Upgrade Unbound to 1.7.2. More to follow.

Approved by:	re (kib@)

contrib/unbound/Makefile.in

@@ -327,7 +327,7 @@ unbound-control$(EXEEXT):	$(CONTROL_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
 
 unbound-host$(EXEEXT):	$(HOST_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
+	$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
 
 unbound-anchor$(EXEEXT):	$(UBANCHOR_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSLLIB) $(LIBS)
@@ -360,7 +360,7 @@ memstats$(EXEEXT):	$(MEMSTATS_OBJ_LINK)
 	$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 asynclook$(EXEEXT):	$(ASYNCLOOK_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound
+	$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
 
 streamtcp$(EXEEXT):	$(STREAMTCP_OBJ_LINK)
 	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
@@ -1463,7 +1463,7 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
  $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h
 w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
 unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
  $(srcdir)/winrc/w_inst.h

contrib/unbound/compat/arc4random.c

@@ -71,6 +71,72 @@ static struct {
 
 static inline void _rs_rekey(u_char *dat, size_t datlen);
 
+/*
+ * Basic sanity checking; wish we could do better.
+ */
+static int
+fallback_gotdata(char *buf, size_t len)
+{
+	char	any_set = 0;
+	size_t	i;
+
+	for (i = 0; i < len; ++i)
+		any_set |= buf[i];
+	if (any_set == 0)
+		return -1;
+	return 0;
+}
+
+/* fallback for getentropy in case libc returns failure */
+static int
+fallback_getentropy_urandom(void *buf, size_t len)
+{
+	size_t i;
+	int fd, flags;
+	int save_errno = errno;
+
+start:
+
+	flags = O_RDONLY;
+#ifdef O_NOFOLLOW
+	flags |= O_NOFOLLOW;
+#endif
+#ifdef O_CLOEXEC
+	flags |= O_CLOEXEC;
+#endif
+	fd = open("/dev/urandom", flags, 0);
+	if (fd == -1) {
+		if (errno == EINTR)
+			goto start;
+		goto nodevrandom;
+	}
+#ifndef O_CLOEXEC
+#  ifdef HAVE_FCNTL
+	fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#  endif
+#endif
+	for (i = 0; i < len; ) {
+		size_t wanted = len - i;
+		ssize_t ret = read(fd, (char*)buf + i, wanted);
+
+		if (ret == -1) {
+			if (errno == EAGAIN || errno == EINTR)
+				continue;
+			close(fd);
+			goto nodevrandom;
+		}
+		i += ret;
+	}
+	close(fd);
+	if (fallback_gotdata(buf, len) == 0) {
+		errno = save_errno;
+		return 0;		/* satisfied */
+	}
+nodevrandom:
+	errno = EIO;
+	return -1;
+}
+
 static inline void
 _rs_init(u_char *buf, size_t n)
 {
@@ -114,11 +180,14 @@ _rs_stir(void)
 	u_char rnd[KEYSZ + IVSZ];
 
 	if (getentropy(rnd, sizeof rnd) == -1) {
+		if(errno != ENOSYS ||
+			fallback_getentropy_urandom(rnd, sizeof rnd) == -1) {
 #ifdef SIGKILL
-		raise(SIGKILL);
+			raise(SIGKILL);
 #else
-		exit(9); /* windows */
+			exit(9); /* windows */
 #endif
+		}
 	}
 
 	if (!rs)

contrib/unbound/config.h

@@ -31,6 +31,9 @@
    internal symbols */
 /* #undef EXPORT_ALL_SYMBOLS */
 
+/* Define to 1 if you have the `accept4' function. */
+#define HAVE_ACCEPT4 1
+
 /* Define to 1 if you have the `arc4random' function. */
 #define HAVE_ARC4RANDOM 1
 
@@ -628,7 +631,7 @@
 #define PACKAGE_NAME "unbound"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "unbound 1.7.1"
+#define PACKAGE_STRING "unbound 1.7.2"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "unbound"
@@ -637,7 +640,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.7.1"
+#define PACKAGE_VERSION "1.7.2"
 
 /* default pidfile location */
 #define PIDFILE "/var/unbound/unbound.pid"
@@ -656,7 +659,7 @@
 #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
 
 /* version number for resource files */
-#define RSRC_PACKAGE_VERSION 1,7,1,0
+#define RSRC_PACKAGE_VERSION 1,7,2,0
 
 /* Directory to chdir to */
 #define RUN_DIR "/var/unbound"

contrib/unbound/config.h.in

@@ -30,6 +30,9 @@
    internal symbols */
 #undef EXPORT_ALL_SYMBOLS
 
+/* Define to 1 if you have the `accept4' function. */
+#undef HAVE_ACCEPT4
+
 /* Define to 1 if you have the `arc4random' function. */
 #undef HAVE_ARC4RANDOM
 

contrib/unbound/configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.7.1.
+# Generated by GNU Autoconf 2.69 for unbound 1.7.2.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.7.1'
-PACKAGE_STRING='unbound 1.7.1'
+PACKAGE_VERSION='1.7.2'
+PACKAGE_STRING='unbound 1.7.2'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.7.1 to adapt to many kinds of systems.
+\`configure' configures unbound 1.7.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1505,7 +1505,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.7.1:";;
+     short | recursive ) echo "Configuration of unbound 1.7.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1722,7 +1722,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.7.1
+unbound configure 1.7.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.7.1, which was
+It was created by unbound $as_me 1.7.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=7
 
-UNBOUND_VERSION_MICRO=1
+UNBOUND_VERSION_MICRO=2
 
 
 LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=9
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=5
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2848,6 +2848,7 @@ LIBUNBOUND_AGE=5
 # 1.6.8 had 7:7:5
 # 1.7.0 had 7:8:5
 # 1.7.1 had 7:9:5
+# 1.7.2 had 7:10:5
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -19467,7 +19468,7 @@ else
   WINDRES="$ac_cv_prog_WINDRES"
 fi
 
-	LIBS="$LIBS -liphlpapi"
+	LIBS="$LIBS -liphlpapi -lcrypt32"
 	WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
 
 	WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
@@ -19701,7 +19702,7 @@ if test "$ac_res" != no; then :
 
 fi
 
-for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget
+for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -20854,6 +20855,8 @@ if test "${enable_cachedb+set}" = set; then :
   enableval=$enable_cachedb;
 fi
 
+# turn on cachedb when hiredis support is enabled.
+if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi
 case "$enable_cachedb" in
     yes)
 
@@ -21041,7 +21044,7 @@ _ACEOF
 
 
 
-version=1.7.1
+version=1.7.2
 
 date=`date +'%b %e, %Y'`
 
@@ -21560,7 +21563,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.7.1, which was
+This file was extended by unbound $as_me 1.7.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -21626,7 +21629,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.7.1
+unbound config.status 1.7.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

contrib/unbound/configure.ac

@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[7])
-m4_define([VERSION_MICRO],[1])
+m4_define([VERSION_MICRO],[2])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=9
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=5
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -79,6 +79,7 @@ LIBUNBOUND_AGE=5
 # 1.6.8 had 7:7:5
 # 1.7.0 had 7:8:5
 # 1.7.1 had 7:9:5
+# 1.7.2 had 7:10:5
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -1245,7 +1246,7 @@ if test "$USE_WINSOCK" = 1; then
 #include <windows.h>
 	])
 	AC_CHECK_TOOL(WINDRES, windres)
-	LIBS="$LIBS -liphlpapi"
+	LIBS="$LIBS -liphlpapi -lcrypt32"
 	WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
 	AC_SUBST(WINAPPS)
 	WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
@@ -1318,7 +1319,7 @@ AC_INCLUDES_DEFAULT
 #endif
 ])
 AC_SEARCH_LIBS([setusercontext], [util])
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4])
 AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
 AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
 
@@ -1488,6 +1489,8 @@ dnsc_DNSCRYPT([
 
 # check for cachedb if requested
 AC_ARG_ENABLE(cachedb, AC_HELP_STRING([--enable-cachedb], [enable cachedb module that can use external cache storage]))
+# turn on cachedb when hiredis support is enabled.
+if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi
 case "$enable_cachedb" in
     yes)
     	AC_DEFINE([USE_CACHEDB], [1], [Define to 1 to use cachedb support])

contrib/unbound/contrib/libunbound.pc.in

@@ -7,7 +7,7 @@ Name: unbound
 Description: Library with validating, recursive, and caching DNS resolver
 URL: http://www.unbound.net
 Version: @PACKAGE_VERSION@
-Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
-Libs: -L${libdir} -lunbound
+Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
+Libs: -L${libdir} -lunbound -lssl -lcrypto
 Libs.private: @SSLLIB@ @LIBS@
 Cflags: -I${includedir} 

contrib/unbound/daemon/acl_list.c

@@ -111,6 +111,8 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
 		control = acl_refuse_non_local;
 	else if(strcmp(s2, "allow_snoop") == 0)
 		control = acl_allow_snoop;
+	else if(strcmp(s2, "allow_setrd") == 0)
+		control = acl_allow_setrd;
 	else {
 		log_err("access control type %s unknown", str);
 		return 0;

contrib/unbound/daemon/acl_list.h

@@ -63,7 +63,9 @@ enum acl_access {
 	/** allow full access for recursion (+RD) queries */
 	acl_allow,
 	/** allow full access for all queries, recursion and cache snooping */
-	acl_allow_snoop
+	acl_allow_snoop,
+	/** allow full access for recursion queries and set RD flag regardless of request */
+	acl_allow_setrd
 };
 
