unbound: Vendor import 1.19.3

Release notes at
	https://www.nlnetlabs.nl/news/2024/Mar/14/unbound-1.19.3-released/

Merge commit '5a33598e88ad8fbc0affa74dee0a2d8cc4010fbc' into main

(cherry picked from commit b7c0c8c18e)

contrib/unbound/acx_nlnetlabs.m4

@@ -2,7 +2,10 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 46
+# Version 48
+# 2024-01-16 fix to add -l:libssp.a to -lcrypto link check.
+#	     and check for getaddrinfo with only header.
+# 2024-01-15 fix to add crypt32 to -lcrypto link check when checking for gdi32.
 # 2023-05-04 fix to remove unused whitespace.
 # 2023-01-26 fix -Wstrict-prototypes.
 # 2022-09-01 fix checking if nonblocking sockets work on OpenBSD.
@@ -707,7 +710,7 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 		    LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib"
 	    	    ACX_RUNTIME_PATH_ADD([$ssldir_lib])
 	    fi
-        
+
             AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
             LIBS="$LIBS -lcrypto"
             LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
@@ -732,40 +735,73 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                   ]])],[
                     AC_DEFINE([HAVE_EVP_SHA256], 1,
                         [If you have EVP_sha256])
-                    AC_MSG_RESULT(yes) 
+                    AC_MSG_RESULT(yes)
                   ],[
                     AC_MSG_RESULT(no)
                     LIBS="$BAKLIBS"
                     LIBSSL_LIBS="$BAKSSLLIBS"
-                    LIBS="$LIBS -ldl"
-                    LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
-                    AC_MSG_CHECKING([if -lcrypto needs -ldl])
-                    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
-                        int EVP_sha256(void);
-                        (void)EVP_sha256();
-                      ]])],[
-                        AC_DEFINE([HAVE_EVP_SHA256], 1,
-                            [If you have EVP_sha256])
-                        AC_MSG_RESULT(yes) 
-                      ],[
-                        AC_MSG_RESULT(no)
-                        LIBS="$BAKLIBS"
-                        LIBSSL_LIBS="$BAKSSLLIBS"
-                        LIBS="$LIBS -ldl -pthread"
-                        LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
-                        AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
-                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
-                            int EVP_sha256(void);
-                            (void)EVP_sha256();
-                          ]])],[
-                            AC_DEFINE([HAVE_EVP_SHA256], 1,
-                                [If you have EVP_sha256])
-                            AC_MSG_RESULT(yes) 
-                          ],[
-                            AC_MSG_RESULT(no)
-                            AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+
+		    LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32"
+		    LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32"
+                    AC_MSG_CHECKING([if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32])
+		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
+			int EVP_sha256(void);
+			(void)EVP_sha256();
+		      ]])],[
+			AC_DEFINE([HAVE_EVP_SHA256], 1,
+			    [If you have EVP_sha256])
+			AC_MSG_RESULT(yes)
+		      ],[
+			AC_MSG_RESULT(no)
+			LIBS="$BAKLIBS"
+			LIBSSL_LIBS="$BAKSSLLIBS"
+
+			LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a"
+			LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a"
+			AC_MSG_CHECKING([if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a])
+			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
+			    int EVP_sha256(void);
+			    (void)EVP_sha256();
+			  ]])],[
+			    AC_DEFINE([HAVE_EVP_SHA256], 1,
+				[If you have EVP_sha256])
+			    AC_MSG_RESULT(yes)
+			  ],[
+			    AC_MSG_RESULT(no)
+			    LIBS="$BAKLIBS"
+			    LIBSSL_LIBS="$BAKSSLLIBS"
+
+			    LIBS="$LIBS -ldl"
+			    LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
+			    AC_MSG_CHECKING([if -lcrypto needs -ldl])
+			    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
+				int EVP_sha256(void);
+				(void)EVP_sha256();
+			      ]])],[
+				AC_DEFINE([HAVE_EVP_SHA256], 1,
+				    [If you have EVP_sha256])
+				AC_MSG_RESULT(yes)
+			      ],[
+				AC_MSG_RESULT(no)
+				LIBS="$BAKLIBS"
+				LIBSSL_LIBS="$BAKSSLLIBS"
+				LIBS="$LIBS -ldl -pthread"
+				LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
+				AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
+				AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
+				    int EVP_sha256(void);
+				    (void)EVP_sha256();
+				  ]])],[
+				    AC_DEFINE([HAVE_EVP_SHA256], 1,
+					[If you have EVP_sha256])
+				    AC_MSG_RESULT(yes)
+				  ],[
+				    AC_MSG_RESULT(no)
+				    AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+				])
+			    ])
 			])
-                    ])
+		    ])
                 ])
             ])
         fi
@@ -779,7 +815,7 @@ AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT])
 
 dnl Check for SSL, where SSL is mandatory
 dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found
-dnl Setup of CPPFLAGS, CFLAGS.  Adds -lcrypto to LIBS. 
+dnl Setup of CPPFLAGS, CFLAGS.  Adds -lcrypto to LIBS.
 dnl Checks main header files of SSL.
 dnl
 AC_DEFUN([ACX_WITH_SSL],
@@ -872,7 +908,7 @@ dnl see if on windows
 if test "$ac_cv_header_windows_h" = "yes"; then
 	AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used])
 	USE_WINSOCK="1"
-	if echo $LIBS | grep 'lws2_32' >/dev/null; then
+	if echo "$LIBS" | grep 'lws2_32' >/dev/null; then
 		:
 	else
 		LIBS="$LIBS -lws2_32"
@@ -880,6 +916,24 @@ if test "$ac_cv_header_windows_h" = "yes"; then
 fi
 ],
 dnl no quick getaddrinfo, try mingw32 and winsock2 library.
+dnl perhaps getaddrinfo needs only the include
+AC_LINK_IFELSE(
+[AC_LANG_PROGRAM(
+[
+#ifdef HAVE_WS2TCPIP_H
+#include <ws2tcpip.h>
+#endif
+],
+[
+        (void)getaddrinfo(NULL, NULL, NULL, NULL);
+]
+)],
+[
+ac_cv_func_getaddrinfo="yes"
+AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used])
+USE_WINSOCK="1"
+],
+
 ORIGLIBS="$LIBS"
 LIBS="$LIBS -lws2_32"
 AC_LINK_IFELSE(
@@ -904,6 +958,7 @@ ac_cv_func_getaddrinfo="no"
 LIBS="$ORIGLIBS"
 ])
 )
+)
 
 AC_MSG_RESULT($ac_cv_func_getaddrinfo)
 if test $ac_cv_func_getaddrinfo = yes; then

contrib/unbound/configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.19.1.
+# Generated by GNU Autoconf 2.69 for unbound 1.19.3.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.19.1'
-PACKAGE_STRING='unbound 1.19.1'
+PACKAGE_VERSION='1.19.3'
+PACKAGE_STRING='unbound 1.19.3'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -655,6 +655,8 @@ DNSTAP_SOCKET_TESTBIN
 DNSTAP_SOCKET_PATH
 opt_dnstap_socket_path
 ENABLE_DNSTAP
+PROTOBUFC_LIBS
+PROTOBUFC_CFLAGS
 PROTOC_C
 UBSYMS
 EXTRALINK
@@ -926,7 +928,9 @@ SYSTEMD_CFLAGS
 SYSTEMD_LIBS
 SYSTEMD_DAEMON_CFLAGS
 SYSTEMD_DAEMON_LIBS
-PYTHON_VERSION'
+PYTHON_VERSION
+PROTOBUFC_CFLAGS
+PROTOBUFC_LIBS'
 
 
 # Initialize some variables set by options.
@@ -1477,7 +1481,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.19.1 to adapt to many kinds of systems.
+\`configure' configures unbound 1.19.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1543,7 +1547,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.19.1:";;
+     short | recursive ) echo "Configuration of unbound 1.19.3:";;
    esac
   cat <<\_ACEOF
 
@@ -1718,6 +1722,10 @@ Some influential environment variables:
               The installed Python version to use, for example '2.3'. This
               string will be appended to the Python interpreter canonical
               name.
+  PROTOBUFC_CFLAGS
+              C compiler flags for PROTOBUFC, overriding pkg-config
+  PROTOBUFC_LIBS
+              linker flags for PROTOBUFC, overriding pkg-config
 
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
@@ -1785,7 +1793,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.19.1
+unbound configure 1.19.3
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2494,7 +2502,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.19.1, which was
+It was created by unbound $as_me 1.19.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2846,11 +2854,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=19
 
-UNBOUND_VERSION_MICRO=1
+UNBOUND_VERSION_MICRO=3
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=24
+LIBUNBOUND_REVISION=26
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2942,6 +2950,8 @@ LIBUNBOUND_AGE=1
 # 1.18.0 had 9:22:1
 # 1.19.0 had 9:23:1
 # 1.19.1 had 9:24:1
+# 1.19.2 had 9:25:1
+# 1.19.3 had 9:26:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -14416,7 +14426,7 @@ CC=$lt_save_CC
 
 
 # pkg-config is only needed for these options, do not require it otherwise
-if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
+if test "$enable_systemd" = "yes" -o "$enable_dnstap" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
 
 
 
@@ -18104,19 +18114,86 @@ else
 $as_echo "no" >&6; }
                     LIBS="$BAKLIBS"
                     LIBSSL_LIBS="$BAKSSLLIBS"
-                    LIBS="$LIBS -ldl"
-                    LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
-                    { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl" >&5
+
+		    LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32"
+		    LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32"
+                    { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32" >&5
+$as_echo_n "checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32... " >&6; }
+		    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+			int EVP_sha256(void);
+			(void)EVP_sha256();
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
+
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+			LIBS="$BAKLIBS"
+			LIBSSL_LIBS="$BAKSSLLIBS"
+
+			LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a"
+			LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a"
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a" >&5
+$as_echo_n "checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a... " >&6; }
+			cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+			    int EVP_sha256(void);
+			    (void)EVP_sha256();
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
+
+			    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+
+			    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+			    LIBS="$BAKLIBS"
+			    LIBSSL_LIBS="$BAKSSLLIBS"
+
+			    LIBS="$LIBS -ldl"
+			    LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
+			    { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl" >&5
 $as_echo_n "checking if -lcrypto needs -ldl... " >&6; }
-                    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+			    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
 main ()
 {
 
-                        int EVP_sha256(void);
-                        (void)EVP_sha256();
+				int EVP_sha256(void);
+				(void)EVP_sha256();
 
   ;
   return 0;
@@ -18127,28 +18204,28 @@ if ac_fn_c_try_link "$LINENO"; then :
 
 $as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
 
-                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
 else
 
-                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
-                        LIBS="$BAKLIBS"
-                        LIBSSL_LIBS="$BAKSSLLIBS"
-                        LIBS="$LIBS -ldl -pthread"
-                        LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
-                        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl -pthread" >&5
+				LIBS="$BAKLIBS"
+				LIBSSL_LIBS="$BAKSSLLIBS"
+				LIBS="$LIBS -ldl -pthread"
+				LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl -pthread" >&5
 $as_echo_n "checking if -lcrypto needs -ldl -pthread... " >&6; }
-                        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+				cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
 main ()
 {
 
-                            int EVP_sha256(void);
-                            (void)EVP_sha256();
+				    int EVP_sha256(void);
+				    (void)EVP_sha256();
 
   ;
   return 0;
@@ -18159,14 +18236,22 @@ if ac_fn_c_try_link "$LINENO"; then :
 
 $as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
 
-                            { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+				    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
 else
 
-                            { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+				    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
-                            as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5
+				    as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 
 fi
 rm -f core conftest.err conftest.$ac_objext \
@@ -19847,7 +19932,7 @@ if test x_$enable_static_exe = x_yes; then
 	if test "$on_mingw" = yes; then
 		staticexe="-all-static"
 		# for static compile, include gdi32 and zlib here.
-		if echo $LIBS | grep 'lgdi32' >/dev/null; then
+		if echo "$LIBS" | grep 'lgdi32' >/dev/null; then
 			:
 		else
 			LIBS="$LIBS -lgdi32"
@@ -19892,7 +19977,11 @@ if test "x$ac_cv_lib_z_compress" = xyes; then :
    LIBS="$LIBS -lz"
 fi
 
-		LIBS="$LIBS -l:libssp.a"
+		if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
+			:
+		else
+			LIBS="$LIBS -l:libssp.a"
+		fi
 	fi
 fi
 
@@ -19951,7 +20040,11 @@ if test "x$ac_cv_lib_z_compress" = xyes; then :
    LIBS="$LIBS -lz"
 fi
 
-		LIBS="$LIBS -l:libssp.a"
+		if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
+			:
+		else
+			LIBS="$LIBS -l:libssp.a"
+		fi
 	fi
 fi
 
@@ -19998,13 +20091,40 @@ if test "$ac_cv_header_windows_h" = "yes"; then
 $as_echo "#define USE_WINSOCK 1" >>confdefs.h
 
 	USE_WINSOCK="1"
-	if echo $LIBS | grep 'lws2_32' >/dev/null; then
+	if echo "$LIBS" | grep 'lws2_32' >/dev/null; then
 		:
 	else
 		LIBS="$LIBS -lws2_32"
 	fi
 fi
 
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#ifdef HAVE_WS2TCPIP_H
+#include <ws2tcpip.h>
+#endif
+
+int
+main ()
+{
+
+        (void)getaddrinfo(NULL, NULL, NULL, NULL);
+
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+ac_cv_func_getaddrinfo="yes"
+
+$as_echo "#define USE_WINSOCK 1" >>confdefs.h
+
+USE_WINSOCK="1"
+
 else
   ORIGLIBS="$LIBS"
 LIBS="$LIBS -lws2_32"
@@ -20047,6 +20167,10 @@ fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_getaddrinfo" >&5
 $as_echo "$ac_cv_func_getaddrinfo" >&6; }
 if test $ac_cv_func_getaddrinfo = yes; then
@@ -20166,7 +20290,11 @@ else
   WINDRES="$ac_cv_prog_WINDRES"
 fi
 
-	LIBS="$LIBS -liphlpapi -lcrypt32"
+	if echo "$LIBS" | grep crypt32 >/dev/null; then
+		LIBS="$LIBS -liphlpapi"
+	else
+		LIBS="$LIBS -liphlpapi -lcrypt32"
+	fi
 	WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
 
 	WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
@@ -21199,7 +21327,7 @@ fi
 
 # check for dnstap if requested
 
-  # Check whether --enable-dnstap was given.
+    # Check whether --enable-dnstap was given.
 if test "${enable_dnstap+set}" = set; then :
   enableval=$enable_dnstap; opt_dnstap=$enableval
 else
@@ -21216,8 +21344,8 @@ else
 fi
 
 
-  if test "x$opt_dnstap" != "xno"; then
-    # Extract the first word of "protoc-c", so it can be a program name with args.
+    if test "x$opt_dnstap" != "xno"; then
+        # Extract the first word of "protoc-c", so it can be a program name with args.
 set dummy protoc-c; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
@@ -21257,36 +21385,132 @@ $as_echo "no" >&6; }
 fi
 
 
-    if test -z "$PROTOC_C"; then
-      as_fn_error $? "The protoc-c program was not found. Please install protobuf-c!" "$LINENO" 5
-    fi
+        if test -z "$PROTOC_C"; then
+          as_fn_error $? "The protoc-c program was not found. Please install protobuf-c!" "$LINENO" 5
+        fi
 
 # Check whether --with-protobuf-c was given.
 if test "${with_protobuf_c+set}" = set; then :
   withval=$with_protobuf_c;
-	  # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
-	  if test -f $withval/include/google/protobuf-c/protobuf-c.h; then
-	    CFLAGS="$CFLAGS -I$withval/include/google"
-	  else
-	    CFLAGS="$CFLAGS -I$withval/include"
-	  fi
-	  LDFLAGS="$LDFLAGS -L$withval/lib"
+                # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
+                if test -f $withval/include/google/protobuf-c/protobuf-c.h; then
+                    CFLAGS="$CFLAGS -I$withval/include/google"
+                else
+                    CFLAGS="$CFLAGS -I$withval/include"
+                fi
+                LDFLAGS="$LDFLAGS -L$withval/lib"
 
 else
 
-	  # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
-	  if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
-	    CFLAGS="$CFLAGS -I/usr/include/google"
-	  else
-	    if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
-	      CFLAGS="$CFLAGS -I/usr/local/include/google"
-	      LDFLAGS="$LDFLAGS -L/usr/local/lib"
-	    fi
-	  fi
+
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PROTOBUFC" >&5
+$as_echo_n "checking for PROTOBUFC... " >&6; }
+
+if test -n "$PROTOBUFC_CFLAGS"; then
+    pkg_cv_PROTOBUFC_CFLAGS="$PROTOBUFC_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libprotobuf-c\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libprotobuf-c") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_PROTOBUFC_CFLAGS=`$PKG_CONFIG --cflags "libprotobuf-c" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$PROTOBUFC_LIBS"; then
+    pkg_cv_PROTOBUFC_LIBS="$PROTOBUFC_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libprotobuf-c\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libprotobuf-c") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_PROTOBUFC_LIBS=`$PKG_CONFIG --libs "libprotobuf-c" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        PROTOBUFC_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libprotobuf-c" 2>&1`
+        else
+	        PROTOBUFC_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libprotobuf-c" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$PROTOBUFC_PKG_ERRORS" >&5
+
+
+                                # pkg-config failed; try falling back to known values
+                                # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
+                                if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
+                                    CFLAGS="$CFLAGS -I/usr/include/google"
+                                else
+                                    if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
+                                        CFLAGS="$CFLAGS -I/usr/local/include/google"
+                                        LDFLAGS="$LDFLAGS -L/usr/local/lib"
+                                    else
+                                        as_fn_error $? "The protobuf-c package was not found with pkg-config. Please install protobuf-c!" "$LINENO" 5
+                                    fi
+                                fi
+
+
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+                                # pkg-config failed; try falling back to known values
+                                # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
+                                if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
+                                    CFLAGS="$CFLAGS -I/usr/include/google"
+                                else
+                                    if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
+                                        CFLAGS="$CFLAGS -I/usr/local/include/google"
+                                        LDFLAGS="$LDFLAGS -L/usr/local/lib"
+                                    else
+                                        as_fn_error $? "The protobuf-c package was not found with pkg-config. Please install protobuf-c!" "$LINENO" 5
+                                    fi
+                                fi
+
+
+else
+	PROTOBUFC_CFLAGS=$pkg_cv_PROTOBUFC_CFLAGS
+	PROTOBUFC_LIBS=$pkg_cv_PROTOBUFC_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+                                CFLAGS="$CFLAGS $PROTOBUFC_CFLAGS"
+                                LIBS="$LIBS $PROTOBUFC_LIBS"
 
 fi
 
-    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing protobuf_c_message_pack" >&5
+
+
+fi
+
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing protobuf_c_message_pack" >&5
 $as_echo_n "checking for library containing protobuf_c_message_pack... " >&6; }
 if ${ac_cv_search_protobuf_c_message_pack+:} false; then :
   $as_echo_n "(cached) " >&6
@@ -21368,13 +21592,13 @@ _ACEOF
         DNSTAP_OBJ="dnstap.lo dnstap.pb-c.lo dnstap_fstrm.lo dtstream.lo"
 
 
-  else
+    else
 
         ENABLE_DNSTAP=0
 
 
 
-  fi
+    fi
 
 
 # check for dnscrypt if requested
@@ -21895,7 +22119,7 @@ _ACEOF
 
 
 
-version=1.19.1
+version=1.19.3
 
 date=`date +'%b %e, %Y'`
 
@@ -22414,7 +22638,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.19.1, which was
+This file was extended by unbound $as_me 1.19.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22480,7 +22704,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.19.1
+unbound config.status 1.19.3
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

contrib/unbound/configure.ac

@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[19])
-m4_define([VERSION_MICRO],[1])
+m4_define([VERSION_MICRO],[3])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=24
+LIBUNBOUND_REVISION=26
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -110,6 +110,8 @@ LIBUNBOUND_AGE=1
 # 1.18.0 had 9:22:1
 # 1.19.0 had 9:23:1
 # 1.19.1 had 9:24:1
+# 1.19.2 had 9:25:1
+# 1.19.3 had 9:26:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -407,7 +409,7 @@ AC_CHECK_TOOL(STRIP, strip)
 ACX_LIBTOOL_C_ONLY
 
 # pkg-config is only needed for these options, do not require it otherwise
-if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
+if test "$enable_systemd" = "yes" -o "$enable_dnstap" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
 PKG_PROG_PKG_CONFIG
 fi
 
