From 697291b66c481c617cf9875497e2189bc4a4b096 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= <des@FreeBSD.org>
Date: Fri, 5 Apr 2013 09:06:26 +0000
Subject: [PATCH] Import unbound 1.4.20

---
 Makefile.in                                   |  115 +-
 aclocal.m4                                    |  294 +++--
 acx_python.m4                                 |    7 +-
 config.guess                                  |  261 ++--
 config.h.in                                   |   11 +
 config.sub                                    |  213 ++--
 configure                                     |  610 ++++++----
 configure.ac                                  |   88 +-
 contrib/README                                |    4 +
 contrib/patch_rsamd5_enable.diff              |   22 +
 contrib/unbound.spec                          |    2 +-
 contrib/unbound_munin_                        |   10 +-
 contrib/unbound_unixsock.diff                 |  305 +++++
 daemon/cachedump.c                            |    2 -
 daemon/daemon.c                               |   53 +-
 daemon/remote.c                               |   74 +-
 daemon/remote.h                               |    6 +
 daemon/unbound.c                              |   17 +-
 daemon/worker.c                               |   13 +-
 doc/Changelog                                 |  268 +++++
 doc/FEATURES                                  |    2 +
 doc/README                                    |    2 +-
 doc/example.conf.in                           |    4 +-
 doc/libunbound.3.in                           |    9 +-
 doc/unbound-anchor.8.in                       |   12 +-
 doc/unbound-checkconf.8.in                    |    2 +-
 doc/unbound-control.8.in                      |   10 +-
 doc/unbound-host.1                            |    2 +-
 doc/unbound.8.in                              |    4 +-
 doc/unbound.conf.5.in                         |   12 +-
 doc/unbound.doxygen                           |    6 +-
 install-sh                                    |   35 +-
 iterator/iter_fwd.c                           |   42 +-
 iterator/iter_hints.c                         |   63 +-
 iterator/iter_utils.c                         |    7 +-
 iterator/iter_utils.h                         |    8 +-
 iterator/iterator.c                           |   69 +-
 libunbound/libworker.c                        |   41 +-
 libunbound/unbound.h                          |    6 +
 ltmain.sh                                     |   95 +-
 pythonmod/doc/examples/example0-1.py          |    3 -
 pythonmod/pythonmod.c                         |    1 +
 services/cache/infra.c                        |    5 +
 services/listen_dnsport.c                     |   31 +-
 services/localzone.c                          |    4 +-
 services/mesh.c                               |   22 +-
 services/outside_network.c                    |   37 +-
 services/outside_network.h                    |    9 +-
 smallapp/unbound-anchor.c                     |  165 ++-
 smallapp/unbound-control.c                    |   26 +-
 smallapp/unbound-host.c                       |   10 +
 testcode/fake_event.c                         |    3 +-
 testcode/ldns-testpkts.c                      |   43 +-
 testcode/ldns-testpkts.h                      |    8 +-
 testcode/replay.c                             |    4 +-
 testcode/testbound.c                          |    2 +-
 testcode/unitmain.c                           |   32 +-
 testcode/unitverify.c                         |   18 +-
 testdata/09-unbound-control.tpkg              |  Bin 6961 -> 7043 bytes
 testdata/10-unbound-anchor.tpkg               |  Bin 12318 -> 13085 bytes
 testdata/common.sh                            |    2 +-
 testdata/fwd_zero.tpkg                        |  Bin 1479 -> 1529 bytes
 testdata/iter_ds_locate_ns_detach.rpl         |  296 +++++
 testdata/nss_compile.tpkg                     |  Bin 0 -> 1049 bytes
 testdata/val_cnametocnamewctoposwc.rpl        |  208 ++++
 testdata/val_cnametonodata_nonsec.rpl         |  262 ++++
 testdata/val_ds_cnamesub.rpl                  |  275 +++++
 testdata/val_nsec3_cnametocnamewctoposwc.rpl  |  206 ++++
 testdata/val_nsec3_entnodata_optout.rpl       |  200 +++
 .../val_nsec3_entnodata_optout_badopt.rpl     |  196 +++
 testdata/val_nsec3_entnodata_optout_match.rpl |  200 +++
 util/alloc.h                                  |    5 +-
 util/config_file.c                            |  113 +-
 util/configlexer.c                            |  413 ++++---
 util/configlexer.lex                          |   52 +-
 util/configparser.c                           |  552 ++++-----
 util/configparser.h                           |   36 +-
 util/data/msgparse.c                          |    5 +-
 util/iana_ports.inc                           |   40 +-
 util/log.c                                    |    9 +
 util/net_help.c                               |   84 ++
 util/net_help.h                               |   11 +
 util/netevent.c                               |   28 +-
 util/random.c                                 |   84 +-
 util/rtt.c                                    |    1 -
 util/storage/lookup3.c                        |   14 +
 util/tube.c                                   |    1 +
 validator/autotrust.c                         |   20 +-
 validator/val_anchor.c                        |    4 +-
 validator/val_neg.c                           |    7 +-
 validator/val_nsec3.c                         |   51 +-
 validator/val_secalgo.c                       | 1070 +++++++++++++++++
 validator/val_secalgo.h                       |   83 ++
 validator/val_sigcrypt.c                      |  485 +-------
 validator/val_utils.c                         |    1 -
 validator/validator.c                         |   10 +-
 validator/validator.h                         |    4 +-
 winrc/setup.nsi                               |    2 +-
 winrc/win_svc.c                               |    3 +
 99 files changed, 6333 insertions(+), 1929 deletions(-)
 create mode 100644 contrib/patch_rsamd5_enable.diff
 create mode 100644 contrib/unbound_unixsock.diff
 create mode 100644 testdata/iter_ds_locate_ns_detach.rpl
 create mode 100644 testdata/nss_compile.tpkg
 create mode 100644 testdata/val_cnametocnamewctoposwc.rpl
 create mode 100644 testdata/val_cnametonodata_nonsec.rpl
 create mode 100644 testdata/val_ds_cnamesub.rpl
 create mode 100644 testdata/val_nsec3_cnametocnamewctoposwc.rpl
 create mode 100644 testdata/val_nsec3_entnodata_optout.rpl
 create mode 100644 testdata/val_nsec3_entnodata_optout_badopt.rpl
 create mode 100644 testdata/val_nsec3_entnodata_optout_match.rpl
 create mode 100644 validator/val_secalgo.c
 create mode 100644 validator/val_secalgo.h

diff --git a/Makefile.in b/Makefile.in
index af9fba806563..0064341462c0 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -30,6 +30,7 @@ PYTHONMOD_INSTALL=@PYTHONMOD_INSTALL@
 PYTHONMOD_UNINSTALL=@PYTHONMOD_UNINSTALL@
 PYUNBOUND_INSTALL=@PYUNBOUND_INSTALL@
 PYUNBOUND_UNINSTALL=@PYUNBOUND_UNINSTALL@
+ALLTARGET=@ALLTARGET@
 
 # _unbound.la if pyunbound enabled.
 PYUNBOUND_TARGET=@PYUNBOUND_TARGET@
@@ -99,7 +100,8 @@ util/storage/lruhash.c util/storage/slabhash.c util/timehist.c util/tube.c \
 util/winsock_event.c validator/autotrust.c validator/val_anchor.c \
 validator/validator.c validator/val_kcache.c validator/val_kentry.c \
 validator/val_neg.c validator/val_nsec3.c validator/val_nsec.c \
-validator/val_sigcrypt.c validator/val_utils.c $(CHECKLOCK_SRC)
+validator/val_secalgo.c validator/val_sigcrypt.c \
+validator/val_utils.c $(CHECKLOCK_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
 msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@@ -109,7 +111,7 @@ fptr_wlist.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
 random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
-val_sigcrypt.lo val_utils.lo $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ)
+val_secalgo.lo val_sigcrypt.lo val_utils.lo $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ)
 COMMON_OBJ=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
 outside_network.lo
 # set to $COMMON_OBJ or to "" if --enableallsymbols
@@ -227,9 +229,11 @@ COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS)
 LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
 LINK_LIB=$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(staticexe) -version-info @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined
 
-.PHONY:	clean realclean doc lint all install uninstall tests test strip lib longtest longcheck check
+.PHONY:	clean realclean doc lint all install uninstall tests test strip lib longtest longcheck check alltargets
 
-all:	$(COMMON_OBJ) unbound$(EXEEXT) unbound-checkconf$(EXEEXT) lib unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup $(WINAPPS) $(PYUNBOUND_TARGET)
+all:	$(COMMON_OBJ) $(ALLTARGET)
+
+alltargets:	unbound$(EXEEXT) unbound-checkconf$(EXEEXT) lib unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup $(WINAPPS) $(PYUNBOUND_TARGET)
 
 # compat with BSD make, register suffix, and an implicit rule to actualise it.
 .SUFFIXES: .lo
@@ -358,7 +362,7 @@ pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
 	$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h \
 	$(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 
-pythonmod/interface.h:	$(srcdir)/pythonmod/interface.i $(srcdir)/config.h
+pythonmod/interface.h:	$(srcdir)/pythonmod/interface.i config.h
 	@-if test ! -d pythonmod; then $(INSTALL) -d pythonmod; fi
 	$(SWIG) $(CPPFLAGS) -o $@ -python $(srcdir)/pythonmod/interface.i
 
@@ -389,12 +393,14 @@ clean:
 	rm -f *.o *.d *.lo *~ tags
 	rm -f unbound$(EXEEXT) unbound-checkconf$(EXEEXT) unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup libunbound.la
 	rm -f $(ALL_SRC:.c=.lint)
+	rm -f _unbound.la libunbound/python/libunbound_wrap.c libunbound/python/unbound.py pythonmod/interface.h pythonmod/unboundmodule.py
 	rm -rf autom4te.cache .libs build doc/html doc/xml
 
 realclean: clean
 	rm -f config.status config.log config.h.in config.h
 	rm -f configure config.sub config.guess ltmain.sh aclocal.m4 libtool
 	rm -f util/configlexer.c util/configparser.c util/configparser.h
+	rm -f doc/example.conf doc/libunbound.3 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound-control.8 doc/unbound.8 doc/unbound.conf.5
 	rm -f $(TEST_BIN)
 	rm -f Makefile 
 
@@ -439,7 +445,7 @@ pythonmod-install:
 
 pyunbound-install:
 	$(INSTALL) -m 755 -d $(DESTDIR)$(PYTHON_SITE_PKG)
-	$(INSTALL) -c -m 644 libunbound/python/unbound.py $(DESTDIR)$(PYTHON_SITE_PKG)/unbound.py
+	$(INSTALL) -c -m 644 $(srcdir)/libunbound/python/unbound.py $(DESTDIR)$(PYTHON_SITE_PKG)/unbound.py
 	$(LIBTOOL) --mode=install cp _unbound.la $(DESTDIR)$(PYTHON_SITE_PKG)
 	$(LIBTOOL) --mode=finish $(DESTDIR)$(PYTHON_SITE_PKG)
 
@@ -464,6 +470,16 @@ install:	all $(PYTHONMOD_INSTALL) $(PYUNBOUND_INSTALL)
 	$(INSTALL) -c -m 644 doc/unbound.conf.5 $(DESTDIR)$(mandir)/man5
 	$(INSTALL) -c -m 644 $(srcdir)/doc/unbound-host.1 $(DESTDIR)$(mandir)/man1
 	$(INSTALL) -c -m 644 doc/libunbound.3 $(DESTDIR)$(mandir)/man3
+	for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete \
+		ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd \
+		ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file \
+		ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async \
+		ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel \
+		ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add \
+		ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove; \
+	do \
+		echo ".so man3/libunbound.3" > $(DESTDIR)$(mandir)/man3/$$mpage.3 ; \
+	done
 	$(INSTALL) -c -m 755 unbound-control-setup $(DESTDIR)$(sbindir)/unbound-control-setup
 	if test ! -e $(DESTDIR)$(configfile); then $(INSTALL) -d `dirname $(DESTDIR)$(configfile)`; $(INSTALL) -c -m 644 doc/example.conf $(DESTDIR)$(configfile); fi
 	$(LIBTOOL) --mode=install cp $(srcdir)/libunbound/unbound.h $(DESTDIR)$(includedir)/unbound.h
@@ -481,6 +497,16 @@ uninstall:	$(PYTHONMOD_UNINSTALL) $(PYUNBOUND_UNINSTALL)
 	rm -f -- $(DESTDIR)$(sbindir)/unbound$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-checkconf$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-host$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-control$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-anchor$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-control-setup
 	rm -f -- $(DESTDIR)$(mandir)/man8/unbound.8 $(DESTDIR)$(mandir)/man8/unbound-checkconf.8 $(DESTDIR)$(mandir)/man5/unbound.conf.5 $(DESTDIR)$(mandir)/man8/unbound-control.8 $(DESTDIR)$(mandir)/man8/unbound-anchor.8
 	rm -f -- $(DESTDIR)$(mandir)/man1/unbound-host.1 $(DESTDIR)$(mandir)/man3/libunbound.3
+	for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete \
+		ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd \
+		ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file \
+		ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async \
+		ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel \
+		ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add \
+		ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove; \
+	do \
+		rm -f -- $(DESTDIR)$(mandir)/man3/$$mpage.3 ; \
+	done
 	rm -f -- $(DESTDIR)$(includedir)/unbound.h
 	$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/libunbound.la
 	@echo
@@ -562,9 +588,8 @@ msgencode.lo msgencode.o: $(srcdir)/util/data/msgencode.c config.h \
  $(srcdir)/util/regional.h $(srcdir)/util/net_help.h
 msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h \
  $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lookup3.h \
- $(srcdir)/util/regional.h
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h
 msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h \
  $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
@@ -669,7 +694,7 @@ modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/service
  $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
- $(srcdir)/validator/val_utils.h $(PYTHONMOD_HEADER)
+ $(srcdir)/validator/val_utils.h
 outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h \
@@ -710,8 +735,8 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/tube.h \
  $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
- $(srcdir)/util/rbtree.h $(srcdir)/daemon/worker.h $(srcdir)/util/alloc.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/util/alloc.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/daemon/remote.h \
  $(srcdir)/services/outside_network.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
@@ -719,19 +744,12 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \
  $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/util/config_file.h $(PYTHONMOD_HEADER)
+ $(srcdir)/util/config_file.h
 locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  
 log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/locks.h
-mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
+mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h
 module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h \
@@ -744,7 +762,7 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h \
  $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/services/modstack.h \
- $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ 
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h \
  $(srcdir)/util/net_help.h \
  $(srcdir)/util/log.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
@@ -762,8 +780,7 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h \
  $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/regional.h
-rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/util/log.h \
- 
+rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h
 dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h \
@@ -848,12 +865,16 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h \
  $(srcdir)/validator/val_utils.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
+val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h \
+ $(srcdir)/validator/val_secalgo.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ 
 val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
  $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
+ $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
  
 val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@@ -863,7 +884,7 @@ val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/val
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \
  $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
 checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/checklocks.h
 unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h \
@@ -904,11 +925,11 @@ unitverify.lo unitverify.o: $(srcdir)/testcode/unitverify.c config.h $(srcdir)/u
  $(srcdir)/testcode/unitmain.h \
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h \
- $(srcdir)/validator/val_nsec.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/validator/val_utils.h \
- $(srcdir)/testcode/ldns-testpkts.h \
+ $(srcdir)/validator/val_secalgo.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/testcode/ldns-testpkts.h \
  $(srcdir)/util/data/dname.h \
  $(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h
 readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/readhex.h \
@@ -924,13 +945,12 @@ cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
  $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/util/netevent.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/util/storage/dnstree.h
+ $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h \
+ $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h
 daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
  $(srcdir)/daemon/daemon.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h $(srcdir)/daemon/worker.h \
@@ -940,7 +960,7 @@ daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h \
  $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
  $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h
+ $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h
 remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
  $(srcdir)/daemon/remote.h \
  $(srcdir)/daemon/worker.h $(srcdir)/util/netevent.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h \
@@ -971,8 +991,7 @@ unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/net_help.h \
- $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/util/net_help.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h \
  $(srcdir)/util/log.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/util/netevent.h \
@@ -995,8 +1014,7 @@ testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/test
  $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h
 ldns-testpkts.lo ldns-testpkts.o: $(srcdir)/testcode/ldns-testpkts.c config.h \
  $(srcdir)/testcode/ldns-testpkts.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h \
@@ -1027,7 +1045,7 @@ daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h \
  $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
  $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h
+ $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h
 stats.lo stats.o: $(srcdir)/daemon/stats.c config.h \
  $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/daemon/worker.h $(srcdir)/util/netevent.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@@ -1085,7 +1103,7 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
  $(srcdir)/util/regional.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/services/localzone.h $(PYTHONMOD_HEADER)
+ $(srcdir)/services/localzone.h
 worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/util/log.h \
  $(srcdir)/services/mesh.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h \
@@ -1160,8 +1178,7 @@ pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c conf
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/netevent.h \
  $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
- 
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h
 win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
  $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/alloc.h \
diff --git a/aclocal.m4 b/aclocal.m4
index de630d85b48f..4e52c6520628 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,7 +1,7 @@
-# generated automatically by aclocal 1.11.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.12.2 -*- Autoconf -*-
+
+# Copyright (C) 1996-2012 Free Software Foundation, Inc.
 
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2007, 2008, 2009  Free Software Foundation, Inc.
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,8 +14,8 @@
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010 Free Software Foundation,
-#                 Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 # This file is free software; the Free Software Foundation gives
@@ -24,8 +24,8 @@
 
 m4_define([_LT_COPYING], [dnl
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010 Free Software Foundation,
-#                 Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 #   This file is part of GNU Libtool.
@@ -159,6 +159,8 @@ AC_REQUIRE([AC_CANONICAL_BUILD])dnl
 AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl
 AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
 
+_LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl
+dnl
 _LT_DECL([], [host_alias], [0], [The host system])dnl
 _LT_DECL([], [host], [0])dnl
 _LT_DECL([], [host_os], [0])dnl
@@ -644,7 +646,7 @@ m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
 m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
 configured by $[0], generated by m4_PACKAGE_STRING.
 
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2011 Free Software Foundation, Inc.
 This config.lt script is free software; the Free Software Foundation
 gives unlimited permision to copy, distribute and modify it."
 
@@ -808,6 +810,7 @@ AC_DEFUN([LT_LANG],
 m4_case([$1],
   [C],			[_LT_LANG(C)],
   [C++],		[_LT_LANG(CXX)],
+  [Go],			[_LT_LANG(GO)],
   [Java],		[_LT_LANG(GCJ)],
   [Fortran 77],		[_LT_LANG(F77)],
   [Fortran],		[_LT_LANG(FC)],
@@ -829,6 +832,29 @@ m4_defun([_LT_LANG],
 ])# _LT_LANG
 
 
+m4_ifndef([AC_PROG_GO], [
+# NOTE: This macro has been submitted for inclusion into   #
+#  GNU Autoconf as AC_PROG_GO.  When it is available in    #
+#  a released version of Autoconf we should remove this    #
+#  macro and use it instead.                               #
+m4_defun([AC_PROG_GO],
+[AC_LANG_PUSH(Go)dnl
+AC_ARG_VAR([GOC],     [Go compiler command])dnl
+AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl
+_AC_ARG_VAR_LDFLAGS()dnl
+AC_CHECK_TOOL(GOC, gccgo)
+if test -z "$GOC"; then
+  if test -n "$ac_tool_prefix"; then
+    AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo])
+  fi
+fi
+if test -z "$GOC"; then
+  AC_CHECK_PROG(GOC, gccgo, gccgo, false)
+fi
+])#m4_defun
+])#m4_ifndef
+
+
 # _LT_LANG_DEFAULT_CONFIG
 # -----------------------
 m4_defun([_LT_LANG_DEFAULT_CONFIG],
@@ -859,6 +885,10 @@ AC_PROVIDE_IFELSE([AC_PROG_GCJ],
        m4_ifdef([LT_PROG_GCJ],
 	[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
 
+AC_PROVIDE_IFELSE([AC_PROG_GO],
+  [LT_LANG(GO)],
+  [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])])
+
 AC_PROVIDE_IFELSE([LT_PROG_RC],
   [LT_LANG(RC)],
   [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
@@ -961,7 +991,13 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
 	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
         _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	# If there is a non-empty error log, and "single_module"
+	# appears in it, assume the flag caused a linker warning
+        if test -s conftest.err && $GREP single_module conftest.err; then
+	  cat conftest.err >&AS_MESSAGE_LOG_FD
+	# Otherwise, if the output was created with a 0 exit code from
+	# the compiler, it worked.
+	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
 	  lt_cv_apple_cc_single_mod=yes
 	else
 	  cat conftest.err >&AS_MESSAGE_LOG_FD
@@ -969,6 +1005,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	rm -rf libconftest.dylib*
 	rm -f conftest.*
       fi])
+
     AC_CACHE_CHECK([for -exported_symbols_list linker flag],
       [lt_cv_ld_exported_symbols_list],
       [lt_cv_ld_exported_symbols_list=no
@@ -980,6 +1017,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	[lt_cv_ld_exported_symbols_list=no])
 	LDFLAGS="$save_LDFLAGS"
     ])
+
     AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load],
       [lt_cv_ld_force_load=no
       cat > conftest.c << _LT_EOF
@@ -997,7 +1035,9 @@ _LT_EOF
       echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD
       $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
       _lt_result=$?
-      if test -f conftest && test ! -s conftest.err && test $_lt_result = 0 && $GREP forced_load conftest 2>&1 >/dev/null; then
+      if test -s conftest.err && $GREP force_load conftest.err; then
+	cat conftest.err >&AS_MESSAGE_LOG_FD
+      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
 	lt_cv_ld_force_load=yes
       else
 	cat conftest.err >&AS_MESSAGE_LOG_FD
@@ -1042,8 +1082,8 @@ _LT_EOF
 ])
 
 
-# _LT_DARWIN_LINKER_FEATURES
-# --------------------------
+# _LT_DARWIN_LINKER_FEATURES([TAG])
+# ---------------------------------
 # Checks for linker and compiler features on darwin
 m4_defun([_LT_DARWIN_LINKER_FEATURES],
 [
@@ -1054,6 +1094,8 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
   _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
   if test "$lt_cv_ld_force_load" = "yes"; then
     _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+    m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes],
+                  [FC],  [_LT_TAGVAR(compiler_needs_object, $1)=yes])
   else
     _LT_TAGVAR(whole_archive_flag_spec, $1)=''
   fi
@@ -1337,14 +1379,27 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
-sparc*-*solaris*)
+*-*solaris*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
     case `/usr/bin/file conftest.o` in
     *64-bit*)
       case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      yes*)
+        case $host in
+        i?86-*-solaris*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        sparc*-*-solaris*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+        esac
+        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
+        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+          LD="${LD-ld}_sol2"
+        fi
+        ;;
       *)
 	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
@@ -1421,13 +1476,13 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
     ;;
   *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
     ;;
   esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
 fi
 
 case $host_os in
@@ -1607,6 +1662,11 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     lt_cv_sys_max_cmd_len=196608
     ;;
 
+  os2*)
+    # The test takes a long time on OS/2.
+    lt_cv_sys_max_cmd_len=8192
+    ;;
+
   osf*)
     # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
     # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@@ -1646,7 +1706,7 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
       # If test is not a shell built-in, we'll probably end up computing a
       # maximum length that is only half of the actual maximum length, but
       # we can't tell.
-      while { test "X"`func_fallback_echo "$teststring$teststring" 2>/dev/null` \
+      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
 	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
       do
@@ -2192,7 +2252,7 @@ need_version=unknown
 
 case $host_os in
 aix3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
   shlibpath_var=LIBPATH
 
@@ -2201,7 +2261,7 @@ aix3*)
   ;;
 
 aix[[4-9]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   hardcode_into_libs=yes
@@ -2266,7 +2326,7 @@ beos*)
   ;;
 
 bsdi[[45]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -2405,7 +2465,7 @@ m4_if([$1], [],[
   ;;
 
 dgux*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@@ -2413,10 +2473,6 @@ dgux*)
   shlibpath_var=LD_LIBRARY_PATH
   ;;
 
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -2424,7 +2480,7 @@ freebsd* | dragonfly*)
     objformat=`/usr/bin/objformat`
   else
     case $host_os in
-    freebsd[[123]]*) objformat=aout ;;
+    freebsd[[23]].*) objformat=aout ;;
     *) objformat=elf ;;
     esac
   fi
@@ -2442,7 +2498,7 @@ freebsd* | dragonfly*)
   esac
   shlibpath_var=LD_LIBRARY_PATH
   case $host_os in
-  freebsd2*)
+  freebsd2.*)
     shlibpath_overrides_runpath=yes
     ;;
   freebsd3.[[01]]* | freebsdelf3.[[01]]*)
@@ -2462,17 +2518,18 @@ freebsd* | dragonfly*)
   ;;
 
 gnu*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
   hardcode_into_libs=yes
   ;;
 
 haiku*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   dynamic_linker="$host_os runtime_loader"
@@ -2533,7 +2590,7 @@ hpux9* | hpux10* | hpux11*)
   ;;
 
 interix[[3-9]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@@ -2549,7 +2606,7 @@ irix5* | irix6* | nonstopux*)
     nonstopux*) version_type=nonstopux ;;
     *)
 	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
+		version_type=linux # correct to gnu/linux during the next big refactor
 	else
 		version_type=irix
 	fi ;;
@@ -2586,9 +2643,9 @@ linux*oldld* | linux*aout* | linux*coff*)
   dynamic_linker=no
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2655,7 +2712,7 @@ netbsd*)
   ;;
 
 newsos6)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=yes
@@ -2724,7 +2781,7 @@ rdos*)
   ;;
 
 solaris*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2749,7 +2806,7 @@ sunos4*)
   ;;
 
 sysv4 | sysv4.3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -2773,7 +2830,7 @@ sysv4 | sysv4.3*)
 
 sysv4*MP*)
   if test -d /usr/nec ;then
-    version_type=linux
+    version_type=linux # correct to gnu/linux during the next big refactor
     library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
     soname_spec='$libname${shared_ext}.$major'
     shlibpath_var=LD_LIBRARY_PATH
@@ -2804,7 +2861,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 
 tpf*)
   # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2814,7 +2871,7 @@ tpf*)
   ;;
 
 uts4*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -3236,7 +3293,7 @@ irix5* | irix6* | nonstopux*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -3656,6 +3713,7 @@ for ac_symprfx in "" "_"; do
     # which start with @ or ?.
     lt_cv_sys_global_symbol_pipe="$AWK ['"\
 "     {last_section=section; section=\$ 3};"\
+"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
 "     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
 "     \$ 0!~/External *\|/{next};"\
 "     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@@ -4240,7 +4298,9 @@ m4_if([$1], [CXX], [
     case $cc_basename in
     nvcc*) # Cuda Compiler Driver 2.2
       _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker '
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-Xcompiler -fPIC'
+      if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
+        _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)"
+      fi
       ;;
     esac
   else
@@ -4332,18 +4392,33 @@ m4_if([$1], [CXX], [
 	;;
       *)
 	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ F* | *Sun*Fortran*)
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*)
 	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
 	  ;;
+	*Sun\ F* | *Sun*Fortran*)
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	  ;;
 	*Sun\ C*)
 	  # Sun C 5.9
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	  ;;
+        *Intel*\ [[CF]]*Compiler*)
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	  ;;
+	*Portland\ Group*)
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  ;;
 	esac
 	;;
       esac
@@ -4503,7 +4578,9 @@ m4_if([$1], [CXX], [
     ;;
   cygwin* | mingw* | cegcc*)
     case $cc_basename in
-    cl*) ;;
+    cl*)
+      _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+      ;;
     *)
       _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
       _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
@@ -4528,7 +4605,6 @@ m4_if([$1], [CXX], [
   _LT_TAGVAR(hardcode_direct, $1)=no
   _LT_TAGVAR(hardcode_direct_absolute, $1)=no
   _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
   _LT_TAGVAR(hardcode_libdir_separator, $1)=
   _LT_TAGVAR(hardcode_minus_L, $1)=no
   _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@@ -4779,8 +4855,7 @@ _LT_EOF
 	xlf* | bgf* | bgxlf* | mpixlf*)
 	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
 	  _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-	  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
 	  if test "x$supports_anon_versioning" = xyes; then
 	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
@@ -5075,6 +5150,7 @@ _LT_EOF
 	# The linker will not automatically build a static lib if we build a DLL.
 	# _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
 	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	_LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
 	_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
 	# Don't use ranlib
 	_LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
@@ -5121,10 +5197,6 @@ _LT_EOF
       _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
       ;;
 
-    freebsd1*)
-      _LT_TAGVAR(ld_shlibs, $1)=no
-      ;;
-
     # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
     # support.  Future versions do this automatically, but an explicit c++rt0.o
     # does not break anything, and helps significantly (at the cost of a little
@@ -5137,7 +5209,7 @@ _LT_EOF
       ;;
 
     # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
+    freebsd2.*)
       _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       _LT_TAGVAR(hardcode_direct, $1)=yes
       _LT_TAGVAR(hardcode_minus_L, $1)=yes
@@ -5176,7 +5248,6 @@ _LT_EOF
       fi
       if test "$with_gnu_ld" = no; then
 	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
 	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
 	_LT_TAGVAR(hardcode_direct, $1)=yes
 	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
@@ -5618,9 +5689,6 @@ _LT_TAGDECL([], [no_undefined_flag], [1],
 _LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
     [Flag to hardcode $libdir into a binary during linking.
     This must work even if $libdir does not exist])
-_LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1],
-    [[If ld is used when linking, flag to hardcode $libdir into a binary
-    during linking.  This must work even if $libdir does not exist]])
 _LT_TAGDECL([], [hardcode_libdir_separator], [1],
     [Whether we need a single "-rpath" flag with a separated argument])
 _LT_TAGDECL([], [hardcode_direct], [0],
@@ -5774,7 +5842,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@@ -6144,7 +6211,7 @@ if test "$_lt_caught_CXX_error" != yes; then
         esac
         ;;
 
-      freebsd[[12]]*)
+      freebsd2.*)
         # C++ shared libraries reported to be fairly broken before
 	# switch to ELF
         _LT_TAGVAR(ld_shlibs, $1)=no
@@ -6905,12 +6972,18 @@ public class foo {
   }
 };
 _LT_EOF
+], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF
+package foo
+func foo() {
+}
+_LT_EOF
 ])
 
 _lt_libdeps_save_CFLAGS=$CFLAGS
 case "$CC $CFLAGS " in #(
 *\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;;
 *\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;;
+*\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;;
 esac
 
 dnl Parse the compiler output and extract the necessary
@@ -7107,7 +7180,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_automatic, $1)=no
@@ -7240,7 +7312,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_automatic, $1)=no
@@ -7423,6 +7494,73 @@ CFLAGS=$lt_save_CFLAGS
 ])# _LT_LANG_GCJ_CONFIG
 
 
+# _LT_LANG_GO_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for the GNU Go compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_GO_CONFIG],
+[AC_REQUIRE([LT_PROG_GO])dnl
+AC_LANG_SAVE
+
+# Source file extension for Go test sources.
+ac_ext=go
+
+# Object file extension for compiled Go test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="package main; func main() { }"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='package main; func main() { }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
+lt_save_GCC=$GCC
+GCC=yes
+CC=${GOC-"gccgo"}
+CFLAGS=$GOFLAGS
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_TAGVAR(LD, $1)="$LD"
+_LT_CC_BASENAME([$compiler])
+
+# Go did not exist at the time GCC didn't implicitly link libc in.
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
+
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
+
+  _LT_CONFIG($1)
+fi
+
+AC_LANG_RESTORE
+
+GCC=$lt_save_GCC
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
+])# _LT_LANG_GO_CONFIG
+
+
 # _LT_LANG_RC_CONFIG([TAG])
 # -------------------------
 # Ensure that the configuration variables for the Windows resource compiler
@@ -7492,6 +7630,13 @@ dnl aclocal-1.4 backwards compatibility:
 dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
 
 
+# LT_PROG_GO
+# ----------
+AC_DEFUN([LT_PROG_GO],
+[AC_CHECK_TOOL(GOC, gccgo,)
+])
+
+
 # LT_PROG_RC
 # ----------
 AC_DEFUN([LT_PROG_RC],
@@ -8156,9 +8301,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
 # MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
 m4_define([_LT_WITH_PIC],
 [AC_ARG_WITH([pic],
-    [AS_HELP_STRING([--with-pic],
+    [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
 	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
-    [pic_mode="$withval"],
+    [lt_p=${PACKAGE-default}
+    case $withval in
+    yes|no) pic_mode=$withval ;;
+    *)
+      pic_mode=default
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for lt_pkg in $withval; do
+	IFS="$lt_save_ifs"
+	if test "X$lt_pkg" = "X$lt_p"; then
+	  pic_mode=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
     [pic_mode=default])
 
 test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
@@ -8330,15 +8490,15 @@ m4_define([lt_dict_filter],
 
 # @configure_input@
 
-# serial 3293 ltversion.m4
+# serial 3337 ltversion.m4
 # This file is part of GNU Libtool
 
-m4_define([LT_PACKAGE_VERSION], [2.4])
-m4_define([LT_PACKAGE_REVISION], [1.3293])
+m4_define([LT_PACKAGE_VERSION], [2.4.2])
+m4_define([LT_PACKAGE_REVISION], [1.3337])
 
 AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.4'
-macro_revision='1.3293'
+[macro_version='2.4.2'
+macro_revision='1.3337'
 _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
 _LT_DECL(, macro_revision, 0)
 ])
diff --git a/acx_python.m4 b/acx_python.m4
index 6fa925af1684..99ffa254a8e4 100644
--- a/acx_python.m4
+++ b/acx_python.m4
@@ -164,8 +164,11 @@ $ac_distutils_result])
         AC_MSG_CHECKING([consistency of all components of python development environment])
         AC_LANG_PUSH([C])
         # save current global flags
-        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
-        CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+        ac_save_LIBS="$LIBS"
+        ac_save_CPPFLAGS="$CPPFLAGS"
+
+        LIBS="$LIBS $PYTHON_LDFLAGS"
+        CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
         AC_TRY_LINK([
                 #include <Python.h>
         ],[
diff --git a/config.guess b/config.guess
index dc84c68ef798..c0adba94b2f7 100755
--- a/config.guess
+++ b/config.guess
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
-#   Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
+#   2011, 2012 Free Software Foundation, Inc.
 
-timestamp='2009-11-20'
+timestamp='2012-06-10'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -17,9 +17,7 @@ timestamp='2009-11-20'
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -56,8 +54,9 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
-2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
+Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -144,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
 case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     *:NetBSD:*:*)
 	# NetBSD (nbsd) targets should (where applicable) match one or
-	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
 	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
 	# switched to ELF, *-*-netbsd* would select the old
 	# object file format.  This provides both forward
@@ -180,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 		fi
 		;;
 	    *)
-	        os=netbsd
+		os=netbsd
 		;;
 	esac
 	# The OS release
@@ -223,7 +222,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
 		;;
 	*5.*)
-	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
 		;;
 	esac
 	# According to Compaq, /usr/sbin/psrinfo has been available on
@@ -269,7 +268,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	# A Xn.n version is an unreleased experimental baselevel.
 	# 1.2 uses "1.2" for uname -r.
 	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-	exit ;;
+	# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
+	exitcode=$?
+	trap '' 0
+	exit $exitcode ;;
     Alpha\ *:Windows_NT*:*)
 	# How do we know it's Interix rather than the generic POSIX subsystem?
 	# Should we change UNAME_MACHINE based on the output of uname instead
@@ -295,7 +297,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	echo s390-ibm-zvmoe
 	exit ;;
     *:OS400:*:*)
-        echo powerpc-ibm-os400
+	echo powerpc-ibm-os400
 	exit ;;
     arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
 	echo arm-acorn-riscix${UNAME_RELEASE}
@@ -394,23 +396,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     # MiNT.  But MiNT is downward compatible to TOS, so this should
     # be no problem.
     atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
+	echo m68k-atari-mint${UNAME_RELEASE}
 	exit ;;
     atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
 	echo m68k-atari-mint${UNAME_RELEASE}
-        exit ;;
+	exit ;;
     *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
+	echo m68k-atari-mint${UNAME_RELEASE}
 	exit ;;
     milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
-        echo m68k-milan-mint${UNAME_RELEASE}
-        exit ;;
+	echo m68k-milan-mint${UNAME_RELEASE}
+	exit ;;
     hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
-        echo m68k-hades-mint${UNAME_RELEASE}
-        exit ;;
+	echo m68k-hades-mint${UNAME_RELEASE}
+	exit ;;
     *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
-        echo m68k-unknown-mint${UNAME_RELEASE}
-        exit ;;
+	echo m68k-unknown-mint${UNAME_RELEASE}
+	exit ;;
     m68k:machten:*:*)
 	echo m68k-apple-machten${UNAME_RELEASE}
 	exit ;;
@@ -480,8 +482,8 @@ EOF
 	echo m88k-motorola-sysv3
 	exit ;;
     AViiON:dgux:*:*)
-        # DG/UX returns AViiON for all architectures
-        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	# DG/UX returns AViiON for all architectures
+	UNAME_PROCESSOR=`/usr/bin/uname -p`
 	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
 	then
 	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
@@ -494,7 +496,7 @@ EOF
 	else
 	    echo i586-dg-dgux${UNAME_RELEASE}
 	fi
- 	exit ;;
+	exit ;;
     M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
 	echo m88k-dolphin-sysv3
 	exit ;;
@@ -551,7 +553,7 @@ EOF
 		echo rs6000-ibm-aix3.2
 	fi
 	exit ;;
-    *:AIX:*:[456])
+    *:AIX:*:[4567])
 	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
 	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
 		IBM_ARCH=rs6000
@@ -594,52 +596,52 @@ EOF
 	    9000/[678][0-9][0-9])
 		if [ -x /usr/bin/getconf ]; then
 		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
-                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
-                    case "${sc_cpu_version}" in
-                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
-                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
-                      532)                      # CPU_PA_RISC2_0
-                        case "${sc_kernel_bits}" in
-                          32) HP_ARCH="hppa2.0n" ;;
-                          64) HP_ARCH="hppa2.0w" ;;
+		    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+		    case "${sc_cpu_version}" in
+		      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+		      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+		      532)                      # CPU_PA_RISC2_0
+			case "${sc_kernel_bits}" in
+			  32) HP_ARCH="hppa2.0n" ;;
+			  64) HP_ARCH="hppa2.0w" ;;
 			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
-                        esac ;;
-                    esac
+			esac ;;
+		    esac
 		fi
 		if [ "${HP_ARCH}" = "" ]; then
 		    eval $set_cc_for_build
-		    sed 's/^              //' << EOF >$dummy.c
+		    sed 's/^		//' << EOF >$dummy.c
 
-              #define _HPUX_SOURCE
-              #include <stdlib.h>
-              #include <unistd.h>
+		#define _HPUX_SOURCE
+		#include <stdlib.h>
+		#include <unistd.h>
 
-              int main ()
-              {
-              #if defined(_SC_KERNEL_BITS)
-                  long bits = sysconf(_SC_KERNEL_BITS);
-              #endif
-                  long cpu  = sysconf (_SC_CPU_VERSION);
+		int main ()
+		{
+		#if defined(_SC_KERNEL_BITS)
+		    long bits = sysconf(_SC_KERNEL_BITS);
+		#endif
+		    long cpu  = sysconf (_SC_CPU_VERSION);
 
-                  switch (cpu)
-              	{
-              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
-              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
-              	case CPU_PA_RISC2_0:
-              #if defined(_SC_KERNEL_BITS)
-              	    switch (bits)
-              		{
-              		case 64: puts ("hppa2.0w"); break;
-              		case 32: puts ("hppa2.0n"); break;
-              		default: puts ("hppa2.0"); break;
-              		} break;
-              #else  /* !defined(_SC_KERNEL_BITS) */
-              	    puts ("hppa2.0"); break;
-              #endif
-              	default: puts ("hppa1.0"); break;
-              	}
-                  exit (0);
-              }
+		    switch (cpu)
+			{
+			case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+			case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+			case CPU_PA_RISC2_0:
+		#if defined(_SC_KERNEL_BITS)
+			    switch (bits)
+				{
+				case 64: puts ("hppa2.0w"); break;
+				case 32: puts ("hppa2.0n"); break;
+				default: puts ("hppa2.0"); break;
+				} break;
+		#else  /* !defined(_SC_KERNEL_BITS) */
+			    puts ("hppa2.0"); break;
+		#endif
+			default: puts ("hppa1.0"); break;
+			}
+		    exit (0);
+		}
 EOF
 		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
 		    test -z "$HP_ARCH" && HP_ARCH=hppa
@@ -730,22 +732,22 @@ EOF
 	exit ;;
     C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
 	echo c1-convex-bsd
-        exit ;;
+	exit ;;
     C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
 	if getsysinfo -f scalar_acc
 	then echo c32-convex-bsd
 	else echo c2-convex-bsd
 	fi
-        exit ;;
+	exit ;;
     C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
 	echo c34-convex-bsd
-        exit ;;
+	exit ;;
     C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
 	echo c38-convex-bsd
-        exit ;;
+	exit ;;
     C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
 	echo c4-convex-bsd
-        exit ;;
+	exit ;;
     CRAY*Y-MP:*:*:*)
 	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
 	exit ;;
@@ -769,14 +771,14 @@ EOF
 	exit ;;
     F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
 	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
-        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-        exit ;;
+	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+	FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+	echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	exit ;;
     5000:UNIX_System_V:4.*:*)
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
-        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+	FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+	echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
 	exit ;;
     i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
 	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
@@ -788,13 +790,12 @@ EOF
 	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
 	exit ;;
     *:FreeBSD:*:*)
-	case ${UNAME_MACHINE} in
-	    pc98)
-		echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	UNAME_PROCESSOR=`/usr/bin/uname -p`
+	case ${UNAME_PROCESSOR} in
 	    amd64)
 		echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
 	    *)
-		echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+		echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
 	esac
 	exit ;;
     i*:CYGWIN*:*)
@@ -803,15 +804,18 @@ EOF
     *:MINGW*:*)
 	echo ${UNAME_MACHINE}-pc-mingw32
 	exit ;;
+    i*:MSYS*:*)
+	echo ${UNAME_MACHINE}-pc-msys
+	exit ;;
     i*:windows32*:*)
-    	# uname -m includes "-pc" on this system.
-    	echo ${UNAME_MACHINE}-mingw32
+	# uname -m includes "-pc" on this system.
+	echo ${UNAME_MACHINE}-mingw32
 	exit ;;
     i*:PW*:*)
 	echo ${UNAME_MACHINE}-pc-pw32
 	exit ;;
     *:Interix*:*)
-    	case ${UNAME_MACHINE} in
+	case ${UNAME_MACHINE} in
 	    x86)
 		echo i586-pc-interix${UNAME_RELEASE}
 		exit ;;
@@ -857,6 +861,13 @@ EOF
     i*86:Minix:*:*)
 	echo ${UNAME_MACHINE}-pc-minix
 	exit ;;
+    aarch64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    aarch64_be:Linux:*:*)
+	UNAME_MACHINE=aarch64_be
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
     alpha:Linux:*:*)
 	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
 	  EV5)   UNAME_MACHINE=alphaev5 ;;
@@ -866,7 +877,7 @@ EOF
 	  EV6)   UNAME_MACHINE=alphaev6 ;;
 	  EV67)  UNAME_MACHINE=alphaev67 ;;
 	  EV68*) UNAME_MACHINE=alphaev68 ;;
-        esac
+	esac
 	objdump --private-headers /bin/sh | grep -q ld.so.1
 	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
 	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
@@ -878,20 +889,29 @@ EOF
 	then
 	    echo ${UNAME_MACHINE}-unknown-linux-gnu
 	else
-	    echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+	    if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
+		| grep -q __ARM_PCS_VFP
+	    then
+		echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+	    else
+		echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
+	    fi
 	fi
 	exit ;;
     avr32*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     cris:Linux:*:*)
-	echo cris-axis-linux-gnu
+	echo ${UNAME_MACHINE}-axis-linux-gnu
 	exit ;;
     crisv32:Linux:*:*)
-	echo crisv32-axis-linux-gnu
+	echo ${UNAME_MACHINE}-axis-linux-gnu
 	exit ;;
     frv:Linux:*:*)
-    	echo frv-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    hexagon:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     i*86:Linux:*:*)
 	LIBC=gnu
@@ -933,7 +953,7 @@ EOF
 	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
 	;;
     or32:Linux:*:*)
-	echo or32-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     padre:Linux:*:*)
 	echo sparc-unknown-linux-gnu
@@ -959,7 +979,7 @@ EOF
 	echo ${UNAME_MACHINE}-ibm-linux
 	exit ;;
     sh64*:Linux:*:*)
-    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     sh*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
@@ -967,14 +987,17 @@ EOF
     sparc:Linux:*:* | sparc64:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
+    tile*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
     vax:Linux:*:*)
 	echo ${UNAME_MACHINE}-dec-linux-gnu
 	exit ;;
     x86_64:Linux:*:*)
-	echo x86_64-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     xtensa*:Linux:*:*)
-    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     i*86:DYNIX/ptx:4*:*)
 	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@@ -983,11 +1006,11 @@ EOF
 	echo i386-sequent-sysv4
 	exit ;;
     i*86:UNIX_SV:4.2MP:2.*)
-        # Unixware is an offshoot of SVR4, but it has its own version
-        # number series starting with 2...
-        # I am not positive that other SVR4 systems won't match this,
+	# Unixware is an offshoot of SVR4, but it has its own version
+	# number series starting with 2...
+	# I am not positive that other SVR4 systems won't match this,
 	# I just have to hope.  -- rms.
-        # Use sysv4.2uw... so that sysv4* matches it.
+	# Use sysv4.2uw... so that sysv4* matches it.
 	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
 	exit ;;
     i*86:OS/2:*:*)
@@ -1019,7 +1042,7 @@ EOF
 	fi
 	exit ;;
     i*86:*:5:[678]*)
-    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
+	# UnixWare 7.x, OpenUNIX and OpenServer 6.
 	case `/bin/uname -X | grep "^Machine"` in
 	    *486*)	     UNAME_MACHINE=i486 ;;
 	    *Pentium)	     UNAME_MACHINE=i586 ;;
@@ -1047,13 +1070,13 @@ EOF
 	exit ;;
     pc:*:*:*)
 	# Left here for compatibility:
-        # uname -m prints for DJGPP always 'pc', but it prints nothing about
-        # the processor, so we play safe by assuming i586.
+	# uname -m prints for DJGPP always 'pc', but it prints nothing about
+	# the processor, so we play safe by assuming i586.
 	# Note: whatever this is, it MUST be the same as what config.sub
 	# prints for the "djgpp" host, or else GDB configury will decide that
 	# this is a cross-build.
 	echo i586-pc-msdosdjgpp
-        exit ;;
+	exit ;;
     Intel:Mach:3*:*)
 	echo i386-pc-mach3
 	exit ;;
@@ -1088,8 +1111,8 @@ EOF
 	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
 	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
     3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
-        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-          && { echo i486-ncr-sysv4; exit; } ;;
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && { echo i486-ncr-sysv4; exit; } ;;
     NCR*:*:4.2:* | MPRAS*:*:4.2:*)
 	OS_REL='.3'
 	test -r /etc/.relid \
@@ -1132,10 +1155,10 @@ EOF
 		echo ns32k-sni-sysv
 	fi
 	exit ;;
-    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
-                      # says <Richard.M.Bartel@ccMail.Census.GOV>
-        echo i586-unisys-sysv4
-        exit ;;
+    PENTIUM:*:4.0*:*)	# Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+			# says <Richard.M.Bartel@ccMail.Census.GOV>
+	echo i586-unisys-sysv4
+	exit ;;
     *:UNIX_System_V:4*:FTX*)
 	# From Gerald Hewes <hewes@openmarket.com>.
 	# How about differentiating between stratus architectures? -djm
@@ -1161,11 +1184,11 @@ EOF
 	exit ;;
     R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
 	if [ -d /usr/nec ]; then
-	        echo mips-nec-sysv${UNAME_RELEASE}
+		echo mips-nec-sysv${UNAME_RELEASE}
 	else
-	        echo mips-unknown-sysv${UNAME_RELEASE}
+		echo mips-unknown-sysv${UNAME_RELEASE}
 	fi
-        exit ;;
+	exit ;;
     BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
 	echo powerpc-be-beos
 	exit ;;
@@ -1230,7 +1253,10 @@ EOF
     *:QNX:*:4*)
 	echo i386-pc-qnx
 	exit ;;
-    NSE-?:NONSTOP_KERNEL:*:*)
+    NEO-?:NONSTOP_KERNEL:*:*)
+	echo neo-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    NSE-*:NONSTOP_KERNEL:*:*)
 	echo nse-tandem-nsk${UNAME_RELEASE}
 	exit ;;
     NSR-?:NONSTOP_KERNEL:*:*)
@@ -1275,13 +1301,13 @@ EOF
 	echo pdp10-unknown-its
 	exit ;;
     SEI:*:*:SEIUX)
-        echo mips-sei-seiux${UNAME_RELEASE}
+	echo mips-sei-seiux${UNAME_RELEASE}
 	exit ;;
     *:DragonFly:*:*)
 	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
 	exit ;;
     *:*VMS:*:*)
-    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
+	UNAME_MACHINE=`(uname -p) 2>/dev/null`
 	case "${UNAME_MACHINE}" in
 	    A*) echo alpha-dec-vms ; exit ;;
 	    I*) echo ia64-dec-vms ; exit ;;
@@ -1299,6 +1325,9 @@ EOF
     i*86:AROS:*:*)
 	echo ${UNAME_MACHINE}-pc-aros
 	exit ;;
+    x86_64:VMkernel:*:*)
+	echo ${UNAME_MACHINE}-unknown-esx
+	exit ;;
 esac
 
 #echo '(No uname command or uname output not recognized.)' 1>&2
@@ -1321,11 +1350,11 @@ main ()
 #include <sys/param.h>
   printf ("m68k-sony-newsos%s\n",
 #ifdef NEWSOS4
-          "4"
+	"4"
 #else
-	  ""
+	""
 #endif
-         ); exit (0);
+	); exit (0);
 #endif
 #endif
 
diff --git a/config.h.in b/config.h.in
index cacf294b9089..7e1a5a34b079 100644
--- a/config.h.in
+++ b/config.h.in
@@ -106,6 +106,9 @@
 /* Define to 1 if you have the `fcntl' function. */
 #undef HAVE_FCNTL
 
+/* Define to 1 if you have the `FIPS_mode' function. */
+#undef HAVE_FIPS_MODE
+
 /* Define to 1 if you have the `fork' function. */
 #undef HAVE_FORK
 
@@ -193,6 +196,9 @@
 /* Define to 1 if you have the <netinet/in.h> header file. */
 #undef HAVE_NETINET_IN_H
 
+/* Use libnss for crypto */
+#undef HAVE_NSS
+
 /* Define to 1 if you have the `OPENSSL_config' function. */
 #undef HAVE_OPENSSL_CONFIG
 
@@ -543,6 +549,11 @@
    `char[]'. */
 #undef YYTEXT_POINTER
 
+/* Enable large inode numbers on Mac OS X 10.5.  */
+#ifndef _DARWIN_USE_64_BIT_INODE
+# define _DARWIN_USE_64_BIT_INODE 1
+#endif
+
 /* Number of bits in a file offset, on hosts where this is settable. */
 #undef _FILE_OFFSET_BITS
 
diff --git a/config.sub b/config.sub
index 2a55a50751c1..6205f8423d6a 100755
--- a/config.sub
+++ b/config.sub
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
-#   Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
+#   2011, 2012 Free Software Foundation, Inc.
 
-timestamp='2009-11-20'
+timestamp='2012-04-18'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -21,9 +21,7 @@ timestamp='2009-11-20'
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -75,8 +73,9 @@ Report bugs and patches to <config-patches@gnu.org>."
 version="\
 GNU config.sub ($timestamp)
 
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
-2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
+Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -123,13 +122,18 @@ esac
 # Here we must recognize all the valid KERNEL-OS combinations.
 maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
-  nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
-  uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
+  nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
+  linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
+  knetbsd*-gnu* | netbsd*-gnu* | \
   kopensolaris*-gnu* | \
   storm-chaos* | os2-emx* | rtmk-nova*)
     os=-$maybe_os
     basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
     ;;
+  android-linux)
+    os=-linux-android
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
+    ;;
   *)
     basic_machine=`echo $1 | sed 's/-[^-]*$//'`
     if [ $basic_machine != $1 ]
@@ -156,8 +160,8 @@ case $os in
 		os=
 		basic_machine=$1
 		;;
-        -bluegene*)
-	        os=-cnk
+	-bluegene*)
+		os=-cnk
 		;;
 	-sim | -cisco | -oki | -wec | -winbond)
 		os=
@@ -173,10 +177,10 @@ case $os in
 		os=-chorusos
 		basic_machine=$1
 		;;
- 	-chorusrdb)
- 		os=-chorusrdb
+	-chorusrdb)
+		os=-chorusrdb
 		basic_machine=$1
- 		;;
+		;;
 	-hiux*)
 		os=-hiuxwe2
 		;;
@@ -221,6 +225,12 @@ case $os in
 	-isc*)
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
 		;;
+	-lynx*178)
+		os=-lynxos178
+		;;
+	-lynx*5)
+		os=-lynxos5
+		;;
 	-lynx*)
 		os=-lynxos
 		;;
@@ -245,17 +255,22 @@ case $basic_machine in
 	# Some are omitted here because they have special meanings below.
 	1750a | 580 \
 	| a29k \
+	| aarch64 | aarch64_be \
 	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
 	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
 	| am33_2.0 \
 	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
+        | be32 | be64 \
 	| bfin \
 	| c4x | clipper \
 	| d10v | d30v | dlx | dsp16xx \
+	| epiphany \
 	| fido | fr30 | frv \
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+	| hexagon \
 	| i370 | i860 | i960 | ia64 \
 	| ip2k | iq2000 \
+	| le32 | le64 \
 	| lm32 \
 	| m32c | m32r | m32rle | m68000 | m68k | m88k \
 	| maxq | mb | microblaze | mcore | mep | metag \
@@ -281,29 +296,39 @@ case $basic_machine in
 	| moxie \
 	| mt \
 	| msp430 \
+	| nds32 | nds32le | nds32be \
 	| nios | nios2 \
 	| ns16k | ns32k \
+	| open8 \
 	| or32 \
 	| pdp10 | pdp11 | pj | pjl \
-	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+	| powerpc | powerpc64 | powerpc64le | powerpcle \
 	| pyramid \
-	| rx \
+	| rl78 | rx \
 	| score \
 	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
 	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
 	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
-	| spu | strongarm \
-	| tahoe | thumb | tic4x | tic80 | tron \
+	| spu \
+	| tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
 	| ubicom32 \
-	| v850 | v850e \
+	| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
 	| we32k \
-	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| x86 | xc16x | xstormy16 | xtensa \
 	| z8k | z80)
 		basic_machine=$basic_machine-unknown
 		;;
-	m6811 | m68hc11 | m6812 | m68hc12 | picochip)
-		# Motorola 68HC11/12.
+	c54x)
+		basic_machine=tic54x-unknown
+		;;
+	c55x)
+		basic_machine=tic55x-unknown
+		;;
+	c6x)
+		basic_machine=tic6x-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip)
 		basic_machine=$basic_machine-unknown
 		os=-none
 		;;
@@ -313,6 +338,21 @@ case $basic_machine in
 		basic_machine=mt-unknown
 		;;
 
+	strongarm | thumb | xscale)
+		basic_machine=arm-unknown
+		;;
+	xgate)
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	xscaleeb)
+		basic_machine=armeb-unknown
+		;;
+
+	xscaleel)
+		basic_machine=armel-unknown
+		;;
+
 	# We use `pc' rather than `unknown'
 	# because (1) that's what they normally are, and
 	# (2) the word "unknown" tends to confuse beginning users.
@@ -327,21 +367,25 @@ case $basic_machine in
 	# Recognize the basic CPU types with company name.
 	580-* \
 	| a29k-* \
+	| aarch64-* | aarch64_be-* \
 	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
 	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
 	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
 	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
 	| avr-* | avr32-* \
+	| be32-* | be64-* \
 	| bfin-* | bs2000-* \
-	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+	| c[123]* | c30-* | [cjt]90-* | c4x-* \
 	| clipper-* | craynv-* | cydra-* \
 	| d10v-* | d30v-* | dlx-* \
 	| elxsi-* \
 	| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
 	| h8300-* | h8500-* \
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+	| hexagon-* \
 	| i*86-* | i860-* | i960-* | ia64-* \
 	| ip2k-* | iq2000-* \
+	| le32-* | le64-* \
 	| lm32-* \
 	| m32c-* | m32r-* | m32rle-* \
 	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
@@ -367,25 +411,29 @@ case $basic_machine in
 	| mmix-* \
 	| mt-* \
 	| msp430-* \
+	| nds32-* | nds32le-* | nds32be-* \
 	| nios-* | nios2-* \
 	| none-* | np1-* | ns16k-* | ns32k-* \
+	| open8-* \
 	| orion-* \
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
-	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
 	| pyramid-* \
-	| romp-* | rs6000-* | rx-* \
+	| rl78-* | romp-* | rs6000-* | rx-* \
 	| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
 	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
 	| sparclite-* \
-	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
-	| tahoe-* | thumb-* \
-	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* | tile-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
+	| tahoe-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tile*-* \
 	| tron-* \
 	| ubicom32-* \
-	| v850-* | v850e-* | vax-* \
+	| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
+	| vax-* \
 	| we32k-* \
-	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| x86-* | x86_64-* | xc16x-* | xps100-* \
 	| xstormy16-* | xtensa*-* \
 	| ymp-* \
 	| z8k-* | z80-*)
@@ -410,7 +458,7 @@ case $basic_machine in
 		basic_machine=a29k-amd
 		os=-udi
 		;;
-    	abacus)
+	abacus)
 		basic_machine=abacus-unknown
 		;;
 	adobe68k)
@@ -480,11 +528,20 @@ case $basic_machine in
 		basic_machine=powerpc-ibm
 		os=-cnk
 		;;
+	c54x-*)
+		basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	c55x-*)
+		basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	c6x-*)
+		basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
 	c90)
 		basic_machine=c90-cray
 		os=-unicos
 		;;
-        cegcc)
+	cegcc)
 		basic_machine=arm-unknown
 		os=-cegcc
 		;;
@@ -516,7 +573,7 @@ case $basic_machine in
 		basic_machine=craynv-cray
 		os=-unicosmp
 		;;
-	cr16)
+	cr16 | cr16-*)
 		basic_machine=cr16-unknown
 		os=-elf
 		;;
@@ -674,7 +731,6 @@ case $basic_machine in
 	i370-ibm* | ibm*)
 		basic_machine=i370-ibm
 		;;
-# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
 	i*86v32)
 		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
 		os=-sysv32
@@ -732,7 +788,7 @@ case $basic_machine in
 		basic_machine=ns32k-utek
 		os=-sysv
 		;;
-        microblaze)
+	microblaze)
 		basic_machine=microblaze-xilinx
 		;;
 	mingw32)
@@ -771,10 +827,18 @@ case $basic_machine in
 	ms1-*)
 		basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
 		;;
+	msys)
+		basic_machine=i386-pc
+		os=-msys
+		;;
 	mvs)
 		basic_machine=i370-ibm
 		os=-mvs
 		;;
+	nacl)
+		basic_machine=le32-unknown
+		os=-nacl
+		;;
 	ncr3000)
 		basic_machine=i486-ncr
 		os=-sysv4
@@ -839,6 +903,12 @@ case $basic_machine in
 	np1)
 		basic_machine=np1-gould
 		;;
+	neo-tandem)
+		basic_machine=neo-tandem
+		;;
+	nse-tandem)
+		basic_machine=nse-tandem
+		;;
 	nsr-tandem)
 		basic_machine=nsr-tandem
 		;;
@@ -921,9 +991,10 @@ case $basic_machine in
 		;;
 	power)	basic_machine=power-ibm
 		;;
-	ppc)	basic_machine=powerpc-unknown
+	ppc | ppcbe)	basic_machine=powerpc-unknown
 		;;
-	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+	ppc-* | ppcbe-*)
+		basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
 		;;
 	ppcle | powerpclittle | ppc-le | powerpc-little)
 		basic_machine=powerpcle-unknown
@@ -1017,6 +1088,9 @@ case $basic_machine in
 		basic_machine=i860-stratus
 		os=-sysv4
 		;;
+	strongarm-* | thumb-*)
+		basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
 	sun2)
 		basic_machine=m68000-sun
 		;;
@@ -1073,20 +1147,8 @@ case $basic_machine in
 		basic_machine=t90-cray
 		os=-unicos
 		;;
-	tic54x | c54x*)
-		basic_machine=tic54x-unknown
-		os=-coff
-		;;
-	tic55x | c55x*)
-		basic_machine=tic55x-unknown
-		os=-coff
-		;;
-	tic6x | c6x*)
-		basic_machine=tic6x-unknown
-		os=-coff
-		;;
 	tile*)
-		basic_machine=tile-unknown
+		basic_machine=$basic_machine-unknown
 		os=-linux-gnu
 		;;
 	tx39)
@@ -1156,6 +1218,9 @@ case $basic_machine in
 	xps | xps100)
 		basic_machine=xps100-honeywell
 		;;
+	xscale-* | xscalee[bl]-*)
+		basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
+		;;
 	ymp)
 		basic_machine=ymp-cray
 		os=-unicos
@@ -1253,11 +1318,11 @@ esac
 if [ x"$os" != x"" ]
 then
 case $os in
-        # First match some system type aliases
-        # that might get confused with valid system types.
+	# First match some system type aliases
+	# that might get confused with valid system types.
 	# -solaris* is a basic system type, with this one exception.
-        -auroraux)
-	        os=-auroraux
+	-auroraux)
+		os=-auroraux
 		;;
 	-solaris1 | -solaris1.*)
 		os=`echo $os | sed -e 's|solaris1|sunos4|'`
@@ -1293,8 +1358,9 @@ case $os in
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
 	      | -chorusos* | -chorusrdb* | -cegcc* \
-	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \
+	      | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -linux-android* \
+	      | -linux-newlib* | -linux-uclibc* \
 	      | -uxpv* | -beos* | -mpeix* | -udk* \
 	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
 	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
@@ -1341,7 +1407,7 @@ case $os in
 	-opened*)
 		os=-openedition
 		;;
-        -os400*)
+	-os400*)
 		os=-os400
 		;;
 	-wince*)
@@ -1390,7 +1456,7 @@ case $os in
 	-sinix*)
 		os=-sysv4
 		;;
-        -tpf*)
+	-tpf*)
 		os=-tpf
 		;;
 	-triton*)
@@ -1435,6 +1501,8 @@ case $os in
 	-dicos*)
 		os=-dicos
 		;;
+	-nacl*)
+		;;
 	-none)
 		;;
 	*)
@@ -1457,10 +1525,10 @@ else
 # system, and we'll never get to this point.
 
 case $basic_machine in
-        score-*)
+	score-*)
 		os=-elf
 		;;
-        spu-*)
+	spu-*)
 		os=-elf
 		;;
 	*-acorn)
@@ -1472,8 +1540,20 @@ case $basic_machine in
 	arm*-semi)
 		os=-aout
 		;;
-        c4x-* | tic4x-*)
-        	os=-coff
+	c4x-* | tic4x-*)
+		os=-coff
+		;;
+	hexagon-*)
+		os=-elf
+		;;
+	tic54x-*)
+		os=-coff
+		;;
+	tic55x-*)
+		os=-coff
+		;;
+	tic6x-*)
+		os=-coff
 		;;
 	# This must come before the *-dec entry.
 	pdp10-*)
@@ -1493,14 +1573,11 @@ case $basic_machine in
 		;;
 	m68000-sun)
 		os=-sunos3
-		# This also exists in the configure program, but was not the
-		# default.
-		# os=-sunos4
 		;;
 	m68*-cisco)
 		os=-aout
 		;;
-        mep-*)
+	mep-*)
 		os=-elf
 		;;
 	mips*-cisco)
@@ -1527,7 +1604,7 @@ case $basic_machine in
 	*-ibm)
 		os=-aix
 		;;
-    	*-knuth)
+	*-knuth)
 		os=-mmixware
 		;;
 	*-wec)
diff --git a/configure b/configure
index 14bd38173d6e..90deeca297a6 100755
--- a/configure
+++ b/configure
@@ -1,13 +1,11 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for unbound 1.4.17.
+# Generated by GNU Autoconf 2.69 for unbound 1.4.20.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
 #
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
-# Foundation, Inc.
+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
 #
 #
 # This configure script is free software; the Free Software Foundation
@@ -136,6 +134,31 @@ export LANGUAGE
 # CDPATH.
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
+# Use a proper internal environment variable to ensure we don't fall
+  # into an infinite loop, continuously re-executing ourselves.
+  if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
+    _as_can_reexec=no; export _as_can_reexec;
+    # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+as_fn_exit 255
+  fi
+  # We don't want this to propagate to other subprocesses.
+          { _as_can_reexec=; unset _as_can_reexec;}
 if test "x$CONFIG_SHELL" = x; then
   as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
   emulate sh
@@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
 else
   exitcode=1; echo positional parameters were not saved.
 fi
-test x\$exitcode = x0 || exit 1"
+test x\$exitcode = x0 || exit 1
+test -x / || exit 1"
   as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
   as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
   eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
@@ -222,21 +246,25 @@ IFS=$as_save_IFS
 
 
       if test "x$CONFIG_SHELL" != x; then :
-  # We cannot yet assume a decent shell, so we have to provide a
-	# neutralization value for shells without unset; and this also
-	# works around shells that cannot unset nonexistent variables.
-	# Preserve -v and -x to the replacement shell.
-	BASH_ENV=/dev/null
-	ENV=/dev/null
-	(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-	export CONFIG_SHELL
-	case $- in # ((((
-	  *v*x* | *x*v* ) as_opts=-vx ;;
-	  *v* ) as_opts=-v ;;
-	  *x* ) as_opts=-x ;;
-	  * ) as_opts= ;;
-	esac
-	exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
+  export CONFIG_SHELL
+             # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+exit 255
 fi
 
     if test x$as_have_required = xno; then :
@@ -339,6 +367,14 @@ $as_echo X"$as_dir" |
 
 
 } # as_fn_mkdir_p
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
 # as_fn_append VAR VALUE
 # ----------------------
 # Append the text in VALUE to the end of the definition contained in VAR. Take
@@ -460,6 +496,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits
   chmod +x "$as_me.lineno" ||
     { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
 
+  # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
+  # already done that, so ensure we don't try to do so again and fall
+  # in an infinite loop.  This has already happened in practice.
+  _as_can_reexec=no; export _as_can_reexec
   # Don't try to exec as it changes $[0], causing all sort of problems
   # (the dirname of $[0] is not the place where we might find the
   # original and so on.  Autoconf is especially sensitive to this).
@@ -494,16 +534,16 @@ if (echo >conf$$.file) 2>/dev/null; then
     # ... but there are two gotchas:
     # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
     # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
+    # In both cases, we have to default to `cp -pR'.
     ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
+      as_ln_s='cp -pR'
   elif ln conf$$.file conf$$ 2>/dev/null; then
     as_ln_s=ln
   else
-    as_ln_s='cp -p'
+    as_ln_s='cp -pR'
   fi
 else
-  as_ln_s='cp -p'
+  as_ln_s='cp -pR'
 fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
@@ -515,28 +555,8 @@ else
   as_mkdir_p=false
 fi
 
-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in #(
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
 
 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -570,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.4.17'
-PACKAGE_STRING='unbound 1.4.17'
+PACKAGE_VERSION='1.4.20'
+PACKAGE_STRING='unbound 1.4.20'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -613,6 +633,7 @@ ac_includes_default="\
 
 ac_subst_vars='LTLIBOBJS
 ldnsdir
+ALLTARGET
 SOURCEFILE
 SOURCEDETERMINE
 UBSYMS
@@ -789,6 +810,7 @@ with_pthreads
 with_solaris_threads
 with_pyunbound
 with_pythonmodule
+with_nss
 with_ssl
 enable_sha2
 enable_gost
@@ -798,6 +820,7 @@ with_libexpat
 enable_static_exe
 enable_lock_checks
 enable_allsymbols
+with_libunbound_only
 with_ldns
 '
       ac_precious_vars='build_alias
@@ -1267,8 +1290,6 @@ target=$target_alias
 if test "x$host_alias" != x; then
   if test "x$build_alias" = x; then
     cross_compiling=maybe
-    $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
-    If a cross compiler is detected then cross compile mode will be used" >&2
   elif test "x$build_alias" != "x$host_alias"; then
     cross_compiling=yes
   fi
@@ -1354,7 +1375,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.4.17 to adapt to many kinds of systems.
+\`configure' configures unbound 1.4.20 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1420,7 +1441,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.4.17:";;
+     short | recursive ) echo "Configuration of unbound 1.4.20:";;
    esac
   cat <<\_ACEOF
 
@@ -1477,7 +1498,7 @@ Optional Packages:
                           not exist if you are content with the builtin.
   --with-username=user    set default user that unbound changes to (default
                           user is unbound)
-  --with-pic              try to use only PIC/non-PIC objects [default=use
+  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use
                           both]
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
   --with-sysroot=DIR Search for dependent libraries within DIR
@@ -1489,6 +1510,7 @@ Optional Packages:
                           (default=no)
   --with-pythonmodule     build Python module, or --without-pythonmodule to
                           disable script engine. (default=no)
+  --with-nss=path         use libnss instead of openssl, installed at path.
   --with-ssl=pathname     enable SSL (will check /usr/local/ssl /usr/lib/ssl
                           /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
                           /usr)
@@ -1498,6 +1520,7 @@ Optional Packages:
                           an explicit path). Slower, but allows use of large
                           outgoing port ranges.
   --with-libexpat=path    specify explicit path for libexpat.
+  --with-libunbound-only  do not build daemon and tool programs
   --with-ldns=PATH        specify prefix of path of ldns library to use
 
 Some influential environment variables:
@@ -1586,10 +1609,10 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.4.17
-generated by GNU Autoconf 2.68
+unbound configure 1.4.20
+generated by GNU Autoconf 2.69
 
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
@@ -1866,7 +1889,7 @@ $as_echo "$ac_try_echo"; } >&5
 	 test ! -s conftest.err
        } && test -s conftest$ac_exeext && {
 	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
+	 test -x conftest$ac_exeext
        }; then :
   ac_retval=0
 else
@@ -2112,8 +2135,8 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.4.17, which was
-generated by GNU Autoconf 2.68.  Invocation command line was
+It was created by unbound $as_me 1.4.20, which was
+generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
 
@@ -2462,7 +2485,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 LIBUNBOUND_CURRENT=3
-LIBUNBOUND_REVISION=1
+LIBUNBOUND_REVISION=5
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2496,6 +2519,9 @@ LIBUNBOUND_AGE=1
 # 1.4.15 had 3:0:1 # adds ub_version()
 # 1.4.16 had 3:1:1
 # 1.4.17 had 3:2:1
+# 1.4.18 had 3:3:1
+# 1.4.19 had 3:4:1
+# 1.4.20 had 4:0:2 # adds libunbound.ttl
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -2705,7 +2731,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="${ac_tool_prefix}gcc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -2745,7 +2771,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_CC="gcc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -2798,7 +2824,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="${ac_tool_prefix}cc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -2839,7 +2865,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
        ac_prog_rejected=yes
        continue
@@ -2897,7 +2923,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -2941,7 +2967,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_CC="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3387,8 +3413,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdarg.h>
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+struct stat;
 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
 struct buf { int x; };
 FILE * (*rcsopen) (struct buf *, struct stat *, int);
@@ -3628,7 +3653,7 @@ do
     for ac_prog in grep ggrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+      as_fn_executable_p "$ac_path_GREP" || continue
 # Check for GNU ac_path_GREP and select it if it is found.
   # Check for GNU $ac_path_GREP
 case `"$ac_path_GREP" --version 2>&1` in
@@ -3694,7 +3719,7 @@ do
     for ac_prog in egrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+      as_fn_executable_p "$ac_path_EGREP" || continue
 # Check for GNU ac_path_EGREP and select it if it is found.
   # Check for GNU $ac_path_EGREP
 case `"$ac_path_EGREP" --version 2>&1` in
@@ -3901,8 +3926,8 @@ else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-#	  define __EXTENSIONS__ 1
-	  $ac_includes_default
+#         define __EXTENSIONS__ 1
+          $ac_includes_default
 int
 main ()
 {
@@ -4134,11 +4159,11 @@ else
 int
 main ()
 {
-/* FIXME: Include the comments suggested by Paul. */
+
 #ifndef __cplusplus
-  /* Ultrix mips cc rejects this.  */
+  /* Ultrix mips cc rejects this sort of thing.  */
   typedef int charset[2];
-  const charset cs;
+  const charset cs = { 0, 0 };
   /* SunOS 4.1.1 cc rejects this.  */
   char const *const *pcpcc;
   char **ppc;
@@ -4155,8 +4180,9 @@ main ()
   ++pcpcc;
   ppc = (char**) pcpcc;
   pcpcc = (char const *const *) ppc;
-  { /* SCO 3.2v4 cc rejects this.  */
-    char *t;
+  { /* SCO 3.2v4 cc rejects this sort of thing.  */
+    char tx;
+    char *t = &tx;
     char const *s = 0 ? (char *) 0 : (char const *) 0;
 
