio_read_accept_frame(struct dt_io_thread* dtio)
 					goto close_connection;
 				return 1;
 			} else {
-				/* unknow content type */
+				/* unknown content type */
 				verbose(VERB_ALGO, "dnstap: ACCEPT frame "
 					"contains unknown content type, "
 					"closing connection");

dnstap/unbound-dnstap-socket.c

@@ -1012,6 +1012,7 @@ void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg)
 		if(verbosity) log_info("bidirectional stream");
 		if(!reply_with_accept(data)) {
 			tap_data_free(data);
+			return;
 		}
 	} else if(data->len >= 4 && sldns_read_uint32(data->frame) ==
 		FSTRM_CONTROL_FRAME_STOP && data->is_bidirectional) {
@@ -1166,8 +1167,13 @@ int sig_quit = 0;
 /** signal handler for user quit */
 static RETSIGTYPE main_sigh(int sig)
 {
-	if(!sig_quit)
+	if(!sig_quit) {
-		fprintf(stderr, "exit on signal %d\n", sig);
+		char str[] = "exit on signal   \n";
+		str[15] = '0' + (sig/10)%10;
+		str[16] = '0' + sig%10;
+		/* simple cast to void will not silence Wunused-result */
+		(void)!write(STDERR_FILENO, str, strlen(str));
+	}
 	if(sig_base) {
 		ub_event_base_loopexit(sig_base);
 		sig_base = NULL;
@@ -1258,9 +1264,9 @@ int main(int argc, char** argv)
 	memset(&tls_list, 0, sizeof(tls_list));
 
 	/* lock debug start (if any) */
+	checklock_start();
 	log_ident_set("unbound-dnstap-socket");
 	log_init(0, 0, 0);
-	checklock_start();
 
 #ifdef SIGPIPE
 	if(signal(SIGPIPE, SIG_IGN) == SIG_ERR) {
@@ -1375,14 +1381,6 @@ int worker_handle_request(struct comm_point* ATTR_UNUSED(c),
 	return 0;
 }
 
-int worker_handle_reply(struct comm_point* ATTR_UNUSED(c), 
-	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
-        struct comm_reply* ATTR_UNUSED(reply_info))
-{
-	log_assert(0);
-	return 0;
-}
-
 int worker_handle_service_reply(struct comm_point* ATTR_UNUSED(c), 
 	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
         struct comm_reply* ATTR_UNUSED(reply_info))
@@ -1415,10 +1413,12 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg))
 struct outbound_entry* worker_send_query(
 	struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags),
 	int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
-	int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
+	int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit),
+	struct sockaddr_storage* ATTR_UNUSED(addr),
 	socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
-	size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream),
+	size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
-	char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q))
+	int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
+	struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
 {
 	log_assert(0);
 	return 0;
@@ -1447,18 +1447,12 @@ worker_alloc_cleanup(void* ATTR_UNUSED(arg))
 struct outbound_entry* libworker_send_query(
 	struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags),
 	int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
-	int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
+	int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit),
+	struct sockaddr_storage* ATTR_UNUSED(addr),
 	socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
-	size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream),
+	size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
-	char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q))
+	int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
-{
+	struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
-	log_assert(0);
-	return 0;
-}
-
-int libworker_handle_reply(struct comm_point* ATTR_UNUSED(c), 
-	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
-        struct comm_reply* ATTR_UNUSED(reply_info))
 {
 	log_assert(0);
 	return 0;

doc/Changelog

@@ -1,3 +1,640 @@
+8 April 2022: Wouter
+	- Fix zonemd check to allow unsupported algorithms to load.
+	  If there are only unsupported algorithms, or unsupported schemes,
+	  and no failed or successful other ZONEMD records, or malformed
+	  or bad ZONEMD records, the unsupported records allow the zone load.
+	- Fix zonemd unsupported algo check.
+	- Fix zonemd unsupported algo check reason to not copy to next record,
+	  and check for success for debug printout.
+	- Fix zonemd unsupported algo check to print unsupported reason before
+	  zeroing it.
+	- Fix zonemd unsupported algo check to set reason to NULL before the
+	  check routine, but after malformed checks, to get the correct NULL
+	  output when the digest matches.
+
+25 March 2022: Wouter
+	- Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
+
+23 March 2022: Wouter
+	- Fix #651: [FR] Better logging for refused queries.
+
+18 March 2022: George
+	- Merge PR #648 from eaglegai: fix -q doesn't work when use with
+	  'unbound-control stats_shm'.
+
+17 March 2022: Wouter
+	- Fix to describe auth-zone and other configuration at the local-zone
+	  configuration option, to allow for more broadly view of the options.
+
+16 March 2022: Wouter
+	- Fix to ensure uniform handling of spaces and tabs when parsing RRs.
+
+9 March 2022: Wouter
+	- Merge #644: Make `install-lib` make target install the pkg-config
+	  file.
+
+7 March 2022: Wouter
+	- Fix configure for python to use sysutils, because distutils is
+	  deprecated. It uses sysutils when available, distutils otherwise.
+
+3 March 2022: Wouter
+	- Fix #637: Integer Overflow in sldns_str2period function.
+	- Fix for #637: fix integer overflow checks in sldns_str2period.
+
+2 March 2022: George
+	- Merge PR #632 from scottrw93: Match cnames in ipset.
+	- Various fixes for #632: variable initialisation, convert the qinfo
+	  to str once, accept trailing dot in the local-zone ipset option.
+
+2 March 2022: Wouter
+	- Fix compile warnings for printf ll format on mingw compile.
+
+1 March 2022: Wouter
+	- Fix pythonmod for change in iter_dp_is_useless function prototype.
+
+28 February 2022: George
+	- Fix #630: Unify the RPZ log messages.
+	- Merge #623 from rex4539: Fix typos.
+
+28 February 2022: Wouter
+	- Fix #633: Document unix domain socket support for unbound-control.
+	- Fix for #633: updated fix with new text.
+	- Fix edns client subnet to add the option based on the option list,
+	  so that it is not state dependent, after the state fix of #605 for
+	  double EDNS options.
+	- Fix for edns client subnet option add fix in removal code, from review.
+
+25 February 2022: Wouter
+	- Fix to detect that no IPv6 support means that IPv6 addresses are
+	  useless for delegation point lookups.
+	- update Makefile dependencies.
+	- Fix check interface existence for support detection in remote lookup.
+
+18 February 2022: Wouter
+	- Fix that address not available is squelched from the logs for
+	  udp connect failures. It is visible on verbosity 4 and more.
+	- Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
+	  ERR_GET_REASON.
+
+16 February 2022: Wouter
+	- Fix for #628: fix rpz-passthru for qname trigger by localzone type.
+
+15 February 2022: Wouter
+	- Fix #628: A rpz-passthru action is not ending RPZ zone processing.
+
+11 February 2022: Wouter
+	- Fix #624: Unable to stop Unbound in Windows console (does not
+	  respond to CTRL+C command).
+	- Fix #618: enabling interface-automatic disables DNS-over-TLS.
+	  Adds the option to list interface-automatic-ports.
+	- Remove debug info from #618 fix.
+
+7 February 2022: Wouter
+	- Fix that TCP interface does not use TLS when TLS is also configured.
+
+4 February 2022: Wouter
+	- Fix #412: cache invalidation issue with CNAME+A.
+
+3 February 2022: Wouter
+	- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+	- Tag for 1.15.0rc1 created. That became 1.15.0 on 10 feb 2022.
+	  The repository continues with version 1.15.1.
+
+2 February 2022: George
+	- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
+	- Merge PR #616: Update ratelimit logic. It also introduces
+	  ratelimit-backoff and ip-ratelimit-backoff configuration options.
+	- Change aggressive-nsec default to yes.
+	- Merge PR #617: Update stub/forward-host notation to accept port and
+	  tls-auth-name.
+	- Update stream_ssl.tdir test to also use the new forward-host
+	  notation.
+
+2 February 2022: Wouter
+	- Update version number in repo to 1.15.0 for upcoming release,
+	  since it changes the aggressive-nsec default and the ratelimit change.
+	- Fix header comment for doxygen for authextstrtoaddr.
+	- please clang analyzer for loop in test code.
+	- Fix docker splint test to use more portable uname.
+	- Update contrib/aaaa-filter-iterator.patch with diff for current
+	  software version.
+
+1 February 2022: George
+	- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
+	  internals.
+
+31 January 2022: George
+	- Fix review comment for use-after-free when failing to send UDP out.
+
+31 January 2022: Wouter
+	- iana portlist update.
+
+29 January 2022: George
+	- Fix tls-* and ssl-* documented alternate syntax to also be available
+	  through remote-control and unbound-checkconf.
+	- Better cleanup on failed DoT/DoH listening socket creation.
+
+26 January 2022: George
+	- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
+	  document.
+
+26 January 2022: Wouter
+	- Test for NSID in SERVFAIL response due to DNSSEC bogus.
+
+25 January 2022: George
+	- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
+	  serviced_udp_callback.
+	- Merge PR #612: TCP race condition.
+
+25 January 2022: Wouter
+	- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
+
+19 January 2022: George
+	- For dnstap, do not wakeupnow right there. Instead zero the timer to
+	  force the wakeup callback asap.
+
+14 January 2022: George
+	- Merge PR #605:
+	  - Fix EDNS to upstream where the same option could be attached
+	     more than once.
+	  - Add a region to serviced_query for allocations.
+
+14 January 2022: Wouter
+	- Add rpz: for-downstream: yesno option, where the RPZ zone is
+	  authoritatively answered for, so the RPZ zone contents can be
+	  checked with DNS queries directed at the RPZ zone.
+	- For #602: Allow the module-config "subnetcache validator cachedb
+	  iterator".
+
+11 January 2022: George
+	- Fix prematurely terminated TCP queries when a reply has the same ID.
+
+7 January 2022: Wouter
+	- Merge #600 from pemensik: Change file mode before changing file
+	  owner.
+
+5 January 2022: Wouter
+	- Fix for #596: fix that rpz return message is returned and not just
+	  the rcode from the iterator return path. This fixes signal unset RA
+	  after a CNAME.
+	- Fix unit tests for rpz now that the AA flag returns successfully from
+	  the iterator loop.
+	- Fix for #596: add unit test for nsdname trigger and signal unset RA.
+	- Fix for #596: add unit test for nsip trigger and signal unset RA.
+	- Fix #598: Fix unbound-checkconf fatal error: module conf
+	  'respip dns64 validator iterator' is not known to work.
+	- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
+	  triggered operation.
+
+4 January 2022: Wouter
+	- Fix #596: unset the RA bit when a query is blocked by an unbound
+	  RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
+	  signal that a domain is externally blocked to clients when it
+	  is blocked with NXDOMAIN by unsetting RA.
+	- Fix to add test for rpz-signal-nxdomain-ra.
+	- Fix #596: only unset RA when NXDOMAIN is signalled.
+	- Fix that RPZ does not set RD flag on replies, it should be copied
+	  from the query.
+
+22 December 2021: George
+	- contrib/aaaa-filter-iterator.patch file renewed diff content to
+	  apply cleanly to the current coderepo for the current code version.
+
+20 December 2021: George
+	- Fix #591: Unbound-anchor manpage links to non-existent license file.
+
+13 December 2021: George
+	- Add missing configure flags for optional features in the
+	  documentation.
+	- Fix Unbound capitalization in the documentation.
+
+13 December 2021: Wouter
+	- Fix to pick up other class local zone information before unlock.
+
+10 December 2021: George
+	- Allow local-data for classes other than IN to inherit a configured
+	  local-zone's type if possible, instead of defaulting to type
+	  transparent as per the implicit rule.
+
+10 December 2021: Wouter
+	- Add code similar to fix for ldns for tab between strings, for
+	  consistency, the test case was not broken.
+
+6 December 2021: Wouter
+	- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
+	  warnings in rpz.
+	- Fix validator debug output about DS support, print correct algorithm.
+
+3 December 2021: Wouter
+	- Fix compile warning for if_nametoindex on windows 64bit.
+
+1 December 2021: Wouter
+	- configure is set to 1.14.0, and release branch.
+	  This was released as version 1.14.0 on 9 Dec 2021, with the doxygen
+	  fix below included. The main branch continues as 1.14.1.
+	- Fix doc/unbound.doxygen to remove obsolete tag warning.
+
+1 December 2021: George
+	- Merge PR #511 from yan12125: Reduce unnecessary linking.
+	- Merge PR #493 from Jaap: Fix generation of libunbound.pc.
+	- Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
+	  link-local addresses.
+	- Merge PR #562 from Willem: Reset keepalive per new tcp session.
+	- Merge PR #522 from sibeream: memory management violations fixed.
+	- Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
+	- Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
+	- Fix #574: Review fixes for size allocation.
+
+30 November 2021: Wouter
+	- Fix to remove git tracking and ci information from release tarballs.
+	- iana portlist update.
+
+29 November 2021: Wouter
+	- Merge PR #570 from rex4539: Fix typos.
+	- Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
+	- Fix to make python module opt_list use opt_list_in.
+	- Fix #574: unbound-checkconf reports fatal error if interface names
+	  are used as value for interfaces:
+	- Fix #574: Review fixes for it.
+	- Fix #576: [FR] UB_* error codes in unbound.h
+	- Fix #574: Review fix for spelling.
+
+15 November 2021: Tom
+	- Improve EDNS option handling, now also works for synthesised
+	  responses such as local-data and server.id CH TXT responses.
+
+5 November 2021: George
+	- Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
+	  reclaimed more than once during callbacks.
+	- Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
+
+5 November 2021: Wouter
+	- Fix that forward-zone name is documented as the full name of the
+	  zone. It is not relative but a fully qualified domain name.
+	- Fix analyzer review failure in rpz action override code to not
+	  crash on unlocking the local zone lock.
+	- Fix to remove unused code from rpz resolve client and action
+	  function.
+	- Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
+
+2 November 2021: Wouter
+	- Fix #552: Unbound assumes index.html exists on RPZ host.
+
+11 October 2021: Wouter
+	- Fix chaos replies to have truncation for short message lengths,
+	  or long reply strings.
+	- Fix to protect custom regional create against small values.
+
+4 October 2021: Wouter
+	- Fix to add example.conf note for outbound-msg-retry.
+
+27 September 2021: Wouter
+	- Implement RFC8375: Special-Use Domain 'home.arpa.'.
+
+21 September 2021: Wouter
+	- For crosscompile on windows, detect 64bit stackprotector library.
+	- Fix crosscompile shell syntax.
+	- Fix crosscompile windows to use libssp when it exists.
+	- For the windows compile script disable gost.
+	- Fix that on windows, use BIO_set_callback_ex instead of deprecated
+	  BIO_set_callback.
+	- Fix crosscompile script for the shared build flags.
+
+20 September 2021: Wouter
+	- Fix crosscompile on windows to work with openssl 3.0.0 the
+	  link with ws2_32 needs -l:libssp.a for __strcpy_chk.
+	  Also copy results from lib64 directory if needed.
+
+10 September 2021: Wouter
+	- Fix initialisation errors reported by gcc sanitizer.
+	- Fix lock debug code for gcc sanitizer reports.
+	- Fix more initialisation errors reported by gcc sanitizer.
+
+8 September 2021: Wouter
+	- Merged #41 from Moritz Schneider: made outbound-msg-retry
+	  configurable.
+	- Small fixes for #41: changelog, conflicts resolved,
+	  processQueryResponse takes an iterator env argument like other
+	  functions in the iterator, no colon in string for set_option,
+	  and some whitespace style, to make it similar to the rest.
+	- Fix for #41: change outbound retry to int to fix signed comparison
+	  warnings.
+	- Fix root_anchor test to check with new icannbundle date.
+
+3 September 2021: Wouter
+	- Fix #538: Fix subnetcache statistics.
+
+1 September 2021: Wouter
+	- Fix tcp fastopen failure when disabled, try normal connect instead.
+
+27 August 2021: Wouter
+	- Fix #533: Negative responses get cached even when setting
+	  cache-max-negative-ttl: 1
+
+25 August 2021: Wouter
+	- Merge #401: RPZ triggers. This add additional RPZ triggers,
+	  unbound supports a full set of rpz triggers, and this now
+	  includes nsdname, nsip and clientip triggers. Also actions
+	  are fully supported, and this now includes the tcp-only action.
+	- Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
+	  to insert into RPZ.
+	- Fix the stream wait stream_wait_count_lock and http2 buffer locks
+	  setup and desetup from race condition.
+	- Fix RPZ locks. Do not unlock zones lock if requested and rpz find
+	  zone does not find the zone. Readlock the clientip that is found
+	  for ipbased triggers. Unlock the nsdname zone lock when done.
+	  Unlock zone and ip in rpz nsip and nsdname callback. Unlock
+	  authzone and localzone if clientip found in rpz worker call.
+	- Fix compile warning in libunbound for listen desetup routine.
+	- Fix asynclook unit test for setup of lockchecks before log.
+
+20 August 2021: Wouter
+	- Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
+	  undefined.
+	- Fix #531: Fix: passed to proc after free.
+
+17 August 2021: Wouter
+	- Fix that --with-ssl can use "/usr/include/openssl11" to pass the
+	  location of a different openssl version.
+	- Fix #527: not sending quad9 cert to syslog (and may be more).
+	- Fix sed script in ssldir split handling.
+
+16 August 2021: George
+	- Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
+	  static.
+
+16 August 2021: Wouter
+	- Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
+
+13 August 2021: Wouter
+	- Support using system-wide crypto policies.
+	- Fix for #431: Squelch permission denied errors for udp connect,
+	  and udp send, they are visible at higher verbosity settings.
+	- Fix zonemd verification of key that is not in DNS but in the zone
+	  and needs a chain of trust.
+	- zonemd, fix order of bogus printout string manipulation.
+
+12 August 2021: George
+	- Merge PR #514, from ziollek: Docker environment for run tests.
+	- For #514: generate configure.
+
+12 August 2021: Wouter
+	- And 1.13.2rc1 became the 1.13.2 with the fix for the python module
+	  build. The current code repository continues with version 1.13.3.
+	- Add test tool readzone to .gitignore.
+	- Merge #521: Update mini_event.c.
+	- Merge #523: fix: free() call more than once with the same pointer.
+	- Merge #519: Support for selective enabling tcp-upstream for
+	  stub/forward zones.
+	- For #519: note stub-tcp-upstream and forward-tcp-upstream in
+	  the example configuration file.
+	- For #519: yacc and lex. And fix python bindings, and test program
+	  unbound-dnstap-socket.
+	- For #519: fix comments for doxygen.
+	- Fix to print error from unbound-anchor for writing to the key
+	  file, also when not verbose.
+
+5 August 2021: Wouter
+	- Tag for 1.13.2rc1 release.
+	- Fix #520: Unbound 1.13.2rc1 fails to build python module.
+
+4 August 2021: George
+	- Merge PR #415 from sibeream: Use
+	  /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing
+	  ports. (New --enable-linux-ip-local-port-range configuration option)
+	- Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
+	  allows longer CNAME chains in Unbound.
+
+4 August 2021: Wouter
+	- In unit test use openssl set security level to allow keys in test.
+	- Fix static analysis warnings about localzone locks that are unused.
+	- Fix missing locks in zonemd unit test.
+	- Fix readzone compile under debug config.
+	- Fix out of sourcedir run of zonemd unit tests.
+	- Fix libnettle zonemd unit test.
+	- Fix unit test zonemd_reload for use in run_vm.
+
+3 August 2021: George
+	- Listen to read or write events after the SSL handshake.
+	  Sticky events on windows would stick on read when write was needed.
+
+3 August 2021: Wouter
+	- Merge PR #517 from dyunwei: #420 breaks the mesh reply list
+	  function that need to reuse the dns answer.
+	- Annotate assertion into error printout; we think it may be an
+	  error, but the situation looks harmless.
+	- Fix sign comparison warning on FreeBSD.
+
+2 August 2021: Wouter
+	- Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
+	  keyraw functions to produce EVP_PKEY results.
+	- Move RSA and DSA to use OpenSSL 3.0.0 API.
+	- Move ECDSA functions to use OpenSSL 3.0.0 API.
+	- iana portlist update.
+	- Fix verbose printout failure in tcp reuse unit test.
+
+30 July 2021: Wouter
+	- Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
+	  build unbound.
+	- For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
+	  SSL_get_peer_certificate.
+	- Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
+
+26 July 2021: George
+	- Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
+	  introduces a couple of fixes for the stream reuse functionality
+	  that could result in broken internal structures.
+
+26 July 2021: Wouter
+	- Merge #512: unbound.service.in: upgrade hardening to latest
+	  standards.
+	- Fix readzone unknown type print for memory resize.
+
+21 July 2021: Wouter
+	- Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
+	  line after a comment.
+
+16 July 2021: George
+	- Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
+
+16 July 2021: Wouter
+	- Merge #510 from ndptech: Don't call a function which hasn't been
+	  defined.
+	- Fix for #510: in depth, use ifdefs for windows api event calls.
+	- Fix spelling in doc/unbound.doxygen comment.
+	- Fix spelling in localzone.h comment.
+	- Fix unbound-control local_data and local_datas to print detailed
+	  syntax errors.
+	- review fix to remove duplicate error printout.
+	- Insert header into testcode/readzone.c, it was missing.
+	- Fix from lint for ignored return value.
+	- Fix for older parsers for function call in serve expired get cached.
+
+6 July 2021: Wouter
+	- iana portlist update.
+
+5 July 2021: George
+	- Fix compiler warnings for #491.
+	- Fix clang-analysis warnings for testcode/readzone.c.
+
+4 July 2021: George
+	- Fix Wunused-result compile warnings.
+
+2 July 2021: Tom
+	- Merge PR #491: Add SVCB and HTTPS types and handling according to
+	  draft-ietf-dnsop-svcb-https.
+
+2 July 2021: Wouter
+	- Fix #506: Python Module Seems to Leak Memory if it Experiences an
+	  Unhandled Exception.
+
+25 June 2021: Wouter
+	- Fix up permissions on rpl data file in tests.
+	- Fix testbound newline treatment in moment_read and tempfile write.
+	- Fix configure grep for reuseport default for failure.
+	- Fix compat ctime_r return value
+	- Fix configure does not require pkg-config if not needed.
+	- Fix unit test in the ctime_r calls for autotrust and in testbound.
+	- Fix auth zone download on windows to unlink before rename.
+
+24 June 2021: Wouter
+	- Add analyzer and port compile github workflow.
+
+23 June 2021: Wouter
+	- Fix #503: DNS over HTTPS response truncated.
+	- Fix warnings reported by the gcc analyzer.
+
+21 June 2021: George
+	- Fix #495: Documentation or implementation of "verbosity" option.
+
+18 June 2021: Wouter
+	- Fix a number of warnings reported by the gcc analyzer.
+
+15 June 2021: George
+	- Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
+
+14 June 2021: Wouter
+	- Fix configure nonblocking test and onmingw test to use host.
+
+10 June 2021: Wouter
+	- Fix #500: SPEC file in version 1.13.1 references version 1.4;
+	  unable to build RPM from source.
+	- Fix contrib/unbound.spec, fixed url and comment.
+
+9 June 2021: George
+	- Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
+	- Generated lexer and parser for #486; updated example.conf.
+	- Fix #413 (based on patch by k-ronny): unbound: does not compile
+	  on macOS 11.1-x86_64 host.
+	- Use host_os instead of target_os in configure for Darwin8 build.
+
+8 June 2021: George
+	- Fix unused variable warning when compiling with --enable-dnstap.
+
+7 June 2021: George
+	- Merge #448 from shoeper: Update unbound-control.8.in, fix
+	  rpz_disable typo.
+	- Fix #425: Document auth-zone supports communication with DNS
+	  primary on nondefault port.
+
+1 June 2021: George
+	- Fix test for zonemd-check option.
+
+27 May 2021: Wouter
+	- Merge #496 from banburybill: Use build system endianness if
+	  available, otherwise try to work it out.
+	- zonemd-check: yesno option, default no, enables the processing
+	  of ZONEMD records for that zone.
+
+25 May 2021: Wouter
+	- Move the NSEC3 max iterations count in line with the 150 value
+	  used by BIND, Knot and PowerDNS. This sets the default value
+	  for it in the configuration to 150 for all key sizes.
+	- Fix #492: module-config respip missing in unbound.conf.5.in man
+	  page. Merges #494 from he32.
+	- For #492: Fix font highlighting for the man page on emacs.
+
+21 May 2021: Wouter
+	- Test code has -q option for quiet output.
+
+19 May 2021: George
+	- Fix for #411, #439, #469: Reset the DNS message ID when moving queries
+	  between TCP streams.
+	- Refactor for uniform way to produce random DNS message IDs.
+
+17 May 2021: Wouter
+	- Fix #489: Compile using MSYS2 MinGW 64-bit.
+
+12 May 2021: Wouter
+	- Fix that auth-zone zonefiles use last TTL if no TTL is specified.
+
+10 May 2021: Wouter
+	- Merge PR #487: ifdef RLIMIT_AS in recently added check.
+
+7 May 2021: Wouter
+	- Fix #485: Unbound occasionally reports broken stats.
+	- Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
+	- Remove case fallthrough from deprecate-rsa-1024 code.
+
+4 May 2021: George
+	- Fix for #367: only attempt to get the interface for queries that are no
+	  longer on the tcp_waiting_list.
+	- Add more logging for out-of-memory cases.
+
+4 May 2021: Wouter
+	- Merge #478: Allow configuration of TCP timeout while waiting for
+	  response.
+	- Fix to squelch tcp socket bind failures when the interface is gone.
+	- Rerun flex and bison.
+
+3 May 2021: Wouter
+	- Fix #481: Fix comment in configuration file.
+
+29 April 2021: Wouter
+	- Add that log-servfail prints an IP address and more information
+	  about one of the last failures for that query.
+
+28 April 2021: George
+	- Fix compiler warning for signed/unsigned comparison for
+	  max_reuse_tcp_queries.
+
+28 April 2021: Wouter
+	- Fix #474: always_null and others inside view.
+
+26 April 2021: Wouter
+	- Merge #470 from edevil: Allow configuration of persistent TCP
+	  connections.
+
+22 April 2021: Wouter
+	- Merge #466 from FGasper: Support OpenSSLs that lack
+	  SSL_get0_alpn_selected.
+	- Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
+	- Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
+	  OpenSSL 1.0.1.
+	- Fix that testcode dohclient has OpenSSL initialisation calls.
+
+13 April 2021: George
+	- Fix documentation comment for files previously residing in checkconf/.
+	- Remove unused functions worker_handle_reply and libworker_handle_reply.
+
+13 April 2021: Wouter
+	- Fix that nxdomain synthesis does not happen above the stub or
+	  forward definition.
+
+12 April 2021: George
+	- Fix (increase) verbosity level for iterator error log in
+	  processQueryTargets().
+
+12 April 2021: Wouter
+	- Fix permission denied sendto log, squelch the log messages
+	  unless high verbosity is set.
+
+9 April 2021: Wouter
+	- rebuild configure to set EXTRALINK to libunbound.la for #460.
+
+7 April 2021: Wouter
+	- Fix for #411: Depth protect for crash on deleted element timeout.
+
 1 April 2021: Wouter
 	- Merge #460 from orbea: build: Link with the libtool archive.
 	- Fix to stop IPv6 PMTU discovery.

doc/README.tests

@@ -15,6 +15,14 @@ You need to have the following programs installed and in your PATH.
 * xxd and nc (optional) - for (malformed) packet transmission.
 The optional programs are detected and can be omitted.
 
+You can also use prepared Dockerfile to run tests inside docker based on latest gcc image:
+* build container: docker build -t unbound-tester -f contrib/Dockerfile.tests .
+* run container: docker run -it --mount type=bind,source="$(pwd)",target=/usr/src/unbound --rm unbound-tester
+* configure environment: ./configure
+* run test: make test
+* run long tests: make longtest
+It is worth to mention that you need to enable [ipv6 in your docker daemon configuration](https://docs.docker.com/config/daemon/ipv6/) because some tests need ipv6 network stack.
+
 testdata/ contains the data for tests. 
 testcode/ contains scripts and c code for the tests.
 

doc/example.conf.in

@@ -55,6 +55,10 @@ server:
 	# Socket options are not supported on all platforms. experimental.
 	# interface-automatic: no
 
+	# instead of the default port, open additional ports separated by
+	# spaces when interface-automatic is enabled, by listing them here.
+	# interface-automatic-ports: ""
+
 	# port to answer queries from
 	# port: 53
 
@@ -82,13 +86,13 @@ server:
 	# num-queries-per-thread, or, use as many as the OS will allow you.
 	# outgoing-range: 4096
 
-	# permit unbound to use this port number or port range for
+	# permit Unbound to use this port number or port range for
 	# making outgoing queries, using an outgoing interface.
 	# outgoing-port-permit: 32768
 
-	# deny unbound the use this of port number or port range for
+	# deny Unbound the use this of port number or port range for
 	# making outgoing queries, using an outgoing interface.
-	# Use this to make sure unbound does not grab a UDP port that some
+	# Use this to make sure Unbound does not grab a UDP port that some
 	# other server on this computer needs. The default is to avoid
 	# IANA-assigned port numbers.
 	# If multiple outgoing-port-permit and outgoing-port-avoid options
@@ -164,6 +168,9 @@ server:
 	# perform connect for UDP sockets to mitigate ICMP side channel.
 	# udp-connect: yes
 
+	# The number of retries when a non-positive response is received.
+	# outbound-msg-retry: 5
+
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376
@@ -251,7 +258,7 @@ server:
 	# use-systemd: no
 
 	# Detach from the terminal, run in background, "yes" or "no".
-	# Set the value to "no" when unbound runs as systemd service.
+	# Set the value to "no" when Unbound runs as systemd service.
 	# do-daemonize: yes
 
 	# control which clients are allowed to make (recursive) queries
@@ -304,7 +311,7 @@ server:
 	# The pid file can be absolute and outside of the chroot, it is
 	# written just prior to performing the chroot and dropping permissions.
 	#
-	# Additionally, unbound may need to access /dev/urandom (for entropy).
+	# Additionally, Unbound may need to access /dev/urandom (for entropy).
 	# How to do this is specific to your OS.
 	#
 	# If you give "" no chroot is performed. The path must not end in a /.
@@ -371,6 +378,9 @@ server:
 	# enable to not answer trustanchor.unbound queries.
 	# hide-trustanchor: no
 
+	# enable to not set the User-Agent HTTP header.
+	# hide-http-user-agent: no
+
 	# the identity to report. Leave "" or default to return hostname.
 	# identity: ""
 
@@ -380,6 +390,10 @@ server:
 	# NSID identity (hex string, or "ascii_somestring"). default disabled.
 	# nsid: "aabbccdd"
 
+	# User-Agent HTTP header to use. Leave "" or default to use package name
+	# and version.
+	# http-user-agent: ""
+
 	# the target fetch policy.
 	# series of integers describing the policy per dependency depth.
 	# The number of values in the list determines the maximum dependency
@@ -432,7 +446,7 @@ server:
 
 	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
 	# and other denials, using information from previous NXDOMAINs answers.
-	# aggressive-nsec: no
+	# aggressive-nsec: yes
 
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
@@ -507,7 +521,8 @@ server:
 	# Use several entries, one per domain name, to track multiple zones.
 	#
 	# If you want to perform DNSSEC validation, run unbound-anchor before
-	# you start unbound (i.e. in the system boot scripts).  And enable:
+	# you start Unbound (i.e. in the system boot scripts).
+	# And then enable the auto-trust-anchor-file config item.
 	# Please note usage of unbound-anchor root anchor is at your own risk
 	# and under the terms of our LICENSE (see that file in the source).
 	# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
@@ -556,6 +571,10 @@ server:
 	# val-sig-skew-min: 3600
 	# val-sig-skew-max: 86400
 
+	# The maximum number the validator should restart validation with
+	# another authority in case of failed validation.
+	# val-max-restart: 5
+
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
 	# potential bogus data in the additional section. All unsigned data
@@ -570,7 +589,7 @@ server:
 	# val-permissive-mode: no
 
 	# Ignore the CD flag in incoming queries and refuse them bogus data.
-	# Enable it if the only clients of unbound are legacy servers (w2008)
+	# Enable it if the only clients of Unbound are legacy servers (w2008)
 	# that set CD but cannot validate themselves.
 	# ignore-cd-flag: no
 
@@ -600,7 +619,7 @@ server:
 
 	# Return the original TTL as received from the upstream name server rather
 	# than the decrementing TTL as stored in the cache.  Enabling this feature
-	# does not impact cache expiry, it only changes the TTL unbound embeds in
+	# does not impact cache expiry, it only changes the TTL Unbound embeds in
 	# responses to queries. Note that enabling this feature implicitly disables
 	# enforcement of the configured minimum and maximum TTL.
 	# serve-original-ttl: no
@@ -613,7 +632,7 @@ server:
 	# keysize. Keep this table very short, as linear search is done.
 	# A message with an NSEC3 with larger count is marked insecure.
 	# List in ascending order the keysize and count values.
-	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+	# val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
 
 	# if enabled, ZONEMD verification failures do not block the zone.
 	# zonemd-permissive-mode: no
@@ -654,6 +673,7 @@ server:
 	# local-zone: "localhost." nodefault
 	# local-zone: "127.in-addr.arpa." nodefault
 	# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+	# local-zone: "home.arpa." nodefault
 	# local-zone: "onion." nodefault
 	# local-zone: "test." nodefault
 	# local-zone: "invalid." nodefault
@@ -693,9 +713,9 @@ server:
 	# Add example.com into ipset
 	# local-zone: "example.com" ipset
 
-	# If unbound is running service for the local host then it is useful
+	# If Unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
-	# long list of local-zones above.  If this unbound is a dns server
+	# long list of local-zones above.  If this Unbound is a dns server
 	# for a network of computers, disabled is better and stops information
 	# leakage of local lan information.
 	# unblock-lan-zones: no
@@ -844,6 +864,10 @@ server:
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10
 
+	# Aggressive rate limit when the limit is reached and until demand has
+	# decreased in a 2 second rate window.
+	# ratelimit-backoff: no
+
 	# override the ratelimit for a specific domain name.
 	# give this setting multiple times to have multiple overrides.
 	# ratelimit-for-domain: example.com 1000
@@ -864,6 +888,10 @@ server:
 	# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 	# ip-ratelimit-factor: 10
 
+	# Aggressive rate limit when the limit is reached and until demand has
+	# decreased in a 2 second rate window.
+	# ip-ratelimit-backoff: no
+
 	# Limit the number of connections simultaneous from a netblock
 	# tcp-connection-limit: 192.0.2.0/24 12
 
@@ -873,7 +901,7 @@ server:
 	# the number of servers that will be used in the fast server selection.
 	# fast-server-num: 3
 
-	# Specific options for ipsecmod. unbound needs to be configured with
+	# Specific options for ipsecmod. Unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.
 	#
 	# Enable or disable ipsecmod (it still needs to be defined in
@@ -885,7 +913,7 @@ server:
 	# listed in module-config (above).
 	# ipsecmod-hook: "./my_executable"
 	#
-	# When enabled unbound will reply with SERVFAIL if the return value of
+	# When enabled Unbound will reply with SERVFAIL if the return value of
 	# the ipsecmod-hook is not 0.
 	# ipsecmod-strict: no
 	#
@@ -901,6 +929,13 @@ server:
 	# ipsecmod-allow: "example.com"
 	# ipsecmod-allow: "nlnetlabs.nl"
 
+	# Timeout for REUSE entries in milliseconds.
+	# tcp-reuse-timeout: 60000
+	# Max number of queries on a reuse connection.
+	# max-reuse-tcp-queries: 200
+	# Timeout in milliseconds for TCP queries to auth servers.
+	# tcp-auth-query-timeout: 3000
+
 
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.
@@ -943,10 +978,10 @@ remote-control:
 	# For local sockets this option is ignored, and TLS is not used.
 	# control-use-cert: "yes"
 
-	# unbound server key file.
+	# Unbound server key file.
 	# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
 
-	# unbound server certificate file.
+	# Unbound server certificate file.
 	# server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
 
 	# unbound-control key file.
@@ -968,6 +1003,7 @@ remote-control:
 #	stub-addr: 192.0.2.68
 #	stub-prime: no
 #	stub-first: no
+#	stub-tcp-upstream: no
 #	stub-tls-upstream: no
 #	stub-no-cache: no
 # stub-zone:
@@ -985,6 +1021,7 @@ remote-control:
 # 	forward-addr: 192.0.2.68
 # 	forward-addr: 192.0.2.73@5355  # forward to port 5355.
 # 	forward-first: no
+# 	forward-tcp-upstream: no
 # 	forward-tls-upstream: no
 #	forward-no-cache: no
 # forward-zone:
@@ -1025,6 +1062,7 @@ remote-control:
 #	name: "example.org"
 #	for-downstream: yes
 #	for-upstream: yes
+#	zonemd-check: no
 #	zonemd-reject-absence: no
 #	zonefile: "example.org.zone"
 
@@ -1046,8 +1084,9 @@ remote-control:
 #	local-zone: "example.com" refuse
 
 # DNSCrypt
+# To enable, use --enable-dnscrypt to configure before compiling.
 # Caveats:
-# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
+# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
 #   for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
 # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
 #   listen on `dnscrypt-port` with the follo0wing snippet:
@@ -1066,7 +1105,9 @@ remote-control:
 #     dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
 
 # CacheDB
-# Enable external backend DB as auxiliary cache.  Specify the backend name
+# External backend DB as auxiliary cache.
+# To enable, use --enable-cachedb to configure before compiling.
+# Specify the backend name
 # (default is "testframe", which has no use other than for debugging and
 # testing) and backend-specific options.  The 'cachedb' module must be
 # included in module-config, just before the iterator module.
@@ -1076,6 +1117,7 @@ remote-control:
 #     secret-seed: "default"
 #
 #     # For "redis" backend:
+#     # (to enable, use --with-libhiredis to configure before compiling)
 #     # redis server's IP address or host name
 #     redis-server-host: 127.0.0.1
 #     # redis server's TCP port
@@ -1087,7 +1129,9 @@ remote-control:
 