@@ -1526,13 +1528,17 @@ if test x_$enable_static_exe = x_yes; then
 	if test "$on_mingw" = yes; then
 		staticexe="-all-static"
 		# for static compile, include gdi32 and zlib here.
-		if echo $LIBS | grep 'lgdi32' >/dev/null; then
+		if echo "$LIBS" | grep 'lgdi32' >/dev/null; then
 			:
 		else
 			LIBS="$LIBS -lgdi32"
 		fi
 		AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ])
-		LIBS="$LIBS -l:libssp.a"
+		if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
+			:
+		else
+			LIBS="$LIBS -l:libssp.a"
+		fi
 	fi
 fi
 
@@ -1549,7 +1555,11 @@ if test x_$enable_fully_static = x_yes; then
 			LIBS="$LIBS -lgdi32"
 		fi
 		AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ])
-		LIBS="$LIBS -l:libssp.a"
+		if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
+			:
+		else
+			LIBS="$LIBS -l:libssp.a"
+		fi
 	fi
 fi
 
@@ -1569,7 +1579,11 @@ if test "$USE_WINSOCK" = 1; then
 #include <windows.h>
 	])
 	AC_CHECK_TOOL(WINDRES, windres)
-	LIBS="$LIBS -liphlpapi -lcrypt32"
+	if echo "$LIBS" | grep crypt32 >/dev/null; then
+		LIBS="$LIBS -liphlpapi"
+	else
+		LIBS="$LIBS -liphlpapi -lcrypt32"
+	fi
 	WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
 	AC_SUBST(WINAPPS)
 	WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"

contrib/unbound/daemon/remote.c

@@ -553,7 +553,7 @@ ssl_print_text(RES* res, const char* text)
 static int
 ssl_print_vmsg(RES* ssl, const char* format, va_list args)
 {
-	char msg[1024];
+	char msg[65535];
 	vsnprintf(msg, sizeof(msg), format, args);
 	return ssl_print_text(ssl, msg);
 }
@@ -3181,10 +3181,10 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd,
 		do_flush_bogus(ssl, worker);
 	} else if(cmdcmp(p, "flush_negative", 14)) {
 		do_flush_negative(ssl, worker);
-    } else if(cmdcmp(p, "rpz_enable", 10)) {
-        do_rpz_enable(ssl, worker, skipwhite(p+10));
-    } else if(cmdcmp(p, "rpz_disable", 11)) {
-        do_rpz_disable(ssl, worker, skipwhite(p+11));
+	} else if(cmdcmp(p, "rpz_enable", 10)) {
+		do_rpz_enable(ssl, worker, skipwhite(p+10));
+	} else if(cmdcmp(p, "rpz_disable", 11)) {
+		do_rpz_disable(ssl, worker, skipwhite(p+11));
 	} else {
 		(void)ssl_printf(ssl, "error unknown command '%s'\n", p);
 	}

contrib/unbound/daemon/worker.c

@@ -1151,7 +1151,7 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
 		log_assert(sldns_buffer_limit(c->buffer) >= LDNS_HEADER_SIZE
 			&& LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) == 1);
 
-		sldns_buffer_skip(c->buffer, LDNS_HEADER_SIZE); /* skip header */
+		sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE); /* skip header */
 
 		/* check additional section is present and that we respond with EDEs */
 		if(LDNS_ARCOUNT(sldns_buffer_begin(c->buffer)) != 1
@@ -1163,6 +1163,7 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
 			LDNS_QR_SET(sldns_buffer_begin(c->buffer));
 			LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
 				LDNS_RCODE_REFUSED);
+			sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE);
 			sldns_buffer_flip(c->buffer);
 			return 1;
 		}
@@ -1326,15 +1327,6 @@ deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
 		worker, repinfo, acladdr, ede, check_result);
 }
 
-/* Returns 1 if the ip rate limit check can happen before EDNS parsing,
- * else 0 */
-static int
-pre_edns_ip_ratelimit_check(enum acl_access acl)
-{
-	if(acl == acl_allow_cookie) return 0;
-	return 1;
-}
-
 /* Check if the query is blocked by source IP rate limiting.
  * Returns 1 if it passes the check, 0 otherwise. */
 static int
@@ -1463,7 +1455,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	if(worker->dtenv.log_client_query_messages) {
 		log_addr(VERB_ALGO, "request from client", &repinfo->client_addr, repinfo->client_addrlen);
 		log_addr(VERB_ALGO, "to local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
-		dt_msg_send_client_query(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer,
+		dt_msg_send_client_query(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->ssl, c->buffer,
 		((worker->env.cfg->sock_queue_timeout && timeval_isset(&c->recv_tv))?&c->recv_tv:NULL));
 	}
 #endif
@@ -1498,7 +1490,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	}
 
 	worker->stats.num_queries++;
-	pre_edns_ip_ratelimit = pre_edns_ip_ratelimit_check(acl);
+	pre_edns_ip_ratelimit = !worker->env.cfg->do_answer_cookie
+		|| sldns_buffer_limit(c->buffer) < LDNS_HEADER_SIZE
+		|| LDNS_ARCOUNT(sldns_buffer_begin(c->buffer)) == 0;
 
 	/* If the IP rate limiting check needs extra EDNS information (e.g.,
 	 * DNS Cookies) postpone the check until after EDNS is parsed. */
@@ -1952,7 +1946,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	if(worker->dtenv.log_client_response_messages) {
 		log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
 		log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
-		dt_msg_send_client_response(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer);
+		dt_msg_send_client_response(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->ssl, c->buffer);
 	}
 #endif
 	if(worker->env.cfg->log_replies)
@@ -1966,11 +1960,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			qinfo.qname = qinfo.local_alias->rrset->rk.dname;
 			log_reply_info(NO_VERBOSE, &qinfo,
 				&repinfo->client_addr, repinfo->client_addrlen,
-				tv, 1, c->buffer);
+				tv, 1, c->buffer,
+				(worker->env.cfg->log_destaddr?(void*)repinfo->c->socket->addr->ai_addr:NULL),
+				c->type);
 		} else {
 			log_reply_info(NO_VERBOSE, &qinfo,
 				&repinfo->client_addr, repinfo->client_addrlen,
-				tv, 1, c->buffer);
+				tv, 1, c->buffer,
+				(worker->env.cfg->log_destaddr?(void*)repinfo->c->socket->addr->ai_addr:NULL),
+				c->type);
 		}
 	}
 #ifdef USE_DNSCRYPT

contrib/unbound/dnstap/dnstap.c

@@ -305,6 +305,7 @@ dt_msg_fill_net(struct dt_msg *dm,
 		struct sockaddr_storage *qs,
 		struct sockaddr_storage *rs,
 		enum comm_point_type cptype,
+		void *cpssl,
 		ProtobufCBinaryData *qaddr, protobuf_c_boolean *has_qaddr,
 		uint32_t *qport, protobuf_c_boolean *has_qport,
 		ProtobufCBinaryData *raddr, protobuf_c_boolean *has_raddr,
@@ -371,13 +372,26 @@ dt_msg_fill_net(struct dt_msg *dm,
                 *has_rport = 1;
         }
 
-	log_assert(cptype == comm_udp || cptype == comm_tcp);
 	if (cptype == comm_udp) {
 		/* socket_protocol */
 		dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__UDP;
 		dm->m.has_socket_protocol = 1;
 	} else if (cptype == comm_tcp) {
+		if (cpssl == NULL) {
+			/* socket_protocol */
+			dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__TCP;
+			dm->m.has_socket_protocol = 1;
+		} else {
+			/* socket_protocol */
+			dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__DOT;
+			dm->m.has_socket_protocol = 1;
+		}
+	} else if (cptype == comm_http) {
 		/* socket_protocol */
+		dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__DOH;
+		dm->m.has_socket_protocol = 1;
+	} else {
+		/* other socket protocol */
 		dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__TCP;
 		dm->m.has_socket_protocol = 1;
 	}
@@ -388,6 +402,7 @@ dt_msg_send_client_query(struct dt_env *env,
 			 struct sockaddr_storage *qsock,
 			 struct sockaddr_storage *rsock,
 			 enum comm_point_type cptype,
+			 void *cpssl,
 			 sldns_buffer *qmsg,
 			 struct timeval* tstamp)
 {
@@ -410,8 +425,7 @@ dt_msg_send_client_query(struct dt_env *env,
 	dt_fill_buffer(qmsg, &dm.m.query_message, &dm.m.has_query_message);
 
 	/* socket_family, socket_protocol, query_address, query_port, response_address, response_port */
-	log_assert(cptype == comm_udp || cptype == comm_tcp);
-	dt_msg_fill_net(&dm, qsock, rsock, cptype,
+	dt_msg_fill_net(&dm, qsock, rsock, cptype, cpssl,
 			&dm.m.query_address, &dm.m.has_query_address,
 			&dm.m.query_port, &dm.m.has_query_port,
 			&dm.m.response_address, &dm.m.has_response_address,
@@ -427,6 +441,7 @@ dt_msg_send_client_response(struct dt_env *env,
 			    struct sockaddr_storage *qsock,
 			    struct sockaddr_storage *rsock,
 			    enum comm_point_type cptype,
+			    void *cpssl,
 			    sldns_buffer *rmsg)
 {
 	struct dt_msg dm;
@@ -446,8 +461,7 @@ dt_msg_send_client_response(struct dt_env *env,
 	dt_fill_buffer(rmsg, &dm.m.response_message, &dm.m.has_response_message);
 
 	/* socket_family, socket_protocol, query_address, query_port, response_address, response_port */
-	log_assert(cptype == comm_udp || cptype == comm_tcp);
-	dt_msg_fill_net(&dm, qsock, rsock, cptype,
+	dt_msg_fill_net(&dm, qsock, rsock, cptype, cpssl,
 			&dm.m.query_address, &dm.m.has_query_address,
 			&dm.m.query_port, &dm.m.has_query_port,
                         &dm.m.response_address, &dm.m.has_response_address,
@@ -462,6 +476,7 @@ dt_msg_send_outside_query(struct dt_env *env,
 			  struct sockaddr_storage *rsock,
 			  struct sockaddr_storage *qsock,
 			  enum comm_point_type cptype,
+			  void *cpssl,
 			  uint8_t *zone, size_t zone_len,
 			  sldns_buffer *qmsg)
 {
@@ -497,8 +512,7 @@ dt_msg_send_outside_query(struct dt_env *env,
 	dt_fill_buffer(qmsg, &dm.m.query_message, &dm.m.has_query_message);
 
 	/* socket_family, socket_protocol, response_address, response_port, query_address, query_port */
-	log_assert(cptype == comm_udp || cptype == comm_tcp);
-	dt_msg_fill_net(&dm, rsock, qsock, cptype,
+	dt_msg_fill_net(&dm, rsock, qsock, cptype, cpssl,
 			&dm.m.response_address, &dm.m.has_response_address,
 			&dm.m.response_port, &dm.m.has_response_port,
 			&dm.m.query_address, &dm.m.has_query_address,
@@ -513,6 +527,7 @@ dt_msg_send_outside_response(struct dt_env *env,
 	struct sockaddr_storage *rsock,
 	struct sockaddr_storage *qsock,
 	enum comm_point_type cptype,
+	void *cpssl,
 	uint8_t *zone, size_t zone_len,
 	uint8_t *qbuf, size_t qbuf_len,
 	const struct timeval *qtime,
@@ -556,8 +571,7 @@ dt_msg_send_outside_response(struct dt_env *env,
 	dt_fill_buffer(rmsg, &dm.m.response_message, &dm.m.has_response_message);
 
 	/* socket_family, socket_protocol, response_address, response_port, query_address, query_port */
-	log_assert(cptype == comm_udp || cptype == comm_tcp);
-	dt_msg_fill_net(&dm, rsock, qsock, cptype,
+	dt_msg_fill_net(&dm, rsock, qsock, cptype, cpssl,
 			&dm.m.response_address, &dm.m.has_response_address,
 			&dm.m.response_port, &dm.m.has_response_port,
 			&dm.m.query_address, &dm.m.has_query_address,

contrib/unbound/dnstap/dnstap.h

@@ -133,6 +133,7 @@ dt_msg_send_client_query(struct dt_env *env,
 			 struct sockaddr_storage *qsock,
 			 struct sockaddr_storage *rsock,
 			 enum comm_point_type cptype,
+			 void *cpssl,
 			 struct sldns_buffer *qmsg,
 			 struct timeval* tstamp);
 
@@ -149,6 +150,7 @@ dt_msg_send_client_response(struct dt_env *env,
 			    struct sockaddr_storage *qsock,
 			    struct sockaddr_storage *rsock,
 			    enum comm_point_type cptype,
+			    void *cpssl,
 			    struct sldns_buffer *rmsg);
 
 /**
@@ -168,6 +170,7 @@ dt_msg_send_outside_query(struct dt_env *env,
 			  struct sockaddr_storage *rsock,
 			  struct sockaddr_storage *qsock,
 			  enum comm_point_type cptype,
+			  void *cpssl,
 			  uint8_t *zone, size_t zone_len,
 			  struct sldns_buffer *qmsg);
 
@@ -192,6 +195,7 @@ dt_msg_send_outside_response(struct dt_env *env,
 			     struct sockaddr_storage *rsock,
 			     struct sockaddr_storage *qsock,
 			     enum comm_point_type cptype,
+			     void *cpssl,
 			     uint8_t *zone, size_t zone_len,
 			     uint8_t *qbuf, size_t qbuf_len,
 			     const struct timeval *qtime,

contrib/unbound/dnstap/dnstap.m4

@@ -5,45 +5,76 @@
 # Check for required dnstap libraries and add dnstap configure args.
 AC_DEFUN([dt_DNSTAP],
 [
-  AC_ARG_ENABLE([dnstap],
-    AS_HELP_STRING([--enable-dnstap],
-                   [Enable dnstap support (requires protobuf-c)]),
-    [opt_dnstap=$enableval], [opt_dnstap=no])
+    AC_ARG_ENABLE([dnstap],
+        AS_HELP_STRING([--enable-dnstap],
+            [Enable dnstap support (requires protobuf-c)]),
+        [opt_dnstap=$enableval],
+        [opt_dnstap=no])
 
-  AC_ARG_WITH([dnstap-socket-path],
-    AS_HELP_STRING([--with-dnstap-socket-path=pathname],
-                   [set default dnstap socket path]),
-    [opt_dnstap_socket_path=$withval], [opt_dnstap_socket_path="$1"])
+    AC_ARG_WITH([dnstap-socket-path],
+        AS_HELP_STRING([--with-dnstap-socket-path=pathname],
+            [set default dnstap socket path]),
+        [opt_dnstap_socket_path=$withval],
+        [opt_dnstap_socket_path="$1"])
 
-  if test "x$opt_dnstap" != "xno"; then
-    AC_PATH_PROG([PROTOC_C], [protoc-c])
-    if test -z "$PROTOC_C"; then
-      AC_MSG_ERROR([The protoc-c program was not found. Please install protobuf-c!])
+    if test "x$opt_dnstap" != "xno"; then
+        AC_PATH_PROG([PROTOC_C], [protoc-c])
+        if test -z "$PROTOC_C"; then
+          AC_MSG_ERROR([The protoc-c program was not found. Please install protobuf-c!])
+        fi
+        AC_ARG_WITH([protobuf-c],
+            AS_HELP_STRING([--with-protobuf-c=path], [Path where protobuf-c is installed, for dnstap]),
+            [
+                # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
+                if test -f $withval/include/google/protobuf-c/protobuf-c.h; then
+                    CFLAGS="$CFLAGS -I$withval/include/google"
+                else
+                    CFLAGS="$CFLAGS -I$withval/include"
+                fi
+                LDFLAGS="$LDFLAGS -L$withval/lib"
+            ],
+            [
+                ifdef([PKG_CHECK_MODULES],
+                    [
+                        PKG_CHECK_MODULES([PROTOBUFC], [libprotobuf-c],
+                            [
+                                CFLAGS="$CFLAGS $PROTOBUFC_CFLAGS"
+                                LIBS="$LIBS $PROTOBUFC_LIBS"
+                            ],
+                            [
+                                # pkg-config failed; try falling back to known values
+                                # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
+                                if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
+                                    CFLAGS="$CFLAGS -I/usr/include/google"
+                                else
+                                    if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
+                                        CFLAGS="$CFLAGS -I/usr/local/include/google"
+                                        LDFLAGS="$LDFLAGS -L/usr/local/lib"
+                                    else
+                                        AC_MSG_ERROR([The protobuf-c package was not found with pkg-config. Please install protobuf-c!])
+                                    fi
+                                fi
+                            ]
+                        )
+                    ],
+                    [
+                        # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
+                        if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
+                            CFLAGS="$CFLAGS -I/usr/include/google"
+                        else
+                            if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
+                                CFLAGS="$CFLAGS -I/usr/local/include/google"
+                                LDFLAGS="$LDFLAGS -L/usr/local/lib"
+                            fi
+                        fi
+                    ]
+                )
+            ]
+        )
+        AC_SEARCH_LIBS([protobuf_c_message_pack], [protobuf-c], [],
+            AC_MSG_ERROR([The protobuf-c library was not found. Please install the development libraries for protobuf-c!]))
+        $2
+    else
+        $3
     fi
-    AC_ARG_WITH([protobuf-c], AS_HELP_STRING([--with-protobuf-c=path],
-    	[Path where protobuf-c is installed, for dnstap]), [
-	  # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
-	  if test -f $withval/include/google/protobuf-c/protobuf-c.h; then
-	    CFLAGS="$CFLAGS -I$withval/include/google"
-	  else
-	    CFLAGS="$CFLAGS -I$withval/include"
-	  fi
-	  LDFLAGS="$LDFLAGS -L$withval/lib"
-	], [
-	  # workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
-	  if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
-	    CFLAGS="$CFLAGS -I/usr/include/google"
-	  else
-	    if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
-	      CFLAGS="$CFLAGS -I/usr/local/include/google"
-	      LDFLAGS="$LDFLAGS -L/usr/local/lib"
-	    fi
-	  fi
-    ])
-    AC_SEARCH_LIBS([protobuf_c_message_pack], [protobuf-c], [],
-      AC_MSG_ERROR([The protobuf-c library was not found. Please install the development libraries for protobuf-c!]))
-    $2
-  else
-    $3
-  fi
 ])

contrib/unbound/dnstap/dnstap.proto

@@ -13,8 +13,8 @@
 // with this file. If not, see:
 //
 // <http://creativecommons.org/publicdomain/zero/1.0/>.
-syntax = "proto2";
 
+syntax = "proto2";
 package dnstap;
 
 // "Dnstap": this is the top-level dnstap type, which is a "union" type that
@@ -56,11 +56,60 @@ enum SocketFamily {
     INET6 = 2;  // IPv6 (RFC 2460)
 }
 
-// SocketProtocol: the transport protocol of a socket. This specifies how to
-// interpret "transport port" fields.
+// SocketProtocol: the protocol used to transport a DNS message.
 enum SocketProtocol {
-    UDP = 1;    // User Datagram Protocol (RFC 768)
-    TCP = 2;    // Transmission Control Protocol (RFC 793)
+    UDP = 1;         // DNS over UDP transport (RFC 1035 section 4.2.1)
+    TCP = 2;         // DNS over TCP transport (RFC 1035 section 4.2.2)
+    DOT = 3;         // DNS over TLS (RFC 7858)
+    DOH = 4;         // DNS over HTTPS (RFC 8484)
+    DNSCryptUDP = 5; // DNSCrypt over UDP (https://dnscrypt.info/protocol)
+    DNSCryptTCP = 6; // DNSCrypt over TCP (https://dnscrypt.info/protocol)
+    DOQ = 7;         // DNS over QUIC (RFC 9250)
+}
+
+// Policy: information about any name server operator policy
+// applied to the processing of a DNS message.
+message Policy {
+
+    // Match: what aspect of the message or message exchange
+    // triggered the application of the Policy.
+    enum Match {
+        QNAME = 1;       // Name in question section of query
+        CLIENT_IP = 2;   // Client IP address
+        RESPONSE_IP = 3; // Address in A/AAAA RRSet
+        NS_NAME = 4;     // Authoritative name server, by name
+        NS_IP = 5;       // Authoritative name server, by IP address
+    }
+
+    // The Action taken to implement the Policy.
+    enum Action {
+        NXDOMAIN = 1;   // Respond with NXDOMAIN
+        NODATA = 2;     // Respond with empty answer section
+        PASS = 3;       // Do not alter the response (passthrough)
+        DROP = 4;       // Do not respond.
+        TRUNCATE = 5;   // Truncate UDP response, forcing TCP retry
+        LOCAL_DATA = 6; // Respond with local data from policy
+    }
+
+    // type: the type of policy applied, e.g. "RPZ" for a
+    // policy from a Response Policy Zone.
+    optional string type = 1;
+
+    // rule: the rule matched by the message.
+    //
+    // In a RPZ context, this is the owner name of the rule in
+    // the Reponse Policy Zone in wire format.
+    optional bytes rule = 2;
+
+    // action: the policy action taken in response to the
+    // rule match.
+    optional Action action = 3;
+
+    // match: the feature of the message exchange which matched the rule.
+    optional Match match = 4;
+
+    // The matched value. Format depends on the matched feature .
+    optional bytes value = 5;
 }
 