 /**

contrib/unbound/daemon/daemon.c

@@ -704,6 +704,7 @@ daemon_cleanup(struct daemon* daemon)
 	free(daemon->workers);
 	daemon->workers = NULL;
 	daemon->num = 0;
+	alloc_clear_special(&daemon->superalloc);
 #ifdef USE_DNSTAP
 	dt_delete(daemon->dtenv);
 	daemon->dtenv = NULL;

contrib/unbound/daemon/unbound.c

@@ -431,7 +431,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 			fatal_exit("could not set up listen SSL_CTX");
 	}
 	if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL,
-		cfg->tls_cert_bundle)))
+		cfg->tls_cert_bundle, cfg->tls_win_cert)))
 		fatal_exit("could not set up connect SSL_CTX");
 #endif
 

contrib/unbound/daemon/worker.c

@@ -1350,6 +1350,13 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		return ret;
 	}
 
+	/* If this request does not have the recursion bit set, verify
+	 * ACLs allow the recursion bit to be treated as set. */
+	if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
+		acl == acl_allow_setrd ) {
+		LDNS_RD_SET(sldns_buffer_begin(c->buffer));
+	}
+
 	/* If this request does not have the recursion bit set, verify
 	 * ACLs allow the snooping. */
 	if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&

contrib/unbound/doc/Changelog

@@ -1,8 +1,80 @@
+4 June 2018: Wouter
+	- Fix deadlock caused by incoming notify for auth-zone.
+	- tag for 1.7.2rc1
+
+1 June 2018: Wouter
+	- Rename additional-tls-port to tls-additional-ports.
+	  The older name is accepted for backwards compatibility.
+
+30 May 2018: Wouter
+	- Patch from Syzdek: Add ability to ignore RD bit and treat all
+	  requests as if the RD bit is set.
+
+29 May 2018: Wouter
+	- in compat/arc4random call getentropy_urandom when getentropy fails
+	  with ENOSYS.
+	- Fix that fallback for windows port.
+
+28 May 2018: Wouter
+	- Fix windows tcp and tls spin on events.
+	- Add routine from getdns to add windows cert store to the SSL_CTX.
+	- tls-win-cert option that adds the system certificate store for
+	  authenticating DNS-over-TLS connections.  It can be used instead
+	  of the tls-cert-bundle option, or with it to add certificates.
+
+25 May 2018: Wouter
+	- For TCP and TLS connections that don't establish, perform address
+	  update in infra cache, so future selections can exclude them.
+	- Fix that tcp sticky events are removed for closed fd on windows.
+	- Fix close events for tcp only.
+
+24 May 2018: Wouter
+	- Fix that libunbound can do DNS-over-TLS, when configured.
+	- Fix that windows unbound service can use DNS-over-TLS.
+	- unbound-host initializes ssl (for potential DNS-over-TLS usage
+	  inside libunbound), when ssl upstream or a cert-bundle is configured.
+
+23 May 2018: Wouter
+	- Use accept4 to speed up incoming TCP (and TLS) connections,
+	  available on Linux, FreeBSD and OpenBSD.
+
+17 May 2018: Ralph
+	- Qname minimisation default changed to yes.
+
+15 May 2018: Wouter
+	- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
+
+11 May 2018: Wouter
+	- Fix contrib/libunbound.pc for libssl libcrypto references,
+	  from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
+
+7 May 2018: Wouter
+	- Fix windows to not have sticky TLS events for TCP.
+	- Fix read of DNS over TLS length and data in one read call.
+	- Fix mesh state assertion failure due to callback removal.
+
+3 May 2018: Wouter
+	- Fix that configure --with-libhiredis also turns on cachedb.
+	- Fix gcc 8 buffer warning in testcode.
+	- Fix function type cast warning in libunbound context callback type.
+
+2 May 2018: Wouter
+	- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
+
+1 May 2018: Wouter
+	- Fix that unbound-control reload frees the rrset keys and returns
+	  the memory pages to the system.
+
+30 April 2018: Wouter
+	- Fix spelling error in man page and note defaults as no instead of
+	  off.
+
 26 April 2018: Wouter
 	- Fix for crash in daemon_cleanup with dnstap during reload,
 	  from Saksham Manchanda.
 	- Also that for dnscrypt.
-	- tag for 1.7.1rc1 release.
+	- tag for 1.7.1rc1 release.  Became 1.7.1 release on 3 May, trunk
+	  is from here 1.7.2 in development.
 
 25 April 2018: Ralph
 	- Fix memory leak when caching wildcard records for aggressive NSEC use

contrib/unbound/doc/README

@@ -1,4 +1,4 @@
-README for Unbound 1.7.1
+README for Unbound 1.7.2
 Copyright 2007 NLnet Labs
 http://unbound.net
 

contrib/unbound/doc/example.conf

@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.7.1.
+# See unbound.conf(5) man page, version 1.7.2.
 #
 # this is a comment.
 
@@ -223,7 +223,8 @@ server:
 	# to this server. Specify classless netblocks with /size and action.
 	# By default everything is refused, except for localhost.
 	# Choose deny (drop message), refuse (polite error reply),
-	# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+	# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
+	# allow_snoop (recursive and nonrecursive ok)
 	# deny_non_local (drop queries unless can be answered from local-data)
 	# refuse_non_local (like deny_non_local but polite error reply).
 	# access-control: 0.0.0.0/0 refuse
@@ -372,7 +373,7 @@ server:
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
 	# to A when possible.
-	# qname-minimisation: no
+	# qname-minimisation: yes
 
 	# QNAME minimisation in strict mode. Do not fall-back to sending full
 	# QNAME to potentially broken nameservers. A lot of domains will not be
@@ -681,8 +682,11 @@ server:
 	# Certificates used to authenticate connections made upstream.
 	# tls-cert-bundle: ""
 
+	# Add system certs to the cert bundle, from the Windows Cert Store
+	# tls-win-cert: no
+
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
-	# additional-tls-port: portno for each of the port numbers.
+	# tls-additional-ports: portno for each of the port numbers.
 
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
@@ -725,7 +729,7 @@ server:
 	# low-rtt: 45
 	# select low rtt this many times out of 1000. 0 means the fast server
 	# select is disabled.  prefetches are not sped up.
-	# low-rtt-pct: 0
+	# low-rtt-permil: 0
 
 	# Specific options for ipsecmod. unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.

contrib/unbound/doc/example.conf.in

@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.7.1.
+# See unbound.conf(5) man page, version 1.7.2.
 #
 # this is a comment.
 
@@ -223,7 +223,8 @@ server:
 	# to this server. Specify classless netblocks with /size and action.
 	# By default everything is refused, except for localhost.
 	# Choose deny (drop message), refuse (polite error reply),
-	# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+	# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
+	# allow_snoop (recursive and nonrecursive ok)
 	# deny_non_local (drop queries unless can be answered from local-data)
 	# refuse_non_local (like deny_non_local but polite error reply).
 	# access-control: 0.0.0.0/0 refuse
@@ -372,7 +373,7 @@ server:
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
 	# to A when possible.
-	# qname-minimisation: no
+	# qname-minimisation: yes
 
 	# QNAME minimisation in strict mode. Do not fall-back to sending full
 	# QNAME to potentially broken nameservers. A lot of domains will not be
@@ -681,8 +682,11 @@ server:
 	# Certificates used to authenticate connections made upstream.
 	# tls-cert-bundle: ""
 
+	# Add system certs to the cert bundle, from the Windows Cert Store
+	# tls-win-cert: no
+
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
-	# additional-tls-port: portno for each of the port numbers.
+	# tls-additional-ports: portno for each of the port numbers.
 
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
@@ -725,7 +729,7 @@ server:
 	# low-rtt: 45
 	# select low rtt this many times out of 1000. 0 means the fast server
 	# select is disabled.  prefetches are not sped up.
-	# low-rtt-pct: 0
+	# low-rtt-permil: 0
 