 # IPSet
 # Add specify domain into set via ipset.
-# Note: To enable ipset unbound needs to run as root user.
+# To enable:
+# o use --enable-ipset to configure before compiling;
+# o Unbound then needs to run as root user.
 # ipset:
 #     # set name for ip v4 addresses
 #     name-v4: "list-v4"
@@ -1095,9 +1139,10 @@ remote-control:
 #     name-v6: "list-v6"
 #
 
-# Dnstap logging support, if compiled in.  To enable, set the dnstap-enable
+# Dnstap logging support, if compiled in by using --enable-dnstap to configure.
-# to yes and also some of dnstap-log-..-messages to yes.  And select an
+# To enable, set the dnstap-enable to yes and also some of
-# upstream log destination, by socket path, TCP or TLS destination.
+# dnstap-log-..-messages to yes.  And select an upstream log destination, by
+# socket path, TCP or TLS destination.
 # dnstap:
 # 	dnstap-enable: no
 # 	# if set to yes frame streams will be used in bidirectional mode
@@ -1110,7 +1155,7 @@ remote-control:
 # 	dnstap-tls: yes
 # 	# name for authenticating the upstream server. or "" disabled.
 # 	dnstap-tls-server-name: ""
-# 	# if "", it uses the cert bundle from the main unbound config.
+# 	# if "", it uses the cert bundle from the main Unbound config.
 # 	dnstap-tls-cert-bundle: ""
 # 	# key file for client authentication, or "" disabled.
 # 	dnstap-tls-client-key-file: ""
@@ -1130,10 +1175,11 @@ remote-control:
 # 	dnstap-log-forwarder-response-messages: no
 
 # Response Policy Zones
-# RPZ policies. Applied in order of configuration. QNAME and Response IP
+# RPZ policies. Applied in order of configuration. QNAME, Response IP
-# Address trigger are the only supported triggers. Supported actions are:
+# Address, nsdname, nsip and clientip triggers are supported. Supported
-# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
+# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
-# file, using zone transfer, or using HTTP. The respip module needs to be added
+# and drop.  Policies can be loaded from a file, or using zone
+# transfer, or using HTTP. The respip module needs to be added
 # to the module-config, e.g.: module-config: "respip validator iterator".
 # rpz:
 #     name: "rpz.example.com"
@@ -1145,4 +1191,6 @@ remote-control:
 #     rpz-cname-override: www.example.org
 #     rpz-log: yes
 #     rpz-log-name: "example policy"
+#     rpz-signal-nxdomain-ra: no
+#     for-downstream: no
 #     tags: "example"

doc/unbound-anchor.8.in

@@ -41,7 +41,7 @@ update certificate files.
 .P
 It tests if the root anchor file works, and if not, and an update is possible,
 attempts to update the root anchor using the root update certificate.
-It performs a https fetch of root-anchors.xml and checks the results (RFC7958), 
+It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
 if all checks are successful, it updates the root anchor file.  Otherwise
 the root anchor file is unchanged.  It performs RFC5011 tracking if the
 DNSSEC information available via the DNS makes that possible.
@@ -159,7 +159,7 @@ Or something more suitable for your operational environment.
 The root keys and update certificate included in this tool
 are provided for convenience and under the terms of our
 license (see the LICENSE file in the source distribution or
-http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or
+https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or
 not suitable to your purpose.
 .P
 By running "unbound\-anchor \-l" the  keys and certificate that are
@@ -185,5 +185,5 @@ Source for the root key information.
 .I https://data.iana.org/root\-anchors/root\-anchors.p7s
 Signature on the root key information.
 .SH "SEE ALSO"
-\fIunbound.conf\fR(5), 
+\fIunbound.conf\fR(5),
 \fIunbound\fR(8).

doc/unbound-checkconf.8.in

@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 unbound\-checkconf
-\- Check unbound configuration file for errors.
+\- Check Unbound configuration file for errors.
 .SH "SYNOPSIS"
 .B unbound\-checkconf
 .RB [ \-h ]
@@ -21,8 +21,8 @@ unbound\-checkconf
 .B Unbound\-checkconf
 checks the configuration file for the
 \fIunbound\fR(8)
-DNS resolver for syntax and other errors. 
+DNS resolver for syntax and other errors.
-The config file syntax is described in 
+The config file syntax is described in
 \fIunbound.conf\fR(5).
 .P
 The available options are:
@@ -34,19 +34,19 @@ Show the version and commandline option help.
 Print full pathname, with chroot applied to it.  Use with the \-o option.
 .TP
 .B \-o\fI option
-If given, after checking the config file the value of this option is 
+If given, after checking the config file the value of this option is
 printed to stdout.  For "" (disabled) options an empty line is printed.
 .TP
 .I cfgfile
-The config file to read with settings for unbound. It is checked.
+The config file to read with settings for Unbound. It is checked.
 If omitted, the config file at the default location is checked.
 .SH "EXIT CODE"
-The unbound\-checkconf program exits with status code 1 on error, 
+The unbound\-checkconf program exits with status code 1 on error,
 0 for a correct config file.
 .SH "FILES"
 .TP
 .I @ub_conf_file@
-unbound configuration file.
+Unbound configuration file.
 .SH "SEE ALSO"
-\fIunbound.conf\fR(5), 
+\fIunbound.conf\fR(5),
 \fIunbound\fR(8).

doc/unbound-control.8.in

@@ -14,15 +14,15 @@
 .SH "SYNOPSIS"
 .B unbound\-control
 .RB [ \-hq ]
-.RB [ \-c 
+.RB [ \-c
 .IR cfgfile ]
-.RB [ \-s 
+.RB [ \-s
 .IR server ]
 .IR command
 .SH "DESCRIPTION"
 .B Unbound\-control
 performs remote administration on the \fIunbound\fR(8) DNS server.
-It reads the configuration file, contacts the unbound server over SSL
+It reads the configuration file, contacts the Unbound server over SSL
 sends the command and displays the result.
 .P
 The available options are:
@@ -44,8 +44,8 @@ quiet, if the option is given it does not print anything if it works ok.
 There are several commands that the server understands.
 .TP
 .B start
-Start the server. Simply execs \fIunbound\fR(8).  The unbound executable 
+Start the server. Simply execs \fIunbound\fR(8).  The Unbound executable
-is searched for in the \fBPATH\fR set in the environment.  It is started 
+is searched for in the \fBPATH\fR set in the environment.  It is started
 with the config file specified using \fI\-c\fR or the default config file.
 .TP
 .B stop
@@ -65,8 +65,8 @@ daemon release the file it is logging to.  If you are using syslog it will
 attempt to close and open the syslog (which may not work if chrooted).
 .TP
 .B stats
-Print statistics. Resets the internal counters to zero, this can be 
+Print statistics. Resets the internal counters to zero, this can be
-controlled using the \fBstatistics\-cumulative\fR config statement. 
+controlled using the \fBstatistics\-cumulative\fR config statement.
 Statistics are printed with one [name]: [value] per line.
 .TP
 .B stats_noreset
@@ -74,7 +74,7 @@ Peek at statistics. Prints them like the \fBstats\fR command does, but does not
 reset the internal counters to zero.
 .TP
 .B status
-Display server status. Exit code 3 if not running (the connection to the 
+Display server status. Exit code 3 if not running (the connection to the
 port is refused), 1 on error, 0 if running.
 .TP
 .B local_zone \fIname\fR \fItype
@@ -88,15 +88,14 @@ it.  If the zone does not exist, the command succeeds.
 .B local_data \fIRR data...
 Add new local data, the given resource record. Like \fBlocal\-data\fR
 config statement, except for when no covering zone exists.  In that case
-this remote control command creates a transparent zone with the same 
+this remote control command creates a transparent zone with the same
-name as this record.  This command is not good at returning detailed syntax 
+name as this record.
-errors.
 .TP
 .B local_data_remove \fIname
 Remove all RR data from local name.  If the name already has no items,
 nothing happens.  Often results in NXDOMAIN for the name (in a static zone),
-but if the name has become an empty nonterminal (there is still data in 
+but if the name has become an empty nonterminal (there is still data in
-domain names below the removed name), NOERROR nodata answers are the 
+domain names below the removed name), NOERROR nodata answers are the
 result for that name.
 .TP
 .B local_zones
@@ -126,22 +125,22 @@ in old or wrong data returned to clients.  Loading data into the cache
 in this way is supported in order to aid with debugging.
 .TP
 .B lookup \fIname
-Print to stdout the name servers that would be used to look up the 
+Print to stdout the name servers that would be used to look up the
 name specified.
 .TP
 .B flush \fIname
 Remove the name from the cache. Removes the types
 A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.
-Because that is fast to do. Other record types can be removed using 
+Because that is fast to do. Other record types can be removed using
-.B flush_type 
+.B flush_type
-or 
+or
 .B flush_zone\fR.
 .TP
 .B flush_type \fIname\fR \fItype
 Remove the name, type information from the cache.
 .TP
 .B flush_zone \fIname
-Remove all information at or below the name from the cache. 
+Remove all information at or below the name from the cache.
 The rrsets and key entries are removed so that new lookups will be performed.
 This needs to walk and inspect the entire cache, and is a slow operation.
 The entries are set to expired in the implementation of this command (so,
@@ -188,7 +187,7 @@ therefore not flushed.  The option must end with a ':' and whitespace
 must be between the option and the value.  Some values may not have an
 effect if set this way, the new values are not written to the config file,
 not all options are supported.  This is different from the set_option call
-in libunbound, where all values work because unbound has not been initialized.
+in libunbound, where all values work because Unbound has not been initialized.
 .IP
 The values that work are: statistics\-interval, statistics\-cumulative,
 do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
@@ -228,36 +227,36 @@ List the local data RRs in use.  The resource records are printed.
 .TP
 .B insecure_add \fIzone
 Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf.
-Adds to the running unbound without affecting the cache contents (which may
+Adds to the running Unbound without affecting the cache contents (which may
 still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file.
 .TP
 .B insecure_remove \fIzone
 Removes domain\-insecure for the given zone.
 .TP
 .B forward_add \fR[\fI+i\fR] \fIzone addr ...
-Add a new forward zone to running unbound.  With +i option also adds a
+Add a new forward zone to running Unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
 a DNSSEC root trust anchor configured for other names).
 The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
 in unbound.conf.
 .TP
 .B forward_remove \fR[\fI+i\fR] \fIzone
-Remove a forward zone from running unbound.  The +i also removes a
+Remove a forward zone from running Unbound.  The +i also removes a
 \fIdomain\-insecure\fR for the zone.
 .TP
 .B stub_add \fR[\fI+ip\fR] \fIzone addr ...
-Add a new stub zone to running unbound.  With +i option also adds a
+Add a new stub zone to running Unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone.  With +p the stub zone is set to prime,
 without it it is set to notprime.  The addr can be IP4, IP6 or nameserver
 names, like the \fIstub-zone\fR config in unbound.conf.
 .TP
 .B stub_remove \fR[\fI+i\fR] \fIzone
-Remove a stub zone from running unbound.  The +i also removes a
+Remove a stub zone from running Unbound.  The +i also removes a
 \fIdomain\-insecure\fR for the zone.
 .TP
 .B forward \fR[\fIoff\fR | \fIaddr ...\fR ]
 Setup forwarding mode.  Configures if the server should ask other upstream
-nameservers, should go to the internet root nameservers itself, or show 
+nameservers, should go to the internet root nameservers itself, or show
 the current config.  You could pass the nameservers after a DHCP update.
 .IP
 Without arguments the current list of addresses used to forward all queries
@@ -297,7 +296,7 @@ status, indicating if the zone is expired and current serial number.
 Reload the auth zone from zonefile.  The zonefile is read in overwriting
 the current contents of the zone in memory.  This changes the auth zone
 contents itself, not the cache contents.  Such cache contents exists if
-you set unbound to validate with for-upstream yes and that can be cleared
+you set Unbound to validate with for-upstream yes and that can be cleared
 with \fBflush_zone\fR \fIzone\fR.
 .TP
 .B auth_zone_transfer \fIzone\fR
@@ -308,7 +307,7 @@ serial check).  And then the zone is transferred for a newer zone version.
 .B rpz_enable \fIzone\fR
 Enable the RPZ zone if it had previously been disabled.
 .TP
-.B rpz_enable \fIzone\fR
+.B rpz_disable \fIzone\fR
 Disable the RPZ zone.
 .TP
 .B view_list_local_zones \fIview\fR
@@ -337,7 +336,7 @@ Add a list of \fIlocal_data\fR for given view from stdin.  Like local_datas.
 .SH "EXIT CODE"
 The unbound\-control program exits with status code 1 on error, 0 on success.
 .SH "SET UP"
-The setup requires a self\-signed certificate and private keys for both 
+The setup requires a self\-signed certificate and private keys for both
 the server and client.  The script \fIunbound\-control\-setup\fR generates
 these in the default run directory, or with \-d in another directory.
 If you change the access control permissions on the key files you can decide
@@ -351,7 +350,7 @@ If you have not configured
 a username in unbound.conf, the keys need read permission for the user
 credentials under which the daemon is started.
 The script preserves private keys present in the directory.
-After running the script as root, turn on \fBcontrol\-enable\fR in 
+After running the script as root, turn on \fBcontrol\-enable\fR in
 \fIunbound.conf\fR.
 .SH "STATISTIC COUNTERS"
 The \fIstats\fR command shows a number of statistic counters.
@@ -418,8 +417,8 @@ Average time it took to answer queries that needed recursive processing. Note th
 .TP
 .I threadX.recursion.time.median
 The median of the time it took to answer queries that needed recursive
-processing.  The median means that 50% of the user queries were answered in 
+processing.  The median means that 50% of the user queries were answered in
-less than this time.  Because of big outliers (usually queries to non 
+less than this time.  Because of big outliers (usually queries to non
 responsive servers), the average can be bigger than the median.  This median
 has been calculated by interpolation from a histogram.
 .TP
@@ -545,32 +544,32 @@ The total number of queries over all threads with query opcode QUERY.
 Also printed for other opcodes, UPDATE, ...
 .TP
 .I num.query.tcp
-Number of queries that were made using TCP towards the unbound server.
+Number of queries that were made using TCP towards the Unbound server.
 .TP
 .I num.query.tcpout
-Number of queries that the unbound server made using TCP outgoing towards
+Number of queries that the Unbound server made using TCP outgoing towards
 other servers.
 .TP
 .I num.query.tls
-Number of queries that were made using TLS towards the unbound server.
+Number of queries that were made using TLS towards the Unbound server.
 These are also counted in num.query.tcp, because TLS uses TCP.
 .TP
 .I num.query.tls.resume
 Number of TLS session resumptions, these are queries over TLS towards
-the unbound server where the client negotiated a TLS session resumption key.
+the Unbound server where the client negotiated a TLS session resumption key.
 .TP
 .I num.query.https
-Number of queries that were made using HTTPS towards the unbound server.
+Number of queries that were made using HTTPS towards the Unbound server.
 These are also counted in num.query.tcp and num.query.tls, because HTTPS
 uses TLS and TCP.
 .TP
 .I num.query.ipv6
-Number of queries that were made using IPv6 towards the unbound server.
+Number of queries that were made using IPv6 towards the Unbound server.
 .TP
 .I num.query.flags.RD
 The number of queries that had the RD flag set in the header.
 Also printed for flags QR, AA, TC, RA, Z, AD, CD.
-Note that queries with flags QR, AA or TC may have been rejected 
+Note that queries with flags QR, AA or TC may have been rejected
 because of that.
 .TP
 .I num.query.edns.present
@@ -604,7 +603,7 @@ These queries are also included in the num.answer.rcode.NOERROR number.
 Common for AAAA lookups when an A record exists, and no AAAA.
 .TP
 .I num.answer.secure
-Number of answers that were secure.  The answer validated correctly. 
+Number of answers that were secure.  The answer validated correctly.
 The AD bit might have been set in some of these answers, where the client
 signalled (with DO or AD bit in the query) that they were ready to accept
 the AD bit in the answer.
@@ -645,7 +644,7 @@ per delegation point, and their validation status.
 .I dnscrypt_shared_secret.cache.count
 The number of items in the shared secret cache. These are precomputed shared
 secrets for a given client public key/server secret key pair. Shared secrets
-are CPU intensive and this cache allows unbound to avoid recomputing the
+are CPU intensive and this cache allows Unbound to avoid recomputing the
 shared secret when multiple dnscrypt queries are sent from the same client.
 .TP
 .I dnscrypt_nonce.cache.count
@@ -685,16 +684,16 @@ specific cache, after getting processed by the edns client subnet module.
 .TP
 .I num.rpz.action.<rpz_action>
 Number of queries answered using configured RPZ policy, per RPZ action type.
-Possible actions are: nxdomain, nodata, passthru, drop, local_data, disabled,
+Possible actions are: nxdomain, nodata, passthru, drop, tcp\-only, local\-data,
-and cname_override.
+disabled, and cname\-override.
 .SH "FILES"
 .TP
 .I @ub_conf_file@
-unbound configuration file.
+Unbound configuration file.
 .TP
 .I @UNBOUND_RUN_DIR@
 directory with private keys (unbound_server.key and unbound_control.key) and
 self\-signed certificates (unbound_server.pem and unbound_control.pem).
 .SH "SEE ALSO"
-\fIunbound.conf\fR(5), 
+\fIunbound.conf\fR(5),
 \fIunbound\fR(8).

doc/unbound-host.1.in

@@ -15,7 +15,7 @@
 .RB [ \-C
 .IR configfile ]
 .RB [ \-vdhr46D ]
-.RB [ \-c 
+.RB [ \-c
 .IR class ]
 .RB [ \-t
 .IR type ]
@@ -28,12 +28,12 @@
 .I hostname
 .SH "DESCRIPTION"
 .B Unbound\-host
-uses the unbound validating resolver to query for the hostname and display
+uses the Unbound validating resolver to query for the hostname and display
-results. With the \fB\-v\fR option it displays validation 
+results. With the \fB\-v\fR option it displays validation
 status: secure, insecure, bogus (security failure).
 .P
 By default it reads no configuration file whatsoever.  It attempts to reach
-the internet root servers.  With \fB\-C\fR an unbound config file and with
+the internet root servers.  With \fB\-C\fR an Unbound config file and with
 \fB\-r\fR resolv.conf can be read.
 .P
 The available options are:
@@ -73,7 +73,7 @@ For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546
 .TP
 .B \-D
 Enables DNSSEC validation.  Reads the root anchor from the default configured
-root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR. 
+root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
 .TP
 .B \-f \fIkeyfile
 Reads keys from a file. Every line has a DS or DNSKEY record, in the format
@@ -110,9 +110,9 @@ $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325
 .P
 $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153
 .SH "EXIT CODE"
-The unbound\-host program exits with status code 1 on error, 
+The unbound\-host program exits with status code 1 on error,
 0 on no error. The data may not be available on exit code 0, exit code 1
 means the lookup encountered a fatal error.
 .SH "SEE ALSO"
-\fIunbound.conf\fR(5), 
+\fIunbound.conf\fR(5),
 \fIunbound\fR(8).

doc/unbound.8.in

@@ -57,7 +57,7 @@ The available options are:
 Show the version number and commandline option help, and exit.
 .TP
 .B \-c\fI cfgfile
-Set the config file with settings for unbound to read instead of reading the
+Set the config file with settings for Unbound to read instead of reading the
 file at the default location, @ub_conf_file@. The syntax is
 described in \fIunbound.conf\fR(5).
 .TP
@@ -70,7 +70,7 @@ or to syslog, but the log messages are printed to stderr all the time.
 .TP
 .B \-p
 Don't use a pidfile.  This argument should only be used by supervision
-systems which can ensure that only one instance of unbound will run
+systems which can ensure that only one instance of Unbound will run
 concurrently.
 .TP
 .B \-v

doc/unbound.doxygen

@@ -279,10 +279,10 @@ TYPEDEF_HIDES_STRUCT   = NO
 # For small to medium size projects (<1000 input files) the default value is
 # probably good enough. For larger projects a too small cache size can cause
 # doxygen to be busy swapping symbols to and from disk most of the time
-# causing a significant performance penality.
+# causing a significant performance penalty.
 # If the system has enough physical memory increasing the cache will improve the
 # performance by keeping more symbols in memory. Note that the value works on
-# a logarithmic scale so increasing the size by one will rougly double the
+# a logarithmic scale so increasing the size by one will roughly double the
 # memory usage. The cache size is given by this formula:
 # 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0,
 # corresponding to a cache size of 2^16 = 65536 symbols
@@ -779,7 +779,7 @@ ALPHABETICAL_INDEX     = YES
 # the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
 # in which this list will be split (can be a number in the range [1..20])
 
-COLS_IN_ALPHA_INDEX    = 5
+#COLS_IN_ALPHA_INDEX    = 5
 
 # In case all classes in a project start with a common prefix, all
 # classes will be put under the same header in the alphabetical index.
@@ -1076,7 +1076,7 @@ TREEVIEW_WIDTH         = 250
 
 FORMULA_FONTSIZE       = 10
 
-# Use the FORMULA_TRANPARENT tag to determine whether or not the images
+# Use the FORMULA_TRANSPARENT tag to determine whether or not the images
 # generated for formulas are transparent PNGs. Transparent PNGs are
 # not supported properly for IE 6.0, but are supported on all modern browsers.
 # Note that when changing this option you need to delete any form_*.png files

edns-subnet/edns-subnet.h

@@ -59,7 +59,7 @@ struct ecs_data {
 
 /** 
  * copy the first n BITS from src to dst iff both src and dst 
- * are large enough, return 0 on succes
+ * are large enough, return 0 on success
  */
 int
 copy_clear(uint8_t* dst, size_t dstlen, uint8_t* src, size_t srclen, size_t n);

edns-subnet/subnetmod.c

@@ -150,7 +150,7 @@ int ecs_whitelist_check(struct query_info* qinfo,
 
 	/* Cache by default, might be disabled after parsing EDNS option
 	 * received from nameserver. */
-	if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo)) {
+	if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo, NULL, NULL)) {
 		qstate->no_cache_store = 0;
 	}
 
@@ -162,17 +162,21 @@ int ecs_whitelist_check(struct query_info* qinfo,
 		/* Address on whitelist or client query contains ECS option, we
 		 * want to sent out ECS. Only add option if it is not already
 		 * set. */
-		if(!(sq->subnet_sent)) {
+		if(!edns_opt_list_find(qstate->edns_opts_back_out,
+			qstate->env->cfg->client_subnet_opcode)) {
 			ecs_opt_list_append(&sq->ecs_server_out,
 				&qstate->edns_opts_back_out, qstate);
-			sq->subnet_sent = 1;
 		}
+		sq->subnet_sent = 1;
 	}
-	else if(sq->subnet_sent) {
+	else {
 		/* Outgoing ECS option is set, but we don't want to sent it to
 		 * this address, remove option. */
-		edns_opt_list_remove(&qstate->edns_opts_back_out,
+		if(edns_opt_list_find(qstate->edns_opts_back_out,
-			qstate->env->cfg->client_subnet_opcode);
+			qstate->env->cfg->client_subnet_opcode)) {
+			edns_opt_list_remove(&qstate->edns_opts_back_out,
+				qstate->env->cfg->client_subnet_opcode);
+		}
 		sq->subnet_sent = 0;
 	}
 	return 1;
@@ -497,7 +501,7 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
 	if (!s_in->subnet_validdata) {
 		/* The authority indicated no support for edns subnet. As a
 		 * consequence the answer ended up in the regular cache. It
-		 * is still usefull to put it in the edns subnet cache for
+		 * is still useful to put it in the edns subnet cache for
 		 * when a client explicitly asks for subnet specific answer. */
 		verbose(VERB_QUERY, "subnetcache: Authority indicates no support");
 		if(!sq->started_no_cache_store) {

ipsecmod/ipsecmod.c

@@ -37,7 +37,7 @@
  * \file
  *
  * This file contains a module that facilitates opportunistic IPsec. It does so
- * by also quering for the IPSECKEY for A/AAAA queries and calling a
+ * by also querying for the IPSECKEY for A/AAAA queries and calling a
  * configurable hook (eg. signaling an IKE daemon) before replying.
  */
 
@@ -419,6 +419,7 @@ ipsecmod_handle_query(struct module_qstate* qstate,
 			if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
 				rrset_data->security == sec_status_bogus) {
 				log_err("ipsecmod: bogus IPSECKEY");
+				errinf(qstate, "ipsecmod: bogus IPSECKEY");
 				ipsecmod_error(qstate, id);
 				return;
 			}
@@ -426,6 +427,7 @@ ipsecmod_handle_query(struct module_qstate* qstate,
 			if(!call_hook(qstate, iq, ie) &&
 				qstate->env->cfg->ipsecmod_strict) {
 				log_err("ipsecmod: ipsecmod-hook failed");
+				errinf(qstate, "ipsecmod: ipsecmod-hook failed");
 				ipsecmod_error(qstate, id);
 				return;
 			}
@@ -497,6 +499,7 @@ ipsecmod_handle_response(struct module_qstate* qstate,
 			qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
 			qstate->qinfo.qclass, 0)) {
 			log_err("ipsecmod: could not generate subquery.");
+			errinf(qstate, "ipsecmod: could not generate subquery.");
 			ipsecmod_error(qstate, id);
 		}
 		return;
@@ -520,6 +523,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
 	if((event == module_event_new || event == module_event_pass) &&
 		iq == NULL) {
 		if(!ipsecmod_new(qstate, id)) {
+			errinf(qstate, "ipsecmod: could not ipsecmod_new");
 			ipsecmod_error(qstate, id);
 			return;
 		}
@@ -542,6 +546,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
 	}
 	if(event == module_event_error) {
 		verbose(VERB_ALGO, "got called with event error, giving up");
+		errinf(qstate, "ipsecmod: got called with event error");
 		ipsecmod_error(qstate, id);
 		return;
 	}
@@ -552,6 +557,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
 	}
 
 	log_err("ipsecmod: bad event %s", strmodulevent(event));
+	errinf(qstate, "ipsecmod: operate got bad event");
 	ipsecmod_error(qstate, id);
 	return;
 }

ipsecmod/ipsecmod.h

@@ -37,7 +37,7 @@
  * \file
  *
  * This file contains a module that facilitates opportunistic IPsec. It does so
- * by also quering for the IPSECKEY for A/AAAA queries and calling a
+ * by also querying for the IPSECKEY for A/AAAA queries and calling a
  * configurable hook (eg. signaling an IKE daemon) before replying.
  */
 

ipset/ipset.c

@@ -138,10 +138,10 @@ ipset_add_rrset_data(struct ipset_env *ie, struct mnl_socket *mnl,
 static int
 ipset_check_zones_for_rrset(struct module_env *env, struct ipset_env *ie,
 	struct mnl_socket *mnl, struct ub_packed_rrset_key *rrset,
-	const char *setname, int af)
+	const char *qname, const int qlen, const char *setname, int af)
 {
 	static char dname[BUFF_LEN];
-	const char *s;
+	const char *ds, *qs;
 	int dlen, plen;
 
 	struct config_strlist *p;
@@ -152,70 +152,73 @@ ipset_check_zones_for_rrset(struct module_env *env, struct ipset_env *ie,
 		log_err("bad domain name");
 		return -1;
 	}
-	if (dname[dlen - 1] == '.') {
-		dlen--;
-	}
 
 	for (p = env->cfg->local_zones_ipset; p; p = p->next) {
+		ds = NULL;
+		qs = NULL;
 		plen = strlen(p->str);
 
 		if (dlen >= plen) {
-			s = dname + (dlen - plen);
+			ds = dname + (dlen - plen);
-
+		}
-			if (strncasecmp(p->str, s, plen) == 0) {
+		if (qlen >= plen) {
-				d = (struct packed_rrset_data*)rrset->entry.data;
+			qs = qname + (qlen - plen);
-				ipset_add_rrset_data(ie, mnl, d, setname,
+		}
-					af, dname);
+		if ((ds && strncasecmp(p->str, ds, plen) == 0)
-				break;
+			|| (qs && strncasecmp(p->str, qs, plen) == 0)) {
-			}
+			d = (struct packed_rrset_data*)rrset->entry.data;
+			ipset_add_rrset_data(ie, mnl, d, setname,
+				af, dname);
+			break;
 		}
 	}
 	return 0;
 }
 
-static int ipset_update(struct module_env *env, struct dns_msg *return_msg, struct ipset_env *ie) {
+static int ipset_update(struct module_env *env, struct dns_msg *return_msg,
+	struct query_info qinfo, struct ipset_env *ie)
+{
 	struct mnl_socket *mnl;
-
 	size_t i;
-
 	const char *setname;
-
 	struct ub_packed_rrset_key *rrset;
-
 	int af;
-
+	static char qname[BUFF_LEN];
+	int qlen;
 
 	mnl = (struct mnl_socket *)ie->mnl;
 	if (!mnl) {
-		// retry to create mnl socket
+		/* retry to create mnl socket */
 		mnl = open_mnl_socket();
 		if (!mnl) {
 			return -1;
 		}
-
 		ie->mnl = mnl;
 	}
 
-	for (i = 0; i < return_msg->rep->rrset_count; ++i) {
+	qlen = sldns_wire2str_dname_buf(qinfo.qname, qinfo.qname_len,
+		qname, BUFF_LEN);
+	if(qlen == 0) {
+		log_err("bad domain name");
+		return -1;
+	}
+
+	for(i = 0; i < return_msg->rep->rrset_count; i++) {
 		setname = NULL;
-
 		rrset = return_msg->rep->rrsets[i];
-
+		if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_A &&
-		if (rrset->rk.type == htons(LDNS_RR_TYPE_A)) {
+			ie->v4_enabled == 1) {
 			af = AF_INET;
-			if ((ie->v4_enabled == 1)) {
+			setname = ie->name_v4;
-				setname = ie->name_v4;
+		} else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_AAAA &&
-			}
+			ie->v6_enabled == 1) {
-		} else {
 			af = AF_INET6;
-			if ((ie->v6_enabled == 1)) {
+			setname = ie->name_v6;
-				setname = ie->name_v6;
-			}
 		}
 
 		if (setname) {
 			if(ipset_check_zones_for_rrset(env, ie, mnl, rrset,
-				setname, af) == -1)
+				qname, qlen, setname, af) == -1)
 				return -1;
 		}
 	}
@@ -311,7 +314,7 @@ void ipset_operate(struct module_qstate *qstate, enum module_ev event, int id,
 
 	if (iq && (event == module_event_moddone)) {
 		if (qstate->return_msg && qstate->return_msg->rep) {
-			ipset_update(qstate->env, qstate->return_msg, ie);
+			ipset_update(qstate->env, qstate->return_msg, qstate->qinfo, ie);
 		}
 		qstate->ext_state[id] = module_finished;
 		return;

iterator/iter_delegpt.c

@@ -73,8 +73,10 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
 	copy->bogus = dp->bogus;
 	copy->has_parent_side_NS = dp->has_parent_side_NS;
 	copy->ssl_upstream = dp->ssl_upstream;
+	copy->tcp_upstream = dp->tcp_upstream;
 	for(ns = dp->nslist; ns; ns = ns->next) {
-		if(!delegpt_add_ns(copy, region, ns->name, ns->lame))
+		if(!delegpt_add_ns(copy, region, ns->name, ns->lame,
+			ns->tls_auth_name, ns->port))
 			return NULL;
 		copy->nslist->resolved = ns->resolved;
 		copy->nslist->got4 = ns->got4;
@@ -83,8 +85,8 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
 		copy->nslist->done_pside6 = ns->done_pside6;
 	}
 	for(a = dp->target_list; a; a = a->next_target) {
-		if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen, 
+		if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen,
-			a->bogus, a->lame, a->tls_auth_name, NULL))
+			a->bogus, a->lame, a->tls_auth_name, -1, NULL))
 			return NULL;
 	}
 	return copy;
@@ -101,7 +103,7 @@ delegpt_set_name(struct delegpt* dp, struct regional* region, uint8_t* name)
 
 int 
 delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
-	uint8_t lame)
+	uint8_t lame, char* tls_auth_name, int port)
 {
 	struct delegpt_ns* ns;
 	size_t len;
@@ -125,6 +127,14 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
 	ns->lame = lame;
 	ns->done_pside4 = 0;
 	ns->done_pside6 = 0;
+	ns->port = port;
+	if(tls_auth_name) {
+		ns->tls_auth_name = regional_strdup(region, tls_auth_name);
+		if(!ns->tls_auth_name)
+			return 0;
+	} else {
+		ns->tls_auth_name = NULL;
+	}
 	return ns->name != 0;
 }
 
@@ -158,9 +168,9 @@ delegpt_find_addr(struct delegpt* dp, struct sockaddr_storage* addr,
 	return NULL;
 }
 
-int 
+int
-delegpt_add_target(struct delegpt* dp, struct regional* region, 
+delegpt_add_target(struct delegpt* dp, struct regional* region,
-	uint8_t* name, size_t namelen, struct sockaddr_storage* addr, 
+	uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
 	socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions)
 {
 	struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen);
@@ -176,17 +186,22 @@ delegpt_add_target(struct delegpt* dp, struct regional* region,
 		if(ns->got4 && ns->got6)
 			ns->resolved = 1;
 	}
-	return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL,
+	log_assert(ns->port>0);
-		additions);
+	return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame,
+		ns->tls_auth_name, ns->port, additions);
 }
 
-int 
+int
-delegpt_add_addr(struct delegpt* dp, struct regional* region, 
+delegpt_add_addr(struct delegpt* dp, struct regional* region,
-	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, 
+	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus,
-	uint8_t lame, char* tls_auth_name, int* additions)
+	uint8_t lame, char* tls_auth_name, int port, int* additions)
 {
 	struct delegpt_addr* a;
 	log_assert(!dp->dp_type_mlc);
+	if(port != -1) {
+		log_assert(port>0);
+		sockaddr_store_port(addr, addrlen, port);
+	}
 	/* check for duplicates */
 	if((a = delegpt_find_addr(dp, addr, addrlen))) {
 		if(bogus)
@@ -411,7 +426,8 @@ delegpt_rrset_add_ns(struct delegpt* dp, struct regional* region,
 			(size_t)sldns_read_uint16(nsdata->rr_data[i]))
 			continue; /* bad format */
 		/* add rdata of NS (= wirefmt dname), skip rdatalen bytes */
-		if(!delegpt_add_ns(dp, region, nsdata->rr_data[i]+2, lame))
+		if(!delegpt_add_ns(dp, region, nsdata->rr_data[i]+2, lame,
+			NULL, UNBOUND_DNS_PORT))
 			return 0;
 	}
 	return 1;
@@ -428,7 +444,6 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
 	log_assert(!dp->dp_type_mlc);
         memset(&sa, 0, len);
         sa.sin_family = AF_INET;
-        sa.sin_port = (in_port_t)htons(UNBOUND_DNS_PORT);
         for(i=0; i<d->count; i++) {
                 if(d->rr_len[i] != 2 + INET_SIZE)
                         continue;
@@ -452,7 +467,6 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
 	log_assert(!dp->dp_type_mlc);
         memset(&sa, 0, len);
         sa.sin6_family = AF_INET6;
-        sa.sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT);
         for(i=0; i<d->count; i++) {
                 if(d->rr_len[i] != 2 + INET6_SIZE) /* rdatalen + len of IP6 */
                         continue;
@@ -554,6 +568,7 @@ void delegpt_free_mlc(struct delegpt* dp)
 	while(n) {
 		nn = n->next;
 		free(n->name);
+		free(n->tls_auth_name);
 		free(n);
 		n = nn;
 	}
@@ -576,7 +591,8 @@ int delegpt_set_name_mlc(struct delegpt* dp, uint8_t* name)
 	return (dp->name != NULL);
 }
 
-int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame)
+int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame,
+	char* tls_auth_name, int port)
 {
 	struct delegpt_ns* ns;
 	size_t len;
@@ -603,14 +619,30 @@ int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame)
 	ns->lame = (uint8_t)lame;
 	ns->done_pside4 = 0;
 	ns->done_pside6 = 0;
+	ns->port = port;
+	if(tls_auth_name) {
+		ns->tls_auth_name = strdup(tls_auth_name);
+		if(!ns->tls_auth_name) {
+			free(ns->name);
+			free(ns);
+			return 0;
+		}
+	} else {
+		ns->tls_auth_name = NULL;
+	}
 	return 1;
 }
 
 int delegpt_add_addr_mlc(struct delegpt* dp, struct sockaddr_storage* addr,
-	socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name)
+	socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name,
+	int port)
 {
 	struct delegpt_addr* a;
 	log_assert(dp->dp_type_mlc);
+	if(port != -1) {
+		log_assert(port>0);
+		sockaddr_store_port(addr, addrlen, port);
+	}
 	/* check for duplicates */
 	if((a = delegpt_find_addr(dp, addr, addrlen))) {
 		if(bogus)
@@ -663,7 +695,9 @@ int delegpt_add_target_mlc(struct delegpt* dp, uint8_t* name, size_t namelen,
 		if(ns->got4 && ns->got6)
 			ns->resolved = 1;
 	}
-	return delegpt_add_addr_mlc(dp, addr, addrlen, bogus, lame, NULL);
+	log_assert(ns->port>0);
+	return delegpt_add_addr_mlc(dp, addr, addrlen, bogus, lame,
+		ns->tls_auth_name, ns->port);
 }
 
 size_t delegpt_get_mem(struct delegpt* dp)

iterator/iter_delegpt.h

@@ -83,6 +83,8 @@ struct delegpt {
 	uint8_t dp_type_mlc;
 	/** use SSL for upstream query */
 	uint8_t ssl_upstream;
+	/** use TCP for upstream query */
+	uint8_t tcp_upstream;
 	/** delegpt from authoritative zone that is locally hosted */
 	uint8_t auth_dp;
 	/*** no cache */
@@ -124,6 +126,11 @@ struct delegpt_ns {
 	 * Also enabled if a parent-side cache entry exists, or a parent-side
 	 * negative-cache entry exists. */
 	uint8_t done_pside6;
+	/** the TLS authentication name, (if not NULL) to use. */
+	char* tls_auth_name;
+	/** the port to use; it should mostly be the default 53 but configured
+	 *  upstreams can provide nondefault ports. */
+	int port;
 };
 
