Upgrade Unbound to 1.6.4. More to follow.

svn path=/head/; revision=333561

contrib/unbound/Makefile.in

@@ -100,6 +100,9 @@ PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
 SUBNET_SRC=edns-subnet/edns-subnet.c edns-subnet/subnetmod.c edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c
 SUBNET_OBJ=@SUBNET_OBJ@
 SUBNET_HEADER=@SUBNET_HEADER@
+IPSECMOD_SRC=ipsecmod/ipsecmod.c ipsecmod/ipsecmod-whitelist.c
+IPSECMOD_OBJ=@IPSECMOD_OBJ@
+IPSECMOD_HEADER=@IPSECMOD_HEADER@
 COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
 util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
 util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
@@ -109,7 +112,7 @@ iterator/iter_scrub.c iterator/iter_utils.c services/listen_dnsport.c \
 services/localzone.c services/mesh.c services/modstack.c services/view.c \
 services/outbound_list.c services/outside_network.c util/alloc.c \
 util/config_file.c util/configlexer.c util/configparser.c \
-util/shm_side/shm_main.c \
+util/shm_side/shm_main.c services/authzone.c\
 util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
 util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
 util/rtt.c util/storage/dnstree.c util/storage/lookup3.c \
@@ -122,7 +125,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
 edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
 edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
 cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
-$(DNSTAP_SRC) $(DNSCRYPT_SRC)
+$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
 as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@@ -132,8 +135,9 @@ fptr_wlist.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
 random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
-val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
-$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ)
+val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo authzone.lo\
+$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
+$(IPSECMOD_OBJ)
 COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
 COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
 outside_network.lo
@@ -159,10 +163,10 @@ UNITTEST_SRC=testcode/unitanchor.c testcode/unitdname.c \
 testcode/unitlruhash.c testcode/unitmain.c testcode/unitmsgparse.c \
 testcode/unitneg.c testcode/unitregional.c testcode/unitslabhash.c \
 testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c \
-testcode/unitecs.c
+testcode/unitecs.c testcode/unitauth.c
 UNITTEST_OBJ=unitanchor.lo unitdname.lo unitlruhash.lo unitmain.lo \
 unitmsgparse.lo unitneg.lo unitregional.lo unitslabhash.lo unitverify.lo \
-readhex.lo testpkts.lo unitldns.lo unitecs.lo
+readhex.lo testpkts.lo unitldns.lo unitecs.lo unitauth.lo
 UNITTEST_OBJ_LINK=$(UNITTEST_OBJ) worker_cb.lo $(COMMON_OBJ) $(SLDNS_OBJ) \
 $(COMPAT_OBJ)
 DAEMON_SRC=daemon/acl_list.c daemon/cachedump.c daemon/daemon.c \
@@ -605,6 +609,7 @@ depend:
 			-e 's?$$(srcdir)/dnscrypt/dnscrypt_config.h??g' \
 			-e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \
 			-e 's?$$(srcdir)/edns-subnet/subnetmod.h $$(srcdir)/edns-subnet/subnet-whitelist.h $$(srcdir)/edns-subnet/edns-subnet.h $$(srcdir)/edns-subnet/addrtree.h?$$(SUBNET_HEADER)?g' \
+			-e 's?$$(srcdir)/ipsecmod/ipsecmod.h $$(srcdir)/ipsecmod/ipsecmod-whitelist.h?$$(IPSECMOD_HEADER)?g' \
 			-e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \
 			> $(DEPEND_TMP)
 	cp $(DEPEND_TARGET) $(DEPEND_TMP2)
@@ -622,18 +627,19 @@ depend:
 # Dependencies
 dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
  $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/util/locks.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
+ $(srcdir)/sldns/sbuffer.h
 infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
 rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \
@@ -656,11 +662,11 @@ msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/d
 msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/util/module.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
@@ -674,10 +680,11 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
  $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \
  $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/random.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
 iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
  $(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
@@ -719,17 +726,18 @@ iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/i
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h \
  $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/str2wire.h
 listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
-  $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/sbuffer.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/rbtree.h  $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h
 localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@@ -737,27 +745,30 @@ localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/serv
  $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/as112.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/as112.h
 mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
- $(srcdir)/util/data/dname.h $(srcdir)/respip/respip.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/util/data/dname.h $(srcdir)/respip/respip.h
 modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/services/view.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(PYTHONMOD_HEADER) \
+ $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
 view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@@ -766,31 +777,32 @@ view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(s
 outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- 
+ $(srcdir)/dnscrypt/cert.h 
 outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \
  $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h   \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/dnstap/dnstap.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
+ 
 alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h util/configparser.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \
  $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/iana_ports.inc
 configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
@@ -798,24 +810,33 @@ configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configy
 configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
 shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
-   $(srcdir)/daemon/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
+  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
+authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/validator/val_secalgo.h
 fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h  $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h  \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/services/authzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
  $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
@@ -823,38 +844,42 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
  $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \
+ $(PYTHONMOD_HEADER) $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h \
  $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h $(srcdir)/edns-subnet/addrtree.h \
  $(srcdir)/edns-subnet/edns-subnet.h
 locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
 mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h
 module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
 netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/ub_event.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/dnstap/dnstap.h  \
  
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/wire2str.h \
+ 
 random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h $(srcdir)/util/regional.h
 rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h
 dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \
@@ -863,25 +888,25 @@ dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/s
 lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/storage/lookup3.h
 lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h
 tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
 ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
 ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
  $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
@@ -894,9 +919,10 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
  $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/services/modstack.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
+ 
 val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
@@ -912,7 +938,8 @@ validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/val
  $(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
@@ -921,13 +948,15 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
 val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+ 
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
 val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
@@ -943,14 +972,16 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
 val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
  $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/sbuffer.h \
+ 
 val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
+ 
 val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@@ -958,15 +989,16 @@ val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/val
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \
  $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/parseutil.h
 dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
 edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
  $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
 subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
@@ -976,8 +1008,9 @@ subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/e
  $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h \
  $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/services/modstack.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
 addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
@@ -985,18 +1018,43 @@ addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util
 subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \
  $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/regional.h $(srcdir)/util/config_file.h
-cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h
+ $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
+cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/services/cache/dns.h $(srcdir)/validator/val_neg.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/validator/val_secalgo.h $(srcdir)/iterator/iter_utils.h \
+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/sbuffer.h
 respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h \
  $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h \
  $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
  $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/respip/respip.h
 checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/checklocks.h
+dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h
+ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \
+ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h
+ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \
+ $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
 unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@@ -1005,14 +1063,15 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
-unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
  $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h \
- $(srcdir)/respip/respip.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h $(srcdir)/respip/respip.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h
 unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
@@ -1049,18 +1108,24 @@ unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h
  $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \
  $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/edns-subnet.h
+unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
  $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
-cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
+cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
+ $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
  $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h \
@@ -1068,24 +1133,27 @@ cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon
  $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
  $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
  $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+   $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
  $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
  $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
-remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/alloc.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
   $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
  $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
@@ -1098,48 +1166,51 @@ remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h
  $(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h \
  $(srcdir)/sldns/wire2str.h
 stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
- $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+  $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
 unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
  $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-  $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
+  $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+  $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/util/shm_side/shm_main.h
+ $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
 testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
  $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
- $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/testcode/fake_event.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
   $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@@ -1153,69 +1224,72 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
  $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+  $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/util/shm_side/shm_main.h
+ $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
  $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+   $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
  $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
  $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
 stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
- $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+  $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
 replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
- $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/testcode/testpkts.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/util/rbtree.h  $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h  \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
 pktview.lo pktview.o: $(srcdir)/testcode/pktview.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/testcode/readhex.h $(srcdir)/sldns/sbuffer.h \
@@ -1224,10 +1298,10 @@ readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/r
  $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h
 memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
 unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
@@ -1235,14 +1309,14 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
  $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER)
 worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h
 context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbound/context.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@@ -1251,7 +1325,7 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/sldns/sbuffer.h
 libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
  $(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
@@ -1261,22 +1335,22 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
  $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h \
  $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/services/cache/rrset.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
-libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h   \
- $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/sldns/str2wire.h
+libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
+ $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/dnscrypt/cert.h  $(srcdir)/services/mesh.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
+ $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/str2wire.h
 unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
 asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
@@ -1287,34 +1361,40 @@ streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util
  $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
+ 
 perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
+ $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h
 unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
+ 
+petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
+ 
 pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/regional.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \
+ 
 win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
  $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
    $(srcdir)/daemon/worker.h \
  $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
 w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
 unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
  $(srcdir)/winrc/w_inst.h
@@ -1322,11 +1402,14 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
  $(srcdir)/winrc/w_inst.h
 anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
-keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
+keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/rrdef.h \
+ 
 sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
 wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/keyraw.h
+ $(srcdir)/sldns/keyraw.h \
+ 
 parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
  $(srcdir)/sldns/sbuffer.h
 parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
@@ -1346,9 +1429,11 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
 strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
 strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
+ 
 getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \
+ 
 getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
 explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h

contrib/unbound/cachedb/cachedb.c

@@ -171,12 +171,13 @@ static int
 cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
 {
 	const char* backend_str = "testframe"; /* TODO get from cfg */
+	(void)cfg;     /* need this until the TODO is implemented */
 	if(backend_str && backend_str[0]) {
 		cachedb_env->backend = cachedb_find_backend(backend_str);
 		if(!cachedb_env->backend) {
 			log_err("cachedb: cannot find backend name '%s",
 				backend_str);
-			return NULL;
+			return 0;
 		}
 	}
 	/* TODO see if more configuration needs to be applied or not */
@@ -374,6 +375,36 @@ good_expiry_and_qinfo(struct module_qstate* qstate, struct sldns_buffer* buf)
 	return 1;
 }
 
+static void
+packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
+{
+        size_t i;
+        size_t total = data->count + data->rrsig_count;
+	if(data->ttl > subtract)
+		data->ttl -= subtract;
+	else	data->ttl = 0;
+        for(i=0; i<total; i++) {
+		if(data->rr_ttl[i] > subtract)
+                	data->rr_ttl[i] -= subtract;
+                else	data->rr_ttl[i] = 0;
+	}
+}
+
+static void
+adjust_msg_ttl(struct dns_msg* msg, time_t adjust)
+{
+	size_t i;
+	if(msg->rep->ttl > adjust)
+		msg->rep->ttl -= adjust;
+	else	msg->rep->ttl = 0;
+	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+
+	for(i=0; i<msg->rep->rrset_count; i++) {
+		packed_rrset_ttl_subtract((struct packed_rrset_data*)msg->
+			rep->rrsets[i]->entry.data, adjust);
+	}
+}
+
 /** convert dns message in buffer to return_msg */
 static int
 parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
@@ -420,24 +451,18 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
 	qstate->return_rcode = LDNS_RCODE_NOERROR;
 
 	/* see how much of the TTL expired, and remove it */
-	adjust = *qstate->env->now - (time_t)timestamp;
-	verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust);
-	/*adjust_msg(qstate->return_msg, adjust);*/
-	/* TODO:
-		msg->rep->ttl = r->ttl - adjust;
-		msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
-		for(i=0; i<d->count + d->rrsig_count; i++) {
-			if(d->rr_ttl[i] < adjust)
-				d->rr_ttl[i] = 0;
-			else    d->rr_ttl[i] -= adjust;
+	if(*qstate->env->now <= (time_t)timestamp) {
+		verbose(VERB_ALGO, "cachedb msg adjust by zero");
+		return 1; /* message from the future (clock skew?) */
 	}
-		if(d->ttl < adjust)
-			d->ttl = 0;
-		else    d->ttl -= adjust;
-		*/
-	/* TODO */
-
-	return 0;
+	adjust = *qstate->env->now - (time_t)timestamp;
+	if(qstate->return_msg->rep->ttl < adjust) {
+		verbose(VERB_ALGO, "cachedb msg expired");
+		return 0; /* message expired */
+	}
+	verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust);
+	adjust_msg_ttl(qstate->return_msg, adjust);
+	return 1;
 }
 
 /**

contrib/unbound/config.h

@@ -80,6 +80,10 @@
    don't. */
 #define HAVE_DECL_INET_PTON 1
 
+/* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you
+   don't. */
+#define HAVE_DECL_NID_ED25519 0
+
 /* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
    don't. */
 #define HAVE_DECL_NID_SECP384R1 1
@@ -158,6 +162,9 @@
 /* Define to 1 if you have the `EVP_cleanup' function. */
 #define HAVE_EVP_CLEANUP 1
 
+/* Define to 1 if you have the `EVP_DigestVerify' function. */
+/* #undef HAVE_EVP_DIGESTVERIFY */
+
 /* Define to 1 if you have the `EVP_dss1' function. */
 #define HAVE_EVP_DSS1 1
 
@@ -595,7 +602,7 @@
 #define PACKAGE_NAME "unbound"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "unbound 1.6.3"
+#define PACKAGE_STRING "unbound 1.6.4"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "unbound"
@@ -604,7 +611,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.6.3"
+#define PACKAGE_VERSION "1.6.4"
 
 /* default pidfile location */
 #define PIDFILE "/var/unbound/unbound.pid"
@@ -623,7 +630,7 @@
 #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
 
 /* version number for resource files */
-#define RSRC_PACKAGE_VERSION 1,6,3,0
+#define RSRC_PACKAGE_VERSION 1,6,4,0
 
 /* Directory to chdir to */
 #define RUN_DIR "/var/unbound"
@@ -667,6 +674,9 @@
 /* Define to 1 to enable dnscrypt support */
 /* #undef USE_DNSCRYPT */
 
+/* Define to 1 to enable dnscrypt with xchacha20 support */
+/* #undef USE_DNSCRYPT_XCHACHA20 */
+
 /* Define to 1 to enable dnstap support */
 /* #undef USE_DNSTAP */
 
@@ -679,9 +689,15 @@
 /* Define this to enable an EVP workaround for older openssl */
 /* #undef USE_ECDSA_EVP_WORKAROUND */
 
+/* Define this to enable ED25519 support. */
+/* #undef USE_ED25519 */
+
 /* Define this to enable GOST support. */
 #define USE_GOST 1
 
+/* Define to 1 to use ipsecmod support. */
+/* #undef USE_IPSECMOD */
+
 /* Define if you want to use internal select based events */
 #define USE_MINI_EVENT 1
 

contrib/unbound/config.h.in

@@ -79,6 +79,10 @@
    don't. */
 #undef HAVE_DECL_INET_PTON
 
+/* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you
+   don't. */
+#undef HAVE_DECL_NID_ED25519
+
 /* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
    don't. */
 #undef HAVE_DECL_NID_SECP384R1
@@ -157,6 +161,9 @@
 /* Define to 1 if you have the `EVP_cleanup' function. */
 #undef HAVE_EVP_CLEANUP
 
+/* Define to 1 if you have the `EVP_DigestVerify' function. */
+#undef HAVE_EVP_DIGESTVERIFY
+
 /* Define to 1 if you have the `EVP_dss1' function. */
 #undef HAVE_EVP_DSS1
 
@@ -666,6 +673,9 @@
 /* Define to 1 to enable dnscrypt support */
 #undef USE_DNSCRYPT
 
+/* Define to 1 to enable dnscrypt with xchacha20 support */
+#undef USE_DNSCRYPT_XCHACHA20
+
 /* Define to 1 to enable dnstap support */
 #undef USE_DNSTAP
 
@@ -678,9 +688,15 @@
 /* Define this to enable an EVP workaround for older openssl */
 #undef USE_ECDSA_EVP_WORKAROUND
 
+/* Define this to enable ED25519 support. */
+#undef USE_ED25519
+
 /* Define this to enable GOST support. */
 #undef USE_GOST
 
+/* Define to 1 to use ipsecmod support. */
+#undef USE_IPSECMOD
+
 /* Define if you want to use internal select based events */
 #undef USE_MINI_EVENT
 

contrib/unbound/configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.6.3.
+# Generated by GNU Autoconf 2.69 for unbound 1.6.4.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.6.3'
-PACKAGE_STRING='unbound 1.6.3'
+PACKAGE_VERSION='1.6.4'
+PACKAGE_STRING='unbound 1.6.4'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -638,9 +638,12 @@ INSTALLTARGET
 ALLTARGET
 SOURCEFILE
 SOURCEDETERMINE
+IPSECMOD_HEADER
+IPSECMOD_OBJ
 DNSCRYPT_OBJ
 DNSCRYPT_SRC
 ENABLE_DNSCRYPT
+ENABLE_DNSCRYPT_XCHACHA20
 DNSTAP_OBJ
 DNSTAP_SRC
 opt_dnstap_socket_path
@@ -755,6 +758,9 @@ UNBOUND_CHROOT_DIR
 UNBOUND_RUN_DIR
 ub_conf_dir
 ub_conf_file
+UNBOUND_LOCALSTATE_DIR
+UNBOUND_SYSCONF_DIR
+UNBOUND_SBIN_DIR
 EGREP
 GREP
 CPP
@@ -851,6 +857,7 @@ enable_subnet
 enable_gost
 enable_ecdsa
 enable_dsa
+enable_ed25519
 enable_event_api
 enable_tfo_client
 enable_tfo_server
@@ -867,6 +874,7 @@ with_libfstrm
 enable_dnscrypt
 with_libsodium
 enable_cachedb
+enable_ipsecmod
 with_libunbound_only
 '
       ac_precious_vars='build_alias
@@ -1429,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.6.3 to adapt to many kinds of systems.
+\`configure' configures unbound 1.6.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1494,7 +1502,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.6.3:";;
+     short | recursive ) echo "Configuration of unbound 1.6.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1531,6 +1539,7 @@ Optional Features:
   --disable-gost          Disable GOST support
   --disable-ecdsa         Disable ECDSA support
   --disable-dsa           Disable DSA support
+  --disable-ed25519       Disable ED25519 support
   --enable-event-api      Enable (experimental) pluggable event base
                           libunbound API installed to unbound-event.h
   --enable-tfo-client     Enable TCP Fast Open for client mode
@@ -1547,6 +1556,8 @@ Optional Features:
   --enable-dnscrypt       Enable dnscrypt support (requires libsodium)
   --enable-cachedb        enable cachedb module that can use external cache
                           storage
+  --enable-ipsecmod       Enable ipsecmod module that facilitates
+                          opportunistic IPsec
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -1703,7 +1714,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.6.3
+unbound configure 1.6.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2412,7 +2423,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.6.3, which was
+It was created by unbound $as_me 1.6.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2764,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=6
 
-UNBOUND_VERSION_MICRO=3
+UNBOUND_VERSION_MICRO=4
 
 
 LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
 LIBUNBOUND_AGE=5
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2822,6 +2833,7 @@ LIBUNBOUND_AGE=5
 # 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
 # 1.6.2 had 7:1:5
 # 1.6.3 had 7:2:5
+# 1.6.4 had 7:3:5
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -4106,6 +4118,11 @@ case "$prefix" in
 		prefix="/usr/local"
         ;;
 esac
+case "$exec_prefix" in
+        NONE)
+		exec_prefix="$prefix"
+        ;;
+esac
 
 # are we on MinGW?
 if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
@@ -4117,6 +4134,12 @@ fi
 #
 # Determine configuration file
 # the eval is to evaluate shell expansion twice
+UNBOUND_SBIN_DIR=`eval echo "${sbindir}"`
+
+UNBOUND_SYSCONF_DIR=`eval echo "${sysconfdir}"`
+
+UNBOUND_LOCALSTATE_DIR=`eval echo "${localstatedir}"`
+
 if test $on_mingw = "no"; then
   ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
 else
@@ -17598,7 +17621,7 @@ fi
 
 done
 
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -18046,6 +18069,47 @@ fi
       ;;
 esac
 
+# Check whether --enable-ed25519 was given.
+if test "${enable_ed25519+set}" = set; then :
+  enableval=$enable_ed25519;
+fi
+
+use_ed25519="no"
+case "$enable_ed25519" in
+    no)
+      ;;
+    *)
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+	      ac_fn_c_check_decl "$LINENO" "NID_ED25519" "ac_cv_have_decl_NID_ED25519" "$ac_includes_default
+#include <openssl/evp.h>
+
+"
+if test "x$ac_cv_have_decl_NID_ED25519" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_NID_ED25519 $ac_have_decl
+_ACEOF
+if test $ac_have_decl = 1; then :
+
+
+cat >>confdefs.h <<_ACEOF
+#define USE_ED25519 1
+_ACEOF
+
+      		use_ed25519="yes"
+
+else
+   if test "x$enable_ed25519" = "xyes"; then as_fn_error $? "OpenSSL does not support ED25519 and you used --enable-ed25519." "$LINENO" 5
+	      	fi
+fi
+
+      fi
+      ;;
+esac
 
 # Check whether --enable-event-api was given.
 if test "${enable_event_api+set}" = set; then :
@@ -20309,6 +20373,73 @@ else
   as_fn_error $? "The sodium library was not found. Please install sodium!" "$LINENO" 5
 fi
 
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing crypto_box_curve25519xchacha20poly1305_beforenm" >&5
+$as_echo_n "checking for library containing crypto_box_curve25519xchacha20poly1305_beforenm... " >&6; }
+if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char crypto_box_curve25519xchacha20poly1305_beforenm ();
+int
+main ()
+{
+return crypto_box_curve25519xchacha20poly1305_beforenm ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' sodium; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
+
+else
+  ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm" >&5
+$as_echo "$ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm" >&6; }
+ac_res=$ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+            ENABLE_DNSCRYPT_XCHACHA20=1
+
+
+$as_echo "#define USE_DNSCRYPT_XCHACHA20 1" >>confdefs.h
+
+
+else
+
+            ENABLE_DNSCRYPT_XCHACHA20=0
+
+
+fi
+
 
 
 $as_echo "#define USE_DNSCRYPT 1" >>confdefs.h
@@ -20322,6 +20453,8 @@ $as_echo "#define USE_DNSCRYPT 1" >>confdefs.h
 
 
   else
+    ENABLE_DNSCRYPT_XCHACHA20=0
+
 
         ENABLE_DNSCRYPT=0
 
@@ -20347,6 +20480,27 @@ $as_echo "#define USE_CACHEDB 1" >>confdefs.h
     	;;
 esac
 
+# check for ipsecmod if requested
+# Check whether --enable-ipsecmod was given.
+if test "${enable_ipsecmod+set}" = set; then :
+  enableval=$enable_ipsecmod;
+fi
+
+case "$enable_ipsecmod" in
+	yes)
+
+$as_echo "#define USE_IPSECMOD 1" >>confdefs.h
+
+		IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
+
+		IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
+
+		;;
+	no|*)
+		# nothing
+		;;
+esac
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
 $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
 # on openBSD, the implicit rule make $< work.
@@ -20488,7 +20642,7 @@ _ACEOF
 
 
 
-version=1.6.3
+version=1.6.4
 
 date=`date +'%b %e, %Y'`
 
@@ -21007,7 +21161,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.6.3, which was
+This file was extended by unbound $as_me 1.6.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -21073,7 +21227,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.6.3
+unbound config.status 1.6.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

contrib/unbound/configure.ac

@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[6])
-m4_define([VERSION_MICRO],[3])
+m4_define([VERSION_MICRO],[4])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
 LIBUNBOUND_AGE=5
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -72,6 +72,7 @@ LIBUNBOUND_AGE=5
 # 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
 # 1.6.2 had 7:1:5
 # 1.6.3 had 7:2:5
+# 1.6.4 had 7:3:5
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -109,6 +110,11 @@ case "$prefix" in
 		prefix="/usr/local"
         ;;
 esac
+case "$exec_prefix" in
+        NONE)
+		exec_prefix="$prefix"
+        ;;
+esac
 
 # are we on MinGW?
 if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
@@ -120,6 +126,12 @@ fi
 #
 # Determine configuration file
 # the eval is to evaluate shell expansion twice
+UNBOUND_SBIN_DIR=`eval echo "${sbindir}"`
+AC_SUBST(UNBOUND_SBIN_DIR)
+UNBOUND_SYSCONF_DIR=`eval echo "${sysconfdir}"`
+AC_SUBST(UNBOUND_SYSCONF_DIR)
+UNBOUND_LOCALSTATE_DIR=`eval echo "${localstatedir}"`
+AC_SUBST(UNBOUND_LOCALSTATE_DIR)
 if test $on_mingw = "no"; then
   ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
 else
@@ -680,7 +692,7 @@ else
 	AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify])
 
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
@@ -906,6 +918,23 @@ case "$enable_dsa" in
       ;;
 esac
 
+AC_ARG_ENABLE(ed25519, AC_HELP_STRING([--disable-ed25519], [Disable ED25519 support]))
+use_ed25519="no"
+case "$enable_ed25519" in
+    no)
+      ;;
+    *)
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+	      AC_CHECK_DECLS([NID_ED25519], [
+      		AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
+      		use_ed25519="yes"
+	      ], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
+	      	fi ], [AC_INCLUDES_DEFAULT
+#include <openssl/evp.h>
+	      ])
+      fi
+      ;;
+esac
 
 AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
 case "$enable_event_api" in
@@ -1353,6 +1382,21 @@ case "$enable_cachedb" in
     	;;
 esac
 
+# check for ipsecmod if requested
+AC_ARG_ENABLE(ipsecmod, AC_HELP_STRING([--enable-ipsecmod], [Enable ipsecmod module that facilitates opportunistic IPsec]))
+case "$enable_ipsecmod" in
+	yes)
+		AC_DEFINE([USE_IPSECMOD], [1], [Define to 1 to use ipsecmod support.])
+		IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
+		AC_SUBST(IPSECMOD_OBJ)
+		IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
+		AC_SUBST(IPSECMOD_HEADER)
+		;;
+	no|*)
+		# nothing
+		;;
+esac
+
 AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
 # on openBSD, the implicit rule make $< work.
 # on Solaris, it does not work ($? is changed sources, $^ lists dependencies).

contrib/unbound/contrib/README

@@ -31,3 +31,6 @@ distribution but may be helpful.
   Contributed by Yuri Voinov.
 * unbound.socket and unbound.service: systemd files for unbound, install them
   in /usr/lib/systemd/system.  Contributed by Sami Kerola and Pavel Odintsov.
+* redirect-bogus.patch: Return configured address for bogus A and AAAA answers,
+  instead of SERVFAIL. Contributed by SIDN.
+* fastrpz.patch: fastrpz support from Farsight Security.

contrib/unbound/contrib/redirect-bogus.patch

@@ -0,0 +1,344 @@
+Index: daemon/worker.c
+===================================================================
+--- daemon/worker.c	(revision 4191)
++++ daemon/worker.c	(working copy)
+@@ -663,8 +663,21 @@
+ 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
+ 			LDNS_RCODE_SERVFAIL, edns, worker->scratchpad))
+ 			goto bail_out;
+-		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
+-			qinfo, id, flags, edns);
++		if (qinfo->qtype == LDNS_RR_TYPE_A &&
++			worker->env.cfg->redirect_bogus_ipv4) {
++			/* BAD cached */
++			fixed_address_encode(repinfo->c->buffer,
++				LDNS_RCODE_NOERROR, qinfo, id, flags, edns,
++				worker->env.cfg->redirect_bogus_ipv4);
++		} else if (qinfo->qtype == LDNS_RR_TYPE_AAAA &&
++			worker->env.cfg->redirect_bogus_ipv6) {
++			fixed_address_encode(repinfo->c->buffer,
++				LDNS_RCODE_NOERROR, qinfo, id, flags, edns,
++				worker->env.cfg->redirect_bogus_ipv6);
++		} else {
++			error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
++ 			qinfo, id, flags, edns);
++		}
+ 		rrset_array_unlock_touch(worker->env.rrset_cache, 
+ 			worker->scratchpad, rep->ref, rep->rrset_count);
+ 		if(worker->stats.extended) {
+Index: doc/unbound.conf.5.in
+===================================================================
+--- doc/unbound.conf.5.in	(revision 4191)
++++ doc/unbound.conf.5.in	(working copy)
+@@ -1244,6 +1244,18 @@
+ This can make ordinary queries complete (if repeatedly queried for),
+ and enter the cache, whilst also mitigating the traffic flow by the
+ factor given.
++.TP 5
++.B redirect-bogus-ipv4: \fI<IPv4 address>
++Set a fixed address for DNSSEC failures that are cached
++Instead of responding to A queries with SERVFAIL, respond
++with NOERROR and the address specified here
++The TTL of the response will be 5 seconds
++.TP 5
++.B redirect-bogus-ipv6: \fI<IPv4 address>
++Set a fixed address for DNSSEC failures that are cached
++Instead of responding to AAAA queries with SERVFAIL, respond
++with NOERROR and the address specified here
++The TTL of the response will be 5 seconds
+ .SS "Remote Control Options"
+ In the
+ .B remote\-control:
+Index: services/mesh.c
+===================================================================
+--- services/mesh.c	(revision 4191)
++++ services/mesh.c	(working copy)
+@@ -1006,6 +1006,7 @@
+ 	struct timeval end_time;
+ 	struct timeval duration;
+ 	int secure;
++	int bogus_override = 0;
+ 	/* Copy the client's EDNS for later restore, to make sure the edns
+ 	 * compare is with the correct edns options. */
+ 	struct edns_data edns_bak = r->edns;
+@@ -1016,6 +1017,7 @@
+ 		rcode = LDNS_RCODE_SERVFAIL;
+ 		if(m->s.env->cfg->stat_extended) 
+ 			m->s.env->mesh->ans_bogus++;
++		bogus_override = 1;
+ 	}
+ 	if(rep && rep->security == sec_status_secure)
+ 		secure = 1;
+@@ -1047,17 +1049,34 @@
+ 	} else if(rcode) {
+ 		m->s.qinfo.qname = r->qname;
+ 		m->s.qinfo.local_alias = r->local_alias;
+-		if(rcode == LDNS_RCODE_SERVFAIL) {
+-			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
+-				rep, rcode, &r->edns, m->s.region))
+-					r->edns.opt_list = NULL;
+-		} else { 
+-			if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
+-				&r->edns, m->s.region))
+-					r->edns.opt_list = NULL;
++		if(bogus_override && m->s.qinfo.qtype == LDNS_RR_TYPE_A &&
++			m->s.env->cfg->redirect_bogus_ipv4) {
++			fixed_address_encode(r->query_reply.c->buffer,
++				LDNS_RCODE_NOERROR, &m->s.qinfo, r->qid,
++				r->qflags, &r->edns,
++				m->s.env->cfg->redirect_bogus_ipv4);
++		} else if(bogus_override &&
++			m->s.qinfo.qtype == LDNS_RR_TYPE_AAAA &&
++			m->s.env->cfg->redirect_bogus_ipv6) {
++			fixed_address_encode(r->query_reply.c->buffer,
++				LDNS_RCODE_NOERROR, &m->s.qinfo, r->qid,
++				r->qflags, &r->edns,
++				m->s.env->cfg->redirect_bogus_ipv6);
++		} else {
++			if(rcode == LDNS_RCODE_SERVFAIL) {
++				if(!inplace_cb_reply_servfail_call(m->s.env,
++					&m->s.qinfo, &m->s,
++					rep, rcode, &r->edns, m->s.region))
++						r->edns.opt_list = NULL;
++			} else { 
++				if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo,
++					&m->s, rep, rcode, &r->edns,
++					m->s.region))
++						r->edns.opt_list = NULL;
++			}
++			error_encode(r->query_reply.c->buffer, rcode,
++				&m->s.qinfo, r->qid, r->qflags, &r->edns);
+ 		}
+-		error_encode(r->query_reply.c->buffer, rcode, &m->s.qinfo,
+-			r->qid, r->qflags, &r->edns);
+ 		comm_point_send_reply(&r->query_reply);
+ 	} else {
+ 		size_t udp_size = r->edns.udp_size;
+Index: util/config_file.c
+===================================================================
+--- util/config_file.c	(revision 4191)
++++ util/config_file.c	(working copy)
+@@ -273,6 +273,8 @@
+ 	cfg->ratelimit_factor = 10;
+ 	cfg->qname_minimisation = 0;
+ 	cfg->qname_minimisation_strict = 0;
++	cfg->redirect_bogus_ipv4 = NULL;
++	cfg->redirect_bogus_ipv6 = NULL;
+ 	cfg->shm_enable = 0;
+ 	cfg->shm_key = 11777;
+ 	cfg->dnscrypt = 0;
+@@ -602,6 +604,10 @@
+ 		}
+ 		oi[cfg->num_out_ifs++] = d;
+ 		cfg->out_ifs = oi;
++	} else if (strcmp(opt, "redirect-bogus-ipv4:") == 0) {
++		cfg->redirect_bogus_ipv4 = strdup(val);
++	} else if (strcmp(opt, "redirect-bogus-ipv6:") == 0) {
++		cfg->redirect_bogus_ipv6 = strdup(val);
+ 	} else {
+ 		/* unknown or unsupported (from the set_option interface):
+ 		 * interface, outgoing-interface, access-control,
+@@ -1250,6 +1256,12 @@
+ 	free(cfg->dnstap_version);
+ 	config_deldblstrlist(cfg->ratelimit_for_domain);
+ 	config_deldblstrlist(cfg->ratelimit_below_domain);
++	if (cfg->redirect_bogus_ipv4) {
++		free(cfg->redirect_bogus_ipv4);
++	}
++	if (cfg->redirect_bogus_ipv6) {
++		free(cfg->redirect_bogus_ipv6);
++	}
+ #ifdef USE_IPSECMOD
+ 	free(cfg->ipsecmod_hook);
+ 	config_delstrlist(cfg->ipsecmod_whitelist);
+Index: util/config_file.h
+===================================================================
+--- util/config_file.h	(revision 4191)
++++ util/config_file.h	(working copy)
+@@ -444,6 +444,9 @@
+ 	/** minimise QNAME in strict mode, minimise according to RFC.
+ 	 *  Do not apply fallback */
+ 	int qname_minimisation_strict;
++	/** construct fake responses for DNSSEC failures */
++	char *redirect_bogus_ipv4;
++	char *redirect_bogus_ipv6;
+ 	/** SHM data - true if shm is enabled */
+ 	int shm_enable;
+ 	/** SHM data - key for the shm */
+Index: util/configlexer.lex
+===================================================================
+--- util/configlexer.lex	(revision 4191)
++++ util/configlexer.lex	(working copy)
+@@ -410,6 +410,8 @@
+ response-ip-tag{COLON}		{ YDVAR(2, VAR_RESPONSE_IP_TAG) }
+ response-ip{COLON}		{ YDVAR(2, VAR_RESPONSE_IP) }
+ response-ip-data{COLON}		{ YDVAR(2, VAR_RESPONSE_IP_DATA) }
++redirect-bogus-ipv4{COLON}	{ YDVAR(1, VAR_REDIRECT_BOGUS_IPV4) }
++redirect-bogus-ipv6{COLON}	{ YDVAR(1, VAR_REDIRECT_BOGUS_IPV6) }
+ dnscrypt{COLON}			{ YDVAR(0, VAR_DNSCRYPT) }
+ dnscrypt-enable{COLON}		{ YDVAR(1, VAR_DNSCRYPT_ENABLE) }
+ dnscrypt-port{COLON}		{ YDVAR(1, VAR_DNSCRYPT_PORT) }
+Index: util/configparser.y
+===================================================================
+--- util/configparser.y	(revision 4191)
++++ util/configparser.y	(working copy)
+@@ -44,6 +44,7 @@
+ #include <stdlib.h>
+ #include <assert.h>
+ 
++#include "sldns/str2wire.h"
+ #include "util/configyyrename.h"
+ #include "util/config_file.h"
+ #include "util/net_help.h"
+@@ -141,6 +142,7 @@
+ %token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
+ %token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_FAKE_DSA VAR_FAKE_SHA1
+ %token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR VAR_TRUST_ANCHOR_SIGNALING
++%token VAR_REDIRECT_BOGUS_IPV4 VAR_REDIRECT_BOGUS_IPV6
+ %token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
+ %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
+ %token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
+@@ -228,6 +230,7 @@
+ 	server_access_control_tag_data | server_access_control_view |
+ 	server_qname_minimisation_strict | server_serve_expired |
+ 	server_fake_dsa | server_log_identity | server_use_systemd |
++	server_redirect_bogus_ipv4 | server_redirect_bogus_ipv6 |
+ 	server_response_ip_tag | server_response_ip | server_response_ip_data |
+ 	server_shm_enable | server_shm_key | server_fake_sha1 |
+ 	server_hide_trustanchor | server_trust_anchor_signaling |
+@@ -1873,6 +1876,34 @@
+ 	#endif
+ 	}
+ 	;
++server_redirect_bogus_ipv4: VAR_REDIRECT_BOGUS_IPV4 STRING_ARG
++	{
++		uint8_t data[4];
++		size_t data_len = 4;
++		OUTYY(("P(name:%s)\n", $2));
++		if(cfg_parser->cfg->redirect_bogus_ipv4) {
++			yyerror("redirect-bogus-ipv4, can only use one address");
++		}
++		if(sldns_str2wire_a_buf($2, data, &data_len) != LDNS_WIREPARSE_ERR_OK) {
++			yyerror("redirect-bogus-ipv4, not a valid IPv4 address");
++		}
++		free(cfg_parser->cfg->redirect_bogus_ipv4);
++		cfg_parser->cfg->redirect_bogus_ipv4 = $2;
++	}
++server_redirect_bogus_ipv6: VAR_REDIRECT_BOGUS_IPV6 STRING_ARG
++	{
++		uint8_t data[16];
++		size_t data_len = 16;
++		OUTYY(("P(name:%s)\n", $2));
++		if(cfg_parser->cfg->redirect_bogus_ipv6) {
++			yyerror("redirect-bogus-ipv6, can only use one address");
++		}
++		if(sldns_str2wire_aaaa_buf($2, data, &data_len) != LDNS_WIREPARSE_ERR_OK) {
++			yyerror("redirect-bogus-ipv6, not a valid IPv6 address");
++		}
++		free(cfg_parser->cfg->redirect_bogus_ipv6);
++		cfg_parser->cfg->redirect_bogus_ipv6 = $2;
++	}
+ stub_name: VAR_NAME STRING_ARG
+ 	{
+ 		OUTYY(("P(name:%s)\n", $2));
+Index: util/data/msgencode.c
+===================================================================
+--- util/data/msgencode.c	(revision 4191)
++++ util/data/msgencode.c	(working copy)
+@@ -48,6 +48,7 @@
+ #include "util/regional.h"
+ #include "util/net_help.h"
+ #include "sldns/sbuffer.h"
++#include "sldns/str2wire.h"
+ #include "services/localzone.h"
+ 
+ /** return code that means the function ran out of memory. negative so it does
+@@ -914,3 +915,63 @@
+ 		attach_edns_record(buf, &es);
+ 	}
+ }
++
++void 
++fixed_address_encode(sldns_buffer* buf, int r, struct query_info* qinfo,
++	uint16_t qid, uint16_t qflags, struct edns_data* edns, char* data)
++{
++	uint16_t flags;
++	uint8_t addr_data[16];
++	size_t addr_len = 16;
++	if (qinfo->qtype == LDNS_RR_TYPE_A) {
++		sldns_str2wire_a_buf(data, addr_data, &addr_len);
++	} else if (qinfo->qtype == LDNS_RR_TYPE_AAAA) {
++		sldns_str2wire_aaaa_buf(data, addr_data, &addr_len);
++	} else {
++		return error_encode(buf, LDNS_RCODE_NOERROR, qinfo, qid, qflags, edns);
++	}
++	sldns_buffer_clear(buf);
++	sldns_buffer_write(buf, &qid, sizeof(uint16_t));
++	flags = (uint16_t)(BIT_QR | BIT_RA | r); /* QR and retcode*/
++	flags |= (qflags & (BIT_RD|BIT_CD)); /* copy RD and CD bit */
++	sldns_buffer_write_u16(buf, flags);
++	if(qinfo) flags = 1;
++	else	flags = 0;
++	sldns_buffer_write_u16(buf, flags);
++	sldns_buffer_write_u16(buf, 1);
++	flags = 0;
++	sldns_buffer_write(buf, &flags, sizeof(uint16_t));
++	sldns_buffer_write(buf, &flags, sizeof(uint16_t));
++	if(qinfo) {
++		// query
++		if(sldns_buffer_current(buf) == qinfo->qname)
++			sldns_buffer_skip(buf, (ssize_t)qinfo->qname_len);
++		else	sldns_buffer_write(buf, qinfo->qname, qinfo->qname_len);
++		sldns_buffer_write_u16(buf, qinfo->qtype);
++		sldns_buffer_write_u16(buf, qinfo->qclass);
++		// faked answer
++		if(sldns_buffer_current(buf) == qinfo->qname)
++			sldns_buffer_skip(buf, (ssize_t)qinfo->qname_len);
++		else	sldns_buffer_write(buf, qinfo->qname, qinfo->qname_len);
++		sldns_buffer_write_u16(buf, qinfo->qtype);
++		sldns_buffer_write_u16(buf, qinfo->qclass);
++		sldns_buffer_write_u16(buf, 0);
++		// TTL. Should we make this configurable too?
++		sldns_buffer_write_u16(buf, 5);
++		sldns_buffer_write_u16(buf, addr_len);
++		sldns_buffer_write(buf, addr_data, addr_len);
++		fflush(stderr);
++	}
++	sldns_buffer_flip(buf);
++	if(edns) {
++		struct edns_data es = *edns;
++		es.edns_version = EDNS_ADVERTISED_VERSION;
++		es.udp_size = EDNS_ADVERTISED_SIZE;
++		es.ext_rcode = 0;
++		es.bits &= EDNS_DO;
++		if(sldns_buffer_limit(buf) + calc_edns_field_size(&es) >
++			edns->udp_size)
++			return;
++		attach_edns_record(buf, &es);
++	}
++}
+Index: util/data/msgencode.h
+===================================================================
+--- util/data/msgencode.h	(revision 4191)
++++ util/data/msgencode.h	(working copy)
+@@ -128,4 +128,20 @@
+ void error_encode(struct sldns_buffer* pkt, int r, struct query_info* qinfo,
+ 	uint16_t qid, uint16_t qflags, struct edns_data* edns);
+ 
++/**
++ * Encode a fixed address response.
++ * This is a fake answer to either an A or AAA query
++ *
++ * It will answer with that address
++ *
++ * @param pkt: where to store the packet.
++ * @param r: RCODE value to encode.
++ * @param qinfo: if not NULL, the query is included.
++ * @param qid: query ID to set in packet. network order.
++ * @param qflags: original query flags (to copy RD and CD bits). host order.
++ * @param edns: if not NULL, this is the query edns info,
++ * 	and an edns reply is attached. Only attached if EDNS record fits reply.
++ */
++void fixed_address_encode(struct sldns_buffer* pkt, int r, struct query_info* qinfo,
++	uint16_t qid, uint16_t qflags, struct edns_data* edns, char* address);
+ #endif /* UTIL_DATA_MSGENCODE_H */