 // Message: a wire-format (RFC 1035 section 4) DNS message and associated
@@ -158,6 +207,24 @@ message Message {
         // STUB_RESPONSE is a DNS response message sent from a DNS server to a
         // stub resolver, from the perspective of the stub resolver.
         STUB_RESPONSE = 10;
+
+        // TOOL_QUERY is a DNS query message sent from a DNS software tool to a
+        // DNS server, from the perspective of the tool.
+        TOOL_QUERY = 11;
+
+        // TOOL_RESPONSE is a DNS response message received by a DNS software
+        // tool from a DNS server, from the perspective of the tool.
+        TOOL_RESPONSE = 12;
+
+        // UPDATE_QUERY is a Dynamic DNS Update request (RFC 2136) received
+        // by an authoritative name server, from the perspective of the
+        // authoritative name server.
+        UPDATE_QUERY = 13;
+
+        // UPDATE_RESPONSE is a Dynamic DNS Update response (RFC 2136) sent
+        // from an authoritative name server, from the perspective of the
+        // authoritative name server.
+        UPDATE_RESPONSE = 14;
     }
 
     // One of the Type values described above.
@@ -215,6 +282,9 @@ message Message {
 
     // The responder's original wire-format DNS response message, verbatim.
     optional bytes              response_message = 14;
+
+    // Operator policy applied to the processing of this message, if any.
+    optional Policy             policy = 15;
 }
 
 // All fields except for 'type' in the Message schema are optional.
@@ -236,7 +306,6 @@ message Message {
 
 // RESOLVER_QUERY:
 //      socket_family, socket_protocol
-//      query_name, query_type, query_class
 //      query_message
 //      query_time_sec, query_time_nsec
 //      query_zone
@@ -244,7 +313,6 @@ message Message {
 
 // RESOLVER_RESPONSE:
 //      socket_family, socket_protocol
-//      query_name, query_type, query_class
 //      query_time_sec, query_time_nsec
 //      query_zone
 //      response_address, response_port

contrib/unbound/doc/Changelog

@@ -1,6 +1,144 @@
+8 March 2024: Wouter
+	- Fix unbound-control-setup.cmd to use 3072 bits so that certificates
+	  are long enough for newer OpenSSL versions.
+	- Fix TTL of synthesized CNAME when a DNAME is used from cache.
+	- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
+	  like unbound-control-setup.sh has.
+
+7 March 2024: Wouter
+	- Version set to 1.19.3 for release. After 1.19.2 point release with
+	  security fix for CVE-2024-1931, Denial of service when trimming
+	  EDE text on positive replies. The code repo includes the fix and
+	  is for version 1.19.3.
+
+5 March 2024: Wouter
+	- Fix for #1022: Fix ede prohibited in access control refused answers.
+
+4 March 2024: Wouter
+	- Fix edns subnet replies for scope zero answers to not get stored
+	  in the global cache, and in cachedb, when the upstream replies
+	  without an EDNS record.
+
+28 February 2024: Wouter
+	- Move github workflows to use checkoutv4.
+
+23 February 2024: Yorgos
+	- Document the suspend argument for process_ds_response().
+
+22 February 2024: Wouter
+	- Fix trim of EDE text from large udp responses from spinning cpu.
+
+20 February 2024: Yorgos
+	- Merge #1010: Mention REFUSED has the TC bit set with unmatched
+	  allow_cookie acl in the manpage. It also fixes the code to match the
+	  documentation about clients with a valid cookie that bypass the
+	  ratelimit regardless of the allow_cookie acl.
+
+13 February 2024: Wouter
+	- Fix CVE-2023-50387, DNSSEC verification complexity can be exploited
+	  to exhaust CPU resources and stall DNS resolvers.
+	- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
+	- These fixes are part of the 1.19.1 release, that is a security
+	  point release on 1.19.0, the code repository continues with these
+	  fixes, with version number 1.19.2.
+
+8 February 2024: Wouter
+	- Fix documentation for access-control in the unbound.conf man page.
+
+7 February 2024: Yorgos
+	- Fix #1006: Can't find protobuf-c package since #999.
+
+30 January 2024: Wouter
+	- Merge #999: Search for protobuf-c with pkg-config.
+
+23 January 2024: Yorgos
+	- Update message TTL when using cached RRSETs. It could result in
+	  non-expired messages with expired RRSETs (non-usable messages by
+	  Unbound).
+
+22 January 2024: Yorgos
+	- Update error printout for duplicate trust anchors to include the
+	  trust anchor name (relates to #920).
+
+22 January 2024: Wouter
+	- Fix for #997: Print details for SSL certificate failure.
+
+17 January 2024: Wouter
+	- Update workflow for ports to use newer openssl on windows compile.
+	- Fix warning for windres on resource files due to redefinition.
+
+16 January 2024: Wouter
+	- Fix to link with libssp for libcrypto and getaddrinfo check for
+	  only header. Also update crosscompile to remove ssp for 32bit.
+	- Merge #993: Update b.root-servers.net also in example config file.
+
+15 January 2024: Wouter
+	- Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
+
+9 January 2024: Wouter
+	- Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
+
+5 January 2024: Wouter
+	- Merge #987: skip edns frag retry if advertised udp payload size is
+	  not smaller.
+	- Fix unit test for #987 change in udp1xxx retry packet send.
+
+4 January 2024: Wouter
+	- Remove unneeded newlines and improve indentation in remote control
+	  code.
+
+3 January 2024: Wouter
+	- Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
+	  for non-HTTP/2 DoH clients.
+	- Merge #985: Add DoH and DoT to dnstap message.
+	- Fix #983: Sha1 runtime insecure change was incomplete.
+
+22 December 2023: Yorgos
+	- Update example.conf with cookie options.
+
+8 December 2023: Yorgos
+	- Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
+	  per RFC 6672.
+
+8 December 2023: Wouter
+	- Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
+	  now that the root has a valid ZONEMD.
+
+7 December 2023: Wouter
+	- Fix #974: doc: default number of outgoing ports without libevent.
+	- Merge #975: Fixed some syntax errors in rpl files.
+
+6 December 2023: Wouter
+	- Fix to sync the tests script file common.sh.
+	- iana portlist update.
+	- Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
+	- Update test script file common.sh.
+	- Fix tests to use new common.sh functions, wait_logfile and
+	  kill_from_pidfile.
+
+5 December 2023: Wouter
+	- Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
+	- Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
+	- Fix dnstap that assertion failed on logging other than UDP and TCP
+	  traffic. It lists it as TCP traffic.
+
+27 November 2023: Yorgos
+	- Merge #968: Replace the obsolescent fgrep with grep -F in tests.
+
+27 November 2023: Wouter
+	- Fix #964: config.h.in~ backup file in release tar balls.
+
+24 November 2023: Yorgos
+	- Use 127.0.0.1 explicitly in tests to avoid delays and errors on
+	  newer systems.
+
+9 November 2023: Wouter
+	- Fix unit test parse of origin syntax.
+
 2 November 2023: Wouter
 	- Set version number to 1.19.0.
-	- Tag for 1.19.0rc1 release.
+	- Tag for 1.19.0rc1 release. It became 1.19.0 release on 8 nov 2023.
+	  The repository continues with 1.19.1.
 
 1 November 2023: George
 	- Mention flex and bison in README.md when building from repository

contrib/unbound/doc/README

@@ -1,4 +1,4 @@
-README for Unbound 1.19.1
+README for Unbound 1.19.3
 Copyright 2007 NLnet Labs
 http://unbound.net
 
@@ -19,11 +19,10 @@ The DNSTAP code has BSD license in dnstap/dnstap.c.
 * Make and install: ./configure; make; make install
   * --with-libevent=/path/to/libevent
   	Can be set to either the system install or the build directory.
-	--with-libevent=no (default) gives a builtin alternative 
-	implementation. libevent is useful when having many (thousands) 
-	of outgoing ports. This improves randomization and spoof 
-	resistance. For the default of 16 ports the builtin alternative 
-	works well and is a little faster.
+	--with-libevent=no gives a builtin alternative implementation.
+	Libevent is enabled by default, it is useful when having many
+	(thousands) of outgoing ports. This improves randomization and spoof
+	resistance. It also allows a higher number of outgoing queries.
   * --with-libexpat=/path/to/libexpat
   	Can be set to the install directory of libexpat.
   * --without-pthreads 

contrib/unbound/doc/example.conf.in

@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.19.1.
+# See unbound.conf(5) man page, version 1.19.3.
 #
 # this is a comment.
 
@@ -303,6 +303,7 @@ server:
 	# Choose deny (drop message), refuse (polite error reply),
 	# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
 	# allow_snoop (recursive and nonrecursive ok)
+	# allow_cookie (allow UDP with valid cookie or stateful transport)
 	# deny_non_local (drop queries unless can be answered from local-data)
 	# refuse_non_local (like deny_non_local but polite error reply).
 	# access-control: 127.0.0.0/8 allow
@@ -441,6 +442,9 @@ server:
 	# filtering log-queries and log-replies from the log.
 	# log-tag-queryreply: no
 
+	# log with destination address, port and type for log-replies.
+	# log-destaddr: no
+
 	# log the local-zone actions, like local-zone type inform is enabled
 	# also for the other local zone types.
 	# log-local-actions: no
@@ -983,6 +987,13 @@ server:
 	# if 0(default) it is disabled, otherwise states qps allowed per ip address
 	# ip-ratelimit: 0
 
+	# global query ratelimit for all ip addresses with a valid DNS Cookie.
+	# feature is experimental.
+	# if 0(default) it is disabled, otherwise states qps allowed per ip address
+	# useful in combination with 'allow_cookie'.
+	# If used, suggested to be higher than ip-ratelimit, tenfold.
+	# ip-ratelimit-cookie: 0
+
 	# ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
 	# ip-ratelimit-size: 4m
 	# ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
@@ -1004,6 +1015,14 @@ server:
 	# the number of servers that will be used in the fast server selection.
 	# fast-server-num: 3
 
+	# reply to requests containing DNS Cookies as specified in RFC 7873 and RFC 9018.
+	# answer-cookie: no
+
+	# secret for DNS Cookie generation.
+	# useful for anycast deployments.
+	# example value "000102030405060708090a0b0c0d0e0f".
+	# cookie-secret: <128 bit random hex string>
+
 	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
 	# ede: no
 
@@ -1150,7 +1169,7 @@ remote-control:
 # sources of notifies.
 # auth-zone:
 #	name: "."
-#	primary: 199.9.14.201         # b.root-servers.net
+#	primary: 170.247.170.2        # b.root-servers.net
 #	primary: 192.33.4.12          # c.root-servers.net
 #	primary: 199.7.91.13          # d.root-servers.net
 #	primary: 192.5.5.241          # f.root-servers.net
@@ -1158,7 +1177,7 @@ remote-control:
 #	primary: 193.0.14.129         # k.root-servers.net
 #	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
 #	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-#	primary: 2001:500:200::b      # b.root-servers.net
+#	primary: 2801:1b8:10::b       # b.root-servers.net
 #	primary: 2001:500:2::c        # c.root-servers.net
 #	primary: 2001:500:2d::d       # d.root-servers.net
 #	primary: 2001:500:2f::f       # f.root-servers.net

contrib/unbound/doc/libunbound.3.in

@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
+.TH "libunbound" "3" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -44,7 +44,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.19.1 functions.
+\- Unbound DNS validating resolver 1.19.3 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

contrib/unbound/doc/unbound-anchor.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
+.TH "unbound-anchor" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

contrib/unbound/doc/unbound-checkconf.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
+.TH "unbound-checkconf" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"

contrib/unbound/doc/unbound-control.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
+.TH "unbound-control" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"

contrib/unbound/doc/unbound-host.1.in

@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
+.TH "unbound\-host" "1" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

contrib/unbound/doc/unbound.8.in

@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
+.TH "unbound" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.19.1.
+\- Unbound DNS validating resolver 1.19.3.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

contrib/unbound/doc/unbound.conf.5.in

@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
+.TH "unbound.conf" "5" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -699,6 +699,12 @@ When at the limit, further connections are accepted but closed immediately.
 This option is experimental at this time.
 .TP
 .B access\-control: \fI<IP netblock> <action>
+Specify treatment of incoming queries from their originating IP address.
+Queries can be allowed to have access to this server that gives DNS
+answers, or refused, with other actions possible. The IP address range
+can be specified as a netblock, it is possible to give the statement
+several times in order to specify the treatment of different netblocks.
+.IP
 The netblock is given as an IP4 or IP6 address with /size appended for a
 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
 \fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIallow_cookie\fR,
@@ -738,7 +744,7 @@ the cache contents (for malicious acts).  However, nonrecursive queries can
 also be a valuable debugging tool (when you want to examine the cache
 contents). In that case use \fIallow_snoop\fR for your administration host.
 .IP
-The \fIallow_cookie\fR action allows access to UDP queries that contain a
+The \fIallow_cookie\fR action allows access only to UDP queries that contain a
 valid DNS Cookie as specified in RFC 7873 and RFC 9018, when the
 \fBanswer\-cookie\fR option is enabled.
 UDP queries containing only a DNS Client Cookie and no Server Cookie, or an
@@ -747,10 +753,8 @@ generated DNS Cookie, allowing clients to retry with that DNS Cookie.
 The \fIallow_cookie\fR action will also accept requests over stateful
 transports, regardless of the presence of an DNS Cookie and regardless of the
 \fBanswer\-cookie\fR setting.
-If \fBip\-ratelimit\fR is used, clients with a valid DNS Cookie will bypass the
-ratelimit.
-If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
-can be used instead.
+UDP queries without a DNS Cookie receive REFUSED responses with the TC flag set,
+that may trigger fall back to TCP for those clients.
 .IP
 By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
@@ -913,6 +917,11 @@ Prints the word 'query' and 'reply' with log\-queries and log\-replies.
 This makes filtering logs easier.  The default is off (for backwards
 compatibility).
 .TP
+.B log\-destaddr: \fI<yes or no>
+Prints the destination address, port and type in the log\-replies output.
+This disambiguates what type of traffic, eg. udp or tcp, and to what local
+port the traffic was sent to.
+.TP
 .B log\-local\-actions: \fI<yes or no>
 Print log lines to inform about local zone actions.  These lines are like the
 local\-zone type inform prints out, but they are also printed for the other
@@ -1839,6 +1848,9 @@ The ratelimit is in queries per second that are allowed.  More queries are
 completely dropped and will not receive a reply, SERVFAIL or otherwise.
 IP ratelimiting happens before looking in the cache. This may be useful for
 mitigating amplification attacks.
+Clients with a valid DNS Cookie will bypass the ratelimit.
+If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
+can be used instead.
 Default is 0 (disabled).
 .TP 5
 .B ip\-ratelimit\-cookie: \fI<number or 0>

contrib/unbound/iterator/iter_fwd.c

@@ -523,4 +523,3 @@ forwards_delete_stub_hole(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
 	fwd_zone_free(z);
 	fwd_init_parents(fwd);
 }
-

contrib/unbound/iterator/iter_hints.c

@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
 	dp->has_parent_side_NS = 1;
       if(do_ip4) {
 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4"))	goto failed;
-	if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed;
+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2"))	goto failed;
 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12"))	goto failed;
 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13"))	goto failed;
 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
       }
       if(do_ip6) {
 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
-	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed;
 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
@@ -560,4 +560,3 @@ hints_delete_stub(struct iter_hints* hints, uint16_t c, uint8_t* nm)
 	hints_stub_free(z);
 	name_tree_init_parents(&hints->tree);
 }
-

contrib/unbound/iterator/iter_scrub.c

@@ -283,7 +283,8 @@ synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias,
 		sizeof(uint32_t)+sizeof(uint16_t)+aliaslen);
 	if(!cn->rr_first->ttl_data)
 		return NULL;
-	sldns_write_uint32(cn->rr_first->ttl_data, 0); /* TTL = 0 */
+	memmove(cn->rr_first->ttl_data, rrset->rr_first->ttl_data,
+		sizeof(uint32_t)); /* RFC6672: synth CNAME TTL == DNAME TTL */
 	sldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen);
 	memmove(cn->rr_first->ttl_data+6, alias, aliaslen);
 	cn->rr_first->size = sizeof(uint16_t)+aliaslen;

contrib/unbound/iterator/iterator.c

@@ -4151,10 +4151,10 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 			/* like packet got dropped */
 			goto handle_it;
 		}
-		if(!inplace_cb_edns_back_parsed_call(qstate->env, qstate)) {
-			log_err("unable to call edns_back_parsed callback");
-			goto handle_it;
-		}
+	}
+	if(!inplace_cb_edns_back_parsed_call(qstate->env, qstate)) {
+		log_err("unable to call edns_back_parsed callback");
+		goto handle_it;
 	}
 
 	/* remove CD-bit, we asked for in case we handle validation ourself */

contrib/unbound/services/authzone.c

@@ -2702,7 +2702,7 @@ create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region,
 	if(!d)
 		return 0; /* out of memory */
 	(*cname)->entry.data = d;
-	d->ttl = 0; /* 0 for synthesized CNAME TTL */
+	d->ttl = dname->data->ttl; /* RFC6672: synth CNAME TTL == DNAME TTL */
 	d->count = 1;
 	d->rrsig_count = 0;
 	d->trust = rrset_trust_ans_noAA;

contrib/unbound/services/cache/dns.c

@@ -80,6 +80,7 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
 	struct regional* region, time_t qstarttime)
 {
 	size_t i;
+	time_t ttl, min_ttl = rep->ttl;
 	/* see if rrset already exists in cache, if not insert it. */
 	for(i=0; i<rep->rrset_count; i++) {
 		rep->ref[i].key = rep->rrsets[i];
@@ -112,6 +113,15 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
 		case 1: /* ref updated, item inserted */
 			rep->rrsets[i] = rep->ref[i].key;
 		}
+		/* if ref was updated make sure the message ttl is updated to
+		 * the minimum of the current rrsets. */
+		ttl = ((struct packed_rrset_data*)rep->rrsets[i]->entry.data)->ttl;
+		if(ttl < min_ttl) min_ttl = ttl;
+	}
+	if(min_ttl < rep->ttl) {
+		rep->ttl = min_ttl;
+		rep->prefetch_ttl = PREFETCH_TTL_CALC(rep->ttl);
+		rep->serve_expired_ttl = rep->ttl + SERVE_EXPIRED_TTL;
 	}
 }
 
@@ -818,7 +828,7 @@ synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
 	if(!newd)
 		return NULL;
 	ck->entry.data = newd;
-	newd->ttl = 0; /* 0 for synthesized CNAME TTL */
+	newd->ttl = d->ttl - now; /* RFC6672: synth CNAME TTL == DNAME TTL */
 	newd->count = 1;
 	newd->rrsig_count = 0;
 	newd->trust = rrset_trust_ans_noAA;

contrib/unbound/services/localzone.c

@@ -1532,7 +1532,7 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 			return 0; /* invalid cname */
 		if(dname_is_wild(ctarget)) {
 			/* synthesize cname target */
-			struct packed_rrset_data* d;
+			struct packed_rrset_data* d, *lr_d;
 			/* -3 for wildcard label and root label from qname */
 			size_t newtargetlen = qinfo->qname_len + ctargetlen - 3;
 
@@ -1560,8 +1560,10 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 				+ newtargetlen);
 			if(!d)
 				return 0; /* out of memory */
+			lr_d = (struct packed_rrset_data*)lr->rrset->entry.data;
 			qinfo->local_alias->rrset->entry.data = d;
-			d->ttl = 0; /* 0 for synthesized CNAME TTL */
+			d->ttl = lr_d->rr_ttl[0]; /* RFC6672-like behavior:
+					    synth CNAME TTL uses original TTL*/
 			d->count = 1;
 			d->rrsig_count = 0;
 			d->trust = rrset_trust_ans_noAA;

contrib/unbound/services/mesh.c

@@ -69,6 +69,12 @@
 #include "edns-subnet/subnetmod.h"
 #include "edns-subnet/edns-subnet.h"
 #endif
+#ifdef HAVE_SYS_TYPES_H
+#  include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
 