     *t++ = 0;
@@ -4172,10 +4198,10 @@ main ()
     iptr p = 0;
     ++p;
   }
-  { /* AIX XL C 1.02.0.0 rejects this saying
+  { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying
        "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
-    struct s { int j; const int *ap[3]; };
-    struct s *b; b->j = 5;
+    struct s { int j; const int *ap[3]; } bx;
+    struct s *b = &bx; b->j = 5;
   }
   { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
     const int foo = 10;
@@ -4209,6 +4235,8 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
+# allow user to override the -g -O2 flags.
+if test "x$CFLAGS" = "x" ; then
 
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC supports -g" >&5
@@ -4271,6 +4299,7 @@ $as_echo "no" >&6; }
 
 fi
 
+fi
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -4293,7 +4322,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="${ac_tool_prefix}gcc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -4333,7 +4362,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_CC="gcc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -4386,7 +4415,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="${ac_tool_prefix}cc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -4427,7 +4456,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
        ac_prog_rejected=yes
        continue
@@ -4485,7 +4514,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -4529,7 +4558,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_CC="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -4725,8 +4754,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdarg.h>
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+struct stat;
 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
 struct buf { int x; };
 FILE * (*rcsopen) (struct buf *, struct stat *, int);
@@ -5421,7 +5449,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we need -D_POSIX_C_SOURCE=200112 as a flag for $CC" >&5
 $as_echo_n "checking whether we need -D_POSIX_C_SOURCE=200112 as a flag for $CC... " >&6; }
-cache=`$as_echo "-D_POSIX_C_SOURCE=200112" | $as_tr_sh`
+cache=_D_POSIX_C_SOURCE_200112
 if eval \${cv_prog_cc_flag_needed_$cache+:} false; then :
   $as_echo_n "(cached) " >&6
 else
@@ -5909,7 +5937,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_LEX="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -5941,7 +5969,8 @@ a { ECHO; }
 b { REJECT; }
 c { yymore (); }
 d { yyless (1); }
-e { yyless (input () != 0); }
+e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument.  */
+    yyless ((input () != 0)); }
 f { unput (yytext[0]); }
 . { BEGIN INITIAL; }
 %%
@@ -6079,7 +6108,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_YACC="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6120,7 +6149,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_doxygen="doxygen"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6158,7 +6187,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6198,7 +6227,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_STRIP="strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6272,7 +6301,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_AR="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6315,7 +6344,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_ac_pt_AR="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6363,8 +6392,8 @@ esac
 
 
 
-macro_version='2.4'
-macro_revision='1.3293'
+macro_version='2.4.2'
+macro_revision='1.3337'
 
 
 
@@ -6471,7 +6500,7 @@ do
     for ac_prog in sed gsed; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_SED="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue
+      as_fn_executable_p "$ac_path_SED" || continue
 # Check for GNU ac_path_SED and select it if it is found.
   # Check for GNU $ac_path_SED
 case `"$ac_path_SED" --version 2>&1` in
@@ -6550,7 +6579,7 @@ do
     for ac_prog in fgrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue
+      as_fn_executable_p "$ac_path_FGREP" || continue
 # Check for GNU ac_path_FGREP and select it if it is found.
   # Check for GNU $ac_path_FGREP
 case `"$ac_path_FGREP" --version 2>&1` in
@@ -6806,7 +6835,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6850,7 +6879,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_DUMPBIN="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -7008,6 +7037,11 @@ else
     lt_cv_sys_max_cmd_len=196608
     ;;
 
+  os2*)
+    # The test takes a long time on OS/2.
+    lt_cv_sys_max_cmd_len=8192
+    ;;
+
   osf*)
     # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
     # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@@ -7047,7 +7081,7 @@ else
       # If test is not a shell built-in, we'll probably end up computing a
       # maximum length that is only half of the actual maximum length, but
       # we can't tell.
-      while { test "X"`func_fallback_echo "$teststring$teststring" 2>/dev/null` \
+      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
 	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
       do
@@ -7269,7 +7303,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -7309,7 +7343,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_OBJDUMP="objdump"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -7476,7 +7510,7 @@ irix5* | irix6* | nonstopux*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -7615,7 +7649,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -7655,7 +7689,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_DLLTOOL="dlltool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -7758,7 +7792,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_AR="$ac_tool_prefix$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -7802,7 +7836,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_AR="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -7927,7 +7961,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -7967,7 +8001,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_STRIP="strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8026,7 +8060,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8066,7 +8100,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_RANLIB="ranlib"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8116,13 +8150,13 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
     ;;
   *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
     ;;
   esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
 fi
 
 case $host_os in
@@ -8170,7 +8204,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_AWK="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8311,6 +8345,7 @@ for ac_symprfx in "" "_"; do
     # which start with @ or ?.
     lt_cv_sys_global_symbol_pipe="$AWK '"\
 "     {last_section=section; section=\$ 3};"\
+"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
 "     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
 "     \$ 0!~/External *\|/{next};"\
 "     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@@ -8699,7 +8734,7 @@ $as_echo "$lt_cv_cc_needs_belf" >&6; }
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
-sparc*-*solaris*)
+*-*solaris*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
@@ -8710,7 +8745,20 @@ sparc*-*solaris*)
     case `/usr/bin/file conftest.o` in
     *64-bit*)
       case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      yes*)
+        case $host in
+        i?86-*-solaris*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        sparc*-*-solaris*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+        esac
+        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
+        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+          LD="${LD-ld}_sol2"
+        fi
+        ;;
       *)
 	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
@@ -8743,7 +8791,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8783,7 +8831,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_MANIFEST_TOOL="mt"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8863,7 +8911,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8903,7 +8951,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8955,7 +9003,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8995,7 +9043,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_NMEDIT="nmedit"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9047,7 +9095,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_LIPO="${ac_tool_prefix}lipo"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9087,7 +9135,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_LIPO="lipo"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9139,7 +9187,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_OTOOL="${ac_tool_prefix}otool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9179,7 +9227,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_OTOOL="otool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9231,7 +9279,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9271,7 +9319,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_OTOOL64="otool64"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9350,7 +9398,13 @@ else
 	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
 	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
         _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	# If there is a non-empty error log, and "single_module"
+	# appears in it, assume the flag caused a linker warning
+        if test -s conftest.err && $GREP single_module conftest.err; then
+	  cat conftest.err >&5
+	# Otherwise, if the output was created with a 0 exit code from
+	# the compiler, it worked.
+	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
 	  lt_cv_apple_cc_single_mod=yes
 	else
 	  cat conftest.err >&5
@@ -9361,6 +9415,7 @@ else
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5
 $as_echo "$lt_cv_apple_cc_single_mod" >&6; }
+
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5
 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; }
 if ${lt_cv_ld_exported_symbols_list+:} false; then :
@@ -9393,6 +9448,7 @@ rm -f core conftest.err conftest.$ac_objext \
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5
 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
+
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5
 $as_echo_n "checking for -force_load linker flag... " >&6; }
 if ${lt_cv_ld_force_load+:} false; then :
@@ -9414,7 +9470,9 @@ _LT_EOF
       echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5
       $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
       _lt_result=$?
-      if test -f conftest && test ! -s conftest.err && test $_lt_result = 0 && $GREP forced_load conftest 2>&1 >/dev/null; then
+      if test -s conftest.err && $GREP force_load conftest.err; then
+	cat conftest.err >&5
+      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
 	lt_cv_ld_force_load=yes
       else
 	cat conftest.err >&5
@@ -9554,7 +9612,22 @@ fi
 
 # Check whether --with-pic was given.
 if test "${with_pic+set}" = set; then :
-  withval=$with_pic; pic_mode="$withval"
+  withval=$with_pic; lt_p=${PACKAGE-default}
+    case $withval in
+    yes|no) pic_mode=$withval ;;
+    *)
+      pic_mode=default
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for lt_pkg in $withval; do
+	IFS="$lt_save_ifs"
+	if test "X$lt_pkg" = "X$lt_p"; then
+	  pic_mode=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac
 else
   pic_mode=default
 fi
@@ -9627,6 +9700,10 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool'
 
 
 
+
+
+
+
 
 
 
@@ -10087,7 +10164,9 @@ lt_prog_compiler_static=
     case $cc_basename in
     nvcc*) # Cuda Compiler Driver 2.2
       lt_prog_compiler_wl='-Xlinker '
-      lt_prog_compiler_pic='-Xcompiler -fPIC'
+      if test -n "$lt_prog_compiler_pic"; then
+        lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic"
+      fi
       ;;
     esac
   else
@@ -10178,18 +10257,33 @@ lt_prog_compiler_static=
 	;;
       *)
 	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ F* | *Sun*Fortran*)
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*)
 	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
 	  lt_prog_compiler_pic='-KPIC'
 	  lt_prog_compiler_static='-Bstatic'
 	  lt_prog_compiler_wl=''
 	  ;;
+	*Sun\ F* | *Sun*Fortran*)
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl='-Qoption ld '
+	  ;;
 	*Sun\ C*)
 	  # Sun C 5.9
 	  lt_prog_compiler_pic='-KPIC'
 	  lt_prog_compiler_static='-Bstatic'
 	  lt_prog_compiler_wl='-Wl,'
 	  ;;
+        *Intel*\ [CF]*Compiler*)
+	  lt_prog_compiler_wl='-Wl,'
+	  lt_prog_compiler_pic='-fPIC'
+	  lt_prog_compiler_static='-static'
+	  ;;
+	*Portland\ Group*)
+	  lt_prog_compiler_wl='-Wl,'
+	  lt_prog_compiler_pic='-fpic'
+	  lt_prog_compiler_static='-Bstatic'
+	  ;;
 	esac
 	;;
       esac
@@ -10551,7 +10645,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   hardcode_direct=no
   hardcode_direct_absolute=no
   hardcode_libdir_flag_spec=
-  hardcode_libdir_flag_spec_ld=
   hardcode_libdir_separator=
   hardcode_minus_L=no
   hardcode_shlibpath_var=unsupported
@@ -10801,8 +10894,7 @@ _LT_EOF
 	xlf* | bgf* | bgxlf* | mpixlf*)
 	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
 	  whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
-	  hardcode_libdir_flag_spec=
-	  hardcode_libdir_flag_spec_ld='-rpath $libdir'
+	  hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
 	  archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
 	  if test "x$supports_anon_versioning" = xyes; then
 	    archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
@@ -11181,6 +11273,7 @@ fi
 	# The linker will not automatically build a static lib if we build a DLL.
 	# _LT_TAGVAR(old_archive_from_new_cmds, )='true'
 	enable_shared_with_static_runtimes=yes
+	exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
 	export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
 	# Don't use ranlib
 	old_postinstall_cmds='chmod 644 $oldlib'
@@ -11226,6 +11319,7 @@ fi
   hardcode_shlibpath_var=unsupported
   if test "$lt_cv_ld_force_load" = "yes"; then
     whole_archive_flag_spec='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+
   else
     whole_archive_flag_spec=''
   fi
@@ -11254,10 +11348,6 @@ fi
       hardcode_shlibpath_var=no
       ;;
 
-    freebsd1*)
-      ld_shlibs=no
-      ;;
-
     # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
     # support.  Future versions do this automatically, but an explicit c++rt0.o
     # does not break anything, and helps significantly (at the cost of a little
@@ -11270,7 +11360,7 @@ fi
       ;;
 
     # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
+    freebsd2.*)
       archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       hardcode_direct=yes
       hardcode_minus_L=yes
@@ -11309,7 +11399,6 @@ fi
       fi
       if test "$with_gnu_ld" = no; then
 	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-	hardcode_libdir_flag_spec_ld='+b $libdir'
 	hardcode_libdir_separator=:
 	hardcode_direct=yes
 	hardcode_direct_absolute=yes
@@ -11927,11 +12016,6 @@ esac
 
 
 
-
-
-
-
-
 
 
 
@@ -12027,7 +12111,7 @@ need_version=unknown
 
 case $host_os in
 aix3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
   shlibpath_var=LIBPATH
 
@@ -12036,7 +12120,7 @@ aix3*)
   ;;
 
 aix[4-9]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   hardcode_into_libs=yes
@@ -12101,7 +12185,7 @@ beos*)
   ;;
 
 bsdi[45]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -12240,7 +12324,7 @@ darwin* | rhapsody*)
   ;;
 
 dgux*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@@ -12248,10 +12332,6 @@ dgux*)
   shlibpath_var=LD_LIBRARY_PATH
   ;;
 
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -12259,7 +12339,7 @@ freebsd* | dragonfly*)
     objformat=`/usr/bin/objformat`
   else
     case $host_os in
-    freebsd[123]*) objformat=aout ;;
+    freebsd[23].*) objformat=aout ;;
     *) objformat=elf ;;
     esac
   fi
@@ -12277,7 +12357,7 @@ freebsd* | dragonfly*)
   esac
   shlibpath_var=LD_LIBRARY_PATH
   case $host_os in
-  freebsd2*)
+  freebsd2.*)
     shlibpath_overrides_runpath=yes
     ;;
   freebsd3.[01]* | freebsdelf3.[01]*)
@@ -12297,17 +12377,18 @@ freebsd* | dragonfly*)
   ;;
 
 gnu*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
   hardcode_into_libs=yes
   ;;
 
 haiku*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   dynamic_linker="$host_os runtime_loader"
@@ -12368,7 +12449,7 @@ hpux9* | hpux10* | hpux11*)
   ;;
 
 interix[3-9]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@@ -12384,7 +12465,7 @@ irix5* | irix6* | nonstopux*)
     nonstopux*) version_type=nonstopux ;;
     *)
 	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
+		version_type=linux # correct to gnu/linux during the next big refactor
 	else
 		version_type=irix
 	fi ;;
@@ -12421,9 +12502,9 @@ linux*oldld* | linux*aout* | linux*coff*)
   dynamic_linker=no
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -12509,7 +12590,7 @@ netbsd*)
   ;;
 
 newsos6)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=yes
@@ -12578,7 +12659,7 @@ rdos*)
   ;;
 
 solaris*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -12603,7 +12684,7 @@ sunos4*)
   ;;
 
 sysv4 | sysv4.3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -12627,7 +12708,7 @@ sysv4 | sysv4.3*)
 
 sysv4*MP*)
   if test -d /usr/nec ;then
-    version_type=linux
+    version_type=linux # correct to gnu/linux during the next big refactor
     library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
     soname_spec='$libname${shared_ext}.$major'
     shlibpath_var=LD_LIBRARY_PATH
@@ -12658,7 +12739,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 
 tpf*)
   # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -12668,7 +12749,7 @@ tpf*)
   ;;
 
 uts4*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -13450,6 +13531,8 @@ CC="$lt_save_CC"
 
 
 
+
+
         ac_config_commands="$ac_config_commands libtool"
 
 
@@ -14487,6 +14570,8 @@ _ACEOF
 esac
 rm -rf conftest*
   fi
+
+
 fi
 
 
@@ -14494,7 +14579,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we need -D_LARGEFILE_SOURCE=1 as a flag for $CC" >&5
 $as_echo_n "checking whether we need -D_LARGEFILE_SOURCE=1 as a flag for $CC... " >&6; }
-cache=`$as_echo "-D_LARGEFILE_SOURCE=1" | $as_tr_sh`
+cache=_D_LARGEFILE_SOURCE_1
 if eval \${cv_prog_cc_flag_needed_$cache+:} false; then :
   $as_echo_n "(cached) " >&6
 else
@@ -15120,7 +15205,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_acx_pthread_config="yes"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -15276,7 +15361,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_PTHREAD_CC="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -15537,7 +15622,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -15744,8 +15829,11 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
         # save current global flags
-        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
-        CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+        ac_save_LIBS="$LIBS"
+        ac_save_CPPFLAGS="$CPPFLAGS"
+
+        LIBS="$LIBS $PYTHON_LDFLAGS"
+        CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -15834,7 +15922,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_SWIG="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -15985,6 +16073,40 @@ CONFIG_DATE=`date +%Y%m%d`
 
 # Checks for libraries.
 
+# libnss
+USE_NSS="no"
+
+# Check whether --with-nss was given.
+if test "${with_nss+set}" = set; then :
+  withval=$with_nss;
+	USE_NSS="yes"
+
+$as_echo "#define HAVE_NSS 1" >>confdefs.h
+
+	if test "$withval" != "" -a "$withval" != "yes"; then
+		CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
+		LDFLAGS="$LDFLAGS -L$withval/lib"
+
+	if test "x$enable_rpath" = xyes; then
+		if echo "$withval/lib" | grep "^/" >/dev/null; then
+			RUNTIME_PATH="$RUNTIME_PATH -R$withval/lib"
+		fi
+	fi
+
+		CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+	else
+		CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
+		CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+	fi
+        LIBS="$LIBS -lnss3 -lnspr4"
+
+
+fi
+
+
+# openssl
+if test $USE_NSS = "no"; then
+
 
 # Check whether --with-ssl was given.
 if test "${with_ssl+set}" = set; then :
@@ -16376,7 +16498,7 @@ fi
 
 done
 
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -16449,6 +16571,8 @@ cat >>confdefs.h <<_ACEOF
 #define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl
 _ACEOF
 
+fi
+
 
 # Check whether --enable-sha2 was given.
 if test "${enable_sha2+set}" = set; then :
@@ -16473,6 +16597,7 @@ if test "${enable_gost+set}" = set; then :
 fi
 
 use_gost="no"
+if test $USE_NSS = "no"; then
 case "$enable_gost" in
 	no)
 	;;
@@ -16484,7 +16609,7 @@ else
   as_fn_error $? "OpenSSL 1.0.0 is needed for GOST support" "$LINENO" 5
 fi
 
-        ac_fn_c_check_func "$LINENO" "EC_KEY_new" "ac_cv_func_EC_KEY_new"
+	ac_fn_c_check_func "$LINENO" "EC_KEY_new" "ac_cv_func_EC_KEY_new"
 if test "x$ac_cv_func_EC_KEY_new" = xyes; then :
 
 else
@@ -16606,7 +16731,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_gost_works" >&5
 $as_echo "$ac_cv_c_gost_works" >&6; }
 
-	if test $ac_cv_c_gost_works != no; then
+	if test "$ac_cv_c_gost_works" != no; then
 		use_gost="yes"
 
 $as_echo "#define USE_GOST 1" >>confdefs.h
@@ -16614,7 +16739,7 @@ $as_echo "#define USE_GOST 1" >>confdefs.h
 	fi
 	;;
 esac
-
+fi
 # Check whether --enable-ecdsa was given.
 if test "${enable_ecdsa+set}" = set; then :
   enableval=$enable_ecdsa;
@@ -16625,21 +16750,22 @@ case "$enable_ecdsa" in
     no)
       ;;
     *)
-      ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
+      if test $USE_NSS = "no"; then
+	      ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
 if test "x$ac_cv_func_ECDSA_sign" = xyes; then :
 
 else
   as_fn_error $? "OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5
 fi
 
-      ac_fn_c_check_func "$LINENO" "SHA384_Init" "ac_cv_func_SHA384_Init"
+	      ac_fn_c_check_func "$LINENO" "SHA384_Init" "ac_cv_func_SHA384_Init"
 if test "x$ac_cv_func_SHA384_Init" = xyes; then :
 
 else
   as_fn_error $? "OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5
 fi
 
-      ac_fn_c_check_decl "$LINENO" "NID_X9_62_prime256v1" "ac_cv_have_decl_NID_X9_62_prime256v1" "$ac_includes_default
+	      ac_fn_c_check_decl "$LINENO" "NID_X9_62_prime256v1" "ac_cv_have_decl_NID_X9_62_prime256v1" "$ac_includes_default
 #include <openssl/evp.h>
 
 "
@@ -16676,20 +16802,21 @@ else
   as_fn_error $? "OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5
 fi
 
-      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
-      { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5
+	      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
+	      { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5
 $as_echo_n "checking if openssl supports SHA2 and ECDSA with EVP... " >&6; }
-      if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+	      if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 cat >>confdefs.h <<_ACEOF
 #define USE_ECDSA_EVP_WORKAROUND 1
 _ACEOF
 
-      else
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+	      else
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
+	      fi
       fi
       # we now know we have ECDSA and the required curves.
 
@@ -17229,7 +17356,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_WINDRES="${ac_tool_prefix}windres"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -17269,7 +17396,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_WINDRES="windres"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -17774,6 +17901,20 @@ rm -f conftest.lo
 
 
 
+# see if we want to build the library or everything
+ALLTARGET="alltargets"
+
+# Check whether --with-libunbound-only was given.
+if test "${with_libunbound_only+set}" = set; then :
+  withval=$with_libunbound_only;
+	if test "$withval" = "yes"; then
+		ALLTARGET="lib"
+	fi
+
+fi
+
+
+
 # check this after all other compilation checks, since the linking of the lib
 # may break checks after this.
 
@@ -17854,11 +17995,15 @@ if test "x$ac_cv_func_ldns_buffer_copy" = xyes; then :
 
 fi
 
-ac_fn_c_check_func "$LINENO" "ldns_key_buf2rsa_raw" "ac_cv_func_ldns_key_buf2rsa_raw"
+if test $USE_NSS = "no"; then
+    ac_fn_c_check_func "$LINENO" "ldns_key_buf2rsa_raw" "ac_cv_func_ldns_key_buf2rsa_raw"
 if test "x$ac_cv_func_ldns_key_buf2rsa_raw" = xyes; then :
 
 fi
 
+else
+        ac_cv_func_ldns_key_buf2rsa_raw="yes"
+fi
 ac_fn_c_check_func "$LINENO" "ldns_get_random" "ac_cv_func_ldns_get_random"
 if test "x$ac_cv_func_ldns_get_random" = xyes; then :
 
@@ -17869,7 +18014,7 @@ if test "x$ac_cv_func_ldns_b32_ntop_extended_hex" = xyes; then :
 
 fi
 
-if test x$use_gost = xyes; then
+if test x$use_gost = xyes -a x$USE_NSS = xno; then
     ac_fn_c_check_func "$LINENO" "ldns_key_EVP_load_gost_id" "ac_cv_func_ldns_key_EVP_load_gost_id"
 if test "x$ac_cv_func_ldns_key_EVP_load_gost_id" = xyes; then :
 
@@ -17887,7 +18032,7 @@ fi
 done
 
 else
-    ac_cv_func_ldns_key_EVP_load_gost_id="yes"
+        ac_cv_func_ldns_key_EVP_load_gost_id="yes"
 fi
 if test x$use_ecdsa = xyes; then
     ac_fn_c_check_decl "$LINENO" "LDNS_ECDSAP384SHA384" "ac_cv_have_decl_LDNS_ECDSAP384SHA384" "
@@ -18446,16 +18591,16 @@ if (echo >conf$$.file) 2>/dev/null; then
     # ... but there are two gotchas:
     # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
     # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
+    # In both cases, we have to default to `cp -pR'.
     ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
+      as_ln_s='cp -pR'
   elif ln conf$$.file conf$$ 2>/dev/null; then
     as_ln_s=ln
   else
-    as_ln_s='cp -p'
+    as_ln_s='cp -pR'
   fi
 else
-  as_ln_s='cp -p'
+  as_ln_s='cp -pR'
 fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
@@ -18515,28 +18660,16 @@ else
   as_mkdir_p=false
 fi
 
-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in #(
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
 
 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -18557,8 +18690,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.4.17, which was
-generated by GNU Autoconf 2.68.  Invocation command line was
+This file was extended by unbound $as_me 1.4.20, which was
+generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -18623,11 +18756,11 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.4.17
-configured by $0, generated by GNU Autoconf 2.68,
+unbound config.status 1.4.20
+configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 
@@ -18716,7 +18849,7 @@ fi
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 if \$ac_cs_recheck; then
-  set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
   shift
   \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
   CONFIG_SHELL='$SHELL'
@@ -18757,6 +18890,7 @@ pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`'
 enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`'
 SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`'
 ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`'
+PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`'
 host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`'
 host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`'
 host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`'
@@ -18839,7 +18973,6 @@ with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`'
 allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`'
 no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`'
 hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`'
-hardcode_libdir_flag_spec_ld='`$ECHO "$hardcode_libdir_flag_spec_ld" | $SED "$delay_single_quote_subst"`'
 hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`'
 hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`'
 hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`'
@@ -18895,6 +19028,7 @@ _LTECHO_EOF'
 # Quote evaled strings.
 for var in SHELL \
 ECHO \
+PATH_SEPARATOR \
 SED \
 GREP \
 EGREP \
@@ -18945,7 +19079,6 @@ with_gnu_ld \
 allow_undefined_flag \
 no_undefined_flag \
 hardcode_libdir_flag_spec \
-hardcode_libdir_flag_spec_ld \
 hardcode_libdir_separator \
 exclude_expsyms \
 include_expsyms \
@@ -19608,8 +19741,8 @@ $as_echo "$as_me: executing $ac_file commands" >&6;}
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010 Free Software Foundation,
-#                 Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 #   This file is part of GNU Libtool.
@@ -19663,6 +19796,9 @@ SHELL=$lt_SHELL
 # An echo program that protects backslashes.
 ECHO=$lt_ECHO
 
+# The PATH separator for the build system.
+PATH_SEPARATOR=$lt_PATH_SEPARATOR
+
 # The host system.
 host_alias=$host_alias
 host=$host
@@ -19964,10 +20100,6 @@ no_undefined_flag=$lt_no_undefined_flag
 # This must work even if \$libdir does not exist
 hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
 
-# If ld is used when linking, flag to hardcode \$libdir into a binary
-# during linking.  This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
-
 # Whether we need a single "-rpath" flag with a separated argument.
 hardcode_libdir_separator=$lt_hardcode_libdir_separator
 
diff --git a/configure.ac b/configure.ac
index 92877285d478..1f3ac92252c6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6,10 +6,10 @@ sinclude(acx_pthread.m4)
 sinclude(acx_python.m4)
 sinclude(ac_pkg_swig.m4)
 
-AC_INIT(unbound, 1.4.17, unbound-bugs@nlnetlabs.nl, unbound)
+AC_INIT(unbound, 1.4.20, unbound-bugs@nlnetlabs.nl, unbound)
 
 LIBUNBOUND_CURRENT=3
-LIBUNBOUND_REVISION=1
+LIBUNBOUND_REVISION=5
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -43,6 +43,9 @@ LIBUNBOUND_AGE=1
 # 1.4.15 had 3:0:1 # adds ub_version()
 # 1.4.16 had 3:1:1
 # 1.4.17 had 3:2:1
+# 1.4.18 had 3:3:1
+# 1.4.19 had 3:4:1
+# 1.4.20 had 4:0:2 # adds libunbound.ttl
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -208,8 +211,11 @@ AC_DEFINE_UNQUOTED(RSRC_PACKAGE_VERSION, [$wnvs], [version number for resource f
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
 AC_LANG_C
+# allow user to override the -g -O2 flags.
+if test "x$CFLAGS" = "x" ; then
 ACX_CHECK_COMPILER_FLAG(g, [CFLAGS="$CFLAGS -g"])
 ACX_CHECK_COMPILER_FLAG(O2, [CFLAGS="$CFLAGS -O2"])
+fi
 AC_PROG_CC
 ACX_DEPFLAG
 ACX_DETERMINE_EXT_FLAGS_UNBOUND
@@ -511,11 +517,34 @@ CONFIG_DATE=`date +%Y%m%d`
 AC_SUBST(CONFIG_DATE)
 
 # Checks for libraries.
+
+# libnss
+USE_NSS="no"
+AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+	[use libnss instead of openssl, installed at path.]),
+	[
+	USE_NSS="yes"
+	AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
+	if test "$withval" != "" -a "$withval" != "yes"; then
+		CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
+		LDFLAGS="$LDFLAGS -L$withval/lib"
+		ACX_RUNTIME_PATH_ADD([$withval/lib])
+		CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+	else
+		CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
+		CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+	fi
+        LIBS="$LIBS -lnss3 -lnspr4"
+	]
+)
+
+# openssl
+if test $USE_NSS = "no"; then
 ACX_WITH_SSL
 ACX_LIB_SSL
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
@@ -536,6 +565,8 @@ AC_INCLUDES_DEFAULT
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 ])
+fi
+
 
 AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
 case "$enable_sha2" in
@@ -646,19 +677,21 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
 
 AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
 use_gost="no"
+if test $USE_NSS = "no"; then
 case "$enable_gost" in
 	no)
 	;;
 	*)
 	AC_CHECK_FUNC(EVP_PKEY_set_type_str, [:],[AC_MSG_ERROR([OpenSSL 1.0.0 is needed for GOST support])])
-        AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])])
+	AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])])
 	AC_CHECK_GOST_WORKS
-	if test $ac_cv_c_gost_works != no; then
+	if test "$ac_cv_c_gost_works" != no; then
 		use_gost="yes"
 		AC_DEFINE([USE_GOST], [1], [Define this to enable GOST support.])
 	fi
 	;;
 esac
+fi dnl !USE_NSS
 
 AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
 use_ecdsa="no"
@@ -666,18 +699,20 @@ case "$enable_ecdsa" in
     no)
       ;;
     *)
-      AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
-      AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
-      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
+      if test $USE_NSS = "no"; then
+	      AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
+	      AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
+	      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
 #include <openssl/evp.h>
-      ])
-      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
-      AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
-      if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
-	AC_MSG_RESULT([no])
-	AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
-      else
-	AC_MSG_RESULT([yes])
+	      ])
+	      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
+	      AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
+	      if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
+		AC_MSG_RESULT([no])
+		AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
+	      else
+		AC_MSG_RESULT([yes])
+	      fi
       fi
       # we now know we have ECDSA and the required curves.
       AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.])
@@ -969,6 +1004,17 @@ rm -f conftest.lo
 AC_SUBST(SOURCEDETERMINE)
 AC_SUBST(SOURCEFILE)
 
+# see if we want to build the library or everything
+ALLTARGET="alltargets"
+AC_ARG_WITH(libunbound-only, AC_HELP_STRING([--with-libunbound-only],
+	[do not build daemon and tool programs]),
+	[
+	if test "$withval" = "yes"; then
+		ALLTARGET="lib"
+	fi
+])
+AC_SUBST(ALLTARGET)
+
 # check this after all other compilation checks, since the linking of the lib
 # may break checks after this.
 AC_ARG_WITH(ldns, AC_HELP_STRING([--with-ldns=PATH], 
@@ -990,13 +1036,19 @@ AC_CHECK_LIB(ldns, ldns_rr_new,,[
 	AC_MSG_ERROR([No ldns library found, install the ldns library into system lib dir or use --with-ldns=path to other location.  The --with-ldns can point to the make-dir of ldns.  Install the package ldns or download source http://www.nlnetlabs.nl/projects/ldns])
 ])
 AC_CHECK_FUNC(ldns_buffer_copy)
-AC_CHECK_FUNC(ldns_key_buf2rsa_raw)
+if test $USE_NSS = "no"; then
+    AC_CHECK_FUNC(ldns_key_buf2rsa_raw)
+else
+    dnl ignore test
+    ac_cv_func_ldns_key_buf2rsa_raw="yes"
+fi
 AC_CHECK_FUNC(ldns_get_random)
 AC_CHECK_FUNC(ldns_b32_ntop_extended_hex)
-if test x$use_gost = xyes; then
+if test x$use_gost = xyes -a x$USE_NSS = xno; then
     AC_CHECK_FUNC(ldns_key_EVP_load_gost_id)
     AC_CHECK_FUNCS([ldns_key_EVP_unload_gost])
 else
+    dnl ignore test
     ac_cv_func_ldns_key_EVP_load_gost_id="yes"
 fi
 if test x$use_ecdsa = xyes; then
diff --git a/contrib/README b/contrib/README
index f5123fc6c8a1..943ce526461d 100644
--- a/contrib/README
+++ b/contrib/README
@@ -15,3 +15,7 @@ distribution but may be helpful.
 	a local-zone and local-data include file for unbound.conf.
 * unbound-host.nagios.patch: makes unbound-host return status that fits right
 	in with the nagios monitoring framework.  Contributed by Migiel de Vos.
+* unbound_unixsock.diff: Add Unix socket support for unbound-control. 
+	Contributed by Ilya Bakulin, 2012-08-28.
+* patch_rsamd5_enable.diff: this patch enables RSAMD5 validation (otherwise
+  it is treated as insecure).  The RSAMD5 algorithm is deprecated (RFC6725).
diff --git a/contrib/patch_rsamd5_enable.diff b/contrib/patch_rsamd5_enable.diff
new file mode 100644
index 000000000000..dfd4a7b9f3f0
--- /dev/null
+++ b/contrib/patch_rsamd5_enable.diff
@@ -0,0 +1,22 @@
+Index: validator/val_secalgo.c
+===================================================================
+--- validator/val_secalgo.c	(revision 2759)
++++ validator/val_secalgo.c	(working copy)
+@@ -153,7 +153,7 @@
+ 	switch(id) {
+ 	case LDNS_RSAMD5:
+ 		/* RFC 6725 deprecates RSAMD5 */
+-		return 0;
++		return 1;
+ 	case LDNS_DSA:
+ 	case LDNS_DSA_NSEC3:
+ 	case LDNS_RSASHA1:
+@@ -617,7 +617,7 @@
+ 	switch(id) {
+ 	case LDNS_RSAMD5:
+ 		/* RFC 6725 deprecates RSAMD5 */
+-		return 0;
++		return 1;
+ 	case LDNS_DSA:
+ 	case LDNS_DSA_NSEC3:
+ 	case LDNS_RSASHA1:
diff --git a/contrib/unbound.spec b/contrib/unbound.spec
index 606430273938..6ddc5f18d91f 100644
--- a/contrib/unbound.spec
+++ b/contrib/unbound.spec
@@ -1,6 +1,6 @@
 Summary: Validating, recursive, and caching DNS resolver
 Name: unbound
-Version: 1.4.8
+Version: 1.4.18
 Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
diff --git a/contrib/unbound_munin_ b/contrib/unbound_munin_
index db6c33f38af4..5c047323cae2 100755
--- a/contrib/unbound_munin_
+++ b/contrib/unbound_munin_
@@ -230,9 +230,8 @@ if test "$1" = "config" ; then
 		echo "graph_args --base 1000 -l 0"
 		echo "graph_vlabel queries / second"
 		echo "graph_category DNS"
-		for x in thread0.num.queries thread1.num.queries \
-		thread2.num.queries thread3.num.queries thread4.num.queries \
-		thread5.num.queries thread6.num.queries thread7.num.queries; do
+		for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state |
+			sed -e 's/=.*//'`; do
 			exist_config $x "queries handled by `basename $x .num.queries`"
 		done
 		p_config "total.num.queries" "total queries from clients"
@@ -423,9 +422,8 @@ print_value ( ) {
 
 case $id in
 hits)
-	for x in thread0.num.queries thread1.num.queries thread2.num.queries \
-		thread3.num.queries thread4.num.queries thread5.num.queries \
-		thread6.num.queries thread7.num.queries total.num.queries \
+	for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state |
+		sed -e 's/=.*//'` total.num.queries \
 		total.num.cachehits total.num.prefetch num.query.tcp \
 		num.query.ipv6 unwanted.queries unwanted.replies; do
 		if grep "^"$x"=" $state >/dev/null 2>&1; then
diff --git a/contrib/unbound_unixsock.diff b/contrib/unbound_unixsock.diff
new file mode 100644
index 000000000000..09d05d39203f
--- /dev/null
+++ b/contrib/unbound_unixsock.diff
@@ -0,0 +1,305 @@
+diff --git a/daemon/remote.c b/daemon/remote.c
+index a2b2204..b6990f3 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -81,6 +81,11 @@
+ #ifdef HAVE_NETDB_H
+ #include <netdb.h>
+ #endif
++#ifdef HAVE_PWD_H
++#include <pwd.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#endif
+ 
+ /* just for portability */
+ #ifdef SQ
+@@ -235,7 +240,8 @@ void daemon_remote_delete(struct daemon_remote* rc)
+  * @return false on failure.
+  */
+ static int
+-add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err)
++add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
++	struct config_file* cfg)
+ {
+ 	struct addrinfo hints;
+ 	struct addrinfo* res;
+@@ -246,29 +252,74 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err)
+ 	snprintf(port, sizeof(port), "%d", nr);
+ 	port[sizeof(port)-1]=0;
+ 	memset(&hints, 0, sizeof(hints));
+-	hints.ai_socktype = SOCK_STREAM;
+-	hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+-	if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
+-#ifdef USE_WINSOCK
+-		if(!noproto_is_err && r == EAI_NONAME) {
+-			/* tried to lookup the address as name */
+-			return 1; /* return success, but do nothing */
++
++	if(ip[0] == '/') {
++		/* This looks like UNIX socket! */
++		fd = create_domain_accept_sock(ip);
++/*
++ * When unbound starts, it first creates a socket and then
++ * drops privs, so the socket is created as root user.
++ * This is fine, but we would like to set _unbound user group
++ * for this socket, and permissions should be 0660 so only
++ * root and _unbound group members can invoke unbound-control.
++ * The username used here is the same as username that unbound
++ * uses for its worker processes.
++ */
++
++/*
++ * Note: this code is an exact copy of code from daemon.c
++ * Normally this should be either wrapped into a function,
++ * or gui/gid values should be retrieved at config parsing time
++ * and then stored in configfile structure.
++ * This requires action from unbound developers!
++*/
++#ifdef HAVE_GETPWNAM
++		struct passwd *pwd = NULL;
++		uid_t uid;
++		gid_t gid;
++		/* initialize, but not to 0 (root) */
++		memset(&uid, 112, sizeof(uid));
++		memset(&gid, 112, sizeof(gid));
++		log_assert(cfg);
++
++		if(cfg->username && cfg->username[0]) {
++			if((pwd = getpwnam(cfg->username)) == NULL)
++				fatal_exit("user '%s' does not exist.",
++					cfg->username);
++			uid = pwd->pw_uid;
++			gid = pwd->pw_gid;
++			endpwent();
+ 		}
++
++		chown(ip, 0, gid);
++		chmod(ip, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
++#endif
++	} else {
++		hints.ai_socktype = SOCK_STREAM;
++		hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++		if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
++#ifdef USE_WINSOCK
++			if(!noproto_is_err && r == EAI_NONAME) {
++				/* tried to lookup the address as name */
++				return 1; /* return success, but do nothing */
++			}
+ #endif /* USE_WINSOCK */
+-                log_err("control interface %s:%s getaddrinfo: %s %s",
+-			ip?ip:"default", port, gai_strerror(r),
++			log_err("control interface %s:%s getaddrinfo: %s %s",
++				ip?ip:"default", port, gai_strerror(r),
+ #ifdef EAI_SYSTEM
+ 			r==EAI_SYSTEM?(char*)strerror(errno):""
+ #else
+ 			""
+ #endif
+ 			);
+-		return 0;
++			return 0;
++		}
++
++		/* open fd */
++		fd = create_tcp_accept_sock(res, 1, &noproto);
++		freeaddrinfo(res);
+ 	}
+ 
+-	/* open fd */
+-	fd = create_tcp_accept_sock(res, 1, &noproto);
+-	freeaddrinfo(res);
+ 	if(fd == -1 && noproto) {
+ 		if(!noproto_is_err)
+ 			return 1; /* return success, but do nothing */
+@@ -305,7 +356,7 @@ struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
+ 	if(cfg->control_ifs) {
+ 		struct config_strlist* p;
+ 		for(p = cfg->control_ifs; p; p = p->next) {
+-			if(!add_open(p->str, cfg->control_port, &l, 1)) {
++			if(!add_open(p->str, cfg->control_port, &l, 1, cfg)) {
+ 				listening_ports_free(l);
+ 				return NULL;
+ 			}
+@@ -313,12 +364,12 @@ struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
+ 	} else {
+ 		/* defaults */
+ 		if(cfg->do_ip6 &&
+-			!add_open("::1", cfg->control_port, &l, 0)) {
++			!add_open("::1", cfg->control_port, &l, 0, cfg)) {
+ 			listening_ports_free(l);
+ 			return NULL;
+ 		}
+ 		if(cfg->do_ip4 &&
+-			!add_open("127.0.0.1", cfg->control_port, &l, 1)) {
++			!add_open("127.0.0.1", cfg->control_port, &l, 1, cfg)) {
+ 			listening_ports_free(l);
+ 			return NULL;
+ 		}
+diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
+index ea7ec3a..4cb04e2 100644
+--- a/services/listen_dnsport.c
++++ b/services/listen_dnsport.c
+@@ -55,6 +55,10 @@
+ #endif
+ #include <fcntl.h>
+ 
++#ifndef USE_WINSOCK
++#include <sys/un.h>
++#endif
++
+ /** number of queued TCP connections for listen() */
+ #define TCP_BACKLOG 5 
+ 
+@@ -376,6 +380,53 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
+ }
+ 
+ int
++create_domain_accept_sock(char *path) {
++	int s;
++	struct sockaddr_un unixaddr;
++
++#ifndef USE_WINSOCK
++	unixaddr.sun_len = sizeof(unixaddr);
++	unixaddr.sun_family = AF_UNIX;
++	strlcpy(unixaddr.sun_path, path, 104);
++
++	if((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
++		log_err("Cannot create UNIX socket %s (%s)",
++			path, strerror(errno));
++		return -1;
++	}
++
++	if(unlink(path) && errno != ENOENT) {
++		/* The socket already exists and cannot be removed */
++		log_err("Cannot remove old UNIX socket %s (%s)",
++			path, strerror(errno));
++		return -1;
++	}
++
++	if(bind(s, (struct sockaddr *) &unixaddr,
++		sizeof(struct sockaddr_un)) == -1) {
++		log_err("Cannot bind UNIX socket %s (%s)",
++			path, strerror(errno));
++		return -1;
++	}
++
++	if(!fd_set_nonblock(s)) {
++		log_err("Cannot set non-blocking mode");
++		return -1;
++	}
++
++	if(listen(s, TCP_BACKLOG) == -1) {
++		log_err("can't listen: %s", strerror(errno));
++		return -1;
++	}
++
++	return s;
++#else
++	log_err("UNIX sockets are not supported");
++	return -1;
++#endif
++}
++
++int
+ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto)
+ {
+ 	int s;
+diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
+index a872f92..10631fd 100644
+--- a/smallapp/unbound-control.c
++++ b/smallapp/unbound-control.c
+@@ -59,6 +59,8 @@
+ #include "util/locks.h"
+ #include "util/net_help.h"
+ 
++#include <sys/un.h>
++
+ /** Give unbound-control usage, and exit (1). */
+ static void
+ usage()
+@@ -158,6 +160,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
+ {
+ 	struct sockaddr_storage addr;
+ 	socklen_t addrlen;
++	int addrfamily = 0;
+ 	int fd;
+ 	/* use svr or the first config entry */
+ 	if(!svr) {
+@@ -176,12 +179,21 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
+ 	if(strchr(svr, '@')) {
+ 		if(!extstrtoaddr(svr, &addr, &addrlen))
+ 			fatal_exit("could not parse IP@port: %s", svr);
++	} else if(svr[0] == '/') {
++		struct sockaddr_un* unixsock = (struct sockaddr_un *) &addr;
++		unixsock->sun_family = AF_UNIX;
++		unixsock->sun_len = sizeof(unixsock);
++		strlcpy(unixsock->sun_path, svr, 104);
++		addrlen = sizeof(struct sockaddr_un);
++		addrfamily = AF_UNIX;
+ 	} else {
+ 		if(!ipstrtoaddr(svr, cfg->control_port, &addr, &addrlen))
+ 			fatal_exit("could not parse IP: %s", svr);
+ 	}
+-	fd = socket(addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET, 
+-		SOCK_STREAM, 0);
++
++	if(addrfamily != AF_UNIX)
++		addrfamily = addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET;
++	fd = socket(addrfamily, SOCK_STREAM, 0);
+ 	if(fd == -1) {
+ #ifndef USE_WINSOCK
+ 		fatal_exit("socket: %s", strerror(errno));
+diff --git a/util/net_help.c b/util/net_help.c
+index b3136a3..5b5b4a3 100644
+--- a/util/net_help.c
++++ b/util/net_help.c
+@@ -45,6 +45,7 @@
+ #include "util/module.h"
+ #include "util/regional.h"
+ #include <fcntl.h>
++#include <sys/un.h>
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
+ 
+@@ -135,7 +136,7 @@ log_addr(enum verbosity_value v, const char* str,
+ {
+ 	uint16_t port;
+ 	const char* family = "unknown";
+-	char dest[100];
++	char dest[108];
+ 	int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ 	void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ 	if(verbosity < v)
+@@ -148,15 +149,23 @@ log_addr(enum verbosity_value v, const char* str,
+ 		case AF_UNIX: family="unix"; break;
+ 		default: break;
+ 	}
+-	if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
+-		strncpy(dest, "(inet_ntop error)", sizeof(dest));
++
++	if(af != AF_UNIX) {
++		if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
++			strncpy(dest, "(inet_ntop error)", sizeof(dest));
++		}
++		dest[sizeof(dest)-1] = 0;
++		port = ntohs(((struct sockaddr_in*)addr)->sin_port);
++		if(verbosity >= 4)
++			verbose(v, "%s %s %s port %d (len %d)", str, family,
++				dest, (int)port, (int)addrlen);
++		else	verbose(v, "%s %s port %d", str, dest, (int)port);
++	} else {
++		struct sockaddr_un* unixsock;
++		unixsock = (struct sockaddr_un *) addr;
++		strlcpy(dest, unixsock->sun_path, sizeof(dest));
++		verbose(v, "%s %s %s", str, family, dest);
+ 	}
+-	dest[sizeof(dest)-1] = 0;
+-	port = ntohs(((struct sockaddr_in*)addr)->sin_port);
+-	if(verbosity >= 4)
+-		verbose(v, "%s %s %s port %d (len %d)", str, family, dest, 
+-			(int)port, (int)addrlen);
+-	else	verbose(v, "%s %s port %d", str, dest, (int)port);
+ }
+ 
+ int 
diff --git a/daemon/cachedump.c b/daemon/cachedump.c
index 988e247352e5..46c625f061af 100644
--- a/daemon/cachedump.c
+++ b/daemon/cachedump.c
@@ -44,11 +44,9 @@
 #include "daemon/cachedump.h"
 #include "daemon/remote.h"
 #include "daemon/worker.h"
-#include "daemon/daemon.h"
 #include "services/cache/rrset.h"
 #include "services/cache/dns.h"
 #include "services/cache/infra.h"
-#include "services/modstack.h"
 #include "util/data/msgreply.h"
 #include "util/regional.h"
 #include "util/net_help.h"
diff --git a/daemon/daemon.c b/daemon/daemon.c
index 9d6ce9fe47fe..b91683feb916 100644
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@@ -55,6 +55,12 @@
 #ifdef HAVE_OPENSSL_ENGINE_H
 #include <openssl/engine.h>
 #endif
+
+#ifdef HAVE_NSS
+/* nss3 */
+#include "nss.h"
+#endif
+
 #include <ldns/ldns.h>
 #include "daemon/daemon.h"
 #include "daemon/worker.h"
@@ -73,6 +79,7 @@
 #include "util/module.h"
 #include "util/random.h"
 #include "util/tube.h"
+#include "util/net_help.h"
 #include <signal.h>
 
 /** How many quit requests happened. */
@@ -189,20 +196,29 @@ daemon_init(void)
 #endif /* USE_WINSOCK */
 	signal_handling_record();
 	checklock_start();
+#ifdef HAVE_SSL
 	ERR_load_crypto_strings();
 	ERR_load_SSL_strings();
-#ifdef HAVE_OPENSSL_CONFIG
+#  ifdef HAVE_OPENSSL_CONFIG
 	OPENSSL_config("unbound");
-#endif
-#ifdef USE_GOST
+#  endif
+#  ifdef USE_GOST
 	(void)ldns_key_EVP_load_gost_id();
-#endif
+#  endif
 	OpenSSL_add_all_algorithms();
-#if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
+#  if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
 	/* grab the COMP method ptr because openssl leaks it */
 	comp_meth = (void*)SSL_COMP_get_compression_methods();
-#endif
+#  endif
 	(void)SSL_library_init();
+#  if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+	if(!ub_openssl_lock_init())
+		fatal_exit("could not init openssl locks");
+#  endif
+#elif defined(HAVE_NSS)
+	if(NSS_NoDB_Init(NULL) != SECSuccess)
+		fatal_exit("could not init NSS");
+#endif /* HAVE_SSL or HAVE_NSS */
 #ifdef HAVE_TZSET
 	/* init timezone info while we are not chrooted yet */
 	tzset();
@@ -530,31 +546,40 @@ daemon_delete(struct daemon* daemon)
 	free(daemon->chroot);
 	free(daemon->pidfile);
 	free(daemon->env);
+#ifdef HAVE_SSL
 	SSL_CTX_free((SSL_CTX*)daemon->listen_sslctx);
 	SSL_CTX_free((SSL_CTX*)daemon->connect_sslctx);
+#endif
 	free(daemon);
 #ifdef LEX_HAS_YYLEX_DESTROY
 	/* lex cleanup */
 	ub_c_lex_destroy();
 #endif
 	/* libcrypto cleanup */
-#if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
+#ifdef HAVE_SSL
+#  if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
 	ldns_key_EVP_unload_gost();
-#endif
-#if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS && HAVE_DECL_SK_SSL_COMP_POP_FREE
-#ifndef S_SPLINT_S
+#  endif
+#  if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS && HAVE_DECL_SK_SSL_COMP_POP_FREE
+#    ifndef S_SPLINT_S
 	sk_SSL_COMP_pop_free(comp_meth, (void(*)())CRYPTO_free);
-#endif
-#endif
-#ifdef HAVE_OPENSSL_CONFIG
+#    endif
+#  endif
+#  ifdef HAVE_OPENSSL_CONFIG
 	EVP_cleanup();
 	ENGINE_cleanup();
 	CONF_modules_free();
-#endif
+#  endif
 	CRYPTO_cleanup_all_ex_data(); /* safe, no more threads right now */
 	ERR_remove_state(0);
 	ERR_free_strings();
 	RAND_cleanup();
+#  if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+	ub_openssl_lock_delete();
+#  endif
+#elif defined(HAVE_NSS)
+	NSS_Shutdown();
+#endif /* HAVE_SSL or HAVE_NSS */
 	checklock_stop();
 #ifdef USE_WINSOCK
 	if(WSACleanup() != 0) {
diff --git a/daemon/remote.c b/daemon/remote.c
index 38ca15c85cdb..5dc05c5fa49f 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -1286,6 +1286,74 @@ do_flush_zone(SSL* ssl, struct worker* worker, char* arg)
 		(unsigned)inf.num_msgs, (unsigned)inf.num_keys);
 }
 
+/** callback to delete bogus rrsets */
+static void
+bogus_del_rrset(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
+	if(d->security == sec_status_bogus) {
+		d->ttl = inf->expired;
+		inf->num_rrsets++;
+	}
+}
+
+/** callback to delete bogus messages */
+static void
+bogus_del_msg(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct reply_info* d = (struct reply_info*)e->data;
+	if(d->security == sec_status_bogus) {
+		d->ttl = inf->expired;
+		inf->num_msgs++;
+	}
+}
+
+/** callback to delete bogus keys */
+static void
+bogus_del_kcache(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct key_entry_data* d = (struct key_entry_data*)e->data;
+	if(d->isbad) {
+		d->ttl = inf->expired;
+		inf->num_keys++;
+	}
+}
+
+/** remove all rrsets and keys from zone from cache */
+static void
+do_flush_bogus(SSL* ssl, struct worker* worker)
+{
+	struct del_info inf;
+	/* what we do is to set them all expired */
+	inf.worker = worker;
+	inf.now = *worker->env.now;
+	inf.expired = *worker->env.now;
+	inf.expired -= 3; /* handle 3 seconds skew between threads */
+	inf.num_rrsets = 0;
+	inf.num_msgs = 0;
+	inf.num_keys = 0;
+	slabhash_traverse(&worker->env.rrset_cache->table, 1, 
+		&bogus_del_rrset, &inf);
+
+	slabhash_traverse(worker->env.msg_cache, 1, &bogus_del_msg, &inf);
+
+	/* and validator cache */
+	if(worker->env.key_cache) {
+		slabhash_traverse(worker->env.key_cache->slab, 1, 
+			&bogus_del_kcache, &inf);
+	}
+
+	(void)ssl_printf(ssl, "ok removed %u rrsets, %u messages "
+		"and %u key entries\n", (unsigned)inf.num_rrsets, 
+		(unsigned)inf.num_msgs, (unsigned)inf.num_keys);
+}
+
 /** remove name rrset from cache */
 static void
 do_flush_name(SSL* ssl, struct worker* w, char* arg)
@@ -1393,6 +1461,7 @@ parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names)
 				}
 				if(!delegpt_add_ns_mlc(dp, n, 0)) {
 					(void)ssl_printf(ssl, "error out of memory\n");
+					free(n);
 					delegpt_free_mlc(dp);
 					return NULL;
 				}
@@ -1442,7 +1511,6 @@ do_forward(SSL* ssl, struct worker* worker, char* args)
 			return;
 		if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
 			(void)ssl_printf(ssl, "error out of memory\n");
-			delegpt_free_mlc(dp);
 			return;
 		}
 	}
@@ -1514,7 +1582,6 @@ do_forward_add(SSL* ssl, struct worker* worker, char* args)
 	}
 	if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
 		(void)ssl_printf(ssl, "error out of memory\n");
-		delegpt_free_mlc(dp);
 		free(nm);
 		return;
 	}
@@ -1571,7 +1638,6 @@ do_stub_add(SSL* ssl, struct worker* worker, char* args)
 		forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm);
 		if(insecure) anchors_delete_insecure(worker->env.anchors,
 			LDNS_RR_CLASS_IN, nm);
-		delegpt_free_mlc(dp);
 		free(nm);
 		return;
 	}
@@ -2040,6 +2106,8 @@ execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd,
 		do_set_option(ssl, worker, skipwhite(p+10));
 	} else if(cmdcmp(p, "get_option", 10)) {
 		do_get_option(ssl, worker, skipwhite(p+10));
+	} else if(cmdcmp(p, "flush_bogus", 11)) {
+		do_flush_bogus(ssl, worker);
 	} else {
 		(void)ssl_printf(ssl, "error unknown command '%s'\n", p);
 	}
diff --git a/daemon/remote.h b/daemon/remote.h
index 5919be4f2a3e..8d5b41257433 100644
--- a/daemon/remote.h
+++ b/daemon/remote.h
@@ -69,8 +69,10 @@ struct rc_state {
 	struct comm_point* c;
 	/** in the handshake part */
 	enum { rc_none, rc_hs_read, rc_hs_write } shake_state;
+#ifdef HAVE_SSL
 	/** the ssl state */
 	SSL* ssl;
+#endif
 	/** the rc this is part of */
 	struct daemon_remote* rc;
 };
@@ -93,8 +95,10 @@ struct daemon_remote {
 	int max_active;
 	/** current commpoints busy; should be a short list, malloced */
 	struct rc_state* busy_list;
+#ifdef HAVE_SSL
 	/** the SSL context for creating new SSL streams */
 	SSL_CTX* ctx;
+#endif
 };
 
 /**
@@ -159,6 +163,7 @@ int remote_accept_callback(struct comm_point*, void*, int, struct comm_reply*);
 /** handle remote control data callbacks */
 int remote_control_callback(struct comm_point*, void*, int, struct comm_reply*);
 
+#ifdef HAVE_SSL
 /** 
  * Print fixed line of text over ssl connection in blocking mode
  * @param ssl: print to
@@ -185,6 +190,7 @@ int ssl_printf(SSL* ssl, const char* format, ...)
  * @return false on connection failure.
  */
 int ssl_read_line(SSL* ssl, char* buf, size_t max);
+#endif /* HAVE_SSL */
 
 /** routine to printout option values over SSL */
 void remote_get_opt_ssl(char* line, void* arg);
diff --git a/daemon/unbound.c b/daemon/unbound.c
index 6d87a4f6d5c4..cd08c9c3f185 100644
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -87,6 +87,11 @@
 #  include "winrc/win_svc.h"
 #endif
 
+#ifdef HAVE_NSS
+/* nss3 */
+#  include "nss.h"
+#endif
+
 /** global debug value to keep track of heap memory allocation */
 void* unbound_start_brk = 0;
 
@@ -159,7 +164,12 @@ static void usage()
 	get_event_sys(&evnm, &evsys, &evmethod);
 	printf("linked libs: %s %s (it uses %s), ldns %s, %s\n", 
 		evnm, evsys, evmethod, ldns_version(), 
-		SSLeay_version(SSLEAY_VERSION));
+#ifdef HAVE_SSL
+		SSLeay_version(SSLEAY_VERSION)
+#elif defined(HAVE_NSS)
+		NSS_GetVersion()
+#endif
+		);
 	printf("linked modules:");
 	for(m = module_list_avail(); *m; m++)
 		printf(" %s", *m);
@@ -445,6 +455,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 	 * given to unbound on the commandline. */
 
 	/* read ssl keys while superuser and outside chroot */
+#ifdef HAVE_SSL
 	if(!(daemon->rc = daemon_remote_create(cfg)))
 		fatal_exit("could not set up remote-control");
 	if(cfg->ssl_service_key && cfg->ssl_service_key[0]) {
@@ -454,6 +465,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 	}
 	if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, NULL)))
 		fatal_exit("could not set up connect SSL_CTX");
+#endif
 
 #ifdef HAVE_KILL
 	/* check old pid file before forking */
@@ -528,6 +540,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 		if(chroot(cfg->chrootdir))
 			fatal_exit("unable to chroot to %s: %s", 
 				cfg->chrootdir, strerror(errno));
+		if(chdir("/"))
+			fatal_exit("unable to chdir to / in chroot %s: %s",
+				cfg->chrootdir, strerror(errno));
 		verbose(VERB_QUERY, "chroot to %s", cfg->chrootdir);
 		if(strncmp(*cfgfile, cfg->chrootdir, 
 			strlen(cfg->chrootdir)) == 0) 
diff --git a/daemon/worker.c b/daemon/worker.c
index 832278fc3d59..eeb323c8426a 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1243,17 +1243,6 @@ worker_delete(struct worker* worker)
 	free(worker);
 }
 
-/** compare outbound entry qstates */
-static int
-outbound_entry_compare(void* a, void* b)
-{
-	struct outbound_entry* e1 = (struct outbound_entry*)a;
-	struct outbound_entry* e2 = (struct outbound_entry*)b;
-	if(e1->qstate == e2->qstate)
-		return 1;
-	return 0;
-}
-
 struct outbound_entry*
 worker_send_query(uint8_t* qname, size_t qnamelen, uint16_t qtype,
 	uint16_t qclass, uint16_t flags, int dnssec, int want_dnssec,
@@ -1270,7 +1259,7 @@ worker_send_query(uint8_t* qname, size_t qnamelen, uint16_t qtype,
 		qnamelen, qtype, qclass, flags, dnssec, want_dnssec,
 		q->env->cfg->tcp_upstream, q->env->cfg->ssl_upstream, addr,
 		addrlen, zone, zonelen, worker_handle_service_reply, e,
-		worker->back->udp_buff, &outbound_entry_compare);
+		worker->back->udp_buff);
 	if(!e->qsent) {
 		return NULL;
 	}
diff --git a/doc/Changelog b/doc/Changelog
index 3b2753f818de..346f02a764e5 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,273 @@
+21 March 2013: Wouter
+	- release 1.4.20
+
+14 March 2013: Wouter
+	- iana portlist update.
+	- tag 1.4.20rc1
+
+12 March 2013: Wouter
+	- Fixup makedist.sh for windows compile.
+
+11 March 2013: Wouter
+	- iana portlist update.
+	- testcode/ldns-testpkts.c check for makedist is informational.
+
+15 February 2013: Wouter
+	- fix defines in lookup3 for bigendian bsd alpha
+
+11 February 2013: Wouter
+	- Fixup openssl_thread init code to only run if compiled with SSL.
+
+7 February 2013: Wouter
+	- detect endianness in lookup3 on BSD.
+	- add libunbound.ttl at end of result structure, version bump for
+	  libunbound and binary backwards compatible, but 1.4.19 is not
+	  forward compatible with 1.4.20.
+	- update iana port list.
+
+30 January 2013: Wouter
+	- includes and have_ssl fixes for nss.
+
+29 January 2013: Wouter
+	- printout name of zone with duplicate fwd and hint errors.
+
+28 January 2013: Wouter
+	- updated fwd_zero for newer nc. Updated common.sh for newer netstat.
+
+17 January 2013: Wouter
+	- unbound-anchors checks the emailAddress of the signer of the
+	  root.xml file, default is dnssec@iana.org.  It also checks that
+	  the signer has the correct key usage for a digital signature.
+	- update iana port list.
+
+3 January 2013: Wouter
+	- Test that unbound-control checks client credentials.
+	- Test that unbound can handle a CNAME at an intermediate node in
+	  the chain of trust (where it seeks a DS record).
+	- Check the commonName of the signer of the root.xml file in
+	  unbound-anchor, default is dnssec@iana.org.
+
+2 January 2013: Wouter
+	- Fix openssl lock free on exit (reported by Robert Fleischman).
+	- iana portlist updated.
+	- Tested that unbound implements the RFC5155 Technical Errata id 3441.
+	  Unbound already implements insecure classification of an empty
+	  nonterminal in NSEC3 optout zone.
+
+20 December 2012: Wouter
+	- Fix unbound-anchor xml parse of entity declarations for safety.
+
+19 December 2012: Wouter
+	- iana portlist updated.
+
+18 December 2012: Wouter
+	- iana portlist updated.
+
+14 December 2012: Wouter
+	- Change of D.ROOT-SERVERS.NET A address in default root hints.
+
+12 December 2012: Wouter
+	- 1.4.19 release.
+	- trunk has 1.4.20 under development.
+
+5 December 2012: Wouter
+	- note support for AAAA RR type RFC.
+
+4 December 2012: Wouter
+	- 1.4.19rc1 tag.
+
+30 November 2012: Wouter
+	- bug 481: fix python example0.
+	- iana portlist updated.
+
+27 November 2012: Wouter
+	- iana portlist updated.
+
+9 November 2012: Wouter
+	- Fix unbound-control forward disables configured stubs below it.
+
+7 November 2012: Wouter
+	- Fixup ldns-testpkts, identical to ldns/examples.
+	- iana portlist updated.
+
+30 October 2012: Wouter
+	- Fix bug #477: unbound-anchor segfaults if EDNS is blocked.
+
+29 October 2012: Matthijs
+	- Fix validation for responses with both CNAME and wildcard
+	  expanded CNAME records in answer section.
+
+8 October 2012: Wouter
+	- update ldns-testpkts.c to ldns 1.6.14 version.
+	- fix build of pythonmod in objdir, for unbound.py.
+	- make clean and makerealclean remove generated python and docs.
+
+5 October 2012: Wouter
+	- fix build of pythonmod in objdir (thanks Jakob Schlyter).
+
+3 October 2012: Wouter
+	- fix text in unbound-anchor man page.
+
+1 October 2012: Wouter
+	- ignore trusted-keys globs that have no files (from Paul Wouters).
+
+27 September 2012: Wouter
+	- include: directive in config file accepts wildcards.  Patch from
+	  Paul Wouters.  Suggested use: include: "/etc/unbound.d/conf.d/*"
+	- unbound-control -q option is quiet, patch from Mariano Absatz.
+	- iana portlist updated.
+	- updated contrib/unbound.spec, patch from Valentin Bud.
+
+21 September 2012: Wouter
+	- chdir to / after chroot call (suggested by Camiel Dobbelaar).
+
+17 September 2012: Wouter
+	- patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
+	  otherwise it is treated as insecure.  The RSAMD5 algorithm is
+	  deprecated (RFC6725).  The MD5 hash is considered weak for some
+	  purposes, if you want to sign your zone, then RSASHA256 is an
+	  uncontested hash.
+
+30 August 2012: Wouter
+	- RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
+	- iana portlist updated.
+
+29 August 2012: Wouter
+	- Nicer comments outgoing-port-avoid, thanks Stu (bug #465).
+
+22 August 2012: Wouter
+	- Fallback to 1472 and 1232, one fragment size without headers.
+
+21 August 2012: Wouter
+	- Fix timeouts so that when a server has been offline for a while
+	  and is probed to see it works, it becomes fully available for
+	  server selection again.
+
+17 August 2012: Wouter
+	- Add documentation to libunbound for default nonuse of resolv.conf.
+
+2 August 2012: Wouter
+	- trunk has 1.4.19 under development (fixes from 1 aug and 31 july
+	are for 1.4.19).
+	- iana portlist updated.
+
+1 August 2012: Wouter
+	- Fix openssl race condition, initializes openssl locks, reported
+	  by Einar Lonn and Patrik Wallstrom.
+
+31 July 2012: Wouter
+	- Improved forward-first and stub-first documentation.
+	- Fix that enables modules to register twice for the same
+	  serviced_query, without race conditions or administration issues.
+	  This should not happen with the current codebase, but it is robust.
+	- Fix forward-first option where it sets the RD flag wrongly.
+	- added manpage links for libunbound calls (Thanks Paul Wouters).
+
+30 July 2012: Wouter
+	- tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012).
+
+27 July 2012: Wouter
+	- unbound-host works with libNSS
+	- fix bogus nodata cname chain not reported as bogus by validator,
+	  (Thanks Peter van Dijk).
+
+26 July 2012: Wouter
+	- iana portlist updated.
+	- tag 1.4.18rc1.
+
+25 July 2012: Wouter
+	- review fix for libnss, check hash prefix allocation size.
+
+23 July 2012: Wouter
+	- fix missing break for GOST DS hash function.
+	- implemented forward_first for the root.
+
+20 July 2012: Wouter
+	- Fix bug#452 and another assertion failure in mesh.c, makes
+	  assertions in mesh.c resist duplicates.  Fixes DS NS search to
+	  not generate duplicate sub queries.
+
+19 July 2012: Willem
+	- Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
+	  if CFLAGS is specified at configure time then '-g -O2' is not
+	  appended to CFLAGS, so that the user can override them.
+
+18 July 2012: Willem
+	- Fix libunbound report of errors when in background mode.
+
+11 July 2012: Willem
+	- updated iana ports list.
+
+9 July 2012: Willem
+	- Add flush_bogus option for unbound-control
+
+6 July 2012: Wouter
+	- Fix validation of qtype DS queries that result in no data for
+	  non-optout NSEC3 zones.
+
+4 July 2012: Wouter
+	- compile libunbound with libnss on Suse, passes regression tests.
+
+3 July 2012: Wouter
+	- FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
+
+2 July 2012: Wouter
+	- updated iana ports list.
+
+29 June 2012: Wouter
+	- patch for unbound_munin_ script to handle arbitrary thread count by
+	  Sven Ulland.
+
+28 June 2012: Wouter
+	- detect if openssl has FIPS_mode.
+	- code review: return value of cache_store can be ignored for better
+	  performance in out of memory conditions.
+	- fix edns-buffer-size and msg-buffer-size manpage documentation.
+	- updated iana ports list.
+
+25 June 2012: Wouter
+	- disable RSAMD5 if in FIPS mode (for openssl and for libnss).
+
+22 June 2012: Wouter
+	- implement DS records, NSEC3 and ECDSA for compile with libnss.
+
+21 June 2012: Wouter
+	- fix error handling of alloc failure during rrsig verification.
+	- nss check for verification failure.
+	- nss crypto works for RSA and DSA.
+
+20 June 2012: Wouter
+	- work on --with-nss build option (for now, --with-libunbound-only).
+
+19 June 2012: Wouter
+	- --with-libunbound-only build option, only builds the library and
+	  not the daemon and other tools.
+
+18 June 2012: Wouter
+	- code review.
+
+15 June 2012: Wouter
+	- implement log-time-ascii on windows.
+	- The key-cache bad key ttl is now 60 seconds.
+	- updated iana ports list.
+	- code review.
+
+11 June 2012: Wouter
+	- bug #452: fix crash on assert in mesh_state_attachment.
+
+30 May 2012: Wouter
+	- silence warning from swig-generated code (md set but not used in
+	  swig initmodule, due to ifdefs in swig-generated code).
+
+27 May 2012: Wouter
+	- Fix debian-bugs-658021: Please enable hardened build flags.
+
+25 May 2012: Wouter
+	- updated iana ports list.
+
 24 May 2012: Wouter
 	- tag for 1.4.17 release.
+	- trunk is 1.4.18 in development.
 
 18 May 2012: Wouter
 	- Review comments, removed duplicate memset to zero in delegpt.
diff --git a/doc/FEATURES b/doc/FEATURES
index b695eeb9d483..93ed2925718c 100644
--- a/doc/FEATURES
+++ b/doc/FEATURES
@@ -24,6 +24,7 @@ RFC 1034-1035: as a recursive, caching server. Not authoritative.
   including CNAMEs, referrals, wildcards, classes, ...
   AAAA type, and IP6 dual stack support.
   type ANY queries are supported, class ANY queries are supported.
+RFC 1123, 6.1 Requirements for DNS of internet hosts.
 RFC 4033-4035: as a validating caching server (unbound daemon). 
   as a validating stub (libunbound).
 RFC 1918.
@@ -91,6 +92,7 @@ AAAA type
 2672: DNAME type.
 OPT type
 3123: APL
+3596: AAAA
 SSHFP type
 4025: IPSECKEY
 4033-4035: DS, RRSIG, NSEC, DNSKEY
diff --git a/doc/README b/doc/README
index c150f7bd677c..c8c69c1aa2b6 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.4.17
+README for Unbound 1.4.20
 Copyright 2007 NLnet Labs
 http://unbound.net
 
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 0378d045e43f..aa9a7f7d44da 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.4.17.
+# See unbound.conf(5) man page, version 1.4.20.
 #
 # this is a comment.
 