contrib/unbound/contrib/unbound.service.in

@@ -7,7 +7,7 @@ WantedBy=multi-user.target
 
 [Service]
 ExecReload=/bin/kill -HUP $MAINPID
-ExecStart=/home/vagrant/unbound_systemd/unbound
+ExecStart=@UNBOUND_SBIN_DIR@/unbound
 NotifyAccess=main
 Type=notify
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
@@ -20,7 +20,7 @@ ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectSystem=strict
-ReadWritePaths=/etc/unbound /run
+ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
 RestrictAddressFamilies=AF_INET AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native

contrib/unbound/daemon/remote.c

@@ -124,7 +124,7 @@ timeval_subtract(struct timeval* d, const struct timeval* end,
 
 /** divide sum of timers to get average */
 static void
-timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
+timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
 {
 #ifndef S_SPLINT_S
 	size_t leftover;
@@ -260,10 +260,10 @@ daemon_remote_create(struct config_file* cfg)
 		return NULL;
 	}
 #endif
-#ifdef SHA256_DIGEST_LENGTH
+#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
 	/* if we have sha256, set the cipher list to have no known vulns */
 	if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
-		log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list");
+		log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
 #endif
 
 	if (cfg->remote_control_use_cert == 0) {
@@ -780,9 +780,9 @@ do_verbosity(SSL* ssl, char* str)
 
 /** print stats from statinfo */
 static int
-print_stats(SSL* ssl, const char* nm, struct stats_info* s)
+print_stats(SSL* ssl, const char* nm, struct ub_stats_info* s)
 {
-	struct timeval avg;
+	struct timeval sumwait, avg;
 	if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm, 
 		(unsigned long)s->svr.num_queries)) return 0;
 	if(!ssl_printf(ssl, "%s.num.queries_ip_ratelimited"SQ"%lu\n", nm,
@@ -811,7 +811,7 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
 	if(!ssl_printf(ssl, "%s.requestlist.avg"SQ"%g\n", nm,
 		(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
 			(double)s->svr.sum_query_list_size/
-			(s->svr.num_queries_missed_cache+
+			(double)(s->svr.num_queries_missed_cache+
 			s->svr.num_queries_prefetch) : 0.0)) return 0;
 	if(!ssl_printf(ssl, "%s.requestlist.max"SQ"%lu\n", nm,
 		(unsigned long)s->svr.max_query_list_size)) return 0;
@@ -823,7 +823,11 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
 		(unsigned long)s->mesh_num_states)) return 0;
 	if(!ssl_printf(ssl, "%s.requestlist.current.user"SQ"%lu\n", nm,
 		(unsigned long)s->mesh_num_reply_states)) return 0;
-	timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
+#ifndef S_SPLINT_S
+	sumwait.tv_sec = s->mesh_replies_sum_wait_sec;
+	sumwait.tv_usec = s->mesh_replies_sum_wait_usec;
+#endif
+	timeval_divide(&avg, &sumwait, s->mesh_replies_sent);
 	if(!ssl_printf(ssl, "%s.recursion.time.avg"SQ ARG_LL "d.%6.6d\n", nm,
 		(long long)avg.tv_sec, (int)avg.tv_usec)) return 0;
 	if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm, 
@@ -835,7 +839,7 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
 
 /** print stats for one thread */
 static int
-print_thread_stats(SSL* ssl, int i, struct stats_info* s)
+print_thread_stats(SSL* ssl, int i, struct ub_stats_info* s)
 {
 	char nm[16];
 	snprintf(nm, sizeof(nm), "thread%d", i);
@@ -862,46 +866,24 @@ print_longnum(SSL* ssl, const char* desc, size_t x)
 static int
 print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 {
-	int m;
 	size_t msg, rrset, val, iter, respip;
 #ifdef CLIENT_SUBNET
 	size_t subnet = 0;
 #endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+	size_t ipsecmod = 0;
+#endif /* USE_IPSECMOD */
 	msg = slabhash_get_mem(daemon->env->msg_cache);
 	rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
-	val=0;
-	iter=0;
-	respip=0;
-	m = modstack_find(&worker->env.mesh->mods, "validator");
-	if(m != -1) {
-		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
-			mods.mod[m]->get_mem));
-		val = (*worker->env.mesh->mods.mod[m]->get_mem)
-			(&worker->env, m);
-	}
-	m = modstack_find(&worker->env.mesh->mods, "iterator");
-	if(m != -1) {
-		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
-			mods.mod[m]->get_mem));
-		iter = (*worker->env.mesh->mods.mod[m]->get_mem)
-			(&worker->env, m);
-	}
-	m = modstack_find(&worker->env.mesh->mods, "respip");
-	if(m != -1) {
-		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
-			mods.mod[m]->get_mem));
-		respip = (*worker->env.mesh->mods.mod[m]->get_mem)
-			(&worker->env, m);
-	}
+	val = mod_get_mem(&worker->env, "validator");
+	iter = mod_get_mem(&worker->env, "iterator");
+	respip = mod_get_mem(&worker->env, "respip");
 #ifdef CLIENT_SUBNET
-	m = modstack_find(&worker->env.mesh->mods, "subnet");
-	if(m != -1) {
-		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
-			mods.mod[m]->get_mem));
-		subnet = (*worker->env.mesh->mods.mod[m]->get_mem)
-			(&worker->env, m);
-	}
+	subnet = mod_get_mem(&worker->env, "subnet");
 #endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+	ipsecmod = mod_get_mem(&worker->env, "ipsecmod");
+#endif /* USE_IPSECMOD */
 
 	if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
 		return 0;
@@ -917,6 +899,10 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 	if(!print_longnum(ssl, "mem.mod.subnet"SQ, subnet))
 		return 0;
 #endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+	if(!print_longnum(ssl, "mem.mod.ipsecmod"SQ, ipsecmod))
+		return 0;
+#endif /* USE_IPSECMOD */
 	return 1;
 }
 
@@ -941,7 +927,7 @@ print_uptime(SSL* ssl, struct worker* worker, int reset)
 
 /** print extended histogram */
 static int
-print_hist(SSL* ssl, struct stats_info* s)
+print_hist(SSL* ssl, struct ub_stats_info* s)
 {
 	struct timehist* hist;
 	size_t i;
@@ -969,14 +955,14 @@ print_hist(SSL* ssl, struct stats_info* s)
 
 /** print extended stats */
 static int
-print_ext(SSL* ssl, struct stats_info* s)
+print_ext(SSL* ssl, struct ub_stats_info* s)
 {
 	int i;
 	char nm[16];
 	const sldns_rr_descriptor* desc;
 	const sldns_lookup_table* lt;
 	/* TYPE */
-	for(i=0; i<STATS_QTYPE_NUM; i++) {
+	for(i=0; i<UB_STATS_QTYPE_NUM; i++) {
 		if(inhibit_zero && s->svr.qtype[i] == 0)
 			continue;
 		desc = sldns_rr_descript((uint16_t)i);
@@ -1003,7 +989,7 @@ print_ext(SSL* ssl, struct stats_info* s)
 			(unsigned long)s->svr.qtype_big)) return 0;
 	}
 	/* CLASS */
-	for(i=0; i<STATS_QCLASS_NUM; i++) {
+	for(i=0; i<UB_STATS_QCLASS_NUM; i++) {
 		if(inhibit_zero && s->svr.qclass[i] == 0)
 			continue;
 		lt = sldns_lookup_by_id(sldns_rr_classes, i);
@@ -1020,7 +1006,7 @@ print_ext(SSL* ssl, struct stats_info* s)
 			(unsigned long)s->svr.qclass_big)) return 0;
 	}
 	/* OPCODE */
-	for(i=0; i<STATS_OPCODE_NUM; i++) {
+	for(i=0; i<UB_STATS_OPCODE_NUM; i++) {
 		if(inhibit_zero && s->svr.qopcode[i] == 0)
 			continue;
 		lt = sldns_lookup_by_id(sldns_opcodes, i);
@@ -1062,7 +1048,7 @@ print_ext(SSL* ssl, struct stats_info* s)
 		(unsigned long)s->svr.qEDNS_DO)) return 0;
 
 	/* RCODE */
-	for(i=0; i<STATS_RCODE_NUM; i++) {
+	for(i=0; i<UB_STATS_RCODE_NUM; i++) {
 		/* Always include RCODEs 0-5 */
 		if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
 			continue;
@@ -1108,8 +1094,8 @@ static void
 do_stats(SSL* ssl, struct daemon_remote* rc, int reset)
 {
 	struct daemon* daemon = rc->worker->daemon;
-	struct stats_info total;
-	struct stats_info s;
+	struct ub_stats_info total;
+	struct ub_stats_info s;
 	int i;
 	log_assert(daemon->num > 0);
 	/* gather all thread statistics in one place */
@@ -1407,6 +1393,14 @@ do_view_zone_add(SSL* ssl, struct worker* worker, char* arg)
 			ssl_printf(ssl,"error out of memory\n");
 			return;
 		}
+		if(!v->isfirst) {
+			/* Global local-zone is not used for this view,
+			 * therefore add defaults to this view-specic
+			 * local-zone. */
+			struct config_file lz_cfg;
+			memset(&lz_cfg, 0, sizeof(lz_cfg));
+			local_zone_enter_defaults(v->local_zones, &lz_cfg);
+		}
 	}
 	do_zone_add(ssl, v->local_zones, arg2);
 	lock_rw_unlock(&v->lock);

contrib/unbound/daemon/stats.c

@@ -63,42 +63,42 @@
 
 /** add timers and the values do not overflow or become negative */
 static void
-timeval_add(struct timeval* d, const struct timeval* add)
+stats_timeval_add(long long* d_sec, long long* d_usec, long long add_sec, long long add_usec)
 {
 #ifndef S_SPLINT_S
-	d->tv_sec += add->tv_sec;
-	d->tv_usec += add->tv_usec;
-	if(d->tv_usec > 1000000) {
-		d->tv_usec -= 1000000;
-		d->tv_sec++;
+	(*d_sec) += add_sec;
+	(*d_usec) += add_usec;
+	if((*d_usec) > 1000000) {
+		(*d_usec) -= 1000000;
+		(*d_sec)++;
 	}
 #endif
 }
 
-void server_stats_init(struct server_stats* stats, struct config_file* cfg)
+void server_stats_init(struct ub_server_stats* stats, struct config_file* cfg)
 {
 	memset(stats, 0, sizeof(*stats));
 	stats->extended = cfg->stat_extended;
 }
 
-void server_stats_querymiss(struct server_stats* stats, struct worker* worker)
+void server_stats_querymiss(struct ub_server_stats* stats, struct worker* worker)
 {
 	stats->num_queries_missed_cache++;
 	stats->sum_query_list_size += worker->env.mesh->all.count;
-	if(worker->env.mesh->all.count > stats->max_query_list_size)
-		stats->max_query_list_size = worker->env.mesh->all.count;
+	if((long long)worker->env.mesh->all.count > stats->max_query_list_size)
+		stats->max_query_list_size = (long long)worker->env.mesh->all.count;
 }
 
-void server_stats_prefetch(struct server_stats* stats, struct worker* worker)
+void server_stats_prefetch(struct ub_server_stats* stats, struct worker* worker)
 {
 	stats->num_queries_prefetch++;
 	/* changes the query list size so account that, like a querymiss */
 	stats->sum_query_list_size += worker->env.mesh->all.count;
-	if(worker->env.mesh->all.count > stats->max_query_list_size)
-		stats->max_query_list_size = worker->env.mesh->all.count;
+	if((long long)worker->env.mesh->all.count > stats->max_query_list_size)
+		stats->max_query_list_size = (long long)worker->env.mesh->all.count;
 }
 
-void server_stats_log(struct server_stats* stats, struct worker* worker,
+void server_stats_log(struct ub_server_stats* stats, struct worker* worker,
 	int threadnum)
 {
 	log_info("server stats for thread %d: %u queries, "
@@ -115,7 +115,7 @@ void server_stats_log(struct server_stats* stats, struct worker* worker,
 		(unsigned)stats->max_query_list_size,
 		(stats->num_queries_missed_cache+stats->num_queries_prefetch)?
 			(double)stats->sum_query_list_size/
-			(stats->num_queries_missed_cache+
+			(double)(stats->num_queries_missed_cache+
 			stats->num_queries_prefetch) : 0.0,
 		(unsigned)worker->env.mesh->stats_dropped,
 		(unsigned)worker->env.mesh->stats_jostled);
@@ -140,49 +140,50 @@ get_rrset_bogus(struct worker* worker)
 }
 
 void
-server_stats_compile(struct worker* worker, struct stats_info* s, int reset)
+server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 {
 	int i;
 	struct listen_list* lp;
 
 	s->svr = worker->stats;
-	s->mesh_num_states = worker->env.mesh->all.count;
-	s->mesh_num_reply_states = worker->env.mesh->num_reply_states;
-	s->mesh_jostled = worker->env.mesh->stats_jostled;
-	s->mesh_dropped = worker->env.mesh->stats_dropped;
-	s->mesh_replies_sent = worker->env.mesh->replies_sent;
-	s->mesh_replies_sum_wait = worker->env.mesh->replies_sum_wait;
+	s->mesh_num_states = (long long)worker->env.mesh->all.count;
+	s->mesh_num_reply_states = (long long)worker->env.mesh->num_reply_states;
+	s->mesh_jostled = (long long)worker->env.mesh->stats_jostled;
+	s->mesh_dropped = (long long)worker->env.mesh->stats_dropped;
+	s->mesh_replies_sent = (long long)worker->env.mesh->replies_sent;
+	s->mesh_replies_sum_wait_sec = (long long)worker->env.mesh->replies_sum_wait.tv_sec;
+	s->mesh_replies_sum_wait_usec = (long long)worker->env.mesh->replies_sum_wait.tv_usec;
 	s->mesh_time_median = timehist_quartile(worker->env.mesh->histogram,
 		0.50);
 
 	/* add in the values from the mesh */
-	s->svr.ans_secure += worker->env.mesh->ans_secure;
-	s->svr.ans_bogus += worker->env.mesh->ans_bogus;
-	s->svr.ans_rcode_nodata += worker->env.mesh->ans_nodata;
+	s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
+	s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
+	s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
 	for(i=0; i<16; i++)
-		s->svr.ans_rcode[i] += worker->env.mesh->ans_rcode[i];
+		s->svr.ans_rcode[i] += (long long)worker->env.mesh->ans_rcode[i];
 	timehist_export(worker->env.mesh->histogram, s->svr.hist, 
 		NUM_BUCKETS_HIST);
 	/* values from outside network */
-	s->svr.unwanted_replies = worker->back->unwanted_replies;
-	s->svr.qtcp_outgoing = worker->back->num_tcp_outgoing;
+	s->svr.unwanted_replies = (long long)worker->back->unwanted_replies;
+	s->svr.qtcp_outgoing = (long long)worker->back->num_tcp_outgoing;
 
 	/* get and reset validator rrset bogus number */
-	s->svr.rrset_bogus = get_rrset_bogus(worker);
+	s->svr.rrset_bogus = (long long)get_rrset_bogus(worker);
 
 	/* get cache sizes */
-	s->svr.msg_cache_count = count_slabhash_entries(worker->env.msg_cache);
-	s->svr.rrset_cache_count = count_slabhash_entries(&worker->env.rrset_cache->table);
-	s->svr.infra_cache_count = count_slabhash_entries(worker->env.infra_cache->hosts);
+	s->svr.msg_cache_count = (long long)count_slabhash_entries(worker->env.msg_cache);
+	s->svr.rrset_cache_count = (long long)count_slabhash_entries(&worker->env.rrset_cache->table);
+	s->svr.infra_cache_count = (long long)count_slabhash_entries(worker->env.infra_cache->hosts);
 	if(worker->env.key_cache)
-		s->svr.key_cache_count = count_slabhash_entries(worker->env.key_cache->slab);
+		s->svr.key_cache_count = (long long)count_slabhash_entries(worker->env.key_cache->slab);
 	else	s->svr.key_cache_count = 0;
 
 	/* get tcp accept usage */
 	s->svr.tcp_accept_usage = 0;
 	for(lp = worker->front->cps; lp; lp = lp->next) {
 		if(lp->com->type == comm_tcp_accept)
-			s->svr.tcp_accept_usage += lp->com->cur_tcp_count;
+			s->svr.tcp_accept_usage += (long long)lp->com->cur_tcp_count;
 	}
 
 	if(reset && !worker->env.cfg->stat_cumulative) {
@@ -191,7 +192,7 @@ server_stats_compile(struct worker* worker, struct stats_info* s, int reset)
 }
 
 void server_stats_obtain(struct worker* worker, struct worker* who,
-	struct stats_info* s, int reset)
+	struct ub_stats_info* s, int reset)
 {
 	uint8_t *reply = NULL;
 	uint32_t len = 0;
@@ -217,7 +218,7 @@ void server_stats_obtain(struct worker* worker, struct worker* who,
 
 void server_stats_reply(struct worker* worker, int reset)
 {
-	struct stats_info s;
+	struct ub_stats_info s;
 	server_stats_compile(worker, &s, reset);
 	verbose(VERB_ALGO, "write stats replymsg");
 	if(!tube_write_msg(worker->daemon->workers[0]->cmd, 
@@ -225,7 +226,7 @@ void server_stats_reply(struct worker* worker, int reset)
 		fatal_exit("could not write stat values over cmd channel");
 }
 
-void server_stats_add(struct stats_info* total, struct stats_info* a)
+void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 {
 	total->svr.num_queries += a->svr.num_queries;
 	total->svr.num_queries_ip_ratelimited += a->svr.num_queries_ip_ratelimited;
@@ -269,13 +270,13 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
 		total->svr.unwanted_replies += a->svr.unwanted_replies;
 		total->svr.unwanted_queries += a->svr.unwanted_queries;
 		total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;
-		for(i=0; i<STATS_QTYPE_NUM; i++)
+		for(i=0; i<UB_STATS_QTYPE_NUM; i++)
 			total->svr.qtype[i] += a->svr.qtype[i];
-		for(i=0; i<STATS_QCLASS_NUM; i++)
+		for(i=0; i<UB_STATS_QCLASS_NUM; i++)
 			total->svr.qclass[i] += a->svr.qclass[i];
-		for(i=0; i<STATS_OPCODE_NUM; i++)
+		for(i=0; i<UB_STATS_OPCODE_NUM; i++)
 			total->svr.qopcode[i] += a->svr.qopcode[i];
-		for(i=0; i<STATS_RCODE_NUM; i++)
+		for(i=0; i<UB_STATS_RCODE_NUM; i++)
 			total->svr.ans_rcode[i] += a->svr.ans_rcode[i];
 		for(i=0; i<NUM_BUCKETS_HIST; i++)
 			total->svr.hist[i] += a->svr.hist[i];
@@ -286,22 +287,22 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
 	total->mesh_jostled += a->mesh_jostled;
 	total->mesh_dropped += a->mesh_dropped;
 	total->mesh_replies_sent += a->mesh_replies_sent;
-	timeval_add(&total->mesh_replies_sum_wait, &a->mesh_replies_sum_wait);
+	stats_timeval_add(&total->mesh_replies_sum_wait_sec, &total->mesh_replies_sum_wait_usec, a->mesh_replies_sum_wait_sec, a->mesh_replies_sum_wait_usec);
 	/* the medians are averaged together, this is not as accurate as
 	 * taking the median over all of the data, but is good and fast
 	 * added up here, division later*/
 	total->mesh_time_median += a->mesh_time_median;
 }
 
-void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
+void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
 	uint16_t qtype, uint16_t qclass, struct edns_data* edns,
 	struct comm_reply* repinfo)
 {
 	uint16_t flags = sldns_buffer_read_u16_at(c->buffer, 2);
-	if(qtype < STATS_QTYPE_NUM)
+	if(qtype < UB_STATS_QTYPE_NUM)
 		stats->qtype[qtype]++;
 	else	stats->qtype_big++;
-	if(qclass < STATS_QCLASS_NUM)
+	if(qclass < UB_STATS_QCLASS_NUM)
 		stats->qclass[qclass]++;
 	else	stats->qclass_big++;
 	stats->qopcode[ LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) ]++;
@@ -332,7 +333,7 @@ void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
 	}
 }
 
-void server_stats_insrcode(struct server_stats* stats, sldns_buffer* buf)
+void server_stats_insrcode(struct ub_server_stats* stats, sldns_buffer* buf)
 {
 	if(stats->extended && sldns_buffer_limit(buf) != 0) {
 		int r = (int)LDNS_RCODE_WIRE( sldns_buffer_begin(buf) );

contrib/unbound/daemon/stats.h

@@ -43,7 +43,6 @@
 #ifndef DAEMON_STATS_H
 #define DAEMON_STATS_H
 #include "util/timehist.h"
-#include "dnscrypt/dnscrypt_config.h"
 struct worker;
 struct config_file;
 struct comm_point;
@@ -51,156 +50,24 @@ struct comm_reply;
 struct edns_data;
 struct sldns_buffer;
 
-/** number of qtype that is stored for in array */
-#define STATS_QTYPE_NUM 256
-/** number of qclass that is stored for in array */
-#define STATS_QCLASS_NUM 256
-/** number of rcodes in stats */
-#define STATS_RCODE_NUM 16
-/** number of opcodes in stats */
-#define STATS_OPCODE_NUM 16
-
-/** per worker statistics */
-struct server_stats {
-	/** number of queries from clients received. */
-	size_t num_queries;
-	/** number of queries that have been dropped/ratelimited by ip. */
-	size_t num_queries_ip_ratelimited;
-	/** number of queries that had a cache-miss. */
-	size_t num_queries_missed_cache;
-	/** number of prefetch queries - cachehits with prefetch */
-	size_t num_queries_prefetch;
-
-	/**
-	 * Sum of the querylistsize of the worker for 
-	 * every query that missed cache. To calculate average.
-	 */
-	size_t sum_query_list_size;
-	/** max value of query list size reached. */
-	size_t max_query_list_size;
-
-	/** Extended stats below (bool) */
-	int extended;
-
-	/** qtype stats */
-	size_t qtype[STATS_QTYPE_NUM];
-	/** bigger qtype values not in array */
-	size_t qtype_big;
-	/** qclass stats */
-	size_t qclass[STATS_QCLASS_NUM];
-	/** bigger qclass values not in array */
-	size_t qclass_big;
-	/** query opcodes */
-	size_t qopcode[STATS_OPCODE_NUM];
-	/** number of queries over TCP */
-	size_t qtcp;
-	/** number of outgoing queries over TCP */
-	size_t qtcp_outgoing;
-	/** number of queries over IPv6 */
-	size_t qipv6;
-	/** number of queries with QR bit */
-	size_t qbit_QR;
-	/** number of queries with AA bit */
-	size_t qbit_AA;
-	/** number of queries with TC bit */
-	size_t qbit_TC;
-	/** number of queries with RD bit */
-	size_t qbit_RD;
-	/** number of queries with RA bit */
-	size_t qbit_RA;
-	/** number of queries with Z bit */
-	size_t qbit_Z;
-	/** number of queries with AD bit */
-	size_t qbit_AD;
-	/** number of queries with CD bit */
-	size_t qbit_CD;
-	/** number of queries with EDNS OPT record */
-	size_t qEDNS;
-	/** number of queries with EDNS with DO flag */
-	size_t qEDNS_DO;
-	/** answer rcodes */
-	size_t ans_rcode[STATS_RCODE_NUM];
-	/** answers with pseudo rcode 'nodata' */
-	size_t ans_rcode_nodata;
-	/** answers that were secure (AD) */
-	size_t ans_secure;
-	/** answers that were bogus (withheld as SERVFAIL) */
-	size_t ans_bogus;
-	/** rrsets marked bogus by validator */
-	size_t rrset_bogus;
-	/** unwanted traffic received on server-facing ports */
-	size_t unwanted_replies;
-	/** unwanted traffic received on client-facing ports */
-	size_t unwanted_queries;
-	/** usage of tcp accept list */
-	size_t tcp_accept_usage;
-	/** answers served from expired cache */
-	size_t zero_ttl_responses;
-	/** histogram data exported to array 
-	 * if the array is the same size, no data is lost, and
-	 * if all histograms are same size (is so by default) then
-	 * adding up works well. */
-	size_t hist[NUM_BUCKETS_HIST];
-	
-	/** number of message cache entries */
-	size_t msg_cache_count;
-	/** number of rrset cache entries */
-	size_t rrset_cache_count;
-	/** number of infra cache entries */
-	size_t infra_cache_count;
-	/** number of key cache entries */
-	size_t key_cache_count;
-#ifdef USE_DNSCRYPT
-    /** number of queries that used dnscrypt */
-    size_t num_query_dnscrypt_crypted;
-    /** number of queries that queried dnscrypt certificates */
-    size_t num_query_dnscrypt_cert;
-    /** number of queries in clear text and not asking for the certificates */
-    size_t num_query_dnscrypt_cleartext;
-    /** number of malformed encrypted queries */
-    size_t num_query_dnscrypt_crypted_malformed;
-#endif
-};
-
-/** 
- * Statistics to send over the control pipe when asked
- * This struct is made to be memcpied, sent in binary.
- */
-struct stats_info {
-	/** the thread stats */
-	struct server_stats svr;
-
-	/** mesh stats: current number of states */
-	size_t mesh_num_states;
-	/** mesh stats: current number of reply (user) states */
-	size_t mesh_num_reply_states;
-	/** mesh stats: number of reply states overwritten with a new one */
-	size_t mesh_jostled;
-	/** mesh stats: number of incoming queries dropped */
-	size_t mesh_dropped;
-	/** mesh stats: replies sent */
-	size_t mesh_replies_sent;
-	/** mesh stats: sum of waiting times for the replies */
-	struct timeval mesh_replies_sum_wait;
-	/** mesh stats: median of waiting times for replies (in sec) */
-	double mesh_time_median;
-};
+/* stats struct */
+#include "libunbound/unbound.h"
 
 /** 
  * Initialize server stats to 0.
  * @param stats: what to init (this is alloced by the caller).
  * @param cfg: with extended statistics option.
  */
-void server_stats_init(struct server_stats* stats, struct config_file* cfg);
+void server_stats_init(struct ub_server_stats* stats, struct config_file* cfg);
 
 /** add query if it missed the cache */
-void server_stats_querymiss(struct server_stats* stats, struct worker* worker);
+void server_stats_querymiss(struct ub_server_stats* stats, struct worker* worker);
 
 /** add query if was cached and also resulted in a prefetch */
-void server_stats_prefetch(struct server_stats* stats, struct worker* worker);
+void server_stats_prefetch(struct ub_server_stats* stats, struct worker* worker);
 
 /** display the stats to the log */
-void server_stats_log(struct server_stats* stats, struct worker* worker,
+void server_stats_log(struct ub_server_stats* stats, struct worker* worker,
 	int threadnum);
 
 /**
@@ -211,7 +78,7 @@ void server_stats_log(struct server_stats* stats, struct worker* worker,
  * @param reset: if stats can be reset.
  */
 void server_stats_obtain(struct worker* worker, struct worker* who,
-	struct stats_info* s, int reset);
+	struct ub_stats_info* s, int reset);
 
 /**
  * Compile stats into structure for this thread worker.
@@ -221,7 +88,7 @@ void server_stats_obtain(struct worker* worker, struct worker* who,
  * @param reset: if true, depending on config stats are reset.
  * 	if false, statistics are not reset.
  */
-void server_stats_compile(struct worker* worker, struct stats_info* s, 
+void server_stats_compile(struct worker* worker, struct ub_stats_info* s, 
 	int reset);
 
 /**
@@ -237,7 +104,7 @@ void server_stats_reply(struct worker* worker, int reset);
  * @param total: sum of the two entries.
  * @param a: to add to it.
  */
-void server_stats_add(struct stats_info* total, struct stats_info* a);
+void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a);
 
 /**
  * Add stats for this query
@@ -248,7 +115,7 @@ void server_stats_add(struct stats_info* total, struct stats_info* a);
  * @param edns: edns record
  * @param repinfo: reply info with remote address
  */
-void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
+void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
 	uint16_t qtype, uint16_t qclass, struct edns_data* edns, 
 	struct comm_reply* repinfo);
 
@@ -257,6 +124,6 @@ void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
  * @param stats: the stats
  * @param buf: buffer with rcode. If buffer is length0: not counted.
  */
-void server_stats_insrcode(struct server_stats* stats, struct sldns_buffer* buf);
+void server_stats_insrcode(struct ub_server_stats* stats, struct sldns_buffer* buf);
 
 #endif /* DAEMON_STATS_H */

contrib/unbound/daemon/worker.c

@@ -811,6 +811,8 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns,
 	if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL,
 		LDNS_RCODE_NOERROR, edns, worker->scratchpad))
 			edns->opt_list = NULL;
+	if(sldns_buffer_capacity(pkt) >=
+		sldns_buffer_limit(pkt)+calc_edns_field_size(edns))
 		attach_edns_record(pkt, edns);
 }
 
