Rebase on master

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.10.2.
+# Generated by GNU Autoconf 2.69 for unbound 1.11.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.10.2'
-PACKAGE_STRING='unbound 1.10.2'
+PACKAGE_VERSION='1.11.1'
+PACKAGE_STRING='unbound 1.11.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1458,7 +1458,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.10.2 to adapt to many kinds of systems.
+\`configure' configures unbound 1.11.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1523,7 +1523,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.10.2:";;
+     short | recursive ) echo "Configuration of unbound 1.11.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1750,7 +1750,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.10.2
+unbound configure 1.11.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2459,7 +2459,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.10.2, which was
+It was created by unbound $as_me 1.11.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2809,13 +2809,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 UNBOUND_VERSION_MAJOR=1
 
-UNBOUND_VERSION_MINOR=10
+UNBOUND_VERSION_MINOR=11
 
-UNBOUND_VERSION_MICRO=2
+UNBOUND_VERSION_MICRO=1
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=9
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2891,7 +2891,8 @@ LIBUNBOUND_AGE=1
 # 1.9.6 had 9:6:1
 # 1.10.0 had 9:7:1
 # 1.10.1 had 9:8:1
-# 1.10.2 had 9:9:1
+# 1.11.0 had 9:9:1
+# 1.11.1 had 9:10:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -21619,7 +21620,7 @@ _ACEOF
 
 
 
-version=1.10.2
+version=1.11.1
 
 date=`date +'%b %e, %Y'`
 
@@ -22138,7 +22139,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.10.2, which was
+This file was extended by unbound $as_me 1.11.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22204,7 +22205,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.10.2
+unbound config.status 1.11.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
 
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[10])
-m4_define([VERSION_MICRO],[2])
+m4_define([VERSION_MINOR],[11])
+m4_define([VERSION_MICRO],[1])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=9
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -94,7 +94,8 @@ LIBUNBOUND_AGE=1
 # 1.9.6 had 9:6:1
 # 1.10.0 had 9:7:1
 # 1.10.1 had 9:8:1
-# 1.10.2 had 9:9:1
+# 1.11.0 had 9:9:1
+# 1.11.1 had 9:10:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary

contrib/fastrpz.patch

@@ -2,7 +2,7 @@ Description: based on the included patch contrib/fastrpz.patch
 Author: fastrpz@farsightsecurity.com
 ---
 diff --git a/Makefile.in b/Makefile.in
-index a20058cc..495779cc 100644
+index bac212df..4824927f 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c
@@ -13,8 +13,8 @@ index a20058cc..495779cc 100644
 +FASTRPZ_OBJ=@FASTRPZ_OBJ@
  DNSCRYPT_SRC=@DNSCRYPT_SRC@
  DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
- WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
-@@ -127,7 +129,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
+ WITH_DYNLIBMODULE=@WITH_DYNLIBMODULE@
+@@ -134,7 +136,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
  edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
  edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
  cachedb/cachedb.c cachedb/redis.c respip/respip.c $(CHECKLOCK_SRC) \
@@ -23,16 +23,16 @@ index a20058cc..495779cc 100644
  COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
  as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
  iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
-@@ -140,7 +142,7 @@ autotrust.lo val_anchor.lo rpz.lo \
+@@ -147,7 +149,7 @@ autotrust.lo val_anchor.lo rpz.lo \
  validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
  val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo redis.lo authzone.lo \
  $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
--$(IPSECMOD_OBJ) $(IPSET_OBJ) respip.lo
-+$(FASTRPZ_OBJ) $(IPSECMOD_OBJ) $(IPSET_OBJ) respip.lo
+-$(IPSECMOD_OBJ) $(IPSET_OBJ) $(DYNLIBMOD_OBJ) respip.lo
++$(FASTRPZ_OBJ) $(IPSECMOD_OBJ) $(IPSET_OBJ) $(DYNLIBMOD_OBJ) respip.lo
  COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
  outside_network.lo
  COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
-@@ -410,6 +412,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
+@@ -428,6 +430,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
  	$(srcdir)/util/config_file.h $(srcdir)/util/log.h \
  	$(srcdir)/util/netevent.h
  
@@ -45,10 +45,10 @@ index a20058cc..495779cc 100644
  pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
  	pythonmod/interface.h \
 diff --git a/config.h.in b/config.h.in
-index 78d47fed..e33073e4 100644
+index f7a4095e..d5a4fa01 100644
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1345,4 +1345,11 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
+@@ -1364,4 +1364,11 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
  /** the version of unbound-control that this software implements */
  #define UNBOUND_CONTROL_VERSION 1
  
@@ -62,7 +62,7 @@ index 78d47fed..e33073e4 100644
 +/** turn on fastrpz response policy zones */
 +#undef ENABLE_FASTRPZ
 diff --git a/configure.ac b/configure.ac
-index 2b91dd3c..e6063d17 100644
+index 5c373d9d..e45abd89 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -6,6 +6,7 @@ sinclude(ax_pthread.m4)
@@ -73,10 +73,10 @@ index 2b91dd3c..e6063d17 100644
  sinclude(dnscrypt/dnscrypt.m4)
  
  # must be numbers. ac_defun because of later processing
-@@ -1778,6 +1779,9 @@ case "$enable_ipset" in
- 		;;
+@@ -1819,6 +1820,9 @@ case "$enable_explicit_port_randomisation" in
  esac
  
+ 
 +# check for Fastrpz with fastrpz/rpz.m4
 +ck_FASTRPZ
 +
@@ -84,7 +84,7 @@ index 2b91dd3c..e6063d17 100644
  # on openBSD, the implicit rule make $< work.
  # on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
 diff --git a/daemon/daemon.c b/daemon/daemon.c
-index 8b0fc348..7ffb9221 100644
+index 5d427925..f89f1437 100644
 --- a/daemon/daemon.c
 +++ b/daemon/daemon.c
 @@ -91,6 +91,9 @@
@@ -97,8 +97,8 @@ index 8b0fc348..7ffb9221 100644
  
  #ifdef HAVE_SYSTEMD
  #include <systemd/sd-daemon.h>
-@@ -458,6 +461,14 @@ daemon_create_workers(struct daemon* daemon)
- 		dt_apply_cfg(daemon->dtenv, daemon->cfg);
+@@ -456,6 +459,14 @@ daemon_create_workers(struct daemon* daemon)
+ 			fatal_exit("dt_create failed");
  #else
  		fatal_exit("dnstap enabled in config but not built with dnstap support");
 +#endif
@@ -112,7 +112,7 @@ index 8b0fc348..7ffb9221 100644
  #endif
  	}
  	for(i=0; i<daemon->num; i++) {
-@@ -731,6 +742,9 @@ daemon_cleanup(struct daemon* daemon)
+@@ -729,6 +740,9 @@ daemon_cleanup(struct daemon* daemon)
  #ifdef USE_DNSCRYPT
  	dnsc_delete(daemon->dnscenv);
  	daemon->dnscenv = NULL;
@@ -139,7 +139,7 @@ index 3effbafb..4d4c34da 100644
  
  /**
 diff --git a/daemon/worker.c b/daemon/worker.c
-index eb7fdf2f..1982228d 100644
+index 23e3244c..b63d49b7 100644
 --- a/daemon/worker.c
 +++ b/daemon/worker.c
 @@ -76,6 +76,9 @@
@@ -152,7 +152,7 @@ index eb7fdf2f..1982228d 100644
  #include "sldns/wire2str.h"
  #include "util/shm_side/shm_main.h"
  #include "dnscrypt/dnscrypt.h"
-@@ -534,8 +537,27 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
+@@ -535,8 +538,27 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
  			/* not secure */
  			secure = 0;
  			break;
@@ -180,7 +180,7 @@ index eb7fdf2f..1982228d 100644
  	/* return this delegation from the cache */
  	edns_bak = *edns;
  	edns->edns_version = EDNS_ADVERTISED_VERSION;
-@@ -710,6 +732,23 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
+@@ -711,6 +733,23 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
  			*is_secure_answer = 0;
  		}
  	} else *is_secure_answer = 0;
@@ -204,7 +204,7 @@ index eb7fdf2f..1982228d 100644
  
  	edns_bak = *edns;
  	edns->edns_version = EDNS_ADVERTISED_VERSION;
-@@ -1435,6 +1474,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
+@@ -1436,6 +1475,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
  		log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
  			&repinfo->addr, repinfo->addrlen);
  		goto send_reply;
@@ -220,7 +220,7 @@ index eb7fdf2f..1982228d 100644
  	}
  
  	/* If we've found a local alias, replace the qname with the alias
-@@ -1485,12 +1533,21 @@ lookup_cache:
+@@ -1486,12 +1534,21 @@ lookup_cache:
  		h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
  		if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
  			/* answer from cache - we have acquired a readlock on it */
@@ -244,7 +244,7 @@ index eb7fdf2f..1982228d 100644
  				/* prefetch it if the prefetch TTL expired.
  				 * Note that if there is more than one pass
  				 * its qname must be that used for cache
-@@ -1547,11 +1604,19 @@ lookup_cache:
+@@ -1548,11 +1605,19 @@ lookup_cache:
  			lock_rw_unlock(&e->lock);
  		}
  		if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
@@ -267,10 +267,10 @@ index eb7fdf2f..1982228d 100644
  			}
  			verbose(VERB_ALGO, "answer norec from cache -- "
 diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
-index 38c2d298..3b07f392 100644
+index cd43f04e..b92a1af8 100644
 --- a/doc/unbound.conf.5.in
 +++ b/doc/unbound.conf.5.in
-@@ -1828,6 +1828,81 @@ List domain for which the AAAA records are ignored and the A record is
+@@ -1878,6 +1878,81 @@ List domain for which the AAAA records are ignored and the A record is
  used by dns64 processing instead.  Can be entered multiple times, list a
  new domain for which it applies, one per line.  Applies also to names
  underneath the name given.
@@ -2888,7 +2888,7 @@ index 00000000..21235355
 +  fi
 +])
 diff --git a/iterator/iterator.c b/iterator/iterator.c
-index 1e0113a8..2fcbf547 100644
+index 23b07ea9..c3d31a33 100644
 --- a/iterator/iterator.c
 +++ b/iterator/iterator.c
 @@ -68,6 +68,9 @@
@@ -2901,7 +2901,7 @@ index 1e0113a8..2fcbf547 100644
  