@@ -67,6 +67,8 @@ server:
 	# Use this to make sure unbound does not grab a UDP port that some
 	# other server on this computer needs. The default is to avoid
 	# IANA-assigned port numbers.
+	# If multiple outgoing-port-permit and outgoing-port-avoid options
+	# are present, they are processed in order.
 	# outgoing-port-avoid: "3200-3208"
 
 	# number of outgoing simultaneous tcp buffers to hold per thread.
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 8dacacd42b75..0f6f0c6c2947 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "May 24, 2012" "NLnet Labs" "unbound 1.4.17"
+.TH "libunbound" "3" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -42,7 +42,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.4.17 functions.
+\- Unbound DNS validating resolver 1.4.20 functions.
 .SH "SYNOPSIS"
 .LP
 .B #include <unbound.h>
@@ -203,7 +203,9 @@ At this time it is only possible to set configuration before the
 first resolve is done.
 .TP
 .B ub_ctx_resolvconf
-Read list of nameservers to use from the filename given.
+By default the root servers are queried and full resolver mode is used, but
+you can use this call to read the list of nameservers to use from the
+filename given.
 Usually "/etc/resolv.conf". Uses those nameservers as caching proxies.
 If they do not support DNSSEC, validation may fail.
 Only nameservers are picked up, the searchdomain, ndots and other
@@ -357,6 +359,7 @@ The result of the DNS resolution and validation is returned as
 		int secure;  /* true if result is secure */
 		int bogus;   /* true if a security failure happened */
 		char* why_bogus; /* string with error if bogus */
+		int ttl;     /* number of seconds the result is valid */
 	};
 .fi
 .P
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index b7f0bdaa43eb..0b5e5a0bf2af 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "May 24, 2012" "NLnet Labs" "unbound 1.4.17"
+.TH "unbound-anchor" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
@@ -45,7 +45,7 @@ all checks are successful, it updates the root anchor file.  Otherwise
 the root anchor file is unchanged.  It performs RFC5011 tracking if the
 DNSSEC information available via the DNS makes that possible.
 .P
-If does not perform an update if the certificate is expired, if the network
+It does not perform an update if the certificate is expired, if the network
 is down or other errors occur.
 .P
 The available options are:
@@ -77,6 +77,11 @@ The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u).
 The default is /root\-anchors/root\-anchors.p7s.  This file has to be a PKCS7
 signature over the xml file, using the pem file (\-c) as trust anchor.
 .TP
+.B \-n \fIname
+The emailAddress for the Subject of the signer's certificate from the p7s
+signature file.  Only signatures from this name are allowed.  default is
+dnssec@iana.org.  If you pass "" then the emailAddress is not checked.
+.TP
 .B \-4
 Use IPv4 for domain resolution and contacting the server on https.  Default is
 to use IPv4 and IPv6 where appropriate.
@@ -126,9 +131,6 @@ but then ignores the result and goes on to use the xml fallback method.
 .TP
 .B \-h
 Show the version and commandline option help.
-.TP
-.B \-v
-More verbose.  Prints output detailing what happens.
 .SH "EXIT CODE"
 This tool exits with value 1 if the root anchor was updated using the
 certificate or if the builtin root-anchor was used.  It exits with code
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index fdd7528a4fbc..4ae174f22559 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "May 24, 2012" "NLnet Labs" "unbound 1.4.17"
+.TH "unbound-checkconf" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index 575f897829da..669e81dfd75c 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "May 24, 2012" "NLnet Labs" "unbound 1.4.17"
+.TH "unbound-control" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
@@ -14,7 +14,7 @@
 \- Unbound remote server control utility.
 .SH "SYNOPSIS"
 .B unbound\-control
-.RB [ \-h ]
+.RB [ \-hq ]
 .RB [ \-c 
 .IR cfgfile ]
 .RB [ \-s 
@@ -38,6 +38,9 @@ config file @ub_conf_file@ is used.
 .B \-s \fIserver[@port]
 IPv4 or IPv6 address of the server to contact.  If not given, the
 address is read from the config file.
+.TP
+.B \-q
+quiet, if the option is given it does not print anything if it works ok.
 .SH "COMMANDS"
 There are several commands that the server understands.
 .TP
@@ -127,6 +130,9 @@ Remove all information at or below the name from the cache.
 The rrsets and key entries are removed so that new lookups will be performed.
 This needs to walk and inspect the entire cache, and is a slow operation.
 .TP
+.B flush_bogus
+Remove all bogus data from the cache.
+.TP
 .B flush_stats
 Reset statistics to zero.
 .TP
diff --git a/doc/unbound-host.1 b/doc/unbound-host.1
index 3848e5c3f19a..4957705cd88e 100644
--- a/doc/unbound-host.1
+++ b/doc/unbound-host.1
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "May 24, 2012" "NLnet Labs" "unbound 1.4.17"
+.TH "unbound\-host" "1" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index 06cf588d0264..5d84d9a781b3 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "May 24, 2012" "NLnet Labs" "unbound 1.4.17"
+.TH "unbound" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -10,7 +10,7 @@
 .SH "NAME"
 .LP
 .B unbound
-\- Unbound DNS validating resolver 1.4.17.
+\- Unbound DNS validating resolver 1.4.20.
 .SH "SYNOPSIS"
 .LP
 .B unbound
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 32188752c70e..6dd0216d0367 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "May 24, 2012" "NLnet Labs" "unbound 1.4.17"
+.TH "unbound.conf" "5" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -71,12 +71,12 @@ is followed by its containing attributes, or a value.
 .P
 Files can be included using the
 .B include:
-directive. It can appear anywhere, and takes a single filename as an argument.
+directive. It can appear anywhere, it accepts a single file name as argument.
 Processing continues as if the text from the included file was copied into
 the config file at that point.  If also using chroot, using full path names
 for the included files works, relative pathnames for the included names work
 if the directory where the daemon is started equals its chroot/working 
-directory.
+directory.  Wildcards can be used to include multiple files, see \fIglob\fR(7).
 .SS "Server Options"
 These options are part of the
 .B server:
@@ -176,7 +176,7 @@ to 0, or if do_tcp is "no", no TCP queries from clients are accepted.
 Number of bytes size to advertise as the EDNS reassembly buffer size.
 This is the value put into datagrams over UDP towards peers.  The actual
 buffer size is determined by msg\-buffer\-size (both for TCP and UDP).  Do
-not set lower than that value.  Default is 4096 which is RFC recommended.
+not set higher than that value.  Default is 4096 which is RFC recommended.
 If you have fragmentation reassembly problems, usually seen as timeouts,
 then a value of 1480 can fix it.  Setting to 512 bypasses even the most
 stringent path MTU problems, but is seen as extreme, since the amount
@@ -994,6 +994,8 @@ the resolver picks up a correct list online.
 .TP
 .B stub\-first: \fI<yes or no>
 If enabled, a query is attempted without the stub clause if it fails.
+The data could not be retrieved and would have caused SERVFAIL because
+the servers are unreachable, instead it is tried without this clause.
 The default is no.
 .SS "Forward Zone Options"
 .LP
@@ -1022,6 +1024,8 @@ To use a nondefault port for DNS communication append '@' with the port number.
 .TP
 .B forward\-first: \fI<yes or no>
 If enabled, a query is attempted without the forward clause if it fails.
+The data could not be retrieved and would have caused SERVFAIL because
+the servers are unreachable, instead it is tried without this clause.
 The default is no.
 .SS "Python Module Options"
 .LP
diff --git a/doc/unbound.doxygen b/doc/unbound.doxygen
index b32316b72a4f..199d7ad0de0b 100644
--- a/doc/unbound.doxygen
+++ b/doc/unbound.doxygen
@@ -487,7 +487,7 @@ SHOW_USED_FILES        = YES
 # then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
 # in the documentation. The default is NO.
 
-SHOW_DIRECTORIES       = YES
+#SHOW_DIRECTORIES       = YES
 
 # Set the SHOW_FILES tag to NO to disable the generation of the Files page.
 # This will remove the Files entry from the Quick Index and from the
@@ -862,7 +862,7 @@ HTML_TIMESTAMP         = YES
 # files or namespaces will be aligned in HTML using tables. If set to
 # NO a bullet list will be used.
 
-HTML_ALIGN_MEMBERS     = YES
+#HTML_ALIGN_MEMBERS     = YES
 
 # If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
 # documentation will contain sections that can be hidden and shown after the
@@ -1047,7 +1047,7 @@ GENERATE_TREEVIEW      = NO
 # By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories,
 # and Class Hierarchy pages using a tree view instead of an ordered list.
 
-USE_INLINE_TREES       = NO
+#USE_INLINE_TREES       = NO
 
 # If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
 # used to set the initial width (in pixels) of the frame in which the tree
diff --git a/install-sh b/install-sh
index 6781b987bdbc..377bb8687ffe 100755
--- a/install-sh
+++ b/install-sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # install - install a program, script, or datafile
 
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2011-11-20.07; # UTC
 
 # This originates from X11R5 (mit/util/scripts/install.sh), which was
 # later released in X11R6 (xc/config/util/install.sh) with the
@@ -35,7 +35,7 @@ scriptversion=2009-04-28.21; # UTC
 # FSF changes to this file are in the public domain.
 #
 # Calling this script install-sh is preferred over install.sh, to prevent
-# `make' implicit rules from creating a file called install from it
+# 'make' implicit rules from creating a file called install from it
 # when there is no Makefile.
 #
 # This script is compatible with the BSD install script, but was written
@@ -156,6 +156,10 @@ while test $# -ne 0; do
     -s) stripcmd=$stripprog;;
 
     -t) dst_arg=$2
+	# Protect names problematic for 'test' and other utilities.
+	case $dst_arg in
+	  -* | [=\(\)!]) dst_arg=./$dst_arg;;
+	esac
 	shift;;
 
     -T) no_target_directory=true;;
@@ -186,6 +190,10 @@ if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
     fi
     shift # arg
     dst_arg=$arg
+    # Protect names problematic for 'test' and other utilities.
+    case $dst_arg in
+      -* | [=\(\)!]) dst_arg=./$dst_arg;;
+    esac
   done
 fi
 
@@ -194,13 +202,17 @@ if test $# -eq 0; then
     echo "$0: no input file specified." >&2
     exit 1
   fi
-  # It's OK to call `install-sh -d' without argument.
+  # It's OK to call 'install-sh -d' without argument.
   # This can happen when creating conditional directories.
   exit 0
 fi
 
 if test -z "$dir_arg"; then
-  trap '(exit $?); exit' 1 2 13 15
+  do_exit='(exit $ret); exit $ret'
+  trap "ret=129; $do_exit" 1
+  trap "ret=130; $do_exit" 2
+  trap "ret=141; $do_exit" 13
+  trap "ret=143; $do_exit" 15
 
   # Set umask so as not to create temps with too-generous modes.
   # However, 'strip' requires both read and write access to temps.
@@ -228,9 +240,9 @@ fi
 
 for src
 do
-  # Protect names starting with `-'.
+  # Protect names problematic for 'test' and other utilities.
   case $src in
-    -*) src=./$src;;
+    -* | [=\(\)!]) src=./$src;;
   esac
 
   if test -n "$dir_arg"; then
@@ -252,12 +264,7 @@ do
       echo "$0: no destination specified." >&2
       exit 1
     fi
-
     dst=$dst_arg
-    # Protect names starting with `-'.
-    case $dst in
-      -*) dst=./$dst;;
-    esac
 
     # If destination is a directory, append the input filename; won't work
     # if double slashes aren't ignored.
@@ -347,7 +354,7 @@ do
 	      if test -z "$dir_arg" || {
 		   # Check for POSIX incompatibilities with -m.
 		   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
-		   # other-writeable bit of parent directory when it shouldn't.
+		   # other-writable bit of parent directory when it shouldn't.
 		   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
 		   ls_ld_tmpdir=`ls -ld "$tmpdir"`
 		   case $ls_ld_tmpdir in
@@ -385,7 +392,7 @@ do
 
       case $dstdir in
 	/*) prefix='/';;
-	-*) prefix='./';;
+	[-=\(\)!]*) prefix='./';;
 	*)  prefix='';;
       esac
 
@@ -403,7 +410,7 @@ do
 
       for d
       do
-	test -z "$d" && continue
+	test X"$d" = X && continue
 
 	prefix=$prefix$d
 	if test -d "$prefix"; then
diff --git a/iterator/iter_fwd.c b/iterator/iter_fwd.c
index 04976db18b8f..0b3b6525c26b 100644
--- a/iterator/iter_fwd.c
+++ b/iterator/iter_fwd.c
@@ -128,7 +128,9 @@ forwards_insert_data(struct iter_forwards* fwd, uint16_t c, uint8_t* nm,
 	node->namelabs = nmlabs;
 	node->dp = dp;
 	if(!rbtree_insert(fwd->tree, &node->node)) {
-		log_err("duplicate forward zone ignored.");
+		char buf[257];
+		dname_str(nm, buf);
+		log_err("duplicate forward zone %s ignored.", buf);
 		delegpt_free_mlc(dp);
 		free(node->name);
 		free(node);
@@ -250,43 +252,26 @@ read_forwards(struct iter_forwards* fwd, struct config_file* cfg)
 	struct config_stub* s;
 	for(s = cfg->forwards; s; s = s->next) {
 		struct delegpt* dp;
-		if(!(dp=read_fwds_name(s)) ||
-			!read_fwds_host(s, dp) ||
-			!read_fwds_addr(s, dp))
+		if(!(dp=read_fwds_name(s)))
 			return 0;
+		if(!read_fwds_host(s, dp) || !read_fwds_addr(s, dp)) {
+			delegpt_free_mlc(dp);
+			return 0;
+		}
 		/* set flag that parent side NS information is included.
 		 * Asking a (higher up) server on the internet is not useful */
 		/* the flag is turned off for 'forward-first' so that the
 		 * last resort will ask for parent-side NS record and thus
 		 * fallback to the internet name servers on a failure */
 		dp->has_parent_side_NS = (uint8_t)!s->isfirst;
-		if(!forwards_insert(fwd, LDNS_RR_CLASS_IN, dp))
-			return 0;
 		verbose(VERB_QUERY, "Forward zone server list:");
 		delegpt_log(VERB_QUERY, dp);
+		if(!forwards_insert(fwd, LDNS_RR_CLASS_IN, dp))
+			return 0;
 	}
 	return 1;
 }
 
-/** see if zone needs to have a hole inserted */
-static int
-need_hole_insert(rbtree_t* tree, struct iter_forward_zone* zone)
-{
-	struct iter_forward_zone k;
-	if(rbtree_search(tree, zone))
-		return 0; /* exact match exists */
-	k = *zone;
-	k.node.key = &k;
-	/* search up the tree */
-	do {
-		dname_remove_label(&k.name, &k.namelen);
-		k.namelabs --;
-		if(rbtree_search(tree, &k))
-			return 1; /* found an upper forward zone, need hole */
-	} while(k.namelabs > 1);
-	return 0; /* no forwards above, no holes needed */
-}
-
 /** insert a stub hole (if necessary) for stub name */
 static int
 fwd_add_stub_hole(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
@@ -296,11 +281,8 @@ fwd_add_stub_hole(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
 	key.dclass = c;
 	key.name = nm;
 	key.namelabs = dname_count_size_labels(key.name, &key.namelen);
-	if(need_hole_insert(fwd->tree, &key)) {
-		return forwards_insert_data(fwd, key.dclass, key.name,
-			key.namelen, key.namelabs, NULL);
-	}
-	return 1;
+	return forwards_insert_data(fwd, key.dclass, key.name,
+		key.namelen, key.namelabs, NULL);
 }
 
 /** make NULL entries for stubs */
diff --git a/iterator/iter_hints.c b/iterator/iter_hints.c
index cfb9db7abb8c..cde3a7e1bac3 100644
--- a/iterator/iter_hints.c
+++ b/iterator/iter_hints.c
@@ -119,39 +119,42 @@ compile_time_root_prime(int do_ip4, int do_ip6)
 	 ;           on server           FTP.INTERNIC.NET
 	 ;       -OR-                    RS.INTERNIC.NET
 	 ;
-	 ;       related version of root zone:   2010061700
+	 ;       related version of root zone:   changes-on-20120103
 	 */
 	struct delegpt* dp = delegpt_create_mlc((uint8_t*)"\000");
 	if(!dp)
 		return NULL;
 	dp->has_parent_side_NS = 1;
       if(do_ip4) {
-	if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4"))	return 0;
-	if(!ah(dp, "B.ROOT-SERVERS.NET.", "192.228.79.201")) return 0;
-	if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12"))	return 0;
-	if(!ah(dp, "D.ROOT-SERVERS.NET.", "128.8.10.90"))	return 0;
-	if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) return 0;
-	if(!ah(dp, "F.ROOT-SERVERS.NET.", "192.5.5.241"))	return 0;
-	if(!ah(dp, "G.ROOT-SERVERS.NET.", "192.112.36.4"))	return 0;
-	if(!ah(dp, "H.ROOT-SERVERS.NET.", "128.63.2.53"))	return 0;
-	if(!ah(dp, "I.ROOT-SERVERS.NET.", "192.36.148.17"))	return 0;
-	if(!ah(dp, "J.ROOT-SERVERS.NET.", "192.58.128.30"))	return 0;
-	if(!ah(dp, "K.ROOT-SERVERS.NET.", "193.0.14.129"))	return 0;
-	if(!ah(dp, "L.ROOT-SERVERS.NET.", "199.7.83.42"))	return 0;
-	if(!ah(dp, "M.ROOT-SERVERS.NET.", "202.12.27.33"))	return 0;
+	if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4"))	goto failed;
+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "192.228.79.201")) goto failed;
+	if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12"))	goto failed;
+	if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13"))	goto failed;
+	if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
+	if(!ah(dp, "F.ROOT-SERVERS.NET.", "192.5.5.241"))	goto failed;
+	if(!ah(dp, "G.ROOT-SERVERS.NET.", "192.112.36.4"))	goto failed;
+	if(!ah(dp, "H.ROOT-SERVERS.NET.", "128.63.2.53"))	goto failed;
+	if(!ah(dp, "I.ROOT-SERVERS.NET.", "192.36.148.17"))	goto failed;
+	if(!ah(dp, "J.ROOT-SERVERS.NET.", "192.58.128.30"))	goto failed;
+	if(!ah(dp, "K.ROOT-SERVERS.NET.", "193.0.14.129"))	goto failed;
+	if(!ah(dp, "L.ROOT-SERVERS.NET.", "199.7.83.42"))	goto failed;
+	if(!ah(dp, "M.ROOT-SERVERS.NET.", "202.12.27.33"))	goto failed;
       }
       if(do_ip6) {
-	if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) return 0;
-	if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) return 0;
-	if(!ah(dp, "F.ROOT-SERVERS.NET.", "2001:500:2f::f")) return 0;
-	if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::803f:235")) return 0;
-	if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) return 0;
-	if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) return 0;
-	if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) return 0;
-	if(!ah(dp, "L.ROOT-SERVERS.NET.", "2001:500:3::42")) return 0;
-	if(!ah(dp, "M.ROOT-SERVERS.NET.", "2001:dc3::35")) return 0;
+	if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
+	if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
+	if(!ah(dp, "F.ROOT-SERVERS.NET.", "2001:500:2f::f")) goto failed;
+	if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::803f:235")) goto failed;
+	if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed;
+	if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed;
+	if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed;
+	if(!ah(dp, "L.ROOT-SERVERS.NET.", "2001:500:3::42")) goto failed;
+	if(!ah(dp, "M.ROOT-SERVERS.NET.", "2001:dc3::35")) goto failed;
       }
 	return dp;
+failed:
+	delegpt_free_mlc(dp);
+	return 0;
 }
 
 /** insert new hint info into hint structure */
@@ -169,7 +172,9 @@ hints_insert(struct iter_hints* hints, uint16_t c, struct delegpt* dp,
 	node->noprime = (uint8_t)noprime;
 	if(!name_tree_insert(&hints->tree, &node->node, dp->name, dp->namelen,
 		dp->namelabs, c)) {
-		log_err("second hints ignored.");
+		char buf[257];
+		dname_str(dp->name, buf);
+		log_err("second hints for zone %s ignored.", buf);
 		delegpt_free_mlc(dp);
 		free(node);
 	}
@@ -253,17 +258,19 @@ read_stubs(struct iter_hints* hints, struct config_file* cfg)
 	struct config_stub* s;
 	struct delegpt* dp;
 	for(s = cfg->stubs; s; s = s->next) {
-		if(!(dp=read_stubs_name(s)) ||
-			!read_stubs_host(s, dp) ||
-			!read_stubs_addr(s, dp))
+		if(!(dp=read_stubs_name(s)))
 			return 0;
+		if(!read_stubs_host(s, dp) || !read_stubs_addr(s, dp)) {
+			delegpt_free_mlc(dp);
+			return 0;
+		}
 		/* the flag is turned off for 'stub-first' so that the
 		 * last resort will ask for parent-side NS record and thus
 		 * fallback to the internet name servers on a failure */
 		dp->has_parent_side_NS = (uint8_t)!s->isfirst;
+		delegpt_log(VERB_QUERY, dp);
 		if(!hints_insert(hints, LDNS_RR_CLASS_IN, dp, !s->isprime))
 			return 0;
-		delegpt_log(VERB_QUERY, dp);
 	}
 	return 1;
 }
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index c7a3f4f52952..a500c75e786a 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -418,13 +418,14 @@ dns_copy_msg(struct dns_msg* from, struct regional* region)
 	return m;
 }
 
-int 
+void 
 iter_dns_store(struct module_env* env, struct query_info* msgqinf,
 	struct reply_info* msgrep, int is_referral, uint32_t leeway, int pside,
 	struct regional* region)
 {
-	return dns_cache_store(env, msgqinf, msgrep, is_referral, leeway,
-		pside, region);
+	if(!dns_cache_store(env, msgqinf, msgrep, is_referral, leeway,
+		pside, region))
+		log_err("out of memory: cannot store data in cache");
 }
 
 int 
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index 4fb8b005c197..8f5a291af678 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -124,9 +124,13 @@ struct dns_msg* dns_copy_msg(struct dns_msg* from, struct regional* regional);
  * @param pside: true if dp is parentside, thus message is 'fresh' and NS
  * 	can be prefetch-updates.
  * @param region: to copy modified (cache is better) rrs back to.
- * @return 0 on alloc error (out of memory).
+ * @return void, because we are not interested in alloc errors,
+ * 	the iterator and validator can operate on the results in their
+ * 	scratch space (the qstate.region) and are not dependent on the cache.
+ * 	It is useful to log the alloc failure (for the server operator),
+ * 	but the query resolution can continue without cache storage.
  */
-int iter_dns_store(struct module_env* env, struct query_info* qinf,
+void iter_dns_store(struct module_env* env, struct query_info* qinf,
 	struct reply_info* rep, int is_referral, uint32_t leeway, int pside,
 	struct regional* region);
 
diff --git a/iterator/iterator.c b/iterator/iterator.c
index af20c4261b7d..e3f058fe5122 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -259,9 +259,7 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
 	/* do not waste time trying to validate this servfail */
 	err.security = sec_status_indeterminate;
 	verbose(VERB_ALGO, "store error response in message cache");
-	if(!iter_dns_store(qstate->env, &qstate->qinfo, &err, 0, 0, 0, NULL)) {
-		log_err("error_response_cache: could not store error (nomem)");
-	}
+	iter_dns_store(qstate->env, &qstate->qinfo, &err, 0, 0, 0, NULL);
 	return error_response(qstate, id, rcode);
 }
 
@@ -1432,7 +1430,25 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 	verbose(VERB_ALGO, "No more query targets, attempting last resort");
 	log_assert(iq->dp);
 
-	if(!iq->dp->has_parent_side_NS) {
+	if(!iq->dp->has_parent_side_NS && dname_is_root(iq->dp->name)) {
+		struct delegpt* p = hints_lookup_root(qstate->env->hints,
+			iq->qchase.qclass);
+		if(p) {
+			struct delegpt_ns* ns;
+			struct delegpt_addr* a;
+			iq->chase_flags &= ~BIT_RD; /* go to authorities */
+			for(ns = p->nslist; ns; ns=ns->next) {
+				(void)delegpt_add_ns(iq->dp, qstate->region,
+					ns->name, (int)ns->lame);
+			}
+			for(a = p->target_list; a; a=a->next_target) {
+				(void)delegpt_add_addr(iq->dp, qstate->region,
+					&a->addr, a->addrlen, a->bogus,
+					a->lame);
+			}
+		}
+		iq->dp->has_parent_side_NS = 1;
+	} else if(!iq->dp->has_parent_side_NS) {
 		if(!iter_lookup_parent_NS_from_cache(qstate->env, iq->dp,
 			qstate->region, &qstate->qinfo) 
 			|| !iq->dp->has_parent_side_NS) {
@@ -1440,6 +1456,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 			/* if: no parent NS in cache - go up one level */
 			verbose(VERB_ALGO, "try to grab parent NS");
 			iq->store_parent_NS = iq->dp;
+			iq->chase_flags &= ~BIT_RD; /* go to authorities */
 			iq->deleg_msg = NULL;
 			iq->refetch_glue = 1;
 			iq->query_restart_count++;
@@ -1541,8 +1558,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
  *         the final state (i.e., on answer).
  */
 static int
-processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq,
-	int id)
+processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
 {
 	struct module_qstate* subq = NULL;
 	verbose(VERB_ALGO, "processDSNSFind");
@@ -1906,13 +1922,20 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		if(iq->qchase.qtype == LDNS_RR_TYPE_DS && !iq->dsns_point
 			&& !(iq->chase_flags&BIT_RD)
 			&& iter_ds_toolow(iq->response, iq->dp)
-			&& iter_dp_cangodown(&iq->qchase, iq->dp))
+			&& iter_dp_cangodown(&iq->qchase, iq->dp)) {
+			/* close down outstanding requests to be discarded */
+			outbound_list_clear(&iq->outlist);
+			iq->num_current_queries = 0;
+			fptr_ok(fptr_whitelist_modenv_detach_subs(
+				qstate->env->detach_subs));
+			(*qstate->env->detach_subs)(qstate);
+			iq->num_target_queries = 0;
 			return processDSNSFind(qstate, iq, id);
-		if(!iter_dns_store(qstate->env, &iq->response->qinfo,
+		}
+		iter_dns_store(qstate->env, &iq->response->qinfo,
 			iq->response->rep, 0, qstate->prefetch_leeway,
 			iq->dp&&iq->dp->has_parent_side_NS,
-			qstate->region))
-			return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+			qstate->region);
 		/* close down outstanding requests to be discarded */
 		outbound_list_clear(&iq->outlist);
 		iq->num_current_queries = 0;
@@ -1949,10 +1972,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		    )) {
 			/* Store the referral under the current query */
 			/* no prefetch-leeway, since its not the answer */
-			if(!iter_dns_store(qstate->env, &iq->response->qinfo,
-				iq->response->rep, 1, 0, 0, NULL))
-				return error_response(qstate, id, 
-					LDNS_RCODE_SERVFAIL);
+			iter_dns_store(qstate->env, &iq->response->qinfo,
+				iq->response->rep, 1, 0, 0, NULL);
 			if(iq->store_parent_NS)
 				iter_store_parentside_NS(qstate->env, 
 					iq->response->rep);
@@ -2032,8 +2053,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		if(iq->qchase.qtype == LDNS_RR_TYPE_DS && !iq->dsns_point
 			&& !(iq->chase_flags&BIT_RD)
 			&& iter_ds_toolow(iq->response, iq->dp)
-			&& iter_dp_cangodown(&iq->qchase, iq->dp))
+			&& iter_dp_cangodown(&iq->qchase, iq->dp)) {
+			outbound_list_clear(&iq->outlist);
+			iq->num_current_queries = 0;
+			fptr_ok(fptr_whitelist_modenv_detach_subs(
+				qstate->env->detach_subs));
+			(*qstate->env->detach_subs)(qstate);
+			iq->num_target_queries = 0;
 			return processDSNSFind(qstate, iq, id);
+		}
 		/* Process the CNAME response. */
 		if(!handle_cname_response(qstate, iq, iq->response, 
 			&sname, &snamelen))
@@ -2042,10 +2070,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* NOTE : set referral=1, so that rrsets get stored but not 
 		 * the partial query answer (CNAME only). */
 		/* prefetchleeway applied because this updates answer parts */
-		if(!iter_dns_store(qstate->env, &iq->response->qinfo,
+		iter_dns_store(qstate->env, &iq->response->qinfo,
 			iq->response->rep, 1, qstate->prefetch_leeway,
-			iq->dp&&iq->dp->has_parent_side_NS, NULL))
-			return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+			iq->dp&&iq->dp->has_parent_side_NS, NULL);
 		/* set the current request's qname to the new value. */
 		iq->qchase.qname = sname;
 		iq->qchase.qname_len = snamelen;
@@ -2555,12 +2582,10 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * but only if we did recursion. The nonrecursion referral
 		 * from cache does not need to be stored in the msg cache. */
 		if(qstate->query_flags&BIT_RD) {
-			if(!iter_dns_store(qstate->env, &qstate->qinfo, 
+			iter_dns_store(qstate->env, &qstate->qinfo, 
 				iq->response->rep, 0, qstate->prefetch_leeway,
 				iq->dp&&iq->dp->has_parent_side_NS,
-				qstate->region))
-				return error_response(qstate, id, 
-					LDNS_RCODE_SERVFAIL);
+				qstate->region);
 		}
 	}
 	qstate->return_rcode = LDNS_RCODE_NOERROR;
diff --git a/libunbound/libworker.c b/libunbound/libworker.c
index 917a9106d078..bd61cea154a2 100644
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@@ -44,7 +44,9 @@
 #include "config.h"
 #include <ldns/dname.h>
 #include <ldns/wire2host.h>
+#ifdef HAVE_SSL
 #include <openssl/ssl.h>
+#endif
 #include "libunbound/libworker.h"
 #include "libunbound/context.h"
 #include "libunbound/unbound.h"
@@ -88,7 +90,9 @@ libworker_delete(struct libworker* w)
 		ub_randfree(w->env->rnd);
 		free(w->env);
 	}
+#ifdef HAVE_SSL
 	SSL_CTX_free(w->sslctx);
+#endif
 	outside_network_delete(w->back);
 	comm_base_delete(w->base);
 	free(w);
@@ -407,15 +411,18 @@ fill_canon(struct ub_result* res, uint8_t* s)
 /** fill data into result */
 static int
 fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer,
-	uint8_t* finalcname, struct query_info* rq)
+	uint8_t* finalcname, struct query_info* rq, struct reply_info* rep)
 {
 	size_t i;
 	struct packed_rrset_data* data;
+	res->ttl = 0;
 	if(!answer) {
 		if(finalcname) {
 			if(!fill_canon(res, finalcname))
 				return 0; /* out of memory */
 		}
+		if(rep->rrset_count != 0)
+			res->ttl = (int)rep->ttl;
 		res->data = (char**)calloc(1, sizeof(char*));
 		res->len = (int*)calloc(1, sizeof(int));
 		return (res->data && res->len);
@@ -436,6 +443,21 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer,
 		if(!res->data[i])
 			return 0; /* out of memory */
 	}
+	/* ttl for positive answers, from CNAME and answer RRs */
+	if(data->count != 0) {
+		size_t j;
+		res->ttl = (int)data->ttl;
+		for(j=0; j<rep->an_numrrsets; j++) {
+			struct packed_rrset_data* d =
+				(struct packed_rrset_data*)rep->rrsets[j]->
+				entry.data;
+			if((int)d->ttl < res->ttl)
+				res->ttl = (int)d->ttl;
+		}
+	}
+	/* ttl for negative answers */
+	if(data->count == 0 && rep->rrset_count != 0)
+		res->ttl = (int)rep->ttl;
 	res->data[data->count] = NULL;
 	res->len[data->count] = 0;
 	return 1;
@@ -455,7 +477,7 @@ libworker_enter_result(struct ub_result* res, ldns_buffer* buf,
 		return; /* error parsing buf, or out of memory */
 	}
 	if(!fill_res(res, reply_find_answer_rrset(&rq, rep), 
-		reply_find_final_cname_target(&rq, rep), &rq))
+		reply_find_final_cname_target(&rq, rep), &rq, rep))
 		return; /* out of memory */
 	/* rcode, havedata, nxdomain, secure, bogus */
 	res->rcode = (int)FLAGS_GET_RCODE(rep->flags);
@@ -643,6 +665,8 @@ libworker_bg_done_cb(void* arg, int rcode, ldns_buffer* buf, enum sec_status s,
 		return;
 	}
 	q->msg_security = s;
+	if(!buf)
+		buf = q->w->env->scratch_buffer;
 	if(rcode != 0) {
 		error_encode(buf, rcode, NULL, 0, BIT_RD, NULL);
 	}
@@ -703,17 +727,6 @@ void libworker_alloc_cleanup(void* arg)
         slabhash_clear(w->env->msg_cache);
 }
 
-/** compare outbound entry qstates */
-static int
-outbound_entry_compare(void* a, void* b)
-{
-        struct outbound_entry* e1 = (struct outbound_entry*)a;
-        struct outbound_entry* e2 = (struct outbound_entry*)b;
-        if(e1->qstate == e2->qstate)
-                return 1;
-        return 0;
-}
-
 struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
         uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec,
 	int want_dnssec, struct sockaddr_storage* addr, socklen_t addrlen,
@@ -729,7 +742,7 @@ struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
 		qnamelen, qtype, qclass, flags, dnssec, want_dnssec,
 		q->env->cfg->tcp_upstream, q->env->cfg->ssl_upstream, addr,
 		addrlen, zone, zonelen, libworker_handle_service_reply, e,
-		w->back->udp_buff, &outbound_entry_compare);
+		w->back->udp_buff);
 	if(!e->qsent) {
 		return NULL;
 	}
diff --git a/libunbound/unbound.h b/libunbound/unbound.h
index 085f9f53415f..d435bf28d35e 100644
--- a/libunbound/unbound.h
+++ b/libunbound/unbound.h
@@ -193,6 +193,12 @@ struct ub_result {
 	 * Is NULL if the result is not bogus.
 	 */
 	char* why_bogus;
+
+	/**
+	 * TTL for the result, in seconds.  If the security is bogus, then
+	 * you also cannot trust this value.
+	 */
+	int ttl;
 };
 
 /**
diff --git a/ltmain.sh b/ltmain.sh
index aa5624c81612..63ae69dc6fec 100755
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,9 +1,9 @@
 
-# libtool (GNU libtool) 2.4
+# libtool (GNU libtool) 2.4.2
 # Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
-# 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
+# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
 # This is free software; see the source for copying conditions.  There is NO
 # warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
@@ -41,6 +41,7 @@
 #       --quiet, --silent    don't print informational messages
 #       --no-quiet, --no-silent
 #                            print informational messages (default)
+#       --no-warn            don't display warning messages
 #       --tag=TAG            use configuration variables from tag TAG
 #   -v, --verbose            print more informational messages than default
 #       --no-verbose         don't print the extra informational messages
@@ -69,7 +70,7 @@
 #         compiler:		$LTCC
 #         compiler flags:		$LTCFLAGS
 #         linker:		$LD (gnu? $with_gnu_ld)
-#         $progname:	(GNU libtool) 2.4
+#         $progname:	(GNU libtool) 2.4.2
 #         automake:	$automake_version
 #         autoconf:	$autoconf_version
 #
@@ -79,9 +80,9 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION=2.4
+VERSION=2.4.2
 TIMESTAMP=""
-package_revision=1.3293
+package_revision=1.3337
 
 # Be Bourne compatible
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
@@ -136,15 +137,10 @@ progpath="$0"
 
 : ${CP="cp -f"}
 test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
-: ${EGREP="/bin/grep -E"}
-: ${FGREP="/bin/grep -F"}
-: ${GREP="/bin/grep"}
-: ${LN_S="ln -s"}
 : ${MAKE="make"}
 : ${MKDIR="mkdir"}
 : ${MV="mv -f"}
 : ${RM="rm -f"}
-: ${SED="/bin/sed"}
 : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
 : ${Xsed="$SED -e 1s/^X//"}
 
@@ -387,7 +383,7 @@ case $progpath in
      ;;
   *)
      save_IFS="$IFS"
-     IFS=:
+     IFS=${PATH_SEPARATOR-:}
      for progdir in $PATH; do
        IFS="$save_IFS"
        test -x "$progdir/$progname" && break
@@ -771,8 +767,8 @@ func_help ()
 	s*\$LTCFLAGS*'"$LTCFLAGS"'*
 	s*\$LD*'"$LD"'*
 	s/\$with_gnu_ld/'"$with_gnu_ld"'/
-	s/\$automake_version/'"`(automake --version) 2>/dev/null |$SED 1q`"'/
-	s/\$autoconf_version/'"`(autoconf --version) 2>/dev/null |$SED 1q`"'/
+	s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/
+	s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/
 	p
 	d
      }
@@ -1052,6 +1048,7 @@ opt_finish=false
 opt_help=false
 opt_help_all=false
 opt_silent=:
+opt_warning=:
 opt_verbose=:
 opt_silent=false
 opt_verbose=false
@@ -1118,6 +1115,10 @@ esac
 			;;
       --no-silent|--no-quiet)
 			opt_silent=false
+func_append preserve_args " $opt"
+			;;
+      --no-warning|--no-warn)
+			opt_warning=false
 func_append preserve_args " $opt"
 			;;
       --no-verbose)
@@ -2059,7 +2060,7 @@ func_mode_compile ()
     *.[cCFSifmso] | \
     *.ada | *.adb | *.ads | *.asm | \
     *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \
-    *.[fF][09]? | *.for | *.java | *.obj | *.sx | *.cu | *.cup)
+    *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup)
       func_xform "$libobj"
       libobj=$func_xform_result
       ;;
@@ -3201,11 +3202,13 @@ func_mode_install ()
 
       # Set up the ranlib parameters.
       oldlib="$destdir/$name"
+      func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+      tool_oldlib=$func_to_tool_file_result
 
       func_show_eval "$install_prog \$file \$oldlib" 'exit $?'
 
       if test -n "$stripme" && test -n "$old_striplib"; then
-	func_show_eval "$old_striplib $oldlib" 'exit $?'
+	func_show_eval "$old_striplib $tool_oldlib" 'exit $?'
       fi
 
       # Do each command in the postinstall commands.
@@ -3470,7 +3473,7 @@ static const void *lt_preloaded_setup() {
 	  # linked before any other PIC object.  But we must not use
 	  # pic_flag when linking with -static.  The problem exists in
 	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
-	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+	  *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
 	    pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;;
 	  *-*-hpux*)
 	    pic_flag_for_symtable=" $pic_flag"  ;;
@@ -3982,14 +3985,17 @@ func_exec_program_core ()
 # launches target application with the remaining arguments.
 func_exec_program ()
 {
-  for lt_wr_arg
-  do
-    case \$lt_wr_arg in
-    --lt-*) ;;
-    *) set x \"\$@\" \"\$lt_wr_arg\"; shift;;
-    esac
-    shift
-  done
+  case \" \$* \" in
+  *\\ --lt-*)
+    for lt_wr_arg
+    do
+      case \$lt_wr_arg in
+      --lt-*) ;;
+      *) set x \"\$@\" \"\$lt_wr_arg\"; shift;;
+      esac
+      shift
+    done ;;
+  esac
   func_exec_program_core \${1+\"\$@\"}
 }
 
@@ -5057,9 +5063,15 @@ void lt_dump_script (FILE* f)
 {
 EOF
 	    func_emit_wrapper yes |
-              $SED -e 's/\([\\"]\)/\\\1/g' \
-	           -e 's/^/  fputs ("/' -e 's/$/\\n", f);/'
-
+	      $SED -n -e '
+s/^\(.\{79\}\)\(..*\)/\1\
+\2/
+h
+s/\([\\"]\)/\\\1/g
+s/$/\\n/
+s/\([^\n]*\).*/  fputs ("\1", f);/p
+g
+D'
             cat <<"EOF"
 }
 EOF
@@ -5643,7 +5655,8 @@ func_mode_link ()
 	continue
 	;;
 
-      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+      |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
 	func_append compiler_flags " $arg"
 	func_append compile_command " $arg"
 	func_append finalize_command " $arg"
@@ -6147,7 +6160,8 @@ func_mode_link ()
 	lib=
 	found=no
 	case $deplib in
-	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+        |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
 	  if test "$linkmode,$pass" = "prog,link"; then
 	    compile_deplibs="$deplib $compile_deplibs"
 	    finalize_deplibs="$deplib $finalize_deplibs"
@@ -6831,7 +6845,7 @@ func_mode_link ()
 	         test "$hardcode_direct_absolute" = no; then
 		add="$dir/$linklib"
 	      elif test "$hardcode_minus_L" = yes; then
-		add_dir="-L$dir"
+		add_dir="-L$absdir"
 		# Try looking first in the location we're being installed to.
 		if test -n "$inst_prefix_dir"; then
 		  case $libdir in
@@ -7316,6 +7330,7 @@ func_mode_link ()
 	  # which has an extra 1 added just for fun
 	  #
 	  case $version_type in
+	  # correct linux to gnu/linux during the next big refactor
 	  darwin|linux|osf|windows|none)
 	    func_arith $number_major + $number_minor
 	    current=$func_arith_result
@@ -7432,7 +7447,7 @@ func_mode_link ()
 	  versuffix="$major.$revision"
 	  ;;
 
-	linux)
+	linux) # correct to gnu/linux during the next big refactor
 	  func_arith $current - $age
 	  major=.$func_arith_result
 	  versuffix="$major.$age.$revision"
@@ -8020,6 +8035,11 @@ EOF
 
       # Test again, we may have decided not to build it any more
       if test "$build_libtool_libs" = yes; then
+	# Remove ${wl} instances when linking with ld.
+	# FIXME: should test the right _cmds variable.
+	case $archive_cmds in
+	  *\$LD\ *) wl= ;;
+        esac
 	if test "$hardcode_into_libs" = yes; then
 	  # Hardcode the library paths
 	  hardcode_libdirs=
@@ -8050,7 +8070,7 @@ EOF
 	    elif test -n "$runpath_var"; then
 	      case "$perm_rpath " in
 	      *" $libdir "*) ;;
-	      *) func_apped perm_rpath " $libdir" ;;
+	      *) func_append perm_rpath " $libdir" ;;
 	      esac
 	    fi
 	  done
@@ -8058,11 +8078,7 @@ EOF
 	  if test -n "$hardcode_libdir_separator" &&
 	     test -n "$hardcode_libdirs"; then
 	    libdir="$hardcode_libdirs"
-	    if test -n "$hardcode_libdir_flag_spec_ld"; then
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
-	    else
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec\"
-	    fi
+	    eval "dep_rpath=\"$hardcode_libdir_flag_spec\""
 	  fi
 	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
 	    # We should set the runpath_var.
@@ -9152,6 +9168,8 @@ EOF
 	    esac
 	  done
 	fi
+	func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+	tool_oldlib=$func_to_tool_file_result
 	eval cmds=\"$old_archive_cmds\"
 
 	func_len " $cmds"
@@ -9261,7 +9279,8 @@ EOF
 	      *.la)
 		func_basename "$deplib"
 		name="$func_basename_result"
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		func_resolve_sysroot "$deplib"
+		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result`
 		test -z "$libdir" && \
 		  func_fatal_error "\`$deplib' is not a valid libtool archive"
 		func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name"
diff --git a/pythonmod/doc/examples/example0-1.py b/pythonmod/doc/examples/example0-1.py
index 98a9acccdeaf..3b234f1e099c 100644
--- a/pythonmod/doc/examples/example0-1.py
+++ b/pythonmod/doc/examples/example0-1.py
@@ -1,7 +1,4 @@
 
-print mod_env.fname   # Print module script name
-mod_env.data = "test" # Store global module data
-
 def init(id, cfg):
    log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, cfg.port, cfg.python_script))
    return True
diff --git a/pythonmod/pythonmod.c b/pythonmod/pythonmod.c
index 9860d001d0e2..97f520a7cbe8 100644
--- a/pythonmod/pythonmod.c
+++ b/pythonmod/pythonmod.c
@@ -41,6 +41,7 @@
 /* ignore the varargs unused warning from SWIGs internal vararg support */
 #ifdef __GNUC__
 #pragma GCC diagnostic ignored "-Wunused-parameter"
+#pragma GCC diagnostic ignored "-Wunused-but-set-variable"
 #endif
 
 #include "config.h"
diff --git a/services/cache/infra.c b/services/cache/infra.c
index dbbd50326e59..c674aca66754 100644
--- a/services/cache/infra.c
+++ b/services/cache/infra.c
@@ -403,6 +403,11 @@ infra_rtt_update(struct infra_cache* infra, struct sockaddr_storage* addr,
 				data->timeout_other++;
 		}
 	} else {
+		/* if we got a reply, but the old timeout was above server
+		 * selection height, delete the timeout so the server is
+		 * fully available again */
+		if(rtt_unclamped(&data->rtt) >= USEFUL_SERVER_TOP_TIMEOUT)
+			rtt_init(&data->rtt);
 		rtt_update(&data->rtt, roundtrip);
 		data->probedelay = 0;
 		if(qtype == LDNS_RR_TYPE_A)
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index 59ca1991eb12..647cbe07ebd9 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -323,6 +323,11 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 			log_err("setsockopt(..., IP_MTU_DISCOVER, "
 				"IP_PMTUDISC_DONT...) failed: %s",
 				strerror(errno));
+#    ifndef USE_WINSOCK
+			close(s);
+#    else
+			closesocket(s);
+#    endif
 			return -1;
 		}
 #  elif defined(IP_DONTFRAG)
@@ -331,6 +336,11 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 			&off, (socklen_t)sizeof(off)) < 0) {
 			log_err("setsockopt(..., IP_DONTFRAG, ...) failed: %s",
 				strerror(errno));
+#    ifndef USE_WINSOCK
+			close(s);
+#    else
+			closesocket(s);
+#    endif
 			return -1;
 		}
 #  endif /* IPv4 MTU */
@@ -408,9 +418,11 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto)
 #ifndef USE_WINSOCK
 		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
 			strerror(errno));
+		close(s);
 #else
 		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
 			wsa_strerror(WSAGetLastError()));
+		closesocket(s);
 #endif
 		return -1;
 	}
@@ -422,9 +434,11 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto)
 #ifndef USE_WINSOCK
 			log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
 				strerror(errno));
+			close(s);
 #else
 			log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
 				wsa_strerror(WSAGetLastError()));
+			closesocket(s);
 #endif
 			return -1;
 		}
@@ -443,23 +457,32 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto)
 				(struct sockaddr_storage*)addr->ai_addr,
 				addr->ai_addrlen);
 		}
+		close(s);
 #else
 		log_err("can't bind socket: %s", 
 			wsa_strerror(WSAGetLastError()));
 		log_addr(0, "failed address",
 			(struct sockaddr_storage*)addr->ai_addr,
 			addr->ai_addrlen);
+		closesocket(s);
 #endif
 		return -1;
 	}
 	if(!fd_set_nonblock(s)) {
+#ifndef USE_WINSOCK
+		close(s);
+#else
+		closesocket(s);
+#endif
 		return -1;
 	}
 	if(listen(s, TCP_BACKLOG) == -1) {
 #ifndef USE_WINSOCK
 		log_err("can't listen: %s", strerror(errno));
+		close(s);
 #else
 		log_err("can't listen: %s", wsa_strerror(WSAGetLastError()));
+		closesocket(s);
 #endif
 		return -1;
 	}
@@ -653,8 +676,14 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 			return 0;
 		}
 		/* getting source addr packet info is highly non-portable */
-		if(!set_recvpktinfo(s, hints->ai_family))
+		if(!set_recvpktinfo(s, hints->ai_family)) {
+#ifndef USE_WINSOCK
+			close(s);
+#else
+			closesocket(s);
+#endif
 			return 0;
+		}
 		if(!port_insert(list, s, listen_type_udpancil)) {
 #ifndef USE_WINSOCK
 			close(s);
diff --git a/services/localzone.c b/services/localzone.c
index 98d69433e308..9fdab51c1081 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -449,8 +449,8 @@ lz_enter_rr_into_zone(struct local_zone* z, ldns_buffer* buf,
 	struct local_data* node;
 	struct local_rrset* rrset;
 	struct packed_rrset_data* pd;
-	uint16_t rrtype, rrclass;
-	uint32_t ttl;
+	uint16_t rrtype = 0, rrclass = 0;
+	uint32_t ttl = 0;
 	if(!get_rr_content(rrstr, &nm, &rrtype, &rrclass, &ttl, buf)) {
 		log_err("bad local-data: %s", rrstr);
 		return 0;
diff --git a/services/mesh.c b/services/mesh.c
index f6fd288adf82..5c66caf3236d 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -676,6 +676,7 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 	/* find it, if not, create it */
 	struct mesh_area* mesh = qstate->env->mesh;
 	struct mesh_state* sub = mesh_area_find(mesh, qinfo, qflags, prime);
+	int was_detached;
 	if(mesh_detect_cycle_found(qstate, sub)) {
 		verbose(VERB_ALGO, "attach failed, cycle detected");
 		return 0;
@@ -706,9 +707,12 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 		*newq = &sub->s;
 	} else
 		*newq = NULL;
+	was_detached = (sub->super_set.count == 0);
 	if(!mesh_state_attachment(qstate->mesh_info, sub))
 		return 0;
-	if(!sub->reply_list && !sub->cb_list && sub->super_set.count == 1) {
+	/* if it was a duplicate  attachment, the count was not zero before */
+	if(!sub->reply_list && !sub->cb_list && was_detached && 
+		sub->super_set.count == 1) {
 		/* it used to be detached, before this one got added */
 		log_assert(mesh->num_detached_states > 0);
 		mesh->num_detached_states--;
@@ -735,16 +739,20 @@ int mesh_state_attachment(struct mesh_state* super, struct mesh_state* sub)
 	superref->s = super;
 	subref->node.key = subref;
 	subref->s = sub;
-#ifdef UNBOUND_DEBUG
-	n =
-#endif
-	rbtree_insert(&sub->super_set, &superref->node);
-	log_assert(n != NULL);
+	if(!rbtree_insert(&sub->super_set, &superref->node)) {
+		/* this should not happen, iterator and validator do not
+		 * attach subqueries that are identical. */
+		/* already attached, we are done, nothing todo.
+		 * since superref and subref already allocated in region,
+		 * we cannot free them */
+		return 1;
+	}
 #ifdef UNBOUND_DEBUG
 	n =
 #endif
 	rbtree_insert(&super->sub_set, &subref->node);
-	log_assert(n != NULL);
+	log_assert(n != NULL); /* we checked above if statement, the reverse
+	  administration should not fail now, unless they are out of sync */
 	return 1;
 }
 
diff --git a/services/outside_network.c b/services/outside_network.c
index 24d65db39932..e1cd0fd3877f 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -58,7 +58,9 @@
 #include "util/net_help.h"
 #include "util/random.h"
 #include "util/fptr_wlist.h"
+#ifdef HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
+#endif
 
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
@@ -297,9 +299,11 @@ decomission_pending_tcp(struct outside_network* outnet,
 	struct pending_tcp* pend)
 {
 	if(pend->c->ssl) {
+#ifdef HAVE_SSL
 		SSL_shutdown(pend->c->ssl);
 		SSL_free(pend->c->ssl);
 		pend->c->ssl = NULL;
+#endif
 	}
 	comm_point_close(pend->c);
 	pend->next_free = outnet->tcp_free;
@@ -1439,7 +1443,7 @@ static void
 serviced_callbacks(struct serviced_query* sq, int error, struct comm_point* c,
 	struct comm_reply* rep)
 {
-	struct service_callback* p = sq->cblist, *n;
+	struct service_callback* p;
 	int dobackup = (sq->cblist && sq->cblist->next); /* >1 cb*/
 	uint8_t *backup_p = NULL;
 	size_t backlen = 0;
@@ -1498,8 +1502,9 @@ serviced_callbacks(struct serviced_query* sq, int error, struct comm_point* c,
 		}
 		sq->outnet->svcd_overhead = backlen;
 	}
-	while(p) {
-		n = p->next;
+	/* test the actual sq->cblist, because the next elem could be deleted*/
+	while((p=sq->cblist) != NULL) {
+		sq->cblist = p->next; /* remove this element */
 		if(dobackup && c) {
 			ldns_buffer_clear(c->buffer);
 			ldns_buffer_write(c->buffer, backup_p, backlen);
@@ -1507,7 +1512,7 @@ serviced_callbacks(struct serviced_query* sq, int error, struct comm_point* c,
 		}
 		fptr_ok(fptr_whitelist_serviced_query(p->cb));
 		(void)(*p->cb)(c, p->cb_arg, error, rep);
-		p = n;
+		free(p);
 	}
 	if(backup_p) {
 		free(backup_p);
@@ -1781,37 +1786,21 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 	return 0;
 }
 
-/** find callback in list */
-static struct service_callback*
-callback_list_find(struct serviced_query* sq, void* cb_arg, 
-	int (*arg_compare)(void*,void*))
-{
-	struct service_callback* p;
-	for(p = sq->cblist; p; p = p->next) {
-		if(arg_compare(p->cb_arg, cb_arg))
-			return p;
-	}
-	return NULL;
-}
-
 struct serviced_query* 
 outnet_serviced_query(struct outside_network* outnet,
 	uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
 	uint16_t flags, int dnssec, int want_dnssec, int tcp_upstream,
 	int ssl_upstream, struct sockaddr_storage* addr, socklen_t addrlen,
 	uint8_t* zone, size_t zonelen, comm_point_callback_t* callback,
-	void* callback_arg, ldns_buffer* buff, int (*arg_compare)(void*,void*))
+	void* callback_arg, ldns_buffer* buff)
 {
 	struct serviced_query* sq;
 	struct service_callback* cb;
 	serviced_gen_query(buff, qname, qnamelen, qtype, qclass, flags);
 	sq = lookup_serviced(outnet, buff, dnssec, addr, addrlen);
-	if(sq) {
-		/* see if it is a duplicate notification request for cb_arg */
-		if(callback_list_find(sq, callback_arg, arg_compare)) {
-			return sq;
-		}
-	}
+	/* duplicate entries are included in the callback list, because
+	 * there is a counterpart registration by our caller that needs to
+	 * be doubly-removed (with callbacks perhaps). */
 	if(!(cb = (struct service_callback*)malloc(sizeof(*cb))))
 		return NULL;
 	if(!sq) {
diff --git a/services/outside_network.h b/services/outside_network.h
index ab18d2406e6a..9ec81f405e6d 100644
--- a/services/outside_network.h
+++ b/services/outside_network.h
@@ -279,9 +279,9 @@ struct service_callback {
 };
 
 /** fallback size for fragmentation for EDNS in IPv4 */
-#define EDNS_FRAG_SIZE_IP4 1480
+#define EDNS_FRAG_SIZE_IP4 1472
 /** fallback size for EDNS in IPv6, fits one fragment with ip6-tunnel-ids */
-#define EDNS_FRAG_SIZE_IP6 1260
+#define EDNS_FRAG_SIZE_IP6 1232
 
 /**
  * Query service record.
@@ -468,8 +468,6 @@ void pending_delete(struct outside_network* outnet, struct pending* p);
 	authoritative.
  * @param zonelen: length of zone.
  * @param buff: scratch buffer to create query contents in. Empty on exit.
- * @param arg_compare: function to compare callback args, return true if 
- * 	identical. It is given the callback_arg and args that are listed.
  * @return 0 on error, or pointer to serviced query that is used to answer
  *	this serviced query may be shared with other callbacks as well.
  */
@@ -478,8 +476,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	uint16_t flags, int dnssec, int want_dnssec, int tcp_upstream,
 	int ssl_upstream, struct sockaddr_storage* addr, socklen_t addrlen,
 	uint8_t* zone, size_t zonelen, comm_point_callback_t* callback,
-	void* callback_arg, ldns_buffer* buff,
-	int (*arg_compare)(void*,void*));
+	void* callback_arg, ldns_buffer* buff);
 
 /**
  * Remove service query callback.
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index e14ca733fd7c..ef0031c94316 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -134,6 +134,7 @@
 #include <openssl/rand.h>
 #endif
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/pem.h>
 
 /** name of server in URL to fetch HTTPS from */
@@ -142,6 +143,8 @@
 #define XMLNAME "root-anchors/root-anchors.xml"
 /** path on HTTPS server to p7s file */
 #define P7SNAME "root-anchors/root-anchors.p7s"
+/** name of the signer of the certificate */
+#define P7SIGNER "dnssec@iana.org"
 /** port number for https access */
 #define HTTPS_PORT 443
 
@@ -184,6 +187,7 @@ usage()
 	printf("-u name		server in https url, default %s\n", URLNAME);
 	printf("-x path		pathname to xml in url, default %s\n", XMLNAME);
 	printf("-s path		pathname to p7s in url, default %s\n", P7SNAME);
+	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
 	printf("-4		work using IPv4 only\n");
 	printf("-6		work using IPv6 only\n");
 	printf("-f resolv.conf	use given resolv.conf to resolve -u name\n");
@@ -540,6 +544,11 @@ resolve_host_ip(struct ub_ctx* ctx, char* host, int port, int tp, int cl,
 		ub_ctx_delete(ctx);
 		exit(0);
 	}
+	if(!res->havedata || res->rcode || !res->data) {
+		if(verb) printf("resolve %s %s: no result\n", host,
+			(tp==LDNS_RR_TYPE_A)?"A":"AAAA");
+		return;
+	}
 	for(i = 0; res->data[i]; i++) {
 		struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i],
 			port);
@@ -1498,6 +1507,20 @@ xml_endelem(void *userData, const XML_Char *name)
 	}
 }
 
+/* Stop the parser when an entity declaration is encountered. For safety. */
+static void
+xml_entitydeclhandler(void *userData,
+	const XML_Char *ATTR_UNUSED(entityName),
+	int ATTR_UNUSED(is_parameter_entity),
+	const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length),
+	const XML_Char *ATTR_UNUSED(base),
+	const XML_Char *ATTR_UNUSED(systemId),
+	const XML_Char *ATTR_UNUSED(publicId),
+	const XML_Char *ATTR_UNUSED(notationName))
+{
+	(void)XML_StopParser((XML_Parser)userData, XML_FALSE);
+}
+
 /**
  * XML parser setup of the callbacks for the tags
  */
@@ -1526,6 +1549,7 @@ xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now)
 		if(verb) printf("out of memory\n");
 		exit(0);
 	}
+	XML_SetEntityDeclHandler(parser, xml_entitydeclhandler);
 	XML_SetElementHandler(parser, xml_startelem, xml_endelem);
 	XML_SetCharacterDataHandler(parser, xml_charhandle);
 }
@@ -1603,12 +1627,113 @@ xml_parse(BIO* xml, time_t now)
 	}
 }
 
+/* get key usage out of its extension, returns 0 if no key_usage extension */
+static unsigned long
+get_usage_of_ex(X509* cert)
+{
+	unsigned long val = 0;
+	ASN1_BIT_STRING* s;
+	if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) {
+		if(s->length > 0) {
+			val = s->data[0];
+			if(s->length > 1)
+				val |= s->data[1] << 8;
+		}
+		ASN1_BIT_STRING_free(s);
+	}
+	return val;
+}
+
+/** get valid signers from the list of signers in the signature */
+static STACK_OF(X509)*
+get_valid_signers(PKCS7* p7, char* p7signer)
+{
+	int i;
+	STACK_OF(X509)* validsigners = sk_X509_new_null();
+	STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0);
+	unsigned long usage = 0;
+	if(!validsigners) {
+		if(verb) printf("out of memory\n");
+		sk_X509_free(signers);
+		return NULL;
+	}
+	if(!signers) {
+		if(verb) printf("no signers in pkcs7 signature\n");
+		sk_X509_free(validsigners);
+		return NULL;
+	}
+	for(i=0; i<sk_X509_num(signers); i++) {
+		X509_NAME* nm = X509_get_subject_name(
+			sk_X509_value(signers, i));
+		char buf[1024];
+		if(!nm) {
+			if(verb) printf("signer %d: cert has no subject name\n", i);
+			continue;
+		}
+		if(verb && nm) {
+			char* nmline = X509_NAME_oneline(nm, buf,
+				(int)sizeof(buf));
+			printf("signer %d: Subject: %s\n", i,
+				nmline?nmline:"no subject");
+			if(verb >= 3 && X509_NAME_get_text_by_NID(nm,
+				NID_commonName, buf, (int)sizeof(buf)))
+				printf("commonName: %s\n", buf);
+			if(verb >= 3 && X509_NAME_get_text_by_NID(nm,
+				NID_pkcs9_emailAddress, buf, (int)sizeof(buf)))
+				printf("emailAddress: %s\n", buf);
+		}
+		if(verb) {
+			int ku_loc = X509_get_ext_by_NID(
+				sk_X509_value(signers, i), NID_key_usage, -1);
+			if(verb >= 3 && ku_loc >= 0) {
+				X509_EXTENSION *ex = X509_get_ext(
+					sk_X509_value(signers, i), ku_loc);
+				if(ex) {
+					printf("keyUsage: ");
+					X509V3_EXT_print_fp(stdout, ex, 0, 0);
+					printf("\n");
+				}
+			}
+		}
+		if(!p7signer || strcmp(p7signer, "")==0) {
+			/* there is no name to check, return all records */
+			if(verb) printf("did not check commonName of signer\n");
+		} else {
+			if(!X509_NAME_get_text_by_NID(nm,
+				NID_pkcs9_emailAddress,
+				buf, (int)sizeof(buf))) {
+				if(verb) printf("removed cert with no name\n");
+				continue; /* no name, no use */
+			}
+			if(strcmp(buf, p7signer) != 0) {
+				if(verb) printf("removed cert with wrong name\n");
+				continue; /* wrong name, skip it */
+			}
+		}
+
+		/* check that the key usage allows digital signatures
+		 * (the p7s) */
+		usage = get_usage_of_ex(sk_X509_value(signers, i));
+		if(!(usage & KU_DIGITAL_SIGNATURE)) {
+			if(verb) printf("removed cert with no key usage Digital Signature allowed\n");
+			continue;
+		}
+
+		/* we like this cert, add it to our list of valid
+		 * signers certificates */
+		sk_X509_push(validsigners, sk_X509_value(signers, i));
+	}
+	sk_X509_free(signers);
+	return validsigners;
+}
+
 /** verify a PKCS7 signature, false on failure */
 static int
-verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust)
+verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, char* p7signer)
 {
 	PKCS7* p7;
 	X509_STORE *store = X509_STORE_new();
+	STACK_OF(X509)* validsigners;
 	int secure = 0;
 	int i;
 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
@@ -1630,6 +1755,9 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust)
 #endif
 		return 0;
 	}
+#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
+	X509_VERIFY_PARAM_free(param);
+#endif
 
 	(void)BIO_reset(p7s);
 	(void)BIO_reset(data);
@@ -1654,7 +1782,15 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust)
 	}
 	if(verb >= 2) printf("setup the X509_STORE\n");
 
-	if(PKCS7_verify(p7, NULL, store, data, NULL, 0) == 1) {
+	/* check what is in the Subject name of the certificates,
+	 * and build a stack that contains only the right certificates */
+	validsigners = get_valid_signers(p7, p7signer);
+	if(!validsigners) {
+			X509_STORE_free(store);
+			PKCS7_free(p7);
+			return 0;
+	}
+	if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) {
 		secure = 1;
 		if(verb) printf("the PKCS7 signature verified\n");
 	} else {
@@ -1663,6 +1799,7 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust)
 		}
 	}
 
+	sk_X509_free(validsigners);
 	X509_STORE_free(store);
 	PKCS7_free(p7);
 	return secure;
@@ -1723,12 +1860,12 @@ write_root_anchor(char* root_anchor_file, BIO* ds)
 /** Perform the verification and update of the trustanchor file */
 static void
 verify_and_update_anchor(char* root_anchor_file, BIO* xml, BIO* p7s,
-	STACK_OF(X509)* cert)
+	STACK_OF(X509)* cert, char* p7signer)
 {
 	BIO* ds;
 
 	/* verify xml file */
-	if(!verify_p7sig(xml, p7s, cert)) {
+	if(!verify_p7sig(xml, p7s, cert, p7signer)) {
 		printf("the PKCS7 signature failed\n");
 		exit(0);
 	}
@@ -1752,7 +1889,7 @@ static void do_wsa_cleanup(void) { WSACleanup(); }
 /** perform actual certupdate work */
 static int
 do_certupdate(char* root_anchor_file, char* root_cert_file,
-	char* urlname, char* xmlname, char* p7sname,
+	char* urlname, char* xmlname, char* p7sname, char* p7signer,
 	char* res_conf, char* root_hints, char* debugconf,
 	int ip4only, int ip6only, int port, struct ub_result* dnskey)
 {
@@ -1785,7 +1922,7 @@ do_certupdate(char* root_anchor_file, char* root_cert_file,
 	p7s = https(ip_list, p7sname, urlname);
 
 	/* verify and update the root anchor */
-	verify_and_update_anchor(root_anchor_file, xml, p7s, cert);
+	verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer);
 	if(verb) printf("success: the anchor has been updated "
 			"using the cert\n");
 
@@ -2035,7 +2172,7 @@ probe_date_allows_certupdate(char* root_anchor_file)
 /** perform the unbound-anchor work */
 static int
 do_root_update_work(char* root_anchor_file, char* root_cert_file,
-	char* urlname, char* xmlname, char* p7sname,
+	char* urlname, char* xmlname, char* p7sname, char* p7signer,
 	char* res_conf, char* root_hints, char* debugconf,
 	int ip4only, int ip6only, int force, int port)
 {
@@ -2068,8 +2205,8 @@ do_root_update_work(char* root_anchor_file, char* root_cert_file,
 	if((dnskey->rcode == 0 &&
 		probe_date_allows_certupdate(root_anchor_file)) || force) {
 		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
-			xmlname, p7sname, res_conf, root_hints, debugconf,
-			ip4only, ip6only, port, dnskey))
+			xmlname, p7sname, p7signer, res_conf, root_hints,
+			debugconf, ip4only, ip6only, port, dnskey))
 			return 1;
 		return used_builtin;
 	}
@@ -2092,12 +2229,13 @@ int main(int argc, char* argv[])
 	char* urlname = URLNAME;
 	char* xmlname = XMLNAME;
 	char* p7sname = P7SNAME;
+	char* p7signer = P7SIGNER;
 	char* res_conf = NULL;
 	char* root_hints = NULL;
 	char* debugconf = NULL;
 	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
 	/* parse the options */
-	while( (c=getopt(argc, argv, "46C:FP:a:c:f:hlr:s:u:vx:")) != -1) {
+	while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
 		switch(c) {
 		case 'l':
 			dolist = 1;
@@ -2123,6 +2261,9 @@ int main(int argc, char* argv[])
 		case 's':
 			p7sname = optarg;
 			break;
+		case 'n':
+			p7signer = optarg;
+			break;
 		case 'f':
 			res_conf = optarg;
 			break;
@@ -2160,6 +2301,6 @@ int main(int argc, char* argv[])
 	if(dolist) do_list_builtin();
 
 	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
-		xmlname, p7sname, res_conf, root_hints, debugconf, ip4only,
-		ip6only, force, port);
+		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
+		ip4only, ip6only, force, port);
 }
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 58be7b7abfc0..cc48866c5dbd 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -68,6 +68,7 @@ usage()
 	printf("Options:\n");
 	printf("  -c file	config file, default is %s\n", CONFIGFILE);
 	printf("  -s ip[@port]	server address, if omitted config is used.\n");
+	printf("  -q		quiet (don't print anything if it works ok).\n");
 	printf("  -h		show this usage help.\n");
 	printf("Commands:\n");
 	printf("  start				start server; runs unbound(8)\n");
@@ -93,6 +94,7 @@ usage()
 	printf("  flush_type <name> <type>	flush name, type from cache\n");
 	printf("  flush_zone <name>		flush everything at or under name\n");
 	printf("  				from rr and dnssec caches\n");
+	printf("  flush_bogus			flush all bogus data\n");
 	printf("  flush_stats 			flush statistics, make zero\n");
 	printf("  flush_requestlist 		drop queries that are worked on\n");
 	printf("  dump_requestlist		show what is worked on\n");
@@ -262,7 +264,7 @@ send_file(SSL* ssl, FILE* in, char* buf, size_t sz)
 
 /** send command and display result */
 static int
-go_cmd(SSL* ssl, int argc, char* argv[])
+go_cmd(SSL* ssl, int quiet, int argc, char* argv[])
 {
 	char pre[10];
 	const char* space=" ";
@@ -296,9 +298,12 @@ go_cmd(SSL* ssl, int argc, char* argv[])
 			ssl_err("could not SSL_read");
 		}
 		buf[r] = 0;
-		printf("%s", buf);
-		if(first_line && strncmp(buf, "error", 5) == 0)
+		if(first_line && strncmp(buf, "error", 5) == 0) {
+			printf("%s", buf);
 			was_error = 1;
+		} else if (!quiet)
+			printf("%s", buf);
+
 		first_line = 0;
 	}
 	return was_error;
@@ -306,7 +311,7 @@ go_cmd(SSL* ssl, int argc, char* argv[])
 
 /** go ahead and read config, contact server and perform command and display */
 static int
-go(const char* cfgfile, char* svr, int argc, char* argv[])
+go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
 {
 	struct config_file* cfg;
 	int fd, ret;
@@ -327,7 +332,7 @@ go(const char* cfgfile, char* svr, int argc, char* argv[])
 	ssl = setup_ssl(ctx, fd);
 	
 	/* send command */
-	ret = go_cmd(ssl, argc, argv);
+	ret = go_cmd(ssl, quiet, argc, argv);
 
 	SSL_free(ssl);
 #ifndef USE_WINSOCK
@@ -349,6 +354,7 @@ extern char* optarg;
 int main(int argc, char* argv[])
 {
 	int c, ret;
+	int quiet = 0;
 	const char* cfgfile = CONFIGFILE;
 	char* svr = NULL;
 #ifdef USE_WINSOCK
@@ -379,7 +385,8 @@ int main(int argc, char* argv[])
 	if(!RAND_status()) {
                 /* try to seed it */
                 unsigned char buf[256];
-                unsigned int v, seed=(unsigned)time(NULL) ^ (unsigned)getpid();
+                unsigned int seed=(unsigned)time(NULL) ^ (unsigned)getpid();
+		unsigned int v = seed;
                 size_t i;
                 for(i=0; i<256/sizeof(v); i++) {
                         memmove(buf+i*sizeof(v), &v, sizeof(v));
@@ -390,7 +397,7 @@ int main(int argc, char* argv[])
 	}
 
 	/* parse the options */
-	while( (c=getopt(argc, argv, "c:s:h")) != -1) {
+	while( (c=getopt(argc, argv, "c:s:qh")) != -1) {
 		switch(c) {
 		case 'c':
 			cfgfile = optarg;
@@ -398,6 +405,9 @@ int main(int argc, char* argv[])
 		case 's':
 			svr = optarg;
 			break;
+		case 'q':
+			quiet = 1;
+			break;
 		case '?':
 		case 'h':
 		default:
@@ -416,7 +426,7 @@ int main(int argc, char* argv[])
 		}
 	}
 
-	ret = go(cfgfile, svr, argc, argv);
+	ret = go(cfgfile, svr, quiet, argc, argv);
 
 #ifdef USE_WINSOCK
         WSACleanup();
diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c
index 095396749ff1..715aa4a6516b 100644
--- a/smallapp/unbound-host.c
+++ b/smallapp/unbound-host.c
@@ -61,6 +61,10 @@
 #endif
 #include "libunbound/unbound.h"
 #include <ldns/ldns.h>
+#ifdef HAVE_NSS
+/* nss3 */
+#include "nss.h"
+#endif
 
 /** verbosity for unbound-host app */
 static int verb = 0;
@@ -509,6 +513,12 @@ int main(int argc, char* argv[])
 	if(argc != 1)
 		usage();
 
+#ifdef HAVE_NSS
+        if(NSS_NoDB_Init(".") != SECSuccess) {
+		fprintf(stderr, "could not init NSS\n");
+		return 1;
+	}
+#endif
 	lookup(ctx, argv[0], qtype, qclass);
 	return 0;
 }
diff --git a/testcode/fake_event.c b/testcode/fake_event.c
index 26dfaa8b068b..180ff30697e2 100644
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@@ -1041,14 +1041,13 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream),
 	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
 	size_t zonelen, comm_point_callback_t* callback, void* callback_arg,
-	ldns_buffer* ATTR_UNUSED(buff), int (*arg_compare)(void*,void*))
+	ldns_buffer* ATTR_UNUSED(buff))
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)outnet->base;
 	struct fake_pending* pend = (struct fake_pending*)calloc(1,
 		sizeof(struct fake_pending));
 	char z[256];
 	ldns_status status;
-	(void)arg_compare;
 	log_assert(pend);
 	log_nametypeclass(VERB_OPS, "pending serviced query", 
 		qname, qtype, qclass);
diff --git a/testcode/ldns-testpkts.c b/testcode/ldns-testpkts.c
index d8139511ab5c..be94eb2fe438 100644
--- a/testcode/ldns-testpkts.c
+++ b/testcode/ldns-testpkts.c
@@ -323,7 +323,7 @@ data_buffer2wire(ldns_buffer *data_buffer)
 	uint8_t *hexbuf;
 	int hexbufpos = 0;
 	size_t wirelen;
-	uint8_t *data_wire = (uint8_t *) ldns_buffer_export(data_buffer);
+	uint8_t *data_wire = (uint8_t *) ldns_buffer_begin(data_buffer);
 	uint8_t *wire = LDNS_XMALLOC(uint8_t, LDNS_MAX_PACKETLEN);
 	
 	hexbuf = LDNS_XMALLOC(uint8_t, LDNS_MAX_PACKETLEN);
@@ -340,6 +340,12 @@ data_buffer2wire(ldns_buffer *data_buffer)
 					(c >= 'a' && c <= 'f') ||
 					(c >= 'A' && c <= 'F') )
 				{
+					if (hexbufpos >= LDNS_MAX_PACKETLEN) {
+						error("buffer overflow");
+						LDNS_FREE(hexbuf);
+						return 0;
+
+					}
 					hexbuf[hexbufpos] = (uint8_t) c;
 					hexbufpos++;
 				} else if (c == ';') {
@@ -354,14 +360,14 @@ data_buffer2wire(ldns_buffer *data_buffer)
 				}
 				break;
 			case 2:
+				if (hexbufpos >= LDNS_MAX_PACKETLEN) {
+					error("buffer overflow");
+					LDNS_FREE(hexbuf);
+					return 0;
+				}
 				hexbuf[hexbufpos] = (uint8_t) c;
 				hexbufpos++;
 				break;
-			default:
-				error("unknown state while reading");
-				LDNS_FREE(hexbuf);
-				return 0;
-				break;
 		}
 	}
 
@@ -371,6 +377,11 @@ data_buffer2wire(ldns_buffer *data_buffer)
 	
 	/* lenient mode: length must be multiple of 2 */
 	if (hexbufpos % 2 != 0) {
+		if (hexbufpos >= LDNS_MAX_PACKETLEN) {
+			error("buffer overflow");
+			LDNS_FREE(hexbuf);
+			return 0;
+		}
 		hexbuf[hexbufpos] = (uint8_t) '0';
 		hexbufpos++;
 	}
@@ -415,7 +426,7 @@ get_origin(const char* name, int lineno, ldns_rdf** origin, char* parse)
 /* Reads one entry from file. Returns entry or NULL on error. */
 struct entry*
 read_entry(FILE* in, const char* name, int *lineno, uint32_t* default_ttl, 
-	ldns_rdf** origin, ldns_rdf** prev_rr)
+	ldns_rdf** origin, ldns_rdf** prev_rr, int skip_whitespace)
 {
 	struct entry* current = NULL;
 	char line[MAX_LINE];
@@ -485,7 +496,10 @@ read_entry(FILE* in, const char* name, int *lineno, uint32_t* default_ttl,
 			reading_hex = false;
 			cur_reply->reply_from_hex = data_buffer2wire(hex_data_buffer);
 			ldns_buffer_free(hex_data_buffer);
+			hex_data_buffer = NULL;
 		} else if(str_keyword(&parse, "ENTRY_END")) {
+			if (hex_data_buffer)
+				ldns_buffer_free(hex_data_buffer);
 			return current;
 		} else if(reading_hex) {
 			ldns_buffer_printf(hex_data_buffer, line);
@@ -493,14 +507,17 @@ read_entry(FILE* in, const char* name, int *lineno, uint32_t* default_ttl,
 			/* it must be a RR, parse and add to packet. */
 			ldns_rr* n = NULL;
 			ldns_status status;
+			char* rrstr = line;
+			if (skip_whitespace)
+				rrstr = parse;
 			if(add_section == LDNS_SECTION_QUESTION)
 				status = ldns_rr_new_question_frm_str(
-					&n, parse, *origin, prev_rr);
-			else status = ldns_rr_new_frm_str(&n, parse, 
+					&n, rrstr, *origin, prev_rr);
+			else status = ldns_rr_new_frm_str(&n, rrstr,
 				*default_ttl, *origin, prev_rr);
 			if(status != LDNS_STATUS_OK)
 				error("%s line %d:\n\t%s: %s", name, *lineno,
-					ldns_get_errorstr_by_id(status), parse);
+					ldns_get_errorstr_by_id(status), rrstr);
 			ldns_pkt_push_rr(cur_reply->reply, add_section, n);
 		}
 