 /**
@@ -189,10 +196,12 @@ int delegpt_set_name(struct delegpt* dp, struct regional* regional,
  * @param regional: where to allocate the info.
  * @param name: domain name in wire format.
  * @param lame: name is lame, disprefer it.
+ * @param tls_auth_name: TLS authentication name (or NULL).
+ * @param port: port to use for resolved addresses.
  * @return false on error.
  */
-int delegpt_add_ns(struct delegpt* dp, struct regional* regional, 
+int delegpt_add_ns(struct delegpt* dp, struct regional* regional,
-	uint8_t* name, uint8_t lame);
+	uint8_t* name, uint8_t lame, char* tls_auth_name, int port);
 
 /**
  * Add NS rrset; calls add_ns repeatedly.
@@ -269,12 +278,14 @@ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
  * @param bogus: if address is bogus.
  * @param lame: if address is lame.
  * @param tls_auth_name: TLS authentication name (or NULL).
+ * @param port: the port to use; if -1 the port is taken from addr.
  * @param additions: will be set to 1 if a new address is added
  * @return false on error.
  */
-int delegpt_add_addr(struct delegpt* dp, struct regional* regional, 
+int delegpt_add_addr(struct delegpt* dp, struct regional* regional,
 	struct sockaddr_storage* addr, socklen_t addrlen,
-	uint8_t bogus, uint8_t lame, char* tls_auth_name, int* additions);
+	uint8_t bogus, uint8_t lame, char* tls_auth_name, int port,
+	int* additions);
 
 /** 
  * Find NS record in name list of delegation point.
@@ -402,22 +413,27 @@ int delegpt_set_name_mlc(struct delegpt* dp, uint8_t* name);
  * @param dp: must have been created with delegpt_create_mlc. 
  * @param name: the name to add.
  * @param lame: the name is lame, disprefer.
+ * @param tls_auth_name: TLS authentication name (or NULL).
+ * @param port: port to use for resolved addresses.
  * @return false on error.
  */
-int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame);
+int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame,
+	char* tls_auth_name, int port);
 
 /**
  * add an address to a malloced delegation point.
- * @param dp: must have been created with delegpt_create_mlc. 
+ * @param dp: must have been created with delegpt_create_mlc.
  * @param addr: the address.
  * @param addrlen: the length of addr.
  * @param bogus: if address is bogus.
  * @param lame: if address is lame.
  * @param tls_auth_name: TLS authentication name (or NULL).
+ * @param port: the port to use; if -1 the port is taken from addr.
  * @return false on error.
  */
 int delegpt_add_addr_mlc(struct delegpt* dp, struct sockaddr_storage* addr,
-	socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name);
+	socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name,
+	int port);
 
 /**
  * Add target address to the delegation point.

iterator/iter_fwd.c

@@ -200,21 +200,27 @@ read_fwds_name(struct config_stub* s)
 }
 
 /** set fwd host names */
-static int 
+static int
 read_fwds_host(struct config_stub* s, struct delegpt* dp)
 {
 	struct config_strlist* p;
 	uint8_t* dname;
-	size_t dname_len;
+	char* tls_auth_name;
+	int port;
 	for(p = s->hosts; p; p = p->next) {
 		log_assert(p->str);
-		dname = sldns_str2wire_dname(p->str, &dname_len);
+		dname = authextstrtodname(p->str, &port, &tls_auth_name);
 		if(!dname) {
 			log_err("cannot parse forward %s server name: '%s'", 
 				s->name, p->str);
 			return 0;
 		}
-		if(!delegpt_add_ns_mlc(dp, dname, 0)) {
+#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+		if(tls_auth_name)
+			log_err("no name verification functionality in "
+				"ssl library, ignored name for %s", p->str);
+#endif
+		if(!delegpt_add_ns_mlc(dp, dname, 0, tls_auth_name, port)) {
 			free(dname);
 			log_err("out of memory");
 			return 0;
@@ -245,7 +251,7 @@ read_fwds_addr(struct config_stub* s, struct delegpt* dp)
 				"ssl library, ignored name for %s", p->str);
 #endif
 		if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
-			tls_auth_name)) {
+			tls_auth_name, -1)) {
 			log_err("out of memory");
 			return 0;
 		}
@@ -276,6 +282,8 @@ read_forwards(struct iter_forwards* fwd, struct config_file* cfg)
 		dp->no_cache = s->no_cache;
 		/* use SSL for queries to this forwarder */
 		dp->ssl_upstream = (uint8_t)s->ssl_upstream;
+		/* use TCP for queries to this forwarder */
+		dp->tcp_upstream = (uint8_t)s->tcp_upstream;
 		verbose(VERB_QUERY, "Forward zone server list:");
 		delegpt_log(VERB_QUERY, dp);
 		if(!forwards_insert(fwd, LDNS_RR_CLASS_IN, dp))

iterator/iter_hints.c

@@ -99,7 +99,7 @@ ah(struct delegpt* dp, const char* sv, const char* ip)
 		log_err("could not parse %s", sv);
 		return 0;
 	}
-	if(!delegpt_add_ns_mlc(dp, dname, 0) ||
+	if(!delegpt_add_ns_mlc(dp, dname, 0, NULL, UNBOUND_DNS_PORT) ||
 	   !extstrtoaddr(ip, &addr, &addrlen) ||
 	   !delegpt_add_target_mlc(dp, dname, dname_len,
 		&addr, addrlen, 0, 0)) {
@@ -213,21 +213,27 @@ read_stubs_name(struct config_stub* s)
 }
 
 /** set stub host names */
-static int 
+static int
 read_stubs_host(struct config_stub* s, struct delegpt* dp)
 {
 	struct config_strlist* p;
-	size_t dname_len;
 	uint8_t* dname;
+	char* tls_auth_name;
+	int port;
 	for(p = s->hosts; p; p = p->next) {
 		log_assert(p->str);
-		dname = sldns_str2wire_dname(p->str, &dname_len);
+		dname = authextstrtodname(p->str, &port, &tls_auth_name);
 		if(!dname) {
 			log_err("cannot parse stub %s nameserver name: '%s'", 
 				s->name, p->str);
 			return 0;
 		}
-		if(!delegpt_add_ns_mlc(dp, dname, 0)) {
+#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+		if(tls_auth_name)
+			log_err("no name verification functionality in "
+				"ssl library, ignored name for %s", p->str);
+#endif
+		if(!delegpt_add_ns_mlc(dp, dname, 0, tls_auth_name, port)) {
 			free(dname);
 			log_err("out of memory");
 			return 0;
@@ -258,7 +264,7 @@ read_stubs_addr(struct config_stub* s, struct delegpt* dp)
 				"ssl library, ignored name for %s", p->str);
 #endif
 		if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
-			auth_name)) {
+			auth_name, -1)) {
 			log_err("out of memory");
 			return 0;
 		}
@@ -287,6 +293,8 @@ read_stubs(struct iter_hints* hints, struct config_file* cfg)
 		dp->no_cache = s->no_cache;
 		/* ssl_upstream */
 		dp->ssl_upstream = (uint8_t)s->ssl_upstream;
+		/* tcp_upstream */
+		dp->tcp_upstream = (uint8_t)s->tcp_upstream;
 		delegpt_log(VERB_QUERY, dp);
 		if(!hints_insert(hints, LDNS_RR_CLASS_IN, dp, !s->isprime))
 			return 0;
@@ -336,7 +344,7 @@ read_root_hints(struct iter_hints* hints, char* fname)
 		if(sldns_wirerr_get_type(rr, rr_len, dname_len)
 			== LDNS_RR_TYPE_NS) {
 			if(!delegpt_add_ns_mlc(dp, sldns_wirerr_get_rdata(rr,
-				rr_len, dname_len), 0)) {
+				rr_len, dname_len), 0, NULL, UNBOUND_DNS_PORT)) {
 				log_err("out of memory reading root hints");
 				goto stop_read;
 			}
@@ -395,10 +403,10 @@ read_root_hints(struct iter_hints* hints, char* fname)
 		delegpt_free_mlc(dp);
 		return 1;
 	}
+	delegpt_log(VERB_QUERY, dp);
 	if(!hints_insert(hints, c, dp, 0)) {
 		return 0;
 	}
-	delegpt_log(VERB_QUERY, dp);
 	return 1;
 
 stop_read:

iterator/iter_utils.c

@@ -4,22 +4,22 @@
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
  *
  * This software is open source.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
- * 
+ *
  * Redistributions of source code must retain the above copyright notice,
  * this list of conditions and the following disclaimer.
- * 
+ *
  * Redistributions in binary form must reproduce the above copyright notice,
  * this list of conditions and the following disclaimer in the documentation
  * and/or other materials provided with the distribution.
- * 
+ *
  * Neither the name of the NLNET LABS nor the names of its contributors may
  * be used to endorse or promote products derived from this software without
  * specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
@@ -37,7 +37,7 @@
  * \file
  *
  * This file contains functions to assist the iterator module.
- * Configuration options. Forward zones. 
+ * Configuration options. Forward zones.
  */
 #include "config.h"
 #include "iterator/iter_utils.h"
@@ -141,7 +141,7 @@ caps_white_apply_cfg(rbtree_type* ntree, struct config_file* cfg)
 	return 1;
 }
 
-int 
+int
 iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 {
 	int i;
@@ -151,7 +151,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 	for(i=0; i<iter_env->max_dependency_depth+1; i++)
 		verbose(VERB_QUERY, "target fetch policy for level %d is %d",
 			i, iter_env->target_fetch_policy[i]);
-	
+
 	if(!iter_env->donotq)
 		iter_env->donotq = donotq_create();
 	if(!iter_env->donotq || !donotq_apply_cfg(iter_env->donotq, cfg)) {
@@ -176,8 +176,8 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 	}
 	iter_env->supports_ipv6 = cfg->do_ip6;
 	iter_env->supports_ipv4 = cfg->do_ip4;
-
 	iter_env->max_query_restarts = cfg->max_query_restarts;
+	iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
 
 	return 1;
 }
@@ -215,7 +215,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
  *		dnsseclame servers get penalty
  *	USEFUL_SERVER_TOP_TIMEOUT*3 ..
  *		recursion lame servers get penalty
- *	UNKNOWN_SERVER_NICENESS 
+ *	UNKNOWN_SERVER_NICENESS
  *		If no information is known about the server, this is
  *		returned. 376 msec or so.
  *	+BLACKLIST_PENALTY (of USEFUL_TOP_TIMEOUT*4) for dnssec failed IPs.
@@ -224,11 +224,11 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
  * is turned off (so we do not discard the reply).
  * When a final value is chosen that is recursionlame; RD bit is set on query.
  * Because of the numbers this means recursionlame also have dnssec lameness
- * checking turned off. 
+ * checking turned off.
  */
 static int
 iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
-	uint8_t* name, size_t namelen, uint16_t qtype, time_t now, 
+	uint8_t* name, size_t namelen, uint16_t qtype, time_t now,
 	struct delegpt_addr* a)
 {
 	int rtt, lame, reclame, dnsseclame;
@@ -246,8 +246,8 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
 		return -1; /* there is no ip4 available */
 	}
 	/* check lameness - need zone , class info */
-	if(infra_get_lame_rtt(env->infra_cache, &a->addr, a->addrlen, 
+	if(infra_get_lame_rtt(env->infra_cache, &a->addr, a->addrlen,
-		name, namelen, qtype, &lame, &dnsseclame, &reclame, 
+		name, namelen, qtype, &lame, &dnsseclame, &reclame,
 		&rtt, now)) {
 		log_addr(VERB_ALGO, "servselect", &a->addr, a->addrlen);
 		verbose(VERB_ALGO, "   rtt=%d%s%s%s%s", rtt,
@@ -285,7 +285,7 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
 /** lookup RTT information, and also store fastest rtt (if any) */
 static int
 iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
-	uint8_t* name, size_t namelen, uint16_t qtype, time_t now, 
+	uint8_t* name, size_t namelen, uint16_t qtype, time_t now,
 	struct delegpt* dp, int* best_rtt, struct sock_list* blacklist,
 	size_t* num_suitable_results)
 {
@@ -296,7 +296,7 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
 	if(dp->bogus)
 		return 0; /* NS bogus, all bogus, nothing found */
 	for(a=dp->result_list; a; a = a->next_result) {
-		a->sel_rtt = iter_filter_unsuitable(iter_env, env, 
+		a->sel_rtt = iter_filter_unsuitable(iter_env, env,
 			name, namelen, qtype, now, a);
 		if(a->sel_rtt != -1) {
 			if(sock_list_find(blacklist, &a->addr, a->addrlen))
@@ -332,7 +332,7 @@ nth_rtt(struct delegpt_addr* result_list, size_t num_results, size_t n)
 	int rtt_band;
 	size_t i;
 	int* rtt_list, *rtt_index;
-	
+
 	if(num_results < 1 || n >= num_results) {
 		return -1;
 	}
@@ -364,8 +364,8 @@ nth_rtt(struct delegpt_addr* result_list, size_t num_results, size_t n)
  * returns number of best targets (or 0, no suitable targets) */
 static int
 iter_filter_order(struct iter_env* iter_env, struct module_env* env,
-	uint8_t* name, size_t namelen, uint16_t qtype, time_t now, 
+	uint8_t* name, size_t namelen, uint16_t qtype, time_t now,
-	struct delegpt* dp, int* selected_rtt, int open_target, 
+	struct delegpt* dp, int* selected_rtt, int open_target,
 	struct sock_list* blacklist, time_t prefetch)
 {
 	int got_num = 0, low_rtt = 0, swap_to_front, rtt_band = RTT_BAND, nth;
@@ -373,9 +373,9 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 	struct delegpt_addr* a, *n, *prev=NULL;
 
 	/* fillup sel_rtt and find best rtt in the bunch */
-	got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp, 
+	got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp,
 		&low_rtt, blacklist, &num_results);
-	if(got_num == 0) 
+	if(got_num == 0)
 		return 0;
 	if(low_rtt >= USEFUL_SERVER_TOP_TIMEOUT &&
 		(delegpt_count_missing_targets(dp) > 0 || open_target > 0)) {
@@ -443,6 +443,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 		prev = NULL;
 		a = dp->result_list;
 		for(i = 0; i < got_num; i++) {
+			if(!a) break; /* robustness */
 			swap_to_front = 0;
 			if(a->addr.ss_family != AF_INET6 && attempt == -1) {
 				/* if we only have ip4 at low attempt count,
@@ -500,6 +501,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 		prev = NULL;
 		a = dp->result_list;
 		for(i = 0; i < got_num; i++) {
+			if(!a) break; /* robustness */
 			swap_to_front = 0;
 			if(a->addr.ss_family != AF_INET && attempt == -1) {
 				/* if we only have ip6 at low attempt count,
@@ -549,9 +551,9 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 	return got_num;
 }
 
-struct delegpt_addr* 
+struct delegpt_addr*
-iter_server_selection(struct iter_env* iter_env, 
+iter_server_selection(struct iter_env* iter_env,
-	struct module_env* env, struct delegpt* dp, 
+	struct module_env* env, struct delegpt* dp,
 	uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_lame,
 	int* chase_to_rd, int open_target, struct sock_list* blacklist,
 	time_t prefetch)
@@ -593,7 +595,7 @@ iter_server_selection(struct iter_env* iter_env,
 
 	if(num == 1) {
 		a = dp->result_list;
-		if(++a->attempts < OUTBOUND_MSG_RETRY)
+		if(++a->attempts < iter_env->outbound_msg_retry)
 			return a;
 		dp->result_list = a->next_result;
 		return a;
@@ -603,7 +605,7 @@ iter_server_selection(struct iter_env* iter_env,
 	log_assert(num > 1);
 	/* grab secure random number, to pick unexpected server.
 	 * also we need it to be threadsafe. */
-	sel = ub_random_max(env->rnd, num); 
+	sel = ub_random_max(env->rnd, num);
 	a = dp->result_list;
 	prev = NULL;
 	while(sel > 0 && a) {
@@ -613,7 +615,7 @@ iter_server_selection(struct iter_env* iter_env,
 	}
 	if(!a)  /* robustness */
 		return NULL;
-	if(++a->attempts < OUTBOUND_MSG_RETRY)
+	if(++a->attempts < iter_env->outbound_msg_retry)
 		return a;
 	/* remove it from the delegation point result list */
 	if(prev)
@@ -622,8 +624,8 @@ iter_server_selection(struct iter_env* iter_env,
 	return a;
 }
 
-struct dns_msg* 
+struct dns_msg*
-dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg, 
+dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg,
 	struct regional* region)
 {
 	struct dns_msg* m = (struct dns_msg*)regional_alloc(region,
@@ -638,7 +640,7 @@ dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg,
 	return m;
 }
 
-struct dns_msg* 
+struct dns_msg*
 dns_copy_msg(struct dns_msg* from, struct regional* region)
 {
 	struct dns_msg* m = (struct dns_msg*)regional_alloc(region,
@@ -654,7 +656,7 @@ dns_copy_msg(struct dns_msg* from, struct regional* region)
 	return m;
 }
 
-void 
+void
 iter_dns_store(struct module_env* env, struct query_info* msgqinf,
 	struct reply_info* msgrep, int is_referral, time_t leeway, int pside,
 	struct regional* region, uint16_t flags)
@@ -664,7 +666,7 @@ iter_dns_store(struct module_env* env, struct query_info* msgqinf,
 		log_err("out of memory: cannot store data in cache");
 }
 
-int 
+int
 iter_ns_probability(struct ub_randstate* rnd, int n, int m)
 {
 	int sel;
@@ -672,7 +674,7 @@ iter_ns_probability(struct ub_randstate* rnd, int n, int m)
 		return 1;
 	/* we do not need secure random numbers here, but
 	 * we do need it to be threadsafe, so we use this */
-	sel = ub_random_max(rnd, m); 
+	sel = ub_random_max(rnd, m);
 	return (sel < n);
 }
 
@@ -689,12 +691,12 @@ causes_cycle(struct module_qstate* qstate, uint8_t* name, size_t namelen,
 	qinf.local_alias = NULL;
 	fptr_ok(fptr_whitelist_modenv_detect_cycle(
 		qstate->env->detect_cycle));
-	return (*qstate->env->detect_cycle)(qstate, &qinf, 
+	return (*qstate->env->detect_cycle)(qstate, &qinf,
 		(uint16_t)(BIT_RD|BIT_CD), qstate->is_priming,
 		qstate->is_valrec);
 }
 
-void 
+void
 iter_mark_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
 {
 	struct delegpt_ns* ns;
@@ -702,21 +704,21 @@ iter_mark_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
 		if(ns->resolved)
 			continue;
 		/* see if this ns as target causes dependency cycle */
-		if(causes_cycle(qstate, ns->name, ns->namelen, 
+		if(causes_cycle(qstate, ns->name, ns->namelen,
 			LDNS_RR_TYPE_AAAA, qstate->qinfo.qclass) ||
-		   causes_cycle(qstate, ns->name, ns->namelen, 
+		   causes_cycle(qstate, ns->name, ns->namelen,
 			LDNS_RR_TYPE_A, qstate->qinfo.qclass)) {
 			log_nametypeclass(VERB_QUERY, "skipping target due "
 			 	"to dependency cycle (harden-glue: no may "
-				"fix some of the cycles)", 
+				"fix some of the cycles)",
-				ns->name, LDNS_RR_TYPE_A, 
+				ns->name, LDNS_RR_TYPE_A,
 				qstate->qinfo.qclass);
 			ns->resolved = 1;
 		}
 	}
 }
 
-void 
+void
 iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
 {
 	struct delegpt_ns* ns;
@@ -724,14 +726,14 @@ iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
 		if(ns->done_pside4 && ns->done_pside6)
 			continue;
 		/* see if this ns as target causes dependency cycle */
-		if(causes_cycle(qstate, ns->name, ns->namelen, 
+		if(causes_cycle(qstate, ns->name, ns->namelen,
 			LDNS_RR_TYPE_A, qstate->qinfo.qclass)) {
 			log_nametypeclass(VERB_QUERY, "skipping target due "
 			 	"to dependency cycle", ns->name,
 				LDNS_RR_TYPE_A, qstate->qinfo.qclass);
 			ns->done_pside4 = 1;
 		}
-		if(causes_cycle(qstate, ns->name, ns->namelen, 
+		if(causes_cycle(qstate, ns->name, ns->namelen,
 			LDNS_RR_TYPE_AAAA, qstate->qinfo.qclass)) {
 			log_nametypeclass(VERB_QUERY, "skipping target due "
 			 	"to dependency cycle", ns->name,
@@ -741,11 +743,12 @@ iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
 	}
 }
 
-int 
+int
-iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, 
+iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
-	struct delegpt* dp)
+	struct delegpt* dp, int supports_ipv4, int supports_ipv6)
 {
 	struct delegpt_ns* ns;
+	struct delegpt_addr* a;
 	/* check:
 	 *      o RD qflag is on.
 	 *      o no addresses are provided.
@@ -758,17 +761,28 @@ iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
 	 */
 	if(!(qflags&BIT_RD))
 		return 0;
-	/* either available or unused targets */
+	/* either available or unused targets,
-	if(dp->usable_list || dp->result_list)
+	 * if they exist, the dp is not useless. */
-		return 0;
+	for(a = dp->usable_list; a; a = a->next_usable) {
-	
+		if(!addr_is_ip6(&a->addr, a->addrlen) && supports_ipv4)
+			return 0;
+		else if(addr_is_ip6(&a->addr, a->addrlen) && supports_ipv6)
+			return 0;
+	}
+	for(a = dp->result_list; a; a = a->next_result) {
+		if(!addr_is_ip6(&a->addr, a->addrlen) && supports_ipv4)
+			return 0;
+		else if(addr_is_ip6(&a->addr, a->addrlen) && supports_ipv6)
+			return 0;
+	}
+
 	/* see if query is for one of the nameservers, which is glue */
-	if( (qinfo->qtype == LDNS_RR_TYPE_A ||
+	if( ((qinfo->qtype == LDNS_RR_TYPE_A && supports_ipv4) ||
-		qinfo->qtype == LDNS_RR_TYPE_AAAA) &&
+		(qinfo->qtype == LDNS_RR_TYPE_AAAA && supports_ipv6)) &&
 		dname_subdomain_c(qinfo->qname, dp->name) &&
 		delegpt_find_ns(dp, qinfo->qname, qinfo->qname_len))
 		return 1;
-	
+
 	for(ns = dp->nslist; ns; ns = ns->next) {
 		if(ns->resolved) /* skip failed targets */
 			continue;
@@ -786,7 +800,7 @@ iter_qname_indicates_dnssec(struct module_env* env, struct query_info *qinfo)
 		return 0;
 	/* a trust anchor exists above the name? */
 	if((a=anchors_lookup(env->anchors, qinfo->qname, qinfo->qname_len,
-		qinfo->qclass))) { 
+		qinfo->qclass))) {
 		if(a->numDS == 0 && a->numDNSKEY == 0) {
 			/* insecure trust point */
 			lock_basic_unlock(&a->lock);
@@ -799,7 +813,7 @@ iter_qname_indicates_dnssec(struct module_env* env, struct query_info *qinfo)
 	return 0;
 }
 
-int 
+int
 iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
         struct dns_msg* msg, uint16_t dclass)
 {
@@ -843,7 +857,7 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
 	return 0;
 }
 
-int 
+int
 iter_msg_has_dnssec(struct dns_msg* msg)
 {
 	size_t i;
@@ -876,7 +890,7 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
 		 * and referral to example.com. NS ... , then origin zone
 		 * is .com. For a referral to sub.example.com. NS ... then
 		 * we do not know, since example.com. may be in between. */
-		for(i=0; i<msg->rep->an_numrrsets+msg->rep->ns_numrrsets; 
+		for(i=0; i<msg->rep->an_numrrsets+msg->rep->ns_numrrsets;
 			i++) {
 			struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
 			if(ntohs(s->rk.type) == LDNS_RR_TYPE_NS &&
@@ -891,7 +905,7 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
 		return 0;
 	}
 	log_assert(type==RESPONSE_TYPE_ANSWER || type==RESPONSE_TYPE_CNAME);
-	/* not a referral, and not lame delegation (upwards), so, 
+	/* not a referral, and not lame delegation (upwards), so,
 	 * any NS rrset must be from the zone itself */
 	if(reply_find_rrset_section_an(msg->rep, dp->name, dp->namelen,
 		LDNS_RR_TYPE_NS, dclass) ||
@@ -907,7 +921,7 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
 }
 
 /**
- * check equality of two rrsets 
+ * check equality of two rrsets
  * @param k1: rrset
  * @param k2: rrset
  * @return true if equal
@@ -936,7 +950,7 @@ rrset_equal(struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
 	for(i=0; i<t; i++) {
 		if(d1->rr_len[i] != d2->rr_len[i] ||
 			/* no ttl check: d1->rr_ttl[i] != d2->rr_ttl[i] ||*/
-			memcmp(d1->rr_data[i], d2->rr_data[i], 
+			memcmp(d1->rr_data[i], d2->rr_data[i],
 				d1->rr_len[i]) != 0)
 			return 0;
 	}
@@ -967,7 +981,7 @@ rrset_canonical_sort_cmp(const void* x, const void* y)
 	return 0;
 }
 
-int 
+int
 reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region)
 {
 	size_t i;
@@ -1025,7 +1039,7 @@ reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region)
 	return 1;
 }
 
-void 
+void
 caps_strip_reply(struct reply_info* rep)
 {
 	size_t i;
@@ -1067,8 +1081,8 @@ int caps_failed_rcode(struct reply_info* rep)
 		FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN);
 }
 
-void 
+void
-iter_store_parentside_rrset(struct module_env* env, 
+iter_store_parentside_rrset(struct module_env* env,
 	struct ub_packed_rrset_key* rrset)
 {
 	struct rrset_ref ref;
@@ -1108,12 +1122,12 @@ iter_store_parentside_NS(struct module_env* env, struct reply_info* rep)
 	}
 }
 
-void iter_store_parentside_neg(struct module_env* env, 
+void iter_store_parentside_neg(struct module_env* env,
         struct query_info* qinfo, struct reply_info* rep)
 {
 	/* TTL: NS from referral in iq->deleg_msg,
 	 *      or first RR from iq->response,
-	 *      or servfail5secs if !iq->response */ 
+	 *      or servfail5secs if !iq->response */
 	time_t ttl = NORR_TTL;
 	struct ub_packed_rrset_key* neg;
 	struct packed_rrset_data* newd;
@@ -1134,7 +1148,7 @@ void iter_store_parentside_neg(struct module_env* env,
 	neg->rk.type = htons(qinfo->qtype);
 	neg->rk.rrset_class = htons(qinfo->qclass);
 	neg->rk.flags = 0;
-	neg->rk.dname = regional_alloc_init(env->scratch, qinfo->qname, 
+	neg->rk.dname = regional_alloc_init(env->scratch, qinfo->qname,
 		qinfo->qname_len);
 	if(!neg->rk.dname) {
 		log_err("out of memory in store_parentside_neg");
@@ -1142,7 +1156,7 @@ void iter_store_parentside_neg(struct module_env* env,
 	}
 	neg->rk.dname_len = qinfo->qname_len;
 	neg->entry.hash = rrset_key_hash(&neg->rk);
-	newd = (struct packed_rrset_data*)regional_alloc_zero(env->scratch, 
+	newd = (struct packed_rrset_data*)regional_alloc_zero(env->scratch,
 		sizeof(struct packed_rrset_data) + sizeof(size_t) +
 		sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t));
 	if(!newd) {
@@ -1167,13 +1181,13 @@ void iter_store_parentside_neg(struct module_env* env,
 	iter_store_parentside_rrset(env, neg);
 }
 
-int 
+int
 iter_lookup_parent_NS_from_cache(struct module_env* env, struct delegpt* dp,
 	struct regional* region, struct query_info* qinfo)
 {
 	struct ub_packed_rrset_key* akey;
-	akey = rrset_cache_lookup(env->rrset_cache, dp->name, 
+	akey = rrset_cache_lookup(env->rrset_cache, dp->name,
-		dp->namelen, LDNS_RR_TYPE_NS, qinfo->qclass, 
+		dp->namelen, LDNS_RR_TYPE_NS, qinfo->qclass,
 		PACKED_RRSET_PARENT_SIDE, *env->now, 0);
 	if(akey) {
 		log_rrset_key(VERB_ALGO, "found parent-side NS in cache", akey);
@@ -1196,8 +1210,8 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
 	size_t num = delegpt_count_targets(dp);
 	for(ns = dp->nslist; ns; ns = ns->next) {
 		/* get cached parentside A */
-		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
+		akey = rrset_cache_lookup(env->rrset_cache, ns->name,
-			ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass, 
+			ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass,
 			PACKED_RRSET_PARENT_SIDE, *env->now, 0);
 		if(akey) {
 			log_rrset_key(VERB_ALGO, "found parent-side", akey);
@@ -1208,8 +1222,8 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
 			lock_rw_unlock(&akey->entry.lock);
 		}
 		/* get cached parentside AAAA */
-		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
+		akey = rrset_cache_lookup(env->rrset_cache, ns->name,
-			ns->namelen, LDNS_RR_TYPE_AAAA, qinfo->qclass, 
+			ns->namelen, LDNS_RR_TYPE_AAAA, qinfo->qclass,
 			PACKED_RRSET_PARENT_SIDE, *env->now, 0);
 		if(akey) {
 			log_rrset_key(VERB_ALGO, "found parent-side", akey);
@@ -1224,8 +1238,8 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
 	return delegpt_count_targets(dp) != num;
 }
 
-int 
+int
-iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd, 
+iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
 	uint16_t* c)
 {
 	uint16_t c1 = *c, c2 = *c;
@@ -1247,7 +1261,7 @@ void
 iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
 {
 	/* Only the DS record for the delegation itself is expected.
-	 * We allow DS for everything between the bailiwick and the 
+	 * We allow DS for everything between the bailiwick and the
 	 * zonecut, thus DS records must be at or above the zonecut.
 	 * And the DS records must be below the server authority zone.
 	 * The answer section is already scrubbed. */
@@ -1261,7 +1275,7 @@ iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
 				s->rk.dname, ntohs(s->rk.type),
 				ntohs(s->rk.rrset_class));
 			memmove(msg->rep->rrsets+i, msg->rep->rrsets+i+1,
-				sizeof(struct ub_packed_rrset_key*) * 
+				sizeof(struct ub_packed_rrset_key*) *
 				(msg->rep->rrset_count-i-1));
 			msg->rep->ns_numrrsets--;
 			msg->rep->rrset_count--;
@@ -1285,11 +1299,11 @@ iter_scrub_nxdomain(struct dns_msg* msg)
 	msg->rep->an_numrrsets = 0;
 }
 
-void iter_dec_attempts(struct delegpt* dp, int d)
+void iter_dec_attempts(struct delegpt* dp, int d, int outbound_msg_retry)
 {
 	struct delegpt_addr* a;
 	for(a=dp->target_list; a; a = a->next_target) {
-		if(a->attempts >= OUTBOUND_MSG_RETRY) {
+		if(a->attempts >= outbound_msg_retry) {
 			/* add back to result list */
 			a->next_result = dp->result_list;
 			dp->result_list = a;
@@ -1300,7 +1314,8 @@ void iter_dec_attempts(struct delegpt* dp, int d)
 	}
 }
 
-void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old)
+void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old,
+	int outbound_msg_retry)
 {
 	struct delegpt_addr* a, *o, *prev;
 	for(a=dp->target_list; a; a = a->next_target) {
@@ -1314,7 +1329,7 @@ void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old)
 	prev = NULL;
 	a = dp->usable_list;
 	while(a) {
-		if(a->attempts >= OUTBOUND_MSG_RETRY) {
+		if(a->attempts >= outbound_msg_retry) {
 			log_addr(VERB_ALGO, "remove from usable list dp",
 				&a->addr, a->addrlen);
 			/* remove from result list */
@@ -1394,7 +1409,8 @@ int iter_dp_cangodown(struct query_info* qinfo, struct delegpt* dp)
 }
 
 int
-iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf)
+iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf,
+	uint8_t** retdpname, size_t* retdpnamelen)
 {
 	struct iter_hints_stub *stub;
 	struct delegpt *dp;
@@ -1423,6 +1439,10 @@ iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf)
 			dname_str(stub->dp->name, dpname);
 			verbose(VERB_ALGO, "stub for %s %s has no_cache", qname, dpname);
 		}
+		if(retdpname) {
+			*retdpname = stub->dp->name;
+			*retdpnamelen = stub->dp->namelen;
+		}
 		return (stub->dp->no_cache);
 	}
 
@@ -1435,8 +1455,16 @@ iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf)
 			dname_str(dp->name, dpname);
 			verbose(VERB_ALGO, "forward for %s %s has no_cache", qname, dpname);
 		}
+		if(retdpname) {
+			*retdpname = dp->name;
+			*retdpnamelen = dp->namelen;
+		}
 		return (dp->no_cache);
 	}
+	if(retdpname) {
+		*retdpname = NULL;
+		*retdpnamelen = 0;
+	}
 	return 0;
 }
 

iterator/iter_utils.h

@@ -175,10 +175,14 @@ void iter_mark_pside_cycle_targets(struct module_qstate* qstate,
  * @param qinfo: query name and type
  * @param qflags: query flags with RD flag
  * @param dp: delegpt to check.
+ * @param supports_ipv4: if we support ipv4 for lookups to the target.
+ * 	if not, then the IPv4 addresses are useless.
+ * @param supports_ipv6: if we support ipv6 for lookups to the target.
+ * 	if not, then the IPv6 addresses are useless.
  * @return true if dp is useless.
  */
 int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, 
-	struct delegpt* dp);
+	struct delegpt* dp, int supports_ipv4, int supports_ipv6);
 
 /**
  * See if qname has DNSSEC needs.  This is true if there is a trust anchor above
@@ -347,16 +351,19 @@ void iter_scrub_nxdomain(struct dns_msg* msg);
  * Remove query attempts from all available ips. For 0x20.
  * @param dp: delegpt.
  * @param d: decrease.
+ * @param outbound_msg_retry: number of retries of outgoing queries
  */
-void iter_dec_attempts(struct delegpt* dp, int d);
+void iter_dec_attempts(struct delegpt* dp, int d, int outbound_msg_retry);
 
 /**
  * Add retry counts from older delegpt to newer delegpt.
  * Does not waste time on timeout'd (or other failing) addresses.
  * @param dp: new delegationpoint.
  * @param old: old delegationpoint.
+ * @param outbound_msg_retry: number of retries of outgoing queries
  */
-void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old);
+void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old,
+	int outbound_msg_retry);
 
 /**
  * See if a DS response (type ANSWER) is too low: a nodata answer with 
@@ -382,10 +389,15 @@ int iter_dp_cangodown(struct query_info* qinfo, struct delegpt* dp);
  * Lookup if no_cache is set in stub or fwd.
  * @param qstate: query state with env with hints and fwds.
  * @param qinf: query name to lookup for.
+ * @param retdpname: returns NULL or the deepest enclosing name of fwd or stub.
+ * 	This is the name under which the closest lookup is going to happen.
+ * 	Used for NXDOMAIN checks, above that it is an nxdomain from a
+ * 	different server and zone. You can pass NULL to not get it.
+ * @param retdpnamelen: returns the length of the dpname.
  * @return true if no_cache is set in stub or fwd.
  */
 int iter_stub_fwd_no_cache(struct module_qstate *qstate,
-	struct query_info *qinf);
+	struct query_info *qinf, uint8_t** retdpname, size_t* retdpnamelen);
 
 /**
  * Set support for IP4 and IP6 depending on outgoing interfaces

iterator/iterator.c

@@ -585,6 +585,60 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
 	return 1;
 }
 
+/** add response specific error information for log servfail */
+static void
+errinf_reply(struct module_qstate* qstate, struct iter_qstate* iq)
+{
+	if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail)
+		return;
+	if((qstate->reply && qstate->reply->addrlen != 0) ||
+		(iq->fail_reply && iq->fail_reply->addrlen != 0)) {
+		char from[256], frm[512];
+		if(qstate->reply && qstate->reply->addrlen != 0)
+			addr_to_str(&qstate->reply->addr, qstate->reply->addrlen,
+				from, sizeof(from));
+		else
+			addr_to_str(&iq->fail_reply->addr, iq->fail_reply->addrlen,
+				from, sizeof(from));
+		snprintf(frm, sizeof(frm), "from %s", from);
+		errinf(qstate, frm);
+	}
+	if(iq->scrub_failures || iq->parse_failures) {
+		if(iq->scrub_failures)
+			errinf(qstate, "upstream response failed scrub");
+		if(iq->parse_failures)
+			errinf(qstate, "could not parse upstream response");
+	} else if(iq->response == NULL && iq->timeout_count != 0) {
+		errinf(qstate, "upstream server timeout");
+	} else if(iq->response == NULL) {
+		errinf(qstate, "no server to query");
+		if(iq->dp) {
+			if(iq->dp->target_list == NULL)
+				errinf(qstate, "no addresses for nameservers");
+			else	errinf(qstate, "nameserver addresses not usable");
+			if(iq->dp->nslist == NULL)
+				errinf(qstate, "have no nameserver names");
+			if(iq->dp->bogus)
+				errinf(qstate, "NS record was dnssec bogus");
+		}
+	}
+	if(iq->response && iq->response->rep) {
+		if(FLAGS_GET_RCODE(iq->response->rep->flags) != 0) {
+			char rcode[256], rc[32];
+			(void)sldns_wire2str_rcode_buf(
+				FLAGS_GET_RCODE(iq->response->rep->flags),
+				rc, sizeof(rc));
+			snprintf(rcode, sizeof(rcode), "got %s", rc);
+			errinf(qstate, rcode);
+		} else {
+			/* rcode NOERROR */
+			if(iq->response->rep->an_numrrsets == 0) {
+				errinf(qstate, "nodata answer");
+			}
+		}
+	}
+}
+
 /** see if last resort is possible - does config allow queries to parent */
 static int
 can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
@@ -1228,8 +1282,8 @@ static int
 processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 	struct iter_env* ie, int id)
 {
-	uint8_t* delname;
+	uint8_t* delname, *dpname=NULL;
-	size_t delnamelen;
+	size_t delnamelen, dpnamelen=0;
 	struct dns_msg* msg = NULL;
 
 	log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
@@ -1283,7 +1337,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* This either results in a query restart (CNAME cache response), a
 	 * terminating response (ANSWER), or a cache miss (null). */
 	