  /* in msec */
  int UNKNOWN_SERVER_NICENESS = 376;
-@@ -555,6 +558,23 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -563,6 +566,23 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
  		if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
  			query_dname_compare(*mname, r->rk.dname) == 0 &&
  			!iter_find_rrset_in_prepend_answer(iq, r)) {
@@ -2925,7 +2925,7 @@ index 1e0113a8..2fcbf547 100644
  			/* Add this relevant CNAME rrset to the prepend list.*/
  			if(!iter_add_prepend_answer(qstate, iq, r))
  				return 0;
-@@ -563,6 +583,9 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -571,6 +591,9 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
  
  		/* Other rrsets in the section are ignored. */
  	}
@@ -2935,7 +2935,7 @@ index 1e0113a8..2fcbf547 100644
  	/* add authority rrsets to authority prepend, for wildcarded CNAMEs */
  	for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets +
  		msg->rep->ns_numrrsets; i++) {
-@@ -1199,6 +1222,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -1231,6 +1254,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
  	uint8_t* delname;
  	size_t delnamelen;
  	struct dns_msg* msg = NULL;
@@ -2943,7 +2943,7 @@ index 1e0113a8..2fcbf547 100644
  
  	log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
  	/* check effort */
-@@ -1285,8 +1309,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -1317,8 +1341,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
  	}
  	if(msg) {
  		/* handle positive cache response */
@@ -2953,7 +2953,7 @@ index 1e0113a8..2fcbf547 100644
  		if(verbosity >= VERB_ALGO) {
  			log_dns_msg("msg from cache lookup", &msg->qinfo, 
  				msg->rep);
-@@ -1294,7 +1317,22 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -1326,7 +1349,22 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
  				(int)msg->rep->ttl, 
  				(int)msg->rep->prefetch_ttl);
  		}
@@ -2976,7 +2976,7 @@ index 1e0113a8..2fcbf547 100644
  		if(type == RESPONSE_TYPE_CNAME) {
  			uint8_t* sname = 0;
  			size_t slen = 0;
-@@ -2718,6 +2756,62 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -2801,6 +2839,62 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
  			sock_list_insert(&qstate->reply_origin, 
  				&qstate->reply->addr, qstate->reply->addrlen, 
  				qstate->region);
@@ -3039,7 +3039,7 @@ index 1e0113a8..2fcbf547 100644
  		if(iq->minimisation_state != DONOT_MINIMISE_STATE
  			&& !(iq->chase_flags & BIT_RD)) {
  			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
-@@ -3471,12 +3565,44 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -3563,12 +3657,44 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
  		 * but only if we did recursion. The nonrecursion referral
  		 * from cache does not need to be stored in the msg cache. */
  		if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
@@ -3085,10 +3085,10 @@ index 1e0113a8..2fcbf547 100644
  	qstate->return_msg = iq->response;
  	return 0;
 diff --git a/iterator/iterator.h b/iterator/iterator.h
-index a2f1b570..e1e4a738 100644
+index 342ac207..49b0ecdd 100644
 --- a/iterator/iterator.h
 +++ b/iterator/iterator.h
-@@ -386,6 +386,16 @@ struct iter_qstate {
+@@ -396,6 +396,16 @@ struct iter_qstate {
  	 */
  	int minimise_count;
  
@@ -3104,12 +3104,12 @@ index a2f1b570..e1e4a738 100644
 +
  	/**
  	 * Count number of time-outs. Used to prevent resolving failures when
- 	 * the QNAME minimisation QTYPE is blocked. */
+ 	 * the QNAME minimisation QTYPE is blocked. Used to determine if
 diff --git a/services/cache/dns.c b/services/cache/dns.c
-index 2a5bca4a..6de8863a 100644
+index 7b6e142c..6d7449f5 100644
 --- a/services/cache/dns.c
 +++ b/services/cache/dns.c
-@@ -967,6 +967,14 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
+@@ -969,6 +969,14 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
  	struct regional* region, uint32_t flags)
  {
  	struct reply_info* rep = NULL;
@@ -3125,7 +3125,7 @@ index 2a5bca4a..6de8863a 100644
  	rep = reply_info_copy(msgrep, env->alloc, NULL);
  	if(!rep)
 diff --git a/services/mesh.c b/services/mesh.c
-index 9114ef4c..3dc518e5 100644
+index 4b0c5db4..eb9cfa5b 100644
 --- a/services/mesh.c
 +++ b/services/mesh.c
 @@ -61,6 +61,9 @@
@@ -3138,7 +3138,7 @@ index 9114ef4c..3dc518e5 100644
  #include "respip/respip.h"
  #include "services/listen_dnsport.h"
  
-@@ -1195,6 +1198,13 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
+@@ -1207,6 +1210,13 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
  	else	secure = 0;
  	if(!rep && rcode == LDNS_RCODE_NOERROR)
  		rcode = LDNS_RCODE_SERVFAIL;
@@ -3152,7 +3152,7 @@ index 9114ef4c..3dc518e5 100644
  	/* send the reply */
  	/* We don't reuse the encoded answer if either the previous or current
  	 * response has a local alias.  We could compare the alias records
-@@ -1415,6 +1425,7 @@ struct mesh_state* mesh_area_find(struct mesh_area* mesh,
+@@ -1434,6 +1444,7 @@ struct mesh_state* mesh_area_find(struct mesh_area* mesh,
  	key.s.is_valrec = valrec;
  	key.s.qinfo = *qinfo;
  	key.s.query_flags = qflags;
@@ -3160,7 +3160,7 @@ index 9114ef4c..3dc518e5 100644
  	/* We are searching for a similar mesh state when we DO want to
  	 * aggregate the state. Thus unique is set to NULL. (default when we
  	 * desire aggregation).*/
-@@ -1461,6 +1472,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
+@@ -1480,6 +1491,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
  	if(!r)
  		return 0;
  	r->query_reply = *rep;
@@ -3172,11 +3172,11 @@ index 9114ef4c..3dc518e5 100644
  	if(edns->opt_list) {
  		r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
 diff --git a/util/config_file.c b/util/config_file.c
-index 52ca5a18..0660248f 100644
+index 0e9ee471..a5fd72e0 100644
 --- a/util/config_file.c
 +++ b/util/config_file.c
-@@ -1460,6 +1460,8 @@ config_delete(struct config_file* cfg)
- 	free(cfg->dnstap_socket_path);
+@@ -1495,6 +1495,8 @@ config_delete(struct config_file* cfg)
+ 	free(cfg->dnstap_tls_client_cert_file);
  	free(cfg->dnstap_identity);
  	free(cfg->dnstap_version);
 +	if (cfg->rpz_cstr)
@@ -3185,10 +3185,10 @@ index 52ca5a18..0660248f 100644
  	config_deldblstrlist(cfg->ratelimit_below_domain);
  	config_delstrlist(cfg->python_script);
 diff --git a/util/config_file.h b/util/config_file.h
-index 8739ca2a..a2dcf215 100644
+index 66e5025d..504f4f92 100644
 --- a/util/config_file.h
 +++ b/util/config_file.h
-@@ -499,6 +499,11 @@ struct config_file {
+@@ -522,6 +522,11 @@ struct config_file {
  	/** true to disable DNSSEC lameness check in iterator */
  	int disable_dnssec_lame_check;
  
@@ -3201,10 +3201,10 @@ index 8739ca2a..a2dcf215 100644
  	int ip_ratelimit;
  	/** number of slabs for ip_ratelimit cache */
 diff --git a/util/configlexer.lex b/util/configlexer.lex
-index deedffa5..301458a3 100644
+index 83cea4b9..9a7feea4 100644
 --- a/util/configlexer.lex
 +++ b/util/configlexer.lex
-@@ -446,6 +446,10 @@ dnstap-log-forwarder-query-messages{COLON}	{
+@@ -467,6 +467,10 @@ dnstap-log-forwarder-query-messages{COLON}	{
  		YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
  dnstap-log-forwarder-response-messages{COLON}	{
  		YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
@@ -3216,18 +3216,18 @@ index deedffa5..301458a3 100644
  ip-ratelimit{COLON}		{ YDVAR(1, VAR_IP_RATELIMIT) }
  ratelimit{COLON}		{ YDVAR(1, VAR_RATELIMIT) }
 diff --git a/util/configparser.y b/util/configparser.y
-index d471babe..cb6b1d63 100644
+index fe600a99..ce43390f 100644
 --- a/util/configparser.y
 +++ b/util/configparser.y
-@@ -125,6 +125,7 @@ extern struct config_parser_state* cfg_parser;
+@@ -128,6 +128,7 @@ extern struct config_parser_state* cfg_parser;
  %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
  %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
  %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
 +%token VAR_RPZ VAR_RPZ_ENABLE VAR_RPZ_ZONE VAR_RPZ_OPTION
  %token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
  %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
- %token VAR_DISABLE_DNSSEC_LAME_CHECK
-@@ -173,7 +174,7 @@ extern struct config_parser_state* cfg_parser;
+ %token VAR_IP_DSCP
+@@ -179,7 +180,7 @@ extern struct config_parser_state* cfg_parser;
  
  %%
  toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -3236,7 +3236,7 @@ index d471babe..cb6b1d63 100644
  	forwardstart contents_forward | pythonstart contents_py | 
  	rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
  	dnscstart contents_dnsc | cachedbstart contents_cachedb |
-@@ -2837,6 +2838,50 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES
+@@ -2939,6 +2940,50 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES
  		free($2);
  	}
  	;
@@ -3384,7 +3384,7 @@ index 729877ba..ccd1a0c2 100644
  
  /**
 diff --git a/util/netevent.c b/util/netevent.c
-index 9fe5da2d..037e70d1 100644
+index 3e7a433e..f20d806f 100644
 --- a/util/netevent.c
 +++ b/util/netevent.c
 @@ -57,6 +57,9 @@
@@ -3397,7 +3397,7 @@ index 9fe5da2d..037e70d1 100644
  
  /* -------- Start of local definitions -------- */
  /** if CMSG_ALIGN is not defined on this platform, a workaround */
-@@ -590,6 +593,9 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg)
+@@ -596,6 +599,9 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg)
  	struct cmsghdr* cmsg;
  #endif /* S_SPLINT_S */
  
@@ -3407,7 +3407,7 @@ index 9fe5da2d..037e70d1 100644
  	rep.c = (struct comm_point*)arg;
  	log_assert(rep.c->type == comm_udp);
  
-@@ -679,6 +685,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
+@@ -685,6 +691,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
  	int i;
  	struct sldns_buffer *buffer;
  
@@ -3417,7 +3417,7 @@ index 9fe5da2d..037e70d1 100644
  	rep.c = (struct comm_point*)arg;
  	log_assert(rep.c->type == comm_udp);
  