@@ -518,7 +535,7 @@ read_entry(FILE* in, const char* name, int *lineno, uint32_t* default_ttl,
 
 /* reads the canned reply file and returns a list of structs */
 struct entry* 
-read_datafile(const char* name)
+read_datafile(const char* name, int skip_whitespace)
 {
 	struct entry* list = NULL;
 	struct entry* last = NULL;
@@ -535,7 +552,7 @@ read_datafile(const char* name)
 	}
 
 	while((current = read_entry(in, name, &lineno, &default_ttl, 
-		&origin, &prev_rr)))
+		&origin, &prev_rr, skip_whitespace)))
 	{
 		if(last)
 			last->next = current;
@@ -815,7 +832,7 @@ handle_query(uint8_t* inbuf, ssize_t inlen, struct entry* entries, int* count,
 				/* still try to adjust ID */
 				answer_size = ldns_buffer_capacity(p->reply_from_hex);
 				outbuf = LDNS_XMALLOC(uint8_t, answer_size);
-				memcpy(outbuf, ldns_buffer_export(p->reply_from_hex), answer_size);
+				memcpy(outbuf, ldns_buffer_begin(p->reply_from_hex), answer_size);
 				if(entry->copy_id) {
 					ldns_write_uint16(outbuf, 
 						ldns_pkt_id(query_pkt));
diff --git a/testcode/ldns-testpkts.h b/testcode/ldns-testpkts.h
index 59e428952759..2431e2e1e17d 100644
--- a/testcode/ldns-testpkts.h
+++ b/testcode/ldns-testpkts.h
@@ -197,8 +197,10 @@ struct entry {
 /**
  * reads the canned reply file and returns a list of structs 
  * does an exit on error.
+ * @param name: name of the file to read.
+ * @param skip_whitespace: skip leftside whitespace.
  */
-struct entry* read_datafile(const char* name);
+struct entry* read_datafile(const char* name, int skip_whitespace);
 
 /**
  * Delete linked list of entries.
@@ -217,10 +219,12 @@ void delete_entry(struct entry* list);
  *	later it stores the $ORIGIN value last seen. Often &NULL or the zone
  *	name on first call.
  * @param prev_rr: previous rr name for correcter parsing. &NULL on first call.
+ * @param skip_whitespace: skip leftside whitespace.
  * @return: The entry read (malloced) or NULL if no entry could be read.
  */
 struct entry* read_entry(FILE* in, const char* name, int *lineno, 
-	uint32_t* default_ttl, ldns_rdf** origin, ldns_rdf** prev_rr);
+	uint32_t* default_ttl, ldns_rdf** origin, ldns_rdf** prev_rr,
+	int skip_whitespace);
 
 /**
  * finds entry in list, or returns NULL.
diff --git a/testcode/replay.c b/testcode/replay.c
index 3d3aa01a08d1..2ce647da1197 100644
--- a/testcode/replay.c
+++ b/testcode/replay.c
@@ -193,7 +193,7 @@ replay_range_read(char* remain, FILE* in, const char* name, int* lineno,
 		/* set position before line; read entry */
 		(*lineno)--;
 		fseeko(in, pos, SEEK_SET);
-		entry = read_entry(in, name, lineno, ttl, or, prev);
+		entry = read_entry(in, name, lineno, ttl, or, prev, 1);
 		if(!entry)
 			fatal_exit("%d: bad entry", *lineno);
 		entry->next = NULL;
@@ -393,7 +393,7 @@ replay_moment_read(char* remain, FILE* in, const char* name, int* lineno,
 	} 
 
 	if(readentry) {
-		mom->match = read_entry(in, name, lineno, ttl, or, prev);
+		mom->match = read_entry(in, name, lineno, ttl, or, prev, 1);
 		if(!mom->match) {
 			free(mom);
 			return NULL;
diff --git a/testcode/testbound.c b/testcode/testbound.c
index 05982849cc29..6e88edf22e62 100644
--- a/testcode/testbound.c
+++ b/testcode/testbound.c
@@ -281,7 +281,7 @@ main(int argc, char* argv[])
 			printf("selftest successful\n");
 			exit(0);
 		case '2':
-#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS)) && defined(USE_SHA2)
 			printf("SHA256 supported\n");
 			exit(0);
 #else
diff --git a/testcode/unitmain.c b/testcode/unitmain.c
index f381b0b03e23..122f09b86149 100644
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@@ -55,6 +55,12 @@
 #ifdef HAVE_OPENSSL_ENGINE_H
 #include <openssl/engine.h>
 #endif
+
+#ifdef HAVE_NSS
+/* nss3 */
+#include "nss.h"
+#endif
+
 #include <ldns/ldns.h>
 #include "util/log.h"
 #include "testcode/unitmain.h"
@@ -555,13 +561,18 @@ main(int argc, char* argv[])
 		return 1;
 	}
 	printf("Start of %s unit test.\n", PACKAGE_STRING);
+#ifdef HAVE_SSL
 	ERR_load_crypto_strings();
-#ifdef HAVE_OPENSSL_CONFIG
+#  ifdef HAVE_OPENSSL_CONFIG
 	OPENSSL_config("unbound");
-#endif
-#ifdef USE_GOST
+#  endif
+#  ifdef USE_GOST
 	(void)ldns_key_EVP_load_gost_id();
-#endif
+#  endif
+#elif defined(HAVE_NSS)
+	if(NSS_NoDB_Init(".") != SECSuccess)
+		fatal_exit("could not init NSS");
+#endif /* HAVE_SSL or HAVE_NSS*/
 	checklock_start();
 	neg_test();
 	rnd_test();
@@ -579,18 +590,23 @@ main(int argc, char* argv[])
 	msgparse_test();
 	checklock_stop();
 	printf("%d checks ok.\n", testcount);
-#if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
+#ifdef HAVE_SSL
+#  if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
 	ldns_key_EVP_unload_gost();
-#endif
-#ifdef HAVE_OPENSSL_CONFIG
+#  endif
+#  ifdef HAVE_OPENSSL_CONFIG
 	EVP_cleanup();
 	ENGINE_cleanup();
 	CONF_modules_free();
-#endif
+#  endif
 	CRYPTO_cleanup_all_ex_data();
 	ERR_remove_state(0);
 	ERR_free_strings();
 	RAND_cleanup();
+#elif defined(HAVE_NSS)
+	if(NSS_Shutdown() != SECSuccess)
+		fatal_exit("could not shutdown NSS");
+#endif /* HAVE_SSL or HAVE_NSS */
 #ifdef HAVE_PTHREAD
 	/* dlopen frees its thread specific state */
 	pthread_exit(NULL);
diff --git a/testcode/unitverify.c b/testcode/unitverify.c
index 2bc842c75374..d3fbf25f5312 100644
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@@ -42,6 +42,7 @@
 #include "util/log.h"
 #include "testcode/unitmain.h"
 #include "validator/val_sigcrypt.h"
+#include "validator/val_secalgo.h"
 #include "validator/val_nsec.h"
 #include "validator/val_nsec3.h"
 #include "validator/validator.h"
@@ -297,7 +298,7 @@ verifytest_file(const char* fname, const char* at_date)
 	struct alloc_cache alloc;
 	ldns_buffer* buf = ldns_buffer_new(65535);
 	struct entry* e;
-	struct entry* list = read_datafile(fname);
+	struct entry* list = read_datafile(fname, 1);
 	struct module_env env;
 	struct val_env ve;
 	uint32_t now = time(NULL);
@@ -341,7 +342,7 @@ dstest_file(const char* fname)
 	struct alloc_cache alloc;
 	ldns_buffer* buf = ldns_buffer_new(65535);
 	struct entry* e;
-	struct entry* list = read_datafile(fname);
+	struct entry* list = read_datafile(fname, 1);
 	struct module_env env;
 
 	if(!list)
@@ -474,7 +475,7 @@ nsec3_hash_test(const char* fname)
 	struct alloc_cache alloc;
 	ldns_buffer* buf = ldns_buffer_new(65535);
 	struct entry* e;
-	struct entry* list = read_datafile(fname);
+	struct entry* list = read_datafile(fname, 1);
 
 	if(!list)
 		fatal_exit("could not read %s: %s", fname, strerror(errno));
@@ -505,12 +506,12 @@ verify_test(void)
 	verifytest_file("testdata/test_signatures.6", "20080416005004");
 	verifytest_file("testdata/test_signatures.7", "20070829144150");
 	verifytest_file("testdata/test_signatures.8", "20070829144150");
-#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS)) && defined(USE_SHA2)
 	verifytest_file("testdata/test_sigs.rsasha256", "20070829144150");
 	verifytest_file("testdata/test_sigs.sha1_and_256", "20070829144150");
 	verifytest_file("testdata/test_sigs.rsasha256_draft", "20090101000000");
 #endif
-#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+#if (defined(HAVE_EVP_SHA512) || defined(HAVE_NSS)) && defined(USE_SHA2)
 	verifytest_file("testdata/test_sigs.rsasha512_draft", "20070829144150");
 #endif
 	verifytest_file("testdata/test_sigs.hinfo", "20090107100022");
@@ -521,8 +522,11 @@ verify_test(void)
 	else printf("Warning: skipped GOST, openssl does not provide gost.\n");
 #endif
 #ifdef USE_ECDSA
-	verifytest_file("testdata/test_sigs.ecdsa_p256", "20100908100439");
-	verifytest_file("testdata/test_sigs.ecdsa_p384", "20100908100439");
+	/* test for support in case we use libNSS and ECC is removed */
+	if(dnskey_algo_id_is_supported(LDNS_ECDSAP256SHA256)) {
+		verifytest_file("testdata/test_sigs.ecdsa_p256", "20100908100439");
+		verifytest_file("testdata/test_sigs.ecdsa_p384", "20100908100439");
+	}
 	dstest_file("testdata/test_ds.sha384");
 #endif
 	dstest_file("testdata/test_ds.sha1");
diff --git a/testdata/09-unbound-control.tpkg b/testdata/09-unbound-control.tpkg
index e45a0525c5aa2cfc6cfd3d823ad03459c16d2a57..d7a9ceb269321ca664a02f5fa1d82389af69fbdc 100644
GIT binary patch
literal 7043
zcmV-}8+_y+iwFR_W93i)1ME9#liJ9V{%ZXSZI5I8-VzPEh32ijqZ0%=5EAF?dk$R)
zq5DEW?2lgoO`EpccKcXQ%x-5pXq1&zc~)ksx(rdbRcs|y?A+Q(T;@sGcKp2a;zt71
z0Ey$r-!O?o*S|0D0!APbMhKW7uon=F5jgS!#DAz1pMa_;%^U<@)Javk`KRf=H2xO_
z=yCr)f-c>njEisL(Ex#ApY%Ttp)X(<B1jlV5tMiVAx!{~FF@!=EBhGyKllGXz}Sr3
z!p*mC4jx?$uKdsiUa4cTCn})3Gov(g+jbJQfmenhfhYk%0KhB8c=3+m8yY~S4Ym&^
zshv13n3emq`8+NPjQNqY0JSkl)1adA<FPshXl^jk4bV=~{X5?Qbe=UtRROgLuOGhv
zbzQ#{m6!DW2(9QdeteIA2}5lJYNJpagYKl@7491Z()saJphf8^616X8h~2V%7VnDn
zpY6i$f=}#!%XHpdo>MpaP9C4%|1eD4?|-D(`c3{Pi6#v^@Bg0ww?{Z_8<6G4hA4<E
zZSW^7Ad4cC99WjtYL?YF2k+#Gz3Jgwj#d~i$ku`1qiTquwTVD;v@Vb7n)4RiRMR-V
zc3{AY23u!_2Qq`rIfKSzF4!v@elKq{ND-0-CpNgnPCne@>fVN5$jqWg!xJ8$ck-xN
zz_-w8wPfLqh2W4KQH3n_Rx%CsSUv0MqJ?rAf0Tlzv7SP6EaPiK#?!bG@NsxaWVF7e
zHzPq<OH!D1nYt|EXqCw$ImSt6NPBAwQ~i}IVLe?^c?jvOhg{$U>ed7%J!Fz`${JCV
zkx>l-jBZ6eL>eRqUs(5tq3Bu(wM7=bFjJXnsd6(LE$1Tx7DJs^pdAp?JvWpiSF%Sg
zJ91kzE^?vRKM0-H!sk34?dp^x!DLd49IesJhiU=LSucj}r(1iNEwJvKniW~%O<_W6
z9SqW+ua{W4*J+Ap0@!RpUgdOrZZy;xpNxh8mLJmfbY)?B(_=Z)$mq4;nUb1Bh^9tQ
zmWa8;hr3LyIzdj>m@Pp0aJ$^iMg=p@7MnhR_w!+w%{8dC*iQO$zamAGW~JVCIA35!
zW}<y<zvat=G#g<3wVL;KT>&_SP?H}&4y!*q<e%XRK9T?LaQ8JJaQENA;|uv8Z<@Vh
z{ztK<`#bf25CJ{s|DOU^`G2g_;AkvPn~e$%`Ne$=VCS^R(DW&zas-!n3R~zdZ^9Kt
zwTRJVYV{5q`EYQ3N*0GiL1C?fou;HptBeWchY<~J!+oWclY&>!tR5wirfHGrSq7=j
zg98iKnV;-xlYppQB6X8lM<iVoC31eh?E|_&4C;v^dXRMRIum`+g<YeT<HJICFeWXs
zoN`AfT3P0p?5#UQLK0yjsiCc%6DmL_Jz6kO7sX}K6S0aL47zh@yy~Zj!m5Zg@i1d(
z&3xMoJ1jJ#w&57=?7C17PI=ftmcT42v%z#`<Z4E^OtOQiG3%9*ht#89Kvf)pv?!f3
zP;%|ggmA+0;Vi?URO=A|Wvu-kz;XLDSnih{9BFaRY;XCdHVCRAq2ie~uN1nR4&>BZ
zS6DCZ(>&YM&!S4><wWCBGd<)0Ca{>S2NKev;nBDxJZ!qIlT1wqbF;si#(hE{>3UMB
zl2Z4aG0twcB$TcO<RJ695)uK!-9E%Ebxa354N-ZFVhasQ`va%%J64DUVk}k*;{Z`D
zLq(-oZN@Mei+Z0j&Bb=g<v>d9U<T6;HI?mm29<;%d2l=UxbBcFN^2WT8_)*AAZE+z
zT7gH;nF156ypqtopKt>Y7$Jf-*VCywn_!`bNMTV4i!E19<mtp(I#L>%@n$)<b2CI2
z)C`_jh}=qDr`s&N(3BQnj#JMi_XWAF#hPSLf=N(QjcuW&+Y7fP1Tt<!q$qX<eLh(k
z<Wj5U5xk9eO(hOI%LNwOS*9?Ai7G5bNq&%M1BRBd$(nP<9)TJ;Av(dHU^TPf>2waX
zLdJAHSglsW-b`?63gCwMELF1YVp+~R_KF`=_Rt=)5x$VR>`+)(+8&!G>~3Q7Z{F9x
zN4M3Vz3uPeGyVVhrSSXP|1bCd_;vq}9{YccK%Vpe&wwxW|Iw-c*P8yH<ti^;H|;Ya
z9ezOnFT)@A{|&C@H@qe{{qCjz@89?TO<x~>#F-c9rp#<Ky7m?U>n(VCyRfpuxVAJG
zVt}!<*&AtHq*EbeoGr|kWXBG8UcgDo3J<&h&9c(5a?Hnz-a60Vm9@l#)@r=xNqW+1
z0o-Irj`es)@8N|{;ANE6+{h@%K}%Ya6ve;?NW)+*Rt!a*sIZJ7L3YSH0nY7)MPf|>
zIoePfGE{o#AnIC^wAWXnvEUV=fe)rK&(bwd)5aqPZPfBKb`KnS@(jg0)NY>ev!arO
z*+ez@;WWd!c{MNRmMy2;j0g~3N^;XgA$+?gm-Tvs5A<whM}P|L_L+E?Zx0=N;p|nz
z;{!+LmK}bp6}zEPZ#RTXV+4%t88}A=749w_td}MP(_iap1teLK=a5qkS_73<jJ?UE
zp}3RbV$-+An9wVuTnJ)j!Dw&ZJoo*7EqG%8|6N7kspmge{XhPE{`+&_E6#t2xv3Ds
zVb;OE<NRkQ8#LbhhUEM6pGlLF?r}f#{D%X+_I2gMw-w-PUspbSTLHfIb>-9NKRtn-
zN2b=V1dpz4qCZ_PmIKE~b`rB*?V5aDV#!k3*cQw>$pKX*6q6?~15iAk78_)g_C})L
z?Tnij2d1P4{U)8`_AK@i2u-kM<kUk&KbX5Pg)#WhLGwu|WPG1z0beD&5o@3m(kTgf
z&yqQ@b>wV6Bh1hlp=?=mkf$B|AuT7HmO-y*JA1AJe+~FT{=a(%_^#uhZ#n<LQ0zJX
z{|tD_`OmDrod2+>Kn{v6QbBMkNmMSxn?jy+M3WUJ;-Nzz7-yS&7h7W9Mh@{{Mgyq1
z)9kDY;X17K+#1$-67O3MweELX@*FCc^)~F*s2Z&!mG(`orT5uFtkli4);4pfXj*uN
zfJX<sHKP6LHXfPOKwL1mmJbPT$`?Dazv;@VjSq(EIFEU~5V$q5cV+kb{D-b)Nsmc$
zL#4Zu-YUeUY!R5sPM=j#v6$~9S=g}M8Cz@=Sh32cbmVYF*NLMqb%3ZghwZ$zH2QI}
zD#$&7&Dm~%VtqqpIph$|$iUysETg;Fj2FU$NGJh6OnMwOX3ZFK3ZR%4wt=LDq#ssJ
z5ec+yMRCvBErNM~j96IcmuANAcJ4Yi!`|e0{$ppkM^)Nz9<DVXnA7Gc@9O?+TaF{d
zq(oU>2IJLawzR`hKO<J`OsOU&%e8F7EU}udGB=3n1By=hq^MC~HSZNk(CHk{f8gFm
z?9X%6*28o)9ax0os!Zi=#^sV+at7{MWi0DdVnJD44yQz6ni9Y&(V(t4N<-(t1mD1|
zs=r<IMu>8-2M)q+*7bm9r_fpnr?N}c)T+M~6s%VhGfSqX{s@2)omk`pbG1;63g7mY
z^XX1Xlvu(lR9TpWIhsV(a=uY&Mp_NJD|~7t%h8G$Hw%l3g8<2b?pnIvp-CK<=U5gc
zhdznrn6QJDD#IszBkGQ8&h0=0bGz#boed?=(!qiXmmDvkAt1)M>RKbSqwK|4k7k`_
z<z+RZ%yA6G924{xx!-ERG^y+Z*&lS`J`{00YsEpU-t8bAkm^iyOJ=>Zx~^8s9)`Dk
zx=*rwTGqOZRtcS0;0ZS=y*GdL^Pfl1Y3_b2kI(0S1VZ5^|KkYWVDaNUAp|0^=kuSR
z0>6O2+}?tZyZiR`7vLALNUGd+!E)__ky$i00Jn|7j<-a>dhN!bU%oDmqqz(G0p6~_
zcDvIq)4*#tWbL~d{{(;i^|H_-;|-UpXh!bQ=Zh#w4*K!=Qc8pLO{-y<nnmHq-W{ul
z6CQARFa!YYBVRj-q9kq?Yru2McexomN%SsF@)AUWiNdH8g?l$r$Htpi<GXKwFuS1s
z_P2X1*aG3d{~cge#Tcv7qvJ?3?%L}Fym`3r_0tXb_U(s)p69&hdinNg+J{nHKRq_*
z=+GwMPu8u?+-Zz|v_<H|#k=zjFW{BLDf&Bu*9}DnZ&UDIhR4F>JO_Ncs-1S2cp&oj
zR~Y>DY&Ma5^XlKOH98{hzI;Nq$P8StS$pMs=Zi>%>wvc|_`2x)eiY%qe($_~V8hp)
z*Ozfay{EWHd^LJ)m=n!4;z;)&kEwSQ1$+xu*6G{5@$Se@;o0m9%d`V8KVpE<n16F~
z4Dt32@Tz&Zbkg8$^UuC41irmPU)$_nt!ukIKwdpOYCqd7Kg89h|G>NNsuaBQ)p_jF
z={NW*nf~Ipnx5gQ@OAe;zmdmh>wi=J5%lW*FM7QH38T<+{r?&8$@+h)sQ;Hbfa}cM
zuyc3*anZ1HLB9ZDFo_!pOwWCgwJ+8HZ`XjoIt%jZKf&AB1>t`jRgQs|=RAFUt@W-K
zJ<5JsuwnP|gogn)EZob4$4Gwz)!_}W@_{>Zgoz#8Zr$8p?ZJk9nlzd>CO8hCL^+Do
zIOXp4Zlgw(w(si3ThM7r==I&z;}zZ;;E4SlM#whQ{J^L3eqByKngRZI!^#Dl;6Ih)
z%i{LhwFA(Mi`va^j;8T)HwAC5F6Z7{<~+31QNe37G)px_tEo6g(xNfd@$u43oS&}C
z(%md2DNm-l81`(k4_$f+PP3`b4tVVR%wxeWK+oU0@x@G!JNtc|w!$Xn%-mbwd?GF$
zA^qA&X(G?f^CUk7%C{Ni<M6VRJa_H#F+P_F%iS<(O!Gd1+K)w*ZANYrSD>{A)2b|+
zo!6K&cI#$=COpmX)-g*HbVE0C<MPrF-K}?L<nz;SSM<Muugz7n?av~#K~Vu|5N{K0
zvfX`sYHcnZ*VEi|Ugyg`I@5jVAm|GYI*AGvm2JC4@i6GFH`}#FU*2dB^#7_&c4wzQ
zVS`0Yu>{xV)@?o<Fsqu(<Q8C@)NQcYZcSEh((au~Pjp;Ue9Pj?emjvheRvtA?N_gU
zod51^`mZu6&9EI;QTtA<H-Esl)Ia}#nvZ{fb#ur0^QJx~nmdI~cD<AKp$(gzU?qiL
z?w@F(dwLN0vYoDoe_)XRau<okJ}%AOIf)#1dTQoPk@{*qHi5JH8dZ+;Uz=0U+N?}J
ztaA5pZBAt&cbz6}`DR!EcKSY*HvxQ=eR4NSO7|k<Z>Rk90m;jAj=K%q{q1q1{RUp$
zplXnxn`66q`SGOGjUJtJC&dSxuI}l6cGd^HuKv9L*tAdi=tB0i;Czhwf5D$cnj|aN
zu|xk@h^{@GN5@w2Ubi3Y=#T$Y_C#lYF!9;pPj`6knx%X0L(W|Vcu3;+h4aKHSzQg?
zJTXh1X1qJj0I&Yf*D0&}_Lq~^|Fm<Y-HGGK{TlxYZ|{ESUMBIyWoBmI7z`L=%wZhB
zU;6pN27KY${Q8w0NE4DwppW#MS@d24*rk$Gl1g={{<Qk{<H(ncr4Y|f?yv!23nOtL
zm*98Uxr2HO&ks0nLK7UKr%eL5APipBa`GE`muWe9jSID$N7}u=2zEpn8*Gjzq%mb6
zjHQ|jUN}z(bP9O}g`QQpj70pL9uBA;{}U*bGjSlHp01nQeOCdbp@+{1b^a#!{Bi@A
z?4wsud~XKvb9TqipLz%I-<(V2azK9X_i^r($oLmtuYC-3V<|^g_zBkBLV?Nmj^~|k
z7I;3D`MiDWayZ2SMg*v;`f^|vBz*Xn==lO}Jc!{9Sal;yD~2El9KZym+NJN>@JY+x
zy0*S%9$wyl0c?Qzxs1~JiTe3D)=LiL7png~_S@ki`%l<!T4Z~Ly+@Tn=bnmR#iIh^
z1AqjLS&{by?gjhg<>tvVS5e-L&qd>JFPSf}KfvH{WEMC~;E~Pr6)VGW7KYq{2~_W6
z>K@PT!#q8C{dCHTVOXxa0kd)T7A&Bj&DGb{`+l_i*M2X+p?hcx5XaVKXXO}RZ3nQT
zt8#8f2dY5+A%Agt{{p)v;G~vy2Nj0Qy&d!m-OlGvxmHzF`)xmc=TPQZr613W{{Hs=
zr4<Ec?ixC8>I(47#kd!%eRq@cS-tpN<Tg2#bf@#_nWK2M{!bdtsp5R@Fiz`zS6$R`
z6QIDm-jQSDY~!};onzZ}z3<5s1F&76x^Qy65D12rl@&O2?GDP5*9@rn?>GwO-p7w0
z;n2^1N8w-dPx!ar;eYQT9-fp+@TX7UtL8#C0QUx*=I|{F9|xp7M6o<@i>Jrfeh|5c
znvd1fH8|75U*J6a1ngGO{hPqj^OFz^q+kvE8VBfM|5sQ61K8xC#g|{98!*<JFFJ>t
z6T^f(-z_Neau43Zr{y-JSBCd=LV_>{iM)S)z02;DCciv4b{+G{FMa<2LGZpDR?RIq
z-;~^09Qv}V-#xCLoIu6$J9Z==L;mLxa^K7`V1YVu{f(acvu+M^^BQE{{XOK#;BTG}
z|K>2pn_?ot-?2CCDJh>IJH>RUQk*L}O7t4JbV)fs{znVcuWjS4{BH#Mc>kkPE$)BR
z@N4|<yOgFJ=)7#}jTd5opnKg9R<6^4u{#u^^+5GkURXRp$%jpUdagZqP~gMQ&;?jp
zxwRhDqU8`YGjJVP$eDcw#;^ufZlHCz)fT2Oj-qvFAg`Pd{N>>Sntun+?pk*g_*ktS
zLk5z20JQ)X!}YTU47FU_11#GK8&J#EXx-BtEdbBId}DOWYd|Ca#o^^4&d|sW!k1ry
z7tmCH<!upCL`7*QXHlS`ksJiN)_^(>JiPIjVM6Ec|6Ex4$~NA(|5fDw-0%MyQN;g&
zAJ_f=9%Ub!1Km9O>KZT(-2kySvTs8(w<m)24bJI2OuhjZLD+vlH$a`f4YB~7zzrZE
zLpNZ}=xSJO%MU;T@K)M`&+)_ItOieVp~&=IH++BrD14{jJozupy#>P1Z617)-4<3m
zv)Gvc`H5E+dh~7TP96~00McZT_xSJ_a1h;J0`Ug)`=IE)^1ji)zM$KW@Hj3UjP#km
z_b{YmhcEPkd-oJBcez3@cyk}&j$OLYOAg#;kOj)UP2)CKf&g*$B+ccp!y8%C06YEg
zNQ^)Bq4IwKQSyTOKkko-|IOc3AMXF;F~Au15dVAK|L;;>zyIUDbNug7D~EvJKWpRc
zz~6iXnhR&(B|r@JgPS;Tf#~E;P_FiU27C%W+)>H>FF*qV+VesCN>-uyOy>Ex*S3p}
z6gs)C>Ds3P-%}O&zlf&Ch!cV5xwd=;#1B_#&dC4zZI{3QasK`9qx?_R%Ju&DyOay_
z|Am((RE176s$QB<6*|qRdTBz{;{JD+ND!cZEC;O!afHfH8>eJb*p3WdaYSJorDRH>
zOVb!lEgqc`?j#(kTe-%Hv^WF$L)Js&D(+{cU3Zg^bsncu*J?=y!Pg`rjwUJI8L0g}
zpLo+9ZL89(Hnj(vN@wIQt413dISUI}F43g4Nw-vq!`phw5c5@)@;E_K*V(Q=TbDEr
zr=lroZ1Vfxgf?1*NpG4OEsBPEGLzthPIM-l0b(Xt*Q+aG)lnkA9`4iB8<N#6)*hFZ
ztqif3s4{4?v`3`7LA$pc5q=r!+PosCGM3-}CY3s;H#udDt2SN|2fAovMl+bKd`%qJ
z>Qy<~GDMwK;uW&43S>ZAcnWQ?coMEQ?WV-emK!q|?)+WSq5C?f^pJMjArqFOcEe;s
zk?eLNjl^2O`Lmv9+f!v}mN>}KCw(F4c3h!Xb;`p@%Z<3yaHS41U(YRV6sO)e5lG1y
zjxsV8xIwVpIF5^s$1J7OAqDlO^@UmOCcW7#BKx{dFX~CEV*$-sExVkp6-n}T-GNE?
zf>@oiVYFSR!HigDnmZ(S4gp05r^T_;>!g&Piiu+6`TzKAfDx%WRF)z;T$BFV>b6X@
zMVkm(9`aUQVCqcM8Ptu4f+lRQB2?ohlj!#o*K12^2Mfk_H5n`keT@X&O_uR7n@%>1
zzxw^}=d$a!v~gzszvKKL*p>gkOF2LPA06;4Cfc6a?tDZ3zc=$geRKZ5Fx4}KBmIz<
z1t>%0R4Ui#&M4~|=6!2`l){K2y5?xu)qA}it4ke&#{-e+`<|w<YI}=kLBGn@V`sUT
zAP}<dklak=D$4=C^IU0d^z6-OV<vu!Tf3Or?qMX?77{(2)=SHE(zBGx4vz()OX*@i
ziy#A=a08)PMrhg@3c`9LSJJlM9GCULSu>kA^8Zm1MDnQRaBV&)vx9gflx(Nos@SBm
z*>rkSjlg>=ZoNcz#=`4~N@vbg=W^R8yS&sCyY;2sg)F2xo6H@>xfc|xS8=s*d7gG9
za^)-*)onN<&?v4|nb_@nrLlymM7fG;+N93Qk*T&A29jz*X{>PbRmsO$%JfF=PHL^2
zj5VRrRl1`vyFZ??CMy}&{C|J7@^=2$Zx;W*M*gp$SNs3Flne7ek!IxcOfziO#+`OF
zVuwyEv&5O$!4Xj)Vlo?#$8#qLqxoPwpU7Jb!lHP^*@@hZ{ChHVjCqA*defjet(Ez)
zA9ni7HqG6yIN!!)pBj+EUEq{MCniv4KAO;LNF1uz0IiH`;%+Sq{xB|0H>378Gea?x
zM;N_uQAM?tG!!-q6_?txR$`7emY5vpf10j$Qp%To*`CR~!^$2zotMR$uI~B>>NSZp
z5jb2=@748Co9q@^pDE4mdu+N;FdHI}HP3ZgJf$;4rJAL>9=jvIMmXJCWx<j?Oqz{n
zQ%4{K8k`(7Rw6u`qETf$>$t1XTS7qSWk{wxuNa+XC2mP1xwv;13?|NJBh`pSCP{Z_
z?Dp)iYPI@B{_pZ)T&9QtTI#RrF~nG<N~bS!j)00`bCc+;cmo7yY$r|D>xEx6IcIBW
zoz2FWHv2Ojt9jyljylO?pp3AEG>2BDnBG=cK9~O!OkV_c3w7?Pft<LN8eioWa@>s(
zrxIam>`lEs9Xe%o&Y<FUixK%ThIhp2PIhqKY_<Efy0}wjvaTmh)=n3ijFl!pOxFan
zzo|x3s-3N!L|n&p6K7`@%j3&2#ObqiV$pufk5;>qJR{k%VId^hb;n+YsC8l*nC9A{
zCsLrOG(U?Gf8LZ3e+m$H#<2{w!g+OB%bI;-K+sIc#@T?_Dfa`0q!e<TDnT1b6A5Sr
z{jODI?2^t)UOFJu&PrU$-2jCUX}yt#P0U6IagUQd3t*nNh!KmlOZA!}J6&nQT9s`m
zR1wCVS1g8{jy7Dq9Ryj8;)f94oZ`djSWak+D&6;c{+O8uXuUFA*2A&5^p^}1)&iox
h{R`!Px|VCXmTS3|Yq^$dxt9O0@;@pGiQWKs0019y9f|+|

literal 6961
zcmV-18_wh(iwFQu4pmJ61MFIPv!h0m@4xvJTH9gIgrXleh>o>mxDNpW0YcL5MhBM=
z;uN>|^ow2}e%*d;yT_iMb!=z67gS|dRaRvczf2_sQ7^l~FS{aq8I(m^m)S#@)ZmLh
zlc1SM9KSzd5{Dk^For!o-_i>h#t|HWNEn7++=X+q1^%bb;uF+0tyeD=FNU&fqx#p{
zMRoHfCiG<qdVc?XFMK^OxR2_GG`js!9WxPc_WQa0hjD_O_a7q2`3xX1I`2P;!pMsS
z^rx)wH|YQQ{=d8v!;7-M*jn_$*vdQF<`--J@F)Q^S!UfqW@viN#3oCfyIPl+mLW}n
z?+j&Au(!-{9RUFy3+<_!X`1_@X}i5<?zi3*2H>tw)O_&7uHI2?5$|zIlI@1ENlZ8E
zR#=~SPTeJHog-dNYt&|H3al-96q5GFmb(DXCV({vH%Vu@cvijXmv(CK*W0;uZk_>i
zhZ6FG+#g#jJp{;+ciG`=q?t3AGDn*<1JI>N+n4D$>R9dNuBR7@S1I-$bI2%|)*w_d
z=r~v^5{<jyvI)1-AzVvKcPA_3!H07I1uwcPusR({C{EnQDC$e2CecD9@q<Fi@X<A0
zyRcA;TN4TgFVQNeImkC%p-kH91PG-iQ4+StV}ZeY_DE5OU3rjTXYU$8+&j`RPEcRU
zc}ryMnrBUu!wx1!qZ+haC#xQivL!C89ks9^r)AP1V*6A8_waPwUM`24IIG1q3xza|
zZD#F8Fj+bKJyZ-^%{Sn~aStTRp1b0TPNzIQz|o<}S*Y02nm3d<sT1nK>%|@{@D2|8
z%C6R2TVTOnf}HCWM%T9vKm^C0yaLhBEWajK&g8pZ6b+1$kB88Mms?YzL+iXwiO#0^
z+oc$sOTRiJikm4qaxwuma>s4P)ok4*)6#P(1&cF~qQugyZeXxN?dE*G6x{aM_yMQ8
zJy`FVBUsz>z=GL(0Nd_~6M19Sv4(O|tMoSwo&239QM6B)qu=o0I2@^Uv=%c$%9oLT
ztVRtDgv2>{Vgmu-@sb`l44gw+FRNaa%_Hww)KEZvxgve95RY3W!>_GHfKs`~Gl{Z|
zR9*2+b0cYe10alzY;4mTIGA4U)^cr1`vzL!o71W_ol||1q?T;Z^)>$SN8s`G;dSo$
z*XrN>+P|ky;Qw3R>vy~=%Kw0l-@t#EKp*iR#SoN0i5Cz8p(Obg|Gxx1!GD(D+Oi<C
z^Fe)&{Y*KrENu=fYjVWi(+Od6L5!nyCQh&CG!dx*VrbJ5XpXkDEj@7Yf!oda#SbA2
z__@-DE}m)(w&!db)3|ihY#N`RkS3HfPo8<sZSym45HI{eV-6w>J3K&-nlTTM_~@=X
zvhc-6a45*BMw7*pMnfWNT}4awQO@M=v!H2A)M<`o67%k@I1V7VGS=C~ig*w1C~8R<
z&dwL7i#APBLTU1vXeews1yx0E=ndo5lR-m$cI))kX?Pt4u7gqLvs26E*tf~eKAl*2
zxF+Q|cmza^rMfCzP$nZ3C2IcGOO{P2gA>Xzq)zed69HufNA{o<)4>WcrfRM=6&Wbn
z`QDZk&md8fL{_SsEO_g#K3*2Uyjd4RivqpRJyYt0nC=2X+MN$aCA7;?WzMHjtjZQE
zkNPF>VKyu$bfcn}=D-X<@p#o-5Tg<eIaz_*p}aCJtw_pJ!2`F5O9(BoV;&A`-I}~H
zt6&VCK(uyR;mS)q3nUvNHdq^V$gm}}8%x$iA8OZ|OL$pmplmyEP;5@gn%2t8(xy*z
zaQzwoesQe+-ADc_J)z&g|F^#Z{t*2CHvZ$kz<&h6zT*Fvpx?s({1N}nJN`Gi0y}wi
z=7s5Bi2wYBH?<k>-r>LW9{*=tFMgq!7w8$cFD5<2hm?&EJl&4b%~z?q)jbQif!=t;
zNKP<rVtn4Q8n|pb8WqpRMvP>6Qlg^}>qz5B>$(a9CE%~ft(l|vRbQMATMz&*0;Rfv
zik~!ns><Ufmh;p|&qK|sml6(m8KzX;8lu)-El-z0&U}1Addm{&$him3F}zhZi@`vS
zD>jyONj-ezYsSQ)rnpEcOAkCv+s_zuURG?<M}X3ytWbHq!4$1GtYu!TSUjivG!<k!
zL=ibrFDGb<50&ir!d{x)G+$Gqeq<bRb&5nF0||G#FZ^O>`I(HDp^5EB@kk}b;Xqtl
z7lpc>B&5DvS4;B<2Pj5BVYprCUUv>yNdk_fwKRQopDb%cq0g03PDl2_NZFQyl5wKp
zd~MpwSvh_X_kP9wzXJWv`2P<jfqrlP=L!B}F!2@tzXbiB{Lh|#m;d3o&kd-7k0a{O
z4XA;SBkIo$s2}q`f{jKfuF0{Cb)2HC_R#huRfx`R5Y>q>d+obP;AJ2Sxm2HRVQ^eQ
zB3$ush#Ud8Y_H1Bwd>85h?sJOsVy6~YK#nqm{J`_AWO>PY?M4lu8=t_pSf2Ys!Wkc
zDf^s=0LR^`^msdhII`qI_vR;_sifVS*x*-l-|2L_Q?x2RcbHg6^ke>~>8j%Bm|W#m
zQw?AOi)mJ>B1;-Jwk;83yYn2zZz^T)NvB;Q5dujMPPb9@K@7Jz+xH|?ofJ~J#w!)c
zf%SOHaDTJC=YJroE>P@XLY1V1QWE+ZlFEhL9qb9Bmi7i!-N7qhvXCu_^1MU8<7%Ly
zMwr3OX`rsR(Wc5QBc}+&w*yGBC~aOaQ=x5yLA<5E^3#~!GYuyAb*G}WRB}oT7>Ho*
zt!lS%9W09xHETNI&~vS$?HvCYs#WF{m*YODy$n52F6{V-wydIXH4l6+^(EkKt2iQW
z4cQO!Kr$%7l&H5U0%2(dhiECJ8gA#LEQ5-~mnWM%nuBJ*eKE?JmBxMq9D4VvGlYlg
zEJdkFTAB(&YnXH9!fi~Tc1_4(dLvlVlRyxhBMq{kYvpu0twmP|2MXZUwOi@e{%~yf
zU~uA<E?5U!HpdU@id_o_-@IYFk{z9Z|EuSJ?)m>e1^XX$e185PBfiG}UxYpr|JwwI
zkHnR>dir7r!dX?b>xvoLrpQlM&Cm**4A*pg_OVTJid0MlEOo;}2zXv|X_#($&k+&l
z%IRlhQyO-sq!_)-MMPD~DG|=nI+G*6q<Z9#2=0d2wHttQ1GL>6Hax$_ybg^8Ek>D^
zM`~b1tPw3~T;?)angnopNVwQSR~8kjFj)>y@Lxm+kn`G;#&%#~;hWGLDaN`QvF;a+
zb?ruKq@mL}HtbA?Y_#0AMsW2=#o-(mFzTBOdIVD6mXnwc)JjL_vCP<GjOyeO?Yr%W
z2wJdS>qBKvTpk=<($2LM7mV^m#5`aWhYUQOpkbMgS9+-;d^AevJ|XBzwT{8%Hm%*u
zGE@<|v#B_}<3Ac2Nju2)7_&47$euJHvj-ElsRo`0SgcllOB8-LChcw<s|`h5VcuMx
z*c+IiAYbDZu0qF2<K>fq))*k>y6=r1e8+#vU#StJ`X&<O$kNdwC%(l@vrX#IG07F-
zbyo>pDSn@T7s8?%E<;A(3isPKNqOd|xTo~oY^Hh|1a2L{z6|nwK@AE`Pn%&&Q_6LF
zG#s)~YgexF-1blBr3w_$c5OAHP+BrkV4E#lcIp_HM*-Yl_E~83V`UB&bu2c<jT$Xg
zYp!Wgl#n^&f5f#kAls|MnGgrrbvtSuMciREj1k;$YR2Z+?cyJg)g)?Xw6+{#ue9Cu
zGBz%Hx`pM2nhF%?Vm0jhLKa3k8lAz9@A$9ZG#DL&jel~K&4sEjnaG|YmOFzGw$Zbd
zC9Nc;&{lCr16xJLEuv?nA=+)ria!Pd+?Y8rXeTtffQ^{mZhEhb+w|~P$Ny*8RUQ4a
zI({Ah5eS9feE*-N`2C&$0^#`A@4sJ!zFmC#^5x?B?SA?4Tj1M8Q+9O_E!uOm$h~H^
z(W0LXc1p5nF`T1fk+eTFcWE5~|Fw8|T0A^}4{epk4|B7Jw>|!6@%{Jj26{$5Ynjcv
z_?g{CO}jXi^&%-2kL8(}c>b)i@|q?o;<u_k?C^n>4@3a)aMv4@d0rL|%^8TJ_I2$Q
zVVS?K%DP>kfTJ@TN9SG}o2~uhciXomKycr&{`R-`+{JPM|NZX(yV33KMtxR}%<?EW
zmy2&c9QbMNo5fE*eLT@OeSX&ZuJq})AI{=w?YTbp4V@4Cqjd+b4rk-vZIOjV^ZMSP
zXn^ljPPbm$yk+aw;$^jXKZoaz$(uflpH4&gkd^TQ`RRLj@%<aK$=r|M{m0W4-5GBS
zpO{<jrO{#@`;^3wM+|79aPcx){Lp~^xKH7~{{jB+fen8Ee|RUiH}6}#oADFrQ^P#A
zdCIuA`_Jc=cc04Qr$y&KmfjohZL`PYIlmXa7o>50=K#i*|M8pq5r6mw_-?Me%cLw`
z&VRwXffhf#Wk0pq`(-_~+Xu`im1pf2c<sl$!Am~a-Pc{Uc)M3`WbZOPGyln)fd4xl
z>MQ*#>G%8punGQI9l!4XAsmI?=l^ixG5?37U;Y0VA;xPW-OHm_&!8W$o0puF#j6GU
z00CUo1a(rij|_-<<Cj0`v8bcGY#$N)vD%jNC~O^h_g?ewuUU;&77Ht?7BIem;a4#B
z3R*4L+1D%(2wDM}mlW;%AJwlGVg0ahAJ_+aek7M7_GWk00PH+UT-LW&3xF;2sw|?S
zeFd<2$VF9Dgw4$Vxg<qd^=kh8_U!WRAr4@aP5ZoX765ki3F#xY(%mS`KI*Q>n8T7N
zd<6(zl6AAXzYKi-j{MIb`}q6f_uv0{lmEdU^FP?v{QnoB&$#~+;$U3{7ZLCO!2O?_
ze&KK0#f0?t-+vFIHofQlsrP?c;B(VeA7`t8&rMf-oUH;rH(mAV`#)0E2kYwrTkR>g
zxt8$`Ce-C*lga*k#M+xhQ#_Nx-V%zt5KK5@Z7~U%uK}!{s`KvTV-^CD;V!quCG6^z
zM`UPai`xITcbv_MBiYaBSM+&ZwKK~C5*cP^Z$yqF$E`b;LKBrxKtSD(ziuJ02p)s&
zv3Is;*I*;Pe%&v>?tao#qWwx%TrG-bV6MfiFrOo}@^ZN9)%8?!F_;yINI@&d(^`Y{
z4wjule`>~xES;|8m*xH-++MJuLSwzm8k<V56fR6^T7DJJ-Oho3j`n>0|Et~q#q~d~
z{r_O>mjAs=yS)A<oiWGq1i8;><rVcmd;edhPW?Z+_WJst<$zmkniki9WQu53X6v?U
z>1sD8ri3MxHDUpNp3UYWu?i<{vN^K1Fa%BuPa}GMqAjQqHw@>zqvkprqdQ(Nk?E9U
z&6d2P*VJGdjTq9x%GBF>tmLf>V~IqH+K`Pfm64e?Q|r{IYB)GwY_z~Ul3A5?h3gVk
zX_jaN%S=90lHy!P%@-J{nH%fHcBIs;W}m75Nw0}bzS;{#0*O^$$@X-!lIwM9Y_{B8
zL^6G|Z}d67s%Co8c`#d1G?opKk>w;dv?jAiskIpK5>X>p>qT+XUv2{YKv>t><Lq3h
zW`=?6vZ1faZEHD;LOL9!!s`^Jg-T`w4ux=DRidfFq@|jKvd}e+6wH#hRHK>pnoX%<
zaaE=CS%GVYb9qD3a&tK~NHuQtKR;W$eEq-OKYGy^&#nK-z5fpd?fM@oc&q<^pY{dF
zX!XAh_1h)Az3qBmYZh@#fGbu~Md;@h$xqz3+Z7Osk|aT7nRavVV8;!jO1IMmps2he
zK(H{@D*D7oiDtH58GuF;&@^Cb*=DoWB<M`3gBJU|qOKpN0@2E*+r=6K8l7wl|3O%m
z<tZ{AdVhyzTD@#@f89fo{vhcOk^V60%mO)^7fh&?ZFX~Xv2w|b{5v+t(C}}k=NkH>
zMfj?AS^f9xN<dyv{}&A3>ObD4UHSZHC>JZ~%b-b8YNe9Ua`H^Cb^=8<o$C}gfoL$C
z;n{3FJPeO#RWUN}(L{({HTZ=oQkH17G_GuEioEs;iAf>gt@cS{Xf4IK6{<-SsYXxP
zhPPEn>qWCR>spOjpVUzbmx@yLO~hNLr`@GoXA`C3AQfq7<!Gjx)mO#BEMBegky5$V
z)Z}bS&t)djHLOB+{U2@ilzd9n+BG`f$&bWHWignu%&OHhC4JCeRjRpJI^Ij`GlpU~
zqmjvIlu28P&>FUgs5#p#``%%@AS)w1wvLAT>G(VpF0^auOmHLiV)N;&$F<{wS#yx<
zM3qD?vgzbAiDsIWNkJ#{uFkiEs$OYrMuINoXr7bgys#R~`}1HuP2~y(yU4CqaH6qd
zzJu#O_=Pr3n2mB@oHV9HpJwY?yfy7DjiwZ26UAzEIB$+Ry&*5w3ybI|-DAuSo6dOo
zHfw|}+FZc7Om9M=ZdTE)5HafKb!8q1;Q9|LKPwjcT8(ds>Zn`dq71C1%<-&g3}eGg
zJ2K`Bx!Ou79J!E<ayP28Y=uZOQpqwiiAJbD??h&l*DNdt`FfDq@FgLbo=vP0o$ito
zM(kE$!b*$^%N!HVThSg@O?0Pqf>c`3fmUKi1Ey_8mib}7yQ(ORTnU>YX23?-dPg#c
z{TXAWDx*?-6zOuxus(`55#k~v1PNt8$GO%tK*u7HYCpV?luaQP*21|J#h8mor_h$-
zO)CQfWQkp_;<>;qQSGUvK|&m6vbm5*6y-<_a&<Pqtc!9>>ID$yp;=F`O_`K4sd-_b
zO}$=<jxp<bby^C@1yagn)0{l_TB{Y=A}ZFR2#wTa#l>O6s*b}E@02dY(gnKOh^HE6
zE+FT!QK%R{|MQ<u<bN+5<GcQ!iXp#`{C|kV`5zf3vHy>SA~*m49_`8c4?7q9CslyB
zPv+5Za5cq9MH7Ol4k)0=Xa?*U9-P|m&$WCLVmjJR<o@5lCqqDe!6eIsXM0YM!`j%5
z6wlp8h=%jn*C_&uI^1<Q2bu)6@*Odn5)L~=g`fLS{xuz~0UBOa5aoyk__jS2JS8L)
zCwoU^n5y5Y8~76l(=l-8t~iCiBk<L4XnEx)(GO*pceu+bPI`d<p`jo^#$m4ucF6e&
z<mZ5ubqi{Dm^EV!s^HF*oZs#G9P$Yh=w<^##TtmvF$UEUtMJ!dG0FCuyDY)!#VCf&
zsvTpuEISsdt(+|2SOMV59~KvE=wLiuLV3rg^TK|t)8Is;bF4O=+&!TeXF#vj6r_1j
z(-h5Cl$SB(RK0jb(;#o08)v6s8Wa`8nnw-tpVKNHEu4^E0d5Uc(=d?bA(qO}LI{w0
zvZ7C54HiHVN>Da-1u+gjhsoP-Nf&$){K}4y*>9)d2PpfbLBt>R$NceM?b4QA#m!}6
z+TwX$Mq9XJ0g=xL$et?DO`eCkeyDVAV{=pVyrCV?f0dCreEI+blTfe(6LtyFhX58P
z@=Q<%vSRrGGB@Ovk=u1hx=?T^_!|22a<jp}pTLk*|NZ^j$#2io{~C(HihkLY{0>=P
z|Dt?}|NKRwkKgX^oRPoJYV2qnf^5DzvpwV?vII`ir^fn14(;JV@OeJDfZtHbe{nQX
zU&{u&+By+z=_;$CAaykzv$-(3h7=5ctxw%jGul>ToTtVP3mO!V+nTbXPVnlZD@O|K
z@;=+5mfa+iwtqST@oasZZw}W!Y-mYv_y(=-_2HproOV*7bheW-i=&ZT&+2@)*U?z6
z5|4A;o|4fH>@wv%2mQA4#05rh8<w^~25c1h(T~~#DI?ddy9<@p?(u+o0M{0vZRAt_
zc^&?4_qQ|9YiO~f_0g6lioH}Kh{9CRPhCpXb9jD$`!OcSrydW9;B-TOGU>$|w$~-S
zxW|=A@1A$>ACX<0k&tm5ux7%d*t`-HbVEL1&@to%96IT89gCQLrdFkk%m;7?J8zV*
z9P5qGnJR)DL*s-|mm9&u`2nu6qbE?jwS)K=>-c!l%gFy?FM-!5_!wv}d(IsH5{$<_
z>2N$^P0{!a1jWv0vF)hp<*UR~QDV8hRvnIUAc_!Id5zU4HVd~O7Q_mi+-7A-w9qw0
z!6u>Asvt}#$r)*ibX=(WTHShy9L}2`T9708T*qk~Q6EmRUK5bdbpL1A+wNTR1ME#O
zCDmU3^DLU&VftlXvLWseBpOUK)dRRQ+f~=^R$Zt?cp4A(;LoefBkT`Yf4WwQI{~`3
z(4JUyx)0^?h89|hxw-3>?p96*w+}^TlOZa~97*G16SSdEWc9LsZ^z4D99sZ}vKtFA
zM}n+8mB&c8b-+QM#oMZADS&^mkI%sU4wMP<q@w62?0qd~TkMf<m-{EYs<ONN;fU`N
z&YX1m@xJJvza2ahO?`q-3N90!4SszZcedM`?=W68iwC>Z<v7!A_uCgz@nruGBIkJF
zd?^{n{oZsfDk~ORz$>b2pZnsyPDQ<Bt5Z?m(kbf5Tn~5j@wyNthN8H(aX`UO;990C
z-TxXS349p!=@T%t^;Z&n!N0*DU%|ZtvAyE;g3q7PpMpYo5bimO=D<e+_w%XShg!GZ
z;xLRkMBo$^)2c!NtfBEcz)zzhYem!d=pw|C5D{X#2B*gkx>o)II7Gl4gW7+5Av}my
z&*Pdy!OWNdRa0z^oS(sS_yoL%^aOc_0?`c&Vygdo`3cT3Pkuk$>~j0b$GP7T1aR6;
zYkVlaaro@e&{!V&_u7LQWUHV1T+t2r+aA&x#tmqrwiIm+@$rUdC!41r@$?<YBjP=$
z<a>5BdTc?Wf9}JTLslLjJI1u@V#gJXlKlIWTKp~B74QF0eoXxbz85|G|3A?0aOhV5
z@gD8z_kSqwT>s%3WmoX=y)iB>{J<0l3Rt6?2r)|c6-x#-qN8_$U_bw$P6e=gM+M$+
zK`sx4%bmNmrpDytndeVVc(o^D2Vp2c;j@kJFed&P5a2Q(o9H?Yj~77va36NL{p0N9
zg=0KZ|4WjO&;Q3lA#DHA*v<amr8%`3glB&^mjpq=gYsNc@);Anfv6{OV8*Y>Ndo&N
zEZ+zZ;)YLO>nP+VQASL7kj_Bfupi66Lm?ko(e{w>ZWo-<6`Tc4G(|DCFqomT{pJDu
zO;CI&`|;t!_qEU7rkmJL<|E`s$FIcxFcZqSAS{W}M;*_2cX=u!L5@&9gXX<k**<YU
znWP@kITX6z3xg;<IoREi<UZXc&Ya~Q!{IYl;>_{w9?pG+OPo8gJ%O}QI-3|iyy`*B
zaaf8IuiYJ15HxgY&x~)*t8%{G{p1fX+}f?(+O6H%t=-zK-P*0)+EwlULptr_0C)fZ
DTMXBW