@@ -1021,22 +1023,27 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	}
 	if(c->dnscrypt && !repinfo->is_dnscrypted) {
 		char buf[LDNS_MAX_DOMAINLEN+1];
-        // Check if this is unencrypted and asking for certs
+		/* Check if this is unencrypted and asking for certs */
 		if(worker_check_request(c->buffer, worker) != 0) {
-            verbose(VERB_ALGO, "dnscrypt: worker check request: bad query.");
-            log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+			verbose(VERB_ALGO,
+				"dnscrypt: worker check request: bad query.");
+			log_addr(VERB_CLIENT,"from",&repinfo->addr,
+				repinfo->addrlen);
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
 		if(!query_info_parse(&qinfo, c->buffer)) {
-            verbose(VERB_ALGO, "dnscrypt: worker parse request: formerror.");
-            log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+			verbose(VERB_ALGO,
+				"dnscrypt: worker parse request: formerror.");
+			log_addr(VERB_CLIENT, "from", &repinfo->addr,
+				repinfo->addrlen);
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
 		dname_str(qinfo.qname, buf);
 		if(!(qinfo.qtype == LDNS_RR_TYPE_TXT &&
-             strcasecmp(buf, worker->daemon->dnscenv->provider_name) == 0)) {
+			strcasecmp(buf,
+			worker->daemon->dnscenv->provider_name) == 0)) {
 			verbose(VERB_ALGO,
 				"dnscrypt: not TXT %s. Receive: %s %s",
 				worker->daemon->dnscenv->provider_name,
@@ -1182,6 +1189,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,
 			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 			sldns_buffer_read_u16_at(c->buffer, 2), NULL);
+		if(sldns_buffer_capacity(c->buffer) >=
+			sldns_buffer_limit(c->buffer)+calc_edns_field_size(&edns))
 			attach_edns_record(c->buffer, &edns);
 		regional_free_all(worker->scratchpad);
 		goto send_reply;
@@ -1664,6 +1673,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
 	worker->env.mesh = mesh_create(&worker->daemon->mods, &worker->env);
 	worker->env.detach_subs = &mesh_detach_subs;
 	worker->env.attach_sub = &mesh_attach_sub;
+	worker->env.add_sub = &mesh_add_sub;
 	worker->env.kill_sub = &mesh_state_delete;
 	worker->env.detect_cycle = &mesh_detect_cycle;
 	worker->env.scratch_buffer = sldns_buffer_new(cfg->msg_buffer_size);

contrib/unbound/daemon/worker.h

@@ -116,7 +116,7 @@ struct worker {
 	/** allocation cache for this thread */
 	struct alloc_cache alloc;
 	/** per thread statistics */
-	struct server_stats stats;
+	struct ub_server_stats stats;
 	/** thread scratch regional */
 	struct regional* scratchpad;
 

contrib/unbound/dnscrypt/cert.h

@@ -20,12 +20,12 @@ struct SignedCert {
     uint8_t version_minor[2];
 
     // Signed Content
+    uint8_t signed_content[64];
     uint8_t server_publickey[crypto_box_PUBLICKEYBYTES];
     uint8_t magic_query[8];
     uint8_t serial[4];
     uint8_t ts_begin[4];
     uint8_t ts_end[4];
-    uint8_t end[64];
 };
 
 

contrib/unbound/dnscrypt/dnscrypt.c

@@ -15,6 +15,7 @@
 
 #include "dnscrypt/cert.h"
 #include "dnscrypt/dnscrypt.h"
+#include "dnscrypt/dnscrypt_config.h"
 
 #include <ctype.h>
 
@@ -35,18 +36,18 @@
     (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES + crypto_box_HALF_NONCEBYTES)
 
 /**
- * Decrypt a query using the keypair that was found using dnsc_find_keypair.
+ * Decrypt a query using the dnsccert that was found using dnsc_find_cert.
  * The client nonce will be extracted from the encrypted query and stored in
  * client_nonce, a shared secret will be computed and stored in nmkey and the
  * buffer will be decrypted inplace.
- * \param[in] keypair the keypair that matches this encrypted query.
+ * \param[in] cert the cert that matches this encrypted query.
  * \param[in] client_nonce where the client nonce will be stored.
  * \param[in] nmkey where the shared secret key will be written.
  * \param[in] buffer the encrypted buffer.
  * \return 0 on success.
  */
 static int
-dnscrypt_server_uncurve(const KeyPair *keypair,
+dnscrypt_server_uncurve(const dnsccert *cert,
                         uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
                         uint8_t nmkey[crypto_box_BEFORENMBYTES],
                         struct sldns_buffer* buffer)
@@ -62,24 +63,47 @@ dnscrypt_server_uncurve(const KeyPair *keypair,
 
     query_header = (struct dnscrypt_query_header *)buf;
     memcpy(nmkey, query_header->publickey, crypto_box_PUBLICKEYBYTES);
-    if (crypto_box_beforenm(nmkey, nmkey, keypair->crypt_secretkey) != 0) {
+    if(cert->es_version[1] == 2) {
+#ifdef USE_DNSCRYPT_XCHACHA20
+        if (crypto_box_curve25519xchacha20poly1305_beforenm(
+                nmkey, nmkey, cert->keypair->crypt_secretkey) != 0) {
             return -1;
         }
+#else
+        return -1;
+#endif
+    } else {
+        if (crypto_box_beforenm(nmkey, nmkey, cert->keypair->crypt_secretkey) != 0) {
+            return -1;
+        }
+    }
 
     memcpy(nonce, query_header->nonce, crypto_box_HALF_NONCEBYTES);
     memset(nonce + crypto_box_HALF_NONCEBYTES, 0, crypto_box_HALF_NONCEBYTES);
 
-    sldns_buffer_set_at(buffer,
-                        DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
-                        0, crypto_box_BOXZEROBYTES);
-
-    if (crypto_box_open_afternm
-        (buf + DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
-         buf + DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
-         len - DNSCRYPT_QUERY_BOX_OFFSET + crypto_box_BOXZEROBYTES, nonce,
+    if(cert->es_version[1] == 2) {
+#ifdef USE_DNSCRYPT_XCHACHA20
+        if (crypto_box_curve25519xchacha20poly1305_open_easy_afternm
+                (buf,
+                buf + DNSCRYPT_QUERY_BOX_OFFSET,
+                len - DNSCRYPT_QUERY_BOX_OFFSET, nonce,
                 nmkey) != 0) {
             return -1;
         }
+#else
+        return -1;
+#endif
+    } else {
+        if (crypto_box_open_easy_afternm
+            (buf,
+             buf + DNSCRYPT_QUERY_BOX_OFFSET,
+             len - DNSCRYPT_QUERY_BOX_OFFSET, nonce,
+             nmkey) != 0) {
+            return -1;
+        }
+    }
+
+    len -= DNSCRYPT_QUERY_HEADER_SIZE;
 
     while (*sldns_buffer_at(buffer, --len) == 0)
 	    ;
@@ -89,12 +113,9 @@ dnscrypt_server_uncurve(const KeyPair *keypair,
     }
 
     memcpy(client_nonce, nonce, crypto_box_HALF_NONCEBYTES);
-    memmove(sldns_buffer_begin(buffer),
-            sldns_buffer_at(buffer, DNSCRYPT_QUERY_HEADER_SIZE),
-            len - DNSCRYPT_QUERY_HEADER_SIZE);
 
     sldns_buffer_set_position(buffer, 0);
-    sldns_buffer_set_limit(buffer, len - DNSCRYPT_QUERY_HEADER_SIZE);
+    sldns_buffer_set_limit(buffer, len);
 
     return 0;
 }
@@ -182,10 +203,10 @@ add_server_nonce(uint8_t *nonce)
 }
 
 /**
- * Encrypt a reply using the keypair that was used with the query.
+ * Encrypt a reply using the dnsccert that was used with the query.
  * The client nonce will be extracted from the encrypted query and stored in
  * The buffer will be encrypted inplace.
- * \param[in] keypair the keypair that matches this encrypted query.
+ * \param[in] cert the dnsccert that matches this encrypted query.
  * \param[in] client_nonce client nonce used during the query
  * \param[in] nmkey shared secret key used during the query.
  * \param[in] buffer the buffer where to encrypt the reply.
@@ -194,7 +215,7 @@ add_server_nonce(uint8_t *nonce)
  * \return 0 on success.
  */
 static int
-dnscrypt_server_curve(const KeyPair *keypair,
+dnscrypt_server_curve(const dnsccert *cert,
                       uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
                       uint8_t nmkey[crypto_box_BEFORENMBYTES],
                       struct sldns_buffer* buffer,
@@ -223,7 +244,7 @@ dnscrypt_server_curve(const KeyPair *keypair,
     memmove(boxed + crypto_box_MACBYTES, buf, len);
     len = dnscrypt_pad(boxed + crypto_box_MACBYTES, len,
                        max_len - DNSCRYPT_REPLY_HEADER_SIZE, nonce,
-                       keypair->crypt_secretkey);
+                       cert->keypair->crypt_secretkey);
     sldns_buffer_set_at(buffer,
                         DNSCRYPT_REPLY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
                         0, crypto_box_ZEROBYTES);
@@ -231,11 +252,21 @@ dnscrypt_server_curve(const KeyPair *keypair,
     // add server nonce extension
     add_server_nonce(nonce);
 
-    if (crypto_box_afternm
-        (boxed - crypto_box_BOXZEROBYTES, boxed - crypto_box_BOXZEROBYTES,
-         len + crypto_box_ZEROBYTES, nonce, nmkey) != 0) {
+    if(cert->es_version[1] == 2) {
+#ifdef USE_DNSCRYPT_XCHACHA20
+        if (crypto_box_curve25519xchacha20poly1305_easy_afternm
+            (boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) {
             return -1;
         }
+#else
+        return -1;
+#endif
+    } else {
+        if (crypto_box_easy_afternm
+            (boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) {
+            return -1;
+        }
+    }
 
     sldns_buffer_write_at(buffer, 0, DNSCRYPT_MAGIC_RESPONSE, DNSCRYPT_MAGIC_HEADER_LEN);
     sldns_buffer_write_at(buffer, DNSCRYPT_MAGIC_HEADER_LEN, nonce, crypto_box_NONCEBYTES);
@@ -266,6 +297,25 @@ dnsc_read_from_file(char *fname, char *buf, size_t count)
 	return 0;
 }
 
+/**
+ * Given an absolute path on the original root, returns the absolute path
+ * within the chroot. If chroot is disabled, the path is not modified.
+ * No char * is malloced so there is no need to free this.
+ * \param[in] cfg the configuration.
+ * \param[in] path the path from the original root.
+ * \return the path from inside the chroot.
+ */
+static char *
+dnsc_chroot_path(struct config_file *cfg, char *path)
+{
+	char *nm;
+	nm = path;
+	if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
+		cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
+		nm += strlen(cfg->chrootdir);
+	return nm;
+}
+
 /**
  * Parse certificates files provided by the configuration and load them into
  * dnsc_env.
@@ -278,6 +328,7 @@ dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
 {
 	struct config_strlist *head;
 	size_t signed_cert_id;
+	char *nm;
 
 	env->signed_certs_count = 0U;
 	for (head = cfg->dnscrypt_provider_cert; head; head = head->next) {
@@ -288,8 +339,9 @@ dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
 
 	signed_cert_id = 0U;
 	for(head = cfg->dnscrypt_provider_cert; head; head = head->next, signed_cert_id++) {
+		nm = dnsc_chroot_path(cfg, head->str);
 		if(dnsc_read_from_file(
-				head->str,
+				nm,
 				(char *)(env->signed_certs + signed_cert_id),
 				sizeof(struct SignedCert)) != 0) {
 			fatal_exit("dnsc_parse_certs: failed to load %s: %s", head->str, strerror(errno));
@@ -326,16 +378,17 @@ dnsc_key_to_fingerprint(char fingerprint[80U], const uint8_t * const key)
 }
 
 /**
- * Find the keypair matching a DNSCrypt query.
- * \param[in] dnscenv The DNSCrypt enviroment, which contains the list of keys
+ * Find the cert matching a DNSCrypt query.
+ * \param[in] dnscenv The DNSCrypt enviroment, which contains the list of certs
  * supported by the server.
  * \param[in] buffer The encrypted DNS query.
- * \return a KeyPair * if we found a key pair matching the query, NULL otherwise.
+ * \return a dnsccert * if we found a cert matching the magic_number of the
+ * query, NULL otherwise.
  */
-static const KeyPair *
-dnsc_find_keypair(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
+static const dnsccert *
+dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
 {
-	const KeyPair *keypairs = dnscenv->keypairs;
+	const dnsccert *certs = dnscenv->certs;
 	struct dnscrypt_query_header *dnscrypt_header;
 	size_t i;
 
@@ -343,10 +396,10 @@ dnsc_find_keypair(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
 		return NULL;
 	}
 	dnscrypt_header = (struct dnscrypt_query_header *)sldns_buffer_begin(buffer);
-	for (i = 0U; i < dnscenv->keypairs_count; i++) {
-		if (memcmp(keypairs[i].crypt_publickey, dnscrypt_header->magic_query,
+	for (i = 0U; i < dnscenv->signed_certs_count; i++) {
+		if (memcmp(certs[i].magic_query, dnscrypt_header->magic_query,
                    DNSCRYPT_MAGIC_HEADER_LEN) == 0) {
-			return &keypairs[i];
+			return &certs[i];
 		}
 	}
 	return NULL;
@@ -404,9 +457,33 @@ dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg)
     return dnscenv->signed_certs_count;
 }
 
+static const char *
+key_get_es_version(uint8_t version[2])
+{
+    struct es_version {
+        uint8_t es_version[2];
+        const char *name;
+    };
+
+    struct es_version es_versions[] = {
+        {{0x00, 0x01}, "X25519-XSalsa20Poly1305"},
+        {{0x00, 0x02}, "X25519-XChacha20Poly1305"},
+    };
+    int i;
+    for(i=0; i < (int)sizeof(es_versions); i++){
+        if(es_versions[i].es_version[0] == version[0] &&
+           es_versions[i].es_version[1] == version[1]){
+            return es_versions[i].name;
+        }
+    }
+    return NULL;
+}
+
+
 /**
  * Parse the secret key files from `dnscrypt-secret-key` config and populates
- * a list of secret/public keys supported by dnscrypt listener.
+ * a list of dnsccert with es_version, magic number and secret/public keys
+ * supported by dnscrypt listener.
  * \param[in] env The dnsc_env structure which will hold the keypairs.
  * \param[in] cfg The config with the secret key file paths.
  */
@@ -414,33 +491,76 @@ static int
 dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg)
 {
 	struct config_strlist *head;
-	size_t keypair_id;
+	size_t cert_id, keypair_id;
+	size_t c;
+	char *nm;
 
 	env->keypairs_count = 0U;
 	for (head = cfg->dnscrypt_secret_key; head; head = head->next) {
 		env->keypairs_count++;
 	}
+
 	env->keypairs = sodium_allocarray(env->keypairs_count,
 		sizeof *env->keypairs);
+	env->certs = sodium_allocarray(env->signed_certs_count, 
+		sizeof *env->certs);
 
+	cert_id = 0U;
 	keypair_id = 0U;
 	for(head = cfg->dnscrypt_secret_key; head; head = head->next, keypair_id++) {
 		char fingerprint[80];
+		int found_cert = 0;
+		KeyPair *current_keypair = &env->keypairs[keypair_id];
+		nm = dnsc_chroot_path(cfg, head->str);
 		if(dnsc_read_from_file(
-				head->str,
-				(char *)(env->keypairs[keypair_id].crypt_secretkey),
+				nm,
+				(char *)(current_keypair->crypt_secretkey),
 				crypto_box_SECRETKEYBYTES) != 0) {
 			fatal_exit("dnsc_parse_keys: failed to load %s: %s", head->str, strerror(errno));
 		}
 		verbose(VERB_OPS, "Loaded key %s", head->str);
-		if (crypto_scalarmult_base(env->keypairs[keypair_id].crypt_publickey,
-								   env->keypairs[keypair_id].crypt_secretkey) != 0) {
+		if (crypto_scalarmult_base(current_keypair->crypt_publickey,
+			current_keypair->crypt_secretkey) != 0) {
 			fatal_exit("dnsc_parse_keys: could not generate public key from %s", head->str);
 		}
-		dnsc_key_to_fingerprint(fingerprint, env->keypairs[keypair_id].crypt_publickey);
+		dnsc_key_to_fingerprint(fingerprint, current_keypair->crypt_publickey);
 		verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s", head->str, fingerprint);
+		// find the cert matching this key
+		for(c = 0; c < env->signed_certs_count; c++) {
+			if(memcmp(current_keypair->crypt_publickey,
+				env->signed_certs[c].server_publickey,
+				crypto_box_PUBLICKEYBYTES) == 0) {
+				dnsccert *current_cert = &env->certs[cert_id++];
+				found_cert = 1;
+				current_cert->keypair = current_keypair;
+				memcpy(current_cert->magic_query,
+				       env->signed_certs[c].magic_query,
+					sizeof env->signed_certs[c].magic_query);
+				memcpy(current_cert->es_version,
+				       env->signed_certs[c].version_major,
+				       sizeof env->signed_certs[c].version_major
+				);
+				dnsc_key_to_fingerprint(fingerprint,
+							current_cert->keypair->crypt_publickey);
+				verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s",
+					head->str, fingerprint);
+				verbose(VERB_OPS, "Using %s",
+					key_get_es_version(current_cert->es_version));
+#ifndef USE_DNSCRYPT_XCHACHA20
+				if (current_cert->es_version[1] == 0x02) {
+				    fatal_exit("Certificate for XChacha20 but libsodium does not support it.");
 				}
-	return keypair_id;
+#endif
+
+            		}
+        	}
+		if (!found_cert) {
+		    fatal_exit("dnsc_parse_keys: could not match certificate for key "
+			       "%s. Unable to determine ES version.",
+			       head->str);
+		}
+	}
+	return cert_id;
 }
 
 
@@ -463,8 +583,8 @@ dnsc_handle_curved_request(struct dnsc_env* dnscenv,
     // Attempt to decrypt the query. If it is not crypted, we may still need
     // to serve the certificate.
     verbose(VERB_ALGO, "handle request called on DNSCrypt socket");
-    if ((repinfo->keypair = dnsc_find_keypair(dnscenv, c->buffer)) != NULL) {
-        if(dnscrypt_server_uncurve(repinfo->keypair,
+    if ((repinfo->dnsc_cert = dnsc_find_cert(dnscenv, c->buffer)) != NULL) {
+        if(dnscrypt_server_uncurve(repinfo->dnsc_cert,
                                    repinfo->client_nonce,
                                    repinfo->nmkey,
                                    c->buffer) != 0){
@@ -488,7 +608,7 @@ dnsc_handle_uncurved_request(struct comm_reply *repinfo)
     if(!repinfo->is_dnscrypted) {
         return 1;
     }
-	if(dnscrypt_server_curve(repinfo->keypair,
+	if(dnscrypt_server_curve(repinfo->dnsc_cert,
                              repinfo->client_nonce,
                              repinfo->nmkey,
                              repinfo->c->dnscrypt_buffer,

contrib/unbound/dnscrypt/dnscrypt.h

@@ -44,8 +44,15 @@ typedef struct KeyPair_ {
     uint8_t crypt_secretkey[crypto_box_SECRETKEYBYTES];
 } KeyPair;
 
+typedef struct cert_ {
+    uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
+    uint8_t es_version[2];
+    KeyPair *keypair;
+} dnsccert;
+
 struct dnsc_env {
 	struct SignedCert *signed_certs;
+    dnsccert *certs;
 	size_t signed_certs_count;
 	uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
 	uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];

contrib/unbound/dnscrypt/dnscrypt.m4

@@ -18,8 +18,19 @@ AC_DEFUN([dnsc_DNSCRYPT],
     ])
     AC_SEARCH_LIBS([sodium_init], [sodium], [],
       AC_MSG_ERROR([The sodium library was not found. Please install sodium!]))
+    AC_SEARCH_LIBS([crypto_box_curve25519xchacha20poly1305_beforenm], [sodium],
+        [
+            AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [1])
+            AC_DEFINE(
+                [USE_DNSCRYPT_XCHACHA20], [1],
+                [Define to 1 to enable dnscrypt with xchacha20 support])
+        ],
+        [
+            AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [0])
+        ])
     $1
   else
+    AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [0])
     $2
   fi
 ])

contrib/unbound/doc/Changelog

@@ -1,12 +1,198 @@
+22 June 2017: Wouter
+	- Tag 1.6.4rc2
+
+22 June 2017: Ralph
+	- Added fastrpz patch to contrib
+
+21 June 2017: Wouter
+	- Fix #1316: heap read buffer overflow in parse_edns_options.
+
+20 June 2017: Wouter
+	- Fix warning in pythonmod under clang compiler.
+	- Tag 1.6.4rc1
+	- Fix lintian typo.
+
+16 June 2017: Ralph
+	- Fix #1277: disable domain ratelimit by setting value to 0.
+
+16 June 2017: Wouter
+	- Fix #1301: memory leak in respip and tests.
+	- Free callback in edns-subnetmod on exit and restart.
+	- Fix memory leak in sldns_buffer_new_frm_data.
+	- Fix memory leak in dnscrypt config read.
+	- Fix dnscrypt chacha cert support ifdefs.
+	- Fix dnscrypt chacha cert unit test escapes in grep.
+	- Remove asynclook tests that cause test and purifier problems.
+	- Fix to unlock view in view test.
+
+15 June 2017: Wouter
+	- Fix stub zone queries leaking to the internet for
+	  harden-referral-path ns checks.
+	- Fix query for refetch_glue of stub leaking to internet.
+
 13 June 2017: Wouter
+	- Fix #1279: Memory leak on reload when python module is enabled.
 	- Fix #1280: Unbound fails assert when response from authoritative
 	  contains malformed qname.  When 0x20 caps-for-id is enabled, when
 	  assertions are not enabled the malformed qname is handled correctly.
-	- tag for 1.6.3
+	- 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
+	- More fixes in depth for buffer checks in 0x20 qname checks.
+
+12 June 2017: Wouter
+	- Fix #1278: Incomplete wildcard proof.
+
+8 June 2017: Ralph
+	- Added domain name based ECS whitelist.
+
+8 June 2017: Wouter
+	- Detect chacha for dnscrypt at configure time.
+	- dnscrypt unit tests with chacha.
+
+7 June 2017: Wouter
+	- Fix that unbound-control can set val_clean_additional and val_permissive_mode.
+	- Add dnscrypt XChaCha20 tests.
+
+6 June 2017: Wouter
+	- Add an explicit type cast for TCP FASTOPEN fix.
+	- renumbering B-Root's IPv6 address to 2001:500:200::b.
+	- Fix #1275: cached data in cachedb is never used.
+	- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
+
+1 June 2017: Ralph
+	- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
+	  (from Manu Bretelle).
+
+1 June 2017: Wouter
+	- Fix fastopen EPIPE fallthrough to perform connect.
+
+31 May 2017: Ralph
+	- Also use global local-zones when there is a matching view that does
+	  not have any local-zone specified.
+
+31 May 2017: Wouter
+	- Fix #1273: cachedb.c doesn't compile with -Wextra.
+	- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
+
+30 May 2017: Ralph
+	- Fix #1269: inconsistent use of built-in local zones with views.
+	- Add defaults for new local-zone trees added to views using
+	  unbound-control.
+
+30 May 2017: Wouter
+	- Support for openssl EVP_DigestVerify.
+	- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
+
+29 May 2017: Wouter
+	- Fix assertion for low buffer size and big edns payload when worker
+	  overrides udpsize.
+
+26 May 2017: Ralph
+	- Added redirect-bogus.patch to contrib directory.
+
+26 May 2017: Wouter
+	- Fix #1270: unitauth.c doesn't compile with higher warning level
+	  and optimization
+	- exec_prefix is by default equal to prefix.
+	- printout localzone for duplicate local-zone warnings.
+
+24 May 2017: Wouter
+	- authzone cname chain, no rrset duplicates, wildcard doesn't change
+	  rrsets added for cname chain.
+
+23 May 2017: Wouter
+	- first services/authzone check in, it compiles and reads and writes
+	  zonefiles.
+	- iana portlist update
+
+22 May 2017: Wouter
+	- Fix #1268: SIGSEGV after log_reopen.
+
+18 May 2017: Wouter
+	- Fix #1265 to use /bin/kill.
+	- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
+	  and compatibility with BoringSSL.
+
+17 May 2017: Wouter
+	- Fix #1265: contrib/unbound.service contains hardcoded path.
+
+17 May 2017: George
+	- Use qstate's region for IPSECKEY rrset (ipsecmod).
+
+16 May 2017: George
+	- Implemented opportunistic IPsec support module (ipsecmod).
+	- Some whitespace fixup.
+
+16 May 2017: Wouter
+	- updated dependencies in the makefile.
+	- document trust-anchor-signaling in example config file.
+	- updated configure, dependencies and flex output.
+	- better module memory lookup, fix of unbound-control shm names for
+	  module memory printout of statistics.
+	- Fix type AVC sldns rrdef.
+
+12 May 2017: Wouter
+	- Adjust servfail by iterator to not store in cache when serve-expired
+	  is enabled, to avoid overwriting useful information there.
+	- Fix queries for nameservers under a stub leaking to the internet.
+
+9 May 2017: Ralph
+	- Add 'c' to getopt() in testbound.
+	- iana portlist update
+
+8 May 2017: Wouter
+	- Fix tcp-mss failure printout text.
+	- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
+	  connect limited tcp connections.  With the option tcp connections
+	  can share the same source port (for different destinations).
+
+2 May 2017: Ralph
+	- Added mesh_add_sub to add detached mesh entries.
+	- Use mesh_add_sub for key tag signaling query.
+
+2 May 2017: Wouter
+	- Added test for leak of stub information.
+	- Fix sldns wire2str printout of RR type CAA tags.
+	- Fix sldns int16_data parse.
+	- Fix sldns parse and printout of TSIG RRs.
+	- sldns SMIMEA and AVC definitions, same as getdns definitions.
+
+1 May 2017: Wouter
+	- Fix #1259: "--disable-ecdsa" argument overwritten 
+	  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
+	- iana portlist update
+	- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
+	  and fix that 64bit getting installed in C:\Program Files (x86).
+
+26 April 2017: Ralph
+	- Implemented trust anchor signaling using key tag query.
+
+26 April 2017: Wouter
+	- Based on #1257: check parse limit before t increment in sldns RR
+	  string parse routine.
+
+24 April 2017: Wouter
+	- unbound-checkconf -o allows query of dnstap config variables.
+	  Also unbound-control get_option.  Also for dnscrypt.
+	- trunk contains 1.6.3 version number (changes from 1.6.2 back from
+	  when the 1.6.2rc1 tag has been created).
+
+21 April 2017: Ralph
+	- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
+	- iana portlist update
+	
+18 April 2017: Ralph
+	- Fix #1252: more indentation inconsistencies.
+	- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
+
+13 April 2017: Ralph
+	- Added ECS unit test (from Manu Bretelle).
+	- ECS documentation fix (from Manu Bretelle).
 
 13 April 2017: Wouter
 	- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
 	- tag for 1.6.2rc1
+	- (for 1.6.3:) unbound.h exports the shm stats structures.  They use
+	  type long long and no ifdefs, and ub_ before the typenames.
 
 12 April 2017: Wouter
 	- subnet mem value is available in shm, also when not enabled,
@@ -243,7 +429,7 @@
 	- Fix #1184: Log DNS replies. This includes the same logging
 	  information that DNS queries and response code and response size,
 	  patch from Larissa Feng.
-	- Fix #1185: Source IP rate limiting, patch from Larissa Feng.
+	- Fix #1187: Source IP rate limiting, patch from Larissa Feng.
 
 3 January 2017: Wouter
 	- configure --enable-systemd and lets unbound use systemd sockets if

contrib/unbound/doc/README

@@ -1,4 +1,4 @@
-README for Unbound 1.6.3
+README for Unbound 1.6.4
 Copyright 2007 NLnet Labs
 http://unbound.net
 

contrib/unbound/doc/example.conf

@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.6.3.
+# See unbound.conf(5) man page, version 1.6.4.
 #
 # this is a comment.
 
@@ -448,6 +448,9 @@ server:
 	# and under the terms of our LICENSE (see that file in the source).
 	# auto-trust-anchor-file: "/var/unbound/root.key"
 
+	# trust anchor signaling sends a RFC8145 key tag query after priming.
+	# trust-anchor-signaling: no
+
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
 	# DLV is going to be decommissioned.  Please do not use it any more.
@@ -698,6 +701,34 @@ server:
 	# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 	# ip-ratelimit-factor: 10
 
+	# Specific options for ipsecmod. unbound needs to be configured with
+	# --enable-ipsecmod for these to take effect.
+	#
+	# Enable or disable ipsecmod (it still needs to be defined in
+	# module-config above). Can be used when ipsecmod needs to be
+	# enabled/disabled via remote-control(below).
+	# ipsecmod-enabled: yes
+	#
+	# Path to executable external hook. It must be defined when ipsecmod is
+	# listed in module-config (above).
+	# ipsecmod-hook: "./my_executable"
+	#
+	# When enabled unbound will reply with SERVFAIL if the return value of
+	# the ipsecmod-hook is not 0.
+	# ipsecmod-strict: no
+	#
+	# Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
+	# ipsecmod-max-ttl: 3600
+	#
+	# Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
+	# testing.
+	# ipsecmod-ignore-bogus: no
+	#
+	# Domains for which ipsecmod will be triggered. If not defined (default)
+	# all domains are treated as being whitelisted.
+	# ipsecmod-whitelist: "example.com"
+	# ipsecmod-whitelist: "nlnetlabs.nl"
+
 
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.

contrib/unbound/doc/example.conf.in

@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.6.3.
+# See unbound.conf(5) man page, version 1.6.4.
 #
 # this is a comment.
 
@@ -448,6 +448,9 @@ server:
 	# and under the terms of our LICENSE (see that file in the source).
 	# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
 
+	# trust anchor signaling sends a RFC8145 key tag query after priming.
+	# trust-anchor-signaling: no
+
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
 	# DLV is going to be decommissioned.  Please do not use it any more.
@@ -698,6 +701,34 @@ server:
 	# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 	# ip-ratelimit-factor: 10
 
+	# Specific options for ipsecmod. unbound needs to be configured with
+	# --enable-ipsecmod for these to take effect.
+	#
+	# Enable or disable ipsecmod (it still needs to be defined in
+	# module-config above). Can be used when ipsecmod needs to be
+	# enabled/disabled via remote-control(below).
+	# ipsecmod-enabled: yes
+	#
+	# Path to executable external hook. It must be defined when ipsecmod is
+	# listed in module-config (above).
+	# ipsecmod-hook: "./my_executable"
+	#
+	# When enabled unbound will reply with SERVFAIL if the return value of
+	# the ipsecmod-hook is not 0.
+	# ipsecmod-strict: no
+	#
+	# Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
+	# ipsecmod-max-ttl: 3600
+	#
+	# Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
+	# testing.
+	# ipsecmod-ignore-bogus: no
+	#
+	# Domains for which ipsecmod will be triggered. If not defined (default)
+	# all domains are treated as being whitelisted.
+	# ipsecmod-whitelist: "example.com"
+	# ipsecmod-whitelist: "nlnetlabs.nl"
+
 
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.