-@@ -722,6 +731,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
+@@ -728,6 +737,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
  			(void)comm_point_send_udp_msg(rep.c, buffer,
  				(struct sockaddr*)&rep.addr, rep.addrlen);
  		}
@@ -3427,7 +3427,7 @@ index 9fe5da2d..037e70d1 100644
  		if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for
  		another UDP port. Note rep.c cannot be reused with TCP fd. */
  			break;
-@@ -3192,6 +3204,9 @@ comm_point_send_reply(struct comm_reply *repinfo)
+@@ -3175,6 +3187,9 @@ comm_point_send_reply(struct comm_reply *repinfo)
  				repinfo->c->tcp_timeout_msec);
  		}
  	}
@@ -3437,7 +3437,7 @@ index 9fe5da2d..037e70d1 100644
  }
  
  void 
-@@ -3201,6 +3216,9 @@ comm_point_drop_reply(struct comm_reply* repinfo)
+@@ -3184,6 +3199,9 @@ comm_point_drop_reply(struct comm_reply* repinfo)
  		return;
  	log_assert(repinfo->c);
  	log_assert(repinfo->c->type != comm_tcp_accept);
@@ -3447,7 +3447,7 @@ index 9fe5da2d..037e70d1 100644
  	if(repinfo->c->type == comm_udp)
  		return;
  	if(repinfo->c->tcp_req_info)
-@@ -3222,6 +3240,9 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec)
+@@ -3205,6 +3223,9 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec)
  {
  	verbose(VERB_ALGO, "comm point start listening %d (%d msec)", 
  		c->fd==-1?newfd:c->fd, msec);
@@ -3458,7 +3458,7 @@ index 9fe5da2d..037e70d1 100644
  		/* no use to start listening no free slots. */
  		return;
 diff --git a/util/netevent.h b/util/netevent.h
-index d80c72b3..0233292f 100644
+index bb2cd1e5..666067e8 100644
 --- a/util/netevent.h
 +++ b/util/netevent.h
 @@ -120,6 +120,10 @@ struct comm_reply {

contrib/unbound_munin_

@@ -174,11 +174,11 @@ get_state ( ) {
 if test "$1" = "autoconf" ; then
 	if test ! -f $conf; then
 		echo no "($conf does not exist)"
-		exit 1
+		exit 0
 	fi
 	if test ! -d `dirname $state`; then
 		echo no "(`dirname $state` directory does not exist)"
-		exit 1
+		exit 0
 	fi
 	echo yes
 	exit 0

daemon/unbound.c

@@ -534,6 +534,8 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 			LOGIN_SETALL & ~LOGIN_SETUSER & ~LOGIN_SETGROUP) != 0)
 			log_warn("unable to setusercontext %s: %s",
 				cfg->username, strerror(errno));
+#else
+		(void)pwd;
 #endif /* HAVE_SETUSERCONTEXT */
 	}
 #endif /* HAVE_GETPWNAM */

dnstap/dnstap_fstrm.c

@@ -92,6 +92,34 @@ void* fstrm_create_control_frame_stop(size_t* len)
 	return control;
 }
 
+void* fstrm_create_control_frame_ready(char* contenttype, size_t* len)
+{
+	uint32_t* control;
+	size_t n;
+	/* start bidirectional stream:
+	 * 4 bytes 0 escape
+	 * 4 bytes bigendian length of frame
+	 * 4 bytes bigendian type READY
+	 * 4 bytes bigendian frame option content type
+	 * 4 bytes bigendian length of string
+	 * string of content type.
+	 */
+	/* len includes the escape and framelength */
+	n = 4+4+4+4+4+strlen(contenttype);
+	control = malloc(n);
+	if(!control) {
+		return NULL;
+	}
+	control[0] = 0;
+	control[1] = htonl(4+4+4+strlen(contenttype));
+	control[2] = htonl(FSTRM_CONTROL_FRAME_READY);
+	control[3] = htonl(FSTRM_CONTROL_FIELD_TYPE_CONTENT_TYPE);
+	control[4] = htonl(strlen(contenttype));
+	memmove(&control[5], contenttype, strlen(contenttype));
+	*len = n;
+	return control;
+}
+
 void* fstrm_create_control_frame_accept(char* contenttype, size_t* len)
 {
 	uint32_t* control;

dnstap/dnstap_fstrm.h

@@ -127,6 +127,21 @@
  */
 void* fstrm_create_control_frame_start(char* contenttype, size_t* len);
 
+/**
+ * This creates an FSTRM control frame of type READY.
+ * @param contenttype: a zero delimited string with the content type.
+ * 	eg. use the constant DNSTAP_CONTENT_TYPE, which is defined as
+ * 	"protobuf:dnstap.Dnstap", for a dnstap frame stream.
+ * @param len: if a buffer is returned this is the length of that buffer.
+ * @return NULL on malloc failure.  Returns a malloced buffer with the
+ * protocol message.  The buffer starts with the 4 bytes of 0 that indicate
+ * a control frame.  The buffer should be sent without preceding it with
+ * the 'len' variable (like data frames are), but straight the content of the
+ * buffer, because the lengths are included in the buffer.  This is so that
+ * the zero control indicator can be included before the control frame length.
+ */
+void* fstrm_create_control_frame_ready(char* contenttype, size_t* len);
+
 /**
  * This creates an FSTRM control frame of type STOP.
  * @param len: if a buffer is returned this is the length of that buffer.

dnstap/dtstream.c

@@ -48,6 +48,7 @@
 #include "util/ub_event.h"
 #include "util/net_help.h"
 #include "services/outside_network.h"
+#include "sldns/sbuffer.h"
 #ifdef HAVE_SYS_UN_H
 #include <sys/un.h>
 #endif
@@ -68,6 +69,9 @@
 /** the msec to wait for reconnect slow, to stop busy spinning on reconnect */
 #define DTIO_RECONNECT_TIMEOUT_SLOW 1000
 
+/** maximum length of received frame */
+#define DTIO_RECV_FRAME_MAX_LEN 1000
+
 struct stop_flush_info;
 /** DTIO command channel commands */
 enum {
@@ -85,9 +89,13 @@ static int dtio_add_output_event_write(struct dt_io_thread* dtio);
 static void dtio_reconnect_enable(struct dt_io_thread* dtio);
 /** stop from stop_flush event loop */
 static void dtio_stop_flush_exit(struct stop_flush_info* info);
+/** setup a start control message */
+static int dtio_control_start_send(struct dt_io_thread* dtio);
 #ifdef HAVE_SSL
 /** enable briefly waiting for a read event, for SSL negotiation */
 static int dtio_enable_brief_read(struct dt_io_thread* dtio);
+/** enable briefly waiting for a write event, for SSL negotiation */
+static int dtio_enable_brief_write(struct dt_io_thread* dtio);
 #endif
 
 struct dt_msg_queue*
@@ -261,6 +269,7 @@ int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
 	} else {
 		dtio->upstream_is_unix = 1;
 	}
+	dtio->is_bidirectional = cfg->dnstap_bidirectional;
 
 	if(dtio->upstream_is_unix) {
 		if(!cfg->dnstap_socket_path ||
@@ -551,6 +560,20 @@ static void dtio_cur_msg_free(struct dt_io_thread* dtio)
 	dtio->cur_msg_len_done = 0;
 }
 
+/** delete the buffer and counters used to read frame */
+static void dtio_read_frame_free(struct dt_frame_read_buf* rb)
+{
+	if(rb->buf) {
+		free(rb->buf);
+		rb->buf = NULL;
+	}
+	rb->buf_count = 0;
+	rb->buf_cap = 0;
+	rb->frame_len = 0;
+	rb->frame_len_done = 0;
+	rb->control_frame = 0;
+}
+
 /** del the output file descriptor event for listening */
 static void dtio_del_output_event(struct dt_io_thread* dtio)
 {
@@ -594,6 +617,11 @@ static void dtio_close_output(struct dt_io_thread* dtio)
 	if(dtio->cur_msg) {
 		dtio_cur_msg_free(dtio);
 	}
+
+	dtio->ready_frame_sent = 0;
+	dtio->accept_frame_received = 0;
+	dtio_read_frame_free(&dtio->read_frame);
+
 	dtio_reconnect_enable(dtio);
 }
 
@@ -855,6 +883,94 @@ static int dtio_write_more(struct dt_io_thread* dtio)
 	return 1;
 }
 