diff --git a/testdata/10-unbound-anchor.tpkg b/testdata/10-unbound-anchor.tpkg
index 85f63e842b1ce6ee87549c9a9843827afc23dcf1..de8fb4df78715d4ec239dd07bfe53a52d0a5dbc6 100644
GIT binary patch
literal 13085
zcmV+&Gvdr2iwFQu=l4(m1MFG}lpFPV-^<1;UvWchNCSv9;enN1&3_J!wCpaPOZP|`
z-4X>d(u}0hF(b{4W+Xw1*AS<`BaZ@s5NhH;VqU<Mv@}2q2~c<mq+m)DhqIW3=a9s&
zjUmP~9Hp~s@EYS}xoW~=zg?~LKfiCj>;L=yS^$l<<$}_dg;8EERupwikW^>ihf0t|
zIEKx<0~~`6et(Pl0BlXcT?hu@eGouV6zQ{LAFddOr?#f^s@>jaDs5d<|M<N5#y_S6
z4r_m1)bz89qN<NI#l{EbF=JpCivBVC0}MkB*dIb+%l<e(p*}nGAw1u_^a;2B=nRpJ
zFA%X)OgtIz1}GxQ%=X&YK!D05DT>I2%7hspiE<!FM6g_-)~1YL31bP!M<rUmM4*7s
z97B>^ieRZ+hprMVS&pP_B*7-hELj(PUX6`&CR5G@LrOkSF^Um_tC8Mv+RSI;l>$wO
zUK8rDJ)*-Vi`FaEjnHY{W_9-1Dr2%VccAlN4)Zav&2gYeq(?-^a;;UVNj{GWkp#zh
z2_j1NIKnI!YgD<&5bYSL<nod?+OEL~IRe=NT1BKB89ZnZ!J^^TYg)JGtdt44mC$LK
zRykBxy)FpnDGu*ct8ghnw3-rYgbgT$P<q>@7L##*Bc3Ii3B*U1K&+Z+DIGTC4w4-z
z;E$lOP_x@Yi@m6xi1}TFx1Mq!AuS#^yNz(UnY1MsfJJhK6J}j`#90i3L@g?$jWn(1
z4N#7vQHto8YB}KYvs#tYO%b>nK8@shsy|6ZeQ8@8<@7*;NztmA55qVd^J;mOY5KE*
zC#)x$Es9a1Y`dyrXfxCynIKVSNrLcIX-i)$q4{hCNC~vbF_sTd75Y#mre>9BauiP>
zT@9<yF*cG0N;c5(yV`K5L}YE0N6!TVf-@0^I&QO~<=YWH!Q?G}Y6vVQ$lZ)k6}#@3
zq~JKrc${9CPmw-vP2h!m2W7i90k4oHMsh|NiV10MSItv~q-sHuQ4k5~GG8sYd}cSo
zc?`OP=P_@>P394bhRA$CptuxcD~H;2B16WbTnf=!YE`JgT+;M$wJO{w_mXZL1ZBXQ
zc@t_Bd$DQ)bWxXwsdgJ~Q$pI5U}Fjj9aVfJ)oi4=LWeY5!2pgGQ<Tt%L>RNmRr64m
zGbe4cp~FPzcZSnP9qNar!{>iZD$A1oVeyzJ|3f(BI^_JvTrSr_{y!45)*cH{3EVzo
zal543)=F|os*95V#>XJ*2RLQr?1rL>XV=88Hr8p>ZEGz}{HZxjT(iAn7gbU8+12k{
zJUcYANE3DYsA01yO;Oggx?O8X4beV2E83_e+fUlRt9{hk!+z468_kSZZ0&Q9Wu`T|
zNL1}_12VG<ON!dC(@fkxYNZce?b^>h*DhL)ZyzZt?Ydx>6@6A2BZrD%h^kbwb}lNi
zF3S3xG&7PNB+MKGikR(ty9|e6w}0n3hRs@0!|kI@Rg(8F)DG+`SkLr!hPv3%KR{|Z
zeEf&T91w&#5FA0>Gy42sJ~m(cV-VU00Ez(sT&|gZ;6iY8A^wj9jSV9%2pSGVhUrKm
z#N>uy47Ve8%ubjLK@_WLXTa6X<)E;SWLl&*pMXNHUa>%>i4w0Cq6!rvQ%p&VJLR;{
zMVcnt6|zb*m9CW0JcR4Xw%dfuxnzt8#|(^dF+p!oED#79hoVIz8H>{@;=)1CLTOQt
zzsrRj@pjS)3AoSM6euy6h0A`wlvaJX$0e5_+#PlDWnHP}-41^cq!A@7)A<~kpfd)n
zgyAp=v(2i*1)vNbR~t-&;~H>?XJalti{#h>(Io>aT}}6bNl8VW88gWE<Ng-r$(kM@
zmV>nfTxdd}KnMvUI_GVflauz-&XENBq<uCP?5EVU+Noc#5=2k5`T&Nw3Sav3JlNkQ
zy^Hv_@{qyn;``?@PyE9u0uG6P-15SO_&*X9+i%=aE6I<}oG`pTZa2UfY$NJrMV0hQ
zW86vxr^FLP!cTxxZLA`+>uqh^-i>74RW(?ta$1f_C``H@=2SJ((Sj+`)6z9pIiPsC
zxTE8D2x%lN%0w>+M5!Ln_~?q9Y=bD?qj|Ezx(UtUtR)q$ma1bKU8?vwtm|PtOw=f;
zMmCZqYdBO25-R4yV$L|C6&!Uah}KIyQ51t2tzaN6!I?Bn+|#09DI)jKqMXi(<#sVr
zFM9(K-bxupPV?uwjTo+G;|1N<&L#3BRme3J)7fm6gmOot1B|3aBU!c{4H;EWfv9l;
zBdRhe(MZ}wG~(fWTjrFqT9idVWK>(MU8qY%rqfhp3l5Ci363CbZ>n>yHyiT9B~&eC
z++iPUCMXVb$&>^VF@wYFn5*O90qa2%P7YTU6K80QK|5{9M8hr9s8#56(Af~%e4bXj
zxLFIA^sbO}WtFfV$tL+|S*!+(Vm)H$3`RlOK%AGuUdkD*OQ~FdCh`$8=1Wt#tUDhl
z6$=*ECKf4s7^OrNK!s2EWM{^LKnSSGyeY<oq)Ma$u{!E;aFt+#_fu+8_ov%ACYrAX
z_-HKQ3y?-9Pt=@Fr0aEgvpFQ5j`NXtvdDxpMz~l{2)d5JqMlAe&IFUGR4X$YX^3Fl
zj+#u<aHrBnD_V<&5*@J(cm;*M8Nb=;nJK~Bjff#N)hQzk&I_32NkcsEt+WckP><8o
zDOD61UCC;RxKT9<nILK@(`5KAXr*bi!vxWkSLZb*(cugONNKA8#(PZHjMvOWAc?x1
z`vrk5L1d`n0Lg5ro?u!+heGQy$?OIwXU_qoZVRe;)iw?#NW_CBP}EO!<pM_v8sE%k
zVNXLV)g4Y<YQwZ#3}i*1q<NZd#hL{*n#3Y`*6-<Xa-L351=d~1eccY0A`w<ABpp_X
z38z&eZF|c(ETuHvAe^L)MwiHgNERt~sg@(zRO+=DXT~D308?3iFG<uT)msi4Udo4*
zbCIf{=dprUuSqZy(b+_WOU8RqydD%Af@YniR1R+In66~lhzC=sPLu%7aL*t1S8%q3
zvZPr|7F&fj!_@r;WU=&OLiui{Q)}ltU9Te@;L>cGYbPCyiy$L(7D6NtR@-SbYEtfu
zUS}bHrxUKk88U<dkrvRDRu6_)cO>fc(Q$^VIMPbY5$J?Nfkw<13}clF$S0GUyBEmj
zO<Z?sm0-yY^F<-5N$GM112#$#OC_l&&BhIYqIn}i#QdVuB%`o{h@u`QrBq@yE!y#R
zJ%Xt<Nsvud>oL;PGdzfpD&+;GjWnzI7GP=}IZjo0!feFZT&JcXDJj{Y+uZ^i>4oaN
zm*cBl(veckDglIq?#&fwZ!@h1T87IHweSr5u|Cw_10DYSpDWHj3?A?0{vSnW&VLMr
z7ViI#2+e2z0x!&z?H`E8eD$9T!29tZGUEX=_x~0Q1Pl1@NYKRTmUU-tAT&vlCr7{-
zG-4O!q9RCgd2%F`^p3hmPM@+(BvngM#H@$dC1G-epivmOFz+Zr0%8=!arda(i^8Kc
zf)ap6ftU6mBX&(`t3`2gq@wH1ai>$@b$(3ZWqwRi%d_`BZ#td!w#JOZjaWSM*3mRI
zHsPFow@rk^E-jTsO`jDYRBbhM+!(PNd|eW}s?wMofg#JCA$$~INeCLB{dLU#9ofG;
z$(N^QYnln?n=RYK0h~L9O*rQowu$|`lHH~_1ty#awcZ+<Dqt=i0Ui`70kp(hA7L03
z0E(B~1ppwtfV(lzjDNqi+FI#6@DMYNgOob;5gj=5#s8r<d+&$GeDxm;umkxYM({oe
zhA;$Ki2ox&(8i$)7Z0!7<lpr2^8TX+wrm{gSzX3Je?M3X4KH5gSTQ*8*+qTO(z!|f
zTQ&}y32hw6K^yxwZW$ct9~c<!dnP*)+IZJhe}I-BnApF_T6Z#70WDiRm>L@V^rEJy
z^L21E^cM%F4EL|z-wPeTW;sA00B`^>7{&5ymLo8LAoR`VyWVGd=fM*6FX|hdez*^s
zesEy=-o88bRQRuddHgr7pr(&JaMsdYcb>dwSbbykvWIT{-(&i&{r1f(n!BlsYin*k
zt#Z<7KXUK;l6~FQwa&5ES3d2KZ@&N0<Auz?6}KO==A|j@#_K<A+jD7a$@Ig|zWCjr
z{Qc)1+8v+x>kX?@Q%~Qt%C~Imm@VOFyV%8VJih(voi8ulaq5cp89P?oru=;H4!0fr
z>m5set$pE=rOk8B+WOghV%z`Wr%QhEwL32uJ@Le&SKM{1Q{Fdm#<AOizB6}*zQ3-z
zB)9_p_3q~{3f{kJcwn%<umAd$&~nQfgQ??I4h;<s3|w%C#s{qj{l?(A+kW+_N1z?;
zZ>ivfn{GRG&zhxAWl#Fbd4c1=@0Zj|&*lBz^&2kSj9gWIuv|RHx$>f~zWR9dyfvjO
zhIpZUL+;1t!{!~tx&FJ+^%tyrWc>2S(TiNa{N^R>x+k8z<cFK?TN~TA=Y{{emI>XH
zd)mHt(PhUCFB;l#)A@lfa-K!_Z8tt=u$M;rFTHGX>-p$wzl)cD_Rz8S1^(`#|M`!{
z#>V&hU%cj_k!POWyy{;D$ET-lS6@NgMcjRz|94j%J^aKaXm~B@($8E5HumqeoNJHe
zg%I*?O@FWx&N=Ru>BpgC<|Yq<gB=<A+}y|_u<{@m!~n=cYv)FX!0Mr+`(BxNA+mn`
z<FDVI|K;&#Tr7Skdc`WJJ2z=1s6*A6NcrL>f4?|5)W7cF#_EF`1CVX;lKtxjkAhYl
z_&hK$(6_;|=v=#hJ#^Imr#b5F{iht_=tI-@oWou4y=&L}_J?*8?zy|W9{YCuv1R}H
zy^Y@-fA!4Ek@L3>3=!*J>7m{iM(*CWlooa@7GFblr<d&0WB<JL`>Xew+0`3v8GicK
zt<$0FOG}8K$oGD&_=8iIef{?UOnv8s2agv=$*J>JGCTjxd6w(M<02cU_eDg{{r~hl
zdgG_=9YUTer_uKPi?h?Vn}=_Ir17omFSl=wZjx?U_Q03k`111IR7UXKRtW}U>gkj2
zP1}`YZoK%)%vl4!y6}{1<i9<M-IcuPod3S#qfUmOK$`FTf9rd@55nVJ<9`c4f!X>G
zhZes7Ju<X_|NnpSzgsN8A7}hOQ~$qD*nfcD3;stjbf*5t@P+#Sh|mK5U%>wh`2QXF
zAA#KO#Q*2-eR};P+rF`FL*|*+?|$hwH~i%#Cs2P@`2V=cm-^LLrnWr)d9n|@v>o}I
z@Q*Lv@r#GoHsc6*O_{vqf+y}ewpTvm<R?$O^31QC{;c}5wVtz+uik!gcOTw(#kb1;
z<j(E>fqR=TUU41$aEkr8;}2W^@wsuZ)`P$P#0~#G^@Hob`slrv_m3K%*}V70N0yy(
z-cBa>qs}fWu^AbIULMh2y6(Hz9JiTXe&<o2KjYl{km?9pxO(#{_t*+y@p-?U+`RkI
zzq;niZBIcsvgJP4{Y!SNe(j#*`d!;Mj~0XncHOG>K9l(AN1Y5mf%Km4|K4XEFyH_G
z!`T0^cjZlv8cY6vJ_T<);k85V=8(9?>xqW|aY*7u*T%*Kr$C$nBtQ}S-4~>u?ip{}
zJwA5U-q#teR;kXcL{*iURrS-u`HwL^MqqUC|KafK`u|nvUqt`E<+8FmN<PVk|1Hdf
z-_URJ%lb|IE&BaeFpvJ<(---F{-6Q)TkJo0$cGRx`a1uA6?(P*UhThE`|s8Md$s@m
zHR%`D|Nj|Vxxc%O7w`X|_{a1ANS|@A|6b4ke<hmQl`q?=Kb*Mz*)s=LH><Eux`zSQ
zuiP>!>T85KSR<e327~^E_0uP4XC64*S_4l-Z}9o|08{$*P>$_C^<~2oX!r#<hCu{-
zH^$z<6v%Lf2@d87u(YGB?q7cS4)n@<aDC6*)BRg?$o95fdKJL*we)64_YMS@JbgH4
z4=}06`h}l)RUiKp68xli2dL$9{ktzpA5inEem1R-2ZnAwmpI($1L#vbixPimMYXHS
z_uc_BJ4#M{TYn>C<x9u^(B<rRS^+QOKj6g2@lW*2LqGnJ0S4lA{C@@d5zPA0U-{+v
z;kGO|Tq_0MD!MpeLfivyO>+SbcLV|8$LkpP?do>h_TA07(9Z*Pl=P!_4BrEsZ0g$&
zS3C(|Nt=uS=7pPkK6tFVqW?cM2I!o+*n*l4(ljV5oUSW6K(mt7&jD^;bRQxQFgV5(
z6&cj5erD(c!2Qz|#m7WiHrAXD+=Dk7m>k}Fwy$){4T7&X8h`VR#;04Mx^9U4gW!7^
z!Z#@o4;!X>Wf@1Y>&M<y!yZ50D!vEngSc88?Ny29NU_+qvXftQQfbwU&lpLDN?qCI
z;_7nX_UAn4gchBI{BmQ*cp@eXVMp;ss<hS;B9Ntj%0k0i9)m-b$F)l=<6=tsI!>Fu
zdhl%3^mGA3s74ToBNqz?Y%R(2v!tAPLZjLWSH^Q%=E`yu<+X57q;0Wx(%mfQWa+%P
z91oM(N`f76pX}L@vEwEFOhHF_<ge*Du|BO0e{@Qg7PJ;1BWtISJZBFEZ9|aR9WIM7
z5p^B2%)>&ox^&(06LxGm(r1GHFW_Nta54-0bry){=l`og^~W!MKhR75pD}?w>VE`2
z;6LCf{_6kvD)b5dk8aSQs*5Yy<iLKkKVkr}fhJCAdOl#hAgu<?T^qktm!0D>wWpY(
zfLa~8S2~CdY-ed%gqg}}3VSOKmL)(x$s;`-!xJOVie?`MDhgSPot&N6eZj+HXpD9u
z5kspBk4N+*jAs2D3(aYI%|IhGK>&@Z?1ovPj#19$@G5k7B|$Ha8;?B4tgVqaF^5sA
zD-McQ(-MgtJ!PD7dPkUi?OE;#Q1Ec!ul#y~P+MO^XQUg*ZHA9M!ci_Vzfjj$+t`dZ
zw%mU3iw+!5+F*8eqU@|{mTv(P6iv45+HYrDV=>~G>q4US@?aL5jh2ikWrWdOXk;G3
z=ZF--g+UYkR8meG&Gj7~&>f<SixJLDcvP<0OVl)~E_)*0XqpCBU5b!;(5*C~^Z1e=
zq0EUyXF3*`4D%^;83L&vT-JErQ1f$&*6rfL&uJt%=bi4zDTy319`d_=G(HjX(Zf{v
zJeqjI0o7wONn6Dafn&xlS1Oiz<Y}j#@nkD!WhP$E3r5GznJRm$CL<~Oco9iVblIKP
z!8*0uOysFkv3uGA@Mw>pHYa^^Hu$KMAjR4kWtQ)4O$uq{aE=8lT<x@2Ra%9DO<9;6
zVBVY0YsXl(qIUt3d2o{aDa{=#*j$Vl{OlMcvT4R^#7;Wav!?O5l$Of$xW@JFhzasy
zbijm>6jUJ*oLyj>_#><lcsGJo>cY%+Ot~e+n#iclOl*2CmH`*xxn!d}+1RRtI9k}o
zHi?=6Rb=xeuwgO?nNF42VI{WMjGUluL60s4X5%Q|&&~W+)l5^LP9YT9HQ5@o#kfrN
z*o3ZA=Q!N~N;pDe$&)k|s)Kx$x>%K49BR0xV0&{+pATHflZJ{9@x~Y}joo1b$KtY@
ziqlmbh5$3Nb?zV?Z7M1Wi0cUboGv!r_QbR`ztA@Y0qNwZJh<}-Wwy975_M_k_quQz
zgwAoy0R5K?F-sB;ChaC_DQ=UnVMRGcTPk~(mMQiO<;Czs=Kc52Rc-qWm#bhKLZqJ_
zHNgPJfkde%e4Sk!F0R(*%s_*HnzKC9QroH!XA)-4pnSv9_9^9e-mVuwRHnFs#3fnt
zTVO^J5j;_M2{Lllw7u4Z5n@`hI2ottdS<B{;pRMAJESJ<UC(3p)GFB|(eAi+Idd0C
zKrE$O&TLE9$i{Y#pAiI?$*v8#y|q8YX~me)Y~POYh+SoyW{#_3J*vbLxnu}`E8Anh
z@yqfIEm33+FZ2wB#kJm^t=!>Z0&aYPq4#l|6M?zjm*^83)3cM?|Mlei7ocBT|Nji^
zzkyz||0XE<wEh#f^?&ku|L3dFOZb1Y3&YSB%`h6P;5fX%I&8r|hXKdZ+ESY|EWKq{
zn#OX?ssTR3_G4-6itl&PE=zW1U!nb28olEEJ;W`i^k>k1z$3PwC<H%88|+)9>4_lI
zEHmx2=d}~yCH3Sb?F4v9J$Xqx0bWv1UeZp0m(-JIwG;E{2?3wO^i8Mnrl0UtRNpxJ
zQLCn&G*NM;In!8+EOreu8g<^Poyf`Ago}0LvcS&DHV1c2OG)f2Cu>R{XFRbM%yLs$
z7JW#)<7{<AyV;@kt?kq+XBSv!r|4lx1-?JuDnM%PTW{Byl#Pd{wCz_rY!&QH7`5BQ
zA%#%-$aFJx=>!v%HgbtgG8mz`({8aNHwn650nS!fW`fD*EFzrnnao}EeY|AwjY;-a
z@Ig3Vw6JiY;{t2AfUBZR<GszKZmQGT3CPw1jzk*CS*(y}4^HjBA57o>8hxq%uPA>%
z0MM8D|1cEmt-t<#@c)mISNyN9Lf?Sj+}%Cz8^62z2KeUT2p3p~KA757F9Pt~%j=3g
z*M$Cn8TfD2kXrh{e}H!Zcz+Mw*G0U)@3Y-Ml=x5Z+iyQs^h|o+%Bkv89;0u5$l;_}
zcJoR0k&*56O%`_5kM8|LQ=b?3td-A_0N{RT*Ui&3&+e-bP<8I7Hv=d4Z-BjDe<<zD
z%hL}<Ue+KAsGLbJKB$Ur{`6Lt*=q=xt=WgD@4kDC1xFzA{rA8P(C^b?PvJM<`}aR*
z=a&De#*d-r@?QB%?brvtb3O2F&-stw+a*2cz^jt>Jup0@{wsVHSYwx7FVCS!;$_u`
zo7WzAyI^JGgUK1DY=CzK_}Jht>}_Nf_&#X7`y}6k==*OG@Y`GWMfRt+|M-;qA>twM
zEbkv#8_xe#plAEN{DGklHw_cKJA-#N_~!Ar(VHuGPr?J=-!#!r7<owil$B4S9)r)Z
z<J$GlqblD6?|kr01^v@hh8F(`JqibU1OEFn0&?>#0N;Zr=NbZl#*RLd_J>meJ_zrY
zcJ0Ct``DMiy#H@F?fd6}!2cHf7kHTe5p06MulO%tgMQ`t|7jrbxAh<X<@Ntl{P)}X
zkHD|{|6he(@!wzZ-(T_HU-93cng1W+KMa7^W&Q`Y17Dc`Ki~hG4D&xS9>4DYeHHqm
z{XhC~{|_zTrMX&h!C5Knbt2;BV$Qd=5H!$4vf2&Pu!0`P-4qUE(a@JIKt}0w6y>nJ
zMJ+d`E(ts}_o_XwXFd&&l2g2k32g8y(WW}vH4ej9Biw8;I+rIS`62@L%I+}wq>vnP
z!s(Tly7Y0{sUw|2y9*YKO{$+2jcR*2sylp(GzwMOPF=>lxoxswxd$?%uDf$G6+@j}
zJDf5q*9(+kB3P=+tcd1hWuslCF-K~P?;`$SQYyC=cTL=Cc!!xHuwK<&ROfM4u%W+m
zpZ5Rgy}vQk5cM%yPIu!P&d`lv8MbRk?pzythh>U-v;a&T<{X|W&0v=YaqXT`{*;W?
zljZ4%Y_hW6xb3)JGDo_RrEbMxilJ=~DmX9>vp9I8gAb5xUZ7(-pW$?cWcEck=$Q^>
z=9DEgxkX#YUX!})*nDC7D32zE=j^Gp)BBYrnv!Y^5aSl2HCH{R6GNCv#wfNRjf$ym
zrwhCWso^#`)9DsAn9TDVlvLen)K8t_7>x-ZvQ@xfIPJVT&V4a5BzSiqbt5L#3*rvD
zO>!+)XP2|l6)CqO)h*CVbDnORe0s7*9;H^78c_113&rW#f@doj7xs~;)~1mQ3z67`
zRETY|2|MG{+920HA2!B{k&&oz*VGJ6yk7kP78^I;9Jo1(%s1PaOmF=hCeEh>T69o%
z<-!^#OERR7M`AXe=-6d%F>V2qGi61SbppiP9FcO`3krOFo-EOpm+(5By8(rk@Ql1n
z*%hAeHjr1V&Fr!cr#mYeU2M7+26uFt8epV4U1D9&1|G+;7;I{KCGR3r+zJ_tIR2)Q
z_S$qtk5=$_USD+1k5A+MMU=#aPdUX5NaREmd-W*|Cz(c`luTPg6Z*iU`hM%FtdQDg
zNOg_Onpsl_U*QmnN8`}2YMP=a0%Zf5m`p@RXuXuiYt9NQ7bXJP(R60BuEyE+5UDzy
za`b`qC(E$fZWYVARA^|<F4AIx&w!IF@HGuXrzPQ|zP707)Kdz{ZbOq*s)%pW&D<v0
zR9eh7q_`Kf_;k=o4CZ+!z*uevw8wa}EgJ=g>Vr%)6v1t`vXw=%6(q0H=>>OI>6WNV
zI;GF&J+aKEi38<$*5r(K%&aA#bqBGdXt*Xvb3tCt46U(x{cR+OO=L|VqC+ptak`cE
zq^ulD?*NTQ#F$1WrAjt>fndPps4)hSE*9%_+Y-f^Lw15p`rC2K=R#T%i%T*cd6z9e
z`gApZ-T!-@US9w29@hW6%CAqw?`h-L?SBLvPtYg(Z}|Ne6v5F~`|qpJH~)ZoH5#fy
zU~u+6`^fLB5WEA2A7?ogpkXYohr6R7a_!o$u5Q|&6}wi&<V9CT`>+PTbH4{s7$$!J
z<we%lvap@%9;A~5yrx%Rc{_jV-CqluVN`)t9@LFp`d}X(eir4yuiNJU`#;_HqN*+<
z=QJEEzaBUr9LUkfY}c5FpLZER?W-TaCaOcQXLWe*pJZQ2ntQiS^i})-4s8{FnMQT(
zdtg!K=g8{=b!gXD-*=EFN!~=+9_%~mMMI&guVg5e`t`f#`06<iJ~DJY1Dp2WwZ5~%
z@%C$-wv(Uz>yg)+pt8J<T>po@qI!@)($_Uq@zmh8U!QZ+H|QpIl=|hfvZ)54d?JaD
zJoFv(P7iMVKbH;gp>tl|>p6Z_U*$VUD*JEtp0znqW!w8T{E9wKs?N+9BZ{viJNsTl
zRD6H}#>c5$IS7a-ih>W!J@>!g)s4?2Gn1J;m9x*@Qk4`o-K*EDSFeWdwTw9M-^HH_
z&;(S+vo*&*aGD5+G(19oOOt5Yq#1sUcMxNA@V!_Qc@@>zyaGrc9uvmfpjbp7F(}vb
zq0bF~>YG?q0DTvkQv=FPtQCO8#9f#uWDB%306ox1G=K*o8}=G`&>(+i>R5%KnT=J;
z!^$%a)yVe`=&NNxL5fsV+pNqZxNpePgHYfLDBp#LJmREAR~AZT6_ur0ftMA;;svB6
zs<M!8sgkS!lnARp+X#8Yie1Ea8ZxgaNRp9IZ`1?;2k>Q9R0UqSLW0QES_MHYT_FI0
zL<txr)CH9<V2q?I((%iNNGhT_FLP!1$>xQcpms@*ML`vDZ$;=1W>OZ`wp^>m$^fj<
zk{go3BTQUDP`DZ^)cL|S-iIwph=1Tk6)9!5RwG@?Jl<<X&^{&*<#_;A6WDx>4?6)8
z3xdpZDyHRd#{uI2wb~U@8ayZ98@|H>9jx5F0;t&ZNTR~SsvihqYpB51*%A=;@yi?`
z`~abFEt#)lbfqGIQCfLL71S1Z3?)e_5R?^Oeh@fbxkEKcA<Swi{1x<}vbb{$1ULnc
z;XdC|1k5u4C5S37%dH09w*Co(+y<@y{VX&t5cZPY>_izPxr@PKP7v;2p>~;va*(nZ
z(x%ERW`zR0<J9Ad(5H$&nj9!aB44Trz;KSoPbCbeEhzjafW*pzf~yE&*KHR1ZDG=h
zm;kfz_DFTFh%k{*L~P+fz^I3nu?_$?gsr+jq0-{YTgG3LuR!Kv0cOI##XrEoFm)J`
z#3GR|i9S`}6%}NBA7A=j+;MfyiJJ?3=Yrr?Frt=V0<h`vm;Dhy2u%ToaXcYWSVX)m
zvUUERd~l&SP;pTu1<wvR0a$W`!Cq|esI^_=CAb3HRqnG%eE#7>xJw?43-*sf%ewHX
zJP7<AZ=A<9h8oP4+AdB4Rc4j)y+70v_*q}`%>&X~T+sIH1qMke5AtK4Rrve;yZ0})
z+fBA%Lr$%Q4WGTV!OhoTv$W{~#k_UQ1Gg7xx^DVD`siyLv~icnTTVk8r@>t8x{F(6
zd9(YCiK`IgKEeFxIQLWc(>1l6X#N<{bdrz@HWc&2orM!3lnj<ro&30^OwR*+KcY|Q
zf2oV`Q{5$v1{(hIN1olH%R~eo1@;0ZsQ<&w^`WVcVOq7w<N-j|!(9$Fbol|rrY55A
zU~-`@bj+2@1c-sUh#8-#3wv;=X3kOK4o?WvuqPCmnqba%a0w%0M&u6EkGj|?U*s|g
z*!V+xu%IsP?x>5;pLTeE-7(twMMNuJ5m96Z1@Oe$e}SEq!zh5M$cGy<Y`;4_w^P9D
zL+cB}9B4}i<a4=2dH-zYn3x@VN#al4p<9G!XFM_bSbv~n9KPk?)<jMT+<v0P^}uHW
zsbH>Q2Tj91k-Y*@SX-1rnGrUbzNYW^X1G%m%h7WGcDwyN8!`w+%Yozr{<;B5vHL}m
z<AvfnWXIFVWPNCXl>{FsG>_Rtc!%|ZG=Xly8aDA0HlV$jgbf0${lzu4)0Ef%UG9b)
ze!UrL%wAWIAB9c*2xU6HxvOEBQ`6J1Wjlof{MqI5gDRe{ZBrJW0KCL@<5h~oHW3PR
z^BB|J7=H!R<451b^tkeuFg*eICQJ`v@l9tC=3m^N1I0rkG$iB`{I8xlUjk9r`oKcJ
z{KCUz`wuAkjoPaBBetsdq|<%T#JIo2wv@u2+H3))h{Ap%(6hAtp=mr~^LP(X9$ywy
zL7KjKGz0L>uv6yWub4+&qe!Q(RR4_%_le+BvG<pU*@QADn(eTL0m~Kt<N@^$0`WHr
znAP$%%e*&i%LXf_028#u(lf8HesaJITtZ=rcTzp(#jDyM^7N=0jDT$d$?(xZt8jYB
zkC^-Di2K_C^68LX5@4Yik?V;*Vrw<9trLu}y<MXiW+0eL4b0Oeo)4d^^DeLD7mz=x
z7&$1)0>}3;v5^9v!2~?nqZoFG^IV?v5z`EVG}@{YyM#5vDK3#mQX%Z=$W%But<a9P
z(2EE&o?fAuJu{7ek7mA22M-R+&sLrNFb`E{t2H67zNI`TCgL^aA-eM~bShKQ{#cVZ
z_I2UmC$A_e$A-B3Wc`R@g!j*l7FMN~X7gKGdR+0VTKWOK)YFq*4tg5$@<>m2^`7gg
zZ-PsJUk$*TIDA)e(#6!ptx2+1^vmg}z+Tv^LXAWo`<}Z7PF>Fi0s6Q$`>)IP833ra
zZAWqge@G<Jb)(ohnQpPy4lBGVD#DyTa06sd$mThFdV7F3gGZ)kPQlv*KS?uI;CAEv
zRye?%w;?Vg{8-tbCMU0yV%RGU-EjW^&4kglAsYbKu4mvELwF&NPp(d8&IVHkj-ymX
zZutITU(o<PaV^w$gX_qV=x~x<pe$wv1o0Cgp6X$kU-+566L);)7J}N7*9SY7{D{ku
z7ji$63Eu9uLo<T!Zol9Hg@V~h<%n5CcX013aPFq$&Bo#NgHP$h39M;c@cf@y(r2#7
ziT0jQdIVqhv>D}1o|&F)$?Lp(ePq8V^*v{AniS$K`b)A#xklWvVuXA!t`R>ayFo!_
zTM2}_^1^h>E>;W-54))J`6d5XukZN&|HHe$zP0}=l}$d||CL~p>GS*l_qe{b|4STk
z9Q%;txF*+MB->s^i<|2g8>z_opUD@_|M0DPUO3(;R$=9CQ7=8v-S&E29_nIUt*`4U
z&%j@zK58b~xa>&?sCt2=_k|<2SC{p5vAOFZo#;<0E2Etr*V@HpH#uDCqtk6()R*>o
zE#^jnPdv!w?9;sM%oJ(9*$n;mkjXWo+(Z3g?Xv;htJEpW5PBRxR_g;{W)0lASel4V
zxzf<n2HQ#%lC~#zEU_``&q_Th+AEJdi+>8*dTBlM8q0BxGMm+c*%;}YlGFB=&Dv;{
z7yC=A*y&B#s-=(O<ALG((asGWH{uNMmFk&M(wvBTVbw29vKp1nkCXKZ^CVPgudjRQ
zrXsYOiAhjc%@g*GWw{Hkucb3xdsQnfe2-`6tF|=h4qZB~21Ve3Ua7Yvf7#j;oxbjR
zTBVX{raF^OxX+7U7n;YL=J;a1$rdn=hB~wE>iq)MTHZ*0f64TR{h-E;!AYIRnYGDF
zIl0hc*iAlX*tW~sW6ctz{>@FxeBhb3VEECB&?sao)TEkjt(2(KkaG$z)n$V&-z54x
zKTGtcQ42h{crQDS2R92Q*BK{7dL&JGN6$=CD<_q#)+FjF>1dU<zA&@h&giK)(!`)~
zGw@3mA0$?CppO=_PP46aqwXjwKTOhN*-y8tophbs6yme!hU(Z0D;w8nL9O=NiPG$0
zt#vZfhGx1?W+pdb=95h(<<L30!%a2Dw)#Vx878&Of7*7g@4nt(|HHM`?}!HRUGX2n
z{a=a9`TXa*T<7=?=lBoj_z&m!59jy~f6ePn=YM`@AgJ%y|D9pd;rXA$dHwe;*LUv!
zPUT9&;Y4U<GHS1?GfjI_Ox4nTf0ARJO?;D7o@$L~iRH{$m6mjAQK0Ok-|^IiTPdtc
zQlobxaPx_<$t~l}xL!?W7J<l{y`s)JHN9Jmx1yppAMtB%JudTtr85?ln@_9W@Ts0j
z2)TjFwjb22J`alJLKW<$BMK@k8SHqx`!t&lZq}=ZYBQZ^-?XH~B;IDTR*Dh|Wp2ri
zTz#_<IVPX&%)8pUSde_9E~I+x?2w~}g4~o=`SGg1>gL+P#8<|K!O+V@b>a$?Vx=}2
zX*IRS9?v(&hxxzBF~g>_VzP2Em-I{H3E<kul*}l*<h$JRW|d0mmDHFT_QvIekd|zI
zA!f8`m0e34*Ad!2x9&~62J_TTk2t|@+p?E-WwRzd)%o?jn$+U)j%swfl&g45uFv$!
zt#10}p^@v&v+1>4FD*sWVA5lDQVO05awB00adom%S6bPbcQ>mbzX+ziianxwT7vV`
zsCH9X$(f;$3pyUpFkF#VGZiVZVpeq7%r94FI+|m2u3UAarOjN(k7`V@Vwr;;#rut?
zj8~dA3RSgh)i;_mDn2kZA#IPjZnNNM`RT@Pj}u&W(UsBx!^v*hwU@Rn^F3~=SE=S$
z2}X9oRT{LXN11$cmK>Lu%_gJVOvKc@-fZwSev#KQeMxq$K&(a^ft6EbAs!7Zv$&x8
zu940gsoB8EbkoDmB$=qJ`C8GDo*DwvsADXoZZ*@(u1w38Dw_>k>C{KMKxfN2g)VuN
z(rf1isYO|SlA^LF&*U^KK4~6b>tv_JcypAVG&*)qwC#GK<m$nEEItWZx?HSD^ZZaA
zuP8UW;S$^^olAnZQY>%yzTXSvOslRoY6j1=G#Rj9IW8ft7-OPUl6F5@UGvS<FrJiL
z&84a-sTGv!17p4f&(>N99WnnP28DKZUSpIZo6fGSQ7WMIN~^rg*1MHao`c1xlUxep
z<hnSfWJQung3P2VMN^Nvaqp&5=r&rqA0IYyYAZ8z$6Ov}-g3Vj_j+?Jx*9TSV^kV-
ziWAuwSyZJhw%3|k%1YXUYNV^#zNM_Yi>BRN`RS4qH-grKY|*w;tp%lgCa=!Kn|_Hc
z2erPlsNSrogr9TbGfxXPc`x4ZS9$O%gqoewTG?LErAv%dl9dNqWGDF`nXCJTrPG`8
zkeMsv{`!IUD9g)gtAs6;vy5p*-4r*ew>#ZdzAV+-X=O?KbhA7XONF{E+p^28p1O0R
zrdLKcalcpzB$eXoOuAhvnbksFT=qLzF4Ohg=1pRr9k(V!J6kSynWnTEa)s7;|Mxeq
zx3B+y{1EVW#edqa|5NAqAMbLV<3F9_Kb_-0{rTSOzV&+D{{OV4AGzN2{&%1MDT(tx
zCDP~k@9%P**MH~r-+BFaUjLofe}B#Et??i6{;D7C;~VooP4YjI{J-gJDns)Brq1iX
z_qjfV=L@#mcNgyVkOo?K+5jJIgpx3<-8B`y2e_p!3^z7)7qR)$^fobaSZheKC{0~z
z8-p<R<W5bfIVG8;BKW|_?ulj?-tAGyzyH|<-i!Q!qT>B^t~bYj1quIXAKx1PsSJIH
z|C%P_KTV(af4s}}#rUr--ah}15nzvc*@b-lS|4u?{fa3t+;B(v!UPNCuBV6qdKMFQ
zY&*{5%r?+2qUlk|KCI}U&P2UF{;StfnodVa;-YKgcO`%RuQ$y9bZY<oH-pO)ndCYC
z<NI8POkV}%B23(sMhW!R-0kQN1@6Ke$7cAXY0NU8Tpj+e%vo$;TBZ@RY-?l19DC(@
zF<rB4Cx!zn3}aJmpm{N48Q8&}ZcP0rUEh=c@kjgk#`w=N+xWi;CYj76GsOSTp5y<$
z%k`!CKRiD7CyD@n9P(XisLFjLwnY0?2#PgM;*Q6-U4ZXxjB*?oVSCasyeH@UreRF)
z2vtz-|A|kKKASlIc?fB+KXSi^6mrn@#;~^9MNJ4RKa$dqByNH|AVJ^v(YS`hF*`zU
zaD>}pm-G^lzDEB-mS@gT<fCuuOV9iiLBGZga}}R19cOodJUkyRRjG^cxcK(GI6ieI
zRbkn7fvMVsGY@|q!kAy|!vGBI<M0h%qxA~)m-w7uh?BE<LHq8}&m(^a@jVzo^pG6j
zv|QKNhQ9~ouE?2V5`780QIaS5<J3hhxrV^i_H9t@T^@nYpFblUs~@IexQ&FRmjwm=
zx+j%7;mI}ub1WcehcOO<i4#FF|EOe^^&{vKtNuQ!z~z6Vzun__8ppu|c%X=ctJ<?*
zOCykYq@CC>Xsa+J2?3U-^w~icyPNBo=k`q!!3Ao<xD1m*AHqG6uT0M=Pll8Oz>^^4
z`;qrL{YAn8QfE(o*y2m1Cw`1{AcjbAfRF1w$DKKnS_G%9MIbsR3lm-FS<$at37Q_9
z6!epkw}|_FXbponkfX^T`#2Iv*8lWEWU1H4PT}h(lO0MK@Hh~TfBX#fhK8ZZ*r6Ud
zDD=T{pc8;#IgSHuKviPv^r1Ed|Mvv^E3CvX$X?-P{}01VJjY=h60;YPKQdzv<1w_f
z#O%Zt_5>dYc5y@)bNbTGq(eS`Kz+~D#^JefVz02tzTRaA`MV$A=TMFV@8OQF(DA>c
zU!I$}KY)qevwDx{`|uhOUfVuenI6n`_&;(T;|0qzA<HML16F-UBOLpH9PkFW;MSUt
zl;spDKnuD-G;^EE+@^4@X*zKvn7cdN=5c#o{1#n*zI;)Z*bfOJvu$_BvhpT-B>ugo
zmauj^MTUI90Whb|hD2gAU$QeBvhxq%58yxnE{+N0nm+z)u=BdmM;e6~y)tX$zJh*n
zOTpvB^~^`SCGnVwqtc%thyAd*yOa3`smd2#9X7j|Vg%l<;vM?`cJAc_Ko|-F;N3Fp
z!h$@ApaH@9&Bs7u135U;Kw!gzJ#BkDWq|5F_ciT{l^62PSYL1Rrd^F_J3=hQ>E^xx
rEkplzKq_wlv0Y#D)OPQ_d0Te?00000000000RHL$R?uM>0Pp|+qNF@m

literal 12318
zcma)=Q*#{*phaUlX>40fW81db*j8iPO~b~vb)v?$ZJX!h+;8T-+{e3TzwFsRV9hMD
zI0T3kpr#T8^p&n&bFp^nOY^S?THpeS+qch?XkXqMaVQvb%sb8j+K@GBueay0IwRKZ
z)5vx&O_gw_!x7j#nn!``s4a{)36ls<lYeBPjPjQ!7P&v>c!C%PnABkI{U~uD0U&7?
z;PpFIU>G@!JULDb<r&W<bu87cLks|S<a4RrXwIR1H{NrXX1cys;m?Z##79$jk3Cps
z0ruahjQST1r!gFDP{XVLi%D%l-ODJVB~5IR_GcP<NMLgW80#D$7UcdJ<b%m1+thX(
z-b@q63D3Om=uteuNykbI@6hiG7epziOYu`Y#iy{b9hiNRJsi)DjA8&I$gT-Z=DT;F
zXm&Sv7EiP*R8E18<r+?x0UzEKEN2uib^Oni#Gn8|tM;s%BLfyY2%gb@kr=mPCDL=9
zGILlv<5lNdKbEyHjRqRW4u-KhWdAGS9-kL?;+2idn5F0_J$aVb{ZRDf!Ss0QYlTp8
z`y$HyD!Ha(PLsS6+x{A+>9xyE>vrd`=~hkksE<NDKhk<^y_Qgrzbt!O2)jpSC9xZB
z%oIfaPs(MzIm}>W`0F_+jt*{oK6un=X~98d!go~I^m3v_i5YmfUW!Vpc+SVeU!43d
zg)!CvgYx@=8ktM~yp{^aH05$jhA>AIP&7-5tGTtPaW(dB=c%oVO`>g4I`Er|i2!L5
zyrbpSyy1F3&LZ>H;OU2izETy7tQiGDpo<}bpV!563KU_Kt5bEky|bz6i>-Nju4#MY
z(L0pg4k4lu)qp9R*C%V)F17f~Z?5B%zYaGu{F7MsRFB3h+x6~nXfB%C317`N_l!qW
z=6#EreQvQfEe@p(_rA{-d1rLej?W7?%3pH-`*Prb%zil@RwCIqbjFQ`OLJqRz!B`!
zTUx%0z3i_+4^SIG!0<D<w`~`7o}qnuv1@HF`6Kfp#9%k*)_2S((}jC&z7r_IEd3E(
zSS}tvsAbbUk!+54JJJRS*YS(xQK_10VHBB{K*<_-+s$bwVzmK+d!NDQY!8zQpI_iN
zSNNe}v|{$$uQ!_}inCM^wnHAENUX&e9atr`-Zwl{?xGqD#wr1uZlU{f26e0`5qRu6
z!yi#~LH?_CYGP#p>|$*O<tmxpKt9YS=#K`@x9>VzPnX_KQ}hzm(*17T!-<{e+E^lW
z$n^DM@lCUz=e;chv3jx7RQ9`xrq=M9Pz%@Akn*V^lQmSzhk3ytYdao!iM0TKY!eMn
zRm8gx)=lr(vF2#pJwp(RQ+k}mx9-;kqx-m`il!5@I`W#%;x|R6nCBCB{W?Y_)k@6S
z`jBOEDyo51bs_5Ux}7dn{&B;1RkHIvFcY~~Mo2tq^hci(3mdYY|AJvFFG-XDcIZ}g
zL`h{bQxYFF{cP;6j&z`X5u;dt>H1lqu4M|l&;?_qb}b}yLk`*UyYG_F%{<eNAzKS&
zW$`!xjGilj`9+x6HyFNaC`l_9Y|e@@Qic#Zn1G9BOr8A0<nkW(;E59SfWGWX4xPGf
zVuKO`ro0pVf%D9*V+zKWzt{+9UdQgL43zMBu~RRWq;DG)3TUUDEo>&mE*T%>EksmH
zI;@fl{ppNn>aeJhM_TN(r)ze>ESIn|SMg7(aQ=0TUA>F`gX4h70XZI;Y!X_sBaHBA
zN`@{{FRz&puQp1tP84~~->$2eHVb@cDA|KFz2$5P>4*;?T(XE!(ao7V!Q=8`J{lpc
zC0<73mqT}gYu((|qqVg~RO||JTF#M>Fj2*V{rwL7JPRH<N{`mfKd1Y`;aSjqjP5w0
z1it)&!iex&xZQ={rpEE%sNMBf3USRyXWwlmaFxYHAjEXYzvbRwO!nfI-Nn<Pu{}BD
zTA}HC$#RSA8#?$QaqGoXC=&06bt0j1JB3Bv7AdY9$B`^q2~FsvT+zy2!w7<x$jscE
z5T<orrz|yvo!$P*<E3+{gio8>5$Ovc@f9jV=T4VTHZmTIQN{j4KSl|VbZ^|867pUt
zW_8=f_pFUoo7rZ=rEik%A%ROtYse|zj+&tpZ=C$DImf@Oh<e$RTXB$_?y5k6eEK&~
z#^YIP8NcYH3|o}kYMtpbUA?|zA~EHg(2y}kEJ#IHyEnc;#H6g}wOntDuW7#`ao#{6
z1g2)Bn>~|4eo^4f_UKGOr{eC{pY$i@1{q?xH~jX^0~bx(YZy78-rho<#-)I-dZJsU
z0(^w5#&CO0rm^KJStXj?;!uWk7`<?7wtF|mSY&nD<&U_g_FK3Rm9Ij`zyeV!e{t`<
z@b95U<$gQ)w5~r78Uq`m?RSy$tTICe%s($iJ(GlPzOXSLD*4@QAx0i*{4{pVy?$l{
zh(uMj5yy#gg?>)mT>14tQ*#T<Bm3U(b3M3|zuu*F6$WK-?Sb9^(qS+4_E5mS4{+35
zQtt`{OzfV?C74YNU=Ai51=Cek*HwZOy!xG2!1(V9pT!8Fm?n>a|86btB(VBx*5o;e
zVAJ+Si8hBBEDfr^f6%|R2ULJX5-J^pV~|~bRe|5_ltkp=5EY6aS%-y^f4_UbK+VDT
zaJmrh^XHNdlqQc$^T}&801`2NHPB@dy@U8>t#Osz*9EJw^D?ejtM~gQuIa5ap?=m*
zE1@Um{f6+-dFm|C7_Nqa%Vhnq7?ZnBY@vl(BJ5kl<#P$mh5*IjCg;N_8%pnWnpp>W
z|D5xssQdlTRMoO==V2*uL1F}Z5zcJ&DD^mDS*us;=jyb?z{GhrAbikv)i51(!j&N4
z?9W9C$vL;^>B?Syyv#?oM?1bz$Jp0z6*xZZ%mCLezRQaqzdPFl8Ry>M>De4ez!hw;
z(0b{FTJffk4pzpm*xNpYIPS|rj#d4o84S1GHA!7-#n~JWpEq4<gTi`mH1RH!^?!T<
z8_})dZB9B#0i^j7kT<NM1f_z_thcRQ;#=HV+8c{wfi+H|2Y!D0qX(MAMXXl$;?Ti4
zcg5RA^3&qmGp}MSo`mK)3`Xn%sB#N_7PAMo$!haer0jm|YLxRKHStrJm8GC(NWRa@
z#g1*h9un-Lwit<x=zyhJy||AGyjyN8=3T7<zYE+M&%!jB`?-kk62vMyyWMzq0zmM^
zTV%;QPuD<D1vm}>1pi^(GXa6K3hP0;|64%TESL`z0t_Mnx^w=j2FIxl1Kz-^_4Qw1
zg}GTEcpb(7#4K=`)gXklqrwpkfXas5bJqsRq+U$>>phdnRq@<fEeBCo?(}47fm2HS
z9*wn8jWOZ3uvV8exF~|PKXl=BD(p9YVq{01*_hrNvCQLN@%W6Pp7-O^*6$oEEM=*i
zT(Nd+h+wwc@$>v?P(IE#T|#T7!k}Ap!94Lh6<6*Y?e=f_TmBJZUWh9<N2%3tb$fb&
zqJ=xD5y|~m1K;qh85eG0NM03@h1Au@V&Wb6yMRF9@;!2p76Cuyi`mtEmUPO<NdhkI
zdvnl^0$fSCF-P!1m{MJA8fNKp#r8M{orR4ujcTE@qB1+&sjuSElwki?o^TFdEt{+*
zv3jAWzJR27Fn<g8_*6~dByYowZgX#M96_&9*L3ACX;ou1Zf1V=PJmU@j^58+9m@%o
z>~t5VT)fhz@8=4XrN!qigsBPh5t#FoeIc&J9ctG*5md3nMk-6eSxf9co?uI+=75od
zBS;y_1CMes%)e+ebEc)xf8(m46?U7aA<G=8hP{1|vq9GtrFoEdKj0e?w1i0cnfXT5
z1meXC1ma{VOni8?89+5KO87)twC|%CRbo9Ng-tyg_H~iCaEUZqIs@Qp*j-15rcI?9
z+)c06Sga|={jb`_;PvEw-%&Ur)h1i1%uM3cqjZUAjld2L<T1_iu&ulY5}+iLW@q$f
znqr(MW61y1wc8*uT~Ule<c>7lbL%KLz)H?DEq8>`&|%@4$@RBwoanaxAV`Pmctor#
zt3Azg@VA{`!paH@O*<${dQpcrt<b52Q9>z&wF>Yf4rOS4)5wvtI46bv!-gJvw(#KS
zd;|h1VmDAn=!D_{r=O;b>Iqb+m$rY{S<(+Ya&=Eg!Y|~e8jZ~{2vymOB1Y~@SN<>v
zS5?xsm?oH=(B>Hl$g+m(C+QWq`Ju&?FmLSMvu#ZJohYh;z^H@nlEkUStBdEJWY7x-
zPPJ$L{2nM8J^jGNo5uL<Slti%xdR~@uzEH;L|eI&g<8rC+Z~6evH=pD0$gr=EzZ1x
zAwgb1@SOz^JV$E;e*4b(s}~$sNFN_~12$V?`Z}b4|M3-s`0)ZLY)uW`@OZpF*}U$i
z1+SHDqHjKXZi=*(RXP-xoHyCy!Wu0&)q6hHZ|>;2K3h078EiO$F+uKegY2MfZH=mo
zIIQsNQ5O2x>&<{}$JBOQ3E;hBamLT<w%Yn_e6De?z<M&dR<tLj^ctqN%U!;h<~IAL
zhTEpD4LGeHqv_^pVHSTPy`*nkkH{wLzuHNfS-0y{O=g!Dn9`aOgLsE04!W-uR;X+z
zYA#cKK5Z^2;#RX*QM;Z^nwl75{idomy@V`td%0Vg(pK9z&-;SVS7U)6h^m^SmxIrB
zwNclh-_GK!F;<4`FVc#tx+aT`x--;X7sMJL{2Jew@2(92lFdl*vE)o?Cq~;XY^6X&
z>;m>0`1sFnt0w3cpNIPge$(!$RsM^&3L07{wIB7Xoj(ogbjrs=i$FE!JkY(4Kms7y
zYzfW!X4|UAxAbx3nM)%Lu7M54;2%131?9Uq1+{pW*TQ|e%Szo7xjNcr4_%B*K))Q#
zd;a_$r+=|UHQkn<Vfrh1_ejpYDVvx4_kb%ygS4WtwqH)aV9UEm%i4`-@G!6Q`7sd?
zd>~<Z^4I1=f}^)^Fy_C10tyuA6|U>fFS6G;tVOs;NJ=eFCNk^;J6EzS&8;HwB#klB
zok)<y5x5@7Td)xFD?-)&7%%Zi%E@?^+A9(y$P8F(Y0zSgy4zTzA^E0jEp^f&7KOx4
z1Rwq&vD%x^OhHw;h)0!L3`rM|hIhQ3pp?!p1}ZN57|DD?&4|1Zg*pfhNJv4ASrsWt
zokAPQrA8)GBZtcPW=d~MPap{YLtQwNBxn;utLrRzRTneBihn_r^TaC2Xgt}>*=UYr
ztOP}utN9SJ7}D%QSL0ir%>Ev)oHcwr*HNcTA>`S&W4a!P!mcqCIIAo|wqT;tja6t#
z0YQu($-ifU>-ixij;Ir?QF${b>2UGUD!AXGFBoU#@1R8v2YB%vzc6JZ{>r3y{^EjL
z7Uh`WkdTIe{yctVQQv^(jUcfHVpLUogy08m&7+RvLywTtBk5GtJZ?yu`+~mnt3EC0
zTI7KdKG^Zs_;8?@VPgkQXLPd)r-SL`xP6p}sv}Fr$b!?#`x#AvC^l0WCt62t{r#e`
z+)?I#Y2+`1B+Dt$Z=l&Gm)B4dLdxbsu5}N)D9^BeFLV$xFg^~7Lcv-4>Q;&JX~><5
zK*+_@o;Sp5dJ0*I0xWo+7L-JrFAl$Xh-A)4ma<N`U?Wx;YenKitR&~}LpfboXa{fu
zsi3T5)2zr9OA7YzMA?av6~{R#|1z<;sD~eVLchIL_Nk=#VHo^W_2#@(6f<RFFMc71
z>7Prx$s!{Eiv+7W;wdg(80Vw(GZLub8&6;cIc!zj<Er3UxVD8Nh_RCBvf|eWs^v}0
zzEt5FGdbq%(I5yQ7pbDO&!i;TyQ9mc%xM_efLUJ<EXWg=l*TJqXpI?aD$VA{D=qL8
zs~){9m6a^8G2xG&5edm}W>Zbtb@Wzl(~?-h*F**Q*+A!ziB54AqXf#Lp(7UdR@mw(
z|0x2LoL~x#_;anxXvKdQV@*7~!oHy0EH8$xPM-*bc;`UKFM1oIYC@l0lHrJ_k3u%5
zZ;|P##iHzJ-jLCLKgK?wMx1-adxHJ|j0wQ&68CnG&SfCxhGtq7%=rV+aK0Hw9*hA@
z-R-Y+g=MRqvIT>ahX^5HB3?vqcZ<<e!psZA+{AYD<``djU7#Os2EKxO9<{UVX3+kL
z425H83H|j>fgXI<bFv+S|GfDgO!jbt(%0<|Ws_Fds}<Sv2_*1+O+vTs1*pX5`>Msn
z>KJ->XF@%Np9R5>PgvmwYo>>yD=(8m0SSYXvQ};#tgUXK_X<9(GfXDhLZGMb59FB8
zhGKCCu28ToknW-7m@kax|8#Fc7PXy+2djnn1%HRE7p)cx{VA?|blm^#rdd8?R{lF*
zrET8z&(RcU(AfwW7D6?)4h81tq}3Q6h=nNl0Eh~@Zg1|c@gZAFjxE&Au3=*#mkkyt
zH!#VrY#|wzT8Ht_SiY0bcY!&Jkl-y6z2x$joRRg_{rh^#08i$u9ql`C;i<OF)hm%p
z?m6?rkj@PYTe{7FuU|O1rOY-slu^#E2tAl%YenqVY|F=USSv>W#`IBt@sT)4YVop&
z=SOcH(Era40+2$9%}FlL^f}qj=}1$SwOsO>EXE$w69C(~9X`yjMVs~GvR+WO4GirB
z!uE}P#lzPsm{2xxig;NRiZ4a5wA(}pr-XTsWY6!-sw4SCMoCf;oyc-_rYe2YLHdg6
zx5bj-bnp)vCqmFXcX+Y4GKsMMaaL^yQIs)X5Xb7Y%TIw)38{-~IQ1C6hweSLjxCD&
zp-T7#$IhNxBls#!g^z)LCLw0#h%u{(A#!6j_(AC0aCl1}q;Y?9FwP8F4GS-gxfn57
zd?)p<N`k%I`O}BpvD@M4%K0a{EU1>%+hhVsOGU?>FZlFp#-e&bumLk#jBLKP-SY};
zd1i<|0wCgNdu#}u`EJK(&<mTN!v`evk-q{)?tHX31SL>s`fmF+9DPe}QY`h?XT6(?
zT6i&$`G!#He7Ipi-&^-)l-?%;_;;?vhL@||)-!nCxwFcvM3UURzd^#RUmb<WV<gGp
z07~YQiv02uU?NxYTdwr>Hp!F=klo*p)e8A?bIGj#d|`qt+;JDsyl(#R&lM$GzPX|$
z6W2%0G{xM2mGl0FSApkbff3hxwkWlOi^CU#4atuX9dCOYj0Y_t454pLGn%>>!qy3I
z>h?Hw3b`;6OIMC(i}u?nSSH8TFB+RjxHE+5I?0qYYI6@k2JUy>g3RFs<bZ+{(H^ze
zyp^Hgj!~!6r2zx}dYDFf>@M#;Zj|v8(vCu3z=<Qo%kjt8RCaw$z-z*8eE<}a$x=^P
zfiMV7rjpqGWg??d{;Ge+y}z&MVSecNT{Kqr5`&rFTyz=`TVmoGLG-i}|0Lg+@!NnJ
z5r8B#>uub=efj+}r`r~*C!Dso#QnU_P*Sky>IXZcz*-VLS@vXM0Ojjdhzx#^yrwue
z{1wEp7+MS{00|8C4Lp4ZPZB=O-U4-2$=1L@!eFIE>aWLl@UAOp00fp+(5;uS-Ets|
z>yt|Cv1sQg%(PuI548Zvo|T8_W8<%^zi|9h=R~`Y_Q=H7+d6a;Q^RwN*^XFfY^_ha
z&@Qm~88IagSN9JN+J2`t$-b#`^DgRWFRtfEza*~3OHD+tAX3TDuGah~KZlLIj)zp8
z$Zm58Gr@PV*Nf+OTcX;HsDK4BwYL@_?WP7{E1UKZ+1#<4Y$XShBu)jdvvnsY(yrXp
z4T;Le-wXD*1_~Rp;{w0>rcP^ZG0VD~H>ul3Kh2max;A;aGXx)i;iocRR^XuF)JwJG
zw3Zb|%*wqeQJq!>-XA|_XV(J-oVjX@hh$ceO@?XY@81-i{-_o3(U0;bmofP3hR4X~
zmn}tR^i-D9Xx8vSA9Ed{cMF@XTz((QpH0zK8Cyv;j6URB&abHbmso~&uevswsH858
zjr1>OQFANfLi#sRCj(sfI|m!T9wv+54xHX^-W>cN&D)c$C;E2Zn#1Yj+TsYN^FvQ9
z6JwOE3j{Q4rSxmolI#av={&iin>O9^mZA1Fo|hEEWsg5bwn#{)O&9Z$p<^Bbyo3*+
znz2cGE0dZ%xOFN*En9WtdwWl9fuRXC!kiD!=7+A0b>=ZzR072;`^ZQ4YfGDdx7JW)
z7)AD)6W0wH^{;T<0A;vNlXE40wJv#1k<1o37i$UEj5afs&&<?!J0WBq(8ne6CH&#~
z^pC&X#ZD718F~*>&Zi@Z6b5Y?OD)7h&*E(Dm&YWpOO{$BH|=n!3Z}xzrp_u1$Q&zF
z^L&xlA0u-y4F1hT$#gL^3aEPJwVs^HDw65tZmY5kl6rR?q?nY&iQ6YeMe;ZJx;fa1
zB1c-e^3h$-U19Dtt%%$ek8~;1Hxf{RA~{*Z_a}C)V<5c0+tPZ|x(z6uZwD`Rqezi$
zDHZqE?C5SS4*5DSn#s+gM)w|JN7W_SbQK|_N~`zQSu7v=E!?=edpeXpw{CEbOnY86
z=c&zp%Q6?zyPDGPqeb<ka`?He+RVeckTbCuW{c2bu8fj%v8bRUGS!^IGoc}maN)&~
zZ^L>53lgL7_(NjB)Sd-Jg&Ss-{JhB*T3%b&r!;l2CU;@?$6LCH6}2aluMF=WF}AGK
z+!G@0ce8SG{h=i<mMi+Y@w^*0bZlX<t#EGlEe**(9=ZBkrbGK4++^O8R=lN8LYd}N
zu2jfdbBls3KOYwZtkG+B%8XRHd&N00ykyli#9ThMRCm~{xi)j@?kf^*ZGwpFg!FMv
zk7W7k^qhe1VDR*1)C1TANRce!^7TmrJ{<l}5qKMl{QAmyZr+ZGP8)D|)R_qi0)q+w
zUSFR?UZFiwDm&(MV+K!0EdO_Cc|GJk?iy&J{19xZbP>F<llYS|bx7-UzHdvZ`mWZP
z+SjMPLOpOwJ9IDzqqa(ybycu+%<76_dqk*YC&QXvGR8AtN_5ejVlk_0koLGn*75fn
zI?`l4Q*+H)wIsFrSo*7e^|@lIPg-@moDxM~>oO0&M}Y^Cfy3$%PO8v2=unq`4CIT;
zW1piq4=XaemPhA-*_Gl+VBW3Ko4v8?UN-jwq@Op&70^<6Kj*I4t@avun4S8Vp2<Z!
zP}NCvrNalviLwL4)p%`4XFqohZZ$;eeLMnR-#_kOgT8>2cS!}{k$$K<Yam#lj!Yk%
zV7wBv+hg{)g3LW;;JnuJ9E$p|Ld5OdYZ}(`964>kwnkpxX9oQpP2l&mv{-HJ5`Cn}
zWl91v$Bu!8LEhgyWtH_=>C9#v3`aRKkYnvQH;nj9N18Wp#UBTS=^-1g!3B%x_LgN=
zPOPN1<hfeEmZuV{D4g|Zw~b+!gz%XQF2|85FA?;Z8vNXF;V^jLfTc{gwLzW~Rqw<)
znHyVQYmKVhRl>Fo3a(v*L2=iWG1h}f><pyqm0y2PrcGI8<f!u=Agk4UOD0~9Fj_aJ
zZm3)7#}9B{Fc&xC^dxSWHD;_vWEb6YKG%(Nj=T0q{5`D%7t`pylzbla*N^&mja6`|
zOtg?n69}5t)=WdUZ><#q^<`fW5kIN}XV2MztpDQ05*$wydLw4hj&OLwsNl6Vg|nX`
z<*j)f?M6vxCc-u%vFv-by2^AqBc`CsrAZ_Q9@tw0&AXAgv)fDJ6E~XcJRtN@bb40f
z{b?y$(8@N3vWh+Tb65s-TiexwqNmm>621B5y}zd*Rc+c~tYlW^wWY69?`2b))g_`x
zTzXtc2D(O<r8B(C?Wv>EB4>5aK&h?#7`$EY#nhSAzNc=f;39ntcOodVePyUcZ%rnO
zY6IL``#Dyyaetr6inNuvPy{{`n%S3)IQt1SU(<Nxi7e=oqW$DHMUtXLX<5&#v#-@}
zYWzrOQ{&3`Q}T?9wn9F*?AJ-92NR6KldA2$O#jn({=^!xU3pWXR~Bd0{D?bi^^oOB
zmTYfUUFrL1>bPBBU3;zzytW-e=SAyspgUn+W>0}~LY;Dr_O&owgOq>1Q>jxDXV<gO
z2*-&q4(<ySe!s$CS?H%66ZVO0yOO`Igb|F7BcIjOxopk;h;AmKrL1DNMMin8E_ss`
za*a64=E>Fz^>5f6^HcqvM%`x&0N#vmu`II?<#b0j^bA{j;=e!Mqc<by8Y_2QPGa0b
zPFT}upfX0QR?Us}NapJ)t2D_><<z5RijddF5M0dPT+6Wm#B8wfBWQ_ZoOQROPZPhp
z5bxbVuPe`fUr|H}#xJ)QhY7$WwWr6AB!^U`<Ts97yE&0vFvy_p^%$2jaK}NW2jOO3
za32N~9TMb2LW<zeJO}~#;#+H@P>vu-^p#A-=09h97J;Up4_Wzg%~&}r;5ZvP^XbL2
ziK0d2v-JA0FR|Vr*f(`g_;DAIPvA7HwOPdW>C$k&y=n*Xa8X-Da))yB(Q5<!qg(xC
z0dlftCTfP2zh}XS<{iy9sMlJq7=3d%t}639&Xfq{qH7eKy!ZG43_5nQ1Dy-+<bsDM
zZvlISlt*BZAn>ho7yr+TehKC~y!O5aK2AugmjeVGA#;S&677QwYbfEraDv^g2Hk?k
zQf9ngZlRdl&W_*RNilJ6kixu(-{3atUMp@K)UYI6FR<kT2RBSH>xk$>_VGEn29_Yf
zc}LiGbV+AVDS?*#WX{-~W!Y=s)ty$+cC}o4kppVuu*DWc3UpJdPuj%146oLO2^F*T
zROZPh8ighjfnX{<CcUPb44QX}#TIJOJ+3V49PWKJH`za;q)$(faw;8JNBRA*;$!=F
z9fpMDbK*lvvmrT|qWf?+Q#Hn3#8<<@ZVOZ10Y}^G>v`EhC*ae9Y;XZ0cIzG!DFqG-
zU5x%;p0-(1wav?ghhStQGmQKm&bu#DJ~PAwEn!>sVQgFqVuD8k1UgfWQ9lG&=)dP=
z3lf`F$+7=1(H`sE#Bc9DKE?F25S&$Du#baukK&Xph`&zLYk0qO+~Py`=iUl34xe{h
z3WJ#oD;~LAQ;P~Ew5K8vH?E%e2ZLpgf+bou>EQo{wDL3wq7*<m>7%kJm8fTPVO`zJ
zigDRqCFG1-O&*XD9`bnzA&1e$n5GM+)6eA~7>9|naWaHx^X>%GWiE~3NtbXQV2bJ1
zbTJ|->N8SI;da-`i$A9!8by{cTmF@@Uj5C_G8YkAMe~_gG>!B_R2|I{kL-I1c72M`
z?-lJ<xDA@bHMZ4n#%V2<D!Te~!sJ-W2+!fAl3TjQ@mn$Camk%MtEdka%QU&{-LSf3
z44rP}mJH%{IS!_p(2tBXL9%}0qJ8qQg8_KS(oEDP`X>kQmLb0YB2GNae_(Tnq7CQe
zd4JNPWDvTC!E6nwcfuQ~1NLIJWBdo>UR^Jp+j*Alz}*vFsU9y9m)|*5zRvipl0^P=
z9gG5gqd^s(L`^{nh3--QRg4kMdCI8ZkyQ3(6}uvhgMwN&|B+G{h3GF9XN=ig&B)41
zd)+{0DeJ<3DS_O|t)55E$Pr50_$!N0d>vP5Go*+WlHWrfVQ!YjlEUF0(c)o{XuMQw
zE`f46(hy!gyaxxHIywUrhojU}+;<NjLr86IG+k1MT@UXbd9EEvnUwD)_;)aglo9#)
zan#bqJWW;{4LlifrQaxl)78TzCgQ;%PUGAC-|;mmYu386LiP%{?KuPwkDc{&{WMwk
z%N$u%&l;pB=MpT<$~01F6s2w%7~bR57)@`#3C4{Zs<2f`Iu8i72%TIFtJuca+Th;@
z=5ehk4=K#NJ=w7*sKz)_(t?+%mSM{BXl}#sAxE;$^$=<)HJ2A&FoHey!>2M_L~7*Z
zH-(fgK7^PsXZ29&YwkAHIJO3&{2@@=RD{!%ZK0`B@}dUnv2<BcRx{+=s=NJ!dIW_$
z9YqN(4t#oie~8#1<x<H#DT~kl{)n-;MjfIMz?itp!U5K~%g)45-;&6lOq_d@$9_xx
zRaiYN%yWj2*7gNKIF@WhJ)Oza;RcHe+R9Fkt*i*X^%#k_nv}D3-RCn?3`JGV`<JRv
zTdnF$iM_~#iD7GzYFGm8F^m3IJf;#al9kJtlA9&k4qICSd)7#OXJ!*Ztb;a2`3J|H
zE7FAtlz4S%L34KXO+0|kkX?yIO8!i9Ng~vdk+G&r+dWKKfOd0Oh;;t-0F!A<^8|DI
z5H6gQ)K4Uqft+nDMIZm6BOz^!2mxvvRY^aAQgyv$<(5lTDjv<Fzad<98AIkGDl5h6
zGa?=gjmP&zGW(@4UU~2s#7H;;p0rhtxdtqRBDs#D%)=WIdrAniaT#3xRSHh0Z`o9$
zo)iPWB9%NpCN}Weny~WErh!7DSJC~1Gc&QeXuDf`vDdLN5(xckLvTW)13xL}$={@u
zJ+<@xEh%#w$R$KNa9-AEH)qV*B(R7U_8ZCa_p%O_RY&;KBu}%5P6Z=FRb_S_u(RE(
zE?U|z>LD^PK>ft}f?t=8Mn#hAREKSGr-{kD?hdGJ@?+iDQO>!r^9cO$fkw35kLt~5
zZ}7uOX3Q4Xj>t~m<EB9i*Tz$7eb3ZlsZ}1Kt;Ne9hoptk{FaR*-GAd6H({K!aLJXw
zcxO!DN6nyoPB+{YZZ-F?8{^Lo&xRqxpV8br>AIiSoExQ8X|P7EJ+2vB7VJI-5}s9@
ztb1izr9ZQWurUKjN@?Jz7AKI(g4>FFN6H+Dl96dUE2VevpE6ufw#%9#{XBc8r+XjZ
zWQrr)Ys@!^^8VN;1<GF9lW=eJQbg1^&Q*NZMGc&2(h9Rex#f6SJ3_o>U#Phys;Q!6
za)NEumMU6DYO0{yYBn$JXofsXOJ_bcM6N)ML6mc9-MF|k4~OR}kzyR0D4W#%vwtM-
zft-$Sb)XGwNRNNJFi;9iTuC-G4J~{5OIyzF!14oK56Uw{-y)6K@`pFVbM26Dp0%ip
z461~il(*3#qYV0K{c8>iiIr!Y@uR9jvEo0j2T+JpPIcq#H8QeL3agfdN<&$CyBnc^
z^L-~VZug{}DyLN#Tv(OLs>L0{X1o$AwDhBBUR9?9{Z#fkoKhMq4&yx%X4tHQ1G-;s
zFNvSnswFWy>gzkshc?x9&Fh=c29|+LUZYc?;z~Kg{w5b{RofRgk;%fXvqMTNfn{62
zYC=t=*k!XVF=w{W1rfLB=Vh(7Rou39m2=EX8|pGcOU<?|vDjIwWIUgTlK#QMIRPyr
zct7CnUm3^FM^dOlJ{aNa@4E@yW>6{YX$}|_$u=LXBu68>|7m2a=yQOV*-sOVR*kuX
z>4q2vi4`b|<WAY;sxY)InY4O)ivktNvea%X!1BD2p1d~2j*xTn@yAZ_H&_BM2x4pa
z34jm&ZUc%+vG`1C+3Nw49e}g7gQV~MF3gjok~|`bA+zQ-V~D4ZCEZ9Ws^&IIq;z1g
zkmxHa=rQFplc!?eV18ZLkJ}?wYA4Mk;)}fhdt26ZRr~TI5fW5eIu?(k{AOuZTqZ`B
z$fHx(i#X>7O}<8+>>Qkb_YJ^=af2h{DESwW-X+gvc*l~ek~~}XP7paLguOB`!9lLm
zk3fQz%AB*Y%Ei|1#!U3ee5z-(d4(hfW~gyGVt5@Y{e5lY4|O97omi)WUX%tM-12=q
zwWKR26N6aHWMdOF{CRPxxrS$IL(PU$B!l)O)^Lj4*aQbc_)5XjeFl9fzK4&DYIn29
z@87thv#OY;HWM%d9?gMJyPjW<)Z2a7_%dHfE#TAP#{w-MkO)iv3wZ5|Y!htp8RP&C
zvNDG{4N}oZ#b5o((vIf`=cFzA0JCtZt^NM-?HCFg{2FLJUNnkI8(0I1SQ&^=C>nyZ
zno*!ZLA)7Ik3ssuuR(*KBKx3%yDt?Va5)n;_8izK?fPY85qx}l0Vb!s0WXH&fOa#P
zE;`1X4959%%M=H?2qHEiS&!W!;?yd(N|hu3YAI_~Hr1qiPmCkE$wuD^X=3DaiTb{o
z{Y3_%-HA<1`}^P>-}@DjPTZ1Uh-+pI9X@N^ndUh$?m-;FPb`ZZkqkQUCj378U^Bez
zSmPQw4x%js|EH)!C0@wf0=~TcFx-t|uhGab&7(Y$Q<8^JliHvt4w`VEc!H%vk0t9A
z3ZcZqFD_3d)R0J47881GprJ4g!b&0|AkfX>lC2wINb#|P4qQ6Lj~NtxE#F7*jMKC*
zdL8cx0t?m-%@`Mg1%G`#l3`+f2C=sg-+%`yM8WmBvBRT7-)6vv%Ry87cIvkAbYMQ|
z{A4gO@@0XBiw}s0rJ@IOiS;QeR6s~m4xfP~q+A4n)wy4T#<uaYQhhwZu4n;m7IH4S
zj>K3eL$X+Fj6k`ve2q|Af<d!Ny-Kq_Swmm@uUQL{bUlj&4TpU$BVr4fK5N`CF<Ron
z6NXrw;z(?BbePb{XBgED57O2vSXq*#HvKPH(h8bv*-xmUJ(R%a?)h0-6B=tC!H5jY
zubO%eExSkyr?_R&gYSb$41jg-**#P&&F@so>?NaVcVOLGnUT?SgsR3+W|aiz`$L04
zp)*cIT}4tZ@><}F+eagl9;Qc*qRQ_NKj8i?s3mOiUkOJ(sK9VMJ{@c-I%fK%f?S93
zg=f(!s*;gzvqeKiyQljRV158KVZ`6)mSu!{+=nxKC?YhH26i1i7%$;41EIHINQaz&
zdA|vRg;+Yok3?`?P6xu@L@NGhPLer;3QqnbrJJ-MIOMPaEaN9yUobE=#j<0%cK2^N
zySb^Yu7CnkY}MN8C#SE+%~WnG@Tx|NkHEv2Q~hM+SugJVSr7T_IeS^JlVG!8-TmZ#
z_iGifphI_Hc@nJCH+r<FGd<;$odOCYwp3L%0qogHKM}zWhFJ;V8cvI!*T-%r-j8&>
zY5@LZr=|4X*ueGPl-77galQntT(1RKztiP%5U2F`DD23<X9i{xePsIGW$XsJJC3lm
z-%g|FS8cB~n>tH*oBcyBwO&d6CxB$R(CnU=1@l7s>)KDpU}g5jsC&=7)orzn45MIs
zm&bp59=p6C;JuQjKDSBx>#WUQe`(Zvwzk_YD!qY#uy`V2w-0oY`3e~GcbEDFzTkN*
zz}%VGF_Gs4HwL|o-%a>GgtqTAS<H(~Rs(zkU*L1lw!~PB_}Reg5l#Ks6U)f2_?J$<
z0Q=|WyABq8z@th4aM;Jk$w}Mmr}PPZkyV(RFH<pk&vA^?{IQLRP>08Cn`4wWvE$c}
zJ8aU``j_szr*&V@Nn6i}(gh7&;w>NM+H?Ln+5#~BcDvx_*ZyQui2-Sk?@BQbi}Ohz
zWBQ43)AM@Hua9<<D}#Vtfk3dXm5&z-n6eT8+VnQ5j-GjU`1}jF5xU<m{ztbS=v#AN
zN~qr$w()Z52mn7u!UO8oTc2iBcrKa(g`WY$Ov3jwt+kr~;qLaCzPrVj(PDw9K8D}k
zi<LuUEFVp+*VS}rf-g0$k0*=XUpD?ada~_ziH8p&oR{Bsp_L9v<|5B7XKELhaMK)2
z4OV-VOmfJjoVe3A_ReU=>G-CI*JANI5-^hM-K^k^k^}g|I)9GzY=VFFe5~b1y=<+#
z?5v*(gDp=F{GBRFi^pZ%@kOq~Sp25pBxnnSsG517PyQ_BF#q|@XAr>VkDFJ}F*7kS
z(Sf>T^dQ{)C!Z$s=gQb!ks6E7NLSd4&@#=awzXi7&E>#qes**1aSl(?QT^=Js<+O2
zrXyYNej@CE@2keFh`Y;Tik?W#4%lX<F6i?a*pv5IV4|_J^J!|MV+sgtzx`J;eFJ_!
zO7Q3OvJ$MF-24D0G41@~eVxPm=q~t-v+e(U0s%pzXj=l{Gv_|t7I3C?`yrjl*TF88
zULMQqwc-5$C-*~A4zg1PDlvbpiRWG;Y!aJ~WyHa#NWCzN9<aZz`<CT?rsL8%GFRm^
z%bK*#xU*`t?@mO)v0TA=!Gvs6ug7XpBC4v~z{X6GfYs*fl=3+^<`wMn1%C~mY~uP4
z5s+Kp!!NMgHJCsfa(JQ>6f~lf0p8R!0==vUl8_k#{HVZ8kFzJn>Y$*y2g{SmsRHBt
z_wr+&T#73Rbdq-;rE87sc46S=dRfwwg!c3{0Py+}2_$hA>^yq@@s2*#nh*Lk*yz0N
zGsd0kbk+hqyl*#&^r*R?B(Y6zXM+dfS&L5(6Ug4Y;PoGbzrIN74C)LXR`kXzt4{*z
zO^x@<Iwx-?Id-jBXY}44(Iuh^fXm=o(CvQSv;hCLOn$TNOn^b)u)1n<W8X==Nq*N?
zMxadfmtmvNE09j})``9EmpOQ7wmOM9XlnB5w}9qGA{}?o!xEdo%9qpOXfwBB``qAf
zPDM+Qcj^!r`3#)Fn7BXp!Itm|Zh?3OcYpzgpFx6OqlZE9<7R?jfE+0(o;@EVbMZcl
rggXtc*6sPq!rgl;xPPC01D-Oy0<BU0pNXGD2BYgnPZ>hoK|uTu`Nf)2

diff --git a/testdata/common.sh b/testdata/common.sh
index 8e3b2293ec67..2a8ec7bb34bf 100755
--- a/testdata/common.sh
+++ b/testdata/common.sh
@@ -116,7 +116,7 @@ get_random_port () {
 		# depending on uname try to check for collisions in port numbers
 		case "`uname`" in
 		linux|Linux)
-			plist=`netstat -n -A ip -A ip6 -a | sed -e 's/^.*:\([0-9]*\) .*$/\1/'`
+			plist=`netstat -n -A ip -A ip6 -a 2>/dev/null | sed -e 's/^.*:\([0-9]*\) .*$/\1/'`
 		;;
 		FreeBSD|freebsd|NetBSD|netbsd|OpenBSD|openbsd)
 			plist=`netstat -n -a | grep "^[ut][dc]p[46] " | sed -e 's/^.*\.\([0-9]*\) .*$/\1/'`
diff --git a/testdata/fwd_zero.tpkg b/testdata/fwd_zero.tpkg
index 151d695635f297aa1c65b4e3efc617dd93ec8766..adadef133c850ddf703d0804c19178e1758dbdc7 100644
GIT binary patch
literal 1529
zcmV<V1qS*biwFR!5EW4X1MOM=bJ{i(@2}{ucyn?|dz+1n!EWi23jw;OYk?B7UT@oR
z#unfOEZ4G2==G1^lfT7e$+Fv}+0ya|SbCD4-jnp6-p84)-0>$Ca?SO^>Z311lv1nF
z0DS6}X{1k!%4b2K*L14avDvBv7V1=g1dT7G&j!UJvO`p5#p8&DH}|`(J+q^DJ`kFg
z_rItFA-lsla6Qa={l@**8<qvS-l#Qd)X;Sk_usS(+<$t9I^0O#`2O#}j;ca=<5hKs
z?112L=rD-p43@S)%i*IP!qi(ZSk0LaUbHV{Yskp2piV*4s#+AB&ou0&Wg~uvy}ew}
zHSIV{EU=|uM@&R8<so=JBxPiJ_5`O4Y#}^<mQA%eU}KhzCPFkhufvy1?rUOBW-J<q
zw(s)gIN)IfHFDNF?w|EK<3WEoI@ld%CGz53&U*Z~;KKKyKY2o!Gv}ae4lLIcI6S<n
zNIK?HYF@gouUvdQlF3S}?9j!9l6o&(UyNl3Uy$9`o!;qq)IA;bPC*TzkaxL}X-_yr
zhPL1{s2%R<u$LNk(mB}uuB?+}WQ7|vTH5Cf9PUrOS#k)7U@oW(_C@tbPW;<Zb$??O
z_N)7O`>0>^$n})1KVB*;1;Zi4lcZEEK<rO=?7PWvz;igUo%2~JIb<;G9w_oiX$slJ
zN;U7Q;-8ZXg2RkmUV%c%@+xdFOO<O^!?B~Qyp`>3?9ez4AY1vgEmK7DOF9wqU%USe
z@jtcVuI9KU{$tR``(M`$YSs*+Mlt?db;I1o|NEfl;M+?kSojeGb{c@Cd++v#CqJF^
zfL++jV8PIxmKxa|jb4LcQc6g-HyXYlA9t}2dD9xTUjh#t?lSlgtpog(Ldmc@c>NyU
z4x!b8UcWmW_J^d^d3AO=!cY>d$DT`0yY10QzXxy6FqmP1tX8YaNw3l>T3Wr+cimyZ
zujo{(QO%%Qon~5ed!7G*BRx>M-v4Fvyt_GW_5Zql)&FVT+WP-}Q0n<jQo-K|7hbe(
zVp>$$0Y6@<(L7|fE1IB_icFZAkX-ghq=Jc?D%Jw;uqODNRPgjLC*mQFRut^)xiXAk
zCBN;EgM4Qmavr69P(&!hL|SvX>hnnb5VLTtF1TYa=3GRH@GK8fKXIR-qS+X{`73#g
z?Ybed^qQqn{OCtn&T*t{1H&zJ^ZkE!bKHvm3^T$14gA*XiT~@gzV-k6pey(<$pF44
z1XxB2q(2xPD5|FrZwkHx>O2JnpJ5iV0L=zPU4dYZz`VcevX50iUM!wVBYgrHr7~6u
znR*FSV~9GEs0Ax8nx~l$OyUS5SCnN#KfniPf%?ParM*DwmMj~RgULgw4Q4o6Io&Gt
zexhU@Cw1c~)l;vbWiqUUsAV>+r>1VY7BwBSK@HO|r>0A(f>vH!AUX;qVEmkzAN#P2
z=0FXK$O#)D4wt7`hHU(2+!qGu3rU)Y3*hrrx>eB}aZ#2?dIBMwhlApvFwsTmc-2OQ
zNbXS)?-MY)p}}8PWmAD%xWr_58A+Z{5`>lm-=tE;T*Z(%bI!r`#fpW=iAWBCQpzut
ze46YCRMMgSpK&`Dg5~udZnWf8*o7D2RVfcfQlt;y^10#tAHT==PwNf+^8KG-B=KKw
zY~%lZ(AD>U{GQ`~X_h?T|J@w_IPgmgTn=k&M8TLO@|6#XpeyeL&oNAmF*}9)4Ood&
zdK2^jT=`$o_5SY)=MLw%-T$ou|JC(c^8TN0{r_I**cPmpAgX-x$uBGv9`_OTX_R!B
za6&JL62>S`&tyNCtRn_zodMvzxmW`xI4qR?U}}2{(njbgYaKg6;iH(rE87RaOrJK5
zXU*DEXm>Hep!6AeV|#vtU&Nu{h8n!n+FA=A-XH$VM%NXjjY4J#x+HDB3=jzVQIoWn
zZifY!fFVL9m!+3%5j4plEZHRguR#V0pxg*`L|W9`On*r$zIY+?2oyDtM!8M$0xgPB
f;MW=jwzQ=!ZD~te+R~P`^sUgJ?*oj104M+ewnqr*

literal 1479
zcmV;&1vvU2iwFQ^231V}1ML`VbJ|AGU%6kg#f+UyD_IW^327J;AdS-m2*%B1+72V6
z0~CupS&v{c`SINo5|#+ACo>L7Q>`Dm+uOU{+q-?;bZL)2QlHDV<DVRS9Z(SJwVL><
z^_mj*)oL~VCUBstHLa#8x~l63imKIB^#E#LNuC@;L1_8_2TLA>)c-d+>IeG}XumMc
zp8uv}aW=g_9^!zF^?C0+f4!>W`K!8OXu7W9xLVWec>c=$iEumo&(9xs^?~{gQo{ce
z9ysBu0U9YC0*e+>IQOY(2Mth3$>V<5fYU*LI65UI)P@wS0+-Jkz&I)4?V(o4eVkn`
zBe7#o9hYJ!ViO)QTSg4xt+~&6xTX;bW#)pedp4IC52dS!`YXxhmg&xU5XOs7xxX}h
zTl&ZuMM0A}GEPcIOxyMmg>FMu@JBs89ra^D%Y=Mu1%KzT+x|V&{r&N{%l@l1b<6+P
zs(QV!|9!wA97+=84jv@wkQ_q5Bj2JB&M7R+0CfW&P*K9HVL7J^obWghqdp~nf;0tL
zK9NK3awa30oXq$ej*ilWc8uq_gcNz-!DF*POq^RjH$=n^Yz`|N#D&pG@FjzIAz4Ub
z@x_8OIhd16$92c(ouKmkZD%|<>trw&y=VQ4-WvO@59%wyZu_?b>mGUBZU6O6{I9B-
zuzyV}?0+xt%nWERj;QJ3lRt2y4rdtkWrcKTVEK+0#)y$HIt;oX=wPx6DO_|0;8V|C
zff=BN1RYFG$0cn{9Yn8VhPe1BqVUpW00yW^Lx0@R9znZ10!>jKlh>xhLj1!#1Z-c1
zw{lx<;m3K;W+s|$K-##-EY2=Sn=d>}1X$Q0?S<W;9%Uj!AvdiT)b$!<;Ai$EduaHB
zIHAb7IwE$I!Nsnl6<t3^4<wcvh)vlI@*H;*;etP&7uaq8LJ#-H;|}{*_4>yCtC~@d
z<3ExW_P+<%ivMv~-DmtqwQfgs;b0uLNe3Krf-F6>M2F43Gz}nwVfSfSu*P~pYzln@
z#6<=yop26UqMCq76k?$f!d1BPDEtCfmW%A*!NPP=m<3IyJS5bbb0{}~S+HC#WqNHc
zJeOj*ypS{056cPRq^dts)b%A-vVb>UfKoSV^+$$k*mcFQjGCewx-m6uMJdB4xW2YQ
z@<H;jjSQuTfwTk-Hf2sGLBV1tnehn~M*%OhI4QAZ#+PedhI2E7b-f2p06~a(4n*E&
zQ?@hvY*%F>u&0}XOh}XG`k5Z`0;G#u$Q!FgfeXq+^zhEfh=I71mWhbCnKGx=C73K&
zQol@`Da<g?V3nuHnj-6pTtzJ<Y@UdV$Vh2Dwf{RFfE&=X-@~I7xDvf~Lab${4k2+<
z`SJYum%=UepHJ_R$6fxv7W@CC{!@)O|EuYR|KA5}*MC0!k-Yy_tv93L*f*KY7i009
z1sch^vZs|{(jsvw7^5CM*kIvjP#>l-AU`qND?_unEy#M#&8lf@7p+h}UddP!;&lrZ
zCFFK(7K{Y}3rOWvr*}Rcb<an=^VlP&>*WJE3!s^LS*>}b!VyVo+^3bFvN8!o(zr#U
zg?ULqyb5D9i2XXI#UN2Q4o>1H!M{#Vj&oW#J~>Xu*Kct#MJlHl{S|W0&CrBs61O%A
zNP<Fq9q=AbOzU#y3rsGmSFm%El1lh%r3*nb6IN0UWNP{wE##1y&Q5KJc(sLFnojP7
z#*vrCxAj;eh`?t<-M5cFx99)t-n`wN@BgZ@{r+D!iu`{s@B~B#oMeS-2Q19H(jT7v
zcGiPzW=ATc(JRmmMIofy8x7x$pLLOjyl#!!FMxX%w`r0>$7wYgb_cKC!J8qpTF~ov
zhr|Amv^p;@&PV7<yw%vT$$7UuI_vk~%>_C$Y!FN*OJ}`OYcta7oxkl4H~3N}{Y#|i
h_B!8zAr(+S0R<FLKmi35P{4lx{sGAjN1p&F007hM${+v$