-	if (iter_stub_fwd_no_cache(qstate, &iq->qchase)) {
+	if (iter_stub_fwd_no_cache(qstate, &iq->qchase, &dpname, &dpnamelen)) {
 		/* Asked to not query cache. */
 		verbose(VERB_ALGO, "no-cache set, going to the network");
 		qstate->no_cache_lookup = 1;
@@ -1298,7 +1352,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 		msg = dns_cache_lookup(qstate->env, iq->qchase.qname, 
 			iq->qchase.qname_len, iq->qchase.qtype, 
 			iq->qchase.qclass, qstate->query_flags,
-			qstate->region, qstate->env->scratch, 0);
+			qstate->region, qstate->env->scratch, 0, dpname,
+			dpnamelen);
 		if(!msg && qstate->env->neg_cache &&
 			iter_qname_indicates_dnssec(qstate->env, &iq->qchase)) {
 			/* lookup in negative cache; may result in
@@ -1478,36 +1533,6 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 		if(!iq->ratelimit_ok && qstate->prefetch_leeway)
 			iq->ratelimit_ok = 1; /* allow prefetches, this keeps
 			otherwise valid data in the cache */
-		if(!iq->ratelimit_ok && infra_ratelimit_exceeded(
-			qstate->env->infra_cache, iq->dp->name,
-			iq->dp->namelen, *qstate->env->now)) {
-			/* and increment the rate, so that the rate for time
-			 * now will also exceed the rate, keeping cache fresh */
-			(void)infra_ratelimit_inc(qstate->env->infra_cache,
-				iq->dp->name, iq->dp->namelen,
-				*qstate->env->now, &qstate->qinfo,
-				qstate->reply);
-			/* see if we are passed through with slip factor */
-			if(qstate->env->cfg->ratelimit_factor != 0 &&
-				ub_random_max(qstate->env->rnd,
-				    qstate->env->cfg->ratelimit_factor) == 1) {
-				iq->ratelimit_ok = 1;
-				log_nametypeclass(VERB_ALGO, "ratelimit allowed through for "
-					"delegation point", iq->dp->name,
-					LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN);
-			} else {
-				lock_basic_lock(&ie->queries_ratelimit_lock);
-				ie->num_queries_ratelimited++;
-				lock_basic_unlock(&ie->queries_ratelimit_lock);
-				log_nametypeclass(VERB_ALGO, "ratelimit exceeded with "
-					"delegation point", iq->dp->name,
-					LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN);
-				qstate->was_ratelimited = 1;
-				errinf(qstate, "query was ratelimited");
-				errinf_dname(qstate, "for zone", iq->dp->name);
-				return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
-			}
-		}
 
 		/* see if this dp not useless.
 		 * It is useless if:
@@ -1522,7 +1547,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * same server reply) if useless-checked.
 		 */
 		if(iter_dp_is_useless(&qstate->qinfo, qstate->query_flags, 
-			iq->dp)) {
+			iq->dp, ie->supports_ipv4, ie->supports_ipv6)) {
 			struct delegpt* retdp = NULL;
 			if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen, iq->qchase.qclass, &retdp)) {
 				if(retdp) {
@@ -1921,6 +1946,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * of a response. */
 		errinf(qstate, "all the configured stub or forward servers failed,");
 		errinf_dname(qstate, "at zone", iq->dp->name);
+		errinf_reply(qstate, iq);
 		verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
 		return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
 	}
@@ -1932,12 +1958,13 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 			iq->chase_flags &= ~BIT_RD; /* go to authorities */
 			for(ns = p->nslist; ns; ns=ns->next) {
 				(void)delegpt_add_ns(iq->dp, qstate->region,
-					ns->name, ns->lame);
+					ns->name, ns->lame, ns->tls_auth_name,
+					ns->port);
 			}
 			for(a = p->target_list; a; a=a->next_target) {
 				(void)delegpt_add_addr(iq->dp, qstate->region,
 					&a->addr, a->addrlen, a->bogus,
-					a->lame, a->tls_auth_name, NULL);
+					a->lame, a->tls_auth_name, -1, NULL);
 			}
 		}
 		iq->dp->has_parent_side_NS = 1;
@@ -2067,6 +2094,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 
 	errinf(qstate, "all servers for this domain failed,");
 	errinf_dname(qstate, "at zone", iq->dp->name);
+	errinf_reply(qstate, iq);
 	verbose(VERB_QUERY, "out of query targets -- returning SERVFAIL");
 	/* fail -- no more targets, no more hope of targets, no hope 
 	 * of a response. */
@@ -2154,9 +2182,11 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	int auth_fallback = 0;
 	uint8_t* qout_orig = NULL;
 	size_t qout_orig_len = 0;
+	int sq_check_ratelimit = 1;
+	int sq_was_ratelimited = 0;
 
-	/* NOTE: a request will encounter this state for each target it 
+	/* NOTE: a request will encounter this state for each target it
-	 * needs to send a query to. That is, at least one per referral, 
+	 * needs to send a query to. That is, at least one per referral,
 	 * more if some targets timeout or return throwaway answers. */
 
 	log_query_info(VERB_QUERY, "processQueryTargets:", &qstate->qinfo);
@@ -2241,7 +2271,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		iq->minimise_count++;
 		iq->timeout_count = 0;
 
-		iter_dec_attempts(iq->dp, 1);
+		iter_dec_attempts(iq->dp, 1, ie->outbound_msg_retry);
 
 		/* Limit number of iterations for QNAMEs with more
 		 * than MAX_MINIMISE_COUNT labels. Send first MINIMISE_ONE_LAB
@@ -2288,7 +2318,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 				iq->qinfo_out.qname, iq->qinfo_out.qname_len, 
 				iq->qinfo_out.qtype, iq->qinfo_out.qclass, 
 				qstate->query_flags, qstate->region, 
-				qstate->env->scratch, 0);
+				qstate->env->scratch, 0, iq->dp->name,
+				iq->dp->namelen);
 			if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
 				LDNS_RCODE_NOERROR)
 				/* no need to send query if it is already 
@@ -2442,7 +2473,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 				(int)iq->caps_server+1, (int)naddr*3);
 			iq->response = iq->caps_response;
 			iq->caps_fallback = 0;
-			iter_dec_attempts(iq->dp, 3); /* space for fallback */
+			iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry); /* space for fallback */
 			iq->num_current_queries++; /* RespState decrements it*/
 			iq->referral_count++; /* make sure we don't loop */
 			iq->sent_count = 0;
@@ -2471,6 +2502,23 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* Add the current set of unused targets to our queue. */
 	delegpt_add_unused_targets(iq->dp);
 
+	if(qstate->env->auth_zones) {
+		/* apply rpz triggers at query time */
+		struct dns_msg* forged_response = rpz_callback_from_iterator_module(qstate, iq);
+		if(forged_response != NULL) {
+			qstate->ext_state[id] = module_finished;
+			qstate->return_rcode = LDNS_RCODE_NOERROR;
+			qstate->return_msg = forged_response;
+			iq->response = forged_response;
+			next_state(iq, FINISHED_STATE);
+			if(!iter_prepend(iq, qstate->return_msg, qstate->region)) {
+				log_err("rpz: prepend rrsets: out of memory");
+				return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+			}
+			return 0;
+		}
+	}
+
 	/* Select the next usable target, filtering out unsuitable targets. */
 	target = iter_server_selection(ie, qstate->env, iq->dp, 
 		iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
@@ -2530,7 +2578,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 						(int)iq->caps_server+1);
 					iq->response = iq->caps_response;
 					iq->caps_fallback = 0;
-					iter_dec_attempts(iq->dp, 3); /* space for fallback */
+					iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry); /* space for fallback */
 					iq->num_current_queries++; /* RespState decrements it*/
 					iq->referral_count++; /* make sure we don't loop */
 					iq->sent_count = 0;
@@ -2571,22 +2619,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		return 0;
 	}
 
-	/* if not forwarding, check ratelimits per delegationpoint name */
+	/* Do not check ratelimit for forwarding queries or if we already got a
-	if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) {
+	 * pass. */
-		if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name,
+	sq_check_ratelimit = (!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok);
-			iq->dp->namelen, *qstate->env->now, &qstate->qinfo,
-			qstate->reply)) {
-			lock_basic_lock(&ie->queries_ratelimit_lock);
-			ie->num_queries_ratelimited++;
-			lock_basic_unlock(&ie->queries_ratelimit_lock);
-			verbose(VERB_ALGO, "query exceeded ratelimits");
-			qstate->was_ratelimited = 1;
-			errinf_dname(qstate, "exceeded ratelimit for zone",
-				iq->dp->name);
-			return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
-		}
-	}
-
 	/* We have a valid target. */
 	if(verbosity >= VERB_QUERY) {
 		log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out);
@@ -2598,24 +2633,32 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	}
 	fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
 	outq = (*qstate->env->send_query)(&iq->qinfo_out,
-		iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), 
+		iq->chase_flags | (iq->chase_to_rd?BIT_RD:0),
 		/* unset CD if to forwarder(RD set) and not dnssec retry
 		 * (blacklist nonempty) and no trust-anchors are configured
 		 * above the qname or on the first attempt when dnssec is on */
 		EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
 		!qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env,
-		&iq->qinfo_out)||target->attempts==1)?0:BIT_CD), 
+		&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
 		iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
-		ie, iq), &target->addr, target->addrlen,
+		ie, iq), sq_check_ratelimit, &target->addr, target->addrlen,
 		iq->dp->name, iq->dp->namelen,
+		(iq->dp->tcp_upstream || qstate->env->cfg->tcp_upstream),
 		(iq->dp->ssl_upstream || qstate->env->cfg->ssl_upstream),
-		target->tls_auth_name, qstate);
+		target->tls_auth_name, qstate, &sq_was_ratelimited);
 	if(!outq) {
-		log_addr(VERB_DETAIL, "error sending query to auth server", 
+		if(sq_was_ratelimited) {
+			lock_basic_lock(&ie->queries_ratelimit_lock);
+			ie->num_queries_ratelimited++;
+			lock_basic_unlock(&ie->queries_ratelimit_lock);
+			verbose(VERB_ALGO, "query exceeded ratelimits");
+			qstate->was_ratelimited = 1;
+			errinf_dname(qstate, "exceeded ratelimit for zone",
+				iq->dp->name);
+			return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+		}
+		log_addr(VERB_QUERY, "error sending query to auth server",
 			&target->addr, target->addrlen);
-		if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok)
-		    infra_ratelimit_dec(qstate->env->infra_cache, iq->dp->name,
-			iq->dp->namelen, *qstate->env->now);
 		if(qstate->env->cfg->qname_minimisation)
 			iq->minimisation_state = SKIP_MINIMISE_STATE;
 		return next_state(iq, QUERYTARGETS_STATE);
@@ -2649,6 +2692,7 @@ find_NS(struct reply_info* rep, size_t from, size_t to)
  * 
  * @param qstate: query state.
  * @param iq: iterator query state.
+ * @param ie: iterator shared global environment.
  * @param id: module id.
  * @return true if the event requires more immediate processing, false if
  *         not. This is generally only true when forwarding the request to
@@ -2656,10 +2700,11 @@ find_NS(struct reply_info* rep, size_t from, size_t to)
  */
 static int
 processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
-	int id)
+	struct iter_env* ie, int id)
 {
 	int dnsseclame = 0;
 	enum response_type type;
+
 	iq->num_current_queries--;
 
 	if(!inplace_cb_query_response_call(qstate->env, qstate, iq->response))
@@ -2787,7 +2832,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		}
 		if(!qstate->no_cache_store)
 			iter_dns_store(qstate->env, &iq->response->qinfo,
-				iq->response->rep, 0, qstate->prefetch_leeway,
+				iq->response->rep,
+				iq->qchase.qtype != iq->response->qinfo.qtype,
+				qstate->prefetch_leeway,
 				iq->dp&&iq->dp->has_parent_side_NS,
 				qstate->region, qstate->query_flags);
 		/* close down outstanding requests to be discarded */
@@ -2857,14 +2904,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * delegation point, and back to the QUERYTARGETS_STATE. */
 		verbose(VERB_DETAIL, "query response was REFERRAL");
 
-		if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) {
-			/* we have a referral, no ratelimit, we can send
-			 * our queries to the given name */
-			infra_ratelimit_dec(qstate->env->infra_cache,
-				iq->dp->name, iq->dp->namelen,
-				*qstate->env->now);
-		}
-
 		/* if hardened, only store referral if we asked for it */
 		if(!qstate->no_cache_store &&
 		(!qstate->env->cfg->harden_referral_path ||
@@ -2925,7 +2964,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		}
 		if(iq->store_parent_NS && query_dname_compare(iq->dp->name,
 			iq->store_parent_NS->name) == 0)
-			iter_merge_retry_counts(iq->dp, iq->store_parent_NS);
+			iter_merge_retry_counts(iq->dp, iq->store_parent_NS,
+				ie->outbound_msg_retry);
 		delegpt_log(VERB_ALGO, iq->dp);
 		/* Count this as a referral. */
 		iq->referral_count++;
@@ -2957,6 +2997,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			qstate->env->detach_subs));
 		(*qstate->env->detach_subs)(qstate);
 		iq->num_target_queries = 0;
+		iq->response = NULL;
+		iq->fail_reply = NULL;
 		verbose(VERB_ALGO, "cleared outbound list for next round");
 		return next_state(iq, QUERYTARGETS_STATE);
 	} else if(type == RESPONSE_TYPE_CNAME) {
@@ -3001,6 +3043,39 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* set the current request's qname to the new value. */
 		iq->qchase.qname = sname;
 		iq->qchase.qname_len = snamelen;
+		if(qstate->env->auth_zones) {
+			/* apply rpz qname triggers after cname */
+			struct dns_msg* forged_response =
+				rpz_callback_from_iterator_cname(qstate, iq);
+			while(forged_response && reply_find_rrset_section_an(
+				forged_response->rep, iq->qchase.qname,
+				iq->qchase.qname_len, LDNS_RR_TYPE_CNAME,
+				iq->qchase.qclass)) {
+				/* another cname to follow */
+				if(!handle_cname_response(qstate, iq, forged_response,
+					&sname, &snamelen)) {
+					errinf(qstate, "malloc failure, CNAME info");
+					return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+				}
+				iq->qchase.qname = sname;
+				iq->qchase.qname_len = snamelen;
+				forged_response =
+					rpz_callback_from_iterator_cname(qstate, iq);
+			}
+			if(forged_response != NULL) {
+				qstate->ext_state[id] = module_finished;
+				qstate->return_rcode = LDNS_RCODE_NOERROR;
+				qstate->return_msg = forged_response;
+				iq->response = forged_response;
+				next_state(iq, FINISHED_STATE);
+				if(!iter_prepend(iq, qstate->return_msg, qstate->region)) {
+					log_err("rpz: after cname, prepend rrsets: out of memory");
+					return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+				}
+				qstate->return_msg->qinfo = qstate->qinfo;
+				return 0;
+			}
+		}
 		/* Clear the query state, since this is a query restart. */
 		iq->deleg_msg = NULL;
 		iq->dp = NULL;
@@ -3128,7 +3203,7 @@ prime_supers(struct module_qstate* qstate, int id, struct module_qstate* forq)
 	/* Convert our response to a delegation point */
 	dp = delegpt_from_message(qstate->return_msg, forq->region);
 	if(!dp) {
-		/* if there is no convertable delegation point, then 
+		/* if there is no convertible delegation point, then 
 		 * the ANSWER type was (presumably) a negative answer. */
 		verbose(VERB_ALGO, "prime response was not a positive "
 			"ANSWER; failing");
@@ -3270,21 +3345,22 @@ processTargetResponse(struct module_qstate* qstate, int id,
 			log_err("out of memory adding pside glue");
 	}
 
-	/* This response is relevant to the current query, so we 
+	/* This response is relevant to the current query, so we
-	 * add (attempt to add, anyway) this target(s) and reactivate 
+	 * add (attempt to add, anyway) this target(s) and reactivate
-	 * the original event. 
+	 * the original event.
-	 * NOTE: we could only look for the AnswerRRset if the 
+	 * NOTE: we could only look for the AnswerRRset if the
 	 * response type was ANSWER. */
 	rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep);
 	if(rrset) {
 		int additions = 0;
 		/* if CNAMEs have been followed - add new NS to delegpt. */
 		/* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */
-		if(!delegpt_find_ns(foriq->dp, rrset->rk.dname, 
+		if(!delegpt_find_ns(foriq->dp, rrset->rk.dname,
 			rrset->rk.dname_len)) {
 			/* if dpns->lame then set newcname ns lame too */
-			if(!delegpt_add_ns(foriq->dp, forq->region, 
+			if(!delegpt_add_ns(foriq->dp, forq->region,
-				rrset->rk.dname, dpns->lame))
+				rrset->rk.dname, dpns->lame, dpns->tls_auth_name,
+				dpns->port))
 				log_err("out of memory adding cnamed-ns");
 		}
 		/* if dpns->lame then set the address(es) lame too */
@@ -3634,7 +3710,7 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
 				cont = processQueryTargets(qstate, iq, ie, id);
 				break;
 			case QUERY_RESP_STATE:
-				cont = processQueryResponse(qstate, iq, id);
+				cont = processQueryResponse(qstate, iq, ie, id);
 				break;
 			case PRIME_RESP_STATE:
 				cont = processPrimeResponse(qstate, id);
@@ -3704,7 +3780,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 			iq->num_current_queries--;
 			/* need fresh attempts for the 0x20 fallback, if
 			 * that was the cause for the failure */
-			iter_dec_attempts(iq->dp, 3);
+			iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry);
 			verbose(VERB_DETAIL, "Capsforid: timeouts, starting fallback");
 			goto handle_it;
 		}
@@ -3720,6 +3796,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 	}
 
 	/* parse message */
+	iq->fail_reply = qstate->reply;
 	prs = (struct msg_parse*)regional_alloc(qstate->env->scratch, 
 		sizeof(struct msg_parse));
 	if(!prs) {
@@ -3733,16 +3810,19 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 	sldns_buffer_set_position(pkt, 0);
 	if(parse_packet(pkt, prs, qstate->env->scratch) != LDNS_RCODE_NOERROR) {
 		verbose(VERB_ALGO, "parse error on reply packet");
+		iq->parse_failures++;
 		goto handle_it;
 	}
 	/* edns is not examined, but removed from message to help cache */
-	if(parse_extract_edns(prs, &edns, qstate->env->scratch) !=
+	if(parse_extract_edns_from_response_msg(prs, &edns, qstate->env->scratch) !=
-		LDNS_RCODE_NOERROR)
+		LDNS_RCODE_NOERROR) {
+		iq->parse_failures++;
 		goto handle_it;
+	}
 
 	/* Copy the edns options we may got from the back end */
-	if(edns.opt_list) {
+	if(edns.opt_list_in) {
-		qstate->edns_opts_back_in = edns_opt_copy_region(edns.opt_list,
+		qstate->edns_opts_back_in = edns_opt_copy_region(edns.opt_list_in,
 			qstate->region);
 		if(!qstate->edns_opts_back_in) {
 			log_err("out of memory on incoming message");
@@ -3772,6 +3852,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 			iq->num_current_queries--;
 			verbose(VERB_DETAIL, "Capsforid: scrub failed, starting fallback with no response");
 		}
+		iq->scrub_failures++;
 		goto handle_it;
 	}
 

iterator/iterator.h

@@ -61,7 +61,7 @@ struct rbtree_type;
  * its subqueries */
 #define MAX_TARGET_NX		5
 /** max number of query restarts. Determines max number of CNAME chain. */
-#define MAX_RESTART_COUNT       8
+#define MAX_RESTART_COUNT	11
 /** max number of referrals. Makes sure resolver does not run away */
 #define MAX_REFERRAL_COUNT	130
 /** max number of queries-sent-out.  Make sure large NS set does not loop */
@@ -80,7 +80,7 @@ struct rbtree_type;
 /**
  * number of labels from QNAME that are always send individually when using
  * QNAME minimisation, even when the number of labels of the QNAME is bigger
- * tham MAX_MINIMISE_COUNT */
+ * than MAX_MINIMISE_COUNT */
 #define MINIMISE_ONE_LAB	4
 #define MINIMISE_MULTIPLE_LABS	(MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB)
 /** at what query-sent-count to stop target fetch policy */
@@ -94,8 +94,6 @@ extern int UNKNOWN_SERVER_NICENESS;
  * Equals RTT_MAX_TIMEOUT
  */
 #define USEFUL_SERVER_TOP_TIMEOUT	120000
-/** number of retries on outgoing queries */
-#define OUTBOUND_MSG_RETRY 5
 /** RTT band, within this amount from the best, servers are chosen randomly.
  * Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a 
  * fast server, this causes server exploration as a side benefit. msec. */
@@ -142,6 +140,8 @@ struct iter_env {
 
 	/** max number of query restarts to limit length of CNAME chain */
 	size_t max_query_restarts;
+	/** number of retries on outgoing queries */
+	int outbound_msg_retry;
 };
 
 /**
@@ -381,7 +381,7 @@ struct iter_qstate {
 	/** list of pending queries to authoritative servers. */
 	struct outbound_list outlist;
 
-	/** QNAME minimisation state, RFC7816 */
+	/** QNAME minimisation state, RFC9156 */
 	enum minimisation_state minimisation_state;
 
 	/** State for capsfail: QNAME minimisation state for comparisons. */
@@ -409,6 +409,12 @@ struct iter_qstate {
 	int auth_zone_response;
 	/** True if the auth_zones should not be consulted for the query */
 	int auth_zone_avoid;
+	/** true if there have been scrubbing failures of reply packets */
+	int scrub_failures;
+	/** true if there have been parse failures of reply packets */
+	int parse_failures;
+	/** a failure printout address for last received answer */
+	struct comm_reply* fail_reply;
 };
 
 /**

libunbound/context.c

@@ -48,6 +48,7 @@
 #include "services/cache/rrset.h"
 #include "services/cache/infra.h"
 #include "services/authzone.h"
+#include "services/listen_dnsport.h"
 #include "util/data/msgreply.h"
 #include "util/storage/slabhash.h"
 #include "util/edns.h"
@@ -69,9 +70,11 @@ context_finalize(struct ub_ctx* ctx)
 	} else {
 		log_init(cfg->logfile, cfg->use_syslog, NULL);
 	}
+	cfg_apply_local_port_policy(cfg, 65536);
 	config_apply(cfg);
 	if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))
 		return UB_INITFAIL;
+	listen_setup_locks();
 	log_edns_known_options(VERB_ALGO, ctx->env);
 	ctx->local_zones = local_zones_create();
 	if(!ctx->local_zones)

libunbound/context.h

@@ -176,35 +176,6 @@ struct ctx_query {
 	struct ub_result* res;
 };
 
-/**
- * The error constants
- */
-enum ub_ctx_err {
-	/** no error */
-	UB_NOERROR = 0,
-	/** socket operation. Set to -1, so that if an error from _fd() is
-	 * passed (-1) it gives a socket error. */
-	UB_SOCKET = -1,
-	/** alloc failure */
-	UB_NOMEM = -2,
-	/** syntax error */
-	UB_SYNTAX = -3,
-	/** DNS service failed */
-	UB_SERVFAIL = -4,
-	/** fork() failed */
-	UB_FORKFAIL = -5,
-	/** cfg change after finalize() */
-	UB_AFTERFINAL = -6,
-	/** initialization failed (bad settings) */
-	UB_INITFAIL = -7,
-	/** error in pipe communication with async bg worker */
-	UB_PIPE = -8,
-	/** error reading from file (resolv.conf) */
-	UB_READFILE = -9,
-	/** error async_id does not exist or result already been delivered */
-	UB_NOID = -10
-};
-
 /**
  * Command codes for libunbound pipe.
  *

libunbound/libunbound.c

@@ -64,6 +64,7 @@
 #include "services/cache/infra.h"
 #include "services/cache/rrset.h"
 #include "services/authzone.h"
+#include "services/listen_dnsport.h"
 #include "sldns/sbuffer.h"
 #ifdef HAVE_PTHREAD
 #include <signal.h>
@@ -185,6 +186,7 @@ ub_ctx_create(void)
 		ub_randfree(ctx->seed_rnd);
 		config_delete(ctx->env->cfg);
 		modstack_desetup(&ctx->mods, ctx->env);
+		listen_desetup_locks();
 		edns_known_options_delete(ctx->env);
 		edns_strings_delete(ctx->env->edns_strings);
 		free(ctx->env);
@@ -198,6 +200,7 @@ ub_ctx_create(void)
 		ub_randfree(ctx->seed_rnd);
 		config_delete(ctx->env->cfg);
 		modstack_desetup(&ctx->mods, ctx->env);
+		listen_desetup_locks();
 		edns_known_options_delete(ctx->env);
 		edns_strings_delete(ctx->env->edns_strings);
 		free(ctx->env);
@@ -344,6 +347,7 @@ ub_ctx_delete(struct ub_ctx* ctx)
 	}
 	ub_randfree(ctx->seed_rnd);
 	alloc_clear(&ctx->superalloc);
+	listen_desetup_locks();
 	traverse_postorder(&ctx->queries, delq, NULL);
 	if(ctx_logfile_overridden) {
 		log_file(NULL);

libunbound/libworker.c

@@ -241,7 +241,9 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 		ports, numports, cfg->unwanted_threshold,
 		cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
 		cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
-		cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect);
+		cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect,
+		cfg->max_reuse_tcp_queries, cfg->tcp_reuse_timeout,
+		cfg->tcp_auth_query_timeout);
 	w->env->outnet = w->back;
 	if(!w->is_bg || w->is_bg_thread) {
 		lock_basic_unlock(&ctx->cfglock);
@@ -454,8 +456,15 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer,
 		if(rep->rrset_count != 0)
 			res->ttl = (int)rep->ttl;
 		res->data = (char**)calloc(1, sizeof(char*));
+		if(!res->data)
+			return 0; /* out of memory */
 		res->len = (int*)calloc(1, sizeof(int));
-		return (res->data && res->len);
+		if(!res->len) {
+			free(res->data);
+			res->data = NULL;
+			return 0; /* out of memory */
+		}
+		return 1;
 	}
 	data = (struct packed_rrset_data*)answer->entry.data;
 	if(query_dname_compare(rq->qname, answer->rk.dname) != 0) {
@@ -463,15 +472,30 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer,
 			return 0; /* out of memory */
 	} else	res->canonname = NULL;
 	res->data = (char**)calloc(data->count+1, sizeof(char*));
-	res->len = (int*)calloc(data->count+1, sizeof(int));
+	if(!res->data)
-	if(!res->data || !res->len)
 		return 0; /* out of memory */
+	res->len = (int*)calloc(data->count+1, sizeof(int));
+	if(!res->len) {
+		free(res->data);
+		res->data = NULL;
+		return 0; /* out of memory */
+	}
 	for(i=0; i<data->count; i++) {
 		/* remove rdlength from rdata */
 		res->len[i] = (int)(data->rr_len[i] - 2);
 		res->data[i] = memdup(data->rr_data[i]+2, (size_t)res->len[i]);
-		if(!res->data[i])
+		if(!res->data[i]) {
+			size_t j;
+			for(j=0; j<i; j++) {
+				free(res->data[j]);
+				res->data[j] = NULL;
+			}
+			free(res->data);
+			res->data = NULL;
+			free(res->len);
+			res->len = NULL;
 			return 0; /* out of memory */
+		}
 	}
 	/* ttl for positive answers, from CNAME and answer RRs */
 	if(data->count != 0) {
@@ -576,7 +600,9 @@ setup_qinfo_edns(struct libworker* w, struct ctx_query* q,
 	edns->ext_rcode = 0;
 	edns->edns_version = 0;
 	edns->bits = EDNS_DO;
-	edns->opt_list = NULL;
+	edns->opt_list_in = NULL;
+	edns->opt_list_out = NULL;
+	edns->opt_list_inplace_cb_out = NULL;
 	edns->padding_block_size = 0;
 	if(sldns_buffer_capacity(w->back->udp_buff) < 65535)
 		edns->udp_size = (uint16_t)sldns_buffer_capacity(
@@ -624,7 +650,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
 	}
 	/* process new query */
 	if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, 
-		w->back->udp_buff, qid, libworker_fg_done_cb, q)) {
+		w->back->udp_buff, qid, libworker_fg_done_cb, q, 0)) {
 		free(qinfo.qname);
 		return UB_NOMEM;
 	}
@@ -704,7 +730,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
 	if(async_id)
 		*async_id = q->querynum;
 	if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, 
-		w->back->udp_buff, qid, libworker_event_done_cb, q)) {
+		w->back->udp_buff, qid, libworker_event_done_cb, q, 0)) {
 		free(qinfo.qname);
 		return UB_NOMEM;
 	}
@@ -841,7 +867,7 @@ handle_newq(struct libworker* w, uint8_t* buf, uint32_t len)
 	q->w = w;
 	/* process new query */
 	if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, 
-		w->back->udp_buff, qid, libworker_bg_done_cb, q)) {
+		w->back->udp_buff, qid, libworker_bg_done_cb, q, 0)) {
 		add_bg_result(w, q, NULL, UB_NOMEM, NULL, 0);
 	}
 	free(qinfo.qname);
@@ -856,9 +882,10 @@ void libworker_alloc_cleanup(void* arg)
 
 struct outbound_entry* libworker_send_query(struct query_info* qinfo,
 	uint16_t flags, int dnssec, int want_dnssec, int nocaps,
+	int check_ratelimit,
 	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
-	size_t zonelen, int ssl_upstream, char* tls_auth_name,
+	size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
-	struct module_qstate* q)
+	struct module_qstate* q, int* was_ratelimited)
 {
 	struct libworker* w = (struct libworker*)q->env->worker;
 	struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@@ -867,44 +894,16 @@ struct outbound_entry* libworker_send_query(struct query_info* qinfo,
 		return NULL;
 	e->qstate = q;
 	e->qsent = outnet_serviced_query(w->back, qinfo, flags, dnssec,
-		want_dnssec, nocaps, q->env->cfg->tcp_upstream, ssl_upstream,
+		want_dnssec, nocaps, check_ratelimit, tcp_upstream, ssl_upstream,
 		tls_auth_name, addr, addrlen, zone, zonelen, q,
-		libworker_handle_service_reply, e, w->back->udp_buff, q->env);
+		libworker_handle_service_reply, e, w->back->udp_buff, q->env,
+		was_ratelimited);
 	if(!e->qsent) {
 		return NULL;
 	}
 	return e;
 }
 
-int 
-libworker_handle_reply(struct comm_point* c, void* arg, int error,
-        struct comm_reply* reply_info)
-{
-	struct module_qstate* q = (struct module_qstate*)arg;
-	struct libworker* lw = (struct libworker*)q->env->worker;
-	struct outbound_entry e;
-	e.qstate = q;
-	e.qsent = NULL;
-
-	if(error != 0) {
-		mesh_report_reply(lw->env->mesh, &e, reply_info, error);
-		return 0;
-	}
-	/* sanity check. */
-	if(!LDNS_QR_WIRE(sldns_buffer_begin(c->buffer))
-		|| LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) !=
-			LDNS_PACKET_QUERY
-		|| LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) > 1) {
-		/* error becomes timeout for the module as if this reply
-		 * never arrived. */
-		mesh_report_reply(lw->env->mesh, &e, reply_info, 
-			NETEVENT_TIMEOUT);
-		return 0;
-	}
-	mesh_report_reply(lw->env->mesh, &e, reply_info, NETEVENT_NOERROR);
-	return 0;
-}
-
 int 
 libworker_handle_service_reply(struct comm_point* c, void* arg, int error,
         struct comm_reply* reply_info)
@@ -947,14 +946,6 @@ int worker_handle_request(struct comm_point* ATTR_UNUSED(c),
 	return 0;
 }
 
-int worker_handle_reply(struct comm_point* ATTR_UNUSED(c), 
-	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
-        struct comm_reply* ATTR_UNUSED(reply_info))
-{
-	log_assert(0);
-	return 0;
-}
-
 int worker_handle_service_reply(struct comm_point* ATTR_UNUSED(c), 
 	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
         struct comm_reply* ATTR_UNUSED(reply_info))
@@ -987,10 +978,11 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg))
 struct outbound_entry* worker_send_query(struct query_info* ATTR_UNUSED(qinfo),
 	uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec),
 	int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
+	int ATTR_UNUSED(check_ratelimit),
 	struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen),
-	uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
+	uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
 	int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
-	struct module_qstate* ATTR_UNUSED(q))
+	struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
 {
 	log_assert(0);
 	return 0;

libunbound/python/doc/examples/example4.rst

@@ -31,6 +31,6 @@ Source code
         else:
             print "Result is insecure"
 
-More detailed informations can be seen in libUnbound DNSSEC tutorial `here`_.
+More detailed information can be seen in libUnbound DNSSEC tutorial `here`_.
 