 	# Specific options for ipsecmod. unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.

contrib/unbound/doc/libunbound.3

@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "libunbound" "3" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -43,7 +43,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.7.1 functions.
+\- Unbound DNS validating resolver 1.7.2 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

contrib/unbound/doc/libunbound.3.in

@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "libunbound" "3" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -43,7 +43,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.7.1 functions.
+\- Unbound DNS validating resolver 1.7.2 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

contrib/unbound/doc/unbound-anchor.8

@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-anchor" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

contrib/unbound/doc/unbound-anchor.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-anchor" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

contrib/unbound/doc/unbound-checkconf.8

@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-checkconf" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
@@ -8,7 +8,7 @@
 .\"
 .\"
 .SH "NAME"
-unbound\-checkconf
+.B unbound\-checkconf
 \- Check unbound configuration file for errors.
 .SH "SYNOPSIS"
 .B unbound\-checkconf

contrib/unbound/doc/unbound-checkconf.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-checkconf" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"

contrib/unbound/doc/unbound-control.8

@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-control" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"

contrib/unbound/doc/unbound-control.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-control" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"

contrib/unbound/doc/unbound-host.1

@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound\-host" "1" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

contrib/unbound/doc/unbound-host.1.in

@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound\-host" "1" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

contrib/unbound/doc/unbound.8

@@ -1,4 +1,4 @@
-.TH "unbound" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.7.1.
+\- Unbound DNS validating resolver 1.7.2.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

contrib/unbound/doc/unbound.8.in

@@ -1,4 +1,4 @@
-.TH "unbound" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.7.1.
+\- Unbound DNS validating resolver 1.7.2.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

contrib/unbound/doc/unbound.conf.5

@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound.conf" "5" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -403,6 +403,8 @@ Enabled or disable whether the upstream queries use TLS only for transport.
 Default is no.  Useful in tunneling scenarios.  The TLS contains plain DNS in
 TCP wireformat.  The other server must support this (see
 \fBtls\-service\-key\fR).
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config
@@ -444,8 +446,14 @@ urls, and also DNS over TLS connections.
 .B ssl\-cert\-bundle: \fI<file>
 Alternate syntax for \fBtls\-cert\-bundle\fR.
 .TP
-.B additional\-tls\-port: \fI<portnr>
-List portnumbers as additional\-tls\-port, and when interfaces are defined,
+.B tls\-win\-cert: \fI<yes or no>
+Add the system certificates to the cert bundle certificates for authentication.
+If no cert bundle, it uses only these certificates.  Default is no.
+On windows this option uses the certificates from the cert store.  Use
+the tls\-cert\-bundle option on other systems.
+.TP
+.B tls\-additional\-ports: \fI<portnr>
+List portnumbers as tls\-additional\-ports, and when interfaces are defined,
 eg. with the @port suffix, as this port number, they provide dns over TLS
 service.  Can list multiple, each on a new statement.
 .TP
@@ -461,7 +469,8 @@ Default is yes.
 .B access\-control: \fI<IP netblock> <action>
 The netblock is given as an IP4 or IP6 address with /size appended for a
 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
-\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
+\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
+\fIrefuse_non_local\fR.
 The most specific netblock match is used, if none match \fIdeny\fR is used.
 .IP
 The action \fIdeny\fR stops queries from hosts from that netblock.
@@ -480,6 +489,15 @@ in the reply.  This supports normal operations where nonrecursive queries
 are made for the authoritative data.  For nonrecursive queries any replies
 from the dynamic cache are refused.
 .IP
+The \fIallow_setrd\fR action ignores the recursion desired (RD) bit and
+treats all requests as if the recursion desired bit is set.  Note that this
+behavior violates RFC 1034 which states that a name server should never perform
+recursive service unless asked via the RD bit since this interferes with
+trouble shooting of name servers and their databases. This prohibited behavior
+may be useful if another DNS server must forward requests for specific
+zones to a resolver DNS server, but only supports stub domains and
+sends queries to the resolver DNS server with the RD bit cleared.
+.IP
 The action \fIallow_snoop\fR gives nonrecursive access too.  This give
 both recursive and non recursive access.  The name \fIallow_snoop\fR refers
 to cache snooping, a technique to use nonrecursive queries to examine
@@ -691,7 +709,7 @@ infrastructure data.  Validates the replies if trust anchors are configured
 and the zones are signed.  This enforces DNSSEC validation on nameserver
 NS sets and the nameserver addresses that are encountered on the referral
 path to the answer.
-Default off, because it burdens the authority servers, and it is
+Default no, because it burdens the authority servers, and it is
 not RFC standard, and could lead to performance problems because of the
 extra query load that is generated.  Experimental option.
 If you enable it consider adding more numbers after the target\-fetch\-policy
@@ -722,7 +740,7 @@ Send minimum amount of information to upstream servers to enhance privacy.
 Only sent minimum required labels of the QNAME and set QTYPE to A when
 possible. Best effort approach; full QNAME and original QTYPE will be sent when
 upstream replies with a RCODE other than NOERROR, except when receiving
-NXDOMAIN from a DNSSEC signed zone. Default is off.
+NXDOMAIN from a DNSSEC signed zone. Default is yes.
 .TP
 .B qname\-minimisation\-strict: \fI<yes or no>
 QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
@@ -1315,10 +1333,10 @@ factor given.
 .TP 5
 .B low\-rtt: \fI<msec time>
 Set the time in millisecond that is considere a low ping time for fast
-server selection with the low\-rtt\-pct option, that turns this on or off.
+server selection with the low\-rtt\-permil option, that turns this on or off.
 The default is 45 msec, a number from IPv6 quick response documents.
 .TP 5
-.B low\-rtt\-pct: \fI<number>
+.B low\-rtt\-permil: \fI<number>
 Specify how many times out of 1000 to pick the fast server from the low
 rtt band.  0 turns the feature off.  A value of 900 would pick the fast
 server when such fast servers are available 90 percent of the time, and
@@ -1328,7 +1346,7 @@ sped up, because there is no one waiting for it, and it presents a good
 moment to perform server exploration.  The low\-rtt option can be used
 to specify which servers are picked for fast server selection, servers
 with a ping roundtrip time below that value are considered.
-The default for low\-rtt\-pct is 0.
+The default for low\-rtt\-permil is 0.
 .SS "Remote Control Options"
 In the
 .B remote\-control:
@@ -1429,7 +1447,7 @@ IP address of stub zone nameserver. Can be IP 4 or IP 6.
 To use a nondefault port for DNS communication append '@' with the port number.
 .TP
 .B stub\-prime: \fI<yes or no>
-This option is by default off.  If enabled it performs NS set priming,
+This option is by default no.  If enabled it performs NS set priming,
 which is similar to root hints, where it starts using the list of nameservers
 currently published by the zone.  Thus, if the hint list is slightly outdated,
 the resolver picks up a correct list online.
@@ -1490,6 +1508,8 @@ The default is no.
 .B forward\-tls\-upstream: \fI<yes or no>
 Enabled or disable whether the queries to this forwarder use TLS for transport.
 Default is no.
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B forward\-ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBforward\-tls\-upstream\fR.
@@ -1827,7 +1847,7 @@ If Unbound was built with
 on a system that has installed the hiredis C client library of Redis,
 then the "redis" backend can be used.
 This backend communicates with the specified Redis server over a TCP
-connection to store and retrive cache data.
+connection to store and retrieve cache data.
 It can be used as a persistent and/or shared cache backend.
 It should be noted that Unbound never removes data stored in the Redis server,
 even if some data have expired in terms of DNS TTL or the Redis server has

contrib/unbound/doc/unbound.conf.5.in

@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound.conf" "5" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -403,6 +403,8 @@ Enabled or disable whether the upstream queries use TLS only for transport.
 Default is no.  Useful in tunneling scenarios.  The TLS contains plain DNS in
 TCP wireformat.  The other server must support this (see
 \fBtls\-service\-key\fR).
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config
@@ -444,8 +446,14 @@ urls, and also DNS over TLS connections.
 .B ssl\-cert\-bundle: \fI<file>
 Alternate syntax for \fBtls\-cert\-bundle\fR.
 .TP
-.B additional\-tls\-port: \fI<portnr>
-List portnumbers as additional\-tls\-port, and when interfaces are defined,
+.B tls\-win\-cert: \fI<yes or no>
+Add the system certificates to the cert bundle certificates for authentication.
+If no cert bundle, it uses only these certificates.  Default is no.
+On windows this option uses the certificates from the cert store.  Use
+the tls\-cert\-bundle option on other systems.
+.TP
+.B tls\-additional\-ports: \fI<portnr>
+List portnumbers as tls\-additional\-ports, and when interfaces are defined,
 eg. with the @port suffix, as this port number, they provide dns over TLS
 service.  Can list multiple, each on a new statement.
 .TP
@@ -461,7 +469,8 @@ Default is yes.
 .B access\-control: \fI<IP netblock> <action>
 The netblock is given as an IP4 or IP6 address with /size appended for a
 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
-\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
+\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
+\fIrefuse_non_local\fR.
 The most specific netblock match is used, if none match \fIdeny\fR is used.
 .IP
 The action \fIdeny\fR stops queries from hosts from that netblock.
@@ -480,6 +489,15 @@ in the reply.  This supports normal operations where nonrecursive queries
 are made for the authoritative data.  For nonrecursive queries any replies
 from the dynamic cache are refused.
 .IP
+The \fIallow_setrd\fR action ignores the recursion desired (RD) bit and
+treats all requests as if the recursion desired bit is set.  Note that this
+behavior violates RFC 1034 which states that a name server should never perform
+recursive service unless asked via the RD bit since this interferes with
+trouble shooting of name servers and their databases. This prohibited behavior
+may be useful if another DNS server must forward requests for specific
+zones to a resolver DNS server, but only supports stub domains and
+sends queries to the resolver DNS server with the RD bit cleared.
+.IP
 The action \fIallow_snoop\fR gives nonrecursive access too.  This give
 both recursive and non recursive access.  The name \fIallow_snoop\fR refers
 to cache snooping, a technique to use nonrecursive queries to examine
@@ -691,7 +709,7 @@ infrastructure data.  Validates the replies if trust anchors are configured
 and the zones are signed.  This enforces DNSSEC validation on nameserver
 NS sets and the nameserver addresses that are encountered on the referral
 path to the answer.
-Default off, because it burdens the authority servers, and it is
+Default no, because it burdens the authority servers, and it is
 not RFC standard, and could lead to performance problems because of the
 extra query load that is generated.  Experimental option.
 If you enable it consider adding more numbers after the target\-fetch\-policy
@@ -722,7 +740,7 @@ Send minimum amount of information to upstream servers to enhance privacy.
 Only sent minimum required labels of the QNAME and set QTYPE to A when
 possible. Best effort approach; full QNAME and original QTYPE will be sent when
 upstream replies with a RCODE other than NOERROR, except when receiving
-NXDOMAIN from a DNSSEC signed zone. Default is off.
+NXDOMAIN from a DNSSEC signed zone. Default is yes.
 .TP
 .B qname\-minimisation\-strict: \fI<yes or no>
 QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
@@ -1315,10 +1333,10 @@ factor given.
 .TP 5
 .B low\-rtt: \fI<msec time>
 Set the time in millisecond that is considere a low ping time for fast
-server selection with the low\-rtt\-pct option, that turns this on or off.
+server selection with the low\-rtt\-permil option, that turns this on or off.
 The default is 45 msec, a number from IPv6 quick response documents.
 .TP 5
-.B low\-rtt\-pct: \fI<number>
+.B low\-rtt\-permil: \fI<number>
 Specify how many times out of 1000 to pick the fast server from the low
 rtt band.  0 turns the feature off.  A value of 900 would pick the fast
 server when such fast servers are available 90 percent of the time, and
@@ -1328,7 +1346,7 @@ sped up, because there is no one waiting for it, and it presents a good
 moment to perform server exploration.  The low\-rtt option can be used
 to specify which servers are picked for fast server selection, servers
 with a ping roundtrip time below that value are considered.
-The default for low\-rtt\-pct is 0.
+The default for low\-rtt\-permil is 0.
 .SS "Remote Control Options"
 In the
 .B remote\-control:
@@ -1429,7 +1447,7 @@ IP address of stub zone nameserver. Can be IP 4 or IP 6.
 To use a nondefault port for DNS communication append '@' with the port number.
 .TP
 .B stub\-prime: \fI<yes or no>
-This option is by default off.  If enabled it performs NS set priming,
+This option is by default no.  If enabled it performs NS set priming,
 which is similar to root hints, where it starts using the list of nameservers
 currently published by the zone.  Thus, if the hint list is slightly outdated,
 the resolver picks up a correct list online.
@@ -1490,6 +1508,8 @@ The default is no.
 .B forward\-tls\-upstream: \fI<yes or no>
 Enabled or disable whether the queries to this forwarder use TLS for transport.
 Default is no.
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B forward\-ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBforward\-tls\-upstream\fR.
@@ -1827,7 +1847,7 @@ If Unbound was built with
 on a system that has installed the hiredis C client library of Redis,
 then the "redis" backend can be used.
 This backend communicates with the specified Redis server over a TCP
-connection to store and retrive cache data.
+connection to store and retrieve cache data.
 It can be used as a persistent and/or shared cache backend.
 It should be noted that Unbound never removes data stored in the Redis server,
 even if some data have expired in terms of DNS TTL or the Redis server has