diff --git a/testdata/iter_ds_locate_ns_detach.rpl b/testdata/iter_ds_locate_ns_detach.rpl
new file mode 100644
index 000000000000..9288fe56011e
--- /dev/null
+++ b/testdata/iter_ds_locate_ns_detach.rpl
@@ -0,0 +1,296 @@
+; config options
+server:
+	target-fetch-policy: "3 2 1 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test locate of NS records for DS and with detached queries
+; the additional targets looked up cause detached queries.
+; hence the target fetch policy is increased above.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id 
+REPLY QR AA NOERROR
+SECTION QUESTION
+k.root-servers.net. IN A
+SECTION ANSWER
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+SECTION AUTHORITY
+root-servers.net. IN NS	K.ROOT-SERVERS.NET.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id 
+REPLY QR AA NOERROR
+SECTION QUESTION
+k.root-servers.net. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+root-servers.net. IN SOA	K.ROOT-SERVERS.NET. hostmaster. 1 2 3 4 5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id 
+REPLY QR AA NOERROR
+SECTION QUESTION
+net. IN DS
+SECTION ANSWER
+SECTION AUTHORITY
+. IN SOA	K.ROOT-SERVERS.NET. hostmaster. 1 2 3 4 5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN A
+SECTION AUTHORITY
+net.	IN NS	a.server.net.
+net.	IN NS	b.server.net.
+net.	IN NS	c.server.net.
+SECTION ADDITIONAL
+a.server.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.server.net.
+; The b.server.net and c.server.net servers are here to cause
+; extra lookups to be generated (to create detached queries in the
+; iterator), there is no IP address that answers for them set up.
+; force DSNSFind, we host a grandchild zone.
+; also, this range of steps is without responses for b and c, so that
+; they can be force to happen later (after the DSNS is activated).
+RANGE_BEGIN 0 20
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION ANSWER
+net.	IN NS	a.server.net.
+net.	IN NS	b.server.net.
+net.	IN NS	c.server.net.
+SECTION ADDITIONAL
+a.server.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.server.net. IN A
+SECTION ANSWER
+a.server.net. IN A 192.5.6.30
+SECTION AUTHORITY
+net.	IN NS	a.server.net.
+net.	IN NS	b.server.net.
+net.	IN NS	c.server.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.sub.example.net. IN DS
+SECTION AUTHORITY
+sub.example.net. IN SOA a.gtld-servers.net. hostmaster. 2 3 4 5 6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+sub.example.net. IN NS
+SECTION ANSWER
+sub.example.net. IN NS	a.server.net.
+sub.example.net. IN NS	b.server.net.
+sub.example.net. IN NS	c.server.net.
+SECTION ADDITIONAL
+a.server.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+a.sub.example.net. IN A
+SECTION AUTHORITY
+sub.example.net. IN NS	a.server.net.
+SECTION ADDITIONAL
+a.server.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.server.net range with all the answers (to finish the test).
+RANGE_BEGIN 30 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION ANSWER
+net.	IN NS	a.server.net.
+net.	IN NS	b.server.net.
+net.	IN NS	c.server.net.
+SECTION ADDITIONAL
+a.server.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.server.net. IN A
+SECTION ANSWER
+a.server.net. IN A 192.5.6.30
+SECTION AUTHORITY
+net.	IN NS	a.server.net.
+net.	IN NS	b.server.net.
+net.	IN NS	c.server.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.server.net. IN AAAA
+SECTION AUTHORITY
+net. IN SOA a.gtld-servers.net. hostmaster. 2 3 4 5 6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+b.server.net. IN A
+SECTION AUTHORITY
+net. IN SOA a.gtld-servers.net. hostmaster. 2 3 4 5 6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+b.server.net. IN AAAA
+SECTION AUTHORITY
+net. IN SOA a.gtld-servers.net. hostmaster. 2 3 4 5 6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+c.server.net. IN A
+SECTION AUTHORITY
+net. IN SOA a.gtld-servers.net. hostmaster. 2 3 4 5 6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+c.server.net. IN AAAA
+SECTION AUTHORITY
+net. IN SOA a.gtld-servers.net. hostmaster. 2 3 4 5 6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.sub.example.net. IN DS
+SECTION AUTHORITY
+sub.example.net. IN SOA a.gtld-servers.net. hostmaster. 2 3 4 5 6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+sub.example.net. IN NS
+SECTION ANSWER
+sub.example.net. IN NS	a.server.net.
+sub.example.net. IN NS	b.server.net.
+sub.example.net. IN NS	c.server.net.
+SECTION ADDITIONAL
+a.server.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+a.sub.example.net. IN A
+SECTION AUTHORITY
+sub.example.net. IN NS	a.server.net.
+SECTION ADDITIONAL
+a.server.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.sub.example.net. IN DS
+ENTRY_END
+
+; make traffic flow at this time
+STEP 15 TRAFFIC
+
+STEP 20 TRAFFIC
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a.sub.example.net. IN DS
+SECTION ANSWER
+SECTION AUTHORITY
+sub.example.net. IN SOA a.gtld-servers.net. hostmaster. 2 3 4 5 6
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 50 TRAFFIC
+
+SCENARIO_END
diff --git a/testdata/nss_compile.tpkg b/testdata/nss_compile.tpkg
new file mode 100644
index 0000000000000000000000000000000000000000..6be7bc46eccd4eddaff2c961aa34c091aa865104
GIT binary patch
literal 1049
zcmV+!1m^o6iwFS19Tiak1MODpZ`(Ey&)4#=I4D8gWYx>hLV*KxPO=S4i(o0%55tzw
z5^b}QNr9xAWXt~d9cB5EIFA8KS`_0CutoBI_uw5xozVI;mD7UfEXcSDH=Y4e6!khC
zz-Qd+wr0;>WS<K_+>E16Gmd-B4n%P$>b5ta^Blq4MyU-|7|Mk#4O92?9+TJmSUkTG
zh+Fkvog1djQ~1DqbldHF>)&d{?RovX-Chh)GipWM4Tzq?`D6H>*MAc>eIIUD9ejV2
zY=V}hN*S05gDKUxefUfjjF1Hv6DEM0hPG10$Zz0}APB<16zAgrX+f>=JG^{3H*|*_
zy_6ayi{;AwNGjk0sxdBdIz*QR)tZZO?dqn&4KFuDgz(YKkasqb+6X#jXCCyylLZrj
z$OSVw9cmnTyLK~zykO}>qFjKbyoOW?!$rv|Gag~NW^;~^1{ORaE5>Wca4_K-*kzIP
zl$-p@LxoFjAR;49NMJL8`JPG<=m{A!b2_Exj2!=R(D!VT0*`Fwnb5gR`=0(RzSDY=
zgyCAmA<Dv>50M%gRf=<uEYxh7Q0EQ`k%iIyvn_NNmSQMNk%2#fYZxn5*xio!xKu2|
z6^;KsgN6?O2zF47OQ918!^TqP>97%oV-L;<8I>Zn9AHXGby{ut)i(Kyyhy33EeE+A
z&(pUR&l3}qzX_S1;}ulpFr$W&w16tc`9io8s3Kp;!(g3Z2Ro|_GIO-Iw+EOA3;}F{
zJYpwU9;pm$)hVkaaDBZRyqC%{&%l;hGgB6|_R=UVja1C;tQNgWvud;pm~<m$&i`cK
zr}##3fmcnQ@2=`BR<{?9SADKoUpiitX%@EcUvM+QJIdEOUyZ^Zv^nzz31=DC_RaG3
zgf>^EV_Dq*^C?R+O;_d_6>R(dJlzazHRP>#Z+|{mOH;M_fIa(W)Jm(iY}uEtw(OCv
z_vc%3e?2R6F<y2HCLh)>fG<UU1xNdbM{j>P>H9}vsa1%Fg68(+v7bc`8iV8GncVY#
zS|M<e=4Hk#DXfg&Ei9DRAYVRi_|H-Qi(0Rh*(0-RKUmiF!!f&Im*Yo{#f(nstMzMt
zOTR@t)c<8VeG(s!^nX#S*Q)!!C~CHww*QN|9oPST34BjAdyg$qvf2ZZUzyVQ8BZV%
zBC^kPs(AJ7Phc=(fW3y`{mBU#C`PSlpBglBs5l(5A;24m+etf0nr~om@Bx}p+#>HN
z7Y2V!CGfFICw%0e#F$c*X)-_qW2vqZAl8W#OqhfWrrAEjwkN~3gDgisvb;#hv10g#
zU#o<Cz?&dh>to5=^70TTR^=GmN0uezkn+5=ieEeR4h{|u4h{|u4h{|u4h{|u4h{|u
T4h{|u&w_sdO4V8904M+em80}W

literal 0
HcmV?d00001

diff --git a/testdata/val_cnametocnamewctoposwc.rpl b/testdata/val_cnametocnamewctoposwc.rpl
new file mode 100644
index 000000000000..12f83e82b4f1
--- /dev/null
+++ b/testdata/val_cnametocnamewctoposwc.rpl
@@ -0,0 +1,208 @@
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    IN      DNSKEY  257 3 8 AwEAAdL6YJdvoKQJEt/SgB6MrbQ2RDwnrcQQb6bDE8FpGgLen6hvF31ntVsZ3RZzhCmwL6lvumOLFIRKaP9ZBEVutT9iMoF2dNRbT0TCUrv6uQNHcuCZ0BJhuDNBU42f3yOnfFv7PKxd0NP+yFHJkvDQAVLMB5GeUQuYnvgQGeZsf/3b"
+	val-override-date: "-1"
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with a regular cname to wildcard cname to wildcard response
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.	120	IN	A	1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.	3600	IN	DNSKEY	256 3 8 AwEAAdWzfjQD2bfQuoQGNYuS0ByosBxiTkoKcy9kMoWOQ/jx9rvTRhHImWxTxFtIyZOoRgn6E6mE71e5Y1q1nuyH544Em+4rNRMMW4bzecQmMmPk+B97MqW9aW6e4BwiCTt52IGfL++5GORYcaITw9UOlQLYH1oHHUNUC6ebHENofLTj ;{id = 64050 (zsk), size = 1024b}
+example.com.	3600	IN	DNSKEY	257 3 8 AwEAAdL6YJdvoKQJEt/SgB6MrbQ2RDwnrcQQb6bDE8FpGgLen6hvF31ntVsZ3RZzhCmwL6lvumOLFIRKaP9ZBEVutT9iMoF2dNRbT0TCUrv6uQNHcuCZ0BJhuDNBU42f3yOnfFv7PKxd0NP+yFHJkvDQAVLMB5GeUQuYnvgQGeZsf/3b ;{id = 46426 (ksk), size = 1024b}
+example.com.	3600	IN	RRSIG	DNSKEY 8 2 3600 20121126123249 20121029123249 46426 example.com. pisNb/A40XDEiMpcYtxc+yO6osISyfpqz+0UZ61pd70+TLXMF197zr9SqOVJHyRI6G2lSnFggxYrZDpxLbxOW0RY/KfjD3xlI14M/2DieJ1NdlQuYFGgTwxcoINUJ/wRd4YUxkF4JS0D4NBdQ0yQYR0KqDr84oyhnULEHX6WB7s=
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION ANSWER
+start.example.com.	3600	IN	CNAME	x.y.z.wc.example.com.
+start.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126131853 20121029131853 64050 example.com. uN8+hg2b9kqpso4zTtpb8CdkGkgOdlbayH1Ui7NVSi1Y8un8FDG4NHy2gpCi0zIMpeAOa5bENe3cdTEwYZKHQdvnGjaI/zFWpFAzXsEFg0VlLxDQXSzRB6GtoFoUEYiZBHsmLIy3zWjuihlWK9fRzyPyVtBDDmqU8KK7+H3BYp0=
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126131853 20121029131853 64050 example.com. NQTIY1uMK1jxVMHOaMB4shedyhdAERZuPiZXytfqSH36hDVMf1C8tSxdbCjJ90lOLEWNtMmT09l5kh14gp1XIaBHzLuDsYmZJVeudBGCaQRkbM5focd2VMd8V4hHQk4odwsRrSY6IETftHeqeFiRifru/rI3x5Dlv8awI6V5TZI=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126131826 20121029131826 64050 example.com. iS1Pe45xt8SLGlmfmrSPTrnIAlwpIX8leTrsoLgpQJc98aA0XJmO/D32CbMTRZzAM1oBVggm80ht2RIQkX3W1NvN/prcu+Gp0Zrm0rtW+7Q7VwcSbo7jyHh5K8Mppp2OsCleexco5NVAKpDMvD0nyG+CsKtNMQpKK2DlumQsraE=
+SECTION AUTHORITY
+*.wc.example.com.	86400	IN	NSEC	www.example.com. CNAME RRSIG NSEC 
+*.wc.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131853 20121029131853 64050 example.com. YrmCLu0uGgD2gcU4p12BGnUGYcrKmfg82MJHSF5OnVmmJxXiSbSBnZPahbJNGA/kPLt+SlDyBTcssZKXWxM6bW7WF57OwffOj7rMyr5vhx7J6OsuWKotPVqnUFDx9j/rOum24yCKqoBWvpW/RYUHLuX1Wm05WMCgNWhuN4wqwiU=
+*.end.example.com.	86400	IN	NSEC	escapedtext.example.com. A RRSIG NSEC 
+*.end.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131826 20121029131826 64050 example.com. P6uJSImaee+5NHlTP06pMxgO69qxjJc0Uo1+htjVyE8f15MhG8A7NttvzggbtyzmfLMPr7TilM+Mm7hC3pIk/TeBEdH8p+8qypnY0NzPntz5z1+6C6ZTjDXp6NxDwMz7th31r3B3u4xo/K4qMnXmrAFOIE5Lopk0uDGXfjKPCKE=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126131826 20121029131826 64050 example.com. NgY7UAdkXprnCi/O6c5XoB82tqLBd1bY9LmDG9wwN0zEUR5aHQcOmX9waHyqXQI86SOFQbGCvO2wDLqdqWniw1IYf4S66Vf9KrpaH2gVbvHKiEpGJPeDYQcD5xkv50Lsp4ktcLyuO/dk8ORCP7E2yC5IQVNeFgUfaqttZcJoxuQ=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126131826 20121029131826 64050 example.com. L/EsWsRNhM0Lt8877XYfm0FkVc+utuRPYlW/yxEi/Nzs/mTb9BMrOygsW0qfpYakYgfFvinR7S7ce9/naWidzGkWKYR85g2WFms3/TgchpmfjZHEsNyuT8zsiGrj3bQ3RxpT5cmt/IS2QlOak/RhdtawKfd9aqkMTVpP2idEQwY=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.y.z.wc.example.com. IN A
+SECTION ANSWER
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126131853 20121029131853 64050 example.com. NQTIY1uMK1jxVMHOaMB4shedyhdAERZuPiZXytfqSH36hDVMf1C8tSxdbCjJ90lOLEWNtMmT09l5kh14gp1XIaBHzLuDsYmZJVeudBGCaQRkbM5focd2VMd8V4hHQk4odwsRrSY6IETftHeqeFiRifru/rI3x5Dlv8awI6V5TZI=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126131826 20121029131826 64050 example.com. iS1Pe45xt8SLGlmfmrSPTrnIAlwpIX8leTrsoLgpQJc98aA0XJmO/D32CbMTRZzAM1oBVggm80ht2RIQkX3W1NvN/prcu+Gp0Zrm0rtW+7Q7VwcSbo7jyHh5K8Mppp2OsCleexco5NVAKpDMvD0nyG+CsKtNMQpKK2DlumQsraE=
+SECTION AUTHORITY
+*.wc.example.com.	86400	IN	NSEC	www.example.com. CNAME RRSIG NSEC 
+*.wc.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131853 20121029131853 64050 example.com. YrmCLu0uGgD2gcU4p12BGnUGYcrKmfg82MJHSF5OnVmmJxXiSbSBnZPahbJNGA/kPLt+SlDyBTcssZKXWxM6bW7WF57OwffOj7rMyr5vhx7J6OsuWKotPVqnUFDx9j/rOum24yCKqoBWvpW/RYUHLuX1Wm05WMCgNWhuN4wqwiU=
+*.end.example.com.	86400	IN	NSEC	escapedtext.example.com. A RRSIG NSEC 
+*.end.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131826 20121029131826 64050 example.com. P6uJSImaee+5NHlTP06pMxgO69qxjJc0Uo1+htjVyE8f15MhG8A7NttvzggbtyzmfLMPr7TilM+Mm7hC3pIk/TeBEdH8p+8qypnY0NzPntz5z1+6C6ZTjDXp6NxDwMz7th31r3B3u4xo/K4qMnXmrAFOIE5Lopk0uDGXfjKPCKE=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126131826 20121029131826 64050 example.com. NgY7UAdkXprnCi/O6c5XoB82tqLBd1bY9LmDG9wwN0zEUR5aHQcOmX9waHyqXQI86SOFQbGCvO2wDLqdqWniw1IYf4S66Vf9KrpaH2gVbvHKiEpGJPeDYQcD5xkv50Lsp4ktcLyuO/dk8ORCP7E2yC5IQVNeFgUfaqttZcJoxuQ=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126131826 20121029131826 64050 example.com. L/EsWsRNhM0Lt8877XYfm0FkVc+utuRPYlW/yxEi/Nzs/mTb9BMrOygsW0qfpYakYgfFvinR7S7ce9/naWidzGkWKYR85g2WFms3/TgchpmfjZHEsNyuT8zsiGrj3bQ3RxpT5cmt/IS2QlOak/RhdtawKfd9aqkMTVpP2idEQwY=
+ENTRY_END
+
+ENTRY_BEGING
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.y.z.end.example.com. IN A
+SECTION ANSWER
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126131826 20121029131826 64050 example.com. iS1Pe45xt8SLGlmfmrSPTrnIAlwpIX8leTrsoLgpQJc98aA0XJmO/D32CbMTRZzAM1oBVggm80ht2RIQkX3W1NvN/prcu+Gp0Zrm0rtW+7Q7VwcSbo7jyHh5K8Mppp2OsCleexco5NVAKpDMvD0nyG+CsKtNMQpKK2DlumQsraE=
+SECTION AUTHORITY
+*.end.example.com.	86400	IN	NSEC	escapedtext.example.com. A RRSIG NSEC 
+*.end.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131826 20121029131826 64050 example.com. P6uJSImaee+5NHlTP06pMxgO69qxjJc0Uo1+htjVyE8f15MhG8A7NttvzggbtyzmfLMPr7TilM+Mm7hC3pIk/TeBEdH8p+8qypnY0NzPntz5z1+6C6ZTjDXp6NxDwMz7th31r3B3u4xo/K4qMnXmrAFOIE5Lopk0uDGXfjKPCKE=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126131826 20121029131826 64050 example.com. NgY7UAdkXprnCi/O6c5XoB82tqLBd1bY9LmDG9wwN0zEUR5aHQcOmX9waHyqXQI86SOFQbGCvO2wDLqdqWniw1IYf4S66Vf9KrpaH2gVbvHKiEpGJPeDYQcD5xkv50Lsp4ktcLyuO/dk8ORCP7E2yC5IQVNeFgUfaqttZcJoxuQ=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+RANGE_END
+
+
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+start.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION ANSWER
+start.example.com.	3600	IN	CNAME	x.y.z.wc.example.com.
+start.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126131853 20121029131853 64050 example.com. uN8+hg2b9kqpso4zTtpb8CdkGkgOdlbayH1Ui7NVSi1Y8un8FDG4NHy2gpCi0zIMpeAOa5bENe3cdTEwYZKHQdvnGjaI/zFWpFAzXsEFg0VlLxDQXSzRB6GtoFoUEYiZBHsmLIy3zWjuihlWK9fRzyPyVtBDDmqU8KK7+H3BYp0=
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126131853 20121029131853 64050 example.com. NQTIY1uMK1jxVMHOaMB4shedyhdAERZuPiZXytfqSH36hDVMf1C8tSxdbCjJ90lOLEWNtMmT09l5kh14gp1XIaBHzLuDsYmZJVeudBGCaQRkbM5focd2VMd8V4hHQk4odwsRrSY6IETftHeqeFiRifru/rI3x5Dlv8awI6V5TZI=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126131826 20121029131826 64050 example.com. iS1Pe45xt8SLGlmfmrSPTrnIAlwpIX8leTrsoLgpQJc98aA0XJmO/D32CbMTRZzAM1oBVggm80ht2RIQkX3W1NvN/prcu+Gp0Zrm0rtW+7Q7VwcSbo7jyHh5K8Mppp2OsCleexco5NVAKpDMvD0nyG+CsKtNMQpKK2DlumQsraE=
+SECTION AUTHORITY
+*.wc.example.com.	86400	IN	NSEC	www.example.com. CNAME RRSIG NSEC 
+*.wc.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131853 20121029131853 64050 example.com. YrmCLu0uGgD2gcU4p12BGnUGYcrKmfg82MJHSF5OnVmmJxXiSbSBnZPahbJNGA/kPLt+SlDyBTcssZKXWxM6bW7WF57OwffOj7rMyr5vhx7J6OsuWKotPVqnUFDx9j/rOum24yCKqoBWvpW/RYUHLuX1Wm05WMCgNWhuN4wqwiU=
+*.end.example.com.	86400	IN	NSEC	escapedtext.example.com. A RRSIG NSEC 
+*.end.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131826 20121029131826 64050 example.com. P6uJSImaee+5NHlTP06pMxgO69qxjJc0Uo1+htjVyE8f15MhG8A7NttvzggbtyzmfLMPr7TilM+Mm7hC3pIk/TeBEdH8p+8qypnY0NzPntz5z1+6C6ZTjDXp6NxDwMz7th31r3B3u4xo/K4qMnXmrAFOIE5Lopk0uDGXfjKPCKE=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126131826 20121029131826 64050 example.com. NgY7UAdkXprnCi/O6c5XoB82tqLBd1bY9LmDG9wwN0zEUR5aHQcOmX9waHyqXQI86SOFQbGCvO2wDLqdqWniw1IYf4S66Vf9KrpaH2gVbvHKiEpGJPeDYQcD5xkv50Lsp4ktcLyuO/dk8ORCP7E2yC5IQVNeFgUfaqttZcJoxuQ=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/val_cnametonodata_nonsec.rpl b/testdata/val_cnametonodata_nonsec.rpl
new file mode 100644
index 000000000000..5a263632c192
--- /dev/null
+++ b/testdata/val_cnametonodata_nonsec.rpl
@@ -0,0 +1,262 @@
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+	trust-anchor: "example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with cname to nodata
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.net. IN A
+SECTION AUTHORITY
+net.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION ANSWER
+net.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.net. IN A
+SECTION AUTHORITY
+example.net.	IN NS	ns.example.net.
+SECTION ADDITIONAL
+ns.example.net.		IN 	A	1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600    IN      RRSIG   DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+; NSEC here ...
+SECTION ADDITIONAL
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com.  3600    IN      CNAME   www.example.net.
+www.example.com.        3600    IN      RRSIG   CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFGtYzScyRnHV8U/jOIPYwrlI9t3oAhRF0PIf+IthUR7uCWIvskWp5CfReQ== ;{id = 2854}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+; ns.example.net.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net.	IN NS	ns.example.net.
+example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net.		IN 	A	1.2.3.5
+ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN DNSKEY
+SECTION ANSWER
+example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
+SECTION AUTHORITY
+example.net.	IN NS	ns.example.net.
+example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net.		IN 	A	1.2.3.5
+ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.net. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+; NSEC here
+SECTION ADDITIONAL
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.net. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+;www.example.net. IN NSEC	example.net. MX NSEC RRSIG
+;www.example.net.        3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. Z+3/WKJEqhWoMOQLC7Yb1dTVGaqzmU0bZ2cH9jSfNQZiT0O37yzCNNUmMsW4gsJOh3o61iZ+hxpze3aO3aedqQ== ;{id = 30899}
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.net. IN DS
+SECTION ANSWER
+SECTION AUTHORITY
+www.example.net. IN NSEC	example.net. MX NSEC RRSIG
+www.example.net.        3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. Z+3/WKJEqhWoMOQLC7Yb1dTVGaqzmU0bZ2cH9jSfNQZiT0O37yzCNNUmMsW4gsJOh3o61iZ+hxpze3aO3aedqQ== ;{id = 30899}
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/val_ds_cnamesub.rpl b/testdata/val_ds_cnamesub.rpl
new file mode 100644
index 000000000000..a147b93d682c
--- /dev/null
+++ b/testdata/val_ds_cnamesub.rpl
@@ -0,0 +1,275 @@
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with CNAME response to DS in chain of trust
+; the CNAME is at a nonempty nonterminal name in the parent zone.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN A
+SECTION AUTHORITY
+net.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.net. IN A
+SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 1.2.3.6
+ENTRY_END
+
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION ANSWER
+; not legal NOERROR/NODATA response, but leniently accepted (not validated)
+SECTION AUTHORITY
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+;example.com. IN SOA alfa.ns.example.com.cz. hostmaster.example.com. 2010030800 10800 86400 604800 86400
+;example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. ADsxLOHjxFzwFmwIiGOubqD9nKWAp4RccRIXQ0+EAUGfSDZMCB0ZiFA= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DS query for a.example.com, a CNAME
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.example.com. IN DS
+SECTION ANSWER
+a.example.com. IN CNAME zzz.example.net.
+a.example.com.	3600	IN	RRSIG	CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AKM6/j6yowuwqbazKzi4fEsavcLwXo3PjglhH9KD68ANZOrdN9y1ZCc=
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; response to DS query for sub.a.example.com.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub.a.example.com. IN DS
+SECTION ANSWER
+sub.a.example.com.	3600	IN	DS	57024 7 1 e54100bff773a794854808694c5d217267a53649
+sub.a.example.com.	3600	IN	RRSIG	DS 3 4 3600 20070926134150 20070829134150 2854 example.com. ALHDGmpgZlXnAb54z4FbBKw/9nXVBdosG0UCEuh4qU7Lm/fs5Dv9aJw=
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; delegation down
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+sub.a.example.com. IN NS
+SECTION ANSWER
+SECTION AUTHORITY
+sub.a.example.com.	3600	IN	DS	57024 7 1 e54100bff773a794854808694c5d217267a53649
+sub.a.example.com.	3600	IN	RRSIG	DS 3 4 3600 20070926134150 20070829134150 2854 example.com. ALHDGmpgZlXnAb54z4FbBKw/9nXVBdosG0UCEuh4qU7Lm/fs5Dv9aJw=
+sub.a.example.com. IN NS ns.sub.a.example.com.
+SECTION ADDITIONAL
+ns.sub.a.example.com. IN A 1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.sub.a.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.5
+
+; DNSKEY query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub.a.example.com. IN DNSKEY
+SECTION ANSWER
+sub.a.example.com.	3600	IN	DNSKEY	257 3 7 AwEAAbvre/wK/WVeoj0SiwVkTD+NefvHPru9YIqLWY0m+0E5NYOpJZdc+PGQQYRzFNOlugVZtFirmv5Lmz7GNiASXtG/IFi//SlE30DxEKQOjt2F6qSZTZ1nZ5XOIMGTwWyp4OoI0egk5JavC5mQbyXqcj82ywt6F5Z3CmnThVl6MtOv ;{id = 57024 (ksk), size = 1024b}
+sub.a.example.com.	3600	IN	RRSIG	DNSKEY 7 4 3600 20070926134150 20070829134150 57024 sub.a.example.com. TB3rkkPBD/ESQR9WBpfq2aV+2howI+EJq2+om2EI6PiemQOdpN6ovLvKwCILb0LOsTEFfPpAvRCOuDzRC24sJqBgWpZ4xLxMTcQJ8hMvv7rIUfZotDPO2JYNHSRmpeQLuDGA6P+AtJLYIr7yfOltJmJ0aCJxy3Fm9RQxJxHVbEQ=
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.sub.a.example.com. IN A
+SECTION ANSWER
+www.sub.a.example.com. IN A 10.20.30.40
+www.sub.a.example.com.	3600	IN	RRSIG	A 7 5 3600 20070926134150 20070829134150 57024 sub.a.example.com. az44R7VbfooRtaSOO65W+GP4K/fHlIcKMkF/z3LVvDXOdCK+zuYPJycBCYljH5cAhslMXgDeHMOWdcPhKIZ3EjykYUJIGlMckVIMobBieFKFhIX9r/bRpT0vlsCF2YKbmvyjpeRF/sIg2iSNMf/s6wxpZq02Kq6yuHtUEqgx7uA=
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+RANGE_END
+
+; ns.example.net.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.6
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+zzz.example.net. IN DS
+SECTION ANSWER
+SECTION AUTHORITY
+example.net. IN SOA root. host. 1 2 3 4 5
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.sub.a.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+www.sub.a.example.com. IN A
+SECTION ANSWER
+www.sub.a.example.com.  3600    IN      A       10.20.30.40
+www.sub.a.example.com.  3600    IN      RRSIG   A 7 5 3600 20070926134150 20070829134150 57024 sub.a.example.com. az44R7VbfooRtaSOO65W+GP4K/fHlIcKMkF/z3LVvDXOdCK+zuYPJycBCYljH5cAhslMXgDeHMOWdcPhKIZ3EjykYUJIGlMckVIMobBieFKFhIX9r/bRpT0vlsCF2YKbmvyjpeRF/sIg2iSNMf/s6wxpZq02Kq6yuHtUEqgx7uA=
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/val_nsec3_cnametocnamewctoposwc.rpl b/testdata/val_nsec3_cnametocnamewctoposwc.rpl
new file mode 100644
index 000000000000..d6e92d89ac9a
--- /dev/null
+++ b/testdata/val_nsec3_cnametocnamewctoposwc.rpl
@@ -0,0 +1,206 @@
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    IN      DNSKEY  257 3 8 AwEAAdL6YJdvoKQJEt/SgB6MrbQ2RDwnrcQQb6bDE8FpGgLen6hvF31ntVsZ3RZzhCmwL6lvumOLFIRKaP9ZBEVutT9iMoF2dNRbT0TCUrv6uQNHcuCZ0BJhuDNBU42f3yOnfFv7PKxd0NP+yFHJkvDQAVLMB5GeUQuYnvgQGeZsf/3b"
+	val-override-date: "-1"
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with a regular cname to wildcard cname to wildcard response
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.	120	IN	A	1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.	3600	IN	DNSKEY	256 3 8 AwEAAdWzfjQD2bfQuoQGNYuS0ByosBxiTkoKcy9kMoWOQ/jx9rvTRhHImWxTxFtIyZOoRgn6E6mE71e5Y1q1nuyH544Em+4rNRMMW4bzecQmMmPk+B97MqW9aW6e4BwiCTt52IGfL++5GORYcaITw9UOlQLYH1oHHUNUC6ebHENofLTj ;{id = 64050 (zsk), size = 1024b}
+example.com.	3600	IN	DNSKEY	257 3 8 AwEAAdL6YJdvoKQJEt/SgB6MrbQ2RDwnrcQQb6bDE8FpGgLen6hvF31ntVsZ3RZzhCmwL6lvumOLFIRKaP9ZBEVutT9iMoF2dNRbT0TCUrv6uQNHcuCZ0BJhuDNBU42f3yOnfFv7PKxd0NP+yFHJkvDQAVLMB5GeUQuYnvgQGeZsf/3b ;{id = 46426 (ksk), size = 1024b}
+example.com.	3600	IN	RRSIG	DNSKEY 8 2 3600 20121126123249 20121029123249 46426 example.com. pisNb/A40XDEiMpcYtxc+yO6osISyfpqz+0UZ61pd70+TLXMF197zr9SqOVJHyRI6G2lSnFggxYrZDpxLbxOW0RY/KfjD3xlI14M/2DieJ1NdlQuYFGgTwxcoINUJ/wRd4YUxkF4JS0D4NBdQ0yQYR0KqDr84oyhnULEHX6WB7s=
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION ANSWER
+start.example.com.	3600	IN	CNAME	x.y.z.wc.example.com.
+start.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. LHpx5n++Z0Jgjjalac+e7wdYSbfurqSDpLRAOI1PybTJkwrMvgDKfp0ycT4HwsLVy7spumZ/Ahg/5II9pai7jCiqv1Iyh6fx19ZVeClTFMOLotCK8xMHACYJIY39BhTwD2D3r9BxbK+RopUlXypwV02yzdY2xEnPCBJVDUn5d0g=
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. BCnT6CIuqvF1U9LfiHIovgvXIVFJsCXqQWmnjHtbFvzUlTlfGj+56YBSOEpyCep4CBJ0CBgZ8gl5kWip8N+sTlveU/UWMv4FAkqLXRYjp4CZegslmJIuXU5uS+Q0GlLbWdSB9ZCZcbbO0qrOtUfrJ2ozcSTCS+D+oIZ+CkwvDlQ=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126123249 20121029123249 64050 example.com. MyXXd3MvXtEYVNqWDepM3+Ra/j/b63QehzSHXZe5gL954WxW8KGHPYmeWyhDtruThpZS6s6jeARY2xt0lmEDnMgNyPJGA6UWwTIgvGD0u9Qw5kocCq3ZH4cSG4xu4rmZoi+h8OGrHxUb4jIKzipzAQDxhnAcp/wKF7e+p+OE+Fo=
+SECTION AUTHORITY
+; H(z.wc.example.com.) = isn85psesctb6afn2q105mv966tqqepi.
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	NSEC3	1 0 1 abcd  isoaarjsq14bkqaamivn1t1milkv95lc A RRSIG 
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123259 20121029123259 64050 example.com. Cxwzq1DUQvhkTVHEJHlb92c511Y+uJy/C0yL9br6W/5lB/usuSiK2DjW58ibPh2kLH1P3SpGqd1Y7LigptdXoPBDFakcNcimPWCN93R3J80+vrHHPkPyIsBaywwYI3SNGgfnHfPF+wmH+tZ1vfEHbigOxqPFK+T0ntKq7dkSndg=
+; H(z.end.example.com.) = a62608t4becqb6233m87ar7a3648rj3b.
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	NSEC3	1 0 1 abcd  a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG 
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8l8eh7ovalniwkU3F+PNYJyfSE9yGX8tMGbXrkEW9mAzAh39igr2+Bbzi9WPTRp4RDVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8xAiwPrBJXDQ=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.y.z.wc.example.com. IN A
+SECTION ANSWER
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. BCnT6CIuqvF1U9LfiHIovgvXIVFJsCXqQWmnjHtbFvzUlTlfGj+56YBSOEpyCep4CBJ0CBgZ8gl5kWip8N+sTlveU/UWMv4FAkqLXRYjp4CZegslmJIuXU5uS+Q0GlLbWdSB9ZCZcbbO0qrOtUfrJ2ozcSTCS+D+oIZ+CkwvDlQ=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126123249 20121029123249 64050 example.com. MyXXd3MvXtEYVNqWDepM3+Ra/j/b63QehzSHXZe5gL954WxW8KGHPYmeWyhDtruThpZS6s6jeARY2xt0lmEDnMgNyPJGA6UWwTIgvGD0u9Qw5kocCq3ZH4cSG4xu4rmZoi+h8OGrHxUb4jIKzipzAQDxhnAcp/wKF7e+p+OE+Fo=
+SECTION AUTHORITY
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	NSEC3	1 0 1 abcd  isoaarjsq14bkqaamivn1t1milkv95lc A RRSIG 
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123259 20121029123259 64050 example.com. Cxwzq1DUQvhkTVHEJHlb92c511Y+uJy/C0yL9br6W/5lB/usuSiK2DjW58ibPh2kLH1P3SpGqd1Y7LigptdXoPBDFakcNcimPWCN93R3J80+vrHHPkPyIsBaywwYI3SNGgfnHfPF+wmH+tZ1vfEHbigOxqPFK+T0ntKq7dkSndg=
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	NSEC3	1 0 1 abcd  a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG 
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8l8eh7ovalniwkU3F+PNYJyfSE9yGX8tMGbXrkEW9mAzAh39igr2+Bbzi9WPTRp4RDVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8xAiwPrBJXDQ=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGING
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.y.z.end.example.com. IN A
+SECTION ANSWER
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126123249 20121029123249 64050 example.com. MyXXd3MvXtEYVNqWDepM3+Ra/j/b63QehzSHXZe5gL954WxW8KGHPYmeWyhDtruThpZS6s6jeARY2xt0lmEDnMgNyPJGA6UWwTIgvGD0u9Qw5kocCq3ZH4cSG4xu4rmZoi+h8OGrHxUb4jIKzipzAQDxhnAcp/wKF7e+p+OE+Fo=
+SECTION AUTHORITY
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	NSEC3	1 0 1 abcd  a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG 
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8l8eh7ovalniwkU3F+PNYJyfSE9yGX8tMGbXrkEW9mAzAh39igr2+Bbzi9WPTRp4RDVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8xAiwPrBJXDQ=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+RANGE_END
+
+
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+start.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION ANSWER
+start.example.com.	3600	IN	CNAME	x.y.z.wc.example.com.
+start.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. LHpx5n++Z0Jgjjalac+e7wdYSbfurqSDpLRAOI1PybTJkwrMvgDKfp0ycT4HwsLVy7spumZ/Ahg/5II9pai7jCiqv1Iyh6fx19ZVeClTFMOLotCK8xMHACYJIY39BhTwD2D3r9BxbK+RopUlXypwV02yzdY2xEnPCBJVDUn5d0g=
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. BCnT6CIuqvF1U9LfiHIovgvXIVFJsCXqQWmnjHtbFvzUlTlfGj+56YBSOEpyCep4CBJ0CBgZ8gl5kWip8N+sTlveU/UWMv4FAkqLXRYjp4CZegslmJIuXU5uS+Q0GlLbWdSB9ZCZcbbO0qrOtUfrJ2ozcSTCS+D+oIZ+CkwvDlQ=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126123249 20121029123249 64050 example.com. MyXXd3MvXtEYVNqWDepM3+Ra/j/b63QehzSHXZe5gL954WxW8KGHPYmeWyhDtruThpZS6s6jeARY2xt0lmEDnMgNyPJGA6UWwTIgvGD0u9Qw5kocCq3ZH4cSG4xu4rmZoi+h8OGrHxUb4jIKzipzAQDxhnAcp/wKF7e+p+OE+Fo=
+SECTION AUTHORITY
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	NSEC3	1 0 1 abcd  isoaarjsq14bkqaamivn1t1milkv95lc A RRSIG 
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123259 20121029123259 64050 example.com. Cxwzq1DUQvhkTVHEJHlb92c511Y+uJy/C0yL9br6W/5lB/usuSiK2DjW58ibPh2kLH1P3SpGqd1Y7LigptdXoPBDFakcNcimPWCN93R3J80+vrHHPkPyIsBaywwYI3SNGgfnHfPF+wmH+tZ1vfEHbigOxqPFK+T0ntKq7dkSndg=
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	NSEC3	1 0 1 abcd  a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG 
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8l8eh7ovalniwkU3F+PNYJyfSE9yGX8tMGbXrkEW9mAzAh39igr2+Bbzi9WPTRp4RDVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8xAiwPrBJXDQ=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/val_nsec3_entnodata_optout.rpl b/testdata/val_nsec3_entnodata_optout.rpl
new file mode 100644
index 000000000000..56ed195fc3f5
--- /dev/null
+++ b/testdata/val_nsec3_entnodata_optout.rpl
@@ -0,0 +1,200 @@
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with NSEC3 response for NODATA ENT with optout. 
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA REFUSED
+SECTION QUESTION
+ns.example.com. IN A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA REFUSED
+SECTION QUESTION
+ns.example.com. IN AAAA
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com.	IN SOA	ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCM6lsu9byZIQ1yYjJmyYfFWM2RWAIUcR5t84r2La824oWCkLjmHXRQlco= ;{id = 2854}
+
+; NODATA response. H(www.example.com.) = s1unhcti19bkdr98fegs0v46mbu3t4m3
+s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com. IN NSEC3  1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 MX RRSIG
+s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFE/a24nsY2luhQmZjY/ObAIgNSMkAhQWd4MUOUVK55bD6AbMHWrDA0yvEA== ;{id = 2854}
+
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ent.example.com. IN DS
+SECTION AUTHORITY
+; example.com. -> b6fuorg741ufili49mg9j4328ig53sqg.
+; OPTOUT
+b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG
+b6fuorg741ufili49mg9j4328ig53sqg.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AHNLlpOM8cBFBBdzUO9nQC/O6mw3rDUrqcdiSwMKAIckd3k5WZvoP78=
+
+; ent.example.com. -> 2kekcu37chvrqjb272ptidu9jhk8oqag.
+; OPTOUT SPAN around it
+2kekcu37chvrqjb272ptidu9jhk7oqag.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 2kekcu37chvrqjb272ptidu9jhk9oqag
+2kekcu37chvrqjb272ptidu9jhk7oqag.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AFgtC3UEm/Tu4HIjfDHIDmZkvgwHF0kWKcD3wP2hs+/wOfaILtXBr4c=
+ENTRY_END
+
+; refer to server one down
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+ent.example.com. IN A
+SECTION AUTHORITY
+; example.com. -> b6fuorg741ufili49mg9j4328ig53sqg.
+; OPTOUT
+b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG
+b6fuorg741ufili49mg9j4328ig53sqg.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AHNLlpOM8cBFBBdzUO9nQC/O6mw3rDUrqcdiSwMKAIckd3k5WZvoP78=
+
+; ent.example.com. -> 2kekcu37chvrqjb272ptidu9jhk8oqag.
+; OPTOUT SPAN around it
+2kekcu37chvrqjb272ptidu9jhk7oqag.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 2kekcu37chvrqjb272ptidu9jhk9oqag
+2kekcu37chvrqjb272ptidu9jhk7oqag.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AFgtC3UEm/Tu4HIjfDHIDmZkvgwHF0kWKcD3wP2hs+/wOfaILtXBr4c=
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+ent.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO NOERROR
+SECTION QUESTION
+ent.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG
+b6fuorg741ufili49mg9j4328ig53sqg.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AHNLlpOM8cBFBBdzUO9nQC/O6mw3rDUrqcdiSwMKAIckd3k5WZvoP78=
+2kekcu37chvrqjb272ptidu9jhk7oqag.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 2kekcu37chvrqjb272ptidu9jhk9oqag
+2kekcu37chvrqjb272ptidu9jhk7oqag.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AFgtC3UEm/Tu4HIjfDHIDmZkvgwHF0kWKcD3wP2hs+/wOfaILtXBr4c=
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/val_nsec3_entnodata_optout_badopt.rpl b/testdata/val_nsec3_entnodata_optout_badopt.rpl
new file mode 100644
index 000000000000..d1548f522f36
--- /dev/null
+++ b/testdata/val_nsec3_entnodata_optout_badopt.rpl
@@ -0,0 +1,196 @@
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with NSEC3 response for NODATA ENT with optout. 
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA REFUSED
+SECTION QUESTION
+ns.example.com. IN A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA REFUSED
+SECTION QUESTION
+ns.example.com. IN AAAA
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com.	IN SOA	ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCM6lsu9byZIQ1yYjJmyYfFWM2RWAIUcR5t84r2La824oWCkLjmHXRQlco= ;{id = 2854}
+
+; NODATA response. H(www.example.com.) = s1unhcti19bkdr98fegs0v46mbu3t4m3
+s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com. IN NSEC3  1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 MX RRSIG
+s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFE/a24nsY2luhQmZjY/ObAIgNSMkAhQWd4MUOUVK55bD6AbMHWrDA0yvEA== ;{id = 2854}
+
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ent.example.com. IN DS
+SECTION AUTHORITY
+; example.com. -> b6fuorg741ufili49mg9j4328ig53sqg.
+; OPTOUT
+b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG
+b6fuorg741ufili49mg9j4328ig53sqg.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AHNLlpOM8cBFBBdzUO9nQC/O6mw3rDUrqcdiSwMKAIckd3k5WZvoP78=
+
+; ent.example.com. -> 2kekcu37chvrqjb272ptidu9jhk8oqag.
+; the span does not have OPTOUT
+2kekcu37chvrqjb272ptidu9jhk7oqag.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd 2kekcu37chvrqjb272ptidu9jhk9oqag
+2kekcu37chvrqjb272ptidu9jhk7oqag.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AAaGjBrmbElksOWsOAU0vdNwbRKsbsQgOwhFkONaynSk9M+2QpJQ6+k=
+ENTRY_END
+
+; refer to server one down
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+ent.example.com. IN A
+SECTION AUTHORITY
+; example.com. -> b6fuorg741ufili49mg9j4328ig53sqg.
+; OPTOUT
+b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG
+b6fuorg741ufili49mg9j4328ig53sqg.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AHNLlpOM8cBFBBdzUO9nQC/O6mw3rDUrqcdiSwMKAIckd3k5WZvoP78=
+
+; ent.example.com. -> 2kekcu37chvrqjb272ptidu9jhk8oqag.
+; the span does not have OPTOUT
+2kekcu37chvrqjb272ptidu9jhk7oqag.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd 2kekcu37chvrqjb272ptidu9jhk9oqag
+2kekcu37chvrqjb272ptidu9jhk7oqag.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AAaGjBrmbElksOWsOAU0vdNwbRKsbsQgOwhFkONaynSk9M+2QpJQ6+k=
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+ent.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+ent.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/val_nsec3_entnodata_optout_match.rpl b/testdata/val_nsec3_entnodata_optout_match.rpl
new file mode 100644
index 000000000000..329db5f53d57
--- /dev/null
+++ b/testdata/val_nsec3_entnodata_optout_match.rpl
@@ -0,0 +1,200 @@
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator NODATA ENT with nsec3 optout matches the ent. 
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA REFUSED
+SECTION QUESTION
+ns.example.com. IN A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA REFUSED
+SECTION QUESTION
+ns.example.com. IN AAAA
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com.	IN SOA	ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCM6lsu9byZIQ1yYjJmyYfFWM2RWAIUcR5t84r2La824oWCkLjmHXRQlco= ;{id = 2854}
+
+; NODATA response. H(www.example.com.) = s1unhcti19bkdr98fegs0v46mbu3t4m3
+s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com. IN NSEC3  1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 MX RRSIG
+s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFE/a24nsY2luhQmZjY/ObAIgNSMkAhQWd4MUOUVK55bD6AbMHWrDA0yvEA== ;{id = 2854}
+
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ent.example.com. IN DS
+SECTION AUTHORITY
+; example.com. -> b6fuorg741ufili49mg9j4328ig53sqg.
+; OPTOUT
+b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG
+b6fuorg741ufili49mg9j4328ig53sqg.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AHNLlpOM8cBFBBdzUO9nQC/O6mw3rDUrqcdiSwMKAIckd3k5WZvoP78=
+
+; ent.example.com. -> 2kekcu37chvrqjb272ptidu9jhk8oqag.
+; OPTOUT
+2kekcu37chvrqjb272ptidu9jhk8oqag.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 2kekcu37chvrqjb272ptidu9jhk9oqag
+2kekcu37chvrqjb272ptidu9jhk8oqag.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AJl6kanB5RTIcTJysEzDUNqQAr0ftIqzGzQw2+v8RLEbn3Yhi1bEfOQ=
+ENTRY_END
+
+; refer to server one down
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+ent.example.com. IN A
+SECTION AUTHORITY
+; example.com. -> b6fuorg741ufili49mg9j4328ig53sqg.
+; OPTOUT
+b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG
+b6fuorg741ufili49mg9j4328ig53sqg.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AHNLlpOM8cBFBBdzUO9nQC/O6mw3rDUrqcdiSwMKAIckd3k5WZvoP78=
+
+; ent.example.com. -> 2kekcu37chvrqjb272ptidu9jhk8oqag.
+; OPTOUT
+2kekcu37chvrqjb272ptidu9jhk8oqag.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 2kekcu37chvrqjb272ptidu9jhk9oqag
+2kekcu37chvrqjb272ptidu9jhk8oqag.example.com.	3600	IN	RRSIG	NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AJl6kanB5RTIcTJysEzDUNqQAr0ftIqzGzQw2+v8RLEbn3Yhi1bEfOQ=
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+ent.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+ent.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+b6fuorg741ufili49mg9j4328ig53sqg.example.com.   3600    IN      NSEC3   1 1 123 aabb00123456bbccdd  b6fuorg741ufili49mg9j4328ig54sqg NS SOA RRSIG DNSKEY 
+b6fuorg741ufili49mg9j4328ig53sqg.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AHNLlpOM8cBFBBdzUO9nQC/O6mw3rDUrqcdiSwMKAIckd3k5WZvoP78=
+2kekcu37chvrqjb272ptidu9jhk8oqag.example.com.   3600    IN      NSEC3   1 1 123 aabb00123456bbccdd  2kekcu37chvrqjb272ptidu9jhk9oqag
+2kekcu37chvrqjb272ptidu9jhk8oqag.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AJl6kanB5RTIcTJysEzDUNqQAr0ftIqzGzQw2+v8RLEbn3Yhi1bEfOQ=
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
diff --git a/util/alloc.h b/util/alloc.h
index 4ed0053e2b4a..cb8d6b1bceb7 100644
--- a/util/alloc.h
+++ b/util/alloc.h
@@ -177,8 +177,11 @@ void alloc_set_id_cleanup(struct alloc_cache* alloc, void (*cleanup)(void*),
 	void* arg);
 
 #ifdef UNBOUND_ALLOC_LITE
+#  include <ldns/ldns.h>
 #  include <ldns/packet.h>
-#  include <openssl/ssl.h>
+#  ifdef HAVE_OPENSSL_SSL_H
+#    include <openssl/ssl.h>
+#  endif
 #  define malloc(s) unbound_stat_malloc_lite(s, __FILE__, __LINE__, __func__)
 #  define calloc(n,s) unbound_stat_calloc_lite(n, s, __FILE__, __LINE__, __func__)
 #  define free(p) unbound_stat_free_lite(p, __FILE__, __LINE__, __func__)
diff --git a/util/config_file.c b/util/config_file.c
index 8ba79d2a29ca..b946f0df0dc5 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -53,6 +53,10 @@
 #include "util/regional.h"
 #include "util/fptr_wlist.h"
 #include "util/data/dname.h"
+#ifdef HAVE_GLOB_H
+# include <glob.h>
+#endif
+
 /** global config during parsing */
 struct config_parser_state* cfg_parser = 0;
 /** lex in file */
@@ -286,7 +290,7 @@ struct config_file* config_create_forlib(void)
 	{ return cfg_strlist_insert(&cfg->var, strdup(val)); }
 
 int config_set_option(struct config_file* cfg, const char* opt,
-        const char* val)
+	const char* val)
 {
 	S_NUMBER_OR_ZERO("verbosity:", verbosity)
 	else if(strcmp(opt, "statistics-interval:") == 0) {
@@ -458,7 +462,7 @@ void config_collate_func(char* line, void* arg)
 }
 
 int config_get_option_list(struct config_file* cfg, const char* opt,
-        struct config_strlist** list)
+	struct config_strlist** list)
 {
 	struct config_collate_arg m;
 	memset(&m, 0, sizeof(m));
@@ -687,8 +691,69 @@ config_read(struct config_file* cfg, const char* filename, const char* chroot)
 {
 	FILE *in;
 	char *fname = (char*)filename;
+#ifdef HAVE_GLOB
+	glob_t g;
+	size_t i;
+	int r, flags;
+#endif
 	if(!fname)
 		return 1;
+
+	/* check for wildcards */
+#ifdef HAVE_GLOB
+	if(!(!strchr(fname, '*') && !strchr(fname, '?') && !strchr(fname, '[') &&
+		!strchr(fname, '{') && !strchr(fname, '~'))) {
+		verbose(VERB_QUERY, "wildcard found, processing %s", fname);
+		flags = 0
+#ifdef GLOB_ERR
+			| GLOB_ERR
+#endif
+#ifdef GLOB_NOSORT
+			| GLOB_NOSORT
+#endif
+#ifdef GLOB_BRACE
+			| GLOB_BRACE
+#endif
+#ifdef GLOB_TILDE
+			| GLOB_TILDE
+#endif
+		;
+		memset(&g, 0, sizeof(g));
+		r = glob(fname, flags, NULL, &g);
+		if(r) {
+			/* some error */
+			globfree(&g);
+			if(r == GLOB_NOMATCH) {
+				verbose(VERB_QUERY, "include: "
+				"no matches for %s", fname);
+				return 1; 
+			} else if(r == GLOB_NOSPACE) {
+				log_err("include: %s: "
+					"fnametern out of memory", fname);
+			} else if(r == GLOB_ABORTED) {
+				log_err("wildcard include: %s: expansion "
+					"aborted (%s)", fname, strerror(errno));
+			} else {
+				log_err("wildcard include: %s: expansion "
+					"failed (%s)", fname, strerror(errno));
+			}
+			/* ignore globs that yield no files */
+			return 1;
+		}
+		/* process files found, if any */
+		for(i=0; i<(size_t)g.gl_pathc; i++) {
+			if(!config_read(cfg, g.gl_pathv[i], chroot)) {
+				log_err("error reading wildcard "
+					"include: %s", g.gl_pathv[i]);
+				globfree(&g);
+				return 0;
+			}
+		}
+		globfree(&g);
+		return 1;
+	}
+#endif /* HAVE_GLOB */
+
 	in = fopen(fname, "r");
 	if(!in) {
 		log_err("Could not open %s: %s", fname, strerror(errno));
@@ -1003,26 +1068,26 @@ cfg_convert_timeval(const char* str)
 int 
 cfg_count_numbers(const char* s)
 {
-        /* format ::= (sp num)+ sp      */
-        /* num ::= [-](0-9)+            */
-        /* sp ::= (space|tab)*          */
-        int num = 0;
-        while(*s) {
-                while(*s && isspace((int)*s))
-                        s++;
-                if(!*s) /* end of string */
-                        break;
-                if(*s == '-')
-                        s++;
-                if(!*s) /* only - not allowed */
-                        return 0;
-                if(!isdigit((int)*s)) /* bad character */
-                        return 0;
-                while(*s && isdigit((int)*s))
-                        s++;
-                num++;
-        }
-        return num;
+	/* format ::= (sp num)+ sp  */
+	/* num ::= [-](0-9)+        */
+	/* sp ::= (space|tab)*      */
+	int num = 0;
+	while(*s) {
+		while(*s && isspace((int)*s))
+			s++;
+		if(!*s) /* end of string */
+			break;
+		if(*s == '-')
+			s++;
+		if(!*s) /* only - not allowed */
+			return 0;
+		if(!isdigit((int)*s)) /* bad character */
+			return 0;
+		while(*s && isdigit((int)*s))
+			s++;
+		num++;
+	}
+	return num;
 }
 
 /** all digit number */
@@ -1038,9 +1103,9 @@ static int isalldigit(const char* str, size_t l)
 int 
 cfg_parse_memsize(const char* str, size_t* res)
 {
-	size_t len = (size_t)strlen(str);
+	size_t len;
 	size_t mult = 1;
-	if(!str || len == 0) {
+	if(!str || (len=(size_t)strlen(str)) == 0) {
 		log_err("not a size: '%s'", str);
 		return 0;
 	}
diff --git a/util/configlexer.c b/util/configlexer.c
index 4e8ed337821e..9ee356660258 100644
--- a/util/configlexer.c
+++ b/util/configlexer.c
@@ -10,7 +10,7 @@
 #define FLEX_SCANNER
 #define YY_FLEX_MAJOR_VERSION 2
 #define YY_FLEX_MINOR_VERSION 5
-#define YY_FLEX_SUBMINOR_VERSION 35
+#define YY_FLEX_SUBMINOR_VERSION 36
 #if YY_FLEX_SUBMINOR_VERSION > 0
 #define FLEX_BETA
 #endif
@@ -55,7 +55,6 @@ typedef int flex_int32_t;
 typedef unsigned char flex_uint8_t; 
 typedef unsigned short int flex_uint16_t;
 typedef unsigned int flex_uint32_t;
-#endif /* ! C99 */
 
 /* Limits of integral types. */
 #ifndef INT8_MIN
@@ -86,6 +85,8 @@ typedef unsigned int flex_uint32_t;
 #define UINT32_MAX             (4294967295U)
 #endif
 
+#endif /* ! C99 */
+
 #endif /* ! FLEXINT_H */
 
 #ifdef __cplusplus
@@ -154,7 +155,12 @@ typedef unsigned int flex_uint32_t;
 typedef struct yy_buffer_state *YY_BUFFER_STATE;
 #endif
 
-extern int yyleng;
+#ifndef YY_TYPEDEF_YY_SIZE_T
+#define YY_TYPEDEF_YY_SIZE_T
+typedef size_t yy_size_t;
+#endif
+
+extern yy_size_t yyleng;
 
 extern FILE *yyin, *yyout;
 
@@ -180,11 +186,6 @@ extern FILE *yyin, *yyout;
 
 #define unput(c) yyunput( c, (yytext_ptr)  )
 
-#ifndef YY_TYPEDEF_YY_SIZE_T
-#define YY_TYPEDEF_YY_SIZE_T
-typedef size_t yy_size_t;
-#endif
-
 #ifndef YY_STRUCT_YY_BUFFER_STATE
 #define YY_STRUCT_YY_BUFFER_STATE
 struct yy_buffer_state
@@ -202,7 +203,7 @@ struct yy_buffer_state
 	/* Number of characters read into yy_ch_buf, not including EOB
 	 * characters.
 	 */
-	int yy_n_chars;
+	yy_size_t yy_n_chars;
 
 	/* Whether we "own" the buffer - i.e., we know we created it,
 	 * and can realloc() it to grow it, and should free() it to
@@ -272,8 +273,8 @@ static YY_BUFFER_STATE * yy_buffer_stack = 0; /**< Stack as an array. */
 
 /* yy_hold_char holds the character lost when yytext is formed. */
 static char yy_hold_char;
-static int yy_n_chars;		/* number of characters read into yy_ch_buf */
-int yyleng;
+static yy_size_t yy_n_chars;		/* number of characters read into yy_ch_buf */
+yy_size_t yyleng;
 
 /* Points to current character in buffer. */
 static char *yy_c_buf_p = (char *) 0;
@@ -301,7 +302,7 @@ static void yy_init_buffer (YY_BUFFER_STATE b,FILE *file  );
 
 YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size  );
 YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str  );
-YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,int len  );
+YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,yy_size_t len  );
 
 void *yyalloc (yy_size_t  );
 void *yyrealloc (void *,yy_size_t  );
@@ -1778,6 +1779,9 @@ char *yytext;
 #include <ctype.h>
 #include <string.h>
 #include <strings.h>
+#ifdef HAVE_GLOB_H
+# include <glob.h>
+#endif
 
 #include "util/config_file.h"
 #include "util/configparser.h"
@@ -1810,6 +1814,7 @@ static int config_include_stack_ptr = 0;
 static int inc_prev = 0;
 static int num_args = 0;
 
+
 static void config_start_include(const char* filename)
 {
 	FILE *input;
@@ -1841,6 +1846,50 @@ static void config_start_include(const char* filename)
 	++config_include_stack_ptr;
 }
 
+static void config_start_include_glob(const char* filename)
+{
+
+	/* check for wildcards */
+#ifdef HAVE_GLOB
+	glob_t g;
+	size_t i;
+	int r, flags;
+	if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') &&
+		!strchr(filename, '{') && !strchr(filename, '~'))) {
+		flags = 0
+#ifdef GLOB_ERR
+			| GLOB_ERR
+#endif
+#ifdef GLOB_NOSORT
+			| GLOB_NOSORT
+#endif
+#ifdef GLOB_BRACE
+			| GLOB_BRACE
+#endif
+#ifdef GLOB_TILDE
+			| GLOB_TILDE
+#endif
+		;
+		memset(&g, 0, sizeof(g));
+		r = glob(filename, flags, NULL, &g);
+		if(r) {
+			/* some error */
+			globfree(&g);
+			config_start_include(filename); /* let original deal with it */
+			return;
+		}
+		/* process files found, if any */
+		for(i=0; i<(size_t)g.gl_pathc; i++) {
+			config_start_include(g.gl_pathv[i]);
+		}
+		globfree(&g);
+		return;
+	}
+#endif /* HAVE_GLOB */
+
+	config_start_include(filename);
+}
+
 static void config_end_include(void)
 {
 	--config_include_stack_ptr;
@@ -1861,7 +1910,7 @@ static void config_end_include(void)
 #endif
 
 #define YY_NO_INPUT 1
-#line 100 "util/configlexer.lex"
+#line 148 "util/configlexer.lex"
 #ifndef YY_NO_UNPUT
 #define YY_NO_UNPUT 1
 #endif
@@ -1869,7 +1918,7 @@ static void config_end_include(void)
 #define YY_NO_INPUT 1
 #endif
 
-#line 1871 "<stdout>"
+#line 1920 "<stdout>"
 
 #define INITIAL 0
 #define quotedstring 1
@@ -1913,7 +1962,7 @@ FILE *yyget_out (void );
 
 void yyset_out  (FILE * out_str  );
 
-int yyget_leng (void );
+yy_size_t yyget_leng (void );
 
 char *yyget_text (void );
 
@@ -1972,7 +2021,7 @@ static int input (void );
 	if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
 		{ \
 		int c = '*'; \
-		unsigned n; \
+		size_t n; \
 		for ( n = 0; n < max_size && \
 			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
 			buf[n] = (char) c; \
@@ -2054,9 +2103,9 @@ YY_DECL
 	register char *yy_cp, *yy_bp;
 	register int yy_act;
     
-#line 120 "util/configlexer.lex"
+#line 168 "util/configlexer.lex"
 
-#line 2058 "<stdout>"
+#line 2107 "<stdout>"
 