contrib/unbound/doc/libunbound.3

@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "libunbound" "3" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -43,7 +43,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.6.3 functions.
+\- Unbound DNS validating resolver 1.6.4 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

contrib/unbound/doc/libunbound.3.in

@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "libunbound" "3" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -43,7 +43,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.6.3 functions.
+\- Unbound DNS validating resolver 1.6.4 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

contrib/unbound/doc/unbound-anchor.8

@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-anchor" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

contrib/unbound/doc/unbound-anchor.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-anchor" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

contrib/unbound/doc/unbound-checkconf.8

@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-checkconf" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"

contrib/unbound/doc/unbound-checkconf.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-checkconf" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"

contrib/unbound/doc/unbound-control.8

@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-control" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"

contrib/unbound/doc/unbound-control.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-control" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"

contrib/unbound/doc/unbound-host.1

@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound\-host" "1" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

contrib/unbound/doc/unbound-host.1.in

@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound\-host" "1" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

contrib/unbound/doc/unbound.8

@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.6.3.
+\- Unbound DNS validating resolver 1.6.4.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

contrib/unbound/doc/unbound.8.in

@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.6.3.
+\- Unbound DNS validating resolver 1.6.4.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

contrib/unbound/doc/unbound.conf.5

@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound.conf" "5" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -16,7 +16,8 @@
 .B unbound.conf
 is used to configure
 \fIunbound\fR(8).
-The file format has attributes and values. Some attributes have attributes inside them.
+The file format has attributes and values. Some attributes have attributes
+inside them.
 The notation is: attribute: value.
 .P
 Comments start with # and last to the end of line. Empty lines are
@@ -62,8 +63,8 @@ server:
 	access\-control: 2001:DB8::/64 allow
 .fi
 .SH "FILE FORMAT"
-There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
-is followed by its containing attributes, or a value.
+There must be whitespace between keywords. Attribute keywords end with a colon ':'.
+An attribute is followed by its containing attributes, or a value.
 .P
 Files can be included using the
 .B include:
@@ -393,7 +394,8 @@ Default is no.  Useful in tunneling scenarios.
 .B ssl\-upstream: \fI<yes or no>
 Enabled or disable whether the upstream queries use SSL only for transport.
 Default is no.  Useful in tunneling scenarios.  The SSL contains plain DNS in
-TCP wireformat.  The other server must support this (see \fBssl\-service\-key\fR).
+TCP wireformat.  The other server must support this (see
+\fBssl\-service\-key\fR).
 .TP
 .B ssl\-service-key: \fI<file>
 If enabled, the server provider SSL service on its TCP sockets.  The clients
@@ -804,6 +806,9 @@ the trusted\-keys { name flag proto algo "key"; }; clauses are read.
 It is possible to use wildcards with this statement, the wildcard is
 expanded on start and on reload.
 .TP
+.B trust\-anchor\-signaling: \fI<yes or no>
+Send RFC8145 key tag query after trust anchor priming. Default is off.
+.TP
 .B dlv\-anchor\-file: \fI<filename>
 This option was used during early days DNSSEC deployment when no parent-side
 DS record registrations were easily available.  Nowadays, it is best to have
@@ -812,8 +817,8 @@ File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
 DNSKEY entries can be used in the file, in the same format as for
 \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
 would be slow. The DLV configured is used as a root trusted DLV, this
-means that it is a lookaside for the root. Default is "", or no dlv anchor file.
-DLV is going to be decommissioned.  Please do not use it any more.
+means that it is a lookaside for the root. Default is "", or no dlv anchor
+file. DLV is going to be decommissioned.  Please do not use it any more.
 .TP
 .B dlv\-anchor: \fI<"Resource Record">
 Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
@@ -1197,18 +1202,20 @@ This can make ordinary queries complete (if repeatedly queried for),
 and enter the cache, whilst also mitigating the traffic flow by the
 factor given.
 .TP 5
-.B ratelimit\-for\-domain: \fI<domain> <number qps>
+.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
 Override the global ratelimit for an exact match domain name with the listed
 number.  You can give this for any number of names.  For example, for
 a top\-level\-domain you may want to have a higher limit than other names.
+A value of 0 will disable ratelimiting for that domain.
 .TP 5
-.B ratelimit\-below\-domain: \fI<domain> <number qps>
+.B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
 Override the global ratelimit for a domain name that ends in this name.
 You can give this multiple times, it then describes different settings
 in different parts of the namespace.  The closest matching suffix is used
 to determine the qps limit.  The rate for the exact matching domain name
 is not changed, use ratelimit\-for\-domain to set that, you might want
 to use different settings for a top\-level\-domain and subdomains.
+A value of 0 will disable ratelimiting for domain names that end in this name.
 .TP 5
 .B ip\-ratelimit: \fI<number or 0>
 Enable global ratelimiting of queries accepted per ip address.
@@ -1390,10 +1397,10 @@ Default is no.
 There may be multiple
 .B view:
 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
-\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view
-name in an \fBaccess\-control\-view\fR element. Options from matching views will
-override global options. Global options will be used if no matching view
-is found.
+\fBlocal\-data\fR elements. View can be mapped to requests by specifying the
+view name in an \fBaccess\-control\-view\fR element. Options from matching
+views will override global options. Global options will be used if no matching
+view is found, or when the matching view does not have the option specified.
 .TP
 .B name: \fI<view name>
 Name of the view. Must be unique. This name is used in access\-control\-view
@@ -1401,7 +1408,11 @@ elements.
 .TP
 .B local\-zone: \fI<zone> <type>
 View specific local\-zone elements. Has the same types and behaviour as the
-global local\-zone elements.
+global local\-zone elements. When there is at least one local\-zone specified
+and view\-first is no, the default local-zones will be added to this view.
+Defaults can be disabled using the nodefault type. When view\-first is yes or
+when a view does not have a local\-zone, the global local\-zone will be used
+including it's default zones.
 .TP
 .B local\-data: \fI"<resource record string>"
 View specific local\-data elements. Has the same behaviour as the global
@@ -1454,7 +1465,8 @@ clause give the settings of the dnscrypt channel. While those options are
 available, they are only meaningful if unbound was compiled with
 \fB\-\-enable\-dnscrypt\fR.
 Currently certificate and secret/public keys cannot be generated by unbound.
-You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
+You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
+dnscrypt-wrapper/blob/master/README.md#usage
 .TP
 .B dnscrypt\-enable: \fI<yes or no>\fR
 Whether or not the \fBdnscrypt\fR config should be enabled. You may define
@@ -1475,23 +1487,24 @@ Path to the time limited secret key file. This option may be specified multiple
 times.
 .TP
 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
-Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option
-may be specified multiple times.
+Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
+This option may be specified multiple times.
 .SS "EDNS Client Subnet Module Options"
 .LP
 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
 validator iterator" directive and be compiled into the daemon to be
 enabled.  These settings go in the \fBserver:\fR section.
 .LP
-If the destination address is whitelisted with Unbound will add the EDNS0 option
-to the query containing the relevant part of the client's address. When an
-answer contains the ECS option the response and the option are placed in a
-specialized cache. If the authority indicated no support, the response is stored
-in the regular cache.
+If the destination address is whitelisted with Unbound will add the EDNS0
+option to the query containing the relevant part of the client's address. When
+an answer contains the ECS option the response and the option are placed in a
+specialized cache. If the authority indicated no support, the response is
+stored in the regular cache.
 .LP
 Additionally, when a client includes the option in its queries, Unbound will
-forward the option to the authority regardless of the authorities presence in
-the whitelist. In this case the lookup in the regular cache is skipped.
+forward the option to the authority if prensent in the whitelist, or
+\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
+the regular cache is skipped.
 .LP
 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
 configuration file. On top of that, for each query only 100 different subnets
@@ -1502,7 +1515,12 @@ entries will be purged from cache.
 Send client source address to this authority. Append /num to indicate a
 classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can
 be given multiple times. Authorities not listed will not receive edns-subnet
-information.
+information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
+.TP
+.B client\-subnet\-zone: \fI<domain>\fR
+Send client source address in queries for this domain and its subdomains. Can be
+given multiple times. Zones not listed will not receive edns-subnet information,
+unless hosted by authority specified in \fBsend\-client\-subnet\fR.
 .TP
 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
 Specify whether the ECS whitelist check (configured using
@@ -1519,6 +1537,72 @@ to expose to third parties for IPv6.  Defaults to 56.
 .B max\-client\-subnet\-ipv4: \fI<number>\fR
 Specifies the maximum prefix length of the client source address we are willing
 to expose to third parties for IPv4. Defaults to 24.
+.SS "Opportunistic IPsec Support Module Options"
+.LP
+The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
+validator iterator" directive and be compiled into the daemon to be
+enabled.  These settings go in the \fBserver:\fR section.
+.LP
+When unbound receives an A/AAAA query that is not in the cache and finds a
+valid answer, it will withhold returning the answer and instead will generate
+an IPSECKEY subquery for the same domain name.  If an answer was found, unbound
+will call an external hook passing the following arguments:
+.TP 10
+\h'5'\fIQNAME\fR
+Domain name of the A/AAAA and IPSECKEY query.  In string format.
+.TP 10
+\h'5'\fIIPSECKEY TTL\fR
+TTL of the IPSECKEY RRset.
+.TP 10
+\h'5'\fIA/AAAA\fR
+String of space separated IP addresses present in the A/AAAA RRset.  The IP
+addresses are in string format.
+.TP 10
+\h'5'\fIIPSECKEY\fR
+String of space separated IPSECKEY RDATA present in the IPSECKEY RRset.  The
+IPSECKEY RDATA are in DNS presentation format.
+.LP
+The A/AAAA answer is then cached and returned to the client.  If the external
+hook was called the TTL changes to ensure it doesn't surpass
+\fBipsecmod-max-ttl\fR.
+.LP
+The same procedure is also followed when \fBprefetch:\fR is used, but the
+A/AAAA answer is given to the client before the hook is called.
+\fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
+relevant for opportunistic IPsec.
+.TP
+.B ipsecmod-enabled: \fI<yes or no>\fR
+Specifies whether the IPsec module is enabled or not.  The IPsec module still
+needs to be defined in the \fBmodule\-config:\fR directive.  This option
+facilitates turning on/off the module without restarting/reloading unbound.
+Defaults to yes.
+.TP
+.B ipsecmod\-hook: \fI<filename>\fR
+Specifies the external hook that unbound will call with \fIsystem\fR(3).  The
+file can be specified as an absolute/relative path.  The file needs the proper
+permissions to be able to be executed by the same user that runs unbound.  It
+must be present when the IPsec module is defined in the \fBmodule\-config:\fR
+directive.
+.TP
+.B ipsecmod-strict: \fI<yes or no>\fR
+If enabled unbound requires the external hook to return a success value of 0.
+Failing to do so unbound will reply with SERVFAIL.  The A/AAAA answer will also
+not be cached.  Defaults to no.
+.TP
+.B ipsecmod\-max-ttl: \fI<seconds>\fR
+Time to live maximum for A/AAAA cached records after calling the external hook.
+Defaults to 3600.
+.TP
+.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
+Specifies the behaviour of unbound when the IPSECKEY answer is bogus.  If set
+to yes, the hook will be called and the A/AAAA answer will be returned to the
+client.  If set to no, the hook will not be called and the answer to the
+A/AAAA query will be SERVFAIL.  Mainly used for testing.  Defaults to no.
+.TP
+.B ipsecmod\-whitelist: \fI<domain>\fR
+Whitelist the domain so that the module logic will be executed.  Can
+be given multiple times, for different domains.  If the option is not
+specified, all domains are treated as being whitelisted (default).
 .SH "MEMORY CONTROL EXAMPLE"
 In the example config settings below memory usage is reduced. Some service
 levels are lower, notable very large data and a high TCP load are no longer

contrib/unbound/doc/unbound.conf.5.in

@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound.conf" "5" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -16,7 +16,8 @@
 .B unbound.conf
 is used to configure
 \fIunbound\fR(8).
-The file format has attributes and values. Some attributes have attributes inside them.
+The file format has attributes and values. Some attributes have attributes
+inside them.
 The notation is: attribute: value.
 .P
 Comments start with # and last to the end of line. Empty lines are
@@ -62,8 +63,8 @@ server:
 	access\-control: 2001:DB8::/64 allow
 .fi
 .SH "FILE FORMAT"
-There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
-is followed by its containing attributes, or a value.
+There must be whitespace between keywords. Attribute keywords end with a colon ':'.
+An attribute is followed by its containing attributes, or a value.
 .P
 Files can be included using the
 .B include:
@@ -393,7 +394,8 @@ Default is no.  Useful in tunneling scenarios.
 .B ssl\-upstream: \fI<yes or no>
 Enabled or disable whether the upstream queries use SSL only for transport.
 Default is no.  Useful in tunneling scenarios.  The SSL contains plain DNS in
-TCP wireformat.  The other server must support this (see \fBssl\-service\-key\fR).
+TCP wireformat.  The other server must support this (see
+\fBssl\-service\-key\fR).
 .TP
 .B ssl\-service-key: \fI<file>
 If enabled, the server provider SSL service on its TCP sockets.  The clients
@@ -804,6 +806,9 @@ the trusted\-keys { name flag proto algo "key"; }; clauses are read.
 It is possible to use wildcards with this statement, the wildcard is
 expanded on start and on reload.
 .TP
+.B trust\-anchor\-signaling: \fI<yes or no>
+Send RFC8145 key tag query after trust anchor priming. Default is off.
+.TP
 .B dlv\-anchor\-file: \fI<filename>
 This option was used during early days DNSSEC deployment when no parent-side
 DS record registrations were easily available.  Nowadays, it is best to have
@@ -812,8 +817,8 @@ File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
 DNSKEY entries can be used in the file, in the same format as for
 \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
 would be slow. The DLV configured is used as a root trusted DLV, this
-means that it is a lookaside for the root. Default is "", or no dlv anchor file.
-DLV is going to be decommissioned.  Please do not use it any more.
+means that it is a lookaside for the root. Default is "", or no dlv anchor
+file. DLV is going to be decommissioned.  Please do not use it any more.
 .TP
 .B dlv\-anchor: \fI<"Resource Record">
 Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
@@ -1197,18 +1202,20 @@ This can make ordinary queries complete (if repeatedly queried for),
 and enter the cache, whilst also mitigating the traffic flow by the
 factor given.
 .TP 5
-.B ratelimit\-for\-domain: \fI<domain> <number qps>
+.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
 Override the global ratelimit for an exact match domain name with the listed
 number.  You can give this for any number of names.  For example, for
 a top\-level\-domain you may want to have a higher limit than other names.
+A value of 0 will disable ratelimiting for that domain.
 .TP 5
-.B ratelimit\-below\-domain: \fI<domain> <number qps>
+.B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
 Override the global ratelimit for a domain name that ends in this name.
 You can give this multiple times, it then describes different settings
 in different parts of the namespace.  The closest matching suffix is used
 to determine the qps limit.  The rate for the exact matching domain name
 is not changed, use ratelimit\-for\-domain to set that, you might want
 to use different settings for a top\-level\-domain and subdomains.
+A value of 0 will disable ratelimiting for domain names that end in this name.
 .TP 5
 .B ip\-ratelimit: \fI<number or 0>
 Enable global ratelimiting of queries accepted per ip address.
@@ -1390,10 +1397,10 @@ Default is no.
 There may be multiple
 .B view:
 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
-\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view
-name in an \fBaccess\-control\-view\fR element. Options from matching views will
-override global options. Global options will be used if no matching view
-is found.
+\fBlocal\-data\fR elements. View can be mapped to requests by specifying the
+view name in an \fBaccess\-control\-view\fR element. Options from matching
+views will override global options. Global options will be used if no matching
+view is found, or when the matching view does not have the option specified.
 .TP
 .B name: \fI<view name>
 Name of the view. Must be unique. This name is used in access\-control\-view
@@ -1401,7 +1408,11 @@ elements.
 .TP
 .B local\-zone: \fI<zone> <type>
 View specific local\-zone elements. Has the same types and behaviour as the
-global local\-zone elements.
+global local\-zone elements. When there is at least one local\-zone specified
+and view\-first is no, the default local-zones will be added to this view.
+Defaults can be disabled using the nodefault type. When view\-first is yes or
+when a view does not have a local\-zone, the global local\-zone will be used
+including it's default zones.
 .TP
 .B local\-data: \fI"<resource record string>"
 View specific local\-data elements. Has the same behaviour as the global
@@ -1454,7 +1465,8 @@ clause give the settings of the dnscrypt channel. While those options are
 available, they are only meaningful if unbound was compiled with
 \fB\-\-enable\-dnscrypt\fR.
 Currently certificate and secret/public keys cannot be generated by unbound.
-You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
+You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
+dnscrypt-wrapper/blob/master/README.md#usage
 .TP
 .B dnscrypt\-enable: \fI<yes or no>\fR
 Whether or not the \fBdnscrypt\fR config should be enabled. You may define
@@ -1475,23 +1487,24 @@ Path to the time limited secret key file. This option may be specified multiple
 times.
 .TP
 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
-Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option
-may be specified multiple times.
+Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
+This option may be specified multiple times.
 .SS "EDNS Client Subnet Module Options"
 .LP
 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
 validator iterator" directive and be compiled into the daemon to be
 enabled.  These settings go in the \fBserver:\fR section.
 .LP
-If the destination address is whitelisted with Unbound will add the EDNS0 option
-to the query containing the relevant part of the client's address. When an
-answer contains the ECS option the response and the option are placed in a
-specialized cache. If the authority indicated no support, the response is stored
-in the regular cache.
+If the destination address is whitelisted with Unbound will add the EDNS0
+option to the query containing the relevant part of the client's address. When
+an answer contains the ECS option the response and the option are placed in a
+specialized cache. If the authority indicated no support, the response is
+stored in the regular cache.
 .LP
 Additionally, when a client includes the option in its queries, Unbound will
-forward the option to the authority regardless of the authorities presence in
-the whitelist. In this case the lookup in the regular cache is skipped.
+forward the option to the authority if prensent in the whitelist, or
+\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
+the regular cache is skipped.
 .LP
 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
 configuration file. On top of that, for each query only 100 different subnets
@@ -1502,7 +1515,12 @@ entries will be purged from cache.
 Send client source address to this authority. Append /num to indicate a
 classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can
 be given multiple times. Authorities not listed will not receive edns-subnet
-information.
+information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
+.TP
+.B client\-subnet\-zone: \fI<domain>\fR
+Send client source address in queries for this domain and its subdomains. Can be
+given multiple times. Zones not listed will not receive edns-subnet information,
+unless hosted by authority specified in \fBsend\-client\-subnet\fR.
 .TP
 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
 Specify whether the ECS whitelist check (configured using
@@ -1519,6 +1537,72 @@ to expose to third parties for IPv6.  Defaults to 56.
 .B max\-client\-subnet\-ipv4: \fI<number>\fR
 Specifies the maximum prefix length of the client source address we are willing
 to expose to third parties for IPv4. Defaults to 24.
+.SS "Opportunistic IPsec Support Module Options"
+.LP
+The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
+validator iterator" directive and be compiled into the daemon to be
+enabled.  These settings go in the \fBserver:\fR section.
+.LP
+When unbound receives an A/AAAA query that is not in the cache and finds a
+valid answer, it will withhold returning the answer and instead will generate
+an IPSECKEY subquery for the same domain name.  If an answer was found, unbound
+will call an external hook passing the following arguments:
+.TP 10
+\h'5'\fIQNAME\fR
+Domain name of the A/AAAA and IPSECKEY query.  In string format.
+.TP 10
+\h'5'\fIIPSECKEY TTL\fR
+TTL of the IPSECKEY RRset.
+.TP 10
+\h'5'\fIA/AAAA\fR
+String of space separated IP addresses present in the A/AAAA RRset.  The IP
+addresses are in string format.
+.TP 10
+\h'5'\fIIPSECKEY\fR
+String of space separated IPSECKEY RDATA present in the IPSECKEY RRset.  The
+IPSECKEY RDATA are in DNS presentation format.
+.LP
+The A/AAAA answer is then cached and returned to the client.  If the external
+hook was called the TTL changes to ensure it doesn't surpass
+\fBipsecmod-max-ttl\fR.
+.LP
+The same procedure is also followed when \fBprefetch:\fR is used, but the
+A/AAAA answer is given to the client before the hook is called.
+\fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
+relevant for opportunistic IPsec.
+.TP
+.B ipsecmod-enabled: \fI<yes or no>\fR
+Specifies whether the IPsec module is enabled or not.  The IPsec module still
+needs to be defined in the \fBmodule\-config:\fR directive.  This option
+facilitates turning on/off the module without restarting/reloading unbound.
+Defaults to yes.
+.TP
+.B ipsecmod\-hook: \fI<filename>\fR
+Specifies the external hook that unbound will call with \fIsystem\fR(3).  The
+file can be specified as an absolute/relative path.  The file needs the proper
+permissions to be able to be executed by the same user that runs unbound.  It
+must be present when the IPsec module is defined in the \fBmodule\-config:\fR
+directive.
+.TP
+.B ipsecmod-strict: \fI<yes or no>\fR
+If enabled unbound requires the external hook to return a success value of 0.
+Failing to do so unbound will reply with SERVFAIL.  The A/AAAA answer will also
+not be cached.  Defaults to no.
+.TP
+.B ipsecmod\-max-ttl: \fI<seconds>\fR
+Time to live maximum for A/AAAA cached records after calling the external hook.
+Defaults to 3600.
+.TP
+.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
+Specifies the behaviour of unbound when the IPSECKEY answer is bogus.  If set
+to yes, the hook will be called and the A/AAAA answer will be returned to the
+client.  If set to no, the hook will not be called and the answer to the
+A/AAAA query will be SERVFAIL.  Mainly used for testing.  Defaults to no.
+.TP
+.B ipsecmod\-whitelist: \fI<domain>\fR
+Whitelist the domain so that the module logic will be executed.  Can
+be given multiple times, for different domains.  If the option is not
+specified, all domains are treated as being whitelisted (default).
 .SH "MEMORY CONTROL EXAMPLE"
 In the example config settings below memory usage is reduced. Some service
 levels are lower, notable very large data and a high TCP load are no longer

contrib/unbound/edns-subnet/addrtree.c

@@ -302,6 +302,7 @@ static int
 getbit(const addrkey_t *addr, addrlen_t addrlen, addrlen_t n)
 {
 	log_assert(addrlen > n);
+	(void)addrlen;
 	return (int)(addr[n/KEYWIDTH]>>((KEYWIDTH-1)-(n%KEYWIDTH))) & 1;
 }
 

contrib/unbound/edns-subnet/subnet-whitelist.c

@@ -50,42 +50,44 @@
 #include "util/config_file.h"
 #include "util/net_help.h"
 #include "util/storage/dnstree.h"
+#include "sldns/str2wire.h"
+#include "util/data/dname.h"
 
-struct ednssubnet_upstream* 
-upstream_create(void)
+struct ecs_whitelist* 
+ecs_whitelist_create(void)
 {
-	struct ednssubnet_upstream* upstream = 
-		(struct ednssubnet_upstream*)calloc(1,
-		sizeof(struct ednssubnet_upstream));
-	if(!upstream)
+	struct ecs_whitelist* whitelist = 
+		(struct ecs_whitelist*)calloc(1,
+		sizeof(struct ecs_whitelist));
+	if(!whitelist)
 		return NULL;
-	upstream->region = regional_create();
-	if(!upstream->region) {
-		upstream_delete(upstream);
+	whitelist->region = regional_create();
+	if(!whitelist->region) {
+		ecs_whitelist_delete(whitelist);
 		return NULL;
 	}
-	return upstream;
+	return whitelist;
 }
 
 void 
-upstream_delete(struct ednssubnet_upstream* upstream)
+ecs_whitelist_delete(struct ecs_whitelist* whitelist)
 {
-	if(!upstream) 
+	if(!whitelist) 
 		return;
-	regional_destroy(upstream->region);
-	free(upstream);
+	regional_destroy(whitelist->region);
+	free(whitelist);
 }
 
-/** insert new address into upstream structure */
+/** insert new address into whitelist structure */
 static int
-upstream_insert(struct ednssubnet_upstream* upstream, 
+upstream_insert(struct ecs_whitelist* whitelist, 
 	struct sockaddr_storage* addr, socklen_t addrlen, int net)
 {
 	struct addr_tree_node* node = (struct addr_tree_node*)regional_alloc(
-		upstream->region, sizeof(*node));
+		whitelist->region, sizeof(*node));
 	if(!node)
 		return 0;
-	if(!addr_tree_insert(&upstream->tree, node, addr, addrlen, net)) {
+	if(!addr_tree_insert(&whitelist->upstream, node, addr, addrlen, net)) {
 		verbose(VERB_QUERY,
 			"duplicate send-client-subnet address ignored.");
 	}
@@ -94,7 +96,7 @@ upstream_insert(struct ednssubnet_upstream* upstream,
 
 /** apply edns-subnet string */
 static int
-upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
+upstream_str_cfg(struct ecs_whitelist* whitelist, const char* str)
 {
 	struct sockaddr_storage addr;
 	int net;
@@ -104,7 +106,7 @@ upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
 		log_err("cannot parse send-client-subnet netblock: %s", str);
 		return 0;
 	}
-	if(!upstream_insert(upstream, &addr, addrlen, net)) {
+	if(!upstream_insert(whitelist, &addr, addrlen, net)) {
 		log_err("out of memory");
 		return 0;
 	}
@@ -113,41 +115,93 @@ upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
 
 /** read client_subnet config */
 static int 
-read_upstream(struct ednssubnet_upstream* upstream, struct config_file* cfg)
+read_upstream(struct ecs_whitelist* whitelist, struct config_file* cfg)
 {
 	struct config_strlist* p;
 	for(p = cfg->client_subnet; p; p = p->next) {
 		log_assert(p->str);
-		if(!upstream_str_cfg(upstream, p->str))
+		if(!upstream_str_cfg(whitelist, p->str))
 			return 0;
 	}
 	return 1;
 }
 
+/** read client_subnet_zone config */
+static int 
+read_names(struct ecs_whitelist* whitelist, struct config_file* cfg)
+{
+	/* parse names, report errors, insert into tree */
+	struct config_strlist* p;
+	struct name_tree_node* n;
+	uint8_t* nm, *nmr;
+	size_t nm_len;
+	int nm_labs;
+
+	for(p = cfg->client_subnet_zone; p; p = p->next) {
+		log_assert(p->str);
+		nm = sldns_str2wire_dname(p->str, &nm_len);
+		if(!nm) {
+			log_err("cannot parse client-subnet-zone: %s", p->str);
+			return 0;
+		}
+		nm_labs = dname_count_size_labels(nm, &nm_len);
+		nmr = (uint8_t*)regional_alloc_init(whitelist->region, nm,
+			nm_len);
+		free(nm);
+		if(!nmr) {
+			log_err("out of memory");
+			return 0;
+		}
+		n = (struct name_tree_node*)regional_alloc(whitelist->region,
+			sizeof(*n));
+		if(!n) {
+			log_err("out of memory");
+			return 0;
+		}
+		if(!name_tree_insert(&whitelist->dname, n, nmr, nm_len, nm_labs,
+			LDNS_RR_CLASS_IN)) {
+			verbose(VERB_QUERY, "ignoring duplicate "
+				"client-subnet-zone: %s", p->str);
+		}
+	}
+	return 1;
+}
+
 int 
-upstream_apply_cfg(struct ednssubnet_upstream* upstream,
+ecs_whitelist_apply_cfg(struct ecs_whitelist* whitelist,
 	struct config_file* cfg)
 {
-	regional_free_all(upstream->region);
-	addr_tree_init(&upstream->tree);
-	if(!read_upstream(upstream, cfg))
+	regional_free_all(whitelist->region);
+	addr_tree_init(&whitelist->upstream);
+	name_tree_init(&whitelist->dname);
+	if(!read_upstream(whitelist, cfg))
 		return 0;
-	addr_tree_init_parents(&upstream->tree);
+	if(!read_names(whitelist, cfg))
+		return 0;
+	addr_tree_init_parents(&whitelist->upstream);
+	name_tree_init_parents(&whitelist->dname);
 	return 1;
 }
 
 int 
-upstream_is_whitelisted(struct ednssubnet_upstream* upstream,
-	struct sockaddr_storage* addr, socklen_t addrlen)
+ecs_is_whitelisted(struct ecs_whitelist* whitelist,
+	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* qname,
+	size_t qname_len, uint16_t qclass)
 {
-	return addr_tree_lookup(&upstream->tree, addr, addrlen) != NULL;
+	int labs;
+	if(addr_tree_lookup(&whitelist->upstream, addr, addrlen))
+		return 1;
+	/* Not in upstream whitelist, check dname whitelist. */
+	labs = dname_count_labels(qname);
+	return name_tree_lookup(&whitelist->dname, qname, qname_len, labs,
+		qclass) != NULL;
 }
 
 size_t 
-upstream_get_mem(struct ednssubnet_upstream* upstream)
+ecs_whitelist_get_mem(struct ecs_whitelist* whitelist)
 {
-	if(!upstream) return 0;
-	return sizeof(*upstream) + regional_get_mem(upstream->region);
+	if(!whitelist) return 0;
+	return sizeof(*whitelist) + regional_get_mem(whitelist->region);
 }
 
 #endif /* CLIENT_SUBNET */

contrib/unbound/edns-subnet/subnet-whitelist.h

@@ -36,8 +36,8 @@
 /**
  * \file
  *
- * Keep track of the white listed servers for subnet option. Based
- * on acl_list.c|h
+ * Keep track of the white listed servers and domain names for subnet option.
+ * Based on acl_list.c|h
  */
 
 #ifndef EDNSSUBNET_WHITELIST_H
@@ -48,9 +48,9 @@ struct config_file;
 struct regional;
 
 /**
- * ednssubnet_upstream structure
+ * ecs_whitelist structure
  */
-struct ednssubnet_upstream {
+struct ecs_whitelist {
 	/** regional for allocation */
 	struct regional* region;
 	/** 
@@ -58,45 +58,54 @@ struct ednssubnet_upstream {
 	 * contents of type addr_tree_node. Each node is an address span 
 	 * Unbound will append subnet option for.
 	 */
-	rbtree_type tree;
+	rbtree_type upstream;
+	/**
+	 * Tree of domain names for which Unbound will append an ECS option.
+	 * rbtree of struct name_tree_node.
+	 */
+	rbtree_type dname;
 };
 
 /**
- * Create ednssubnet_upstream structure 
+ * Create ecs_whitelist structure 
  * @return new structure or NULL on error.
  */
-struct ednssubnet_upstream* upstream_create(void);
+struct ecs_whitelist* ecs_whitelist_create(void);
 
 /**
- * Delete ednssubnet_upstream structure.
- * @param upstream: to delete.
+ * Delete ecs_whitelist structure.
+ * @param whitelist: to delete.
  */
-void upstream_delete(struct ednssubnet_upstream* upstream);
+void ecs_whitelist_delete(struct ecs_whitelist* whitelist);
 
 /**
- * Process ednssubnet_upstream config.
- * @param upstream: where to store.
+ * Process ecs_whitelist config.
+ * @param whitelist: where to store.
  * @param cfg: config options.
  * @return 0 on error.
  */
-int upstream_apply_cfg(struct ednssubnet_upstream* upstream,
+int ecs_whitelist_apply_cfg(struct ecs_whitelist* whitelist,
 	struct config_file* cfg);
 
 /**
- * See if an address is whitelisted.
- * @param upstream: structure for address storage.
+ * See if an address or domain is whitelisted.
+ * @param whitelist: structure for address storage.
  * @param addr: address to check
  * @param addrlen: length of addr.
+ * @param qname: dname in query
+ * @param qname_len: length of dname
+ * @param qclass: class in query
  * @return: true if the address is whitelisted for subnet option. 
  */
-int upstream_is_whitelisted(struct ednssubnet_upstream* upstream,
-	struct sockaddr_storage* addr, socklen_t addrlen);
+int ecs_is_whitelisted(struct ecs_whitelist* whitelist,
+	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* qname,
+	size_t qname_len, uint16_t qclass);
 
 /**
- * Get memory used by ednssubnet_upstream structure.
- * @param upstream: structure for address storage.
+ * Get memory used by ecs_whitelist structure.
+ * @param whitelist: structure for address storage.
  * @return bytes in use.
  */
-size_t upstream_get_mem(struct ednssubnet_upstream* upstream);
+size_t ecs_whitelist_get_mem(struct ecs_whitelist* whitelist);
 
 #endif /* EDNSSUBNET_WHITELIST_H */

contrib/unbound/edns-subnet/subnetmod.c

@@ -135,7 +135,7 @@ ecs_opt_list_append(struct ecs_data* ecs, struct edns_option** list,
 	}
 }
 
-int ecs_whitelist_check(struct query_info* ATTR_UNUSED(qinfo),
+int ecs_whitelist_check(struct query_info* qinfo,
 	uint16_t ATTR_UNUSED(flags), struct module_qstate* qstate,
 	struct sockaddr_storage* addr, socklen_t addrlen,
 	uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
@@ -154,8 +154,9 @@ int ecs_whitelist_check(struct query_info* ATTR_UNUSED(qinfo),
 
 	if(sq->ecs_server_out.subnet_validdata && ((sq->subnet_downstream &&
 		qstate->env->cfg->client_subnet_always_forward) ||
-		upstream_is_whitelisted(sn_env->edns_subnet_upstreams, 
-		addr, addrlen))) {
+		ecs_is_whitelisted(sn_env->whitelist, 
+		addr, addrlen, qinfo->qname, qinfo->qname_len,
+		qinfo->qclass))) {
 		/* Address on whitelist or client query contains ECS option, we
 		 * want to sent out ECS. Only add option if it is not already
 		 * set. */
@@ -199,9 +200,9 @@ subnetmod_init(struct module_env *env, int id)
 		return 0;
 	}
 	/* whitelist for edns subnet capable servers */
-	sn_env->edns_subnet_upstreams = upstream_create();
-	if(!sn_env->edns_subnet_upstreams ||
-		!upstream_apply_cfg(sn_env->edns_subnet_upstreams, env->cfg)) {
+	sn_env->whitelist = ecs_whitelist_create();
+	if(!sn_env->whitelist ||
+		!ecs_whitelist_apply_cfg(sn_env->whitelist, env->cfg)) {
 		log_err("subnet: could not create ECS whitelist");
 		slabhash_delete(sn_env->subnet_msg_cache);
 		free(sn_env);
@@ -217,7 +218,7 @@ subnetmod_init(struct module_env *env, int id)
 		env->cfg->client_subnet_always_forward /* bypass cache */,
 		0 /* no aggregation */, env)) {
 		log_err("subnet: could not register opcode");
-		upstream_delete(sn_env->edns_subnet_upstreams);
+		ecs_whitelist_delete(sn_env->whitelist);
 		slabhash_delete(sn_env->subnet_msg_cache);
 		free(sn_env);
 		env->modinfo[id] = NULL;
@@ -243,7 +244,8 @@ subnetmod_deinit(struct module_env *env, int id)
 	lock_rw_destroy(&sn_env->biglock);
 	inplace_cb_delete(env, inplace_cb_edns_back_parsed, id);
 	inplace_cb_delete(env, inplace_cb_query, id);
-	upstream_delete(sn_env->edns_subnet_upstreams);
+	inplace_cb_delete(env, inplace_cb_query_response, id);
+	ecs_whitelist_delete(sn_env->whitelist);
 	slabhash_delete(sn_env->subnet_msg_cache);
 	alloc_clear(&sn_env->alloc);
 	free(sn_env);
@@ -781,7 +783,7 @@ subnetmod_get_mem(struct module_env *env, int id)
 	if (!sn_env) return 0;
 	return sizeof(*sn_env) + 
 		slabhash_get_mem(sn_env->subnet_msg_cache) +
-		upstream_get_mem(sn_env->edns_subnet_upstreams);
+		ecs_whitelist_get_mem(sn_env->whitelist);
 }
 
 /**

contrib/unbound/edns-subnet/subnetmod.h

@@ -57,7 +57,7 @@ struct subnet_env {
 	 * data: struct subnet_msg_cache_data* */
 	struct slabhash* subnet_msg_cache;
 	/** access control, which upstream servers we send client address */
-	struct ednssubnet_upstream* edns_subnet_upstreams;
+	struct ecs_whitelist* whitelist;
 	/** allocation service */
 	struct alloc_cache alloc;
 	lock_rw_type biglock;

contrib/unbound/ipsecmod/ipsecmod-whitelist.c

@@ -0,0 +1,158 @@
+/*
+ * ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to
+ * operate on.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ *
+ * Keep track of the white listed domains for ipsecmod.
+ */
+
+#include "config.h"
+
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#include "ipsecmod/ipsecmod-whitelist.h"
+#include "util/regional.h"
+#include "util/log.h"
+#include "util/config_file.h"
+#include "util/rbtree.h"
+#include "util/data/dname.h"
+#include "util/storage/dnstree.h"
+#include "sldns/str2wire.h"
+
+/** Apply ipsecmod-whitelist string. */
+static int
+whitelist_str_cfg(rbtree_type* whitelist, const char* name)
+{
+    struct name_tree_node* n;
+    size_t len;
+    uint8_t* nm = sldns_str2wire_dname(name, &len);
+    if(!nm) {
+        log_err("ipsecmod: could not parse %s for whitelist.", name);
+        return 0;
+    }
+    n = (struct name_tree_node*)calloc(1, sizeof(*n));
+    if(!n) {
+        log_err("ipsecmod: out of memory while creating whitelist.");
+        free(nm);
+        return 0;
+    }
+    n->node.key = n;
+    n->name = nm;
+    n->len = len;
+    n->labs = dname_count_labels(nm);
+    n->dclass = LDNS_RR_CLASS_IN;
+    if(!name_tree_insert(whitelist, n, nm, len, n->labs, n->dclass)) {
+        /* duplicate element ignored, idempotent */
+        free(n->name);
+        free(n);
+    }
+    return 1;
+}
+
+/** Read ipsecmod-whitelist config. */
+static int
+read_whitelist(rbtree_type* whitelist, struct config_file* cfg)
+{
+	struct config_strlist* p;
+	for(p = cfg->ipsecmod_whitelist; p; p = p->next) {
+		log_assert(p->str);
+		if(!whitelist_str_cfg(whitelist, p->str))
+			return 0;
+	}
+	return 1;
+}
+
+int
+ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie,
+	struct config_file* cfg)
+{
+	ie->whitelist = rbtree_create(name_tree_compare);
+	if(!read_whitelist(ie->whitelist, cfg))
+		return 0;
+	name_tree_init_parents(ie->whitelist);
+	return 1;
+}
+
+/** Delete ipsecmod_env->whitelist element. */
+static void
+whitelist_free(struct rbnode_type* n, void* ATTR_UNUSED(d))
+{
+	if(n) {
+		free(((struct name_tree_node*)n)->name);
+		free(n);
+	}
+}
+
+/** Get memory usage of ipsecmod_env->whitelist element. */
+static void
+whitelist_get_mem(struct rbnode_type* n, void* arg)
+{
+	struct name_tree_node* node = (struct name_tree_node*)n;
+	size_t* size = (size_t*) arg;
+	if(node) {
+		*size += sizeof(node) + node->len;
+	}
+}
+
+void
+ipsecmod_whitelist_delete(rbtree_type* whitelist)
+{
+	if(whitelist) {
+		traverse_postorder(whitelist, whitelist_free, NULL);
+		free(whitelist);
+	}
+}
+
+int
+ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname,
+	size_t dname_len, uint16_t qclass)
+{
+	if(!ie->whitelist) return 1; /* No whitelist, treat as whitelisted. */
+	return name_tree_lookup(ie->whitelist, dname, dname_len,
+		dname_count_labels(dname), qclass) != NULL;
+}
+
+size_t
+ipsecmod_whitelist_get_mem(rbtree_type* whitelist)
+{
+	size_t size = 0;
+	if(whitelist) {
+		traverse_postorder(whitelist, whitelist_get_mem, &size);
+	}
+	return size;
+}
+
+#endif /* USE_IPSECMOD */

contrib/unbound/ipsecmod/ipsecmod-whitelist.h

@@ -0,0 +1,82 @@
+/*
+ * ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to
+ * operate on.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ *
+ * Keep track of the white listed domains for ipsecmod.
+ */
+
+#ifndef IPSECMOD_WHITELIST_H
+#define IPSECMOD_WHITELIST_H
+#include "util/storage/dnstree.h"
+
+struct config_file;
+struct regional;
+
+/**
+ * Process ipsecmod_whitelist config.
+ * @param ie: ipsecmod environment.
+ * @param cfg: config options.
+ * @return 0 on error.
+ */
+int ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie,
+	struct config_file* cfg);
+
+/**
+ * Delete the ipsecmod whitelist.
+ * @param whitelist: ipsecmod whitelist.
+ */
+void ipsecmod_whitelist_delete(rbtree_type* whitelist);
+
+/**
+ * See if a domain is whitelisted.
+ * @param ie: ipsecmod environment.
+ * @param dname: domain name to check.
+ * @param dname_len: length of domain name.
+ * @param qclass: query CLASS.
+ * @return: true if the domain is whitelisted for the ipsecmod.
+ */
+int ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname,
+	size_t dname_len, uint16_t qclass);
+
+/**
+ * Get memory used by ipsecmod whitelist.
+ * @param whitelist: structure for domain storage.
+ * @return bytes in use.
+ */
+size_t ipsecmod_whitelist_get_mem(rbtree_type* whitelist);
+
+#endif /* IPSECMOD_WHITELIST_H */