contrib/unbound/iterator/iter_utils.c

@@ -329,9 +329,9 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 			     return 0 to force the caller to fetch more */
 	}
 
-	if(env->cfg->low_rtt_pct != 0 && prefetch == 0 &&
+	if(env->cfg->low_rtt_permil != 0 && prefetch == 0 &&
 		low_rtt < env->cfg->low_rtt &&
-		ub_random_max(env->rnd, 1000) < env->cfg->low_rtt_pct) {
+		ub_random_max(env->rnd, 1000) < env->cfg->low_rtt_permil) {
 		/* the query is not prefetch, but for a downstream client,
 		 * there is a low_rtt (fast) server.  We choose that x% of the
 		 * time */

contrib/unbound/libunbound/context.c

@@ -130,7 +130,7 @@ find_id(struct ub_ctx* ctx, int* id)
 
 struct ctx_query* 
 context_new(struct ub_ctx* ctx, const char* name, int rrtype, int rrclass, 
-	ub_callback_type cb, void* cbarg)
+	ub_callback_type cb, ub_event_callback_type cb_event, void* cbarg)
 {
 	struct ctx_query* q = (struct ctx_query*)calloc(1, sizeof(*q));
 	if(!q) return NULL;
@@ -142,8 +142,9 @@ context_new(struct ub_ctx* ctx, const char* name, int rrtype, int rrclass,
 	}
 	lock_basic_unlock(&ctx->cfglock);
 	q->node.key = &q->querynum;
-	q->async = (cb != NULL);
+	q->async = (cb != NULL || cb_event != NULL);
 	q->cb = cb;
+	q->cb_event = cb_event;
 	q->cb_arg = cbarg;
 	q->res = (struct ub_result*)calloc(1, sizeof(*q->res));
 	if(!q->res) {

contrib/unbound/libunbound/context.h

@@ -45,6 +45,7 @@
 #include "util/rbtree.h"
 #include "services/modstack.h"
 #include "libunbound/unbound.h"
+#include "libunbound/unbound-event.h"
 #include "util/data/packed_rrset.h"
 struct libworker;
 struct tube;
@@ -148,8 +149,10 @@ struct ctx_query {
 	/** was this query cancelled (for bg worker) */
 	int cancelled;
 
-	/** for async query, the callback function */
+	/** for async query, the callback function of type ub_callback_type */
 	ub_callback_type cb;
+	/** for event callbacks the type is ub_event_callback_type */
+        ub_event_callback_type cb_event;
 	/** for async query, the callback user arg */
 	void* cb_arg;
 
@@ -238,11 +241,13 @@ void context_query_delete(struct ctx_query* q);
  * @param rrtype: type
  * @param rrclass: class
  * @param cb: callback for async, or NULL for sync.
+ * @param cb_event: event callback for async, or NULL for sync.
  * @param cbarg: user arg for async queries.
  * @return new ctx_query or NULL for malloc failure.
  */
 struct ctx_query* context_new(struct ub_ctx* ctx, const char* name, int rrtype,
-        int rrclass, ub_callback_type cb, void* cbarg);
+        int rrclass,  ub_callback_type cb, ub_event_callback_type cb_event,
+	void* cbarg);
 
 /**
  * Get a new alloc. Creates a new one or uses a cached one.

contrib/unbound/libunbound/libunbound.c

@@ -690,7 +690,7 @@ ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
 	}
 	/* create new ctx_query and attempt to add to the list */
 	lock_basic_unlock(&ctx->cfglock);
-	q = context_new(ctx, name, rrtype, rrclass, NULL, NULL);
+	q = context_new(ctx, name, rrtype, rrclass, NULL, NULL, NULL);
 	if(!q)
 		return UB_NOMEM;
 	/* become a resolver thread for a bit */
@@ -747,8 +747,7 @@ ub_resolve_event(struct ub_ctx* ctx, const char* name, int rrtype,
 	ub_comm_base_now(ctx->event_worker->base);
 
 	/* create new ctx_query and attempt to add to the list */
-	q = context_new(ctx, name, rrtype, rrclass, (ub_callback_type)callback,
-		mydata);
+	q = context_new(ctx, name, rrtype, rrclass, NULL, callback, mydata);
 	if(!q)
 		return UB_NOMEM;
 
@@ -793,7 +792,7 @@ ub_resolve_async(struct ub_ctx* ctx, const char* name, int rrtype,
 	}
 
 	/* create new ctx_query and attempt to add to the list */
-	q = context_new(ctx, name, rrtype, rrclass, callback, mydata);
+	q = context_new(ctx, name, rrtype, rrclass, callback, NULL, mydata);
 	if(!q)
 		return UB_NOMEM;
 

contrib/unbound/libunbound/libworker.c

@@ -158,9 +158,9 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 		hints_delete(w->env->hints);
 		w->env->hints = NULL;
 	}
-	if(cfg->ssl_upstream) {
+	if(cfg->ssl_upstream || (cfg->tls_cert_bundle && cfg->tls_cert_bundle[0]) || cfg->tls_win_cert) {
 		w->sslctx = connect_sslctx_create(NULL, NULL,
-			cfg->tls_cert_bundle);
+			cfg->tls_cert_bundle, cfg->tls_win_cert);
 		if(!w->sslctx) {
 			/* to make the setup fail after unlock */
 			hints_delete(w->env->hints);
@@ -637,7 +637,7 @@ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
 	enum sec_status s, char* why_bogus)
 {
 	struct ctx_query* q = (struct ctx_query*)arg;
-	ub_event_callback_type cb = (ub_event_callback_type)q->cb;
+	ub_event_callback_type cb = q->cb_event;
 	void* cb_arg = q->cb_arg;
 	int cancelled = q->cancelled;
 

contrib/unbound/services/authzone.c

@@ -3425,14 +3425,17 @@ xfr_process_notify(struct auth_xfer* xfr, struct module_env* env,
 {
 	/* if the serial of notify is older than we have, don't fetch
 	 * a zone, we already have it */
-	if(has_serial && !xfr_serial_means_update(xfr, serial))
+	if(has_serial && !xfr_serial_means_update(xfr, serial)) {
+		lock_basic_unlock(&xfr->lock);
 		return;
+	}
 	/* start new probe with this addr src, or note serial */
 	if(!xfr_start_probe(xfr, env, fromhost)) {
 		/* not started because already in progress, note the serial */
 		xfr_note_notify_serial(xfr, has_serial, serial);
 		lock_basic_unlock(&xfr->lock);
 	}
+	/* successful end of start_probe unlocked xfr->lock */
 }
 