 	if ( !(yy_init) )
 		{
@@ -2147,627 +2196,627 @@ YY_DECL
 
 case 1:
 YY_RULE_SETUP
-#line 121 "util/configlexer.lex"
+#line 169 "util/configlexer.lex"
 { 
 	LEXOUT(("SP ")); /* ignore */ }
 	YY_BREAK
 case 2:
 YY_RULE_SETUP
-#line 123 "util/configlexer.lex"
+#line 171 "util/configlexer.lex"
 { 
 	/* note that flex makes the longest match and '.' is any but not nl */
 	LEXOUT(("comment(%s) ", yytext)); /* ignore */ }
 	YY_BREAK
 case 3:
 YY_RULE_SETUP
-#line 126 "util/configlexer.lex"
+#line 174 "util/configlexer.lex"
 { YDVAR(0, VAR_SERVER) }
 	YY_BREAK
 case 4:
 YY_RULE_SETUP
-#line 127 "util/configlexer.lex"
+#line 175 "util/configlexer.lex"
 { YDVAR(1, VAR_NUM_THREADS) }
 	YY_BREAK
 case 5:
 YY_RULE_SETUP
-#line 128 "util/configlexer.lex"
+#line 176 "util/configlexer.lex"
 { YDVAR(1, VAR_VERBOSITY) }
 	YY_BREAK
 case 6:
 YY_RULE_SETUP
-#line 129 "util/configlexer.lex"
+#line 177 "util/configlexer.lex"
 { YDVAR(1, VAR_PORT) }
 	YY_BREAK
 case 7:
 YY_RULE_SETUP
-#line 130 "util/configlexer.lex"
+#line 178 "util/configlexer.lex"
 { YDVAR(1, VAR_OUTGOING_RANGE) }
 	YY_BREAK
 case 8:
 YY_RULE_SETUP
-#line 131 "util/configlexer.lex"
+#line 179 "util/configlexer.lex"
 { YDVAR(1, VAR_OUTGOING_PORT_PERMIT) }
 	YY_BREAK
 case 9:
 YY_RULE_SETUP
-#line 132 "util/configlexer.lex"
+#line 180 "util/configlexer.lex"
 { YDVAR(1, VAR_OUTGOING_PORT_AVOID) }
 	YY_BREAK
 case 10:
 YY_RULE_SETUP
-#line 133 "util/configlexer.lex"
+#line 181 "util/configlexer.lex"
 { YDVAR(1, VAR_OUTGOING_NUM_TCP) }
 	YY_BREAK
 case 11:
 YY_RULE_SETUP
-#line 134 "util/configlexer.lex"
+#line 182 "util/configlexer.lex"
 { YDVAR(1, VAR_INCOMING_NUM_TCP) }
 	YY_BREAK
 case 12:
 YY_RULE_SETUP
-#line 135 "util/configlexer.lex"
+#line 183 "util/configlexer.lex"
 { YDVAR(1, VAR_DO_IP4) }
 	YY_BREAK
 case 13:
 YY_RULE_SETUP
-#line 136 "util/configlexer.lex"
+#line 184 "util/configlexer.lex"
 { YDVAR(1, VAR_DO_IP6) }
 	YY_BREAK
 case 14:
 YY_RULE_SETUP
-#line 137 "util/configlexer.lex"
+#line 185 "util/configlexer.lex"
 { YDVAR(1, VAR_DO_UDP) }
 	YY_BREAK
 case 15:
 YY_RULE_SETUP
-#line 138 "util/configlexer.lex"
+#line 186 "util/configlexer.lex"
 { YDVAR(1, VAR_DO_TCP) }
 	YY_BREAK
 case 16:
 YY_RULE_SETUP
-#line 139 "util/configlexer.lex"
+#line 187 "util/configlexer.lex"
 { YDVAR(1, VAR_TCP_UPSTREAM) }
 	YY_BREAK
 case 17:
 YY_RULE_SETUP
-#line 140 "util/configlexer.lex"
+#line 188 "util/configlexer.lex"
 { YDVAR(1, VAR_SSL_UPSTREAM) }
 	YY_BREAK
 case 18:
 YY_RULE_SETUP
-#line 141 "util/configlexer.lex"
+#line 189 "util/configlexer.lex"
 { YDVAR(1, VAR_SSL_SERVICE_KEY) }
 	YY_BREAK
 case 19:
 YY_RULE_SETUP
-#line 142 "util/configlexer.lex"
+#line 190 "util/configlexer.lex"
 { YDVAR(1, VAR_SSL_SERVICE_PEM) }
 	YY_BREAK
 case 20:
 YY_RULE_SETUP
-#line 143 "util/configlexer.lex"
+#line 191 "util/configlexer.lex"
 { YDVAR(1, VAR_SSL_PORT) }
 	YY_BREAK
 case 21:
 YY_RULE_SETUP
-#line 144 "util/configlexer.lex"
+#line 192 "util/configlexer.lex"
 { YDVAR(1, VAR_DO_DAEMONIZE) }
 	YY_BREAK
 case 22:
 YY_RULE_SETUP
-#line 145 "util/configlexer.lex"
+#line 193 "util/configlexer.lex"
 { YDVAR(1, VAR_INTERFACE) }
 	YY_BREAK
 case 23:
 YY_RULE_SETUP
-#line 146 "util/configlexer.lex"
+#line 194 "util/configlexer.lex"
 { YDVAR(1, VAR_OUTGOING_INTERFACE) }
 	YY_BREAK
 case 24:
 YY_RULE_SETUP
-#line 147 "util/configlexer.lex"
+#line 195 "util/configlexer.lex"
 { YDVAR(1, VAR_INTERFACE_AUTOMATIC) }
 	YY_BREAK
 case 25:
 YY_RULE_SETUP
-#line 148 "util/configlexer.lex"
+#line 196 "util/configlexer.lex"
 { YDVAR(1, VAR_SO_RCVBUF) }
 	YY_BREAK
 case 26:
 YY_RULE_SETUP
-#line 149 "util/configlexer.lex"
+#line 197 "util/configlexer.lex"
 { YDVAR(1, VAR_SO_SNDBUF) }
 	YY_BREAK
 case 27:
 YY_RULE_SETUP
-#line 150 "util/configlexer.lex"
+#line 198 "util/configlexer.lex"
 { YDVAR(1, VAR_CHROOT) }
 	YY_BREAK
 case 28:
 YY_RULE_SETUP
-#line 151 "util/configlexer.lex"
+#line 199 "util/configlexer.lex"
 { YDVAR(1, VAR_USERNAME) }
 	YY_BREAK
 case 29:
 YY_RULE_SETUP
-#line 152 "util/configlexer.lex"
+#line 200 "util/configlexer.lex"
 { YDVAR(1, VAR_DIRECTORY) }
 	YY_BREAK
 case 30:
 YY_RULE_SETUP
-#line 153 "util/configlexer.lex"
+#line 201 "util/configlexer.lex"
 { YDVAR(1, VAR_LOGFILE) }
 	YY_BREAK
 case 31:
 YY_RULE_SETUP
-#line 154 "util/configlexer.lex"
+#line 202 "util/configlexer.lex"
 { YDVAR(1, VAR_PIDFILE) }
 	YY_BREAK
 case 32:
 YY_RULE_SETUP
-#line 155 "util/configlexer.lex"
+#line 203 "util/configlexer.lex"
 { YDVAR(1, VAR_ROOT_HINTS) }
 	YY_BREAK
 case 33:
 YY_RULE_SETUP
-#line 156 "util/configlexer.lex"
+#line 204 "util/configlexer.lex"
 { YDVAR(1, VAR_EDNS_BUFFER_SIZE) }
 	YY_BREAK
 case 34:
 YY_RULE_SETUP
-#line 157 "util/configlexer.lex"
+#line 205 "util/configlexer.lex"
 { YDVAR(1, VAR_MSG_BUFFER_SIZE) }
 	YY_BREAK
 case 35:
 YY_RULE_SETUP
-#line 158 "util/configlexer.lex"
+#line 206 "util/configlexer.lex"
 { YDVAR(1, VAR_MSG_CACHE_SIZE) }
 	YY_BREAK
 case 36:
 YY_RULE_SETUP
-#line 159 "util/configlexer.lex"
+#line 207 "util/configlexer.lex"
 { YDVAR(1, VAR_MSG_CACHE_SLABS) }
 	YY_BREAK
 case 37:
 YY_RULE_SETUP
-#line 160 "util/configlexer.lex"
+#line 208 "util/configlexer.lex"
 { YDVAR(1, VAR_RRSET_CACHE_SIZE) }
 	YY_BREAK
 case 38:
 YY_RULE_SETUP
-#line 161 "util/configlexer.lex"
+#line 209 "util/configlexer.lex"
 { YDVAR(1, VAR_RRSET_CACHE_SLABS) }
 	YY_BREAK
 case 39:
 YY_RULE_SETUP
-#line 162 "util/configlexer.lex"
+#line 210 "util/configlexer.lex"
 { YDVAR(1, VAR_CACHE_MAX_TTL) }
 	YY_BREAK
 case 40:
 YY_RULE_SETUP
-#line 163 "util/configlexer.lex"
+#line 211 "util/configlexer.lex"
 { YDVAR(1, VAR_CACHE_MIN_TTL) }
 	YY_BREAK
 case 41:
 YY_RULE_SETUP
-#line 164 "util/configlexer.lex"
+#line 212 "util/configlexer.lex"
 { YDVAR(1, VAR_INFRA_HOST_TTL) }
 	YY_BREAK
 case 42:
 YY_RULE_SETUP
-#line 165 "util/configlexer.lex"
+#line 213 "util/configlexer.lex"
 { YDVAR(1, VAR_INFRA_LAME_TTL) }
 	YY_BREAK
 case 43:
 YY_RULE_SETUP
-#line 166 "util/configlexer.lex"
+#line 214 "util/configlexer.lex"
 { YDVAR(1, VAR_INFRA_CACHE_SLABS) }
 	YY_BREAK
 case 44:
 YY_RULE_SETUP
-#line 167 "util/configlexer.lex"
+#line 215 "util/configlexer.lex"
 { YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) }
 	YY_BREAK
 case 45:
 YY_RULE_SETUP
-#line 168 "util/configlexer.lex"
+#line 216 "util/configlexer.lex"
 { YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) }
 	YY_BREAK
 case 46:
 YY_RULE_SETUP
-#line 169 "util/configlexer.lex"
+#line 217 "util/configlexer.lex"
 { YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) }
 	YY_BREAK
 case 47:
 YY_RULE_SETUP
-#line 170 "util/configlexer.lex"
+#line 218 "util/configlexer.lex"
 { YDVAR(1, VAR_JOSTLE_TIMEOUT) }
 	YY_BREAK
 case 48:
 YY_RULE_SETUP
-#line 171 "util/configlexer.lex"
+#line 219 "util/configlexer.lex"
 { YDVAR(1, VAR_TARGET_FETCH_POLICY) }
 	YY_BREAK
 case 49:
 YY_RULE_SETUP
-#line 172 "util/configlexer.lex"
+#line 220 "util/configlexer.lex"
 { YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) }
 	YY_BREAK
 case 50:
 YY_RULE_SETUP
-#line 173 "util/configlexer.lex"
+#line 221 "util/configlexer.lex"
 { YDVAR(1, VAR_HARDEN_LARGE_QUERIES) }
 	YY_BREAK
 case 51:
 YY_RULE_SETUP
-#line 174 "util/configlexer.lex"
+#line 222 "util/configlexer.lex"
 { YDVAR(1, VAR_HARDEN_GLUE) }
 	YY_BREAK
 case 52:
 YY_RULE_SETUP
-#line 175 "util/configlexer.lex"
+#line 223 "util/configlexer.lex"
 { YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) }
 	YY_BREAK
 case 53:
 YY_RULE_SETUP
-#line 176 "util/configlexer.lex"
+#line 224 "util/configlexer.lex"
 { YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) }
 	YY_BREAK
 case 54:
 YY_RULE_SETUP
-#line 177 "util/configlexer.lex"
+#line 225 "util/configlexer.lex"
 { YDVAR(1, VAR_HARDEN_REFERRAL_PATH) }
 	YY_BREAK
 case 55:
 YY_RULE_SETUP
-#line 178 "util/configlexer.lex"
+#line 226 "util/configlexer.lex"
 { YDVAR(1, VAR_USE_CAPS_FOR_ID) }
 	YY_BREAK
 case 56:
 YY_RULE_SETUP
-#line 179 "util/configlexer.lex"
+#line 227 "util/configlexer.lex"
 { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
 	YY_BREAK
 case 57:
 YY_RULE_SETUP
-#line 180 "util/configlexer.lex"
+#line 228 "util/configlexer.lex"
 { YDVAR(1, VAR_PRIVATE_ADDRESS) }
 	YY_BREAK
 case 58:
 YY_RULE_SETUP
-#line 181 "util/configlexer.lex"
+#line 229 "util/configlexer.lex"
 { YDVAR(1, VAR_PRIVATE_DOMAIN) }
 	YY_BREAK
 case 59:
 YY_RULE_SETUP
-#line 182 "util/configlexer.lex"
+#line 230 "util/configlexer.lex"
 { YDVAR(1, VAR_PREFETCH_KEY) }
 	YY_BREAK
 case 60:
 YY_RULE_SETUP
-#line 183 "util/configlexer.lex"
+#line 231 "util/configlexer.lex"
 { YDVAR(1, VAR_PREFETCH) }
 	YY_BREAK
 case 61:
 YY_RULE_SETUP
-#line 184 "util/configlexer.lex"
+#line 232 "util/configlexer.lex"
 { YDVAR(0, VAR_STUB_ZONE) }
 	YY_BREAK
 case 62:
 YY_RULE_SETUP
-#line 185 "util/configlexer.lex"
+#line 233 "util/configlexer.lex"
 { YDVAR(1, VAR_NAME) }
 	YY_BREAK
 case 63:
 YY_RULE_SETUP
-#line 186 "util/configlexer.lex"
+#line 234 "util/configlexer.lex"
 { YDVAR(1, VAR_STUB_ADDR) }
 	YY_BREAK
 case 64:
 YY_RULE_SETUP
-#line 187 "util/configlexer.lex"
+#line 235 "util/configlexer.lex"
 { YDVAR(1, VAR_STUB_HOST) }
 	YY_BREAK
 case 65:
 YY_RULE_SETUP
-#line 188 "util/configlexer.lex"
+#line 236 "util/configlexer.lex"
 { YDVAR(1, VAR_STUB_PRIME) }
 	YY_BREAK
 case 66:
 YY_RULE_SETUP
-#line 189 "util/configlexer.lex"
+#line 237 "util/configlexer.lex"
 { YDVAR(1, VAR_STUB_FIRST) }
 	YY_BREAK
 case 67:
 YY_RULE_SETUP
-#line 190 "util/configlexer.lex"
+#line 238 "util/configlexer.lex"
 { YDVAR(0, VAR_FORWARD_ZONE) }
 	YY_BREAK
 case 68:
 YY_RULE_SETUP
-#line 191 "util/configlexer.lex"
+#line 239 "util/configlexer.lex"
 { YDVAR(1, VAR_FORWARD_ADDR) }
 	YY_BREAK
 case 69:
 YY_RULE_SETUP
-#line 192 "util/configlexer.lex"
+#line 240 "util/configlexer.lex"
 { YDVAR(1, VAR_FORWARD_HOST) }
 	YY_BREAK
 case 70:
 YY_RULE_SETUP
-#line 193 "util/configlexer.lex"
+#line 241 "util/configlexer.lex"
 { YDVAR(1, VAR_FORWARD_FIRST) }
 	YY_BREAK
 case 71:
 YY_RULE_SETUP
-#line 194 "util/configlexer.lex"
+#line 242 "util/configlexer.lex"
 { YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }
 	YY_BREAK
 case 72:
 YY_RULE_SETUP
-#line 195 "util/configlexer.lex"
+#line 243 "util/configlexer.lex"
 { YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) }
 	YY_BREAK
 case 73:
 YY_RULE_SETUP
-#line 196 "util/configlexer.lex"
+#line 244 "util/configlexer.lex"
 { YDVAR(2, VAR_ACCESS_CONTROL) }
 	YY_BREAK
 case 74:
 YY_RULE_SETUP
-#line 197 "util/configlexer.lex"
+#line 245 "util/configlexer.lex"
 { YDVAR(1, VAR_HIDE_IDENTITY) }
 	YY_BREAK
 case 75:
 YY_RULE_SETUP
-#line 198 "util/configlexer.lex"
+#line 246 "util/configlexer.lex"
 { YDVAR(1, VAR_HIDE_VERSION) }
 	YY_BREAK
 case 76:
 YY_RULE_SETUP
-#line 199 "util/configlexer.lex"
+#line 247 "util/configlexer.lex"
 { YDVAR(1, VAR_IDENTITY) }
 	YY_BREAK
 case 77:
 YY_RULE_SETUP
-#line 200 "util/configlexer.lex"
+#line 248 "util/configlexer.lex"
 { YDVAR(1, VAR_VERSION) }
 	YY_BREAK
 case 78:
 YY_RULE_SETUP
-#line 201 "util/configlexer.lex"
+#line 249 "util/configlexer.lex"
 { YDVAR(1, VAR_MODULE_CONF) }
 	YY_BREAK
 case 79:
 YY_RULE_SETUP
-#line 202 "util/configlexer.lex"
+#line 250 "util/configlexer.lex"
 { YDVAR(1, VAR_DLV_ANCHOR) }
 	YY_BREAK
 case 80:
 YY_RULE_SETUP
-#line 203 "util/configlexer.lex"
+#line 251 "util/configlexer.lex"
 { YDVAR(1, VAR_DLV_ANCHOR_FILE) }
 	YY_BREAK
 case 81:
 YY_RULE_SETUP
-#line 204 "util/configlexer.lex"
+#line 252 "util/configlexer.lex"
 { YDVAR(1, VAR_TRUST_ANCHOR_FILE) }
 	YY_BREAK
 case 82:
 YY_RULE_SETUP
-#line 205 "util/configlexer.lex"
+#line 253 "util/configlexer.lex"
 { YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) }
 	YY_BREAK
 case 83:
 YY_RULE_SETUP
-#line 206 "util/configlexer.lex"
+#line 254 "util/configlexer.lex"
 { YDVAR(1, VAR_TRUSTED_KEYS_FILE) }
 	YY_BREAK
 case 84:
 YY_RULE_SETUP
-#line 207 "util/configlexer.lex"
+#line 255 "util/configlexer.lex"
 { YDVAR(1, VAR_TRUST_ANCHOR) }
 	YY_BREAK
 case 85:
 YY_RULE_SETUP
-#line 208 "util/configlexer.lex"
+#line 256 "util/configlexer.lex"
 { YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
 	YY_BREAK
 case 86:
 YY_RULE_SETUP
-#line 209 "util/configlexer.lex"
+#line 257 "util/configlexer.lex"
 { YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
 	YY_BREAK
 case 87:
 YY_RULE_SETUP
-#line 210 "util/configlexer.lex"
+#line 258 "util/configlexer.lex"
 { YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
 	YY_BREAK
 case 88:
 YY_RULE_SETUP
-#line 211 "util/configlexer.lex"
+#line 259 "util/configlexer.lex"
 { YDVAR(1, VAR_BOGUS_TTL) }
 	YY_BREAK
 case 89:
 YY_RULE_SETUP
-#line 212 "util/configlexer.lex"
+#line 260 "util/configlexer.lex"
 { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
 	YY_BREAK
 case 90:
 YY_RULE_SETUP
-#line 213 "util/configlexer.lex"
+#line 261 "util/configlexer.lex"
 { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
 	YY_BREAK
 case 91:
 YY_RULE_SETUP
-#line 214 "util/configlexer.lex"
+#line 262 "util/configlexer.lex"
 { YDVAR(1, VAR_IGNORE_CD_FLAG) }
 	YY_BREAK
 case 92:
 YY_RULE_SETUP
-#line 215 "util/configlexer.lex"
+#line 263 "util/configlexer.lex"
 { YDVAR(1, VAR_VAL_LOG_LEVEL) }
 	YY_BREAK
 case 93:
 YY_RULE_SETUP
-#line 216 "util/configlexer.lex"
+#line 264 "util/configlexer.lex"
 { YDVAR(1, VAR_KEY_CACHE_SIZE) }
 	YY_BREAK
 case 94:
 YY_RULE_SETUP
-#line 217 "util/configlexer.lex"
+#line 265 "util/configlexer.lex"
 { YDVAR(1, VAR_KEY_CACHE_SLABS) }
 	YY_BREAK
 case 95:
 YY_RULE_SETUP
-#line 218 "util/configlexer.lex"
+#line 266 "util/configlexer.lex"
 { YDVAR(1, VAR_NEG_CACHE_SIZE) }
 	YY_BREAK
 case 96:
 YY_RULE_SETUP
-#line 219 "util/configlexer.lex"
+#line 267 "util/configlexer.lex"
 { 
 				  YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) }
 	YY_BREAK
 case 97:
 YY_RULE_SETUP
-#line 221 "util/configlexer.lex"
+#line 269 "util/configlexer.lex"
 { YDVAR(1, VAR_ADD_HOLDDOWN) }
 	YY_BREAK
 case 98:
 YY_RULE_SETUP
-#line 222 "util/configlexer.lex"
+#line 270 "util/configlexer.lex"
 { YDVAR(1, VAR_DEL_HOLDDOWN) }
 	YY_BREAK
 case 99:
 YY_RULE_SETUP
-#line 223 "util/configlexer.lex"
+#line 271 "util/configlexer.lex"
 { YDVAR(1, VAR_KEEP_MISSING) }
 	YY_BREAK
 case 100:
 YY_RULE_SETUP
-#line 224 "util/configlexer.lex"
+#line 272 "util/configlexer.lex"
 { YDVAR(1, VAR_USE_SYSLOG) }
 	YY_BREAK
 case 101:
 YY_RULE_SETUP
-#line 225 "util/configlexer.lex"
+#line 273 "util/configlexer.lex"
 { YDVAR(1, VAR_LOG_TIME_ASCII) }
 	YY_BREAK
 case 102:
 YY_RULE_SETUP
-#line 226 "util/configlexer.lex"
+#line 274 "util/configlexer.lex"
 { YDVAR(1, VAR_LOG_QUERIES) }
 	YY_BREAK
 case 103:
 YY_RULE_SETUP
-#line 227 "util/configlexer.lex"
+#line 275 "util/configlexer.lex"
 { YDVAR(2, VAR_LOCAL_ZONE) }
 	YY_BREAK
 case 104:
 YY_RULE_SETUP
-#line 228 "util/configlexer.lex"
+#line 276 "util/configlexer.lex"
 { YDVAR(1, VAR_LOCAL_DATA) }
 	YY_BREAK
 case 105:
 YY_RULE_SETUP
-#line 229 "util/configlexer.lex"
+#line 277 "util/configlexer.lex"
 { YDVAR(1, VAR_LOCAL_DATA_PTR) }
 	YY_BREAK
 case 106:
 YY_RULE_SETUP
-#line 230 "util/configlexer.lex"
+#line 278 "util/configlexer.lex"
 { YDVAR(1, VAR_STATISTICS_INTERVAL) }
 	YY_BREAK
 case 107:
 YY_RULE_SETUP
-#line 231 "util/configlexer.lex"
+#line 279 "util/configlexer.lex"
 { YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
 	YY_BREAK
 case 108:
 YY_RULE_SETUP
-#line 232 "util/configlexer.lex"
+#line 280 "util/configlexer.lex"
 { YDVAR(1, VAR_EXTENDED_STATISTICS) }
 	YY_BREAK
 case 109:
 YY_RULE_SETUP
-#line 233 "util/configlexer.lex"
+#line 281 "util/configlexer.lex"
 { YDVAR(0, VAR_REMOTE_CONTROL) }
 	YY_BREAK
 case 110:
 YY_RULE_SETUP
-#line 234 "util/configlexer.lex"
+#line 282 "util/configlexer.lex"
 { YDVAR(1, VAR_CONTROL_ENABLE) }
 	YY_BREAK
 case 111:
 YY_RULE_SETUP
-#line 235 "util/configlexer.lex"
+#line 283 "util/configlexer.lex"
 { YDVAR(1, VAR_CONTROL_INTERFACE) }
 	YY_BREAK
 case 112:
 YY_RULE_SETUP
-#line 236 "util/configlexer.lex"
+#line 284 "util/configlexer.lex"
 { YDVAR(1, VAR_CONTROL_PORT) }
 	YY_BREAK
 case 113:
 YY_RULE_SETUP
-#line 237 "util/configlexer.lex"
+#line 285 "util/configlexer.lex"
 { YDVAR(1, VAR_SERVER_KEY_FILE) }
 	YY_BREAK
 case 114:
 YY_RULE_SETUP
-#line 238 "util/configlexer.lex"
+#line 286 "util/configlexer.lex"
 { YDVAR(1, VAR_SERVER_CERT_FILE) }
 	YY_BREAK
 case 115:
 YY_RULE_SETUP
-#line 239 "util/configlexer.lex"
+#line 287 "util/configlexer.lex"
 { YDVAR(1, VAR_CONTROL_KEY_FILE) }
 	YY_BREAK
 case 116:
 YY_RULE_SETUP
-#line 240 "util/configlexer.lex"
+#line 288 "util/configlexer.lex"
 { YDVAR(1, VAR_CONTROL_CERT_FILE) }
 	YY_BREAK
 case 117:
 YY_RULE_SETUP
-#line 241 "util/configlexer.lex"
+#line 289 "util/configlexer.lex"
 { YDVAR(1, VAR_PYTHON_SCRIPT) }
 	YY_BREAK
 case 118:
 YY_RULE_SETUP
-#line 242 "util/configlexer.lex"
+#line 290 "util/configlexer.lex"
 { YDVAR(0, VAR_PYTHON) }
 	YY_BREAK
 case 119:
 YY_RULE_SETUP
-#line 243 "util/configlexer.lex"
+#line 291 "util/configlexer.lex"
 { YDVAR(1, VAR_DOMAIN_INSECURE) }
 	YY_BREAK
 case 120:
 YY_RULE_SETUP
-#line 244 "util/configlexer.lex"
+#line 292 "util/configlexer.lex"
 { YDVAR(1, VAR_MINIMAL_RESPONSES) }
 	YY_BREAK
 case 121:
 YY_RULE_SETUP
-#line 245 "util/configlexer.lex"
+#line 293 "util/configlexer.lex"
 { YDVAR(1, VAR_RRSET_ROUNDROBIN) }
 	YY_BREAK
 case 122:
 /* rule 122 can match eol */
 YY_RULE_SETUP
-#line 246 "util/configlexer.lex"
+#line 294 "util/configlexer.lex"
 { LEXOUT(("NL\n")); cfg_parser->line++; }
 	YY_BREAK
 /* Quoted strings. Strip leading and ending quotes */
 case 123:
 YY_RULE_SETUP
-#line 249 "util/configlexer.lex"
+#line 297 "util/configlexer.lex"
 { BEGIN(quotedstring); LEXOUT(("QS ")); }
 	YY_BREAK
 case YY_STATE_EOF(quotedstring):
-#line 250 "util/configlexer.lex"
+#line 298 "util/configlexer.lex"
 {
         yyerror("EOF inside quoted string");
 	if(--num_args == 0) { BEGIN(INITIAL); }
@@ -2776,19 +2825,19 @@ case YY_STATE_EOF(quotedstring):
 	YY_BREAK
 case 124:
 YY_RULE_SETUP
-#line 255 "util/configlexer.lex"
+#line 303 "util/configlexer.lex"
 { LEXOUT(("STR(%s) ", yytext)); yymore(); }
 	YY_BREAK
 case 125:
 /* rule 125 can match eol */
 YY_RULE_SETUP
-#line 256 "util/configlexer.lex"
+#line 304 "util/configlexer.lex"
 { yyerror("newline inside quoted string, no end \""); 
 			  cfg_parser->line++; BEGIN(INITIAL); }
 	YY_BREAK
 case 126:
 YY_RULE_SETUP
-#line 258 "util/configlexer.lex"
+#line 306 "util/configlexer.lex"
 {
         LEXOUT(("QE "));
 	if(--num_args == 0) { BEGIN(INITIAL); }
@@ -2803,11 +2852,11 @@ YY_RULE_SETUP
 /* Single Quoted strings. Strip leading and ending quotes */
 case 127:
 YY_RULE_SETUP
-#line 270 "util/configlexer.lex"
+#line 318 "util/configlexer.lex"
 { BEGIN(singlequotedstr); LEXOUT(("SQS ")); }
 	YY_BREAK
 case YY_STATE_EOF(singlequotedstr):
-#line 271 "util/configlexer.lex"
+#line 319 "util/configlexer.lex"
 {
         yyerror("EOF inside quoted string");
 	if(--num_args == 0) { BEGIN(INITIAL); }
@@ -2816,19 +2865,19 @@ case YY_STATE_EOF(singlequotedstr):
 	YY_BREAK
 case 128:
 YY_RULE_SETUP
-#line 276 "util/configlexer.lex"
+#line 324 "util/configlexer.lex"
 { LEXOUT(("STR(%s) ", yytext)); yymore(); }
 	YY_BREAK
 case 129:
 /* rule 129 can match eol */
 YY_RULE_SETUP
-#line 277 "util/configlexer.lex"
+#line 325 "util/configlexer.lex"
 { yyerror("newline inside quoted string, no end '"); 
 			     cfg_parser->line++; BEGIN(INITIAL); }
 	YY_BREAK
 case 130:
 YY_RULE_SETUP
-#line 279 "util/configlexer.lex"
+#line 327 "util/configlexer.lex"
 {
         LEXOUT(("SQE "));
 	if(--num_args == 0) { BEGIN(INITIAL); }
@@ -2843,12 +2892,12 @@ YY_RULE_SETUP
 /* include: directive */
 case 131:
 YY_RULE_SETUP
-#line 291 "util/configlexer.lex"
+#line 339 "util/configlexer.lex"
 { 
 	LEXOUT(("v(%s) ", yytext)); inc_prev = YYSTATE; BEGIN(include); }
 	YY_BREAK
 case YY_STATE_EOF(include):
-#line 293 "util/configlexer.lex"
+#line 341 "util/configlexer.lex"
 {
         yyerror("EOF inside include directive");
         BEGIN(inc_prev);
@@ -2856,31 +2905,31 @@ case YY_STATE_EOF(include):
 	YY_BREAK
 case 132:
 YY_RULE_SETUP
-#line 297 "util/configlexer.lex"
+#line 345 "util/configlexer.lex"
 { LEXOUT(("ISP ")); /* ignore */ }
 	YY_BREAK
 case 133:
 /* rule 133 can match eol */
 YY_RULE_SETUP
-#line 298 "util/configlexer.lex"
+#line 346 "util/configlexer.lex"
 { LEXOUT(("NL\n")); cfg_parser->line++;}
 	YY_BREAK
 case 134:
 YY_RULE_SETUP
-#line 299 "util/configlexer.lex"
+#line 347 "util/configlexer.lex"
 { LEXOUT(("IQS ")); BEGIN(include_quoted); }
 	YY_BREAK
 case 135:
 YY_RULE_SETUP
-#line 300 "util/configlexer.lex"
+#line 348 "util/configlexer.lex"
 {
 	LEXOUT(("Iunquotedstr(%s) ", yytext));
-	config_start_include(yytext);
+	config_start_include_glob(yytext);
 	BEGIN(inc_prev);
 }
 	YY_BREAK
 case YY_STATE_EOF(include_quoted):
-#line 305 "util/configlexer.lex"
+#line 353 "util/configlexer.lex"
 {
         yyerror("EOF inside quoted string");
         BEGIN(inc_prev);
@@ -2888,29 +2937,29 @@ case YY_STATE_EOF(include_quoted):
 	YY_BREAK
 case 136:
 YY_RULE_SETUP
-#line 309 "util/configlexer.lex"
+#line 357 "util/configlexer.lex"
 { LEXOUT(("ISTR(%s) ", yytext)); yymore(); }
 	YY_BREAK
 case 137:
 /* rule 137 can match eol */
 YY_RULE_SETUP
-#line 310 "util/configlexer.lex"
+#line 358 "util/configlexer.lex"
 { yyerror("newline before \" in include name"); 
 				  cfg_parser->line++; BEGIN(inc_prev); }
 	YY_BREAK
 case 138:
 YY_RULE_SETUP
-#line 312 "util/configlexer.lex"
+#line 360 "util/configlexer.lex"
 {
 	LEXOUT(("IQE "));
 	yytext[yyleng - 1] = '\0';
-	config_start_include(yytext);
+	config_start_include_glob(yytext);
 	BEGIN(inc_prev);
 }
 	YY_BREAK
 case YY_STATE_EOF(INITIAL):
 case YY_STATE_EOF(val):
-#line 318 "util/configlexer.lex"
+#line 366 "util/configlexer.lex"
 {
 	yy_set_bol(1); /* Set beginning of line, so "^" rules match.  */
 	if (config_include_stack_ptr == 0) {
@@ -2923,31 +2972,31 @@ case YY_STATE_EOF(val):
 	YY_BREAK
 case 139:
 YY_RULE_SETUP
-#line 328 "util/configlexer.lex"
+#line 376 "util/configlexer.lex"
 { LEXOUT(("unquotedstr(%s) ", yytext)); 
 			if(--num_args == 0) { BEGIN(INITIAL); }
 			yylval.str = strdup(yytext); return STRING_ARG; }
 	YY_BREAK
 case 140:
 YY_RULE_SETUP
-#line 332 "util/configlexer.lex"
+#line 380 "util/configlexer.lex"
 {
 	ub_c_error_msg("unknown keyword '%s'", yytext);
 	}
 	YY_BREAK
 case 141:
 YY_RULE_SETUP
-#line 336 "util/configlexer.lex"
+#line 384 "util/configlexer.lex"
 {
 	ub_c_error_msg("stray '%s'", yytext);
 	}
 	YY_BREAK
 case 142:
 YY_RULE_SETUP
-#line 340 "util/configlexer.lex"
+#line 388 "util/configlexer.lex"
 ECHO;
 	YY_BREAK
-#line 2949 "<stdout>"
+#line 2998 "<stdout>"
 
 	case YY_END_OF_BUFFER:
 		{
@@ -3131,21 +3180,21 @@ static int yy_get_next_buffer (void)
 
 	else
 		{
-			int num_to_read =
+			yy_size_t num_to_read =
 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
 
 		while ( num_to_read <= 0 )
 			{ /* Not enough room in the buffer - grow it. */
 
 			/* just a shorter name for the current buffer */
-			YY_BUFFER_STATE b = YY_CURRENT_BUFFER;
+			YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
 
 			int yy_c_buf_p_offset =
 				(int) ((yy_c_buf_p) - b->yy_ch_buf);
 
 			if ( b->yy_is_our_buffer )
 				{
-				int new_size = b->yy_buf_size * 2;
+				yy_size_t new_size = b->yy_buf_size * 2;
 
 				if ( new_size <= 0 )
 					b->yy_buf_size += b->yy_buf_size / 8;
@@ -3176,7 +3225,7 @@ static int yy_get_next_buffer (void)
 
 		/* Read in more data. */
 		YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
-			(yy_n_chars), (size_t) num_to_read );
+			(yy_n_chars), num_to_read );
 
 		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
 		}
@@ -3271,7 +3320,7 @@ static int yy_get_next_buffer (void)
 	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
 	yy_is_jam = (yy_current_state == 1342);
 
-	return yy_is_jam ? 0 : yy_current_state;
+		return yy_is_jam ? 0 : yy_current_state;
 }
 
 #ifndef YY_NO_INPUT
@@ -3298,7 +3347,7 @@ static int yy_get_next_buffer (void)
 
 		else
 			{ /* need more input */
-			int offset = (yy_c_buf_p) - (yytext_ptr);
+			yy_size_t offset = (yy_c_buf_p) - (yytext_ptr);
 			++(yy_c_buf_p);
 
 			switch ( yy_get_next_buffer(  ) )
@@ -3458,10 +3507,6 @@ static void yy_load_buffer_state  (void)
 	yyfree((void *) b  );
 }
 
-#ifndef __cplusplus
-extern int isatty (int );
-#endif /* __cplusplus */
-    
 /* Initializes or reinitializes a buffer.
  * This function is sometimes called more than once on the same buffer,
  * such as during a yyrestart() or at EOF.
@@ -3574,7 +3619,7 @@ void yypop_buffer_state (void)
  */
 static void yyensure_buffer_stack (void)
 {
-	int num_to_alloc;
+	yy_size_t num_to_alloc;
     
 	if (!(yy_buffer_stack)) {
 
@@ -3666,12 +3711,12 @@ YY_BUFFER_STATE yy_scan_string (yyconst char * yystr )
 
 /** Setup the input buffer state to scan the given bytes. The next call to yylex() will
  * scan from a @e copy of @a bytes.
- * @param bytes the byte buffer to scan
- * @param len the number of bytes in the buffer pointed to by @a bytes.
+ * @param yybytes the byte buffer to scan
+ * @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes.
  * 
  * @return the newly allocated buffer state object.
  */
-YY_BUFFER_STATE yy_scan_bytes  (yyconst char * yybytes, int  _yybytes_len )
+YY_BUFFER_STATE yy_scan_bytes  (yyconst char * yybytes, yy_size_t  _yybytes_len )
 {
 	YY_BUFFER_STATE b;
 	char *buf;
@@ -3758,7 +3803,7 @@ FILE *yyget_out  (void)
 /** Get the length of the current token.
  * 
  */
-int yyget_leng  (void)
+yy_size_t yyget_leng  (void)
 {
         return yyleng;
 }
@@ -3906,7 +3951,7 @@ void yyfree (void * ptr )
 
 #define YYTABLES_NAME "yytables"
 
-#line 340 "util/configlexer.lex"
+#line 388 "util/configlexer.lex"
 
 
 
diff --git a/util/configlexer.lex b/util/configlexer.lex
index ed808aafc393..4694cdd821e7 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -11,6 +11,9 @@
 #include <ctype.h>
 #include <string.h>
 #include <strings.h>
+#ifdef HAVE_GLOB_H
+# include <glob.h>
+#endif
 
 #include "util/config_file.h"
 #include "util/configparser.h"
@@ -43,6 +46,7 @@ static int config_include_stack_ptr = 0;
 static int inc_prev = 0;
 static int num_args = 0;
 
+
 static void config_start_include(const char* filename)
 {
 	FILE *input;
@@ -74,6 +78,50 @@ static void config_start_include(const char* filename)
 	++config_include_stack_ptr;
 }
 
+static void config_start_include_glob(const char* filename)
+{
+
+	/* check for wildcards */
+#ifdef HAVE_GLOB
+	glob_t g;
+	size_t i;
+	int r, flags;
+	if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') &&
+		!strchr(filename, '{') && !strchr(filename, '~'))) {
+		flags = 0
+#ifdef GLOB_ERR
+			| GLOB_ERR
+#endif
+#ifdef GLOB_NOSORT
+			| GLOB_NOSORT
+#endif
+#ifdef GLOB_BRACE
+			| GLOB_BRACE
+#endif
+#ifdef GLOB_TILDE
+			| GLOB_TILDE
+#endif
+		;
+		memset(&g, 0, sizeof(g));
+		r = glob(filename, flags, NULL, &g);
+		if(r) {
+			/* some error */
+			globfree(&g);
+			config_start_include(filename); /* let original deal with it */
+			return;
+		}
+		/* process files found, if any */
+		for(i=0; i<(size_t)g.gl_pathc; i++) {
+			config_start_include(g.gl_pathv[i]);
+		}
+		globfree(&g);
+		return;
+	}
+#endif /* HAVE_GLOB */
+
+	config_start_include(filename);
+}
+
 static void config_end_include(void)
 {
 	--config_include_stack_ptr;
@@ -299,7 +347,7 @@ rrset-roundrobin{COLON}		{ YDVAR(1, VAR_RRSET_ROUNDROBIN) }
 <include>\"		{ LEXOUT(("IQS ")); BEGIN(include_quoted); }
 <include>{UNQUOTEDLETTER}*	{
 	LEXOUT(("Iunquotedstr(%s) ", yytext));
-	config_start_include(yytext);
+	config_start_include_glob(yytext);
 	BEGIN(inc_prev);
 }
 <include_quoted><<EOF>>	{
@@ -312,7 +360,7 @@ rrset-roundrobin{COLON}		{ YDVAR(1, VAR_RRSET_ROUNDROBIN) }
 <include_quoted>\"	{
 	LEXOUT(("IQE "));
 	yytext[yyleng - 1] = '\0';
-	config_start_include(yytext);
+	config_start_include_glob(yytext);
 	BEGIN(inc_prev);
 }
 <INITIAL,val><<EOF>>	{
diff --git a/util/configparser.c b/util/configparser.c
index 6ed60dfad68f..70de0ccb3e31 100644
--- a/util/configparser.c
+++ b/util/configparser.c
@@ -1,8 +1,8 @@
-/* A Bison parser, made by GNU Bison 2.5.  */
+/* A Bison parser, made by GNU Bison 2.6.1.  */
 
 /* Bison implementation for Yacc-like parsers in C
    
-      Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc.
+      Copyright (C) 1984, 1989-1990, 2000-2012 Free Software Foundation, Inc.
    
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -44,7 +44,7 @@
 #define YYBISON 1
 
 /* Bison version.  */
-#define YYBISON_VERSION "2.5"
+#define YYBISON_VERSION "2.6.1"
 
 /* Skeleton name.  */
 #define YYSKELETON_NAME "yacc.c"
@@ -58,14 +58,11 @@
 /* Pull parsers.  */
 #define YYPULL 1
 
-/* Using locations.  */
-#define YYLSP_NEEDED 0
 
 
 
 /* Copy the first part of user declarations.  */
-
-/* Line 268 of yacc.c  */
+/* Line 336 of yacc.c  */
 #line 38 "util/configparser.y"
 
 #include "config.h"
@@ -93,14 +90,16 @@ extern struct config_parser_state* cfg_parser;
 #endif
 
 
+/* Line 336 of yacc.c  */
+#line 95 "util/configparser.c"
 
-/* Line 268 of yacc.c  */
-#line 99 "util/configparser.c"
-
-/* Enabling traces.  */
-#ifndef YYDEBUG
-# define YYDEBUG 0
-#endif
+# ifndef YY_NULL
+#  if defined __cplusplus && 201103L <= __cplusplus
+#   define YY_NULL nullptr
+#  else
+#   define YY_NULL 0
+#  endif
+# endif
 
 /* Enabling verbose error messages.  */
 #ifdef YYERROR_VERBOSE
@@ -110,11 +109,17 @@ extern struct config_parser_state* cfg_parser;
 # define YYERROR_VERBOSE 0
 #endif
 
-/* Enabling the token table.  */
-#ifndef YYTOKEN_TABLE
-# define YYTOKEN_TABLE 0
+/* In a future release of Bison, this section will be replaced
+   by #include "configparser.h".  */
+#ifndef YY_UTIL_CONFIGPARSER_H
+# define YY_UTIL_CONFIGPARSER_H
+/* Enabling traces.  */
+#ifndef YYDEBUG
+# define YYDEBUG 0
+#endif
+#if YYDEBUG
+extern int yydebug;
 #endif
-
 
 /* Tokens.  */
 #ifndef YYTOKENTYPE
@@ -382,32 +387,45 @@ extern struct config_parser_state* cfg_parser;
 
 
 
-
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 typedef union YYSTYPE
 {
-
-/* Line 293 of yacc.c  */
+/* Line 350 of yacc.c  */
 #line 64 "util/configparser.y"
 
 	char*	str;
 
 
-
-/* Line 293 of yacc.c  */
-#line 399 "util/configparser.c"
+/* Line 350 of yacc.c  */
+#line 401 "util/configparser.c"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
 #endif
 
+extern YYSTYPE yylval;
+
+#ifdef YYPARSE_PARAM
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void *YYPARSE_PARAM);
+#else
+int yyparse ();
+#endif
+#else /* ! YYPARSE_PARAM */
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void);
+#else
+int yyparse ();
+#endif
+#endif /* ! YYPARSE_PARAM */
+
+#endif /* !YY_UTIL_CONFIGPARSER_H  */
 
 /* Copy the second part of user declarations.  */
 
-
-/* Line 343 of yacc.c  */
-#line 411 "util/configparser.c"
+/* Line 353 of yacc.c  */
+#line 429 "util/configparser.c"
 
 #ifdef short
 # undef short
@@ -513,6 +531,7 @@ YYID (yyi)
 #    if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
      || defined __cplusplus || defined _MSC_VER)
 #     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+      /* Use EXIT_SUCCESS as a witness for stdlib.h.  */
 #     ifndef EXIT_SUCCESS
 #      define EXIT_SUCCESS 0
 #     endif
@@ -604,20 +623,20 @@ union yyalloc
 #endif
 
 #if defined YYCOPY_NEEDED && YYCOPY_NEEDED
-/* Copy COUNT objects from FROM to TO.  The source and destination do
+/* Copy COUNT objects from SRC to DST.  The source and destination do
    not overlap.  */
 # ifndef YYCOPY
 #  if defined __GNUC__ && 1 < __GNUC__
-#   define YYCOPY(To, From, Count) \
-      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+#   define YYCOPY(Dst, Src, Count) \
+      __builtin_memcpy (Dst, Src, (Count) * sizeof (*(Src)))
 #  else
-#   define YYCOPY(To, From, Count)		\
-      do					\
-	{					\
-	  YYSIZE_T yyi;				\
-	  for (yyi = 0; yyi < (Count); yyi++)	\
-	    (To)[yyi] = (From)[yyi];		\
-	}					\
+#   define YYCOPY(Dst, Src, Count)              \
+      do                                        \
+        {                                       \
+          YYSIZE_T yyi;                         \
+          for (yyi = 0; yyi < (Count); yyi++)   \
+            (Dst)[yyi] = (Src)[yyi];            \
+        }                                       \
       while (YYID (0))
 #  endif
 # endif
@@ -821,7 +840,7 @@ static const yytype_uint16 yyrline[] =
 };
 #endif
 
-#if YYDEBUG || YYERROR_VERBOSE || YYTOKEN_TABLE
+#if YYDEBUG || YYERROR_VERBOSE || 0
 /* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
    First, the terminals, then, starting at YYNTOKENS, nonterminals.  */
 static const char *const yytname[] =
@@ -917,7 +936,7 @@ static const char *const yytname[] =
   "rc_control_enable", "rc_control_port", "rc_control_interface",
   "rc_server_key_file", "rc_server_cert_file", "rc_control_key_file",
   "rc_control_cert_file", "pythonstart", "contents_py", "content_py",
-  "py_script", 0
+  "py_script", YY_NULL
 };
 #endif
 
@@ -1269,17 +1288,18 @@ static const yytype_uint16 yystos[] =
 
 #define YYRECOVERING()  (!!yyerrstatus)
 
-#define YYBACKUP(Token, Value)					\
-do								\
-  if (yychar == YYEMPTY && yylen == 1)				\
-    {								\
-      yychar = (Token);						\
-      yylval = (Value);						\
-      YYPOPSTACK (1);						\
-      goto yybackup;						\
-    }								\
-  else								\
-    {								\
+#define YYBACKUP(Token, Value)                                  \
+do                                                              \
+  if (yychar == YYEMPTY)                                        \
+    {                                                           \
+      yychar = (Token);                                         \
+      yylval = (Value);                                         \
+      YYPOPSTACK (yylen);                                       \
+      yystate = *yyssp;                                         \
+      goto yybackup;                                            \
+    }                                                           \
+  else                                                          \
+    {                                                           \
       yyerror (YY_("syntax error: cannot back up")); \
       YYERROR;							\
     }								\
@@ -1289,32 +1309,33 @@ while (YYID (0))
 #define YYTERROR	1
 #define YYERRCODE	256
 
-
 /* YYLLOC_DEFAULT -- Set CURRENT to span from RHS[1] to RHS[N].
    If N is 0, then set CURRENT to the empty location which ends
    the previous symbol: RHS[0] (always defined).  */
 
-#define YYRHSLOC(Rhs, K) ((Rhs)[K])
 #ifndef YYLLOC_DEFAULT
-# define YYLLOC_DEFAULT(Current, Rhs, N)				\
-    do									\
-      if (YYID (N))                                                    \
-	{								\
-	  (Current).first_line   = YYRHSLOC (Rhs, 1).first_line;	\
-	  (Current).first_column = YYRHSLOC (Rhs, 1).first_column;	\
-	  (Current).last_line    = YYRHSLOC (Rhs, N).last_line;		\
-	  (Current).last_column  = YYRHSLOC (Rhs, N).last_column;	\
-	}								\
-      else								\
-	{								\
-	  (Current).first_line   = (Current).last_line   =		\
-	    YYRHSLOC (Rhs, 0).last_line;				\
-	  (Current).first_column = (Current).last_column =		\
-	    YYRHSLOC (Rhs, 0).last_column;				\
-	}								\
+# define YYLLOC_DEFAULT(Current, Rhs, N)                                \
+    do                                                                  \
+      if (YYID (N))                                                     \
+        {                                                               \
+          (Current).first_line   = YYRHSLOC (Rhs, 1).first_line;        \
+          (Current).first_column = YYRHSLOC (Rhs, 1).first_column;      \
+          (Current).last_line    = YYRHSLOC (Rhs, N).last_line;         \
+          (Current).last_column  = YYRHSLOC (Rhs, N).last_column;       \
+        }                                                               \
+      else                                                              \
+        {                                                               \
+          (Current).first_line   = (Current).last_line   =              \
+            YYRHSLOC (Rhs, 0).last_line;                                \
+          (Current).first_column = (Current).last_column =              \
+            YYRHSLOC (Rhs, 0).last_column;                              \
+        }                                                               \
     while (YYID (0))
 #endif
 
+#define YYRHSLOC(Rhs, K) ((Rhs)[K])
+
+
 
 /* This macro is provided for backward compatibility. */
 
@@ -1374,6 +1395,8 @@ yy_symbol_value_print (yyoutput, yytype, yyvaluep)
     YYSTYPE const * const yyvaluep;
 #endif
 {
+  FILE *yyo = yyoutput;
+  YYUSE (yyo);
   if (!yyvaluep)
     return;
 # ifdef YYPRINT
@@ -1625,12 +1648,12 @@ static int
 yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
                 yytype_int16 *yyssp, int yytoken)
 {
-  YYSIZE_T yysize0 = yytnamerr (0, yytname[yytoken]);
+  YYSIZE_T yysize0 = yytnamerr (YY_NULL, yytname[yytoken]);
   YYSIZE_T yysize = yysize0;
   YYSIZE_T yysize1;
   enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
   /* Internationalized format string. */
-  const char *yyformat = 0;
+  const char *yyformat = YY_NULL;
   /* Arguments of yyformat. */
   char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
   /* Number of reported tokens (one for the "unexpected", one per
@@ -1690,7 +1713,7 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
                     break;
                   }
                 yyarg[yycount++] = yytname[yyx];
-                yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+                yysize1 = yysize + yytnamerr (YY_NULL, yytname[yyx]);
                 if (! (yysize <= yysize1
                        && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
                   return 2;
@@ -1782,20 +1805,6 @@ yydestruct (yymsg, yytype, yyvaluep)
 }
 
 
-/* Prevent warnings from -Wmissing-prototypes.  */
-#ifdef YYPARSE_PARAM
-#if defined __STDC__ || defined __cplusplus
-int yyparse (void *YYPARSE_PARAM);
-#else
-int yyparse ();
-#endif
-#else /* ! YYPARSE_PARAM */
-#if defined __STDC__ || defined __cplusplus
-int yyparse (void);
-#else
-int yyparse ();
-#endif
-#endif /* ! YYPARSE_PARAM */
 
 
 /* The lookahead symbol.  */
@@ -1842,7 +1851,7 @@ yyparse ()
        `yyss': related to states.
        `yyvs': related to semantic values.
 
-       Refer to the stacks thru separate pointers, to allow yyoverflow
+       Refer to the stacks through separate pointers, to allow yyoverflow
        to reallocate them elsewhere.  */
 
     /* The state stack.  */
@@ -1896,7 +1905,6 @@ yyparse ()
      The wasted elements are never initialized.  */
   yyssp = yyss;
   yyvsp = yyvs;
-
   goto yysetstate;
 
 /*------------------------------------------------------------.
@@ -2074,8 +2082,7 @@ yyparse ()
   switch (yyn)
     {
         case 9:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 118 "util/configparser.y"
     { 
 		OUTYY(("\nP(server:)\n")); 
@@ -2083,8 +2090,7 @@ yyparse ()
     break;
 
   case 110:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 167 "util/configparser.y"
     {
 		struct config_stub* s;
@@ -2099,8 +2105,7 @@ yyparse ()
     break;
 
   case 118:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 183 "util/configparser.y"
     {
 		struct config_stub* s;
@@ -2115,8 +2120,7 @@ yyparse ()
     break;
 
   case 125:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 199 "util/configparser.y"
     { 
 		OUTYY(("P(server_num_threads:%s)\n", (yyvsp[(2) - (2)].str))); 
@@ -2128,8 +2132,7 @@ yyparse ()
     break;
 
   case 126:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 208 "util/configparser.y"
     { 
 		OUTYY(("P(server_verbosity:%s)\n", (yyvsp[(2) - (2)].str))); 
@@ -2141,8 +2144,7 @@ yyparse ()
     break;
 
   case 127:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 217 "util/configparser.y"
     { 
 		OUTYY(("P(server_statistics_interval:%s)\n", (yyvsp[(2) - (2)].str))); 
@@ -2156,8 +2158,7 @@ yyparse ()
     break;
 
   case 128:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 228 "util/configparser.y"
     {
 		OUTYY(("P(server_statistics_cumulative:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2169,8 +2170,7 @@ yyparse ()
     break;
 
   case 129:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 237 "util/configparser.y"
     {
 		OUTYY(("P(server_extended_statistics:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2182,8 +2182,7 @@ yyparse ()
     break;
 
   case 130:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 246 "util/configparser.y"
     {
 		OUTYY(("P(server_port:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2195,8 +2194,7 @@ yyparse ()
     break;
 
   case 131:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 255 "util/configparser.y"
     {
 		OUTYY(("P(server_interface:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2212,8 +2210,7 @@ yyparse ()
     break;
 
   case 132:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 268 "util/configparser.y"
     {
 		OUTYY(("P(server_outgoing_interface:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2231,8 +2228,7 @@ yyparse ()
     break;
 
   case 133:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 283 "util/configparser.y"
     {
 		OUTYY(("P(server_outgoing_range:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2244,8 +2240,7 @@ yyparse ()
     break;
 
   case 134:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 292 "util/configparser.y"
     {
 		OUTYY(("P(server_outgoing_port_permit:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2257,8 +2252,7 @@ yyparse ()
     break;
 
   case 135:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 301 "util/configparser.y"
     {
 		OUTYY(("P(server_outgoing_port_avoid:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2270,8 +2264,7 @@ yyparse ()
     break;
 
   case 136:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 310 "util/configparser.y"
     {
 		OUTYY(("P(server_outgoing_num_tcp:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2283,8 +2276,7 @@ yyparse ()
     break;
 
   case 137:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 319 "util/configparser.y"
     {
 		OUTYY(("P(server_incoming_num_tcp:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2296,8 +2288,7 @@ yyparse ()
     break;
 
   case 138:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 328 "util/configparser.y"
     {
 		OUTYY(("P(server_interface_automatic:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2309,8 +2300,7 @@ yyparse ()
     break;
 
   case 139:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 337 "util/configparser.y"
     {
 		OUTYY(("P(server_do_ip4:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2322,8 +2312,7 @@ yyparse ()
     break;
 
   case 140:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 346 "util/configparser.y"
     {
 		OUTYY(("P(server_do_ip6:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2335,8 +2324,7 @@ yyparse ()
     break;
 
   case 141:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 355 "util/configparser.y"
     {
 		OUTYY(("P(server_do_udp:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2348,8 +2336,7 @@ yyparse ()
     break;
 
   case 142:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 364 "util/configparser.y"
     {
 		OUTYY(("P(server_do_tcp:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2361,8 +2348,7 @@ yyparse ()
     break;
 
   case 143:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 373 "util/configparser.y"
     {
 		OUTYY(("P(server_tcp_upstream:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2374,8 +2360,7 @@ yyparse ()
     break;
 
   case 144:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 382 "util/configparser.y"
     {
 		OUTYY(("P(server_ssl_upstream:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2387,8 +2372,7 @@ yyparse ()
     break;
 
   case 145:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 391 "util/configparser.y"
     {
 		OUTYY(("P(server_ssl_service_key:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2398,8 +2382,7 @@ yyparse ()
     break;
 
   case 146:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 398 "util/configparser.y"
     {
 		OUTYY(("P(server_ssl_service_pem:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2409,8 +2392,7 @@ yyparse ()
     break;
 
   case 147:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 405 "util/configparser.y"
     {
 		OUTYY(("P(server_ssl_port:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2422,8 +2404,7 @@ yyparse ()
     break;
 
   case 148:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 414 "util/configparser.y"
     {
 		OUTYY(("P(server_do_daemonize:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2435,8 +2416,7 @@ yyparse ()
     break;
 
   case 149:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 423 "util/configparser.y"
     {
 		OUTYY(("P(server_use_syslog:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2453,8 +2433,7 @@ yyparse ()
     break;
 
   case 150:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 437 "util/configparser.y"
     {
 		OUTYY(("P(server_log_time_ascii:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2466,8 +2445,7 @@ yyparse ()
     break;
 
   case 151:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 446 "util/configparser.y"
     {
 		OUTYY(("P(server_log_queries:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2479,8 +2457,7 @@ yyparse ()
     break;
 
   case 152:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 455 "util/configparser.y"
     {
 		OUTYY(("P(server_chroot:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2490,8 +2467,7 @@ yyparse ()
     break;
 
   case 153:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 462 "util/configparser.y"
     {
 		OUTYY(("P(server_username:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2501,8 +2477,7 @@ yyparse ()
     break;
 
   case 154:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 469 "util/configparser.y"
     {
 		OUTYY(("P(server_directory:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2512,8 +2487,7 @@ yyparse ()
     break;
 
   case 155:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 476 "util/configparser.y"
     {
 		OUTYY(("P(server_logfile:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2524,8 +2498,7 @@ yyparse ()
     break;
 
   case 156:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 484 "util/configparser.y"
     {
 		OUTYY(("P(server_pidfile:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2535,8 +2508,7 @@ yyparse ()
     break;
 
   case 157:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 491 "util/configparser.y"
     {
 		OUTYY(("P(server_root_hints:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2546,8 +2518,7 @@ yyparse ()
     break;
 
   case 158:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 498 "util/configparser.y"
     {
 		OUTYY(("P(server_dlv_anchor_file:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2557,8 +2528,7 @@ yyparse ()
     break;
 
   case 159:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 505 "util/configparser.y"
     {
 		OUTYY(("P(server_dlv_anchor:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2568,8 +2538,7 @@ yyparse ()
     break;
 
   case 160:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 512 "util/configparser.y"
     {
 		OUTYY(("P(server_auto_trust_anchor_file:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2580,8 +2549,7 @@ yyparse ()
     break;
 
   case 161:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 520 "util/configparser.y"
     {
 		OUTYY(("P(server_trust_anchor_file:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2592,8 +2560,7 @@ yyparse ()
     break;
 
   case 162:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 528 "util/configparser.y"
     {
 		OUTYY(("P(server_trusted_keys_file:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2604,8 +2571,7 @@ yyparse ()
     break;
 
   case 163:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 536 "util/configparser.y"
     {
 		OUTYY(("P(server_trust_anchor:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2615,8 +2581,7 @@ yyparse ()
     break;
 
   case 164:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 543 "util/configparser.y"
     {
 		OUTYY(("P(server_domain_insecure:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2626,8 +2591,7 @@ yyparse ()
     break;
 
   case 165:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 550 "util/configparser.y"
     {
 		OUTYY(("P(server_hide_identity:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2639,8 +2603,7 @@ yyparse ()
     break;
 
   case 166:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 559 "util/configparser.y"
     {
 		OUTYY(("P(server_hide_version:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2652,8 +2615,7 @@ yyparse ()
     break;
 
   case 167:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 568 "util/configparser.y"
     {
 		OUTYY(("P(server_identity:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2663,8 +2625,7 @@ yyparse ()
     break;
 
   case 168:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 575 "util/configparser.y"
     {
 		OUTYY(("P(server_version:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2674,8 +2635,7 @@ yyparse ()
     break;
 
   case 169:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 582 "util/configparser.y"
     {
 		OUTYY(("P(server_so_rcvbuf:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2686,8 +2646,7 @@ yyparse ()
     break;
 
   case 170:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 590 "util/configparser.y"
     {
 		OUTYY(("P(server_so_sndbuf:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2698,8 +2657,7 @@ yyparse ()
     break;
 
   case 171:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 598 "util/configparser.y"
     {
 		OUTYY(("P(server_edns_buffer_size:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2715,8 +2673,7 @@ yyparse ()
     break;
 
   case 172:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 611 "util/configparser.y"
     {
 		OUTYY(("P(server_msg_buffer_size:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2730,8 +2687,7 @@ yyparse ()
     break;
 
   case 173:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 622 "util/configparser.y"
     {
 		OUTYY(("P(server_msg_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2742,8 +2698,7 @@ yyparse ()
     break;
 
   case 174:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 630 "util/configparser.y"
     {
 		OUTYY(("P(server_msg_cache_slabs:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2759,8 +2714,7 @@ yyparse ()
     break;
 
   case 175:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 643 "util/configparser.y"
     {
 		OUTYY(("P(server_num_queries_per_thread:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2772,8 +2726,7 @@ yyparse ()
     break;
 
   case 176:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 652 "util/configparser.y"
     {
 		OUTYY(("P(server_jostle_timeout:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2785,8 +2738,7 @@ yyparse ()
     break;
 
   case 177:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 661 "util/configparser.y"
     {
 		OUTYY(("P(server_rrset_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2797,8 +2749,7 @@ yyparse ()
     break;
 
   case 178:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 669 "util/configparser.y"
     {
 		OUTYY(("P(server_rrset_cache_slabs:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2814,8 +2765,7 @@ yyparse ()
     break;
 
   case 179:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 682 "util/configparser.y"
     {
 		OUTYY(("P(server_infra_host_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2827,8 +2777,7 @@ yyparse ()
     break;
 
   case 180:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 691 "util/configparser.y"
     {
 		OUTYY(("P(server_infra_lame_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2839,8 +2788,7 @@ yyparse ()
     break;
 
   case 181:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 699 "util/configparser.y"
     {
 		OUTYY(("P(server_infra_cache_numhosts:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2852,8 +2800,7 @@ yyparse ()
     break;
 
   case 182:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 708 "util/configparser.y"
     {
 		OUTYY(("P(server_infra_cache_lame_size:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2864,8 +2811,7 @@ yyparse ()
     break;
 
   case 183:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 716 "util/configparser.y"
     {
 		OUTYY(("P(server_infra_cache_slabs:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2881,8 +2827,7 @@ yyparse ()
     break;
 
   case 184:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 729 "util/configparser.y"
     {
 		OUTYY(("P(server_target_fetch_policy:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2892,8 +2837,7 @@ yyparse ()
     break;
 
   case 185:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 736 "util/configparser.y"
     {
 		OUTYY(("P(server_harden_short_bufsize:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2906,8 +2850,7 @@ yyparse ()
     break;
 
   case 186:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 746 "util/configparser.y"
     {
 		OUTYY(("P(server_harden_large_queries:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2920,8 +2863,7 @@ yyparse ()
     break;
 
   case 187:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 756 "util/configparser.y"
     {
 		OUTYY(("P(server_harden_glue:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2934,8 +2876,7 @@ yyparse ()
     break;
 
   case 188:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 766 "util/configparser.y"
     {
 		OUTYY(("P(server_harden_dnssec_stripped:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2948,8 +2889,7 @@ yyparse ()
     break;
 
   case 189:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 776 "util/configparser.y"
     {
 		OUTYY(("P(server_harden_below_nxdomain:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2962,8 +2902,7 @@ yyparse ()
     break;
 
   case 190:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 786 "util/configparser.y"
     {
 		OUTYY(("P(server_harden_referral_path:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2976,8 +2915,7 @@ yyparse ()
     break;
 
   case 191:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 796 "util/configparser.y"
     {
 		OUTYY(("P(server_use_caps_for_id:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -2990,8 +2928,7 @@ yyparse ()
     break;
 
   case 192:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 806 "util/configparser.y"
     {
 		OUTYY(("P(server_private_address:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3001,8 +2938,7 @@ yyparse ()
     break;
 
   case 193:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 813 "util/configparser.y"
     {
 		OUTYY(("P(server_private_domain:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3012,8 +2948,7 @@ yyparse ()
     break;
 
   case 194:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 820 "util/configparser.y"
     {
 		OUTYY(("P(server_prefetch:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3025,8 +2960,7 @@ yyparse ()
     break;
 
   case 195:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 829 "util/configparser.y"
     {
 		OUTYY(("P(server_prefetch_key:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3038,8 +2972,7 @@ yyparse ()
     break;
 
   case 196:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 838 "util/configparser.y"
     {
 		OUTYY(("P(server_unwanted_reply_threshold:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3051,8 +2984,7 @@ yyparse ()
     break;
 
   case 197:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 847 "util/configparser.y"
     {
 		OUTYY(("P(server_do_not_query_address:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3062,8 +2994,7 @@ yyparse ()
     break;
 
   case 198:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 854 "util/configparser.y"
     {
 		OUTYY(("P(server_do_not_query_localhost:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3076,8 +3007,7 @@ yyparse ()
     break;
 
   case 199:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 864 "util/configparser.y"
     {
 		OUTYY(("P(server_access_control:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
@@ -3094,8 +3024,7 @@ yyparse ()
     break;
 
   case 200:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 878 "util/configparser.y"
     {
 		OUTYY(("P(server_module_conf:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3105,8 +3034,7 @@ yyparse ()
     break;
 
   case 201:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 885 "util/configparser.y"
     {
 		OUTYY(("P(server_val_override_date:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3127,8 +3055,7 @@ yyparse ()
     break;
 
   case 202:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 903 "util/configparser.y"
     {
 		OUTYY(("P(server_val_sig_skew_min:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3144,8 +3071,7 @@ yyparse ()
     break;
 
   case 203:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 916 "util/configparser.y"
     {
 		OUTYY(("P(server_val_sig_skew_max:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3161,8 +3087,7 @@ yyparse ()
     break;
 
   case 204:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 929 "util/configparser.y"
     {
 		OUTYY(("P(server_cache_max_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3174,8 +3099,7 @@ yyparse ()
     break;
 
   case 205:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 938 "util/configparser.y"
     {
 		OUTYY(("P(server_cache_min_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3187,8 +3111,7 @@ yyparse ()
     break;
 
   case 206:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 947 "util/configparser.y"
     {
 		OUTYY(("P(server_bogus_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3200,8 +3123,7 @@ yyparse ()
     break;
 
   case 207:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 956 "util/configparser.y"
     {
 		OUTYY(("P(server_val_clean_additional:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3214,8 +3136,7 @@ yyparse ()
     break;
 
   case 208:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 966 "util/configparser.y"
     {
 		OUTYY(("P(server_val_permissive_mode:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3228,8 +3149,7 @@ yyparse ()
     break;
 
   case 209:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 976 "util/configparser.y"
     {
 		OUTYY(("P(server_ignore_cd_flag:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3241,8 +3161,7 @@ yyparse ()
     break;
 
   case 210:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 985 "util/configparser.y"
     {
 		OUTYY(("P(server_val_log_level:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3254,8 +3173,7 @@ yyparse ()
     break;
 
   case 211:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 994 "util/configparser.y"
     {
 		OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3265,8 +3183,7 @@ yyparse ()
     break;
 
   case 212:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1001 "util/configparser.y"
     {
 		OUTYY(("P(server_add_holddown:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3278,8 +3195,7 @@ yyparse ()
     break;
 
   case 213:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1010 "util/configparser.y"
     {
 		OUTYY(("P(server_del_holddown:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3291,8 +3207,7 @@ yyparse ()
     break;
 
   case 214:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1019 "util/configparser.y"
     {
 		OUTYY(("P(server_keep_missing:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3304,8 +3219,7 @@ yyparse ()
     break;
 
   case 215:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1028 "util/configparser.y"
     {
 		OUTYY(("P(server_key_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3316,8 +3230,7 @@ yyparse ()
     break;
 
   case 216:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1036 "util/configparser.y"
     {
 		OUTYY(("P(server_key_cache_slabs:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3333,8 +3246,7 @@ yyparse ()
     break;
 
   case 217:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1049 "util/configparser.y"
     {
 		OUTYY(("P(server_neg_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3345,8 +3257,7 @@ yyparse ()
     break;
 
   case 218:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1057 "util/configparser.y"
     {
 		OUTYY(("P(server_local_zone:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
@@ -3371,8 +3282,7 @@ yyparse ()
     break;
 
   case 219:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1079 "util/configparser.y"
     {
 		OUTYY(("P(server_local_data:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3382,8 +3292,7 @@ yyparse ()
     break;
 
   case 220:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1086 "util/configparser.y"
     {
 		char* ptr;
@@ -3401,8 +3310,7 @@ yyparse ()
     break;
 
   case 221:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1101 "util/configparser.y"
     {
 		OUTYY(("P(server_minimal_responses:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3415,8 +3323,7 @@ yyparse ()
     break;
 
   case 222:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1111 "util/configparser.y"
     {
 		OUTYY(("P(server_rrset_roundrobin:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3429,8 +3336,7 @@ yyparse ()
     break;
 
   case 223:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1121 "util/configparser.y"
     {
 		OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3443,8 +3349,7 @@ yyparse ()
     break;
 
   case 224:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1131 "util/configparser.y"
     {
 		OUTYY(("P(stub-host:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3454,8 +3359,7 @@ yyparse ()
     break;
 
   case 225:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1138 "util/configparser.y"
     {
 		OUTYY(("P(stub-addr:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3465,8 +3369,7 @@ yyparse ()
     break;
 
   case 226:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1145 "util/configparser.y"
     {
 		OUTYY(("P(stub-first:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3478,8 +3381,7 @@ yyparse ()
     break;
 
   case 227:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1154 "util/configparser.y"
     {
 		OUTYY(("P(stub-prime:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3492,8 +3394,7 @@ yyparse ()
     break;
 
   case 228:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1164 "util/configparser.y"
     {
 		OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3506,8 +3407,7 @@ yyparse ()
     break;
 
   case 229:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1174 "util/configparser.y"
     {
 		OUTYY(("P(forward-host:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3517,8 +3417,7 @@ yyparse ()
     break;
 
   case 230:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1181 "util/configparser.y"
     {
 		OUTYY(("P(forward-addr:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3528,8 +3427,7 @@ yyparse ()
     break;
 
   case 231:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1188 "util/configparser.y"
     {
 		OUTYY(("P(forward-first:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3541,8 +3439,7 @@ yyparse ()
     break;
 
   case 232:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1197 "util/configparser.y"
     { 
 		OUTYY(("\nP(remote-control:)\n")); 
@@ -3550,8 +3447,7 @@ yyparse ()
     break;
 
   case 242:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1208 "util/configparser.y"
     {
 		OUTYY(("P(control_enable:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3564,8 +3460,7 @@ yyparse ()
     break;
 
   case 243:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1218 "util/configparser.y"
     {
 		OUTYY(("P(control_port:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3577,8 +3472,7 @@ yyparse ()
     break;
 
   case 244:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1227 "util/configparser.y"
     {
 		OUTYY(("P(control_interface:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3588,8 +3482,7 @@ yyparse ()
     break;
 
   case 245:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1234 "util/configparser.y"
     {
 		OUTYY(("P(rc_server_key_file:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3599,8 +3492,7 @@ yyparse ()
     break;
 
   case 246:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1241 "util/configparser.y"
     {
 		OUTYY(("P(rc_server_cert_file:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3610,8 +3502,7 @@ yyparse ()
     break;
 
   case 247:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1248 "util/configparser.y"
     {
 		OUTYY(("P(rc_control_key_file:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3621,8 +3512,7 @@ yyparse ()
     break;
 
   case 248:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1255 "util/configparser.y"
     {
 		OUTYY(("P(rc_control_cert_file:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3632,8 +3522,7 @@ yyparse ()
     break;
 
   case 249:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1262 "util/configparser.y"
     { 
 		OUTYY(("\nP(python:)\n")); 
@@ -3641,8 +3530,7 @@ yyparse ()
     break;
 
   case 253:
-
-/* Line 1806 of yacc.c  */
+/* Line 1787 of yacc.c  */
 #line 1271 "util/configparser.y"
     {
 		OUTYY(("P(python-script:%s)\n", (yyvsp[(2) - (2)].str)));
@@ -3652,9 +3540,8 @@ yyparse ()
     break;
 
 
-
-/* Line 1806 of yacc.c  */
-#line 3658 "util/configparser.c"
+/* Line 1787 of yacc.c  */
+#line 3545 "util/configparser.c"
       default: break;
     }
   /* User semantic actions sometimes alter yychar, and that requires
@@ -3841,7 +3728,7 @@ yyparse ()
   yyresult = 1;
   goto yyreturn;
 
-#if !defined(yyoverflow) || YYERROR_VERBOSE
+#if !defined yyoverflow || YYERROR_VERBOSE
 /*-------------------------------------------------.
 | yyexhaustedlab -- memory exhaustion comes here.  |
 `-------------------------------------------------*/
@@ -3883,8 +3770,7 @@ yyparse ()
 }
 
 
-
-/* Line 2067 of yacc.c  */
+/* Line 2048 of yacc.c  */
 #line 1276 "util/configparser.y"
 
 
diff --git a/util/configparser.h b/util/configparser.h
index 06dd5d9f3071..8d9c3c4826eb 100644
--- a/util/configparser.h
+++ b/util/configparser.h
@@ -1,8 +1,8 @@
-/* A Bison parser, made by GNU Bison 2.5.  */
+/* A Bison parser, made by GNU Bison 2.6.1.  */
 
 /* Bison interface for Yacc-like parsers in C
    
-      Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc.
+      Copyright (C) 1984, 1989-1990, 2000-2012 Free Software Foundation, Inc.
    
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -30,6 +30,15 @@
    This special exception was added by the Free Software Foundation in
    version 2.2 of Bison.  */
 
+#ifndef YY_UTIL_CONFIGPARSER_H
+# define YY_UTIL_CONFIGPARSER_H
+/* Enabling traces.  */
+#ifndef YYDEBUG
+# define YYDEBUG 0
+#endif
+#if YYDEBUG
+extern int yydebug;
+#endif
 
 /* Tokens.  */
 #ifndef YYTOKENTYPE
@@ -297,20 +306,17 @@
 
 
 
-
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 typedef union YYSTYPE
 {
-
-/* Line 2068 of yacc.c  */
+/* Line 2049 of yacc.c  */
 #line 64 "util/configparser.y"
 
 	char*	str;
 
 
-
-/* Line 2068 of yacc.c  */
-#line 314 "util/configparser.h"
+/* Line 2049 of yacc.c  */
+#line 320 "util/configparser.h"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
@@ -319,4 +325,18 @@ typedef union YYSTYPE
 
 extern YYSTYPE yylval;
 
+#ifdef YYPARSE_PARAM
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void *YYPARSE_PARAM);
+#else
+int yyparse ();
+#endif
+#else /* ! YYPARSE_PARAM */
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void);
+#else
+int yyparse ();
+#endif
+#endif /* ! YYPARSE_PARAM */
 
+#endif /* !YY_UTIL_CONFIGPARSER_H  */
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
index a03f543e827b..2791ae560865 100644
--- a/util/data/msgparse.c
+++ b/util/data/msgparse.c
@@ -39,7 +39,6 @@
 #include "config.h"
 #include <ldns/ldns.h>
 #include "util/data/msgparse.h"
-#include "util/net_help.h"
 #include "util/data/dname.h"
 #include "util/data/packed_rrset.h"
 #include "util/storage/lookup3.h"
@@ -655,8 +654,10 @@ calc_size(ldns_buffer* pkt, uint16_t type, struct rr_parse* rr)
 				len = 0;
 				break;
 			case LDNS_RDF_TYPE_STR:
-				if(pkt_len < 1)
+				if(pkt_len < 1) {
+					/* NOTREACHED, due to 'while(>0)' */
 					return 0; /* len byte exceeds rdata */
+				}
 				len = ldns_buffer_current(pkt)[0] + 1;
 				break;
 			default:
diff --git a/util/iana_ports.inc b/util/iana_ports.inc
index 8508d7e9f014..c2c7a2156403 100644
--- a/util/iana_ports.inc
+++ b/util/iana_ports.inc
@@ -692,7 +692,7 @@
 1022,
 1025,
 1026,
-1028,
+1027,
 1029,
 1030,
 1031,
@@ -895,6 +895,7 @@
 1229,
 1230,
 1231,
+1232,
 1233,
 1234,
 1235,
@@ -3848,6 +3849,7 @@
 4425,
 4426,
 4430,
+4432,
 4441,
 4442,
 4443,
@@ -3870,6 +3872,7 @@
 4486,
 4488,
 4500,
+4534,
 4535,
 4536,
 4537,
@@ -3957,6 +3960,7 @@
 4743,
 4744,
 4745,
+4747,
 4749,
 4750,
 4751,
@@ -4053,6 +4057,7 @@
 5050,
 5051,
 5052,
+5053,
 5055,
 5056,
 5057,
@@ -4232,6 +4237,7 @@
 5556,
 5567,
 5568,
+5569,
 5573,
 5580,
 5581,
@@ -4256,6 +4262,7 @@
 5632,
 5633,
 5634,
+5670,
 5671,
 5672,
 5673,
@@ -4350,6 +4357,7 @@
 6085,
 6086,
 6087,
+6088,
 6100,
 6101,
 6102,
@@ -4363,6 +4371,7 @@
 6110,
 6111,
 6112,
+6118,
 6122,
 6123,
 6124,
@@ -4382,6 +4391,7 @@
 6162,
 6163,
 6200,
+6201,
 6222,
 6241,
 6242,
@@ -4397,6 +4407,7 @@
 6306,
 6315,
 6316,
+6317,
 6320,
 6321,
 6322,
@@ -4441,6 +4452,7 @@
 6508,
 6509,
 6510,
+6511,
 6514,
 6515,
 6543,
@@ -4466,6 +4478,7 @@
 6626,
 6627,
 6628,
+6633,
 6657,
 6670,
 6671,
@@ -4485,6 +4498,7 @@
 6769,
 6770,
 6771,
+6784,
 6785,
 6786,
 6787,
@@ -4541,6 +4555,7 @@
 7070,
 7071,
 7080,
+7095,
 7099,
 7100,
 7101,
@@ -4651,6 +4666,7 @@
 7799,
 7800,
 7801,
+7802,
 7810,
 7845,
 7846,
@@ -4694,6 +4710,7 @@
 8057,
 8058,
 8059,
+8060,
 8074,
 8080,
 8081,
@@ -4758,6 +4775,7 @@
 8442,
 8443,
 8444,
+8445,
 8450,
 8472,
 8473,
@@ -4768,6 +4786,7 @@
 8555,
 8567,
 8600,
+8609,
 8610,
 8611,
 8612,
@@ -4781,6 +4800,7 @@
 8763,
 8764,
 8765,
+8766,
 8770,
 8786,
 8787,
@@ -4866,6 +4886,7 @@
 9217,
 9222,
 9255,
+9277,
 9278,
 9279,
 9280,
@@ -4929,7 +4950,7 @@
 9801,
 9802,
 9875,
-9876,
+9878,
 9888,
 9889,
 9898,
@@ -5000,6 +5021,7 @@
 10805,
 10810,
 10860,
+10880,
 10990,
 11000,
 11001,
@@ -5023,6 +5045,7 @@
 11600,
 11720,
 11751,
+11796,
 11876,
 11877,
 11967,
@@ -5067,9 +5090,11 @@
 13820,
 13821,
 13822,
+13894,
 13929,
 14000,
 14001,
+14002,
 14033,
 14034,
 14141,
@@ -5147,6 +5172,7 @@
 19539,
 19540,
 19541,
+19788,
 19999,
 20000,
 20001,
@@ -5210,6 +5236,7 @@
 24242,
 24249,
 24321,
+24322,
 24386,
 24465,
 24554,
@@ -5217,6 +5244,7 @@
 24677,
 24678,
 24680,
+24850,
 24922,
 25000,
 25001,
@@ -5233,6 +5261,8 @@
 25901,
 25902,
 25903,
+25954,
+25955,
 26000,
 26133,
 26208,
@@ -5250,6 +5280,7 @@
 27999,
 28000,
 28119,
+28200,
 28240,
 29167,
 30001,
@@ -5313,19 +5344,21 @@
 42508,
 42509,
 42510,
+43000,
 43188,
 43189,
 43190,
+43210,
 43439,
 43440,
 43441,
 44321,
 44322,
-44323,
 44544,
 44553,
 44600,
 44818,
+44900,
 45000,
 45054,
 45678,
@@ -5333,6 +5366,7 @@
 45966,
 46999,
 47000,
+47100,
 47557,
 47624,
 47806,
diff --git a/util/log.c b/util/log.c
index fc07dc6a9cba..8c09c7ce3122 100644
--- a/util/log.c
+++ b/util/log.c
@@ -171,6 +171,8 @@ log_vmsg(int pri, const char* type,
 #if defined(HAVE_STRFTIME) && defined(HAVE_LOCALTIME_R) 
 	char tmbuf[32];
 	struct tm tm;
+#elif defined(UB_ON_WINDOWS)
+	char tmbuf[128], dtbuf[128];
 #endif
 	(void)pri;
 	vsnprintf(message, sizeof(message), format, args);
@@ -218,6 +220,13 @@ log_vmsg(int pri, const char* type,
 		fprintf(logfile, "%s %s[%d:%x] %s: %s\n", tmbuf, 
 			ident, (int)getpid(), tid?*tid:0, type, message);
 	} else
+#elif defined(UB_ON_WINDOWS)
+	if(log_time_asc && GetTimeFormat(LOCALE_USER_DEFAULT, 0, NULL, NULL,
+		tmbuf, sizeof(tmbuf)) && GetDateFormat(LOCALE_USER_DEFAULT, 0,
+		NULL, NULL, dtbuf, sizeof(dtbuf))) {
+		fprintf(logfile, "%s %s %s[%d:%x] %s: %s\n", dtbuf, tmbuf, 
+			ident, (int)getpid(), tid?*tid:0, type, message);
+	} else
 #endif
 	fprintf(logfile, "[%u] %s[%d:%x] %s: %s\n", (unsigned)now, 
 		ident, (int)getpid(), tid?*tid:0, type, message);
diff --git a/util/net_help.c b/util/net_help.c
index 6be5fcc3132a..64bd876dcbb1 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -45,8 +45,12 @@
 #include "util/module.h"
 #include "util/regional.h"
 #include <fcntl.h>
+#ifdef HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
+#endif
+#ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
+#endif
 
 /** max length of an IP address (the address portion) that we allow */
 #define MAX_ADDR_STRLEN 128 /* characters */
@@ -565,6 +569,7 @@ void sock_list_merge(struct sock_list** list, struct regional* region,
 void
 log_crypto_err(const char* str)
 {
+#ifdef HAVE_SSL
 	/* error:[error code]:[library name]:[function name]:[reason string] */
 	char buf[128];
 	unsigned long e;
@@ -574,10 +579,14 @@ log_crypto_err(const char* str)
 		ERR_error_string_n(e, buf, sizeof(buf));
 		log_err("and additionally crypto %s", buf);
 	}
+#else
+	(void)str;
+#endif /* HAVE_SSL */
 }
 
 void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 {
+#ifdef HAVE_SSL
 	SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
 	if(!ctx) {
 		log_crypto_err("could not SSL_CTX_new");
@@ -619,10 +628,15 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
 	}
 	return ctx;
+#else
+	(void)key; (void)pem; (void)verifypem;
+	return NULL;
+#endif
 }
 
 void* connect_sslctx_create(char* key, char* pem, char* verifypem)
 {
+#ifdef HAVE_SSL
 	SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
 	if(!ctx) {
 		log_crypto_err("could not allocate SSL_CTX pointer");
@@ -662,10 +676,15 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
 	}
 	return ctx;
+#else
+	(void)key; (void)pem; (void)verifypem;
+	return NULL;
+#endif
 }
 
 void* incoming_ssl_fd(void* sslctx, int fd)
 {
+#ifdef HAVE_SSL
 	SSL* ssl = SSL_new((SSL_CTX*)sslctx);
 	if(!ssl) {
 		log_crypto_err("could not SSL_new");
@@ -679,10 +698,15 @@ void* incoming_ssl_fd(void* sslctx, int fd)
 		return NULL;
 	}
 	return ssl;
+#else
+	(void)sslctx; (void)fd;
+	return NULL;
+#endif
 }
 
 void* outgoing_ssl_fd(void* sslctx, int fd)
 {
+#ifdef HAVE_SSL
 	SSL* ssl = SSL_new((SSL_CTX*)sslctx);
 	if(!ssl) {
 		log_crypto_err("could not SSL_new");
@@ -696,4 +720,64 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
 		return NULL;
 	}
 	return ssl;
+#else
+	(void)sslctx; (void)fd;
+	return NULL;
+#endif
 }
+
+#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+/** global lock list for openssl locks */
+static lock_basic_t *ub_openssl_locks = NULL;
+
+/** callback that gets thread id for openssl */
+static unsigned long
+ub_crypto_id_cb(void)
+{
+	return (unsigned long)ub_thread_self();
+}
+
+static void
+ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
+	int ATTR_UNUSED(line))
+{
+	if((mode&CRYPTO_LOCK)) {
+		lock_basic_lock(&ub_openssl_locks[type]);
+	} else {
+		lock_basic_unlock(&ub_openssl_locks[type]);
+	}
+}
+#endif /* OPENSSL_THREADS */
+
+int ub_openssl_lock_init(void)
+{
+#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+	int i;
+	ub_openssl_locks = (lock_basic_t*)malloc(
+		sizeof(lock_basic_t)*CRYPTO_num_locks());
+	if(!ub_openssl_locks)
+		return 0;
+	for(i=0; i<CRYPTO_num_locks(); i++) {
+		lock_basic_init(&ub_openssl_locks[i]);
+	}
+	CRYPTO_set_id_callback(&ub_crypto_id_cb);
+	CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
+#endif /* OPENSSL_THREADS */
+	return 1;
+}
+
+void ub_openssl_lock_delete(void)
+{
+#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+	int i;
+	if(!ub_openssl_locks)
+		return;
+	CRYPTO_set_id_callback(NULL);
+	CRYPTO_set_locking_callback(NULL);
+	for(i=0; i<CRYPTO_num_locks(); i++) {
+		lock_basic_destroy(&ub_openssl_locks[i]);
+	}
+	free(ub_openssl_locks);
+#endif /* OPENSSL_THREADS */
+}
+
diff --git a/util/net_help.h b/util/net_help.h
index e0c0ebea1757..05b5087b4129 100644
--- a/util/net_help.h
+++ b/util/net_help.h
@@ -369,4 +369,15 @@ void* incoming_ssl_fd(void* sslctx, int fd);
  */
 void* outgoing_ssl_fd(void* sslctx, int fd);
 
+/**
+ * Initialize openssl locking for thread safety
+ * @return false on failure (alloc failure).
+ */
+int ub_openssl_lock_init(void);
+
+/**
+ * De-init the allocated openssl locks
+ */
+void ub_openssl_lock_delete(void);
+
 #endif /* NET_HELP_H */
diff --git a/util/netevent.c b/util/netevent.c
index 5b869765cc32..c5a7d8029f86 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -44,8 +44,12 @@
 #include "util/log.h"
 #include "util/net_help.h"
 #include "util/fptr_wlist.h"
+#ifdef HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
+#endif
+#ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
+#endif
 
 /* -------- Start of local definitions -------- */
 /** if CMSG_ALIGN is not defined on this platform, a workaround */
@@ -91,7 +95,13 @@
 #  endif /* USE_WINSOCK */
 #else /* USE_MINI_EVENT */
    /* we use libevent */
-#  include <event.h>
+#  ifdef HAVE_EVENT_H
+#    include <event.h>
+#  else
+#    include "event2/event.h"
+#    include "event2/event_struct.h"
+#    include "event2/event_compat.h"
+#  endif
 #endif /* USE_MINI_EVENT */
 