 .. _here: http://www.unbound.net/documentation/libunbound-tutorial-6.html

libunbound/python/libunbound.i

@@ -363,7 +363,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
                     ctx.debuglevel(3)
                     ctx.debugout(fw)
 
-                  Another option is to print the debug informations to stderr output
+                  Another option is to print the debug information to stderr output
 
                   ::
 
@@ -936,6 +936,8 @@ int _ub_resolve_async(struct ub_ctx* ctx, char* name, int rrtype, int rrclass, v
       int r;
       struct cb_data* id;
       id = (struct cb_data*) malloc(sizeof(struct cb_data));
+      if(!id)
+              return -2; /* UB_NOMEM */
       id->data = mydata;
       id->func = pyfunc;
    

libunbound/unbound-event.h

@@ -41,7 +41,7 @@
  *
  * Use ub_ctx_create_event_ub_base() to create an unbound context that uses
  * the user provided event base API.  Then, use the ub_resolve_event call
- * to add DNS resolve queries to the context.  Those then run whith the
+ * to add DNS resolve queries to the context.  Those then run with the
  * provided event_base, and when they are done you get a function callback.
  *
  * This method does not fork another process or create a thread, the effort

libunbound/unbound.h

@@ -224,7 +224,7 @@ struct ub_result {
  * It is called with
  *	void* my_arg: your pointer to a (struct of) data of your choice, 
  *		or NULL.
- *	int err: if 0 all is OK, otherwise an error occured and no results
+ *	int err: if 0 all is OK, otherwise an error occurred and no results
  *	     are forthcoming.
  *	struct result: pointer to more detailed result structure.
  *		This structure is allocated on the heap and needs to be
@@ -232,6 +232,35 @@ struct ub_result {
  */
 typedef void (*ub_callback_type)(void*, int, struct ub_result*);
 
+/**
+ * The error constants
+ */
+enum ub_ctx_err {
+	/** no error */
+	UB_NOERROR = 0,
+	/** socket operation. Set to -1, so that if an error from _fd() is
+	 * passed (-1) it gives a socket error. */
+	UB_SOCKET = -1,
+	/** alloc failure */
+	UB_NOMEM = -2,
+	/** syntax error */
+	UB_SYNTAX = -3,
+	/** DNS service failed */
+	UB_SERVFAIL = -4,
+	/** fork() failed */
+	UB_FORKFAIL = -5,
+	/** cfg change after finalize() */
+	UB_AFTERFINAL = -6,
+	/** initialization failed (bad settings) */
+	UB_INITFAIL = -7,
+	/** error in pipe communication with async bg worker */
+	UB_PIPE = -8,
+	/** error reading from file (resolv.conf) */
+	UB_READFILE = -9,
+	/** error async_id does not exist or result already been delivered */
+	UB_NOID = -10
+};
+
 /**
  * Create a resolving and validation context.
  * The information from /etc/resolv.conf and /etc/hosts is not utilised by
@@ -563,6 +592,7 @@ void ub_resolve_free(struct ub_result* result);
 /** 
  * Convert error value to a human readable string.
  * @param err: error code from one of the libunbound functions.
+ * 	The error codes are from the type enum ub_ctx_err.
  * @return pointer to constant text string, zero terminated.
  */
 const char* ub_strerror(int err);

libunbound/worker.h

@@ -58,26 +58,27 @@ struct query_info;
  * @param dnssec: if set, EDNS record will have DO bit set.
  * @param want_dnssec: signatures needed.
  * @param nocaps: ignore capsforid(if in config), do not perturb qname.
+ * @param check_ratelimit: if set, will check ratelimit before sending out.
  * @param addr: where to.
  * @param addrlen: length of addr.
  * @param zone: delegation point name.
  * @param zonelen: length of zone name wireformat dname.
+ * @param tcp_upstream: use TCP for upstream queries.
  * @param ssl_upstream: use SSL for upstream queries.
  * @param tls_auth_name: if ssl_upstream, use this name with TLS
  * 	authentication.
- * @param q: wich query state to reactivate upon return.
+ * @param q: which query state to reactivate upon return.
+ * @param was_ratelimited: it will signal back if the query failed to pass the
+ *	ratelimit check.
  * @return: false on failure (memory or socket related). no query was
  *      sent.
  */
 struct outbound_entry* libworker_send_query(struct query_info* qinfo,
 	uint16_t flags, int dnssec, int want_dnssec, int nocaps,
+	int check_ratelimit,
 	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
-	size_t zonelen, int ssl_upstream, char* tls_auth_name,
+	size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
-	struct module_qstate* q);
+	struct module_qstate* q, int* was_ratelimited);
-
-/** process incoming replies from the network */
-int libworker_handle_reply(struct comm_point* c, void* arg, int error,
-        struct comm_reply* reply_info);
 
 /** process incoming serviced query replies from the network */
 int libworker_handle_service_reply(struct comm_point* c, void* arg, int error,
@@ -113,22 +114,27 @@ void worker_sighandler(int sig, void* arg);
  * @param dnssec: if set, EDNS record will have DO bit set.
  * @param want_dnssec: signatures needed.
  * @param nocaps: ignore capsforid(if in config), do not perturb qname.
+ * @param check_ratelimit: if set, will check ratelimit before sending out.
  * @param addr: where to.
  * @param addrlen: length of addr.
  * @param zone: wireformat dname of the zone.
  * @param zonelen: length of zone name.
+ * @param tcp_upstream: use TCP for upstream queries.
  * @param ssl_upstream: use SSL for upstream queries.
  * @param tls_auth_name: if ssl_upstream, use this name with TLS
  * 	authentication.
- * @param q: wich query state to reactivate upon return.
+ * @param q: which query state to reactivate upon return.
+ * @param was_ratelimited: it will signal back if the query failed to pass the
+ *	ratelimit check.
  * @return: false on failure (memory or socket related). no query was
  *      sent.
  */
 struct outbound_entry* worker_send_query(struct query_info* qinfo,
 	uint16_t flags, int dnssec, int want_dnssec, int nocaps,
+	int check_ratelimit,
 	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
-	size_t zonelen, int ssl_upstream, char* tls_auth_name,
+	size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
-	struct module_qstate* q);
+	struct module_qstate* q, int* was_ratelimited);
 
 /** 
  * process control messages from the main thread. Frees the control 
@@ -146,10 +152,6 @@ void worker_handle_control_cmd(struct tube* tube, uint8_t* msg, size_t len,
 int worker_handle_request(struct comm_point* c, void* arg, int error,
 	struct comm_reply* repinfo);
 
-/** process incoming replies from the network */
-int worker_handle_reply(struct comm_point* c, void* arg, int error, 
-	struct comm_reply* reply_info);
-
 /** process incoming serviced query replies from the network */
 int worker_handle_service_reply(struct comm_point* c, void* arg, int error, 
 	struct comm_reply* reply_info);

makedist.sh

@@ -271,8 +271,18 @@ if [ "$DOWIN" = "yes" ]; then
 		else
 			sslflags="no-asm -DOPENSSL_NO_CAPIENG mingw"
 		fi
+		if test -f /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libssp-0.dll; then
+			# stack protector lib needs to link in to make
+			# -lws2_32 work in openssl link stage
+			SSPLIB="-l:libssp.a"
+		else
+			# disable SSPLIB if no such file
+			SSPLIB=""
+		fi
 		info "winssl: Configure no-shared $sslflags"
-		CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslinstall" no-shared $sslflags || error_cleanup "OpenSSL Configure failed"
+		set -x # echo the configure command
+		__CNF_LDLIBS=$SSPLIB CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslinstall" no-shared $sslflags || error_cleanup "OpenSSL Configure failed"
+		set +x
 		info "winssl: make"
 		make $MINJ || error_cleanup "OpenSSL crosscompile failed"
 		# only install sw not docs, which take a long time.
@@ -285,7 +295,9 @@ if [ "$DOWIN" = "yes" ]; then
 		sslsharedinstall="`pwd`/sslsharedinstall"
 		cd openssl_shared
 		info "winssl: Configure shared $sslflags"
-		CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslsharedinstall" shared $sslflags || error_cleanup "OpenSSL Configure failed"
+		set -x # echo the configure command
+		__CNF_LDLIBS=$SSPLIB CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslsharedinstall" shared $sslflags || error_cleanup "OpenSSL Configure failed"
+		set +x
 		info "winssl: make"
 		make $MINJ || error_cleanup "OpenSSL crosscompile failed"
 		info "winssl: make install_sw"
@@ -317,7 +329,7 @@ if [ "$DOWIN" = "yes" ]; then
 	info "git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound"
 	git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound || error_cleanup "git clone failed"
 	cd unbound || error_cleanup "Unbound not exported correctly from git"
-	rm -rf .git || error_cleanup "Failed to remove .git tracking information"
+	rm -rf .git .travis.yml .gitattributes .github .gitignore || error_cleanup "Failed to remove .git tracking and ci information"
 
 	# on a re-configure the cache may no longer be valid...
 	if test -f mingw32-config.cache; then rm mingw32-config.cache; fi
@@ -364,12 +376,12 @@ if [ "$DOWIN" = "yes" ]; then
     fi
     if test "$W64" = "no"; then
 		# Disable stack-protector for 32-bit windows builds.
-		echo "$configure"' --enable-debug --enable-static-exe --disable-flto '"$* $cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'
+		echo "$configure"' --enable-debug --enable-static-exe --disable-flto --disable-gost '"$* $cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'
-		$configure --enable-debug --enable-static-exe --disable-flto $* $cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'\
+		$configure --enable-debug --enable-static-exe --disable-flto --disable-gost $* $cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'\
 		|| error_cleanup "Could not configure"
     else
-		echo "$configure"' --enable-debug --enable-static-exe --disable-flto '"$* $cross_flag"
+		echo "$configure"' --enable-debug --enable-static-exe --disable-flto --disable-gost '"$* $cross_flag"
-		$configure --enable-debug --enable-static-exe --disable-flto $* $cross_flag \
+		$configure --enable-debug --enable-static-exe --disable-flto --disable-gost $* $cross_flag \
 		|| error_cleanup "Could not configure"
     fi
     info "Calling make"
@@ -381,12 +393,12 @@ if [ "$DOWIN" = "yes" ]; then
     cd ../unbound_shared
     if test "$W64" = "no"; then
 	# Disable stack-protector for 32-bit windows builds.
-		echo "$configure"' --enable-debug --disable-flto '"$* $shared_cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'
+		echo "$configure"' --enable-debug --disable-flto --disable-gost '"$* $shared_cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'
-		$configure --enable-debug --disable-flto $* $shared_cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'\
+		$configure --enable-debug --disable-flto --disable-gost $* $shared_cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'\
 		|| error_cleanup "Could not configure"
     else
-		echo "$configure"' --enable-debug --disable-flto '"$* $shared_cross_flag"
+		echo "$configure"' --enable-debug --disable-flto --disable-gost '"$* $shared_cross_flag"
-        $configure --enable-debug --disable-flto $* $shared_cross_flag \
+        $configure --enable-debug --disable-flto --disable-gost $* $shared_cross_flag \
 		|| error_cleanup "Could not configure"
     fi
     info "Calling make for DLL"
@@ -415,12 +427,19 @@ if [ "$DOWIN" = "yes" ]; then
     cp ../doc/example.conf ../doc/Changelog .
     cp ../unbound.exe ../unbound-anchor.exe ../unbound-host.exe ../unbound-control.exe ../unbound-checkconf.exe ../unbound-service-install.exe ../unbound-service-remove.exe ../LICENSE ../winrc/unbound-control-setup.cmd ../winrc/unbound-website.url ../winrc/service.conf ../winrc/README.txt ../contrib/create_unbound_ad_servers.cmd ../contrib/warmup.cmd ../contrib/unbound_cache.cmd .
     mkdir libunbound
-    cp ../../unbound_shared/unbound.h ../../unbound_shared/.libs/libunbound*.dll ../../unbound_shared/.libs/libunbound.dll.a ../../unbound_shared/.libs/libunbound.a ../../unbound_shared/.libs/libunbound*.def ../../sslsharedinstall/lib/libcrypto.dll.a ../../sslsharedinstall/lib/libssl.dll.a ../../sslsharedinstall/bin/libcrypto*.dll ../../sslsharedinstall/bin/libssl*.dll ../../wxpinstall/bin/libexpat*.dll ../../wxpinstall/lib/libexpat.dll.a libunbound/.
+    # test to see if lib or lib64 (for openssl 3.0.0) needs to be used
-    if test "$W64" = "no"; then
+    if test -f ../../sslsharedinstall/lib/libcrypto.dll.a; then
-	# Disable stack-protector for 32-bit windows builds.
+	cp ../../sslsharedinstall/lib/libcrypto.dll.a libunbound/.
-	# cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libssp-0.dll libunbound/.
-	:
     else
+	cp ../../sslsharedinstall/lib64/libcrypto.dll.a libunbound/.
+    fi
+    if test -f ../../sslsharedinstall/lib/libssl.dll.a; then
+	cp ../../sslsharedinstall/lib/libssl.dll.a libunbound/.
+    else
+	cp ../../sslsharedinstall/lib64/libssl.dll.a libunbound/.
+    fi
+    cp ../../unbound_shared/unbound.h ../../unbound_shared/.libs/libunbound*.dll ../../unbound_shared/.libs/libunbound.dll.a ../../unbound_shared/.libs/libunbound.a ../../unbound_shared/.libs/libunbound*.def ../../sslsharedinstall/bin/libcrypto*.dll ../../sslsharedinstall/bin/libssl*.dll ../../wxpinstall/bin/libexpat*.dll ../../wxpinstall/lib/libexpat.dll.a libunbound/.
+    if test -f /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libssp-0.dll; then
 	    cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libssp-0.dll libunbound/.
     fi
     # zipfile
@@ -470,7 +489,7 @@ info "git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound"
 git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound || error_cleanup "git clone failed"
 
 cd unbound || error_cleanup "Unbound not exported correctly from git"
-rm -rf .git || error_cleanup "Failed to remove .git tracking information"
+rm -rf .git .travis.yml .gitattributes .github .gitignore || error_cleanup "Failed to remove .git tracking and ci information"
 
 info "Adding libtool utils (libtoolize)."
 libtoolize -c --install || libtoolize -c || error_cleanup "Libtoolize failed."

pythonmod/doc/examples/example5.rst

@@ -90,7 +90,7 @@ We can also remove an EDNS option code from an EDNS option list.
         log_info("python: Option code {} was not found in the "
                  "list.".format(code))
 
-.. note:: All occurences of the EDNS option code will be removed from the list:
+.. note:: All occurrences of the EDNS option code will be removed from the list:
 
 
 Controlling other modules' cache behavior

pythonmod/doc/modules/struct.rst

@@ -12,7 +12,7 @@ module_qstate
 
     .. attribute:: qinfo
 
-        (:class:`query_info`) Informations about query being answered. Name, RR type, RR class.
+        (:class:`query_info`) Information about query being answered. Name, RR type, RR class.
 
     .. attribute:: query_flags
 
@@ -256,7 +256,7 @@ dns_msg
 
    .. attribute:: qinfo
    
-      (:class:`query_info`) Informations about query.
+      (:class:`query_info`) Information about query.
    
    .. attribute:: rep
    
@@ -440,7 +440,7 @@ DNSMessage
       
    .. method:: set_return_msg(self, qstate)
    
-      This method fills qstate return message according to the given informations. 
+      This method fills qstate return message according to the given information. 
 		It takes lists of RRs in each section of answer, created necessary RRsets in wire format and store the result in :attr:`qstate.return_msg`.
 		Returns 1 if OK.
    

pythonmod/doc/usecase.rst

@@ -21,7 +21,7 @@ almost every mail server supports DNS based blacklisting.
 
 DNS based Wake-On-Lan
 ---------------------
-Controled by secured queries secured with private key.
+Controlled by secured queries secured with private key.
 
 Dynamic translation service
 ---------------------------

pythonmod/examples/edns.py

@@ -55,7 +55,7 @@
 #       Return True on success, False on failure.
 #
 #   edns_opt_list_remove(edns_opt_list, code):
-#       Remove all occurences of the given EDNS option code from the
+#       Remove all occurrences of the given EDNS option code from the
 #           edns_opt_list.
 #       Return True when at least one EDNS option was removed, False otherwise.
 #

pythonmod/interface.i

@@ -678,11 +678,14 @@ struct edns_data {
     uint8_t edns_version;
     uint16_t bits;
     uint16_t udp_size;
-    struct edns_option* opt_list;
+    struct edns_option* opt_list_in;
+    struct edns_option* opt_list_out;
+    struct edns_option* opt_list_inplace_cb_out;
+    uint16_t padding_block_size;
 };
 %inline %{
     struct edns_option** _edns_data_opt_list_get(struct edns_data* edns) {
-       return &edns->opt_list;
+       return &edns->opt_list_in;
     }
 %}
 %extend edns_data {
@@ -709,9 +712,10 @@ struct module_env {
     /* --- services --- */
     struct outbound_entry* (*send_query)(struct query_info* qinfo,
         uint16_t flags, int dnssec, int want_dnssec, int nocaps,
+        int check_ratelimit,
         struct sockaddr_storage* addr, socklen_t addrlen,
-        uint8_t* zone, size_t zonelen, int ssl_upstream, char* tls_auth_name,
+        uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream,
-        struct module_qstate* q);
+        char* tls_auth_name, struct module_qstate* q, int* was_ratelimited);
     void (*detach_subs)(struct module_qstate* qstate);
     int (*attach_sub)(struct module_qstate* qstate,
         struct query_info* qinfo, uint16_t qflags, int prime,
@@ -1341,7 +1345,7 @@ int set_return_msg(struct module_qstate* qstate,
 %pythoncode %{
     class DNSMessage:
         def __init__(self, rr_name, rr_type, rr_class = RR_CLASS_IN, query_flags = 0, default_ttl = 0):
-            """Query flags is a combination of PKT_xx contants"""
+            """Query flags is a combination of PKT_xx constants"""
             self.rr_name = rr_name
             self.rr_type = rr_type
             self.rr_class = rr_class
@@ -1373,7 +1377,7 @@ struct delegpt* dns_cache_find_delegation(struct module_env* env,
         uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
         struct regional* region, struct dns_msg** msg, uint32_t timenow);
 int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
-        struct delegpt* dp);
+        struct delegpt* dp, int supports_ipv4, int supports_ipv6);
 struct iter_hints_stub* hints_lookup_stub(struct iter_hints* hints,
         uint8_t* qname, uint16_t qclass, struct delegpt* dp);
 
@@ -1403,7 +1407,8 @@ struct delegpt* find_delegation(struct module_qstate* qstate, char *nm, size_t n
         dp = dns_cache_find_delegation(qstate->env, (uint8_t*)nm, nmlen, qinfo.qtype, qinfo.qclass, region, &msg, timenow);
         if(!dp)
             return NULL;
-        if(iter_dp_is_useless(&qinfo, BIT_RD, dp)) {
+        if(iter_dp_is_useless(&qinfo, BIT_RD, dp,
+                qstate->env->cfg->do_ip4, qstate->env->cfg->do_ip6)) {
             if (dname_is_root((uint8_t*)nm))
                 return NULL;
             nm = (char*)dp->name;
@@ -1546,7 +1551,7 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
     {
         PyObject *func, *py_edns, *py_qstate, *py_opt_list_out, *py_qinfo;
         PyObject *py_rep, *py_repinfo, *py_region;
-        PyObject *py_args, *py_kwargs, *result;
+        PyObject *py_args = NULL, *py_kwargs = NULL, *result = NULL;
         int res = 0;
         double py_start_time = ((double)start_time->tv_sec) + ((double)start_time->tv_usec) / 1.0e6;
 
@@ -1561,11 +1566,20 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
         py_rep = SWIG_NewPointerObj((void*) rep, SWIGTYPE_p_reply_info, 0);
         py_repinfo = SWIG_NewPointerObj((void*) repinfo, SWIGTYPE_p_comm_reply, 0);
         py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0);
-        py_args = Py_BuildValue("(OOOiOOO)", py_qinfo, py_qstate, py_rep,
+        if(py_qinfo && py_qstate && py_rep && py_edns && py_opt_list_out
-            rcode, py_edns, py_opt_list_out, py_region);
+                && py_region && py_repinfo) {
-        py_kwargs = Py_BuildValue("{s:O,s:d}", "repinfo", py_repinfo, "start_time",
+                py_args = Py_BuildValue("(OOOiOOO)", py_qinfo, py_qstate, py_rep,
-                                  py_start_time);
+                        rcode, py_edns, py_opt_list_out, py_region);
-        result = PyObject_Call(func, py_args, py_kwargs);
+                py_kwargs = Py_BuildValue("{s:O,s:d}", "repinfo", py_repinfo, "start_time",
+                          py_start_time);
+                if(py_args && py_kwargs) {
+                        result = PyObject_Call(func, py_args, py_kwargs);
+                } else {
+                        log_err("pythonmod: malloc failure in python_inplace_cb_reply_generic");
+                }
+        } else {
+                log_err("pythonmod: malloc failure in python_inplace_cb_reply_generic");
+        }
         Py_XDECREF(py_edns);
         Py_XDECREF(py_qstate);
         Py_XDECREF(py_opt_list_out);
@@ -1624,6 +1638,7 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
     {
         int res = 0;
         PyObject *func = python_callback;
+        PyObject *py_args = NULL, *py_kwargs = NULL, *result = NULL;
 
         PyGILState_STATE gstate = PyGILState_Ensure();
 
@@ -1632,12 +1647,19 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
         PyObject *py_addr = SWIG_NewPointerObj((void *) addr, SWIGTYPE_p_sockaddr_storage, 0);
         PyObject *py_zone = PyBytes_FromStringAndSize((const char *)zone, zonelen);
         PyObject *py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0);
-
+        if(py_qinfo && py_qstate && py_addr && py_zone && py_region) {
-        PyObject *py_args = Py_BuildValue("(OiOOOO)", py_qinfo, flags, py_qstate, py_addr, py_zone, py_region);
+                py_args = Py_BuildValue("(OiOOOO)", py_qinfo, flags, py_qstate, py_addr, py_zone, py_region);
-        PyObject *py_kwargs = Py_BuildValue("{}");
+                py_kwargs = Py_BuildValue("{}");
-        PyObject *result = PyObject_Call(func, py_args, py_kwargs);
+                if(py_args && py_kwargs) {
-        if (result) {
+                        result = PyObject_Call(func, py_args, py_kwargs);
-            res = PyInt_AsLong(result);
+                        if (result) {
+                            res = PyInt_AsLong(result);
+                        }
+                } else {
+                        log_err("pythonmod: malloc failure in python_inplace_cb_query_generic");
+                }
+        } else {
+                log_err("pythonmod: malloc failure in python_inplace_cb_query_generic");
         }
 
         Py_XDECREF(py_qinfo);

pythonmod/pythonmod.c

@@ -245,6 +245,11 @@ cleanup:
 	/* clear the exception, by not restoring it */
 	/* Restore the exception state */
 	/* PyErr_Restore(exc_typ, exc_val, exc_tb); */
+	/* when using PyErr_Restore there is no need to Py_XDECREF for
+	 * these 3 pointers. */
+	Py_XDECREF(exc_typ);
+	Py_XDECREF(exc_val);
+	Py_XDECREF(exc_tb);
 }
 
 int pythonmod_init(struct module_env* env, int id)
@@ -561,9 +566,19 @@ void pythonmod_operate(struct module_qstate* qstate, enum module_ev event,
    {
       /* create qstate */
       pq = qstate->minfo[id] = malloc(sizeof(struct pythonmod_qstate));
+      if(!pq) {
+		log_err("pythonmod_operate: malloc failure for qstate");
+		PyGILState_Release(gil);
+		return;
+      }
 
       /* Initialize per query data */
       pq->data = PyDict_New();
+      if(!pq->data) {
+		log_err("pythonmod_operate: malloc failure for query data dict");
+		PyGILState_Release(gil);
+		return;
+      }
    }
 
    /* Call operate */

pythonmod/pythonmod_utils.c

@@ -132,7 +132,7 @@ int createResponse(struct module_qstate* qstate, sldns_buffer* pkt)
 		return 0;
 	}
 	/* edns is not examined, but removed from message to help cache */
-	if(parse_extract_edns(prs, &edns, qstate->env->scratch) !=
+	if(parse_extract_edns_from_response_msg(prs, &edns, qstate->env->scratch) !=
 		LDNS_RCODE_NOERROR)
 		return 0;
 

respip/respip.c

@@ -25,6 +25,7 @@
 #include "respip/respip.h"
 #include "services/view.h"
 #include "sldns/rrdef.h"
+#include "util/data/dname.h"
 
 
 /** Subset of resp_addr.node, used for inform-variant logging */
@@ -129,7 +130,7 @@ respip_sockaddr_delete(struct respip_set* set, struct resp_addr* node)
 	struct resp_addr* prev;
 	prev = (struct resp_addr*)rbtree_previous((struct rbnode_type*)node);	
 	lock_rw_destroy(&node->lock);
-	rbtree_delete(&set->ip_tree, node);
+	(void)rbtree_delete(&set->ip_tree, node);
 	/* no free'ing, all allocated in region */
 	if(!prev)
 		addr_tree_init_parents((rbtree_type*)set);
@@ -483,8 +484,8 @@ respip_views_apply_cfg(struct views* vs, struct config_file* cfg,
  * This function returns the copied rrset key on success, and NULL on memory
  * allocation failure.
  */
-static struct ub_packed_rrset_key*
+struct ub_packed_rrset_key*
-copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region)
+respip_copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region)
 {
 	struct ub_packed_rrset_key* ck = regional_alloc(region,
 		sizeof(struct ub_packed_rrset_key));
@@ -602,7 +603,7 @@ rdata2sockaddr(const struct packed_rrset_data* rd, uint16_t rtype, size_t i,
  */
 static struct resp_addr*
 respip_addr_lookup(const struct reply_info *rep, struct respip_set* rs,
-	size_t* rrset_id)
+	size_t* rrset_id, size_t* rr_id)
 {
 	size_t i;
 	struct resp_addr* ra;
@@ -625,6 +626,7 @@ respip_addr_lookup(const struct reply_info *rep, struct respip_set* rs,
 				&ss, addrlen);
 			if(ra) {
 				*rrset_id = i;
+				*rr_id = j;
 				lock_rw_rdlock(&ra->lock);
 				lock_rw_unlock(&rs->lock);
 				return ra;
@@ -635,43 +637,6 @@ respip_addr_lookup(const struct reply_info *rep, struct respip_set* rs,
 	return NULL;
 }
 
-/*
- * Create a new reply_info based on 'rep'.  The new info is based on
- * the passed 'rep', but ignores any rrsets except for the first 'an_numrrsets'
- * RRsets in the answer section.  These answer rrsets are copied to the
- * new info, up to 'copy_rrsets' rrsets (which must not be larger than
- * 'an_numrrsets').  If an_numrrsets > copy_rrsets, the remaining rrsets array
- * entries will be kept empty so the caller can fill them later.  When rrsets
- * are copied, they are shallow copied.  The caller must ensure that the
- * copied rrsets are valid throughout its lifetime and must provide appropriate
- * mutex if it can be shared by multiple threads.
- */
-static struct reply_info *
-make_new_reply_info(const struct reply_info* rep, struct regional* region,
-	size_t an_numrrsets, size_t copy_rrsets)
-{
-	struct reply_info* new_rep;
-	size_t i;
-
-	/* create a base struct.  we specify 'insecure' security status as
-	 * the modified response won't be DNSSEC-valid.  In our faked response
-	 * the authority and additional sections will be empty (except possible
-	 * EDNS0 OPT RR in the additional section appended on sending it out),
-	 * so the total number of RRsets is an_numrrsets. */
-	new_rep = construct_reply_info_base(region, rep->flags,
-		rep->qdcount, rep->ttl, rep->prefetch_ttl,
-		rep->serve_expired_ttl, an_numrrsets, 0, 0, an_numrrsets,
-		sec_status_insecure);
-	if(!new_rep)
-		return NULL;
-	if(!reply_info_alloc_rrset_keys(new_rep, NULL, region))
-		return NULL;
-	for(i=0; i<copy_rrsets; i++)
-		new_rep->rrsets[i] = rep->rrsets[i];
-
-	return new_rep;
-}
-
 /**
  * See if response-ip or tag data should override the original answer rrset
  * (which is rep->rrsets[rrset_id]) and if so override it.
@@ -730,7 +695,7 @@ respip_data_answer(enum respip_action action,
 				"response-ip redirect with tag data [%d] %s",
 				tag, (tag<num_tags?tagname[tag]:"null"));
 			/* use copy_rrset() to 'normalize' memory layout */
-			rp = copy_rrset(&r, region);
+			rp = respip_copy_rrset(&r, region);
 			if(!rp)
 				return -1;
 		}
@@ -743,7 +708,7 @@ respip_data_answer(enum respip_action action,
 	 * rename the dname for other actions than redirect.  This is because
 	 * response-ip-data isn't associated to any specific name. */
 	if(rp == data) {
-		rp = copy_rrset(rp, region);
+		rp = respip_copy_rrset(rp, region);
 		if(!rp)
 			return -1;
 		rp->rk.dname = rep->rrsets[rrset_id]->rk.dname;
@@ -807,7 +772,6 @@ respip_nodata_answer(uint16_t qtype, enum respip_action action,
 		 * is explicitly specified. */
 		int rcode = (action == respip_always_nxdomain)?
 			LDNS_RCODE_NXDOMAIN:LDNS_RCODE_NOERROR;
-
 		/* We should empty the answer section except for any preceding
 		 * CNAMEs (in that case rrset_id > 0).  Type-ANY case is
 		 * special as noted in respip_data_answer(). */
@@ -869,8 +833,11 @@ static int
 respip_use_rpz(struct resp_addr* raddr, struct rpz* r,
 	enum respip_action* action,
 	struct ub_packed_rrset_key** data, int* rpz_log, char** log_name,
-	int* rpz_cname_override, struct regional* region, int* is_rpz)
+	int* rpz_cname_override, struct regional* region, int* is_rpz,
+	int* rpz_passthru)
 {
+	if(rpz_passthru && *rpz_passthru)
+		return 0;
 	if(r->action_override == RPZ_DISABLED_ACTION) {
 		*is_rpz = 0;
 		return 1;
@@ -884,6 +851,9 @@ respip_use_rpz(struct resp_addr* raddr, struct rpz* r,
 		*data = r->cname_override;
 		*rpz_cname_override = 1;
 	}
+	if(*action == respip_always_transparent /* RPZ_PASSTHRU_ACTION */
+		&& rpz_passthru)
+		*rpz_passthru = 1;
 	*rpz_log = r->log;
 	if(r->log_name)
 		if(!(*log_name = regional_strdup(region, r->log_name)))
@@ -897,7 +867,7 @@ respip_rewrite_reply(const struct query_info* qinfo,
 	const struct respip_client_info* cinfo, const struct reply_info* rep,
 	struct reply_info** new_repp, struct respip_action_info* actinfo,
 	struct ub_packed_rrset_key** alias_rrset, int search_only,
-	struct regional* region, struct auth_zones* az)
+	struct regional* region, struct auth_zones* az, int* rpz_passthru)
 {
 	const uint8_t* ctaglist;
 	size_t ctaglen;
@@ -907,7 +877,7 @@ respip_rewrite_reply(const struct query_info* qinfo,
 	size_t tag_datas_size;
 	struct view* view = NULL;
 	struct respip_set* ipset = NULL;
-	size_t rrset_id = 0;
+	size_t rrset_id = 0, rr_id = 0;
 	enum respip_action action = respip_none;
 	int tag = -1;
 	struct resp_addr* raddr = NULL;
@@ -948,7 +918,7 @@ respip_rewrite_reply(const struct query_info* qinfo,
 		lock_rw_rdlock(&view->lock);
 		if(view->respip_set) {
 			if((raddr = respip_addr_lookup(rep,
-				view->respip_set, &rrset_id))) {
+				view->respip_set, &rrset_id, &rr_id))) {
 				/** for per-view respip directives the action
 				 * can only be direct (i.e. not tag-based) */
 				action = raddr->action;
@@ -962,7 +932,7 @@ respip_rewrite_reply(const struct query_info* qinfo,
 		}
 	}
 	if(!raddr && (raddr = respip_addr_lookup(rep, ipset,
-		&rrset_id))) {
+		&rrset_id, &rr_id))) {
 		action = (enum respip_action)local_data_find_tag_action(
 			raddr->taglist, raddr->taglen, ctaglist, ctaglen,
 			tag_actions, tag_actions_size,
@@ -970,16 +940,16 @@ respip_rewrite_reply(const struct query_info* qinfo,
 			ipset->tagname, ipset->num_tags);
 	}
 	lock_rw_rdlock(&az->rpz_lock);
-	for(a = az->rpz_first; a && !raddr; a = a->rpz_az_next) {
+	for(a = az->rpz_first; a && !raddr && !(rpz_passthru && *rpz_passthru); a = a->rpz_az_next) {
 		lock_rw_rdlock(&a->lock);
 		r = a->rpz;
 		if(!r->taglist || taglist_intersect(r->taglist, 
 			r->taglistlen, ctaglist, ctaglen)) {
 			if((raddr = respip_addr_lookup(rep,
-				r->respip_set, &rrset_id))) {
+				r->respip_set, &rrset_id, &rr_id))) {
 				if(!respip_use_rpz(raddr, r, &action, &data,
 					&rpz_log, &log_name, &rpz_cname_override,
-					region, &rpz_used)) {
+					region, &rpz_used, rpz_passthru)) {
 					log_err("out of memory");
 					lock_rw_unlock(&raddr->lock);
 					lock_rw_unlock(&a->lock);
@@ -987,6 +957,21 @@ respip_rewrite_reply(const struct query_info* qinfo,
 					return 0;
 				}
 				if(rpz_used) {
+					if(verbosity >= VERB_ALGO) {
+						struct sockaddr_storage ss;
+						socklen_t ss_len = 0;
+						char nm[256], ip[256];
+						char qn[255+1];
+						if(!rdata2sockaddr(rep->rrsets[rrset_id]->entry.data, ntohs(rep->rrsets[rrset_id]->rk.type), rr_id, &ss, &ss_len))
+							snprintf(ip, sizeof(ip), "invalidRRdata");
+						else
+							addr_to_str(&ss, ss_len, ip, sizeof(ip));
+						dname_str(qinfo->qname, qn);
+						addr_to_str(&raddr->node.addr,
+							raddr->node.addrlen,
+							nm, sizeof(nm));
+						verbose(VERB_ALGO, "respip: rpz: response-ip trigger %s/%d on %s %s with action %s", nm, raddr->node.net, qn, ip, rpz_action_to_string(respip_action_to_rpz_action(action)));
+					}
 					/* break to make sure 'a' stays pointed
 					 * to used auth_zone, and keeps lock */
 					break;
@@ -1115,7 +1100,8 @@ respip_operate(struct module_qstate* qstate, enum module_ev event, int id,
 			if(!respip_rewrite_reply(&qstate->qinfo,
 				qstate->client_info, qstate->return_msg->rep,
 				&new_rep, &actinfo, &alias_rrset, 0,
-				qstate->region, qstate->env->auth_zones)) {
+				qstate->region, qstate->env->auth_zones,
+				&qstate->rpz_passthru)) {
 				goto servfail;
 			}
 			if(actinfo.action != respip_none) {
@@ -1190,7 +1176,7 @@ respip_merge_cname(struct reply_info* base_rep,
 
 	/* see if the target reply would be subject to a response-ip action. */
 	if(!respip_rewrite_reply(qinfo, cinfo, tgt_rep, &tmp_rep, &actinfo,
-		&alias_rrset, 1, region, az))
+		&alias_rrset, 1, region, az, NULL))
 		return 0;
 	if(actinfo.action != respip_none) {
 		log_info("CNAME target of redirect response-ip action would "
@@ -1209,7 +1195,7 @@ respip_merge_cname(struct reply_info* base_rep,
 	if(!new_rep)
 		return 0;
 	for(i=0,j=base_rep->an_numrrsets; i<tgt_rep->an_numrrsets; i++,j++) {
-		new_rep->rrsets[j] = copy_rrset(tgt_rep->rrsets[i], region);
+		new_rep->rrsets[j] = respip_copy_rrset(tgt_rep->rrsets[i], region);
 		if(!new_rep->rrsets[j])
 			return 0;
 	}
@@ -1322,7 +1308,7 @@ respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname,
 		respip, sizeof(respip));
 	if(respip_actinfo->rpz_log) {
 		txtlen += snprintf(txt+txtlen, sizeof(txt)-txtlen, "%s",
-			"RPZ applied ");
+			"rpz: applied ");
 		if(respip_actinfo->rpz_cname_override)
 			actionstr = rpz_action_to_string(
 				RPZ_CNAME_OVERRIDE_ACTION);

respip/respip.h

@@ -176,6 +176,8 @@ int respip_merge_cname(struct reply_info* base_rep,
  *   will be set (or intact) accordingly but the modified reply won't be built.
  * @param az: auth zones containing RPZ information.
  * @param region: allocator to build *new_repp.
+ * @param rpz_passthru: keeps track of query state can have passthru that
+ *   stops further rpz processing. Or NULL for cached answer processing.
  * @return 1 on success, 0 on error.
  */
 int respip_rewrite_reply(const struct query_info* qinfo,
@@ -183,7 +185,8 @@ int respip_rewrite_reply(const struct query_info* qinfo,
 	const struct reply_info *rep, struct reply_info** new_repp,
 	struct respip_action_info* actinfo,
 	struct ub_packed_rrset_key** alias_rrset,
-	int search_only, struct regional* region, struct auth_zones* az);
+	int search_only, struct regional* region, struct auth_zones* az,
+	int* rpz_passthru);
 
 /**
  * Get the response-ip function block.
@@ -294,4 +297,7 @@ respip_enter_rr(struct regional* region, struct resp_addr* raddr,
  */
 void
 respip_sockaddr_delete(struct respip_set* set, struct resp_addr* node);
+
+struct ub_packed_rrset_key*
+respip_copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region);
 #endif	/* RESPIP_RESPIP_H */

services/authzone.c

@@ -84,7 +84,7 @@
 #define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */
 /* auth transfer timeout for TCP connections, in msec */
 #define AUTH_TRANSFER_TIMEOUT 10000 /* msec */
-/* auth transfer max backoff for failed tranfers and probes */
+/* auth transfer max backoff for failed transfers and probes */
 #define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */
 /* auth http port number */
 #define AUTH_HTTP_PORT 80
@@ -243,7 +243,7 @@ msg_add_rrset_an(struct auth_zone* z, struct regional* region,
 	return 1;
 }
 
-/** add rrset to authority section (no additonal section rrsets yet) */
+/** add rrset to authority section (no additional section rrsets yet) */
 static int
 msg_add_rrset_ns(struct auth_zone* z, struct regional* region,
 	struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
@@ -1755,6 +1755,8 @@ zonemd_offline_verify(struct auth_zone* z, struct module_env* env_for_val,
 {
 	struct module_env env;
 	time_t now = 0;
+	if(!z->zonemd_check)
+		return;
 	env = *env_for_val;
 	env.scratch_buffer = sldns_buffer_new(env.cfg->msg_buffer_size);
 	if(!env.scratch_buffer) {
@@ -1880,6 +1882,8 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z,
 	struct regional* region = NULL;
 	struct sldns_buffer* buf = NULL;
 	uint32_t soa_serial = 0;
+	char* unsupported_reason = NULL;
+	int only_unsupported = 1;
 	region = env->scratch;
 	regional_free_all(region);
 	buf = env->scratch_buffer;
@@ -1909,6 +1913,7 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z,
 			&hashalgo, &hash, &hashlen)) {
 			/* malformed RR */
 			*reason = "ZONEMD rdata malformed";
+			only_unsupported = 0;
 			continue;
 		}
 		/* check for duplicates */
@@ -1918,25 +1923,51 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z,
 			 * is not allowed. */
 			*reason = "ZONEMD RRSet contains more than one RR "
 				"with the same scheme and hash algorithm";
+			only_unsupported = 0;
 			continue;
 		}
 		regional_free_all(region);
 		if(serial != soa_serial) {
 			*reason = "ZONEMD serial is wrong";
+			only_unsupported = 0;
 			continue;
 		}
+		*reason = NULL;
 		if(auth_zone_generate_zonemd_check(z, scheme, hashalgo,
 			hash, hashlen, region, buf, reason)) {
 			/* success */
+			if(*reason) {
+				if(!unsupported_reason)
+					unsupported_reason = *reason;
+				/* continue to check for valid ZONEMD */
+				if(verbosity >= VERB_ALGO) {
+					char zstr[255+1];
+					dname_str(z->name, zstr);
+					verbose(VERB_ALGO, "auth-zone %s ZONEMD %d %d is unsupported: %s", zstr, (int)scheme, (int)hashalgo, *reason);
+				}
+				*reason = NULL;
+				continue;
+			}
 			if(verbosity >= VERB_ALGO) {
 				char zstr[255+1];
 				dname_str(z->name, zstr);
-				verbose(VERB_ALGO, "auth-zone %s ZONEMD hash is correct", zstr);
+				if(!*reason)
+					verbose(VERB_ALGO, "auth-zone %s ZONEMD hash is correct", zstr);
 			}
 			return 1;
 		}
+		only_unsupported = 0;
 		/* try next one */
 	}
+	/* have we seen no failures but only unsupported algo,
+	 * and one unsupported algorithm, or more. */
+	if(only_unsupported && unsupported_reason) {
+		/* only unsupported algorithms, with valid serial, not
+		 * malformed. Did not see supported algorithms, failed or
+		 * successful ones. */
+		*reason = unsupported_reason;
+		return 1;
+	}
 	/* fail, we may have reason */
 	if(!*reason)
 		*reason = "no ZONEMD records found";
@@ -1948,6 +1979,17 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z,
 	return 0;
 }
 