+/** Receive bytes from dtio->fd, store in buffer. Returns 0: closed,
+ * -1: continue, >0: number of bytes read into buffer */
+static ssize_t receive_bytes(struct dt_io_thread* dtio, void* buf, size_t len) {
+	ssize_t r;
+	r = recv(dtio->fd, (void*)buf, len, 0);
+	if(r == -1) {
+		char* to = dtio->socket_path;
+		if(!to) to = dtio->ip_str;
+		if(!to) to = "";
+#ifndef USE_WINSOCK
+		if(errno == EINTR || errno == EAGAIN)
+			return -1; /* try later */
+#else
+		if(WSAGetLastError() == WSAEINPROGRESS) {
+			return -1; /* try later */
+		} else if(WSAGetLastError() == WSAEWOULDBLOCK) {
+			ub_winsock_tcp_wouldblock(
+				(dtio->stop_flush_event?
+				dtio->stop_flush_event:dtio->event),
+				UB_EV_READ);
+			return -1; /* try later */
+		}
+#endif
+		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
+			verbosity < 4)
+			return 0; /* no log retries on low verbosity */
+		log_err("dnstap io: output closed, recv %s: %s", to,
+			strerror(errno));
+		/* and close below */
+		return 0;
+	}
+	if(r == 0) {
+		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
+			verbosity < 4)
+			return 0; /* no log retries on low verbosity */
+		verbose(VERB_DETAIL, "dnstap io: output closed by the other side");
+		/* and close below */
+		return 0;
+	}
+	/* something was received */
+	return r;
+}
+
+#ifdef HAVE_SSL
+/** Receive bytes over TLS from dtio->fd, store in buffer. Returns 0: closed,
+ * -1: continue, >0: number of bytes read into buffer */
+static int ssl_read_bytes(struct dt_io_thread* dtio, void* buf, size_t len)
+{
+	int r;
+	ERR_clear_error();
+	r = SSL_read(dtio->ssl, buf, len);
+	if(r <= 0) {
+		int want = SSL_get_error(dtio->ssl, r);
+		if(want == SSL_ERROR_ZERO_RETURN) {
+			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
+				verbosity < 4)
+				return 0; /* no log retries on low verbosity */
+			verbose(VERB_DETAIL, "dnstap io: output closed by the "
+				"other side");
+			return 0;
+		} else if(want == SSL_ERROR_WANT_READ) {
+			/* continue later */
+			return -1;
+		} else if(want == SSL_ERROR_WANT_WRITE) {
+			(void)dtio_enable_brief_write(dtio);
+			return -1;
+		} else if(want == SSL_ERROR_SYSCALL) {
+#ifdef ECONNRESET
+			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
+				errno == ECONNRESET && verbosity < 4)
+				return 0; /* silence reset by peer */
+#endif
+			if(errno != 0)
+				log_err("SSL_read syscall: %s",
+					strerror(errno));
+			verbose(VERB_DETAIL, "dnstap io: output closed by the "
+				"other side");
+			return 0;
+		}
+		log_crypto_err("could not SSL_read");
+		verbose(VERB_DETAIL, "dnstap io: output closed by the "
+				"other side");
+		return 0;
+	}
+	return r;
+}
+#endif /* HAVE_SSL */
+
 /** check if the output fd has been closed,
  * it returns false if the stream is closed. */
 static int dtio_check_close(struct dt_io_thread* dtio)
@@ -864,44 +980,17 @@ static int dtio_check_close(struct dt_io_thread* dtio)
 	 * packets is okay for the framestream protocol.  And also, the
 	 * read call can return that the stream has been closed by the
 	 * other side. */
-	ssize_t r;
 	uint8_t buf[1024];
+	int r = -1;
+
+
 	if(dtio->fd == -1) return 0;
-	while(1) {
-		r = recv(dtio->fd, (void*)buf, sizeof(buf), 0);
-		if(r == -1) {
-			char* to = dtio->socket_path;
-			if(!to) to = dtio->ip_str;
-			if(!to) to = "";
-#ifndef USE_WINSOCK
-			if(errno == EINTR || errno == EAGAIN)
-				return 1; /* try later */
-#else
-			if(WSAGetLastError() == WSAEINPROGRESS) {
-				return 1; /* try later */
-			} else if(WSAGetLastError() == WSAEWOULDBLOCK) {
-				ub_winsock_tcp_wouldblock(
-					(dtio->stop_flush_event?
-					dtio->stop_flush_event:dtio->event),
-					UB_EV_READ);
-				return 1; /* try later */
-			}
-#endif
-			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN && verbosity < 4)
-				break; /* no log retries on low verbosity */
-			log_err("dnstap io: output closed, recv %s: %s", to,
-				strerror(errno));
-			/* and close below */
-			break;
-		}
-		if(r == 0) {
-			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN && verbosity < 4)
-				break; /* no log retries on low verbosity */
-			verbose(VERB_DETAIL, "dnstap io: output closed by the other side");
-			/* and close below */
-			break;
-		}
-		/* something was received, ignore it */
+
+	while(r != 0) {
+		/* not interested in buffer content, overwrite */
+		r = receive_bytes(dtio, (void*)buf, sizeof(buf));
+		if(r == -1)
+			return 1;
 	}
 	/* the other end has been closed */
 	/* close the channel */
@@ -910,6 +999,143 @@ static int dtio_check_close(struct dt_io_thread* dtio)
 	return 0;
 }
 
+/** Read accept frame. Returns -1: continue reading, 0: closed,
+ * 1: valid accept received. */
+static int dtio_read_accept_frame(struct dt_io_thread* dtio)
+{
+	int r;
+	size_t read_frame_done;
+	while(dtio->read_frame.frame_len_done < 4) {
+#ifdef HAVE_SSL
+		if(dtio->ssl) {
+			r = ssl_read_bytes(dtio,
+				(uint8_t*)&dtio->read_frame.frame_len+
+				dtio->read_frame.frame_len_done,
+				4-dtio->read_frame.frame_len_done);
+		} else {
+#endif
+			r = receive_bytes(dtio,
+				(uint8_t*)&dtio->read_frame.frame_len+
+				dtio->read_frame.frame_len_done,
+				4-dtio->read_frame.frame_len_done);
+#ifdef HAVE_SSL
+		}
+#endif
+		if(r == -1)
+			return -1; /* continue reading */
+		if(r == 0) {
+			 /* connection closed */
+			goto close_connection;
+		}
+		dtio->read_frame.frame_len_done += r;
+		if(dtio->read_frame.frame_len_done < 4)
+			return -1; /* continue reading */
+
+		if(dtio->read_frame.frame_len == 0) {
+			dtio->read_frame.frame_len_done = 0;
+			dtio->read_frame.control_frame = 1;
+			continue;
+		}
+		dtio->read_frame.frame_len = ntohl(dtio->read_frame.frame_len);
+		if(dtio->read_frame.frame_len > DTIO_RECV_FRAME_MAX_LEN) {
+			verbose(VERB_OPS, "dnstap: received frame exceeds max "
+				"length of %d bytes, closing connection",
+				DTIO_RECV_FRAME_MAX_LEN);
+			goto close_connection;
+		}
+		dtio->read_frame.buf = calloc(1, dtio->read_frame.frame_len);
+		dtio->read_frame.buf_cap = dtio->read_frame.frame_len;
+		if(!dtio->read_frame.buf) {
+			log_err("dnstap io: out of memory (creating read "
+				"buffer)");
+			goto close_connection;
+		}
+	}
+	if(dtio->read_frame.buf_count < dtio->read_frame.frame_len) {
+#ifdef HAVE_SSL
+		if(dtio->ssl) {
+			r = ssl_read_bytes(dtio, dtio->read_frame.buf+
+				dtio->read_frame.buf_count,
+				dtio->read_frame.buf_cap-
+				dtio->read_frame.buf_count);
+		} else {
+#endif
+			r = receive_bytes(dtio, dtio->read_frame.buf+
+				dtio->read_frame.buf_count,
+				dtio->read_frame.buf_cap-
+				dtio->read_frame.buf_count);
+#ifdef HAVE_SSL
+		}
+#endif
+		if(r == -1)
+			return -1; /* continue reading */
+		if(r == 0) {
+			 /* connection closed */
+			goto close_connection;
+		}
+		dtio->read_frame.buf_count += r;
+		if(dtio->read_frame.buf_count < dtio->read_frame.frame_len)
+			return -1; /* continue reading */
+	}
+
+	/* Complete frame received, check if this is a valid ACCEPT control
+	 * frame. */
+	if(dtio->read_frame.frame_len < 4) {
+		verbose(VERB_OPS, "dnstap: invalid data received");
+		goto close_connection;
+	}
+	if(sldns_read_uint32(dtio->read_frame.buf) !=
+		FSTRM_CONTROL_FRAME_ACCEPT) {
+		verbose(VERB_ALGO, "dnstap: invalid control type received, "
+			"ignored");
+		dtio->ready_frame_sent = 0;
+		dtio->accept_frame_received = 0;
+		dtio_read_frame_free(&dtio->read_frame);
+		return -1;
+	}
+	read_frame_done = 4; /* control frame type */
+
+	/* Iterate over control fields, ignore unknown types.
+	 * Need to be able to read at least 8 bytes (control field type +
+	 * length). */
+	while(read_frame_done+8 < dtio->read_frame.frame_len) {
+		uint32_t type = sldns_read_uint32(dtio->read_frame.buf +
+			read_frame_done);
+		uint32_t len = sldns_read_uint32(dtio->read_frame.buf +
+			read_frame_done + 4);
+		if(type == FSTRM_CONTROL_FIELD_TYPE_CONTENT_TYPE) {
+			if(len == strlen(DNSTAP_CONTENT_TYPE) &&
+				read_frame_done+8+len <=
+				dtio->read_frame.frame_len &&
+				memcmp(dtio->read_frame.buf + read_frame_done +
+					+ 8, DNSTAP_CONTENT_TYPE, len) == 0) {
+				if(!dtio_control_start_send(dtio)) {
+					verbose(VERB_OPS, "dnstap io: out of "
+					 "memory while sending START frame");
+					goto close_connection;
+				}
+				dtio->accept_frame_received = 1;
+				return 1;
+			} else {
+				/* unknow content type */
+				verbose(VERB_ALGO, "dnstap: ACCEPT frame "
+					"contains unknown content type, "
+					"closing connection");
+				goto close_connection;
+			}
+		}
+		/* unknown option, try next */
+		read_frame_done += 8+len;
+	}
+
+
+close_connection:
+	dtio_del_output_event(dtio);
+	dtio_reconnect_slow(dtio, DTIO_RECONNECT_TIMEOUT_SLOW);
+	dtio_close_output(dtio);
+	return 0;
+}
+
 /** add the output file descriptor event for listening, read only */
 static int dtio_add_output_event_read(struct dt_io_thread* dtio)
 {
@@ -1002,6 +1228,24 @@ static int dtio_disable_brief_read(struct dt_io_thread* dtio)
 }
 #endif /* HAVE_SSL */
 
+#ifdef HAVE_SSL
+/** enable the brief write condition */
+static int dtio_enable_brief_write(struct dt_io_thread* dtio)
+{
+	dtio->ssl_brief_write = 1;
+	return dtio_add_output_event_write(dtio);
+}
+#endif /* HAVE_SSL */
+
+#ifdef HAVE_SSL
+/** disable the brief write condition */
+static int dtio_disable_brief_write(struct dt_io_thread* dtio)
+{
+	dtio->ssl_brief_write = 0;
+	return dtio_add_output_event_read(dtio);
+}
+#endif /* HAVE_SSL */
+
 #ifdef HAVE_SSL
 /** check peer verification after ssl handshake connection, false if closed*/
 static int dtio_ssl_check_peer(struct dt_io_thread* dtio)
@@ -1175,8 +1419,13 @@ void dtio_output_cb(int ATTR_UNUSED(fd), short bits, void* arg)
 	}
 #endif
 
-	if((bits&UB_EV_READ)) {
-		if(!dtio_check_close(dtio))
+	if((bits&UB_EV_READ || dtio->ssl_brief_write)) {
+		if(dtio->ssl_brief_write)
+			(void)dtio_disable_brief_write(dtio);
+		if(dtio->ready_frame_sent && !dtio->accept_frame_received) {
+			if(dtio_read_accept_frame(dtio) <= 0)
+				return;
+		} else if(!dtio_check_close(dtio))
 			return;
 	}
 
@@ -1208,6 +1457,15 @@ void dtio_output_cb(int ATTR_UNUSED(fd), short bits, void* arg)
 