 int auth_zones_notify(struct auth_zones* az, struct module_env* env,

contrib/unbound/services/listen_dnsport.c

@@ -1059,7 +1059,7 @@ set_recvpktinfo(int s, int family)
 /** see if interface is ssl, its port number == the ssl port number */
 static int
 if_is_ssl(const char* ifname, const char* port, int ssl_port,
-	struct config_strlist* additional_tls_port)
+	struct config_strlist* tls_additional_ports)
 {
 	struct config_strlist* s;
 	char* p = strchr(ifname, '@');
@@ -1067,7 +1067,7 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
 		return 1;
 	if(p && atoi(p+1) == ssl_port)
 		return 1;
-	for(s = additional_tls_port; s; s = s->next) {
+	for(s = tls_additional_ports; s; s = s->next) {
 		if(p && atoi(p+1) == atoi(s->str))
 			return 1;
 		if(!p && atoi(port) == atoi(s->str))
@@ -1089,7 +1089,7 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
  * @param rcv: receive buffer size for UDP
  * @param snd: send buffer size for UDP
  * @param ssl_port: ssl service port number
- * @param additional_tls_port: list of additional ssl service port numbers.
+ * @param tls_additional_ports: list of additional ssl service port numbers.
  * @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
  * 	set to false on exit if reuseport failed due to no kernel support.
  * @param transparent: set IP_TRANSPARENT socket option.
@@ -1103,7 +1103,7 @@ static int
 ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, 
 	struct addrinfo *hints, const char* port, struct listen_port** list,
 	size_t rcv, size_t snd, int ssl_port,
-	struct config_strlist* additional_tls_port, int* reuseport,
+	struct config_strlist* tls_additional_ports, int* reuseport,
 	int transparent, int tcp_mss, int freebind, int use_systemd,
 	int dnscrypt_port)
 {
@@ -1170,7 +1170,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 	}
 	if(do_tcp) {
 		int is_ssl = if_is_ssl(ifname, port, ssl_port,
-			additional_tls_port);
+			tls_additional_ports);
 		if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, 
 			&noip6, 0, 0, reuseport, transparent, tcp_mss,
 			freebind, use_systemd)) == -1) {
@@ -1356,7 +1356,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				do_auto, cfg->do_udp, do_tcp, 
 				&hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, cfg->additional_tls_port,
+				cfg->ssl_port, cfg->tls_additional_ports,
 				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
 				cfg->dnscrypt_port)) {
@@ -1370,7 +1370,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				do_auto, cfg->do_udp, do_tcp, 
 				&hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, cfg->additional_tls_port,
+				cfg->ssl_port, cfg->tls_additional_ports,
 				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
 				cfg->dnscrypt_port)) {
@@ -1386,7 +1386,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 			if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, 
 				do_tcp, &hints, portbuf, &list, 
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, cfg->additional_tls_port,
+				cfg->ssl_port, cfg->tls_additional_ports,
 				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
 				cfg->dnscrypt_port)) {
@@ -1400,7 +1400,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 			if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, 
 				do_tcp, &hints, portbuf, &list, 
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, cfg->additional_tls_port,
+				cfg->ssl_port, cfg->tls_additional_ports,
 				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
 				cfg->dnscrypt_port)) {

contrib/unbound/services/mesh.c

@@ -1173,6 +1173,10 @@ void mesh_query_done(struct mesh_state* mstate)
 	while((c = mstate->cb_list) != NULL) {
 		/* take this cb off the list; so that the list can be
 		 * changed, eg. by adds from the callback routine */
+		if(!mstate->reply_list && mstate->cb_list && !c->next) {
+			/* was a reply state, not anymore */
+			mstate->s.env->mesh->num_reply_states--;
+		}
 		mstate->cb_list = c->next;
 		if(!mstate->reply_list && !mstate->cb_list &&
 			mstate->super_set.count == 0)

contrib/unbound/services/outside_network.c

@@ -1301,8 +1301,8 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
 	w->ssl_upstream = sq->ssl_upstream;
 	w->tls_auth_name = sq->tls_auth_name;
 #ifndef S_SPLINT_S
-	tv.tv_sec = timeout;
-	tv.tv_usec = 0;
+	tv.tv_sec = timeout/1000;
+	tv.tv_usec = (timeout%1000)*1000;
 #endif
 	comm_timer_set(w->timer, &tv);
 	if(pend) {
@@ -1812,7 +1812,12 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
 	}
 	if(sq->tcp_upstream || sq->ssl_upstream) {
 	    struct timeval now = *sq->outnet->now_tv;
-	    if(now.tv_sec > sq->last_sent_time.tv_sec ||
+	    if(error!=NETEVENT_NOERROR) {
+	        if(!infra_rtt_update(sq->outnet->infra, &sq->addr,
+		    sq->addrlen, sq->zone, sq->zonelen, sq->qtype,
+		    -1, sq->last_rtt, (time_t)now.tv_sec))
+		    log_err("out of memory in TCP exponential backoff.");
+	    } else if(now.tv_sec > sq->last_sent_time.tv_sec ||
 		(now.tv_sec == sq->last_sent_time.tv_sec &&
 		now.tv_usec > sq->last_sent_time.tv_usec)) {
 		/* convert from microseconds to milliseconds */
@@ -1822,7 +1827,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
 		log_assert(roundtime >= 0);
 		/* only store if less then AUTH_TIMEOUT seconds, it could be
 		 * huge due to system-hibernated and we woke up */
-		if(roundtime < TCP_AUTH_QUERY_TIMEOUT*1000) {
+		if(roundtime < 60000) {
 		    if(!infra_rtt_update(sq->outnet->infra, &sq->addr,
 			sq->addrlen, sq->zone, sq->zonelen, sq->qtype,
 			roundtime, sq->last_rtt, (time_t)now.tv_sec))
@@ -1863,18 +1868,26 @@ serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff)
 static int
 serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff)
 {
-	int vs, rtt;
+	int vs, rtt, timeout;
 	uint8_t edns_lame_known;
 	if(!infra_host(sq->outnet->infra, &sq->addr, sq->addrlen, sq->zone,
 		sq->zonelen, *sq->outnet->now_secs, &vs, &edns_lame_known,
 		&rtt))
 		return 0;
+	sq->last_rtt = rtt;
 	if(vs != -1)
 		sq->status = serviced_query_TCP_EDNS;
 	else 	sq->status = serviced_query_TCP;
 	serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS);
 	sq->last_sent_time = *sq->outnet->now_tv;
-	sq->pending = pending_tcp_query(sq, buff, TCP_AUTH_QUERY_TIMEOUT,
+	if(sq->tcp_upstream || sq->ssl_upstream) {
+		timeout = rtt;
+		if(rtt >= 376 && rtt < TCP_AUTH_QUERY_TIMEOUT)
+			timeout = TCP_AUTH_QUERY_TIMEOUT;
+	} else {
+		timeout = TCP_AUTH_QUERY_TIMEOUT;
+	}
+	sq->pending = pending_tcp_query(sq, buff, timeout,
 		serviced_tcp_callback, sq);
 	return sq->pending != NULL;
 }

contrib/unbound/services/outside_network.h

@@ -376,7 +376,7 @@ struct serviced_query {
 	int retry;
 	/** time last UDP was sent */
 	struct timeval last_sent_time;
-	/** rtt of last (UDP) message */
+	/** rtt of last message */
 	int last_rtt;
 	/** do we know edns probe status already, for UDP_EDNS queries */
 	int edns_lame_known;
@@ -456,7 +456,7 @@ struct pending* pending_udp_query(struct serviced_query* sq,
  * checks id.
  * @param sq: serviced query.
  * @param packet: wireformat query to send to destination. copied from.
- * @param timeout: in seconds from now.
+ * @param timeout: in milliseconds from now.
  *    Timer starts running now. Timer may expire if all buffers are used,
  *    without any query been sent to the server yet.
  * @param callback: function to call on error, timeout or reply.

contrib/unbound/smallapp/unbound-host.c

@@ -66,6 +66,14 @@
 /* nss3 */
 #include "nss.h"
 #endif
+#ifdef HAVE_SSL
+#ifdef HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+#endif /* HAVE_SSL */
 
 /** verbosity for unbound-host app */
 static int verb = 0;
@@ -487,6 +495,26 @@ int main(int argc, char* argv[])
 	if(argc != 1)
 		usage();
 
+#ifdef HAVE_SSL
+#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
+	ERR_load_crypto_strings();
+#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
+	ERR_load_SSL_strings();
+#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
+	OpenSSL_add_all_algorithms();
+#else
+	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
+		| OPENSSL_INIT_ADD_ALL_DIGESTS
+		| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
+	(void)SSL_library_init();
+#else
+	(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
+#endif
+#endif /* HAVE_SSL */
 #ifdef HAVE_NSS
         if(NSS_NoDB_Init(".") != SECSuccess) {
 		fprintf(stderr, "could not init NSS\n");

contrib/unbound/util/alloc.c

@@ -126,10 +126,40 @@ alloc_init(struct alloc_cache* alloc, struct alloc_cache* super,
 	}
 }
 