+/** find the apex SOA RRset, if it exists */
+struct auth_rrset* auth_zone_get_soa_rrset(struct auth_zone* z)
+{
+	struct auth_data* apex;
+	struct auth_rrset* soa;
+	apex = az_find_name(z, z->name, z->namelen);
+	if(!apex) return NULL;
+	soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
+	return soa;
+}
+
 /** find serial number of zone or false if none */
 int
 auth_zone_get_serial(struct auth_zone* z, uint32_t* serial)
@@ -2096,6 +2138,7 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
 	z->for_downstream = c->for_downstream;
 	z->for_upstream = c->for_upstream;
 	z->fallback_enabled = c->fallback_enabled;
+	z->zonemd_check = c->zonemd_check;
 	z->zonemd_reject_absence = c->zonemd_reject_absence;
 	if(c->isrpz && !z->rpz){
 		if(!(z->rpz = rpz_create(c))){
@@ -3504,7 +3547,7 @@ auth_error_encode(struct query_info* qinfo, struct module_env* env,
 
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL,
 		rcode, edns, repinfo, temp, env->now_tv))
-		edns->opt_list = NULL;
+		edns->opt_list_inplace_cb_out = NULL;
 	error_encode(buf, rcode|BIT_AA, qinfo,
 		*(uint16_t*)sldns_buffer_begin(buf),
 		sldns_buffer_read_u16_at(buf, 2), edns);
@@ -4442,7 +4485,7 @@ chunkline_get_line_collated(struct auth_chunk** chunk, size_t* chunk_pos,
 	return 1;
 }
 
-/** process $ORIGIN for http */
+/** process $ORIGIN for http, 0 nothing, 1 done, 2 error */
 static int
 http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
 {
@@ -4453,13 +4496,16 @@ http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
 		pstate->origin_len = sizeof(pstate->origin);
 		s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8),
 			pstate->origin, &pstate->origin_len);
-		if(s) pstate->origin_len = 0;
+		if(s) {
+			pstate->origin_len = 0;
+			return 2;
+		}
 		return 1;
 	}
 	return 0;
 }
 
-/** process $TTL for http */
+/** process $TTL for http, 0 nothing, 1 done, 2 error */
 static int
 http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
 {
@@ -4467,8 +4513,12 @@ http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
 	if(strncmp(line, "$TTL", 4) == 0 &&
 		isspace((unsigned char)line[4])) {
 		const char* end = NULL;
+		int overflow = 0;
 		pstate->default_ttl = sldns_str2period(
-			sldns_strip_ws(line+5), &end);
+			sldns_strip_ws(line+5), &end, &overflow);
+		if(overflow) {
+			return 2;
+		}
 		return 1;
 	}
 	return 0;
@@ -4479,15 +4529,20 @@ static int
 chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos,
 	sldns_buffer* buf, struct sldns_file_parse_state* pstate)
 {
+	int ret;
 	while(chunkline_get_line_collated(chunk, chunk_pos, buf)) {
 		if(chunkline_is_comment_line_or_empty(buf)) {
 			/* a comment, go to next line */
 			continue;
 		}
-		if(http_parse_origin(buf, pstate)) {
+		if((ret=http_parse_origin(buf, pstate))!=0) {
+			if(ret == 2)
+				return 0;
 			continue; /* $ORIGIN has been handled */
 		}
-		if(http_parse_ttl(buf, pstate)) {
+		if((ret=http_parse_ttl(buf, pstate))!=0) {
+			if(ret == 2)
+				return 0;
 			continue; /* $TTL has been handled */
 		}
 		return 1;
@@ -4993,6 +5048,7 @@ apply_http(struct auth_xfer* xfr, struct auth_zone* z,
 	struct sldns_file_parse_state pstate;
 	struct auth_chunk* chunk;
 	size_t chunk_pos;
+	int ret;
 	memset(&pstate, 0, sizeof(pstate));
 	pstate.default_ttl = 3600;
 	if(xfr->namelen < sizeof(pstate.origin)) {
@@ -5049,10 +5105,24 @@ apply_http(struct auth_xfer* xfr, struct auth_zone* z,
 			continue;
 		}
 		/* parse line and add RR */
-		if(http_parse_origin(scratch_buffer, &pstate)) {
+		if((ret=http_parse_origin(scratch_buffer, &pstate))!=0) {
+			if(ret == 2) {
+				verbose(VERB_ALGO, "error parsing ORIGIN on line [%s:%d] %s",
+					xfr->task_transfer->master->file,
+					pstate.lineno,
+					sldns_buffer_begin(scratch_buffer));
+				return 0;
+			}
 			continue; /* $ORIGIN has been handled */
 		}
-		if(http_parse_ttl(scratch_buffer, &pstate)) {
+		if((ret=http_parse_ttl(scratch_buffer, &pstate))!=0) {
+			if(ret == 2) {
+				verbose(VERB_ALGO, "error parsing TTL on line [%s:%d] %s",
+					xfr->task_transfer->master->file,
+					pstate.lineno,
+					sldns_buffer_begin(scratch_buffer));
+				return 0;
+			}
 			continue; /* $TTL has been handled */
 		}
 		if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) {
@@ -5149,6 +5219,9 @@ xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
 		lock_rw_unlock(&z->lock);
 		return;
 	}
+#ifdef UB_ON_WINDOWS
+	(void)unlink(zfilename); /* windows does not replace file with rename() */
+#endif
 	if(rename(tmpfile, zfilename) < 0) {
 		log_err("could not rename(%s, %s): %s", tmpfile, zfilename,
 			strerror(errno));
@@ -5341,7 +5414,9 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
 	edns.ext_rcode = 0;
 	edns.edns_version = 0;
 	edns.bits = EDNS_DO;
-	edns.opt_list = NULL;
+	edns.opt_list_in = NULL;
+	edns.opt_list_out = NULL;
+	edns.opt_list_inplace_cb_out = NULL;
 	edns.padding_block_size = 0;
 	if(sldns_buffer_capacity(buf) < 65535)
 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
@@ -5351,7 +5426,7 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
 	 * called straight away */
 	lock_basic_unlock(&xfr->lock);
 	if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
-		&auth_xfer_transfer_lookup_callback, xfr)) {
+		&auth_xfer_transfer_lookup_callback, xfr, 0)) {
 		lock_basic_lock(&xfr->lock);
 		log_err("out of memory lookup up master %s", master->host);
 		return 0;
@@ -5420,7 +5495,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
 		xfr->task_transfer->cp = outnet_comm_point_for_http(
 			env->outnet, auth_xfer_transfer_http_callback, xfr,
 			&addr, addrlen, -1, master->ssl, master->host,
-			master->file);
+			master->file, env->cfg);
 		if(!xfr->task_transfer->cp) {
 			char zname[255+1], as[256];
 			dname_str(xfr->name, zname);
@@ -5442,7 +5517,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
 	/* perform AXFR/IXFR */
 	/* set the packet to be written */
 	/* create new ID */
-	xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff);
+	xfr->task_transfer->id = GET_RANDOM_ID(env->rnd);
 	xfr_create_ixfr_packet(xfr, env->scratch_buffer,
 		xfr->task_transfer->id, master);
 
@@ -6292,7 +6367,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
 	/* create new ID for new probes, but not on timeout retries,
 	 * this means we'll accept replies to previous retries to same ip */
 	if(timeout == AUTH_PROBE_TIMEOUT)
-		xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff);
+		xfr->task_probe->id = GET_RANDOM_ID(env->rnd);
 	xfr_create_soa_probe_packet(xfr, env->scratch_buffer, 
 		xfr->task_probe->id);
 	/* we need to remove the cp if we have a different ip4/ip6 type now */
@@ -6474,7 +6549,7 @@ auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err,
 	comm_point_delete(xfr->task_probe->cp);
 	xfr->task_probe->cp = NULL;
 
-	/* if the result was not a successfull probe, we need
+	/* if the result was not a successful probe, we need
 	 * to send the next one */
 	xfr_probe_nextmaster(xfr);
 	xfr_probe_send_or_end(xfr, env);
@@ -6530,7 +6605,9 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
 	edns.ext_rcode = 0;
 	edns.edns_version = 0;
 	edns.bits = EDNS_DO;
-	edns.opt_list = NULL;
+	edns.opt_list_in = NULL;
+	edns.opt_list_out = NULL;
+	edns.opt_list_inplace_cb_out = NULL;
 	edns.padding_block_size = 0;
 	if(sldns_buffer_capacity(buf) < 65535)
 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
@@ -6540,7 +6617,7 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
 	 * called straight away */
 	lock_basic_unlock(&xfr->lock);
 	if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
-		&auth_xfer_probe_lookup_callback, xfr)) {
+		&auth_xfer_probe_lookup_callback, xfr, 0)) {
 		lock_basic_lock(&xfr->lock);
 		log_err("out of memory lookup up master %s", master->host);
 		return 0;
@@ -7143,7 +7220,7 @@ parse_url(char* url, char** host, char** file, int* port, int* ssl)
 	while(p && *p == '/')
 		p++;
 	if(!p || p[0] == 0)
-		*file = strdup("index.html");
+		*file = strdup("/");
 	else	*file = strdup(p);
 	if(!*file) {
 		log_err("malloc failure");
@@ -7165,12 +7242,14 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
 	if(with_http)
 	  for(p = c->urls; p; p = p->next) {
 		m = auth_master_new(&list);
+		if(!m) return 0;
 		m->http = 1;
 		if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl))
 			return 0;
 	}
 	for(p = c->masters; p; p = p->next) {
 		m = auth_master_new(&list);
+		if(!m) return 0;
 		m->ixfr = 1; /* this flag is not configurable */
 		m->host = strdup(p->str);
 		if(!m->host) {
@@ -7180,6 +7259,7 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
 	}
 	for(p = c->allow_notify; p; p = p->next) {
 		m = auth_master_new(&list);
+		if(!m) return 0;
 		m->allow_notify = 1;
 		m->host = strdup(p->str);
 		if(!m->host) {
@@ -7608,13 +7688,16 @@ int auth_zone_generate_zonemd_check(struct auth_zone* z, int scheme,
 {
 	uint8_t gen[512];
 	size_t genlen = 0;
+	*reason = NULL;
 	if(!zonemd_hashalgo_supported(hashalgo)) {
+		/* allow it */
 		*reason = "unsupported algorithm";
-		return 0;
+		return 1;
 	}
 	if(!zonemd_scheme_supported(scheme)) {
+		/* allow it */
 		*reason = "unsupported scheme";
-		return 0;
+		return 1;
 	}
 	if(hashlen < 12) {
 		/* the ZONEMD draft requires digests to fail if too small */
@@ -7674,7 +7757,7 @@ static void auth_zone_log(uint8_t* name, enum verbosity_value level,
 static int zonemd_dnssec_verify_rrset(struct auth_zone* z,
 	struct module_env* env, struct module_stack* mods,
 	struct ub_packed_rrset_key* dnskey, struct auth_data* node,
-	struct auth_rrset* rrset, char** why_bogus)
+	struct auth_rrset* rrset, char** why_bogus, uint8_t* sigalg)
 {
 	struct ub_packed_rrset_key pk;
 	enum sec_status sec;
@@ -7702,7 +7785,7 @@ static int zonemd_dnssec_verify_rrset(struct auth_zone* z,
 		auth_zone_log(z->name, VERB_ALGO,
 			"zonemd: verify %s RRset with DNSKEY", typestr);
 	}
-	sec = dnskeyset_verify_rrset(env, ve, &pk, dnskey, NULL, why_bogus,
+	sec = dnskeyset_verify_rrset(env, ve, &pk, dnskey, sigalg, why_bogus,
 		LDNS_SECTION_ANSWER, NULL);
 	if(sec == sec_status_secure) {
 		return 1;
@@ -7746,7 +7829,7 @@ static int nsec3_of_param_has_type(struct auth_rrset* nsec3, int algo,
 static int zonemd_check_dnssec_absence(struct auth_zone* z,
 	struct module_env* env, struct module_stack* mods,
 	struct ub_packed_rrset_key* dnskey, struct auth_data* apex,
-	char** reason, char** why_bogus)
+	char** reason, char** why_bogus, uint8_t* sigalg)
 {
 	struct auth_rrset* nsec = NULL;
 	if(!apex) {
@@ -7758,7 +7841,7 @@ static int zonemd_check_dnssec_absence(struct auth_zone* z,
 		struct ub_packed_rrset_key pk;
 		/* dnssec verify the NSEC */
 		if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex,
-			nsec, why_bogus)) {
+			nsec, why_bogus, sigalg)) {
 			*reason = "DNSSEC verify failed for NSEC RRset";
 			return 0;
 		}
@@ -7801,7 +7884,7 @@ static int zonemd_check_dnssec_absence(struct auth_zone* z,
 		}
 		/* dnssec verify the NSEC3 */
 		if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, match,
-			nsec3, why_bogus)) {
+			nsec3, why_bogus, sigalg)) {
 			*reason = "DNSSEC verify failed for NSEC3 RRset";
 			return 0;
 		}
@@ -7822,7 +7905,8 @@ static int zonemd_check_dnssec_absence(struct auth_zone* z,
 static int zonemd_check_dnssec_soazonemd(struct auth_zone* z,
 	struct module_env* env, struct module_stack* mods,
 	struct ub_packed_rrset_key* dnskey, struct auth_data* apex,
-	struct auth_rrset* zonemd_rrset, char** reason, char** why_bogus)
+	struct auth_rrset* zonemd_rrset, char** reason, char** why_bogus,
+	uint8_t* sigalg)
 {
 	struct auth_rrset* soa;
 	if(!apex) {
@@ -7835,12 +7919,12 @@ static int zonemd_check_dnssec_soazonemd(struct auth_zone* z,
 		return 0;
 	}
 	if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex, soa,
-		why_bogus)) {
+		why_bogus, sigalg)) {
 		*reason = "DNSSEC verify failed for SOA RRset";
 		return 0;
 	}
 	if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex,
-		zonemd_rrset, why_bogus)) {
+		zonemd_rrset, why_bogus, sigalg)) {
 		*reason = "DNSSEC verify failed for ZONEMD RRset";
 		return 0;
 	}
@@ -7899,12 +7983,14 @@ static void auth_zone_zonemd_fail(struct auth_zone* z, struct module_env* env,
  * @param is_insecure: if true, the dnskey is not used, the zone is insecure.
  * 	And dnssec is not used.  It is DNSSEC secure insecure or not under
  * 	a trust anchor.
+ * @param sigalg: if nonNULL provide algorithm downgrade protection.
+ * 	Otherwise one algorithm is enough. Must have space of ALGO_NEEDS_MAX+1.
  * @param result: if not NULL result reason copied here.
  */
 static void
 auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
 	struct module_stack* mods, struct ub_packed_rrset_key* dnskey,
-	int is_insecure, char** result)
+	int is_insecure, char** result, uint8_t* sigalg)
 {
 	char* reason = NULL, *why_bogus = NULL;
 	struct auth_data* apex = NULL;
@@ -7934,7 +8020,7 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
 	} else if(!zonemd_rrset && dnskey && !is_insecure) {
 		/* fetch, DNSSEC verify, and check NSEC/NSEC3 */
 		if(!zonemd_check_dnssec_absence(z, env, mods, dnskey, apex,
-			&reason, &why_bogus)) {
+			&reason, &why_bogus, sigalg)) {
 			auth_zone_zonemd_fail(z, env, reason, why_bogus, result);
 			return;
 		}
@@ -7942,7 +8028,7 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
 	} else if(zonemd_rrset && dnskey && !is_insecure) {
 		/* check DNSSEC verify of SOA and ZONEMD */
 		if(!zonemd_check_dnssec_soazonemd(z, env, mods, dnskey, apex,
-			zonemd_rrset, &reason, &why_bogus)) {
+			zonemd_rrset, &reason, &why_bogus, sigalg)) {
 			auth_zone_zonemd_fail(z, env, reason, why_bogus, result);
 			return;
 		}
@@ -7976,9 +8062,13 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
 	}
 
 	/* success! log the success */
-	auth_zone_log(z->name, VERB_ALGO, "ZONEMD verification successful");
+	if(reason)
+		auth_zone_log(z->name, VERB_ALGO, "ZONEMD %s", reason);
+	else	auth_zone_log(z->name, VERB_ALGO, "ZONEMD verification successful");
 	if(result) {
-		*result = strdup("ZONEMD verification successful");
+		if(reason)
+			*result = strdup(reason);
+		else	*result = strdup("ZONEMD verification successful");
 		if(!*result) log_err("out of memory");
 	}
 }
@@ -8056,15 +8146,78 @@ zonemd_get_dnskey_from_anchor(struct auth_zone* z, struct module_env* env,
 	return NULL;
 }
 
+/** verify the DNSKEY from the zone with looked up DS record */
+static struct ub_packed_rrset_key*
+auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z,
+	struct module_env* env, struct module_stack* mods,
+	struct ub_packed_rrset_key* ds, int* is_insecure, char** why_bogus,
+	struct ub_packed_rrset_key* keystorage, uint8_t* sigalg)
+{
+	struct auth_data* apex;
+	struct auth_rrset* dnskey_rrset;
+	enum sec_status sec;
+	struct val_env* ve;
+	int m;
+
+	/* fetch DNSKEY from zone data */
+	apex = az_find_name(z, z->name, z->namelen);
+	if(!apex) {
+		*why_bogus = "in verifywithDS, zone has no apex";
+		return NULL;
+	}
+	dnskey_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_DNSKEY);
+	if(!dnskey_rrset || dnskey_rrset->data->count==0) {
+		*why_bogus = "in verifywithDS, zone has no DNSKEY";
+		return NULL;
+	}
+
+	m = modstack_find(mods, "validator");
+	if(m == -1) {
+		*why_bogus = "in verifywithDS, have no validator module";
+		return NULL;
+	}
+	ve = (struct val_env*)env->modinfo[m];
+
+	memset(keystorage, 0, sizeof(*keystorage));
+	keystorage->entry.key = keystorage;
+	keystorage->entry.data = dnskey_rrset->data;
+	keystorage->rk.dname = apex->name;
+	keystorage->rk.dname_len = apex->namelen;
+	keystorage->rk.type = htons(LDNS_RR_TYPE_DNSKEY);
+	keystorage->rk.rrset_class = htons(z->dclass);
+	auth_zone_log(z->name, VERB_QUERY, "zonemd: verify zone DNSKEY with DS");
+	sec = val_verify_DNSKEY_with_DS(env, ve, keystorage, ds, sigalg,
+		why_bogus, NULL);
+	regional_free_all(env->scratch);
+	if(sec == sec_status_secure) {
+		/* success */
+		return keystorage;
+	} else if(sec == sec_status_insecure) {
+		/* insecure */
+		*is_insecure = 1;
+	} else {
+		/* bogus */
+		*is_insecure = 0;
+		if(*why_bogus == NULL)
+			*why_bogus = "verify failed";
+		auth_zone_log(z->name, VERB_ALGO,
+			"zonemd: verify DNSKEY RRset with DS failed: %s",
+			*why_bogus);
+	}
+	return NULL;
+}
+
 /** callback for ZONEMD lookup of DNSKEY */
 void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 	enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited))
 {
 	struct auth_zone* z = (struct auth_zone*)arg;
 	struct module_env* env;
-	char* reason = NULL;
+	char* reason = NULL, *ds_bogus = NULL, *typestr="DNSKEY";
-	struct ub_packed_rrset_key* dnskey = NULL;
+	struct ub_packed_rrset_key* dnskey = NULL, *ds = NULL;
-	int is_insecure = 0;
+	int is_insecure = 0, downprot;
+	struct ub_packed_rrset_key keystorage;
+	uint8_t sigalg[ALGO_NEEDS_MAX+1];
 
 	lock_rw_wrlock(&z->lock);
 	env = z->zonemd_callback_env;
@@ -8075,16 +8228,22 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 		lock_rw_unlock(&z->lock);
 		return; /* stop on quit */
 	}
+	if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS)
+		typestr = "DS";
+	downprot = env->cfg->harden_algo_downgrade;
 
 	/* process result */
 	if(sec == sec_status_bogus) {
 		reason = why_bogus;
-		if(!reason)
+		if(!reason) {
-			reason = "lookup of DNSKEY was bogus";
+			if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
+				reason = "lookup of DNSKEY was bogus";
+			else	reason = "lookup of DS was bogus";
+		}
 		auth_zone_log(z->name, VERB_ALGO,
-			"zonemd lookup of DNSKEY was bogus: %s", reason);
+			"zonemd lookup of %s was bogus: %s", typestr, reason);
 	} else if(rcode == LDNS_RCODE_NOERROR) {
-		uint16_t wanted_qtype = LDNS_RR_TYPE_DNSKEY;
+		uint16_t wanted_qtype = z->zonemd_callback_qtype;
 		struct regional* temp = env->scratch;
 		struct query_info rq;
 		struct reply_info* rep;
@@ -8097,25 +8256,29 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 			struct ub_packed_rrset_key* answer =
 				reply_find_answer_rrset(&rq, rep);
 			if(answer && sec == sec_status_secure) {
-				dnskey = answer;
+				if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
+					dnskey = answer;
+				else	ds = answer;
 				auth_zone_log(z->name, VERB_ALGO,
-					"zonemd lookup of DNSKEY was secure");
+					"zonemd lookup of %s was secure", typestr);
 			} else if(sec == sec_status_secure && !answer) {
 				is_insecure = 1;
 				auth_zone_log(z->name, VERB_ALGO,
-					"zonemd lookup of DNSKEY has no content, but is secure, treat as insecure");
+					"zonemd lookup of %s has no content, but is secure, treat as insecure", typestr);
 			} else if(sec == sec_status_insecure) {
 				is_insecure = 1;
 				auth_zone_log(z->name, VERB_ALGO,
-					"zonemd lookup of DNSKEY was insecure");
+					"zonemd lookup of %s was insecure", typestr);
 			} else if(sec == sec_status_indeterminate) {
 				is_insecure = 1;
 				auth_zone_log(z->name, VERB_ALGO,
-					"zonemd lookup of DNSKEY was indeterminate, treat as insecure");
+					"zonemd lookup of %s was indeterminate, treat as insecure", typestr);
 			} else {
 				auth_zone_log(z->name, VERB_ALGO,
-					"zonemd lookup of DNSKEY has nodata");
+					"zonemd lookup of %s has nodata", typestr);
-				reason = "lookup of DNSKEY has nodata";
+				if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
+					reason = "lookup of DNSKEY has nodata";
+				else	reason = "lookup of DS has nodata";
 			}
 		} else if(rep && rq.qtype == wanted_qtype &&
 			query_dname_compare(z->name, rq.qname) == 0 &&
@@ -8128,40 +8291,52 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 			 * trust, as insecure. */
 			is_insecure = 1;
 			auth_zone_log(z->name, VERB_ALGO,
-				"zonemd lookup of DNSKEY was secure NXDOMAIN, treat as insecure");
+				"zonemd lookup of %s was secure NXDOMAIN, treat as insecure", typestr);
 		} else if(rep && rq.qtype == wanted_qtype &&
 			query_dname_compare(z->name, rq.qname) == 0 &&
 			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
 			sec == sec_status_insecure) {
 			is_insecure = 1;
 			auth_zone_log(z->name, VERB_ALGO,
-				"zonemd lookup of DNSKEY was insecure NXDOMAIN, treat as insecure");
+				"zonemd lookup of %s was insecure NXDOMAIN, treat as insecure", typestr);
 		} else if(rep && rq.qtype == wanted_qtype &&
 			query_dname_compare(z->name, rq.qname) == 0 &&
 			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
 			sec == sec_status_indeterminate) {
 			is_insecure = 1;
 			auth_zone_log(z->name, VERB_ALGO,
-				"zonemd lookup of DNSKEY was indeterminate NXDOMAIN, treat as insecure");
+				"zonemd lookup of %s was indeterminate NXDOMAIN, treat as insecure", typestr);
 		} else {
 			auth_zone_log(z->name, VERB_ALGO,
-				"zonemd lookup of DNSKEY has no answer");
+				"zonemd lookup of %s has no answer", typestr);
-			reason = "lookup of DNSKEY has no answer";
+			if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
+				reason = "lookup of DNSKEY has no answer";
+			else	reason = "lookup of DS has no answer";
 		}
 	} else {
 		auth_zone_log(z->name, VERB_ALGO,
-			"zonemd lookup of DNSKEY failed");
+			"zonemd lookup of %s failed", typestr);
-		reason = "lookup of DNSKEY failed";
+		if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
+			reason = "lookup of DNSKEY failed";
+		else	reason = "lookup of DS failed";
+	}
+
+	if(!reason && !is_insecure && !dnskey && ds) {
+		dnskey = auth_zone_verify_zonemd_key_with_ds(z, env,
+			&env->mesh->mods, ds, &is_insecure, &ds_bogus,
+			&keystorage, downprot?sigalg:NULL);
+		if(!dnskey && !is_insecure && !reason)
+			reason = "DNSKEY verify with DS failed";
 	}
 
 	if(reason) {
-		auth_zone_zonemd_fail(z, env, reason, NULL, NULL);
+		auth_zone_zonemd_fail(z, env, reason, ds_bogus, NULL);
 		lock_rw_unlock(&z->lock);
 		return;
 	}
 
 	auth_zone_verify_zonemd_with_key(z, env, &env->mesh->mods, dnskey,
-		is_insecure, NULL);
+		is_insecure, NULL, downprot?sigalg:NULL);
 	regional_free_all(env->scratch);
 	lock_rw_unlock(&z->lock);
 }
@@ -8174,14 +8349,21 @@ zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env)
 	uint16_t qflags = BIT_RD;
 	struct edns_data edns;
 	sldns_buffer* buf = env->scratch_buffer;
+	int fetch_ds = 0;
 
+	if(!z->fallback_enabled) {
+		/* we cannot actually get the DNSKEY, because it is in the
+		 * zone we have ourselves, and it is not served yet
+		 * (possibly), so fetch type DS */
+		fetch_ds = 1;
+	}
 	if(z->zonemd_callback_env) {
 		/* another worker is already working on the callback
 		 * for the DNSKEY lookup for ZONEMD verification.
 		 * We do not also have to do ZONEMD verification, let that
 		 * worker do it */
 		auth_zone_log(z->name, VERB_ALGO,
-			"zonemd needs lookup of DNSKEY and that already worked on by another worker");
+			"zonemd needs lookup of %s and that already is worked on by another worker", (fetch_ds?"DS":"DNSKEY"));
 		return 1;
 	}
 
@@ -8190,21 +8372,26 @@ zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env)
 	qinfo.qname_len = z->namelen;
 	qinfo.qname = z->name;
 	qinfo.qclass = z->dclass;
-	qinfo.qtype = LDNS_RR_TYPE_DNSKEY;
+	if(fetch_ds)
+		qinfo.qtype = LDNS_RR_TYPE_DS;
+	else	qinfo.qtype = LDNS_RR_TYPE_DNSKEY;
 	qinfo.local_alias = NULL;
 	if(verbosity >= VERB_ALGO) {
 		char buf1[512];
 		char buf2[LDNS_MAX_DOMAINLEN+1];
 		dname_str(z->name, buf2);
-		snprintf(buf1, sizeof(buf1), "auth zone %s: lookup DNSKEY "
+		snprintf(buf1, sizeof(buf1), "auth zone %s: lookup %s "
-			"for zonemd verification", buf2);
+			"for zonemd verification", buf2,
+			(fetch_ds?"DS":"DNSKEY"));
 		log_query_info(VERB_ALGO, buf1, &qinfo);
 	}
 	edns.edns_present = 1;
 	edns.ext_rcode = 0;
 	edns.edns_version = 0;
 	edns.bits = EDNS_DO;
-	edns.opt_list = NULL;
+	edns.opt_list_in = NULL;
+	edns.opt_list_out = NULL;
+	edns.opt_list_inplace_cb_out = NULL;
 	if(sldns_buffer_capacity(buf) < 65535)
 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
 	else	edns.udp_size = 65535;
@@ -8212,12 +8399,14 @@ zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env)
 	/* store the worker-specific module env for the callback.
 	 * We can then reference this when the callback executes */
 	z->zonemd_callback_env = env;
+	z->zonemd_callback_qtype = qinfo.qtype;
 	/* the callback can be called straight away */
 	lock_rw_unlock(&z->lock);
 	if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
-		&auth_zonemd_dnskey_lookup_callback, z)) {
+		&auth_zonemd_dnskey_lookup_callback, z, 0)) {
 		lock_rw_wrlock(&z->lock);
-		log_err("out of memory lookup up dnskey for zonemd");
+		log_err("out of memory lookup of %s for zonemd",
+			(fetch_ds?"DS":"DNSKEY"));
 		return 0;
 	}
 	lock_rw_wrlock(&z->lock);
@@ -8234,6 +8423,10 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
 	int is_insecure = 0;
 	/* verify the ZONEMD if present.
 	 * If not present check if absence is allowed by DNSSEC */
+	if(!z->zonemd_check)
+		return;
+	if(z->data.count == 0)
+		return; /* no data */
 
 	/* if zone is under a trustanchor */
 	/* is it equal to trustanchor - get dnskey's verified */
@@ -8287,7 +8480,7 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
 	}
 
 	auth_zone_verify_zonemd_with_key(z, env, mods, dnskey, is_insecure,
-		result);
+		result, NULL);
 	regional_free_all(env->scratch);
 }
 
@@ -8302,6 +8495,10 @@ void auth_zones_pickup_zonemd_verify(struct auth_zones* az,
 	lock_rw_rdlock(&az->lock);
 	RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
 		lock_rw_wrlock(&z->lock);
+		if(!z->zonemd_check) {
+			lock_rw_unlock(&z->lock);
+			continue;
+		}
 		key.dclass = z->dclass;
 		key.namelabs = z->namelabs;
 		if(z->namelen > sizeof(savezname)) {

services/authzone.h

@@ -132,6 +132,8 @@ struct auth_zone {
 	/** for upstream: this zone answers queries that unbound intends to
 	 * send upstream. */
 	int for_upstream;
+	/** check ZONEMD records */
+	int zonemd_check;
 	/** reject absence of ZONEMD records */
 	int zonemd_reject_absence;
 	/** RPZ zones */
@@ -141,6 +143,8 @@ struct auth_zone {
 	 * worker has already picked up the zonemd verification task and
 	 * this worker does not have to do it as well. */
 	struct module_env* zonemd_callback_env;
+	/** for the zonemd callback, the type of data looked up */
+	uint16_t zonemd_callback_qtype;
 	/** zone has been deleted */
 	int zone_deleted;
 	/** deletelist pointer, unused normally except during delete */
@@ -632,6 +636,9 @@ int auth_zones_startprobesequence(struct auth_zones* az,
 /** read auth zone from zonefile. caller must lock zone. false on failure */
 int auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg);
 
+/** find the apex SOA RRset, if it exists. NULL if no SOA RRset. */
+struct auth_rrset* auth_zone_get_soa_rrset(struct auth_zone* z);
+
 /** find serial number of zone or false if none (no SOA record) */
 int auth_zone_get_serial(struct auth_zone* z, uint32_t* serial);
 
@@ -740,6 +747,9 @@ int zonemd_scheme_supported(int scheme);
  * @param region: temp region for allocs during canonicalisation.
  * @param buf: temp buffer during canonicalisation.
  * @param reason: string returned with failure reason.
+ * 	If the hash cannot be checked, but it is allowed, for unknown
+ * 	algorithms, the routine returns success, and the reason is nonNULL,
+ * 	with the allowance reason.
  * @return false on failure.
  */
 int auth_zone_generate_zonemd_check(struct auth_zone* z, int scheme,

services/cache/dns.c

@@ -801,7 +801,7 @@ struct dns_msg*
 dns_cache_lookup(struct module_env* env,
 	uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
 	uint16_t flags, struct regional* region, struct regional* scratch,
-	int no_partial)
+	int no_partial, uint8_t* dpname, size_t dpnamelen)
 {
 	struct lruhash_entry* e;
 	struct query_info k;
@@ -923,6 +923,9 @@ dns_cache_lookup(struct module_env* env,
 	 * the same.  We search upwards for NXDOMAINs. */
 	if(env->cfg->harden_below_nxdomain) {
 		while(!dname_is_root(k.qname)) {
+			if(dpname && dpnamelen
+				&& !dname_subdomain_c(k.qname, dpname))
+				break; /* no synth nxdomain above the stub */
 			dname_remove_label(&k.qname, &k.qname_len);
 			h = query_info_hash(&k, flags);
 			e = slabhash_lookup(env->msg_cache, h, &k, 0);

services/cache/dns.h

@@ -164,6 +164,8 @@ struct dns_msg* tomsg(struct module_env* env, struct query_info* q,
  * @param scratch: where to allocate temporary data.
  * @param no_partial: if true, only complete messages and not a partial
  *	one (with only the start of the CNAME chain and not the rest).
+ * @param dpname: if not NULL, do not return NXDOMAIN above this name.
+ * @param dpnamelen: length of dpname.
  * @return new response message (alloced in region, rrsets do not have IDs).
  * 	or NULL on error or if not found in cache.
  *	TTLs are made relative to the current time.
@@ -171,7 +173,7 @@ struct dns_msg* tomsg(struct module_env* env, struct query_info* q,
 struct dns_msg* dns_cache_lookup(struct module_env* env,
 	uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
 	uint16_t flags, struct regional* region, struct regional* scratch,
-	int no_partial);
+	int no_partial, uint8_t* dpname, size_t dpnamelen);
 
 /** 
  * find and add A and AAAA records for missing nameservers in delegpt 

services/cache/infra.c

@@ -236,6 +236,9 @@ infra_create(struct config_file* cfg)
 		sizeof(struct infra_cache));
 	size_t maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+
 		sizeof(struct infra_data)+INFRA_BYTES_NAME);
+	if(!infra) {
+		return NULL;
+	}
 	infra->hosts = slabhash_create(cfg->infra_cache_slabs,
 		INFRA_HOST_STARTSIZE, maxmem, &infra_sizefunc, &infra_compfunc,
 		&infra_delkeyfunc, &infra_deldatafunc, NULL);
@@ -895,8 +898,9 @@ static void infra_ip_create_ratedata(struct infra_cache* infra,
 	slabhash_insert(infra->client_ip_rates, h, &k->entry, d, NULL);
 }
 
-/** find the second and return its rate counter, if none, remove oldest */
+/** Find the second and return its rate counter. If none and should_add, remove
-static int* infra_rate_find_second(void* data, time_t t)
+ *  oldest to accommodate. Else return none. */
+static int* infra_rate_find_second_or_none(void* data, time_t t, int should_add)
 {
 	struct rate_data* d = (struct rate_data*)data;
 	int i, oldest;
@@ -904,6 +908,7 @@ static int* infra_rate_find_second(void* data, time_t t)
 		if(d->timestamp[i] == t)
 			return &(d->qps[i]);
 	}
+	if(!should_add) return NULL;
 	/* remove oldest timestamp, and insert it at t with 0 qps */
 	oldest = 0;
 	for(i=0; i<RATE_WINDOW; i++) {
@@ -915,21 +920,41 @@ static int* infra_rate_find_second(void* data, time_t t)
 	return &(d->qps[oldest]);
 }
 
-int infra_rate_max(void* data, time_t now)
+/** find the second and return its rate counter, if none, remove oldest to
+ *  accommodate */
+static int* infra_rate_give_second(void* data, time_t t)
+{
+    return infra_rate_find_second_or_none(data, t, 1);
+}
+
+/** find the second and return its rate counter only if it exists. Caller
+ *  should check for NULL return value */
+static int* infra_rate_get_second(void* data, time_t t)
+{
+    return infra_rate_find_second_or_none(data, t, 0);
+}
+
+int infra_rate_max(void* data, time_t now, int backoff)
 {
 	struct rate_data* d = (struct rate_data*)data;
 	int i, max = 0;
 	for(i=0; i<RATE_WINDOW; i++) {
-		if(now-d->timestamp[i] <= RATE_WINDOW) {
+		if(backoff) {
-			if(d->qps[i] > max)
+			if(now-d->timestamp[i] <= RATE_WINDOW &&
+				d->qps[i] > max) {
 				max = d->qps[i];
+			}
+		} else {
+			if(now == d->timestamp[i]) {
+				return d->qps[i];
+			}
 		}
 	}
 	return max;
 }
 
 int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
-	size_t namelen, time_t timenow, struct query_info* qinfo,
+	size_t namelen, time_t timenow, int backoff, struct query_info* qinfo,
 	struct comm_reply* replylist)
 {
 	int lim, max;
@@ -946,13 +971,13 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
 	/* find or insert ratedata */
 	entry = infra_find_ratedata(infra, name, namelen, 1);
 	if(entry) {
-		int premax = infra_rate_max(entry->data, timenow);
+		int premax = infra_rate_max(entry->data, timenow, backoff);
-		int* cur = infra_rate_find_second(entry->data, timenow);
+		int* cur = infra_rate_give_second(entry->data, timenow);
 		(*cur)++;
-		max = infra_rate_max(entry->data, timenow);
+		max = infra_rate_max(entry->data, timenow, backoff);
 		lock_rw_unlock(&entry->lock);
 
-		if(premax < lim && max >= lim) {
+		if(premax <= lim && max > lim) {
 			char buf[257], qnm[257], ts[12], cs[12], ip[128];
 			dname_str(name, buf);
 			dname_str(qinfo->qname, qnm);
@@ -967,12 +992,12 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
 				verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts);
 			}
 		}
-		return (max < lim);
+		return (max <= lim);
 	}
 