 		/* done with the current message */
 		dtio_cur_msg_free(dtio);
+
+		/* If this is a bidirectional stream the first message will be
+		 * the READY control frame. We can only continue writing after
+		 * receiving an ACCEPT control frame. */
+		if(dtio->is_bidirectional && !dtio->ready_frame_sent) {
+			dtio->ready_frame_sent = 1;
+			(void)dtio_add_output_event_read(dtio);
+			break;
+		}
 	}
 }
 
@@ -1240,6 +1498,13 @@ void dtio_cmd_cb(int fd, short ATTR_UNUSED(bits), void* arg)
 		verbose(VERB_ALGO, "dnstap io: cmd channel cmd quit");
 	} else if(r == 1 && cmd == DTIO_COMMAND_WAKEUP) {
 		verbose(VERB_ALGO, "dnstap io: cmd channel cmd wakeup");
+
+		if(dtio->is_bidirectional && !dtio->accept_frame_received) {
+			verbose(VERB_ALGO, "dnstap io: cmd wakeup ignored, "
+				"waiting for ACCEPT control frame");
+			return;
+		}
+
 		/* reregister event */
 		if(!dtio_add_output_event_write(dtio))
 			return;
@@ -1561,6 +1826,25 @@ static int dtio_control_start_send(struct dt_io_thread* dtio)
 	return 1;
 }
 
+/** setup a ready control message */
+static int dtio_control_ready_send(struct dt_io_thread* dtio)
+{
+	log_assert(dtio->cur_msg == NULL && dtio->cur_msg_len == 0);
+	dtio->cur_msg = fstrm_create_control_frame_ready(DNSTAP_CONTENT_TYPE,
+		&dtio->cur_msg_len);
+	if(!dtio->cur_msg) {
+		return 0;
+	}
+	/* setup to send the control message */
+	/* set that the buffer needs to be sent, but the length
+	 * of that buffer is already written, that way the buffer can
+	 * start with 0 length and then the length of the control frame
+	 * in it */
+	dtio->cur_msg_done = 0;
+	dtio->cur_msg_len_done = 4;
+	return 1;
+}
+
 /** open the output file descriptor for af_local */
 static int dtio_open_output_local(struct dt_io_thread* dtio)
 {
@@ -1693,7 +1977,8 @@ static void dtio_open_output(struct dt_io_thread* dtio)
 	}
 	dtio->check_nb_connect = 1;
 
-	/* the EV_READ is to catch channel close, write to write packets */
+	/* the EV_READ is to read ACCEPT control messages, and catch channel
+	 * close. EV_WRITE is to write packets */
 	ev = ub_event_new(dtio->event_base, dtio->fd,
 		UB_EV_READ | UB_EV_WRITE | UB_EV_PERSIST, &dtio_output_cb,
 		dtio);
@@ -1712,7 +1997,8 @@ static void dtio_open_output(struct dt_io_thread* dtio)
 	dtio->event = ev;
 
 	/* setup protocol control message to start */
-	if(!dtio_control_start_send(dtio)) {
+	if((!dtio->is_bidirectional && !dtio_control_start_send(dtio)) ||
+		(dtio->is_bidirectional && !dtio_control_ready_send(dtio)) ) {
 		log_err("dnstap io: out of memory");
 		ub_event_free(dtio->event);
 		dtio->event = NULL;

dnstap/dtstream.h

@@ -88,6 +88,27 @@ struct dt_msg_entry {
 	size_t len;
 };
 
+/**
+ * Containing buffer and counter for reading DNSTAP frames.
+ */
+struct dt_frame_read_buf {
+	/** Buffer containing frame, except length counter(s). */
+	void* buf;
+	/** Number of bytes written to buffer. */
+	size_t buf_count;
+	/** Capacity of the buffer. */
+	size_t buf_cap;
+
+	/** Frame length field. Will contain the 2nd length field for control
+	 * frames. */
+	uint32_t frame_len;
+	/** Number of bytes that have been written to the frame_length field. */
+	size_t frame_len_done;
+
+	/** Set to 1 if this is a control frame, 0 otherwise (ie data frame). */
+	int control_frame;
+};
+
 /**
  * IO thread that reads from the queues and writes them.
  */
@@ -130,6 +151,9 @@ struct dt_io_thread {
 	 * This happens during negotiation, we then do not want to write,
 	 * but wait for a read event. */
 	int ssl_brief_read;
+	/** true if SSL_read is waiting for a write event. Set back to 0 after
+	 * single write event is handled. */
+	int ssl_brief_write;
 
 	/** the buffer that currently getting written, or NULL if no
 	 * (partial) message written now */
@@ -171,6 +195,16 @@ struct dt_io_thread {
 	 * and client certificates can be used for authentication. */
 	int upstream_is_tls;
 
+	/** Perform bidirectional Frame Streams handshake before sending
+	 * messages. */
+	int is_bidirectional;
+	/** Set if the READY control frame has been sent. */
+	int ready_frame_sent;
+	/** Set if valid ACCEPT frame is received. */
+	int accept_frame_received;
+	/** (partially) read frame */
+	struct dt_frame_read_buf read_frame;
+
 	/** the file path for unix socket (or NULL) */
 	char* socket_path;
 	/** the ip address and port number (or NULL) */

dnstap/unbound-dnstap-socket.c

@@ -770,10 +770,11 @@ void tap_data_free(struct tap_data* data)
 
 /** reply with ACCEPT control frame to bidirectional client,
  * returns 0 on error */
-static int reply_with_accept(int fd)
+static int reply_with_accept(struct tap_data* data)
 {
 #ifdef USE_DNSTAP
 	/* len includes the escape and framelength */
+	int r;
 	size_t len = 0;
 	void* acceptframe = fstrm_create_control_frame_accept(
 		DNSTAP_CONTENT_TYPE, &len);
@@ -782,26 +783,39 @@ static int reply_with_accept(int fd)
 		return 0;
 	}
 
-	fd_set_block(fd);
-	if(send(fd, acceptframe, len, 0) == -1) {
+	fd_set_block(data->fd);
+	if(data->ssl) {
+		if((r=SSL_write(data->ssl, acceptframe, len)) <= 0) {
+			if(SSL_get_error(data->ssl, r) == SSL_ERROR_ZERO_RETURN)
+				log_err("SSL_write, peer closed connection");
+			else
+				log_err("could not SSL_write");
+			fd_set_nonblock(data->fd);
+			free(acceptframe);
+			return 0;
+		}
+	} else {
+		if(send(data->fd, acceptframe, len, 0) == -1) {
 #ifndef USE_WINSOCK
-		log_err("send failed: %s", strerror(errno));
+			log_err("send failed: %s", strerror(errno));
 #else
-		log_err("send failed: %s", wsa_strerror(WSAGetLastError()));
+			log_err("send failed: %s",
+				wsa_strerror(WSAGetLastError()));
 #endif
-		fd_set_nonblock(fd);
-		free(acceptframe);
-		return 0;
+			fd_set_nonblock(data->fd);
+			free(acceptframe);
+			return 0;
+		}
 	}
 	if(verbosity) log_info("sent control frame(accept) content-type:(%s)",
 			DNSTAP_CONTENT_TYPE);
 
-	fd_set_nonblock(fd);
+	fd_set_nonblock(data->fd);
 	free(acceptframe);
 	return 1;
 #else
 	log_err("no dnstap compiled, no reply");
-	(void)fd;
+	(void)data;
 	return 0;
 #endif
 }
@@ -1033,7 +1047,7 @@ void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg)
 		FSTRM_CONTROL_FRAME_READY) {
 		data->is_bidirectional = 1;
 		if(verbosity) log_info("bidirectional stream");
-		if(!reply_with_accept(fd)) {
+		if(!reply_with_accept(data)) {
 			tap_data_free(data);
 		}
 	} else if(data->len >= 4 && sldns_read_uint32(data->frame) ==

doc/Changelog

@@ -1,3 +1,43 @@
+27 July 2020: George
+	- Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
+	  March 2020, by and0x000.
+
+27 July 2020: Ralph
+	- Merge PR #269, Fix python module len() implementations, by Torbjörn
+	  Lönnemark
+
+27 July 2020: Wouter
+	- branch now named 1.11.1.  1.11.0rc1 became the 1.11.0 release.
+	- Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
+
+20 July 2020: Wouter
+	- Fix streamtcp to print packet data to stdout.  This makes the
+	  stdout and stderr not mix together lines, when parsing its output.
+	- Fix contrib/fastrpz.patch to apply cleanly.  It fixes for changes
+	  due to added libdynmod, but it does not compile, it conflicts with
+	  new rpz code.
+	- branch now named 1.11.0 and 1.11.0rc1 tag.
+
+17 July 2020: Wouter
+	- Fix libnettle compile for session ticket key callback function
+	  changes.
+	- Fix lock dependency cycle in rpz zone config setup.
+
+17 July 2020: Ralph
+	- Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
+	  Courrèges-Anglas.
+	- Fix PR #234 log_assert sizeof to use union buffer.
+
+16 July 2020: Wouter
+	- Fix check conf test for referencing installation paths.
+	- Fix unused variable warning for clang analyzer.
+
+16 July 2020: George
+	- Introduce 'include-toplevel:' configuration option.
+
+16 July 2020: Ralph
+	- Add bidirectional frame streams support.
+
 8 July 2020: Wouter
 	- Fix add missing DSA header, for compilation without deprecated
 	  OpenSSL APIs.

doc/example.conf.in

@@ -5,9 +5,13 @@
 #
 # this is a comment.
 
