diff --git a/config.h.in b/config.h.in index 90c9cbb5a..956224da7 100644 --- a/config.h.in +++ b/config.h.in @@ -76,6 +76,12 @@ /* Define to 1 if you have the `getrlimit' function. */ #undef HAVE_GETRLIMIT +/* Define to 1 if you have the `glob' function. */ +#undef HAVE_GLOB + +/* Define to 1 if you have the header file. */ +#undef HAVE_GLOB_H + /* Define to 1 if you have the `gmtime_r' function. */ #undef HAVE_GMTIME_R diff --git a/configure b/configure index 027766ebd..55a68c5f2 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.61 for unbound 1.1.2. +# Generated by GNU Autoconf 2.61 for unbound 1.2.0. # # Report bugs to . # @@ -724,8 +724,8 @@ SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.1.2' -PACKAGE_STRING='unbound 1.1.2' +PACKAGE_VERSION='1.2.0' +PACKAGE_STRING='unbound 1.2.0' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl' # Factoring default headers for most tests. @@ -1368,7 +1368,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.1.2 to adapt to many kinds of systems. +\`configure' configures unbound 1.2.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1433,7 +1433,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.1.2:";; + short | recursive ) echo "Configuration of unbound 1.2.0:";; esac cat <<\_ACEOF @@ -1566,7 +1566,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.1.2 +unbound configure 1.2.0 generated by GNU Autoconf 2.61 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 
@@ -1580,7 +1580,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.1.2, which was +It was created by unbound $as_me 1.2.0, which was generated by GNU Autoconf 2.61. Invocation command line was $ $0 $@ @@ -1942,7 +1942,7 @@ LIBUNBOUND_AGE=0 # 1.0.2 had 0:14:0 # 1.1.0 had 0:15:0 # 1.1.1 had 0:16:0 -# 1.1.2 had 0:17:0 +# 1.2.0 had 0:17:0 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -19758,7 +19758,8 @@ fi -for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h + +for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` { echo "$as_me:$LINENO: checking for $ac_header" >&5 @@ -25072,7 +25073,8 @@ fi -for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid + +for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` { echo "$as_me:$LINENO: checking for $ac_func" >&5 @@ -26879,7 +26881,7 @@ exec 6>&1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.1.2, which was +This file was extended by unbound $as_me 1.2.0, which was generated by GNU Autoconf 2.61. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -26928,7 +26930,7 @@ Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -unbound config.status 1.1.2 +unbound config.status 1.2.0 configured by $0, generated by GNU Autoconf 2.61, with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" diff --git a/configure.ac b/configure.ac index 3b8479643..587120d77 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.56) -AC_INIT(unbound, 1.1.2, unbound-bugs@nlnetlabs.nl, unbound) +AC_INIT(unbound, 1.2.0, unbound-bugs@nlnetlabs.nl, unbound) LIBUNBOUND_CURRENT=0 LIBUNBOUND_REVISION=17 @@ -12,7 +12,7 @@ LIBUNBOUND_AGE=0 # 1.0.2 had 0:14:0 # 1.1.0 had 0:15:0 # 1.1.1 had 0:16:0 -# 1.1.2 had 0:17:0 +# 1.2.0 had 0:17:0 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -441,7 +441,7 @@ AC_PROG_LIBTOOL # Checks for header files. AC_HEADER_STDC -AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h],,, [AC_INCLUDES_DEFAULT]) # check for types AC_CHECK_TYPE(int8_t, char) 
@@ -815,7 +815,7 @@ AC_CHECK_GETADDRINFO_WITH_INCLUDES if test $ac_cv_func_getaddrinfo = no; then AC_LIBOBJ([fake-rfc2553]) fi -AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid]) +AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob]) # check if setreuid en setregid fail, on MacOSX10.4(darwin8). if echo $build_os | grep darwin8 > /dev/null; then diff --git a/doc/Changelog b/doc/Changelog index b0c684630..8a2296c9d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,8 @@ +7 January 2009: Wouter + - version 1.2.0 in preparation. + - feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file + statements. (Adapted from patch by Paul Wouters). + 6 January 2009: Wouter - fixup packet-of-death when compiled with --enable-debug. A malformed packet could cause an internal assertion failure. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index cf50d2725..036f97994 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -491,6 +491,8 @@ File with trusted keys for validation. Specify more than one file with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR but has a different file format. Format is BIND\-9 style format, the trusted\-keys { name flag proto algo "key"; }; clauses are read. +It is possible to use wildcards with this statement, the wildcard is +expanded on start and on reload. .TP .B dlv\-anchor\-file: \fI File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c index 665d42404..4b78e6a21 100644 --- a/smallapp/unbound-checkconf.c +++ b/smallapp/unbound-checkconf.c 
@@ -57,6 +57,9 @@
 #ifdef HAVE_SYS_STAT_H
 #include
 #endif
+#ifdef HAVE_GLOB_H
+#include
+#endif
 /** Give checkconf usage, and exit (1). */
 static void
@@ -262,6 +265,27 @@ check_chroot_filelist(const char* desc, struct config_strlist* list,
 }
 }
+/** check file list, with wilcard processing. */
+static void
+check_chroot_filelist_wild(const char* desc, struct config_strlist* list,
+ const char* chrootdir, struct config_file* cfg)
+{
+ struct config_strlist* p;
+ for(p=list; p; p=p->next) {
+#ifdef HAVE_GLOB
+ if(strchr(p->str, '*') || strchr(p->str, '[') ||
+ strchr(p->str, '?') || strchr(p->str, '{') ||
+ strchr(p->str, '~')) {
+ char* s = p->str;
+ /* adjust whole pattern for chroot and check later */
+ p->str = fname_after_chroot(p->str, cfg, 1);
+ free(s);
+ } else
+#endif /* HAVE_GLOB */
+ check_chroot_string(desc, &p->str, chrootdir, cfg);
+ }
+}
+
 /** check configuration for errors */
 static void
 morechecks(struct config_file* cfg, const char* fname)
@@ -330,7 +354,7 @@ morechecks(struct config_file* cfg, const char* fname)
 cfg->root_hints, cfg->chrootdir, cfg);
 check_chroot_filelist("trust-anchor-file",
 cfg->trust_anchor_file_list, cfg->chrootdir, cfg);
- check_chroot_filelist("trusted-keys-file",
+ check_chroot_filelist_wild("trusted-keys-file",
 cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
 check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
 cfg->chrootdir, cfg);
diff --git a/validator/val_anchor.c b/validator/val_anchor.c
index 30c35b02c..7060da82e 100644
--- a/validator/val_anchor.c
+++ b/validator/val_anchor.c
@@ -46,6 +49,9 @@
 #include "util/net_help.h"
 #include "util/regional.h"
 #include "util/config_file.h"
+#ifdef HAVE_GLOB_H
+#include
+#endif
 int
 anchor_cmp(const void* k1, const void* k2)
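Review bot: The comment `/* adjust whole pattern for chroot and check later */` in check_chroot_filelist_wild promises a later check, but nothing in this hunk or at the morechecks call site verifies that a wildcard entry matches any file or that the matches are readable, so unbound-checkconf accepts a pattern that would give the daemon no trust anchors at all. If deferring that to the daemon is intended, the comment should say so, e.g. `/* wildcard: only prefix the chroot here; the daemon expands the pattern at load time */`. The strchr chain that classifies an entry as a wildcard duplicates the one in validator/val_anchor.c (anchor_read_bind_file_wild); a single shared helper would keep the two character sets from drifting apart. The doc comment also has a typo (`wilcard`) and should document desc, list, chrootdir and cfg and note that for a wildcard entry p->str is replaced with the chroot-adjusted pattern and the original string freed.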
@@ -662,6 +665,77 @@ anchor_read_bind_file(struct val_anchors* anchors, ldns_buffer* buffer,
 return 1;
 }
+/**
+ * Read a BIND9 like files with trust anchors in named.conf format.
+ * Performs wildcard processing of name.
+ * @param anchors: anchor storage.
+ * @param buffer: parsing buffer.
+ * @param pat: pattern string. (can be wildcarded)
+ * @return false on error.
+ */
+static int
+anchor_read_bind_file_wild(struct val_anchors* anchors, ldns_buffer* buffer,
+ const char* pat)
+{
+#ifdef HAVE_GLOB
+ glob_t g;
+ size_t i;
+ int r, flags;
+ if(!strchr(pat, '*') && !strchr(pat, '?') && !strchr(pat, '[') &&
+ !strchr(pat, '{') && !strchr(pat, '~')) {
+ return anchor_read_bind_file(anchors, buffer, pat);
+ }
+ verbose(VERB_QUERY, "wildcard found, processing %s", pat);
+ flags = 0
+#ifdef GLOB_ERR
+ | GLOB_ERR
+#endif
+#ifdef GLOB_NOSORT
+ | GLOB_NOSORT
+#endif
+#ifdef GLOB_BRACE
+ | GLOB_BRACE
+#endif
+#ifdef GLOB_TILDE
+ | GLOB_TILDE
+#endif
+ ;
+ memset(&g, 0, sizeof(g));
+ r = glob(pat, flags, NULL, &g);
+ if(r) {
+ /* some error */
+ if(r == GLOB_NOMATCH) {
+ verbose(VERB_QUERY, "trusted-keys-file: "
+ "no matches for %s", pat);
+ return 1;
+ } else if(r == GLOB_NOSPACE) {
+ log_err("wildcard trusted-keys-file %s: "
+ "pattern out of memory", pat);
+ } else if(r == GLOB_ABORTED) {
+ log_err("wildcard trusted-keys-file %s: expansion "
+ "aborted (%s)", pat, strerror(errno));
+ } else {
+ log_err("wildcard trusted-keys-file %s: expansion "
+ "failed (%s)", pat, strerror(errno));
+ }
+ return 0;
+ }
+ /* process files found, if any */
+ for(i=0; i<(size_t)g.gl_pathc; i++) {
+ if(!anchor_read_bind_file(anchors, buffer, g.gl_pathv[i])) {
+ log_err("error reading wildcard "
+ "trusted-keys-file: %s", g.gl_pathv[i]);
+ globfree(&g);
+ return 0;
+ }
+ }
+ globfree(&g);
+ return 1;
+#else /* not HAVE_GLOB */
+ return anchor_read_bind_file(anchors, buffer, pat);
+#endif /* HAVE_GLOB */
+}
+ /** + * Assemble an rrset structure for the type + * @param region: allocated in this region.
@@ -789,7 +863,7 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
 if(cfg->chrootdir && cfg->chrootdir[0] &&
 strncmp(nm, cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
 nm += strlen(cfg->chrootdir);
-if(!anchor_read_bind_file(anchors, parsebuf, nm)) {
+if(!anchor_read_bind_file_wild(anchors, parsebuf, nm)) {
 log_err("error reading trusted-keys-file: %s", f->str);
 ldns_buffer_free(parsebuf);
 return 0;
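Review bot: In anchor_read_bind_file_wild a pattern that matches nothing is logged only at VERB_QUERY and the function returns 1, so a mistyped trusted-keys-file pattern or a missing directory silently leaves the validator without those anchors; that branch deserves a message that is visible at the default verbosity, e.g. `log_warn("trusted-keys-file: no matches for %s", pat);` (or log_err, if log_warn is not available in this tree). The two log_err calls for GLOB_ABORTED and the default case print strerror(errno), but glob() is not specified to leave the underlying failure in errno, so the message may show a stale or unrelated error; printing the pattern alone, `log_err("wildcard trusted-keys-file %s: expansion aborted", pat);`, avoids misleading output. The strchr chain that decides whether pat is a pattern repeats the one in smallapp/unbound-checkconf.c (check_chroot_filelist_wild), so a shared helper would keep the two in sync. The header comment should also state that a non-matching pattern is not an error, that every matched file is loaded as a trust-anchor source, and that without HAVE_GLOB the string is passed through as a literal filename; `Read a BIND9 like files` reads better as `Read BIND9-style files`.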