 	/* create */
 	infra_create_ratedata(infra, name, namelen, timenow);
-	return (1 < lim);
+	return (1 <= lim);
 }
 
 void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
@@ -984,14 +1009,19 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
 		return; /* not enabled */
 	entry = infra_find_ratedata(infra, name, namelen, 1);
 	if(!entry) return; /* not cached */
-	cur = infra_rate_find_second(entry->data, timenow);
+	cur = infra_rate_get_second(entry->data, timenow);
+	if(cur == NULL) {
+		/* our timenow is not available anymore; nothing to decrease */
+		lock_rw_unlock(&entry->lock);
+		return;
+	}
 	if((*cur) > 0)
 		(*cur)--;
 	lock_rw_unlock(&entry->lock);
 }
 
 int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
-	size_t namelen, time_t timenow)
+	size_t namelen, time_t timenow, int backoff)
 {
 	struct lruhash_entry* entry;
 	int lim, max;
@@ -1007,7 +1037,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
 	entry = infra_find_ratedata(infra, name, namelen, 0);
 	if(!entry)
 		return 0; /* not cached */
-	max = infra_rate_max(entry->data, timenow);
+	max = infra_rate_max(entry->data, timenow, backoff);
 	lock_rw_unlock(&entry->lock);
 
 	return (max >= lim);
@@ -1024,7 +1054,8 @@ infra_get_mem(struct infra_cache* infra)
 }
 
 int infra_ip_ratelimit_inc(struct infra_cache* infra,
-  struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer)
+	struct comm_reply* repinfo, time_t timenow, int backoff,
+	struct sldns_buffer* buffer)
 {
 	int max;
 	struct lruhash_entry* entry;
@@ -1036,10 +1067,10 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
 	/* find or insert ratedata */
 	entry = infra_find_ip_ratedata(infra, repinfo, 1);
 	if(entry) {
-		int premax = infra_rate_max(entry->data, timenow);
+		int premax = infra_rate_max(entry->data, timenow, backoff);
-		int* cur = infra_rate_find_second(entry->data, timenow);
+		int* cur = infra_rate_give_second(entry->data, timenow);
 		(*cur)++;
-		max = infra_rate_max(entry->data, timenow);
+		max = infra_rate_max(entry->data, timenow, backoff);
 		lock_rw_unlock(&entry->lock);
 
 		if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) {

services/cache/infra.h

@@ -368,6 +368,7 @@ long long infra_get_host_rto(struct infra_cache* infra,
  * @param name: zone name
  * @param namelen: zone name length
  * @param timenow: what time it is now.
+ * @param backoff: if backoff is enabled.
  * @param qinfo: for logging, query name.
  * @param replylist: for logging, querier's address (if any).
  * @return 1 if it could be incremented. 0 if the increment overshot the
@@ -375,7 +376,7 @@ long long infra_get_host_rto(struct infra_cache* infra,
  * Failures like alloc failures are not returned (probably as 1).
  */
 int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
-	size_t namelen, time_t timenow, struct query_info* qinfo,
+	size_t namelen, time_t timenow, int backoff, struct query_info* qinfo,
 	struct comm_reply* replylist);
 
 /**
@@ -398,13 +399,15 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
  * @param name: zone name
  * @param namelen: zone name length
  * @param timenow: what time it is now.
+ * @param backoff: if backoff is enabled.
  * @return true if exceeded.
  */
 int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
-	size_t namelen, time_t timenow);
+	size_t namelen, time_t timenow, int backoff);
 
-/** find the maximum rate stored, not too old. 0 if no information. */
+/** find the maximum rate stored. 0 if no information.
-int infra_rate_max(void* data, time_t now);
+ *  When backoff is enabled look for the maximum in the whole RATE_WINDOW. */
+int infra_rate_max(void* data, time_t now, int backoff);
 
 /** find the ratelimit in qps for a domain. 0 if no limit for domain. */
 int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
@@ -415,11 +418,12 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
  *  @param infra: infra cache
  *  @param repinfo: information about client
  *  @param timenow: what time it is now.
+ *  @param backoff: if backoff is enabled.
  *  @param buffer: with query for logging.
  *  @return 1 if it could be incremented. 0 if the increment overshot the
  *  ratelimit and the query should be dropped. */
 int infra_ip_ratelimit_inc(struct infra_cache* infra,
-	struct comm_reply* repinfo, time_t timenow,
+	struct comm_reply* repinfo, time_t timenow, int backoff,
 	struct sldns_buffer* buffer);
 
 /**

services/cache/rrset.h

@@ -120,7 +120,7 @@ void rrset_cache_touch(struct rrset_cache* r, struct ub_packed_rrset_key* key,
  *	the new rrset. The reference may be changed if the cached rrset is
  *	superior.
  *	Before calling the rrset is presumed newly allocated and changeable.
- *	Afer calling you do not hold a lock, and the rrset is inserted in
+ *	After calling you do not hold a lock, and the rrset is inserted in
  *	the hashtable so you need a lock to change it.
  * @param alloc: how to allocate (and deallocate) the special rrset key.
  * @param timenow: current time (to see if ttl in cache is expired).
@@ -143,7 +143,7 @@ int rrset_cache_update(struct rrset_cache* r, struct rrset_ref* ref,
  * @param rrset: which rrset to cache as wildcard. This rrset is left 
  * 	untouched.
  * @param ce: the closest encloser, will be uses to generate the wildcard dname.
- * @param ce_len: the closest encloser lenght.
+ * @param ce_len: the closest encloser length.
  * @param alloc: how to allocate (and deallocate) the special rrset key.
  * @param timenow: current time (to see if ttl in cache is expired).
  */

services/listen_dnsport.c

@@ -47,6 +47,7 @@
 #ifdef USE_TCP_FASTOPEN
 #include <netinet/tcp.h>
 #endif
+#include <ctype.h>
 #include "services/listen_dnsport.h"
 #include "services/outside_network.h"
 #include "util/netevent.h"
@@ -869,9 +870,14 @@ set_ip_dscp(int socket, int addrfamily, int dscp)
 	ds = dscp << 2;
 	switch(addrfamily) {
 	case AF_INET6:
-		if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, (void*)&ds, sizeof(ds)) < 0)
+	#ifdef IPV6_TCLASS
+		if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, (void*)&ds,
+			sizeof(ds)) < 0)
 			return sock_strerror(errno);
 		break;
+	#else
+		return "IPV6_TCLASS not defined on this system";
+	#endif
 	default:
 		if(setsockopt(socket, IPPROTO_IP, IP_TOS, (void*)&ds, sizeof(ds)) < 0)
 			return sock_strerror(errno);
@@ -1306,6 +1312,38 @@ listen_cp_insert(struct comm_point* c, struct listen_dnsport* front)
 	return 1;
 }
 
+void listen_setup_locks(void)
+{
+	if(!stream_wait_lock_inited) {
+		lock_basic_init(&stream_wait_count_lock);
+		stream_wait_lock_inited = 1;
+	}
+	if(!http2_query_buffer_lock_inited) {
+		lock_basic_init(&http2_query_buffer_count_lock);
+		http2_query_buffer_lock_inited = 1;
+	}
+	if(!http2_response_buffer_lock_inited) {
+		lock_basic_init(&http2_response_buffer_count_lock);
+		http2_response_buffer_lock_inited = 1;
+	}
+}
+
+void listen_desetup_locks(void)
+{
+	if(stream_wait_lock_inited) {
+		stream_wait_lock_inited = 0;
+		lock_basic_destroy(&stream_wait_count_lock);
+	}
+	if(http2_query_buffer_lock_inited) {
+		http2_query_buffer_lock_inited = 0;
+		lock_basic_destroy(&http2_query_buffer_count_lock);
+	}
+	if(http2_response_buffer_lock_inited) {
+		http2_response_buffer_lock_inited = 0;
+		lock_basic_destroy(&http2_response_buffer_count_lock);
+	}
+}
+
 struct listen_dnsport* 
 listen_create(struct comm_base* base, struct listen_port* ports,
 	size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
@@ -1327,57 +1365,44 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 		free(front);
 		return NULL;
 	}
-	if(!stream_wait_lock_inited) {
-		lock_basic_init(&stream_wait_count_lock);
-		stream_wait_lock_inited = 1;
-	}
-	if(!http2_query_buffer_lock_inited) {
-		lock_basic_init(&http2_query_buffer_count_lock);
-		http2_query_buffer_lock_inited = 1;
-	}
-	if(!http2_response_buffer_lock_inited) {
-		lock_basic_init(&http2_response_buffer_count_lock);
-		http2_response_buffer_lock_inited = 1;
-	}
 
 	/* create comm points as needed */
 	while(ports) {
 		struct comm_point* cp = NULL;
 		if(ports->ftype == listen_type_udp ||
-		   ports->ftype == listen_type_udp_dnscrypt)
+		   ports->ftype == listen_type_udp_dnscrypt) {
-			cp = comm_point_create_udp(base, ports->fd, 
+			cp = comm_point_create_udp(base, ports->fd,
 				front->udp_buff, cb, cb_arg, ports->socket);
-		else if(ports->ftype == listen_type_tcp ||
+		} else if(ports->ftype == listen_type_tcp ||
-				ports->ftype == listen_type_tcp_dnscrypt)
+				ports->ftype == listen_type_tcp_dnscrypt) {
-			cp = comm_point_create_tcp(base, ports->fd, 
+			cp = comm_point_create_tcp(base, ports->fd,
 				tcp_accept_count, tcp_idle_timeout,
 				harden_large_queries, 0, NULL,
 				tcp_conn_limit, bufsize, front->udp_buff,
 				ports->ftype, cb, cb_arg, ports->socket);
-		else if(ports->ftype == listen_type_ssl ||
+		} else if(ports->ftype == listen_type_ssl ||
 			ports->ftype == listen_type_http) {
-			cp = comm_point_create_tcp(base, ports->fd, 
+			cp = comm_point_create_tcp(base, ports->fd,
 				tcp_accept_count, tcp_idle_timeout,
 				harden_large_queries,
 				http_max_streams, http_endpoint,
 				tcp_conn_limit, bufsize, front->udp_buff,
 				ports->ftype, cb, cb_arg, ports->socket);
-			if(http_notls && ports->ftype == listen_type_http)
-				cp->ssl = NULL;
-			else
-				cp->ssl = sslctx;
 			if(ports->ftype == listen_type_http) {
 				if(!sslctx && !http_notls) {
-				  log_warn("HTTPS port configured, but no TLS "
+					log_warn("HTTPS port configured, but "
-					"tls-service-key or tls-service-pem "
+						"no TLS tls-service-key or "
-					"set");
+						"tls-service-pem set");
 				}
 #ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
-				if(!http_notls)
+				if(!http_notls) {
-				  log_warn("Unbound is not compiled with an "
+					log_warn("Unbound is not compiled "
-					"OpenSSL version supporting ALPN "
+						"with an OpenSSL version "
-					" (OpenSSL >= 1.0.2). This is required "
+						"supporting ALPN "
-					"to use DNS-over-HTTPS");
+						"(OpenSSL >= 1.0.2). This "
+						"is required to use "
+						"DNS-over-HTTPS");
+				}
 #endif
 #ifndef HAVE_NGHTTP2_NGHTTP2_H
 				log_warn("Unbound is not compiled with "
@@ -1386,14 +1411,25 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 #endif
 			}
 		} else if(ports->ftype == listen_type_udpancil ||
-				  ports->ftype == listen_type_udpancil_dnscrypt)
+				  ports->ftype == listen_type_udpancil_dnscrypt) {
-			cp = comm_point_create_udp_ancil(base, ports->fd, 
+			cp = comm_point_create_udp_ancil(base, ports->fd,
 				front->udp_buff, cb, cb_arg, ports->socket);
+		}
 		if(!cp) {
-			log_err("can't create commpoint");	
+			log_err("can't create commpoint");
 			listen_delete(front);
 			return NULL;
 		}
+		if((http_notls && ports->ftype == listen_type_http) ||
+			(ports->ftype == listen_type_tcp) ||
+			(ports->ftype == listen_type_udp) ||
+			(ports->ftype == listen_type_udpancil) ||
+			(ports->ftype == listen_type_tcp_dnscrypt) ||
+			(ports->ftype == listen_type_udp_dnscrypt) ||
+			(ports->ftype == listen_type_udpancil_dnscrypt))
+			cp->ssl = NULL;
+		else
+			cp->ssl = sslctx;
 		cp->dtenv = dtenv;
 		cp->do_not_close = 1;
 #ifdef USE_DNSCRYPT
@@ -1454,18 +1490,6 @@ listen_delete(struct listen_dnsport* front)
 #endif
 	sldns_buffer_free(front->udp_buff);
 	free(front);
-	if(stream_wait_lock_inited) {
-		stream_wait_lock_inited = 0;
-		lock_basic_destroy(&stream_wait_count_lock);
-	}
-	if(http2_query_buffer_lock_inited) {
-		http2_query_buffer_lock_inited = 0;
-		lock_basic_destroy(&http2_query_buffer_count_lock);
-	}
-	if(http2_response_buffer_lock_inited) {
-		http2_response_buffer_lock_inited = 0;
-		lock_basic_destroy(&http2_response_buffer_count_lock);
-	}
 }
 
 #ifdef HAVE_GETIFADDRS
@@ -1693,6 +1717,63 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
 	}
 	/* create ip4 and ip6 ports so that return addresses are nice. */
 	if(do_auto || num_ifs == 0) {
+		if(do_auto && cfg->if_automatic_ports &&
+			cfg->if_automatic_ports[0]!=0) {
+			char* now = cfg->if_automatic_ports;
+			while(now && *now) {
+				char* after;
+				int extraport;
+				while(isspace((unsigned char)*now))
+					now++;
+				if(!*now)
+					break;
+				after = now;
+				extraport = (int)strtol(now, &after, 10);
+				if(extraport < 0 || extraport > 65535) {
+					log_err("interface-automatic-ports port number out of range, at position %d of '%s'", (int)(now-cfg->if_automatic_ports)+1, cfg->if_automatic_ports);
+					listening_ports_free(list);
+					return NULL;
+				}
+				if(extraport == 0 && now == after) {
+					log_err("interface-automatic-ports could not be parsed, at position %d of '%s'", (int)(now-cfg->if_automatic_ports)+1, cfg->if_automatic_ports);
+					listening_ports_free(list);
+					return NULL;
+				}
+				now = after;
+				snprintf(portbuf, sizeof(portbuf), "%d", extraport);
+				if(do_ip6) {
+					hints.ai_family = AF_INET6;
+					if(!ports_create_if("::0",
+						do_auto, cfg->do_udp, do_tcp,
+						&hints, portbuf, &list,
+						cfg->so_rcvbuf, cfg->so_sndbuf,
+						cfg->ssl_port, cfg->tls_additional_port,
+						cfg->https_port, reuseport, cfg->ip_transparent,
+						cfg->tcp_mss, cfg->ip_freebind,
+						cfg->http_nodelay, cfg->use_systemd,
+						cfg->dnscrypt_port, cfg->ip_dscp)) {
+						listening_ports_free(list);
+						return NULL;
+					}
+				}
+				if(do_ip4) {
+					hints.ai_family = AF_INET;
+					if(!ports_create_if("0.0.0.0",
+						do_auto, cfg->do_udp, do_tcp,
+						&hints, portbuf, &list,
+						cfg->so_rcvbuf, cfg->so_sndbuf,
+						cfg->ssl_port, cfg->tls_additional_port,
+						cfg->https_port, reuseport, cfg->ip_transparent,
+						cfg->tcp_mss, cfg->ip_freebind,
+						cfg->http_nodelay, cfg->use_systemd,
+						cfg->dnscrypt_port, cfg->ip_dscp)) {
+						listening_ports_free(list);
+						return NULL;
+					}
+				}
+			}
+			return list;
+		}
 		if(do_ip6) {
 			hints.ai_family = AF_INET6;
 			if(!ports_create_if(do_auto?"::0":"::1", 
@@ -2477,6 +2558,10 @@ static int http2_query_read_done(struct http2_session* h2_session,
 			"buffer already assigned to stream");
 		return -1;
 	}
+    
+    /* the c->buffer might be used by mesh_send_reply and no be cleard
+	 * need to be cleared before use */
+	sldns_buffer_clear(h2_session->c->buffer);
 	if(sldns_buffer_remaining(h2_session->c->buffer) <
 		sldns_buffer_remaining(h2_stream->qbuffer)) {
 		/* qbuffer will be free'd in frame close cb */
@@ -2606,7 +2691,7 @@ static int http2_req_begin_headers_cb(nghttp2_session* session,
 	int ret;
 	if(frame->hd.type != NGHTTP2_HEADERS ||
 		frame->headers.cat != NGHTTP2_HCAT_REQUEST) {
-		/* only interrested in request headers */
+		/* only interested in request headers */
 		return 0;
 	}
 	if(!(h2_stream = http2_stream_create(frame->hd.stream_id))) {
@@ -2678,18 +2763,45 @@ static int http2_buffer_uri_query(struct http2_session* h2_session,
 		return 0;
 	}
 
-	if(!(b64len = sldns_b64url_pton(
+	if(sldns_b64_contains_nonurl((char const*)start, length)) {
-		(char const *)start, length,
+		char buf[65536+4];
-		sldns_buffer_current(h2_stream->qbuffer),
+		verbose(VERB_ALGO, "HTTP2 stream contains wrong b64 encoding");
-		expectb64len)) || b64len < 0) {
+		/* copy to the scratch buffer temporarily to terminate the
-		lock_basic_lock(&http2_query_buffer_count_lock);
+		 * string with a zero */
-		http2_query_buffer_count -= expectb64len;
+		if(length+1 > sizeof(buf)) {
-		lock_basic_unlock(&http2_query_buffer_count_lock);
+			/* too long */
-		sldns_buffer_free(h2_stream->qbuffer);
+			lock_basic_lock(&http2_query_buffer_count_lock);
-		h2_stream->qbuffer = NULL;
+			http2_query_buffer_count -= expectb64len;
-		/* return without error, method can be an
+			lock_basic_unlock(&http2_query_buffer_count_lock);
-		 * unknown POST */
+			sldns_buffer_free(h2_stream->qbuffer);
-		return 1;
+			h2_stream->qbuffer = NULL;
+			return 1;
+		}
+		memmove(buf, start, length);
+		buf[length] = 0;
+		if(!(b64len = sldns_b64_pton(buf, sldns_buffer_current(
+			h2_stream->qbuffer), expectb64len)) || b64len < 0) {
+			lock_basic_lock(&http2_query_buffer_count_lock);
+			http2_query_buffer_count -= expectb64len;
+			lock_basic_unlock(&http2_query_buffer_count_lock);
+			sldns_buffer_free(h2_stream->qbuffer);
+			h2_stream->qbuffer = NULL;
+			return 1;
+		}
+	} else {
+		if(!(b64len = sldns_b64url_pton(
+			(char const *)start, length,
+			sldns_buffer_current(h2_stream->qbuffer),
+			expectb64len)) || b64len < 0) {
+			lock_basic_lock(&http2_query_buffer_count_lock);
+			http2_query_buffer_count -= expectb64len;
+			lock_basic_unlock(&http2_query_buffer_count_lock);
+			sldns_buffer_free(h2_stream->qbuffer);
+			h2_stream->qbuffer = NULL;
+			/* return without error, method can be an
+			 * unknown POST */
+			return 1;
+		}
 	}
 	sldns_buffer_skip(h2_stream->qbuffer, (size_t)b64len);
 	return 1;
@@ -2707,7 +2819,7 @@ static int http2_req_header_cb(nghttp2_session* session,
 	 * the HEADER */
 	if(frame->hd.type != NGHTTP2_HEADERS ||
 		frame->headers.cat != NGHTTP2_HCAT_REQUEST) {
-		/* only interrested in request headers */
+		/* only interested in request headers */
 		return 0;
 	}
 	if(!(h2_stream = nghttp2_session_get_stream_user_data(session,
@@ -2803,7 +2915,7 @@ static int http2_req_header_cb(nghttp2_session* session,
 			h2_stream->query_too_large = 1;
 			return 0;
 		}
-		/* guaranteed to only contian digits and be null terminated */
+		/* guaranteed to only contain digits and be null terminated */
 		h2_stream->content_length = atoi((const char*)value);
 		if(h2_stream->content_length >
 			h2_session->c->http2_stream_max_qbuffer_size) {
@@ -2843,7 +2955,7 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
 			/* setting this to msg-buffer-size can result in a lot
 			 * of memory consuption. Most queries should fit in a
 			 * single DATA frame, and most POST queries will
-			 * containt content-length which does not impose this
+			 * contain content-length which does not impose this
 			 * limit. */
 			qlen = len;
 		}

services/listen_dnsport.h

@@ -199,6 +199,11 @@ listen_create(struct comm_base* base, struct listen_port* ports,
  */
 void listen_delete(struct listen_dnsport* listen);
 
+/** setup the locks for the listen ports */
+void listen_setup_locks(void);
+/** desetup the locks for the listen ports */
+void listen_desetup_locks(void);
+
 /**
  * delete listen_list of commpoints. Calls commpointdelete() on items.
  * This may close the fds or not depending on flags.

services/localzone.c

@@ -56,6 +56,44 @@
  * with 16 bytes for an A record, a 64K packet has about 4000 max */
 #define LOCALZONE_RRSET_COUNT_MAX 4096
 
+/** print all RRsets in local zone */
+static void
+local_zone_out(struct local_zone* z)
+{
+	struct local_data* d;
+	struct local_rrset* p;
+	RBTREE_FOR(d, struct local_data*, &z->data) {
+		for(p = d->rrsets; p; p = p->next) {
+			log_nametypeclass(NO_VERBOSE, "rrset", d->name,
+				ntohs(p->rrset->rk.type),
+				ntohs(p->rrset->rk.rrset_class));
+		}
+	}
+}
+
+static void
+local_zone_print(struct local_zone* z)
+{
+	char buf[64];
+	lock_rw_rdlock(&z->lock);
+	snprintf(buf, sizeof(buf), "%s zone",
+		local_zone_type2str(z->type));
+	log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass);
+	local_zone_out(z);
+	lock_rw_unlock(&z->lock);
+}
+
+void local_zones_print(struct local_zones* zones)
+{
+	struct local_zone* z;
+	lock_rw_rdlock(&zones->lock);
+	log_info("number of auth zones %u", (unsigned)zones->ztree.count);
+	RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
+		local_zone_print(z);
+	}
+	lock_rw_unlock(&zones->lock);
+}
+
 struct local_zones* 
 local_zones_create(void)
 {
@@ -465,7 +503,7 @@ lz_find_create_node(struct local_zone* z, uint8_t* nm, size_t nmlen,
 
 /* Mark the SOA record for the zone. This only marks the SOA rrset; the data
  * for the RR is entered later on local_zone_enter_rr() as with the other
- * records. An artifical soa_negative record with a modified TTL (minimum of
+ * records. An artificial soa_negative record with a modified TTL (minimum of
  * the TTL and the SOA.MINIMUM) is also created and marked for usage with
  * negative answers and to avoid allocations during those answers. */
 static int
@@ -745,9 +783,15 @@ static int
 lz_enter_zones(struct local_zones* zones, struct config_file* cfg)
 {
 	struct config_str2list* p;
+#ifndef THREADS_DISABLED
 	struct local_zone* z;
+#endif
 	for(p = cfg->local_zones; p; p = p->next) {
-		if(!(z=lz_enter_zone(zones, p->str, p->str2, 
+		if(!(
+#ifndef THREADS_DISABLED
+			z=
+#endif
+			lz_enter_zone(zones, p->str, p->str2,
 			LDNS_RR_CLASS_IN)))
 			return 0;
 		lock_rw_unlock(&z->lock);
@@ -892,6 +936,11 @@ int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg
 		}
 		lock_rw_unlock(&z->lock);
 	}
+	/* home.arpa. zone (RFC 8375) */
+	if(!add_empty_default(zones, cfg, "home.arpa.")) {
+		log_err("out of memory adding default zone");
+		return 0;
+	}
 	/* onion. zone (RFC 7686) */
 	if(!add_empty_default(zones, cfg, "onion.")) {
 		log_err("out of memory adding default zone");
@@ -999,6 +1048,38 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg)
 		lock_rw_rdlock(&zones->lock);
 		if(!local_zones_lookup(zones, rr_name, len, labs, rr_class,
 			rr_type)) {
+			/* Check if there is a zone that this could go
+			 * under but for different class; created zones are
+			 * always for LDNS_RR_CLASS_IN. Create the zone with
+			 * a different class but the same configured
+			 * local_zone_type. */
+			struct local_zone* z = local_zones_lookup(zones,
+				rr_name, len, labs, LDNS_RR_CLASS_IN, rr_type);
+			if(z) {
+				uint8_t* name = memdup(z->name, z->namelen);
+				size_t znamelen = z->namelen;
+				int znamelabs = z->namelabs;
+				enum localzone_type ztype = z->type;
+				lock_rw_unlock(&zones->lock);
+				if(!name) {
+					log_err("out of memory");
+					free(rr_name);
+					return 0;
+				}
+				if(!(
+#ifndef THREADS_DISABLED
+					z =
+#endif
+					lz_enter_zone_dname(zones, name,
+						znamelen, znamelabs,
+						ztype, rr_class))) {
+					free(rr_name);
+					return 0;
+				}
+				lock_rw_unlock(&z->lock);
+				free(rr_name);
+				continue;
+			}
 			if(!have_name) {
 				dclass = rr_class;
 				nm = rr_name;
@@ -1027,7 +1108,9 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg)
 	}
 	if(have_name) {
 		uint8_t* n2;
+#ifndef THREADS_DISABLED
 		struct local_zone* z;
+#endif
 		/* allocate zone of smallest shared topdomain to contain em */
 		n2 = nm;
 		dname_remove_labels(&n2, &nmlen, nmlabs - match);
@@ -1039,7 +1122,11 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg)
 		}
 		log_nametypeclass(VERB_ALGO, "implicit transparent local-zone", 
 			n2, 0, dclass);
-		if(!(z=lz_enter_zone_dname(zones, n2, nmlen, match, 
+		if(!(
+#ifndef THREADS_DISABLED
+			z=
+#endif
+			lz_enter_zone_dname(zones, n2, nmlen, match,
 			local_zone_transparent, dclass))) {
 			return 0;
 		}
@@ -1203,38 +1290,6 @@ local_zones_find_le(struct local_zones* zones,
 	return (struct local_zone*)node;
 }
 
-/** print all RRsets in local zone */
-static void 
-local_zone_out(struct local_zone* z)
-{
-	struct local_data* d;
-	struct local_rrset* p;
-	RBTREE_FOR(d, struct local_data*, &z->data) {
-		for(p = d->rrsets; p; p = p->next) {
-			log_nametypeclass(NO_VERBOSE, "rrset", d->name,
-				ntohs(p->rrset->rk.type),
-				ntohs(p->rrset->rk.rrset_class));
-		}
-	}
-}
-
-void local_zones_print(struct local_zones* zones)
-{
-	struct local_zone* z;
-	lock_rw_rdlock(&zones->lock);
-	log_info("number of auth zones %u", (unsigned)zones->ztree.count);
-	RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
-		char buf[64];
-		lock_rw_rdlock(&z->lock);
-		snprintf(buf, sizeof(buf), "%s zone",
-			local_zone_type2str(z->type));
-		log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass);
-		local_zone_out(z);
-		lock_rw_unlock(&z->lock);
-	}
-	lock_rw_unlock(&zones->lock);
-}
-
 /** encode answer consisting of 1 rrset */
 static int
 local_encode(struct query_info* qinfo, struct module_env* env,
@@ -1282,7 +1337,7 @@ local_error_encode(struct query_info* qinfo, struct module_env* env,
 
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL,
 		rcode, edns, repinfo, temp, env->now_tv))
-		edns->opt_list = NULL;
+		edns->opt_list_inplace_cb_out = NULL;
 	error_encode(buf, r, qinfo, *(uint16_t*)sldns_buffer_begin(buf),
 		sldns_buffer_read_u16_at(buf, 2), edns);
 }
@@ -1509,7 +1564,7 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 			/* write qname */
 			memmove(d->rr_data[0] + sizeof(uint16_t), qinfo->qname,
 				qinfo->qname_len - 1);
-			/* write cname target wilcard wildcard label */
+			/* write cname target wildcard label */
 			memmove(d->rr_data[0] + sizeof(uint16_t) +
 				qinfo->qname_len - 1, ctarget + 2,
 				ctargetlen - 2);
@@ -1558,6 +1613,15 @@ local_zone_does_not_cover(struct local_zone* z, struct query_info* qinfo,
 	return (lr == NULL);
 }
 
+static inline int
+local_zone_is_udp_query(struct comm_reply* repinfo) {
+	return repinfo != NULL
+			? (repinfo->c != NULL
+				? repinfo->c->type == comm_udp
+				: 0)
+			: 0;
+}
+
 int
 local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 	struct query_info* qinfo, struct edns_data* edns,
@@ -1580,7 +1644,9 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 		lz_type == local_zone_redirect ||
 		lz_type == local_zone_inform_redirect ||
 		lz_type == local_zone_always_nxdomain ||
-		lz_type == local_zone_always_nodata) {
+		lz_type == local_zone_always_nodata ||
+		(lz_type == local_zone_truncate
+			&& local_zone_is_udp_query(repinfo))) {
 		/* for static, reply nodata or nxdomain
 		 * for redirect, reply nodata */
 		/* no additional section processing,
@@ -1590,9 +1656,11 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 		 */
 		int rcode = (ld || lz_type == local_zone_redirect ||
 			lz_type == local_zone_inform_redirect ||
-			lz_type == local_zone_always_nodata)?
+			lz_type == local_zone_always_nodata ||
+			lz_type == local_zone_truncate)?
 			LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN;
-		if(z->soa && z->soa_negative)
+		rcode = (lz_type == local_zone_truncate ? (rcode|BIT_TC) : rcode);
+		if(z != NULL && z->soa && z->soa_negative)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
 				z->soa_negative, 0, rcode);
 		local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode,
@@ -1649,7 +1717,7 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 	 * does not, then we should make this noerror/nodata */
 	if(ld && ld->rrsets) {
 		int rcode = LDNS_RCODE_NOERROR;
-		if(z->soa && z->soa_negative)
+		if(z != NULL && z->soa && z->soa_negative)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
 				z->soa_negative, 0, rcode);
 		local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode,
@@ -1848,6 +1916,7 @@ const char* local_zone_type2str(enum localzone_type t)
 		case local_zone_always_deny: return "always_deny";
 		case local_zone_always_null: return "always_null";
 		case local_zone_noview: return "noview";
+		case local_zone_truncate: return "truncate";
 		case local_zone_invalid: return "invalid";
 	}
 	return "badtyped"; 
@@ -1887,6 +1956,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
 		*t = local_zone_always_null;
 	else if(strcmp(type, "noview") == 0)
 		*t = local_zone_noview;
+	else if(strcmp(type, "truncate") == 0)
+		*t = local_zone_truncate;
 	else if(strcmp(type, "nodefault") == 0)
 		*t = local_zone_nodefault;
 	else return 0;

services/localzone.h

@@ -101,6 +101,8 @@ enum localzone_type {
 	local_zone_always_null,
 	/** answer not from the view, but global or no-answer */
 	local_zone_noview,
+	/** truncate the response; client should retry via tcp */
+	local_zone_truncate,
 	/** Invalid type, cannot be used to generate answer */
 	local_zone_invalid
 };
@@ -158,7 +160,7 @@ struct local_zone {
 	rbtree_type data;
 	/** if data contains zone apex SOA data, this is a ptr to it. */
 	struct ub_packed_rrset_key* soa;
-	/** if data contains zone apex SOA data, this is a prt to an
+	/** if data contains zone apex SOA data, this is a ptr to an
 	 * artificial negative SOA rrset (TTL is the minimum of the TTL and the
 	 * SOA.MINIMUM). */
 	struct ub_packed_rrset_key* soa_negative;
@@ -255,7 +257,7 @@ void local_zone_delete(struct local_zone* z);
  * @param dclass: class to lookup.
  * @param dtype: type to lookup, if type DS a zone higher is used for zonecuts.
  * @param taglist: taglist to lookup.
- * @param taglen: lenth of taglist.
+ * @param taglen: length of taglist.
  * @param ignoretags: lookup zone by name and class, regardless the
  * local-zone's tags.
  * @return closest local_zone or NULL if no covering zone is found.
@@ -563,6 +565,8 @@ enum respip_action {
 	respip_always_nodata = local_zone_always_nodata,
         /** answer with nodata response */
 	respip_always_deny = local_zone_always_deny,
+	/** RPZ: truncate answer in order to force switch to tcp */
+	respip_truncate = local_zone_truncate,
 
 	/* The rest of the values are only possible as
 	 * access-control-tag-action */

services/mesh.c

@@ -99,7 +99,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
 {
 #ifndef S_SPLINT_S
 	size_t leftover;
-	if(d == 0) {
+	if(d <= 0) {
 		avg->tv_sec = 0;
 		avg->tv_usec = 0;
 		return;
@@ -108,7 +108,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
 	avg->tv_usec = sum->tv_usec / d;
 	/* handle fraction from seconds divide */
 	leftover = sum->tv_sec - avg->tv_sec*d;
-	avg->tv_usec += (leftover*1000000)/d;
+	if(leftover <= 0)
+		leftover = 0;
+	avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
+	if(avg->tv_sec < 0)
+		avg->tv_sec = 0;
+	if(avg->tv_usec < 0)
+		avg->tv_usec = 0;
 #endif
 }
 
@@ -433,7 +439,7 @@ mesh_serve_expired_init(struct mesh_state* mstate, int timeout)
 	mstate->s.serve_expired_data->get_cached_answer =
 		mstate->s.serve_expired_data->get_cached_answer?
 		mstate->s.serve_expired_data->get_cached_answer:
-		mesh_serve_expired_lookup;
+		&mesh_serve_expired_lookup;
 
 	/* In case this timer already popped, start it again */
 	if(!mstate->s.serve_expired_data->timer) {
@@ -452,10 +458,11 @@ mesh_serve_expired_init(struct mesh_state* mstate, int timeout)
 
 void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 	struct respip_client_info* cinfo, uint16_t qflags,
-	struct edns_data* edns, struct comm_reply* rep, uint16_t qid)
+	struct edns_data* edns, struct comm_reply* rep, uint16_t qid,
+	int rpz_passthru)
 {
 	struct mesh_state* s = NULL;
-	int unique = unique_mesh_state(edns->opt_list, mesh->env);
+	int unique = unique_mesh_state(edns->opt_list_in, mesh->env);
 	int was_detached = 0;
 	int was_noreply = 0;
 	int added = 0;
@@ -499,7 +506,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 			log_err("mesh_state_create: out of memory; SERVFAIL");
 			if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL,
 				LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
-					edns->opt_list = NULL;
+					edns->opt_list_inplace_cb_out = NULL;
 			error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 				qinfo, qid, qflags, edns);
 			comm_point_send_reply(rep);
@@ -507,15 +514,16 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 		}
 		if(unique)
 			mesh_state_make_unique(s);
+		s->s.rpz_passthru = rpz_passthru;
 		/* copy the edns options we got from the front */
-		if(edns->opt_list) {
+		if(edns->opt_list_in) {
-			s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list,
+			s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list_in,
 				s->s.region);
 			if(!s->s.edns_opts_front_in) {
 				log_err("mesh_state_create: out of memory; SERVFAIL");
 				if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL,
 					NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
-						edns->opt_list = NULL;
+						edns->opt_list_inplace_cb_out = NULL;
 				error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 					qinfo, qid, qflags, edns);
 				comm_point_send_reply(rep);
@@ -588,7 +596,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 servfail_mem:
 	if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, &s->s,
 		NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
-			edns->opt_list = NULL;
+			edns->opt_list_inplace_cb_out = NULL;
 	error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 		qinfo, qid, qflags, edns);
 	comm_point_send_reply(rep);
@@ -600,10 +608,10 @@ servfail_mem:
 int 
 mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 	uint16_t qflags, struct edns_data* edns, sldns_buffer* buf, 
-	uint16_t qid, mesh_cb_func_type cb, void* cb_arg)
+	uint16_t qid, mesh_cb_func_type cb, void* cb_arg, int rpz_passthru)
 {
 	struct mesh_state* s = NULL;
-	int unique = unique_mesh_state(edns->opt_list, mesh->env);
+	int unique = unique_mesh_state(edns->opt_list_in, mesh->env);
 	int timeout = mesh->env->cfg->serve_expired?
 		mesh->env->cfg->serve_expired_client_timeout:0;
 	int was_detached = 0;
@@ -626,8 +634,9 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 		}
 		if(unique)
 			mesh_state_make_unique(s);
-		if(edns->opt_list) {
+		s->s.rpz_passthru = rpz_passthru;
-			s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list,
+		if(edns->opt_list_in) {
+			s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list_in,
 				s->s.region);
 			if(!s->s.edns_opts_front_in) {
 				return 0;
@@ -680,7 +689,8 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
  * 0 (false), in which case the new state is only made runnable so it
  * will not be run recursively on top of the current state. */
 static void mesh_schedule_prefetch(struct mesh_area* mesh,
-	struct query_info* qinfo, uint16_t qflags, time_t leeway, int run)
+	struct query_info* qinfo, uint16_t qflags, time_t leeway, int run,
+	int rpz_passthru)
 {
 	struct mesh_state* s = mesh_area_find(mesh, NULL, qinfo,
 		qflags&(BIT_RD|BIT_CD), 0, 0);
@@ -735,6 +745,7 @@ static void mesh_schedule_prefetch(struct mesh_area* mesh,
 			s->list_select = mesh_jostle_list;
 		}
 	}
+	s->s.rpz_passthru = rpz_passthru;
 
 	if(!run) {
 #ifdef UNBOUND_DEBUG
@@ -751,9 +762,9 @@ static void mesh_schedule_prefetch(struct mesh_area* mesh,
 }
 
 void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
-        uint16_t qflags, time_t leeway)
+        uint16_t qflags, time_t leeway, int rpz_passthru)
 {
-	mesh_schedule_prefetch(mesh, qinfo, qflags, leeway, 1);
+	mesh_schedule_prefetch(mesh, qinfo, qflags, leeway, 1, rpz_passthru);
 }
 
 void mesh_report_reply(struct mesh_area* mesh, struct outbound_entry* e,
@@ -1139,11 +1150,11 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 		if(rcode == LDNS_RCODE_SERVFAIL) {
 			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
 				rep, rcode, &r->edns, NULL, m->s.region, start_time))
-					r->edns.opt_list = NULL;
+					r->edns.opt_list_inplace_cb_out = NULL;
 		} else {
 			if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
 				&r->edns, NULL, m->s.region, start_time))
-					r->edns.opt_list = NULL;
+					r->edns.opt_list_inplace_cb_out = NULL;
 		}
 		fptr_ok(fptr_whitelist_mesh_cb(r->cb));
 		(*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL,
@@ -1177,6 +1188,22 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 	m->s.env->mesh->num_reply_addrs--;
 }
 