contrib/unbound/ipsecmod/ipsecmod.c

@@ -0,0 +1,515 @@
+/*
+ * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that facilitates opportunistic IPsec. It does so
+ * by also quering for the IPSECKEY for A/AAAA queries and calling a
+ * configurable hook (eg. signaling an IKE daemon) before replying.
+ */
+
+#include "config.h"
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#include "ipsecmod/ipsecmod-whitelist.h"
+#include "util/fptr_wlist.h"
+#include "util/regional.h"
+#include "util/net_help.h"
+#include "util/config_file.h"
+#include "services/cache/dns.h"
+#include "sldns/wire2str.h"
+
+/** Apply configuration to ipsecmod module 'global' state. */
+static int
+ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg)
+{
+	if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) {
+		log_err("ipsecmod: missing ipsecmod-hook.");
+		return 0;
+	}
+	if(cfg->ipsecmod_whitelist &&
+		!ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg))
+		return 0;
+	return 1;
+}
+
+int
+ipsecmod_init(struct module_env* env, int id)
+{
+	struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1,
+		sizeof(struct ipsecmod_env));
+	if(!ipsecmod_env) {
+		log_err("malloc failure");
+		return 0;
+	}
+	env->modinfo[id] = (void*)ipsecmod_env;
+	ipsecmod_env->whitelist = NULL;
+	if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) {
+		log_err("ipsecmod: could not apply configuration settings.");
+		return 0;
+	}
+	return 1;
+}
+
+void
+ipsecmod_deinit(struct module_env* env, int id)
+{
+	struct ipsecmod_env* ipsecmod_env;
+	if(!env || !env->modinfo[id])
+		return;
+	ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id];
+	/* Free contents. */
+	ipsecmod_whitelist_delete(ipsecmod_env->whitelist);
+	free(ipsecmod_env);
+	env->modinfo[id] = NULL;
+}
+
+/** New query for ipsecmod. */
+static int
+ipsecmod_new(struct module_qstate* qstate, int id)
+{
+	struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
+		qstate->region, sizeof(struct ipsecmod_qstate));
+	memset(iq, 0, sizeof(*iq));
+	qstate->minfo[id] = iq;
+	if(!iq)
+		return 0;
+	/* Initialise it. */
+	iq->enabled = qstate->env->cfg->ipsecmod_enabled;
+	iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
+		(struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
+		qstate->qinfo.qname_len, qstate->qinfo.qclass);
+	return 1;
+}
+
+/**
+ * Exit module with an error status.
+ * @param qstate: query state
+ * @param id: module id.
+ */
+static void
+ipsecmod_error(struct module_qstate* qstate, int id)
+{
+	qstate->ext_state[id] = module_error;
+	qstate->return_rcode = LDNS_RCODE_SERVFAIL;
+}
+
+/**
+ * Generate a request for the IPSECKEY.
+ *
+ * @param qstate: query state that is the parent.
+ * @param id: module id.
+ * @param name: what name to query for.
+ * @param namelen: length of name.
+ * @param qtype: query type.
+ * @param qclass: query class.
+ * @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
+ * @return false on alloc failure.
+ */
+static int
+generate_request(struct module_qstate* qstate, int id, uint8_t* name,
+	size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
+{
+	struct module_qstate* newq;
+	struct query_info ask;
+	ask.qname = name;
+	ask.qname_len = namelen;
+	ask.qtype = qtype;
+	ask.qclass = qclass;
+	ask.local_alias = NULL;
+	log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask);
+	fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
+	if(!(*qstate->env->attach_sub)(qstate, &ask,
+		(uint16_t)(BIT_RD|flags), 0, 0, &newq)){
+		log_err("Could not generate request: out of memory");
+		return 0;
+	}
+	qstate->ext_state[id] = module_wait_subquery;
+	return 1;
+}
+
+/**
+ *  Prepare the data and call the hook.
+ *
+ *  @param qstate: query state.
+ *  @param iq: ipsecmod qstate.
+ *  @param ie: ipsecmod environment.
+ *  @return true on success, false otherwise.
+ */
+static int
+call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
+	struct ipsecmod_env* ATTR_UNUSED(ie))
+{
+	size_t slen, tempdata_len, tempstring_len, i;
+	char str[65535], *s, *tempstring;
+	int w;
+	struct ub_packed_rrset_key* rrset_key;
+	struct packed_rrset_data* rrset_data;
+	uint8_t *tempdata;
+
+	/* Check if a shell is available */
+	if(system(NULL) == 0) {
+		log_err("ipsecmod: no shell available for ipsecmod-hook");
+		return 0;
+	}
+
+	/* Zero the buffer. */
+	s = str;
+	slen = sizeof(str);
+	memset(s, 0, slen);
+
+	/* Copy the hook into the buffer. */
+	sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
+	/* Put space into the buffer. */
+	sldns_str_print(&s, &slen, " ");
+	/* Copy the qname into the buffer. */
+	tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
+		qstate->qinfo.qname_len);
+	if(!tempstring) {
+		log_err("ipsecmod: out of memory when calling the hook");
+		return 0;
+	}
+	sldns_str_print(&s, &slen, "\"%s\"", tempstring);
+	free(tempstring);
+	/* Put space into the buffer. */
+	sldns_str_print(&s, &slen, " ");
+	/* Copy the IPSECKEY TTL into the buffer. */
+	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+	sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
+	/* Put space into the buffer. */
+	sldns_str_print(&s, &slen, " ");
+	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
+	 * with a double quote. */
+	rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
+		qstate->return_msg->rep);
+	rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
+	sldns_str_print(&s, &slen, "\"");
+	for(i=0; i<rrset_data->count; i++) {
+		if(i > 0) {
+			/* Put space into the buffer. */
+			sldns_str_print(&s, &slen, " ");
+		}
+		/* Ignore the first two bytes, they are the rr_data len. */
+		w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
+			rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
+		if(w < 0) {
+			/* Error in printout. */
+			return -1;
+		} else if((size_t)w >= slen) {
+			s = NULL; /* We do not want str to point outside of buffer. */
+			slen = 0;
+			return -1;
+		} else {
+			s += w;
+			slen -= w;
+		}
+	}
+	sldns_str_print(&s, &slen, "\"");
+	/* Put space into the buffer. */
+	sldns_str_print(&s, &slen, " ");
+	/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
+	 * with a double quote. */
+	sldns_str_print(&s, &slen, "\"");
+	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+	for(i=0; i<rrset_data->count; i++) {
+		if(i > 0) {
+			/* Put space into the buffer. */
+			sldns_str_print(&s, &slen, " ");
+		}
+		/* Ignore the first two bytes, they are the rr_data len. */
+		tempdata = rrset_data->rr_data[i] + 2;
+		tempdata_len = rrset_data->rr_len[i] - 2;
+		/* Save the buffer pointers. */
+		tempstring = s; tempstring_len = slen;
+		w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
+			NULL, 0);
+		/* There was an error when parsing the IPSECKEY; reset the buffer
+		 * pointers to their previous values. */
+		if(w == -1){
+			s = tempstring; slen = tempstring_len;
+		}
+	}
+	sldns_str_print(&s, &slen, "\"");
+	verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
+	/* ipsecmod-hook should return 0 on success. */
+	if(system(str) != 0)
+		return 0;
+	return 1;
+}
+
+/**
+ * Handle an ipsecmod module event with a query
+ * @param qstate: query state (from the mesh), passed between modules.
+ * 	contains qstate->env module environment with global caches and so on.
+ * @param iq: query state specific for this module.  per-query.
+ * @param ie: environment specific for this module.  global.
+ * @param id: module id.
+ */
+static void
+ipsecmod_handle_query(struct module_qstate* qstate,
+	struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id)
+{
+	struct ub_packed_rrset_key* rrset_key;
+	struct packed_rrset_data* rrset_data;
+	size_t i;
+	/* Pass to next module if we are not enabled and whitelisted. */
+	if(!(iq->enabled && iq->is_whitelisted)) {
+		qstate->ext_state[id] = module_wait_module;
+		return;
+	}
+	/* New query, check if the query is for an A/AAAA record and disable
+	 * caching for other modules. */
+	if(!iq->ipseckey_done) {
+		if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
+			qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
+			char type[16];
+			sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
+				sizeof(type));
+			verbose(VERB_ALGO, "ipsecmod: query for %s; engaging",
+				type);
+			qstate->no_cache_store = 1;
+		}
+		/* Pass request to next module. */
+		qstate->ext_state[id] = module_wait_module;
+		return;
+	}
+	/* IPSECKEY subquery is finished. */
+	/* We have an IPSECKEY answer. */
+	if(iq->ipseckey_rrset) {
+		rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+		if(rrset_data) {
+			/* If bogus return SERVFAIL. */
+			if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
+				rrset_data->security == sec_status_bogus) {
+				log_err("ipsecmod: bogus IPSECKEY");
+				ipsecmod_error(qstate, id);
+				return;
+			}
+			/* We have a valid IPSECKEY reply, call hook. */
+			if(!call_hook(qstate, iq, ie) &&
+				qstate->env->cfg->ipsecmod_strict) {
+				log_err("ipsecmod: ipsecmod-hook failed");
+				ipsecmod_error(qstate, id);
+				return;
+			}
+			/* Make sure the A/AAAA's TTL is equal/less than the
+			 * ipsecmod_max_ttl. */
+			rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
+				qstate->return_msg->rep);
+			rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
+			if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
+				/* Update TTL for rrset to fixed value. */
+				rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl;
+				for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++)
+					rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl;
+				/* Also update reply_info's TTL */
+				if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
+					qstate->return_msg->rep->ttl =
+						qstate->env->cfg->ipsecmod_max_ttl;
+					qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(
+						qstate->return_msg->rep->ttl);
+				}
+			}
+		}
+	}
+	/* Store A/AAAA in cache. */
+	if(!dns_cache_store(qstate->env, &qstate->qinfo,
+		qstate->return_msg->rep, 0, qstate->prefetch_leeway,
+		0, qstate->region, qstate->query_flags)) {
+		log_err("ipsecmod: out of memory caching record");
+	}
+	qstate->ext_state[id] = module_finished;
+}
+
+/**
+ * Handle an ipsecmod module event with a response from the iterator.
+ * @param qstate: query state (from the mesh), passed between modules.
+ * 	contains qstate->env module environment with global caches and so on.
+ * @param iq: query state specific for this module.  per-query.
+ * @param ie: environment specific for this module.  global.
+ * @param id: module id.
+ */
+static void
+ipsecmod_handle_response(struct module_qstate* qstate,
+	struct ipsecmod_qstate* ATTR_UNUSED(iq),
+	struct ipsecmod_env* ATTR_UNUSED(ie), int id)
+{
+	/* Pass to previous module if we are not enabled and whitelisted. */
+	if(!(iq->enabled && iq->is_whitelisted)) {
+		qstate->ext_state[id] = module_finished;
+		return;
+	}
+	/* check if the response is for an A/AAAA query. */
+	if((qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
+		qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) &&
+		/* check that we had an answer for the A/AAAA query. */
+		qstate->return_msg &&
+		reply_find_answer_rrset(&qstate->return_msg->qinfo,
+		qstate->return_msg->rep) &&
+		/* check that another module didn't SERVFAIL. */
+		qstate->return_rcode == LDNS_RCODE_NOERROR) {
+		char type[16];
+		sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
+			sizeof(type));
+		verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY "
+			"subquery", type);
+		/* generate an IPSECKEY query. */
+		if(!generate_request(qstate, id, qstate->qinfo.qname,
+			qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
+			qstate->qinfo.qclass, 0)) {
+			log_err("ipsecmod: could not generate subquery.");
+			ipsecmod_error(qstate, id);
+		}
+		return;
+	}
+	/* we are done with the query. */
+	qstate->ext_state[id] = module_finished;
+}
+
+void
+ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
+	struct outbound_entry* outbound)
+{
+	struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id];
+	struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id];
+	verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s",
+		id, strextstate(qstate->ext_state[id]), strmodulevent(event));
+	if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query",
+		&qstate->qinfo);
+
+	/* create ipsecmod_qstate. */
+	if((event == module_event_new || event == module_event_pass) &&
+		iq == NULL) {
+		if(!ipsecmod_new(qstate, id)) {
+			ipsecmod_error(qstate, id);
+			return;
+		}
+		iq = (struct ipsecmod_qstate*)qstate->minfo[id];
+	}
+	if(iq && (event == module_event_pass || event == module_event_new)) {
+		ipsecmod_handle_query(qstate, iq, ie, id);
+		return;
+	}
+	if(iq && (event == module_event_moddone)) {
+		ipsecmod_handle_response(qstate, iq, ie, id);
+		return;
+	}
+	if(iq && outbound) {
+		/* cachedb does not need to process responses at this time
+		 * ignore it.
+		cachedb_process_response(qstate, iq, ie, id, outbound, event);
+		*/
+		return;
+	}
+	if(event == module_event_error) {
+		verbose(VERB_ALGO, "got called with event error, giving up");
+		ipsecmod_error(qstate, id);
+		return;
+	}
+	if(!iq && (event == module_event_moddone)) {
+		/* during priming, module done but we never started. */
+		qstate->ext_state[id] = module_finished;
+		return;
+	}
+
+	log_err("ipsecmod: bad event %s", strmodulevent(event));
+	ipsecmod_error(qstate, id);
+	return;
+}
+
+void
+ipsecmod_inform_super(struct module_qstate* qstate, int id,
+	struct module_qstate* super)
+{
+	struct ipsecmod_qstate* siq;
+	log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is",
+		&qstate->qinfo);
+	log_query_info(VERB_ALGO, "super is", &super->qinfo);
+	siq = (struct ipsecmod_qstate*)super->minfo[id];
+	if(!siq) {
+		verbose(VERB_ALGO, "super has no ipsecmod state");
+		return;
+	}
+
+	if(qstate->return_msg) {
+		struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset(
+			&qstate->return_msg->qinfo, qstate->return_msg->rep);
+		if(rrset_key) {
+			/* We have an answer. */
+			/* Copy to super's region. */
+			rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0);
+			siq->ipseckey_rrset = rrset_key;
+			if(!rrset_key) {
+				log_err("ipsecmod: out of memory.");
+			}
+		}
+	}
+	/* Notify super to proceed. */
+	siq->ipseckey_done = 1;
+}
+
+void
+ipsecmod_clear(struct module_qstate* qstate, int id)
+{
+	if(!qstate)
+		return;
+	qstate->minfo[id] = NULL;
+}
+
+size_t
+ipsecmod_get_mem(struct module_env* env, int id)
+{
+	struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id];
+	if(!ie)
+		return 0;
+	return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist);
+}
+
+/**
+ * The ipsecmod function block
+ */
+static struct module_func_block ipsecmod_block = {
+	"ipsecmod",
+	&ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate,
+	&ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem
+};
+
+struct module_func_block*
+ipsecmod_get_funcblock(void)
+{
+	return &ipsecmod_block;
+}
+#endif /* USE_IPSECMOD */

contrib/unbound/ipsecmod/ipsecmod.h

@@ -0,0 +1,97 @@
+/*
+ * ipsecmod/ipsecmod.h - facilitate opportunistic IPsec module
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that facilitates opportunistic IPsec. It does so
+ * by also quering for the IPSECKEY for A/AAAA queries and calling a
+ * configurable hook (eg. signaling an IKE daemon) before replying.
+ */
+
+#ifndef IPSECMOD_H
+#define IPSECMOD_H
+#include "util/module.h"
+#include "util/rbtree.h"
+
+/**
+ * The global variable environment contents for the ipsecmod
+ * Shared between threads, this represents long term information.
+ */
+struct ipsecmod_env {
+	/** White listed domains for ipsecmod. */
+	rbtree_type* whitelist;
+};
+
+/**
+ * Per query state for the ipsecmod module.
+ */
+struct ipsecmod_qstate {
+	/** State of the IPsec module. */
+	/** NOTE: This value is copied here from the configuration so that a change
+	 *  with unbound-control would not complicate an already running mesh. */
+	int enabled;
+	/** If the qname is whitelisted or not. */
+	/** NOTE: No whitelist means all qnames are whitelisted. */
+	int is_whitelisted;
+	/** Pointer to IPSECKEY rrset allocated in the qstate region. NULL if there
+	 *  was no IPSECKEY reply from the subquery. */
+	struct ub_packed_rrset_key* ipseckey_rrset;
+	/** If the IPSECKEY subquery has finished. */
+	int ipseckey_done;
+};
+
+/** Init the ipsecmod module */
+int ipsecmod_init(struct module_env* env, int id);
+/** Deinit the ipsecmod module */
+void ipsecmod_deinit(struct module_env* env, int id);
+/** Operate on an event on a query (in qstate). */
+void ipsecmod_operate(struct module_qstate* qstate, enum module_ev event,
+	int id, struct outbound_entry* outbound);
+/** Subordinate query done, inform this super request of its conclusion */
+void ipsecmod_inform_super(struct module_qstate* qstate, int id,
+	struct module_qstate* super);
+/** clear the ipsecmod query-specific contents out of qstate */
+void ipsecmod_clear(struct module_qstate* qstate, int id);
+/** return memory estimate for the ipsecmod module */
+size_t ipsecmod_get_mem(struct module_env* env, int id);
+
+/**
+ * Get the function block with pointers to the ipsecmod functions
+ * @return the function block for "ipsecmod".
+ */
+struct module_func_block* ipsecmod_get_funcblock(void);
+
+#endif /* IPSECMOD_H */

contrib/unbound/iterator/iter_hints.c

@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
       }
       if(do_ip6) {
 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
-	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:84::b")) goto failed;
+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;

contrib/unbound/iterator/iterator.c

@@ -288,6 +288,22 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
 				return error_response(qstate, id, rcode);
 			/* if that fails (not in cache), fall through to store err */
 		}
+		if(qstate->env->cfg->serve_expired) {
+			/* if serving expired contents, and such content is
+			 * already available, don't overwrite this servfail */
+			struct msgreply_entry* msg;
+			if((msg=msg_cache_lookup(qstate->env,
+				qstate->qinfo.qname, qstate->qinfo.qname_len,
+				qstate->qinfo.qtype, qstate->qinfo.qclass,
+				qstate->query_flags, 0, 0))
+				!= NULL) {
+				lock_rw_unlock(&msg->entry.lock);
+				return error_response(qstate, id, rcode);
+			}
+			/* serving expired contents, but nothing is cached
+			 * at all, so the servfail cache entry is useful
+			 * (stops waste of time on this servfail NORR_TTL) */
+		}
 		memset(&err, 0, sizeof(err));
 		err.flags = (uint16_t)(BIT_QR | BIT_RA);
 		FLAGS_SET_RCODE(err.flags, rcode);
@@ -509,6 +525,33 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
 	return 1;
 }
 
+/** see if last resort is possible - does config allow queries to parent */
+static int
+can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
+	uint16_t qclass)
+{
+	struct delegpt* fwddp;
+	struct iter_hints_stub* stub;
+	int labs = dname_count_labels(nm);
+	/* do not process a last resort (the parent side) if a stub
+	 * or forward is configured, because we do not want to go 'above'
+	 * the configured servers */
+	if(!dname_is_root(nm) && (stub = (struct iter_hints_stub*)
+		name_tree_find(&env->hints->tree, nm, nmlen, labs, qclass)) &&
+		/* has_parent side is turned off for stub_first, where we
+		 * are allowed to go to the parent */
+		stub->dp->has_parent_side_NS) {
+		return 0;
+	}
+	if((fwddp = forwards_find(env->fwds, nm, qclass)) &&
+		/* has_parent_side is turned off for forward_first, where
+		 * we are allowed to go to the parent */
+		fwddp->has_parent_side_NS) {
+		return 0;
+	}
+	return 1;
+}
+
 /** see if target name is caps-for-id whitelisted */
 static int
 is_caps_whitelisted(struct iter_env* ie, struct iter_qstate* iq)
@@ -853,6 +896,9 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
 
 	if(iq->depth == ie->max_dependency_depth)
 		return;
+	if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen,
+		iq->qchase.qclass))
+		return;
 	/* is this query the same as the nscheck? */
 	if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
 		query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
@@ -1025,6 +1071,20 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 		return next_state(iq, COLLECT_CLASS_STATE);
 	}
 
+	/*
+	 * If we are restricted by a forward-zone or a stub-zone, we
+	 * can't re-fetch glue for this delegation point.
+	 * we won’t try to re-fetch glue if the iq->dp is null.
+	 */
+	if (iq->refetch_glue &&
+	        iq->dp &&
+	        !can_have_last_resort(qstate->env,
+	                              iq->dp->name,
+	                              iq->dp->namelen,
+	                              iq->qchase.qclass)) {
+	    iq->refetch_glue = 0;
+	}
+
 	/* Resolver Algorithm Step 1 -- Look for the answer in local data. */
 
 	/* This either results in a query restart (CNAME cache response), a
@@ -1558,35 +1618,6 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
 	return 1;
 }
 
-/** see if last resort is possible - does config allow queries to parent */
-static int
-can_have_last_resort(struct module_env* env, struct delegpt* dp,
-	struct iter_qstate* iq)
-{
-	struct delegpt* fwddp;
-	struct iter_hints_stub* stub;
-	/* do not process a last resort (the parent side) if a stub
-	 * or forward is configured, because we do not want to go 'above'
-	 * the configured servers */
-	if(!dname_is_root(dp->name) && (stub = (struct iter_hints_stub*)
-		name_tree_find(&env->hints->tree, dp->name, dp->namelen,
-		dp->namelabs, iq->qchase.qclass)) &&
-		/* has_parent side is turned off for stub_first, where we
-		 * are allowed to go to the parent */
-		stub->dp->has_parent_side_NS) {
-		verbose(VERB_QUERY, "configured stub servers failed -- returning SERVFAIL");
-		return 0;
-	}
-	if((fwddp = forwards_find(env->fwds, dp->name, iq->qchase.qclass)) &&
-		/* has_parent_side is turned off for forward_first, where
-		 * we are allowed to go to the parent */
-		fwddp->has_parent_side_NS) {
-		verbose(VERB_QUERY, "configured forward servers failed -- returning SERVFAIL");
-		return 0;
-	}
-	return 1;
-}
-
 /**
  * Called by processQueryTargets when it would like extra targets to query
  * but it seems to be out of options.  At last resort some less appealing
@@ -1608,9 +1639,11 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 	verbose(VERB_ALGO, "No more query targets, attempting last resort");
 	log_assert(iq->dp);
 
-	if(!can_have_last_resort(qstate->env, iq->dp, iq)) {
+	if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen,
+		iq->qchase.qclass)) {
 		/* fail -- no more targets, no more hope of targets, no hope 
 		 * of a response. */
+		verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
 		return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
 	}
 	if(!iq->dp->has_parent_side_NS && dname_is_root(iq->dp->name)) {
@@ -1695,6 +1728,19 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* see if we can issue queries to get nameserver addresses */
 	/* this lookup is not randomized, but sequential. */
 	for(ns = iq->dp->nslist; ns; ns = ns->next) {
+		/* if this nameserver is at a delegation point, but that
+		 * delegation point is a stub and we cannot go higher, skip*/
+		if( ((ie->supports_ipv6 && !ns->done_pside6) ||
+		    (ie->supports_ipv4 && !ns->done_pside4)) &&
+		    !can_have_last_resort(qstate->env, ns->name, ns->namelen,
+			iq->qchase.qclass)) {
+			log_nametypeclass(VERB_ALGO, "cannot pside lookup ns "
+				"because it is also a stub/forward,",
+				ns->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
+			if(ie->supports_ipv6) ns->done_pside6 = 1;
+			if(ie->supports_ipv4) ns->done_pside4 = 1;
+			continue;
+		}
 		/* query for parent-side A and AAAA for nameservers */
 		if(ie->supports_ipv6 && !ns->done_pside6) {
 			/* Send the AAAA request. */

contrib/unbound/libunbound/unbound.h

@@ -601,6 +601,167 @@ int ub_ctx_data_remove(struct ub_ctx* ctx, const char *data);
  */
 const char* ub_version(void);
 
+/** 
+ * Some global statistics that are not in struct stats_info,
+ * this struct is shared on a shm segment (shm-key in unbound.conf)
+ */
+struct ub_shm_stat_info {
+	int num_threads;
+
+	struct {
+		long long now_sec, now_usec;
+		long long up_sec, up_usec;
+		long long elapsed_sec, elapsed_usec;
+	} time;
+
+	struct {
+		long long msg;
+		long long rrset;
+		long long val;
+		long long iter;
+		long long subnet;
+		long long ipsecmod;
+		long long respip;
+	} mem;
+};
+
+/** number of qtype that is stored for in array */
+#define UB_STATS_QTYPE_NUM 256
+/** number of qclass that is stored for in array */
+#define UB_STATS_QCLASS_NUM 256
+/** number of rcodes in stats */
+#define UB_STATS_RCODE_NUM 16
+/** number of opcodes in stats */
+#define UB_STATS_OPCODE_NUM 16
+/** number of histogram buckets */
+#define UB_STATS_BUCKET_NUM 40
+
+/** per worker statistics. */
+struct ub_server_stats {
+	/** number of queries from clients received. */
+	long long num_queries;
+	/** number of queries that have been dropped/ratelimited by ip. */
+	long long num_queries_ip_ratelimited;
+	/** number of queries that had a cache-miss. */
+	long long num_queries_missed_cache;
+	/** number of prefetch queries - cachehits with prefetch */
+	long long num_queries_prefetch;
+
+	/**
+	 * Sum of the querylistsize of the worker for 
+	 * every query that missed cache. To calculate average.
+	 */
+	long long sum_query_list_size;
+	/** max value of query list size reached. */
+	long long max_query_list_size;
+
+	/** Extended stats below (bool) */
+	int extended;
+
+	/** qtype stats */
+	long long qtype[UB_STATS_QTYPE_NUM];
+	/** bigger qtype values not in array */
+	long long qtype_big;
+	/** qclass stats */
+	long long qclass[UB_STATS_QCLASS_NUM];
+	/** bigger qclass values not in array */
+	long long qclass_big;
+	/** query opcodes */
+	long long qopcode[UB_STATS_OPCODE_NUM];
+	/** number of queries over TCP */
+	long long qtcp;
+	/** number of outgoing queries over TCP */
+	long long qtcp_outgoing;
+	/** number of queries over IPv6 */
+	long long qipv6;
+	/** number of queries with QR bit */
+	long long qbit_QR;
+	/** number of queries with AA bit */
+	long long qbit_AA;
+	/** number of queries with TC bit */
+	long long qbit_TC;
+	/** number of queries with RD bit */
+	long long qbit_RD;
+	/** number of queries with RA bit */
+	long long qbit_RA;
+	/** number of queries with Z bit */
+	long long qbit_Z;
+	/** number of queries with AD bit */
+	long long qbit_AD;
+	/** number of queries with CD bit */
+	long long qbit_CD;
+	/** number of queries with EDNS OPT record */
+	long long qEDNS;
+	/** number of queries with EDNS with DO flag */
+	long long qEDNS_DO;
+	/** answer rcodes */
+	long long ans_rcode[UB_STATS_RCODE_NUM];
+	/** answers with pseudo rcode 'nodata' */
+	long long ans_rcode_nodata;
+	/** answers that were secure (AD) */
+	long long ans_secure;
+	/** answers that were bogus (withheld as SERVFAIL) */
+	long long ans_bogus;
+	/** rrsets marked bogus by validator */
+	long long rrset_bogus;
+	/** unwanted traffic received on server-facing ports */
+	long long unwanted_replies;
+	/** unwanted traffic received on client-facing ports */
+	long long unwanted_queries;
+	/** usage of tcp accept list */
+	long long tcp_accept_usage;
+	/** answers served from expired cache */
+	long long zero_ttl_responses;
+	/** histogram data exported to array 
+	 * if the array is the same size, no data is lost, and
+	 * if all histograms are same size (is so by default) then
+	 * adding up works well. */
+	long long hist[UB_STATS_BUCKET_NUM];
+	
+	/** number of message cache entries */
+	long long msg_cache_count;
+	/** number of rrset cache entries */
+	long long rrset_cache_count;
+	/** number of infra cache entries */
+	long long infra_cache_count;
+	/** number of key cache entries */
+	long long key_cache_count;
+
+	/** number of queries that used dnscrypt */
+	long long num_query_dnscrypt_crypted;
+	/** number of queries that queried dnscrypt certificates */
+	long long num_query_dnscrypt_cert;
+	/** number of queries in clear text and not asking for the certificates */
+	long long num_query_dnscrypt_cleartext;
+	/** number of malformed encrypted queries */
+	long long num_query_dnscrypt_crypted_malformed;
+};
+
+/** 
+ * Statistics to send over the control pipe when asked
+ * This struct is made to be memcpied, sent in binary.
+ * shm mapped with (number+1) at num_threads+1, with first as total
+ */
+struct ub_stats_info {
+	/** the thread stats */
+	struct ub_server_stats svr;
+
+	/** mesh stats: current number of states */
+	long long mesh_num_states;
+	/** mesh stats: current number of reply (user) states */
+	long long mesh_num_reply_states;
+	/** mesh stats: number of reply states overwritten with a new one */
+	long long mesh_jostled;
+	/** mesh stats: number of incoming queries dropped */
+	long long mesh_dropped;
+	/** mesh stats: replies sent */
+	long long mesh_replies_sent;
+	/** mesh stats: sum of waiting times for the replies */
+	long long mesh_replies_sum_wait_sec, mesh_replies_sum_wait_usec;
+	/** mesh stats: median of waiting times for replies (in sec) */
+	double mesh_time_median;
+};
+
 #ifdef __cplusplus
 }
 #endif

contrib/unbound/respip/respip.c

@@ -261,6 +261,7 @@ respip_enter_rr(struct regional* region, struct resp_addr* raddr,
 		log_err("bad response-ip-data: %s", rrstr);
 		return 0;
 	}
+	free(nm);
 	sa = (struct sockaddr*)&raddr->node.addr;
 	if (rrtype == LDNS_RR_TYPE_CNAME && raddr->data) {
 		log_err("CNAME response-ip data (%s) can not co-exist with other "

contrib/unbound/services/authzone.h

@@ -0,0 +1,209 @@
+/*
+ * services/authzone.h - authoritative zone that is locally hosted.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains the functions for an authority zone.  This zone
+ * is queried by the iterator, just like a stub or forward zone, but then
+ * the data is locally held.
+ */
+
+#ifndef SERVICES_AUTHZONE_H
+#define SERVICES_AUTHZONE_H
+#include "util/rbtree.h"
+#include "util/locks.h"
+struct ub_packed_rrset_key;
+struct regional;
+struct config_file;
+struct query_info;
+struct dns_msg;
+
+/**
+ * Authoritative zones, shared.
+ */
+struct auth_zones {
+	/** lock on the authzone tree */
+	lock_rw_type lock;
+	/** rbtree of struct auth_zone */
+	rbtree_type ztree;
+};
+
+/**
+ * Auth zone.  Authoritative data, that is fetched from instead of sending
+ * packets to the internet.
+ */
+struct auth_zone {
+	/** rbtree node, key is name and class */
+	rbnode_type node;
+
+	/** zone name, in uncompressed wireformat */
+	uint8_t* name;
+	/** length of zone name */
+	size_t namelen;
+	/** number of labels in zone name */
+	int namelabs;
+	/** the class of this zone, in host byteorder.
+	 * uses 'dclass' to not conflict with c++ keyword class. */
+	uint16_t dclass;
+
+	/** lock on the data in the structure
+	 * For the node, parent, name, namelen, namelabs, dclass, you
+	 * need to also hold the zones_tree lock to change them (or to
+	 * delete this zone) */
+	lock_rw_type lock;
+
+	/** auth data for this zone
+	 * rbtree of struct auth_data */
+	rbtree_type data;
+
+	/* zonefile name (or NULL for no zonefile) */
+	char* zonefile;
+	/* fallback to the internet on failure or ttl-expiry of auth zone */
+	int fallback_enabled;
+};
+
+/**
+ * Auth data. One domain name, and the RRs to go with it.
+ */
+struct auth_data {
+	/** rbtree node, key is name only */
+	rbnode_type node;
+	/** domain name */
+	uint8_t* name;
+	/** length of name */
+	size_t namelen;
+	/** number of labels in name */
+	int namelabs;
+	/** the data rrsets, with different types, linked list.
+	 * if the list if NULL the node would be an empty non-terminal,
+	 * but in this data structure such nodes that represent an empty
+	 * non-terminal are not needed; they just don't exist.
+	 */
+	struct auth_rrset* rrsets;
+};
+
+/**
+ * A auth data RRset
+ */
+struct auth_rrset {
+	/** next in list */
+	struct auth_rrset* next;
+	/** RR type in host byteorder */
+	uint16_t type;
+	/** RRset data item */
+	struct packed_rrset_data* data;
+};
+
+/**
+ * Create auth zones structure
+ */
+struct auth_zones* auth_zones_create(void);
+
+/**
+ * Apply configuration to auth zones.  Reads zonefiles.
+ */
+int auth_zones_apply_config(struct auth_zones* az, struct config_file* cfg);
+
+/**
+ * Delete auth zones structure
+ */
+void auth_zones_delete(struct auth_zones* az);
+
+/**
+ * Write auth zone data to file, in zonefile format.
+ */
+int auth_zone_write_file(struct auth_zone* z, const char* fname);
+
+/**
+ * Use auth zones to lookup the answer to a query.
+ * The query is from the iterator.  And the auth zones attempts to provide
+ * the answer instead of going to the internet.
+ *
+ * @param az: auth zones structure.
+ * @param qinfo: query info to lookup.
+ * @param region: region to use to allocate the reply in.
+ * @param msg: reply is stored here (if one).
+ * @param fallback: if true, fallback to making a query to the internet.
+ * @param dp_nm: name of delegation point to look for.  This zone is used
+ *	to answer the query.
+ *	If the dp_nm is not found, fallback is set to true and false returned.
+ * @param dp_nmlen: length of dp_nm.
+ * @return 0: failure (an error of some sort, like servfail).
+ *         if 0 and fallback is true, fallback to the internet.
+ *         if 0 and fallback is false, like getting servfail.
+ *         If true, an answer is available.
+ */
+int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
+	struct regional* region, struct dns_msg** msg, int* fallback,
+	uint8_t* dp_nm, size_t dp_nmlen);
+
+/** 
+ * Find the auth zone that is above the given qname.
+ * Return NULL when there is no auth_zone above the give name, otherwise
+ * returns the closest auth_zone above the qname that pertains to it.
+ * @param az: auth zones structure.
+ * @param qinfo: query info to lookup.
+ * @return NULL or auth_zone that pertains to the query.
+ */
+struct auth_zone* auth_zones_find_zone(struct auth_zones* az,
+	struct query_info* qinfo);
+
+/** find an auth zone by name (exact match by name or NULL returned) */
+struct auth_zone* auth_zone_find(struct auth_zones* az, uint8_t* nm,
+	size_t nmlen, uint16_t dclass);
+
+/** create an auth zone. returns wrlocked zone. caller must have wrlock
+ * on az. returns NULL on malloc failure */
+struct auth_zone* auth_zone_create(struct auth_zones* az, uint8_t* nm,
+	size_t nmlen, uint16_t dclass);
+
+/** set auth zone zonefile string. caller must have lock on zone */
+int auth_zone_set_zonefile(struct auth_zone* z, char* zonefile);
+
+/** set auth zone fallback. caller must have lock on zone.
+ * fallbackstr is "yes" or "no". false on parse failure. */
+int auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr);
+
+/** read auth zone from zonefile. caller must lock zone. false on failure */
+int auth_zone_read_zonefile(struct auth_zone* z);
+
+/** compare auth_zones for sorted rbtree */
+int auth_zone_cmp(const void* z1, const void* z2);
+
+/** compare auth_data for sorted rbtree */
+int auth_data_cmp(const void* z1, const void* z2);
+
+#endif /* SERVICES_AUTHZONE_H */

contrib/unbound/services/cache/dns.c

@@ -41,6 +41,7 @@
 #include "config.h"
 #include "iterator/iter_delegpt.h"
 #include "validator/val_nsec.h"
+#include "validator/val_utils.h"
 #include "services/cache/dns.h"
 #include "services/cache/rrset.h"
 #include "util/data/msgreply.h"
@@ -182,7 +183,7 @@ addr_to_additional(struct ub_packed_rrset_key* rrset, struct regional* region,
 }
 