 /**
@@ -846,9 +856,11 @@ reclaim_tcp_handler(struct comm_point* c)
 {
 	log_assert(c->type == comm_tcp);
 	if(c->ssl) {
+#ifdef HAVE_SSL
 		SSL_shutdown(c->ssl);
 		SSL_free(c->ssl);
 		c->ssl = NULL;
+#endif
 	}
 	comm_point_close(c);
 	if(c->tcp_parent) {
@@ -893,6 +905,7 @@ tcp_callback_reader(struct comm_point* c)
 }
 
 /** continue ssl handshake */
+#ifdef HAVE_SSL
 static int
 ssl_handshake(struct comm_point* c)
 {
@@ -955,11 +968,13 @@ ssl_handshake(struct comm_point* c)
 	c->ssl_shake_state = comm_ssl_shake_none;
 	return 1;
 }
+#endif /* HAVE_SSL */
 
 /** ssl read callback on TCP */
 static int
 ssl_handle_read(struct comm_point* c)
 {
+#ifdef HAVE_SSL
 	int r;
 	if(c->ssl_shake_state != comm_ssl_shake_none) {
 		if(!ssl_handshake(c))
@@ -1036,12 +1051,17 @@ ssl_handle_read(struct comm_point* c)
 		tcp_callback_reader(c);
 	}
 	return 1;
+#else
+	(void)c;
+	return 0;
+#endif /* HAVE_SSL */
 }
 
 /** ssl write callback on TCP */
 static int
 ssl_handle_write(struct comm_point* c)
 {
+#ifdef HAVE_SSL
 	int r;
 	if(c->ssl_shake_state != comm_ssl_shake_none) {
 		if(!ssl_handshake(c))
@@ -1115,6 +1135,10 @@ ssl_handle_write(struct comm_point* c)
 		tcp_callback_writer(c);
 	}
 	return 1;
+#else
+	(void)c;
+	return 0;
+#endif /* HAVE_SSL */
 }
 
 /** handle ssl tcp connection with dns contents */
@@ -1844,8 +1868,10 @@ comm_point_delete(struct comm_point* c)
 	if(!c) 
 		return;
 	if(c->type == comm_tcp && c->ssl) {
+#ifdef HAVE_SSL
 		SSL_shutdown(c->ssl);
 		SSL_free(c->ssl);
+#endif
 	}
 	comm_point_close(c);
 	if(c->tcp_handlers) {
diff --git a/util/random.c b/util/random.c
index 72c58a2b4df5..5d71fcfa4c12 100644
--- a/util/random.c
+++ b/util/random.c
@@ -60,10 +60,25 @@
 #include "config.h"
 #include "util/random.h"
 #include "util/log.h"
+#ifdef HAVE_SSL
 #include <openssl/rand.h>
 #include <openssl/rc4.h>
 #include <openssl/err.h>
+#elif defined(HAVE_NSS)
+/* nspr4 */
+#include "prerror.h"
+/* nss3 */
+#include "secport.h"
+#include "pk11pub.h"
+#endif
 
+/** 
+ * Max random value.  Similar to RAND_MAX, but more portable
+ * (mingw uses only 15 bits random).
+ */
+#define MAX_VALUE 0x7fffffff
+
+#ifdef HAVE_SSL
 /**
  * Struct with per-thread random state.
  * Keeps SSL types away from the header file.
@@ -78,12 +93,6 @@ struct ub_randstate {
 /** Size of key to use (must be multiple of 8) */
 #define SEED_SIZE 24
 
-/** 
- * Max random value.  Similar to RAND_MAX, but more portable
- * (mingw uses only 15 bits random).
- */
-#define MAX_VALUE 0x7fffffff
-
 /** Number of bytes to reseed after */
 #define REKEY_BYTES	(1 << 24)
 
@@ -140,6 +149,16 @@ ub_arc4random_stir(struct ub_randstate* s, struct ub_randstate* from)
 			return;
 		}
 	}
+#ifdef HAVE_FIPS_MODE
+	if(FIPS_mode()) {
+		/* RC4 is not allowed, get some trustworthy randomness */
+		/* double certainty here, this routine should not be
+		 * called in FIPS_mode */
+		memset(rand_buf, 0, sizeof(rand_buf));
+		s->rc4_ready = REKEY_BYTES;
+		return;
+	}
+#endif /* FIPS_MODE */
 	RC4_set_key(&s->rc4, SEED_SIZE, (unsigned char*)rand_buf);
 
 	/*
@@ -164,6 +183,9 @@ ub_initstate(unsigned int seed, struct ub_randstate* from)
 		return NULL;
 	}
 	ub_systemseed(seed);
+#ifdef HAVE_FIPS_MODE
+	if(!FIPS_mode())
+#endif
 	ub_arc4random_stir(s, from);
 	return s;
 }
@@ -172,6 +194,20 @@ long int
 ub_random(struct ub_randstate* s)
 {
 	unsigned int r = 0;
+#ifdef HAVE_FIPS_MODE
+	if(FIPS_mode()) {
+		/* RC4 is not allowed, get some trustworthy randomness */
+		/* we use pseudo bytes: it tries to return secure randomness
+		 * but returns 'something' if that fails.  We need something
+		 * else if it fails, because we cannot block here */
+		if(RAND_pseudo_bytes((unsigned char*)&r, (int)sizeof(r))
+			== -1) {
+			log_err("FIPSmode, no arc4random but RAND failed "
+				"(error %ld)", ERR_get_error());
+		}
+		return (long int)((r) % (((unsigned)MAX_VALUE + 1)));
+	}
+#endif /* FIPS_MODE */
 	if (s->rc4_ready <= 0) {
 		ub_arc4random_stir(s, NULL);
 	}
@@ -182,6 +218,42 @@ ub_random(struct ub_randstate* s)
 	return (long int)((r) % (((unsigned)MAX_VALUE + 1)));
 }
 
+#elif defined(HAVE_NSS)
+
+/* not much to remember for NSS since we use its pk11_random, placeholder */
+struct ub_randstate {
+	int ready;
+};
+
+void ub_systemseed(unsigned int ATTR_UNUSED(seed))
+{
+}
+
+struct ub_randstate* ub_initstate(unsigned int ATTR_UNUSED(seed), 
+	struct ub_randstate* ATTR_UNUSED(from))
+{
+	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
+	if(!s) {
+		log_err("malloc failure in random init");
+		return NULL;
+	}
+	return s;
+}
+
+long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
+{
+	long int x;
+	/* random 31 bit value. */
+	SECStatus s = PK11_GenerateRandom((unsigned char*)&x, (int)sizeof(x));
+	if(s != SECSuccess) {
+		log_err("PK11_GenerateRandom error: %s",
+			PORT_ErrorToString(PORT_GetError()));
+	}
+	return x & MAX_VALUE;
+}
+
+#endif /* HAVE_SSL or HAVE_NSS */
+
 long int
 ub_random_max(struct ub_randstate* state, long int x)
 {
diff --git a/util/rtt.c b/util/rtt.c
index df1d437e4791..c888b0864f06 100644
--- a/util/rtt.c
+++ b/util/rtt.c
@@ -41,7 +41,6 @@
  */
 #include "config.h"
 #include "util/rtt.h"
-#include "util/log.h"
 
 /** calculate RTO from rtt information */
 static int
diff --git a/util/storage/lookup3.c b/util/storage/lookup3.c
index 65e0ad2a57cb..845cc388624b 100644
--- a/util/storage/lookup3.c
+++ b/util/storage/lookup3.c
@@ -1,4 +1,5 @@
 /*
+  February 2013(Wouter) patch defines for BSD endianness, from Brad Smith.
   January 2012(Wouter) added randomised initial value, fallout from 28c3.
   March 2007(Wouter) adapted from lookup3.c original, add config.h include.
      added #ifdef VALGRIND to remove 298,384,660 'unused variable k8' warnings.
@@ -52,6 +53,12 @@ on 1 byte), but shoehorning those bytes into integers efficiently is messy.
 #ifdef linux
 # include <endian.h>    /* attempt to define endianness */
 #endif
+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
+#include <sys/endian.h> /* attempt to define endianness */
+#endif
+#ifdef __OpenBSD__
+#include <machine/endian.h> /* attempt to define endianness */
+#endif
 
 /* random initial value */
 static uint32_t raninit = 0xdeadbeef;
@@ -68,12 +75,19 @@ hash_set_raninit(uint32_t v)
  */
 #if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
      __BYTE_ORDER == __LITTLE_ENDIAN) || \
+    (defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && \
+     _BYTE_ORDER == _LITTLE_ENDIAN) || \
     (defined(i386) || defined(__i386__) || defined(__i486__) || \
      defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL))
 # define HASH_LITTLE_ENDIAN 1
 # define HASH_BIG_ENDIAN 0
+#elif (!defined(_BYTE_ORDER) && !defined(__BYTE_ORDER) && defined(_BIG_ENDIAN))
+# define HASH_LITTLE_ENDIAN 0
+# define HASH_BIG_ENDIAN 1
 #elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \
        __BYTE_ORDER == __BIG_ENDIAN) || \
+      (defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && \
+       _BYTE_ORDER == _BIG_ENDIAN) || \
       (defined(sparc) || defined(POWERPC) || defined(mc68000) || defined(sel))
 # define HASH_LITTLE_ENDIAN 0
 # define HASH_BIG_ENDIAN 1
diff --git a/util/tube.c b/util/tube.c
index 67294e056c4b..28c51d79d16d 100644
--- a/util/tube.c
+++ b/util/tube.c
@@ -360,6 +360,7 @@ int tube_read_msg(struct tube* tube, uint8_t** buf, uint32_t* len,
 		}
 		d += r;
 	}
+	log_assert(*len < 65536*2);
 	*buf = (uint8_t*)malloc(*len);
 	if(!*buf) {
 		log_err("tube read out of memory");
diff --git a/validator/autotrust.c b/validator/autotrust.c
index 9896943245e4..99537d18aeeb 100644
--- a/validator/autotrust.c
+++ b/validator/autotrust.c
@@ -466,7 +466,7 @@ add_trustanchor_frm_str(struct val_anchors* anchors, char* str,
  * @param anchors: all points.
  * @param str: comments line
  * @param fname: filename
- * @param origin: $ORIGIN.
+ * @param origin: the $ORIGIN.
  * @param prev: passed to ldns.
  * @param skip: if true, the result is NULL, but not an error, skip it.
  * @return false on failure, otherwise the tp read.
@@ -1851,6 +1851,7 @@ static void
 autr_tp_remove(struct module_env* env, struct trust_anchor* tp,
 	struct ub_packed_rrset_key* dnskey_rrset)
 {
+	struct trust_anchor* del_tp;
 	struct trust_anchor key;
 	struct autr_point_data pd;
 	time_t mold, mnew;
@@ -1876,19 +1877,24 @@ autr_tp_remove(struct module_env* env, struct trust_anchor* tp,
 
 	/* take from tree. It could be deleted by someone else,hence (void). */
 	lock_basic_lock(&env->anchors->lock);
-	(void)rbtree_delete(env->anchors->tree, &key);
+	del_tp = (struct trust_anchor*)rbtree_delete(env->anchors->tree, &key);
 	mold = wait_probe_time(env->anchors);
 	(void)rbtree_delete(&env->anchors->autr->probe, &key);
 	mnew = wait_probe_time(env->anchors);
 	anchors_init_parents_locked(env->anchors);
 	lock_basic_unlock(&env->anchors->lock);
 
-	/* save on disk */
-	tp->autr->next_probe_time = 0; /* no more probing for it */
-	autr_write_file(env, tp);
+	/* if !del_tp then the trust point is no longer present in the tree,
+	 * it was deleted by someone else, who will write the zonefile and
+	 * clean up the structure */
+	if(del_tp) {
+		/* save on disk */
+		del_tp->autr->next_probe_time = 0; /* no more probing for it */
+		autr_write_file(env, del_tp);
 
-	/* delete */
-	autr_point_delete(tp);
+		/* delete */
+		autr_point_delete(del_tp);
+	}
 	if(mold != mnew) {
 		reset_worker_timer(env);
 	}
diff --git a/validator/val_anchor.c b/validator/val_anchor.c
index 200bf5d97be6..cc551f83320f 100644
--- a/validator/val_anchor.c
+++ b/validator/val_anchor.c
@@ -836,7 +836,8 @@ anchor_read_bind_file_wild(struct val_anchors* anchors, ldns_buffer* buffer,
 			log_err("wildcard trusted-keys-file %s: expansion "
 				"failed (%s)", pat, strerror(errno));
 		}
-		return 0;
+		/* ignore globs that yield no files */
+		return 1; 
 	}
 	/* process files found, if any */
 	for(i=0; i<(size_t)g.gl_pathc; i++) {
@@ -1246,6 +1247,7 @@ anchors_delete_insecure(struct val_anchors* anchors, uint16_t c,
 	lock_basic_lock(&ta->lock);
 	/* see if its really an insecure point */
 	if(ta->keylist || ta->autr || ta->numDS || ta->numDNSKEY) {
+		lock_basic_unlock(&anchors->lock);
 		lock_basic_unlock(&ta->lock);
 		/* its not an insecure point, do not remove it */
 		return;
diff --git a/validator/val_neg.c b/validator/val_neg.c
index 60434db03385..eec2eb1b6bb7 100644
--- a/validator/val_neg.c
+++ b/validator/val_neg.c
@@ -44,6 +44,9 @@
 #include "config.h"
 #ifdef HAVE_OPENSSL_SSL_H
 #include "openssl/ssl.h"
+#define NSEC3_SHA_LEN SHA_DIGEST_LENGTH
+#else
+#define NSEC3_SHA_LEN 20
 #endif
 #include "validator/val_neg.h"
 #include "validator/val_nsec.h"
@@ -1174,7 +1177,7 @@ neg_find_nsec3_ce(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
 		int qlabs, ldns_buffer* buf, uint8_t* hashnc, size_t* nclen)
 {
 	struct val_neg_data* data;
-	uint8_t hashce[SHA_DIGEST_LENGTH];
+	uint8_t hashce[NSEC3_SHA_LEN];
 	uint8_t b32[257];
 	size_t celen, b32len;
 
@@ -1259,7 +1262,7 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
 {
 	struct dns_msg* msg;
 	struct val_neg_data* data;
-	uint8_t hashnc[SHA_DIGEST_LENGTH];
+	uint8_t hashnc[NSEC3_SHA_LEN];
 	size_t nclen;
 	struct ub_packed_rrset_key* ce_rrset, *nc_rrset;
 	struct nsec3_cached_hash c;
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index a18e3ab31d06..4b48e7beed60 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -45,6 +45,10 @@
 #ifdef HAVE_OPENSSL_SSL_H
 #include "openssl/ssl.h"
 #endif
+#ifdef HAVE_NSS
+/* nss3 */
+#include "sechash.h"
+#endif
 #include "validator/val_nsec3.h"
 #include "validator/validator.h"
 #include "validator/val_kentry.h"
@@ -541,26 +545,43 @@ nsec3_get_hashed(ldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo,
 	ldns_buffer_write(buf, salt, saltlen);
 	ldns_buffer_flip(buf);
 	switch(algo) {
-#ifdef HAVE_EVP_SHA1
+#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
 		case NSEC3_HASH_SHA1:
+#ifdef HAVE_SSL
 			hash_len = SHA_DIGEST_LENGTH;
+#else
+			hash_len = SHA1_LENGTH;
+#endif
 			if(hash_len > max)
 				return 0;
+#  ifdef HAVE_SSL
 			(void)SHA1((unsigned char*)ldns_buffer_begin(buf),
 				(unsigned long)ldns_buffer_limit(buf),
 				(unsigned char*)res);
+#  else
+			(void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)res,
+				(unsigned char*)ldns_buffer_begin(buf),
+				(unsigned long)ldns_buffer_limit(buf));
+#  endif
 			for(i=0; i<iter; i++) {
 				ldns_buffer_clear(buf);
 				ldns_buffer_write(buf, res, hash_len);
 				ldns_buffer_write(buf, salt, saltlen);
 				ldns_buffer_flip(buf);
+#  ifdef HAVE_SSL
 				(void)SHA1(
 					(unsigned char*)ldns_buffer_begin(buf),
 					(unsigned long)ldns_buffer_limit(buf),
 					(unsigned char*)res);
+#  else
+				(void)HASH_HashBuf(HASH_AlgSHA1,
+					(unsigned char*)res,
+					(unsigned char*)ldns_buffer_begin(buf),
+					(unsigned long)ldns_buffer_limit(buf));
+#  endif
 			}
 			break;
-#endif /* HAVE_EVP_SHA1 */
+#endif /* HAVE_EVP_SHA1 or NSS */
 		default:
 			log_err("nsec3 hash of unknown algo %d", algo);
 			return 0;
@@ -586,28 +607,46 @@ nsec3_calc_hash(struct regional* region, ldns_buffer* buf,
 	ldns_buffer_write(buf, salt, saltlen);
 	ldns_buffer_flip(buf);
 	switch(algo) {
-#ifdef HAVE_EVP_SHA1
+#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
 		case NSEC3_HASH_SHA1:
+#ifdef HAVE_SSL
 			c->hash_len = SHA_DIGEST_LENGTH;
+#else
+			c->hash_len = SHA1_LENGTH;
+#endif
 			c->hash = (uint8_t*)regional_alloc(region, 
 				c->hash_len);
 			if(!c->hash)
 				return 0;
+#  ifdef HAVE_SSL
 			(void)SHA1((unsigned char*)ldns_buffer_begin(buf),
 				(unsigned long)ldns_buffer_limit(buf),
 				(unsigned char*)c->hash);
+#  else
+			(void)HASH_HashBuf(HASH_AlgSHA1,
+				(unsigned char*)c->hash,
+				(unsigned char*)ldns_buffer_begin(buf),
+				(unsigned long)ldns_buffer_limit(buf));
+#  endif
 			for(i=0; i<iter; i++) {
 				ldns_buffer_clear(buf);
 				ldns_buffer_write(buf, c->hash, c->hash_len);
 				ldns_buffer_write(buf, salt, saltlen);
 				ldns_buffer_flip(buf);
+#  ifdef HAVE_SSL
 				(void)SHA1(
 					(unsigned char*)ldns_buffer_begin(buf),
 					(unsigned long)ldns_buffer_limit(buf),
 					(unsigned char*)c->hash);
+#  else
+				(void)HASH_HashBuf(HASH_AlgSHA1,
+					(unsigned char*)c->hash,
+					(unsigned char*)ldns_buffer_begin(buf),
+					(unsigned long)ldns_buffer_limit(buf));
+#  endif
 			}
 			break;
-#endif /* HAVE_EVP_SHA1 */
+#endif /* HAVE_EVP_SHA1 or NSS */
 		default:
 			log_err("nsec3 hash of unknown algo %d", algo);
 			return -1;
@@ -1133,8 +1172,8 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
 		 * If not type DS: matching nsec3 must not be a delegation.
 		 */
 		if(qinfo->qtype == LDNS_RR_TYPE_DS && qinfo->qname_len != 1 
-			&& nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA &&
-			!dname_is_root(qinfo->qname))) {
+			&& nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA) &&
+			!dname_is_root(qinfo->qname)) {
 			verbose(VERB_ALGO, "proveNodata: apex NSEC3 "
 				"abused for no DS proof, bogus");
 			return sec_status_bogus;
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
new file mode 100644
index 000000000000..5cca578b1be1
--- /dev/null
+++ b/validator/val_secalgo.c
@@ -0,0 +1,1070 @@
+/*
+ * validator/val_secalgo.c - validator security algorithm functions.
+ *
+ * Copyright (c) 2012, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains helper functions for the validator module.
+ * These functions take raw data buffers, formatted for crypto verification,
+ * and do the library calls (for the crypto library in use).
+ */
+#include "config.h"
+#include <ldns/ldns.h>
+#include "validator/val_secalgo.h"
+#include "util/data/packed_rrset.h"
+#include "util/log.h"
+
+#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
+#error "Need crypto library to do digital signature cryptography"
+#endif
+
+/* OpenSSL implementation */
+#ifdef HAVE_SSL
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+
+#ifdef HAVE_OPENSSL_RAND_H
+#include <openssl/rand.h>
+#endif
+
+#ifdef HAVE_OPENSSL_CONF_H
+#include <openssl/conf.h>
+#endif
+
+#ifdef HAVE_OPENSSL_ENGINE_H
+#include <openssl/engine.h>
+#endif
+
+/**
+ * Return size of DS digest according to its hash algorithm.
+ * @param algo: DS digest algo.
+ * @return size in bytes of digest, or 0 if not supported. 
+ */
+size_t
+ds_digest_size_supported(int algo)
+{
+	switch(algo) {
+#ifdef HAVE_EVP_SHA1
+		case LDNS_SHA1:
+			return SHA_DIGEST_LENGTH;
+#endif
+#ifdef HAVE_EVP_SHA256
+		case LDNS_SHA256:
+			return SHA256_DIGEST_LENGTH;
+#endif
+#ifdef USE_GOST
+		case LDNS_HASH_GOST:
+			if(EVP_get_digestbyname("md_gost94"))
+				return 32;
+			else	return 0;
+#endif
+#ifdef USE_ECDSA
+		case LDNS_SHA384:
+			return SHA384_DIGEST_LENGTH;
+#endif
+		default: break;
+	}
+	return 0;
+}
+
+#ifdef USE_GOST
+/** Perform GOST hash */
+static int
+do_gost94(unsigned char* data, size_t len, unsigned char* dest)
+{
+	const EVP_MD* md = EVP_get_digestbyname("md_gost94");
+	if(!md) 
+		return 0;
+	return ldns_digest_evp(data, (unsigned int)len, dest, md);
+}
+#endif
+
+int
+secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+	unsigned char* res)
+{
+	switch(algo) {
+#ifdef HAVE_EVP_SHA1
+		case LDNS_SHA1:
+			(void)SHA1(buf, len, res);
+			return 1;
+#endif
+#ifdef HAVE_EVP_SHA256
+		case LDNS_SHA256:
+			(void)SHA256(buf, len, res);
+			return 1;
+#endif
+#ifdef USE_GOST
+		case LDNS_HASH_GOST:
+			if(do_gost94(buf, len, res))
+				return 1;
+			break;
+#endif
+#ifdef USE_ECDSA
+		case LDNS_SHA384:
+			(void)SHA384(buf, len, res);
+			return 1;
+#endif
+		default: 
+			verbose(VERB_QUERY, "unknown DS digest algorithm %d", 
+				algo);
+			break;
+	}
+	return 0;
+}
+
+/** return true if DNSKEY algorithm id is supported */
+int
+dnskey_algo_id_is_supported(int id)
+{
+	switch(id) {
+	case LDNS_RSAMD5:
+		/* RFC 6725 deprecates RSAMD5 */
+		return 0;
+	case LDNS_DSA:
+	case LDNS_DSA_NSEC3:
+	case LDNS_RSASHA1:
+	case LDNS_RSASHA1_NSEC3:
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+	case LDNS_RSASHA256:
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+	case LDNS_RSASHA512:
+#endif
+#ifdef USE_ECDSA
+	case LDNS_ECDSAP256SHA256:
+	case LDNS_ECDSAP384SHA384:
+#endif
+		return 1;
+#ifdef USE_GOST
+	case LDNS_ECC_GOST:
+		/* we support GOST if it can be loaded */
+		return ldns_key_EVP_load_gost_id();
+#endif
+	default:
+		return 0;
+	}
+}
+
+/**
+ * Output a libcrypto openssl error to the logfile.
+ * @param str: string to add to it.
+ * @param e: the error to output, error number from ERR_get_error().
+ */
+static void
+log_crypto_error(const char* str, unsigned long e)
+{
+	char buf[128];
+	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
+	ERR_error_string_n(e, buf, sizeof(buf));
+	/* buf now contains */
+	/* error:[error code]:[library name]:[function name]:[reason string] */
+	log_err("%s crypto %s", str, buf);
+}
+
+/**
+ * Setup DSA key digest in DER encoding ... 
+ * @param sig: input is signature output alloced ptr (unless failure).
+ * 	caller must free alloced ptr if this routine returns true.
+ * @param len: input is initial siglen, output is output len.
+ * @return false on failure.
+ */
+static int
+setup_dsa_sig(unsigned char** sig, unsigned int* len)
+{
+	unsigned char* orig = *sig;
+	unsigned int origlen = *len;
+	int newlen;
+	BIGNUM *R, *S;
+	DSA_SIG *dsasig;
+
+	/* extract the R and S field from the sig buffer */
+	if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
+		return 0;
+	R = BN_new();
+	if(!R) return 0;
+	(void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
+	S = BN_new();
+	if(!S) return 0;
+	(void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
+	dsasig = DSA_SIG_new();
+	if(!dsasig) return 0;
+
+	dsasig->r = R;
+	dsasig->s = S;
+	*sig = NULL;
+	newlen = i2d_DSA_SIG(dsasig, sig);
+	if(newlen < 0) {
+		DSA_SIG_free(dsasig);
+		free(*sig);
+		return 0;
+	}
+	*len = (unsigned int)newlen;
+	DSA_SIG_free(dsasig);
+	return 1;
+}
+
+#ifdef USE_ECDSA
+/**
+ * Setup the ECDSA signature in its encoding that the library wants.
+ * Converts from plain numbers to ASN formatted.
+ * @param sig: input is signature, output alloced ptr (unless failure).
+ * 	caller must free alloced ptr if this routine returns true.
+ * @param len: input is initial siglen, output is output len.
+ * @return false on failure.
+ */
+static int
+setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
+{
+	ECDSA_SIG* ecdsa_sig;
+	int newlen;
+	int bnsize = (int)((*len)/2);
+	/* if too short or not even length, fails */
+	if(*len < 16 || bnsize*2 != (int)*len)
+		return 0;
+	/* use the raw data to parse two evenly long BIGNUMs, "r | s". */
+	ecdsa_sig = ECDSA_SIG_new();
+	if(!ecdsa_sig) return 0;
+	ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
+	ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
+	if(!ecdsa_sig->r || !ecdsa_sig->s) {
+		ECDSA_SIG_free(ecdsa_sig);
+		return 0;
+	}
+
+	/* spool it into ASN format */
+	*sig = NULL;
+	newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
+	if(newlen <= 0) {
+		ECDSA_SIG_free(ecdsa_sig);
+		free(*sig);
+		return 0;
+	}
+	*len = (unsigned int)newlen;
+	ECDSA_SIG_free(ecdsa_sig);
+	return 1;
+}
+#endif /* USE_ECDSA */
+
+/**
+ * Setup key and digest for verification. Adjust sig if necessary.
+ *
+ * @param algo: key algorithm
+ * @param evp_key: EVP PKEY public key to create.
+ * @param digest_type: digest type to use
+ * @param key: key to setup for.
+ * @param keylen: length of key.
+ * @return false on failure.
+ */
+static int
+setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 
+	unsigned char* key, size_t keylen)
+{
+	DSA* dsa;
+	RSA* rsa;
+
+	switch(algo) {
+		case LDNS_DSA:
+		case LDNS_DSA_NSEC3:
+			*evp_key = EVP_PKEY_new();
+			if(!*evp_key) {
+				log_err("verify: malloc failure in crypto");
+				return 0;
+			}
+			dsa = ldns_key_buf2dsa_raw(key, keylen);
+			if(!dsa) {
+				verbose(VERB_QUERY, "verify: "
+					"ldns_key_buf2dsa_raw failed");
+				return 0;
+			}
+			if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
+				verbose(VERB_QUERY, "verify: "
+					"EVP_PKEY_assign_DSA failed");
+				return 0;
+			}
+			*digest_type = EVP_dss1();
+
+			break;
+		case LDNS_RSASHA1:
+		case LDNS_RSASHA1_NSEC3:
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+		case LDNS_RSASHA256:
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+		case LDNS_RSASHA512:
+#endif
+			*evp_key = EVP_PKEY_new();
+			if(!*evp_key) {
+				log_err("verify: malloc failure in crypto");
+				return 0;
+			}
+			rsa = ldns_key_buf2rsa_raw(key, keylen);
+			if(!rsa) {
+				verbose(VERB_QUERY, "verify: "
+					"ldns_key_buf2rsa_raw SHA failed");
+				return 0;
+			}
+			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
+				verbose(VERB_QUERY, "verify: "
+					"EVP_PKEY_assign_RSA SHA failed");
+				return 0;
+			}
+
+			/* select SHA version */
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+			if(algo == LDNS_RSASHA256)
+				*digest_type = EVP_sha256();
+			else
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+				if(algo == LDNS_RSASHA512)
+				*digest_type = EVP_sha512();
+			else
+#endif
+				*digest_type = EVP_sha1();
+
+			break;
+		case LDNS_RSAMD5:
+			*evp_key = EVP_PKEY_new();
+			if(!*evp_key) {
+				log_err("verify: malloc failure in crypto");
+				return 0;
+			}
+			rsa = ldns_key_buf2rsa_raw(key, keylen);
+			if(!rsa) {
+				verbose(VERB_QUERY, "verify: "
+					"ldns_key_buf2rsa_raw MD5 failed");
+				return 0;
+			}
+			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
+				verbose(VERB_QUERY, "verify: "
+					"EVP_PKEY_assign_RSA MD5 failed");
+				return 0;
+			}
+			*digest_type = EVP_md5();
+
+			break;
+#ifdef USE_GOST
+		case LDNS_ECC_GOST:
+			*evp_key = ldns_gost2pkey_raw(key, keylen);
+			if(!*evp_key) {
+				verbose(VERB_QUERY, "verify: "
+					"ldns_gost2pkey_raw failed");
+				return 0;
+			}
+			*digest_type = EVP_get_digestbyname("md_gost94");
+			if(!*digest_type) {
+				verbose(VERB_QUERY, "verify: "
+					"EVP_getdigest md_gost94 failed");
+				return 0;
+			}
+			break;
+#endif
+#ifdef USE_ECDSA
+		case LDNS_ECDSAP256SHA256:
+			*evp_key = ldns_ecdsa2pkey_raw(key, keylen,
+				LDNS_ECDSAP256SHA256);
+			if(!*evp_key) {
+				verbose(VERB_QUERY, "verify: "
+					"ldns_ecdsa2pkey_raw failed");
+				return 0;
+			}
+#ifdef USE_ECDSA_EVP_WORKAROUND
+			/* openssl before 1.0.0 fixes RSA with the SHA256
+			 * hash in EVP.  We create one for ecdsa_sha256 */
+			{
+				static int md_ecdsa_256_done = 0;
+				static EVP_MD md;
+				if(!md_ecdsa_256_done) {
+					EVP_MD m = *EVP_sha256();
+					md_ecdsa_256_done = 1;
+					m.required_pkey_type[0] = (*evp_key)->type;
+					m.verify = (void*)ECDSA_verify;
+					md = m;
+				}
+				*digest_type = &md;
+			}
+#else
+			*digest_type = EVP_sha256();
+#endif
+			break;
+		case LDNS_ECDSAP384SHA384:
+			*evp_key = ldns_ecdsa2pkey_raw(key, keylen,
+				LDNS_ECDSAP384SHA384);
+			if(!*evp_key) {
+				verbose(VERB_QUERY, "verify: "
+					"ldns_ecdsa2pkey_raw failed");
+				return 0;
+			}
+#ifdef USE_ECDSA_EVP_WORKAROUND
+			/* openssl before 1.0.0 fixes RSA with the SHA384
+			 * hash in EVP.  We create one for ecdsa_sha384 */
+			{
+				static int md_ecdsa_384_done = 0;
+				static EVP_MD md;
+				if(!md_ecdsa_384_done) {
+					EVP_MD m = *EVP_sha384();
+					md_ecdsa_384_done = 1;
+					m.required_pkey_type[0] = (*evp_key)->type;
+					m.verify = (void*)ECDSA_verify;
+					md = m;
+				}
+				*digest_type = &md;
+			}
+#else
+			*digest_type = EVP_sha384();
+#endif
+			break;
+#endif /* USE_ECDSA */
+		default:
+			verbose(VERB_QUERY, "verify: unknown algorithm %d", 
+				algo);
+			return 0;
+	}
+	return 1;
+}
+
+/**
+ * Check a canonical sig+rrset and signature against a dnskey
+ * @param buf: buffer with data to verify, the first rrsig part and the
+ *	canonicalized rrset.
+ * @param algo: DNSKEY algorithm.
+ * @param sigblock: signature rdata field from RRSIG
+ * @param sigblock_len: length of sigblock data.
+ * @param key: public key data from DNSKEY RR.
+ * @param keylen: length of keydata.
+ * @param reason: bogus reason in more detail.
+ * @return secure if verification succeeded, bogus on crypto failure,
+ *	unchecked on format errors and alloc failures.
+ */
+enum sec_status
+verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, 
+	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
+	char** reason)
+{
+	const EVP_MD *digest_type;
+	EVP_MD_CTX ctx;
+	int res, dofree = 0;
+	EVP_PKEY *evp_key = NULL;
+	
+	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
+		verbose(VERB_QUERY, "verify: failed to setup key");
+		*reason = "use of key for crypto failed";
+		EVP_PKEY_free(evp_key);
+		return sec_status_bogus;
+	}
+	/* if it is a DSA signature in bind format, convert to DER format */
+	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 
+		sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
+		if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
+			verbose(VERB_QUERY, "verify: failed to setup DSA sig");
+			*reason = "use of key for DSA crypto failed";
+			EVP_PKEY_free(evp_key);
+			return sec_status_bogus;
+		}
+		dofree = 1;
+	}
+#ifdef USE_ECDSA
+	else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
+		/* EVP uses ASN prefix on sig, which is not in the wire data */
+		if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
+			verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
+			*reason = "use of signature for ECDSA crypto failed";
+			EVP_PKEY_free(evp_key);
+			return sec_status_bogus;
+		}
+		dofree = 1;
+	}
+#endif /* USE_ECDSA */
+
+	/* do the signature cryptography work */
+	EVP_MD_CTX_init(&ctx);
+	if(EVP_VerifyInit(&ctx, digest_type) == 0) {
+		verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
+		EVP_PKEY_free(evp_key);
+		if(dofree) free(sigblock);
+		return sec_status_unchecked;
+	}
+	if(EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf), 
+		(unsigned int)ldns_buffer_limit(buf)) == 0) {
+		verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
+		EVP_PKEY_free(evp_key);
+		if(dofree) free(sigblock);
+		return sec_status_unchecked;
+	}
+
+	res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
+	if(EVP_MD_CTX_cleanup(&ctx) == 0) {
+		verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
+		EVP_PKEY_free(evp_key);
+		if(dofree) free(sigblock);
+		return sec_status_unchecked;
+	}
+	EVP_PKEY_free(evp_key);
+
+	if(dofree)
+		free(sigblock);
+
+	if(res == 1) {
+		return sec_status_secure;
+	} else if(res == 0) {
+		verbose(VERB_QUERY, "verify: signature mismatch");
+		*reason = "signature crypto failed";
+		return sec_status_bogus;
+	}
+
+	log_crypto_error("verify:", ERR_get_error());
+	return sec_status_unchecked;
+}
+
+/**************************************************/
+#elif defined(HAVE_NSS)
+/* libnss implementation */
+/* nss3 */
+#include "sechash.h"
+#include "pk11pub.h"
+#include "keyhi.h"
+#include "secerr.h"
+#include "cryptohi.h"
+/* nspr4 */
+#include "prerror.h"
+
+size_t
+ds_digest_size_supported(int algo)
+{
+	/* uses libNSS */
+	switch(algo) {
+		case LDNS_SHA1:
+			return SHA1_LENGTH;
+#ifdef USE_SHA2
+		case LDNS_SHA256:
+			return SHA256_LENGTH;
+#endif
+#ifdef USE_ECDSA
+		case LDNS_SHA384:
+			return SHA384_LENGTH;
+#endif
+		/* GOST not supported in NSS */
+		case LDNS_HASH_GOST:
+		default: break;
+	}
+	return 0;
+}
+
+int
+secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+	unsigned char* res)
+{
+	/* uses libNSS */
+	switch(algo) {
+		case LDNS_SHA1:
+			return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
+				== SECSuccess;
+#if defined(USE_SHA2)
+		case LDNS_SHA256:
+			return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
+				== SECSuccess;
+#endif
+#ifdef USE_ECDSA
+		case LDNS_SHA384:
+			return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
+				== SECSuccess;
+#endif
+		case LDNS_HASH_GOST:
+		default: 
+			verbose(VERB_QUERY, "unknown DS digest algorithm %d", 
+				algo);
+			break;
+	}
+	return 0;
+}
+
+int
+dnskey_algo_id_is_supported(int id)
+{
+	/* uses libNSS */
+	switch(id) {
+	case LDNS_RSAMD5:
+		/* RFC 6725 deprecates RSAMD5 */
+		return 0;
+	case LDNS_DSA:
+	case LDNS_DSA_NSEC3:
+	case LDNS_RSASHA1:
+	case LDNS_RSASHA1_NSEC3:
+#ifdef USE_SHA2
+	case LDNS_RSASHA256:
+#endif
+#ifdef USE_SHA2
+	case LDNS_RSASHA512:
+#endif
+		return 1;
+#ifdef USE_ECDSA
+	case LDNS_ECDSAP256SHA256:
+	case LDNS_ECDSAP384SHA384:
+		return PK11_TokenExists(CKM_ECDSA);
+#endif
+	case LDNS_ECC_GOST:
+	default:
+		return 0;
+	}
+}
+
+/* return a new public key for NSS */
+static SECKEYPublicKey* nss_key_create(KeyType ktype)
+{
+	SECKEYPublicKey* key;
+	PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if(!arena) {
+		log_err("out of memory, PORT_NewArena failed");
+		return NULL;
+	}
+	key = PORT_ArenaZNew(arena, SECKEYPublicKey);
+	if(!key) {
+		log_err("out of memory, PORT_ArenaZNew failed");
+		PORT_FreeArena(arena, PR_FALSE);
+		return NULL;
+	}
+	key->arena = arena;
+	key->keyType = ktype;
+	key->pkcs11Slot = NULL;
+	key->pkcs11ID = CK_INVALID_HANDLE;
+	return key;
+}
+
+static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
+{
+	SECKEYPublicKey* pk;
+	SECItem pub = {siBuffer, NULL, 0};
+	SECItem params = {siBuffer, NULL, 0};
+	unsigned char param256[] = {
+		/* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
+		 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
+		0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
+	};
+	unsigned char param384[] = {
+		/* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
+		 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
+		0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
+	};
+	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
+
+	/* check length, which uncompressed must be 2 bignums */
+	if(algo == LDNS_ECDSAP256SHA256) {
+		if(len != 2*256/8) return NULL;
+		/* ECCurve_X9_62_PRIME_256V1 */
+	} else if(algo == LDNS_ECDSAP384SHA384) {
+		if(len != 2*384/8) return NULL;
+		/* ECCurve_X9_62_PRIME_384R1 */
+	} else    return NULL;
+
+	buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
+	memmove(buf+1, key, len);
+	pub.data = buf;
+	pub.len = len+1;
+	if(algo == LDNS_ECDSAP256SHA256) {
+		params.data = param256;
+		params.len = sizeof(param256);
+	} else {
+		params.data = param384;
+		params.len = sizeof(param384);
+	}
+
+	pk = nss_key_create(ecKey);
+	if(!pk)
+		return NULL;
+	pk->u.ec.size = (len/2)*8;
+	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
+		SECKEY_DestroyPublicKey(pk);
+		return NULL;
+	}
+	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
+		SECKEY_DestroyPublicKey(pk);
+		return NULL;
+	}
+
+	return pk;
+}
+
+static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
+{
+	SECKEYPublicKey* pk;
+	uint8_t T;
+	uint16_t length;
+	uint16_t offset;
+	SECItem Q = {siBuffer, NULL, 0};
+	SECItem P = {siBuffer, NULL, 0};
+	SECItem G = {siBuffer, NULL, 0};
+	SECItem Y = {siBuffer, NULL, 0};
+
+	if(len == 0)
+		return NULL;
+	T = (uint8_t)key[0];
+	length = (64 + T * 8);
+	offset = 1;
+
+	if (T > 8) {
+		return NULL;
+	}
+	if(len < (size_t)1 + SHA1_LENGTH + 3*length)
+		return NULL;
+
+	Q.data = key+offset;
+	Q.len = SHA1_LENGTH;
+	offset += SHA1_LENGTH;
+
+	P.data = key+offset;
+	P.len = length;
+	offset += length;
+
+	G.data = key+offset;
+	G.len = length;
+	offset += length;
+
+	Y.data = key+offset;
+	Y.len = length;
+	offset += length;
+
+	pk = nss_key_create(dsaKey);
+	if(!pk)
+		return NULL;
+	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
+		SECKEY_DestroyPublicKey(pk);
+		return NULL;
+	}
+	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
+		SECKEY_DestroyPublicKey(pk);
+		return NULL;
+	}
+	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
+		SECKEY_DestroyPublicKey(pk);
+		return NULL;
+	}
+	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
+		SECKEY_DestroyPublicKey(pk);
+		return NULL;
+	}
+	return pk;
+}
+
+static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
+{
+	SECKEYPublicKey* pk;
+	uint16_t exp;
+	uint16_t offset;
+	uint16_t int16;
+	SECItem modulus = {siBuffer, NULL, 0};
+	SECItem exponent = {siBuffer, NULL, 0};
+	if(len == 0)
+		return NULL;
+	if(key[0] == 0) {
+		if(len < 3)
+			return NULL;
+		/* the exponent is too large so it's places further */
+		memmove(&int16, key+1, 2);
+		exp = ntohs(int16);
+		offset = 3;
+	} else {
+		exp = key[0];
+		offset = 1;
+	}
+
+	/* key length at least one */
+	if(len < (size_t)offset + exp + 1)
+		return NULL;
+	
+	exponent.data = key+offset;
+	exponent.len = exp;
+	offset += exp;
+	modulus.data = key+offset;
+	modulus.len = (len - offset);
+
+	pk = nss_key_create(rsaKey);
+	if(!pk)
+		return NULL;
+	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
+		SECKEY_DestroyPublicKey(pk);
+		return NULL;
+	}
+	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
+		SECKEY_DestroyPublicKey(pk);
+		return NULL;
+	}
+	return pk;
+}
+
+/**
+ * Setup key and digest for verification. Adjust sig if necessary.
+ *
+ * @param algo: key algorithm
+ * @param evp_key: EVP PKEY public key to create.
+ * @param digest_type: digest type to use
+ * @param key: key to setup for.
+ * @param keylen: length of key.
+ * @param prefix: if returned, the ASN prefix for the hashblob.
+ * @param prefixlen: length of the prefix.
+ * @return false on failure.
+ */
+static int
+nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
+	unsigned char* key, size_t keylen, unsigned char** prefix,
+	size_t* prefixlen)
+{
+	/* uses libNSS */
+
+	/* hash prefix for md5, RFC2537 */
+	unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
+	0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
+	/* hash prefix to prepend to hash output, from RFC3110 */
+	unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
+		0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
+	/* from RFC5702 */
+	unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
+	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
+	unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
+	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
+	/* from RFC6234 */
+	/* for future RSASHA384 .. 
+	unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
+	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
+	*/
+
+	switch(algo) {
+		case LDNS_DSA:
+		case LDNS_DSA_NSEC3:
+			*pubkey = nss_buf2dsa(key, keylen);
+			if(!*pubkey) {
+				log_err("verify: malloc failure in crypto");
+				return 0;
+			}
+			*htype = HASH_AlgSHA1;
+			/* no prefix for DSA verification */
+			break;
+		case LDNS_RSASHA1:
+		case LDNS_RSASHA1_NSEC3:
+#ifdef USE_SHA2
+		case LDNS_RSASHA256:
+#endif
+#ifdef USE_SHA2
+		case LDNS_RSASHA512:
+#endif
+			*pubkey = nss_buf2rsa(key, keylen);
+			if(!*pubkey) {
+				log_err("verify: malloc failure in crypto");
+				return 0;
+			}
+			/* select SHA version */
+#ifdef USE_SHA2
+			if(algo == LDNS_RSASHA256) {
+				*htype = HASH_AlgSHA256;
+				*prefix = p_sha256;
+				*prefixlen = sizeof(p_sha256);
+			} else
+#endif
+#ifdef USE_SHA2
+				if(algo == LDNS_RSASHA512) {
+				*htype = HASH_AlgSHA512;
+				*prefix = p_sha512;
+				*prefixlen = sizeof(p_sha512);
+			} else
+#endif
+			{
+				*htype = HASH_AlgSHA1;
+				*prefix = p_sha1;
+				*prefixlen = sizeof(p_sha1);
+			}
+
+			break;
+		case LDNS_RSAMD5:
+			*pubkey = nss_buf2rsa(key, keylen);
+			if(!*pubkey) {
+				log_err("verify: malloc failure in crypto");
+				return 0;
+			}
+			*htype = HASH_AlgMD5;
+			*prefix = p_md5;
+			*prefixlen = sizeof(p_md5);
+
+			break;
+#ifdef USE_ECDSA
+		case LDNS_ECDSAP256SHA256:
+			*pubkey = nss_buf2ecdsa(key, keylen,
+				LDNS_ECDSAP256SHA256);
+			if(!*pubkey) {
+				log_err("verify: malloc failure in crypto");
+				return 0;
+			}
+			*htype = HASH_AlgSHA256;
+			/* no prefix for DSA verification */
+			break;
+		case LDNS_ECDSAP384SHA384:
+			*pubkey = nss_buf2ecdsa(key, keylen,
+				LDNS_ECDSAP384SHA384);
+			if(!*pubkey) {
+				log_err("verify: malloc failure in crypto");
+				return 0;
+			}
+			*htype = HASH_AlgSHA384;
+			/* no prefix for DSA verification */
+			break;
+#endif /* USE_ECDSA */
+		case LDNS_ECC_GOST:
+		default:
+			verbose(VERB_QUERY, "verify: unknown algorithm %d", 
+				algo);
+			return 0;
+	}
+	return 1;
+}
+
+/**
+ * Check a canonical sig+rrset and signature against a dnskey
+ * @param buf: buffer with data to verify, the first rrsig part and the
+ *	canonicalized rrset.
+ * @param algo: DNSKEY algorithm.
+ * @param sigblock: signature rdata field from RRSIG
+ * @param sigblock_len: length of sigblock data.
+ * @param key: public key data from DNSKEY RR.
+ * @param keylen: length of keydata.
+ * @param reason: bogus reason in more detail.
+ * @return secure if verification succeeded, bogus on crypto failure,
+ *	unchecked on format errors and alloc failures.
+ */
+enum sec_status
+verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, 
+	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
+	char** reason)
+{
+	/* uses libNSS */
+	/* large enough for the different hashes */
+	unsigned char hash[HASH_LENGTH_MAX];
+	unsigned char hash2[HASH_LENGTH_MAX*2];
+	HASH_HashType htype = 0;
+	SECKEYPublicKey* pubkey = NULL;
+	SECItem secsig = {siBuffer, sigblock, sigblock_len};
+	SECItem sechash = {siBuffer, hash, 0};
+	SECStatus res;
+	unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
+	size_t prefixlen = 0;
+	int err;
+
+	if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
+		&prefix, &prefixlen)) {
+		verbose(VERB_QUERY, "verify: failed to setup key");
+		*reason = "use of key for crypto failed";
+		SECKEY_DestroyPublicKey(pubkey);
+		return sec_status_bogus;
+	}
+
+	/* need to convert DSA, ECDSA signatures? */
+	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
+		if(sigblock_len == 1+2*SHA1_LENGTH) {
+			secsig.data ++;
+			secsig.len --;
+		} else {
+			SECItem* p = DSAU_DecodeDerSig(&secsig);
+			if(!p) {
+				verbose(VERB_QUERY, "verify: failed DER decode");
+				*reason = "signature DER decode failed";
+				SECKEY_DestroyPublicKey(pubkey);
+				return sec_status_bogus;
+			}
+			if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
+				log_err("alloc failure in DER decode");
+				SECKEY_DestroyPublicKey(pubkey);
+				SECITEM_FreeItem(p, PR_TRUE);
+				return sec_status_unchecked;
+			}
+			SECITEM_FreeItem(p, PR_TRUE);
+		}
+	}
+
+	/* do the signature cryptography work */
+	/* hash the data */
+	sechash.len = HASH_ResultLen(htype);
+	if(sechash.len > sizeof(hash)) {
+		verbose(VERB_QUERY, "verify: hash too large for buffer");
+		SECKEY_DestroyPublicKey(pubkey);
+		return sec_status_unchecked;
+	}
+	if(HASH_HashBuf(htype, hash, (unsigned char*)ldns_buffer_begin(buf),
+		(unsigned int)ldns_buffer_limit(buf)) != SECSuccess) {
+		verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
+		SECKEY_DestroyPublicKey(pubkey);
+		return sec_status_unchecked;
+	}
+	if(prefix) {
+		int hashlen = sechash.len;
+		if(prefixlen+hashlen > sizeof(hash2)) {
+			verbose(VERB_QUERY, "verify: hashprefix too large");
+			SECKEY_DestroyPublicKey(pubkey);
+			return sec_status_unchecked;
+		}
+		sechash.data = hash2;
+		sechash.len = prefixlen+hashlen;
+		memcpy(sechash.data, prefix, prefixlen);
+		memmove(sechash.data+prefixlen, hash, hashlen);
+	}
+
+	/* verify the signature */
+	res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
+	SECKEY_DestroyPublicKey(pubkey);
+
+	if(res == SECSuccess) {
+		return sec_status_secure;
+	}
+	err = PORT_GetError();
+	if(err != SEC_ERROR_BAD_SIGNATURE) {
+		/* failed to verify */
+		verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
+			PORT_ErrorToString(err));
+		/* if it is not supported, like ECC is removed, we get,
+		 * SEC_ERROR_NO_MODULE */
+		if(err == SEC_ERROR_NO_MODULE)
+			return sec_status_unchecked;
+		/* but other errors are commonly returned
+		 * for a bad signature from NSS.  Thus we return bogus,
+		 * not unchecked */
+		*reason = "signature crypto failed";
+		return sec_status_bogus;
+	}
+	verbose(VERB_QUERY, "verify: signature mismatch: %s",
+		PORT_ErrorToString(err));
+	*reason = "signature crypto failed";
+	return sec_status_bogus;
+}
+
+
+#endif /* HAVE_SSL or HAVE_NSS */
diff --git a/validator/val_secalgo.h b/validator/val_secalgo.h
new file mode 100644
index 000000000000..a5832af871e8
--- /dev/null
+++ b/validator/val_secalgo.h
@@ -0,0 +1,83 @@
+/*
+ * validator/val_secalgo.h - validator security algorithm functions.
+ *
+ * Copyright (c) 2012, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains helper functions for the validator module.
+ * The functions take buffers with raw data and convert to library calls.
+ */
+
+#ifndef VALIDATOR_VAL_SECALGO_H
+#define VALIDATOR_VAL_SECALGO_H
+
+/**
+ * Return size of DS digest according to its hash algorithm.
+ * @param algo: DS digest algo.
+ * @return size in bytes of digest, or 0 if not supported. 
+ */
+size_t ds_digest_size_supported(int algo);
+
+/**
+ * @param algo: the DS digest algo
+ * @param buf: the buffer to digest
+ * @param len: length of buffer to digest.
+ * @param res: result stored here (must have sufficient space).
+ * @return false on failure.
+ */
+int secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+	unsigned char* res);
+
+/** return true if DNSKEY algorithm id is supported */
+int dnskey_algo_id_is_supported(int id);
+
+/**
+ * Check a canonical sig+rrset and signature against a dnskey
+ * @param buf: buffer with data to verify, the first rrsig part and the
+ *	canonicalized rrset.
+ * @param algo: DNSKEY algorithm.
+ * @param sigblock: signature rdata field from RRSIG
+ * @param sigblock_len: length of sigblock data.
+ * @param key: public key data from DNSKEY RR.
+ * @param keylen: length of keydata.
+ * @param reason: bogus reason in more detail.
+ * @return secure if verification succeeded, bogus on crypto failure,
+ *	unchecked on format errors and alloc failures.
+ */
+enum sec_status verify_canonrrset(ldns_buffer* buf, int algo,
+	unsigned char* sigblock, unsigned int sigblock_len,
+	unsigned char* key, unsigned int keylen, char** reason);
+
+#endif /* VALIDATOR_VAL_SECALGO_H */
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 4c79c004d02c..79d5e45a2379 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -43,6 +43,7 @@
 #include "config.h"
 #include <ldns/ldns.h>
 #include "validator/val_sigcrypt.h"
+#include "validator/val_secalgo.h"
 #include "validator/validator.h"
 #include "util/data/msgreply.h"
 #include "util/data/msgparse.h"
@@ -52,8 +53,8 @@
 #include "util/net_help.h"
 #include "util/regional.h"
 
-#ifndef HAVE_SSL
-#error "Need SSL library to do digital signature cryptography"
+#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
+#error "Need crypto library to do digital signature cryptography"
 #endif
 
 #ifdef HAVE_OPENSSL_ERR_H
@@ -265,42 +266,9 @@ ds_get_sigdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** digest,
 static size_t
 ds_digest_size_algo(struct ub_packed_rrset_key* k, size_t idx)
 {
-	switch(ds_get_digest_algo(k, idx)) {
-#ifdef HAVE_EVP_SHA1
-		case LDNS_SHA1:
-			return SHA_DIGEST_LENGTH;
-#endif
-#ifdef HAVE_EVP_SHA256
-		case LDNS_SHA256:
-			return SHA256_DIGEST_LENGTH;
-#endif
-#ifdef USE_GOST
-		case LDNS_HASH_GOST:
-			if(EVP_get_digestbyname("md_gost94"))
-				return 32;
-			else	return 0;
-#endif
-#ifdef USE_ECDSA
-		case LDNS_SHA384:
-			return SHA384_DIGEST_LENGTH;
-#endif
-		default: break;
-	}
-	return 0;
+	return ds_digest_size_supported(ds_get_digest_algo(k, idx));
 }
 
-#ifdef USE_GOST
-/** Perform GOST hash */
-static int
-do_gost94(unsigned char* data, size_t len, unsigned char* dest)
-{
-	const EVP_MD* md = EVP_get_digestbyname("md_gost94");
-	if(!md) 
-		return 0;
-	return ldns_digest_evp(data, (unsigned int)len, dest, md);
-}
-#endif
-
 /**
  * Create a DS digest for a DNSKEY entry.
  *
@@ -333,37 +301,9 @@ ds_create_dnskey_digest(struct module_env* env,
 	ldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/
 	ldns_buffer_flip(b);
 	
-	switch(ds_get_digest_algo(ds_rrset, ds_idx)) {
-#ifdef HAVE_EVP_SHA1
-		case LDNS_SHA1:
-			(void)SHA1((unsigned char*)ldns_buffer_begin(b),
-				ldns_buffer_limit(b), (unsigned char*)digest);
-			return 1;
-#endif
-#ifdef HAVE_EVP_SHA256
-		case LDNS_SHA256:
-			(void)SHA256((unsigned char*)ldns_buffer_begin(b),
-				ldns_buffer_limit(b), (unsigned char*)digest);
-			return 1;
-#endif
-#ifdef USE_GOST
-		case LDNS_HASH_GOST:
-			if(do_gost94((unsigned char*)ldns_buffer_begin(b), 
-				ldns_buffer_limit(b), (unsigned char*)digest))
-				return 1;
-#endif
-#ifdef USE_ECDSA
-		case LDNS_SHA384:
-			(void)SHA384((unsigned char*)ldns_buffer_begin(b),
-				ldns_buffer_limit(b), (unsigned char*)digest);
-			return 1;
-#endif
-		default: 
-			verbose(VERB_QUERY, "unknown DS digest algorithm %d", 
-				(int) ds_get_digest_algo(ds_rrset, ds_idx));
-			break;
-	}
-	return 0;
+	return secalgo_ds_digest(ds_get_digest_algo(ds_rrset, ds_idx),
+		(unsigned char*)ldns_buffer_begin(b), ldns_buffer_limit(b),
+		(unsigned char*)digest);
 }
 
 int ds_digest_match_dnskey(struct module_env* env,
@@ -412,37 +352,6 @@ ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
 	return (ds_digest_size_algo(ds_rrset, ds_idx) != 0);
 }
 
-/** return true if DNSKEY algorithm id is supported */
-static int
-dnskey_algo_id_is_supported(int id)
-{
-	switch(id) {
-	case LDNS_DSA:
-	case LDNS_DSA_NSEC3:
-	case LDNS_RSASHA1:
-	case LDNS_RSASHA1_NSEC3:
-	case LDNS_RSAMD5:
-#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
-	case LDNS_RSASHA256:
-#endif
-#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
-	case LDNS_RSASHA512:
-#endif
-#ifdef USE_ECDSA
-	case LDNS_ECDSAP256SHA256:
-	case LDNS_ECDSAP384SHA384:
-#endif
-		return 1;
-#ifdef USE_GOST
-	case LDNS_ECC_GOST:
-		/* we support GOST if it can be loaded */
-		return ldns_key_EVP_load_gost_id();
-#endif
-	default:
-		return 0;
-	}
-}
-
 int 
 ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, 
 	size_t ds_idx)
@@ -606,10 +515,14 @@ dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
 				(uint8_t)rrset_get_sig_algo(rrset, i));
 		}
 	}
-	verbose(VERB_ALGO, "rrset failed to verify: no valid signatures for "
-		"%d algorithms", (int)algo_needs_num_missing(&needs));
 	if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
+		verbose(VERB_ALGO, "rrset failed to verify: "
+			"no valid signatures for %d algorithms",
+			(int)algo_needs_num_missing(&needs));
 		algo_needs_reason(env, alg, reason, "no signatures");
+	} else {
+		verbose(VERB_ALGO, "rrset failed to verify: "
+			"no valid signatures");
 	}
 	return sec_status_bogus;
 }
@@ -1314,378 +1227,6 @@ adjust_ttl(struct val_env* ve, uint32_t unow,
 	}
 }
 
-
-/**
- * Output a libcrypto openssl error to the logfile.
- * @param str: string to add to it.
- * @param e: the error to output, error number from ERR_get_error().
- */
-static void
-log_crypto_error(const char* str, unsigned long e)
-{
-	char buf[128];
-	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
-	ERR_error_string_n(e, buf, sizeof(buf));
-	/* buf now contains */
-	/* error:[error code]:[library name]:[function name]:[reason string] */
-	log_err("%s crypto %s", str, buf);
-}
-
-/**
- * Setup DSA key digest in DER encoding ... 
- * @param sig: input is signature output alloced ptr (unless failure).
- * 	caller must free alloced ptr if this routine returns true.
- * @param len: input is initial siglen, output is output len.
- * @return false on failure.
- */
-static int
-setup_dsa_sig(unsigned char** sig, unsigned int* len)
-{
-	unsigned char* orig = *sig;
-	unsigned int origlen = *len;
-	int newlen;
-	BIGNUM *R, *S;
-	DSA_SIG *dsasig;
-
-	/* extract the R and S field from the sig buffer */
-	if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
-		return 0;
-	R = BN_new();
-	if(!R) return 0;
-	(void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
-	S = BN_new();
-	if(!S) return 0;
-	(void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
-	dsasig = DSA_SIG_new();
-	if(!dsasig) return 0;
-
-	dsasig->r = R;
-	dsasig->s = S;
-	*sig = NULL;
-	newlen = i2d_DSA_SIG(dsasig, sig);
-	if(newlen < 0) {
-		DSA_SIG_free(dsasig);
-		free(*sig);
-		return 0;
-	}
-	*len = (unsigned int)newlen;
-	DSA_SIG_free(dsasig);
-	return 1;
-}
-
-#ifdef USE_ECDSA
-/**
- * Setup the ECDSA signature in its encoding that the library wants.
- * Converts from plain numbers to ASN formatted.
- * @param sig: input is signature, output alloced ptr (unless failure).
- * 	caller must free alloced ptr if this routine returns true.
- * @param len: input is initial siglen, output is output len.
- * @return false on failure.
- */
-static int
-setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
-{
-	ECDSA_SIG* ecdsa_sig;
-	int newlen;
-	int bnsize = (int)((*len)/2);
-	/* if too short or not even length, fails */
-	if(*len < 16 || bnsize*2 != (int)*len)
-		return 0;
-	/* use the raw data to parse two evenly long BIGNUMs, "r | s". */
-	ecdsa_sig = ECDSA_SIG_new();
-	if(!ecdsa_sig) return 0;
-	ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
-	ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
-	if(!ecdsa_sig->r || !ecdsa_sig->s) {
-		ECDSA_SIG_free(ecdsa_sig);
-		return 0;
-	}
-
-	/* spool it into ASN format */
-	*sig = NULL;
-	newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
-	if(newlen <= 0) {
-		ECDSA_SIG_free(ecdsa_sig);
-		free(*sig);
-		return 0;
-	}
-	*len = (unsigned int)newlen;
-	ECDSA_SIG_free(ecdsa_sig);
-	return 1;
-}
-#endif /* USE_ECDSA */
-
-/**
- * Setup key and digest for verification. Adjust sig if necessary.
- *
- * @param algo: key algorithm
- * @param evp_key: EVP PKEY public key to create.
- * @param digest_type: digest type to use
- * @param key: key to setup for.
- * @param keylen: length of key.
- * @return false on failure.
- */
-static int
-setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 
-	unsigned char* key, size_t keylen)
-{
-	DSA* dsa;
-	RSA* rsa;
-
-	switch(algo) {
-		case LDNS_DSA:
-		case LDNS_DSA_NSEC3:
-			*evp_key = EVP_PKEY_new();
-			if(!*evp_key) {
-				log_err("verify: malloc failure in crypto");
-				return sec_status_unchecked;
-			}
-			dsa = ldns_key_buf2dsa_raw(key, keylen);
-			if(!dsa) {
-				verbose(VERB_QUERY, "verify: "
-					"ldns_key_buf2dsa_raw failed");
-				return 0;
-			}
-			if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
-				verbose(VERB_QUERY, "verify: "
-					"EVP_PKEY_assign_DSA failed");
-				return 0;
-			}
-			*digest_type = EVP_dss1();
-
-			break;
-		case LDNS_RSASHA1:
-		case LDNS_RSASHA1_NSEC3:
-#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
-		case LDNS_RSASHA256:
-#endif
-#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
-		case LDNS_RSASHA512:
-#endif
-			*evp_key = EVP_PKEY_new();
-			if(!*evp_key) {
-				log_err("verify: malloc failure in crypto");
-				return sec_status_unchecked;
-			}
-			rsa = ldns_key_buf2rsa_raw(key, keylen);
-			if(!rsa) {
-				verbose(VERB_QUERY, "verify: "
-					"ldns_key_buf2rsa_raw SHA failed");
-				return 0;
-			}
-			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
-				verbose(VERB_QUERY, "verify: "
-					"EVP_PKEY_assign_RSA SHA failed");
-				return 0;
-			}
-
-			/* select SHA version */
-#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
-			if(algo == LDNS_RSASHA256)
-				*digest_type = EVP_sha256();
-			else
-#endif
-#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
-				if(algo == LDNS_RSASHA512)
-				*digest_type = EVP_sha512();
-			else
-#endif
-				*digest_type = EVP_sha1();
-
-			break;
-		case LDNS_RSAMD5:
-			*evp_key = EVP_PKEY_new();
-			if(!*evp_key) {
-				log_err("verify: malloc failure in crypto");
-				return sec_status_unchecked;
-			}
-			rsa = ldns_key_buf2rsa_raw(key, keylen);
-			if(!rsa) {
-				verbose(VERB_QUERY, "verify: "
-					"ldns_key_buf2rsa_raw MD5 failed");
-				return 0;
-			}
-			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
-				verbose(VERB_QUERY, "verify: "
-					"EVP_PKEY_assign_RSA MD5 failed");
-				return 0;
-			}
-			*digest_type = EVP_md5();
-
-			break;
-#ifdef USE_GOST
-		case LDNS_ECC_GOST:
-			*evp_key = ldns_gost2pkey_raw(key, keylen);
-			if(!*evp_key) {
-				verbose(VERB_QUERY, "verify: "
-					"ldns_gost2pkey_raw failed");
-				return 0;
-			}
-			*digest_type = EVP_get_digestbyname("md_gost94");
-			if(!*digest_type) {
-				verbose(VERB_QUERY, "verify: "
-					"EVP_getdigest md_gost94 failed");
-				return 0;
-			}
-			break;
-#endif
-#ifdef USE_ECDSA
-		case LDNS_ECDSAP256SHA256:
-			*evp_key = ldns_ecdsa2pkey_raw(key, keylen,
-				LDNS_ECDSAP256SHA256);
-			if(!*evp_key) {
-				verbose(VERB_QUERY, "verify: "
-					"ldns_ecdsa2pkey_raw failed");
-				return 0;
-			}
-#ifdef USE_ECDSA_EVP_WORKAROUND
-			/* openssl before 1.0.0 fixes RSA with the SHA256
-			 * hash in EVP.  We create one for ecdsa_sha256 */
-			{
-				static int md_ecdsa_256_done = 0;
-				static EVP_MD md;
-				if(!md_ecdsa_256_done) {
-					EVP_MD m = *EVP_sha256();
-					md_ecdsa_256_done = 1;
-					m.required_pkey_type[0] = (*evp_key)->type;
-					m.verify = (void*)ECDSA_verify;
-					md = m;
-				}
-				*digest_type = &md;
-			}
-#else
-			*digest_type = EVP_sha256();
-#endif
-			break;
-		case LDNS_ECDSAP384SHA384:
-			*evp_key = ldns_ecdsa2pkey_raw(key, keylen,
-				LDNS_ECDSAP384SHA384);
-			if(!*evp_key) {
-				verbose(VERB_QUERY, "verify: "
-					"ldns_ecdsa2pkey_raw failed");
-				return 0;
-			}
-#ifdef USE_ECDSA_EVP_WORKAROUND
-			/* openssl before 1.0.0 fixes RSA with the SHA384
-			 * hash in EVP.  We create one for ecdsa_sha384 */
-			{
-				static int md_ecdsa_384_done = 0;
-				static EVP_MD md;
-				if(!md_ecdsa_384_done) {
-					EVP_MD m = *EVP_sha384();
-					md_ecdsa_384_done = 1;
-					m.required_pkey_type[0] = (*evp_key)->type;
-					m.verify = (void*)ECDSA_verify;
-					md = m;
-				}
-				*digest_type = &md;
-			}
-#else
-			*digest_type = EVP_sha384();
-#endif
-			break;
-#endif /* USE_ECDSA */
-		default:
-			verbose(VERB_QUERY, "verify: unknown algorithm %d", 
-				algo);
-			return 0;
-	}
-	return 1;
-}
-
-/**
- * Check a canonical sig+rrset and signature against a dnskey
- * @param buf: buffer with data to verify, the first rrsig part and the
- *	canonicalized rrset.
- * @param algo: DNSKEY algorithm.
- * @param sigblock: signature rdata field from RRSIG
- * @param sigblock_len: length of sigblock data.
- * @param key: public key data from DNSKEY RR.
- * @param keylen: length of keydata.
- * @param reason: bogus reason in more detail.
- * @return secure if verification succeeded, bogus on crypto failure,
- *	unchecked on format errors and alloc failures.
- */
-static enum sec_status
-verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, 
-	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
-	char** reason)
-{
-	const EVP_MD *digest_type;
-	EVP_MD_CTX ctx;
-	int res, dofree = 0;
-	EVP_PKEY *evp_key = NULL;
-	
-	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
-		verbose(VERB_QUERY, "verify: failed to setup key");
-		*reason = "use of key for crypto failed";
-		EVP_PKEY_free(evp_key);
-		return sec_status_bogus;
-	}
-	/* if it is a DSA signature in bind format, convert to DER format */
-	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 
-		sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
-		if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
-			verbose(VERB_QUERY, "verify: failed to setup DSA sig");
-			*reason = "use of key for DSA crypto failed";
-			EVP_PKEY_free(evp_key);
-			return sec_status_bogus;
-		}
-		dofree = 1;
-	}
-#ifdef USE_ECDSA
-	else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
-		/* EVP uses ASN prefix on sig, which is not in the wire data */
-		if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
-			verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
-			*reason = "use of signature for ECDSA crypto failed";
-			EVP_PKEY_free(evp_key);
-			return sec_status_bogus;
-		}
-		dofree = 1;
-	}
-#endif /* USE_ECDSA */
-
-	/* do the signature cryptography work */
-	EVP_MD_CTX_init(&ctx);
-	if(EVP_VerifyInit(&ctx, digest_type) == 0) {
-		verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
-		EVP_PKEY_free(evp_key);
-		if(dofree) free(sigblock);
-		return sec_status_unchecked;
-	}
-	if(EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf), 
-		(unsigned int)ldns_buffer_limit(buf)) == 0) {
-		verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
-		EVP_PKEY_free(evp_key);
-		if(dofree) free(sigblock);
-		return sec_status_unchecked;
-	}
-
-	res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
-	if(EVP_MD_CTX_cleanup(&ctx) == 0) {
-		verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
-		EVP_PKEY_free(evp_key);
-		if(dofree) free(sigblock);
-		return sec_status_unchecked;
-	}
-	EVP_PKEY_free(evp_key);
-
-	if(dofree)
-		free(sigblock);
-
-	if(res == 1) {
-		return sec_status_secure;
-	} else if(res == 0) {
-		verbose(VERB_QUERY, "verify: signature mismatch");
-		*reason = "signature crypto failed";
-		return sec_status_bogus;
-	}
-
-	log_crypto_error("verify:", ERR_get_error());
-	return sec_status_unchecked;
-}
-
 enum sec_status 
 dnskey_verify_rrset_sig(struct regional* region, ldns_buffer* buf, 
 	struct val_env* ve, uint32_t now,
diff --git a/validator/val_utils.c b/validator/val_utils.c
index b0475d8031c4..d4a64464d808 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -54,7 +54,6 @@
 #include "util/net_help.h"
 #include "util/module.h"
 #include "util/regional.h"
-#include "util/config_file.h"
 
 enum val_classification 
 val_classify_response(uint16_t query_flags, struct query_info* origqinf,
diff --git a/validator/validator.c b/validator/validator.c
index af1d344a6912..10b0a243cdf0 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -1023,6 +1023,13 @@ validate_cname_response(struct module_env* env, struct val_env* ve,
 			chase_reply->security = sec_status_bogus;
 			return;
 		}
+
+		/* If we have found a CNAME, stop looking for one.
+		 * The iterator has placed the CNAME chain in correct
+		 * order. */
+		if (ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) {
+			break;
+		}
 	}
 
 	/* AUTHORITY section */
@@ -1881,7 +1888,8 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
 	/* store overall validation result in orig_msg */
 	if(vq->rrset_skip == 0)
 		vq->orig_msg->rep->security = vq->chase_reply->security;
-	else if(vq->rrset_skip < vq->orig_msg->rep->an_numrrsets + 
+	else if(subtype != VAL_CLASS_REFERRAL ||
+		vq->rrset_skip < vq->orig_msg->rep->an_numrrsets + 
 		vq->orig_msg->rep->ns_numrrsets) {
 		/* ignore sec status of additional section if a referral 
 		 * type message skips there and
diff --git a/validator/validator.h b/validator/validator.h
index 18e905efcd2b..1a29c161b9f2 100644
--- a/validator/validator.h
+++ b/validator/validator.h
@@ -56,13 +56,13 @@ struct config_strlist;
  * will be primed no more often than this interval.  Used when harden-
  * dnssec-stripped is off and the trust anchor fails.
  */
-#define NULL_KEY_TTL	900 /* seconds */
+#define NULL_KEY_TTL	60 /* seconds */
 
 /**
  * TTL for bogus key entries.  When a DS or DNSKEY fails in the chain of
  * trust the entire zone for that name is blacked out for this TTL.
  */
-#define BOGUS_KEY_TTL	900 /* seconds */
+#define BOGUS_KEY_TTL	60 /* seconds */
 
 /** max number of query restarts, number of IPs to probe */
 #define VAL_MAX_RESTART_COUNT 5
diff --git a/winrc/setup.nsi b/winrc/setup.nsi
index 3d324f3f3c6f..99e34f2e2c92 100644
--- a/winrc/setup.nsi
+++ b/winrc/setup.nsi
@@ -82,7 +82,7 @@ section /o "DLV - dlv.isc.org" SectionDLV
 	SetOutPath $INSTDIR
 
 	# libgcc exception lib used by NSISdl plugin (in crosscompile).
-	File /nonfatal "/oname=$PLUGINSDIR\libgcc_s_sjlj-1.dll" "/usr/i686-pc-mingw32/sys-root/mingw/bin/libgcc_s_sjlj-1.dll"
+	File /nonfatal "/oname=$PLUGINSDIR\libgcc_s_sjlj-1.dll" "/usr/i686-w64-mingw32/sys-root/mingw/bin/libgcc_s_sjlj-1.dll"
 
 	NSISdl::download "http://ftp.isc.org/www/dlv/dlv.isc.org.key" "$INSTDIR\dlv.isc.org.key"
 	Pop $R0 # result from Inetc::get
diff --git a/winrc/win_svc.c b/winrc/win_svc.c
index 7ac8b2611130..cafda7bca409 100644
--- a/winrc/win_svc.c
+++ b/winrc/win_svc.c
@@ -380,6 +380,9 @@ service_deinit(struct daemon* daemon, struct config_file* cfg)
 	daemon_delete(daemon);
 }
 
+#ifdef DOXYGEN
+#define ATTR_UNUSED(x) x
+#endif
 /**
  * The main function for the service.
  * Called by the services API when starting unbound on windows in background.