+/** free the special list */
+static void
+alloc_clear_special_list(struct alloc_cache* alloc)
+{
+	alloc_special_type* p, *np;
+	/* free */
+	p = alloc->quar;
+	while(p) {
+		np = alloc_special_next(p);
+		/* deinit special type */
+		lock_rw_destroy(&p->entry.lock);
+		free(p);
+		p = np;
+	}
+}
+
+void
+alloc_clear_special(struct alloc_cache* alloc)
+{
+	if(!alloc->super) {
+		lock_quick_lock(&alloc->lock);
+	}
+	alloc_clear_special_list(alloc);
+	alloc->quar = 0;
+	alloc->num_quar = 0;
+	if(!alloc->super) {
+		lock_quick_unlock(&alloc->lock);
+	}
+}
+
 void 
 alloc_clear(struct alloc_cache* alloc)
 {
-	alloc_special_type* p, *np;
+	alloc_special_type* p;
 	struct regional* r, *nr;
 	if(!alloc)
 		return;
@@ -147,15 +177,7 @@ alloc_clear(struct alloc_cache* alloc)
 		alloc->super->num_quar += alloc->num_quar;
 		lock_quick_unlock(&alloc->super->lock);
 	} else {
-		/* free */
-		p = alloc->quar;
-		while(p) {
-			np = alloc_special_next(p);
-			/* deinit special type */
-			lock_rw_destroy(&p->entry.lock);
-			free(p);
-			p = np;
-		}
+		alloc_clear_special_list(alloc);
 	}
 	alloc->quar = 0;
 	alloc->num_quar = 0;

contrib/unbound/util/alloc.h

@@ -115,6 +115,14 @@ void alloc_init(struct alloc_cache* alloc, struct alloc_cache* super,
  */
 void alloc_clear(struct alloc_cache* alloc);
 
+/**
+ * Free the special alloced items.  The rrset and message caches must be
+ * empty, there must be no more references to rrset pointers into the
+ * rrset cache.
+ * @param alloc: the special allocs are freed.
+ */
+void alloc_clear_special(struct alloc_cache* alloc);
+
 /**
  * Get a new special_type element.
  * @param alloc: where to alloc it.

contrib/unbound/util/config_file.c

@@ -109,6 +109,7 @@ config_create(void)
 	cfg->ssl_port = UNBOUND_DNS_OVER_TLS_PORT;
 	cfg->ssl_upstream = 0;
 	cfg->tls_cert_bundle = NULL;
+	cfg->tls_win_cert = 0;
 	cfg->use_syslog = 1;
 	cfg->log_identity = NULL; /* changed later with argv[0] */
 	cfg->log_time_ascii = 0;
@@ -161,7 +162,7 @@ config_create(void)
 	if(!(cfg->logfile = strdup(""))) goto error_exit;
 	if(!(cfg->pidfile = strdup(PIDFILE))) goto error_exit;
 	if(!(cfg->target_fetch_policy = strdup("3 2 1 0 0"))) goto error_exit;
-	cfg->low_rtt_pct = 0;
+	cfg->low_rtt_permil = 0;
 	cfg->low_rtt = 45;
 	cfg->donotqueryaddrs = NULL;
 	cfg->donotquery_localhost = 1;
@@ -280,7 +281,7 @@ config_create(void)
 	cfg->ratelimit_below_domain = NULL;
 	cfg->ip_ratelimit_factor = 10;
 	cfg->ratelimit_factor = 10;
-	cfg->qname_minimisation = 0;
+	cfg->qname_minimisation = 1;
 	cfg->qname_minimisation_strict = 0;
 	cfg->shm_enable = 0;
 	cfg->shm_key = 11777;
@@ -455,7 +456,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STR("ssl-service-pem:", ssl_service_pem)
 	else S_NUMBER_NONZERO("ssl-port:", ssl_port)
 	else S_STR("tls-cert-bundle:", tls_cert_bundle)
-	else S_STRLIST("additional-tls-port:", additional_tls_port)
+	else S_YNO("tls-win-cert:", tls_win_cert)
+	else S_STRLIST("additional-tls-port:", tls_additional_ports)
+	else S_STRLIST("tls-additional-ports:", tls_additional_ports)
 	else S_YNO("interface-automatic:", if_automatic)
 	else S_YNO("use-systemd:", use_systemd)
 	else S_YNO("do-daemonize:", do_daemonize)
@@ -618,7 +621,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor)
 	else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
 	else S_NUMBER_OR_ZERO("low-rtt:", low_rtt)
-	else S_NUMBER_OR_ZERO("low-rtt-pct:", low_rtt_pct)
+	else S_NUMBER_OR_ZERO("low-rtt-pct:", low_rtt_permil)
+	else S_NUMBER_OR_ZERO("low-rtt-permil:", low_rtt_permil)
 	else S_YNO("qname-minimisation:", qname_minimisation)
 	else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
 #ifdef USE_IPSECMOD
@@ -874,7 +878,8 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_STR(opt, "ssl-service-pem", ssl_service_pem)
 	else O_DEC(opt, "ssl-port", ssl_port)
 	else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
-	else O_LST(opt, "additional-tls-port", additional_tls_port)
+	else O_YNO(opt, "tls-win-cert", tls_win_cert)
+	else O_LST(opt, "tls-additional-ports", tls_additional_ports)
 	else O_YNO(opt, "use-systemd", use_systemd)
 	else O_YNO(opt, "do-daemonize", do_daemonize)
 	else O_STR(opt, "chroot", chrootdir)
@@ -1001,7 +1006,8 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_DEC(opt, "ip-ratelimit-factor", ip_ratelimit_factor)
 	else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
 	else O_DEC(opt, "low-rtt", low_rtt)
-	else O_DEC(opt, "low-rtt-pct", low_rtt_pct)
+	else O_DEC(opt, "low-rtt-pct", low_rtt_permil)
+	else O_DEC(opt, "low-rtt-permil", low_rtt_permil)
 	else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
 	else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
 	else O_YNO(opt, "qname-minimisation", qname_minimisation)
@@ -1297,7 +1303,7 @@ config_delete(struct config_file* cfg)
 	free(cfg->ssl_service_key);
 	free(cfg->ssl_service_pem);
 	free(cfg->tls_cert_bundle);
-	config_delstrlist(cfg->additional_tls_port);
+	config_delstrlist(cfg->tls_additional_ports);
 	free(cfg->log_identity);
 	config_del_strarray(cfg->ifs, cfg->num_ifs);
 	config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);

contrib/unbound/util/config_file.h

@@ -102,8 +102,10 @@ struct config_file {
 	int ssl_upstream;
 	/** cert bundle for outgoing connections */
 	char* tls_cert_bundle;
+	/** should the system certificate store get added to the cert bundle */
+	int tls_win_cert;
 	/** additional tls ports */
-	struct config_strlist* additional_tls_port;
+	struct config_strlist* tls_additional_ports;
 
 	/** outgoing port range number of ports (per thread) */
 	int outgoing_num_ports;
@@ -144,7 +146,7 @@ struct config_file {
 	/** the target fetch policy for the iterator */
 	char* target_fetch_policy;
 	/** percent*10, how many times in 1000 to pick low rtt destinations */
-	int low_rtt_pct;
+	int low_rtt_permil;
 	/** what time in msec is a low rtt destination */
 	int low_rtt;
 

contrib/unbound/util/configlexer.lex

@@ -239,8 +239,10 @@ ssl-port{COLON}			{ YDVAR(1, VAR_SSL_PORT) }
 tls-port{COLON}			{ YDVAR(1, VAR_SSL_PORT) }
 ssl-cert-bundle{COLON}		{ YDVAR(1, VAR_TLS_CERT_BUNDLE) }
 tls-cert-bundle{COLON}		{ YDVAR(1, VAR_TLS_CERT_BUNDLE) }
-additional-ssl-port{COLON}	{ YDVAR(1, VAR_ADDITIONAL_TLS_PORT) }
-additional-tls-port{COLON}	{ YDVAR(1, VAR_ADDITIONAL_TLS_PORT) }
+tls-win-cert{COLON}		{ YDVAR(1, VAR_TLS_WIN_CERT) }
+additional-ssl-port{COLON}	{ YDVAR(1, VAR_TLS_ADDITIONAL_PORTS) }
+additional-tls-port{COLON}	{ YDVAR(1, VAR_TLS_ADDITIONAL_PORTS) }
+tls-additional-ports{COLON}	{ YDVAR(1, VAR_TLS_ADDITIONAL_PORTS) }
 use-systemd{COLON}		{ YDVAR(1, VAR_USE_SYSTEMD) }
 do-daemonize{COLON}		{ YDVAR(1, VAR_DO_DAEMONIZE) }
 interface{COLON}		{ YDVAR(1, VAR_INTERFACE) }
@@ -429,7 +431,8 @@ ratelimit-below-domain{COLON}	{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
 ip-ratelimit-factor{COLON}		{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
 ratelimit-factor{COLON}		{ YDVAR(1, VAR_RATELIMIT_FACTOR) }
 low-rtt{COLON}			{ YDVAR(1, VAR_LOW_RTT) }
-low-rtt-pct{COLON}		{ YDVAR(1, VAR_LOW_RTT_PCT) }
+low-rtt-pct{COLON}		{ YDVAR(1, VAR_LOW_RTT_PERMIL) }
+low-rtt-permil{COLON}		{ YDVAR(1, VAR_LOW_RTT_PERMIL) }
 response-ip-tag{COLON}		{ YDVAR(2, VAR_RESPONSE_IP_TAG) }
 response-ip{COLON}		{ YDVAR(2, VAR_RESPONSE_IP) }
 response-ip-data{COLON}		{ YDVAR(2, VAR_RESPONSE_IP_DATA) }