-#Use this to include other text into the file.
+# Use this anywhere in the file to include other text into this file.
 #include: "otherfile.conf"
 
+# Use this anywhere in the file to include other text, that explicitly starts a
+# clause, into this file. Text after this directive needs to start a clause.
+#include-toplevel: "otherfile.conf"
+
 # The server clause sets the main parameters.
 server:
 	# whitespace is not necessary, but looks cleaner.
@@ -585,7 +589,7 @@ server:
 	#
 	# Time in milliseconds before replying to the client with expired data.
 	# This essentially enables the serve-stale behavior as specified in
-	# draft-ietf-dnsop-serve-stale-10 that first tries to resolve before
+	# RFC 8767 that first tries to resolve before
 	# immediately responding with expired data.  0 disables this behavior.
 	# A recommended value is 1800.
 	# serve-expired-client-timeout: 0
@@ -1046,6 +1050,8 @@ remote-control:
 # upstream log destination, by socket path, TCP or TLS destination.
 # dnstap:
 # 	dnstap-enable: no
+# 	# if set to yes frame streams will be used in bidirectional mode
+# 	dnstap-bidirectional: yes
 # 	dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
 # 	# if "" use the unix socket in dnstap-socket-path, otherwise,
 # 	# set it to "IPaddress[@port]" of the destination.

doc/unbound.conf.5.in

@@ -77,6 +77,12 @@ for the included files works, relative pathnames for the included names work
 if the directory where the daemon is started equals its chroot/working
 directory or is specified before the include statement with directory: dir.
 Wildcards can be used to include multiple files, see \fIglob\fR(7).
+.P
+For a more structural include option, the
+.B include\-toplevel:
+directive can be used.  This closes whatever clause is currently active (if any)
+and forces the use of clauses in the included files and right after this
+directive.
 .SS "Server Options"
 These options are part of the
 .B server:
@@ -1102,7 +1108,7 @@ later on.  Default is "no".
 .B serve\-expired\-ttl: \fI<seconds>
 Limit serving of expired responses to configured seconds after expiration. 0
 disables the limit.  This option only applies when \fBserve\-expired\fR is
-enabled.  A suggested value per draft-ietf-dnsop-serve-stale-10 is between
+enabled.  A suggested value per RFC 8767 is between
 86400 (1 day) and 259200 (3 days).  The default is 0.
 .TP
 .B serve\-expired\-ttl\-reset: \fI<yes or no>
@@ -1114,14 +1120,14 @@ expired records will be served as long as there are queries for it.  Default is
 .B serve\-expired\-reply\-ttl: \fI<seconds>
 TTL value to use when replying with expired data.  If
 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
-use 30 as the value (draft-ietf-dnsop-serve-stale-10).  The default is 30.
+use 30 as the value (RFC 8767).  The default is 30.
 .TP
 .B serve\-expired\-client\-timeout: \fI<msec>
 Time in milliseconds before replying to the client with expired data.  This
 essentially enables the serve-stale behavior as specified in
-draft-ietf-dnsop-serve-stale-10 that first tries to resolve before immediately
+RFC 8767 that first tries to resolve before immediately
 responding with expired data.  A recommended value per
-draft-ietf-dnsop-serve-stale-10 is 1800.  Setting this to 0 will disable this
+RFC 8767 is 1800.  Setting this to 0 will disable this
 behavior.  Default is 0.
 .TP
 .B serve\-original\-ttl: \fI<yes or no>
@@ -2196,6 +2202,10 @@ If dnstap is enabled.  Default no.  If yes, it connects to the dnstap server
 and if any of the dnstap-log-..-messages options is enabled it sends logs
 for those messages to the server.
 .TP
+.B dnstap-bidirectional: \fI<yes or no>
+Use frame streams in bidirectional mode to transfer DNSTAP messages. Default is
+yes.
+.TP
 .B dnstap-socket-path: \fI<file name>
 Sets the unix socket file name for connecting to the server that is
 listening on that socket.  Default is "@DNSTAP_SOCKET_PATH@".

pythonmod/interface.i

@@ -314,16 +314,16 @@ struct packed_rrset_data {
     class RRSetData_RRLen:
         def __init__(self, obj): self.obj = obj
         def __getitem__(self, index): return _unboundmodule._get_data_rr_len(self.obj, index)
-        def __len__(self): return obj.count + obj.rrsig_count
+        def __len__(self): return self.obj.count + self.obj.rrsig_count
     class RRSetData_RRTTL:
         def __init__(self, obj): self.obj = obj
         def __getitem__(self, index): return _unboundmodule._get_data_rr_ttl(self.obj, index)
         def __setitem__(self, index, value): _unboundmodule._set_data_rr_ttl(self.obj, index, value)
-        def __len__(self): return obj.count + obj.rrsig_count
+        def __len__(self): return self.obj.count + self.obj.rrsig_count
     class RRSetData_RRData:
         def __init__(self, obj): self.obj = obj
         def __getitem__(self, index): return _unboundmodule._get_data_rr_data(self.obj, index)
-        def __len__(self): return obj.count + obj.rrsig_count
+        def __len__(self): return self.obj.count + self.obj.rrsig_count
 %}
 
 %inline %{
@@ -404,12 +404,12 @@ struct dns_msg {
     class ReplyInfo_RRSet:
         def __init__(self, obj): self.obj = obj
         def __getitem__(self, index): return _unboundmodule._rrset_rrsets_get(self.obj, index)
-        def __len__(self): return obj.rrset_count
+        def __len__(self): return self.obj.rrset_count
 
     class ReplyInfo_Ref:
         def __init__(self, obj): self.obj = obj
         def __getitem__(self, index): return _unboundmodule._rrset_ref_get(self.obj, index)
-        def __len__(self): return obj.rrset_count
+        def __len__(self): return self.obj.rrset_count
 %}
 
 %inline %{

services/authzone.c

@@ -1866,15 +1866,26 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
 	struct auth_xfer* x = NULL;
 
 	/* create zone */
+	if(c->isrpz) {
+		/* if the rpz lock is needed, grab it before the other
+		 * locks to avoid a lock dependency cycle */
+		lock_rw_wrlock(&az->rpz_lock);
+	}
 	lock_rw_wrlock(&az->lock);
 	if(!(z=auth_zones_find_or_add_zone(az, c->name))) {
 		lock_rw_unlock(&az->lock);
+		if(c->isrpz) {
+			lock_rw_unlock(&az->rpz_lock);
+		}
 		return 0;
 	}
 	if(c->masters || c->urls) {
 		if(!(x=auth_zones_find_or_add_xfer(az, z))) {
 			lock_rw_unlock(&az->lock);
 			lock_rw_unlock(&z->lock);
+			if(c->isrpz) {
+				lock_rw_unlock(&az->rpz_lock);
+			}
 			return 0;
 		}
 	}
@@ -1889,6 +1900,9 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
 			lock_basic_unlock(&x->lock);
 		}
 		lock_rw_unlock(&z->lock);
+		if(c->isrpz) {
+			lock_rw_unlock(&az->rpz_lock);
+		}
 		return 0;
 	}
 	z->for_downstream = c->for_downstream;
@@ -1900,11 +1914,13 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
 			return 0;
 		}
 		lock_protect(&z->lock, &z->rpz->local_zones, sizeof(*z->rpz));
-		lock_rw_wrlock(&az->rpz_lock);
+		/* the az->rpz_lock is locked above */
 		z->rpz_az_next = az->rpz_first;
 		if(az->rpz_first)
 			az->rpz_first->rpz_az_prev = z;
 		az->rpz_first = z;
+	}
+	if(c->isrpz) {
 		lock_rw_unlock(&az->rpz_lock);
 	}
 

testcode/streamtcp.c

@@ -200,6 +200,7 @@ write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id,
 static void
 recv_one(int fd, int udp, SSL* ssl, sldns_buffer* buf)
 {
+	size_t i;
 	char* pktstr;
 	uint16_t len;
 	if(!udp) {
@@ -270,7 +271,13 @@ recv_one(int fd, int udp, SSL* ssl, sldns_buffer* buf)
 		len = (size_t)l;
 	}
 	printf("\nnext received packet\n");
-	log_buf(0, "data", buf);
+	printf("data[%d] ", (int)sldns_buffer_limit(buf));
+	for(i=0; i<sldns_buffer_limit(buf); i++) {
+		const char* hex = "0123456789ABCDEF";
+		printf("%c%c", hex[(sldns_buffer_read_u8_at(buf, i)&0xf0)>>4],
+                        hex[sldns_buffer_read_u8_at(buf, i)&0x0f]);
+	}
+	printf("\n");
 
 	pktstr = sldns_wire2str_pkt(sldns_buffer_begin(buf), len);
 	printf("%s", pktstr);

testdata/04-checkconf.tdir/bad.badfwd

@@ -2,6 +2,7 @@ server:
 	# to make sure the check doesn't fail on username or chrootdir.
 	username: ""	
 	chroot: ""
+	directory: ""
 
 forward-zone:
 	name: "example.com"

testdata/04-checkconf.tdir/bad.include-toplevel.1

@@ -0,0 +1,3 @@
+include-toplevel: include.withoutclauses.*
+server:
+    identity: "top 1"

testdata/04-checkconf.tdir/bad.include-toplevel.2

@@ -0,0 +1,5 @@
+include-toplevel: include.withclauses.*
+server:
+    identity: "top 1"
+    include: include.withoutclauses.*
+    include-toplevel: include.withoutclauses.*

testdata/04-checkconf.tdir/bad.include-toplevel.3

@@ -0,0 +1,6 @@
+include-toplevel: include.withclauses.*
+server:
+    identity: "top 1"
+    include: include.withoutclauses.*
+    include-toplevel: include.withclauses.*
+include: include.withoutclauses.*

testdata/04-checkconf.tdir/bad.include-toplevel.4

@@ -0,0 +1,7 @@
+include-toplevel: include.withclauses.*
+server:
+    identity: "top 1"
+    include: include.withoutclauses.*
+    include-toplevel: include.withclauses.*
+include: include.withclauses.*
+include-toplevel: include.withoutclauses.*

testdata/04-checkconf.tdir/bad.include-toplevel.5

@@ -0,0 +1,8 @@
+include-toplevel: include.withclauses.*
+server:
+    identity: "top 1"
+    include: include.withoutclauses.*
+    include-toplevel: include.withsomeclauses.*
+include: include.withclauses.*
+include-toplevel: include.withclauses.*
+server: identity: "top 2"

testdata/04-checkconf.tdir/bad.include-toplevel.6

@@ -0,0 +1,10 @@
+include-toplevel: include.withclauses.*
+include-toplevel: include.withclauses.*
+server:
+    identity: "top 1"
+    include: include.withoutclauses.*
+    include-toplevel: include.withclauses.*
+include: include.withclauses.*
+include-toplevel: include.withclauses.*
+server: identity: "top 2"
+include-toplevel: include.includetop.withoutclauses.*

testdata/04-checkconf.tdir/bad.include-toplevel.7

@@ -0,0 +1,11 @@
+include-toplevel: include.withclauses.*
+include-toplevel: include.withclauses.*
+server:
+    identity: "top 1"
+    include: include.withoutclauses.*
+    include-toplevel: include.withclauses.*
+include: include.withclauses.*
+include-toplevel: include.withclauses.*
+server: identity: "top 2"
+include-toplevel: include.includetop.withclauses.*
+include-toplevel: include.include.withoutclauses.*

testdata/04-checkconf.tdir/bad.user

@@ -1,2 +1,4 @@
 server:
 	username: blabla_noexist_user
+	chroot: ""
+	directory: ""