 /**
  * Compare two response-ip client info entries for the purpose of mesh state
@@ -1429,7 +1435,9 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	if(m->s.env->cfg->log_replies) {
 		log_reply_info(NO_VERBOSE, &m->s.qinfo,
 			&r->query_reply.client_addr,
-			r->query_reply.client_addrlen, duration, 0, r_buffer);
+			r->query_reply.client_addrlen, duration, 0, r_buffer,
+			(m->s.env->cfg->log_destaddr?(void*)r->query_reply.c->socket->addr->ai_addr:NULL),
+			r->query_reply.c->type);
 	}
 }
 

contrib/unbound/services/outside_network.c

@@ -1009,7 +1009,7 @@ use_free_buffer(struct outside_network* outnet)
 			sldns_buffer tmp;
 			sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len);
 			dt_msg_send_outside_query(outnet->dtenv, &w->sq->addr,
-				&pend_tcp->pi->addr, comm_tcp, w->sq->zone,
+				&pend_tcp->pi->addr, comm_tcp, NULL, w->sq->zone,
 				w->sq->zonelen, &tmp);
 		}
 #endif
@@ -2237,7 +2237,7 @@ randomize_and_send_udp(struct pending* pend, sldns_buffer* packet, int timeout)
 		outnet->dtenv->log_forwarder_query_messages)) {
 			log_addr(VERB_ALGO, "from local addr", &pend->pc->pif->addr, pend->pc->pif->addrlen);
 			log_addr(VERB_ALGO, "request to upstream", &pend->addr, pend->addrlen);
-			dt_msg_send_outside_query(outnet->dtenv, &pend->addr, &pend->pc->pif->addr, comm_udp,
+			dt_msg_send_outside_query(outnet->dtenv, &pend->addr, &pend->pc->pif->addr, comm_udp, NULL,
 				pend->sq->zone, pend->sq->zonelen, packet);
 	}
 #endif
@@ -2517,7 +2517,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
 			sldns_buffer tmp;
 			sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len);
 			dt_msg_send_outside_query(sq->outnet->dtenv, &sq->addr,
-				&pend->pi->addr, comm_tcp, sq->zone,
+				&pend->pi->addr, comm_tcp, NULL, sq->zone,
 				sq->zonelen, &tmp);
 		}
 #endif
@@ -2820,6 +2820,25 @@ serviced_perturb_qname(struct ub_randstate* rnd, uint8_t* qbuf, size_t len)
 	}
 }
 
+static uint16_t
+serviced_query_udp_size(struct serviced_query* sq, enum serviced_query_status status) {
+	uint16_t udp_size;
+	if(status == serviced_query_UDP_EDNS_FRAG) {
+		if(addr_is_ip6(&sq->addr, sq->addrlen)) {
+			if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
+				udp_size = EDNS_FRAG_SIZE_IP6;
+			else	udp_size = EDNS_ADVERTISED_SIZE;
+		} else {
+			if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
+				udp_size = EDNS_FRAG_SIZE_IP4;
+			else	udp_size = EDNS_ADVERTISED_SIZE;
+		}
+	} else {
+		udp_size = EDNS_ADVERTISED_SIZE;
+	}
+	return udp_size;
+}
+
 /** put serviced query into a buffer */
 static void
 serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
@@ -2843,19 +2862,7 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
 		edns.opt_list_in = NULL;
 		edns.opt_list_out = sq->opt_list;
 		edns.opt_list_inplace_cb_out = NULL;
-		if(sq->status == serviced_query_UDP_EDNS_FRAG) {
-			if(addr_is_ip6(&sq->addr, sq->addrlen)) {
-				if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
-					edns.udp_size = EDNS_FRAG_SIZE_IP6;
-				else	edns.udp_size = EDNS_ADVERTISED_SIZE;
-			} else {
-				if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
-					edns.udp_size = EDNS_FRAG_SIZE_IP4;
-				else	edns.udp_size = EDNS_ADVERTISED_SIZE;
-			}
-		} else {
-			edns.udp_size = EDNS_ADVERTISED_SIZE;
-		}
+		edns.udp_size = serviced_query_udp_size(sq, sq->status);
 		edns.bits = 0;
 		if(sq->dnssec & EDNS_DO)
 			edns.bits = EDNS_DO;
@@ -3083,7 +3090,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
 		log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen);
 		log_addr(VERB_ALGO, "to local addr", &pi->addr, pi->addrlen);
 		dt_msg_send_outside_response(sq->outnet->dtenv, &sq->addr,
-			&pi->addr, c->type, sq->zone, sq->zonelen, sq->qbuf,
+			&pi->addr, c->type, c->ssl, sq->zone, sq->zonelen, sq->qbuf,
 			sq->qbuflen, &sq->last_sent_time, sq->outnet->now_tv,
 			c->buffer);
 	}
@@ -3252,7 +3259,8 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 
 	sq->pending = NULL; /* removed after callback */
 	if(error == NETEVENT_TIMEOUT) {
-		if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000) {
+		if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000 &&
+		   (serviced_query_udp_size(sq, serviced_query_UDP_EDNS_FRAG) < serviced_query_udp_size(sq, serviced_query_UDP_EDNS))) {
 			/* fallback to 1480/1280 */
 			sq->status = serviced_query_UDP_EDNS_FRAG;
 			log_name_addr(VERB_ALGO, "try edns1xx0", sq->qbuf+10,
@@ -3296,7 +3304,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 		log_addr(VERB_ALGO, "to local addr", &p->pc->pif->addr,
 			p->pc->pif->addrlen);
 		dt_msg_send_outside_response(outnet->dtenv, &sq->addr,
-			&p->pc->pif->addr, c->type, sq->zone, sq->zonelen,
+			&p->pc->pif->addr, c->type, c->ssl, sq->zone, sq->zonelen,
 			sq->qbuf, sq->qbuflen, &sq->last_sent_time,
 			sq->outnet->now_tv, c->buffer);
 	}

contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.post

@@ -16,5 +16,5 @@ if test -f fwd4.log; then cat fwd4.log; else echo "no fwd4.log"; fi
 cat unbound.log
 if test -f unbound2.log; then cat unbound2.log; else echo "no unbound2.log"; fi
 kill_pid $FWD_PID
-kill_pid `cat unbound.pid`
+kill_from_pidfile "unbound.pid"
 rm -f $CONTROL_PATH/controlpipe.$CONTROL_PID

contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.test

@@ -13,7 +13,7 @@ get_ldns_testns
 # query for a text record that is stored by unbound's cache and cachedb
 # in the testframe cache.
 echo "> dig txt1.example.com."
-dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
 if grep "example text message" outfile; then
 	echo "OK"
 else
@@ -31,7 +31,7 @@ echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
 wait_ldns_testns_up fwd2.log
 
 echo "> dig txt1.example.com. from unbound cache"
-dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
 if grep "example text message" outfile; then
 	echo "OK"
 else
@@ -50,7 +50,7 @@ else
 fi
 
 echo "> dig txt1.example.com. from cachedb"
-dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
 if grep "example text message" outfile; then
 	echo "OK"
 else
@@ -69,7 +69,7 @@ wait_ldns_testns_up fwd3.log
 
 # stop unbound to flush the cachedb cache
 echo "> stop unbound"
-kill_pid `cat unbound.pid`
+kill_from_pidfile "unbound.pid"
 
 echo ""
 echo "> config unbound with cachedb-no-store: yes"
@@ -84,7 +84,7 @@ wait_unbound_up unbound2.log
 
 echo ""
 echo "> dig txt1.example.com."
-dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
 if grep "example text message" outfile; then
 	echo "OK"
 else
@@ -102,7 +102,7 @@ echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
 wait_ldns_testns_up fwd4.log
 
 echo "> dig txt1.example.com. from unbound cache"
-dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
 if grep "example text message" outfile; then
 	echo "OK"
 else
@@ -121,7 +121,7 @@ else
 fi
 
 echo "> dig txt1.example.com. from cachedb, but that has no message stored"
-dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
 if grep "SERVFAIL" outfile; then
 	echo "OK"
 else

contrib/unbound/testdata/iter_cname_minimise_nx.rpl

@@ -241,6 +241,5 @@ v.example.com.	3600	IN	RRSIG	NSEC 3 3 3600 20070926134150 20070829134150 2854 ex
 example.com.	3600	IN	NSEC	abc.example.com. NS SOA RRSIG NSEC DNSKEY
 example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
 ENTRY_END
-ENTRY_END
 
 SCENARIO_END

contrib/unbound/testdata/iter_dname_ttl.rpl

@@ -0,0 +1,310 @@
+; config options
+; The island of trust is at example.com
+; validation is enabled because the pickup of DNAME from cache wants
+; a DNSSEC signed DNAME.
+server:
+	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+	trust-anchor: "example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+	qname-minimisation: "no"
+	fake-sha1: yes
+	trust-anchor-signaling: no
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test iterator for TTL of synthesized CNAME of a DNAME from cache.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN A
+SECTION AUTHORITY
+net.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION ANSWER
+net.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN A
+SECTION AUTHORITY
+example.net.	IN NS	ns.example.net.
+SECTION ADDITIONAL
+ns.example.net.		IN 	A	1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600    IN      RRSIG   DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN CNAME
+SECTION ANSWER
+www.example.com. IN	CNAME	www.example.net.
+www.example.com.        3600    IN      RRSIG   CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFGcJxnNxpWCBzXejiSdl4p1BKRMnAhUApoJrugVBRwFgAoYAhhqlZFac7fE= ;{id = 2854}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www2.example.com. IN A
+SECTION ANSWER
+www2.example.com.	3600	IN	CNAME	www.example.net.
+www2.example.com.	3600	IN	RRSIG	CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AGgh6pDCL7VF0uJablClW7cgvsPuNzpHZ+M7nZIwi61+0RPhFZLHcN4=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+foo.test-dname.example.com. IN A
+SECTION ANSWER
+test-dname.example.com.	3600	IN	DNAME	example.net.
+test-dname.example.com.	3600	IN	RRSIG	DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo.test-dname.example.com. 3600 IN CNAME foo.example.net.
+ENTRY_END
+RANGE_END
+
+; ns.example.net.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net.	IN NS	ns.example.net.
+example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net.		IN 	A	1.2.3.5
+ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN DNSKEY
+SECTION ANSWER
+example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
+SECTION AUTHORITY
+example.net.	IN NS	ns.example.net.
+example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net.		IN 	A	1.2.3.5
+ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.net. IN A
+SECTION ANSWER
+www.example.net. IN	A	11.12.13.14
+www.example.net.        3600    IN      RRSIG   A 5 3 3600 20070926134150 20070829134150 30899 example.net. CPxF5hK9Kg5eT7W6LgZwr0ePYEm9HMcSY4vvqCS6gDWB4X9jvXLCfBkCLhsNybPBpGWlsLi5wM6MTdJXuPpsRA== ;{id = 30899}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+foo.example.net. IN A
+SECTION ANSWER
+foo.example.net. IN	A	11.12.13.15
+foo.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926134150 20070829134150 30899 example.net. X6T6SE9UzxAD/4zKpwGOxEDyE4g7lfYYw3lvw533uwRN8mWTcBvSva0/jjyhrogJcuLO32jPHK6zGb93w2xnuA==
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+foo2.example.net. IN A
+SECTION ANSWER
+foo2.example.net. IN	A	11.12.13.16
+foo2.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926134150 20070829134150 30899 example.net. BZm+GljD8m9N+pNJN8D+LlSyHqM+InNUe0+heKILR9be+Goqv6SEb7LKtX6+kj3239Y5by7u+/Cuk8kkWistEQ==
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 1 TIME_PASSES ELAPSE 10
+; Get DNAME in cache and then pick it up again from cache.
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+foo.test-dname.example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+foo.test-dname.example.com. IN A
+SECTION ANSWER
+test-dname.example.com.	3600	IN	DNAME	example.net.
+test-dname.example.com.	3600	IN	RRSIG	DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo.test-dname.example.com. 3600 IN CNAME foo.example.net.
+foo.example.net. IN	A	11.12.13.15
+foo.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926134150 20070829134150 30899 example.net. X6T6SE9UzxAD/4zKpwGOxEDyE4g7lfYYw3lvw533uwRN8mWTcBvSva0/jjyhrogJcuLO32jPHK6zGb93w2xnuA==
+ENTRY_END
+
+STEP 30 TIME_PASSES ELAPSE 10
+
+; Use DNAME from cache
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+foo2.test-dname.example.com. IN A
+ENTRY_END
+
+; Test the TTL on the synthesized CNAME for the DNAME record from cache.
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+foo2.test-dname.example.com. IN A
+SECTION ANSWER
+test-dname.example.com.	3590	IN	DNAME	example.net.
+test-dname.example.com.	3590	IN	RRSIG	DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo2.test-dname.example.com. 3590 IN CNAME foo2.example.net.
+foo2.example.net. 	3600	IN	A	11.12.13.16
+foo2.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926134150 20070829134150 30899 example.net. BZm+GljD8m9N+pNJN8D+LlSyHqM+InNUe0+heKILR9be+Goqv6SEb7LKtX6+kj3239Y5by7u+/Cuk8kkWistEQ==
+ENTRY_END
+
+SCENARIO_END

contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.test

@@ -6,8 +6,8 @@
 
 PRE="../.."
 # do the test
-echo "> dig www.example.com."
-dig @localhost -p $UNBOUND_PORT . SOA | tee outfile
+echo "> dig . SOA"
+dig @127.0.0.1 -p $UNBOUND_PORT . SOA | tee outfile
 echo "> check answer"
 if grep root-servers outfile | grep "nstld.verisign-grs.com"; then
 	echo "OK"
@@ -26,7 +26,19 @@ else
 fi
 
 # This is the output when an unsupported algorithm is used.
-if grep "auth zone . ZONEMD unsupported algorithm" unbound.log; then
+if grep "auth zone . zonemd DNSSEC verification of SOA and ZONEMD RRsets secure" unbound.log; then
+	echo "OK"
+else
+	echo "ZONEMD verification not OK"
+	exit 1
+fi
+if grep "auth-zone . ZONEMD hash is correct" unbound.log; then
+	echo "OK"
+else
+	echo "ZONEMD verification not OK"
+	exit 1
+fi
+if grep "auth zone . ZONEMD verification successful" unbound.log; then
 	echo "OK"
 else
 	echo "ZONEMD verification not OK"
@@ -40,12 +52,12 @@ if test $? -ne 0; then
 	exit 1
 fi
 # The output of the reload can be checked.
-#echo "> check unbound-control output"
-#if grep "example.com: ZONEMD verification successful" outfile; then
-	#echo "OK"
-#else
-	#echo "Not OK"
-	#exit 1
-#fi
+echo "> check unbound-control output"
+if grep ".: ZONEMD verification successful" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
 
 exit 0

contrib/unbound/testdata/rrset_use_cached.rpl

@@ -0,0 +1,151 @@
+server:
+	minimal-responses: no
+	serve-expired: yes
+	# The value does not matter, we will not simulate delay.
+	# We do not want only serve-expired because fetches from that
+	# apply a generous PREFETCH_LEEWAY.
+	serve-expired-client-timeout: 1000
+	# So that we can only have to give one SERVFAIL answer.
+	outbound-msg-retry: 0
+
+forward-zone: name: "." forward-addr: 216.0.0.1
+CONFIG_END
+
+SCENARIO_BEGIN RRset from cache updates the message TTL.
+
+STEP 1 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+	www.example.com. IN A
+ENTRY_END
+; the query is sent to the forwarder - no cache yet.
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+	MATCH qname qtype opcode
+	SECTION QUESTION
+	www.example.com. IN A
+ENTRY_END
+STEP 3 REPLY
+ENTRY_BEGIN
+	MATCH opcode qtype qname
+	ADJUST copy_id
+	; authoritative answer
+	REPLY QR AA RD RA NOERROR
+	SECTION QUESTION
+	www.example.com. IN A
+	SECTION ANSWER
+	www.example.com. 5 IN A 10.20.30.40
+	SECTION AUTHORITY
+	example.com. 10 IN NS ns.example.com.
+	SECTION ADDITIONAL
+	ns.example.com. 10 IN A 10.20.30.50
+ENTRY_END
+STEP 4 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RD RA
+	SECTION QUESTION
+	www.example.com. IN A
+	SECTION ANSWER
+	www.example.com. 5 IN A 10.20.30.40
+	SECTION AUTHORITY
+	example.com. 10 IN NS ns.example.com.
+	SECTION ADDITIONAL
+	ns.example.com. 10 IN A 10.20.30.50
+ENTRY_END
+
+; Wait for the A RRSET to expire.
+STEP 5 TIME_PASSES ELAPSE 6
+
+STEP 6 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+	www.example.com. IN A
+ENTRY_END
+; expired answer will not be served due to serve-expired-client-timeout.
+STEP 7 CHECK_OUT_QUERY
+ENTRY_BEGIN
+	MATCH qname qtype opcode
+	SECTION QUESTION
+	www.example.com. IN A
+ENTRY_END
+STEP 8 REPLY
+ENTRY_BEGIN
+	MATCH opcode qtype qname
+	ADJUST copy_id
+	; authoritative answer
+	REPLY QR AA RD RA NOERROR
+	SECTION QUESTION
+	www.example.com. IN A
+	SECTION ANSWER
+	www.example.com. 5 IN A 10.20.30.40
+	SECTION AUTHORITY
+	example.com. 10 IN NS ns.example.com.
+	SECTION ADDITIONAL
+	ns.example.com. 10 IN A 10.20.30.50
+ENTRY_END
+; The cached NS related RRSETs will not be overwritten by the fresh answer.
+; The message should have a TTL of 4 instead of 5 from above.
+STEP 9 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RD RA
+	SECTION QUESTION
+	www.example.com. IN A
+	SECTION ANSWER
+	www.example.com. 5 IN A 10.20.30.40
+	SECTION AUTHORITY
+	example.com. 4 IN NS ns.example.com.
+	SECTION ADDITIONAL
+	ns.example.com. 4 IN A 10.20.30.50
+ENTRY_END
+
+; Wait for the NS RRSETs to expire.
+STEP 10 TIME_PASSES ELAPSE 5
+
+STEP 11 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+	www.example.com. IN A
+ENTRY_END
+; The message should be expired, again no expired answer at this point due to
+; serve-expired-client-timeout.
+STEP 12 CHECK_OUT_QUERY
+ENTRY_BEGIN
+	MATCH qname qtype opcode
+	SECTION QUESTION
+	www.example.com. IN A
+ENTRY_END
+STEP 13 REPLY
+ENTRY_BEGIN
+	MATCH opcode qtype qname
+	ADJUST copy_id
+	REPLY QR RD RA SERVFAIL
+	SECTION QUESTION
+	www.example.com. IN A
+ENTRY_END
+; The SERVFAIL will trigger the serve-expired-client-timeout logic to try and
+; replace the SERVFAIL with a possible cached (expired) answer.
+; The A RRSET would be at 0TTL left (not expired) but the message should have
+; been updated to use a TTL of 4 so expired by now.
+; If the message TTL was not updated (bug), this message would be treated as
+; non-expired and the now expired NS related RRSETs would fail sanity checks
+; for non-expired messages. The result would be SERVFAIL here.
+STEP 14 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RD RA
+	SECTION QUESTION
+	www.example.com. IN A
+	SECTION ANSWER
+	www.example.com. 0 IN A 10.20.30.40
+	SECTION AUTHORITY
+	example.com. 30 IN NS ns.example.com.
+	SECTION ADDITIONAL
+	ns.example.com. 30 IN A 10.20.30.50
+ENTRY_END
+
+SCENARIO_END

contrib/unbound/testdata/serve_expired_0ttl_nodata.rpl

@@ -46,7 +46,7 @@ RANGE_BEGIN 30 100
 		ADJUST copy_id
 		REPLY QR NOERROR
 		SECTION QUESTION
-			example.com. 10 IN NS
+			example.com. IN NS
 		SECTION ANSWER
 			example.com. 10 IN NS ns.example.com.
 		SECTION ADDITIONAL

contrib/unbound/testdata/serve_expired_0ttl_nxdomain.rpl

@@ -46,7 +46,7 @@ RANGE_BEGIN 30 100
 		ADJUST copy_id
 		REPLY QR NOERROR
 		SECTION QUESTION
-			example.com. 10 IN NS
+			example.com. IN NS
 		SECTION ANSWER
 			example.com. 10 IN NS ns.example.com.
 		SECTION ADDITIONAL

contrib/unbound/testdata/serve_expired_0ttl_servfail.rpl

@@ -44,7 +44,7 @@ RANGE_BEGIN 30 100
 		ADJUST copy_id
 		REPLY QR NOERROR
 		SECTION QUESTION
-			example.com. 10 IN NS
+			example.com. IN NS
 		SECTION ANSWER
 			example.com. 10 IN NS ns.example.com.
 		SECTION ADDITIONAL