+static inline int
+mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m)
+{
+	struct respip_action_info const* respip_info = m->s.respip_action_info;
+	return respip_info == NULL
+			? 0
+			: (respip_info->rpz_used
+			&& !respip_info->rpz_disabled
+			&& respip_info->action == respip_truncate);
+}
+
+static inline int
+mesh_is_udp(struct mesh_reply const* r) {
+	return r->query_reply.c->type == comm_udp;
+}
+
 /**
  * Send reply to mesh reply entry
  * @param m: mesh state to send it for.
@@ -1195,15 +1222,17 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	struct timeval end_time;
 	struct timeval duration;
 	int secure;
-	/* Copy the client's EDNS for later restore, to make sure the edns
-	 * compare is with the correct edns options. */
-	struct edns_data edns_bak = r->edns;
 	/* briefly set the replylist to null in case the
 	 * meshsendreply calls tcpreqinfo sendreply that
 	 * comm_point_drops because of size, and then the
 	 * null stops the mesh state remove and thus
 	 * reply_list modification and accounting */
 	struct mesh_reply* rlist = m->reply_list;
+
+	/* rpz: apply actions */
+	rcode = mesh_is_udp(r) && mesh_is_rpz_respip_tcponly_action(m)
+			? (rcode|BIT_TC) : rcode;
+
 	/* examine security status */
 	if(m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
 		m->s.env->cfg->ignore_cd) && rep && 
@@ -1242,8 +1271,9 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 		prev->edns.edns_present == r->edns.edns_present &&
 		prev->edns.bits == r->edns.bits &&
 		prev->edns.udp_size == r->edns.udp_size &&
-		edns_opt_list_compare(prev->edns.opt_list, r->edns.opt_list)
+		edns_opt_list_compare(prev->edns.opt_list_out, r->edns.opt_list_out) == 0 &&
-		== 0) {
+		edns_opt_list_compare(prev->edns.opt_list_inplace_cb_out, r->edns.opt_list_inplace_cb_out) == 0
+		) {
 		/* if the previous reply is identical to this one, fix ID */
 		if(prev_buffer != r_buffer)
 			sldns_buffer_copy(r_buffer, prev_buffer);
@@ -1259,11 +1289,11 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 		if(rcode == LDNS_RCODE_SERVFAIL) {
 			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
 				rep, rcode, &r->edns, &r->query_reply, m->s.region, &r->start_time))
-					r->edns.opt_list = NULL;
+					r->edns.opt_list_inplace_cb_out = NULL;
 		} else { 
 			if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
 				&r->edns, &r->query_reply, m->s.region, &r->start_time))
-					r->edns.opt_list = NULL;
+					r->edns.opt_list_inplace_cb_out = NULL;
 		}
 		error_encode(r_buffer, rcode, &m->s.qinfo, r->qid,
 			r->qflags, &r->edns);
@@ -1280,9 +1310,6 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 		m->s.qinfo.local_alias = r->local_alias;
 		if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
 			LDNS_RCODE_NOERROR, &r->edns, &r->query_reply, m->s.region, &r->start_time) ||
-			!apply_edns_options(&r->edns, &edns_bak,
-				m->s.env->cfg, r->query_reply.c,
-				m->s.region) ||
 			!reply_info_answer_encode(&m->s.qinfo, rep, r->qid, 
 			r->qflags, r_buffer, 0, 1, m->s.env->scratch,
 			udp_size, &r->edns, (int)(r->edns.bits & EDNS_DO),
@@ -1290,11 +1317,10 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 		{
 			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
 			rep, LDNS_RCODE_SERVFAIL, &r->edns, &r->query_reply, m->s.region, &r->start_time))
-				r->edns.opt_list = NULL;
+				r->edns.opt_list_inplace_cb_out = NULL;
 			error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 				&m->s.qinfo, r->qid, r->qflags, &r->edns);
 		}
-		r->edns = edns_bak;
 		m->reply_list = NULL;
 		comm_point_send_reply(&r->query_reply);
 		m->reply_list = rlist;
@@ -1340,7 +1366,7 @@ void mesh_query_done(struct mesh_state* mstate)
 	}
 	if(mstate->s.return_rcode == LDNS_RCODE_SERVFAIL ||
 		(rep && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_SERVFAIL)) {
-		/* we are SERVFAILing; check for expired asnwer here */
+		/* we are SERVFAILing; check for expired answer here */
 		mesh_serve_expired_callback(mstate);
 		if((mstate->reply_list || mstate->cb_list)
 		&& mstate->s.env->cfg->log_servfail
@@ -1482,12 +1508,15 @@ int mesh_state_add_cb(struct mesh_state* s, struct edns_data* edns,
 	r->cb = cb;
 	r->cb_arg = cb_arg;
 	r->edns = *edns;
-	if(edns->opt_list) {
+	if(edns->opt_list_in && !(r->edns.opt_list_in =
-		r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
+			edns_opt_copy_region(edns->opt_list_in, s->s.region)))
-			s->s.region);
+		return 0;
-		if(!r->edns.opt_list)
+	if(edns->opt_list_out && !(r->edns.opt_list_out =
-			return 0;
+			edns_opt_copy_region(edns->opt_list_out, s->s.region)))
-	}
+		return 0;
+	if(edns->opt_list_inplace_cb_out && !(r->edns.opt_list_inplace_cb_out =
+			edns_opt_copy_region(edns->opt_list_inplace_cb_out, s->s.region)))
+		return 0;
 	r->qid = qid;
 	r->qflags = qflags;
 	r->next = s->cb_list;
@@ -1506,12 +1535,15 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
 		return 0;
 	r->query_reply = *rep;
 	r->edns = *edns;
-	if(edns->opt_list) {
+	if(edns->opt_list_in && !(r->edns.opt_list_in =
-		r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
+			edns_opt_copy_region(edns->opt_list_in, s->s.region)))
-			s->s.region);
+		return 0;
-		if(!r->edns.opt_list)
+	if(edns->opt_list_out && !(r->edns.opt_list_out =
-			return 0;
+			edns_opt_copy_region(edns->opt_list_out, s->s.region)))
-	}
+		return 0;
+	if(edns->opt_list_inplace_cb_out && !(r->edns.opt_list_inplace_cb_out =
+			edns_opt_copy_region(edns->opt_list_inplace_cb_out, s->s.region)))
+		return 0;
 	r->qid = qid;
 	r->qflags = qflags;
 	r->start_time = *s->s.env->now_tv;
@@ -1557,7 +1589,7 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
 			return 0;
 
 		/* the rrset is not packed, like in the cache, but it is
-		 * individualy allocated with an allocator from localzone. */
+		 * individually allocated with an allocator from localzone. */
 		d = regional_alloc_zero(s->s.region, sizeof(*d));
 		if(!d)
 			return 0;
@@ -1666,6 +1698,7 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
 		if(mstate->s.curmod == 0) {
 			struct query_info* qinfo = NULL;
 			uint16_t qflags;
+			int rpz_p = 0;
 
 			mesh_query_done(mstate);
 			mesh_walk_supers(mesh, mstate);
@@ -1674,13 +1707,15 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
 			 * from an external DNS server, we'll need to schedule
 			 * a prefetch after removing the current state, so
 			 * we need to make a copy of the query info here. */
-			if(mstate->s.need_refetch)
+			if(mstate->s.need_refetch) {
 				mesh_copy_qinfo(mstate, &qinfo, &qflags);
+				rpz_p = mstate->s.rpz_passthru;
+			}
 
 			mesh_state_delete(&mstate->s);
 			if(qinfo) {
 				mesh_schedule_prefetch(mesh, qinfo, qflags,
-					0, 1);
+					0, 1, rpz_p);
 			}
 			return 0;
 		}
@@ -1890,7 +1925,7 @@ apply_respip_action(struct module_qstate* qstate,
 		return 1;
 
 	if(!respip_rewrite_reply(qinfo, cinfo, rep, encode_repp, actinfo,
-		alias_rrset, 0, qstate->region, az))
+		alias_rrset, 0, qstate->region, az, NULL))
 		return 0;
 
 	/* xxx_deny actions mean dropping the reply, unless the original reply
@@ -1940,7 +1975,7 @@ mesh_serve_expired_callback(void* arg)
 	while(1) {
 		fptr_ok(fptr_whitelist_serve_expired_lookup(
 			qstate->serve_expired_data->get_cached_answer));
-		msg = qstate->serve_expired_data->get_cached_answer(qstate,
+		msg = (*qstate->serve_expired_data->get_cached_answer)(qstate,
 			lookup_qinfo);
 		if(!msg)
 			return;

services/mesh.h

@@ -296,10 +296,13 @@ void mesh_delete(struct mesh_area* mesh);
  * @param edns: edns data from client query.
  * @param rep: where to reply to.
  * @param qid: query id to reply with.
+ * @param rpz_passthru: if true, the rpz passthru was previously found and
+ * 	further rpz processing is stopped.
  */
 void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 	struct respip_client_info* cinfo, uint16_t qflags,
-	struct edns_data* edns, struct comm_reply* rep, uint16_t qid);
+	struct edns_data* edns, struct comm_reply* rep, uint16_t qid,
+	int rpz_passthru);
 
 /**
  * New query with callback. Create new query state if needed, and
@@ -314,11 +317,13 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
  * @param qid: query id to reply with.
  * @param cb: callback function.
  * @param cb_arg: callback user arg.
+ * @param rpz_passthru: if true, the rpz passthru was previously found and
+ * 	further rpz processing is stopped.
  * @return 0 on error.
  */
 int mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 	uint16_t qflags, struct edns_data* edns, struct sldns_buffer* buf, 
-	uint16_t qid, mesh_cb_func_type cb, void* cb_arg);
+	uint16_t qid, mesh_cb_func_type cb, void* cb_arg, int rpz_passthru);
 
 /**
  * New prefetch message. Create new query state if needed.
@@ -328,9 +333,11 @@ int mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
  * @param qinfo: query from client.
  * @param qflags: flags from client query.
  * @param leeway: TTL leeway what to expire earlier for this update.
+ * @param rpz_passthru: if true, the rpz passthru was previously found and
+ * 	further rpz processing is stopped.
  */
 void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
-	uint16_t qflags, time_t leeway);
+	uint16_t qflags, time_t leeway, int rpz_passthru);
 
 /**
  * Handle new event from the wire. A serviced query has returned.

services/outbound_list.h

@@ -79,7 +79,7 @@ void outbound_list_init(struct outbound_list* list);
  * Clear the user owner outbound list structure.
  * Deletes serviced queries.
  * @param list: the list structure. It is cleared, but the list struct itself
- * 	is callers responsability to delete.
+ * 	is callers responsibility to delete.
  */
 void outbound_list_clear(struct outbound_list* list);
 

services/outside_network.h

@@ -43,7 +43,9 @@
 #ifndef OUTSIDE_NETWORK_H
 #define OUTSIDE_NETWORK_H
 
+#include "util/alloc.h"
 #include "util/rbtree.h"
+#include "util/regional.h"
 #include "util/netevent.h"
 #include "dnstap/dnstap_config.h"
 struct pending;
@@ -63,6 +65,7 @@ struct edns_option;
 struct module_env;
 struct module_qstate;
 struct query_info;
+struct config_file;
 
 /**
  * Send queries to outside servers and wait for answers from servers.
@@ -158,6 +161,12 @@ struct outside_network {
 	size_t num_tcp;
 	/** number of tcp communication points in use. */
 	size_t num_tcp_outgoing;
+	/** max number of queries on a reuse connection */
+	size_t max_reuse_tcp_queries;
+	/** timeout for REUSE entries in milliseconds. */
+	int tcp_reuse_timeout;
+	/** timeout in milliseconds for TCP queries to auth servers. */
+	int tcp_auth_query_timeout;
 	/**
 	 * tree of still-open and waiting tcp connections for reuse.
 	 * can be closed and reopened to get a new tcp connection.
@@ -295,11 +304,6 @@ struct reuse_tcp {
 	struct outside_network* outnet;
 };
 
-/** max number of queries on a reuse connection */
-#define MAX_REUSE_TCP_QUERIES 200
-/** timeout for REUSE entries in milliseconds. */
-#define REUSE_TIMEOUT 60000
-
 /**
  * A query that has an answer pending for it.
  */
@@ -410,6 +414,8 @@ struct waiting_tcp {
 	char* tls_auth_name;
 	/** the packet was involved in an error, to stop looping errors */
 	int error_count;
+	/** if true, the item is at the cb_and_decommission stage */
+	int in_cb_and_decommission;
 #ifdef USE_DNSTAP
 	/** serviced query pointer for dnstap to get logging info, if nonNULL*/
 	struct serviced_query* sq;
@@ -510,6 +516,15 @@ struct serviced_query {
 	void* pending;
 	/** block size with which to pad encrypted queries (default: 128) */
 	size_t padding_block_size;
+	/** region for this serviced query. Will be cleared when this
+	 * serviced_query will be deleted */
+	struct regional* region;
+	/** allocation service for the region */
+	struct alloc_cache* alloc;
+	/** flash timer to start the net I/O as a separate event */
+	struct comm_timer* timer;
+	/** true if serviced_query is currently doing net I/O and may block */
+	int busy;
 };
 
 /**
@@ -540,6 +555,9 @@ struct serviced_query {
  * @param tls_use_sni: if SNI is used for TLS connections.
  * @param dtenv: environment to send dnstap events with (if enabled).
  * @param udp_connect: if the udp_connect option is enabled.
+ * @param max_reuse_tcp_queries: max number of queries on a reuse connection.
+ * @param tcp_reuse_timeout: timeout for REUSE entries in milliseconds.
+ * @param tcp_auth_query_timeout: timeout in milliseconds for TCP queries to auth servers.
  * @return: the new structure (with no pending answers) or NULL on error.
  */
 struct outside_network* outside_network_create(struct comm_base* base,
@@ -549,7 +567,8 @@ struct outside_network* outside_network_create(struct comm_base* base,
 	int numavailports, size_t unwanted_threshold, int tcp_mss,
 	void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
 	void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv,
-	int udp_connect);
+	int udp_connect, int max_reuse_tcp_queries, int tcp_reuse_timeout,
+	int tcp_auth_query_timeout);
 
 /**
  * Delete outside_network structure.
@@ -613,6 +632,7 @@ void pending_delete(struct outside_network* outnet, struct pending* p);
  * @param want_dnssec: signatures are needed, without EDNS the answer is
  * 	likely to be useless.
  * @param nocaps: ignore use_caps_for_id and use unperturbed qname.
+ * @param check_ratelimit: if set, will check ratelimit before sending out.
  * @param tcp_upstream: use TCP for upstream queries.
  * @param ssl_upstream: use SSL for upstream queries.
  * @param tls_auth_name: when ssl_upstream is true, use this name to check
@@ -629,16 +649,18 @@ void pending_delete(struct outside_network* outnet, struct pending* p);
  * @param callback_arg: user argument to callback function.
  * @param buff: scratch buffer to create query contents in. Empty on exit.
  * @param env: the module environment.
+ * @param was_ratelimited: it will signal back if the query failed to pass the
+ *	ratelimit check.
  * @return 0 on error, or pointer to serviced query that is used to answer
  *	this serviced query may be shared with other callbacks as well.
  */
 struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec,
-	int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
+	int nocaps, int check_ratelimit, int tcp_upstream, int ssl_upstream,
-	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
+	char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen,
-	size_t zonelen, struct module_qstate* qstate,
+	uint8_t* zone, size_t zonelen, struct module_qstate* qstate,
 	comm_point_callback_type* callback, void* callback_arg,
-	struct sldns_buffer* buff, struct module_env* env);
+	struct sldns_buffer* buff, struct module_env* env, int* was_ratelimited);
 
 /**
  * Remove service query callback.
@@ -676,12 +698,28 @@ struct waiting_tcp* reuse_tcp_by_id_find(struct reuse_tcp* reuse, uint16_t id);
 /** insert element in tree by id */
 void reuse_tree_by_id_insert(struct reuse_tcp* reuse, struct waiting_tcp* w);
 
+/** insert element in tcp_reuse tree and LRU list */
+int reuse_tcp_insert(struct outside_network* outnet,
+	struct pending_tcp* pend_tcp);
+
+/** touch the LRU of the element */
+void reuse_tcp_lru_touch(struct outside_network* outnet,
+	struct reuse_tcp* reuse);
+
+/** remove element from tree and LRU list */
+void reuse_tcp_remove_tree_list(struct outside_network* outnet,
+	struct reuse_tcp* reuse);
+
+/** snip the last reuse_tcp element off of the LRU list if any */
+struct reuse_tcp* reuse_tcp_lru_snip(struct outside_network* outnet);
+
 /** delete readwait waiting_tcp elements, deletes the elements in the list */
 void reuse_del_readwait(rbtree_type* tree_by_id);
 
 /** get TCP file descriptor for address, returns -1 on failure,
  * tcp_mss is 0 or maxseg size to set for TCP packets. */
-int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp);
+int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen,
+	int tcp_mss, int dscp);
 
 /**
  * Create udp commpoint suitable for sending packets to the destination.
@@ -735,12 +773,13 @@ struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet,
  * @param ssl: set to true for https.
  * @param host: hostname to use for the destination. part of http request.
  * @param path: pathname to lookup, eg. name of the file on the destination.
+ * @param cfg: running configuration for User-Agent setup.
  * @return http_out commpoint, or NULL.
  */
 struct comm_point* outnet_comm_point_for_http(struct outside_network* outnet,
 	comm_point_callback_type* cb, void* cb_arg,
 	struct sockaddr_storage* to_addr, socklen_t to_addrlen, int timeout,
-	int ssl, char* host, char* path);
+	int ssl, char* host, char* path, struct config_file* cfg);
 
 /** connect tcp connection to addr, 0 on failure */
 int outnet_tcp_connect(int s, struct sockaddr_storage* addr, socklen_t addrlen);
@@ -762,6 +801,9 @@ void pending_udp_timer_delay_cb(void *arg);
 /** callback for outgoing TCP timer event */
 void outnet_tcptimer(void* arg);
 
+/** callback to send serviced queries */
+void serviced_timer_cb(void *arg);
+
 /** callback for serviced query UDP answers */
 int serviced_udp_callback(struct comm_point* c, void* arg, int error,
         struct comm_reply* rep);

services/rpz.h

@@ -50,6 +50,7 @@
 #include "sldns/sbuffer.h"
 #include "daemon/stats.h"
 #include "respip/respip.h"
+struct iter_qstate;
 
 /**
  * RPZ triggers, only the QNAME trigger is currently supported in Unbound.
@@ -83,6 +84,27 @@ enum rpz_action {
 	RPZ_CNAME_OVERRIDE_ACTION, /* RPZ CNAME action override*/
 };
 
+struct clientip_synthesized_rrset{
+	struct regional* region;
+	struct rbtree_type entries;
+	lock_rw_type lock;	/* lock on the respip tree */
+};
+
+struct clientip_synthesized_rr {
+	/** node in address tree */
+	struct addr_tree_node node;
+	/** lock on the node item */
+	lock_rw_type lock;
+	/** tag bitlist */
+	uint8_t* taglist;
+	/** length of the taglist (in bytes) */
+	size_t taglen;
+	/** action for this address span */
+	enum rpz_action action;
+	/** "local data" for this node */
+	struct local_rrset* data;
+};
+
 /**
  * RPZ containing policies. Pointed to from corresponding auth-zone. Part of a
  * linked list to keep configuration order. Iterating or changing the linked
@@ -92,12 +114,17 @@ enum rpz_action {
 struct rpz {
 	struct local_zones* local_zones;
 	struct respip_set* respip_set;
+	struct clientip_synthesized_rrset* client_set;
+	struct clientip_synthesized_rrset* ns_set;
+	struct local_zones* nsdname_zones;
 	uint8_t* taglist;
 	size_t taglistlen;
 	enum rpz_action action_override;
 	struct ub_packed_rrset_key* cname_override;
 	int log;
 	char* log_name;
+	/** signal NXDOMAIN blocked with unset RA flag */
+	int signal_nxdomain_ra;
 	struct regional* region;
 	int disabled;
 };
@@ -147,14 +174,39 @@ void rpz_remove_rr(struct rpz* r, size_t aznamelen, uint8_t* dname,
  * @param temp: scratchpad
  * @param repinfo: reply info
  * @param taglist: taglist to lookup.
- * @param taglen: lenth of taglist.
+ * @param taglen: length of taglist.
  * @param stats: worker stats struct
+ * @param passthru: returns if the query can passthru further rpz processing.
  * @return: 1 if client answer is ready, 0 to continue resolving
  */
-int rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
+int rpz_callback_from_worker_request(struct auth_zones* az, struct module_env* env,
 	struct query_info* qinfo, struct edns_data* edns, sldns_buffer* buf,
 	struct regional* temp, struct comm_reply* repinfo,
-	uint8_t* taglist, size_t taglen, struct ub_server_stats* stats);
+	uint8_t* taglist, size_t taglen, struct ub_server_stats* stats,
+	int* passthru);
+
+/**
+ * Callback to process when the iterator module is about to send queries.
+ * Checks for nsip and nsdname triggers.
+ * @param qstate: the query state.
+ * @param iq: iterator module query state.
+ * @return NULL if nothing is done. Or a new message with the contents from
+ * 	the rpz, based on the delegation point. It is allocated in the
+ * 	qstate region.
+ */
+struct dns_msg* rpz_callback_from_iterator_module(struct module_qstate* qstate,
+	struct iter_qstate* iq);
+
+/**
+ * Callback to process when the iterator module has followed a cname.
+ * There can be a qname trigger for the new query name.
+ * @param qstate: the query state.
+ * @param iq: iterator module query state.
+ * @return NULL if nothing is done. Or a new message with the contents from
+ * 	the rpz, based on the iq.qchase. It is allocated in the qstate region.
+ */
+struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* qstate,
+	struct iter_qstate* iq);
 
 /**
  * Delete RPZ
@@ -186,7 +238,7 @@ enum rpz_action
 respip_action_to_rpz_action(enum respip_action a);
 
 /**
- * Prepare RPZ after procesing feed content.
+ * Prepare RPZ after processing feed content.
  * @param r: RPZ to use
  */
 void rpz_finish_config(struct rpz* r);

sldns/keyraw.c

@@ -26,11 +26,15 @@
 #ifdef HAVE_OPENSSL_BN_H
 #include <openssl/bn.h>
 #endif
-#ifdef HAVE_OPENSSL_RSA_H
+#ifdef HAVE_OPENSSL_PARAM_BUILD_H
-#include <openssl/rsa.h>
+#  include <openssl/param_build.h>
-#endif
+#else
-#ifdef HAVE_OPENSSL_DSA_H
+#  ifdef HAVE_OPENSSL_RSA_H
-#include <openssl/dsa.h>
+#  include <openssl/rsa.h>
+#  endif
+#  ifdef HAVE_OPENSSL_DSA_H
+#  include <openssl/dsa.h>
+#  endif
 #endif
 #endif /* HAVE_SSL */
 
@@ -191,48 +195,63 @@ void sldns_key_EVP_unload_gost(void)
 }
 #endif /* USE_GOST */
 
-DSA *
+/* Retrieve params as BIGNUM from raw buffer */
-sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
+static int
+sldns_key_dsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** p,
+	BIGNUM** q, BIGNUM** g, BIGNUM** y)
 {
 	uint8_t T;
 	uint16_t length;
 	uint16_t offset;
-	DSA *dsa;
-	BIGNUM *Q; BIGNUM *P;
-	BIGNUM *G; BIGNUM *Y;
 
 	if(len == 0)
-		return NULL;
+		return 0;
 	T = (uint8_t)key[0];
 	length = (64 + T * 8);
 	offset = 1;
 
 	if (T > 8) {
-		return NULL;
+		return 0;
 	}
 	if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
-		return NULL;
+		return 0;
 
-	Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
+	*q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
 	offset += SHA_DIGEST_LENGTH;
 
-	P = BN_bin2bn(key+offset, (int)length, NULL);
+	*p = BN_bin2bn(key+offset, (int)length, NULL);
 	offset += length;
 
-	G = BN_bin2bn(key+offset, (int)length, NULL);
+	*g = BN_bin2bn(key+offset, (int)length, NULL);
 	offset += length;
 
-	Y = BN_bin2bn(key+offset, (int)length, NULL);
+	*y = BN_bin2bn(key+offset, (int)length, NULL);
 
-	/* create the key and set its properties */
+	if(!*q || !*p || !*g || !*y) {
-	if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
+		BN_free(*q);
-		BN_free(Q);
+		BN_free(*p);
-		BN_free(P);
+		BN_free(*g);
-		BN_free(G);
+		BN_free(*y);
-		BN_free(Y);
+		return 0;
+	}
+	return 1;
+}
+
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
+DSA *
+sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
+{
+	DSA *dsa;
+	BIGNUM *Q=NULL, *P=NULL, *G=NULL, *Y=NULL;
+	if(!sldns_key_dsa_buf_bignum(key, len, &P, &Q, &G, &Y)) {
 		return NULL;
 	}
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
+	/* create the key and set its properties */
+	if(!(dsa = DSA_new())) {
+		return NULL;
+	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || \
+        (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f)
 #ifndef S_SPLINT_S
 	dsa->p = P;
 	dsa->q = Q;
@@ -261,22 +280,111 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 
 	return dsa;
 }
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
 
-RSA *
+EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len)
-sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
+{
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+	EVP_PKEY* evp_key = NULL;
+	EVP_PKEY_CTX* ctx;
+	BIGNUM *p=NULL, *q=NULL, *g=NULL, *y=NULL;
+	OSSL_PARAM_BLD* param_bld;
+	OSSL_PARAM* params = NULL;
+	if(!sldns_key_dsa_buf_bignum(key, len, &p, &q, &g, &y)) {
+		return NULL;
+	}
+
+	param_bld = OSSL_PARAM_BLD_new();
+	if(!param_bld) {
+		BN_free(p);
+		BN_free(q);
+		BN_free(g);
+		BN_free(y);
+		return NULL;
+	}
+	if(!OSSL_PARAM_BLD_push_BN(param_bld, "p", p) ||
+	   !OSSL_PARAM_BLD_push_BN(param_bld, "g", g) ||
+	   !OSSL_PARAM_BLD_push_BN(param_bld, "q", q) ||
+	   !OSSL_PARAM_BLD_push_BN(param_bld, "pub", y)) {
+		OSSL_PARAM_BLD_free(param_bld);
+		BN_free(p);
+		BN_free(q);
+		BN_free(g);
+		BN_free(y);
+		return NULL;
+	}
+	params = OSSL_PARAM_BLD_to_param(param_bld);
+	OSSL_PARAM_BLD_free(param_bld);
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+	if(!ctx) {
+		OSSL_PARAM_free(params);
+		BN_free(p);
+		BN_free(q);
+		BN_free(g);
+		BN_free(y);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		BN_free(p);
+		BN_free(q);
+		BN_free(g);
+		BN_free(y);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		BN_free(p);
+		BN_free(q);
+		BN_free(g);
+		BN_free(y);
+		return NULL;
+	}
+
+	EVP_PKEY_CTX_free(ctx);
+	OSSL_PARAM_free(params);
+	BN_free(p);
+	BN_free(q);
+	BN_free(g);
+	BN_free(y);
+	return evp_key;
+#else
+	DSA* dsa;
+	EVP_PKEY* evp_key = EVP_PKEY_new();
+	if(!evp_key) {
+		return NULL;
+	}
+	dsa = sldns_key_buf2dsa_raw(key, len);
+	if(!dsa) {
+		EVP_PKEY_free(evp_key);
+		return NULL;
+	}
+	if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
+		DSA_free(dsa);
+		EVP_PKEY_free(evp_key);
+		return NULL;
+	}
+	return evp_key;
+#endif
+}
+
+/* Retrieve params as BIGNUM from raw buffer, n is modulus, e is exponent */
+static int
+sldns_key_rsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** n,
+	BIGNUM** e)
 {
 	uint16_t offset;
 	uint16_t exp;
 	uint16_t int16;
-	RSA *rsa;
-	BIGNUM *modulus;
-	BIGNUM *exponent;
 
 	if (len == 0)
-		return NULL;
+		return 0;
 	if (key[0] == 0) {
 		if(len < 3)
-			return NULL;
+			return 0;
 		memmove(&int16, key+1, 2);
 		exp = ntohs(int16);
 		offset = 3;
@@ -287,30 +395,42 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 
 	/* key length at least one */
 	if(len < (size_t)offset + exp + 1)
-		return NULL;
+		return 0;
 
 	/* Exponent */
-	exponent = BN_new();
+	*e = BN_new();
-	if(!exponent) return NULL;
+	if(!*e) return 0;
-	(void) BN_bin2bn(key+offset, (int)exp, exponent);
+	(void) BN_bin2bn(key+offset, (int)exp, *e);
 	offset += exp;
 
 	/* Modulus */
-	modulus = BN_new();
+	*n = BN_new();
-	if(!modulus) {
+	if(!*n) {
-		BN_free(exponent);
+		BN_free(*e);
-		return NULL;
+		return 0;
 	}
 	/* length of the buffer must match the key length! */
-	(void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
+	(void) BN_bin2bn(key+offset, (int)(len - offset), *n);
+	return 1;
+}
 
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
+RSA *
+sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
+{
+	BIGNUM* modulus = NULL;
+	BIGNUM* exponent = NULL;
+	RSA *rsa;
+	if(!sldns_key_rsa_buf_bignum(key, len, &modulus, &exponent))
+		return NULL;
 	rsa = RSA_new();
 	if(!rsa) {
 		BN_free(exponent);
 		BN_free(modulus);
 		return NULL;
 	}
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || \
+        (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f)
 #ifndef S_SPLINT_S
 	rsa->n = modulus;
 	rsa->e = exponent;
@@ -327,6 +447,88 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 
 	return rsa;
 }
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
+
+EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len)
+{
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+	EVP_PKEY* evp_key = NULL;
+	EVP_PKEY_CTX* ctx;
+	BIGNUM *n=NULL, *e=NULL;
+	OSSL_PARAM_BLD* param_bld;
+	OSSL_PARAM* params = NULL;
+
+	if(!sldns_key_rsa_buf_bignum(key, len, &n, &e)) {
+		return NULL;
+	}
+
+	param_bld = OSSL_PARAM_BLD_new();
+	if(!param_bld) {
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+	if(!OSSL_PARAM_BLD_push_BN(param_bld, "n", n)) {
+		OSSL_PARAM_BLD_free(param_bld);
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+	if(!OSSL_PARAM_BLD_push_BN(param_bld, "e", e)) {
+		OSSL_PARAM_BLD_free(param_bld);
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+	params = OSSL_PARAM_BLD_to_param(param_bld);
+	OSSL_PARAM_BLD_free(param_bld);
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+	if(!ctx) {
+		OSSL_PARAM_free(params);
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+
+	EVP_PKEY_CTX_free(ctx);
+	OSSL_PARAM_free(params);
+	BN_free(n);
+	BN_free(e);
+	return evp_key;
+#else
+	RSA* rsa;
+	EVP_PKEY *evp_key = EVP_PKEY_new();
+	if(!evp_key) {
+		return NULL;
+	}
+	rsa = sldns_key_buf2rsa_raw(key, len);
+	if(!rsa) {
+		EVP_PKEY_free(evp_key);
+		return NULL;
+	}
+	if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
+		RSA_free(rsa);
+		EVP_PKEY_free(evp_key);
+		return NULL;
+	}
+	return evp_key;
+#endif
+}
 
 #ifdef USE_GOST
 EVP_PKEY*
@@ -357,6 +559,62 @@ sldns_gost2pkey_raw(unsigned char* key, size_t keylen)
 EVP_PKEY*
 sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
 {
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
+	EVP_PKEY *evp_key = NULL;
+	EVP_PKEY_CTX* ctx;
+	OSSL_PARAM_BLD* param_bld;
+	OSSL_PARAM* params = NULL;
+	char* group = NULL;
+
+	/* check length, which uncompressed must be 2 bignums */
+	if(algo == LDNS_ECDSAP256SHA256) {
+		if(keylen != 2*256/8) return NULL;
+		group = "prime256v1";
+	} else if(algo == LDNS_ECDSAP384SHA384) {
+		if(keylen != 2*384/8) return NULL;
+		group = "P-384";
+	} else {
+		return NULL;
+	}
+	if(keylen+1 > sizeof(buf)) { /* sanity check */
+		return NULL;
+	}
+	/* prepend the 0x04 for uncompressed format */
+	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
+	memmove(buf+1, key, keylen);
+
+	param_bld = OSSL_PARAM_BLD_new();
+	if(!param_bld) {
+		return NULL;
+	}
+	if(!OSSL_PARAM_BLD_push_utf8_string(param_bld, "group", group, 0) ||
+	   !OSSL_PARAM_BLD_push_octet_string(param_bld, "pub", buf, keylen+1)) {
+		OSSL_PARAM_BLD_free(param_bld);
+		return NULL;
+	}
+	params = OSSL_PARAM_BLD_to_param(param_bld);
+	OSSL_PARAM_BLD_free(param_bld);
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
+	if(!ctx) {
+		OSSL_PARAM_free(params);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		return NULL;
+	}
+	EVP_PKEY_CTX_free(ctx);
+	OSSL_PARAM_free(params);
+	return evp_key;
+#else
 	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
         const unsigned char* pp = buf;
         EVP_PKEY *evp_key;
@@ -393,6 +651,7 @@ sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
 		return NULL;
 	}
         return evp_key;
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
 }
 #endif /* USE_ECDSA */
 

sldns/keyraw.h

@@ -57,6 +57,7 @@ int sldns_key_EVP_load_gost_id(void);
 /** Release the engine reference held for the GOST engine. */
 void sldns_key_EVP_unload_gost(void);
 
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
 /**
  * Like sldns_key_buf2dsa, but uses raw buffer.
  * \param[in] key the uncompressed wireformat of the key.
@@ -64,6 +65,15 @@ void sldns_key_EVP_unload_gost(void);
  * \return a DSA * structure with the key material
  */
 DSA *sldns_key_buf2dsa_raw(unsigned char* key, size_t len);
+#endif
+
+/**
+ * Converts a holding buffer with DSA key material to EVP PKEY in openssl.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len);
 
 /**
  * Converts a holding buffer with key material to EVP PKEY in openssl.
@@ -84,6 +94,7 @@ EVP_PKEY* sldns_gost2pkey_raw(unsigned char* key, size_t keylen);
  */
 EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
 
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
 /**
  * Like sldns_key_buf2rsa, but uses raw buffer.
  * \param[in] key the uncompressed wireformat of the key.
@@ -91,6 +102,15 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
  * \return a RSA * structure with the key material
  */
 RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len);
+#endif
+
+/**
+ * Converts a holding buffer with RSA key material to EVP PKEY in openssl.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len);
 
 /**
  * Converts a holding buffer with key material to EVP PKEY in openssl.

sldns/parse.c

@@ -149,6 +149,9 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 		if (c != '\0' && c != '\n') {
 			*t++ = c;
 		}
+		if (c == '\n' && line_nr) {
+			*line_nr = *line_nr + 1;
+		}
 		if (c == '\\' && prev_c == '\\')
 			prev_c = 0;
 		else	prev_c = c;

sldns/parseutil.c

@@ -209,11 +209,13 @@ sldns_hexdigit_to_int(char ch)
 }
 
 uint32_t
-sldns_str2period(const char *nptr, const char **endptr)
+sldns_str2period(const char *nptr, const char **endptr, int* overflow)
 {
 	int sign = 0;
 	uint32_t i = 0;
 	uint32_t seconds = 0;
+	const uint32_t maxint = 0xffffffff;
+	*overflow = 0;
 
 	for(*endptr = nptr; **endptr; (*endptr)++) {
 		switch (**endptr) {
@@ -236,26 +238,46 @@ sldns_str2period(const char *nptr, const char **endptr)
 				break;
 			case 's':
 			case 'S':
+				if(seconds > maxint-i) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i;
 				i = 0;
 				break;
 			case 'm':
 			case 'M':
+				if(i > maxint/60 || seconds > maxint-(i*60)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60;
 				i = 0;
 				break;
 			case 'h':
 			case 'H':
+				if(i > maxint/(60*60) || seconds > maxint-(i*60*60)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60 * 60;
 				i = 0;
 				break;
 			case 'd':
 			case 'D':
+				if(i > maxint/(60*60*24) || seconds > maxint-(i*60*60*24)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60 * 60 * 24;
 				i = 0;
 				break;
 			case 'w':
 			case 'W':
+				if(i > maxint/(60*60*24*7) || seconds > maxint-(i*60*60*24*7)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60 * 60 * 24 * 7;
 				i = 0;
 				break;
@@ -269,15 +291,27 @@ sldns_str2period(const char *nptr, const char **endptr)
 			case '7':
 			case '8':
 			case '9':
+				if(i > maxint/10 || i*10 > maxint - (**endptr - '0')) {
+					*overflow = 1;
+					return 0;
+				}
 				i *= 10;
 				i += (**endptr - '0');
 				break;
 			default:
+				if(seconds > maxint-i) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i;
 				/* disregard signedness */
 				return seconds;
 		}
 	}
+	if(seconds > maxint-i) {
+		*overflow = 1;
+		return 0;
+	}
 	seconds += i;
 	/* disregard signedness */
 	return seconds;
@@ -790,3 +824,18 @@ int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
 	}
 	return sldns_b64_pton_base(src, srcsize, target, targsize, 1);
 }
+
+int sldns_b64_contains_nonurl(char const *src, size_t srcsize)
+{
+	const char* s = src;
+	while(*s && srcsize) {
+		char d = *s++;
+		srcsize--;
+		/* the '+' and the '/' and padding '=' is not allowed in b64
+		 * url encoding */
+		if(d == '+' || d == '/' || d == '=') {
+			return 1;
+		}
+	}
+	return 0;
+}