testdata/04-checkconf.tdir/good.include-toplevel

@@ -0,0 +1,16 @@
+include-toplevel: include.withclauses.*
+include-toplevel: include.withclauses.*
+server:
+    identity: "top 1"
+    include: include.withoutclauses.*
+    include-toplevel: include.withclauses.*
+include: include.withclauses.*
+include-toplevel: include.withclauses.*
+server: identity: "top 2"
+include-toplevel: include.includetop.withclauses.*
+include-toplevel: include.include.withclauses.*
+include-toplevel: include.include.withclauses.*
+server:
+	chroot: ""
+	directory: ""
+	username: ""

testdata/04-checkconf.tdir/include.include.withclauses.1

@@ -0,0 +1 @@
+include: include.withclauses.*

testdata/04-checkconf.tdir/include.include.withclauses.2

@@ -0,0 +1 @@
+include: include.withclauses.*

testdata/04-checkconf.tdir/include.include.withclauses.3

@@ -0,0 +1 @@
+include: include.withclauses.*

testdata/04-checkconf.tdir/include.include.withoutclauses.1

@@ -0,0 +1 @@
+include: include.withoutclauses.*

testdata/04-checkconf.tdir/include.include.withoutclauses.2

@@ -0,0 +1 @@
+include: include.withoutclauses.*

testdata/04-checkconf.tdir/include.include.withoutclauses.3

@@ -0,0 +1 @@
+include: include.withoutclauses.*

testdata/04-checkconf.tdir/include.includetop.withclauses.1

@@ -0,0 +1 @@
+include-toplevel: include.withclauses.*

testdata/04-checkconf.tdir/include.includetop.withclauses.2

@@ -0,0 +1 @@
+include-toplevel: include.withclauses.*

testdata/04-checkconf.tdir/include.includetop.withclauses.3

@@ -0,0 +1 @@
+include-toplevel: include.withclauses.*

testdata/04-checkconf.tdir/include.includetop.withoutclauses.1

@@ -0,0 +1 @@
+include-toplevel: include.withoutclauses.*

testdata/04-checkconf.tdir/include.includetop.withoutclauses.2

@@ -0,0 +1 @@
+include-toplevel: include.withoutclauses.*

testdata/04-checkconf.tdir/include.includetop.withoutclauses.3

@@ -0,0 +1 @@
+include-toplevel: include.withoutclauses.*

testdata/04-checkconf.tdir/include.withclauses.1

@@ -0,0 +1 @@
+server: identity: "withclauses1"

testdata/04-checkconf.tdir/include.withclauses.2

@@ -0,0 +1 @@
+server: identity: "withclauses2"

testdata/04-checkconf.tdir/include.withclauses.3

@@ -0,0 +1 @@
+server: identity: "withclauses3"

testdata/04-checkconf.tdir/include.withoutclauses.1

@@ -0,0 +1 @@
+identity: "withoutclauses1"

testdata/04-checkconf.tdir/include.withoutclauses.2

@@ -0,0 +1 @@
+identity: "withoutclauses2"

testdata/04-checkconf.tdir/include.withoutclauses.3

@@ -0,0 +1 @@
+identity: "withoutclauses3"

testdata/04-checkconf.tdir/include.withsomeclauses.1

@@ -0,0 +1 @@
+server: identity: "withsomeclauses1"

testdata/04-checkconf.tdir/include.withsomeclauses.2

@@ -0,0 +1 @@
+identity: "withsomeclauses2"

testdata/04-checkconf.tdir/include.withsomeclauses.3

@@ -0,0 +1 @@
+identity: "withsomeclauses3"

util/config_file.c

@@ -299,6 +299,7 @@ config_create(void)
 	if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH)))
 		goto error_exit;
 #endif
+	cfg->dnstap_bidirectional = 1;
 	cfg->dnstap_tls = 1;
 	cfg->disable_dnssec_lame_check = 0;
 	cfg->ip_ratelimit = 0;
@@ -641,6 +642,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 #endif
 #ifdef USE_DNSTAP
 	else S_YNO("dnstap-enable:", dnstap)
+	else S_YNO("dnstap-bidirectional:", dnstap_bidirectional)
 	else S_STR("dnstap-socket-path:", dnstap_socket_path)
 	else S_STR("dnstap-ip:", dnstap_ip)
 	else S_YNO("dnstap-tls:", dnstap_tls)
@@ -1058,6 +1060,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 #endif
 #ifdef USE_DNSTAP
 	else O_YNO(opt, "dnstap-enable", dnstap)
+	else O_YNO(opt, "dnstap-bidirectional", dnstap_bidirectional)
 	else O_STR(opt, "dnstap-socket-path", dnstap_socket_path)
 	else O_STR(opt, "dnstap-ip", dnstap_ip)
 	else O_YNO(opt, "dnstap-tls", dnstap_tls)

util/config_file.h

@@ -483,6 +483,8 @@ struct config_file {
 
 	/** true to enable dnstap support */
 	int dnstap;
+	/** using bidirectional frame streams if true */
+	int dnstap_bidirectional;
 	/** dnstap socket path */
 	char* dnstap_socket_path;
 	/** dnstap IP */

util/configlexer.lex

@@ -45,11 +45,13 @@ struct inc_state {
 	int line;
 	YY_BUFFER_STATE buffer;
 	struct inc_state* next;
+	int inc_toplevel;
 };
 static struct inc_state* config_include_stack = NULL;
 static int inc_depth = 0;
 static int inc_prev = 0;
 static int num_args = 0;
+static int inc_toplevel = 0;
 
 void init_cfg_parse(void)
 {
@@ -57,14 +59,15 @@ void init_cfg_parse(void)
 	inc_depth = 0;
 	inc_prev = 0;
 	num_args = 0;
+	inc_toplevel = 0;
 }
 
-static void config_start_include(const char* filename)
+static void config_start_include(const char* filename, int toplevel)
 {
 	FILE *input;
 	struct inc_state* s;
 	char* nm;
-	if(inc_depth++ > 100000) {
+	if(inc_depth+1 > 100000) {
 		ub_c_error_msg("too many include files");
 		return;
 	}
@@ -96,17 +99,20 @@ static void config_start_include(const char* filename)
 		return;
 	}
 	LEXOUT(("switch_to_include_file(%s)\n", filename));
+	inc_depth++;
 	s->filename = cfg_parser->filename;
 	s->line = cfg_parser->line;
 	s->buffer = YY_CURRENT_BUFFER;
+	s->inc_toplevel = inc_toplevel;
 	s->next = config_include_stack;
 	config_include_stack = s;
 	cfg_parser->filename = nm;
 	cfg_parser->line = 1;
+	inc_toplevel = toplevel;
 	yy_switch_to_buffer(yy_create_buffer(input, YY_BUF_SIZE));
 }
 
-static void config_start_include_glob(const char* filename)
+static void config_start_include_glob(const char* filename, int toplevel)
 {
 
 	/* check for wildcards */
@@ -139,19 +145,19 @@ static void config_start_include_glob(const char* filename)
 			globfree(&g);
 			if(r == GLOB_NOMATCH)
 				return; /* no matches for pattern */
-			config_start_include(filename); /* let original deal with it */
+			config_start_include(filename, toplevel); /* let original deal with it */
 			return;
 		}
 		/* process files found, if any */
 		for(i=(int)g.gl_pathc-1; i>=0; i--) {
-			config_start_include(g.gl_pathv[i]);
+			config_start_include(g.gl_pathv[i], toplevel);
 		}
 		globfree(&g);
 		return;
 	}
 #endif /* HAVE_GLOB */
 
-	config_start_include(filename);
+	config_start_include(filename, toplevel);
 }
 
 static void config_end_include(void)
@@ -165,6 +171,7 @@ static void config_end_include(void)
 	yy_delete_buffer(YY_CURRENT_BUFFER);
 	yy_switch_to_buffer(s->buffer);
 	config_include_stack = s->next;
+	inc_toplevel = s->inc_toplevel;
 	free(s);
 }
 
@@ -199,7 +206,7 @@ COLON 	\:
 DQANY     [^\"\n\r\\]|\\.
 SQANY     [^\'\n\r\\]|\\.
 
-%x	quotedstring singlequotedstr include include_quoted val
+%x	quotedstring singlequotedstr include include_quoted val include_toplevel include_toplevel_quoted
 
 %%
 <INITIAL,val>{SPACE}*	{ 
@@ -435,6 +442,7 @@ access-control-view{COLON}	{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) }
 local-zone-override{COLON}	{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
 dnstap{COLON}			{ YDVAR(0, VAR_DNSTAP) }
 dnstap-enable{COLON}		{ YDVAR(1, VAR_DNSTAP_ENABLE) }
+dnstap-bidirectional{COLON}	{ YDVAR(1, VAR_DNSTAP_BIDIRECTIONAL) }
 dnstap-socket-path{COLON}	{ YDVAR(1, VAR_DNSTAP_SOCKET_PATH) }
 dnstap-ip{COLON}		{ YDVAR(1, VAR_DNSTAP_IP) }
 dnstap-tls{COLON}		{ YDVAR(1, VAR_DNSTAP_TLS) }
@@ -566,7 +574,7 @@ tcp-connection-limit{COLON}	{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
 <include>\"		{ LEXOUT(("IQS ")); BEGIN(include_quoted); }
 <include>{UNQUOTEDLETTER}*	{
 	LEXOUT(("Iunquotedstr(%s) ", yytext));
-	config_start_include_glob(yytext);
+	config_start_include_glob(yytext, 0);
 	BEGIN(inc_prev);
 }
 <include_quoted><<EOF>>	{
@@ -579,7 +587,7 @@ tcp-connection-limit{COLON}	{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
 <include_quoted>\"	{
 	LEXOUT(("IQE "));
 	yytext[yyleng - 1] = '\0';
-	config_start_include_glob(yytext);
+	config_start_include_glob(yytext, 0);
 	BEGIN(inc_prev);
 }
 <INITIAL,val><<EOF>>	{
@@ -588,11 +596,47 @@ tcp-connection-limit{COLON}	{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
 	if (!config_include_stack) {
 		yyterminate();
 	} else {
+		int prev_toplevel = inc_toplevel;
 		fclose(yyin);
 		config_end_include();
+		if(prev_toplevel) return (VAR_FORCE_TOPLEVEL);
 	}
 }
 