 /** lookup message in message cache */
-static struct msgreply_entry* 
+struct msgreply_entry* 
 msg_cache_lookup(struct module_env* env, uint8_t* qname, size_t qnamelen, 
 	uint16_t qtype, uint16_t qclass, uint16_t flags, time_t now, int wr)
 {
@@ -755,11 +756,17 @@ dns_cache_lookup(struct module_env* env,
 	if( qtype != LDNS_RR_TYPE_DS &&
 	   (rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen, 
 		LDNS_RR_TYPE_CNAME, qclass, 0, now, 0))) {
+		uint8_t* wc = NULL;
+		/* if the rrset is not a wildcard expansion, with wcname */
+		/* because, if we return that CNAME rrset on its own, it is
+		 * missing the NSEC or NSEC3 proof */
+		if(!(val_rrset_wildcard(rrset, &wc) && wc != NULL)) {
 			struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
 			if(msg) {
 				lock_rw_unlock(&rrset->entry.lock);
 				return msg;
 			}
+		}
 		lock_rw_unlock(&rrset->entry.lock);
 	}
 

contrib/unbound/services/cache/dns.h

@@ -208,4 +208,10 @@ int dns_msg_authadd(struct dns_msg* msg, struct regional* region,
 int dns_cache_prefetch_adjust(struct module_env* env, struct query_info* qinfo,
         time_t adjust, uint16_t flags);
 
+/** lookup message in message cache
+ * the returned nonNULL entry is locked and has to be unlocked by the caller */
+struct msgreply_entry* msg_cache_lookup(struct module_env* env,
+	uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
+	uint16_t flags, time_t now, int wr);
+
 #endif /* SERVICES_CACHE_DNS_H */

contrib/unbound/services/cache/infra.c

@@ -893,6 +893,8 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
 
 	/* find ratelimit */
 	lim = infra_find_ratelimit(infra, name, namelen);
+	if(!lim)
+		return 1; /* disabled for this domain */
 	
 	/* find or insert ratedata */
 	entry = infra_find_ratedata(infra, name, namelen, 1);
@@ -941,6 +943,8 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
 
 	/* find ratelimit */
 	lim = infra_find_ratelimit(infra, name, namelen);
+	if(!lim)
+		return 0; /* disabled for this domain */
 
 	/* find current rate */
 	entry = infra_find_ratedata(infra, name, namelen, 0);

contrib/unbound/services/cache/infra.h

@@ -401,7 +401,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
 /** find the maximum rate stored, not too old. 0 if no information. */
 int infra_rate_max(void* data, time_t now);
 
-/** find the ratelimit in qps for a domain */
+/** find the ratelimit in qps for a domain. 0 if no limit for domain. */
 int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
 	size_t namelen);
 

contrib/unbound/services/localzone.c

@@ -187,7 +187,9 @@ lz_enter_zone_dname(struct local_zones* zones, uint8_t* nm, size_t len,
 	lock_rw_wrlock(&z->lock);
 	if(!rbtree_insert(&zones->ztree, &z->node)) {
 		struct local_zone* oldz;
-		log_warn("duplicate local-zone");
+		char str[256];
+		dname_str(nm, str);
+		log_warn("duplicate local-zone %s", str);
 		lock_rw_unlock(&z->lock);
 		/* save zone name locally before deallocation,
 		 * otherwise, nm is gone if we zone_delete now. */
@@ -744,12 +746,15 @@ add_as112_default(struct local_zones* zones, struct config_file* cfg,
 }
 
 /** enter default zones */
-static int
-lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
+int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 {
 	struct local_zone* z;
 	const char** zstr;
 
+	/* Do not add any default */
+	if(cfg->local_zones_disable_default)
+		return 1;
+
 	/* this list of zones is from RFC 6303 and RFC 7686 */
 
 	/* block localhost level zones first, then onion and later the LAN zones */
@@ -1019,7 +1024,7 @@ local_zones_apply_cfg(struct local_zones* zones, struct config_file* cfg)
 		return 0;
 	}
 	/* apply default zones+content (unless disabled, or overridden) */
-	if(!lz_enter_defaults(zones, cfg)) {
+	if(!local_zone_enter_defaults(zones, cfg)) {
 		return 0;
 	}
 	/* enter local zone overrides */
@@ -1585,7 +1590,7 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
 			lock_rw_rdlock(&z->lock);
 			lzt = z->type;
 		}
-		if(!z && !view->isfirst){
+		if(view->local_zones && !z && !view->isfirst){
 			lock_rw_unlock(&view->lock);
 			return 0;
 		}
@@ -1670,6 +1675,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
 		*t = local_zone_always_refuse;
 	else if(strcmp(type, "always_nxdomain") == 0)
 		*t = local_zone_always_nxdomain;
+	else if(strcmp(type, "nodefault") == 0)
+		*t = local_zone_nodefault;
 	else return 0;
 	return 1;
 }

contrib/unbound/services/localzone.h

@@ -427,6 +427,15 @@ enum localzone_type local_data_find_tag_action(const uint8_t* taglist,
 	const uint8_t* tagactions, size_t tagactionssize,
 	enum localzone_type lzt, int* tag, char* const* tagname, int num_tags);
 
+/**
+ * Enter defaults to local zone.
+ * @param zones: to add defaults to
+ * @param cfg: containing list of zones to exclude from default set.
+ * @return 1 on success; 0 otherwise.
+ */
+int local_zone_enter_defaults(struct local_zones* zones,
+	struct config_file* cfg);
+
 /**
   * Parses resource record string into wire format, also returning its field values.
   * @param str: input resource record

contrib/unbound/services/mesh.c

@@ -821,26 +821,26 @@ void mesh_detach_subs(struct module_qstate* qstate)
 	rbtree_init(&qstate->mesh_info->sub_set, &mesh_state_ref_compare);
 }
 
-int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
-        uint16_t qflags, int prime, int valrec, struct module_qstate** newq)
+int mesh_add_sub(struct module_qstate* qstate, struct query_info* qinfo,
+        uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
+	struct mesh_state** sub)
 {
 	/* find it, if not, create it */
 	struct mesh_area* mesh = qstate->env->mesh;
-	struct mesh_state* sub = mesh_area_find(mesh, NULL, qinfo, qflags,
+	*sub = mesh_area_find(mesh, NULL, qinfo, qflags,
 		prime, valrec);
-	int was_detached;
-	if(mesh_detect_cycle_found(qstate, sub)) {
+	if(mesh_detect_cycle_found(qstate, *sub)) {
 		verbose(VERB_ALGO, "attach failed, cycle detected");
 		return 0;
 	}
-	if(!sub) {
+	if(!*sub) {
 #ifdef UNBOUND_DEBUG
 		struct rbnode_type* n;
 #endif
 		/* create a new one */
-		sub = mesh_state_create(qstate->env, qinfo, NULL, qflags, prime,
+		*sub = mesh_state_create(qstate->env, qinfo, NULL, qflags, prime,
 			valrec);
-		if(!sub) {
+		if(!*sub) {
 			log_err("mesh_attach_sub: out of memory");
 			return 0;
 		}
@@ -849,7 +849,7 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 #else
 		(void)
 #endif
-		rbtree_insert(&mesh->all, &sub->node);
+		rbtree_insert(&mesh->all, &(*sub)->node);
 		log_assert(n != NULL);
 		/* set detached (it is now) */
 		mesh->num_detached_states++;
@@ -859,11 +859,22 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 #else
 		(void)
 #endif
-		rbtree_insert(&mesh->run, &sub->run_node);
+		rbtree_insert(&mesh->run, &(*sub)->run_node);
 		log_assert(n != NULL);
-		*newq = &sub->s;
+		*newq = &(*sub)->s;
 	} else
 		*newq = NULL;
+	return 1;
+}
+
+int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
+        uint16_t qflags, int prime, int valrec, struct module_qstate** newq)
+{
+	struct mesh_area* mesh = qstate->env->mesh;
+	struct mesh_state* sub = NULL;
+	int was_detached;
+	if(!mesh_add_sub(qstate, qinfo, qflags, prime, valrec, newq, &sub))
+		return 0;
 	was_detached = (sub->super_set.count == 0);
 	if(!mesh_state_attachment(qstate->mesh_info, sub))
 		return 0;

contrib/unbound/services/mesh.h

@@ -370,6 +370,35 @@ void mesh_detach_subs(struct module_qstate* qstate);
 int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 	uint16_t qflags, int prime, int valrec, struct module_qstate** newq);
 
+/**
+ * Add detached query.
+ * Creates it if it does not exist already.
+ * Does not make super/sub references.
+ * Performs a cycle detection - for double check - and fails if there is one.
+ * Updates stat items in mesh_area structure.
+ * Pass if it is priming query or not.
+ * return:
+ * 	o if error (malloc) happened.
+ * 	o need to initialise the new state (module init; it is a new state).
+ * 	  so that the next run of the query with this module is successful.
+ * 	o no init needed, attachment successful.
+ * 	o added subquery, created if it did not exist already.
+ *
+ * @param qstate: the state to find mesh state, and that wants to receive
+ * 	the results from the new subquery.
+ * @param qinfo: what to query for (copied).
+ * @param qflags: what flags to use (RD / CD flag or not).
+ * @param prime: if it is a (stub) priming query.
+ * @param valrec: if it is a validation recursion query (lookup of key, DS).
+ * @param newq: If the new subquery needs initialisation, it is returned,
+ * 	otherwise NULL is returned.
+ * @param sub: The added mesh state, created if it did not exist already.
+ * @return: false on error, true if success (and init may be needed).
+ */
+int mesh_add_sub(struct module_qstate* qstate, struct query_info* qinfo,
+        uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
+	struct mesh_state** sub);
+
 /**
  * Query state is done, send messages to reply entries.
  * Encode messages using reply entry values and the querystate (with original

contrib/unbound/services/modstack.c

@@ -54,6 +54,9 @@
 #ifdef USE_CACHEDB
 #include "cachedb/cachedb.h"
 #endif
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#endif
 #ifdef CLIENT_SUBNET
 #include "edns-subnet/subnetmod.h"
 #endif
@@ -131,6 +134,9 @@ module_list_avail(void)
 #ifdef USE_CACHEDB
 		"cachedb",
 #endif
+#ifdef USE_IPSECMOD
+		"ipsecmod",
+#endif
 #ifdef CLIENT_SUBNET
 		"subnetcache",
 #endif
@@ -156,6 +162,9 @@ module_funcs_avail(void)
 #ifdef USE_CACHEDB
 		&cachedb_get_funcblock,
 #endif
+#ifdef USE_IPSECMOD
+		&ipsecmod_get_funcblock,
+#endif
 #ifdef CLIENT_SUBNET
 		&subnetmod_get_funcblock,
 #endif
@@ -234,3 +243,15 @@ modstack_find(struct module_stack* stack, const char* name)
 	}
 	return -1;
 }
+
+size_t
+mod_get_mem(struct module_env* env, const char* name)
+{
+	int m = modstack_find(&env->mesh->mods, name);
+	if(m != -1) {
+		fptr_ok(fptr_whitelist_mod_get_mem(env->mesh->
+			mods.mod[m]->get_mem));
+		return (*env->mesh->mods.mod[m]->get_mem)(env, m);
+	}
+	return 0;
+}

contrib/unbound/services/modstack.h

@@ -110,4 +110,7 @@ void modstack_desetup(struct module_stack* stack, struct module_env* env);
  */
 int modstack_find(struct module_stack* stack, const char* name);
 
+/** fetch memory for a module by name, returns 0 if module not there */
+size_t mod_get_mem(struct module_env* env, const char* name);
+
 #endif /* SERVICES_MODSTACK_H */

contrib/unbound/services/outside_network.c

@@ -204,6 +204,9 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
 {
 	struct pending_tcp* pend = w->outnet->tcp_free;
 	int s;
+#ifdef SO_REUSEADDR
+	int on = 1;
+#endif
 	log_assert(pend);
 	log_assert(pkt);
 	log_assert(w->addrlen > 0);
@@ -225,13 +228,20 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
 		return 0;
 	}
 
+#ifdef SO_REUSEADDR
+	if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
+		(socklen_t)sizeof(on)) < 0) {
+		verbose(VERB_ALGO, "outgoing tcp:"
+			" setsockopt(.. SO_REUSEADDR ..) failed");
+	}
+#endif
 	if (w->outnet->tcp_mss > 0) {
 #if defined(IPPROTO_TCP) && defined(TCP_MAXSEG)
 		if(setsockopt(s, IPPROTO_TCP, TCP_MAXSEG,
 			(void*)&w->outnet->tcp_mss,
 			(socklen_t)sizeof(w->outnet->tcp_mss)) < 0) {
 			verbose(VERB_ALGO, "outgoing tcp:"
-				" setsockopt(.. SO_REUSEADDR ..) failed");
+				" setsockopt(.. TCP_MAXSEG ..) failed");
 		}
 #else
 		verbose(VERB_ALGO, "outgoing tcp:"
@@ -1538,18 +1548,22 @@ serviced_udp_send(struct serviced_query* sq, sldns_buffer* buff)
 static int
 serviced_check_qname(sldns_buffer* pkt, uint8_t* qbuf, size_t qbuflen)
 {
-	uint8_t* d1 = sldns_buffer_at(pkt, 12);
+	uint8_t* d1 = sldns_buffer_begin(pkt)+12;
 	uint8_t* d2 = qbuf+10;
 	uint8_t len1, len2;
 	int count = 0;
+	if(sldns_buffer_limit(pkt) < 12+1+4) /* packet too small for qname */
+		return 0;
 	log_assert(qbuflen >= 15 /* 10 header, root, type, class */);
 	len1 = *d1++;
 	len2 = *d2++;
-	if(sldns_buffer_limit(pkt) < 12+1+4) /* packet too small for qname */
-		return 0;
 	while(len1 != 0 || len2 != 0) {
 		if(LABEL_IS_PTR(len1)) {
+			/* check if we can read *d1 with compression ptr rest */
+			if(d1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
+				return 0;
 			d1 = sldns_buffer_begin(pkt)+PTR_OFFSET(len1, *d1);
+			/* check if we can read the destination *d1 */
 			if(d1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
 				return 0;
 			len1 = *d1++;
@@ -1563,6 +1577,9 @@ serviced_check_qname(sldns_buffer* pkt, uint8_t* qbuf, size_t qbuflen)
 			return 0;
 		if(len1 > LDNS_MAX_LABELLEN)
 			return 0;
+		/* check len1 + 1(next length) are okay to read */
+		if(d1+len1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
+			return 0;
 		log_assert(len1 <= LDNS_MAX_LABELLEN);
 		log_assert(len2 <= LDNS_MAX_LABELLEN);
 		log_assert(len1 == len2 && len1 != 0);

contrib/unbound/services/view.c

@@ -167,6 +167,44 @@ views_apply_cfg(struct views* vs, struct config_file* cfg)
 			lz_cfg.local_data = cv->local_data;
 			lz_cfg.local_zones_nodefault =
 				cv->local_zones_nodefault;
+			if(v->isfirst) {
+				/* Do not add defaults to view-specific
+				 * local-zone when global local zone will be
+				 * used. */
+				struct config_strlist* nd;
+				lz_cfg.local_zones_disable_default = 1;
+				/* Add nodefault zones to list of zones to add,
+				 * so they will be used as if they are
+				 * configured as type transparent */
+				for(nd = cv->local_zones_nodefault; nd;
+					nd = nd->next) {
+					char* nd_str, *nd_type;
+					nd_str = strdup(nd->str);
+					if(!nd_str) {
+						log_err("out of memory");
+						lock_rw_unlock(&v->lock);
+						return 0;
+					}
+					nd_type = strdup("nodefault");
+					if(!nd_type) {
+						log_err("out of memory");
+						free(nd_str);
+						lock_rw_unlock(&v->lock);
+						return 0;
+					}
+					if(!cfg_str2list_insert(
+						&lz_cfg.local_zones, nd_str,
+						nd_type)) {
+						log_err("failed to insert "
+							"default zones into "
+							"local-zone list");
+						free(nd_str);
+						free(nd_type);
+						lock_rw_unlock(&v->lock);
+						return 0;
+					}
+				}
+			}
 			if(!local_zones_apply_cfg(v->local_zones, &lz_cfg)){
 				lock_rw_unlock(&v->lock);
 				return 0;

contrib/unbound/sldns/keyraw.c

@@ -388,6 +388,27 @@ sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
 }
 #endif /* USE_ECDSA */
 
+#ifdef USE_ED25519
+EVP_PKEY*
+sldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
+{
+	/* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */
+	uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+		0x70, 0x03, 0x21, 0x00};
+	int pre_len = 12;
+	uint8_t buf[256];
+	EVP_PKEY *evp_key;
+	/* pp gets modified by d2i() */
+	const unsigned char* pp = (unsigned char*)buf;
+	if(keylen != 32 || keylen + pre_len > sizeof(buf))
+		return NULL; /* wrong length */
+	memmove(buf, pre, pre_len);
+	memmove(buf+pre_len, key, keylen);
+	evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
+	return evp_key;
+}
+#endif /* USE_ED25519 */
+
 int
 sldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
 	const EVP_MD* md)

contrib/unbound/sldns/keyraw.h

@@ -92,6 +92,15 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
  */
 RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len);
 
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ED25519.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* sldns_ed255192pkey_raw(const unsigned char* key, size_t len);
+
 /**
  * Utility function to calculate hash using generic EVP_MD pointer.
  * \param[in] data the data to hash.

contrib/unbound/sldns/parse.c

@@ -120,6 +120,10 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 			if (line_nr) {
 				*line_nr = *line_nr + 1;
 			}
+			if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+				*t = '\0';
+				return -1;
+			}
 			*t++ = ' ';
 			prev_c = c;
 			continue;

contrib/unbound/sldns/rrdef.c

@@ -175,7 +175,7 @@ static const sldns_rdf_type type_tkey_wireformat[] = {
 	LDNS_RDF_TYPE_TIME,
 	LDNS_RDF_TYPE_TIME,
 	LDNS_RDF_TYPE_INT16,
-	LDNS_RDF_TYPE_INT16,
+	LDNS_RDF_TYPE_TSIGERROR,
 	LDNS_RDF_TYPE_INT16_DATA,
 	LDNS_RDF_TYPE_INT16_DATA,
 };
@@ -185,7 +185,7 @@ static const sldns_rdf_type type_tsig_wireformat[] = {
 	LDNS_RDF_TYPE_INT16,
 	LDNS_RDF_TYPE_INT16_DATA,
 	LDNS_RDF_TYPE_INT16,
-	LDNS_RDF_TYPE_INT16,
+	LDNS_RDF_TYPE_TSIGERROR,
 	LDNS_RDF_TYPE_INT16_DATA
 };
 static const sldns_rdf_type type_tlsa_wireformat[] = {
@@ -341,8 +341,12 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
 	{LDNS_RR_TYPE_NSEC3PARAM, "NSEC3PARAM", 4, 4, type_nsec3param_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
 	/* 52 */
 	{LDNS_RR_TYPE_TLSA, "TLSA", 4, 4, type_tlsa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
-
+	/*53 */
+#ifdef DRAFT_RRTYPES
+	{LDNS_RR_TYPE_SMIMEA, "SMIMEA", 4, 4, type_tlsa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#else
 {LDNS_RR_TYPE_NULL, "TYPE53", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#endif
 {LDNS_RR_TYPE_NULL, "TYPE54", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
         /* 55
 	 * Hip ends with 0 or more Rendezvous Servers represented as dname's.
@@ -600,6 +604,12 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
 	{LDNS_RR_TYPE_URI, "URI", 3, 3, type_uri_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
 	/* 257 */
 	{LDNS_RR_TYPE_CAA, "CAA", 3, 3, type_caa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#ifdef DRAFT_RRTYPES
+	/* 258 */
+	{LDNS_RR_TYPE_AVC, "AVC", 1, 0, NULL, LDNS_RDF_TYPE_STR, LDNS_RR_NO_COMPRESS, 0 },
+#else
+{LDNS_RR_TYPE_NULL, "TYPE258", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#endif
 
 /* split in array, no longer contiguous */
 

contrib/unbound/sldns/rrdef.h

@@ -38,7 +38,7 @@ extern "C" {
 #define LDNS_KEY_REVOKE_KEY 0x0080 /* used to revoke KSK, rfc 5011 */
 
 /* The first fields are contiguous and can be referenced instantly */
-#define LDNS_RDATA_FIELD_DESCRIPTORS_COMMON 258
+#define LDNS_RDATA_FIELD_DESCRIPTORS_COMMON 259
 
 /** lookuptable for rr classes  */
 extern struct sldns_struct_lookup_table* sldns_rr_classes;
@@ -226,6 +226,7 @@ enum sldns_enum_rr_type
 	LDNS_RR_TYPE_ANY = 255,
 	LDNS_RR_TYPE_URI = 256, /* RFC 7553 */
 	LDNS_RR_TYPE_CAA = 257, /* RFC 6844 */
+	LDNS_RR_TYPE_AVC = 258,
 
 	/** DNSSEC Trust Authorities */
 	LDNS_RR_TYPE_TA = 32768,
@@ -350,6 +351,9 @@ enum sldns_enum_rdf_type
          */
         LDNS_RDF_TYPE_LONG_STR,
 
+	/** TSIG extended 16bit error value */
+	LDNS_RDF_TYPE_TSIGERROR,
+
         /* Aliases */
         LDNS_RDF_TYPE_BITMAP = LDNS_RDF_TYPE_NSEC
 };
@@ -430,6 +434,15 @@ typedef enum sldns_enum_edns_option sldns_edns_option;
 
 #define LDNS_EDNS_MASK_DO_BIT 0x8000
 
+/** TSIG and TKEY extended rcodes (16bit), 0-15 are the normal rcodes. */
+#define LDNS_TSIG_ERROR_NOERROR  0
+#define LDNS_TSIG_ERROR_BADSIG   16
+#define LDNS_TSIG_ERROR_BADKEY   17
+#define LDNS_TSIG_ERROR_BADTIME  18
+#define LDNS_TSIG_ERROR_BADMODE  19
+#define LDNS_TSIG_ERROR_BADNAME  20
+#define LDNS_TSIG_ERROR_BADALG   21
+
 /**
  * Contains all information about resource record types.
  *

contrib/unbound/sldns/sbuffer.c

@@ -50,6 +50,8 @@ sldns_buffer_new_frm_data(sldns_buffer *buffer, void *data, size_t size)
 	buffer->_limit = buffer->_capacity = size;
 	buffer->_fixed = 0;
 	buffer->_vfixed = 0;
+	if (!buffer->_fixed && buffer->_data)
+		free(buffer->_data);
 	buffer->_data = malloc(size);
 	if(!buffer->_data) {
 		buffer->_status_err = 1;

contrib/unbound/sldns/str2wire.c

@@ -664,6 +664,14 @@ rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len,
 					&pre_data_pos, delimiters,
 					rdftype, &token_strlen))
 					break;
+			} else if(rdftype == LDNS_RDF_TYPE_INT16_DATA &&
+				strcmp(token, "0")!=0) {
+				/* affix len and b64 fields */
+				if(!sldns_affix_token(strbuf, token,
+					&token_len, &quoted, &parens,
+					&pre_data_pos, delimiters,
+					rdftype, &token_strlen))
+					break;
 			}
 
 			/* normal RR */
@@ -861,6 +869,8 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 	/* we can have the situation, where we've read ok, but still got
 	 * no bytes to play with, in this case size is 0 */
 	if(size == 0) {
+		if(*len > 0)
+			rr[0] = 0;
 		*len = 0;
 		*dname_len = 0;
 		return LDNS_WIREPARSE_ERR_OK;
@@ -868,6 +878,7 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 
 	if(strncmp(line, "$ORIGIN", 7) == 0 && isspace((unsigned char)line[7])) {
 		int s;
+		strlcpy((char*)rr, line, *len);
 		*len = 0;
 		*dname_len = 0;
 		if(!parse_state) return LDNS_WIREPARSE_ERR_OK;
@@ -878,12 +889,19 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 		return s;
 	} else if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line[4])) {
 		const char* end = NULL;
+		strlcpy((char*)rr, line, *len);
 		*len = 0;
 		*dname_len = 0;
 		if(!parse_state) return LDNS_WIREPARSE_ERR_OK;
 		parse_state->default_ttl = sldns_str2period(
 			sldns_strip_ws(line+5), &end);
 	} else if (strncmp(line, "$INCLUDE", 8) == 0) {
+		strlcpy((char*)rr, line, *len);
+		*len = 0;
+		*dname_len = 0;
+		return LDNS_WIREPARSE_ERR_INCLUDE;
+	} else if (strncmp(line, "$", 1) == 0) {
+		strlcpy((char*)rr, line, *len);
 		*len = 0;
 		*dname_len = 0;
 		return LDNS_WIREPARSE_ERR_INCLUDE;
@@ -940,6 +958,8 @@ int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
 		return sldns_str2wire_time_buf(str, rd, len);
 	case LDNS_RDF_TYPE_PERIOD:
 		return sldns_str2wire_period_buf(str, rd, len);
+	case LDNS_RDF_TYPE_TSIGTIME:
+		return sldns_str2wire_tsigtime_buf(str, rd, len);
 	case LDNS_RDF_TYPE_LOC:
 		return sldns_str2wire_loc_buf(str, rd, len);
 	case LDNS_RDF_TYPE_WKS:
@@ -964,6 +984,8 @@ int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
 		return sldns_str2wire_tag_buf(str, rd, len);
 	case LDNS_RDF_TYPE_LONG_STR:
 		return sldns_str2wire_long_str_buf(str, rd, len);
+	case LDNS_RDF_TYPE_TSIGERROR:
+		return sldns_str2wire_tsigerror_buf(str, rd, len);
 	case LDNS_RDF_TYPE_HIP:
 		return sldns_str2wire_hip_buf(str, rd, len);
 	case LDNS_RDF_TYPE_INT16_DATA:
@@ -1341,6 +1363,21 @@ int sldns_str2wire_alg_buf(const char* str, uint8_t* rd, size_t* len)
 	return LDNS_WIREPARSE_ERR_OK;
 }
 
+int sldns_str2wire_tsigerror_buf(const char* str, uint8_t* rd, size_t* len)
+{
+	sldns_lookup_table *lt = sldns_lookup_by_name(sldns_tsig_errors, str);
+	if(*len < 2)
+		return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+	if(lt) {
+		sldns_write_uint16(rd, (uint16_t)lt->id);
+		*len = 2;
+	} else {
+		/* try as-is (a number) */
+		return sldns_str2wire_int16_buf(str, rd, len);
+	}
+	return LDNS_WIREPARSE_ERR_OK;
+}
+
 int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len)
 {
 	/* convert a time YYYYDDMMHHMMSS to wireformat */
@@ -1383,6 +1420,24 @@ int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len)
 	return LDNS_WIREPARSE_ERR_OK;
 }
 
+int sldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len)
+{
+	char* end;
+	uint64_t t = (uint64_t)strtol((char*)str, &end, 10);
+	uint16_t high;
+	uint32_t low;
+	if(*end != 0)
+		return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_TIME, end-str);
+	if(*len < 6)
+		return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+	high = (uint16_t)(t>>32);
+	low = (uint32_t)(t);
+	sldns_write_uint16(rd, high);
+	sldns_write_uint32(rd+2, low);
+	*len = 6;
+	return LDNS_WIREPARSE_ERR_OK;
+}
+
 int sldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len)
 {
 	const char* end;
@@ -2008,16 +2063,29 @@ int sldns_str2wire_hip_buf(const char* str, uint8_t* rd, size_t* len)
 
 int sldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
 {
-	size_t sz = sldns_b64_pton_calculate_size(strlen(str));
+	char* s;
 	int n;
-	if(*len < sz+2)
+	n = strtol(str, &s, 10);
+	if(*len < ((size_t)n)+2)
 		return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
-	if(sz > 65535)
+	if(n > 65535)
 		return LDNS_WIREPARSE_ERR_LABEL_OVERFLOW;
-	n = sldns_b64_pton(str, rd+2, (*len)-2);
+
+	if(n == 0) {
+		sldns_write_uint16(rd, 0);
+		*len = 2;
+		return LDNS_WIREPARSE_ERR_OK;
+	}
+	if(*s != ' ')
+		return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_INT, s-(char*)str);
+	s++;
+	while(*s == ' ')
+		s++;
+
+	n = sldns_b64_pton(s, rd+2, (*len)-2);
 	if(n < 0)
 		return LDNS_WIREPARSE_ERR_SYNTAX_B64;
 	sldns_write_uint16(rd, (uint16_t)n);
-	*len = (size_t)n;
+	*len = ((size_t)n)+2;
 	return LDNS_WIREPARSE_ERR_OK;
 }

contrib/unbound/sldns/str2wire.h

@@ -237,6 +237,8 @@ struct sldns_file_parse_state {
  * @param rr: this is malloced by the user and the result is stored here,
  * 	if an RR is read.  If no RR is read this is signalled with the
  * 	return len set to 0 (for ORIGIN, TTL directives).
+ * 	The read line is available in the rr_buf (zero terminated), for
+ * 	$DIRECTIVE style elements.
  * @param len: on input, the length of the rr buffer.  on output the rr len.
  * 	Buffer size of 64k should be enough.
  * @param dname_len: returns the length of the dname initial part of the rr.
@@ -417,6 +419,24 @@ int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len);
  */
 int sldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len);
 
+/**
+ * Convert rdf of type LDNS_RDF_TYPE_TSIGTIME from string to wireformat.
+ * @param str: the text to convert for this rdata element.
+ * @param rd: rdata buffer for the wireformat.
+ * @param len: length of rd buffer on input, used length on output.
+ * @return 0 on success, error on failure.
+ */
+int sldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len);
+
+/**
+ * Convert rdf of type LDNS_RDF_TYPE_TSIGERROR from string to wireformat.
+ * @param str: the text to convert for this rdata element.
+ * @param rd: rdata buffer for the wireformat.
+ * @param len: length of rd buffer on input, used length on output.
+ * @return 0 on success, error on failure.
+ */
+int sldns_str2wire_tsigerror_buf(const char* str, uint8_t* rd, size_t* len);
+
 /**
  * Convert rdf of type LDNS_RDF_TYPE_LOC from string to wireformat.
  * @param str: the text to convert for this rdata element.

contrib/unbound/sldns/wire2str.c

@@ -173,6 +173,28 @@ static sldns_lookup_table sldns_edns_options_data[] = {
 };
 sldns_lookup_table* sldns_edns_options = sldns_edns_options_data;
 
+static sldns_lookup_table sldns_tsig_errors_data[] = {
+	{ LDNS_TSIG_ERROR_NOERROR, "NOERROR" },
+	{ LDNS_RCODE_FORMERR, "FORMERR" },
+	{ LDNS_RCODE_SERVFAIL, "SERVFAIL" },
+	{ LDNS_RCODE_NXDOMAIN, "NXDOMAIN" },
+	{ LDNS_RCODE_NOTIMPL, "NOTIMPL" },
+	{ LDNS_RCODE_REFUSED, "REFUSED" },
+	{ LDNS_RCODE_YXDOMAIN, "YXDOMAIN" },
+	{ LDNS_RCODE_YXRRSET, "YXRRSET" },
+	{ LDNS_RCODE_NXRRSET, "NXRRSET" },
+	{ LDNS_RCODE_NOTAUTH, "NOTAUTH" },
+	{ LDNS_RCODE_NOTZONE, "NOTZONE" },
+	{ LDNS_TSIG_ERROR_BADSIG, "BADSIG" },
+	{ LDNS_TSIG_ERROR_BADKEY, "BADKEY" },
+	{ LDNS_TSIG_ERROR_BADTIME, "BADTIME" },
+	{ LDNS_TSIG_ERROR_BADMODE, "BADMODE" },
+	{ LDNS_TSIG_ERROR_BADNAME, "BADNAME" },
+	{ LDNS_TSIG_ERROR_BADALG, "BADALG" },
+	{ 0, NULL }
+};
+sldns_lookup_table* sldns_tsig_errors = sldns_tsig_errors_data;
+
 char* sldns_wire2str_pkt(uint8_t* data, size_t len)
 {
 	size_t slen = (size_t)sldns_wire2str_pkt_buf(data, len, NULL, 0);
@@ -976,6 +998,8 @@ int sldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 		return sldns_wire2str_tag_scan(d, dlen, s, slen);
 	case LDNS_RDF_TYPE_LONG_STR:
 		return sldns_wire2str_long_str_scan(d, dlen, s, slen);
+	case LDNS_RDF_TYPE_TSIGERROR:
+		return sldns_wire2str_tsigerror_scan(d, dlen, s, slen);
 	}
 	/* unknown rdf type */
 	return -1;
@@ -1574,6 +1598,7 @@ int sldns_wire2str_hip_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 
 int sldns_wire2str_int16_data_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 {
+	int w;
 	uint16_t n;
 	if(*dl < 2)
 		return -1;
@@ -1582,7 +1607,12 @@ int sldns_wire2str_int16_data_scan(uint8_t** d, size_t* dl, char** s, size_t* sl
 		return -1;
 	(*d)+=2;
 	(*dl)-=2;
-	return sldns_wire2str_b64_scan_num(d, dl, s, sl, n);
+	if(n == 0) {
+		return sldns_str_print(s, sl, "0");
+	}
+	w = sldns_str_print(s, sl, "%u ", (unsigned)n);
+	w += sldns_wire2str_b64_scan_num(d, dl, s, sl, n);
+	return w;
 }
 
 int sldns_wire2str_nsec3_next_owner_scan(uint8_t** d, size_t* dl, char** s,
@@ -1639,10 +1669,10 @@ int sldns_wire2str_tag_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 	if(*dl < 1+n)
 		return -1;
 	for(i=0; i<n; i++)
-		if(!isalnum((unsigned char)(*d)[i]))
+		if(!isalnum((unsigned char)(*d)[i+1]))
 			return -1;
 	for(i=0; i<n; i++)
-		w += sldns_str_print(s, sl, "%c", (char)(*d)[i]);
+		w += sldns_str_print(s, sl, "%c", (char)(*d)[i+1]);
 	(*d)+=n+1;
 	(*dl)-=(n+1);
 	return w;
@@ -1661,6 +1691,21 @@ int sldns_wire2str_long_str_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 	return w;
 }
 
+int sldns_wire2str_tsigerror_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
+{
+	sldns_lookup_table *lt;
+	int data, w;
+	if(*dl < 2) return -1;
+	data = (int)sldns_read_uint16(*d);
+	lt = sldns_lookup_by_id(sldns_tsig_errors, data);
+	if(lt && lt->name)
+		w = sldns_str_print(s, sl, "%s", lt->name);
+	else 	w = sldns_str_print(s, sl, "%d", data);
+	(*dl)-=2;
+	(*d)+=2;
+	return w;
+}
+
 int sldns_wire2str_edns_llq_print(char** s, size_t* sl, uint8_t* data,
 	size_t len)
 {

contrib/unbound/sldns/wire2str.h

@@ -38,6 +38,8 @@ extern struct sldns_struct_lookup_table* sldns_edns_flags;
 extern struct sldns_struct_lookup_table* sldns_edns_options;
 /** error string from wireparse */
 extern struct sldns_struct_lookup_table* sldns_wireparse_errors;
+/** tsig errors are the rcodes with extra (higher) values */
+extern struct sldns_struct_lookup_table* sldns_tsig_errors;
 
 /**
  * Convert wireformat packet to a string representation
@@ -807,6 +809,19 @@ int sldns_wire2str_hip_scan(uint8_t** data, size_t* data_len, char** str,
 int sldns_wire2str_int16_data_scan(uint8_t** data, size_t* data_len, char** str,
 	size_t* str_len);
 