contrib/unbound/testdata/serve_expired_cached_servfail.rpl

@@ -45,7 +45,7 @@ RANGE_BEGIN 30 100
 		ADJUST copy_id
 		REPLY QR NOERROR
 		SECTION QUESTION
-			example.com. 10 IN NS
+			example.com. IN NS
 		SECTION ANSWER
 			example.com. 10 IN NS ns.example.com.
 		SECTION ADDITIONAL

contrib/unbound/testdata/serve_expired_cached_servfail_refresh.rpl

@@ -49,7 +49,7 @@ RANGE_BEGIN 60 100
 		ADJUST copy_id
 		REPLY QR NOERROR
 		SECTION QUESTION
-			example.com. 10 IN NS
+			example.com. IN NS
 		SECTION ANSWER
 			example.com. 10 IN NS ns.example.com.
 		SECTION ADDITIONAL

contrib/unbound/testdata/subnet_scopezero_noedns.crpl

@@ -0,0 +1,441 @@
+; scope of 0, if the query also had scope of 0, do not answer this
+; to everyone, but only for scope 0 queries. Otherwise can answer cached.
+
+server:
+	target-fetch-policy: "0 0 0 0 0"
+	send-client-subnet: 1.2.3.4
+	module-config: "subnetcache validator iterator"
+	verbosity: 4
+	qname-minimisation: no
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129
+
+stub-zone:
+	name: "example.com"
+	stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test subnet cache with scope zero response without EDNS.
+
+; the upstream server.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129
+
+ENTRY_BEGIN
+MATCH opcode qtype qname ednsdata
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+	;; we expect to receive empty
+HEX_EDNSDATA_END
+K.ROOT-SERVERS.NET.     IN      A       193.0.14.129
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 11
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+			; client is 127.0.0.1
+	00 08           ; OPC
+	00 07           ; option length
+	00 01           ; Family
+	18 11           ; source mask, scopemask
+	7f 00 00        ; address
+HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 20 31
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+			; client is 127.0.0.1
+	00 08           ; OPC
+	00 07           ; option length
+	00 01           ; Family
+	18 11           ; source mask, scopemask
+	7f 01 00        ; address
+HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 40 51
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+;no EDNS in this answer. Tests if the back_parsed callback
+;is called to process the lack of edns contents.
+;HEX_EDNSDATA_BEGIN
+	;00 08           ; OPC
+	;00 04           ; option length
+	;00 01           ; Family
+	;00 00           ; source mask, scopemask
+	;                ; address 0.0.0.0/0 scope 0
+;HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 120 131
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.43
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+	00 08           ; OPC
+	00 07           ; option length
+	00 01           ; Family
+	18 00           ; source mask, scopemask
+	7f 02 00        ; address 127.2.0.0/24 scope 0
+HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+; query for 127.0.0.0/24
+STEP 1 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.example.com A? (DO)
+	07 65 78 61 6d 70 6c 65
+	03 63 6f 6d 00 00 01 00
+	01 00 00 29 10 00 00 00
+	80 00 00 0b
+
+	00 08 00 07                     ; OPC, optlen
+	00 01 18 00                     ; ip4, scope 24, source 0
+	7f 00 00                        ;127.0.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer is 10.20.30.40 for 127.0.0.0/24 scope 17
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+			; client is 127.0.0.1
+	00 08           ; OPC
+	00 07           ; option length
+	00 01           ; Family
+	18 11           ; source mask, scopemask
+	7f 00 00        ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 127.1.0.0/24
+STEP 20 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.example.com A? (DO)
+	07 65 78 61 6d 70 6c 65
+	03 63 6f 6d 00 00 01 00
+	01 00 00 29 10 00 00 00
+	80 00 00 0b
+
+	00 08 00 07                     ; OPC, optlen
+	00 01 18 00                     ; ip4, scope 24, source 0
+	7f 01 00                        ;127.1.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer is 10.20.30.41 for 127.1.0.0/24 scope 17
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+			; client is 127.1.0.1
+	00 08           ; OPC
+	00 07           ; option length
+	00 01           ; Family
+	18 11           ; source mask, scopemask
+	7f 01 00        ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 0.0.0.0/0
+STEP 40 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.example.com A? (DO)
+	07 65 78 61 6d 70 6c 65
+	03 63 6f 6d 00 00 01 00
+	01 00 00 29 10 00 00 00
+	80 00 00 08
+
+	00 08 00 04                     ; OPC, optlen
+	00 01 00 00                     ; ip4, scope 0, source 0
+	                                ;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+; answer is 10.20.30.42 for 0.0.0.0/0 scope 0
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+	00 08           ; OPC
+	00 04           ; option length
+	00 01           ; Family
+	00 00           ; source mask, scopemask
+	                ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 127.0.0.0/24, again, it should be in cache.
+; and not from the scope 0 answer.
+STEP 60 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.example.com A? (DO)
+	07 65 78 61 6d 70 6c 65
+	03 63 6f 6d 00 00 01 00
+	01 00 00 29 10 00 00 00
+	80 00 00 0b
+
+	00 08 00 07                     ; OPC, optlen
+	00 01 18 00                     ; ip4, scope 24, source 0
+	7f 00 00                        ;127.0.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.40 for 127.0.0.0/24 scope 17
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+			; client is 127.0.0.1
+	00 08           ; OPC
+	00 07           ; option length
+	00 01           ; Family
+	18 11           ; source mask, scopemask
+	7f 00 00        ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 127.1.0.0/24, again, it should be in cache.
+STEP 80 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.example.com A? (DO)
+	07 65 78 61 6d 70 6c 65
+	03 63 6f 6d 00 00 01 00
+	01 00 00 29 10 00 00 00
+	80 00 00 0b
+
+	00 08 00 07                     ; OPC, optlen
+	00 01 18 00                     ; ip4, scope 24, source 0
+	7f 01 00                        ;127.1.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.41 for 127.1.0.0/24 scope 17
+STEP 90 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+			; client is 127.1.0.1
+	00 08           ; OPC
+	00 07           ; option length
+	00 01           ; Family
+	18 11           ; source mask, scopemask
+	7f 01 00        ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 0.0.0.0/0, again.
+STEP 100 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.example.com A? (DO)
+	07 65 78 61 6d 70 6c 65
+	03 63 6f 6d 00 00 01 00
+	01 00 00 29 10 00 00 00
+	80 00 00 08
+
+	00 08 00 04                     ; OPC, optlen
+	00 01 00 00                     ; ip4, scope 0, source 0
+	                                ;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.42 for 0.0.0.0/0 scope 0
+STEP 110 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+	00 08           ; OPC
+	00 04           ; option length
+	00 01           ; Family
+	00 00           ; source mask, scopemask
+	                ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; now a query for a /24 that gets an answer for a /0.
+STEP 120 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.example.com A? (DO)
+	07 65 78 61 6d 70 6c 65
+	03 63 6f 6d 00 00 01 00
+	01 00 00 29 10 00 00 00
+	80 00 00 0b
+
+	00 08 00 07                     ; OPC, optlen
+	00 01 18 00                     ; ip4, scope 24, source 0
+	7f 02 00                        ;127.2.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.43 for 127.2.0.0/24 scope 0
+STEP 130 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.43
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+			; client is 127.2.0.1
+	00 08           ; OPC
+	00 07           ; option length
+	00 01           ; Family
+	18 00           ; source mask, scopemask
+	7f 02 00        ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; the scope 0 answer is now used to answer queries from
+; query for 127.0.0.0/24
+STEP 140 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.example.com A? (DO)
+	07 65 78 61 6d 70 6c 65
+	03 63 6f 6d 00 00 01 00
+	01 00 00 29 10 00 00 00
+	80 00 00 0b
+
+	00 08 00 07                     ; OPC, optlen
+	00 01 18 00                     ; ip4, scope 24, source 0
+	7f 00 00                        ;127.0.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 150 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.43
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+			; client is 127.0.0.1
+	00 08           ; OPC
+	00 07           ; option length
+	00 01           ; Family
+	18 00           ; source mask, scopemask
+	7f 00 00        ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+SCENARIO_END

contrib/unbound/util/config_file.c

@@ -142,6 +142,7 @@ config_create(void)
 	cfg->log_tag_queryreply = 0;
 	cfg->log_local_actions = 0;
 	cfg->log_servfail = 0;
+	cfg->log_destaddr = 0;
 #ifndef USE_WINSOCK
 #  ifdef USE_MINI_EVENT
 	/* select max 1024 sockets */
@@ -690,6 +691,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_YNO("log-tag-queryreply:", log_tag_queryreply)
 	else S_YNO("log-local-actions:", log_local_actions)
 	else S_YNO("log-servfail:", log_servfail)
+	else S_YNO("log-destaddr:", log_destaddr)
 	else S_YNO("val-permissive-mode:", val_permissive_mode)
 	else S_YNO("aggressive-nsec:", aggressive_nsec)
 	else S_YNO("ignore-cd-flag:", ignore_cd)
@@ -1127,6 +1129,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "log-tag-queryreply", log_tag_queryreply)
 	else O_YNO(opt, "log-local-actions", log_local_actions)
 	else O_YNO(opt, "log-servfail", log_servfail)
+	else O_YNO(opt, "log-destaddr", log_destaddr)
 	else O_STR(opt, "pidfile", pidfile)
 	else O_YNO(opt, "hide-identity", hide_identity)
 	else O_YNO(opt, "hide-version", hide_version)

contrib/unbound/util/config_file.h

@@ -349,6 +349,8 @@ struct config_file {
 	int log_servfail;
 	/** log identity to report */
 	char* log_identity;
+	/** log dest addr for log_replies */
+	int log_destaddr;
 
 	/** do not report identity (id.server, hostname.bind) */
 	int hide_identity;

contrib/unbound/util/configlexer.lex

@@ -435,6 +435,7 @@ log-replies{COLON}		{ YDVAR(1, VAR_LOG_REPLIES) }
 log-tag-queryreply{COLON}	{ YDVAR(1, VAR_LOG_TAG_QUERYREPLY) }
 log-local-actions{COLON}       { YDVAR(1, VAR_LOG_LOCAL_ACTIONS) }
 log-servfail{COLON}		{ YDVAR(1, VAR_LOG_SERVFAIL) }
+log-destaddr{COLON}		{ YDVAR(1, VAR_LOG_DESTADDR) }
 local-zone{COLON}		{ YDVAR(2, VAR_LOCAL_ZONE) }
 local-data{COLON}		{ YDVAR(1, VAR_LOCAL_DATA) }
 local-data-ptr{COLON}		{ YDVAR(1, VAR_LOCAL_DATA_PTR) }