+	/* include-toplevel: directive */
+<INITIAL,val>include-toplevel{COLON} {
+	LEXOUT(("v(%s) ", yytext)); inc_prev = YYSTATE; BEGIN(include_toplevel);
+}
+<include_toplevel><<EOF>> {
+	yyerror("EOF inside include_toplevel directive");
+	BEGIN(inc_prev);
+}
+<include_toplevel>{SPACE}* { LEXOUT(("ITSP ")); /* ignore */ }
+<include_toplevel>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
+<include_toplevel>\" { LEXOUT(("ITQS ")); BEGIN(include_toplevel_quoted); }
+<include_toplevel>{UNQUOTEDLETTER}* {
+	LEXOUT(("ITunquotedstr(%s) ", yytext));
+	config_start_include_glob(yytext, 1);
+	BEGIN(inc_prev);
+	return (VAR_FORCE_TOPLEVEL);
+}
+<include_toplevel_quoted><<EOF>> {
+	yyerror("EOF inside quoted string");
+	BEGIN(inc_prev);
+}
+<include_toplevel_quoted>{DQANY}* { LEXOUT(("ITSTR(%s) ", yytext)); yymore(); }
+<include_toplevel_quoted>{NEWLINE} {
+	yyerror("newline before \" in include name");
+	cfg_parser->line++; BEGIN(inc_prev);
+}
+<include_toplevel_quoted>\" {
+	LEXOUT(("ITQE "));
+	yytext[yyleng - 1] = '\0';
+	config_start_include_glob(yytext, 1);
+	BEGIN(inc_prev);
+	return (VAR_FORCE_TOPLEVEL);
+}
+
 <val>{UNQUOTEDLETTER}*	{ LEXOUT(("unquotedstr(%s) ", yytext)); 
 			if(--num_args == 0) { BEGIN(INITIAL); }
 			yylval.str = strdup(yytext); return STRING_ARG; }

util/configparser.y

@@ -69,6 +69,7 @@ extern struct config_parser_state* cfg_parser;
 
 %token SPACE LETTER NEWLINE COMMENT COLON ANY ZONESTR
 %token <str> STRING_ARG
+%token VAR_FORCE_TOPLEVEL
 %token VAR_SERVER VAR_VERBOSITY VAR_NUM_THREADS VAR_PORT
 %token VAR_OUTGOING_RANGE VAR_INTERFACE VAR_PREFER_IP4
 %token VAR_DO_IP4 VAR_DO_IP6 VAR_PREFER_IP6 VAR_DO_UDP VAR_DO_TCP
@@ -119,7 +120,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH VAR_DNSTAP_IP
 %token VAR_DNSTAP_TLS VAR_DNSTAP_TLS_SERVER_NAME VAR_DNSTAP_TLS_CERT_BUNDLE
 %token VAR_DNSTAP_TLS_CLIENT_KEY_FILE VAR_DNSTAP_TLS_CLIENT_CERT_FILE
-%token VAR_DNSTAP_SEND_IDENTITY VAR_DNSTAP_SEND_VERSION
+%token VAR_DNSTAP_SEND_IDENTITY VAR_DNSTAP_SEND_VERSION VAR_DNSTAP_BIDIRECTIONAL
 %token VAR_DNSTAP_IDENTITY VAR_DNSTAP_VERSION
 %token VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES
 %token VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES
@@ -183,16 +184,21 @@ toplevelvar: serverstart contents_server | stubstart contents_stub |
 	rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
 	dnscstart contents_dnsc | cachedbstart contents_cachedb |
 	ipsetstart contents_ipset | authstart contents_auth |
-	rpzstart contents_rpz | dynlibstart contents_dl
+	rpzstart contents_rpz | dynlibstart contents_dl |
+	force_toplevel
+	;
+force_toplevel: VAR_FORCE_TOPLEVEL
+	{
+		OUTYY(("\nP(force-toplevel)\n"));
+	}
 	;
-
 /* server: declaration */
 serverstart: VAR_SERVER
 	{ 
-		OUTYY(("\nP(server:)\n")); 
+		OUTYY(("\nP(server:)\n"));
 	}
 	;
-contents_server: contents_server content_server 
+contents_server: contents_server content_server
 	| ;
 content_server: server_num_threads | server_verbosity | server_port |
 	server_outgoing_range | server_do_ip4 |
@@ -2768,7 +2774,7 @@ dtstart: VAR_DNSTAP
 	;
 contents_dt: contents_dt content_dt
 	| ;
-content_dt: dt_dnstap_enable | dt_dnstap_socket_path |
+content_dt: dt_dnstap_enable | dt_dnstap_socket_path | dt_dnstap_bidirectional |
 	dt_dnstap_ip | dt_dnstap_tls | dt_dnstap_tls_server_name |
 	dt_dnstap_tls_cert_bundle |
 	dt_dnstap_tls_client_key_file | dt_dnstap_tls_client_cert_file |
@@ -2790,6 +2796,16 @@ dt_dnstap_enable: VAR_DNSTAP_ENABLE STRING_ARG
 		free($2);
 	}
 	;
+dt_dnstap_bidirectional: VAR_DNSTAP_BIDIRECTIONAL STRING_ARG
+	{
+		OUTYY(("P(dt_dnstap_bidirectional:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->dnstap_bidirectional =
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 dt_dnstap_socket_path: VAR_DNSTAP_SOCKET_PATH STRING_ARG
 	{
 		OUTYY(("P(dt_dnstap_socket_path:%s)\n", $2));

util/net_help.c

@@ -97,6 +97,7 @@ static struct tls_session_ticket_key {
  * @return 0 on no ticket, 1 for okay, and 2 for okay but renew the ticket
  * 	(the ticket is decrypt only). and <0 for failures.
  */
+#ifdef HAVE_SSL
 int tls_session_ticket_key_cb(SSL *s, unsigned char* key_name,
 	unsigned char* iv, EVP_CIPHER_CTX *evp_ctx,
 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
@@ -105,6 +106,7 @@ int tls_session_ticket_key_cb(SSL *s, unsigned char* key_name,
 	HMAC_CTX* hmac_ctx,
 #endif
 	int enc);
+#endif /* HAVE_SSL */
 
 /* returns true is string addr is an ip6 specced address */
 int
@@ -1267,6 +1269,7 @@ int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni)
 	}
 #else
 	(void)ssl;
+	(void)use_sni;
 #endif
 #ifdef HAVE_SSL_SET1_HOST
 	SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
@@ -1434,6 +1437,7 @@ int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_ses
 
 }
 
+#ifdef HAVE_SSL
 int tls_session_ticket_key_cb(SSL *ATTR_UNUSED(sslctx), unsigned char* key_name,
 	unsigned char* iv, EVP_CIPHER_CTX *evp_sctx,
 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
@@ -1531,6 +1535,7 @@ int tls_session_ticket_key_cb(SSL *ATTR_UNUSED(sslctx), unsigned char* key_name,
 	return 0;
 #endif
 }
+#endif /* HAVE_SSL */
 
 void
 listen_sslctx_delete_ticket_keys(void)

util/netevent.c

@@ -447,7 +447,10 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet,
 	ssize_t sent;
 	struct msghdr msg;
 	struct iovec iov[1];
-	char control[256];
+	union {
+		struct cmsghdr hdr;
+		char buf[256];
+	} control;
 #ifndef S_SPLINT_S
 	struct cmsghdr *cmsg;
 #endif /* S_SPLINT_S */
@@ -465,9 +468,9 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet,
 	iov[0].iov_len = sldns_buffer_remaining(packet);
 	msg.msg_iov = iov;
 	msg.msg_iovlen = 1;
-	msg.msg_control = control;
+	msg.msg_control = control.buf;
 #ifndef S_SPLINT_S
-	msg.msg_controllen = sizeof(control);
+	msg.msg_controllen = sizeof(control.buf);
 #endif /* S_SPLINT_S */
 	msg.msg_flags = 0;
 
@@ -477,7 +480,7 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet,
 #ifdef IP_PKTINFO
 		void* cmsg_data;
 		msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
-		log_assert(msg.msg_controllen <= sizeof(control));
+		log_assert(msg.msg_controllen <= sizeof(control.buf));
 		cmsg->cmsg_level = IPPROTO_IP;
 		cmsg->cmsg_type = IP_PKTINFO;
 		memmove(CMSG_DATA(cmsg), &r->pktinfo.v4info,
@@ -488,7 +491,7 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet,
 		cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
 #elif defined(IP_SENDSRCADDR)
 		msg.msg_controllen = CMSG_SPACE(sizeof(struct in_addr));
-		log_assert(msg.msg_controllen <= sizeof(control));
+		log_assert(msg.msg_controllen <= sizeof(control.buf));
 		cmsg->cmsg_level = IPPROTO_IP;
 		cmsg->cmsg_type = IP_SENDSRCADDR;
 		memmove(CMSG_DATA(cmsg), &r->pktinfo.v4addr,
@@ -501,7 +504,7 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet,
 	} else if(r->srctype == 6) {
 		void* cmsg_data;
 		msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
-		log_assert(msg.msg_controllen <= sizeof(control));
+		log_assert(msg.msg_controllen <= sizeof(control.buf));
 		cmsg->cmsg_level = IPPROTO_IPV6;
 		cmsg->cmsg_type = IPV6_PKTINFO;
 		memmove(CMSG_DATA(cmsg), &r->pktinfo.v6info,
@@ -513,7 +516,7 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet,
 	} else {
 		/* try to pass all 0 to use default route */
 		msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
-		log_assert(msg.msg_controllen <= sizeof(control));
+		log_assert(msg.msg_controllen <= sizeof(control.buf));
 		cmsg->cmsg_level = IPPROTO_IPV6;
 		cmsg->cmsg_type = IPV6_PKTINFO;
 		memset(CMSG_DATA(cmsg), 0, sizeof(struct in6_pktinfo));
@@ -584,7 +587,10 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg)
 	struct msghdr msg;
 	struct iovec iov[1];
 	ssize_t rcv;
-	char ancil[256];
+	union {
+		struct cmsghdr hdr;
+		char buf[256];
+	} ancil;
 	int i;
 #ifndef S_SPLINT_S
 	struct cmsghdr* cmsg;
@@ -608,9 +614,9 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg)
 		iov[0].iov_len = sldns_buffer_remaining(rep.c->buffer);
 		msg.msg_iov = iov;
 		msg.msg_iovlen = 1;
-		msg.msg_control = ancil;
+		msg.msg_control = ancil.buf;
 #ifndef S_SPLINT_S
-		msg.msg_controllen = sizeof(ancil);
+		msg.msg_controllen = sizeof(ancil.buf);
 #endif /* S_SPLINT_S */
 		msg.msg_flags = 0;
 		rcv = recvmsg(fd, &msg, 0);