contrib/unbound/util/configparser.y

@@ -156,8 +156,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_CACHEDB_REDISHOST VAR_CACHEDB_REDISPORT VAR_CACHEDB_REDISTIMEOUT
 %token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
 %token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
-%token VAR_FALLBACK_ENABLED VAR_ADDITIONAL_TLS_PORT VAR_LOW_RTT VAR_LOW_RTT_PCT
-%token VAR_ALLOW_NOTIFY
+%token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORTS VAR_LOW_RTT VAR_LOW_RTT_PERMIL
+%token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -248,8 +248,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl |
 	server_ipsecmod_whitelist | server_ipsecmod_strict |
 	server_udp_upstream_without_downstream | server_aggressive_nsec |
-	server_tls_cert_bundle | server_additional_tls_port | server_low_rtt |
-	server_low_rtt_pct
+	server_tls_cert_bundle | server_tls_additional_ports | server_low_rtt |
+	server_low_rtt_permil | server_tls_win_cert
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -688,10 +688,19 @@ server_tls_cert_bundle: VAR_TLS_CERT_BUNDLE STRING_ARG
 		cfg_parser->cfg->tls_cert_bundle = $2;
 	}
 	;
-server_additional_tls_port: VAR_ADDITIONAL_TLS_PORT STRING_ARG
+server_tls_win_cert: VAR_TLS_WIN_CERT STRING_ARG
 	{
-		OUTYY(("P(server_additional_tls_port:%s)\n", $2));
-		if(!cfg_strlist_insert(&cfg_parser->cfg->additional_tls_port,
+		OUTYY(("P(server_tls_win_cert:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->tls_win_cert = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
+server_tls_additional_ports: VAR_TLS_ADDITIONAL_PORTS STRING_ARG
+	{
+		OUTYY(("P(server_tls_additional_ports:%s)\n", $2));
+		if(!cfg_strlist_insert(&cfg_parser->cfg->tls_additional_ports,
 			$2))
 			yyerror("out of memory");
 	}
@@ -1305,11 +1314,12 @@ server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG
 		if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
 			strcmp($3, "deny_non_local")!=0 &&
 			strcmp($3, "refuse_non_local")!=0 &&
+			strcmp($3, "allow_setrd")!=0 && 
 			strcmp($3, "allow")!=0 && 
 			strcmp($3, "allow_snoop")!=0) {
 			yyerror("expected deny, refuse, deny_non_local, "
-				"refuse_non_local, allow or allow_snoop "
-				"in access control action");
+				"refuse_non_local, allow, allow_setrd or "
+				"allow_snoop in access control action");
 		} else {
 			if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
 				fatal_exit("out of memory adding acl");
@@ -1885,12 +1895,12 @@ server_low_rtt: VAR_LOW_RTT STRING_ARG
 		free($2);
 	}
 	;
-server_low_rtt_pct: VAR_LOW_RTT_PCT STRING_ARG 
+server_low_rtt_permil: VAR_LOW_RTT_PERMIL STRING_ARG 
 	{ 
-		OUTYY(("P(server_low_rtt_pct:%s)\n", $2)); 
+		OUTYY(("P(server_low_rtt_permil:%s)\n", $2)); 
 		if(atoi($2) == 0 && strcmp($2, "0") != 0)
 			yyerror("number expected");
-		else cfg_parser->cfg->low_rtt_pct = atoi($2);
+		else cfg_parser->cfg->low_rtt_permil = atoi($2);
 		free($2);
 	}
 	;

contrib/unbound/util/net_help.c

@@ -52,6 +52,9 @@
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
 #endif
+#ifdef USE_WINSOCK
+#include <wincrypt.h>
+#endif
 
 /** max length of an IP address (the address portion) that we allow */
 #define MAX_ADDR_STRLEN 128 /* characters */
@@ -796,7 +799,97 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 #endif
 }
 
-void* connect_sslctx_create(char* key, char* pem, char* verifypem)
+#ifdef USE_WINSOCK
+/* For windows, the CA trust store is not read by openssl.
+   Add code to open the trust store using wincrypt API and add
+   the root certs into openssl trust store */
+static int
+add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
+{
+	HCERTSTORE      hSystemStore;
+	PCCERT_CONTEXT  pTargetCert = NULL;
+	X509_STORE*	store;
+
+	verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store");
+
+	/* load just once per context lifetime for this version
+	   TODO: dynamically update CA trust changes as they are available */
+	if (!tls_ctx)
+		return 0;
+
+	/* Call wincrypt's CertOpenStore to open the CA root store. */
+
+	if ((hSystemStore = CertOpenStore(
+		CERT_STORE_PROV_SYSTEM,
+		0,
+		0,
+		/* NOTE: mingw does not have this const: replace with 1 << 16 from code 
+		   CERT_SYSTEM_STORE_CURRENT_USER, */
+		1 << 16,
+		L"root")) == 0)
+	{
+		return 0;
+	}
+
+	store = SSL_CTX_get_cert_store(tls_ctx);
+	if (!store)
+		return 0;
+
+	/* failure if the CA store is empty or the call fails */
+	if ((pTargetCert = CertEnumCertificatesInStore(
+		hSystemStore, pTargetCert)) == 0) {
+		verbose(VERB_ALGO, "CA certificate store for Windows is empty.");
+		return 0;
+	}
+	/* iterate over the windows cert store and add to openssl store */
+	do
+	{
+		X509 *cert1 = d2i_X509(NULL,
+			(const unsigned char **)&pTargetCert->pbCertEncoded,
+			pTargetCert->cbCertEncoded);
+		if (!cert1) {
+			/* return error if a cert fails */
+			verbose(VERB_ALGO, "%s %d:%s",
+				"Unable to parse certificate in memory",
+				(int)ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
+			return 0;
+		}
+		else {
+			/* return error if a cert add to store fails */
+			if (X509_STORE_add_cert(store, cert1) == 0) {
+				unsigned long error = ERR_peek_last_error();
+
+				/* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
+				* certificate is already in the store.  */
+				if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
+				   ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+					verbose(VERB_ALGO, "%s %d:%s\n",
+					    "Error adding certificate", (int)ERR_get_error(),
+					     ERR_error_string(ERR_get_error(), NULL));
+					X509_free(cert1);
+					return 0;
+				}
+			}
+			X509_free(cert1);
+		}
+	} while ((pTargetCert = CertEnumCertificatesInStore(
+		hSystemStore, pTargetCert)) != 0);
+
+	/* Clean up memory and quit. */
+	if (pTargetCert)
+		CertFreeCertificateContext(pTargetCert);
+	if (hSystemStore)
+	{
+		if (!CertCloseStore(
+			hSystemStore, 0))
+			return 0;
+	}
+	verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully");
+	return 1;
+}
+#endif /* USE_WINSOCK */
+
+void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
 {
 #ifdef HAVE_SSL
 	SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
@@ -836,17 +929,30 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
 			return NULL;
 		}
 	}
-	if(verifypem && verifypem[0]) {
-		if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
-			log_crypto_err("error in SSL_CTX verify");
-			SSL_CTX_free(ctx);
-			return NULL;
+	if((verifypem && verifypem[0]) || wincert) {
+		if(verifypem && verifypem[0]) {
+			if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
+				log_crypto_err("error in SSL_CTX verify");
+				SSL_CTX_free(ctx);
+				return NULL;
+			}
 		}
+#ifdef USE_WINSOCK
+		if(wincert) {
+			if(!add_WIN_cacerts_to_openssl_store(ctx)) {
+				log_crypto_err("error in add_WIN_cacerts_to_openssl_store");
+				SSL_CTX_free(ctx);
+				return NULL;
+			}
+		}
+#else
+		(void)wincert;
+#endif
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
 	}
 	return ctx;
 #else
-	(void)key; (void)pem; (void)verifypem;
+	(void)key; (void)pem; (void)verifypem; (void)wincert;
 	return NULL;
 #endif
 }

contrib/unbound/util/net_help.h

@@ -73,10 +73,10 @@ struct regional;
 /** set RCODE bits in uint16 flags */
 #define FLAGS_SET_RCODE(f, r) (f = (((f) & 0xfff0) | (r)))
 
-/** timeout in seconds for UDP queries to auth servers. */
-#define UDP_AUTH_QUERY_TIMEOUT 4
-/** timeout in seconds for TCP queries to auth servers. */
-#define TCP_AUTH_QUERY_TIMEOUT 30
+/** timeout in milliseconds for UDP queries to auth servers. */
+#define UDP_AUTH_QUERY_TIMEOUT 3000
+/** timeout in milliseconds for TCP queries to auth servers. */
+#define TCP_AUTH_QUERY_TIMEOUT 3000
 /** Advertised version of EDNS capabilities */
 #define EDNS_ADVERTISED_VERSION         0
 /** Advertised size of EDNS capabilities */
@@ -395,9 +395,11 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem);
  * @param key: if nonNULL (also pem nonNULL), the client private key.
  * @param pem: client public key (or NULL if key is NULL).
  * @param verifypem: if nonNULL used for verifylocation file.
+ * @param wincert: add system certificate store to ctx (add to verifypem ca
+ * 	certs).
  * @return SSL_CTX* or NULL on failure (logged).
  */
-void* connect_sslctx_create(char* key, char* pem, char* verifypem);
+void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert);
 