contrib/unbound/util/configparser.h

@@ -0,0 +1,781 @@
+/* A Bison parser, made by GNU Bison 3.7.6.  */
+
+/* Bison interface for Yacc-like parsers in C
+
+   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation,
+   Inc.
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
+
+/* As a special exception, you may create a larger work that contains
+   part or all of the Bison parser skeleton and distribute that work
+   under terms of your choice, so long as that work isn't itself a
+   parser generator using the skeleton or a modified version thereof
+   as a parser skeleton.  Alternatively, if you modify or redistribute
+   the parser skeleton itself, you may (at your option) remove this
+   special exception, which will cause the skeleton and the resulting
+   Bison output files to be licensed under the GNU General Public
+   License without this special exception.
+
+   This special exception was added by the Free Software Foundation in
+   version 2.2 of Bison.  */
+
+/* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual,
+   especially those whose name start with YY_ or yy_.  They are
+   private implementation details that can be changed or removed.  */
+
+#ifndef YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
+# define YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
+/* Debug traces.  */
+#ifndef YYDEBUG
+# define YYDEBUG 0
+#endif
+#if YYDEBUG
+extern int yydebug;
+#endif
+
+/* Token kinds.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+  enum yytokentype
+  {
+    YYEMPTY = -2,
+    YYEOF = 0,                     /* "end of file"  */
+    YYerror = 256,                 /* error  */
+    YYUNDEF = 257,                 /* "invalid token"  */
+    SPACE = 258,                   /* SPACE  */
+    LETTER = 259,                  /* LETTER  */
+    NEWLINE = 260,                 /* NEWLINE  */
+    COMMENT = 261,                 /* COMMENT  */
+    COLON = 262,                   /* COLON  */
+    ANY = 263,                     /* ANY  */
+    ZONESTR = 264,                 /* ZONESTR  */
+    STRING_ARG = 265,              /* STRING_ARG  */
+    VAR_FORCE_TOPLEVEL = 266,      /* VAR_FORCE_TOPLEVEL  */
+    VAR_SERVER = 267,              /* VAR_SERVER  */
+    VAR_VERBOSITY = 268,           /* VAR_VERBOSITY  */
+    VAR_NUM_THREADS = 269,         /* VAR_NUM_THREADS  */
+    VAR_PORT = 270,                /* VAR_PORT  */
+    VAR_OUTGOING_RANGE = 271,      /* VAR_OUTGOING_RANGE  */
+    VAR_INTERFACE = 272,           /* VAR_INTERFACE  */
+    VAR_PREFER_IP4 = 273,          /* VAR_PREFER_IP4  */
+    VAR_DO_IP4 = 274,              /* VAR_DO_IP4  */
+    VAR_DO_IP6 = 275,              /* VAR_DO_IP6  */
+    VAR_DO_NAT64 = 276,            /* VAR_DO_NAT64  */
+    VAR_PREFER_IP6 = 277,          /* VAR_PREFER_IP6  */
+    VAR_DO_UDP = 278,              /* VAR_DO_UDP  */
+    VAR_DO_TCP = 279,              /* VAR_DO_TCP  */
+    VAR_TCP_MSS = 280,             /* VAR_TCP_MSS  */
+    VAR_OUTGOING_TCP_MSS = 281,    /* VAR_OUTGOING_TCP_MSS  */
+    VAR_TCP_IDLE_TIMEOUT = 282,    /* VAR_TCP_IDLE_TIMEOUT  */
+    VAR_EDNS_TCP_KEEPALIVE = 283,  /* VAR_EDNS_TCP_KEEPALIVE  */
+    VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 284, /* VAR_EDNS_TCP_KEEPALIVE_TIMEOUT  */
+    VAR_SOCK_QUEUE_TIMEOUT = 285,  /* VAR_SOCK_QUEUE_TIMEOUT  */
+    VAR_CHROOT = 286,              /* VAR_CHROOT  */
+    VAR_USERNAME = 287,            /* VAR_USERNAME  */
+    VAR_DIRECTORY = 288,           /* VAR_DIRECTORY  */
+    VAR_LOGFILE = 289,             /* VAR_LOGFILE  */
+    VAR_PIDFILE = 290,             /* VAR_PIDFILE  */
+    VAR_MSG_CACHE_SIZE = 291,      /* VAR_MSG_CACHE_SIZE  */
+    VAR_MSG_CACHE_SLABS = 292,     /* VAR_MSG_CACHE_SLABS  */
+    VAR_NUM_QUERIES_PER_THREAD = 293, /* VAR_NUM_QUERIES_PER_THREAD  */
+    VAR_RRSET_CACHE_SIZE = 294,    /* VAR_RRSET_CACHE_SIZE  */
+    VAR_RRSET_CACHE_SLABS = 295,   /* VAR_RRSET_CACHE_SLABS  */
+    VAR_OUTGOING_NUM_TCP = 296,    /* VAR_OUTGOING_NUM_TCP  */
+    VAR_INFRA_HOST_TTL = 297,      /* VAR_INFRA_HOST_TTL  */
+    VAR_INFRA_LAME_TTL = 298,      /* VAR_INFRA_LAME_TTL  */
+    VAR_INFRA_CACHE_SLABS = 299,   /* VAR_INFRA_CACHE_SLABS  */
+    VAR_INFRA_CACHE_NUMHOSTS = 300, /* VAR_INFRA_CACHE_NUMHOSTS  */
+    VAR_INFRA_CACHE_LAME_SIZE = 301, /* VAR_INFRA_CACHE_LAME_SIZE  */
+    VAR_NAME = 302,                /* VAR_NAME  */
+    VAR_STUB_ZONE = 303,           /* VAR_STUB_ZONE  */
+    VAR_STUB_HOST = 304,           /* VAR_STUB_HOST  */
+    VAR_STUB_ADDR = 305,           /* VAR_STUB_ADDR  */
+    VAR_TARGET_FETCH_POLICY = 306, /* VAR_TARGET_FETCH_POLICY  */
+    VAR_HARDEN_SHORT_BUFSIZE = 307, /* VAR_HARDEN_SHORT_BUFSIZE  */
+    VAR_HARDEN_LARGE_QUERIES = 308, /* VAR_HARDEN_LARGE_QUERIES  */
+    VAR_FORWARD_ZONE = 309,        /* VAR_FORWARD_ZONE  */
+    VAR_FORWARD_HOST = 310,        /* VAR_FORWARD_HOST  */
+    VAR_FORWARD_ADDR = 311,        /* VAR_FORWARD_ADDR  */
+    VAR_DO_NOT_QUERY_ADDRESS = 312, /* VAR_DO_NOT_QUERY_ADDRESS  */
+    VAR_HIDE_IDENTITY = 313,       /* VAR_HIDE_IDENTITY  */
+    VAR_HIDE_VERSION = 314,        /* VAR_HIDE_VERSION  */
+    VAR_IDENTITY = 315,            /* VAR_IDENTITY  */
+    VAR_VERSION = 316,             /* VAR_VERSION  */
+    VAR_HARDEN_GLUE = 317,         /* VAR_HARDEN_GLUE  */
+    VAR_MODULE_CONF = 318,         /* VAR_MODULE_CONF  */
+    VAR_TRUST_ANCHOR_FILE = 319,   /* VAR_TRUST_ANCHOR_FILE  */
+    VAR_TRUST_ANCHOR = 320,        /* VAR_TRUST_ANCHOR  */
+    VAR_VAL_OVERRIDE_DATE = 321,   /* VAR_VAL_OVERRIDE_DATE  */
+    VAR_BOGUS_TTL = 322,           /* VAR_BOGUS_TTL  */
+    VAR_VAL_CLEAN_ADDITIONAL = 323, /* VAR_VAL_CLEAN_ADDITIONAL  */
+    VAR_VAL_PERMISSIVE_MODE = 324, /* VAR_VAL_PERMISSIVE_MODE  */
+    VAR_INCOMING_NUM_TCP = 325,    /* VAR_INCOMING_NUM_TCP  */
+    VAR_MSG_BUFFER_SIZE = 326,     /* VAR_MSG_BUFFER_SIZE  */
+    VAR_KEY_CACHE_SIZE = 327,      /* VAR_KEY_CACHE_SIZE  */
+    VAR_KEY_CACHE_SLABS = 328,     /* VAR_KEY_CACHE_SLABS  */
+    VAR_TRUSTED_KEYS_FILE = 329,   /* VAR_TRUSTED_KEYS_FILE  */
+    VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 330, /* VAR_VAL_NSEC3_KEYSIZE_ITERATIONS  */
+    VAR_USE_SYSLOG = 331,          /* VAR_USE_SYSLOG  */
+    VAR_OUTGOING_INTERFACE = 332,  /* VAR_OUTGOING_INTERFACE  */
+    VAR_ROOT_HINTS = 333,          /* VAR_ROOT_HINTS  */
+    VAR_DO_NOT_QUERY_LOCALHOST = 334, /* VAR_DO_NOT_QUERY_LOCALHOST  */
+    VAR_CACHE_MAX_TTL = 335,       /* VAR_CACHE_MAX_TTL  */
+    VAR_HARDEN_DNSSEC_STRIPPED = 336, /* VAR_HARDEN_DNSSEC_STRIPPED  */
+    VAR_ACCESS_CONTROL = 337,      /* VAR_ACCESS_CONTROL  */
+    VAR_LOCAL_ZONE = 338,          /* VAR_LOCAL_ZONE  */
+    VAR_LOCAL_DATA = 339,          /* VAR_LOCAL_DATA  */
+    VAR_INTERFACE_AUTOMATIC = 340, /* VAR_INTERFACE_AUTOMATIC  */
+    VAR_STATISTICS_INTERVAL = 341, /* VAR_STATISTICS_INTERVAL  */
+    VAR_DO_DAEMONIZE = 342,        /* VAR_DO_DAEMONIZE  */
+    VAR_USE_CAPS_FOR_ID = 343,     /* VAR_USE_CAPS_FOR_ID  */
+    VAR_STATISTICS_CUMULATIVE = 344, /* VAR_STATISTICS_CUMULATIVE  */
+    VAR_OUTGOING_PORT_PERMIT = 345, /* VAR_OUTGOING_PORT_PERMIT  */
+    VAR_OUTGOING_PORT_AVOID = 346, /* VAR_OUTGOING_PORT_AVOID  */
+    VAR_DLV_ANCHOR_FILE = 347,     /* VAR_DLV_ANCHOR_FILE  */
+    VAR_DLV_ANCHOR = 348,          /* VAR_DLV_ANCHOR  */
+    VAR_NEG_CACHE_SIZE = 349,      /* VAR_NEG_CACHE_SIZE  */
+    VAR_HARDEN_REFERRAL_PATH = 350, /* VAR_HARDEN_REFERRAL_PATH  */
+    VAR_PRIVATE_ADDRESS = 351,     /* VAR_PRIVATE_ADDRESS  */
+    VAR_PRIVATE_DOMAIN = 352,      /* VAR_PRIVATE_DOMAIN  */
+    VAR_REMOTE_CONTROL = 353,      /* VAR_REMOTE_CONTROL  */
+    VAR_CONTROL_ENABLE = 354,      /* VAR_CONTROL_ENABLE  */
+    VAR_CONTROL_INTERFACE = 355,   /* VAR_CONTROL_INTERFACE  */
+    VAR_CONTROL_PORT = 356,        /* VAR_CONTROL_PORT  */
+    VAR_SERVER_KEY_FILE = 357,     /* VAR_SERVER_KEY_FILE  */
+    VAR_SERVER_CERT_FILE = 358,    /* VAR_SERVER_CERT_FILE  */
+    VAR_CONTROL_KEY_FILE = 359,    /* VAR_CONTROL_KEY_FILE  */
+    VAR_CONTROL_CERT_FILE = 360,   /* VAR_CONTROL_CERT_FILE  */
+    VAR_CONTROL_USE_CERT = 361,    /* VAR_CONTROL_USE_CERT  */
+    VAR_TCP_REUSE_TIMEOUT = 362,   /* VAR_TCP_REUSE_TIMEOUT  */
+    VAR_MAX_REUSE_TCP_QUERIES = 363, /* VAR_MAX_REUSE_TCP_QUERIES  */
+    VAR_EXTENDED_STATISTICS = 364, /* VAR_EXTENDED_STATISTICS  */
+    VAR_LOCAL_DATA_PTR = 365,      /* VAR_LOCAL_DATA_PTR  */
+    VAR_JOSTLE_TIMEOUT = 366,      /* VAR_JOSTLE_TIMEOUT  */
+    VAR_STUB_PRIME = 367,          /* VAR_STUB_PRIME  */
+    VAR_UNWANTED_REPLY_THRESHOLD = 368, /* VAR_UNWANTED_REPLY_THRESHOLD  */
+    VAR_LOG_TIME_ASCII = 369,      /* VAR_LOG_TIME_ASCII  */
+    VAR_DOMAIN_INSECURE = 370,     /* VAR_DOMAIN_INSECURE  */
+    VAR_PYTHON = 371,              /* VAR_PYTHON  */
+    VAR_PYTHON_SCRIPT = 372,       /* VAR_PYTHON_SCRIPT  */
+    VAR_VAL_SIG_SKEW_MIN = 373,    /* VAR_VAL_SIG_SKEW_MIN  */
+    VAR_VAL_SIG_SKEW_MAX = 374,    /* VAR_VAL_SIG_SKEW_MAX  */
+    VAR_VAL_MAX_RESTART = 375,     /* VAR_VAL_MAX_RESTART  */
+    VAR_CACHE_MIN_TTL = 376,       /* VAR_CACHE_MIN_TTL  */
+    VAR_VAL_LOG_LEVEL = 377,       /* VAR_VAL_LOG_LEVEL  */
+    VAR_AUTO_TRUST_ANCHOR_FILE = 378, /* VAR_AUTO_TRUST_ANCHOR_FILE  */
+    VAR_KEEP_MISSING = 379,        /* VAR_KEEP_MISSING  */
+    VAR_ADD_HOLDDOWN = 380,        /* VAR_ADD_HOLDDOWN  */
+    VAR_DEL_HOLDDOWN = 381,        /* VAR_DEL_HOLDDOWN  */
+    VAR_SO_RCVBUF = 382,           /* VAR_SO_RCVBUF  */
+    VAR_EDNS_BUFFER_SIZE = 383,    /* VAR_EDNS_BUFFER_SIZE  */
+    VAR_PREFETCH = 384,            /* VAR_PREFETCH  */
+    VAR_PREFETCH_KEY = 385,        /* VAR_PREFETCH_KEY  */
+    VAR_SO_SNDBUF = 386,           /* VAR_SO_SNDBUF  */
+    VAR_SO_REUSEPORT = 387,        /* VAR_SO_REUSEPORT  */
+    VAR_HARDEN_BELOW_NXDOMAIN = 388, /* VAR_HARDEN_BELOW_NXDOMAIN  */
+    VAR_IGNORE_CD_FLAG = 389,      /* VAR_IGNORE_CD_FLAG  */
+    VAR_LOG_QUERIES = 390,         /* VAR_LOG_QUERIES  */
+    VAR_LOG_REPLIES = 391,         /* VAR_LOG_REPLIES  */
+    VAR_LOG_LOCAL_ACTIONS = 392,   /* VAR_LOG_LOCAL_ACTIONS  */
+    VAR_TCP_UPSTREAM = 393,        /* VAR_TCP_UPSTREAM  */
+    VAR_SSL_UPSTREAM = 394,        /* VAR_SSL_UPSTREAM  */
+    VAR_TCP_AUTH_QUERY_TIMEOUT = 395, /* VAR_TCP_AUTH_QUERY_TIMEOUT  */
+    VAR_SSL_SERVICE_KEY = 396,     /* VAR_SSL_SERVICE_KEY  */
+    VAR_SSL_SERVICE_PEM = 397,     /* VAR_SSL_SERVICE_PEM  */
+    VAR_SSL_PORT = 398,            /* VAR_SSL_PORT  */
+    VAR_FORWARD_FIRST = 399,       /* VAR_FORWARD_FIRST  */
+    VAR_STUB_SSL_UPSTREAM = 400,   /* VAR_STUB_SSL_UPSTREAM  */
+    VAR_FORWARD_SSL_UPSTREAM = 401, /* VAR_FORWARD_SSL_UPSTREAM  */
+    VAR_TLS_CERT_BUNDLE = 402,     /* VAR_TLS_CERT_BUNDLE  */
+    VAR_STUB_TCP_UPSTREAM = 403,   /* VAR_STUB_TCP_UPSTREAM  */
+    VAR_FORWARD_TCP_UPSTREAM = 404, /* VAR_FORWARD_TCP_UPSTREAM  */
+    VAR_HTTPS_PORT = 405,          /* VAR_HTTPS_PORT  */
+    VAR_HTTP_ENDPOINT = 406,       /* VAR_HTTP_ENDPOINT  */
+    VAR_HTTP_MAX_STREAMS = 407,    /* VAR_HTTP_MAX_STREAMS  */
+    VAR_HTTP_QUERY_BUFFER_SIZE = 408, /* VAR_HTTP_QUERY_BUFFER_SIZE  */
+    VAR_HTTP_RESPONSE_BUFFER_SIZE = 409, /* VAR_HTTP_RESPONSE_BUFFER_SIZE  */
+    VAR_HTTP_NODELAY = 410,        /* VAR_HTTP_NODELAY  */
+    VAR_HTTP_NOTLS_DOWNSTREAM = 411, /* VAR_HTTP_NOTLS_DOWNSTREAM  */
+    VAR_STUB_FIRST = 412,          /* VAR_STUB_FIRST  */
+    VAR_MINIMAL_RESPONSES = 413,   /* VAR_MINIMAL_RESPONSES  */
+    VAR_RRSET_ROUNDROBIN = 414,    /* VAR_RRSET_ROUNDROBIN  */
+    VAR_MAX_UDP_SIZE = 415,        /* VAR_MAX_UDP_SIZE  */
+    VAR_DELAY_CLOSE = 416,         /* VAR_DELAY_CLOSE  */
+    VAR_UDP_CONNECT = 417,         /* VAR_UDP_CONNECT  */
+    VAR_UNBLOCK_LAN_ZONES = 418,   /* VAR_UNBLOCK_LAN_ZONES  */
+    VAR_INSECURE_LAN_ZONES = 419,  /* VAR_INSECURE_LAN_ZONES  */
+    VAR_INFRA_CACHE_MIN_RTT = 420, /* VAR_INFRA_CACHE_MIN_RTT  */
+    VAR_INFRA_CACHE_MAX_RTT = 421, /* VAR_INFRA_CACHE_MAX_RTT  */
+    VAR_INFRA_KEEP_PROBING = 422,  /* VAR_INFRA_KEEP_PROBING  */
+    VAR_DNS64_PREFIX = 423,        /* VAR_DNS64_PREFIX  */
+    VAR_DNS64_SYNTHALL = 424,      /* VAR_DNS64_SYNTHALL  */
+    VAR_DNS64_IGNORE_AAAA = 425,   /* VAR_DNS64_IGNORE_AAAA  */
+    VAR_NAT64_PREFIX = 426,        /* VAR_NAT64_PREFIX  */
+    VAR_DNSTAP = 427,              /* VAR_DNSTAP  */
+    VAR_DNSTAP_ENABLE = 428,       /* VAR_DNSTAP_ENABLE  */
+    VAR_DNSTAP_SOCKET_PATH = 429,  /* VAR_DNSTAP_SOCKET_PATH  */
+    VAR_DNSTAP_IP = 430,           /* VAR_DNSTAP_IP  */
+    VAR_DNSTAP_TLS = 431,          /* VAR_DNSTAP_TLS  */
+    VAR_DNSTAP_TLS_SERVER_NAME = 432, /* VAR_DNSTAP_TLS_SERVER_NAME  */
+    VAR_DNSTAP_TLS_CERT_BUNDLE = 433, /* VAR_DNSTAP_TLS_CERT_BUNDLE  */
+    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 434, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE  */
+    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 435, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE  */
+    VAR_DNSTAP_SEND_IDENTITY = 436, /* VAR_DNSTAP_SEND_IDENTITY  */
+    VAR_DNSTAP_SEND_VERSION = 437, /* VAR_DNSTAP_SEND_VERSION  */
+    VAR_DNSTAP_BIDIRECTIONAL = 438, /* VAR_DNSTAP_BIDIRECTIONAL  */
+    VAR_DNSTAP_IDENTITY = 439,     /* VAR_DNSTAP_IDENTITY  */
+    VAR_DNSTAP_VERSION = 440,      /* VAR_DNSTAP_VERSION  */
+    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 441, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES  */
+    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 442, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES  */
+    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 443, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES  */
+    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 444, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES  */
+    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 445, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES  */
+    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 446, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES  */
+    VAR_RESPONSE_IP_TAG = 447,     /* VAR_RESPONSE_IP_TAG  */
+    VAR_RESPONSE_IP = 448,         /* VAR_RESPONSE_IP  */
+    VAR_RESPONSE_IP_DATA = 449,    /* VAR_RESPONSE_IP_DATA  */
+    VAR_HARDEN_ALGO_DOWNGRADE = 450, /* VAR_HARDEN_ALGO_DOWNGRADE  */
+    VAR_IP_TRANSPARENT = 451,      /* VAR_IP_TRANSPARENT  */
+    VAR_IP_DSCP = 452,             /* VAR_IP_DSCP  */
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 453, /* VAR_DISABLE_DNSSEC_LAME_CHECK  */
+    VAR_IP_RATELIMIT = 454,        /* VAR_IP_RATELIMIT  */
+    VAR_IP_RATELIMIT_SLABS = 455,  /* VAR_IP_RATELIMIT_SLABS  */
+    VAR_IP_RATELIMIT_SIZE = 456,   /* VAR_IP_RATELIMIT_SIZE  */
+    VAR_RATELIMIT = 457,           /* VAR_RATELIMIT  */
+    VAR_RATELIMIT_SLABS = 458,     /* VAR_RATELIMIT_SLABS  */
+    VAR_RATELIMIT_SIZE = 459,      /* VAR_RATELIMIT_SIZE  */
+    VAR_OUTBOUND_MSG_RETRY = 460,  /* VAR_OUTBOUND_MSG_RETRY  */
+    VAR_MAX_SENT_COUNT = 461,      /* VAR_MAX_SENT_COUNT  */
+    VAR_MAX_QUERY_RESTARTS = 462,  /* VAR_MAX_QUERY_RESTARTS  */
+    VAR_RATELIMIT_FOR_DOMAIN = 463, /* VAR_RATELIMIT_FOR_DOMAIN  */
+    VAR_RATELIMIT_BELOW_DOMAIN = 464, /* VAR_RATELIMIT_BELOW_DOMAIN  */
+    VAR_IP_RATELIMIT_FACTOR = 465, /* VAR_IP_RATELIMIT_FACTOR  */
+    VAR_RATELIMIT_FACTOR = 466,    /* VAR_RATELIMIT_FACTOR  */
+    VAR_IP_RATELIMIT_BACKOFF = 467, /* VAR_IP_RATELIMIT_BACKOFF  */
+    VAR_RATELIMIT_BACKOFF = 468,   /* VAR_RATELIMIT_BACKOFF  */
+    VAR_SEND_CLIENT_SUBNET = 469,  /* VAR_SEND_CLIENT_SUBNET  */
+    VAR_CLIENT_SUBNET_ZONE = 470,  /* VAR_CLIENT_SUBNET_ZONE  */
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 471, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD  */
+    VAR_CLIENT_SUBNET_OPCODE = 472, /* VAR_CLIENT_SUBNET_OPCODE  */
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 473, /* VAR_MAX_CLIENT_SUBNET_IPV4  */
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 474, /* VAR_MAX_CLIENT_SUBNET_IPV6  */
+    VAR_MIN_CLIENT_SUBNET_IPV4 = 475, /* VAR_MIN_CLIENT_SUBNET_IPV4  */
+    VAR_MIN_CLIENT_SUBNET_IPV6 = 476, /* VAR_MIN_CLIENT_SUBNET_IPV6  */
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 477, /* VAR_MAX_ECS_TREE_SIZE_IPV4  */
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 478, /* VAR_MAX_ECS_TREE_SIZE_IPV6  */
+    VAR_CAPS_WHITELIST = 479,      /* VAR_CAPS_WHITELIST  */
+    VAR_CACHE_MAX_NEGATIVE_TTL = 480, /* VAR_CACHE_MAX_NEGATIVE_TTL  */
+    VAR_PERMIT_SMALL_HOLDDOWN = 481, /* VAR_PERMIT_SMALL_HOLDDOWN  */
+    VAR_QNAME_MINIMISATION = 482,  /* VAR_QNAME_MINIMISATION  */
+    VAR_QNAME_MINIMISATION_STRICT = 483, /* VAR_QNAME_MINIMISATION_STRICT  */
+    VAR_IP_FREEBIND = 484,         /* VAR_IP_FREEBIND  */
+    VAR_DEFINE_TAG = 485,          /* VAR_DEFINE_TAG  */
+    VAR_LOCAL_ZONE_TAG = 486,      /* VAR_LOCAL_ZONE_TAG  */
+    VAR_ACCESS_CONTROL_TAG = 487,  /* VAR_ACCESS_CONTROL_TAG  */
+    VAR_LOCAL_ZONE_OVERRIDE = 488, /* VAR_LOCAL_ZONE_OVERRIDE  */
+    VAR_ACCESS_CONTROL_TAG_ACTION = 489, /* VAR_ACCESS_CONTROL_TAG_ACTION  */
+    VAR_ACCESS_CONTROL_TAG_DATA = 490, /* VAR_ACCESS_CONTROL_TAG_DATA  */
+    VAR_VIEW = 491,                /* VAR_VIEW  */
+    VAR_ACCESS_CONTROL_VIEW = 492, /* VAR_ACCESS_CONTROL_VIEW  */
+    VAR_VIEW_FIRST = 493,          /* VAR_VIEW_FIRST  */
+    VAR_SERVE_EXPIRED = 494,       /* VAR_SERVE_EXPIRED  */
+    VAR_SERVE_EXPIRED_TTL = 495,   /* VAR_SERVE_EXPIRED_TTL  */
+    VAR_SERVE_EXPIRED_TTL_RESET = 496, /* VAR_SERVE_EXPIRED_TTL_RESET  */
+    VAR_SERVE_EXPIRED_REPLY_TTL = 497, /* VAR_SERVE_EXPIRED_REPLY_TTL  */
+    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 498, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT  */
+    VAR_EDE_SERVE_EXPIRED = 499,   /* VAR_EDE_SERVE_EXPIRED  */
+    VAR_SERVE_ORIGINAL_TTL = 500,  /* VAR_SERVE_ORIGINAL_TTL  */
+    VAR_FAKE_DSA = 501,            /* VAR_FAKE_DSA  */
+    VAR_FAKE_SHA1 = 502,           /* VAR_FAKE_SHA1  */
+    VAR_LOG_IDENTITY = 503,        /* VAR_LOG_IDENTITY  */
+    VAR_HIDE_TRUSTANCHOR = 504,    /* VAR_HIDE_TRUSTANCHOR  */
+    VAR_HIDE_HTTP_USER_AGENT = 505, /* VAR_HIDE_HTTP_USER_AGENT  */
+    VAR_HTTP_USER_AGENT = 506,     /* VAR_HTTP_USER_AGENT  */
+    VAR_TRUST_ANCHOR_SIGNALING = 507, /* VAR_TRUST_ANCHOR_SIGNALING  */
+    VAR_AGGRESSIVE_NSEC = 508,     /* VAR_AGGRESSIVE_NSEC  */
+    VAR_USE_SYSTEMD = 509,         /* VAR_USE_SYSTEMD  */
+    VAR_SHM_ENABLE = 510,          /* VAR_SHM_ENABLE  */
+    VAR_SHM_KEY = 511,             /* VAR_SHM_KEY  */
+    VAR_ROOT_KEY_SENTINEL = 512,   /* VAR_ROOT_KEY_SENTINEL  */
+    VAR_DNSCRYPT = 513,            /* VAR_DNSCRYPT  */