+/**
+ * Scan wireformat tsigerror field to string, with user buffers.
+ * It shifts the arguments to move along (see sldns_wire2str_pkt_scan).
+ * @param data: wireformat data.
+ * @param data_len: length of data buffer.
+ * @param str: string buffer.
+ * @param str_len: length of string buffer.
+ * @return number of characters (except null) needed to print.
+ * 	Can return -1 on failure.
+ */
+int sldns_wire2str_tsigerror_scan(uint8_t** data, size_t* data_len, char** str,
+	size_t* str_len);
+
 /**
  * Scan wireformat nsec3_next_owner field to string, with user buffers.
  * It shifts the arguments to move along (see sldns_wire2str_pkt_scan).

contrib/unbound/smallapp/unbound-anchor.c

@@ -241,6 +241,8 @@ static const char*
 get_builtin_ds(void)
 {
 	return
+/* The anchors must start on a new line with ". IN DS and end with \n"[;]
+ * because the makedist script greps on the source here */
 /* anchor 19036 is from 2010 */
 /* anchor 20326 is from 2017 */
 ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"

contrib/unbound/smallapp/unbound-checkconf.c

@@ -426,6 +426,10 @@ morechecks(struct config_file* cfg, const char* fname)
 		cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
 	check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
 		cfg->chrootdir, cfg);
+#ifdef USE_IPSECMOD
+	check_chroot_string("ipsecmod-hook", &cfg->ipsecmod_hook, cfg->chrootdir,
+		cfg);
+#endif
 	/* remove chroot setting so that modules are not stripping pathnames*/
 	free(cfg->chrootdir);
 	cfg->chrootdir = NULL;
@@ -478,6 +482,18 @@ morechecks(struct config_file* cfg, const char* fname)
 		&& strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
 		&& strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
 		&& strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
+#endif
+#ifdef USE_IPSECMOD
+		&& strcmp(cfg->module_conf, "ipsecmod iterator") != 0
+		&& strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
+#endif
+#if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD)
+		&& strcmp(cfg->module_conf, "python ipsecmod iterator") != 0
+		&& strcmp(cfg->module_conf, "ipsecmod python iterator") != 0
+		&& strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
+		&& strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0
+		&& strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0
+		&& strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0
 #endif
 		) {
 		fatal_exit("module conf '%s' is not known to work",

contrib/unbound/smallapp/unbound-control.c

@@ -161,7 +161,7 @@ usage(void)
 static const int inhibit_zero = 1;
 /** divide sum of timers to get average */
 static void
-timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
+timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
 {
 #ifndef S_SPLINT_S
 	size_t leftover;
@@ -184,12 +184,14 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
 #define PR_UL_SUB(str, nm, var) printf(str".%s"SQ"%lu\n", nm, (unsigned long)(var));
 #define PR_TIMEVAL(str, var) printf(str SQ ARG_LL "d.%6.6d\n", \
 	(long long)var.tv_sec, (int)var.tv_usec);
+#define PR_STATSTIME(str, var) printf(str SQ ARG_LL "d.%6.6d\n", \
+	(long long)var ## _sec, (int)var ## _usec);
 #define PR_LL(str, var) printf(str SQ ARG_LL"d\n", (long long)(var));
 
 /** print stat block */
-static void pr_stats(const char* nm, struct stats_info* s)
+static void pr_stats(const char* nm, struct ub_stats_info* s)
 {
-	struct timeval avg;
+	struct timeval sumwait, avg;
 	PR_UL_NM("num.queries", s->svr.num_queries);
 	PR_UL_NM("num.queries_ip_ratelimited", 
 		s->svr.num_queries_ip_ratelimited);
@@ -209,14 +211,18 @@ static void pr_stats(const char* nm, struct stats_info* s)
 	printf("%s.requestlist.avg"SQ"%g\n", nm,
 		(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
 			(double)s->svr.sum_query_list_size/
-			(s->svr.num_queries_missed_cache+
+			(double)(s->svr.num_queries_missed_cache+
 			s->svr.num_queries_prefetch) : 0.0);
 	PR_UL_NM("requestlist.max", s->svr.max_query_list_size);
 	PR_UL_NM("requestlist.overwritten", s->mesh_jostled);
 	PR_UL_NM("requestlist.exceeded", s->mesh_dropped);
 	PR_UL_NM("requestlist.current.all", s->mesh_num_states);
 	PR_UL_NM("requestlist.current.user", s->mesh_num_reply_states);
-	timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
+#ifndef S_SPLINT_S
+	sumwait.tv_sec = s->mesh_replies_sum_wait_sec;
+	sumwait.tv_usec = s->mesh_replies_sum_wait_usec;
+#endif
+	timeval_divide(&avg, &sumwait, s->mesh_replies_sent);
 	printf("%s.", nm);
 	PR_TIMEVAL("recursion.time.avg", avg);
 	printf("%s.recursion.time.median"SQ"%g\n", nm, s->mesh_time_median);
@@ -224,27 +230,31 @@ static void pr_stats(const char* nm, struct stats_info* s)
 }
 
 /** print uptime */
-static void print_uptime(struct shm_stat_info* shm_stat)
+static void print_uptime(struct ub_shm_stat_info* shm_stat)
 {
-	PR_TIMEVAL("time.now", shm_stat->time.now);
-	PR_TIMEVAL("time.up", shm_stat->time.up);
-	PR_TIMEVAL("time.elapsed", shm_stat->time.elapsed);
+	PR_STATSTIME("time.now", shm_stat->time.now);
+	PR_STATSTIME("time.up", shm_stat->time.up);
+	PR_STATSTIME("time.elapsed", shm_stat->time.elapsed);
 }
 
 /** print memory usage */
-static void print_mem(struct shm_stat_info* shm_stat)
+static void print_mem(struct ub_shm_stat_info* shm_stat)
 {
 	PR_LL("mem.cache.rrset", shm_stat->mem.rrset);
 	PR_LL("mem.cache.message", shm_stat->mem.msg);
-	PR_LL("mem.cache.iterator", shm_stat->mem.iter);
-	PR_LL("mem.cache.validator", shm_stat->mem.val);
+	PR_LL("mem.mod.iterator", shm_stat->mem.iter);
+	PR_LL("mem.mod.validator", shm_stat->mem.val);
+	PR_LL("mem.mod.respip", shm_stat->mem.respip);
 #ifdef CLIENT_SUBNET
-	PR_LL("mem.cache.subnet", shm_stat->mem.subnet);
+	PR_LL("mem.mod.subnet", shm_stat->mem.subnet);
+#endif
+#ifdef USE_IPSECMOD
+	PR_LL("mem.mod.ipsecmod", shm_stat->mem.ipsecmod);
 #endif
 }
 
 /** print histogram */
-static void print_hist(struct stats_info* s)
+static void print_hist(struct ub_stats_info* s)
 {
 	struct timehist* hist;
 	size_t i;
@@ -264,13 +274,13 @@ static void print_hist(struct stats_info* s)
 }
 
 /** print extended */
-static void print_extended(struct stats_info* s)
+static void print_extended(struct ub_stats_info* s)
 {
 	int i;
 	char nm[16];
 
 	/* TYPE */
-	for(i=0; i<STATS_QTYPE_NUM; i++) {
+	for(i=0; i<UB_STATS_QTYPE_NUM; i++) {
 		if(inhibit_zero && s->svr.qtype[i] == 0)
 			continue;
 		sldns_wire2str_type_buf((uint16_t)i, nm, sizeof(nm));
@@ -281,7 +291,7 @@ static void print_extended(struct stats_info* s)
 	}
 
 	/* CLASS */
-	for(i=0; i<STATS_QCLASS_NUM; i++) {
+	for(i=0; i<UB_STATS_QCLASS_NUM; i++) {
 		if(inhibit_zero && s->svr.qclass[i] == 0)
 			continue;
 		sldns_wire2str_class_buf((uint16_t)i, nm, sizeof(nm));
@@ -292,7 +302,7 @@ static void print_extended(struct stats_info* s)
 	}
 
 	/* OPCODE */
-	for(i=0; i<STATS_OPCODE_NUM; i++) {
+	for(i=0; i<UB_STATS_OPCODE_NUM; i++) {
 		if(inhibit_zero && s->svr.qopcode[i] == 0)
 			continue;
 		sldns_wire2str_opcode_buf(i, nm, sizeof(nm));
@@ -317,7 +327,7 @@ static void print_extended(struct stats_info* s)
 	PR_UL("num.query.edns.DO", s->svr.qEDNS_DO);
 
 	/* RCODE */
-	for(i=0; i<STATS_RCODE_NUM; i++) {
+	for(i=0; i<UB_STATS_RCODE_NUM; i++) {
 		/* Always include RCODEs 0-5 */
 		if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
 			continue;
@@ -342,8 +352,8 @@ static void print_extended(struct stats_info* s)
 }
 
 /** print statistics out of memory structures */
-static void do_stats_shm(struct config_file* cfg, struct stats_info* stats,
-	struct shm_stat_info* shm_stat)
+static void do_stats_shm(struct config_file* cfg, struct ub_stats_info* stats,
+	struct ub_shm_stat_info* shm_stat)
 {
 	int i;
 	char nm[16];
@@ -366,8 +376,8 @@ static void print_stats_shm(const char* cfgfile)
 {
 #ifdef HAVE_SHMGET
 	struct config_file* cfg;
-	struct stats_info* stats;
-	struct shm_stat_info* shm_stat;
+	struct ub_stats_info* stats;
+	struct ub_shm_stat_info* shm_stat;
 	int id_ctl, id_arr;
 	/* read config */
 	if(!(cfg = config_create()))
@@ -383,11 +393,11 @@ static void print_stats_shm(const char* cfgfile)
 	if(id_arr == -1) {
 		fatal_exit("shmget(%d): %s", cfg->shm_key+1, strerror(errno));
 	}
-	shm_stat = (struct shm_stat_info*)shmat(id_ctl, NULL, 0);
+	shm_stat = (struct ub_shm_stat_info*)shmat(id_ctl, NULL, 0);
 	if(shm_stat == (void*)-1) {
 		fatal_exit("shmat(%d): %s", id_ctl, strerror(errno));
 	}
-	stats = (struct stats_info*)shmat(id_arr, NULL, 0);
+	stats = (struct ub_stats_info*)shmat(id_arr, NULL, 0);
 	if(stats == (void*)-1) {
 		fatal_exit("shmat(%d): %s", id_arr, strerror(errno));
 	}

contrib/unbound/util/config_file.c

@@ -178,6 +178,7 @@ config_create(void)
 	cfg->forwards = NULL;
 #ifdef CLIENT_SUBNET
 	cfg->client_subnet = NULL;
+	cfg->client_subnet_zone = NULL;
 	cfg->client_subnet_opcode = LDNS_EDNS_CLIENT_SUBNET;
 	cfg->client_subnet_always_forward = 0;
 	cfg->max_client_subnet_ipv4 = 24;
@@ -206,6 +207,7 @@ config_create(void)
 	cfg->trust_anchor_file_list = NULL;
 	cfg->trust_anchor_list = NULL;
 	cfg->trusted_keys_file_list = NULL;
+	cfg->trust_anchor_signaling = 0;
 	cfg->dlv_anchor_file = NULL;
 	cfg->dlv_anchor_list = NULL;
 	cfg->domain_insecure = NULL;
@@ -227,6 +229,7 @@ config_create(void)
 	cfg->neg_cache_size = 1 * 1024 * 1024;
 	cfg->local_zones = NULL;
 	cfg->local_zones_nodefault = NULL;
+	cfg->local_zones_disable_default = 0;
 	cfg->local_data = NULL;
 	cfg->local_zone_overrides = NULL;
 	cfg->unblock_lan_zones = 0;
@@ -279,6 +282,14 @@ config_create(void)
 	cfg->dnscrypt_provider = NULL;
 	cfg->dnscrypt_provider_cert = NULL;
 	cfg->dnscrypt_secret_key = NULL;
+#ifdef USE_IPSECMOD
+	cfg->ipsecmod_enabled = 1;
+	cfg->ipsecmod_ignore_bogus = 0;
+	cfg->ipsecmod_hook = NULL;
+	cfg->ipsecmod_max_ttl = 3600;
+	cfg->ipsecmod_whitelist = NULL;
+	cfg->ipsecmod_strict = 0;
+#endif
 	return cfg;
 error_exit:
 	config_delete(cfg); 
@@ -480,6 +491,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STRLIST("trust-anchor-file:", trust_anchor_file_list)
 	else S_STRLIST("trust-anchor:", trust_anchor_list)
 	else S_STRLIST("trusted-keys-file:", trusted_keys_file_list)
+	else S_YNO("trust-anchor-signaling:", trust_anchor_signaling)
 	else S_STR("dlv-anchor-file:", dlv_anchor_file)
 	else S_STRLIST("dlv-anchor:", dlv_anchor_list)
 	else S_STRLIST("domain-insecure:", domain_insecure)
@@ -522,6 +534,33 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	 * generating the address tree. */
 	/* No client-subnet-always-forward here, module registration depends on
 	 * this option. */
+#endif
+#ifdef USE_DNSTAP
+	else S_YNO("dnstap-enable:", dnstap)
+	else S_STR("dnstap-socket-path:", dnstap_socket_path)
+	else S_YNO("dnstap-send-identity:", dnstap_send_identity)
+	else S_YNO("dnstap-send-version:", dnstap_send_version)
+	else S_STR("dnstap-identity:", dnstap_identity)
+	else S_STR("dnstap-version:", dnstap_version)
+	else S_YNO("dnstap-log-resolver-query-messages:",
+		dnstap_log_resolver_query_messages)
+	else S_YNO("dnstap-log-resolver-response-messages:",
+		dnstap_log_resolver_response_messages)
+	else S_YNO("dnstap-log-client-query-messages:",
+		dnstap_log_client_query_messages)
+	else S_YNO("dnstap-log-client-response-messages:",
+		dnstap_log_client_response_messages)
+	else S_YNO("dnstap-log-forwarder-query-messages:",
+		dnstap_log_forwarder_query_messages)
+	else S_YNO("dnstap-log-forwarder-response-messages:",
+		dnstap_log_forwarder_response_messages)
+#endif
+#ifdef USE_DNSCRYPT
+	else S_YNO("dnscrypt-enable:", dnscrypt)
+	else S_NUMBER_NONZERO("dnscrypt-port:", dnscrypt_port)
+	else S_STR("dnscrypt-provider:", dnscrypt_provider)
+	else S_STRLIST("dnscrypt-provider-cert:", dnscrypt_provider_cert)
+	else S_STRLIST("dnscrypt-secret-key:", dnscrypt_secret_key)
 #endif
 	else if(strcmp(opt, "ip-ratelimit:") == 0) {
 	    IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
@@ -539,6 +578,13 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
 	else S_YNO("qname-minimisation:", qname_minimisation)
 	else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
+#ifdef USE_IPSECMOD
+	else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
+	else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
+	else if(strcmp(opt, "ipsecmod-max-ttl:") == 0)
+	{ IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); }
+	else S_YNO("ipsecmod-strict:", ipsecmod_strict)
+#endif
 	else if(strcmp(opt, "define-tag:") ==0) {
 		return config_add_tag(cfg, val);
 	/* val_sig_skew_min and max are copied into val_env during init,
@@ -566,9 +612,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
 		 * stub-ssl-upstream, forward-zone,
 		 * name, forward-addr, forward-host,
 		 * ratelimit-for-domain, ratelimit-below-domain,
-		 * local-zone-tag, access-control-view 
-		 * send-client-subnet client-subnet-always-forward
-		 * max-client-subnet-ipv4 max-client-subnet-ipv6 */
+		 * local-zone-tag, access-control-view,
+		 * send-client-subnet, client-subnet-always-forward,
+		 * max-client-subnet-ipv4, max-client-subnet-ipv6, ipsecmod_hook,
+		 * ipsecmod_whitelist. */
 		return 0;
 	}
 	return 1;
@@ -834,6 +881,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LST(opt, "trust-anchor-file", trust_anchor_file_list)
 	else O_LST(opt, "trust-anchor", trust_anchor_list)
 	else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
+	else O_YNO(opt, "trust-anchor-signaling", trust_anchor_signaling)
 	else O_LST(opt, "dlv-anchor", dlv_anchor_list)
 	else O_LST(opt, "control-interface", control_ifs)
 	else O_LST(opt, "domain-insecure", domain_insecure)
@@ -842,10 +890,38 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
 #ifdef CLIENT_SUBNET
 	else O_LST(opt, "send-client-subnet", client_subnet)
+	else O_LST(opt, "client-subnet-zone", client_subnet_zone)
 	else O_DEC(opt, "max-client-subnet-ipv4", max_client_subnet_ipv4)
 	else O_DEC(opt, "max-client-subnet-ipv6", max_client_subnet_ipv6)
 	else O_YNO(opt, "client-subnet-always-forward:",
 		client_subnet_always_forward)
+#endif
+#ifdef USE_DNSTAP
+	else O_YNO(opt, "dnstap-enable", dnstap)
+	else O_STR(opt, "dnstap-socket-path", dnstap_socket_path)
+	else O_YNO(opt, "dnstap-send-identity", dnstap_send_identity)
+	else O_YNO(opt, "dnstap-send-version", dnstap_send_version)
+	else O_STR(opt, "dnstap-identity", dnstap_identity)
+	else O_STR(opt, "dnstap-version", dnstap_version)
+	else O_YNO(opt, "dnstap-log-resolver-query-messages",
+		dnstap_log_resolver_query_messages)
+	else O_YNO(opt, "dnstap-log-resolver-response-messages",
+		dnstap_log_resolver_response_messages)
+	else O_YNO(opt, "dnstap-log-client-query-messages",
+		dnstap_log_client_query_messages)
+	else O_YNO(opt, "dnstap-log-client-response-messages",
+		dnstap_log_client_response_messages)
+	else O_YNO(opt, "dnstap-log-forwarder-query-messages",
+		dnstap_log_forwarder_query_messages)
+	else O_YNO(opt, "dnstap-log-forwarder-response-messages",
+		dnstap_log_forwarder_response_messages)
+#endif
+#ifdef USE_DNSCRYPT
+	else O_YNO(opt, "dnscrypt-enable", dnscrypt)
+	else O_DEC(opt, "dnscrypt-port", dnscrypt_port)
+	else O_STR(opt, "dnscrypt-provider", dnscrypt_provider)
+	else O_LST(opt, "dnscrypt-provider-cert", dnscrypt_provider_cert)
+	else O_LST(opt, "dnscrypt-secret-key", dnscrypt_secret_key)
 #endif
 	else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
 	else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
@@ -874,6 +950,14 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
 	else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
 	else O_LS2(opt, "access-control-view", acl_view)
+#ifdef USE_IPSECMOD
+	else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
+	else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
+	else O_STR(opt, "ipsecmod-hook", ipsecmod_hook)
+	else O_DEC(opt, "ipsecmod-max-ttl", ipsecmod_max_ttl)
+	else O_LST(opt, "ipsecmod-whitelist", ipsecmod_whitelist)
+	else O_YNO(opt, "ipsecmod-strict", ipsecmod_strict)
+#endif
 	/* not here:
 	 * outgoing-permit, outgoing-avoid - have list of ports
 	 * local-zone - zones and nodefault variables
@@ -1131,11 +1215,13 @@ config_delete(struct config_file* cfg)
 	config_delstrlist(cfg->root_hints);
 #ifdef CLIENT_SUBNET
 	config_delstrlist(cfg->client_subnet);
+	config_delstrlist(cfg->client_subnet_zone);
 #endif
 	free(cfg->identity);
 	free(cfg->version);
 	free(cfg->module_conf);
 	free(cfg->outgoing_avail_ports);
+	free(cfg->python_script);
 	config_delstrlist(cfg->caps_whitelist);
 	config_delstrlist(cfg->private_address);
 	config_delstrlist(cfg->private_domain);
@@ -1169,6 +1255,10 @@ config_delete(struct config_file* cfg)
 	free(cfg->dnstap_version);
 	config_deldblstrlist(cfg->ratelimit_for_domain);
 	config_deldblstrlist(cfg->ratelimit_below_domain);
+#ifdef USE_IPSECMOD
+	free(cfg->ipsecmod_hook);
+	config_delstrlist(cfg->ipsecmod_whitelist);
+#endif
 	free(cfg);
 }
 

contrib/unbound/util/config_file.h

@@ -176,6 +176,8 @@ struct config_file {
 	/** list of servers we send edns-client-subnet option to and 
 	 * accept option from, linked list */
 	struct config_strlist* client_subnet;
+	/** list of zones we send edns-client-subnet option for */
+	struct config_strlist* client_subnet_zone;
 	/** opcode assigned by IANA for edns0-client-subnet option */
 	uint16_t client_subnet_opcode;
 	/** Do not check whitelist if incoming query contains an ECS record */
@@ -274,6 +276,8 @@ struct config_file {
 	struct config_strlist* dlv_anchor_list;
 	/** insecure domain list */
 	struct config_strlist* domain_insecure;
+	/** send key tag query */
+	int trust_anchor_signaling;
 
 	/** if not 0, this value is the validation date for RRSIGs */
 	int32_t val_date_override;
@@ -317,6 +321,8 @@ struct config_file {
 	struct config_str2list* local_zones;
 	/** local zones nodefault list */
 	struct config_strlist* local_zones_nodefault;
+	/** do not add any default local zone */
+	int local_zones_disable_default;
 	/** local data RRs configured */
 	struct config_strlist* local_data;
 	/** local zone override types per netblock */
@@ -458,6 +464,22 @@ struct config_file {
 	struct config_strlist* dnscrypt_secret_key;
 	/** dnscrypt provider certs 1.cert */
 	struct config_strlist* dnscrypt_provider_cert;
+
+	/** IPsec module */
+#ifdef USE_IPSECMOD
+	/** false to bypass the IPsec module */
+	int ipsecmod_enabled;
+	/** whitelisted domains for ipsecmod */
+	struct config_strlist* ipsecmod_whitelist;
+	/** path to external hook */
+	char* ipsecmod_hook;
+	/** true to proceed even with a bogus IPSECKEY */
+	int ipsecmod_ignore_bogus;
+	/** max TTL for the A/AAAA records that call the hook */
+	int ipsecmod_max_ttl;
+	/** false to proceed even when ipsecmod_hook fails */
+	int ipsecmod_strict;
+#endif
 };
 
 /** from cfg username, after daemonise setup performed */

contrib/unbound/util/configlexer.lex

@@ -302,6 +302,7 @@ do-not-query-address{COLON}	{ YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }
 do-not-query-localhost{COLON}	{ YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) }
 access-control{COLON}		{ YDVAR(2, VAR_ACCESS_CONTROL) }
 send-client-subnet{COLON}	{ YDVAR(1, VAR_SEND_CLIENT_SUBNET) }
+client-subnet-zone{COLON}	{ YDVAR(1, VAR_CLIENT_SUBNET_ZONE) }
 client-subnet-always-forward{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) }
 client-subnet-opcode{COLON}	{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
 max-client-subnet-ipv4{COLON}	{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
@@ -318,6 +319,7 @@ trust-anchor-file{COLON}	{ YDVAR(1, VAR_TRUST_ANCHOR_FILE) }
 auto-trust-anchor-file{COLON}	{ YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) }
 trusted-keys-file{COLON}	{ YDVAR(1, VAR_TRUSTED_KEYS_FILE) }
 trust-anchor{COLON}		{ YDVAR(1, VAR_TRUST_ANCHOR) }
+trust-anchor-signaling{COLON}	{ YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) }
 val-override-date{COLON}	{ YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
 val-sig-skew-min{COLON}		{ YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
 val-sig-skew-max{COLON}		{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
@@ -416,6 +418,12 @@ dnscrypt-port{COLON}		{ YDVAR(1, VAR_DNSCRYPT_PORT) }
 dnscrypt-provider{COLON}	{ YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
 dnscrypt-secret-key{COLON}	{ YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
 dnscrypt-provider-cert{COLON}	{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
+ipsecmod-enabled{COLON}		{ YDVAR(1, VAR_IPSECMOD_ENABLED) }
+ipsecmod-ignore-bogus{COLON}	{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
+ipsecmod-hook{COLON}		{ YDVAR(1, VAR_IPSECMOD_HOOK) }
+ipsecmod-max-ttl{COLON}		{ YDVAR(1, VAR_IPSECMOD_MAX_TTL) }
+ipsecmod-whitelist{COLON}	{ YDVAR(1, VAR_IPSECMOD_WHITELIST) }
+ipsecmod-strict{COLON}		{ YDVAR(1, VAR_IPSECMOD_STRICT) }
 <INITIAL,val>{NEWLINE}		{ LEXOUT(("NL\n")); cfg_parser->line++; }
 
 	/* Quoted strings. Strip leading and ending quotes */

contrib/unbound/util/configparser.y

@@ -131,8 +131,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
 %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN
 %token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR
-%token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ALWAYS_FORWARD
-%token VAR_CLIENT_SUBNET_OPCODE
+%token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE
+%token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE
 %token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6
 %token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
 %token VAR_QNAME_MINIMISATION VAR_QNAME_MINIMISATION_STRICT VAR_IP_FREEBIND
@@ -140,10 +140,12 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_LOCAL_ZONE_OVERRIDE VAR_ACCESS_CONTROL_TAG_ACTION
 %token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
 %token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_FAKE_DSA VAR_FAKE_SHA1
-%token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR
+%token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR VAR_TRUST_ANCHOR_SIGNALING
 %token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
 %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
 %token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
+%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
+%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -215,7 +217,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ratelimit_for_domain |
 	server_ratelimit_below_domain | server_ratelimit_factor |
 	server_ip_ratelimit_factor | server_send_client_subnet |
-	server_client_subnet_always_forward |
+	server_client_subnet_zone | server_client_subnet_always_forward |
 	server_client_subnet_opcode |
 	server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
 	server_caps_whitelist | server_cache_max_negative_ttl |
@@ -228,7 +230,10 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_fake_dsa | server_log_identity | server_use_systemd |
 	server_response_ip_tag | server_response_ip | server_response_ip_data |
 	server_shm_enable | server_shm_key | server_fake_sha1 |
-	server_hide_trustanchor
+	server_hide_trustanchor | server_trust_anchor_signaling |
+	server_ipsecmod_enabled | server_ipsecmod_hook |
+	server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl |
+	server_ipsecmod_whitelist | server_ipsecmod_strict
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -370,6 +375,18 @@ server_send_client_subnet: VAR_SEND_CLIENT_SUBNET STRING_ARG
 	#endif
 	}
 	;
+server_client_subnet_zone: VAR_CLIENT_SUBNET_ZONE STRING_ARG
+	{
+	#ifdef CLIENT_SUBNET
+		OUTYY(("P(server_client_subnet_zone:%s)\n", $2));
+		if(!cfg_strlist_insert(&cfg_parser->cfg->client_subnet_zone,
+			$2))
+			fatal_exit("out of memory adding client-subnet-zone");
+	#else
+		OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+	#endif
+	}
+	;
 server_client_subnet_always_forward:
 	VAR_CLIENT_SUBNET_ALWAYS_FORWARD STRING_ARG
 	{
@@ -783,6 +800,17 @@ server_trust_anchor: VAR_TRUST_ANCHOR STRING_ARG
 			yyerror("out of memory");
 	}
 	;
+server_trust_anchor_signaling: VAR_TRUST_ANCHOR_SIGNALING STRING_ARG
+	{
+		OUTYY(("P(server_trust_anchor_signaling:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else
+			cfg_parser->cfg->trust_anchor_signaling =
+				(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_domain_insecure: VAR_DOMAIN_INSECURE STRING_ARG
 	{
 		OUTYY(("P(server_domain_insecure:%s)\n", $2));
@@ -1783,6 +1811,80 @@ server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG
 		free($2);
 	}
 	;
+server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG
+	{
+	#ifdef USE_IPSECMOD
+		OUTYY(("P(server_ipsecmod_enabled:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->ipsecmod_enabled = (strcmp($2, "yes")==0);
+		free($2);
+	#else
+		OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+	#endif
+	}
+	;
+server_ipsecmod_ignore_bogus: VAR_IPSECMOD_IGNORE_BOGUS STRING_ARG
+	{
+	#ifdef USE_IPSECMOD
+		OUTYY(("P(server_ipsecmod_ignore_bogus:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->ipsecmod_ignore_bogus = (strcmp($2, "yes")==0);
+		free($2);
+	#else
+		OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+	#endif
+	}
+	;
+server_ipsecmod_hook: VAR_IPSECMOD_HOOK STRING_ARG
+	{
+	#ifdef USE_IPSECMOD
+		OUTYY(("P(server_ipsecmod_hook:%s)\n", $2));
+		free(cfg_parser->cfg->ipsecmod_hook);
+		cfg_parser->cfg->ipsecmod_hook = $2;
+	#else
+		OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+	#endif
+	}
+	;
+server_ipsecmod_max_ttl: VAR_IPSECMOD_MAX_TTL STRING_ARG
+	{
+	#ifdef USE_IPSECMOD
+		OUTYY(("P(server_ipsecmod_max_ttl:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
+			yyerror("number expected");
+		else cfg_parser->cfg->ipsecmod_max_ttl = atoi($2);
+		free($2);
+	#else
+		OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+	#endif
+	}
+	;
+server_ipsecmod_whitelist: VAR_IPSECMOD_WHITELIST STRING_ARG
+	{
+	#ifdef USE_IPSECMOD
+		OUTYY(("P(server_ipsecmod_whitelist:%s)\n", $2));
+		if(!cfg_strlist_insert(&cfg_parser->cfg->ipsecmod_whitelist, $2))
+			yyerror("out of memory");
+	#else
+		OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+	#endif
+	}
+	;
+server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG
+	{
+	#ifdef USE_IPSECMOD
+		OUTYY(("P(server_ipsecmod_strict:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->ipsecmod_strict = (strcmp($2, "yes")==0);
+		free($2);
+	#else
+		OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+	#endif
+	}
+	;
 stub_name: VAR_NAME STRING_ARG
 	{
 		OUTYY(("P(name:%s)\n", $2));
@@ -2227,6 +2329,7 @@ dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
 		else cfg_parser->cfg->dnscrypt = (strcmp($2, "yes")==0);
+		free($2);
 	}
 	;
 

contrib/unbound/util/data/msgencode.c

@@ -647,6 +647,8 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 	sldns_buffer_clear(buffer);
 	if(udpsize < sldns_buffer_limit(buffer))
 		sldns_buffer_set_limit(buffer, udpsize);
+	else if(sldns_buffer_limit(buffer) < udpsize)
+		udpsize = sldns_buffer_limit(buffer);
 	if(sldns_buffer_remaining(buffer) < LDNS_HEADER_SIZE)
 		return 0;
 
@@ -810,7 +812,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
 	struct edns_data* edns, int dnssec, int secure)
 {
 	uint16_t flags;
-	int attach_edns = 1;
+	unsigned int attach_edns = 0;
 
 	if(!cached || rep->authoritative) {
 		/* original flags, copy RD and CD bits from query. */
@@ -833,12 +835,15 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
 	log_assert(flags & BIT_QR); /* QR bit must be on in our replies */
 	if(udpsize < LDNS_HEADER_SIZE)
 		return 0;
+	if(sldns_buffer_capacity(pkt) < udpsize)
+		udpsize = sldns_buffer_capacity(pkt);
 	if(udpsize < LDNS_HEADER_SIZE + calc_edns_field_size(edns)) {
 		/* packet too small to contain edns, omit it. */
 		attach_edns = 0;
 	} else {
 		/* reserve space for edns record */
-		udpsize -= calc_edns_field_size(edns);
+		attach_edns = (unsigned int)calc_edns_field_size(edns);
+		udpsize -= attach_edns;
 	}
 
 	if(!reply_info_encode(qinf, rep, id, flags, pkt, timenow, region,
@@ -846,7 +851,8 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
 		log_err("reply encode: out of memory");
 		return 0;
 	}
-	if(attach_edns)
+	if(attach_edns && sldns_buffer_capacity(pkt) >=
+		sldns_buffer_limit(pkt)+attach_edns)
 		attach_edns_record(pkt, edns);
 	return 1;
 }

contrib/unbound/util/data/msgparse.c

@@ -1018,7 +1018,7 @@ parse_extract_edns(struct msg_parse* msg, struct edns_data* edns,
 	edns->opt_list = NULL;
 
 	/* take the options */
-	rdata_len = found->rr_first->size;
+	rdata_len = found->rr_first->size-2;
 	rdata_ptr = found->rr_first->ttl_data+6;
 	if(!parse_edns_options(rdata_ptr, rdata_len, edns, region))
 		return 0;

contrib/unbound/util/fptr_wlist.c

@@ -49,6 +49,7 @@
 #include "services/outside_network.h"
 #include "services/mesh.h"
 #include "services/localzone.h"
+#include "services/authzone.h"
 #include "services/cache/infra.h"
 #include "services/cache/rrset.h"
 #include "services/view.h"
@@ -83,6 +84,9 @@
 #ifdef USE_CACHEDB
 #include "cachedb/cachedb.h"
 #endif
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#endif
 #ifdef CLIENT_SUBNET
 #include "edns-subnet/subnetmod.h"
 #endif
@@ -209,6 +213,8 @@ fptr_whitelist_rbtree_cmp(int (*fptr) (const void *, const void *))
 	else if(fptr == &probetree_cmp) return 1;
 	else if(fptr == &replay_var_compare) return 1;
 	else if(fptr == &view_cmp) return 1;
+	else if(fptr == &auth_zone_cmp) return 1;
+	else if(fptr == &auth_data_cmp) return 1;
 	return 0;
 }
 
@@ -306,6 +312,16 @@ fptr_whitelist_modenv_attach_sub(int (*fptr)(
 	return 0;
 }
 
+int 
+fptr_whitelist_modenv_add_sub(int (*fptr)(
+        struct module_qstate* qstate, struct query_info* qinfo,
+        uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
+	struct mesh_state** sub))
+{
+	if(fptr == &mesh_add_sub) return 1;
+	return 0;
+}
+
 int 
 fptr_whitelist_modenv_kill_sub(void (*fptr)(struct module_qstate* newq))
 {
@@ -335,6 +351,9 @@ fptr_whitelist_mod_init(int (*fptr)(struct module_env* env, int id))
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_init) return 1;
 #endif
+#ifdef USE_IPSECMOD
+	else if(fptr == &ipsecmod_init) return 1;
+#endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_init) return 1;
 #endif
@@ -354,6 +373,9 @@ fptr_whitelist_mod_deinit(void (*fptr)(struct module_env* env, int id))
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_deinit) return 1;
 #endif
+#ifdef USE_IPSECMOD
+	else if(fptr == &ipsecmod_deinit) return 1;
+#endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_deinit) return 1;
 #endif
@@ -374,6 +396,9 @@ fptr_whitelist_mod_operate(void (*fptr)(struct module_qstate* qstate,
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_operate) return 1;
 #endif
+#ifdef USE_IPSECMOD
+	else if(fptr == &ipsecmod_operate) return 1;
+#endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_operate) return 1;
 #endif
@@ -394,6 +419,9 @@ fptr_whitelist_mod_inform_super(void (*fptr)(
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_inform_super) return 1;
 #endif
+#ifdef USE_IPSECMOD
+	else if(fptr == &ipsecmod_inform_super) return 1;
+#endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_inform_super) return 1;
 #endif
@@ -414,6 +442,9 @@ fptr_whitelist_mod_clear(void (*fptr)(struct module_qstate* qstate,
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_clear) return 1;
 #endif
+#ifdef USE_IPSECMOD
+	else if(fptr == &ipsecmod_clear) return 1;
+#endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_clear) return 1;
 #endif
@@ -433,6 +464,9 @@ fptr_whitelist_mod_get_mem(size_t (*fptr)(struct module_env* env, int id))
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_get_mem) return 1;
 #endif
+#ifdef USE_IPSECMOD
+	else if(fptr == &ipsecmod_get_mem) return 1;
+#endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_get_mem) return 1;
 #endif

contrib/unbound/util/fptr_wlist.h

@@ -233,6 +233,15 @@ int fptr_whitelist_modenv_attach_sub(int (*fptr)(
 	struct module_qstate* qstate, struct query_info* qinfo, 
 	uint16_t qflags, int prime, int valrec, struct module_qstate** newq));
 