 /**
  * accept a new fd and wrap it in a BIO in SSL

contrib/unbound/util/netevent.c

@@ -764,7 +764,12 @@ int comm_point_perform_accept(struct comm_point* c,
 {
 	int new_fd;
 	*addrlen = (socklen_t)sizeof(*addr);
+#ifndef HAVE_ACCEPT4
 	new_fd = accept(c->fd, (struct sockaddr*)addr, addrlen);
+#else
+	/* SOCK_NONBLOCK saves extra calls to fcntl for the same result */
+	new_fd = accept4(c->fd, (struct sockaddr*)addr, addrlen, SOCK_NONBLOCK);
+#endif
 	if(new_fd == -1) {
 #ifndef USE_WINSOCK
 		/* EINTR is signal interrupt. others are closed connection. */
@@ -827,7 +832,9 @@ int comm_point_perform_accept(struct comm_point* c,
 #endif
 		return -1;
 	}
+#ifndef HAVE_ACCEPT4
 	fd_set_nonblock(new_fd);
+#endif
 	return new_fd;
 }
 
@@ -835,20 +842,21 @@ int comm_point_perform_accept(struct comm_point* c,
 static long win_bio_cb(BIO *b, int oper, const char* ATTR_UNUSED(argp),
         int ATTR_UNUSED(argi), long argl, long retvalue)
 {
+	int wsa_err = WSAGetLastError(); /* store errcode before it is gone */
 	verbose(VERB_ALGO, "bio_cb %d, %s %s %s", oper,
 		(oper&BIO_CB_RETURN)?"return":"before",
 		(oper&BIO_CB_READ)?"read":((oper&BIO_CB_WRITE)?"write":"other"),
-		WSAGetLastError()==WSAEWOULDBLOCK?"wsawb":"");
+		wsa_err==WSAEWOULDBLOCK?"wsawb":"");
 	/* on windows, check if previous operation caused EWOULDBLOCK */
 	if( (oper == (BIO_CB_READ|BIO_CB_RETURN) && argl == 0) ||
 		(oper == (BIO_CB_GETS|BIO_CB_RETURN) && argl == 0)) {
-		if(WSAGetLastError() == WSAEWOULDBLOCK)
+		if(wsa_err == WSAEWOULDBLOCK)
 			ub_winsock_tcp_wouldblock((struct ub_event*)
 				BIO_get_callback_arg(b), UB_EV_READ);
 	}
 	if( (oper == (BIO_CB_WRITE|BIO_CB_RETURN) && argl == 0) ||
 		(oper == (BIO_CB_PUTS|BIO_CB_RETURN) && argl == 0)) {
-		if(WSAGetLastError() == WSAEWOULDBLOCK)
+		if(wsa_err == WSAEWOULDBLOCK)
 			ub_winsock_tcp_wouldblock((struct ub_event*)
 				BIO_get_callback_arg(b), UB_EV_WRITE);
 	}
@@ -1128,6 +1136,7 @@ ssl_handle_read(struct comm_point* c)
 			if(want == SSL_ERROR_ZERO_RETURN) {
 				return 0; /* shutdown, closed */
 			} else if(want == SSL_ERROR_WANT_READ) {
+				ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
 				return 1; /* read more later */
 			} else if(want == SSL_ERROR_WANT_WRITE) {
 				c->ssl_shake_state = comm_ssl_shake_hs_write;
@@ -1143,7 +1152,7 @@ ssl_handle_read(struct comm_point* c)
 			return 0;
 		}
 		c->tcp_byte_count += r;
-		if(c->tcp_byte_count != sizeof(uint16_t))
+		if(c->tcp_byte_count < sizeof(uint16_t))
 			return 1;
 		if(sldns_buffer_read_u16_at(c->buffer, 0) >
 			sldns_buffer_capacity(c->buffer)) {
@@ -1156,33 +1165,36 @@ ssl_handle_read(struct comm_point* c)
 			verbose(VERB_QUERY, "ssl: dropped bogus too short.");
 			return 0;
 		}
+		sldns_buffer_skip(c->buffer, (ssize_t)(c->tcp_byte_count-sizeof(uint16_t)));
 		verbose(VERB_ALGO, "Reading ssl tcp query of length %d",
 			(int)sldns_buffer_limit(c->buffer));
 	}
-	log_assert(sldns_buffer_remaining(c->buffer) > 0);
-	ERR_clear_error();
-	r = SSL_read(c->ssl, (void*)sldns_buffer_current(c->buffer),
-		(int)sldns_buffer_remaining(c->buffer));
-	if(r <= 0) {
-		int want = SSL_get_error(c->ssl, r);
-		if(want == SSL_ERROR_ZERO_RETURN) {
-			return 0; /* shutdown, closed */
-		} else if(want == SSL_ERROR_WANT_READ) {
-			return 1; /* read more later */
-		} else if(want == SSL_ERROR_WANT_WRITE) {
-			c->ssl_shake_state = comm_ssl_shake_hs_write;
-			comm_point_listen_for_rw(c, 0, 1);
-			return 1;
-		} else if(want == SSL_ERROR_SYSCALL) {
-			if(errno != 0)
-				log_err("SSL_read syscall: %s",
-					strerror(errno));
+	if(sldns_buffer_remaining(c->buffer) > 0) {
+		ERR_clear_error();
+		r = SSL_read(c->ssl, (void*)sldns_buffer_current(c->buffer),
+			(int)sldns_buffer_remaining(c->buffer));
+		if(r <= 0) {
+			int want = SSL_get_error(c->ssl, r);
+			if(want == SSL_ERROR_ZERO_RETURN) {
+				return 0; /* shutdown, closed */
+			} else if(want == SSL_ERROR_WANT_READ) {
+				ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
+				return 1; /* read more later */
+			} else if(want == SSL_ERROR_WANT_WRITE) {
+				c->ssl_shake_state = comm_ssl_shake_hs_write;
+				comm_point_listen_for_rw(c, 0, 1);
+				return 1;
+			} else if(want == SSL_ERROR_SYSCALL) {
+				if(errno != 0)
+					log_err("SSL_read syscall: %s",
+						strerror(errno));
+				return 0;
+			}
+			log_crypto_err("could not SSL_read");
 			return 0;
 		}
-		log_crypto_err("could not SSL_read");
-		return 0;
+		sldns_buffer_skip(c->buffer, (ssize_t)r);
 	}
-	sldns_buffer_skip(c->buffer, (ssize_t)r);
 	if(sldns_buffer_remaining(c->buffer) <= 0) {
 		tcp_callback_reader(c);
 	}
@@ -1237,6 +1249,7 @@ ssl_handle_write(struct comm_point* c)
 				comm_point_listen_for_rw(c, 1, 0);
 				return 1; /* wait for read condition */
 			} else if(want == SSL_ERROR_WANT_WRITE) {
+				ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
 				return 1; /* write more later */
 			} else if(want == SSL_ERROR_SYSCALL) {
 				if(errno != 0)
@@ -1270,6 +1283,7 @@ ssl_handle_write(struct comm_point* c)
 			comm_point_listen_for_rw(c, 1, 0);
 			return 1; /* wait for read condition */
 		} else if(want == SSL_ERROR_WANT_WRITE) {
+			ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
 			return 1; /* write more later */
 		} else if(want == SSL_ERROR_SYSCALL) {
 			if(errno != 0)
@@ -2887,12 +2901,18 @@ comm_point_close(struct comm_point* c)
 {
 	if(!c)
 		return;
-	if(c->fd != -1)
+	if(c->fd != -1) {
 		if(ub_event_del(c->ev->ev) != 0) {
 			log_err("could not event_del on close");
 		}
+	}
 	/* close fd after removing from event lists, or epoll.. is messed up */
 	if(c->fd != -1 && !c->do_not_close) {
+		if(c->type == comm_tcp || c->type == comm_http) {
+			/* delete sticky events for the fd, it gets closed */
+			ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
+			ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
+		}
 		verbose(VERB_ALGO, "close fd %d", c->fd);
 #ifndef USE_WINSOCK
 		close(c->fd);

lib/libunbound/Makefile

@@ -22,12 +22,12 @@ SRCS=	alloc.c as112.c authzone.c autotrust.c cachedb.c config_file.c \
 	listen_dnsport.c localzone.c locks.c log.c lookup3.c lruhash.c \
 	mesh.c mini_event.c modstack.c module.c msgencode.c msgparse.c \
 	msgreply.c net_help.c netevent.c outbound_list.c outside_network.c \
-	packed_rrset.c parse.c parseutil.c random.c rbtree.c regional.c \
-	respip.c rrdef.c rrset.c rtt.c sbuffer.c slabhash.c str2wire.c \
-	timehist.c tube.c ub_event_pluggable.c val_anchor.c val_kcache.c \
-	val_kentry.c val_neg.c val_nsec.c val_nsec3.c val_secalgo.c \
-	val_sigcrypt.c val_utils.c validator.c view.c winsock_event.c \
-	wire2str.c
+	packed_rrset.c parse.c parseutil.c random.c rbtree.c redis.c \
+	regional.c respip.c rrdef.c rrset.c rtt.c sbuffer.c slabhash.c \
+	str2wire.c timehist.c tube.c ub_event_pluggable.c val_anchor.c \
+	val_kcache.c val_kentry.c val_neg.c val_nsec.c val_nsec3.c \
+	val_secalgo.c val_sigcrypt.c val_utils.c validator.c view.c \
+	winsock_event.c wire2str.c
 
 WARNS?=	3
 NO_WTHREAD_SAFETY= true