+    VAR_DNSCRYPT_ENABLE = 514,     /* VAR_DNSCRYPT_ENABLE  */
+    VAR_DNSCRYPT_PORT = 515,       /* VAR_DNSCRYPT_PORT  */
+    VAR_DNSCRYPT_PROVIDER = 516,   /* VAR_DNSCRYPT_PROVIDER  */
+    VAR_DNSCRYPT_SECRET_KEY = 517, /* VAR_DNSCRYPT_SECRET_KEY  */
+    VAR_DNSCRYPT_PROVIDER_CERT = 518, /* VAR_DNSCRYPT_PROVIDER_CERT  */
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 519, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED  */
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 520, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE  */
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 521, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS  */
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 522, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE  */
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 523, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS  */
+    VAR_PAD_RESPONSES = 524,       /* VAR_PAD_RESPONSES  */
+    VAR_PAD_RESPONSES_BLOCK_SIZE = 525, /* VAR_PAD_RESPONSES_BLOCK_SIZE  */
+    VAR_PAD_QUERIES = 526,         /* VAR_PAD_QUERIES  */
+    VAR_PAD_QUERIES_BLOCK_SIZE = 527, /* VAR_PAD_QUERIES_BLOCK_SIZE  */
+    VAR_IPSECMOD_ENABLED = 528,    /* VAR_IPSECMOD_ENABLED  */
+    VAR_IPSECMOD_HOOK = 529,       /* VAR_IPSECMOD_HOOK  */
+    VAR_IPSECMOD_IGNORE_BOGUS = 530, /* VAR_IPSECMOD_IGNORE_BOGUS  */
+    VAR_IPSECMOD_MAX_TTL = 531,    /* VAR_IPSECMOD_MAX_TTL  */
+    VAR_IPSECMOD_WHITELIST = 532,  /* VAR_IPSECMOD_WHITELIST  */
+    VAR_IPSECMOD_STRICT = 533,     /* VAR_IPSECMOD_STRICT  */
+    VAR_CACHEDB = 534,             /* VAR_CACHEDB  */
+    VAR_CACHEDB_BACKEND = 535,     /* VAR_CACHEDB_BACKEND  */
+    VAR_CACHEDB_SECRETSEED = 536,  /* VAR_CACHEDB_SECRETSEED  */
+    VAR_CACHEDB_REDISHOST = 537,   /* VAR_CACHEDB_REDISHOST  */
+    VAR_CACHEDB_REDISPORT = 538,   /* VAR_CACHEDB_REDISPORT  */
+    VAR_CACHEDB_REDISTIMEOUT = 539, /* VAR_CACHEDB_REDISTIMEOUT  */
+    VAR_CACHEDB_REDISEXPIRERECORDS = 540, /* VAR_CACHEDB_REDISEXPIRERECORDS  */
+    VAR_CACHEDB_REDISPATH = 541,   /* VAR_CACHEDB_REDISPATH  */
+    VAR_CACHEDB_REDISPASSWORD = 542, /* VAR_CACHEDB_REDISPASSWORD  */
+    VAR_CACHEDB_REDISLOGICALDB = 543, /* VAR_CACHEDB_REDISLOGICALDB  */
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 544, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM  */
+    VAR_FOR_UPSTREAM = 545,        /* VAR_FOR_UPSTREAM  */
+    VAR_AUTH_ZONE = 546,           /* VAR_AUTH_ZONE  */
+    VAR_ZONEFILE = 547,            /* VAR_ZONEFILE  */
+    VAR_MASTER = 548,              /* VAR_MASTER  */
+    VAR_URL = 549,                 /* VAR_URL  */
+    VAR_FOR_DOWNSTREAM = 550,      /* VAR_FOR_DOWNSTREAM  */
+    VAR_FALLBACK_ENABLED = 551,    /* VAR_FALLBACK_ENABLED  */
+    VAR_TLS_ADDITIONAL_PORT = 552, /* VAR_TLS_ADDITIONAL_PORT  */
+    VAR_LOW_RTT = 553,             /* VAR_LOW_RTT  */
+    VAR_LOW_RTT_PERMIL = 554,      /* VAR_LOW_RTT_PERMIL  */
+    VAR_FAST_SERVER_PERMIL = 555,  /* VAR_FAST_SERVER_PERMIL  */
+    VAR_FAST_SERVER_NUM = 556,     /* VAR_FAST_SERVER_NUM  */
+    VAR_ALLOW_NOTIFY = 557,        /* VAR_ALLOW_NOTIFY  */
+    VAR_TLS_WIN_CERT = 558,        /* VAR_TLS_WIN_CERT  */
+    VAR_TCP_CONNECTION_LIMIT = 559, /* VAR_TCP_CONNECTION_LIMIT  */
+    VAR_ANSWER_COOKIE = 560,       /* VAR_ANSWER_COOKIE  */
+    VAR_COOKIE_SECRET = 561,       /* VAR_COOKIE_SECRET  */
+    VAR_IP_RATELIMIT_COOKIE = 562, /* VAR_IP_RATELIMIT_COOKIE  */
+    VAR_FORWARD_NO_CACHE = 563,    /* VAR_FORWARD_NO_CACHE  */
+    VAR_STUB_NO_CACHE = 564,       /* VAR_STUB_NO_CACHE  */
+    VAR_LOG_SERVFAIL = 565,        /* VAR_LOG_SERVFAIL  */
+    VAR_DENY_ANY = 566,            /* VAR_DENY_ANY  */
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 567, /* VAR_UNKNOWN_SERVER_TIME_LIMIT  */
+    VAR_LOG_TAG_QUERYREPLY = 568,  /* VAR_LOG_TAG_QUERYREPLY  */
+    VAR_STREAM_WAIT_SIZE = 569,    /* VAR_STREAM_WAIT_SIZE  */
+    VAR_TLS_CIPHERS = 570,         /* VAR_TLS_CIPHERS  */
+    VAR_TLS_CIPHERSUITES = 571,    /* VAR_TLS_CIPHERSUITES  */
+    VAR_TLS_USE_SNI = 572,         /* VAR_TLS_USE_SNI  */
+    VAR_IPSET = 573,               /* VAR_IPSET  */
+    VAR_IPSET_NAME_V4 = 574,       /* VAR_IPSET_NAME_V4  */
+    VAR_IPSET_NAME_V6 = 575,       /* VAR_IPSET_NAME_V6  */
+    VAR_TLS_SESSION_TICKET_KEYS = 576, /* VAR_TLS_SESSION_TICKET_KEYS  */
+    VAR_RPZ = 577,                 /* VAR_RPZ  */
+    VAR_TAGS = 578,                /* VAR_TAGS  */
+    VAR_RPZ_ACTION_OVERRIDE = 579, /* VAR_RPZ_ACTION_OVERRIDE  */
+    VAR_RPZ_CNAME_OVERRIDE = 580,  /* VAR_RPZ_CNAME_OVERRIDE  */
+    VAR_RPZ_LOG = 581,             /* VAR_RPZ_LOG  */
+    VAR_RPZ_LOG_NAME = 582,        /* VAR_RPZ_LOG_NAME  */
+    VAR_DYNLIB = 583,              /* VAR_DYNLIB  */
+    VAR_DYNLIB_FILE = 584,         /* VAR_DYNLIB_FILE  */
+    VAR_EDNS_CLIENT_STRING = 585,  /* VAR_EDNS_CLIENT_STRING  */
+    VAR_EDNS_CLIENT_STRING_OPCODE = 586, /* VAR_EDNS_CLIENT_STRING_OPCODE  */
+    VAR_NSID = 587,                /* VAR_NSID  */
+    VAR_ZONEMD_PERMISSIVE_MODE = 588, /* VAR_ZONEMD_PERMISSIVE_MODE  */
+    VAR_ZONEMD_CHECK = 589,        /* VAR_ZONEMD_CHECK  */
+    VAR_ZONEMD_REJECT_ABSENCE = 590, /* VAR_ZONEMD_REJECT_ABSENCE  */
+    VAR_RPZ_SIGNAL_NXDOMAIN_RA = 591, /* VAR_RPZ_SIGNAL_NXDOMAIN_RA  */
+    VAR_INTERFACE_AUTOMATIC_PORTS = 592, /* VAR_INTERFACE_AUTOMATIC_PORTS  */
+    VAR_EDE = 593,                 /* VAR_EDE  */
+    VAR_INTERFACE_ACTION = 594,    /* VAR_INTERFACE_ACTION  */
+    VAR_INTERFACE_VIEW = 595,      /* VAR_INTERFACE_VIEW  */
+    VAR_INTERFACE_TAG = 596,       /* VAR_INTERFACE_TAG  */
+    VAR_INTERFACE_TAG_ACTION = 597, /* VAR_INTERFACE_TAG_ACTION  */
+    VAR_INTERFACE_TAG_DATA = 598,  /* VAR_INTERFACE_TAG_DATA  */
+    VAR_PROXY_PROTOCOL_PORT = 599, /* VAR_PROXY_PROTOCOL_PORT  */
+    VAR_STATISTICS_INHIBIT_ZERO = 600, /* VAR_STATISTICS_INHIBIT_ZERO  */
+    VAR_HARDEN_UNKNOWN_ADDITIONAL = 601, /* VAR_HARDEN_UNKNOWN_ADDITIONAL  */
+    VAR_DISABLE_EDNS_DO = 602,     /* VAR_DISABLE_EDNS_DO  */
+    VAR_CACHEDB_NO_STORE = 603,    /* VAR_CACHEDB_NO_STORE  */
+    VAR_LOG_DESTADDR = 604         /* VAR_LOG_DESTADDR  */
+  };
+  typedef enum yytokentype yytoken_kind_t;
+#endif
+/* Token kinds.  */
+#define YYEMPTY -2
+#define YYEOF 0
+#define YYerror 256
+#define YYUNDEF 257
+#define SPACE 258
+#define LETTER 259
+#define NEWLINE 260
+#define COMMENT 261
+#define COLON 262
+#define ANY 263
+#define ZONESTR 264
+#define STRING_ARG 265
+#define VAR_FORCE_TOPLEVEL 266
+#define VAR_SERVER 267
+#define VAR_VERBOSITY 268
+#define VAR_NUM_THREADS 269
+#define VAR_PORT 270
+#define VAR_OUTGOING_RANGE 271
+#define VAR_INTERFACE 272
+#define VAR_PREFER_IP4 273
+#define VAR_DO_IP4 274
+#define VAR_DO_IP6 275
+#define VAR_DO_NAT64 276
+#define VAR_PREFER_IP6 277
+#define VAR_DO_UDP 278
+#define VAR_DO_TCP 279
+#define VAR_TCP_MSS 280
+#define VAR_OUTGOING_TCP_MSS 281
+#define VAR_TCP_IDLE_TIMEOUT 282
+#define VAR_EDNS_TCP_KEEPALIVE 283
+#define VAR_EDNS_TCP_KEEPALIVE_TIMEOUT 284
+#define VAR_SOCK_QUEUE_TIMEOUT 285
+#define VAR_CHROOT 286
+#define VAR_USERNAME 287
+#define VAR_DIRECTORY 288
+#define VAR_LOGFILE 289
+#define VAR_PIDFILE 290
+#define VAR_MSG_CACHE_SIZE 291
+#define VAR_MSG_CACHE_SLABS 292
+#define VAR_NUM_QUERIES_PER_THREAD 293
+#define VAR_RRSET_CACHE_SIZE 294
+#define VAR_RRSET_CACHE_SLABS 295
+#define VAR_OUTGOING_NUM_TCP 296
+#define VAR_INFRA_HOST_TTL 297
+#define VAR_INFRA_LAME_TTL 298
+#define VAR_INFRA_CACHE_SLABS 299
+#define VAR_INFRA_CACHE_NUMHOSTS 300
+#define VAR_INFRA_CACHE_LAME_SIZE 301
+#define VAR_NAME 302
+#define VAR_STUB_ZONE 303
+#define VAR_STUB_HOST 304
+#define VAR_STUB_ADDR 305
+#define VAR_TARGET_FETCH_POLICY 306
+#define VAR_HARDEN_SHORT_BUFSIZE 307
+#define VAR_HARDEN_LARGE_QUERIES 308
+#define VAR_FORWARD_ZONE 309
+#define VAR_FORWARD_HOST 310
+#define VAR_FORWARD_ADDR 311
+#define VAR_DO_NOT_QUERY_ADDRESS 312
+#define VAR_HIDE_IDENTITY 313
+#define VAR_HIDE_VERSION 314
+#define VAR_IDENTITY 315
+#define VAR_VERSION 316
+#define VAR_HARDEN_GLUE 317
+#define VAR_MODULE_CONF 318
+#define VAR_TRUST_ANCHOR_FILE 319
+#define VAR_TRUST_ANCHOR 320
+#define VAR_VAL_OVERRIDE_DATE 321
+#define VAR_BOGUS_TTL 322
+#define VAR_VAL_CLEAN_ADDITIONAL 323
+#define VAR_VAL_PERMISSIVE_MODE 324
+#define VAR_INCOMING_NUM_TCP 325
+#define VAR_MSG_BUFFER_SIZE 326
+#define VAR_KEY_CACHE_SIZE 327
+#define VAR_KEY_CACHE_SLABS 328
+#define VAR_TRUSTED_KEYS_FILE 329
+#define VAR_VAL_NSEC3_KEYSIZE_ITERATIONS 330
+#define VAR_USE_SYSLOG 331
+#define VAR_OUTGOING_INTERFACE 332
+#define VAR_ROOT_HINTS 333
+#define VAR_DO_NOT_QUERY_LOCALHOST 334
+#define VAR_CACHE_MAX_TTL 335
+#define VAR_HARDEN_DNSSEC_STRIPPED 336
+#define VAR_ACCESS_CONTROL 337
+#define VAR_LOCAL_ZONE 338
+#define VAR_LOCAL_DATA 339
+#define VAR_INTERFACE_AUTOMATIC 340
+#define VAR_STATISTICS_INTERVAL 341
+#define VAR_DO_DAEMONIZE 342
+#define VAR_USE_CAPS_FOR_ID 343
+#define VAR_STATISTICS_CUMULATIVE 344
+#define VAR_OUTGOING_PORT_PERMIT 345
+#define VAR_OUTGOING_PORT_AVOID 346
+#define VAR_DLV_ANCHOR_FILE 347
+#define VAR_DLV_ANCHOR 348
+#define VAR_NEG_CACHE_SIZE 349
+#define VAR_HARDEN_REFERRAL_PATH 350
+#define VAR_PRIVATE_ADDRESS 351
+#define VAR_PRIVATE_DOMAIN 352
+#define VAR_REMOTE_CONTROL 353
+#define VAR_CONTROL_ENABLE 354
+#define VAR_CONTROL_INTERFACE 355
+#define VAR_CONTROL_PORT 356
+#define VAR_SERVER_KEY_FILE 357
+#define VAR_SERVER_CERT_FILE 358
+#define VAR_CONTROL_KEY_FILE 359
+#define VAR_CONTROL_CERT_FILE 360
+#define VAR_CONTROL_USE_CERT 361
+#define VAR_TCP_REUSE_TIMEOUT 362
+#define VAR_MAX_REUSE_TCP_QUERIES 363
+#define VAR_EXTENDED_STATISTICS 364
+#define VAR_LOCAL_DATA_PTR 365
+#define VAR_JOSTLE_TIMEOUT 366
+#define VAR_STUB_PRIME 367
+#define VAR_UNWANTED_REPLY_THRESHOLD 368
+#define VAR_LOG_TIME_ASCII 369
+#define VAR_DOMAIN_INSECURE 370
+#define VAR_PYTHON 371
+#define VAR_PYTHON_SCRIPT 372
+#define VAR_VAL_SIG_SKEW_MIN 373
+#define VAR_VAL_SIG_SKEW_MAX 374
+#define VAR_VAL_MAX_RESTART 375
+#define VAR_CACHE_MIN_TTL 376
+#define VAR_VAL_LOG_LEVEL 377
+#define VAR_AUTO_TRUST_ANCHOR_FILE 378
+#define VAR_KEEP_MISSING 379
+#define VAR_ADD_HOLDDOWN 380
+#define VAR_DEL_HOLDDOWN 381
+#define VAR_SO_RCVBUF 382
+#define VAR_EDNS_BUFFER_SIZE 383
+#define VAR_PREFETCH 384
+#define VAR_PREFETCH_KEY 385
+#define VAR_SO_SNDBUF 386
+#define VAR_SO_REUSEPORT 387
+#define VAR_HARDEN_BELOW_NXDOMAIN 388
+#define VAR_IGNORE_CD_FLAG 389
+#define VAR_LOG_QUERIES 390
+#define VAR_LOG_REPLIES 391
+#define VAR_LOG_LOCAL_ACTIONS 392
+#define VAR_TCP_UPSTREAM 393
+#define VAR_SSL_UPSTREAM 394
+#define VAR_TCP_AUTH_QUERY_TIMEOUT 395
+#define VAR_SSL_SERVICE_KEY 396
+#define VAR_SSL_SERVICE_PEM 397
+#define VAR_SSL_PORT 398
+#define VAR_FORWARD_FIRST 399
+#define VAR_STUB_SSL_UPSTREAM 400
+#define VAR_FORWARD_SSL_UPSTREAM 401
+#define VAR_TLS_CERT_BUNDLE 402
+#define VAR_STUB_TCP_UPSTREAM 403
+#define VAR_FORWARD_TCP_UPSTREAM 404
+#define VAR_HTTPS_PORT 405
+#define VAR_HTTP_ENDPOINT 406
+#define VAR_HTTP_MAX_STREAMS 407
+#define VAR_HTTP_QUERY_BUFFER_SIZE 408
+#define VAR_HTTP_RESPONSE_BUFFER_SIZE 409
+#define VAR_HTTP_NODELAY 410
+#define VAR_HTTP_NOTLS_DOWNSTREAM 411
+#define VAR_STUB_FIRST 412
+#define VAR_MINIMAL_RESPONSES 413
+#define VAR_RRSET_ROUNDROBIN 414
+#define VAR_MAX_UDP_SIZE 415
+#define VAR_DELAY_CLOSE 416
+#define VAR_UDP_CONNECT 417
+#define VAR_UNBLOCK_LAN_ZONES 418
+#define VAR_INSECURE_LAN_ZONES 419
+#define VAR_INFRA_CACHE_MIN_RTT 420
+#define VAR_INFRA_CACHE_MAX_RTT 421
+#define VAR_INFRA_KEEP_PROBING 422
+#define VAR_DNS64_PREFIX 423
+#define VAR_DNS64_SYNTHALL 424
+#define VAR_DNS64_IGNORE_AAAA 425
+#define VAR_NAT64_PREFIX 426
+#define VAR_DNSTAP 427
+#define VAR_DNSTAP_ENABLE 428
+#define VAR_DNSTAP_SOCKET_PATH 429
+#define VAR_DNSTAP_IP 430
+#define VAR_DNSTAP_TLS 431
+#define VAR_DNSTAP_TLS_SERVER_NAME 432
+#define VAR_DNSTAP_TLS_CERT_BUNDLE 433
+#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 434
+#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 435
+#define VAR_DNSTAP_SEND_IDENTITY 436
+#define VAR_DNSTAP_SEND_VERSION 437
+#define VAR_DNSTAP_BIDIRECTIONAL 438
+#define VAR_DNSTAP_IDENTITY 439
+#define VAR_DNSTAP_VERSION 440
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 441
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 442
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 443
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 444
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 445
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 446
+#define VAR_RESPONSE_IP_TAG 447
+#define VAR_RESPONSE_IP 448
+#define VAR_RESPONSE_IP_DATA 449
+#define VAR_HARDEN_ALGO_DOWNGRADE 450
+#define VAR_IP_TRANSPARENT 451
+#define VAR_IP_DSCP 452
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 453
+#define VAR_IP_RATELIMIT 454
+#define VAR_IP_RATELIMIT_SLABS 455
+#define VAR_IP_RATELIMIT_SIZE 456
+#define VAR_RATELIMIT 457
+#define VAR_RATELIMIT_SLABS 458
+#define VAR_RATELIMIT_SIZE 459
+#define VAR_OUTBOUND_MSG_RETRY 460
+#define VAR_MAX_SENT_COUNT 461
+#define VAR_MAX_QUERY_RESTARTS 462
+#define VAR_RATELIMIT_FOR_DOMAIN 463
+#define VAR_RATELIMIT_BELOW_DOMAIN 464
+#define VAR_IP_RATELIMIT_FACTOR 465
+#define VAR_RATELIMIT_FACTOR 466
+#define VAR_IP_RATELIMIT_BACKOFF 467
+#define VAR_RATELIMIT_BACKOFF 468
+#define VAR_SEND_CLIENT_SUBNET 469
+#define VAR_CLIENT_SUBNET_ZONE 470
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 471
+#define VAR_CLIENT_SUBNET_OPCODE 472
+#define VAR_MAX_CLIENT_SUBNET_IPV4 473
+#define VAR_MAX_CLIENT_SUBNET_IPV6 474
+#define VAR_MIN_CLIENT_SUBNET_IPV4 475
+#define VAR_MIN_CLIENT_SUBNET_IPV6 476
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 477
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 478
+#define VAR_CAPS_WHITELIST 479
+#define VAR_CACHE_MAX_NEGATIVE_TTL 480
+#define VAR_PERMIT_SMALL_HOLDDOWN 481
+#define VAR_QNAME_MINIMISATION 482
+#define VAR_QNAME_MINIMISATION_STRICT 483
+#define VAR_IP_FREEBIND 484
+#define VAR_DEFINE_TAG 485
+#define VAR_LOCAL_ZONE_TAG 486
+#define VAR_ACCESS_CONTROL_TAG 487
+#define VAR_LOCAL_ZONE_OVERRIDE 488
+#define VAR_ACCESS_CONTROL_TAG_ACTION 489
+#define VAR_ACCESS_CONTROL_TAG_DATA 490
+#define VAR_VIEW 491
+#define VAR_ACCESS_CONTROL_VIEW 492
+#define VAR_VIEW_FIRST 493
+#define VAR_SERVE_EXPIRED 494
+#define VAR_SERVE_EXPIRED_TTL 495
+#define VAR_SERVE_EXPIRED_TTL_RESET 496
+#define VAR_SERVE_EXPIRED_REPLY_TTL 497
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 498
+#define VAR_EDE_SERVE_EXPIRED 499
+#define VAR_SERVE_ORIGINAL_TTL 500
+#define VAR_FAKE_DSA 501
+#define VAR_FAKE_SHA1 502
+#define VAR_LOG_IDENTITY 503
+#define VAR_HIDE_TRUSTANCHOR 504
+#define VAR_HIDE_HTTP_USER_AGENT 505
+#define VAR_HTTP_USER_AGENT 506
+#define VAR_TRUST_ANCHOR_SIGNALING 507
+#define VAR_AGGRESSIVE_NSEC 508
+#define VAR_USE_SYSTEMD 509
+#define VAR_SHM_ENABLE 510
+#define VAR_SHM_KEY 511
+#define VAR_ROOT_KEY_SENTINEL 512
+#define VAR_DNSCRYPT 513
+#define VAR_DNSCRYPT_ENABLE 514
+#define VAR_DNSCRYPT_PORT 515
+#define VAR_DNSCRYPT_PROVIDER 516
+#define VAR_DNSCRYPT_SECRET_KEY 517
+#define VAR_DNSCRYPT_PROVIDER_CERT 518
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 519
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 520
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 521
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 522
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 523
+#define VAR_PAD_RESPONSES 524
+#define VAR_PAD_RESPONSES_BLOCK_SIZE 525
+#define VAR_PAD_QUERIES 526
+#define VAR_PAD_QUERIES_BLOCK_SIZE 527
+#define VAR_IPSECMOD_ENABLED 528
+#define VAR_IPSECMOD_HOOK 529
+#define VAR_IPSECMOD_IGNORE_BOGUS 530
+#define VAR_IPSECMOD_MAX_TTL 531
+#define VAR_IPSECMOD_WHITELIST 532
+#define VAR_IPSECMOD_STRICT 533
+#define VAR_CACHEDB 534
+#define VAR_CACHEDB_BACKEND 535
+#define VAR_CACHEDB_SECRETSEED 536
+#define VAR_CACHEDB_REDISHOST 537
+#define VAR_CACHEDB_REDISPORT 538
+#define VAR_CACHEDB_REDISTIMEOUT 539
+#define VAR_CACHEDB_REDISEXPIRERECORDS 540
+#define VAR_CACHEDB_REDISPATH 541
+#define VAR_CACHEDB_REDISPASSWORD 542
+#define VAR_CACHEDB_REDISLOGICALDB 543
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 544
+#define VAR_FOR_UPSTREAM 545
+#define VAR_AUTH_ZONE 546
+#define VAR_ZONEFILE 547
+#define VAR_MASTER 548
+#define VAR_URL 549
+#define VAR_FOR_DOWNSTREAM 550
+#define VAR_FALLBACK_ENABLED 551
+#define VAR_TLS_ADDITIONAL_PORT 552
+#define VAR_LOW_RTT 553
+#define VAR_LOW_RTT_PERMIL 554
+#define VAR_FAST_SERVER_PERMIL 555
+#define VAR_FAST_SERVER_NUM 556
+#define VAR_ALLOW_NOTIFY 557
+#define VAR_TLS_WIN_CERT 558
+#define VAR_TCP_CONNECTION_LIMIT 559
+#define VAR_ANSWER_COOKIE 560
+#define VAR_COOKIE_SECRET 561
+#define VAR_IP_RATELIMIT_COOKIE 562
+#define VAR_FORWARD_NO_CACHE 563
+#define VAR_STUB_NO_CACHE 564
+#define VAR_LOG_SERVFAIL 565
+#define VAR_DENY_ANY 566
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 567
+#define VAR_LOG_TAG_QUERYREPLY 568
+#define VAR_STREAM_WAIT_SIZE 569
+#define VAR_TLS_CIPHERS 570
+#define VAR_TLS_CIPHERSUITES 571
+#define VAR_TLS_USE_SNI 572
+#define VAR_IPSET 573
+#define VAR_IPSET_NAME_V4 574
+#define VAR_IPSET_NAME_V6 575
+#define VAR_TLS_SESSION_TICKET_KEYS 576
+#define VAR_RPZ 577
+#define VAR_TAGS 578
+#define VAR_RPZ_ACTION_OVERRIDE 579
+#define VAR_RPZ_CNAME_OVERRIDE 580
+#define VAR_RPZ_LOG 581
+#define VAR_RPZ_LOG_NAME 582
+#define VAR_DYNLIB 583
+#define VAR_DYNLIB_FILE 584
+#define VAR_EDNS_CLIENT_STRING 585
+#define VAR_EDNS_CLIENT_STRING_OPCODE 586
+#define VAR_NSID 587
+#define VAR_ZONEMD_PERMISSIVE_MODE 588
+#define VAR_ZONEMD_CHECK 589
+#define VAR_ZONEMD_REJECT_ABSENCE 590
+#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 591
+#define VAR_INTERFACE_AUTOMATIC_PORTS 592
+#define VAR_EDE 593
+#define VAR_INTERFACE_ACTION 594
+#define VAR_INTERFACE_VIEW 595
+#define VAR_INTERFACE_TAG 596
+#define VAR_INTERFACE_TAG_ACTION 597
+#define VAR_INTERFACE_TAG_DATA 598
+#define VAR_PROXY_PROTOCOL_PORT 599
+#define VAR_STATISTICS_INHIBIT_ZERO 600
+#define VAR_HARDEN_UNKNOWN_ADDITIONAL 601
+#define VAR_DISABLE_EDNS_DO 602
+#define VAR_CACHEDB_NO_STORE 603
+#define VAR_LOG_DESTADDR 604
+
+/* Value type.  */
+#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+union YYSTYPE
+{
+#line 68 "util/configparser.y"
+
+	char*	str;
+
+#line 769 "util/configparser.h"
+
+};
+typedef union YYSTYPE YYSTYPE;
+# define YYSTYPE_IS_TRIVIAL 1
+# define YYSTYPE_IS_DECLARED 1
+#endif
+
+
+extern YYSTYPE yylval;
+
+int yyparse (void);
+
+#endif /* !YY_YY_UTIL_CONFIGPARSER_H_INCLUDED  */