+/**
+ * Check function pointer whitelist for module_env add_sub callback values.
+ *
+ * @param fptr: function pointer to check.
+ * @return false if not in whitelist.
+ */
+int fptr_whitelist_modenv_add_sub(int (*fptr)(struct module_qstate* qstate,
+	struct query_info* qinfo, uint16_t qflags, int prime, int valrec,
+	struct module_qstate** newq, struct mesh_state** sub));
 /**
  * Check function pointer whitelist for module_env kill_sub callback values.
  *

contrib/unbound/util/iana_ports.inc

@@ -29,7 +29,6 @@
 44,
 45,
 46,
-47,
 48,
 49,
 50,
@@ -41,7 +40,6 @@
 57,
 58,
 59,
-61,
 62,
 63,
 64,
@@ -4575,6 +4573,7 @@
 7014,
 7015,
 7016,
+7017,
 7019,
 7020,
 7021,
@@ -4855,6 +4854,7 @@
 8793,
 8800,
 8804,
+8805,
 8808,
 8873,
 8880,
@@ -5463,3 +5463,4 @@
 48556,
 48619,
 48653,
+49001,

contrib/unbound/util/log.c

@@ -103,8 +103,12 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
 			use_syslog?"syslog":(filename&&filename[0]?filename:"stderr"));
 		lock_quick_lock(&log_lock);
 	}
-	if(logfile && logfile != stderr)
-		fclose(logfile);
+	if(logfile && logfile != stderr) {
+		FILE* cl = logfile;
+		logfile = NULL; /* set to NULL before it is closed, so that
+			other threads have a valid logfile or NULL */
+		fclose(cl);
+	}
 #ifdef HAVE_SYSLOG_H
 	if(logging_to_syslog) {
 		closelog();

contrib/unbound/util/module.h

@@ -382,6 +382,37 @@ struct module_env {
 		struct query_info* qinfo, uint16_t qflags, int prime, 
 		int valrec, struct module_qstate** newq);
 
+	/**
+	 * Add detached query.
+	 * Creates it if it does not exist already.
+	 * Does not make super/sub references.
+	 * Performs a cycle detection - for double check - and fails if there is
+	 * 	one.
+	 * Updates stat items in mesh_area structure.
+	 * Pass if it is priming query or not.
+	 * return:
+	 * 	o if error (malloc) happened.
+	 * 	o need to initialise the new state (module init; it is a new state).
+	 * 	  so that the next run of the query with this module is successful.
+	 * 	o no init needed, attachment successful.
+	 * 	o added subquery, created if it did not exist already.
+	 *
+	 * @param qstate: the state to find mesh state, and that wants to receive
+	 * 	the results from the new subquery.
+	 * @param qinfo: what to query for (copied).
+	 * @param qflags: what flags to use (RD / CD flag or not).
+	 * @param prime: if it is a (stub) priming query.
+	 * @param valrec: if it is a validation recursion query (lookup of key, DS).
+	 * @param newq: If the new subquery needs initialisation, it is returned,
+	 * 	otherwise NULL is returned.
+	 * @param sub: The added mesh state, created if it did not exist already.
+	 * @return: false on error, true if success (and init may be needed).
+	 */
+	int (*add_sub)(struct module_qstate* qstate, 
+		struct query_info* qinfo, uint16_t qflags, int prime, 
+		int valrec, struct module_qstate** newq,
+		struct mesh_state** sub);
+
 	/**
 	 * Kill newly attached sub. If attach_sub returns newq for 
 	 * initialisation, but that fails, then this routine will cleanup and

contrib/unbound/util/netevent.c

@@ -1407,12 +1407,34 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
 			if(errno == EINTR || errno == EAGAIN)
 				return 1;
 			/* Not handling EISCONN here as shouldn't ever hit that case.*/
-			if(errno != 0 && verbosity < 2)
+			if(errno != EPIPE && errno != 0 && verbosity < 2)
 				return 0; /* silence lots of chatter in the logs */
-			else if(errno != 0) 
+			if(errno != EPIPE && errno != 0) {
 				log_err_addr("tcp sendmsg", strerror(errno),
 					&c->repinfo.addr, c->repinfo.addrlen);
 				return 0;
+			}
+			/* fallthrough to nonFASTOPEN
+			 * (MSG_FASTOPEN on Linux 3 produces EPIPE)
+			 * we need to perform connect() */
+			if(connect(fd, (struct sockaddr *)&c->repinfo.addr, c->repinfo.addrlen) == -1) {
+#ifdef EINPROGRESS
+				if(errno == EINPROGRESS)
+					return 1; /* wait until connect done*/
+#endif
+#ifdef USE_WINSOCK
+				if(WSAGetLastError() == WSAEINPROGRESS ||
+					WSAGetLastError() == WSAEWOULDBLOCK)
+					return 1; /* wait until connect done*/
+#endif
+				if(tcp_connect_errno_needs_log(
+					(struct sockaddr *)&c->repinfo.addr, c->repinfo.addrlen)) {
+					log_err_addr("outgoing tcp: connect after EPIPE for fastopen",
+						strerror(errno), &c->repinfo.addr, c->repinfo.addrlen);
+				}
+				return 0;
+			}
+
 		} else {
 			c->tcp_byte_count += r;
 			if(c->tcp_byte_count < sizeof(uint16_t))
@@ -1767,8 +1789,8 @@ comm_point_create_tcp_handler(struct comm_base *base,
 #endif
 #ifdef USE_DNSCRYPT
 	c->dnscrypt = 0;
-    // We don't know just yet if this is a dnscrypt channel. Allocation
-    // will be done when handling the callback.
+	/* We don't know just yet if this is a dnscrypt channel. Allocation
+	 * will be done when handling the callback. */
 	c->dnscrypt_buffer = c->buffer;
 #endif
 	c->repinfo.c = c;

contrib/unbound/util/netevent.h

@@ -120,7 +120,7 @@ struct comm_reply {
 #ifdef USE_DNSCRYPT
 	uint8_t client_nonce[crypto_box_HALF_NONCEBYTES];
 	uint8_t nmkey[crypto_box_BEFORENMBYTES];
-	const KeyPair *keypair;
+	const dnsccert *dnsc_cert;
 	int is_dnscrypted;
 #endif
 	/** the return source interface data */

contrib/unbound/util/shm_side/shm_main.c

@@ -65,17 +65,17 @@
 #ifdef HAVE_SHMGET
 /** subtract timers and the values do not overflow or become negative */
 static void
-timeval_subtract(struct timeval* d, const struct timeval* end,
+stat_timeval_subtract(long long *d_sec, long long *d_usec, const struct timeval* end,
 	const struct timeval* start)
 {
 #ifndef S_SPLINT_S
 	time_t end_usec = end->tv_usec;
-	d->tv_sec = end->tv_sec - start->tv_sec;
+	*d_sec = end->tv_sec - start->tv_sec;
 	if(end_usec < start->tv_usec) {
 		end_usec += 1000000;
-		d->tv_sec--;
+		(*d_sec)--;
 	}
-	d->tv_usec = end_usec - start->tv_usec;
+	*d_usec = end_usec - start->tv_usec;
 #endif
 }
 #endif /* HAVE_SHMGET */
@@ -83,7 +83,7 @@ timeval_subtract(struct timeval* d, const struct timeval* end,
 int shm_main_init(struct daemon* daemon)
 {
 #ifdef HAVE_SHMGET
-	struct shm_stat_info *shm_stat;
+	struct ub_shm_stat_info *shm_stat;
 	size_t shm_size;
 	
 	/* sanitize */
@@ -95,7 +95,7 @@ int shm_main_init(struct daemon* daemon)
 		log_warn("shm-enable is yes but statistics-interval is 0");
 
 	/* Statistics to maintain the number of thread + total */
-	shm_size = (sizeof(struct stats_info) * (daemon->num + 1));
+	shm_size = (sizeof(struct ub_stats_info) * (daemon->num + 1));
 
 	/* Allocation of needed memory */
 	daemon->shm_info = (struct shm_main_info*)calloc(1, shm_size);
@@ -121,7 +121,7 @@ int shm_main_init(struct daemon* daemon)
 		shmctl(daemon->shm_info->id_arr, IPC_RMID, NULL);
 
 	/* SHM: Create the segment */
-	daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct shm_stat_info), IPC_CREAT | 0666);
+	daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct ub_shm_stat_info), IPC_CREAT | 0666);
 
 	if (daemon->shm_info->id_ctl < 0)
 	{
@@ -148,7 +148,7 @@ int shm_main_init(struct daemon* daemon)
 	}
 
 	/* SHM: attach the segment  */
-	daemon->shm_info->ptr_ctl = (struct shm_stat_info*)
+	daemon->shm_info->ptr_ctl = (struct ub_shm_stat_info*)
 		shmat(daemon->shm_info->id_ctl, NULL, 0);
 	if(daemon->shm_info->ptr_ctl == (void *) -1) {
 		log_err("SHM failed(ctl) cannot shmat(%d) %s",
@@ -160,7 +160,7 @@ int shm_main_init(struct daemon* daemon)
 		return 0;
 	}
 
-	daemon->shm_info->ptr_arr = (struct stats_info*)
+	daemon->shm_info->ptr_arr = (struct ub_stats_info*)
 		shmat(daemon->shm_info->id_arr, NULL, 0);
 
 	if (daemon->shm_info->ptr_arr == (void *) -1)
@@ -175,7 +175,7 @@ int shm_main_init(struct daemon* daemon)
 	}
 
 	/* Zero fill SHM to stand clean while is not filled by other events */
-	memset(daemon->shm_info->ptr_ctl, 0, sizeof(struct shm_stat_info));
+	memset(daemon->shm_info->ptr_ctl, 0, sizeof(struct ub_shm_stat_info));
 	memset(daemon->shm_info->ptr_arr, 0, shm_size);
 
 	shm_stat = daemon->shm_info->ptr_ctl;
@@ -218,10 +218,9 @@ void shm_main_shutdown(struct daemon* daemon)
 void shm_main_run(struct worker *worker)
 {
 #ifdef HAVE_SHMGET
-	struct shm_stat_info *shm_stat;
-	struct stats_info *stat_total;
-	struct stats_info *stat_info;
-	int modstack;
+	struct ub_shm_stat_info *shm_stat;
+	struct ub_stats_info *stat_total;
+	struct ub_stats_info *stat_info;
 	int offset;
 
 	verbose(VERB_DETAIL, "SHM run - worker [%d] - daemon [%p] - timenow(%u) - timeboot(%u)",
@@ -238,40 +237,40 @@ void shm_main_run(struct worker *worker)
 	if (worker->thread_num == 0) {
 
 		/* Copy data to the current position */
-		memset(stat_total, 0, sizeof(struct stats_info));
+		memset(stat_total, 0, sizeof(struct ub_stats_info));
 
 		/* Point to data into SHM */
 		shm_stat = worker->daemon->shm_info->ptr_ctl;
-		shm_stat->time.now = *worker->env.now_tv;
+		shm_stat->time.now_sec = (long long)worker->env.now_tv->tv_sec;
+		shm_stat->time.now_usec = (long long)worker->env.now_tv->tv_usec;
 
-		timeval_subtract(&shm_stat->time.up, &shm_stat->time.now, &worker->daemon->time_boot);
-		timeval_subtract(&shm_stat->time.elapsed, &shm_stat->time.now, &worker->daemon->time_last_stat);
+		stat_timeval_subtract(&shm_stat->time.up_sec, &shm_stat->time.up_usec, worker->env.now_tv, &worker->daemon->time_boot);
+		stat_timeval_subtract(&shm_stat->time.elapsed_sec, &shm_stat->time.elapsed_usec, worker->env.now_tv, &worker->daemon->time_last_stat);
 
-		shm_stat->mem.msg = slabhash_get_mem(worker->env.msg_cache);
-		shm_stat->mem.rrset = slabhash_get_mem(&worker->env.rrset_cache->table);
-		shm_stat->mem.val = 0;
-		shm_stat->mem.iter = 0;
+		shm_stat->mem.msg = (long long)slabhash_get_mem(worker->env.msg_cache);
+		shm_stat->mem.rrset = (long long)slabhash_get_mem(&worker->env.rrset_cache->table);
+		shm_stat->mem.val = (long long)mod_get_mem(&worker->env,
+			"validator");
+		shm_stat->mem.iter = (long long)mod_get_mem(&worker->env,
+			"iterator");
+		shm_stat->mem.respip = (long long)mod_get_mem(&worker->env,
+			"respip");
 
-		modstack = modstack_find(&worker->env.mesh->mods, "validator");
-		if(modstack != -1) {
-			fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
-			shm_stat->mem.val = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
-		}
-		modstack = modstack_find(&worker->env.mesh->mods, "iterator");
-		if(modstack != -1) {
-			fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
-			shm_stat->mem.iter = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
-		}
 		/* subnet mem value is available in shm, also when not enabled,
 		 * to make the struct easier to memmap by other applications,
 		 * independent of the configuration of unbound */
 		shm_stat->mem.subnet = 0;
 #ifdef CLIENT_SUBNET
-		modstack = modstack_find(&worker->env.mesh->mods, "subnet");
-		if(modstack != -1) {
-			fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
-			shm_stat->mem.subnet = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
-		}
+		shm_stat->mem.subnet = (long long)mod_get_mem(&worker->env,
+			"subnet");
+#endif
+		/* ipsecmod mem value is available in shm, also when not enabled,
+		 * to make the struct easier to memmap by other applications,
+		 * independent of the configuration of unbound */
+		shm_stat->mem.ipsecmod = 0;
+#ifdef USE_IPSECMOD
+		shm_stat->mem.ipsecmod = (long long)mod_get_mem(&worker->env,
+			"ipsecmod");
 #endif
 	}
 

contrib/unbound/util/shm_side/shm_main.h

@@ -44,26 +44,8 @@
 struct daemon;
 struct worker;
 
-/** Some global statistics that are not in struct stats_info,
- * this struct is shared on a shm segment */
-struct shm_stat_info {
-
-	int num_threads;
-
-	struct {
-		struct timeval now;
-		struct timeval up;
-		struct timeval elapsed;
-	} time;
-
-	struct {
-		size_t msg;
-		size_t rrset;
-		size_t val;
-		size_t iter;
-		size_t subnet;
-	} mem;
-};
+/* get struct ub_shm_stat_info */
+#include "libunbound/unbound.h"
 
 /**
  * The SHM info.
@@ -71,9 +53,9 @@ struct shm_stat_info {
 struct shm_main_info {
 	/** stats_info array, shared memory segment.
 	 * [0] is totals, [1..thread_num] are per-thread stats */
-	struct stats_info* ptr_arr;
+	struct ub_stats_info* ptr_arr;
 	/** the global stats block, shared memory segment */
-	struct shm_stat_info* ptr_ctl;
+	struct ub_shm_stat_info* ptr_ctl;
 	int key;
 	int id_ctl;
 	int id_arr;

contrib/unbound/util/timehist.c

@@ -225,23 +225,23 @@ timehist_quartile(struct timehist* hist, double q)
 }
 
 void 
-timehist_export(struct timehist* hist, size_t* array, size_t sz)
+timehist_export(struct timehist* hist, long long* array, size_t sz)
 {
 	size_t i;
 	if(!hist) return;
 	if(sz > hist->num)
 		sz = hist->num;
 	for(i=0; i<sz; i++)
-		array[i] = hist->buckets[i].count;
+		array[i] = (long long)hist->buckets[i].count;
 }
 
 void 
-timehist_import(struct timehist* hist, size_t* array, size_t sz)
+timehist_import(struct timehist* hist, long long* array, size_t sz)
 {
 	size_t i;
 	if(!hist) return;
 	if(sz > hist->num)
 		sz = hist->num;
 	for(i=0; i<sz; i++)
-		hist->buckets[i].count = array[i];
+		hist->buckets[i].count = (size_t)array[i];
 }

contrib/unbound/util/timehist.h

@@ -121,7 +121,7 @@ void timehist_log(struct timehist* hist, const char* name);
  * @param array: the array to export to.
  * @param sz: number of items in array.
  */
-void timehist_export(struct timehist* hist, size_t* array, size_t sz);
+void timehist_export(struct timehist* hist, long long* array, size_t sz);
 
 /**
  * Import histogram from an array.
@@ -129,6 +129,6 @@ void timehist_export(struct timehist* hist, size_t* array, size_t sz);
  * @param array: the array to import from.
  * @param sz: number of items in array.
  */
-void timehist_import(struct timehist* hist, size_t* array, size_t sz);
+void timehist_import(struct timehist* hist, long long* array, size_t sz);
 
 #endif /* UTIL_TIMEHIST_H */

contrib/unbound/validator/val_secalgo.c

@@ -228,6 +228,9 @@ dnskey_algo_id_is_supported(int id)
 	case LDNS_ECDSAP256SHA256:
 	case LDNS_ECDSAP384SHA384:
 #endif
+#ifdef USE_ED25519
+	case LDNS_ED25519:
+#endif
 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
 		return 1;
 #endif
@@ -555,6 +558,17 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 #endif
 			break;
 #endif /* USE_ECDSA */
+#ifdef USE_ED25519
+		case LDNS_ED25519:
+			*evp_key = sldns_ed255192pkey_raw(key, keylen);
+			if(!*evp_key) {
+				verbose(VERB_QUERY, "verify: "
+					"sldns_ed255192pkey_raw failed");
+				return 0;
+			}
+			*digest_type = NULL;
+			break;
+#endif /* USE_ED25519 */
 		default:
 			verbose(VERB_QUERY, "verify: unknown algorithm %d", 
 				algo);
@@ -644,18 +658,29 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 		else if(docrypto_free) OPENSSL_free(sigblock);
 		return sec_status_unchecked;
 	}
-	if(EVP_VerifyInit(ctx, digest_type) == 0) {
-		verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
+#ifndef HAVE_EVP_DIGESTVERIFY
+	if(EVP_DigestInit(ctx, digest_type) == 0) {
+		verbose(VERB_QUERY, "verify: EVP_DigestInit failed");
+#ifdef HAVE_EVP_MD_CTX_NEW
 		EVP_MD_CTX_destroy(ctx);
+#else
+		EVP_MD_CTX_cleanup(ctx);
+		free(ctx);
+#endif
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
 		else if(docrypto_free) OPENSSL_free(sigblock);
 		return sec_status_unchecked;
 	}
-	if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 
+	if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 
 		(unsigned int)sldns_buffer_limit(buf)) == 0) {
-		verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
+		verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed");
+#ifdef HAVE_EVP_MD_CTX_NEW
 		EVP_MD_CTX_destroy(ctx);
+#else
+		EVP_MD_CTX_cleanup(ctx);
+		free(ctx);
+#endif
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
 		else if(docrypto_free) OPENSSL_free(sigblock);
@@ -663,6 +688,24 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 	}
 
 	res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
+#else /* HAVE_EVP_DIGESTVERIFY */
+	if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) {
+		verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed");
+#ifdef HAVE_EVP_MD_CTX_NEW
+		EVP_MD_CTX_destroy(ctx);
+#else
+		EVP_MD_CTX_cleanup(ctx);
+		free(ctx);
+#endif
+		EVP_PKEY_free(evp_key);
+		if(dofree) free(sigblock);
+		else if(docrypto_free) OPENSSL_free(sigblock);
+		return sec_status_unchecked;
+	}
+	res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
+		(unsigned char*)sldns_buffer_begin(buf),
+		sldns_buffer_limit(buf));
+#endif
 #ifdef HAVE_EVP_MD_CTX_NEW
 	EVP_MD_CTX_destroy(ctx);
 #else

contrib/unbound/validator/val_utils.c

@@ -54,6 +54,7 @@
 #include "util/net_help.h"
 #include "util/module.h"
 #include "util/regional.h"
+#include "util/config_file.h"
 #include "sldns/wire2str.h"
 #include "sldns/parseutil.h"
 
@@ -914,7 +915,7 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index)
 }
 
 void
-val_check_nonsecure(struct val_env* ve, struct reply_info* rep) 
+val_check_nonsecure(struct module_env* env, struct reply_info* rep) 
 {
 	size_t i;
 	/* authority */
@@ -955,7 +956,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
 		}
 	}
 	/* additional */
-	if(!ve->clean_additional)
+	if(!env->cfg->val_clean_additional)
 		return;
 	for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
 		if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)

contrib/unbound/validator/val_utils.h

@@ -306,10 +306,10 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index);
  * So that unsigned data does not get let through to clients, when we have
  * found the data to be secure.
  *
- * @param ve: validator environment with cleaning options.
+ * @param env: environment with cleaning options.
  * @param rep: reply to dump all nonsecure stuff out of.
  */
-void val_check_nonsecure(struct val_env* ve, struct reply_info* rep);
+void val_check_nonsecure(struct module_env* env, struct reply_info* rep);
 
 /**
  * Mark all unchecked rrset entries not below a trust anchor as indeterminate.

contrib/unbound/validator/validator.c

@@ -60,6 +60,7 @@
 #include "util/fptr_wlist.h"
 #include "sldns/rrdef.h"
 #include "sldns/wire2str.h"
+#include "sldns/str2wire.h"
 
 /* forward decl for cache response and normal super inform calls of a DS */
 static void process_ds_response(struct module_qstate* qstate, 
@@ -112,8 +113,6 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
 {
 	int c;
 	val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;
-	val_env->clean_additional = cfg->val_clean_additional;
-	val_env->permissive_mode = cfg->val_permissive_mode;
 	if(!env->anchors)
 		env->anchors = anchors_create();
 	if(!env->anchors) {
@@ -170,7 +169,6 @@ val_init(struct module_env* env, int id)
 	}
 	env->modinfo[id] = (void*)val_env;
 	env->need_to_validate = 1;
-	val_env->permissive_mode = 0;
 	lock_basic_init(&val_env->bogus_lock);
 	lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
 		sizeof(val_env->num_rrset_bogus));
@@ -364,14 +362,17 @@ already_validated(struct dns_msg* ret_msg)
  * @param qtype: query type.
  * @param qclass: query class.
  * @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
+ * @param newq: If the subquery is newly created, it is returned,
+ * 	otherwise NULL is returned
+ * @param detached: true if this qstate should not attach to the subquery
  * @return false on alloc failure.
  */
 static int
 generate_request(struct module_qstate* qstate, int id, uint8_t* name, 
-	size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
+	size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags, 
+	struct module_qstate** newq, int detached)
 {
 	struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id];
-	struct module_qstate* newq;
 	struct query_info ask;
 	int valrec;
 	ask.qname = name;
@@ -380,28 +381,101 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
 	ask.qclass = qclass;
 	ask.local_alias = NULL;
 	log_query_info(VERB_ALGO, "generate request", &ask);
-	fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
 	/* enable valrec flag to avoid recursion to the same validation
 	 * routine, this lookup is simply a lookup. DLVs need validation */
 	if(qtype == LDNS_RR_TYPE_DLV)
 		valrec = 0;
 	else valrec = 1;
-	if(!(*qstate->env->attach_sub)(qstate, &ask, 
-		(uint16_t)(BIT_RD|flags), 0, valrec, &newq)){
+	if(detached) {
+		struct mesh_state* sub = NULL;
+		fptr_ok(fptr_whitelist_modenv_add_sub(
+			qstate->env->add_sub));
+		if(!(*qstate->env->add_sub)(qstate, &ask, 
+			(uint16_t)(BIT_RD|flags), 0, valrec, newq, &sub)){
 			log_err("Could not generate request: out of memory");
 			return 0;
 		}
+	}
+	else {
+		fptr_ok(fptr_whitelist_modenv_attach_sub(
+			qstate->env->attach_sub));
+		if(!(*qstate->env->attach_sub)(qstate, &ask, 
+			(uint16_t)(BIT_RD|flags), 0, valrec, newq)){
+			log_err("Could not generate request: out of memory");
+			return 0;
+		}
+	}
 	/* newq; validator does not need state created for that
 	 * query, and its a 'normal' for iterator as well */
-	if(newq) {
+	if(*newq) {
 		/* add our blacklist to the query blacklist */
-		sock_list_merge(&newq->blacklist, newq->region,
+		sock_list_merge(&(*newq)->blacklist, (*newq)->region,
 			vq->chain_blacklist);
 	}
 	qstate->ext_state[id] = module_wait_subquery;
 	return 1;
 }
 
+/**
+ * Generate, send and detach key tag signaling query.
+ *
+ * @param qstate: query state.
+ * @param id: module id.
+ * @param ta: trust anchor, locked.
+ * @return false on a processing error.
+ */
+static int
+generate_keytag_query(struct module_qstate* qstate, int id,
+	struct trust_anchor* ta)
+{
+	/* 3 bytes for "_ta", 5 bytes per tag (4 bytes + "-") */
+#define MAX_LABEL_TAGS (LDNS_MAX_LABELLEN-3)/5
+	size_t i, numtag;
+	uint16_t tags[MAX_LABEL_TAGS];
+	char tagstr[LDNS_MAX_LABELLEN+1] = "_ta"; /* +1 for NULL byte */
+	size_t tagstr_left = sizeof(tagstr) - strlen(tagstr);
+	char* tagstr_pos = tagstr + strlen(tagstr);
+	uint8_t dnamebuf[LDNS_MAX_DOMAINLEN+1]; /* +1 for label length byte */
+	size_t dnamebuf_len = sizeof(dnamebuf);
+	uint8_t* keytagdname;
+	struct module_qstate* newq = NULL;
+	enum module_ext_state ext_state = qstate->ext_state[id];
+
+	numtag = anchor_list_keytags(ta, tags, MAX_LABEL_TAGS);
+	if(numtag == 0)
+		return 0;
+
+	for(i=0; i<numtag; i++) {
+		/* Buffer can't overflow; numtag is limited to tags that fit in
+		 * the buffer. */
+		snprintf(tagstr_pos, tagstr_left, "-%04x", (unsigned)tags[i]);
+		tagstr_left -= strlen(tagstr_pos);
+		tagstr_pos += strlen(tagstr_pos);
+	}
+
+	sldns_str2wire_dname_buf_origin(tagstr, dnamebuf, &dnamebuf_len,
+		ta->name, ta->namelen);
+	if(!(keytagdname = (uint8_t*)regional_alloc_init(qstate->region,
+		dnamebuf, dnamebuf_len))) {
+		log_err("could not generate key tag query: out of memory");
+		return 0;
+	}
+
+	log_nametypeclass(VERB_ALGO, "keytag query", keytagdname,
+		LDNS_RR_TYPE_NULL, ta->dclass);
+	if(!generate_request(qstate, id, keytagdname, dnamebuf_len,
+		LDNS_RR_TYPE_NULL, ta->dclass, 0, &newq, 1)) {
+		log_err("failed to generate key tag signaling request");
+		return 0;
+	}
+
+	/* Not interrested in subquery response. Restore the ext_state,
+	 * that might be changed by generate_request() */
+	qstate->ext_state[id] = ext_state;
+
+	return 1;
+}
+
 /**
  * Prime trust anchor for use.
  * Generate and dispatch a priming query for the given trust anchor.
@@ -417,8 +491,16 @@ static int
 prime_trust_anchor(struct module_qstate* qstate, struct val_qstate* vq,
 	int id, struct trust_anchor* toprime)
 {
+	struct module_qstate* newq = NULL;
 	int ret = generate_request(qstate, id, toprime->name, toprime->namelen,
-		LDNS_RR_TYPE_DNSKEY, toprime->dclass, BIT_CD);
+		LDNS_RR_TYPE_DNSKEY, toprime->dclass, BIT_CD, &newq, 0);
+
+	if(newq && qstate->env->cfg->trust_anchor_signaling &&
+		!generate_keytag_query(qstate, id, toprime)) {
+		log_err("keytag signaling query failed");
+		return 0;
+	}
+
 	if(!ret) {
 		log_err("Could not prime trust anchor: out of memory");
 		return 0;
@@ -534,9 +616,11 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
 		}
 	}
 
-	/* attempt to validate the ADDITIONAL section rrsets */
-	if(!ve->clean_additional)
+	/* If set, the validator should clean the additional section of
+	 * secure messages. */
+	if(!env->cfg->val_clean_additional)
 		return 1;
+	/* attempt to validate the ADDITIONAL section rrsets */
 	for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets; 
 		i<chase_reply->rrset_count; i++) {
 		s = chase_reply->rrsets[i];
@@ -1510,6 +1594,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
 	uint8_t* target_key_name, *current_key_name;
 	size_t target_key_len;
 	int strip_lab;
+	struct module_qstate* newq = NULL;
 
 	log_query_info(VERB_ALGO, "validator: FindKey", &vq->qchase);
 	/* We know that state.key_entry is not 0 or bad key -- if it were,
@@ -1522,7 +1607,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
 	if(key_entry_isnull(vq->key_entry)) {
 		if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 
 			vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 
-			vq->qchase.qclass, BIT_CD)) {
+			vq->qchase.qclass, BIT_CD, &newq, 0)) {
 			log_err("mem error generating DNSKEY request");
 			return val_error(qstate, id);
 		}
@@ -1594,7 +1679,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
 		vq->key_entry->name) != 0) {
 		if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 
 			vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 
-			vq->qchase.qclass, BIT_CD)) {
+			vq->qchase.qclass, BIT_CD, &newq, 0)) {
 			log_err("mem error generating DNSKEY request");
 			return val_error(qstate, id);
 		}
@@ -1623,7 +1708,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
 		}
 		if(!generate_request(qstate, id, target_key_name, 
 			target_key_len, LDNS_RR_TYPE_DS, vq->qchase.qclass,
-			BIT_CD)) {
+			BIT_CD, &newq, 0)) {
 			log_err("mem error generating DS request");
 			return val_error(qstate, id);
 		}
@@ -1633,7 +1718,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
 	/* Otherwise, it is time to query for the DNSKEY */
 	if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 
 		vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 
-		vq->qchase.qclass, BIT_CD)) {
+		vq->qchase.qclass, BIT_CD, &newq, 0)) {
 		log_err("mem error generating DNSKEY request");
 		return val_error(qstate, id);
 	}
@@ -1847,6 +1932,7 @@ val_dlv_init(struct module_qstate* qstate, struct val_qstate* vq,
 {
 	uint8_t* nm;
 	size_t nm_len;
+	struct module_qstate* newq = NULL;
 	/* there must be a DLV configured */
 	log_assert(qstate->env->anchors->dlv_anchor);
 	/* this bool is true to avoid looping in the DLV checks */
@@ -1948,7 +2034,7 @@ val_dlv_init(struct module_qstate* qstate, struct val_qstate* vq,
 	vq->state = VAL_DLVLOOKUP_STATE;
 	if(!generate_request(qstate, id, vq->dlv_lookup_name, 
 		vq->dlv_lookup_name_len, LDNS_RR_TYPE_DLV,
-		vq->qchase.qclass, 0)) {
+		vq->qchase.qclass, 0, &newq, 0)) {
 		return val_error(qstate, id);
 	}
 
@@ -2042,7 +2128,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
 		 * a different signer name). And drop additional rrsets
 		 * that are not secure (if clean-additional option is set) */
 		/* this may cause the msg to be marked bogus */
-		val_check_nonsecure(ve, vq->orig_msg->rep);
+		val_check_nonsecure(qstate->env, vq->orig_msg->rep);
 		if(vq->orig_msg->rep->security == sec_status_secure) {
 			log_query_info(VERB_DETAIL, "validation success", 
 				&qstate->qinfo);
@@ -2083,8 +2169,14 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
 				free(err);
 			}
 		}
+		/*
+		 * If set, the validator will not make messages bogus, instead
+		 * indeterminate is issued, so that no clients receive SERVFAIL.
+		 * This allows an operator to run validation 'shadow' without
+		 * hurting responses to clients.
+		 */
 		/* If we are in permissive mode, bogus gets indeterminate */
-		if(ve->permissive_mode)
+		if(qstate->env->cfg->val_permissive_mode)
 			vq->orig_msg->rep->security = sec_status_indeterminate;
 	}
 
@@ -2128,6 +2220,7 @@ static int
 processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq, 
 	struct val_env* ve, int id)
 {
+	struct module_qstate* newq = NULL;
 	/* see if this we are ready to continue normal resolution */
 	/* we may need more DLV lookups */
 	if(vq->dlv_status==dlv_error)
@@ -2176,7 +2269,7 @@ processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
 
 		if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 
 			vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 
-			vq->qchase.qclass, BIT_CD)) {
+			vq->qchase.qclass, BIT_CD, &newq, 0)) {
 			log_err("mem error generating DNSKEY request");
 			return val_error(qstate, id);
 		}
@@ -2218,7 +2311,7 @@ processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
 
 	if(!generate_request(qstate, id, vq->dlv_lookup_name,
 		vq->dlv_lookup_name_len, LDNS_RR_TYPE_DLV, 
-		vq->qchase.qclass, 0)) {
+		vq->qchase.qclass, 0, &newq, 0)) {
 		return val_error(qstate, id);
 	}
 
@@ -2857,6 +2950,7 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
 			ta->name, ta->namelen, LDNS_RR_TYPE_DNSKEY,
 			ta->dclass);
 	}
+
 	if(ta->autr) {
 		if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset)) {
 			/* trust anchor revoked, restart with less anchors */

contrib/unbound/validator/validator.h

@@ -93,19 +93,6 @@ struct val_env {
 	 * seconds. */
 	uint32_t bogus_ttl;
 
-	/** If set, the validator should clean the additional section of
-	 * secure messages.
-	 */
-	int clean_additional;
-
-	/**
-	 * If set, the validator will not make messages bogus, instead
-	 * indeterminate is issued, so that no clients receive SERVFAIL.
-	 * This allows an operator to run validation 'shadow' without
-	 * hurting responses to clients.
-	 */
-	int permissive_mode;
-
 	/**
 	 * Number of entries in the NSEC3 maximum iteration count table.
 	 * Keep this table short, and sorted by size

lib/libunbound/Makefile

@@ -14,19 +14,20 @@ PACKAGE=	unbound
 
 CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR} -I${.OBJDIR}
 
-SRCS=	alloc.c as112.c autotrust.c cachedb.c config_file.c configlexer.l \
-	configparser.y context.c dname.c dns.c dns64.c dnstree.c \
-	fptr_wlist.c infra.c iter_delegpt.c iter_donotq.c iter_fwd.c \
-	iter_hints.c iter_priv.c iter_resptype.c iter_scrub.c iter_utils.c \
-	iterator.c keyraw.c libunbound.c libworker.c listen_dnsport.c \
-	localzone.c locks.c log.c lookup3.c lruhash.c mesh.c mini_event.c \
-	modstack.c module.c msgencode.c msgparse.c msgreply.c net_help.c \
-	netevent.c outbound_list.c outside_network.c packed_rrset.c parse.c \
-	parseutil.c random.c rbtree.c regional.c respip.c rrdef.c rrset.c \
-	rtt.c sbuffer.c slabhash.c str2wire.c timehist.c tube.c \
-	ub_event_pluggable.c val_anchor.c val_kcache.c val_kentry.c \
-	val_neg.c val_nsec.c val_nsec3.c val_secalgo.c val_sigcrypt.c \
-	val_utils.c validator.c view.c winsock_event.c wire2str.c
+SRCS=	alloc.c as112.c authzone.c autotrust.c cachedb.c config_file.c \
+	configlexer.l configparser.y context.c dname.c dns.c dns64.c \
+	dnstree.c fptr_wlist.c infra.c iter_delegpt.c iter_donotq.c \
+	iter_fwd.c iter_hints.c iter_priv.c iter_resptype.c iter_scrub.c \
+	iter_utils.c iterator.c keyraw.c libunbound.c libworker.c \
+	listen_dnsport.c localzone.c locks.c log.c lookup3.c lruhash.c \
+	mesh.c mini_event.c modstack.c module.c msgencode.c msgparse.c \
+	msgreply.c net_help.c netevent.c outbound_list.c outside_network.c \
+	packed_rrset.c parse.c parseutil.c random.c rbtree.c regional.c \
+	respip.c rrdef.c rrset.c rtt.c sbuffer.c slabhash.c str2wire.c \
+	timehist.c tube.c ub_event_pluggable.c val_anchor.c val_kcache.c \
+	val_kentry.c val_neg.c val_nsec.c val_nsec3.c val_secalgo.c \
+	val_sigcrypt.c val_utils.c validator.c view.c winsock_event.c \
+	wire2str.c
 
 WARNS?=	3
 NO_WTHREAD_SAFETY= true