contrib/unbound/util/configparser.y

@@ -200,6 +200,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA
 %token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO
 %token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO VAR_CACHEDB_NO_STORE
+%token VAR_LOG_DESTADDR
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -333,7 +334,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
 	server_interface_automatic_ports | server_ede |
 	server_proxy_protocol_port | server_statistics_inhibit_zero |
-	server_harden_unknown_additional | server_disable_edns_do
+	server_harden_unknown_additional | server_disable_edns_do |
+	server_log_destaddr
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -1250,6 +1252,15 @@ server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG
 		free($2);
 	}
 	;
+server_log_destaddr: VAR_LOG_DESTADDR STRING_ARG
+	{
+		OUTYY(("P(server_log_destaddr:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->log_destaddr = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG
 	{
 		OUTYY(("P(server_log_local_actions:%s)\n", $2));

contrib/unbound/util/data/msgencode.c

@@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list)
 				curr->opt_len = 2;
 				prev = curr;
 				curr = curr->next;
+			} else {
+				prev = curr;
+				curr = curr->next;
 			}
 		} else {
 			/* continue */

contrib/unbound/util/data/msgreply.c

@@ -918,13 +918,15 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep)
 void
 log_reply_info(enum verbosity_value v, struct query_info *qinf,
 	struct sockaddr_storage *addr, socklen_t addrlen, struct timeval dur,
-	int cached, struct sldns_buffer *rmsg)
+	int cached, struct sldns_buffer *rmsg, struct sockaddr_storage* daddr,
+	enum comm_point_type tp)
 {
 	char qname_buf[LDNS_MAX_DOMAINLEN+1];
 	char clientip_buf[128];
 	char rcode_buf[16];
 	char type_buf[16];
 	char class_buf[16];
+	char dest_buf[160];
 	size_t pktlen;
 	uint16_t rcode = FLAGS_GET_RCODE(sldns_buffer_read_u16_at(rmsg, 2));
 
@@ -933,11 +935,46 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
 
 	sldns_wire2str_rcode_buf((int)rcode, rcode_buf, sizeof(rcode_buf));
 	addr_to_str(addr, addrlen, clientip_buf, sizeof(clientip_buf));
+	if(daddr) {
+		char da[128];
+		int port = 0;
+		char* comm;
+		if(daddr->ss_family == AF_INET6) {
+			struct sockaddr_in6 *d = (struct sockaddr_in6 *)daddr;
+			if(inet_ntop(d->sin6_family, &d->sin6_addr, da,
+				sizeof(*d)) == 0)
+				snprintf(dest_buf, sizeof(dest_buf),
+					"(inet_ntop_error)");
+			port = ntohs(d->sin6_port);
+		} else if(daddr->ss_family == AF_INET) {
+			struct sockaddr_in *d = (struct sockaddr_in *)daddr;
+			if(inet_ntop(d->sin_family, &d->sin_addr, da,
+				sizeof(*d)) == 0)
+				snprintf(dest_buf, sizeof(dest_buf),
+					"(inet_ntop_error)");
+			port = ntohs(d->sin_port);
+		} else {
+			snprintf(da, sizeof(da), "socket%d",
+				(int)daddr->ss_family);
+		}
+		comm = "udp";
+		if(tp == comm_tcp) comm = "tcp";
+		else if(tp == comm_tcp_accept) comm = "tcp";
+		else if(tp == comm_http) comm = "dot";
+		else if(tp == comm_local) comm = "unix";
+		else if(tp == comm_raw) comm = "raw";
+		snprintf(dest_buf, sizeof(dest_buf), " on %s %s %d",
+			comm, da, port);
+	} else {
+		dest_buf[0]=0;
+	}
 	if(rcode == LDNS_RCODE_FORMERR)
 	{
 		if(LOG_TAG_QUERYREPLY)
-			log_reply("%s - - - %s - - - ", clientip_buf, rcode_buf);
-		else	log_info("%s - - - %s - - - ", clientip_buf, rcode_buf);
+			log_reply("%s - - - %s - - -%s", clientip_buf,
+				rcode_buf, dest_buf);
+		else	log_info("%s - - - %s - - -%s", clientip_buf,
+				rcode_buf, dest_buf);
 	} else {
 		if(qinf->qname)
 			dname_str(qinf->qname, qname_buf);
@@ -946,12 +983,14 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
 		sldns_wire2str_type_buf(qinf->qtype, type_buf, sizeof(type_buf));
 		sldns_wire2str_class_buf(qinf->qclass, class_buf, sizeof(class_buf));
 		if(LOG_TAG_QUERYREPLY)
-		     log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
+		     log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d%s",
 			clientip_buf, qname_buf, type_buf, class_buf,
-			rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
-		else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
+			rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec,
+			cached, (int)pktlen, dest_buf);
+		else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d%s",
 			clientip_buf, qname_buf, type_buf, class_buf,
-			rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
+			rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec,
+			cached, (int)pktlen, dest_buf);
 	}
 }
 

contrib/unbound/util/data/msgreply.h

@@ -58,6 +58,7 @@ struct msg_parse;
 struct rrset_parse;
 struct local_rrset;
 struct dns_msg;
+enum comm_point_type;
 
 /** calculate the prefetch TTL as 90% of original. Calculation
  * without numerical overflow (uin32_t) */
@@ -520,10 +521,13 @@ void log_dns_msg(const char* str, struct query_info* qinfo,
  * @param cached: whether or not the reply is coming from
  *                    the cache, or an outside network.
  * @param rmsg: sldns buffer packet.
+ * @param daddr: if not NULL, the destination address and port are logged.
+ * @param tp: type of the comm point for logging destination connection type.
  */
 void log_reply_info(enum verbosity_value v, struct query_info *qinf,
 	struct sockaddr_storage *addr, socklen_t addrlen, struct timeval dur,
-	int cached, struct sldns_buffer *rmsg);
+	int cached, struct sldns_buffer *rmsg, struct sockaddr_storage* daddr,
+	enum comm_point_type tp);
 
 /**
  * Print string with neat domain name, type, class from query info.

contrib/unbound/util/data/packed_rrset.c

@@ -275,6 +275,7 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
 	struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
 		entry.data;
 	uint8_t rr[65535];
+	size_t wlen;
 	size_t rlen = rrset->rk.dname_len + 2 + 2 + 4 + d->rr_len[i];
 	time_t adjust = 0;
 	log_assert(dest_len > 0 && dest);
@@ -292,7 +293,9 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
 	sldns_write_uint32(rr+rrset->rk.dname_len+4,
 		(uint32_t)(d->rr_ttl[i]-adjust));
 	memmove(rr+rrset->rk.dname_len+8, d->rr_data[i], d->rr_len[i]);
-	if(sldns_wire2str_rr_buf(rr, rlen, dest, dest_len) == -1) {
+	wlen = (size_t)sldns_wire2str_rr_buf(rr, rlen, dest, dest_len);
+	if(wlen >= dest_len) {
+		/* the output string was truncated */
 		log_info("rrbuf failure %d %s", (int)d->rr_len[i], dest);
 		dest[0] = 0;
 		return 0;

contrib/unbound/util/iana_ports.inc

@@ -258,7 +258,6 @@
 356,
 357,
 358,
-359,
 360,
 361,
 362,

contrib/unbound/util/netevent.c

@@ -1672,8 +1672,13 @@ ssl_handshake(struct comm_point* c)
 		} else {
 			unsigned long err = ERR_get_error();
 			if(!squelch_err_ssl_handshake(err)) {
+				long vr;
 				log_crypto_err_io_code("ssl handshake failed",
 					want, err);
+				if((vr=SSL_get_verify_result(c->ssl)) != 0)
+					log_err("ssl handshake cert error: %s",
+						X509_verify_cert_error_string(
+						vr));
 				log_addr(VERB_OPS, "ssl handshake failed",
 					&c->repinfo.remote_addr,
 					c->repinfo.remote_addrlen);
@@ -1748,6 +1753,9 @@ ssl_handshake(struct comm_point* c)
 			/* connection upgraded to HTTP2 */
 			c->tcp_do_toggle_rw = 0;
 			c->use_h2 = 1;
+		} else {
+			verbose(VERB_ALGO, "client doesn't support HTTP/2");
+			return 0;
 		}
 	}
 #endif
@@ -4766,7 +4774,7 @@ comm_point_send_reply(struct comm_reply *repinfo)
 		if(repinfo->c->dtenv != NULL && repinfo->c->dtenv->log_client_response_messages) {
 			log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
 			log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
-			dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->buffer);
+			dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->ssl, repinfo->c->buffer);
 		}
 #endif
 	} else {
@@ -4777,7 +4785,7 @@ comm_point_send_reply(struct comm_reply *repinfo)
 		if(repinfo->c->tcp_parent->dtenv != NULL && repinfo->c->tcp_parent->dtenv->log_client_response_messages) {
 			log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
 			log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
-			dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type,
+			dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->ssl,
 				( repinfo->c->tcp_req_info? repinfo->c->tcp_req_info->spool_buffer: repinfo->c->buffer ));
 		}
 #endif

contrib/unbound/validator/autotrust.c

@@ -353,17 +353,21 @@ autr_tp_create(struct val_anchors* anchors, uint8_t* own, size_t own_len,
 
 	lock_basic_lock(&anchors->lock);
 	if(!rbtree_insert(anchors->tree, &tp->node)) {
+		char buf[LDNS_MAX_DOMAINLEN+1];
 		lock_basic_unlock(&anchors->lock);
-		log_err("trust anchor presented twice");
+		dname_str(tp->name, buf);
+		log_err("trust anchor for '%s' presented twice", buf);
 		free(tp->name);
 		free(tp->autr);
 		free(tp);
 		return NULL;
 	}
 	if(!rbtree_insert(&anchors->autr->probe, &tp->autr->pnode)) {
+		char buf[LDNS_MAX_DOMAINLEN+1];
 		(void)rbtree_delete(anchors->tree, tp);
 		lock_basic_unlock(&anchors->lock);
-		log_err("trust anchor in probetree twice");
+		dname_str(tp->name, buf);
+		log_err("trust anchor for '%s' in probetree twice", buf);
 		free(tp->name);
 		free(tp->autr);
 		free(tp);

contrib/unbound/validator/val_sigcrypt.c

@@ -748,7 +748,6 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
 			return sec_status_bogus;
 		}
 	}
-	verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
 	if(!numchecked) {
 		*reason = "signature for expected key and algorithm missing";
 		if(reason_bogus)
@@ -761,6 +760,7 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
 		*reason = "algorithm refused by cryptolib";
 		return sec_status_indeterminate;
 	}
+	verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
 	return sec_status_bogus;
 }
 

contrib/unbound/validator/val_utils.c

@@ -424,11 +424,13 @@ static enum sec_status
 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key* dnskey_rrset,
         struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
-	sldns_ede_code *reason_bogus, struct module_qstate* qstate)
+	sldns_ede_code *reason_bogus, struct module_qstate* qstate,
+	int *nonechecked)
 {
 	enum sec_status sec = sec_status_bogus;
 	size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
 	num = rrset_get_count(dnskey_rrset);
+	*nonechecked = 0;
 	for(i=0; i<num; i++) {
 		/* Skip DNSKEYs that don't match the basic criteria. */
 		if(ds_get_key_algo(ds_rrset, ds_idx) 
@@ -476,13 +478,15 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
 		/* there is a working DS, but that DNSKEY is not supported */
 		return sec_status_insecure;
 	}
-	if(numchecked == 0)
+	if(numchecked == 0) {
 		algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
 			reason, "no keys have a DS");
-	else if(numhashok == 0)
+		*nonechecked = 1;
+	} else if(numhashok == 0) {
 		*reason = "DS hash mismatches key";
-	else if(!*reason)
+	} else if(!*reason) {
 		*reason = "keyset not secured by DNSKEY that matches DS";
+	}
 	return sec_status_bogus;
 }
 
@@ -511,7 +515,8 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 {
 	/* as long as this is false, we can consider this DS rrset to be
 	 * equivalent to no DS rrset. */
-	int has_useful_ds = 0, digest_algo, alg;
+	int has_useful_ds = 0, digest_algo, alg, has_algo_refusal = 0,
+		nonechecked, has_checked_ds = 0;
 	struct algo_needs needs;
 	size_t i, num;
 	enum sec_status sec;
@@ -544,9 +549,16 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 		}
 
 		sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
-			ds_rrset, i, reason, reason_bogus, qstate);
-		if(sec == sec_status_insecure)
+			ds_rrset, i, reason, reason_bogus, qstate,
+			&nonechecked);
+		if(sec == sec_status_insecure) {
+			/* DNSKEY too large unsupported or algo refused by
+			 * crypto lib. */
+			has_algo_refusal = 1;
 			continue;
+		}
+		if(!nonechecked)
+			has_checked_ds = 1;
 
 		/* Once we see a single DS with a known digestID and 
 		 * algorithm, we cannot return INSECURE (with a 
@@ -571,6 +583,15 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 
 	/* None of the DS's worked out. */
 
+	/* If none of the DSes have been checked, eg. that means no matches
+	 * for keytags, and the other dses are all algo_refusal, it is an
+	 * insecure delegation point, since the only matched DS records
+	 * have an algo refusal, or are unsupported. */
+	if(has_algo_refusal && !has_checked_ds) {
+		verbose(VERB_ALGO, "No supported DS records were found -- "
+			"treating as insecure.");
+		return sec_status_insecure;
+	}
 	/* If no DSs were understandable, then this is OK. */
 	if(!has_useful_ds) {
 		verbose(VERB_ALGO, "No usable DS records were found -- "
@@ -624,7 +645,8 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
 {
 	/* as long as this is false, we can consider this anchor to be
 	 * equivalent to no anchor. */
-	int has_useful_ta = 0, digest_algo = 0, alg;
+	int has_useful_ta = 0, digest_algo = 0, alg, has_algo_refusal = 0,
+		nonechecked, has_checked_ds = 0;
 	struct algo_needs needs;
 	size_t i, num;
 	enum sec_status sec;
@@ -670,9 +692,13 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
 			continue;
 
 		sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
-			ta_ds, i, reason, reason_bogus, qstate);
-		if(sec == sec_status_insecure)
+			ta_ds, i, reason, reason_bogus, qstate, &nonechecked);
+		if(sec == sec_status_insecure) {
+			has_algo_refusal = 1;
 			continue;
+		}
+		if(!nonechecked)
+			has_checked_ds = 1;
 
 		/* Once we see a single DS with a known digestID and 
 		 * algorithm, we cannot return INSECURE (with a 
@@ -728,6 +754,15 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
 	    }
 	}
 
+	/* If none of the DSes have been checked, eg. that means no matches
+	 * for keytags, and the other dses are all algo_refusal, it is an
+	 * insecure delegation point, since the only matched DS records
+	 * have an algo refusal, or are unsupported. */
+	if(has_algo_refusal && !has_checked_ds) {
+		verbose(VERB_ALGO, "No supported trust anchors were found -- "
+			"treating as insecure.");
+		return sec_status_insecure;
+	}
 	/* If no DSs were understandable, then this is OK. */
 	if(!has_useful_ta) {
 		verbose(VERB_ALGO, "No usable trust anchors were found -- "

contrib/unbound/validator/validator.c

@@ -3010,6 +3010,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
  * @param msg: result message (if rcode is OK).
  * @param qinfo: from the sub query state, query info.
  * @param origin: the origin of msg.
+ * @param suspend: returned true if the task takes too long and needs to
+ * 	suspend to continue the effort later.
  */
 static void
 process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,

usr.sbin/unbound/config.h

@@ -793,7 +793,7 @@
 #define PACKAGE_NAME "unbound"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "unbound 1.19.1"
+#define PACKAGE_STRING "unbound 1.19.3"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "unbound"
@@ -802,7 +802,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.19.1"
+#define PACKAGE_VERSION "1.19.3"
 
 /* default pidfile location */
 #define PIDFILE "/var/unbound/unbound.pid"
@@ -825,7 +825,7 @@
 #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
 
 /* version number for resource files */
-#define RSRC_PACKAGE_VERSION 1,19,0,0
+#define RSRC_PACKAGE_VERSION 1,19,3,0
 
 /* Directory to chdir to */
 #define RUN_DIR "/var/unbound"